Warning: Livedoc is no longer being updated and will be deprecated shortly. Please refer to https://documentation.tjhsst.edu.

Difference between revisions of "NSS LDAP"

From Livedoc - The Documentation Repository
Revision as of 14:25, 30 July 2008

LDAP is used to store NSS (Name Service Switch) information for the UNIX passwd and group databases. All information about network users, such as UNIX uid/gid, home directory, shell, and group membership, is handled through NSS.

History

Previously, the CSL used NIS to store network user information. However, when the decision was made to integrate CSL accounts and authentication with Windows Active Directory (previously all CSL accounts were managed separately and required an application form to obtain), LDAP was chosen to replace NIS as the backend for the NSS database.

Integrated authentication using LDAP and Kerberos was initially deployed in lab 231 during the spring of 2006. Sun Directory Server 5.2 was used at the time, replicated from sol across what are now known as chuku and ekhi. During the following summer, LDAP was moved into a VMware virtual machine known as daystar in order to run LDAP on a faster system. However, for reasons not completely understood, the VM subsequently developed problems during the fall of 2006, and NSS became painfully slow on both rockhopper (at that time used for all of lab 231 and 16 LTSP nodes in the CSL) and the rest of the CSL workstations. In order to remedy the situation, /etc/passwd was rapidly deployed as a flat file across all affected systems. Hesiod was subsequently set up as the NSS database for the remainder of the school year and the beginning of the next.

During the winter of 2007-08, NSS was switched back to LDAP following various discussions. (Need more information.) LDAP was configured on chuku and mihr, running Sun Directory Server 6.

Current

NSS LDAP is currently used by nearly all *NIX systems managed by the CSL. It is running in LDOMs ldap1 and ldap2.

Configuring LDAP

Linux

  • libnss-ldap (or similar) needs to be installed.
  • Edit /etc/libnss-ldap.conf:
    • Set up LDAP servers 198.38.16.59:388, 198.38.16.12:388, and 198.38.16.13:388.
    • Use search base: dc=csl,dc=tjhsst,dc=edu.
    • Set bind_timelimit to 2.
    • Set bind_policy to soft.
    • Set nss_base_passwd to ou=people,
    • Set nss_base_group to ou=group,
  • Edit /etc/nsswitch.conf to use "files ldap" for the passwd and group databases. The two lines should look like this:
passwd:     files ldap
group:      files ldap
  • You may need to restart nscd.

Solaris

WARNING: There was at least one point in the history of Sun Directory Server where setting up the LDAP client on the LDAP server was not supported because the client was started before the server was, causing a halt in system boot because of a failure to initialize the client. I'm not sure if this is still the case, but if it is, you will need an init script to disable the client in SMF until the server starts, and then restart the client after the server starts. In the CSL, this is easily done by installing the STJinitd-sunds package.

  • Run the following command:
/usr/sbin/ldapclient manual -a credentialLevel=anonymous \
 -a defaultSearchBase="dc=csl,dc=tjhsst,dc=edu" \
 -a defaultSearchScope=sub \
 -a defaultServerList="198.38.16.12:388 198.38.16.13:388" \
 -a followReferrals="TRUE" \
 -a preferredServerList="198.38.16.59:388" \
 -a serviceSearchDescriptor=passwd:ou=people,dc=csl,dc=tjhsst,dc=edu \
 -a serviceSearchDescriptor=group:ou=group,dc=csl,dc=tjhsst,dc=edu
  • On most CSL systems: You are done.
  • On stock Solaris systems (and possibly some CSL systems):
    • The ldapclient command has installed an nsswitch.conf that assumes you use LDAP for everything. And I mean EVERYTHING. But that's rarely the case anywhere. So cp /etc/nsswitch.dns /etc/nsswitch.conf. Then edit /etc/nsswitch.conf to use "files ldap" for passwd and group. See Linux section above for sample of what this will look like.
    • pkill nscd to restart it (Solaris 10), or restart it some other way.

Admin-only access

Follow the above directions, but wherever you see an ou=people, replace it with an ou=sysadmins. Only sysadmins with LDAP entries in ou=sysadmins will be able to access that system. Note that additional access control can be, and often is, managed by using hostname groups (i.e. the LDAP POSIX group named after the hostname of the system). This is currently not done on Solaris systems, but is done on most Linux systems.
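As an added check that is not part of the Livedoc page or the CSL's own tooling, covering the Linux configuration, the Solaris nsswitch.conf pitfall and the admin-only variant above: a POSIX shell script that verifies an nsswitch.conf consults LDAP only for passwd and group, and that libnss-ldap.conf carries the settings listed. The sample files are constructed, and the uri directive used to list the servers is an assumption about the nss_ldap version in use.

```shell
# Added example, not from the Livedoc page. Offline checks for the NSS LDAP
# client state described above. The three input files are constructed samples;
# on a real host point the functions at /etc/nsswitch.conf and /etc/libnss-ldap.conf.
SAMPLE_BAD=$(mktemp); SAMPLE_GOOD=$(mktemp); SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD" "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_BAD" <<'EOF'  # shape ldapclient installs on stock Solaris: LDAP everywhere
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
netgroup:   ldap
EOF
cat > "$SAMPLE_GOOD" <<'EOF'  # intended form: only passwd and group consult LDAP
passwd:     files ldap
group:      files ldap
hosts:      files dns
EOF
# libnss-ldap.conf with the page's settings; the trailing comma in nss_base_*
# makes the value relative to base. "uri" is assumed; older builds use host/port.
cat > "$SAMPLE_CONF" <<'EOF'
uri ldap://198.38.16.59:388 ldap://198.38.16.12:388 ldap://198.38.16.13:388
base dc=csl,dc=tjhsst,dc=edu
bind_timelimit 2
bind_policy soft
nss_base_passwd ou=people,
nss_base_group ou=group,
EOF
# Print, one per line, every nsswitch database whose lookup chain uses ldap.
nss_ldap_dbs() {
  awk '$1 ~ /:$/ { db = $1; sub(/:$/, "", db)
       for (i = 2; i <= NF; i++) if ($i == "ldap") { print db; break } }' "$1"
}
# Succeed only when passwd and group are exactly "files ldap" and no other
# database consults LDAP, i.e. the state restored by copying nsswitch.dns over it.
nss_is_files_ldap_only() {
  for db in passwd group; do
    grep -Eq '^'"$db"':[[:space:]]+files[[:space:]]+ldap[[:space:]]*$' "$1" || return 1
  done
  test -z "$(nss_ldap_dbs "$1" | grep -Ev '^(passwd|group)$')"
}
# Succeed when libnss-ldap.conf has the soft bind policy, the 2 second bind
# timeout, and the people (or sysadmins, for admin-only hosts) and group bases.
libnss_conf_ok() {
  grep -Eq '^bind_policy[[:space:]]+soft$' "$1" &&
  grep -Eq '^bind_timelimit[[:space:]]+2$' "$1" &&
  grep -Eq '^nss_base_passwd[[:space:]]+ou=(people|sysadmins),$' "$1" &&
  grep -Eq '^nss_base_group[[:space:]]+ou=group,$' "$1"
}
```

Run it after the ldapclient or libnss-ldap edits and again after restarting nscd; a host that still lists hosts or netgroup from nss_ldap_dbs is in the "LDAP for everything" state the Solaris section warns about.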

Organization

Software

Sun Java System Directory Server Enterprise Edition v6

Sun Java System Directory Server

  • Sun's equivalent of slapd
  • Fully integrates with nsswitch for all databases (currently only using passwd and group)
  • Currently running in one-way replication on ldap1 (master) and ldap2.

Sun Java System Identity Synchronization for Windows

  • Connects and synchronizes users from Active Directory to Sun LDAP server and maps specified attributes (currently only one-way from AD to Sun)

Identity Synchronization for Windows

Attribute Mappings

Description                                   Active Directory   Sun LDAP
Username                                      samAccountName     uid
Password (hashed)                             unicodepwd         userpassword
First name                                    givenname          givenname
Surname                                       sn                 sn
Full Name                                     cn                 cn
Display Name                                  displayName        displayName
Description (grad year for current students)  description        description


See Also