LDAP

Master of Reality
guru
Posts: 562
Joined: Thu Jan 09, 2003 8:25 pm

Post by Master of Reality » Mon Jun 18, 2007 12:21 pm

I'm writing a lab for what is essentially an intro to Linux administration course at my school.

What do you guys use as the LDAP server? I'm really looking for ease of use, I think. I've been looking up info on OpenLDAP and Fedora Directory Server (the computers are running Fedora Core 6).

The server will be running on the same machine as the client logging in, so that the students can install the server and see what it's like to log in using LDAP as opposed to using /etc/passwd for authentication.

I don't really think there is an easy way to show auto-mounting network drives and such on this single-machine type of installation.

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Mon Jun 18, 2007 1:51 pm

I have to tell you that I am extremely weak in the LDAP area, although I have messed around with it on various levels including installing Fedora Directory Server, playing around with OpenLDAP and some LDAP integration between AD and Linux. I am by no means confident with LDAP and feel like a complete n00b. I would be very interested in anything you come up with, and please feel free to use me as a guinea pig for your labs. I have wanted to get better with LDAP for a long time now. I have been working a lot with various PAM authentication methods for work. For instance, I now have all of our Linux, Sun, and AIX servers authenticating via RADIUS to a Cisco Secure ACS server. I wanted to integrate the FreeRADIUS server with LDAP as well as have servers authenticate directly to LDAP. My biggest problem is understanding LDAP itself. My LDAP skills are extremely "sketchy". :)

Master of Reality
guru
Posts: 562
Joined: Thu Jan 09, 2003 8:25 pm

Post by Master of Reality » Wed Jun 20, 2007 11:58 am

Well, so far my opinion of fedora-ds isn't that good.

I haven't been able to get it started because of various errors, and I can't find a front-end for it. I know Red Hat has an administrator console that should be able to administer fedora-ds graphically, but I can't find it in the repos.

OpenLDAP is running on the computer fine, I think, but there are no accounts made so I can't log in to create new users.

Most documentation for OpenLDAP advises writing LDIF files and executing them against the server to populate the DB with an administrator account. I really need an easier way to do this, so I have installed phpLDAPadmin.

The only problem is that you need an administrator account in your LDAP DB to log in with it. So I'm trying to figure out an easy way to create the admin account in OpenLDAP.
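The LDIF that the OpenLDAP documentation asks for, generated by a script added here as an example (it is not from the thread and not something OpenLDAP or phpLDAPadmin ships). It assumes the suffix dc=example,dc=com, an admin DN of cn=Manager under it and one student account, all placeholders, and writes the userPassword values in the {SSHA} form that slappasswd(8) produces, with a verifier so you can see what slapd checks on a simple bind:

```python
"""Bootstrap LDIF for an empty OpenLDAP directory: the base entry, an admin DN,
People and Group containers, one posixGroup and one posixAccount, with the
userPassword values written in the {SSHA} form that slapd and slappasswd(8) use."""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """{SSHA} = base64( sha1(password || salt) || salt ); slapd takes the bytes after the
    20-byte digest as the salt, so any salt length decodes correctly."""
    if salt is None:
        salt = os.urandom(4)              # slappasswd also uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """What slapd does on a simple bind: re-hash with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(name, value):
    """RFC 2849: a value that is not plain ASCII, or starts with space/colon/'<', or ends
    with a space, must be base64-encoded after a double colon."""
    text = str(value)
    safe = (bool(text) and text.isascii() and "\n" not in text
            and text[0] not in " :<" and text[-1] != " ")
    if safe:
        return "%s: %s" % (name, text)
    return "%s:: %s" % (name, base64.b64encode(text.encode("utf-8")).decode("ascii"))


def entry(dn, attrs):
    """One LDIF record: a dn line followed by attribute lines, blank-line terminated."""
    return "\n".join(["dn: " + dn] + [ldif_attr(n, v) for n, v in attrs]) + "\n"


def bootstrap_ldif(suffix, admin_cn, admin_password, user):
    """suffix like 'dc=example,dc=com'; user needs uid, cn, sn, uidNumber, gidNumber, password.
    The admin DN created here is assumed to match the rootdn line in slapd.conf."""
    dc = suffix.split(",")[0].split("=", 1)[1]
    people, group = "ou=People," + suffix, "ou=Group," + suffix
    records = [
        entry(suffix, [("objectClass", "dcObject"), ("objectClass", "organization"),
                       ("dc", dc), ("o", dc)]),
        entry("cn=%s,%s" % (admin_cn, suffix),
              [("objectClass", "organizationalRole"), ("objectClass", "simpleSecurityObject"),
               ("cn", admin_cn), ("userPassword", ssha_hash(admin_password))]),
        entry(people, [("objectClass", "organizationalUnit"), ("ou", "People")]),
        entry(group, [("objectClass", "organizationalUnit"), ("ou", "Group")]),
        entry("cn=%s,%s" % (user["uid"], group),
              [("objectClass", "posixGroup"), ("cn", user["uid"]), ("gidNumber", user["gidNumber"])]),
        entry("uid=%s,%s" % (user["uid"], people),
              [("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
               ("objectClass", "shadowAccount"), ("uid", user["uid"]), ("cn", user["cn"]),
               ("sn", user["sn"]), ("uidNumber", user["uidNumber"]), ("gidNumber", user["gidNumber"]),
               ("homeDirectory", "/home/" + user["uid"]), ("loginShell", "/bin/bash"),
               ("userPassword", ssha_hash(user["password"]))]),
    ]
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed lab placeholders, not anything from the thread.
    student = {"uid": "student1", "cn": "Student One", "sn": "One",
               "uidNumber": 1001, "gidNumber": 1001, "password": "changeme"}
    print(bootstrap_ldif("dc=example,dc=com", "Manager", "admin-secret", student))
```

Write the output to base.ldif, put the same DN on the rootdn line of slapd.conf with a rootpw generated by `slappasswd -s` (same {SSHA} format), and load it with `ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f base.ldif`; that rootdn and password are what phpLDAPadmin's login form wants. Two caveats: {SSHA} is one SHA-1 round over password and salt, so the directory contents still need protecting, and a simple bind sends the password in the clear, which is fine over localhost on a single lab box but wants ldaps:// or STARTTLS the moment the server is reachable over the network.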

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Jun 20, 2007 12:01 pm

I was able to get the GUI front-end for Fedora Directory Server running fine and it seemed to be pretty slick. I don't currently have it running but I could install it again and give you the steps I had to go through to get it working if you are interested. My problem was that I still didn't have a great understanding of LDAP. I was able to create users in the directory through the GUI with no problems.

Master of Reality
guru
Posts: 562
Joined: Thu Jan 09, 2003 8:25 pm

Post by Master of Reality » Wed Jun 20, 2007 12:03 pm

Hmm, any idea what that front-end is called or if it's in a repo? If I can get that running it would probably be a better solution.

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Jun 20, 2007 12:09 pm

I'll try and get it reinstalled on my laptop and let you know what I had to do. I do remember it taking a bit to figure out what I had to do when I installed it previously. I do recall there was a version in the repository but I did not use that version. I am pretty sure I downloaded "a" version from the Fedora Directory Server project site and for some reason I recall that it wasn't the very latest version. I'll try and piece it back together and let you know. It's not like the installation was hard; finding the right combination was the only hard part. I'm pretty sure everything I needed came from here though:

http://directory.fedoraproject.org/wiki/Download

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Jun 20, 2007 12:23 pm

Wow, turned out to be easier than I thought. I just installed the latest FC6 x86 RPM (even though I am running F7) and it worked. This is the RPM I installed:

http://directory.fedoraproject.org/down ... 86.opt.rpm

After installing you have to run the setup:

# /opt/fedora-ds/setup/setup

where I just picked option #1 for express install and accepted all the defaults and set a couple of passwords and then started the graphical console with the command displayed at the end of the installation. It came right up.

Master of Reality
guru
Posts: 562
Joined: Thu Jan 09, 2003 8:25 pm

Post by Master of Reality » Wed Jun 20, 2007 12:26 pm

[root@localhost ~]# cd /opt/fedora-ds/
[root@localhost fedora-ds]# ./startconsole
GC Warning: Out of Memory! Returning NIL!
GC Warning: Out of Memory! Returning NIL!
GC Warning: Out of Memory! Returning NIL!
java.lang.OutOfMemoryError
*** Got java.lang.OutOfMemoryError while trying to print stack trace.

[root@localhost fedora-ds]# cat /proc/meminfo
MemTotal: 952180 kB
MemFree: 14192 kB
Buffers: 17948 kB
Cached: 503172 kB

I'm not sure what to make of this error. There is lots of memory available. No swap on this machine though.

Master of Reality
guru
Posts: 562
Joined: Thu Jan 09, 2003 8:25 pm

Post by Master of Reality » Wed Jun 20, 2007 12:28 pm

I made a swapfile and I get a slightly different error:
[root@localhost fedora-ds]# swapon /swapfile
[root@localhost fedora-ds]# ./startconsole
GC Warning: Out of Memory! Returning NIL!
GC Warning: Out of Memory! Returning NIL!
GC Warning: Out of Memory! Returning NIL!
*** Catastrophic failure while handling uncaught exception.

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Jun 20, 2007 12:38 pm

It does appear to want a lot of memory. My laptop has over a GB of memory and it said it wanted more when I installed:

WARNING: 1010MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.

I wonder if this is some sort of tuning option? I'll dig into it and see what I can find.

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Jun 20, 2007 12:43 pm

Do you have Java installed?

Here is a good article:
http://www.enterprisenetworkingplanet.c ... hp/3624006

Master of Reality
guru
Posts: 562
Joined: Thu Jan 09, 2003 8:25 pm

Post by Master of Reality » Wed Jun 20, 2007 12:43 pm

I believe my Java version is too old. I will upgrade and retry.

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Jun 20, 2007 12:47 pm

Yeah, looks like a Java issue. You might have missed that last link I found. Looks like a good article with some good references:

http://www.enterprisenetworkingplanet.c ... hp/3624006

Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Wed Jun 20, 2007 12:53 pm

In fact here are all 3 parts:

Use Fedora Directory Server For Manageable LDAP:
http://www.enterprisenetworkingplanet.c ... hp/3622486

Use Fedora Directory Server For Manageable LDAP (Part 2):
http://www.enterprisenetworkingplanet.c ... hp/3624006

Use Fedora Directory Server For Manageable LDAP (Part 3):
http://www.enterprisenetworkingplanet.c ... hp/3625371


Void Main
Site Admin
Posts: 5712
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Sat Jun 23, 2007 7:32 pm

I installed fedora-ds on my MythTV box and am now able to authenticate everything against it. Once you install fedora-ds and add a few users, just run "system-config-authentication", check the LDAP boxes and click the configure button to set the IP address and domain name (or edit your /etc/ldap.conf, /etc/nsswitch.conf, and /etc/pam.d/system-auth files manually):

http://www.linux.com/articles/58731
http://directory.fedoraproject.org/wiki/Howto:PAM

I have my PAM configured so when authenticating it will first try the local UNIX password and if that fails try the LDAP password automatically. When changing passwords it will change both the local UNIX password and the LDAP password. Here is my /etc/pam.d/system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

I did not add "ldap" to the passwd, shadow, and group entries in /etc/nsswitch.conf because I found that if your directory is unavailable then local authentication hangs or is very slow (not good for use on my laptop). I do need to look into group integration though.
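How Linux-PAM actually walks the auth stack above (why a good local password never reaches pam_ldap, why a bad one falls through to it, and why the requisite pam_succeed_if line stops a system account before pam_deny) is easier to see by running the stack than by reading pam.conf(5). The following is an added example, not code from the thread or from Linux-PAM: a small evaluator that parses the posted system-auth lines, including the bracketed [value=action] form on the account line, and follows the ok/bad/die/done/ignore rules from pam_dispatch.c. The module return values fed in for each scenario are constructed inputs, not anything observed on Void Main's box.

```python
import re

# Linux-PAM's shorthand control flags, expanded to the [value=action] tables they stand for.
SHORTHAND = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# The auth and account sections of the /etc/pam.d/system-auth posted above.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
"""

PAM_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text, facility):
    """Return [(action_table, module, args)] for one facility ('auth', 'account', ...)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError("unparseable pam line: " + line)
        fac, control, module, args = m.groups()
        if fac != facility:
            continue
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = SHORTHAND[control]
        entries.append((table, module, args.split()))
    return entries


def run_stack(entries, results):
    """Evaluate a stack the way pam_dispatch.c does.

    results maps module name -> the return value that module produces for this
    attempt (constructed inputs; unlisted modules return 'success').
    Returns (final status, list of modules that were actually consulted).
    """
    impression, status, skip, consulted = None, None, 0, []
    for table, module, _args in entries:
        if skip:                      # a numeric action N skips the next N modules
            skip -= 1
            continue
        retval = results.get(module, "success")
        consulted.append(module)
        action = table.get(retval, table.get("default", "bad"))  # unlisted values count as bad
        if action == "ignore":
            continue
        if action == "reset":
            impression, status = None, None
            continue
        if action in ("bad", "die"):
            if impression != "negative":          # the first failure is the one that sticks
                impression, status = "negative", retval
            if action == "die":
                break                             # requisite: stop right here
            continue
        # "ok", "done" or a jump count N: a success that a frozen failure still overrides
        if impression is None or (impression == "positive" and status == "success"):
            impression, status = "positive", retval
        if action == "done" and impression == "positive":
            break                                 # sufficient: short-circuit the rest
        if action.isdigit():
            skip = int(action)
    if impression is None:
        status = "perm_denied"                    # every module said ignore: PAM refuses
    return status, consulted


def authenticate(local, ldap, uid):
    """local / ldap: what pam_unix / pam_ldap would return; uid feeds pam_succeed_if."""
    results = {
        "pam_unix.so": local,
        "pam_ldap.so": ldap,
        "pam_succeed_if.so": "success" if uid >= 500 else "auth_err",
        "pam_deny.so": "auth_err",
    }
    return run_stack(parse_stack(SYSTEM_AUTH, "auth"), results)


if __name__ == "__main__":
    cases = {
        "local password ok":            ("success", "auth_err", 1000),
        "local wrong, LDAP ok":         ("auth_err", "success", 1000),
        "not in /etc/passwd, LDAP ok":  ("user_unknown", "success", 1000),
        "both wrong, uid >= 500":       ("auth_err", "auth_err", 1000),
        "both wrong, system uid":       ("auth_err", "auth_err", 0),
    }
    for label, args in cases.items():
        print("%-30s -> %s via %s" % ((label,) + authenticate(*args)))
```

The point worth noticing in the trace: because both pam_unix and pam_ldap are sufficient and pam_ldap has use_first_pass, a password that fails locally is re-sent to the directory in the same attempt, so a user present in both stores can log in with either password, and the LDAP server sees every locally-failed password. That is the intended fall-through here, but it is the reason to make sure the pam_ldap bind goes over ldaps:// or STARTTLS before pointing it at a remote directory.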
