LDAP
-
- guru
- Posts: 562
- Joined: Thu Jan 09, 2003 8:25 pm
I'm writing a lab for what is essentially an intro to Linux administration course at my school.
What do you guys use as the LDAP server? I'm really looking for ease of use, I think. I've been looking up info on OpenLDAP and Fedora Directory Server (the computers are running Fedora Core 6).
The server will be running on the same machine as the client logging in, so that the students can install the server and see what it's like to log in using LDAP as opposed to using /etc/passwd for authentication.
I don't really think there is an easy way to show auto-mounting network drives and such on this single-machine type of installation.
I have to tell you that I am extremely weak in the LDAP area although I have messed around with it on various levels including installing Fedora Directory server, playing around with OpenLDAP and some LDAP integration between AD and Linux. I am by no means confident with LDAP and feel like a complete n00b. I would be very interested in anything you come up with and please feel free to use me as a guinea pig for your labs. I have wanted to get better with LDAP for a long time now. I have been working a lot with various PAM authentication methods for work. For instance I now have all of our Linux, Sun, and AIX servers authenticating via Radius to a Cisco Secure ACS server. I wanted to integrate the Freeradius server with LDAP as well as have servers authenticate directly to LDAP. My biggest problem is understanding LDAP itself. My LDAP skills are extremely "sketchy". :)
Well, so far my opinion of fedora-ds isn't that good.
I haven't been able to get it started because of various errors, and I can't find a frontend for it. I know Red Hat has an administrator console that should be able to administer fedora-ds graphically, but I can't find it in the repos.
OpenLDAP is running on the computer fine, I think, but there are no accounts made, so I can't log in to create new users.
Most documentation for OpenLDAP advises writing LDIF files and executing them against the server to populate the DB with an administrator account. I really need an easier way to do this, so I have installed phpldapadmin.
The only problem is that you need an administrator account in your LDAP DB to log in with it. So I'm trying to figure out an easy way to create the admin account in OpenLDAP.
I was able to get the GUI front-end for Fedora Directory Server running fine and it seemed to be pretty slick. I don't currently have it running but I could install it again and give you the steps I had to go through to get it working if you are interested. My problem was that I still didn't have a great understanding of LDAP. I was able to create users in the directory through the GUI with no problems.
I'll try and get it reinstalled on my laptop and let you know what I had to do. I do remember it taking a bit to figure out what I had to do when I installed it previously. I do recall there was a version in the repository, but I did not use that version. I am pretty sure I downloaded "a" version from the Fedora Directory Server project site, and for some reason I recall that it wasn't the very latest version. I'll try and piece it back together and let you know. It's not like the installation was hard; just finding the right combination was the only hard part. I'm pretty sure everything I needed came from here though:
http://directory.fedoraproject.org/wiki/Download
Wow, turned out to be easier than I thought. I just installed the latest FC6 x86 RPM (even though I am running F7) and it worked. This is the RPM I installed:
http://directory.fedoraproject.org/down ... 86.opt.rpm
After installing you have to run the setup:
# /opt/fedora-ds/setup/setup
where I just picked option #1 for express install and accepted all the defaults and set a couple of passwords and then started the graphical console with the command displayed at the end of the installation. It came right up.
I'm not sure what to make of this error. There is lots of memory available. No swap on this machine though.
[root@localhost ~]# cd /opt/fedora-ds/
[root@localhost fedora-ds]# ./startconsole
GC Warning: Out of Memory! Returning NIL!
GC Warning: Out of Memory! Returning NIL!
GC Warning: Out of Memory! Returning NIL!
java.lang.OutOfMemoryError
*** Got java.lang.OutOfMemoryError while trying to print stack trace.
[root@localhost fedora-ds]# cat /proc/meminfo
MemTotal: 952180 kB
MemFree: 14192 kB
Buffers: 17948 kB
Cached: 503172 kB
I made a swapfile and I get a slightly different error:
[root@localhost fedora-ds]# swapon /swapfile
[root@localhost fedora-ds]# ./startconsole
GC Warning: Out of Memory! Returning NIL!
GC Warning: Out of Memory! Returning NIL!
GC Warning: Out of Memory! Returning NIL!
*** Catastrophic failure while handling uncaught exception.
It does appear to want a lot of memory. My laptop has over a GB of memory and it said it wanted more when I installed:
WARNING: 1010MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.
I wonder if this is some sort of tuning option? I'll dig into it and see what I can find.
Do you have Java installed?
Here is a good article:
http://www.enterprisenetworkingplanet.c ... hp/3624006
Yeah looks like a Java issue. You might have missed that last link I found. Looks like a good article with some good references:
http://www.enterprisenetworkingplanet.c ... hp/3624006
In fact here are all 3 parts:
Use Fedora Directory Server For Manageable LDAP:
http://www.enterprisenetworkingplanet.c ... hp/3622486
Use Fedora Directory Server For Manageable LDAP (Part 2):
http://www.enterprisenetworkingplanet.c ... hp/3624006
Use Fedora Directory Server For Manageable LDAP (Part 3):
http://www.enterprisenetworkingplanet.c ... hp/3625371

I installed fedora-ds on my mythtv box and am now able to authenticate everything against it. Once you install fedora-ds and add a few users just run "system-config-authentication" and check the LDAP boxes and click the configure button to set the IP address and domain name (or edit your /etc/ldap.conf, /etc/nsswitch.conf, and /etc/pam.d/system-auth files manually):
http://www.linux.com/articles/58731
http://directory.fedoraproject.org/wiki/Howto:PAM
I did not add "ldap" to the passwd, shadow, and group entries in /etc/nsswitch.conf because I found if your directory is unavailable then local authentication hangs or is very slow (not good for use on my laptop). I do need to look into group integration though.
I have my PAM configured so when authenticating it will first try the local UNIX password and if that fails try the LDAP password automatically. When changing passwords it will change both the local UNIX password and the LDAP password. Here is my /etc/pam.d/system-auth file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
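As an added illustration (not code from the thread), here is a small simulator of the "auth" section of the system-auth stack quoted above, using simplified PAM control-flag semantics. It shows why the local password is tried first and LDAP second, that both failing ends at pam_deny, and that with pam_ldap listed before the requisite pam_succeed_if line, the "uid >= 500" check is never consulted for a login that LDAP already accepted. The module outcomes are constructed inputs, not real PAM calls.

```python
# Added example: simulate the auth section of the quoted /etc/pam.d/system-auth.
# Control-flag semantics (simplified from pam.conf(5)):
#   required   - failure is remembered, but the stack keeps running
#   requisite  - failure ends the stack immediately with failure
#   sufficient - success ends the stack with success unless a required
#                module already failed; failure is just ignored
AUTH_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),         # local /etc/shadow password
    ("sufficient", "pam_ldap.so"),         # directory password
    ("requisite",  "pam_succeed_if.so"),   # uid >= 500
    ("required",   "pam_deny.so"),
]

# Modules with fixed outcomes in this stack.
FIXED = {"pam_env.so": True, "pam_deny.so": False}


def run_auth_stack(results):
    """Evaluate AUTH_STACK against constructed module results.

    results maps module name -> True (PAM_SUCCESS) or False (any failure,
    e.g. wrong password or directory unreachable). Returns a tuple
    (authenticated, consulted) where consulted lists the modules that
    were actually evaluated before the stack made its decision.
    """
    required_failed = False
    consulted = []
    for control, module in AUTH_STACK:
        ok = FIXED.get(module, results.get(module, False))
        consulted.append(module)
        if control == "required" and not ok:
            required_failed = True
        elif control == "requisite" and not ok:
            return False, consulted
        elif control == "sufficient" and ok and not required_failed:
            return True, consulted
    return not required_failed, consulted


def login_outcomes():
    """Constructed scenarios for the stack in the post."""
    return {
        "local ok":                 run_auth_stack({"pam_unix.so": True})[0],
        "local bad, ldap ok":       run_auth_stack({"pam_unix.so": False, "pam_ldap.so": True})[0],
        "both bad (or ldap down)":  run_auth_stack({"pam_unix.so": False, "pam_ldap.so": False,
                                                    "pam_succeed_if.so": True})[0],
    }
```

Note that an unreachable directory behaves like a wrong LDAP password here: pam_ldap fails, nothing short-circuits, and pam_deny decides, which is the fall-through the poster wanted for local accounts.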