SuSE LDAP

Since the Novell Linux User Management (LUM) doesn't work as well as desired, I decided to take a look at plain LDAP authentication for SLES boxes. SLED and openSuSE work the same way as far as user authentication is concerned. This turned out to be pretty simple, following these steps:
  1. Configuring install sources
  2. Setting up LDAP authentication
  3. Check and troubleshoot
  4. Sudo

Configure Install Sources

When the LDAP client is being configured, additional packages need to be installed. By default these are the pam-ldap and nss-ldap packages, which are installed automatically if the correct installation sources are configured. We have an internal SuSE installation and update server, so that was not an issue for me:
[Screenshot: suseldap01.jpg] As you can see, I configured the installation source, the online source (for upgrades) and the update source.

Setting Up LDAP Authentication

LDAP authentication is configured in YaST, so start it up:
  • yast2
  • Go to “Security and Users” → “User Management” → “Expert Options” → “Authentication and User Sources”

At this point YaST checks the installation sources; if they are missing or unavailable it will tell you so, and you will not get the option to configure the LDAP source. When the wizard is done you see the possible authentication sources. Click on LDAP:
[Screenshot: suseldap02.jpg] As the server you can use an IP address or the DNS name, and be sure to select a search base high enough to find all the users that need to log on. Save and exit when you're done.

Check And Troubleshoot

Check users:
suse:~ # id sjoerd
uid=610(sjoerd) gid=606(ssh-access) groups=606(ssh-access),613(ssh-nam),612(ssh-managedservices)

The user is recognized, including the secondary groups it is a member of. You're done!

Sudo

Now all that's left is to configure sudo. Because this is quite important, and because there is a lot to learn about it, I created a separate page for it.

Request

There are two ways of logging into SuSE using eDirectory credentials: SuSE LUM or SuSE LDAP (this page). Is there anyone out there who knows why I should use LUM? Because LDAP was so much easier to set up…

Discussion

brad, 2010/08/26 16:25
Hi. I have recently set up LDAP auth on our SuSE servers. Are you still using it? I don't have much to add to your process, but I noticed that we seemed to have had troubles with the NSCD (Name Service Cache Daemon) process. It appears that this process hangs and doesn't respond quickly to requests. This service caches your LDAP lookups, so not all processes need to go out to LDAP, but if you are not running this service then everything that relies on a group/user ID translation would indeed go to LDAP. After enabling this on approximately 70 servers we noticed an increased load on our LDAP host. Part of the problem I think is that for every process that a user/group ID translation is required, the system will perform an LDAP lookup. This can be alleviated by adding this variable to the /etc/ldap.conf file:

nss_initgroups_ignoreusers root,gwrk

The users list is a comma separated list of local users on your system. The system should no longer do LDAP lookups for these local accounts. Also, I found that it seems to be better to put that variable at the top of the file, but that may be questionable.

After a lot of reading, I decided to change my method for LDAP auth. We only use the LDAP auth for SSH access to the systems. So, I decided to change the system to only auth for SSH. I followed this link for a start: http://wiki.linuxquestions.org/wiki/Pam_ldap But, I changed a few of the steps.
  1. Edit /etc/nsswitch.conf as suggested:
     passwd: files ldap
     group: files ldap
  2. You should already have pam_ldap installed.
  3. I did not edit "PasswordAuthentication" in /etc/ssh/sshd_config, I tried it both ways and it made no difference, so I left it as default.
  4. Edit /etc/pam.d/sshd as suggested.
  5. If you have already enabled LDAP auth, then this setting will be set in: /etc/pam.d/common-session
  6. I did not change /etc/pam.d/common-password
  7. /etc/init.d/nscd restart

In addition, you may have to disable some of your ldap settings. You will want to remove any "compat" entries in /etc/nsswitch.conf. I would edit the /etc/passwd, /etc/group, and /etc/shadow files and remove the lines with "+:::" that were added. Edit /etc/security/pam_unix2.conf and remove the "ldap" additions. I also edited the sudo file and the su file in /etc/pam.d/ and made the same changes that the sshd file got. So that now, both of those commands will support LDAP auth. I look forward to discussing your pros and cons for LDAP auth in your SLES environment. bb
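The two clean-ups Brad describes, keeping every local account in nss_initgroups_ignoreusers and removing the compat/"+:::" entries, are easy to miss on 70 servers, so here is a small POSIX shell audit that checks both against a host's files. It is an added example, not code from the page or from Brad; the file paths it takes as arguments and the host name ldap.example.internal are assumptions, and the sample files it creates are constructed.

```shell
#!/bin/sh
# Audit helpers (added example, not from the page) for the two clean-ups Brad describes:
# local accounts missing from nss_initgroups_ignoreusers, and leftover "compat"/"+" entries.

# Users already excluded from LDAP initgroups lookups, one per line, sorted.
ignored_users() {  # $1 = ldap.conf
    sed -n 's/^[[:space:]]*nss_initgroups_ignoreusers[[:space:]]\{1,\}//p' "$1" \
        | tr ',' '\n' | sed 's/[[:space:]]//g' | grep -v '^$' | sort -u
}

# Local passwd accounts (the "+" compat marker excluded) that nss_ldap would still
# query LDAP for because they are not listed in nss_initgroups_ignoreusers.
missing_ignores() {  # $1 = passwd, $2 = ldap.conf
    ignored=$(ignored_users "$2")
    cut -d: -f1 "$1" | grep -v '^+' | sort -u | while read -r user; do
        printf '%s\n' "$ignored" | grep -qxF "$user" || printf '%s\n' "$user"
    done
}

# "compat" on the passwd/group/shadow lines of nsswitch.conf, plus "+" entries in
# the account files passed as further arguments; output is file:line:content.
compat_leftovers() {  # $1 = nsswitch.conf, $2... = passwd/group/shadow
    nss=$1; shift
    grep -nE '^[[:space:]]*(passwd|group|shadow):.*[[:space:]]compat([[:space:]]|$)' "$nss" \
        | sed "s|^|$nss:|"
    for f in "$@"; do grep -n '^+' "$f" | sed "s|^|$f:|"; done
    return 0
}

# Constructed sample files (not from a real host) so the audit runs offline.
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
gwrk:x:1000:100:local worker:/home/gwrk:/bin/bash
backup:x:1001:100:local backup:/home/backup:/bin/bash
+::::::
EOF
printf 'root:x:0:\nusers:x:100:\n+:::\n' > "$SAMPLE/group"
printf 'host ldap.example.internal\nnss_initgroups_ignoreusers root,gwrk\n' > "$SAMPLE/ldap.conf"
printf 'passwd: compat\ngroup:  files ldap\nshadow: compat\n' > "$SAMPLE/nsswitch.conf"

echo "local accounts still resolved via LDAP:"
missing_ignores "$SAMPLE/passwd" "$SAMPLE/ldap.conf"          # backup
echo "compat leftovers:"
compat_leftovers "$SAMPLE/nsswitch.conf" "$SAMPLE/passwd" "$SAMPLE/group"
```

Point the three functions at /etc/passwd, /etc/ldap.conf and /etc/nsswitch.conf on a real host; an empty result from both means the exclusions and the compat clean-up are in place.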
Sjoerd Hooft, 2010/08/27 17:36
Hi Brad, I haven't read the pam_ldap article yet but I can see where you're going. Limiting the authentication to just ssh could be a nice approach, but could be a problem in the future when requirements change. I had problems with the nscd as well, just recently when configuring LDAP authentication to an Active Directory LDAP. I decided to stop caching the group in nscd.conf because it would cache the group membership too long (we provide system access based on group membership in AD). I'm still not entirely satisfied with this, but due to project priorities I don't have much time for it right now. Let's keep each other up to date.
suseldap.txt · Last modified: 2010/04/02 20:20 (external edit)