Configure new LDAP clients

Authenticate through OpenLDAP

For Linux machines

On Linux machines (CentOS, for example) authentication goes through the nss_ldap and pam_ldap modules, which are integrated into the system: nss_ldap resolves users and groups from the directory and pam_ldap checks their passwords against it. The authconfig utility that ships with the system performs the setup.
 
First, make sure that the CA certificate needed to verify the directory server's TLS certificate is placed in the directory named by the TLS_CACERTDIR directive in /etc/openldap/ldap.conf. By default this directory is /etc/openldap/cacerts. OpenSSL locates certificates there through hash-named links, so after copying a certificate in, run cacertdir_rehash on the directory (the script is part of the authconfig package). Without a trusted CA certificate the client cannot verify that it is talking to the real directory server, and the only way to make the connection "work" is to disable peer verification, which leaves every password sent over it open to interception.

Run:
authconfig-tui
 
It should be configured as follows: on the first screen, enable LDAP for user information and LDAP authentication; on the LDAP settings screen, enable TLS and enter the server (sophia.blueprint.org, the directory server used on this page) and the base DN (dc=blueprint,dc=org).
 
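The same setup as a script, added here as an example (it is not from the original page): the non-interactive authconfig equivalent of the TUI screens above, preceded by a check that the CA certificate directory named in /etc/openldap/ldap.conf is actually usable. It assumes the server name and base DN used later on this page and a CentOS authconfig that accepts --ldapserver, --ldapbasedn and --enableldaptls; it must be run as root to apply anything.

```shell
#!/bin/sh
# Added example, not from the original page: the non-interactive equivalent of
# the authconfig-tui walk-through for a CentOS client, with a pre-flight check
# that the CA certificate directory named in /etc/openldap/ldap.conf is usable.
# Assumptions: the server and base DN are the ones used later on this page, and
# authconfig's --ldapserver/--ldapbasedn/--enableldaptls options are available.

LDAP_SERVER="sophia.blueprint.org"   # from this page
LDAP_BASE="dc=blueprint,dc=org"      # from this page

# Print the CA certificate directory from an OpenLDAP ldap.conf (keywords are
# case-insensitive), falling back to the documented default when it is absent.
cacert_dir_from_conf() {
    dir=$(awk 'toupper($1) == "TLS_CACERTDIR" { print $2 }' "$1" 2>/dev/null | tail -n 1)
    if [ -n "$dir" ]; then echo "$dir"; else echo "/etc/openldap/cacerts"; fi
}

# Return 0 only if the directory holds a PEM certificate *and* the hash-named
# links ("xxxxxxxx.0") OpenSSL uses to find it; TLS verification fails without
# them. Otherwise say on stderr what needs fixing and return 1.
verify_cacert_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2; return 1
    fi
    found=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        if [ -f "$f" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no .pem/.crt certificate in $dir" >&2; return 1
    fi
    if ! ls "$dir" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
        echo "no hash links in $dir; run: cacertdir_rehash $dir" >&2; return 1
    fi
    return 0
}

# Apply the same settings the authconfig-tui screens collect: LDAP for user
# information (nss_ldap) and for authentication (pam_ldap), over TLS.
configure_ldap_client() {
    dir=$(cacert_dir_from_conf /etc/openldap/ldap.conf)
    verify_cacert_dir "$dir" || return 1
    authconfig --enableldap --enableldapauth --enableldaptls \
               --ldapserver="$LDAP_SERVER" --ldapbasedn="$LDAP_BASE" --update
}

# After configuration, NSS should resolve a directory-only user without any
# password being involved; "getent passwd" is the cheapest end-to-end check.
check_nss_user() {
    getent passwd "$1" >/dev/null
}

# Usage: sh ldap_client_setup.sh --apply SOMEDIRECTORYUSER
case "${1:-}" in
    --apply) configure_ldap_client && check_nss_user "${2:?usage: $0 --apply LDAPUSER}" ;;
esac
```

If the getent check fails after authconfig reports success, look at the TLS side first (missing certificate or hash links, or a server certificate whose name does not match the host given to --ldapserver) before suspecting the directory contents.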

Automatically create local home directory for ldap users

The reference for this is at http://www.pcgossip.com/doc/ldap_dc.html
  • create a pam_ldap.conf file in the /etc directory of the client machine and put in the following information (on CentOS, pam_ldap and nss_ldap read /etc/ldap.conf, which authconfig has already written, so check that that file carries these entries rather than creating a second one; /etc/pam_ldap.conf is the Debian layout used by the reference)
# The name of your ldap server or the ldap server address.
host sophia.blueprint.org
# The name of your search base.
base dc=blueprint,dc=org
# The version of ldap protocol to use.
ldap_version 3
  • edit the /etc/pam.d/sshd and /etc/pam.d/gdm files and insert the following line at the beginning of the session section (pam_mkhomedir is a session module; it does nothing if placed among the account lines)
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
  • edit the /etc/pam.d/login file and insert the same line directly after the line "session required pam_selinux.so close"
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
The umask=0022 makes each new home directory readable by every other user on the machine; use umask=0077 if home directories are meant to be private. authconfig versions that have the --enablemkhomedir option can instead add the module to /etc/pam.d/system-auth, which sshd, gdm and login all include, so the three files need not be edited one by one.
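Editing three PAM files by hand tends to leave duplicate or misplaced lines, so here is an added example (not from the original page or the guide it cites) that inserts the pam_mkhomedir line exactly once per file, at the head of the session section, or directly after the pam_selinux.so close line when the file has one, as the steps above require. It assumes PAM service files in the CentOS "type control module args" layout and is safe to re-run.

```shell
#!/bin/sh
# Added example, not from the original page or the guide it cites: put the
# pam_mkhomedir line into a PAM service file exactly once, at the head of its
# session section, or directly after "session required pam_selinux.so close"
# when that line exists (the /etc/pam.d/login case). Safe to run repeatedly,
# which matters because a duplicated line is a common result of hand edits.
# Assumption: PAM files in the CentOS "type control module args" layout.

MKHOMEDIR_LINE='session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022'
SELINUX_CLOSE='^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_selinux[.]so[[:space:]]+close'

# Print FILE with the mkhomedir line inserted; print it unchanged if the module
# is already referenced anywhere in it.
add_mkhomedir() {
    if grep -q 'pam_mkhomedir\.so' "$1"; then
        cat "$1"
    elif grep -Eq "$SELINUX_CLOSE" "$1"; then
        # login-style file: the slot is right after the SELinux "close" line.
        awk -v line="$MKHOMEDIR_LINE" -v pat="$SELINUX_CLOSE" '
            { print }
            !done && $0 ~ pat { print line; done = 1 }
        ' "$1"
    else
        # sshd/gdm-style file: before the first session entry, or at the end
        # if the file has no session section at all.
        awk -v line="$MKHOMEDIR_LINE" '
            !done && /^[[:space:]]*session[[:space:]]/ { print line; done = 1 }
            { print }
            END { if (!done) print line }
        ' "$1"
    fi
}

# Rewrite FILE in place, keeping FILE.bak when something changed. Return 0
# whether or not a change was needed; 1 if the file could not be processed.
install_mkhomedir() {
    new="$1.mkhomedir.$$"
    add_mkhomedir "$1" > "$new" || { rm -f "$new"; return 1; }
    if [ "$(cat "$1")" = "$(cat "$new")" ]; then
        rm -f "$new"
        return 0
    fi
    cp -p "$1" "$1.bak" && mv "$new" "$1"
}

# Number of pam_mkhomedir references in FILE; a correctly edited file has one.
mkhomedir_count() {
    grep -c 'pam_mkhomedir\.so' "$1"
}

# Usage: sh install_mkhomedir.sh /etc/pam.d/sshd /etc/pam.d/gdm /etc/pam.d/login
for pamfile in "$@"; do
    install_mkhomedir "$pamfile" && echo "$pamfile: $(mkhomedir_count "$pamfile") pam_mkhomedir line(s)"
done
```

Run it against the three files named above, then check the report shows one line per file; a count of two means an earlier manual edit already added the module and the old copy should be removed.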

For Windows XP machines

To authenticate users on Windows machines, the machine must join the domain served by the Samba server (here BLUEPRINT-NT). Only Windows XP Professional can join a domain; the Home edition cannot. Log in to the computer with the local administrator account, right-click My Computer and select Properties -> Computer Name -> Change. In the new window enter the computer name and the domain name (BLUEPRINT-NT) and click OK. A dialog asks for a username and password for the domain: enter the credentials of a Samba account that is allowed to create machine accounts (root as set up on the Samba server, or another account that has been granted that right; an ordinary Samba user will be refused), and the computer joins the domain. Restart the computer for the change to take effect. Prefer a dedicated account for joining machines over handing the root password to everyone who sets up workstations.

Restrict user logon on particular machine

In some cases only a subset of users are allowed to log on to certain machines. This can be done with pam_filter or by enabling pam_check_host_attr in /etc/ldap.conf. Both act in pam_ldap only: nss_ldap still resolves every directory user, so a user rejected by either check will still appear in getent passwd but cannot log in.

Use pam_filter

pam_filter adds an LDAP filter to the search pam_ldap makes for the user's entry, so only accounts whose entry matches the filter can log in to the machine; any attribute of the user's entry can serve as the criterion. To use it, add the filter to /etc/ldap.conf, written without outer parentheses. For example, to restrict logins to users whose primary group is 512 (the gidNumber of Domain Admins in the default smbldap-tools layout), apply the following filter:

pam_filter gidNumber=512

The attribute is gidNumber (from posixAccount), not gid, and it only tests the user's primary group: a user who is listed in a group's memberUid but has a different gidNumber is still rejected.

Use host attribute

Enabling the pam_check_host_attr directive in /etc/ldap.conf makes pam_ldap check the values of the host attribute in the user's entry and admit only users whose host values include the hostname of the machine; a user with no host attribute at all is refused on every machine that has the check enabled. This form of restriction is not preferred: it complicates the authentication process, and the host attribute (which in the standard schema belongs to the account object class) is not managed by smbldap-tools, so the OpenLDAP directory entries have to be edited by hand.
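Before turning on either restriction it is worth seeing exactly who it will admit, since a wrong filter locks every directory user out of the machine at once. The following added example (not from the original page) serves both the pam_filter section and the host attribute section: it reads host or uri, base and pam_filter from an ldap.conf in the PADL format used by nss_ldap/pam_ldap and runs the same searches pam_ldap would with ldapsearch. It assumes the server name and base DN used on this page and that openldap-clients is installed on the client.

```shell
#!/bin/sh
# Added example, not from the original page: reproduce with ldapsearch the
# lookup pam_ldap performs for a user, so the effect of a pam_filter (or of
# the host attribute check) can be seen before it is enabled and someone is
# locked out. Reads host/uri, base and pam_filter from an ldap.conf in the
# PADL format used by nss_ldap/pam_ldap. Assumptions: the server and base DN
# in the sample are the ones on this page; ldapsearch (openldap-clients) is
# installed on the client.

# conf_value FILE KEY: value of the last KEY line in FILE (keys are matched
# case-insensitively, as pam_ldap does); empty if the key is not set.
conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); v = $0 }
                     END { print v }' "$1"
}

# pam_filter_lookup USER FILTER: the search pam_ldap runs when pam_filter is
# set, i.e. the user's uid ANDed with the filter. pam_filter is written in
# ldap.conf without outer parentheses (e.g. "gidNumber=512"), and that is what
# this function expects.
pam_filter_lookup() {
    if [ -n "$2" ]; then
        printf '(&(uid=%s)(%s))\n' "$1" "$2"
    else
        printf '(uid=%s)\n' "$1"
    fi
}

# host_attr_lookup USER HOSTNAME: the question pam_check_host_attr asks, does
# the user's entry carry a host value equal to this machine's name.
host_attr_lookup() {
    printf '(&(uid=%s)(host=%s))\n' "$1" "$2"
}

# check_user CONF USER [HOSTNAME]: run both lookups against the directory named
# in CONF. An entry printed under the pam_filter search means the filter admits
# the user; no entry means the login will be refused once the filter is active.
check_user() {
    base=$(conf_value "$1" base)
    uri=$(conf_value "$1" uri)
    [ -n "$uri" ] || uri="ldap://$(conf_value "$1" host)"
    echo "== pam_filter lookup for $2"
    ldapsearch -x -LLL -H "$uri" -b "$base" \
        "$(pam_filter_lookup "$2" "$(conf_value "$1" pam_filter)")" uid gidNumber
    echo "== host attribute lookup for $2 on ${3:-$(hostname)}"
    ldapsearch -x -LLL -H "$uri" -b "$base" \
        "$(host_attr_lookup "$2" "${3:-$(hostname)}")" uid host
}

# Usage: sh check_user.sh /etc/ldap.conf alice [hostname]
if [ $# -ge 2 ]; then
    check_user "$@"
fi
```

The searches use an anonymous simple bind (-x); if the directory does not allow anonymous reads of user entries, add -D and -W with the same bind DN that ldap.conf gives pam_ldap, otherwise an empty result reflects the ACL rather than the filter.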