LDAP usage and setup

LDAP stands for the “Lightweight Directory Access Protocol.” It is a method of storing user account information (and more broadly, information about people) on a server where that info can be accessed over a computer network.

For our purposes here at WPICS, LDAP is used to store username, real name, home directory, and login shell information in a central location so that it can be shared easily across many machines, eliminating the need to create duplicate accounts on each of them (LDAP can store passwords as well, but we use the more secure Kerberos for that).

In practice this means that a newly-created UNIX/Linux machine could be pointed at the departmental Kerberos and LDAP servers, very quickly giving many people access to the machine without the need to add multiple local accounts. It also gives us the ability to very quickly add or remove accounts from a potentially large number of machines at once.

Server Setup

On eressea, see the directory work/sysAdmin/Documentation/LDAP-for-WPICS … that information should be transcribed here, hopefully becoming more readable on the way.

We used Ubuntu for our LDAP server since setup appeared to be less complex. Good instructions were found here: https://help.ubuntu.com/14.04/serverguide/openldap-server.html

Server setup can be a bit confusing but it only needs to be done once.

Client Setup

All clients need the special shells installed in /shells or people will not be able to log in. You can symlink to the actual shell executable, or you can compile and install the gateway shells, which are located […etc…]

FreeBSD

Using LDAP and user directories on FreeBSD requires the net/nss_ldap port to be installed:

cd /usr/ports/net/nss_ldap
sudo make install clean

Once the install is done, edit /usr/local/etc/nss_ldap.conf so that it contains:

host csds1.cs.wpi.edu
base dc=cs,dc=wpi,dc=edu
uri ldap://csds1.cs.wpi.edu/

Then edit /etc/nsswitch.conf. Comment out the lines “group: compat” and “passwd: compat” and add the lines:

group: files ldap
passwd: files ldap

Be careful – if you've pointed your machine at both the Kerberos and LDAP servers and the /shells directory is installed, people can log in to the machine right away if they try. So if you want to keep the machine locked up, use the gateway script for the shells.
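An added audit script illustrating that caveat (example code, not from the WPICS wiki): it takes passwd-format lines (on a live host, the accounts NSS returns that are not in the local /etc/passwd, i.e. the ones coming from the ldap source in nsswitch.conf) and reports whether each account's login shell is actually present and executable on this host, which is what decides whether that person can log in right now. The gateway script path /shells/gateway and the sample accounts used in the test are assumptions, not names from the page.

```sh
#!/bin/sh
# Added audit script (not from the WPICS wiki). Reads passwd(5)-format lines
# on stdin and prints "<status> <user> <shell>" for each account:
#   login    shell exists and is executable on this host -> can log in now
#   gateway  shell is the gateway script                 -> locked by policy
#   blocked  shell is missing or not executable          -> login will fail
# The gateway path (default /shells/gateway) is a hypothetical name.
audit_shells() {
    gateway="${1:-/shells/gateway}"
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        if [ "$shell" = "$gateway" ]; then
            status=gateway
        elif [ -x "$shell" ]; then
            status=login
        else
            status=blocked
        fi
        printf '%s %s %s\n' "$status" "$user" "$shell"
    done
}

# Count the accounts in audit_shells output that could log in right now.
count_login() {
    awk '$1 == "login" { n++ } END { print n + 0 }'
}

# Live use: accounts NSS returns that are not in the local /etc/passwd, i.e.
# the ones supplied by the "ldap" source configured in nsswitch.conf.
audit_live() {
    getent passwd \
        | awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen)' /etc/passwd - \
        | audit_shells "${1:-/shells/gateway}"
}

# Run with --live [gateway-path] to audit this host; sourcing the file only
# defines the functions.
if [ "${1-}" = "--live" ]; then
    audit_live "${2-}"
fi
```

Run it after pointing a new client at the directory: a non-empty "login" list means the machine is already open to those accounts, and "blocked" entries show accounts whose shell is still missing from /shells.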

Linux

On Ubuntu/Debian you need to add the package “nslcd”, which tells your machine to look to an LDAP server for directory information.

sudo apt-get install nslcd

… when asked, use this LDAP server for the passwd and group services and no others.

ldap_usage.txt · Last modified: 2021/11/26 18:18 by mvoorhis