Red Hat Linux 7.1: The Official Red Hat Linux Reference Guide
Chapter 4. Lightweight Directory Access Protocol (LDAP)
This section provides a brief overview of how to configure your Red Hat Linux system to authenticate using OpenLDAP. Unless you're an OpenLDAP expert, you will probably need more documentation than is provided here. Please refer to the references provided in the section called Additional Resources for more information.
First, you should make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines. The LDAP server needs the openldap package.
The LDAP client machines need the following packages installed: openldap, auth_ldap, and nss_ldap.
Next, edit the slapd.conf file to make sure it matches the specifics of your organization.
Please refer to the section called Edit /etc/openldap/slapd.conf for instructions on editing slapd.conf.
Edit the ldap.conf files in /etc and in /etc/openldap on the LDAP server and clients.
Edit /etc/ldap.conf, the configuration file for nss_ldap and pam_ldap, to reflect your organization and search base. The file /etc/openldap/ldap.conf is the configuration file for the command line tools such as ldapsearch and ldapadd, and it will also need to be edited for your LDAP setup. Client machines will need to have both of these files modified.
To use nss_ldap, you'll need to add ldap to the appropriate fields in /etc/nsswitch.conf. (Be very careful when editing this file; be sure that you know what you're doing.) For example:
```
passwd: files ldap
shadow: files ldap
group: files ldap
```
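The order of the sources on each nsswitch.conf line matters: with `files` listed first, root and other local accounts in /etc/passwd and /etc/shadow still resolve when the LDAP server is unreachable, so you are not locked out of a client during an outage. The following shell script is an added example, not part of the Red Hat guide or of the nss_ldap package; it parses an nsswitch.conf, reports which of the passwd, shadow and group databases consult `ldap`, and flags any that list `ldap` before `files`. The sample file it writes is constructed for the demonstration and contains two deliberate mistakes.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: check that an nsswitch.conf
# sends passwd, shadow and group lookups to LDAP, and that "files" is listed
# before "ldap" so root and other local accounts still resolve when the LDAP
# server is unreachable. The sample file below is constructed for the demo.

# Print the source list configured for one database ("files ldap" for passwd).
nss_sources() {
    # $1 = path to nsswitch.conf, $2 = database name (passwd, shadow, group, ...)
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/#.*//' | head -n 1
}

# Inspect one source list. Exit status: 0 = files then ldap, 1 = no ldap,
# 2 = ldap listed before files (local accounts would depend on the server).
check_db_order() {
    seen_files=0
    for src in $1; do
        if [ "$src" = files ]; then
            seen_files=1
        elif [ "$src" = ldap ]; then
            if [ "$seen_files" -eq 1 ]; then return 0; fi
            return 2
        fi
    done
    return 1
}

# Report on every database named in $2...; exit 0 only if all are correct.
check_nsswitch_ldap() {
    file="$1"; shift
    status=0
    for db in "$@"; do
        sources=$(nss_sources "$file" "$db")
        rc=0
        check_db_order "$sources" || rc=$?
        case $rc in
            0) echo "ok:      $db: $sources" ;;
            1) echo "MISSING: $db: no ldap source (have: '$sources')"; status=1 ;;
            2) echo "WARNING: $db: ldap before files (have: '$sources')"; status=1 ;;
        esac
    done
    return $status
}

# Write a constructed sample with two typical mistakes to the path in $1:
# shadow puts ldap first, group has no ldap source at all.
write_sample_nsswitch() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
passwd:     files ldap
shadow:     ldap files
group:      files
hosts:      files dns
EOF
}

sample=$(mktemp)
write_sample_nsswitch "$sample"
check_nsswitch_ldap "$sample" passwd shadow group || echo "nsswitch.conf needs attention"
rm -f "$sample"
```

To check a real client, call `check_nsswitch_ldap /etc/nsswitch.conf passwd shadow group` instead of the constructed sample; a non-zero exit status means at least one database is misconfigured.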
To have standard PAM-enabled applications use LDAP for authentication, run authconfig and select Use LDAP. (PAM is beyond the scope of this LDAP overview, so if you need help, consult Chapter 8 and the PAM man pages.)
The /usr/share/openldap/migration directory contains a set of shell and Perl scripts for migrating your old authentication information into LDAP format. (You must have Perl installed on your system to use these scripts.)
First, you'll need to modify the migrate_common.ph file so that it reflects your domain. The default DNS domain should be changed from:
```
$DEFAULT_MAIL_DOMAIN = "padl.com";
```
to something like:
```
$DEFAULT_MAIL_DOMAIN = "your_company.com";
```
The default base should also be changed, from:
```
$DEFAULT_BASE = "dc=padl,dc=com";
```
to something like:
```
$DEFAULT_BASE = "dc=your_company,dc=com";
```
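The base DN is derived mechanically from the DNS domain (each label becomes a `dc=` component), so the two edits can be scripted and then read back to confirm they took effect. The shell script below is an added example, not part of the Red Hat guide or of the PADL migration tools; it converts a domain to its base DN, rewrites both defaults in a copy of migrate_common.ph with sed, and prints the resulting values. The domain `example.com` and the file excerpt it writes are constructed for the demonstration, and it is meant to be run on a copy rather than the installed file.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide or the PADL migration tools:
# derive the LDAP base DN from a DNS domain, set the two defaults in a copy
# of migrate_common.ph with sed, then read them back to confirm the edit.
# "example.com" is a constructed domain; edit a copy, not the installed file.

# Turn a DNS domain into its dc= base DN: example.com -> dc=example,dc=com
domain_to_base() {
    printf '%s\n' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# Read back the value of one Perl scalar assignment, e.g. DEFAULT_BASE.
migration_default() {
    # $1 = path to migrate_common.ph, $2 = variable name without the leading $
    sed -n 's/^\$'"$2"' = "\(.*\)";/\1/p' "$1"
}

# Rewrite $DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE in the file $1 for the
# domain $2. Writes through a temp file so a failed sed cannot truncate
# the original.
set_migration_defaults() {
    base=$(domain_to_base "$2")
    sed -e 's/^\$DEFAULT_MAIL_DOMAIN = ".*";/$DEFAULT_MAIL_DOMAIN = "'"$2"'";/' \
        -e 's/^\$DEFAULT_BASE = ".*";/$DEFAULT_BASE = "'"$base"'";/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed stand-in for the shipped defaults (only the two lines the
# guide tells you to change).
write_sample_migrate_common() {
    cat > "$1" <<'EOF'
# constructed excerpt, not the real migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_BASE = "dc=padl,dc=com";
EOF
}

copy=$(mktemp)
write_sample_migrate_common "$copy"
set_migration_defaults "$copy" example.com
echo "mail domain: $(migration_default "$copy" DEFAULT_MAIL_DOMAIN)"
echo "base DN:     $(migration_default "$copy" DEFAULT_BASE)"
rm -f "$copy"
```

On a real system, copy /usr/share/openldap/migration/migrate_common.ph somewhere writable, run `set_migration_defaults` on that copy with your own domain, and diff it against the original before putting it in place; the `migration_default` read-back is what you would check after any hand edit as well.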
Next, you'll need to decide which script to use. The following table may help you:
Table 4-1. LDAP Migration Scripts
Existing name service | Is LDAP running? | Use this script: |
---|---|---|
/etc flat files | yes | migrate_all_online.sh |
/etc flat files | no | migrate_all_offline.sh |
NetInfo | yes | migrate_all_netinfo_online.sh |
NetInfo | no | migrate_all_netinfo_offline.sh |
NIS (YP) | yes | migrate_all_nis_online.sh |
NIS (YP) | no | migrate_all_nis_offline.sh |
Run the appropriate script based on your existing name service.
The README and the migration-tools.txt files in /usr/share/openldap/migration provide more details on how to migrate the information.