28.7. Configuring a System to Authenticate Using OpenLDAP
First, make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines. The LDAP server needs the openldap-servers package. The openldap, openldap-clients, and nss_ldap packages must be installed on all LDAP client machines.
- On the server, edit the /etc/openldap/slapd.conf file so that it matches the specifics of the organization. Refer to Section 28.6.1, “Editing /etc/openldap/slapd.conf” for instructions about editing slapd.conf.
- On the client machines, both /etc/ldap.conf and /etc/openldap/ldap.conf need to contain the proper server and search base information for the organization. To do this, run the graphical Authentication Configuration Tool (system-config-authentication) and select Enable LDAP Support under the User Information tab. It is also possible to edit these files by hand.
- On the client machines, /etc/nsswitch.conf must be edited to use LDAP. To do this, run the Authentication Configuration Tool (system-config-authentication) and select Enable LDAP Support under the User Information tab. If editing /etc/nsswitch.conf by hand, add ldap to the appropriate lines, keeping files ahead of ldap so that root and other local accounts still resolve when the LDAP server is unreachable. For example:
  passwd: files ldap
  shadow: files ldap
  group: files ldap
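The client-side steps above, carried out by hand, as an added example that is not part of the Red Hat guide: shell helpers that render the two client configuration files and switch an nsswitch.conf to LDAP, which is the same edit the Authentication Configuration Tool makes. The server name ldap.example.com, the base DN dc=example,dc=com, the CA certificate path and the sample nsswitch.conf are constructed placeholders. The rendered /etc/ldap.conf also turns on STARTTLS with certificate checking, which the guide does not mention; without it, the simple bind that pam_ldap performs sends the user's password across the network in clear text.

```bash
#!/bin/sh
# Added example, not from the Red Hat guide. Hostname, base DN and CA path
# are placeholders; the nsswitch.conf used below is constructed for the demo.

# /etc/ldap.conf, read by nss_ldap and pam_ldap (lower-case keywords).
# "ssl start_tls" plus "tls_checkpeer yes" forces STARTTLS and server
# certificate verification before any bind carries a password.
render_ldap_conf() {   # $1 server, $2 base DN, $3 CA certificate file
    cat <<EOF
uri ldap://$1/
base $2
ssl start_tls
tls_cacertfile $3
tls_checkpeer yes
EOF
}

# /etc/openldap/ldap.conf, read by the OpenLDAP client library and tools such
# as ldapsearch (upper-case keywords). TLS_REQCERT demand refuses a server
# whose certificate cannot be verified against the CA.
render_openldap_conf() {   # $1 server, $2 base DN, $3 CA certificate file
    cat <<EOF
URI ldap://$1/
BASE $2
TLS_CACERT $3
TLS_REQCERT demand
EOF
}

# Append "ldap" to the passwd, shadow and group lines of the nsswitch.conf
# named by $1 unless it is already there (idempotent). "files" stays first so
# root and local service accounts resolve even when the server is down.
enable_ldap_nss() {
    tmp="$1.tmp"
    awk '
        /^(passwd|shadow|group):/ {
            found = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1
            if (!found) $0 = $0 " ldap"
        }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Return 0 when passwd, shadow and group in the nsswitch.conf named by $1
# all consult ldap; this is the check to run after editing.
nss_uses_ldap() {
    for db in passwd shadow group; do
        grep -Eq "^$db:([^#]*[[:space:]])?ldap([[:space:]]|$)" "$1" || return 1
    done
    return 0
}

# Demonstration on a constructed nsswitch.conf in a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nsswitch.conf" <<'EOF'
passwd:     files
shadow:     files
group:      files
hosts:      files dns
EOF
nss_uses_ldap "$demo_dir/nsswitch.conf" && echo "before: already ldap" || echo "before: files only"
enable_ldap_nss "$demo_dir/nsswitch.conf"
enable_ldap_nss "$demo_dir/nsswitch.conf"   # second run must not duplicate "ldap"
nss_uses_ldap "$demo_dir/nsswitch.conf" && echo "after: ldap enabled"
cat "$demo_dir/nsswitch.conf"
render_ldap_conf ldap.example.com "dc=example,dc=com" /etc/openldap/cacerts/ca.crt
rm -rf "$demo_dir"
```

Note that the two files use different keyword spellings: nss_ldap and pam_ldap read the lower-case uri/base/ssl options from /etc/ldap.conf, while ldapsearch and the OpenLDAP library read the upper-case URI/BASE/TLS_* options from /etc/openldap/ldap.conf, so both must be written. After installing the real files, getent passwd some-ldap-user confirms that name resolution goes through LDAP.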
28.7.1. PAM and LDAP
To have PAM-enabled applications use LDAP for authentication, run the Authentication Configuration Tool (system-config-authentication) and select Enable LDAP Support under the Authentication tab. For more about configuring PAM, refer to Section 48.4, “Pluggable Authentication Modules (PAM)” and the PAM man pages.
28.7.2. Migrating Old Authentication Information to LDAP Format
The /usr/share/openldap/migration/ directory contains a set of shell and Perl scripts for migrating authentication information into an LDAP format.
Note
Before using these scripts, edit the migrate_common.ph file so that it reflects the correct domain. The default DNS domain should be changed from its default value to something like:
$DEFAULT_MAIL_DOMAIN = "example";
$DEFAULT_BASE = "dc=example,dc=com";
The README and the migration-tools.txt files in the /usr/share/openldap/migration/ directory provide more details on how to migrate the information.
Table 28.1. LDAP Migration Scripts
| Existing name service | Is LDAP running? | Script to Use |
|---|---|---|
| /etc flat files | yes | migrate_all_online.sh |
| /etc flat files | no | migrate_all_offline.sh |
| NetInfo | yes | migrate_all_netinfo_online.sh |
| NetInfo | no | migrate_all_netinfo_offline.sh |
| NIS (YP) | yes | migrate_all_nis_online.sh |
| NIS (YP) | no | migrate_all_nis_offline.sh |