Configuring Your System to Authenticate Using OpenLDAP

This section provides a brief overview of how to configure your Red Hat Linux system to authenticate using OpenLDAP. Unless you're an OpenLDAP expert, you will probably need more documentation than is provided here. Please refer to the references provided in the section called LDAP Resources on the Web for more information.

Install the Necessary LDAP Packages

First, you'll need to make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines. The LDAP server needs the openldap package.

The LDAP client machines need the following packages installed: openldap, auth_ldap, and nss_ldap.

Edit Configuration Files

Edit /etc/openldap/slapd.conf

The slapd.conf file, located in /etc/openldap, contains the configuration information needed by your slapd LDAP server. You'll need to edit this file to make it specific to your domain and your server.

The suffix line names the domain for which the LDAP server will provide information. The suffix line should be changed from:

suffix 		"dc=your-domain, dc=com"

so that it reflects your domain name. For example:

suffix		"dc=acmewidgets, dc=com"

or

suffix 		"dc=acmeuniversity, dc=org"

The rootdn entry is the DN for a user who is unrestricted by the access control or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. The rootdn line needs to be changed from:

rootdn		"cn=root, dc=your-domain, dc=com"

to something like:

rootdn		"cn=root, dc=redhat, dc=com"

or

rootdn		"cn=ldapmanager, dc=my_organization, dc=org"

Change the rootpw line from:

rootpw 		secret

to something like

rootpw		{crypt}s4L9sOIJo4kBM

In the above example, you're using an encrypted root password, which is a much better idea than leaving a plain text root password in the slapd.conf file. To make this crypt string, you should either copy it out of a passwd file, or use Perl:

perl -e "print crypt('passwd','a_salt_string');"

In the previous Perl line, salt_string is a two character salt, and passwd is the plain text version of the password.

You could also copy a passwd entry out of /etc/passwd, but this won't work if the passwd entry is an MD5 password (the default in Red Hat Linux 7.0).

Edit ldap.conf

Edit the ldap.conf files in /etc and in /etc/openldap on the LDAP server and clients.

Edit /etc/ldap.conf, the configuration file for nss_ldap and pam_ldap, to reflect your organization and search base. The file /etc/openldap/ldap.conf is the configuration file for the command line tools like ldapsearch, ldapadd, etc., and it will also need to be edited for your LDAP setup. Client machines will need to have both of these files modified for your system.

Edit /etc/nsswitch.conf

To use nss_ldap, you'll need to add ldap to the appropriate fields in /etc/nsswitch.conf. (Be very careful when editing this file; be sure that you know what you're doing.) For example:

passwd: files ldap
shadow: files ldap
group: files ldap

PAM and LDAP

To have standard PAM-enabled applications use LDAP for authentication, run authconfig and select Use LDAP. (PAM is beyond the scope of this LDAP overview, so if you need help, consult the section called User Authentication with PAM in Chapter 2 and/or PAM man pages.)

Migrate Your Old Authentication Information to LDAP Format

The /usr/share/openldap/migration directory contains a set of shell and Perl scripts for migrating your old authentication information into LDAP format. (Yes, you'll need to have Perl on your system to use these scripts.)

First, you'll need to modify the migrate_common.ph file so that it reflects your domain. The default DNS domain should be changed from:

$DEFAULT_MAIL_DOMAIN = "padl.com";

to something like:

$DEFAULT_MAIL_DOMAIN = "your_company.com";

The default base should also be changed, from:

$DEFAULT_BASE = "dc=padl,dc=com";

to something like:

$DEFAULT_BASE = "dc=your_company,dc=com";

Next, you'll need to decide which script to use. The following table should tell you:

Table 7-1. LDAP Migration Scripts

Existing name serviceIs LDAP running?Use this script:
/etc flat filesyesmigrate_all_online.sh
/etc flat filesnomigrate_all_offline.sh
NetInfoyesmigrate_all_netinfo_online.sh
NetInfonomigrate_all_netinfo_offline.sh
NIS (YP)yesmigrate_all_nis_online.sh
NIS (YP)Nomigrate_all_nis_offline.sh

Run the appropriate script based on your existing name service.

The README and the migration-tools.txt files in /usr/share/openldap/migration provide more details.