Unified Linux Login and Home Directory Using OpenLDAP and NFS/automount
Tags: Linux, nfs, openldap, server config, tutorials
This post describes how to unify Linux logins and home directories across machines, using OpenLDAP for the accounts and NFS with automount for the home directories.
0. System environment
LDAP and NFS server:
IP: 10.0.0.2
OS: CentOS 5.3 X86_64
ldap base dn: "dc=lgcpu1"
Clients:
IP: 10.0.0.1/24
OS: Fedora 11 X86_64
1. LDAP server
1.1 Package installation:
# yum install openldap-servers
# /sbin/chkconfig ldap on
# /sbin/service ldap start
1.2 Add or edit these configurations:
Edit /etc/openldap/slapd.conf. Add or edit:
include /etc/openldap/schema/redhat/autofs.schema
#########################################################
# ldbm and/or bdb database definitions
#########################################################
database bdb
suffix "dc=lgcpu1"
checkpoint 1024 15
rootdn "cn=Manager,dc=lgcpu1"
rootpw {crypt}x
# Access Control
access to attrs=userPassword
by self write
by anonymous auth
by dn="cn=manager,dc=lgcpu1" write
by * compare
access to *
by self write
by dn="cn=manager,dc=lgcpu1" write
by * read
How to generate the rootpw hash (replace 'passwd' and 'salt_string' with your own password and salt, and put the output after {crypt} in the rootpw line above):
perl -e "print crypt('passwd', 'salt_string');"
1.3 Add top.ldif
top.ldif:
dn: dc=lgcpu1
objectclass: dcObject
objectclass: organization
o: lgcpu1 group
dc: lgcpu1

dn: cn=manager,dc=lgcpu1
objectclass: organizationalRole
cn: manager

dn: ou=people,dc=lgcpu1
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

dn: ou=contacts,ou=people,dc=lgcpu1
ou: contacts
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

dn: ou=group,dc=lgcpu1
ou: group
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1
Add top.ldif to ldap server:
$ ldapadd -x -D 'cn=manager,dc=lgcpu1' -W -f top.ldif
Then search all the content in the ldap server by:
ldapsearch -x -D 'cn=manager,dc=lgcpu1' -W
If the previous steps were processed correctly, ldapsearch will print all the content of the LDAP database.
1.4 Add users and groups from local configuration:
Copy passwd, shadow and group from /etc/ to a temporary location.
Edit the copies so that only the normal users remain, that is, remove the system users.
$ vim /usr/share/openldap/migration/migrate_common.ph
Edit these values:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "cse.ust.hk";
# Default base
$DEFAULT_BASE = "dc=lgcpu1";
$ /usr/share/openldap/migration/migrate_passwd.pl ./passwd > people.ldif
Then add the encrypted password from the shadow file to userPassword.
Like this:
userPassword: {crypt}$1$Zlkjsdf…
Then add people.ldif to the LDAP server (with ldapadd, as for top.ldif).
$ /usr/share/openldap/migration/migrate_group.pl ./group > group.ldif
Then add group.ldif to the LDAP server.
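Step 1.4 pastes each user's shadow hash into the migrated people.ldif by hand. The following script is an added example, not part of the original post: it does the same merge with awk over the edited copies, keeps only normal users (uidNumber >= 500) and leaves locked accounts without a userPassword. File paths and the sample data are constructed for the demo.

```shell
# Added example, not from the original post: merge the real hashes from the edited
# shadow copy into the people.ldif written by migrate_passwd.pl, keeping only normal
# users (uidNumber >= 500 on CentOS 5). File paths and sample data are assumptions.
merge_shadow_into_ldif() {      # usage: merge_shadow_into_ldif SHADOW LDIF [MIN_UID]
    awk -v min_uid="${3:-500}" '
        FNR == NR { split($0, f, ":"); hash[f[1]] = f[2]; next }   # first file: shadow copy
        /^uid: /          { user = $2 }
        /^uidNumber: /    { uidnum = $2 + 0 }
        /^userPassword: / { next }       # migrate_passwd.pl copied only the "x" from passwd
        NF                { entry = entry $0 "\n"; next }
        { flush() }                      # blank line ends an LDIF entry
        END { flush() }
        function flush(h) {
            if (entry != "" && uidnum >= min_uid) {
                h = hash[user]
                # "!" or "*" in shadow marks a locked account: keep it but give it no password
                if (h != "" && h !~ /^[!*]/) entry = entry "userPassword: {crypt}" h "\n"
                printf "%s\n", entry
            }
            entry = ""; user = ""; uidnum = 0
        }' "$1" "$2"
}

# Constructed input standing in for the edited shadow copy and the migrated LDIF;
# the hashes are placeholders, not real ones.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:$1$notreal$placeholder:14000:0:99999:7:::' \
        'sample:$1$Zlkjsdf$placeholder:14000:0:99999:7:::' \
        'locked:!!:14000:0:99999:7:::' > "$d/shadow"
    cat > "$d/people.ldif" <<'EOF'
dn: uid=root,ou=People,dc=lgcpu1
uid: root
userPassword: {crypt}x
uidNumber: 0

dn: uid=sample,ou=People,dc=lgcpu1
uid: sample
userPassword: {crypt}x
uidNumber: 507

dn: uid=locked,ou=People,dc=lgcpu1
uid: locked
userPassword: {crypt}x
uidNumber: 508
EOF
    merge_shadow_into_ldif "$d/shadow" "$d/people.ldif"
    rm -rf "$d"
}
```

Running `demo` prints the sample entry with its hash and the locked entry without one; root is dropped as a system account.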
2. NFS server
Edit /etc/exports
/home 10.0.0.1/24(rw)
auto.master.ldif
dn: ou=auto.master,dc=lgcpu1
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/home,ou=auto.master,dc=lgcpu1
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=lgcpu1
cn: /home

dn: cn=/share,ou=auto.master,dc=lgcpu1
objectClass: automount
automountInformation: ldap:ou=auto.misc,dc=lgcpu1
cn: /share
Add auto.master.ldif to the LDAP server.
auto.home.ldif
Add one entry for every user (see section 4 for the per-user entry).
Add auto.home.ldif to the LDAP server.
auto.misc.ldif
Add entries for the common shared directories.
dn: ou=auto.misc,dc=lgcpu1
objectClass: top
objectClass: automountMap
ou: auto.misc
Add auto.misc.ldif to the LDAP server.
3. Client configuration
3.1 Packages installation
# yum install nss_ldap autofs nfs-utils
# chkconfig autofs on
# service rpcbind restart
# service autofs restart
3.2 Configuration
# authconfig-tui
Select like this:
User Information:            Authentication:
[ ] Cache Information        [*] Use MD5 Passwords
[ ] Use Hesiod               [*] Use Shadow Passwords
[*] Use LDAP                 [*] Use LDAP Authentication
[ ] Use NIS                  [ ] Use Kerberos
[ ] Use Winbind              [ ] Use Fingerprint reader
                             [ ] Use Winbind Authentication
                             [*] Local authorization is sufficient
In the next step:
[ ] Use TLS
Server: ldap://10.0.0.2/
Base DN: dc=lgcpu1
3.3 Delete old user entries in:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
4. Add an individual person
Add people.sample.ldif to the LDAP server:
dn: uid=sample,ou=People,dc=lgcpu1
uid: sample
cn: sample
sn: sample
mail: sample@cse.ust.hk
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$encrypted password here
loginShell: /bin/bash
uidNumber: 507
gidNumber: 507
homeDirectory: /home/sample
Add group.sample.ldif to the LDAP server:
dn: cn=sample,ou=Group,dc=lgcpu1
objectClass: posixGroup
objectClass: top
cn: sample
userPassword: {crypt}x
gidNumber: 507
Add auto.home.sample.ldif to the LDAP server:
dn: cn=sample,ou=auto.home,dc=lgcpu1
objectClass: automount
automountInformation: 10.0.0.2:/home/sample
cn: sample
Delete old entries in:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
Create the home directory on the NFS server:
# mkdir /home/sample
# cp -r /etc/skel/.[a-z]* /home/sample/
# chown -R sample: /home/sample/
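The three entries added above (posixAccount, posixGroup and the auto.home automount) have to agree on gidNumber and on the home directory, and a mismatch only shows up later as a failed login or an empty home on the client. The following script is an added example, not from the original post: it cross-checks an LDIF dump of the directory for those relationships. The dump file name and the sample entries for a user "bob" are constructed for the demo.

```shell
# Added example, not from the original post: after adding a person by hand, cross-check an
# LDIF dump of the directory (e.g. ldapsearch -x -D 'cn=manager,dc=lgcpu1' -W -LLL > dump.ldif)
# for the three entries that must agree. Prints one line per problem, nothing when consistent.
check_people_ldif() {                 # usage: check_people_ldif DUMP.LDIF
    awk '
        tolower($1) == "objectclass:" { oc[tolower($2)] = 1; next }
        /^[A-Za-z][^ :]*: / { a[tolower(substr($1, 1, length($1) - 1))] = $2; next }  # attr: value
        NF { next }                                      # other lines are not needed here
        { flush() }                                      # blank line ends an LDIF entry
        END { flush(); report() }
        function flush(u) {
            if ("posixaccount" in oc) {
                u = a["uid"]; uidn[u] = a["uidnumber"] + 0; gid[u] = a["gidnumber"]; home[u] = a["homedirectory"]
            }
            if ("posixgroup" in oc) group[a["gidnumber"]] = a["cn"]
            if ("automount" in oc && a["dn"] ~ /ou=auto\.home,/) mnt[a["cn"]] = a["automountinformation"]
            split("", oc); split("", a)
        }
        function report(u) {
            for (u in uidn) {
                if (uidn[u] < 500) print u ": uidNumber " uidn[u] " is in the system range"
                if (!(gid[u] in group)) print u ": no posixGroup with gidNumber " gid[u]
                if (!(u in mnt)) print u ": no automount entry under ou=auto.home"
                else if (mnt[u] !~ (":" home[u] "$")) print u ": automount " mnt[u] " does not export " home[u]
            }
        }' "$1"
}

# Constructed dump for a user "bob" whose group entry is missing and whose automount
# entry points at a different directory than his homeDirectory.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
dn: uid=bob,ou=People,dc=lgcpu1
uid: bob
objectClass: posixAccount
uidNumber: 600
gidNumber: 600
homeDirectory: /home/bob

dn: cn=bob,ou=auto.home,dc=lgcpu1
objectClass: automount
automountInformation: 10.0.0.2:/home/bob2
cn: bob
EOF
    check_people_ldif "$f"
    rm -f "$f"
}
```

For the complete sample entries from this section the check prints nothing; `demo` reports the two problems with "bob".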
Update history:
Jun. 2, 2010. Changed "chmod" to "chown", which was an error.
22 Feb. 2010. ldapsearch is added.
26 Feb. 2010. Formatted the text.
May 22, 2010. Formatted the text. Service nfs isn't needed on the client side.
Aug. 3, 2010. Updated the slapd.conf file: changed db to bdb and attr to attrs.