This section provides a brief overview of how to configure your Red Hat Linux
system to authenticate using OpenLDAP.
Unless you are an OpenLDAP expert, you will
probably need more documentation than is provided here. Please refer to
the references provided in the Section called Additional Resources for more
information.
First, you should make sure that the appropriate packages are
installed on both the LDAP server and the LDAP client machines. The
LDAP server needs the openldap-server package.
The LDAP client machines need the following packages installed:
openldap, openldap-clients,
auth_ldap, and nss_ldap.
Next, edit the /etc/openldap/slapd.conf file to
make sure it matches the specifics of your organization.
Please refer to the Section called slapd.conf for
instructions on editing slapd.conf.
Edit the ldap.conf file on the LDAP server and
clients.
Edit /etc/ldap.conf, the configuration file for
nss_ldap and pam_ldap, to
reflect your organization and search base. The file
/etc/openldap/ldap.conf is the configuration
file for the command line tools such as
ldapsearch and
ldapadd, and it will also need to be edited
for your LDAP setup. Client machines will need to have both of
these files modified.
To use nss_ldap, you will need to add
ldap to the appropriate fields in
/etc/nsswitch.conf. (Be very careful when
editing this file; be sure that you know what you are doing.) For
example:
```
passwd: files ldap
shadow: files ldap
group: files ldap
```
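The following shell snippet is an added example, not part of the original Red Hat manual. It makes the nsswitch.conf change just described in an idempotent way and keeps `files` ahead of `ldap`, so local accounts (root in particular) still resolve when the LDAP server is unreachable. The function names `enable_ldap_in_nsswitch` and `nss_sources` and the sample file are assumptions introduced here; on a real client you would point it at /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example (not from the original manual): append "ldap" to the passwd,
# shadow and group databases of an nsswitch.conf-style file, only where it is
# missing, and leave every other line untouched.

# enable_ldap_in_nsswitch FILE
#   Rewrites FILE in place. "files" stays first so local lookups keep working
#   if the LDAP server is down.
enable_ldap_in_nsswitch() {
    file=$1
    tmp="$file.tmp.$$"
    awk '
        $1 == "passwd:" || $1 == "shadow:" || $1 == "group:" {
            has_ldap = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") has_ldap = 1
            if (!has_ldap) $0 = $0 " ldap"
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# nss_sources FILE DB
#   Prints the source list configured for database DB, e.g. "files ldap".
nss_sources() {
    awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Constructed sample standing in for /etc/nsswitch.conf.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
passwd:     files
shadow:     files
group:      files ldap
hosts:      files dns
EOF

enable_ldap_in_nsswitch "$SAMPLE"
cat "$SAMPLE"          # passwd and shadow gain "ldap"; group and hosts unchanged
rm -f "$SAMPLE"
```

After editing the real file, `getent passwd <some_ldap_user>` is the quick check that nss_ldap is consulted; it should return the entry even though the user is absent from /etc/passwd.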
To have standard PAM-enabled applications use LDAP for
authentication, run authconfig and select
Use LDAP. (PAM is beyond the scope of this
LDAP overview, so if you need help, consult Chapter 8 and the PAM man pages.)
The /usr/share/openldap/migration directory
contains a set of shell and Perl scripts for migrating your old
authentication information into LDAP format. (You must have Perl
installed on your system to use these scripts.)
First, you will need to modify the
migrate_common.ph file so that it reflects your
domain. The default DNS domain should be changed from:
```
$DEFAULT_MAIL_DOMAIN = "padl.com";
```
to something like:
```
$DEFAULT_MAIL_DOMAIN = "your_company.com";
```
The default base should also be changed, from:
```
$DEFAULT_BASE = "dc=padl,dc=com";
```
to something like:
```
$DEFAULT_BASE = "dc=your_company,dc=com";
```
Next, decide which script to use based on Table 19-1.
Table 19-1. LDAP Migration Scripts
| Existing name service | Is LDAP running? | Script to Use |
|---|---|---|
| /etc flat files | yes | migrate_all_online.sh |
| /etc flat files | no | migrate_all_offline.sh |
| NetInfo | yes | migrate_all_netinfo_online.sh |
| NetInfo | no | migrate_all_netinfo_offline.sh |
| NIS (YP) | yes | migrate_all_nis_online.sh |
| NIS (YP) | no | migrate_all_nis_offline.sh |
Run the appropriate script based on your existing name service.
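As an added example, not part of the original manual or of the PADL migration tools, the snippet below makes the two migrate_common.ph edits described above from a single DNS domain. It derives the base DN the way the manual's example does (your_company.com becomes dc=your_company,dc=com), which generalizes to any number of labels. The function names `domain_to_base_dn`, `set_migration_defaults` and `migration_default` and the sample file are assumptions; on a real server you would run it against a copy of /usr/share/openldap/migration/migrate_common.ph and check the values before running any migrate_all_*.sh script.

```shell
#!/bin/sh
# Added example (not from the original manual): set $DEFAULT_MAIL_DOMAIN and
# $DEFAULT_BASE in a migrate_common.ph file from one DNS domain.

# domain_to_base_dn DOMAIN
#   Prints the base DN for DOMAIN, one dc= component per label:
#   example.org -> dc=example,dc=org
domain_to_base_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# set_migration_defaults FILE DOMAIN
#   Rewrites the two default assignments in FILE in place.
set_migration_defaults() {
    file=$1
    domain=$2
    base=$(domain_to_base_dn "$domain")
    tmp="$file.tmp.$$"
    # \\\$ reaches sed as \$ so the dollar is matched literally.
    sed -e "s|^\\\$DEFAULT_MAIL_DOMAIN = \".*\";|\$DEFAULT_MAIL_DOMAIN = \"$domain\";|" \
        -e "s|^\\\$DEFAULT_BASE = \".*\";|\$DEFAULT_BASE = \"$base\";|" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# migration_default FILE NAME
#   Prints the quoted value assigned to $NAME in FILE, for checking before
#   any migration script is run.
migration_default() {
    sed -n "s|^\\\$$2 = \"\(.*\)\";.*|\1|p" "$1"
}

# Constructed excerpt standing in for migrate_common.ph.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_BASE = "dc=padl,dc=com";
EOF

set_migration_defaults "$SAMPLE" "your_company.com"
cat "$SAMPLE"
rm -f "$SAMPLE"
```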
The README and the
migration-tools.txt files in
/usr/share/openldap/migration provide more
details on how to migrate the information.