This section provides a brief overview of how to configure a Red Hat Linux
system to authenticate using OpenLDAP. Unless you are an OpenLDAP
expert, you will probably need more documentation than is provided here.
Please refer to the references provided in the Section called Additional Resources for more information.
Install the Necessary LDAP Packages
First, you should make sure that the appropriate packages are
installed on both the LDAP server and the LDAP client machines. The
LDAP server needs the openldap-server package.
The LDAP client machines need the following packages installed:
openldap, openldap-clients,
and nss_ldap.
Edit the Configuration Files
On the Server, Edit slapd.conf
Edit the /etc/openldap/slapd.conf file on the
LDAP server to make sure it matches the specifics of your
organization. Please refer to the Section called slapd.conf for instructions on editing
slapd.conf.
On the Clients, Edit /etc/ldap.conf and /etc/openldap/ldap.conf
On all client machines, both /etc/ldap.conf (read by nss_ldap and
pam_ldap) and /etc/openldap/ldap.conf (read by the OpenLDAP client
library) need to contain the proper server and search base information
for your organization.
The simplest way to do this is to run the
authconfig application and select
Use LDAP on the User Information
Configuration screen.
You can also edit these files by hand. If the LDAP server is reached over
a network you do not fully trust, also enable TLS in these files
(ssl start_tls together with tls_cacertfile in /etc/ldap.conf;
TLS_CACERT and TLS_REQCERT in /etc/openldap/ldap.conf): without it, a
simple bind sends the user's password to the server in cleartext.
On the Clients, Edit /etc/nsswitch.conf
On all client machines, the /etc/nsswitch.conf
must be edited to use LDAP.
The simplest way to do this is to run the
authconfig application and select
Use LDAP on the User Information
Configuration screen.
If editing /etc/nsswitch.conf by hand, add
ldap to the appropriate fields. Keep files listed first, so that local
accounts such as root still resolve when the directory server is
unreachable.
For example:
passwd: files ldap
shadow: files ldap
group: files ldap
PAM and LDAP
To have standard PAM-enabled applications use LDAP for
authentication, run authconfig and select
Use LDAP Authentication on the
Authentication Configuration screen. For more
on configuring PAM, consult Chapter 7 and the PAM man
pages.
Migrating Old Authentication Information to LDAP Format
The /usr/share/openldap/migration/ directory
contains a set of shell and Perl scripts for migrating
authentication information into LDAP format.
Note: You must have Perl installed on your system to use these scripts.
First, you will need to modify the
migrate_common.ph file so that it reflects your
domain. The default mail domain ($DEFAULT_MAIL_DOMAIN) should be changed
from its default value to your own, for example:
$DEFAULT_MAIL_DOMAIN = "your_company.com";
The default base should also be changed, to something like:
$DEFAULT_BASE = "dc=your_company,dc=com";
The job of migrating a user database into a format LDAP can read falls
to a group of migration scripts installed with the
nss_ldap package. Using Table 18-1, decide which script to run in order
to migrate your user database.
Table 18-1. LDAP Migration Scripts
| Existing name service | Is LDAP running? | Script to Use |
|---|---|---|
| /etc flat files | yes | migrate_all_online.sh |
| /etc flat files | no | migrate_all_offline.sh |
| NetInfo | yes | migrate_all_netinfo_online.sh |
| NetInfo | no | migrate_all_netinfo_offline.sh |
| NIS (YP) | yes | migrate_all_nis_online.sh |
| NIS (YP) | no | migrate_all_nis_offline.sh |
Run the appropriate script based on your existing name service and on
whether slapd is running: the online scripts load the converted data
into the running server with ldapadd, while the offline scripts write
it directly into the database with slapadd and require slapd to be
stopped.
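What the migration produces, as an added example that is not one of the nss_ldap migration scripts: a shell function that turns /etc/passwd lines into LDIF entries of the same shape migrate_passwd.pl emits (one posixAccount per user under ou=People), so the output of a migration can be reviewed before it is loaded with ldapadd or slapadd. The sample passwd lines are constructed, and the base DN dc=example,dc=com, the ou=People container and the UID cutoff of 500 are assumptions.

```shell
#!/bin/sh
# Added example, not one of the nss_ldap migration scripts. Converts
# passwd-format lines on stdin into LDIF entries under ou=People,BASE.
# The container name and the default UID cutoff are assumptions.

# passwd_to_ldif BASE [MIN_UID] < passwd_file
passwd_to_ldif() {
    awk -F: -v base="$1" -v min="${2:-500}" '
    # Skip comments, malformed lines and accounts below the UID cutoff;
    # system accounts normally stay in the local files.
    /^#/ || NF < 7 { next }
    $3 + 0 < min   { next }
    {
        # uid values containing DN-special characters (comma, plus, quote,
        # backslash, angle brackets, semicolon, leading #) would need
        # escaping in the dn line; plain account names do not.
        printf "dn: uid=%s,ou=People,%s\n", $1, base
        printf "uid: %s\n", $1
        # GECOS may hold "Full Name,room,phone"; the name part becomes cn,
        # falling back to the login name when it is empty.
        split($5, g, ",")
        printf "cn: %s\n", (g[1] == "" ? $1 : g[1])
        print "objectClass: account"
        print "objectClass: posixAccount"
        print "objectClass: top"
        printf "uidNumber: %s\n", $3
        printf "gidNumber: %s\n", $4
        printf "homeDirectory: %s\n", $6
        printf "loginShell: %s\n", $7
        # Password hashes live in /etc/shadow; a full migration joins them
        # in as userPassword: {crypt}<hash>. They are deliberately not
        # emitted here so the LDIF can be reviewed without exposing hashes.
        print ""
    }'
}

# count_entries < ldif: number of entries (dn: lines) in an LDIF stream.
count_entries() {
    grep -c '^dn: '
}

# Constructed sample input, not a real system's passwd file.
SAMPLE_PASSWD='# local accounts
root:x:0:0:root:/root:/bin/bash
alice:x:501:501:Alice Example,Room 1:/home/alice:/bin/bash
bob:x:502:502::/home/bob:/bin/sh'

# Example run:
#   printf "%s\n" "$SAMPLE_PASSWD" | passwd_to_ldif "dc=example,dc=com"
```

Reviewing the LDIF this way before loading it is worthwhile: once entries are in the directory, every client that lists ldap in nsswitch.conf will see them, so a stray system account or a wrong uidNumber propagates to the whole network.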
The README and the
migration-tools.txt files in the
/usr/share/openldap/migration directory provide
more details on how to migrate the information.