wiki:PrincetonLDAPAuthentication5

Princeton LDAP authentication on PU_IAS 5

Quick Configuration

The quickest way to configure your PU_IAS 5 installation to use OIT's LDAP servers for authentication is to run the following command as root:

authconfig --update --enableldap --enableldapauth --enableldaptls \
--ldapserver="ldap.princeton.edu,ldap2.princeton.edu,ldap3.princeton.edu,ldap4.princeton.edu,ldap5.princeton.edu" \
--ldapbasedn="o=Princeton University,c=US" --enablecache

This will configure your machine to use ldap directory for its user information service as well as for authentication. Note that after this change anyone with Princeton ID will be able to login to your workstation.

You can change the above line to achieve various goals. E.g. you could use OIT LDAP servers just for authentication and add user information locally yourself - just drop --enableldap option.

Recomended changes to default configuration The authconfig unnecessarily adds ldap to protocols, services, netgroup and automount. It would be good to remove ldap in all those lines in /etc/nsswitch.conf. As OIT's ldap server doesn't seem to contain Unix groups then it is safe to do the same with the group entry (i.e. drop ldap from group line).

If you do not remove ldap from group entry in nsswitch.conf then do add:

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman

(if not there already) to /etc/ldap.conf. Restrict by department If you would like to restrict logins to only your department modify /etc/ldap.conf by modifying or adding a line like:

nss_base_passwd o=Princeton University,c=US?one?ou=Mathematics

The last part of the above line, after last "?" is the ldap search criteria that you could use to limit who can login to your workstation. E.g. you can find out about other ldap attributes you might be able to use by looking at a detailed search result:

ldapsearch -x '(uid=sample_user_name)'

Password changes You can instruct your users that they should be using pysnch to change their passwords by adding the following line to /etc/ldap.conf:

pam_password_prohibit_message Please visit http://psynch.princeton.edu/ to change your password.
Last modified 7 years ago Last modified on Aug 2, 2010 4:46:41 PM