Changes between Initial Version and Version 1 of PrincetonLDAPAuthentication5


Ignore:
Timestamp:
Aug 2, 2010 4:46:03 PM (9 years ago)
Author:
thomas
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • PrincetonLDAPAuthentication5

    v1 v1  
     1=Princeton LDAP authentication on PU_IAS 5= 
     2 
     3==Quick Configuration== 
     4 
     5The quickest way to configure your PU_IAS 5 installation to use OIT's LDAP servers for authentication is to run the following command as root: 
     6{{{ 
     7#!sh 
     8authconfig --update --enableldap --enableldapauth --enableldaptls \ 
     9--ldapserver="ldap.princeton.edu,ldap2.princeton.edu,ldap3.princeton.edu,ldap4.princeton.edu,ldap5.princeton.edu" \ 
     10--ldapbasedn="o=Princeton University,c=US" --enablecache 
     11}}} 
     12 
     13This will configure your machine to use ldap directory for its user information service as well as for authentication.  Note that after this change anyone with Princeton ID will be able to login to your workstation.  
     14 
     15You can change the above line to achieve various goals.  E.g. you could use OIT LDAP servers just for authentication and add user information locally yourself - just drop --enableldap option. 
     16 
     17Recomended changes to default configuration 
     18The authconfig unnecessarily adds ldap to protocols, services, netgroup and automount.  It would be good to remove ldap in all those lines in /etc/nsswitch.conf.  As OIT's ldap server doesn't seem to contain Unix groups then it is safe to do the same with the group entry (i.e. drop ldap from group line). 
     19 
     20If you do not remove ldap from group entry in nsswitch.conf then do add: 
     21{{{ 
     22#!sh 
     23nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman 
     24}}} 
     25(if not there already) to /etc/ldap.conf. 
     26Restrict by department 
     27If you would like to restrict logins to only your department modify /etc/ldap.conf by modifying or adding a line like: 
     28{{{ 
     29nss_base_passwd o=Princeton University,c=US?one?ou=Mathematics 
     30}}} 
     31The last part of the above line, after last "?" is the ldap search criteria that you could use to limit who can login to your workstation.  E.g. you can find out about other ldap attributes you might be able to use by looking at a detailed search result: 
     32{{{ 
     33ldapsearch -x '(uid=sample_user_name)' 
     34}}} 
     35Password changes 
     36You can instruct your users that they should be using pysnch to change their passwords by adding the following line to /etc/ldap.conf: 
     37{{{ 
     38pam_password_prohibit_message Please visit http://psynch.princeton.edu/ to change your password. 
     39}}}