
Does any official installation documentation exist about how to set up an LDAP server that I can connect my clients to with authconfig? I will be using CentOS 6 and RHEL 6.1.

What I can find is this. But I don't need to learn how to restart the services; I'd rather like to know what kind of stuff I need to enter in my LDIF files, any SELinux things that need to be done, how to execute the authconfig tool, and the stuff that people write in their how-to blogs.

Does anything like that exist? Or do I need to get that information from outdated blogs, by reading Linux man pages, and maybe from openldap.org, which has way too much information about things I don't need to know to set up authentication?

Arlukin
  • What are you trying to do in this? Are you looking to do some sort of LDAP authentication? – Rilindo Oct 17 '11 at 18:43
  • Set up a central LDAP server that stores users and groups, and then connect my Linux clients to that server. With something like this: authconfig --enableldap --enableldaptls --enableldapauth --disablenis --enablecache --enablemkhomedir --enablelocauthorize --ldapserver=10.100.x.x --ldapbasedn="dc=example,dc=com" --updateall – Arlukin Oct 17 '11 at 19:00

1 Answer


The answer, of course, depends on what you are trying to achieve, which you have not told us. The official documentation has plenty of operational details and is IMHO quite comprehensive. For details on the authentication configuration see Chapter 10 of the RHEL deployment guide.

Unfortunately the documentation won't tell you how to design and populate a proper Directory Information Tree (DIT) for your organisation or your needs. It seems this is your problem. Designing a DIT is hard if you have never done it before. You first and foremost need to exactly know, and properly define, which pieces of information you are going to save in the tree (users, groups, machines, ...?). Then think about which applications (Apache, Postfix, NSS, PAM, ...?) need to access those pieces of information and how. This also means learning to use the LDAP tools properly. You also need to learn how objects in a DIT are constructed, i.e. what are the different attributes, what does it mean when an object has an objectClass of inetOrgPerson, how LDAP filters work, etc.

There are a few books out there which discuss such things, and I have learned much from Matt Butcher's Mastering OpenLDAP, but also from the OpenLDAP mailing lists. Ask useful questions there and you will get useful replies.

I don't think I can tell you much more without more details from you.

daff
  • You are right, it's the DIT I'd like to get help with. And it's mainly the /etc/passwd and /etc/group info I'd like to store in a central place, using PAM/authconfig on the clients. But you are confirming what I have felt since I set up OpenLDAP (from blog info here and there) on CentOS 5.x a year ago: you need to learn a lot to do this simple thing. And either you don't get enough information, or you get too much information, or the information is old =) – Arlukin Oct 17 '11 at 19:13
  • BTW, I have my own working script for this on CentOS 5.x (https://github.com/systemconsole/syco/blob/master/bin/public/installLdap.py). This question was generated by my frustration about finding easily grasped official info about installing it on CentOS 6, which uses a slightly different setup. – Arlukin Oct 17 '11 at 19:17
  • Well, LDAP is hardly a simple thing, even if you only store user and group information in the tree. The queries against the tree may be simple but only because much work has to be put into designing the tree properly beforehand (it's the same thing with an RDBMS, BTW). But I have felt the same way a year ago. LDAP is seemingly very common, yet there is little comprehensive information to be found for the uninitiated. That's why I bought Matt Butcher's book. It clears many things up, even though by now it is a bit out of date (on the OpenLDAP specific stuff, not on general LDAP concepts). – daff Oct 17 '11 at 19:27
  • I have now done some of my homework and read a lot of blogs and man pages, and I am starting to get a grasp of how it works. My feeling now is that it shouldn't need to be this hard to get started with an LDAP server. I think the official documentation is LDAP's biggest problem. The technology looks solid and good. I wrote down all my conclusions in this post: http://serverfault.com/questions/323497/how-do-i-configure-ldap-on-centos-6-for-user-authentication-in-the-most-secure-a/323569#323569 – Arlukin Oct 21 '11 at 08:36
  • In my experience it's not an "LDAP problem", it's more a problem of figuring out what poorly documented applications expect from a DIT. – fuero Feb 06 '13 at 07:28
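To make the answer's point concrete (how objects in a DIT are constructed, which objectClass an entry carries and which attributes an NSS/PAM client reads from it, and how a search filter is built), here is an added example applied to the /etc/passwd and /etc/group data the asker wants to centralise. It is not code from this thread, from authconfig or from the OpenLDAP project; the base DN dc=example,dc=com, the ou=People/ou=Groups containers, the function names and the sample passwd/group lines are all assumptions constructed for illustration.

```python
"""Added example (not from the Server Fault thread): build the posixAccount and
posixGroup entries that NSS/PAM LDAP clients expect from /etc/passwd and
/etc/group style records, serialise them as LDIF, and build a correctly
escaped search filter for the lookup a client performs.

Assumptions: base DN dc=example,dc=com with ou=People and ou=Groups
containers (conventional layout, not prescribed by the thread); attribute
values are plain ASCII, so the base64 form of LDIF is not needed.
"""

BASE_DN = "dc=example,dc=com"          # assumed base DN
PEOPLE_OU = f"ou=People,{BASE_DN}"     # assumed container for user entries
GROUPS_OU = f"ou=Groups,{BASE_DN}"     # assumed container for group entries


def passwd_to_entry(line):
    """Map one /etc/passwd line to the attributes of a posixAccount entry.

    The seven passwd fields map onto uid, uidNumber, gidNumber, cn (gecos),
    homeDirectory and loginShell; the password hash is deliberately not copied,
    it belongs in userPassword and should be set by the admin, not migrated.
    """
    name, _hash, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    return {
        "dn": f"uid={name},{PEOPLE_OU}",
        # account is the structural class; posixAccount/shadowAccount come from
        # nis.schema and carry the fields NSS and PAM read.
        "objectClass": ["top", "account", "posixAccount", "shadowAccount"],
        "uid": name,
        "cn": gecos or name,
        "uidNumber": uid,
        "gidNumber": gid,
        "homeDirectory": home,
        "loginShell": shell,
    }


def group_to_entry(line):
    """Map one /etc/group line to the attributes of a posixGroup entry."""
    name, _hash, gid, members = line.rstrip("\n").split(":")
    entry = {
        "dn": f"cn={name},{GROUPS_OU}",
        "objectClass": ["top", "posixGroup"],
        "cn": name,
        "gidNumber": gid,
    }
    if members:
        # secondary group membership is one memberUid value per member
        entry["memberUid"] = members.split(",")
    return entry


def to_ldif(entry):
    """Serialise an entry dict as LDIF: dn first, then one line per value."""
    lines = [f"dn: {entry['dn']}"]
    for attr, value in entry.items():
        if attr == "dn":
            continue
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    The characters * ( ) \\ and NUL are replaced by \\xx hex escapes so that a
    value taken from user input cannot change the structure of the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def user_lookup_filter(username):
    """The filter an NSS client sends for getpwnam(): an AND of an objectClass
    test and an exact uid match, with the username escaped."""
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(username)}))"


# Constructed sample records, in /etc/passwd and /etc/group format.
SAMPLE_PASSWD = "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash"
SAMPLE_GROUP = "admins:x:1001:alice,bob"

if __name__ == "__main__":
    print(to_ldif(passwd_to_entry(SAMPLE_PASSWD)))
    print(to_ldif(group_to_entry(SAMPLE_GROUP)))
    print(user_lookup_filter("alice"))
```

The LDIF the script prints is what you would hand to ldapadd after the ou=People and ou=Groups containers exist; the escaping in user_lookup_filter is the detail that matters when the username comes from an untrusted source such as a login prompt, since an unescaped value containing parentheses or an asterisk would change which entries the filter matches.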