Re: [K12OSN] First crack at ldap "automagic" packages

Martin Stevens (stevens@chace.enfield.sch.uk)
Thu, 17 Apr 2003 13:29:54 +0100


Will these work on a k12lstp3.10 or just a plain RH9 installation ?


Sent: Wednesday, April 16, 2003 5:45 AM
Subject: [K12OSN] First crack at ldap "automagic" packages



The URL says it all:

  ftp://k12linux.mesd.k12.or.us/pub/donotuse/

Do not even think about using these packages unless you _want_ to reduce
your computer into a smoking rubble of useless bits ;-)

If you make it this far and still want more...


I compiled the test packages for RH9 only; if you're going to play with
these it is safe to assume that you are already running RH9. Otherwise
you are clueful enough to grab the SRPMS and build them on an earlier
version.

If you make it this far and still want more...


Install the ldap-scripts package first. I'm working on the assumption
that there will be one LDAP server and several other servers that will
authenticate off the LDAP server. Build the LDAP server first. After
you install the ldap-scripts package on the to-be LDAP server, run:

/usr/share/ldap-config/configureldap-server

Answer/confirm the questions the script asks. Bug #1: having a period "."
in your password will generate a bad password. Stick with just alphanumeric
characters for now.

Once that is done, remove all existing samba packages and then install
the samba-ldap-* versions. The samba-ldap-* versions are intentionally
hostile to the normal samba packages; I don't want people installing
the LDAP versions by mistake - you have to go out of your way to
get them installed.

You probably want to reboot at this point, some things won't pick up
the massive changes you just did without a reboot (GDM in particular).

If you had pre-existing samba accounts, you can edit smb.conf to suit
your needs, restart samba, and test it out.

If you did not have pre-existing samba accounts, you'll have to reset
user's passwords before they can authenticate with samba. You'll
need to use the directory_administrator program to change the passwords,
so install that now & run it. All other applications will authenticate
w/o a problem.

When adding new users, or modifying existing users, be sure to select
"This user participates in a SAMBA domain"  - otherwise they will not
have samba-compatible passwords generated.


Now that you know the LDAP server is working well, you can convert
other servers to authenticate off the LDAP server. The process is the
same, except after installing the ldap-scripts package you will want
to run this script:

/usr/share/ldap-config/configureldap-client

rather than the configureldap-server script.


Other notes: if you prefer command line utilities to the gui stuff,
there are "ldap enabled" clones of useradd, userdel, groupadd, etc.
available in /usr/sbin/useradd-ldap, /usr/sbin/groupadd-ldap, etc.
Using the commandline utilities,

Changing passwords works from the command line works, but you have
to run both "password" and "smbpassword" to make sure both the system
and samba passwords are correct.


The first time a user logs in after having an account added to
LDAP, they need to login to a program that has root access - such as
samba or gdm/kdm. Otherwise the program won't be able to create the
home directory for the user and their login will likely fail.

It also appears that upgrading from an earlier version of RH to RH9
does add the necessary magic to do the automagic creation of home
directories. If you did an upgrade, append this line to
/etc/pam.d/system-auth

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022


I'm sure there are many, many more deadly bugs and gotchas...

-Eric



_______________________________________________
K12OSN mailing list
K12OSN@redhat.com
https://listman.redhat.com/mailman/listinfo/k12osn
For more info see 
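Added example, not part of Eric's post or of the ldap-scripts package: a small POSIX sh helper that appends the pam_mkhomedir session line from the post to a PAM file only if no pam_mkhomedir session line is already there, so running it twice after an upgrade does not stack duplicate directives. The PAM file path is a parameter, and the script runs against a constructed copy modelled on an RH9-style system-auth rather than the live /etc/pam.d/system-auth (the sample's module paths and order are assumptions, not taken from the package).

```shell
#!/bin/sh
# Added example (not from the original post). Idempotently ensure the
# "session required pam_mkhomedir.so ..." line is present in a PAM file.

# ensure_mkhomedir FILE: append the line unless a pam_mkhomedir session
# directive already exists. Prints "appended" or "already present".
ensure_mkhomedir() {
    pamfile="$1"
    if grep -q '^session[[:space:]].*pam_mkhomedir\.so' "$pamfile"; then
        echo "already present"
        return 0
    fi
    # Guard against a file whose last line has no trailing newline, which
    # would otherwise glue our directive onto the previous line.
    if [ -n "$(tail -c1 "$pamfile")" ]; then
        printf '\n' >> "$pamfile"
    fi
    printf 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022\n' >> "$pamfile"
    echo "appended"
}

# count_mkhomedir FILE: number of session lines referencing pam_mkhomedir
# (a value other than 1 after running ensure_mkhomedir means something is off).
count_mkhomedir() {
    grep -c '^session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Constructed sample (assumption): an RH9-style system-auth with LDAP
# stacked next to pam_unix, but lacking the pam_mkhomedir session line.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
EOF

# Stand-alone run: first call appends, second call is a no-op.
ensure_mkhomedir "$sample"
ensure_mkhomedir "$sample"
echo "pam_mkhomedir session lines: $(count_mkhomedir "$sample")"
```

To apply it to a real box you would pass /etc/pam.d/system-auth as the argument (as root) instead of the constructed sample; the grep pattern deliberately matches any existing pam_mkhomedir session line, with or without the /lib/security/ prefix, so a line that was already installed with different options is reported rather than duplicated.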
