[Techtalk] Re: [Newchix] OpenLDAP Client configuration???? no clue

Devdas Bhagat devdas at dvb.homelinux.org
Sat Oct 23 06:59:46 EST 2004

On 21/10/04 08:59 +1000, Karina wrote:

Sending to Techtalk. Reply-To set, please reply to list only. Hitting
Reply on this message should be sufficient.

Reply contents inline.

> <smile> thank you Devdas,
> The purpose of the Linux "dumb terminal" is for students to log into the
> web mail and surf the web in a central location.
> We would like them to log into the machines with their e-mail user name
> and password, located in LDAP.
> And we would like to keep it as simple as possible.

This is mostly a kiosk mode requirement, with the additional requirement
of authentication from a directory server for the initial access.

> I have managed to set up the details for the LDAP Client, using the LDAP
> Client setup within YaST, the GUI configuration tool, and I am now at a
> section that requires me to do Module Configuration, where I edit the
> attributes and values.
> Which I think is a good place to be <smile>

So have you managed to get the authentication with LDAP working?
I /could/ tell you here about the generic way of implementing LDAP
authentication, but I suspect that with the skill level you claim, my
explanation is going to fly right over your head.
This isn't meant to disparage/discourage you, but LDAP on Linux isn't 
the easiest thing to do without a friendly client, and I have no YaST

My favorite tool is the Java based LDAP browser at
http://www.iit.edu/~gawojar/ldap/download.html .

> Within the eMac LDAP configuration we had to do the attributes mapping 
> we could import them with an ldif file, and once we got that sorted, we 
> were able to copy it over to the other macs...

The same configuration /should/ work on Linux. Actually, for your
purposes you should not need to have any LDIF files floating around.

> As I am kind of new to Linux, in the sense that I have almost no clue
> where the configuration files are, and I have limited skills in creating
> scripts, I decided to search and find resources to help me along...

Authenticating from LDAP (or any networked service) involves setting up
the authentication server and loading the relevant data into it. The
next step is to configure the client to do that.

I will assume that your centralized directory has already been set up and
works, with relevant accounts already entered in.

The config file you need to edit is /etc/ldap.conf. There may be
friendly frontends to this, but you should be able to figure those out.

Parameters in /etc/ldap.conf are whitespace separated.
# starts a comment, which continues till the end of the line.

The important parameters you need to set:

host	<hostname or IP of the LDAP server>
base	<the basedn of your directory>

For most purposes, the remaining parameters should be valid. That,
however, will depend on the configuration of your directory server and
the specific objectclasses and attributes you are using.

Then add to the /etc/pam.d/system-auth (or equivalent config file on
SuSE) (lines will wrap)

auth        sufficient    /lib/security/pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password    sufficient    /lib/security/pam_ldap.so use_authtok
session     optional      /lib/security/pam_ldap.so

You may have to change the use_first_pass directive on the first line to
try_first_pass for authentication to work.

Once you have LDAP authentication working from a normal PC, then you can
work on the Kiosk part of the setup.

I hope this helps

Devdas Bhagat

> newchix mailing list was my first step... and I am still learning <smile>
> I have posted this in techtalk as well.
> Thank you again for your reply.
> Devdas Bhagat wrote:
> >On 20/10/04 12:02 +1000, Karina wrote:
> >
> >>Hello all,
> >>
> >>just wondering if anyone can help me here,
> >>I am looking to set up some Linux desktop machines for basic "dumb
> >>terminal" usage with authentication to the LDAP server...
> >
> >Since you are asking on newchix rather than techtalk, I will assume that
> >you aren't really familiar with Linux, or Unix.
> >
> >>and I have No clue where to start looking.
> >
> >Depending on the purpose of the setup, you may find the Linux Terminal
> >Server Project ( http://www.ltsp.org/ ), or the Kiosk mode setups
> >(http://kiosk.mozdev.org/ or http://www.kde.org/997748764/ )
> >
> >>I am using SuSE 9.1, and I have set YaST Ldap client with the
> >>appropriate details and well that is as far as I have managed to get...
> >
> >You appear to have two requirements:
> >
> >Single sign on with LDAP
> >Terminal servers/dumb terminals/diskless nodes
> >
> >Given the disclaimer I trimmed, I have no real idea of the purpose
> >behind these systems, but if you can provide some details of the
> >intended purpose of the systems, I think we could help you better.
> >
> >Devdas Bhagat
> >_______________________________________________
> >Newchix mailing list
> >Newchix at linuxchix.org
> >http://mailman.linuxchix.org/mailman/listinfo/newchix
> >'Reply' goes to the original sender. Use 'reply-to-list' if it's available.
> >
> -- 
> UTS CRICOS Provider Code:  00099F
> DISCLAIMER: This email message and any accompanying attachments may contain
> confidential information.  If you are not the intended recipient, do not
> read, use, disseminate, distribute or copy this message or attachments.  If
> you have received this message in error, please notify the sender immediately
> and delete this message. Any views expressed in this message are those of the
> individual sender, except where the sender expressly, and with authority,
> states them to be the views the University of Technology Sydney. Before
> opening any attachments, please check them for viruses and defects.
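As an added example (not part of this mail thread or of any SuSE or pam_ldap tool), a small Python checker for the two files Devdas describes above: it parses /etc/ldap.conf in the format he gives (whitespace-separated parameters, `#` comments to end of line) to confirm `host` and `base` are set, and parses the /etc/pam.d/system-auth lines to confirm pam_ldap.so is present in all four stacks and which of use_first_pass/try_first_pass the auth line carries. The server name, basedn and both config samples are constructed placeholders.

```python
import re

# Constructed sample /etc/ldap.conf (server name and basedn are placeholders).
# Parameters are whitespace separated; '#' starts a comment to end of line.
SAMPLE_LDAP_CONF = """\
host    ldap.example.invalid     # hostname or IP of the LDAP server
base    dc=example,dc=invalid    # the basedn of your directory
"""
# Constructed /etc/pam.d/system-auth fragment: the four pam_ldap lines from
# the mail, one per line (unwrapped).
SAMPLE_PAM_STACK = """\
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password    sufficient    /lib/security/pam_ldap.so use_authtok
session     optional      /lib/security/pam_ldap.so
"""
REQUIRED_LDAP_PARAMS = ("host", "base")
PAM_TYPES = ("auth", "account", "password", "session")
# PAM line: type, control (one word or a [bracketed] list that may contain
# spaces), module path, then optional module arguments.
_PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_ldap_conf(text):
    """{parameter: value}; the name is the first token, the value the rest of the line."""
    params = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comment, split name/value
        if parts:
            params[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return params

def missing_ldap_params(params):
    """Required parameters that are absent or empty."""
    return [p for p in REQUIRED_LDAP_PARAMS if not params.get(p)]

def parse_pam_stack(text):
    """List of (type, control, module, args) tuples; '#' comments skipped."""
    matches = (_PAM_LINE.match(raw.split("#", 1)[0].strip()) for raw in text.splitlines())
    return [(m.group(1).lower(), m.group(2), m.group(3), m.group(4).split()) for m in matches if m]

def pam_ldap_missing_types(entries):
    """Stack types among the four that do not yet reference pam_ldap.so."""
    present = {t for t, _, mod, _ in entries if mod.endswith("pam_ldap.so")}
    return [t for t in PAM_TYPES if t not in present]

def auth_pass_option(entries):
    """use_first_pass or try_first_pass on the pam_ldap auth line, else None."""
    for t, _, mod, args in entries:
        if t == "auth" and mod.endswith("pam_ldap.so"):
            return next((o for o in ("use_first_pass", "try_first_pass") if o in args), None)
    return None
```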
