How to enable LDAP authentication on SLES9 or SuSE Linux 10.x
This document (3000394) is provided subject to the disclaimer at the end of this document.
SuSE Linux 10.x
Novell eDirectory 8.7.3.x
This TID walks you through the configuration of all necessary components to enable LDAP authentication from a SLES 9 or SuSE Linux 10.x workstation to a SLES 9 server running eDirectory 8.7.3.x
Configuration of the LDAP Server
Verify that eDirectory is installed, running and current with: ndsstat
Verify that the box running eDirectory is a SLES9 server with: cat /etc/SuSE-release
Extend eDirectory with RFC2307 schema. Hint:By default eDirectory places the file at /usr/lib/nds-schema/rfc2307-usergroup.sch on the server when eDirectory is installed.
Creating a Proxy User for Anonymous Binds
When the user authenticates to the Linux box a call is made of eDirectory to validate the existence of the user. This call must have rights to read the directory. There are many ways to facilitate this. The creation of a Proxy User which is allowed to connect without a password is the method shown here.
Create a new user account (for the examples of this document it is called ldapuser) and set the password to null. Do not click Cancel when prompted, but click OK so that Public/Private keys are generated.
In iManager under the Rights Roll | Modify Trustees| select the container where your users reside (or the root of the tree if you wish) and give the proxy user Browse entry rights, and read and compare property rights on the following attributes:
CN, Description, O, OU, Object Class, dc, gecos, gidNumber, homeDirectory, loginShell, memberUid, uidNumber, uniqueID
Add Address of LDAP Servers. This should be the ipaddresses of eDirectory LDAP servers that are going to be communicated with for LDAP authentication. This can be a list of ipaddresses separated by a space.
NOTE: Your mileage May Very with this approach. SLES 9 and SuSE Linux 10.x provide a different interface within YaST for the configuration of the LDAP Client. The Author suggests using the interface and then manually verifying the correct additions were made to the /etc/ldap.conf and the /etc/nsswitch.conf files.
If user home directories are going to be created locally then PAM will need to dynamically create a user home directory. You will just get an error in a text based login, and will not be allowed to login using an X session
Verify the SLES server speaks LDAP :
ldapconfig get -a [eDirectory user to bind as] -w [password] | grep "TCP Port”
example ldapconfig get -a cn=admin.o=novell -w novell | grep "TCP Port"
You should see something like: LDAP TCP Port: 389
If you like, you can just type ldapconfig get and you will be prompted for everything else
Verify LDAP port 389 is available:
Type netstat -an | grep [port found in step 1.1.a]
example. netstat -an | grep 389
There is a simple way to verify that your name service subsystem is using your LDAP server as instructed. Assign a file to be owned by a user that exists only in the LDAP database, not in /etc/passwd. If an ls -l correctly shows the username, then the name service subsystem is consulting the LDAP database; if it just shows the user number, something is wrong. For example, if the user john, with user number 1001, exists only in LDAP, we can try
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:3000394
- Creation Date:03-MAY-07
- Modified Date:27-APR-12
- SUSESUSE Linux Enterprise Server
Did this document solve your problem? Provide Feedback