Unified Linux Login and Home Using OpenLDAP and NFS

This post introduces how to unify Linux login and home directories across machines using OpenLDAP and NFS/automount.

0. System environment

This solution is tested on Fedora 12 systems and CentOS 5.

LDAP and NFS server:
IP: 10.0.0.2
OS: Fedora 12 x86_64
ldap base dn: "dc=lgcpu1"

Clients:
IP: 10.0.0.1/24
OS: Fedora 12 x86_64

1. LDAP server

Package installation:

# yum install openldap-servers
# /sbin/chkconfig ldap on
# /sbin/service ldap start

Edit /etc/openldap/slapd.conf and add or edit these configurations:

include    /etc/openldap/schema/redhat/autofs.schema

#########################################################
# ldbm and/or bdb database definitions
#########################################################

database    bdb
suffix      "dc=lgcpu1"
checkpoint      1024 15
rootdn      "cn=Manager,dc=lgcpu1"

rootpw      {crypt}x

# Access Control
access to attrs=userPassword
  by self                               write
  by anonymous                          auth
  by dn="cn=manager,dc=lgcpu1"  write
  by *                                  compare
access to *
  by self                               write
  by dn="cn=manager,dc=lgcpu1"  write
  by *                                  read

How to get the rootpw (replace passwd with the real password and salt_string with a salt):

perl -e "print crypt('passwd', 'salt_string');"

Note that when the salt does not start with $1$ or $6$, glibc's crypt() produces a traditional DES hash that uses only the first 8 characters of the password; slappasswd (shipped with openldap-servers) generates a {SSHA} hash that slapd accepts in the same rootpw field.

Create top.ldif with this content:

dn: dc=lgcpu1
objectclass: dcObject
objectclass: organization
o: lgcpu1 group
dc: lgcpu1

dn: cn=manager,dc=lgcpu1
objectclass: organizationalRole
cn: manager

dn: ou=people,dc=lgcpu1
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

dn: ou=contacts,ou=people,dc=lgcpu1
ou: contacts
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

dn: ou=group,dc=lgcpu1
ou: group
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

Add top.ldif to ldap server:

$ ldapadd -x -D 'cn=manager,dc=lgcpu1' -W -f top.ldif

Then search all the content in the LDAP server by:

ldapsearch -x -b 'dc=lgcpu1' -D 'cn=manager,dc=lgcpu1' -W

If the previous steps succeeded, ldapsearch prints all the content in the LDAP database.

Add users and groups from the local configuration:

Copy passwd, shadow and group from /etc/ to a temporary location.
Edit the copies so that they only keep the normal users, that is, no system users.

$ vim /usr/share/openldap/migration/migrate_common.ph

Edit these values:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "cse.ust.hk";

# Default base
$DEFAULT_BASE = "dc=lgcpu1";

Then generate people.ldif; it carries each user's encrypted password from the shadow file as the userPassword attribute:

$ /usr/share/openldap/migration/migrate_passwd.pl ./passwd > people.ldif

The password is in this format:

userPassword: {crypt}$1$Zlkjsdf...

Then add people.ldif to the LDAP server (with ldapadd, as for top.ldif).

$ /usr/share/openldap/migration/migrate_group.pl ./group > group.ldif

Then add group.ldif to the LDAP server.

Create auto.master.ldif:

dn: ou=auto.master,dc=lgcpu1
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/home,ou=auto.master,dc=lgcpu1
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=lgcpu1
cn: /home

dn: cn=/share,ou=auto.master,dc=lgcpu1
objectClass: automount
automountInformation: ldap:ou=auto.misc,dc=lgcpu1
cn: /share

Add auto.master.ldif to the LDAP server with ldapadd.

Create auto.home.ldif

It holds the ou=auto.home map container (same form as the ou=auto.misc entry below) plus one automount entry for every user; section 4 shows the format of a per-user entry.

Add auto.home.ldif to the LDAP server with ldapadd.

Create auto.misc.ldif

It holds the map container for the common shared directories under /share, followed by one automount entry per shared directory:

dn: ou=auto.misc,dc=lgcpu1
objectClass: top
objectClass: automountMap
ou: auto.misc

Add auto.misc.ldif to the LDAP server with ldapadd.

2. NFS server

Please refer to [[how-to-set-up-and-configure-nfs-server-and-clients]] for how to set up a NFS server.

Edit /etc/exports

Allow the hosts inside subnet 10.0.0.1/24 to mount the /home directory with read/write permission by adding this line to /etc/exports. NFS trusts the numeric UIDs presented by the client, so keep the export limited to the subnet of the LDAP-configured clients rather than opening it to everyone:

/home 10.0.0.1/24(rw)

Start up service

Enable nfs service on the NFS server so that the service automatically starts each time the server starts:

# /sbin/chkconfig nfs on

You may also start it manually:

# service nfs start

3. Client configuration

3.1 Packages installation

# yum install nss_ldap autofs nfs-utils
# chkconfig autofs on
# service rpcbind restart
# service autofs restart

3.2 Configuration

# authconfig-tui

Select like this:

│  User Information        Authentication                         │
│  [ ] Cache Information   [*] Use MD5 Passwords                  │
│  [ ] Use Hesiod          [*] Use Shadow Passwords               │
│  [*] Use LDAP            [*] Use LDAP Authentication            │
│  [ ] Use NIS             [ ] Use Kerberos                       │
│  [ ] Use Winbind         [ ] Use Fingerprint reader             │
│                          [ ] Use Winbind Authentication         │
│                          [*] Local authorization is sufficient  │

In the next step:

│          [ ] Use TLS                              │
│  Server: ldap://10.0.0.2/________________________ │
│ Base DN: dc=lgcpu1_______________________________ │

Note that with TLS left off, the client's simple bind sends each user's password to the LDAP server in clear text; turning TLS on requires a certificate on the slapd side.

3.3 Delete the old local entries of the migrated users in:

/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow

4. Add an individual person

Add people.sample.ldif to LDAP:

dn: uid=sample,ou=People,dc=lgcpu1
uid: sample
cn: sample
sn: sample
mail: sample@cse.ust.hk
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$encrypted password here
loginShell: /bin/bash
uidNumber: 507
gidNumber: 507
homeDirectory: /home/sample

Add group.sample.ldif to LDAP:

dn: cn=sample,ou=Group,dc=lgcpu1
objectClass: posixGroup
objectClass: top
cn: sample
userPassword: {crypt}x
gidNumber: 507

Add auto.home.sample.ldif to LDAP:

dn: cn=sample,ou=auto.home,dc=lgcpu1
objectClass: automount
automountInformation: 10.0.0.2:/home/sample
cn: sample

Delete the old local entries for this user on the clients in:

/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow

Create home directory on NFS server:

# mkdir /home/sample
# cp /etc/skel/.[a-z]* /home/sample/
# chown -R 507:507 /home/sample/
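As an added example (not code from the original post), here is a POSIX shell script that generates the LDIF this section and the "every user" step of section 1 call for: one function emits the person, group and automount entries for a single new user, and another builds the whole auto.home map from the trimmed passwd copy. It assumes the post's base DN dc=lgcpu1, NFS server 10.0.0.2 and mail domain cse.ust.hk; the sample passwd lines are constructed.

```shell
# Added example (not from the original post): LDIF generators for the
# per-user entries of section 4 and for the bulk auto.home map that
# section 1 leaves to the reader. Assumes the post's base DN dc=lgcpu1,
# NFS server 10.0.0.2 and the mail domain set in migrate_common.ph.
LDAP_BASE="dc=lgcpu1"
NFS_SERVER="10.0.0.2"
MAIL_DOMAIN="cse.ust.hk"

# automount_entry USER HOMEDIR: one cn=USER,ou=auto.home entry pointing
# at the NFS export, the same shape as auto.home.sample.ldif.
automount_entry() {
    printf 'dn: cn=%s,ou=auto.home,%s\nobjectClass: automount\n' "$1" "$LDAP_BASE"
    printf 'automountInformation: %s:%s\ncn: %s\n\n' "$NFS_SERVER" "$2" "$1"
}

# user_ldif USER UID GID CRYPT_HASH: posixAccount, posixGroup and automount
# entries for one new person (people/group/auto.home sample of section 4).
# CRYPT_HASH is the hash copied from the shadow file, never a plaintext.
user_ldif() {
    printf 'dn: uid=%s,ou=People,%s\nuid: %s\ncn: %s\nsn: %s\nmail: %s@%s\n' \
        "$1" "$LDAP_BASE" "$1" "$1" "$1" "$1" "$MAIL_DOMAIN"
    printf 'objectClass: person\nobjectClass: organizationalPerson\n'
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: top\n'
    printf 'userPassword: {crypt}%s\nloginShell: /bin/bash\n' "$4"
    printf 'uidNumber: %s\ngidNumber: %s\nhomeDirectory: /home/%s\n\n' "$2" "$3" "$1"
    printf 'dn: cn=%s,ou=Group,%s\nobjectClass: posixGroup\nobjectClass: top\n' "$1" "$LDAP_BASE"
    printf 'cn: %s\ngidNumber: %s\n\n' "$1" "$3"
    automount_entry "$1" "/home/$1"
}

# auto_home_ldif PASSWD_FILE MIN_UID: the ou=auto.home map container plus
# one automount entry per regular user (uid >= MIN_UID, home under /home),
# so system accounts left in the copied passwd file are skipped.
auto_home_ldif() {
    printf 'dn: ou=auto.home,%s\nobjectClass: top\nobjectClass: automountMap\nou: auto.home\n\n' "$LDAP_BASE"
    awk -F: -v min="$2" '$3 >= min && $6 ~ /^\/home\// { print $1, $6 }' "$1" |
        while read -r user home; do automount_entry "$user" "$home"; done
}

# Constructed sample passwd copy (not a real system file) for a dry run.
SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
sample:x:507:507:Sample User:/home/sample:/bin/bash
john:x:10000:10000:John:/home/john:/bin/bash
EOF
```

Run `auto_home_ldif "$SAMPLE_PASSWD" 500 > auto.home.ldif` (or `user_ldif sample 507 507 "$hash" > sample.ldif`) and load the result with the same ldapadd command used for top.ldif.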


4 Comments

  1. This is really daunting. Is there any tutorial I could find that explains what these configurations do exactly?

    1. That’s true. But I do not get enough time to test and update this post currently.

      Most of the parts hard to understand may be among the LDAP-related stuff. You may refer to http://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP for a tutorial and http://tldp.org/HOWTO/LDAP-HOWTO/ for a general introduction/tutorial to OpenLDAP.

      Please also note that the idea is the same on newer systems for centralized authentication and home, but some of the content in this post may need to be modified to work on a newer version of the systems (the original one is written and tested on Fedora 12).

  2. Hi

    Your tutorial looks promisingly good. But I hit an error when I tried creating home directory:

    pi@rpipro /home $ sudo chown -R 10000: /home/john
    chown: invalid spec: `10000:'

    Do you have any ideas why I got this and you didn’t?
