Debian Planet










    Debian and LDAP authentication
    Contributed by Anonymous on Monday, September 17 @ 07:12:01 BST

    Debian
    I'm sysadmin at a school in Denmark with 2200 users in my /etc/passwd file on my potato. Apt-get update fails because of too many lines in the passwd file; furthermore, the number of users will increase over the next years.
    Other schools in the area use Novell, which apparently can authenticate against an LDAP server. So I had the idea to join them and employ an LDAP server for authentication. But after reading parts of the OpenLDAP doc I gave up. Is there no easy way to employ LDAP as an authentication system?

    DanielS: Debian has an excellent setup for their machines, and that's also distributed. I was planning to do an LDAP talk for my LUG anyway, so I'll probably knock up an LDAP-Auth-on-Debian-HOWTO sometime soon. Anyone got any good ideas or references?

     

    2200? Try 3400. (Score: 3, Insightful)
    by Anonymous on Monday, September 17 @ 07:34:42 BST

    I'm sysadmin for a small ISP where we have over 3400 users in /etc/passwd. adduser takes several minutes because the current implementation invokes the perl 'getpw' function (N^2)/2 times to try to figure out what UIDs are available...then it does the same thing on groups.

    An alternative I may try is:

    # Count upward from 1000 until a UID has no passwd entry.
    for ($uid = 1000; getpwuid($uid); $uid++) {}

    because that's at least linear time to find next available, which is all that's really needed anyway, as opposed to exponential time to find all taken UIDs. Yeesh!

    ANYWAY,

    We at the ISP in question will probably also move to LDAP soon.

    [ Reply ]


    Re: Debian and LDAP authentication (Score: 0)
    by Anonymous on Monday, September 17 @ 08:32:48 BST

    I'm running the OpenLDAP server on a box at home with all the users and user details, and two other potatoes authenticate against it. It is not very easy to configure but it can be done with pam_ldap and libnss_ldap.

    [ Reply ]


    Re: Debian and LDAP authentication (Score: 1)
    by sboss (scott at sboss dot net) on Monday, September 17 @ 15:29:08 BST
    (User Info)

    Could you write up what you did and post it? It would be helpful to other people.

    Scott

    [ Reply ]


    Wanted: Task packages (Score: 0)
    by Anonymous on Monday, September 17 @ 10:24:13 BST

    Having Task packages (or whatever they are called today) for this would be great! What I envision is this:

    task-ldap-auth-server: Sets up the system to act as an LDAP authentication server. During installation asks if the user wants it to migrate /etc/passwd, /etc/groups, and /etc/whatever entries into LDAP.

    task-ldap-auth-client: Sets up the system to use an LDAP server for authentication. During installation asks what server it should authenticate against. Should preferably warn about things like local users not being present on the LDAP server and similar problems that may occur.

    I know this might be quite a bit of work, and *I* definitely don't have the skill to do it (having myself failed to set up LDAP authentication a couple of times). But if it was available, I think it would help quite a bunch of people with these kinds of problems.

    Cheers //Johan

    [ Reply ]


    Re: Debian and LDAP authentication (Score: 2, Informative)
    by Anonymous on Monday, September 17 @ 10:33:26 BST

    Have a look at these documents:

    LDAP-HOWTO

    LDAP-Implementation HOWTO

    LDAPv3-HOWTO: http://www.bayour.com/LDAPv3-HOWTO.html

    [ Reply ]


    some documentation. (Score: 1)
    by captainlarry (org.spack@larry) on Monday, September 17 @ 21:21:40 BST
    (User Info) http://www.spack.org/~larry/

    I have some documentation on what I did to get OpenLDAP to work as an authentication/naming source with Solaris 8. It's incomplete 'cause the .com I was working for went belly up and I never got around to finishing it, but if you can read between the lines it's all pretty much there.

    For what it's worth, once you have a working, correctly configured LDAP server (which Debian does almost out of the box), setting up a client to authenticate from an LDAP server is trivial. The sucky part is wrapping your head around how LDAP works and that the user management tools for data in the LDAP server pretty much suck.

    The page is on my wiki site so feel free to add more information (and Linux specific info) to it if you wish. Hell, if people pester me maybe even I'll do it. 🙂



    http://www.spack.org/index.cgi/Solaris8Ldap

    Adam.

    [ Reply ]


    Re: Debian and LDAP authentication (Score: 0)
    by Anonymous on Monday, September 17 @ 22:04:11 BST

    There is a _VERY_GOOD_ howto at http://www.imaginator.com/~simon/ldap/ explaining how to set up pam/libnss with ldap....

    Additionally, I suggest that you run nscd if you use ldap because many things will get much faster then 😉

    [ Reply ]


    an HOWTO on my website (Score: 0)
    by Anonymous on Tuesday, September 18 @ 08:57:23 BST

    I just managed to install authentication against OpenLDAP on Debian, also with SSL.

    Check http://www.raphinou.com/ldaps

    and send any comments if you have difficulties.

    [ Reply ]
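
The client-side pieces named in the comments above (pam_ldap, libnss_ldap, SSL) are governed by a few lines in nsswitch.conf and the PADL-style client configuration file. The following Python check is an added example, not code from any poster or from the linked HOWTOs; the host name, base DN and CA path are constructed, and the "files before ldap" and explicit `tls_checkpeer yes` rules are policy assumptions of this example.

```python
# Added example: static check of LDAP client settings. Sample files are constructed.

def parse(text):
    """Map the first word of each non-comment line (minus a trailing ':') to the rest."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            out[parts[0].rstrip(":").lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def audit(nsswitch_text, ldap_conf_text):
    """Return a list of findings for an nss_ldap/pam_ldap client; empty means none."""
    nss, conf, findings = parse(nsswitch_text), parse(ldap_conf_text), []
    for db in ("passwd", "group", "shadow"):
        sources = nss.get(db, "").split()
        if "ldap" not in sources:
            findings.append(f"{db}: ldap is not consulted")
        elif "files" not in sources or sources.index("files") > sources.index("ldap"):
            # Local accounts (root) must resolve even when the directory is unreachable.
            findings.append(f"{db}: list files before ldap")
    uris = conf.get("uri", "").split()
    ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    if not (ldaps or conf.get("ssl", "no").lower() in ("on", "start_tls")):
        findings.append("transport: passwords cross the network unencrypted")
    elif conf.get("tls_checkpeer", "").lower() != "yes":
        # Policy assumed here: certificate checking must be switched on explicitly.
        findings.append("transport: set tls_checkpeer yes")
    return findings

WEAK_NSSWITCH = "passwd: ldap files\ngroup: files\nshadow: files ldap\n"
WEAK_LDAP_CONF = "host ldap.example.org\nbase dc=example,dc=org\n"

GOOD_NSSWITCH = "passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n"
GOOD_LDAP_CONF = """\
# constructed client configuration
uri ldap://ldap.example.org/
base dc=example,dc=org
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
"""

if __name__ == "__main__":
    for finding in audit(WEAK_NSSWITCH, WEAK_LDAP_CONF):
        print("WEAK:", finding)
    print("GOOD:", audit(GOOD_NSSWITCH, GOOD_LDAP_CONF) or "no findings")
```
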


    Re: an HOWTO on my website (Score: 0)
    by Anonymous on Tuesday, September 18 @ 14:14:36 BST

    Is it possible to use the same LDAP setup for the Windows-users as well? (So they authenticate to the same LDAP-server?)

    Yes, I'd like all at the office to use Debian GNU/Linux, but hey, some of them work in marketing. 🙂

    [ Reply ]


    Re: an HOWTO on my website (Score: 1)
    by captainlarry (org.spack@larry) on Tuesday, September 18 @ 17:58:09 BST
    (User Info) http://www.spack.org/~larry/

    No. If you want to do that you need to run your LDAP server on Windows 2000 (aka. Active Directory). If you hunt around the PADL and OpenLDAP mailing lists you'll see quite a bit of information on making Active Directory work as an LDAP-based naming and authentication source for unix clients.

    Adam.

    [ Reply ]


    Re: an HOWTO on my website (Score: 1)
    by abo on Wednesday, September 19 @ 02:05:51 BST
    (User Info) http://sourceforge.net/users/abo/

    Not quite correct...

    You can get samba to authenticate against LDAP using PAM, then get the windows boxes to authenticate against samba.

    Actually, I think that this only works 100% if you use un-encrypted passwords on samba/windows. If you want to use encrypted samba/windows passwords, samba uses its own passwords file, but samba provides hooks to ensure that the unix passwords (in LDAP via PAM) are kept in sync with changes to the samba passwords. Note that this does not work the other way around... changes to the unix password do not automatically propagate to samba. You could write a wrapper for 'passwd' to do this.

    (Hmmm... thinks. I wonder if you could configure PAM so that changes to the unix passwords _are_ propagated to the samba passwords).

    [ Reply ]


    Re: an HOWTO on my website (Score: 0)
    by Anonymous on Wednesday, September 19 @ 22:03:51 BST

    Would this mean that you need three password entries in the LDAP directory: the ones from /etc/passwd, /etc/shadow and /etc/samba/smbpasswd?

    I have 2300 Samba users on 116 computers validating against one Debian Samba server. Is that possible with LDAP?

    [ Reply ]


    Re: an HOWTO on my website (Score: 1)
    by abo on Thursday, September 20 @ 01:38:43 BST
    (User Info) http://sourceforge.net/users/abo/

    Disclaimer: I haven't done this...yet.

    The /etc/passwd and /etc/shadow stuff in LDAP is the normal LDAP authentication for Linux setup (Note: I am assuming here that you use shadow passwords with LDAP. It is highly possible that you can't or don't want to do this for some reason).

    I don't know if samba can store its passwords inside LDAP. In any case, you probably don't want to. Remember LDAP is a directory serving up info that can be used by other hosts for authentication. Samba can act as a central authentication server for other windows boxes. A single samba can serve multiple clients, so you don't need to put its passwords into a database for access by multiple hosts.

    The only possible reason to put samba passwords into LDAP would be if you had multiple samba servers that you wanted to use the same passwords. However, in this case it is probably better to use samba's domain master stuff than LDAP.

    ABO

    [ Reply ]


    Host attribute (Score: 0)
    by Anonymous on Wednesday, September 19 @ 11:10:31 BST

    Does anyone know how to make this field work? We use pam_ldap/nss authentication, and it works OK, but there's no way to make the 'host' value work. Is it a bug?

    [ Reply ]


    Re: Debian and LDAP authentication (Score: 0)
    by Anonymous on Thursday, September 20 @ 03:47:53 BST

    Hmmm...I'm working on a side project right now that'll explore authenticating users on LDAP (via Samba, Netatalk), as well as integrating with DNS and DHCP to manage that as well. I'll post a follow-up as soon as I've got it where I want it.

    [ Reply ]


    Re: Debian and LDAP authentication (Score: 0)
    by Anonymous on Tuesday, September 25 @ 07:45:27 BST

    Greetings!

    The L for "Lightweight" in LDAP indeed seems to be mistakenly chosen ;-). Here are a few links which might help you out:

    http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/LDAP-Implementation-HOWTO.html

    http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html

    http://www.unav.es/cti/ldap-smb/ldap-smb-HEAD-howto.html

    http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/5.html#RTFToC20

    http://www.faqs.org/rfcs/rfc2251.html

    http://www.faqs.org/rfcs/rfc1777.html

    http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html

    http://webrum.uni-mannheim.de/math/tking/

    http://samba.cadcamlab.org/lists/samba-ntdom/Feb2000/00481.html

    http://ldap.hklc.com

    http://www.cosc.canterbury.ac.nz/%7Empj17/ldap/

    http://www.unav.es/cti/ldap-smb/ldap-smb-TNG-schemas.html

    Try them and if you get stuck, simply mail one of the openldap mailing lists which can be found at

    http://www.openldap.org/lists/

    So long,

    Dustin Huptas

    [ Reply ]


    Re: Debian and LDAP authentication (Score: 0)
    by Anonymous on Tuesday, November 06 @ 11:06:47 GMT

    I have a working Debian woody setup and working user authentication from LDAP. Exim is working too. In future I will try to write a howto on this. If someone needs help, I can try to answer some questions.

    mail me next at home dot lt

    [ Reply ]



    All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2000 by Debian Planet
