Unified Linux Login and Home Directory Using OpenLDAP and NFS/automount

In this post, how to unified Linux login and home directory using OpenLDAP and NFS/automount will be introduced.

0. System environment

This solution is tested on Fedora 12 systems and CentOS 5.

LDAP and NFS server:
IP: 10.0.0.2
OS: Fedora 12 x86_64
ldap base dn: “dc=lgcpu1″

Clients:
IP: 10.0.0.1/24
OS: Fedora 12 x86_64

1. LDAP server

Package installation:

# yum install openldap-servers
# /sbin/chkconfig ldap on
# /sbin/service ldap start

 Add or edit these configurations:

Edit /etc/openldap/slapd.conf. Add or edit:

include    /etc/openldap/schema/redhat/autofs.schema

#########################################################
# ldbm and/or bdb database definitions
#########################################################

database    bdb
suffix      "dc=lgcpu1"
checkpoint      1024 15
rootdn      "cn=Manager,dc=lgcpu1"

rootpw      {crypt}x

# Access Control
access to attrs=userPassword
  by self                               write
  by anonymous                          auth
  by dn="cn=manager,dc=lgcpu1"  write
  by *                                  compare
access to *
  by self                               write
  by dn="cn=manager,dc=lgcpu1"  write
  by *                                  read

How to get the rootpw:

perl -e "print crypt('passwd', 'salt_string',);"

Add top.ldif

top.ldif:

dn: dc=lgcpu1
objectclass: dcObject
objectclass: organization
o: lgcpu1 group
dc: lgcpu1

dn: cn=manager,dc=lgcpu1
objectclass: organizationalRole
cn: manager

dn: ou=people,dc=lgcpu1
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

dn: ou=contacts,ou=people,dc=lgcpu1
ou: contacts
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

dn: ou=group,dc=lgcpu1
ou: group
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: lgcpu1

Add top.ldif to ldap server:

$ ldapadd -x -D 'cn=manager,dc=lgcpu1' -W -f top.ldif

Then search all the content in the ldap server by:

ldapsearch -x -D 'cn=manager,dc=lgcpu1' -W

If the previous work is correctly processed. ldapsearch will print out all the content in ldap database.

Add users and groups from local configuration:

Copy passwd shadow group from /etc/ to some tmp location
Edit them and only keep the normal users, that means no system users.

$ vim /usr/share/openldap/migration/migrate_common.ph

Edit these values:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "cse.ust.hk";

# Default base
$DEFAULT_BASE = "dc=lgcpu1";

Then add the encryped password from shadow file to userPassword like this:

$ /usr/share/openldap/migration/migrate_passwd.pl ./passwd > people.ldif

The password is in this format:

userPassword: {crypt}$1$Zlkjsdf...

Then add people.ldif to ldap server

$ /usr/share/openldap/migration/migrate_group.ph ./group > group.ldif

Then add group.ldif to ldap server

Add auto.master.ldif

dn: ou=auto.master,dc=lgcpu1
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/home,ou=auto.master,dc=lgcpu1
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=lgcpu1
cn: /home

dn: cn=/share,ou=auto.master,dc=lgcpu1
objectClass: automount
automountInformation: ldap:ou=auto.misc, dc=lgcpu1
cn: /share

add auto.master.ldif

Add auto.home.ldif

Add for every users

add auto.home.ldif

auto.misc.ldif

Add for some common share directories

dn: ou=auto.misc,dc=lgcpu1
objectClass: top
objectClass: automountMap
ou: auto.misc

add auto.misc.ldif

2. NFS server

Please refer to How to Set Up and Configure NFS Server and Clients for how to set up a NFS server.

Edit /etc/exports

Allow the servers inside subnet 10.0.0.1/24 to mount the /home directory with read/write permission. Add this line to /etc/exports:

/home 10.0.0.1/24(rw)

Start up service

Enable nfs service on the NFS server so that the service automatically starts each time the server starts:

# /sbin/chkconfig nfs on

You may also manually start it

# service nfs start

3. Client configuration

3.1 Packages installation

# yum install nss_ldap autofs nfs-utils
# chkconfig autofs on
# service rpcbind restart
# service autofs restart

3.2 Configuration

# authconfig-tui

Select like this:

|  User Information        Authentication                         │
│  [ ] Cache Information   [*] Use MD5 Passwords                  │
│  [ ] Use Hesiod          [*] Use Shadow Passwords               │
│  [*] Use LDAP            [*] Use LDAP Authentication            │
│  [ ] Use NIS             [ ] Use Kerberos                       │
│  [ ] Use Winbind         [ ] Use Fingerprint reader             │
│                          [ ] Use Winbind Authentication         │
│                          [*] Local authorization is sufficient  │

In next step:

│          [ ] Use TLS                              │
│  Server: ldap://10.0.0.2/________________________ │
│ Base DN: dc=lgcpu1_______________________________ │

3.3 Delete old user entries in:

/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow

4. add individual person

Add people.sample.ldif to ldap

dn: uid=sample,ou=People,dc=lgcpu1
uid: sample
cn: sample
sn: sample
mail: sample@cse.ust.hk
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$6$encryped password here
loginShell: /bin/bash
uidNumber: 507
gidNumber: 507
homeDirectory: /home/sample

Add group.sample.ldif to ldap

dn: cn=sample,ou=Group,dc=lgcpu1
objectClass: posixGroup
objectClass: top
cn: sample
userPassword: {crypt}x
gidNumber: 507

Addauto.home.sample.ldif to ldap

dn: cn=sample,ou=auto.home,dc=lgcpu1
objectClass: automount
automountInformation: 10.0.0.2:/home/sample
cn: sample

Delete old entries in:

/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow

Create home directory on NFS server:

# mkdir /home/sample
# cp /etc/skel/.[a-z]* /home/sample/
# chown -R 507:507 /home/sample/

Eric Zhiqiang Ma

Eric is interested in building high-performance and scalable distributed systems and related technologies. The views or opinions expressed here are solely Eric's own and do not necessarily represent those of any third parties.

4 comments:

  1. This is really daunting. Is there any tutorial I could find that explains what these configurations do exactly?

    1. That’s true. But I do not get enough time to test and update this post currently.

      Most of the parts hard to understand may be among the LDAP-related stuffs. You may refer to http://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP for a tutorial and http://tldp.org/HOWTO/LDAP-HOWTO/ for general introduction/tutorial to OpenLDAP.

      Please also note that the idea is the same on newer systems for centralization authentication and home but some of the content in this post may need to be modified to work on a newer version of the systems (the original one is written and tested on Fedora 12).

  2. Hi
    Hi

    Your tutorial looks promisingly good. But I hit an error when I tried creating home directory:

    pi@rpipro /home $ sudo chown -R 10000: /home/john
    chown: invalid spec: `10000:’

    Do you have any ideas why I got this and you didn’t?

Leave a Reply

Your email address will not be published. Required fields are marked *