Changes between Version 1 and Version 2 of LdapTroubleshooting


Timestamp:
01/31/12 15:06:30 (6 years ago)
Author:
joshuadf
Comment:

--

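--- a/LdapTroubleshooting
+++ b/LdapTroubleshooting
@@ -1,3 +1,3 @@
-There are two LDAP servers,  `cuboid` and `bursa`, with
+There are two LDAP servers,  `axon` and `deltoid`, with
 CNAMES `ldap1.biostr.washington.edu` and `ldap2.biostr.washington.edu`.
 Login should work if either is up. You may need to restart `nscd` (the Name Service Caching Daemon).
@@ -13,22 +13,45 @@
 The LDAP client setup is done at installation time with the following commands, see KickStart for more details:
 {{{
-authconfig --enableshadow --enablemd5 \
---enableldap --ldapserver=ldaps://ldap1.biostr.washington.edu \
---ldapbasedn="dc=sig,dc=biostr,dc=washington,dc=edu" --enableldapauth \
---enableldaptls --enablecache --disablenis --kickstart
+# LDAP
+# openldap-clients
+if [ ! -f /etc/pki/tls/certs/UW-CA-CERT ]; then
+  echo 'SIGERR: This depends on UW-CA-CERT'
+fi
+authconfig --enableshadow --enablemd5 --enableldap --ldapserver=ldaps://ldap2.biostr.washington.edu --ldapbasedn="dc=sig,dc=biostr,dc=washington,dc=edu" --enableldapauth --enableldaptls --enablecache --disablenis --disablekrb5 --kickstart
 mv /etc/ldap.conf /etc/ldap.conf.orig
 cat > /etc/ldap.conf << EOF
-uri             ldaps://ldap1.biostr.washington.edu  ldaps://ldap2.biostr.washington.edu
-ssl             on
-tls_cacertfile  /usr/share/rhn/UW-CA-CERT
-tls_checkpeer   yes
-ldap_version    3
-scope           one
-rootbinddn      cn=admin,dc=sig,dc=biostr,dc=washington,dc=edu
-base            dc=sig,dc=biostr,dc=washington,dc=edu
-nss_base_passwd ou=People,dc=sig,dc=biostr,dc=washington,dc=edu
-nss_base_shadow ou=People,dc=sig,dc=biostr,dc=washington,dc=edu
-nss_base_group  ou=Group,dc=sig,dc=biostr,dc=washington,dc=edu
-pam_password    exop
+uri                        ldaps://ldap1.biostr.washington.edu ldaps://ldap2.biostr.washington.edu
+ssl                        on
+tls_cacertfile             /etc/pki/tls/certs/UW-CA-CERT
+tls_checkpeer              yes
+ldap_version               3
+scope                      one
+rootbinddn                 cn=admin,dc=sig,dc=biostr,dc=washington,dc=edu
+base                       dc=sig,dc=biostr,dc=washington,dc=edu
+nss_base_passwd            ou=People,dc=sig,dc=biostr,dc=washington,dc=edu
+nss_base_shadow            ou=People,dc=sig,dc=biostr,dc=washington,dc=edu
+nss_base_group             ou=Group,dc=sig,dc=biostr,dc=washington,dc=edu
+pam_password               exop
+timelimit                  30
+bind_timelimit             30
+bind_policy                soft
+nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
+EOF
+
+cat > /etc/nslcd.conf << EOF
+uri ldaps://ldap1.biostr.washington.edu
+uri ldaps://ldap2.biostr.washington.edu
+base dc=sig,dc=biostr,dc=washington,dc=edu
+ssl on
+tls_reqcert never
+tls_cacertfile /etc/pki/tls/certs/UW-CA-CERT
+EOF
+cat > /etc/pam_ldap.conf << EOF
+base dc=sig,dc=biostr,dc=washington,dc=edu
+uri ldaps://ldap1.biostr.washington.edu
+uri ldaps://ldap2.biostr.washington.edu
+ssl on
+tls_cacertfile /etc/pki/tls/certs/UW-CA-CERT
+pam_password md5
 EOF
 mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.orig
@@ -36,12 +59,32 @@
 URI  ldaps://ldap1.biostr.washington.edu ldaps://ldap2.biostr.washington.edu
 BASE dc=sig,dc=biostr,dc=washington,dc=edu
-TLS_CACERT /usr/share/rhn/UW-CA-CERT
+TLS_CACERT /etc/pki/tls/certs/UW-CA-CERT
 TLS hard
 TLS_REQCERT demand
 EOF
-/etc/init.d/nscd restart
+mv /etc/sysconfig/autofs /etc/sysconfig/autofs.orig
+cat > /etc/sysconfig/autofs <<EOF
+DEFAULT_MASTER_MAP_NAME="auto.master"
+DEFAULT_TIMEOUT=300
+DEFAULT_BROWSE_MODE="no"
+DEFAULT_MAP_OBJECT_CLASS="automountMap"
+DEFAULT_ENTRY_OBJECT_CLASS="automount"
+DEFAULT_MAP_ATTRIBUTE="ou"
+DEFAULT_ENTRY_ATTRIBUTE="cn"
+DEFAULT_VALUE_ATTRIBUTE="automountInformation"
+UNDERSCORETODOT=1
+EOF
+/etc/init.d/nscd stop
 /etc/init.d/autofs restart
+/etc/init.d/nslcd restart
 /etc/init.d/portmap restart
+# automountMap symlinks
+ln -s /share/vagal-data /usr/local/data
+for i in andrew brinkley detwiler bnniii jdftest joshuadf; do  ln -s /nfs/$i /home; done
+#for i in andrew brinkley corina detwiler joshuadf jws kmull lober natalia onard rosse schoen shapiro wvw ; do  ln -s /nfs/$i /home; done
+
+echo 'MailTo = logwtch@sig.biostr.washington.edu' >> /etc/logwatch/conf/logwatch.conf
 }}}
+
 
 By the way, here are some common LDAP abbreviation codes: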
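Review bot: `tls_reqcert never` in the new /etc/nslcd.conf heredoc disables server-certificate verification for nslcd, so its ldaps lookups would accept any certificate, while the neighbouring configs written by the same block demand verification (`tls_checkpeer yes` in /etc/ldap.conf, `TLS_REQCERT demand` in /etc/openldap/ldap.conf). The CA file is already given on the very next line, so `tls_reqcert demand` would make the three clients consistent and let nslcd reject an impersonating or misissued server; if `never` is a deliberate workaround for a CA or hostname mismatch, a comment such as `# tls_reqcert never: TODO explain why verification is off here` would stop it being copied forward unexamined. The `UW-CA-CERT` existence check at the top of the block only echoes and falls through, so the remaining commands still configure TLS against a missing CA file; the message should at least go to stderr and likely abort, e.g. `echo 'SIGERR: This depends on UW-CA-CERT' >&2; exit 1`. Separately, /etc/pam_ldap.conf sets `pam_password md5` where /etc/ldap.conf uses `exop`; this looks like an inconsistency in password-change handling worth confirming rather than an intended difference.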