Configure SLES 11 LDAP client without Yast



smwit
13-Dec-2012, 09:32
Hi!

I need to figure out how to configure a SLES 11 installation to authenticate via LDAP without using any interactive tools;
it is going to be handled by CFengine.
The ldap.conf and nsswitch.conf are already taken care of, but that is not enough; I guess the Yast LDAP module does
something with PAM as well.

Can anyone point me to what more needs to be done. I suspect that pam-config can be what I'm looking for, but I don't know
how to use it.

ab
13-Dec-2012, 14:29
Random idea:

Have you considered setting up a test box via Yast and seeing what is
changed by the installation? I'd guess 99.9% of changes are in /etc so
copying and then comparing old/new should be pretty easy.

I'd check /etc/pam.d for changes specifically, based on what you've
written so far.

Good luck.

lixner
13-Dec-2012, 15:25
Once you get the ldap.conf and nsswitch.conf right, you have to configure pam like this:

/etc/pam.d/common-password-pc
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok

/etc/pam.d/common-auth-pc
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass

/etc/pam.d/common-account-pc
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass

/etc/pam.d/common-session-pc
session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session optional pam_umask.so


Be careful, if you screw up "these files" you may not be able to log in, so keep a root shell logged in and test on another console.

Best regards

Lars
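The four stacks from Lars's reply, packaged as a non-interactive installer that a configuration-management run could call. This is an added example, not code from the thread: it writes each common-*-pc file from an embedded copy of the stacks above, keeps a timestamped backup of whatever it overwrites, and refuses to install any stack in which pam_ldap.so would run before pam_unix2.so, since that ordering is what keeps local accounts (root on the console) usable when the LDAP server is unreachable. The PAMDIR environment variable and the .bak.TIMESTAMP naming are this example's own conventions; the target directory /etc/pam.d and the stack contents come from the thread. If the pam-config route the original poster mentions is preferred instead, its --ldap module switch (see pam-config(8)) manages the same common-*-pc files.

```shell
#!/bin/sh
# Added example (not from the thread): install the SLES 11 pam_ldap stacks
# non-interactively, with backups and an ordering safety check.
set -eu

# PAMDIR is an assumption of this example so the script can be exercised
# against a scratch directory; on a real host it is /etc/pam.d.
PAMDIR="${PAMDIR:-/etc/pam.d}"

# stack_is_safe FILE: succeed only when the file names pam_unix2.so on an
# earlier line than pam_ldap.so, so the local path is tried before LDAP.
stack_is_safe() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $3 ~ /^pam_unix2\.so/ && !unix_seen { unix_seen = NR }
        $3 ~ /^pam_ldap\.so/  && !ldap_seen { ldap_seen = NR }
        END { exit (unix_seen && ldap_seen && unix_seen < ldap_seen) ? 0 : 1 }
    ' "$1"
}

# write_stack NAME: read the stack from stdin, validate it, back up any
# existing file, then move the new one into place with sane permissions.
write_stack() {
    target="$PAMDIR/$1"
    cat > "$target.new"
    if ! stack_is_safe "$target.new"; then
        echo "refusing to install $1: pam_ldap.so would run before pam_unix2.so" >&2
        rm -f "$target.new"
        return 1
    fi
    if [ -e "$target" ]; then
        cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)"
    fi
    chmod 0644 "$target.new"
    mv "$target.new" "$target"
}

# install_all: the four stacks exactly as posted in the thread.
install_all() {
    write_stack common-password-pc <<'EOF'
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok
EOF
    write_stack common-auth-pc <<'EOF'
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass
EOF
    write_stack common-account-pc <<'EOF'
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
EOF
    write_stack common-session-pc <<'EOF'
session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session optional pam_umask.so
EOF
}

# Usage: PAMDIR=/etc/pam.d ./install-ldap-pam.sh install
# Without the "install" argument nothing is written, so the functions can be
# sourced or tested safely.
case "${1:-}" in
    install) install_all ;;
esac
```

Run it as root with the `install` argument from the same session that already holds a second root shell, as Lars advises, and confirm a console login before closing that shell; a `PAMDIR=/tmp/scratch` run first shows exactly what will land in /etc/pam.d.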