Installing and Enabling secure ldap-nsswitch operation on Fedora Core 2
(implemented on Fedora Core 2 - Test 2)

Install RedHat Packages
-----------------------

    yum install krb5-workstation
    yum install cyrus-sasl
    yum install cyrus-sasl-gssapi
    yum install cyrus-sasl-plain
    yum install cyrus-sasl-devel
    yum install nss_ldap
    yum install nscd

Setting up NSSWITCH
-------------------

In /etc/nsswitch.conf add ldap to any line you want to resolve (passwd) so it
looks like the following:

    passwd:     files ldap

This will cause nsswitch to fall back to ldap to find non-local users. Of
course, you can remove the 'files' entry altogether and make ldap a critical
service. Note though that if ldap breaks then, you are without even a root
user (no su!) and will require a boot into single-user mode to fix. If you
want to make ldap the primary userbase, then just keep system users (and root)
in the local files and add all new users to ldap.

Edit /etc/ldap.conf
-------------------

Specify the location of the ldap server you wish to use, as well as the base
dn of any service you wish to resolve. See the sample ldap.conf file for more
details as to which entries to use. In a nutshell, the most basic set of
entries is:

    host            culver.citi.umich.edu
    base            dc=citi,dc=umich,dc=edu
    nss_base_passwd ou=People,dc=citi,dc=umich,dc=edu
    nss_base_shadow ou=People,dc=citi,dc=umich,dc=edu
    nss_base_groups ou=Groups,dc=citi,dc=umich,dc=edu

Enabling Kerberos/GSSAPI
------------------------

Make sure you installed the krb5-workstation and cyrus-sasl-gssapi packages.
Edit /etc/krb5.conf and set your default realm and realm info. At this point,
kinit and make sure that you can authenticate using kerberos.

Have your kerberos admin make an nss_ldap/ principal and create a keytab for
that principal. Install the keytab on your local machine in /etc/ (some
distros might prefer /etc/krb5/krb5.keytab). (ldap_tabfile can be a new file
and does not have to be part of an existing keytab.)

Edit /etc/ldap.conf and include the following lines:

    use_sasl     on
    sasl_auth_id nss_ldap/

Create the following script (/etc/nscdcc_refresh):

--- Begin Script ---
#!/bin/sh
/usr/kerberos/bin/kinit -k -t /etc/ -c /etc/.ldapcache nss_ldap/ \
    && chown nscd:nscd /etc/.ldapcache \
    && chmod 0600 /etc/.ldapcache
--- End script ---

Set up your crontab to refresh your local service ticket cache using the
keytab and the newly created script:

    0 */6 * * * /etc/nscdcc_refresh

Edit the startup file that fires off nscd (/etc/init.d/nscd) and set the
environment variable KRB5CCNAME=/etc/.ldapcache for the nscd instance. Also
have the /etc/nscdcc_refresh script run just before nscd is launched.

Setting Up NSCD
---------------

Make sure you've got the nscd package installed. Look over /etc/nscd.conf and
see if you like what you see. Start nscd using the /etc/init.d/nscd script.
You will need to configure your system to start nscd at boot time.

Resources:
----------

http://www.hut.fi/cc/docs/kerberos/nss_ldap.html

notes: lucca-mapping.notes
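A hardened version of the /etc/nscdcc_refresh script above, added here as an example and not part of the original notes: the original chain creates the cache first and restricts it afterwards, so there is a brief window in which the ticket cache is readable under the default umask, and a failed kinit leaves whatever was written behind. This version refuses to run without a readable keytab, creates the cache under umask 077 in a temporary file and renames it over the live cache only after kinit succeeds, and adds a check the init script can run before starting nscd. The keytab path and the principal's host part are assumed placeholders, since the notes leave them unspecified.

```shell
#!/bin/sh
# Hardened replacement for /etc/nscdcc_refresh (added example, not the original).
# KEYTAB and PRINCIPAL are assumed placeholders; substitute your own values.
KINIT="${KINIT:-/usr/kerberos/bin/kinit}"
KEYTAB="${KEYTAB:-/etc/nss_ldap.keytab}"                 # assumed placeholder
PRINCIPAL="${PRINCIPAL:-nss_ldap/client.example.org}"    # assumed placeholder
CACHE="${CACHE:-/etc/.ldapcache}"
CACHE_OWNER="${CACHE_OWNER:-nscd}"
CACHE_GROUP="${CACHE_GROUP:-nscd}"

# Acquire the nss_ldap service ticket into a private temporary cache, then
# rename it over the live one. nscd never observes a half-written or
# world-readable cache, and a failed kinit leaves the previous cache untouched.
refresh_cache() {
    [ -r "$KEYTAB" ] || { echo "keytab $KEYTAB is not readable" >&2; return 1; }
    umask 077                        # the cache is born 0600, no chmod window
    tmp="$CACHE.tmp.$$"              # same directory, so mv is an atomic rename
    if ! "$KINIT" -k -t "$KEYTAB" -c "$tmp" "$PRINCIPAL"; then
        rm -f "$tmp"
        echo "kinit failed for $PRINCIPAL" >&2
        return 1
    fi
    chown "$CACHE_OWNER:$CACHE_GROUP" "$tmp" && chmod 0600 "$tmp" \
        && mv -f "$tmp" "$CACHE"
}

# Check that the live cache is readable by its owner only: mode 0600 and owned
# by CACHE_OWNER. Suitable as a pre-start check in /etc/init.d/nscd.
cache_is_private() {
    set -- $(ls -ld "$CACHE" 2>/dev/null)
    [ $# -ge 3 ] || return 1
    case "$1" in -rw-------*) ;; *) return 1 ;; esac   # '*' tolerates ACL/SELinux marks
    [ "$3" = "$CACHE_OWNER" ]
}

# Refresh only when invoked directly as the cron/init script, not when sourced.
case "$0" in */nscdcc_refresh) refresh_cache ;; esac
```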