Talk:LDAP authentication

From ArchWiki

Poor writing

This article needs to include more explanatory information rather than an example of one user's configuration (which may or may not work?). -- pointone 11:41, 17 January 2011 (EST)

Error

Following this guide and the other one out of the box, I get the following error when trying to import (ldapadd) or search (ldapsearch):

slapd[20458]: fd=12 DENIED from unknown (127.0.0.1)

And yes, I do have slapd in hosts.allow.

Add to /etc/hosts.allow:
slapd: 127.0.0.1
Peleki 11:14, 21 August 2010 (EDT)

Suggestions

If you want hdb as the backend, you have to adjust the PKGBUILD to --enable-hdb and rebuild the package.

To disable the IPv6 error, add -4 to the slapd init script at line 14 (/usr/sbin/slapd -4 $SLAPD_OPTIONS).

To disable the "openldap configure monitor database to enable" message, add "database monitor" in /etc/openldap/slapd.conf BEFORE any database backend type (hdb or bdb).

--mvinnicius 19:55, 14 February 2011 (EST)

For the record, it's probably better to add -4 to the SLAPD_OPTIONS variable in /etc/conf.d/slapd than to modify the rc-script. --DJPohly 21:09, 14 February 2011 (EST)

Overhaul

I started editing the page with the goal of merging it with the LDAP Authentication one and also with the main OpenLDAP article. I rewrote the introduction and added some explanations for the client side like NSS and PAM. I'm going to remove the pam_ldap and nss_ldap bit and use nss_pam_ldapd from AUR, which is the most up-to-date (and robust) version. If anyone has any objections, feel free to say so.

Clarification

I think the client configuration section should clarify that you would want to choose between ldap or sssd (with sssd being the more robust of the two).

Also, in the sssd section, there's a handy note pointing out that sudo is not compiled with sssd support. I created a sudo-sssd package in the AUR. Perhaps it would be beneficial to link to it?

Niq000 (talk) 06:36, 9 July 2015 (UTC)

I've found several conflicts in this article that I think need to be resolved or annotated.

1. This article refers to OpenLDAP for initial setup which sets you up with rootdn as "cn=root,dc=example,dc=org". However this article expects that you've set up rootdn "cn=Manager,dc=example,dc=org". We should be consistent or figure out a better way to refer to this new user.

2. The file changes described in "Client Setup" completely conflict with the changes in "Online and Offline Authentication with SSSD". If these sections are exclusive, it is important to describe the options available before people start with the intuitive "Client Setup". If the primary advantage of SSSD is that offline authentication is possible, it's important to describe that as a limitation in the "Client Setup" section and refer to SSSD for the better approach.

3. In "LDAP Server Setup" -> "Set up access controls" the article instructs you to change /etc/openldap/slapd.conf and restart slapd.service, however that is insufficient according to the OpenLDAP page. Instead you need to slapindex, then chown some files before restarting the service.

4. Initial entries are described in "Populate LDAP Tree with Base Data", however this is already done in the original OpenLDAP article (to a lesser extent). There should be a note in the original reference to the OpenLDAP article of when to stop following the guide. If a user finishes one before starting here, there will be conflicting records.

5. The OpenLDAP article says that we will likely want to add some typically used schemas to the top of slapd.conf and some indexes to the bottom of slapd.conf. In this article we should specify which schemas and indexes are applicable to this particular application.

6. A fresh install shows a significant difference in /etc/pam.d/sudo from what is described in the "Enable Sudo" section. It has a set of include statements instead of what is described here. I suspect that the first half of this section is no longer necessary.

7. If packages nss-pam-ldapd and sssd are not totally exclusive, then it should be noted in "Online and Offline Authentication with SSSD" how far one should follow the "Client Setup" section.

8. The "SSSD Configuration" section points to "man sssd.conf" for info. However, LDAP-relevant config used here such as ldap_tls_reqcert is only defined in "man sssd-ldap". We should correct the reference.

9. If you've completed the "Client Setup" section, then you've added pam_ldap.so in many of the files in /etc/pam.d. In SSSD's "PAM configuration" section, we replace all instances of pam_ldap.so with pam_sss.so except for in /etc/pam.d/su and su-l. It's unclear whether this instance should also be replaced.

Unfortunately I don't have the confidence to make these changes, especially since I haven't had success yet for my configuration.

Stewbond (talk) 19:36, 19 January 2017 (UTC)
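Added example, not from the article or from any of the posters above: a small POSIX shell audit for the mixed pam_ldap.so/pam_sss.so state that points 7 and 9 describe, so a client that was half-migrated from nss-pam-ldapd to SSSD can be spotted before a login fails. The directory and file contents it builds are constructed sample data, not a real /etc/pam.d; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki article): audit an /etc/pam.d-style
# directory for leftover pam_ldap.so references once pam_sss.so is in use.

# classify FILE: prints ldap, sss, mixed or none depending on which of the
# two modules the file's active (non-comment) lines reference.
classify() {
    active=$(sed 's/#.*//' "$1")
    l=$(printf '%s\n' "$active" | grep -c 'pam_ldap\.so' || :)
    s=$(printf '%s\n' "$active" | grep -c 'pam_sss\.so' || :)
    if [ "$l" -gt 0 ] && [ "$s" -gt 0 ]; then echo mixed
    elif [ "$l" -gt 0 ]; then echo ldap
    elif [ "$s" -gt 0 ]; then echo sss
    else echo none
    fi
}

# pam_audit DIR: prints "<name> <class>" per file; returns 1 when the
# directory uses pam_sss.so somewhere but still references pam_ldap.so.
pam_audit() {
    any_sss=0; any_ldap=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        c=$(classify "$f")
        echo "$(basename "$f") $c"
        case $c in
            ldap) any_ldap=1 ;;
            sss) any_sss=1 ;;
            mixed) any_ldap=1; any_sss=1 ;;
        esac
    done
    [ "$any_sss" -eq 1 ] && [ "$any_ldap" -eq 1 ] && return 1
    return 0
}

# make_sample DIR: writes constructed PAM files reproducing point 9
# (su left on pam_ldap.so after the rest moved to pam_sss.so; a
# commented-out pam_ldap.so line in passwd must not count).
make_sample() {
    mkdir -p "$1"
    printf 'auth sufficient pam_sss.so\nauth required pam_unix.so\n' > "$1/login"
    printf 'auth sufficient pam_ldap.so\nauth required pam_unix.so\n' > "$1/su"
    printf '# auth sufficient pam_ldap.so\nauth required pam_unix.so\n' > "$1/passwd"
}
```

Run `pam_audit /etc/pam.d` on a real client to list every file's state; a non-zero exit means both modules are still referenced somewhere.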