Old 09-18-2007, 12:45 AM   #1
factos
LQ Newbie
 
Registered: Sep 2007
Posts: 13

Rep: Reputation: 0
Question linux single authentication


i need help!!
i'm a linux newbie but i have been given this project:

Single login sign-on on Linux. Both the clients and the server are Linux-based. The authentication to be tested is LDAP, and Kerberos. The applications that must be tested are (but not limited to): HTTP authentication, FTP, X via XDMCP, NFS and SSH.

there will be 4 laptops provided

how do i start and where to start??

*sorry if i post at wrong topic because i don't know where it belongs to.
*if any podders know something similar like this mind post it too?

please help!!

thank you
 
Old 09-18-2007, 01:01 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Interesting that Samba isn't on the list! The samba 3 books (available with the samba-doc package) have some ldap info. Also google for "ldap ibm redbook". They have a redbook on migrating from Windows w/ADC to Linux w/LDAP. I think this is mostly an LDAP & PAM configuration issue.

This web search might help as well:
http://safari.oreilly.com/013188221X
 
Old 09-18-2007, 02:19 AM   #3
factos
LQ Newbie
 
Registered: Sep 2007
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal View Post
Interesting that Samba isn't on the list! The samba 3 books (available with the samba-doc package) have some ldap info. Also google for "ldap ibm redbook". They have a redbook on migrating from Windows w/ADC to Linux w/LDAP. I think this is mostly an LDAP & PAM configuration issue.

This web search might help as well:
http://safari.oreilly.com/013188221X
thank you
i will do a search about this
but got anybody know how to start?? or other stuff to search for??

thanks~
 
Old 09-18-2007, 08:04 PM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
You could indicate which distributions you are working with. Once the ldap server is set up, on the clients, you may just need to select ldap as the authentication source for logging in. If the PAM system is used to authenticate the services you listed, this may make the changes in one place for the clients.

The "Samba 3 by Example" does have a sample configuration and setup for an ldap based setup.
Also google for the "pam_krb5+ldap" module. It may fit the bill. Designing your ldap configuration may be a job. The Samba 3 by Example suggests becoming proficient with ldap instead of just applying their boilerplate solution.

Also check out this blog site.
http://blog.scottlowe.org/2006/09/08...ccess-control/

Last edited by jschiwal; 09-18-2007 at 08:27 PM.
 
Old 09-19-2007, 08:34 AM   #5
factos
LQ Newbie
 
Registered: Sep 2007
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal View Post
You could indicate which distributions you are working with. Once the ldap server is set up, on the clients, you may just need to select ldap as the authentication source for logging in. If the PAM system is used to authenticate the services you listed, this may make the changes in one place for the clients.

The "Samba 3 by Example" does have a sample configuration and setup for an ldap based setup.
Also google for the "pam_krb5+ldap" module. It may fit the bill. Designing your ldap configuration may be a job. The Samba 3 by Example suggests becoming proficient with ldap instead of just applying their boilerplate solution.

Also check out this blog site.
http://blog.scottlowe.org/2006/09/08...ccess-control/
distribution??
don't understand
you mean the types of linux that the laptop is working with?
if is this case i think is red hat or ubuntu..but different distributions matters?

from what i heard is that once user sign in/login there will be 1 server to authenticate it and the user doesn't need to login with his/her password anymore for any other stuff...and everything is using linux.....sound like what you say above..
there will be a lot of configuration and codings??

sorry, ask too much
thank you for your help
 
Old 09-19-2007, 08:41 AM   #6
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
Quote:
distribution??
don't understand
you mean the types of linux that the laptop is working with?
if is this case i think is red hat or ubuntu..but different distributions matters?
A distribution (as in "Linux distribution") is an operating system that uses the Linux kernel. Like Ubuntu, Fedora, SuSE, Mandrake, Debian, Slackware, ... so yeah, you got it right. The distribution itself does not matter (you can get everything working regardless of what you choose), but different distributions may have different tools installed right from the start, and different distributions may make the configuration in a slightly different way. For example RedHat/Fedora operating systems usually have their "own" tools, mostly graphical, that you're supposed to use. On Slackware you usually edit the configuration files directly with a text editor, and so on. One distribution might come with everything ready to use after the setup, or with very little configuration, and on some other you might need to fetch and install the needed programs/utilities from the web (or from setup discs) first, then configure them to use them. Nowadays (if you pick up a "distribution for the masses", those favourite ones) it doesn't make much difference which one you pick up. Ubuntu or Fedora/RedHat is a good choice for this project I think..
 
Old 09-19-2007, 09:10 AM   #7
factos
LQ Newbie
 
Registered: Sep 2007
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by b0uncer View Post
A distribution (as in "Linux distribution") is an operating system that uses the Linux kernel. Like Ubuntu, Fedora, SuSE, Mandrake, Debian, Slackware, ... so yeah, you got it right. The distribution itself does not matter (you can get everything working regardless of what you choose), but different distributions may have different tools installed right from the start, and different distributions may make the configuration in a slightly different way. For example RedHat/Fedora operating systems usually have their "own" tools, mostly graphical, that you're supposed to use. On Slackware you usually edit the configuration files directly with a text editor, and so on. One distribution might come with everything ready to use after the setup, or with very little configuration, and on some other you might need to fetch and install the needed programs/utilities from the web (or from setup discs) first, then configure them to use them. Nowadays (if you pick up a "distribution for the masses", those favourite ones) it doesn't make much difference which one you pick up. Ubuntu or Fedora/RedHat is a good choice for this project I think..
I see..thanks so much..got a clearer view of what distribution is. so when i using different distribution, the distribution have its own software for me to config right?
 
Old 09-19-2007, 11:46 AM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
For SuSE, you can use yast to change the Authentication source that you use when you log in. One distro may do a better job of setting up the clients than another.

SuSE uses commented configuration files in /etc/sysconf, for example, that set "meta-variables". Then when SuSEconfig is run, the actual config files for the services are modified if need be. It also has graphical config utilities in YaST2 modules.
The GUI ldap client setup will find the ldap server for you, fetch the DN, configure the client to use TLS/SSL, modify the PAM and nsswitch.conf file, and has options such as creating a home directory when logging in or indicating that the "Home Directories on This Machine".
A slackware client may require you to configure PAM, et al. manually and may not even have PAM support.
 
Old 09-19-2007, 08:42 PM   #9
factos
LQ Newbie
 
Registered: Sep 2007
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal View Post
For SuSE, you can use yast to change the Authentication source that you use when you log in. One distro may do a better job of setting up the clients than another.

SuSE uses commented configuration files in /etc/sysconf, for example, that set "meta-variables". Then when SuSEconfig is run, the actual config files for the services are modified if need be. It also has graphical config utilities in YaST2 modules.
The GUI ldap client setup will find the ldap server for you, fetch the DN, configure the client to use TLS/SSL, modify the PAM and nsswitch.conf file, and has options such as creating a home directory when logging in or indicating that the "Home Directories on This Machine".
A slackware client may require you to configure PAM, et al. manually and may not even have PAM support.
so you advise me to use SuSE??
but what happen if i use Ubuntu or Fedora/RedHat?? because i think i will have a higher chance using either Ubuntu or Fedora/RedHat. got any ideas about it?
really thanks for sharing information with me =)
 
Old 09-19-2007, 09:18 PM   #10
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,673
Blog Entries: 4

Rep: Reputation: 3945
Every distribution is slightly different, according to the preferences of each particular company, but the technology is more-or-less the same.

In this case, the technology that will probably be used is called PAM = Pluggable Authentication Modules.

PAM is a very cleverly-designed system that's designed to provide consistent handling of tasks like this one. It allows applications (and the system itself) to just say, "Authenticate this!" ... without caring how exactly the job will be done. The PAM system applies an easily-configurable set of rules to handle each type of request, and it does so by means of "modules."

For instance, when you log-on to your computer, your password might be checked against /etc/passwd, or it might be checked against "shadow" passwords, or it might be checked by LDAP, or it might be determined by the phase of the moon. The request is the same: "this is a user-login, and I need to know if it's acceptable or not." The method for handling that request is determined by PAM. In an LDAP-based system, for instance, PAM will load and invoke an authentication-module that interfaces with LDAP. Shadow-passwords would be implemented (instead...) by invoking a different module. And so-on.
 
Old 09-19-2007, 09:25 PM   #11
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I was giving you an idea using my distro because it was close at hand. Ubuntu or Fedora may have similar configuration utilities. If they handle the client end configurations for you, then that would make your job easier. Otherwise you would need to configure PAM and nsswitch yourself on each distro.
 
Old 09-20-2007, 02:25 AM   #12
factos
LQ Newbie
 
Registered: Sep 2007
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by sundialsvcs View Post
Every distribution is slightly different, according to the preferences of each particular company, but the technology is more-or-less the same.

In this case, the technology that will probably be used is called PAM = Pluggable Authentication Modules.

PAM is a very cleverly-designed system that's designed to provide consistent handling of tasks like this one. It allows applications (and the system itself) to just say, "Authenticate this!" ... without caring how exactly the job will be done. The PAM system applies an easily-configurable set of rules to handle each type of request, and it does so by means of "modules."

For instance, when you log-on to your computer, your password might be checked against /etc/passwd, or it might be checked against "shadow" passwords, or it might be checked by LDAP, or it might be determined by the phase of the moon. The request is the same: "this is a user-login, and I need to know if it's acceptable or not." The method for handling that request is determined by PAM. In an LDAP-based system, for instance, PAM will load and invoke an authentication-module that interfaces with LDAP. Shadow-passwords would be implemented (instead...) by invoking a different module. And so-on.
this sound a bit similar like what i'm going to do. to login to user computer and after it user doesnt need to type in their password for other services. there will be server helping to authenticate password..think the server will be LDAP

by the way what is nsswitch which jschiwal mentioned?

so if i have a client and server, do i need to do the configuration at both sides?

really thanks for all podders help
 
Old 09-20-2007, 08:38 AM   #13
factos
LQ Newbie
 
Registered: Sep 2007
Posts: 13

Original Poster
Rep: Reputation: 0
now it is confirmed that my linux distribution is Ubuntu
i got 2 laptop installed Ubuntu

Last edited by factos; 09-21-2007 at 02:31 AM.
 
Old 09-22-2007, 12:17 AM   #14
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
This website explains setting up PAM and nsswitch.conf.
http://imaginator.com/~simon/ldap/

There will be a corresponding library that you would install (libnss_ldap).

Certain functions in the c-library do things like host lookup or determining group members, etc. The /etc/nsswitch.conf file controls what the c functions use to get the information.
There are corresponding library functions that do the work. For example, a line in /etc/nsswitch.conf might contain the line "hosts: files wins". This causes the gethostbyname() function to look in the /etc/hosts file or use the libnss_wins.so library.

In your case, you would have an entry like "passwd: files ldap" and a libnss_ldap.so library. The getpwent() c library function would use /etc/passwd or ldap to get a password structure entry. If you were using NIS instead, then the line would be "passwd: files nis" and libnss_nis.so would be used.

Your client's /etc/hosts file might contain a single entry for the ldap server, and maybe the LAN's nameserver. Each host will probably still have an entry in /etc/passwd and /etc/shadow for the root user. Imagine that you had a NIC problem or there was an accidental configuration error that didn't allow the user to log in. You want root to be able to log in to fix things.

Last edited by jschiwal; 09-22-2007 at 12:36 AM.
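
The lookup order described in post #14, as an added example that is not part of the original thread: a small C parser that reads nsswitch.conf text, returns the sources for a database in the order they are tried (each source name corresponds to a libnss_<name> library, as the post says), and checks that "files" comes first so the local root account still resolves if the LDAP server cannot be reached. The function names and the sample text are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_SRC 8
#define NAME_LEN 32

static const char SAMPLE[] =            /* constructed sample nsswitch.conf */
    "passwd: files ldap\n"
    "group:  ldap [NOTFOUND=return] files\n"
    "hosts:  files wins\n";

/* Collect, in lookup order, the sources listed for one database; returns the
 * count (0 if no line). Assumes "name:" with no space before the colon. */
int nss_sources(const char *conf, const char *db, char out[][NAME_LEN], int max)
{
    size_t dblen = strlen(db);
    for (const char *line = conf; line && *line; ) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = line;
        int n = 0;
        while (p < end && isspace((unsigned char)*p)) p++;
        line = eol ? eol + 1 : NULL;
        if ((size_t)(end - p) <= dblen || strncmp(p, db, dblen) || p[dblen] != ':')
            continue;                            /* not the line for this database */
        for (p += dblen + 1; p < end && n < max; ) {
            while (p < end && isspace((unsigned char)*p)) p++;
            if (p == end || *p == '#') break;    /* end of line or trailing comment */
            if (*p == '[') {                     /* skip an action item such as [NOTFOUND=return] */
                while (p < end && *p++ != ']') ;
                continue;
            }
            size_t k = 0;
            for (; p < end && !isspace((unsigned char)*p) && *p != '[' && *p != '#'; p++)
                if (k < NAME_LEN - 1) out[n][k++] = *p;
            out[n++][k] = '\0';
        }
        return n;
    }
    return 0;
}

/* 1 if "files" is tried first, so local root resolves without the LDAP server. */
int local_first(const char *conf, const char *db)
{
    char src[MAX_SRC][NAME_LEN];
    return nss_sources(conf, db, src, MAX_SRC) > 0 && strcmp(src[0], "files") == 0;
}

int main(void)
{
    printf("passwd: %d group: %d\n", local_first(SAMPLE, "passwd"), local_first(SAMPLE, "group"));
    return 0;
}
```

On a client, `getent passwd root` exercises the same lookup order through the C library.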
 
Old 09-22-2007, 09:34 AM   #15
factos
LQ Newbie
 
Registered: Sep 2007
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal View Post
This website explains setting up PAM and nsswitch.conf.
http://imaginator.com/~simon/ldap/

There will be a corresponding library that you would install (libnss_ldap).

Certain functions in the c-library do things like host lookup or determining group members, etc. The /etc/nsswitch.conf file controls what the c functions use to get the information.
There are corresponding library functions that do the work. For example, a line in /etc/nsswitch.conf might contain the line "hosts: files wins". This causes the gethostbyname() function to look in the /etc/hosts file or use the libnss_wins.so library.

In your case, you would have an entry like "passwd: files ldap" and a libnss_ldap.so library. The getpwent() c library function would use /etc/passwd or ldap to get a password structure entry. If you were using NIS instead, then the line would be "passwd: files nis" and libnss_nis.so would be used.

Your client's /etc/hosts file might contain a single entry for the ldap server, and maybe the LAN's nameserver. Each host will probably still have an entry in /etc/passwd and /etc/shadow for the root user. Imagine that you had a NIC problem or there was an accidental configuration error that didn't allow the user to log in. You want root to be able to log in to fix things.
i see
but what happens if using Kerberos?
 