I need help!!
I'm a Linux newbie but I have been given this project:
Single login sign-on on Linux. Both the clients and the server are Linux-based. The authentication to be tested is LDAP, and Kerberos. The applications that must be tested are (but not limited to): HTTP authentication, FTP, X via XDMCP, NFS and SSH.
There will be 4 laptops provided.
How do I start and where to start??
*Sorry if I posted in the wrong topic because I don't know where it belongs.
*If any podders know something similar to this, mind posting it too?
Interesting that Samba isn't on the list! The Samba 3 books (available with the samba-doc package) have some LDAP info. Also google for "ldap ibm redbook". They have a redbook on migrating from Windows w/ADC to Linux w/LDAP. I think this is mostly an LDAP & PAM configuration issue.
You could indicate which distributions you are working with. Once the LDAP server is set up, on the clients, you may just need to select LDAP as the authentication source for logging in. If the PAM system is used to authenticate the services you listed, this may make the changes in one place for the clients.
The "Samba 3 by Example" does have a sample configuration and setup for an ldap based setup.
Also google for the "pam_krb5+ldap" module. It may fit the bill. Designing your ldap configuration may be a job. The Samba 3 by Example suggests becoming proficient with ldap instead of just applying their boilerplate solution.
Distribution??
Don't understand.
You mean the type of Linux that the laptop is working with?
If that is the case, I think it is Red Hat or Ubuntu.. but do different distributions matter?
From what I heard, once the user signs in/logs in there will be 1 server to authenticate it and the user doesn't need to log in with his/her password anymore for any other stuff... and everything is using Linux... sounds like what you said above..
Will there be a lot of configuration and coding??
A distribution (as in "Linux distribution") is an operating system that uses the Linux kernel. Like Ubuntu, Fedora, SuSE, Mandrake, Debian, Slackware, ... so yeah, you got it right. The distribution itself does not matter (you can get everything working regardless of which one you choose), but different distributions may have different tools installed right from the start, and different distributions may do the configuration in a slightly different way. For example, Red Hat/Fedora operating systems usually have their "own" tools, mostly graphical, that you're supposed to use. On Slackware you usually edit the configuration files directly with a text editor, and so on. One distribution might come with everything ready to use after the setup, or with very little configuration, and on some other you might need to fetch and install the needed programs/utilities from the web (or from setup discs) first, then configure them to use them. Nowadays (if you pick up a "distribution for the masses", those favourite ones) it doesn't make much difference which one you pick up. Ubuntu or Fedora/RedHat is a good choice for this project I think..
I see.. thanks so much.. got a clearer view of what a distribution is. So when I'm using a different distribution, the distribution has its own software for me to config, right?
For SuSE, you can use YaST to change the authentication source that you use when you log in. One distro may do a better job of setting up the clients than another.
SuSE uses commented configuration files in /etc/sysconf, for example, that set "meta-variables". Then when SuSEconfig is run, the actual config files for the services are modified if need be. It also has graphical config utilities in YaST2 modules.
The GUI LDAP client setup will find the LDAP server for you, fetch the DN, configure the client to use TLS/SSL, modify the PAM and nsswitch.conf files, and has options such as creating a home directory when logging in or indicating that the "Home Directories on This Machine".
A Slackware client may require you to configure PAM, et al. manually and may not even have PAM support.
So you advise me to use SuSE??
But what happens if I use Ubuntu or Fedora/RedHat?? Because I think I will have a higher chance of using either Ubuntu or Fedora/RedHat. Got any ideas about it?
Really, thanks for sharing information with me =)
Every distribution is slightly different, according to the preferences of each particular company, but the technology is more-or-less the same.
In this case, the technology that will probably be used is called PAM = Pluggable Authentication Modules.
PAM is a very cleverly-designed system that's designed to provide consistent handling of tasks like this one. It allows applications (and the system itself) to just say, "Authenticate this!" ... without caring how exactly the job will be done. The PAM system applies an easily-configurable set of rules to handle each type of request, and it does so by means of "modules."
For instance, when you log on to your computer, your password might be checked against /etc/passwd, or it might be checked against "shadow" passwords, or it might be checked by LDAP, or it might be determined by the phase of the moon. The request is the same: "this is a user-login, and I need to know if it's acceptable or not." The method for handling that request is determined by PAM. In an LDAP-based system, for instance, PAM will load and invoke an authentication module that interfaces with LDAP. Shadow passwords would be implemented (instead...) by invoking a different module. And so on.
I was giving you an idea using my distro because it was close at hand. Ubuntu or Fedora may have similar configuration utilities. If they handle the client end configurations for you, then that would make your job easier. Otherwise you would need to configure PAM and nsswitch yourself on each distro.
This sounds a bit similar to what I'm going to do: to log in to the user's computer, and after that the user doesn't need to type in their password for other services. There will be a server helping to authenticate the password.. think the server will be LDAP.
By the way, what is nsswitch, which jschiwal mentioned?
So if I have a client and a server, do I need to do the configuration on both sides?
There will be a corresponding library that you would install (libnss_ldap).
Certain functions in the C library do things like host lookup or determining group members, etc. The /etc/nsswitch.conf file controls what the C functions use to get the information.
There are corresponding library functions that do the work. For example, /etc/nsswitch.conf might contain the line "hosts: files wins". This causes the gethostbyname() function to look in the /etc/hosts file or use the libnss_wins.so library.
In your case, you would have an entry like "passwd: files ldap" and a libnss_ldap.so library. The getpwent() C library function would use /etc/passwd or LDAP to get a password structure entry. If you were using NIS instead, then the line would be "passwd: files nis" and libnss_nis.so would be used.
Your clients' /etc/hosts file might contain a single entry for the LDAP server, and maybe the LAN's nameserver. Each host will probably still have an entry in /etc/passwd and /etc/shadow for the root user. Imagine that you had a NIC problem or there was an accidental configuration error that didn't allow the user to log in. You want root to be able to log in to fix things.
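An added example, not part of any post in this thread: a POSIX shell check for the lookup order described in the last reply, confirming that `files` is listed and consulted before `ldap` so that local accounts such as root still resolve from /etc/passwd when the directory server cannot be reached. The function names `nss_sources` and `nss_check` and the sample file are constructed for illustration.

```shell
# nss_sources FILE DB: print DB's sources in lookup order, with comments
# and [STATUS=action] items removed.
nss_sources() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }
        $1 == db {
            out = ""; skip = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) skip = 1
                if (!skip) out = out (out == "" ? "" : " ") $i
                if ($i ~ /\]$/) skip = 0
            }
            print out; exit
        }' "$1"
}

# nss_check FILE DB: succeed only if "files" is listed and is consulted
# before "ldap", so local accounts such as root are answered from the
# local files first even when the LDAP server is unreachable.
nss_check() {
    srcs=$(nss_sources "$1" "$2")
    if [ -z "$srcs" ]; then echo "$2: no entry"; return 1; fi
    n=0; pos_files=0; pos_ldap=0
    for s in $srcs; do
        n=$((n + 1))
        case $s in
            files) if [ "$pos_files" -eq 0 ]; then pos_files=$n; fi ;;
            ldap)  if [ "$pos_ldap" -eq 0 ]; then pos_ldap=$n; fi ;;
        esac
    done
    if [ "$pos_files" -eq 0 ]; then
        echo "$2: 'files' missing ($srcs)"; return 1
    fi
    if [ "$pos_ldap" -ne 0 ] && [ "$pos_ldap" -lt "$pos_files" ]; then
        echo "$2: 'ldap' is consulted before 'files' ($srcs)"; return 1
    fi
    echo "$2: ok ($srcs)"
}

# Constructed sample, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd: files ldap
group:  ldap [NOTFOUND=return] files   # wrong order for this check
hosts:  files dns
EOF
for db in passwd group shadow; do nss_check "$sample" "$db" || true; done
rm -f "$sample"
```

On a client, point it at the real file, for example `nss_check /etc/nsswitch.conf passwd`.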