Linux - Server (LinuxQuestions.org forum): This forum is for the discussion of Linux software used in a server-related context.
I just recently integrated a Fedora 6 box using LDAP, SAMBA and LAM (LDAP Administration Manager, I think) into my network to take over the Microsoft PDC that was giving me major headaches and made it my PDC. I use LAM to create accounts that have the appropriate privileges. The trouble that I am having is that when I log in from a Windows workstation as a normal user, I cannot get into certain directories. I am having trouble with permissions on certain directories. I looked at samba.conf and am having a lot of trouble setting up permissions. Using this setup, how would I control permissions to directories like you would using MS Active Directory?
Define your users and groups in the LDAP directory, and if you have configured it correctly the Linux system can use them just like local users and groups. By default, Linux only attaches one group to a file or directory, though - you need to use the ACL tools to build more complex permission sets.
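As an added illustration of the "one group per directory" limit and the ACL tools mentioned above (this is example code, not from the thread): the share path /srv/shares/finance, the owning group "staff" and the extra group "finance" are assumptions. The group name may come from /etc/group or from LDAP; setfacl does not care as long as the name resolves. The getfacl output below is constructed to show what the directory looks like after the ACL is applied.

```sh
#!/bin/sh
# Added example: give a second group access to a Samba share with POSIX ACLs,
# since the normal mode bits only carry one owning group.
# Assumed names (not from the thread): /srv/shares/finance, groups "staff" and "finance".

# setfacl arguments for a share directory: an access ACL for the directory
# itself plus a matching default ACL, so files created later through Samba
# inherit the same group entry instead of falling back to the owning group.
share_acl_spec() {
    group=$1
    printf '%s' "-m g:${group}:rwx -m d:g:${group}:rwx"
}

# Apply the ACL recursively to an existing share tree. Needs the acl package
# and a filesystem mounted with ACL support (ext3 on Fedora 6 needs the "acl"
# mount option); the group must resolve through nsswitch (files or LDAP).
apply_share_acl() {
    dir=$1; group=$2
    if ! command -v setfacl >/dev/null 2>&1; then
        echo "setfacl not installed (yum install acl)" >&2
        return 1
    fi
    getent group "$group" >/dev/null || { echo "unknown group: $group" >&2; return 1; }
    # intentional word splitting of the spec into separate -m arguments
    setfacl -R $(share_acl_spec "$group") "$dir"
}

# Read getfacl output on stdin and print the permissions a named group has
# in the access ACL (e.g. "rwx"); prints nothing if the group has no entry.
# Default ACL lines start with "default:" and are deliberately skipped.
group_perm_in_acl() {
    group=$1
    sed -n "s/^group:${group}:\([rwx-]*\).*/\1/p" | head -n 1
}

# Constructed getfacl output for the share after apply_share_acl (not real system output).
SAMPLE_ACL='# file: srv/shares/finance
# owner: root
# group: staff
user::rwx
group::r-x
group:finance:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:finance:rwx
default:mask::rwx
default:other::---'

# Stand-alone run: show the spec and check the constructed ACL for the extra group.
share_acl_spec finance; echo
printf '%s\n' "$SAMPLE_ACL" | group_perm_in_acl finance
```

To verify on the real server, run `getfacl /srv/shares/finance` after `apply_share_acl /srv/shares/finance finance` and confirm that a `group:finance:rwx` line and a `default:group:finance:rwx` line are present; if `mask::` shows less than `rwx`, the effective permission is cut down to the mask. On the Samba side the share must also admit the group (for example `valid users = @finance` in smb.conf, an assumption about your configuration, not something the thread states).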
Does LDAP synchronize its accounts with the local accounts in /etc/passwd and /etc/groups of the local machine that is holding all of my Linux accounts (I hope you understand that)? The reason that I ask this is because if you create a user in LAM and LDAP, then it should also create the account in /etc/passwd and /etc/group, correct?
No. The relevant Linux components (nsswitch, PAM) will work with multiple information sources, but use local files by default. The idea is that you create the minimum on each system, and define the rest in your directory service. You configure your systems to check their local files first for each lookup, and then query the network directory service if there is no match.
So the accounts in LDAP are completely separate from the accounts that are stored on the local machine under /etc/passwd and /etc/groups, right? If that is the case, then what controls the permissions of the directories that are being shared on the machine? So really, then, LDAP is only used for account authentication? I am confused!
Well, the basic principles are really the same as Windows - once you attach a system to a domain administrators can specify users and groups from either network sources or the local account files (/etc/passwd and friends) when they set permissions on files and directories. If you configure the system correctly chown etc. don't care whether the names that you specify are from a standard LDAP directory, an Active Directory, or the local account files. An LDAP directory is just a kind of database that can hold user account information (and many other things) for client systems to search.
Note that the system hosting an LDAP service doesn't automatically use that directory service for account lookups - you have to configure it like any other client system. Fedora ships with a tool to attach the system to authentication sources like LDAP, Kerberos etc.
There is a shortage of good documentation for OpenLDAP, but Red Hat provide several free books from their Website for "Red Hat Directory Server", which is a brand name for their own LDAP product (Fedora Directory Server):
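An added example for the two points above, the "local files first, then the directory" lookup order and the fact that chown does not care where a name comes from once the system is attached (example code, not from the thread). The nsswitch.conf fragments are constructed; the user "alice", the group "finance" and the share /srv/shares/finance are assumptions. The Fedora tool referred to above is named here from my own knowledge as authconfig; the thread itself does not name it.

```sh
#!/bin/sh
# Added example: check the nsswitch lookup order and resolve directory
# accounts before using them in chown. Assumed names (not from the thread):
# user "alice", group "finance", share /srv/shares/finance.

# Constructed nsswitch.conf fragment in the recommended order: local files
# first, then LDAP, so root and system accounts still resolve when the
# directory server is unreachable.
NSSWITCH_OK='passwd:     files ldap
shadow:     files ldap
group:      files ldap'

# The same fragment with the order reversed: a lookup for "root" now waits
# on an LDAP timeout before falling back to /etc/passwd.
NSSWITCH_BAD='passwd:     ldap files
shadow:     ldap files
group:      ldap files'

# Print the sources listed for one database in nsswitch.conf text.
# $1: the file contents, $2: database name (passwd, group, ...). Output e.g. "files ldap".
nss_sources() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1 \
        | tr -s ' \t' ' ' | sed 's/ *$//'
}

# Return 0 when "files" is consulted before anything else for the database.
files_before_ldap() {
    case $(nss_sources "$1" "$2") in
        files*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Warn about any database on the live system that does not list files first.
audit_nsswitch() {
    [ -r /etc/nsswitch.conf ] || return 0
    for db in passwd shadow group; do
        files_before_ldap "$(cat /etc/nsswitch.conf)" "$db" \
            || echo "warning: $db does not list files first in /etc/nsswitch.conf" >&2
    done
}

# Resolve the names through nsswitch (files or LDAP, whichever matches) before
# handing them to chown; "chown: invalid user" is the usual symptom of a system
# that was never attached to the directory. setgid on the directory makes new
# files pick up the share's group, which matters for Samba users.
chown_share() {
    user=$1; group=$2; dir=$3
    getent passwd "$user" >/dev/null || { echo "user $user does not resolve" >&2; return 1; }
    getent group "$group" >/dev/null || { echo "group $group does not resolve" >&2; return 1; }
    chown "$user:$group" "$dir" && chmod 2770 "$dir"
}

# On Fedora the system is attached to the directory with authconfig, e.g.
#   authconfig --enableldap --enableldapauth \
#       --ldapserver=ldap.example.com --ldapbasedn=dc=example,dc=com --update
# (server and base DN are placeholders). It rewrites nsswitch.conf and the PAM stack.

# Stand-alone run: show the parsed order of the constructed fragment and audit this host.
nss_sources "$NSSWITCH_OK" passwd
audit_nsswitch
```

After attaching, `getent passwd alice` should print the LDAP entry even though alice is not in /etc/passwd; if it prints nothing, fix nsswitch (and the LDAP client configuration) before touching permissions on the share, because chown and setfacl will simply refuse the unknown name.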
So in order for LDAP to control the whole system, I have to make the whole computer use LDAP as the authentication mechanism? I have tried that and modified my system to act as a client and played with the nsswitch.conf file, etc. I will create another post for that particular problem.