Full Installation Guide - NSS
From Qmail-LDAP Wiki
NSS (Optional)
In a traditional UNIX system, users access the system through a terminal or console, and the information about users and groups is commonly stored in text files such as /etc/passwd. In modern systems it is often necessary for the same user to be able to access different systems with a single set of identity information (usually a login and password). To facilitate this sort of configuration, in 1985 Sun Microsystems invented NIS (Network Information Service), an architecture in which a centralized database of users can be accessed by multiple servers. With Solaris 2, Sun created an API capable of interacting with different authentication methods (NIS, NIS+, etc.). Any application written against this API does not need to know where the users are stored (local files, remote databases, etc.). This API is called NSS, and it allows us to use different methods to validate users. The main configuration is defined in the file /etc/nsswitch.conf, which determines the policy and precedence followed to authenticate users.
If we use NSS, LDAP users will also be valid system users: they can have shell accounts and own files, and Samba and any other application that uses local users will recognize LDAP users as valid.
Debian
To enable NSS in Debian you must install the necessary packages:
apt-get install libpam-ldap libnss-ldap libnet-ldap-perl
Define LDAP access in /etc/libnss-ldap.conf:
host 127.0.0.1
base dc=domain,dc=com
ldap_version 3
binddn cn=Manager,dc=domain,dc=com
bindpw secret
nss_base_passwd ou=users,dc=domain,dc=com?sub
nss_base_group ou=grupos,dc=domain,dc=com?sub
And at last configure /etc/nsswitch.conf like this:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
This allows the Unix system to recognize LDAP users as local users, using the LDAP credentials stored in libnss-ldap.conf.
FreeBSD
Install the following packages:
- nss-3.9.2.tbz
- nss_ldap-1.204_5.tbz
Then:
cd /usr/local/etc/
cp nss_ldap.conf.sample nss_ldap.conf
And in nss_ldap.conf:
base dc=domain,dc=com
ldap_version 3
binddn cn=Manager,dc=domain,dc=com
bindpw secret
nss_base_passwd ou=users,dc=ISP?one
nss_base_shadow ou=users,dc=ISP?one
nss_base_group ou=grupos,dc=domain,dc=com?one
After this, any user added to LDAP that has the posixAccount object class will be seen as a Unix user.
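The following script is an added example, not part of the wiki page or of nss_ldap itself: it checks that the nsswitch.conf databases configured above actually consult ldap, and flags the case where the file carrying the bindpw line (libnss-ldap.conf on Debian, nss_ldap.conf on FreeBSD) is readable by every local user. Config paths are arguments; the sample files it creates are constructed copies of the Debian settings shown above.

```shell
#!/bin/sh
# Added example (not from the wiki): sanity checks for the NSS/LDAP setup
# described above. The config paths are arguments, so it can be pointed at
# /etc/nsswitch.conf and /etc/libnss-ldap.conf (Debian) or
# /usr/local/etc/nss_ldap.conf (FreeBSD). Sample files below are constructed.

# Print the lookup sources configured for one nsswitch database, e.g.
# "compat ldap". Comments are stripped and the first matching entry wins.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }
        $1 == (db ":") { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Succeed only if every listed database (default: the three the Debian
# section configures) consults ldap; report the first one that does not.
ldap_enabled() {
    conf=$1; shift
    [ $# -gt 0 ] || set -- passwd group shadow
    for db in "$@"; do
        case " $(nss_sources "$conf" "$db") " in
            *" ldap "*) ;;
            *) echo "nsswitch: '$db' does not consult ldap" >&2; return 1 ;;
        esac
    done
}

# Succeed (exposed) when the file holds a bindpw line and is readable by
# "others". nss_ldap is loaded into ordinary users' processes, so this file
# is often left world-readable, which hands the bind password to every
# local account. Column 8 of ls -l is the others-read bit.
bindpw_exposed() {
    grep -q '^[[:space:]]*bindpw[[:space:]]' "$1" || return 1
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Demo on constructed copies of the Debian files from the wiki page.
demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat ldap\n' > "$d/nsswitch.conf"
    printf 'host 127.0.0.1\nbinddn cn=Manager,dc=domain,dc=com\nbindpw secret\n' > "$d/libnss-ldap.conf"
    chmod 644 "$d/libnss-ldap.conf"
    ldap_enabled "$d/nsswitch.conf" && echo "nsswitch.conf: ldap consulted for passwd, group and shadow"
    if bindpw_exposed "$d/libnss-ldap.conf"; then
        echo "WARNING: libnss-ldap.conf is world-readable and contains bindpw"
    fi
    rm -rf "$d"
}

demo
```

Once the real files are in place, `getent passwd <ldapuser>` goes through nsswitch.conf and confirms end to end that an LDAP posixAccount resolves as a local user.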
