25.5. The YaST LDAP Client

YaST includes a module to set up LDAP-based user management. If you did not enable this feature during the installation, start the module by selecting Network Services+LDAP Client. YaST automatically enables any PAM and NSS related changes as required by LDAP (described below) and installs the necessary files.

25.5.1. Standard Procedure

Background knowledge of the processes acting in the background of a client machine helps you understand how the YaST LDAP client module works. If LDAP is activated for network authentication or the YaST module is called, the packages pam_ldap and nss_ldap are installed and the two corresponding configuration files are adapted. pam_ldap is the PAM module responsible for negotiation between login processes and the LDAP directory as the source of authentication data. The dedicated module pam_ldap.so is installed and the PAM configuration is adapted (see Example 25.11, “pam_unix2.conf Adapted to LDAP”).

Example 25.11. pam_unix2.conf Adapted to LDAP

auth:       use_ldap 
account:    use_ldap
password:   use_ldap 
session:    none

When manually configuring additional services to use LDAP, include the PAM LDAP module in the PAM configuration file corresponding to the service in /etc/pam.d. Configuration files already adapted to individual services can be found in /usr/share/doc/packages/pam_ldap/pam.d/. Copy appropriate files to /etc/pam.d.

glibc name resolution through the nsswitch mechanism is adapted to the employment of LDAP with nss_ldap. A new, adapted file nsswitch.conf is created in /etc/ with the installation of this package. More about the workings of nsswitch.conf can be found in Section 18.6.1, “Configuration Files”. The following lines must be present in nsswitch.conf for user administration and authentication with LDAP. See Example 25.12, “Adaptations in nsswitch.conf”.

Example 25.12. Adaptations in nsswitch.conf

passwd: compat
group: compat

passwd_compat: ldap
group_compat: ldap

These lines order the resolver library of glibc first to evaluate the corresponding files in /etc and additionally access the LDAP server as sources for authentication and user data. Test this mechanism, for example, by reading the content of the user database with the command getent passwd. The returned set should contain a survey of the local users of your system as well as all users stored on the LDAP server.

To prevent regular users managed through LDAP from logging in to the server with ssh or login, the files /etc/passwd and /etc/group each need to include an additional line. This is the line +::::::/sbin/nologin in /etc/passwd and +::: in /etc/group.

25.5.2. Configuration of the LDAP Client

After the initial adjustments of nss_ldap, pam_ldap, /etc/passwd, and /etc/group have been taken care of by YaST, you can simply connect your client to the server and let YaST do user management via LDAP. This basic setup is described in Section 25.5.2.1, “Basic Configuration”.

Use the YaST LDAP client to further configure the YaST group and user configuration modules. This includes manipulating the default settings for new users and groups and the number and nature of the attributes assigned to a user or a group. LDAP user management allows you to assign far more and different attributes to users and groups than traditional user or group management solutions. This is described in Section 25.5.2.2, “Configuring the YaST Group and User Administration Modules”.

25.5.2.1. Basic Configuration

The basic LDAP client configuration dialog (Figure 25.2, “YaST: Configuration of the LDAP Client”) opens during installation if you choose LDAP user management or when you select Network Services+LDAP Client in the YaST Control Center in the installed system.

Figure 25.2. YaST: Configuration of the LDAP Client

YaST: Configuration of the LDAP Client

To authenticate users of your machine against an OpenLDAP server and enable user management via OpenLDAP, proceed as follows:

  1. Click Use LDAP to enable the use of LDAP. Select Use LDAP but Disable Logins instead if you want to use LDAP for authentication, but do not want other users to log in to this client.

  2. Enter the IP address of the LDAP server to use.

  3. Enter the LDAP base DN to select the search base on the LDAP server.

    If you want to retrieve the base DN automatically, click Fetch DN. YaST then checks for any LDAP database on the server address specified above. Choose the appropriate base DN from the search results given by YaST.

  4. If TLS or SSL protected communication with the server is required, select LDAP TLS/SSL.

  5. If the LDAP server still uses LDAPv2, explicitly enable the use of this protocol version by selecting LDAP Version 2.

  6. Select Start Automounter to mount remote directories on your client, such as a remotely managed /home.

  7. Click Finish to apply your settings.

Figure 25.3. YaST: Advanced Configuration

YaST: Advanced Configuration

To modify data on the server as administrator, click Advanced Configuration. The following dialog is split in two tabs. See Figure 25.3, “YaST: Advanced Configuration”:

  1. In the Client Settings tab, adjust the following settings to your needs:

    1. If the search base for users, passwords, and groups differs from the global search base specified the LDAP base DN, enter these different naming contexts in User Map, Password Map, and Group Map.

    2. Specify the password change protocol. The standard method to use whenever a password is changed is crypt, meaning that password hashes generated by crypt are used. For details on this and other options, refer to the pam_ldap man page.

    3. Specify the LDAP group to use with Group Member Attribute. The default value for this is member.

  2. In Administration Settings, adjust the following settings:

    1. Set the base for storing your user management data via Configuration Base DN.

    2. Enter the appropriate value for Administrator DN. This DN must be identical with the rootdn value specified in /etc/openldap/slapd.conf to enable this particular user to manipulate data stored on the LDAP server. Enter the full DN (such as cn=admin,dc=suse,dc=de) or activate Append Base DN to have the base DN added automatically when you enter cn=admin.

    3. Check Create Default Configuration Objects to create the basic configuration objects on the server to enable user management via LDAP.

    4. If your client machine should act as a file server for home directories across your network, check Home Directories on This Machine.

    5. Click Accept to leave the Advanced Configuration then Finish to apply your settings.

Use Configure User Management Settings to edit entries on the LDAP server. Access to the configuration modules on the server is then granted according to the ACLs and ACIs stored on the server. Follow the procedures outlined in Section 25.5.2.2, “Configuring the YaST Group and User Administration Modules”.

25.5.2.2. Configuring the YaST Group and User Administration Modules

Use the YaST LDAP client to adapt the YaST modules for user and group administration and to extend them as needed. Define templates with default values for the individual attributes to simplify the data registration. The presets created here are stored as LDAP objects in the LDAP directory. The registration of user data is still done with the regular YaST modules for user and group management. The registered data is stored as LDAP objects on the server.

Figure 25.4. YaST: Module Configuration

YaST: Module Configuration

The dialog for module configuration (Figure 25.4, “YaST: Module Configuration”) allows the creation of new modules, selection and modification of existing configuration modules, and design and modification of templates for such modules.

To create a new configuration module, proceed as follows:

  1. Click New and select the type of module to create. For a user configuration module, select suseuserconfiguration and for a group configuration choose susegroupconfiguration.

  2. Choose a name for the new template.

    The content view then features a table listing all attributes allowed in this module with their assigned values. Apart from all set attributes, the list also contains all other attributes allowed by the current schema but currently not used.

  3. Accept the preset values or adjust the defaults to use in group and user configuration by selecting the respective attribute, pressing Edit, and entering the new value. Rename a module by simply changing the cn attribute of the module. Clicking Delete deletes the currently selected module.

  4. After you click OK, the new module is added to the selection menu.

The YaST modules for group and user administration embed templates with sensible standard values. To edit a template associated with a configuration module, proceed as follows:

  1. In the Module Configuration dialog, click Configure Template.

  2. Determine the values of the general attributes assigned to this template according to your needs or leave some of them empty. Empty attributes are deleted on the LDAP server.

  3. Modify, delete, or add new default values for new objects (user or group configuration objects in the LDAP tree).

Figure 25.5. YaST: Configuration of an Object Template

YaST: Configuration of an Object Template

Connect the template to its module by setting the susedefaulttemplate attribute value of the module to the DN of the adapted template.

[Tip]Tip

The default values for an attribute can be created from other attributes by using a variable instead of an absolute value. For example, when creating a new user, cn=%sn %givenName is created automatically from the attribute values for sn and givenName.

Once all modules and templates are configured correctly and ready to run, new groups and users can be registered in the usual way with YaST.