"Fossies" - the Fresh Open Source Software Archive

Member "nss_ldap-265/doc/README.SFU" (6 Nov 2009, 6132 Bytes) of package /linux/privat/old/nss_ldap-265.tar.gz:



*******************************************************************

nss_ldap-AD-pwdgrp

  This file describes the modifications that were made to, and the
  build process of, the nss_ldap-150 source to allow passwd and
  group info to be retrieved from a Windows 2000 Active Directory.

  Modified by: 	djflux (Andrew Rechenberg) - dj_flux@yahoo.com
  Date:		3 May 2001
  URL:		http://w3.one.net/~djflux/nss_ldap-AD.shtml

*******************************************************************

***              ***
*** IMPORTANT!!! ***
***              ***
-- One MUST have Microsoft Server for NIS from Microsoft Services
   for UNIX 2.0 installed on a Windows 2000 Server Domain Controller
   in order for this modified module to operate correctly.  See the
   URL below for more info about SFU 2.0:

	http://www.microsoft.com/windows2000/sfu

-- One must also have the LDAP devel libraries installed on the machine
   in order to properly build this module.  The proper headers and
   libraries can be found in the openldap-devel package.

From: "Rechenberg, Andrew" <arechenberg@shermfin.com>
Subject: RE: [nssldap] Can not get nss_ldap to work, can anyone please help me?
To: "'Allister Maguire'" <amaguire@actonz.com>, nssldap@padl.com
Date: Thu, 24 Jan 2002 09:28:36 -0500


The README.SFU is slightly out of date and off topic now.  I
originally wrote README.SFU when I modified nss_ldap and Luke Howard
integrated the patch into nss_ldap-150, I believe, as a configure option.

There is now the ability to do schema mapping in nss_ldap and change which
attributes are used for LDAP lookups.  You have to use the following
configure option:

./configure --enable-schema-mapping [REST_OF_YOUR_OPTIONS_HERE]

Once nss_ldap is compiled then you edit your ldap.conf file and uncomment
the attribute mapping under the MSSFU section (use your favorite text editor
and search for MSSFU and you should find it).  Once you do that, and you
modify your nsswitch.conf, you should be off and running.

Let me know if you need any more help.

Regards,
Andy.



*
*** Test systems specifications ***
*
This module has been tested and works with the following operating
system versions:

RedHat Linux 7.1, kernel 2.4.2-2, against Win2000 Server SP1 mixed-mode
RedHat Linux 6.2, kernel 2.2.17 (smp, custom), Win2000 Server SP1 mixed mode
RedHat Linux 6.1, kernel 2.2.17 (smp, custom), Win2000 Server SP1 mixed mode

The module should compile and work with other *NIX/*BSD OS's, but your mileage
may vary.

I believe there is a coding difference in certain applications between Red
Hat 6.1, and versions 6.2 and greater.  When testing the modified module I
used 'id [USERNAME]' to make sure that the correct information was being
retrieved from the AD.  In Red Hat versions 6.2 or greater (7.0 not tested,
but it should be the same), 'id [USERNAME]' would only return UID, and primary
GID.  If [USERNAME] was logged in interactively and ran 'id' the command showed
UID, primary GID, and all other group memberships.

However, when running 'id [USERNAME]' in Red Hat 6.1, the command returned a
"Segmentation Fault."  If the user is logged in interactively on 6.1, all of
the correct information is still retrieved.

I am going to check into this issue, but the module should still behave correctly
under 6.1.  Let me know if you find out anything different.


*
*** What was modified ***
*
There is very little to modify in order to retrieve passwd and group
information from a Windows 2000 Active Directory.

[Ed note: the patches are incorporated, so all you need to do is
 run ./configure --enable-mssfu-schema]

Supplied in the ./admods directory is the context diff of ldap-schema.h.
This file shows the attributes that needed to be modified in order to
use nss_ldap for user and group information on a Linux machine.  Besides
a slight modification of the Makefile, this is the only file that needs
to be changed.

Below are the lines that need to be modified in the Makefile.  Just make
the lines in your Makefile similar to the ones below.

nss_ldap_so_LDFLAGS = -shared -L/lib/libdb.so
LDFLAGS = -L/lib/libdb.so
NSS_LDAP_LDFLAGS = -enss_ldap_initialize -lsys -lcsys -lc -ldb
LIBS = -lldap -llber -lnsl -lresolv -ldb

The "-ldb" in NSS_LDAP_LDFLAGS and LIBS may not be necessary, but I
wasn't about to change anything in the module after I had it working :)
Also, the -L switch should have the path to your libdb.so (e.g. if libdb.so.3
is in /usr/local/lib then your LDFLAGS should have -L/usr/local/lib/libdb.so.3).


*
*** Building it ***
*
This is the procedure that was used to build this module. The ldap-schema.h
file included in this source tree has already been modified to work with
SFUed Active Directory, so you do not need to modify that file.  The
ldap-schema.diff file has been provided for illustration purposes so one
knows what attributes have been modified.

1) make distclean
2) ./configure --with-ldap=openldap --libdir=/lib --enable-mssfu-schema
3) Modify Makefile so that the lines in Makefile are similar to those listed
    above.
4) make install

That's it!


*
*** /etc/ldap.conf ***
*
Modify your /etc/ldap.conf file to match your Active Directory/LDAP
configuration.  Unless you have changed your AD from the stock install,
you should have the following RFC2307bis naming contexts in your
ldap.conf file:

nss_base_passwd		cn=Users,dc=yourdomain,dc=com?one
nss_base_group		cn=Users,dc=yourdomain,dc=com?one

With the stock Active Directory, all users and groups are located in the
cn=users container underneath your domain.  If your AD has been modified,
then modify the naming contexts to suit your directory.

You should also set the PAM login attribute.  Mine is as follows:

pam_login_attribute	msSFUName

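Added example (not part of the original README or the nss_ldap source): a POSIX shell check that an ldap.conf carries the settings described above, namely nss_base_passwd and nss_base_group with a valid ?scope suffix, plus pam_login_attribute, and that nsswitch.conf lists ldap as a source. The function names and sample files are constructed for illustration; the accepted scopes base, one and sub follow nss_ldap's base?scope?filter syntax.

```shell
# Added example: audit an nss_ldap ldap.conf and nsswitch.conf (constructed names and data).

# Print the value of the last uncommented line that starts with keyword $2.
conf_value() {  # $1 = file, $2 = keyword
    awk -v k="$2" '$1 == k && NF > 1 { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); v = $0 }
                   END { if (v != "") print v }' "$1"
}

# Check one "nss_base_XXX base?scope?filter" entry and print a verdict.
check_base() {  # $1 = file, $2 = map (passwd, group, ...)
    val=$(conf_value "$1" "nss_base_$2")
    [ -n "$val" ] || { echo "missing"; return 1; }
    case "$val" in *\?*) rest=${val#*\?}; scope=${rest%%\?*} ;; *) scope= ;; esac
    case "$scope" in
        base|one|sub) echo "ok scope=$scope" ;;
        "")           echo "ok scope=default" ;;
        *)            echo "bad-scope=$scope"; return 1 ;;
    esac
}

# Report the settings this README relies on; exit status = problem count.
audit_ldap_conf() {  # $1 = file
    problems=0
    for map in passwd group; do
        res=$(check_base "$1" "$map") || problems=$((problems + 1))
        echo "nss_base_$map: $res"
    done
    attr=$(conf_value "$1" pam_login_attribute)
    [ -n "$attr" ] || { attr="missing"; problems=$((problems + 1)); }
    echo "pam_login_attribute: $attr"
    return "$problems"
}

# Succeed when database $2 in nsswitch.conf $1 lists "ldap" as a source.
nsswitch_uses_ldap() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                     END { exit !ok }' "$1"
}

# Constructed sample input: the group entry has an invalid scope on purpose.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' '#nss_base_shadow cn=Users,dc=yourdomain,dc=com?one' \
    'nss_base_passwd cn=Users,dc=yourdomain,dc=com?one' \
    'nss_base_group cn=Users,dc=yourdomain,dc=com?tree' \
    'pam_login_attribute msSFUName' > "$SAMPLE_DIR/ldap.conf"
printf 'passwd: files ldap\ngroup: files\n' > "$SAMPLE_DIR/nsswitch.conf"
audit_ldap_conf "$SAMPLE_DIR/ldap.conf" || echo "ldap.conf problems: $?"
nsswitch_uses_ldap "$SAMPLE_DIR/nsswitch.conf" group || echo "group: no ldap source"
```

On a live host, point the functions at /etc/ldap.conf and /etc/nsswitch.conf, then confirm resolution with 'id [USERNAME]' as described in the test notes above.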

*
*** Basic info ***
*
For basic setup of LDAP authentication and information storage and retrieval
see the following URLs (specific to OpenLDAP and Linux, but they give one a
good base understanding of how the process works):

http://www.linux.com/howto/LDAP-Implementation-HOWTO/pamnss.html
http://www.openldap.org/lists/openldap-software//200010/msg00097.html
