[Freeipa-users] FreeIPA for Linux desktop deployment
Ben Eisenbraun
bene at hkl.hms.harvard.edu
Mon May 9 13:29:46 UTC 2011
Hi Nasir,
Here are my notes (in Trac wiki markup format no less) for manually setting
up Ubuntu clients to use our FreeIPA 1.2 server. I haven't tested the 2.0
branch yet, but I suspect it's primarily the same.
HTH.
-ben
--
| Ben Eisenbraun
| SBGrid Consortium | http://sbgrid.org |
| Harvard Medical School | http://hms.harvard.edu |
== Accounts/Authentication ==
Install required packages:
{{{
apt-get install ldap-utils krb5-user libpam-ldap libnss-ldap nss-updatedb libnss-db autofs nfs-common autofs-ldap
}}}
This should spawn a dpkg-configure instance for Kerberos; give the proper information.
Edit /etc/nsswitch.conf to include:
{{{
passwd: files ldap
group: files ldap
automount: files ldap
}}}
Edit /etc/ldap.conf to include:
{{{
uri ldap://your.server.name
base dc=EXAMPLE,dc=COM
# soft: do not retry forever when the server is unreachable, so local logins do not hang
bind_policy soft
pam_lookup_policy yes
pam_password md5
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
# FreeIPA groups store membership in "member"; rfc2307bis lookups expect "uniqueMember"
nss_map_attribute uniqueMember member
# no TLS: the simple bind pam_ldap performs sends the user's password in cleartext
ssl no
ldap_version 3
pam_filter objectClass=posixAccount
}}}
To enable pam-ldap, run:
{{{
pam-auth-update
}}}
To enable autofs-managed home directories, edit /etc/ldap/ldap.conf to read:
{{{
BASE dc=EXAMPLE,dc=COM
URI ldap://your.server.name
}}}
For Kerberos config, edit /etc/krb5.conf to include:
{{{
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DEV-NETWORK.IN.HWLAB
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DEV-NETWORK.IN.HWLAB = {
  kdc = your.server.name
  admin_server = your.server.name
 }

[domain_realm]
# the mapping must name the realm defined in [realms] above; with
# dns_lookup_kdc = false a host mapped to any other realm has no KDC to ask
 dev-network.in.hwlab = DEV-NETWORK.IN.HWLAB
 .dev-network.in.hwlab = DEV-NETWORK.IN.HWLAB
}}}
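The whole client procedure above, collected into one script as an added example (this is not code from the original post and not a FreeIPA project tool). It writes the same four files the notes describe, but goes beyond them in two ways: it turns on STARTTLS with server certificate verification instead of `ssl no`, and it derives the `[domain_realm]` entries from the realm so they always point at the realm whose KDC is defined. The CA certificate path `/etc/ipa/ca.crt`, the `DESTDIR` parameter (`/etc` on a real client, a scratch directory when trying it out), and the function names are assumptions of this example, not anything from the notes.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the FreeIPA client
# config files from the notes, with LDAP over STARTTLS and certificate
# verification instead of "ssl no" (which lets pam_ldap send the user's
# password to the directory in cleartext).
# Assumptions not in the notes: the CA cert path (the CA that issued the
# FreeIPA server's LDAP certificate) and the DESTDIR parameter, which is /etc
# on a real client and a scratch directory when testing.
set -eu

# set_nss_sources FILE: point passwd, group and automount at "files ldap",
# leaving every other nsswitch database line untouched.
set_nss_sources() {
    f=$1
    [ -f "$f" ] || : > "$f"
    for db in passwd group automount; do
        if grep -q "^$db:" "$f"; then
            sed "s/^$db:.*/$db: files ldap/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        else
            printf '%s: files ldap\n' "$db" >> "$f"
        fi
    done
}

# gen_ipa_client_conf DESTDIR SERVER REALM BASEDN CACERT
gen_ipa_client_conf() {
    dest=$1
    server=$2
    realm=$3
    basedn=$4
    cacert=$5
    # The DNS domain is the realm in lowercase. [domain_realm] must map it to
    # the realm whose KDC is defined below; with dns_lookup_kdc = false a host
    # mapped to any other realm has no KDC to ask for a service ticket.
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    mkdir -p "$dest/ldap"

    # pam_ldap / nss_ldap configuration (the notes' /etc/ldap.conf, plus TLS)
    cat > "$dest/ldap.conf" <<EOF
uri ldap://$server
base $basedn
bind_policy soft
pam_lookup_policy yes
pam_password md5
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
ssl start_tls
tls_checkpeer yes
tls_cacertfile $cacert
ldap_version 3
pam_filter objectClass=posixAccount
EOF

    # OpenLDAP client defaults, used by autofs-ldap and ldapsearch; TLS_CACERT
    # makes "ldapsearch -ZZ" verify the server certificate as well
    cat > "$dest/ldap/ldap.conf" <<EOF
BASE $basedn
URI ldap://$server
TLS_CACERT $cacert
EOF

    cat > "$dest/krb5.conf" <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 $realm = {
  kdc = $server
  admin_server = $server
 }

[domain_realm]
 $domain = $realm
 .$domain = $realm
EOF

    set_nss_sources "$dest/nsswitch.conf"
}

# On a client, as root, after installing the packages from the notes:
#   gen_ipa_client_conf /etc ipa.example.com EXAMPLE.COM dc=example,dc=com /etc/ipa/ca.crt
#   pam-auth-update
```

Before enabling pam-ldap on a real client, confirm the TLS side works from the same box: `ldapsearch -ZZ -x -H ldap://your.server.name -b dc=EXAMPLE,dc=COM '(objectClass=posixAccount)' uid` must return entries rather than a certificate error (`-ZZ` makes the STARTTLS failure fatal instead of silently falling back to cleartext), and `kinit someuser` followed by `getent passwd someuser` checks the Kerberos and NSS halves separately.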