Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006 Installation Manual page 699

pam_ldap.so is installed and the PAM configuration is adapted (see
"pam_unix2.conf Adapted to LDAP"
Example 37.11 pam_unix2.conf Adapted to LDAP
auth: use_ldap
account: use_ldap
password: use_ldap
session: none
When manually configuring additional services to use LDAP, include the PAM LDAP
module in the PAM configuration file corresponding to the service in /etc/pam.d.
Configuration files already adapted to individual services can be found in /usr/
share/doc/packages/pam_ldap/pam.d/. Copy appropriate files to /etc/
pam.d.
glibc name resolution through the nsswitch mechanism is adapted to the employ-
ment of LDAP with nss_ldap. A new, adapted file nsswitch.conf is created in
/etc with the installation of this package. Find more about the workings of nsswitch
.conf in Section 31.6.1, "Configuration Files"
be present in nsswitch.conf for user administration and authentication with LDAP.
See Example 37.12, "Adaptations in nsswitch.conf"
Example 37.12 Adaptations in nsswitch.conf
passwd: compat
group: compat
passwd_compat: ldap
group_compat: ldap
These lines order the resolver library of glibc first to evaluate the corresponding files
in /etc and additionally access the LDAP server as sources for authentication and
user data. Test this mechanism, for example, by reading the content of the user database
with the command getent passwd. The returned set should contain a survey of the
local users of your system as well as all users stored on the LDAP server.
To prevent regular users managed through LDAP from logging in to the server with
ssh or login, the files /etc/passwd and /etc/group each need to include an
additional line. This is the line +::::::/sbin/nologin in /etc/passwd and
+::: in /etc/group.
(page 699)).
(page 603). The following lines must
(page 699).
Example 37.11,
LDAP—A Directory Service 699