Dell Wyse Enhanced Ubuntu Linux T50 User Manual, Page 216

Appendix C. Manually Configuring Integration with Novell eDirectory
Repeat the steps above for the uidNumber and gidNumber attributes, adjusting parameters as needed.
C.3. Removing Attribute Mappings
After extending the schema, two attribute mappings must be removed for proper operation. If they are
not removed, neither uidNumber nor gidNumber will work as needed.
Attribute mappings map LDAP attribute names to NDS attribute names, a compatibility feature of
Novell NDS. Since NDS predates the LDAP specification, a lot of software exists that uses the NDS
names of object classes and attributes.
In order for LDAP authentication to work, the mapping from uidNumber to UID as well as the one from
gidNumber to GID must be removed.
To remove the mappings, right-click the LDAP Group object at the root level of your tree and select
Properties. The Attribute Map tab lists the attribute mappings. Depending on your version of
eDirectory and ConsoleOne, there is either a direct mapping between gidNumber and GID, or a mapping
between groupID and GID with gidNumber as a secondary LDAP attribute. If a search function is
available, use it to locate the relevant mappings, and delete them.
One symptom of leftover mappings for gidNumber and uidNumber is that a search of eDirectory for
groups that does not name the attributes to return shows gidNumber in the results, while a search that
explicitly requests gidNumber returns no value for it.
C.4. Adding nss_map_attribute statements to /etc/ldap.conf
For NSS (looking up information about users and groups) to work well when fetching information from
eDirectory, the following three lines should be in /etc/ldap.conf:
nss_map_attribute uniqueMember member
nss_map_attribute uid cn
pam_password nds
The first two make sure that the Linux machine asks for the correct attributes and, more importantly, that
when working out which groups a user is a member of, it does not have to look up every DN found as a
member to find out which uid it corresponds to: with uid mapped to cn, the uid can be read straight from
the cn RDN of each member DN. The last line makes password changes made from Linux work against
eDirectory. Use any PAM-enabled password-changing program in Linux to achieve this functionality.
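The effect of these three lines, modelled in Python as an added example (this is not code from the manual, ThinLinc or nss_ldap): it parses an /etc/ldap.conf fragment, reports which of the three required lines are missing, rewrites the attribute names in NSS search filters the way nss_map_attribute does, and resolves a user's groups from eDirectory entries by reading the uid from the cn RDN of each member DN instead of fetching every member entry. The ldap.conf fragment, the base o=example, the URI, and the group and user entries are constructed sample data, and the per-DN "slow path" lookup is a simplified model of what a client without the mapping would have to do.

```python
"""Model of nss_ldap's nss_map_attribute handling. Added example, not
code from the manual or from ThinLinc/nss_ldap. All data is constructed."""
import re

# Constructed /etc/ldap.conf fragment (sample input, not a real file).
SAMPLE_LDAP_CONF = """\
# nss_ldap / pam_ldap configuration (constructed sample)
base o=example
uri ldap://edirectory.example.com/
nss_map_attribute uniqueMember member
nss_map_attribute uid cn
pam_password nds
"""

# The three lines the manual requires for eDirectory.
REQUIRED = {
    ("nss_map_attribute", "uniqueMember", "member"),
    ("nss_map_attribute", "uid", "cn"),
    ("pam_password", "nds"),
}

# Constructed eDirectory entries as they look after the schema extension.
SAMPLE_GROUPS = [
    {"dn": "cn=developers,ou=groups,o=example", "gidNumber": "5000",
     "member": ["cn=alice,ou=users,o=example", "cn=bob,ou=users,o=example"]},
    {"dn": "cn=admins,ou=groups,o=example", "gidNumber": "5001",
     "member": ["cn=alice,ou=users,o=example"]},
]
SAMPLE_USERS = {
    "cn=alice,ou=users,o=example": {"uid": "alice", "uidNumber": "1001"},
    "cn=bob,ou=users,o=example": {"uid": "bob", "uidNumber": "1002"},
}


def parse_ldap_conf(text):
    """Return the directives as tuples of whitespace-separated words,
    skipping blank lines and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(tuple(line.split()))
    return entries


def missing_required(text):
    """Return the required lines (as strings) that are absent from text."""
    present = set(parse_ldap_conf(text))
    return sorted(" ".join(req) for req in REQUIRED if req not in present)


def attribute_map(text):
    """NSS attribute name -> directory attribute name, from nss_map_attribute lines."""
    return {e[1]: e[2] for e in parse_ldap_conf(text)
            if e[0] == "nss_map_attribute" and len(e) == 3}


FILTER_ATTR = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=")


def rewrite_filter(ldap_filter, amap):
    """Rewrite attribute names inside an LDAP search filter using the map,
    e.g. (uid=alice) becomes (cn=alice) when uid is mapped to cn."""
    return FILTER_ATTR.sub(lambda m: "(" + amap.get(m.group(1), m.group(1)) + "=",
                           ldap_filter)


def rdn_value(dn, attr):
    """Value of the leftmost RDN of dn if its type is attr, else None."""
    typ, _, val = dn.split(",", 1)[0].partition("=")
    return val if typ.strip().lower() == attr.lower() else None


def groups_of(uid, groups, users, amap):
    """Return (gidNumbers of groups uid belongs to, number of extra DN lookups).
    With uid mapped to cn the uid is the cn RDN of each member DN, so no
    extra lookups are needed; otherwise each member entry must be fetched."""
    member_attr = amap.get("uniqueMember", "uniqueMember")
    uid_attr = amap.get("uid", "uid")
    gids, lookups = [], 0
    for group in groups:
        for dn in group.get(member_attr, []):
            val = rdn_value(dn, uid_attr)
            if val is None:             # RDN not usable: fetch the entry (slow path)
                lookups += 1
                val = users.get(dn, {}).get("uid")
            if val == uid:
                gids.append(group["gidNumber"])
                break
    return gids, lookups


if __name__ == "__main__":
    amap = attribute_map(SAMPLE_LDAP_CONF)
    print("missing lines:", missing_required(SAMPLE_LDAP_CONF))
    print(rewrite_filter("(&(objectClass=posixAccount)(uid=alice))", amap))
    print("with mapping:   ", groups_of("alice", SAMPLE_GROUPS, SAMPLE_USERS, amap))
    print("without uid map:", groups_of("alice", SAMPLE_GROUPS, SAMPLE_USERS,
                                        {"uniqueMember": "member"}))
```

Run without the uid-to-cn mapping, the same membership query has to fetch every member entry; run without the uniqueMember-to-member mapping, it asks for an attribute eDirectory does not populate and finds no groups at all, which is the failure mode the two lines prevent.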
C.5. Creating a DN for search operations
In most environments it is not a good idea to set up eDirectory so that anyone can read the attributes
needed by LDAP authentication (uid, uidNumber, gidNumber, homeDirectory and loginShell).
Depending on the network setup, the information may be more or less sensitive. To avoid exposing it, a
special user is created in the directory, and all search operations from the ThinLinc servers are made after
binding as this user. This way, the amount of information an anonymous client can extract is limited.
The protection is limited, however, because the bind credentials live in /etc/ldap.conf (binddn and
bindpw), which every user on the ThinLinc servers can read, since NSS lookups run in every user's
processes. The user must have access to the attributes mentioned above. This section describes how to
create this user and set up the access control.