Ubuntu – LDAP user’s home stored


I have been googling around LDAP these days, and I'm trying to deploy a central authentication server for quite a few Ubuntu servers.

After all the research, one question came to my mind.

Where are LDAP users' homes stored?

Are they stored on the LDAP server (the central one that manages everything)? If so, what if we have a huge expansion and the original server no longer meets our needs? Should we migrate it to another machine? Or is there a way to cluster it?

If not, are they stored on client machines? When a user logs into different servers, do they have different homes?

How do LDAP ACLs talk to client ACLs? If I have www:www on some of the client machines, how do I allow certain users to access them?

THX.

Best Answer

Your LDAP database only holds metadata about your users. The path name of the user's home directory will be in there (because that's metadata), but the home directory itself will not (because that's data). Whether home directories are shared or non-shared is a problem entirely orthogonal to where user metadata is stored. You can have shared home directories (via NFS, AFS or something else) entirely independent of how you store and distribute the user information. Or you can have a home directory per machine. It's totally your choice.
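To make the metadata/data split in the answer concrete, here is an added example (not part of the original answer) that reads RFC 2307 `posixAccount` entries from LDIF text and checks, on the host it runs on, whether each `homeDirectory` path actually exists there. The sample entries, the `root` parameter and the owner check against `uidNumber` are assumptions added for illustration; the parser handles plain `attr: value` lines only.

```python
import os

# Constructed sample entries, in the LDIF shape an LDAP search returns.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bob
"""

def parse_posix_accounts(ldif):
    """Return one dict per entry (no base64 values or folded lines)."""
    accounts = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry.setdefault(key, value)
        if {"uid", "uidNumber", "homeDirectory"} <= entry.keys():
            accounts.append(entry)
    return accounts

def check_home(entry, root="/"):
    """Classify the home path on this host; root allows checking another tree."""
    path = os.path.join(root, entry["homeDirectory"].lstrip("/"))
    if not os.path.isdir(path):
        return "missing"         # the directory knows the path, the data is not here
    if os.stat(path).st_uid != int(entry["uidNumber"]):
        return "owner-mismatch"  # exists, but owned by a different numeric UID
    return "ok"

def audit(ldif, root="/"):
    """Map each login name to the state of its home directory on this host."""
    return {e["uid"]: check_home(e, root) for e in parse_posix_accounts(ldif)}

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

Run on each client, the same LDAP entries can give different results per host, which is the per-machine versus shared-home choice the answer describes.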