How to verify Linux clients against a Netware/NDS server through LDAP/SSL

Updated 2004-06-07

Disclaimer: These are my notes, your mileage may vary.

On the Netware server : 
 1. Get eDir 8.6.2 or later (I didn't get it to work with NDS8)

 2. Remove the mappings for uidNumber and gidNumber (Attribute Map) and enable 
    plain text password (General) in the LDAP Group object using ConsoleOne
    
 3. Add the posixAccount (and shadowAccount) schemata to NDS by
    getting the rfc2307-usergroup.ldif file here and
    using the Wizard in C1 to import it to extend NDS. If you are using
    LDAP over SSL, the certificate should be in sys:\public\rootcert.der
    (Note: this already exists in NW6.5 (and 6?))
 
 4. Assign inheritable Read to CN, UID, gidNumber, uidNumber, homeDirectory,
    loginShell and uniqueID for [Public] at the top of your tree.
 
On the Linux side: 

 1. Make sure openldap is linked against openssl: 'ldd /usr/lib/libldap.so.2 | grep ssl'
    If not, you have to compile your own; openldap-2.1.15 against openssl-0.9.6i
    worked for me (it also requires Sleepycat/Berkeley DB 4.x)

 2. Get pam_ldap-161 and nss_ldap-204 (or later) from http://www.padl.com/Contents/OpenSourceSoftware.html.
    Compile pam_ldap with --with-ldap-lib=openldap 
    --with-ldap-conf-file=/etc/ldap.conf and
    nss_ldap with  --with-ldap-lib=openldap --enable-rfc2307bis
    --with-ldap-conf-file=/etc/ldap.conf  --enable-schema-mapping. 
    For nss_ldap you might get a compile error about
    db; edit the Makefile and add -ldb to the LIBS variable.
    (If you are running Mandrake 9.0 you might have to make a link from 
     /usr/lib/libdb.so.3 to /usr/lib/libdb.so)
    
 3. Use Mozilla to get the SSL certificate by browsing to
    https://NW_server_ip:636, choose to accept the certificate permanently and copy the certs 
    (cert7.db, key3.db and secmod.db) to /etc/ssl/certs

 4. Then put this in your /etc/ldap.conf on the linux machine:
 
     host your-server-ip
     base your-ldap-base (eg ou=subcontainer,o=container)
     ldap_version 3
     scope sub
     pam_filter objectclass=posixAccount
     pam_login_attribute uid
     pam_password nds
     nss_base_passwd your-ldap-base
     nss_map_attribute uniqueMember member
     nss_map_attribute userPassword authPassword
     ssl on
     sslpath /etc/ssl/certs/
     TLS_CACERT /etc/ssl/certs/SSLCertDNS.pem
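 A small linter for the /etc/ldap.conf template above, added here as an
 example (it is not from the original notes, nor from pam_ldap/nss_ldap).
 The sample config is constructed from the step 4 template, and the
 required/repeatable keyword lists are my own reading of the settings used
 in these notes.

```python
"""Lint /etc/ldap.conf for the pam_ldap/nss_ldap settings this how-to relies on."""

REQUIRED = ("host", "base", "pam_filter", "pam_login_attribute",
            "pam_password", "nss_base_passwd")
REPEATABLE = {"nss_map_attribute", "nss_map_objectclass", "nss_base_passwd"}

def parse_ldap_conf(text):
    """Map each lowercased keyword to the list of values it was given."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip())
    return settings

def lint_ldap_conf(text):
    """Return findings; an empty list means the config follows the notes."""
    s = parse_ldap_conf(text)
    findings = [f"missing keyword: {k}" for k in REQUIRED if k not in s]
    findings += [f"duplicate keyword: {k}" for k, v in sorted(s.items())
                 if len(v) > 1 and k not in REPEATABLE]
    ssl = s.get("ssl", ["off"])[-1].lower()
    if ssl not in ("on", "start_tls"):
        # Server step 2 turned on plain-text passwords, so a bind without
        # SSL/TLS carries the user's password across the wire unencrypted.
        findings.append("ssl off: pam_password nds would send cleartext passwords")
    elif not {"tls_cacert", "tls_cacertfile", "sslpath"}.intersection(s):
        findings.append("ssl on but no CA certificate configured: "
                        "server identity cannot be verified")
    if s.get("pam_filter", [""])[-1].lower() != "objectclass=posixaccount":
        findings.append("pam_filter does not restrict logins to posixAccount")
    return findings

# Constructed sample: the step 4 template with placeholders filled in and
# pam_password repeated so the duplicate check has something to report.
SAMPLE = """\
host 192.0.2.10
base ou=subcontainer,o=container
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password nds
nss_base_passwd ou=subcontainer,o=container
nss_map_attribute uniqueMember member
nss_map_attribute userPassword authPassword
pam_password nds
ssl on
TLS_CACERT /etc/ssl/certs/SSLCertDNS.pem
"""
```

 Run lint_ldap_conf() on the contents of your real /etc/ldap.conf; anything
 it reports about ssl or the CA certificate is worth fixing before the
 first login is attempted.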
 
 5. Edit /etc/nsswitch.conf to use ldap and copy the appropriate pam.d files
    (like login, gdm/xdm et al.) from the pam_ldap-161 directory to /etc/pam.d
 
 The last step is to extend the NDS user to include the posixAccount
 values.
 In NW6.5 (and 6?) this property is available in ConsoleOne also.
 Import the posixAdd.ldif below through the C1 Wizard or use this
 command in linux (edit the values first):
 (note - this is Sun One Directory syntax. I need to fix the switches for
 OpenLDAP syntax)
  ldapmodify -v -h your-ldap-server -Z -P /etc/ssl/certs -w - -D \
  cn=your-admin-cn -f posixAdd.ldif
  
 posixAdd.ldif:
     version: 1
     dn: cn=your-user,ou=your,o=domain
     changetype:modify
     add:objectClass
     objectClass: posixAccount
     uidNumber: your-users-user-id
     uid: same-as-cn
     gidNumber: your-users-group-id
     homeDirectory: /your-users-home-directory
     loginShell: /bin/tcsh

 NOTE: I tried linking against Sun One Directory 5.08 (former
       Netscape/iPlanet) and though most things worked, gimp, ggv and others
       (as well as KDE and GNOME) hung. An 'strace' showed that they stopped
       in rt_sigsuspend. Apparently there's some mismatch between OneDir
       and libpthreads. Use OpenLDAP/SSL instead.


Automounting home directories over NFS:

  Assuming the users have their home directories in /home/students/2002/class1
  on the NFS server and you want it mounted locally on /home/students/user-name
  this is what you'll have to do.
  
  On the NFS server add this to your /etc/exports:
    /home/students  client-ip(rw,root_squash)
  
  On the autofs/ldap client add this to /etc/auto.master:
    /home/students  file:/etc/auto.home
  and this to /etc/auto.home:
    *  -rw,hard,intr,rsize=8192,wsize=8192,nosuid  server-ip:/home/students/&