Configuring stock SL6 to use DICE and LDAP changes

Configuring a stock SL6 box to use DICE Kerberos, LDAP and AFS was trivial. Kerberos and LDAP can be configured via the system/admin/authentication GUI. All that was required for AFS was to add CELL=inf.ed.ac.uk to the end of /etc/sysconfig/openafs.

Previously, we would have added an nss_map_attribute entry to /etc/ldap.conf to map ~{user} to users’ AFS home directories. However, the file /etc/ldap.conf doesn’t exist under SL6; it has been replaced by /etc/pam_ldap.conf. Moreover, SL6 ships with nslcd, a local LDAP name service daemon. We probably won’t want this for DICE, but that deliberation is out of scope for this project. Adding the nss_map_attribute entry to /etc/pam_ldap.conf has no effect while nslcd is running. Instead, to enable the AFS home directory mapping you need to add

    map passwd homeDirectory afsHomeDirectory

to /etc/nslcd.conf.
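An added example, not from the original post: a shell check that reads the two file formats named above and reports whether the home-directory mapping sits where nslcd will honour it, warning about a leftover nss_map_attribute line. The function names and the constructed sample files are assumptions for illustration; point audit_home_map at /etc/nslcd.conf and /etc/pam_ldap.conf on a real host.

```shell
#!/bin/sh
# Added example: check where the AFS home-directory mapping is configured.
# File formats follow the post; the sample files below are constructed.

# Print the attribute that nslcd.conf ($1) maps passwd homeDirectory to.
# Commented-out lines are skipped because their first field is not "map".
nslcd_home_map() {
    awk 'tolower($1) == "map" && tolower($2) == "passwd" &&
         tolower($3) == "homedirectory" { print $4; exit }' "$1" 2>/dev/null
}

# Succeed if pam_ldap.conf ($1) still carries the old-style mapping.
stale_nss_map() {
    grep -Eiq '^[[:space:]]*nss_map_attribute[[:space:]]+homeDirectory[[:space:]]' "$1" 2>/dev/null
}

# audit_home_map NSLCD_CONF PAM_LDAP_CONF EXPECTED_ATTRIBUTE
audit_home_map() {
    mapped=$(nslcd_home_map "$1") || mapped=""
    if stale_nss_map "$2"; then
        echo "WARN: nss_map_attribute in $2 has no effect while nslcd is running"
    fi
    if [ "$mapped" = "$3" ]; then
        echo "OK: $1 maps homeDirectory to $mapped"
        return 0
    fi
    echo "FAIL: $1 lacks 'map passwd homeDirectory $3'"
    return 1
}

# Constructed sample files standing in for /etc/nslcd.conf and /etc/pam_ldap.conf.
demo_dir=$(mktemp -d)
printf '%s\n' '# map passwd homeDirectory otherAttr' \
    'map passwd homeDirectory afsHomeDirectory' > "$demo_dir/nslcd.conf"
printf '%s\n' 'nss_map_attribute homeDirectory afsHomeDirectory' > "$demo_dir/pam_ldap.conf"
audit_home_map "$demo_dir/nslcd.conf" "$demo_dir/pam_ldap.conf" afsHomeDirectory
rm -rf "$demo_dir"
```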

Also worth noting is that the package nss_ldap has been replaced by two packages – pam_ldap (containing /lib/security/pam_ldap.so and /etc/pam_ldap.conf) and nss-pam-ldapd (containing /usr/lib/libnss_ldap.so, /usr/sbin/nslcd and /etc/nslcd.conf).
