Naming Service for Linux
Introduction
Penrose can be used as the name service for Linux machines. To connect Linux to Penrose, use NSS LDAP (nss_ldap) for name lookups and PAM LDAP (pam_ldap) for authentication. To store the data, Penrose can use any of the available adapters (e.g. JDBC, LDAP, NIS).
Installing Penrose Server
Download and install Penrose Server. The installation directory is referred to as PENROSE_SERVER_HOME.
Configure Penrose to provide a POSIX directory based on RFC 2307.
Penrose comes with a sample POSIX partition with a JDBC backend. First, prepare the database using the files in PENROSE_SERVER_HOME/samples/posix/sql. Then install the POSIX partition:
cd PENROSE_SERVER_HOME
cp -r samples/posix/partition partitions/posix
Edit PENROSE_SERVER_HOME/conf/server.xml and register the partition:
<partition name="posix" path="partitions/posix"/>
See also Network Information Service.
Installing NSS LDAP
See NSS LDAP.
Installing PAM LDAP (optional)
See PAM LDAP.
For authentication, NSS LDAP retrieves the stored password from Penrose and performs the check locally, so the stored password (hash) is handed to the client. This behaviour is sometimes undesirable because of security concerns. You can avoid this problem by adding PAM LDAP: instead of retrieving the password, PAM LDAP executes a bind operation against Penrose, so the password is verified by the server and the stored value never has to leave it.
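The contrast in the paragraph above, as an added Python example (not code from Penrose, nss_ldap or pam_ldap): an in-memory stand-in for the POSIX partition with one constructed entry (uid=alice under an assumed ou=Users beneath the page's search base), a {SSHA} userPassword in the salted SHA-1 form commonly used for RFC 2307 directories, and the two client paths side by side. The nss_ldap-style path has to receive the stored hash to decide; the pam_ldap-style bind receives only a verdict.

```python
import base64
import hashlib
import os


def ssha_hash(password, salt=None):
    """Build a {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; this is the step nss_ldap does on the client."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported userPassword scheme")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


class Directory:
    """Constructed in-memory stand-in for the Penrose POSIX partition (not an LDAP server)."""

    def __init__(self, entries):
        self.entries = entries  # dn -> attribute dict

    def search(self, uid, attributes):
        """Search by uid; return (dn, requested attributes) or (None, None)."""
        for dn, attrs in self.entries.items():
            if attrs.get("uid") == uid:
                return dn, {a: attrs[a] for a in attributes if a in attrs}
        return None, None

    def bind(self, dn, password):
        """Simple bind: the server checks the password and returns only a verdict."""
        attrs = self.entries.get(dn)
        return attrs is not None and ssha_verify(password, attrs["userPassword"])


def nss_style_auth(directory, uid, password):
    """nss_ldap path: read userPassword from the directory and verify locally.

    Returns (ok, hash_seen_by_client); the second value shows what the client
    had to receive in order to decide.
    """
    _dn, attrs = directory.search(uid, ["uid", "userPassword"])
    if attrs is None:
        return False, None
    stored = attrs["userPassword"]
    return ssha_verify(password, stored), stored


def pam_style_auth(directory, uid, password):
    """pam_ldap path: resolve the DN, then bind as the user.

    Returns (ok, hash_seen_by_client); the second value is always None because
    the stored hash is never transferred to the client.
    """
    dn, _ = directory.search(uid, ["uid"])
    if dn is None:
        return False, None
    return directory.bind(dn, password), None


# Constructed entry under the page's search base; ou=Users is an assumption.
POSIX_DIRECTORY = Directory({
    "uid=alice,ou=Users,dc=Posix,dc=Example,dc=com": {
        "uid": "alice",
        "uidNumber": "1000",
        "gidNumber": "1000",
        "userPassword": ssha_hash("correct horse", salt=b"\x01\x02\x03\x04"),
    },
})

if __name__ == "__main__":
    print("nss_ldap style:", nss_style_auth(POSIX_DIRECTORY, "alice", "correct horse"))
    print("pam_ldap style:", pam_style_auth(POSIX_DIRECTORY, "alice", "correct horse"))
```

Both paths accept the right password and reject a wrong one; the difference is in the second element of the result, which is the hash the nss_ldap-style client had to hold, and None for the bind-based path. That is the whole reason for adding PAM LDAP on top of NSS LDAP.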
Configuring LDAP Connection
The connection to Penrose server can be configured in /etc/ldap.conf.
host <LDAP server>
port <LDAP port>
base <search base>
binddn <bind DN>
bindpw <bind password>
rootbinddn <root bind DN>
The root bind password is stored in /etc/ldap.secret.
Debian uses different files, which are configured the same way:
- NSS LDAP: /etc/libnss-ldap.conf and /etc/libnss-ldap.secret
- PAM LDAP: /etc/pam_ldap.conf and /etc/pam_ldap.secret
Here is an example:
host localhost
port 10389
base dc=Posix,dc=Example,dc=com
binddn uid=admin,ou=system
bindpw secret
rootbinddn uid=admin,ou=system
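An added Python example (not from the Penrose page or the nss_ldap/pam_ldap projects) that parses the key/value format shown above and applies the checks a reviewer would run before rolling the file out. It assumes what the split between /etc/ldap.conf and /etc/ldap.secret is designed around: ldap.conf is readable by every local user, because nss_ldap is loaded into unprivileged processes, while ldap.secret is readable by root only. The example text below is a constructed copy of the page's configuration; the secret file's mode is passed in as a parameter so the checks can run without touching /etc.

```python
import os
import stat

# Constructed copy of the example configuration shown on the page.
EXAMPLE_LDAP_CONF = """\
host localhost
port 10389
base dc=Posix,dc=Example,dc=com
binddn uid=admin,ou=system
bindpw secret
rootbinddn uid=admin,ou=system
"""


def parse_ldap_conf(text):
    """Parse 'key value' lines of /etc/ldap.conf; '#' comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # value may itself contain spaces
        settings[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def secret_file_mode(path="/etc/ldap.secret"):
    """Permission bits of the root bind password file, or None if it does not exist."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None


def audit_ldap_conf(settings, secret_mode):
    """Return a list of findings for the parsed settings; an empty list means all checks passed."""
    findings = []
    for key in ("host", "base"):
        if not settings.get(key):
            findings.append(f"missing required setting '{key}'")
    if not settings.get("port", "389").isdigit():
        findings.append("port must be numeric")
    binddn = settings.get("binddn")
    rootbinddn = settings.get("rootbinddn")
    # bindpw lives in the world-readable file; it must not be the root account's password.
    if "bindpw" in settings and binddn and binddn == rootbinddn:
        findings.append(
            "binddn is the same as rootbinddn: its bindpw sits in the world-readable "
            "ldap.conf, so every local user can read the root bind password; "
            "use a separate read-only account for binddn"
        )
    if rootbinddn:
        if secret_mode is None:
            findings.append("rootbinddn set but the secret file does not exist")
        elif secret_mode & 0o077:
            findings.append(f"secret file mode {secret_mode:04o} must be 0600 (root only)")
    return findings


if __name__ == "__main__":
    cfg = parse_ldap_conf(EXAMPLE_LDAP_CONF)
    for finding in audit_ldap_conf(cfg, secret_file_mode()):
        print("FINDING:", finding)
```

Run against the page's example the checker reports one finding: binddn and rootbinddn are both uid=admin,ou=system, so the admin password in bindpw is readable by every local account. Giving binddn a read-only user clears it; a secret file that is missing or group/world readable adds a second finding.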