YaST includes a module to set up LDAP-based user management. If you did not enable this feature during the installation, start the module by selecting Section 4.4.1, “Configuring Basic Settings”.
+ . YaST automatically enables any PAM and NSS-related changes as required by LDAP and installs the necessary files. Simply connect your client to the server and let YaST manage users over LDAP. This basic setup is described inUse the YaST LDAP client to further configure the YaST group and user configuration modules. This includes manipulating the default settings for new users and groups and the number and nature of the attributes assigned to a user or group. LDAP user management allows you to assign far more and different attributes to users and groups than traditional user or group management solutions. This is described in Section 4.4.2, “Configuring the YaST Group and User Administration Modules”.
The basic LDAP client configuration dialog (Figure 4.6, “YaST: LDAP Client Configuration”) opens during installation if you choose LDAP user management or when you select + in the YaST Control Center in the installed system.
To authenticate users of your machine against an OpenLDAP server and to enable user management via OpenLDAP, proceed as follows:
Click
to enable the use of LDAP. Select if instead you want to use LDAP for authentication, but do not want other users to log in to this client.Enter the IP address of the LDAP server to use.
Enter the
to select the search base on the LDAP server. To retrieve the base DN automatically, click . YaST then checks for any LDAP database on the server address specified above. Choose the appropriate base DN from the search results given by YaST.If TLS or SSL-protected communication with the server is required, select
.If the LDAP server still uses LDAPv2, enable the use of this protocol version by selecting
.
Select /home
.
Select
to have a user's home automatically created on the first user login.Click
to apply your settings.To modify data on the server as administrator, click Figure 4.7, “YaST: Advanced Configuration”.
. The following dialog is split into two tabs. SeeIn the
tab, adjust the following settings according to your needs:If the search base for users, passwords, and groups differs from the global search base specified in the
, enter these different naming contexts in , , and .
Specify the password change protocol. The standard method to use
whenever a password is changed is crypt
,
meaning that password hashes generated by crypt
are used. For details on this and other options, refer to the
pam_ldap
man page.
Specify the LDAP group to use with member
.
In
, adjust the following settings:Set the base for storing your user management data via
.
Enter the appropriate value for rootdn
value
specified in /etc/openldap/slapd.conf
to enable
this particular user to manipulate data stored on the LDAP server.
Enter the full DN (such as
cn=Administrator,dc=example,dc=com
) or activate
to have the base DN added
automatically when you enter cn=Administrator
.
Check
to create the basic configuration objects on the server to enable user management via LDAP.If your client machine needs to act as a file server for home directories across your network, check
.Use the
section to select, add, delete, or modify the password policy settings to use. The configuration of password policies with YaST is part of the LDAP server setup.Click
to leave the , then to apply your settings.Use Section 4.4.2, “Configuring the YaST Group and User Administration Modules”.
to edit entries on the LDAP server. Access to the configuration modules on the server is then granted according to the ACLs and ACIs stored on the server. Follow the procedures outlined inUse the YaST LDAP client to adapt the YaST modules for user and group administration and to extend them as needed. Define templates with default values for the individual attributes to simplify the data registration. The presets created here are stored as LDAP objects in the LDAP directory. The registration of user data is still done with the regular YaST modules for user and group management. The registered data is stored as LDAP objects on the server.
The dialog for module configuration (Figure 4.8, “YaST: Module Configuration”) allows the creation of new modules, selection and modification of existing configuration modules, and design and modification of templates for such modules.
To create a new configuration module, proceed as follows:
In the
click , then open the tab. Click and enter the LDAP server credentials.
Click suseuserconfiguration
and for a group configuration
choose susegroupconfiguration
.
Choose a name for the new template. The content view then features a table listing all attributes allowed in this module with their assigned values. Apart from all set attributes, the list also contains all other attributes allowed by the current Schema, but currently not used.
Accept the preset values or adjust the defaults to use in group and
user configurations by selecting the relevant attribute, pressing
cn
attribute of the
module. Clicking deletes the currently
selected module.
After you click
, the new module is added to the selection menu.The YaST modules for group and user administration embed templates with standard values. To edit a template associated with a configuration module, proceed as follows:
In the
dialog, click .Determine the values of the general attributes assigned to this template according to your needs or leave them empty. Empty attributes are deleted on the LDAP server.
Modify, delete, or add new default values for new objects (user or group configuration objects in the LDAP tree).
Connect the template to its module by setting the
susedefaulttemplate
attribute value of the module to
the DN of the adapted template.
![]() | |
The default values for an attribute can be created from other
attributes by using a variable instead of an absolute value. For
example, when creating a new user, |
Once all modules and templates are configured correctly and ready to run, new groups and users can be registered in the usual way with YaST.