The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
This procedure assumes that:
LDAP provides information for
ou=People,ou=Groups, andnisMapName=auto.home.The LDAP server uses NFS to export the users' home directories. See Section 21.2.2, “Mounting an NFS File System”
To create an account for a user on the LDAP server:
If the LDAP server does not already export the base directory of the users' home directories, perform the following steps on the LDAP server:
Create the base directory for user directories, for example
/nethome:#
mkdir /nethomeAdd an entry such as the following to
/etc/exports:/nethome *(rw,sync)
You might prefer to restrict which clients can mount the file system. For example, the following entry allows only clients in the 192.168.1.0/24 subnet to mount
/nethome:/nethome 192.168.1.0/24(rw,sync)
Use the following command to export the file system:
#
exportfs -i -o ro,sync *:/nethome
Create the user account, but do not allow local logins:
#
useradd -bbase_dir-s /sbin/nologin -uUID-UusernameFor example:
#
useradd -b /nethome -s /sbin/nologin -u 5159 -U arc815The command updates the
/etc/passwdfile and creates a home directory under/nethomeon the LDAP server.The user's login shell will be overridden by the
LoginShellvalue set in LDAP.Use the id command to list the user and group IDs that have been assigned to the user, for example:
#
id arc815uid=5159(arc815) gid=5159(arc815) groups=5159(arc815)Create an LDIF file that defines the user, for example
arc815-user.ldif:# UPG arc815 dn: cn=arc815,ou=Groups,dc=mydom,dc=com cn: arc815 gidNumber: 5159 objectclass: top objectclass: posixGroup # User arc815 dn: uid=arc815,ou=People,dc=mydom,dc=com cn: John Beck givenName: John sn: Beck uid: arc815 uidNumber: 5159 gidNumber: 5159 homeDirectory: /nethome/arc815 loginShell: /bin/bash mail: johnb@mydom.com objectClass: top objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount userPassword: {SSHA}xIn this example, the user belongs to a user private group (UPG), which is defined in the same file. The user’s login shell attribute
LoginShellis set to/bin/bash. The user's password attributeuserPasswordis set to a placeholder value. If you use Kerberos authentication with LDAP, this attribute is not used.If you have configured LDAP authentication, use the following command to add the user to LDAP:
#
ldapadd -cxWD cn=admin,dc=mydom,dc=com -f arc815-user.ldifEnter LDAP Password:admin_passwordIf you have configured Kerberos authentication, use kinit to obtain a ticket granting ticket (TGT) for the
adminprincipal, and use this form of the ldapadd command:#
ldapadd -f arc815-user.ldifVerify that you can locate the user and his or her UPG in LDAP:
#
ldapsearch -LLL -x -b "dc=mydom,dc=com" '(|(uid=arc815)(cn=arc815))'dn: cn=arc815,ou=Groups,dc=mydom,dc=com cn: arc815 gidNumber: 5159 objectClass: top objectClass: posixGroup dn: uid=arc815,ou=People,dc=mydom,dc=com cn: John Beck givenName: John sn: Beck uid: arc815 uidNumber: 5159 gidNumber: 5159 homeDirectory: /home/arc815 loginShell: /bin/bash mail: johnb@mydom.com objectClass: top objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccountIf you have configured LDAP authentication, set the user password in LDAP:
#
ldappasswd -xWD "cn=admin,dc=mydom,dc=com"\-S "uid=arc815,ou=people,dc=mydom,dc=com"New password:user_passworduser_passwordadmin_passwordIf you have configured Kerberos authentication, use kinit to obtain a ticket granting ticket (TGT) for the
adminprincipal, and use the kadmin command to add the user (principal) and password to the database for the Kerberos domain, for example:#
kadmin -q "addprinc alice@MYDOM.COM"
For more information, see the kadmin(1),
ldapadd(1), ldappasswd(1),
and ldapsearch(1) manual pages.