The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
This procedure assumes that:

- LDAP provides information for ou=People, ou=Groups, and nisMapName=auto.home.
- The LDAP server uses NFS to export the users' home directories. See Section 21.2.2, “Mounting an NFS File System”.
To create an account for a user on the LDAP server:
If the LDAP server does not already export the base directory of the users' home directories, perform the following steps on the LDAP server:

1. Create the base directory for user directories, for example /nethome:

   # mkdir /nethome

2. Add an entry such as the following to /etc/exports:

   /nethome *(rw,sync)

   You might prefer to restrict which clients can mount the file system. For example, the following entry allows only clients in the 192.168.1.0/24 subnet to mount /nethome:

   /nethome 192.168.1.0/24(rw,sync)

   With the default AUTH_SYS security flavor, the NFS server trusts the UID and GID that a client presents, so the client list is the only access control on the export. Prefer the subnet form (or explicit host names) over * for a directory that holds home directories.

3. Use the following command to export the file system:

   # exportfs -i -o rw,sync *:/nethome

   The -i option makes exportfs ignore /etc/exports and use only the client and options given on the command line, so these must match the entry you added (exporting with ro instead of rw would leave every home directory read-only). Alternatively, run exportfs -a to export every entry in /etc/exports, and confirm the result with exportfs -v.
Create the user account, but do not allow local logins:

# useradd -b base_dir -s /sbin/nologin -u UID -U username

For example:

# useradd -b /nethome -s /sbin/nologin -u 5159 -U arc815

The command updates the /etc/passwd file, creates a user private group of the same name (-U), and creates a home directory under /nethome on the LDAP server. The /sbin/nologin shell only prevents local logins on the server itself; on clients the user's login shell is taken from the loginShell value set in LDAP. Use the id command to list the user and group IDs that have been assigned to the user, for example:

# id arc815
uid=5159(arc815) gid=5159(arc815) groups=5159(arc815)

Create an LDIF file that defines the user, for example arc815-user.ldif:

# UPG arc815
dn: cn=arc815,ou=Groups,dc=mydom,dc=com
cn: arc815
gidNumber: 5159
objectClass: top
objectClass: posixGroup

# User arc815
dn: uid=arc815,ou=People,dc=mydom,dc=com
cn: John Beck
givenName: John
sn: Beck
uid: arc815
uidNumber: 5159
gidNumber: 5159
homeDirectory: /nethome/arc815
loginShell: /bin/bash
mail: johnb@mydom.com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}x
In this example, the user belongs to a user private group (UPG), which is defined in the same file. The uidNumber and gidNumber values match the IDs that useradd assigned locally, so files the user creates on the exported home directory are owned consistently on the server and on every client. The user's login shell attribute loginShell is set to /bin/bash. The user's password attribute userPassword is set to a placeholder value; the real password is set afterwards with ldappasswd, which keeps the hash out of a file that may be left on disk. If you use Kerberos authentication with LDAP, this attribute is not used.

If you have configured LDAP authentication, use the following command to add the user to LDAP:

# ldapadd -cxWD cn=admin,dc=mydom,dc=com -f arc815-user.ldif
Enter LDAP Password: admin_password
adding new entry "cn=arc815,ou=Groups,dc=mydom,dc=com"
adding new entry "uid=arc815,ou=People,dc=mydom,dc=com"

Because -x selects a simple bind, run this against an ldaps:// URI (-H) or add -ZZ to require StartTLS; otherwise the admin password crosses the network in clear.
If you have configured Kerberos authentication, use kinit to obtain a ticket granting ticket (TGT) for the admin principal, and use this form of the ldapadd command (without -x, ldapadd binds with SASL and presents the GSSAPI credentials from the ticket cache):

# ldapadd -f arc815-user.ldif
Verify that you can locate the user and his or her UPG in LDAP:

# ldapsearch -LLL -x -b "dc=mydom,dc=com" '(|(uid=arc815)(cn=arc815))'
dn: cn=arc815,ou=Groups,dc=mydom,dc=com
cn: arc815
gidNumber: 5159
objectClass: top
objectClass: posixGroup

dn: uid=arc815,ou=People,dc=mydom,dc=com
cn: John Beck
givenName: John
sn: Beck
uid: arc815
uidNumber: 5159
gidNumber: 5159
homeDirectory: /nethome/arc815
loginShell: /bin/bash
mail: johnb@mydom.com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount

The homeDirectory value must be the path under the exported base directory (/nethome/arc815 here), because clients mount it from the server by that name. The anonymous search does not return userPassword, which is what the server's access control should enforce.

If you have configured LDAP authentication, set the user password in LDAP:

# ldappasswd -xWD "cn=admin,dc=mydom,dc=com" \
  -S "uid=arc815,ou=People,dc=mydom,dc=com"
New password: user_password
Re-enter new password: user_password
Enter LDAP Password: admin_password
If you have configured Kerberos authentication, use kinit to obtain a ticket granting ticket (TGT) for the admin principal, and use the kadmin command to add the user (principal) and password to the database for the Kerberos realm, for example:

# kadmin -q "addprinc arc815@MYDOM.COM"
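The steps above hand-write the LDIF from the IDs that useradd assigned. The following POSIX shell function, added here as an example and not part of the Oracle documentation, generates the same UPG and user entries from the passwd(5) line that getent passwd returns for the new account, and refuses entries that would be wrong to publish: a system UID, a non-numeric UID, or a home directory outside the exported base. The base DN dc=mydom,dc=com and base directory /nethome come from the page; the mail-address form, the 1000 minimum UID, and the helper name passwd_to_ldif are this example's own assumptions, and the sample passwd line is constructed.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): build the UPG + user
# LDIF entries from the passwd(5) entry that useradd created on the server.
# Assumed values: the base DN and /nethome are taken from the procedure;
# MAIL_DOMAIN, MIN_UID and the function name are this example's choices.
BASE_DN="dc=mydom,dc=com"
BASE_DIR="/nethome"
MAIL_DOMAIN="mydom.com"       # assumption: mail is login@domain
MIN_UID=1000                  # assumption: refuse system accounts below this

# usage: passwd_to_ldif 'name:x:uid:gid:gecos:home:shell' [login_shell]
# Prints LDIF on stdout; returns 1 and prints nothing on a rejected entry.
passwd_to_ldif() {
    entry=$1
    shell=${2:-/bin/bash}     # LDAP loginShell overrides the local /sbin/nologin
    name=$(printf '%s' "$entry" | cut -d: -f1)
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    gecos=$(printf '%s' "$entry" | cut -d: -f5)
    home=$(printf '%s' "$entry" | cut -d: -f6)

    # Sanity checks before anything reaches the directory.
    case $uid in
        ''|*[!0-9]*) echo "bad uid '$uid'" >&2; return 1;;
    esac
    [ "$uid" -ge "$MIN_UID" ] || { echo "refusing system uid $uid" >&2; return 1; }
    case $home in
        "$BASE_DIR"/*) ;;
        *) echo "home $home is not under exported $BASE_DIR" >&2; return 1;;
    esac
    [ "$uid" = "$gid" ] || echo "warning: uid $uid != gid $gid, not a UPG" >&2

    # Split "First Last" out of GECOS; fall back to the login name when absent.
    [ -n "$gecos" ] || gecos=$name
    given=${gecos%% *}
    sn=${gecos#* }
    [ "$sn" != "$gecos" ] || sn=$name

    cat <<EOF
# UPG $name
dn: cn=$name,ou=Groups,$BASE_DN
cn: $name
gidNumber: $gid
objectClass: top
objectClass: posixGroup

# User $name
dn: uid=$name,ou=People,$BASE_DN
cn: $gecos
givenName: $given
sn: $sn
uid: $name
uidNumber: $uid
gidNumber: $gid
homeDirectory: $home
loginShell: $shell
mail: $name@$MAIL_DOMAIN
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}x
EOF
}

# Example run with a constructed getent passwd line (no LDAP server needed):
#   passwd_to_ldif 'arc815:x:5159:5159:John Beck:/nethome/arc815:/sbin/nologin' > arc815-user.ldif
```

On the server the input would normally be `getent passwd arc815`; the output file is then passed to ldapadd exactly as in the procedure, and the password is still set separately with ldappasswd or kadmin, since the generated entry carries only the placeholder userPassword.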
For more information, see the kadmin(1), ldapadd(1), ldappasswd(1), and ldapsearch(1) manual pages.