Configuring eDirectory Authentication

Contents

34.1. Setting Up Workstations to Use eDirectory Authentication
34.2. Using iManager to Enable Users for eDirectory Authentication
34.3. Turning Off LUM and eDirectory Authentication

You can use Novell® Linux User Management (LUM) to configure SUSE® Linux Enterprise Desktop workstations on your network so that users can log in to them using their Novell eDirectory™ usernames and passwords instead of their local Linux workstation usernames and passwords. Using LUM and eDirectory to manage user login information eliminates the need to create local users in the /etc/passwd and /etc/shadow files on each SUSE Linux Enterprise Desktop workstation. It also simplifies user account management by consolidating user accounts into a central point of administration.

You can use eDirectory tools and technologies to manage access to Linux resources on the network. After authenticating, users have the rights and privileges specified in eDirectory. These are the same rights and privileges that are typically stored in a local account or redirected to other authentication methods, such as NIS. The user account information stored in eDirectory lets users access file and printer resources on your network.

Users can log in to SUSE Linux Enterprise Desktop workstations using access methods such as login, ftp, ssh, su, rsh, rlogin, xdm (KDE), and gdm (GNOME). They only need to enter an eDirectory username and password. They do not need to remember the full context—LUM searches out the correct user in eDirectory.

This section guides you through the steps required to set up a SUSE Linux Enterprise Desktop workstation to use eDirectory authentication, which includes configuring the SUSE Linux Enterprise Desktop workstation for eDirectory authentication and enabling users on the eDirectory server. For more detailed information on LUM and on configuring your eDirectory 8.6.x, 8.7.x, or 8.8.x server to use LUM, see the Novell Linux User Management Technology Guide.

Setting Up Workstations to Use eDirectory Authentication

Before users can use their eDirectory usernames and passwords to log in, the SUSE Linux Enterprise Desktop workstation must be configured with Linux User Management components. You can set up eDirectory Authentication during the installation, or you can use YaST to set it up anytime after installation.

To install and configure LUM during the SUSE Linux Enterprise Desktop installation, select eDirectory LDAP as the authentication method in the User Authentication Method window, then complete Step 2 through Step 10 below. If it is not already installed, you will be prompted to install the yast2-linux-user-mgmt package.

Figure 34.1. User Authentication Method


To install and configure LUM on a workstation that is already running:

  1. Start YaST and select Security and Users+Linux User Management.

    If you do not see the Linux User Management entry in YaST, select Software+Software Management first and install the yast2-linux-user-mgmt package.

  2. In the Linux User Management LDAP Server Configuration window, specify whether eDirectory is running on the computer itself (Local System) or on another computer on the network (Remote System).

  3. If eDirectory is running on a remote system, specify the remote system's IP address.

  4. Optionally, provide the eDirectory Admin Name with Context, and the Admin Password.

    The admin name and context must be entered in LDAP syntax, which uses a comma instead of a period (for example: cn=admin,o=novell).

    Important

    If you do not have rights to create objects in the eDirectory tree, leave these fields blank. Contact your eDirectory administrator, give him the host name of your client, and ask him to create a LUM Workstation object with your host name. Ask where you can get a copy of the CA certificate for the LDAP server and place this certificate in the /var/nam directory.

    The name of the CA certificate matches the name of the “preferred-server” entry in the /etc/nam.conf file and has a .der extension. You can type namconfig get preferred-server to get the name. For example, if namconfig get preferred-server returns server.xyz.com, your certificate file name is .server.xyz.com.der.

  5. Click Next and specify the location of the Linux/UNIX Config object.

    The Linux/UNIX Config object stores a list of the locations (contexts) where Linux/UNIX Workstation objects reside on the network. It also controls the range of numbers to be assigned as user IDs (UIDs) and group IDs (GIDs) when User and Group objects are created. This object is created when LUM is configured on the eDirectory server, and is usually located in an upper container of the eDirectory tree (for example, o=novell). Contact your eDirectory administrator for the context.

    For more information, see Understanding eDirectory Objects and Linux in the Novell Linux User Management Technology Guide.

  6. Optionally, specify the location of the LUM Workstation object.

    The LUM Workstation object represents the actual computer a user logs in to. If you have rights to create objects in the eDirectory tree (which means you were able to specify the eDirectory administrator name, context, and password in Step 4), this object is automatically created as part of the workstation configuration and is usually placed in an Organization (O) or Organizational Unit (OU) container in the eDirectory tree. You can also create a LUM Workstation object by clicking Linux User Management+Create Linux Workstation Object in iManager.

  7. If you have disabled anonymous binds to the LDAP server, specify a Proxy User Name with Context, and a Proxy User Password that has rights to the LDAP tree.

  8. Click Next to continue.

  9. Select which login access methods should use eDirectory for authentication.

  10. Click Finish.

    Installing and configuring LUM technology sets up the SUSE Linux Enterprise Desktop workstation to validate login requests against user account information stored in eDirectory. Before users can log in, they must have eDirectory user accounts created with iManager and extended for LUM, and their User objects must be associated with the workstation they will log in to. See Section 34.2, “Using iManager to Enable Users for eDirectory Authentication” for more information.
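The following script is an added post-configuration check for the workstation; it is example code written for this page, not a Novell or SUSE tool. It covers two points from the procedure above: the CA certificate naming rule from Step 4 (the file in /var/nam is named after the preferred-server entry in /etc/nam.conf, with a leading dot and a .der extension) and the final check that a LUM-enabled user actually resolves on the workstation. It assumes /etc/nam.conf consists of key=value lines (for example preferred-server=server.xyz.com), that openssl is installed for parsing the DER certificate, and that getent is available; the function names, the --run flag, and the sample nam.conf contents are constructed for this example.

```shell
#!/bin/sh
# Post-configuration checks for a LUM workstation (added example, not Novell's
# own tooling). Assumed: /etc/nam.conf holds key=value lines, and the CA
# certificate lives at /var/nam/.<preferred-server>.der as Step 4 describes.

# Read one key from a nam.conf-style file (key=value; '#' comment lines ignored).
# Usage: nam_get <key> [conf-file]
nam_get() {
    key="$1"
    conf="${2:-/etc/nam.conf}"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1
}

# Derive the expected CA certificate path from the preferred-server entry.
# Usage: lum_cert_path [conf-file] [cert-dir]   (defaults: /etc/nam.conf, /var/nam)
lum_cert_path() {
    conf="${1:-/etc/nam.conf}"
    dir="${2:-/var/nam}"
    server=$(nam_get preferred-server "$conf")
    [ -n "$server" ] || return 1
    printf '%s/.%s.der\n' "$dir" "$server"
}

# Verify the certificate is present and parses as a DER-encoded X.509 certificate,
# printing its subject so the administrator can confirm it is the LDAP server's CA.
# Usage: lum_cert_check [conf-file] [cert-dir]
lum_cert_check() {
    cert=$(lum_cert_path "$@") || { echo "preferred-server is not set"; return 1; }
    if [ ! -s "$cert" ]; then
        echo "missing CA certificate: $cert"
        return 1
    fi
    openssl x509 -inform der -in "$cert" -noout -subject
}

# Confirm that a LUM-enabled user resolves through the workstation's NSS lookup,
# which is the same lookup login, ssh and su rely on before a password is checked.
# Usage: lum_user_check <username>
lum_user_check() {
    getent passwd "$1" >/dev/null
}

# Stand-alone run against the live workstation: ./lum-check.sh --run [username]
if [ "${1:-}" = "--run" ]; then
    if lum_cert_check; then
        echo "CA certificate OK"
    fi
    if [ -n "${2:-}" ]; then
        if lum_user_check "$2"; then
            echo "user $2 resolves via NSS"
        else
            echo "user $2 does not resolve; check the LUM extension and workstation association"
        fi
    fi
fi
```

Run it with --run after Step 10; a missing certificate reported here is the usual reason an LDAP over SSL bind fails silently at login, and a user who does not resolve through getent has either not been extended for LUM or not been associated with this workstation's LUM Workstation object.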