It's fairly easy. However, there is a bug in nss_ldap as shipped in 6.1 that prevents /usr from being unmounted on shutdown, so you really want to grab the version out of rawhide.
This assumes you want to set up a server and a client. I have no clue how to set up the auth stuff to work with something other than OpenLDAP, though I suppose this is a standard schema and wouldn't vary much.
iirc, this is what I did to get a machine authenticating via LDAP:
auth_ldap-1.4.0-1
nss_ldap-85-2 (-2 is from rawhide, don't try this without it)
openldap-1.2.7-2
openldap-devel-1.2.7-2
pam_ldap-36-1
For client you need at least openldap, auth_ldap, nss_ldap, pam_ldap. For the server you also need at least the openldap package.
Most of the config files are in /etc/openldap
Edit /etc/openldap/slapd.conf. Change suffix= and rootdn= to appropriate values.
You might also want to change the "directory" variable to /tmp or /var/tmp, depending on how your perms are set up.
This is the main config file for the actual "server", as best I can tell.
The interesting bit is here. You need to migrate your old info to LDAP format. There are migration tools included with the openldap rpm in /usr/share/openldap/migration. In theory, these let you migrate local "files" type setups, or NIS/NIS+ configurations.
NOTE: READ THE README
Be sure you edit migrate_common.ph and set the appropriate values for DEFAULT_MAIL_DOMAIN and DEFAULT_BASE.
I've used the migrate_all_offline.sh script to migrate /etc/, etc. (no pun intended) to an LDAP server. The migrate_all_nis_offline.sh seems to work perfectly well for migrating a NIS server too, though it appears that not all standard NIS maps are supported with LDAP schemas yet.
Assuming nothing breaks horribly, you should be able to start up your ldap server with:
/etc/rc.d/init.d/ldap start
Okay, I'm not really sure if it's necessary to tweak /etc/openldap/ldap.conf on the clients.
There is also a /etc/ldap.conf that needs configuration (at least the ldap server, and the base).
Edit these files, and change the host value to point to your LDAP server, and base and binddn as appropriate.
That should get ldap working correctly, to test, try:
ldapsearch -d 5 -L "(objectclass=*)"
It should return a big list of stuff. If it gives you some error about "object not found", I would suspect that the base values ("dc=redhat,dc=com" etc.) are not all matching client side and server side. If you don't change the variables in migrate_common.ph mentioned above, this can happen.
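An added check (example script, not from the original post) that compares the base DN across the three places where it has to agree: suffix in slapd.conf, base in /etc/ldap.conf and DEFAULT_BASE in migrate_common.ph. The sample file contents are constructed, and the script assumes the keywords are written in lowercase as in the stock files.

```shell
#!/bin/sh
# Added example, not from the original post: check that the base DN agrees
# between the server (suffix in slapd.conf), the client (base in /etc/ldap.conf)
# and the migration scripts (DEFAULT_BASE in migrate_common.ph). A mismatch
# here is what produces the "object not found" error from ldapsearch above.
# Paths are arguments so the check can run on copies; keywords are assumed to
# be lowercase, as in the stock Red Hat 6.1 files.

# Canonicalise a DN for comparison: lowercase, no quotes, no space after commas.
normalize_dn() {
    tr 'A-Z' 'a-z' | tr -d '"' | sed 's/,[[:space:]]*/,/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Value of the first "<keyword> <value>" line in a slapd.conf or ldap.conf.
conf_value() {   # $1 = file, $2 = keyword
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1 | normalize_dn
}

# Value of a $NAME = "..."; assignment in the Perl-style migrate_common.ph.
ph_value() {     # $1 = file, $2 = variable name without the leading $
    sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*[\"']\\([^\"']*\\)[\"'].*/\\1/p" "$1" \
        | head -n 1 | normalize_dn
}

# Return 0 when all three agree, 1 (with a report on stdout) when they do not.
check_base() {   # $1 = slapd.conf, $2 = ldap.conf, $3 = migrate_common.ph
    server=$(conf_value "$1" suffix)
    client=$(conf_value "$2" base)
    migrate=$(ph_value "$3" DEFAULT_BASE)
    if [ -n "$server" ] && [ "$server" = "$client" ] && [ "$server" = "$migrate" ]; then
        return 0
    fi
    echo "base DN mismatch: suffix='$server' base='$client' DEFAULT_BASE='$migrate'"
    return 1
}

# Demo on constructed files: the server still carries the stock dc=redhat base
# while the client and migrate_common.ph were changed, so a mismatch is reported.
demo_dir=$(mktemp -d)
printf 'suffix\t"dc=redhat, dc=com"\nrootdn\t"cn=manager,dc=redhat,dc=com"\n' > "$demo_dir/slapd.conf"
printf 'host ldap.example.com\nbase dc=example,dc=com\n' > "$demo_dir/ldap.conf"
printf '$DEFAULT_BASE = "dc=example,dc=com";\n' > "$demo_dir/migrate_common.ph"
if check_base "$demo_dir/slapd.conf" "$demo_dir/ldap.conf" "$demo_dir/migrate_common.ph"; then
    echo "base DNs are consistent"
fi
rm -rf "$demo_dir"
```

Run it against the real files with check_base /etc/openldap/slapd.conf /etc/ldap.conf /usr/share/openldap/migration/migrate_common.ph before doing the migration.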
To change your system to authenticate with LDAP, just edit /etc/nsswitch.conf. Add "ldap" as the second method (behind "files") for passwd, group, and shadow.
Not all the fields are supported by ldap. Take a look at /usr/doc/nss_ldap*/nsswitch.ldap for more info.
I would be careful about editing this file. You definitely do not want to remove "files" from the passwd section ;->
That should be about all you need to change. If pam_ldap is already installed, most all of your standard authentication should work just fine.
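An added helper (example script, not from the original post) that makes the nsswitch.conf edit described above and then checks that "files" is still the first method on the passwd, group and shadow lines. The sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: insert "ldap" as the second lookup
# method (right behind "files") for passwd, group and shadow in a nsswitch.conf,
# then verify that "files" is still first on each of those lines, so root and
# other local accounts keep working if the LDAP server is unreachable. The path
# is an argument: run it on a copy and diff against /etc/nsswitch.conf first.

# Rewrite in place, e.g. "passwd: files nis" -> "passwd: files ldap nis".
# Lines that already list ldap, and databases other than the three, are kept
# as they are; edited lines are reprinted with single spaces between fields.
add_ldap_after_files() {   # $1 = path to a nsswitch.conf
    tmp="$1.tmp.$$"
    awk '
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            has_ldap = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") has_ldap = 1
            if (!has_ldap) {
                out = $1
                for (i = 2; i <= NF; i++) {
                    out = out " " $i
                    if ($i == "files") out = out " ldap"
                }
                $0 = out
            }
        }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Return 0 if passwd, group and shadow each have "files" first and "ldap"
# somewhere after it; print each offending line and return 1 otherwise.
check_nsswitch() {   # $1 = path to a nsswitch.conf
    awk '
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            has_ldap = 0
            for (i = 3; i <= NF; i++) if ($i == "ldap") has_ldap = 1
            if ($2 != "files" || !has_ldap) { print "unsafe entry: " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Demo on a constructed copy of a stock files+nis nsswitch.conf.
demo=$(mktemp)
printf 'passwd:     files nis\ngroup:      files nis\nshadow:     files nis\nhosts:      files dns\n' > "$demo"
add_ldap_after_files "$demo"
check_nsswitch "$demo" && echo "nsswitch.conf looks sane"
rm -f "$demo"
```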
Gotchas:
In a big network with lots of folks potentially being able to read LDAP requests, you probably don't want people to be able to easily get passwd strings, crypted as they may be.
The following is a slightly altered bit of info and an example config from seth vidal.
More info can be found in the "Slapd And Slurpd Administrators Guide"
########################################
# permissions
########################################
defaultaccess read
# [[ probably not advised but depending on what you're doing ]]
access to attr=userpassword
        by self write
        by dn="cn=manager,dc=example,dc=com" write
        by * none
# [[ this acl changes the rights over the userpassword field - it says the cn
# for this entry can write, read, search and compare.
# the manager can write etc.
# anyone else gets nothing - so pw's aren't listed unless you are the user or
# are root. ]]
access to *
        by self write
        by dn="cn=manager,dc=example,dc=com" write
        by * read
# [[ anything else self can write, manager can write, anyone else can read ]]
One thing you will notice quickly if you move from local files or NIS to LDAP for authentication is that OpenLDAP isn't very fast.
However, at least on Linux, there are a few things you can do to make this bearable.
The best thing you can do to improve system performance is to use the name service caching daemon. This is a multithreaded caching daemon that caches name server requests and lookups. It can improve the speed of name lookups drastically. It introduces some occasional problems, but for a system authenticating via LDAP, it is pretty much required.
Nscd is part of the GNU glibc package, and I believe Solaris also includes a similar daemon. Most distributions will package nscd separately, and this is the case for Red Hat Linux 6.1. The version included is nscd-2.1.2.
There really isn't any configuration for nscd, as it will cache LDAP requests (or more accurately, name service request results) automatically.
To start it:
/etc/rc.d/init.d/nscd start
You can use `ntsysv` to configure nscd to start automatically if it doesn't already.
Tuning Slapd
Tuning slapd is a little bit more difficult. There are a few things you can do that seem to improve performance slightly.
loglevel 0
Creating Indexes
An example:
index cn,uid
index uidnumber,gidnumber pres,eq
This builds indexes on cn and uid, and presence (pres) and equality (eq) indexes on uidnumber and gidnumber.
Note that this will only affect new entries to the database, and not older entries. To index those, you probably want to export your data to LDIF and reimport it.