Post-Installation


Extending the Schema

Before executing the nis-drv-config script, ensure that the Require TLS for Simple Binds with Password option is disabled in eDirectory. For more information, refer to the Novell eDirectory Administration Guide. Note that while this option is disabled the LDAP server accepts simple binds without TLS, so the administrator credentials the script binds with can be observed on the network; run the script from the eDirectory server itself or over a trusted network, and re-enable the option once the schema has been extended.

To run the script, execute the following command:

nis-drv-config [-h hostname] [-D adminContext] [-w adminPassword]

The nis-drv-config script extends the eDirectory schema for the DirXML Driver for NIS. The eDirectory schema needs to be extended only once for a particular eDirectory tree.

On a Linux machine that uses native LDAP tools, extend the schema using the following:

nis-drv-config [-h hostname] [-D adminContext] [-w adminPassword] -x

If the hostname or adminContext is not provided as a command line parameter, you are prompted for it. The adminContext must be given in LDAP format, for example cn=admin,o=context. A password supplied with -w is visible in the shell history and in the process list of the machine for as long as the script runs.

Note: If you want to manually extend the schema used by the NIS driver with the ndssch utility, the schema is contained in the nis.sch file in the /usr/lib/nds-schema directory where the driver is installed.


Configuring the PAM Module

A PAM module is provided to capture passwords and send them to the driver.

For the Files datastore, the driver is installed on the machine where the files are, and the PAM module must be installed on the same machine.

For NIS and NIS+, the driver needs to be installed on only one UNIX machine, and the PAM module (the password filter) needs to be installed where the driver is installed as well as on all machines where passwords can possibly be changed. A utility is provided which installs the PAM module on a remote machine, which requires SSH to be configured so that the remote machine trusts the machine that the utility is run from.

To configure the PAM module:

  1. Execute the following command:

    nis-drv-config -pam

  2. You are now prompted to select the appropriate PAM module configuration option:

    • 1: if you want to configure PAM on a local machine.

      This will copy the PAM module to the local machine.

    • 2: if you want to configure PAM on a remote machine (requires SSH).

      To configure PAM on a remote machine, you must have already configured SSH. For more information on configuring SSH on a remote machine, refer to Completing the SSH Configuration So the PAM Module Can Be Installed on a Remote Machine.

    • 3: if you want to remove the PAM configuration from a local machine.

    • 4: if you want to remove the PAM configuration from a remote machine (requires SSH).

  3. (Conditional) If you selected 2 or 4 in Step 2, specify the IP address or the name of the remote machine where PAM is to be configured.

  4. Specify the name and the type of the UNIX datastore that the driver is synchronizing with (Files, NIS, or NIS+).

    The default is NIS.

  5. Specify the hostname of the machine where the driver is running.

  6. If you selected NIS in Step 4, specify the directory where the NIS map files are located.

    The default is /var/yp/<NIS domain name>.

  7. Specify yes if the machine uses shadow passwords.

  8. Type y to confirm the inputs provided for the PAM configuration.

    The necessary PAM configuration is now completed.

For more information about the PAM configuration files, refer to PAM Configuration.


Completing the SSH Configuration So Passwords Can Be Sent to the Driver

Important: This configuration is not required if the PAM module is configured on the machine where the Driver is running.

For the PAM module on a remote machine to transfer captured passwords to the Driver, the machine where the Driver is running must trust the remote machine. To enable that, SSH key-based authentication must be set up between the two machines.

  1. Make sure you meet the prerequisites for setting up SSH:

    • You must have root privileges on both machines
    • ssh server must be running on the machine the Driver is running on
    • ssh client must be available on the remote machine
  2. Generate a public/private key pair on the remote machine.

    1. Generate a key pair using the following command:

      ssh-keygen -t dsa

      DSA is the key type this procedure was written for. OpenSSH 7.0 and later refuse ssh-dss keys by default, and recent releases drop DSA support entirely; on such systems generate an Ed25519 key with ssh-keygen -t ed25519 instead.

    2. Accept the default name (for example, .ssh/id_dsa) or specify a different name for the key pair generated.

    3. When prompted for a passphrase, press Enter without typing a passphrase.

      It is necessary to have an empty passphrase; the utility will not work otherwise. Because the private key is unprotected and grants root access to the machine where the Driver is running, keep it readable by root only (mode 0600) and remove it when the remote machine no longer needs to send password changes.

    4. Press Enter when prompted again to verify the passphrase.

  3. Copy the public key (.pub extension) to the machine where the Driver is running.

    For example:

    scp root-user-home-dir/.ssh/id_dsa.pub target-machine:/id_dsa.pub

  4. On the machine where the Driver is running, add the contents of this public key to the list of trusted keys.

    The list of trusted keys is the authorized_keys file in the .ssh directory in the root user's home directory. If the id_dsa.pub key has been copied to the machine, this command can be executed on the machine where the Driver is running:

    cat /id_dsa.pub >> root-user-home-dir/.ssh/authorized_keys

    Important: The redirection operator is written twice (>>) so that the key is appended. A single > truncates authorized_keys and removes every key that was already trusted. Optionally, prefix the key line with from="remote-machine" so that this passphrase-less key is accepted only when the connection comes from the remote machine's address.

  5. Repeat this procedure for every remote machine that should send password changes to the DirXML Driver for NIS.

To ensure that the SSH configuration is complete, execute the following command at the root user's prompt on the remote machine (the machine holding the private key):

ssh target-machine hostname

If the key is trusted, this prints the hostname of target-machine without asking for a password. A password prompt means the key was not accepted; check the permissions on the .ssh directory and the authorized_keys file, and the key type.


Completing the SSH Configuration So the PAM Module Can Be Installed on a Remote Machine

The remote machine must trust the machine where the Driver is installed. This is necessary so that the PAM module can be installed on the remote machine using SSH.

  1. Make sure you meet the prerequisites for setting up SSH:

    • You must have root privileges on both machines
    • ssh server must be running on the remote machine
    • ssh client must be available on the machine the driver is running on
  2. Generate a public/private key pair on the machine where the driver is installed.

    1. Generate a key pair using the following command:

      ssh-keygen -t dsa

      DSA is the key type this procedure was written for. OpenSSH 7.0 and later refuse ssh-dss keys by default, and recent releases drop DSA support entirely; on such systems generate an Ed25519 key with ssh-keygen -t ed25519 instead.

    2. Accept the default name (for example, .ssh/id_dsa) or specify a different name for the key pair generated.

    3. When prompted for a passphrase, press Enter without typing a passphrase.

      It is necessary to have an empty passphrase; the utility will not work otherwise. Because the private key is unprotected and grants root access to every remote machine that trusts it, keep it readable by root only (mode 0600) on the machine where the Driver is installed.

    4. Press Enter when prompted again to verify the passphrase.

  3. Copy the public key (.pub extension) to the remote machine.

    For example:

    scp root-user-home-dir/.ssh/id_dsa.pub target-machine:/id_dsa.pub

  4. On the remote machine, add the contents of this public key to the list of trusted keys.

    The list of trusted keys is the authorized_keys file in the .ssh directory in the root user's home directory. If the id_dsa.pub key has been copied to the remote machine, this command can be executed on the remote machine:

    cat /id_dsa.pub >> root-user-home-dir/.ssh/authorized_keys

    Important: The redirection operator is written twice (>>) so that the key is appended. A single > truncates authorized_keys and removes every key that was already trusted. Optionally, prefix the key line with from="driver-machine" so that this passphrase-less key is accepted only when the connection comes from the machine where the Driver is installed.

  5. Repeat this procedure for every remote machine that you want to configure the PAM utility on.

To ensure that the SSH configuration is complete, execute the following command at the root user's prompt on the machine where the Driver is installed (the machine holding the private key):

ssh target-machine hostname

If the key is trusted, this prints the hostname of target-machine without asking for a password. A password prompt means the key was not accepted; check the permissions on the .ssh directory and the authorized_keys file, and the key type.
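The two SSH procedures above are mirror images of each other and share the same pitfalls: an authorized_keys file truncated with a single >, a .ssh directory or key file with permissions sshd rejects, a passphrase-less key that can be used from anywhere, and a final check in which typing the root password masks a key that was never accepted. The following shell script is added here as an example; it is not part of the Novell documentation or of the nis-drv-config utility. It installs a public key on the trusting machine with those pitfalls handled and runs the page's check in a form that cannot fall back to a password. The function names (install_trusted_key, trusted_key_count, check_ssh_trust) and the sample public key are constructed for this example; the from= option and BatchMode are standard OpenSSH features.

```shell
#!/bin/sh
# Added example, not code from the Novell DirXML Driver for NIS documentation.
# Function names and the sample key below are constructed for this example.

# install_trusted_key HOME_DIR PUBKEY_FILE [SOURCE_HOST]
#   Appends the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys.
#   - creates .ssh (0700) and authorized_keys (0600) if missing; sshd's
#     StrictModes rejects keys from group- or world-writable files
#   - always appends (>>), never truncates (>), so existing keys survive
#   - skips the key if it is already present, so repeating the procedure for
#     several remote machines never produces duplicate entries
#   - if SOURCE_HOST is given, prefixes from="SOURCE_HOST" so this
#     passphrase-less key is only accepted from that one address
install_trusted_key() {
    home_dir=$1; pubkey_file=$2; source_host=$3
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"

    # A public key line is "<type> <base64> [comment]"; compare the first two
    # fields so a different comment does not defeat the duplicate check.
    key_type=$(awk '{print $1}' "$pubkey_file")
    key_data=$(awk '{print $2}' "$pubkey_file")
    if grep -qF "$key_type $key_data" "$auth_keys"; then
        echo "key already trusted in $auth_keys"
        return 0
    fi

    if [ -n "$source_host" ]; then
        printf 'from="%s" %s\n' "$source_host" "$(cat "$pubkey_file")" >> "$auth_keys"
    else
        cat "$pubkey_file" >> "$auth_keys"
    fi
    echo "key added to $auth_keys"
}

# trusted_key_count AUTH_KEYS_FILE
#   Number of key lines in an authorized_keys file (blank and # lines ignored).
trusted_key_count() {
    awk 'NF && $1 !~ /^#/ {n++} END {print n+0}' "$1"
}

# check_ssh_trust TARGET
#   The page's check is "ssh target-machine hostname". BatchMode=yes makes ssh
#   fail instead of prompting for a password, so success proves the key is
#   what authenticated. BatchMode also refuses to prompt for an unknown host
#   key, so TARGET must already be in root's known_hosts.
check_ssh_trust() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "root@$1" hostname
}

# Constructed sample key: the base64 body is a placeholder, not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY root@remote-machine'

# Stand-alone demonstration in a scratch directory standing in for root's home.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PUBKEY" > "$tmp/id_ed25519.pub"
    install_trusted_key "$tmp/root" "$tmp/id_ed25519.pub" 192.0.2.10
    install_trusted_key "$tmp/root" "$tmp/id_ed25519.pub" 192.0.2.10   # second run: no duplicate
    echo "trusted keys: $(trusted_key_count "$tmp/root/.ssh/authorized_keys")"
    cat "$tmp/root/.ssh/authorized_keys"
    rm -rf "$tmp"
}
demo
```

For the first procedure (remote PAM machine to Driver machine), run install_trusted_key on the Driver machine with the remote machine's address as SOURCE_HOST; for the second, run it on the remote machine with the Driver machine's address. Then run check_ssh_trust from the machine that holds the private key: a non-zero exit there is a real failure, not a password prompt you can type through.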