I use puppet for managing our production servers. Under rhel5 the standard way of enabling ldap is to use the authconfig tool, which works successfully but isn't really compatible with the puppet way of doing things. If I were to have puppet make the relevant edits to the authentication config files, which ones should I change? Off the top of my head the files I know that need editing to enable ldap authentication are
/etc/ldap.conf
/etc/nsswitch.conf
But there may also be pam config files which I am not sure about.
I typically edit:
I think that covers the necessary evils. Might need /etc/sudoers as well.
My preference is to manage /etc/sysconfig/authconfig (which contains a list of vars) then use authconfig --updateall, this lets me drop 1 file that controls everything.
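As an added example (not code from this thread), a Puppet manifest implementing the approach above: manage /etc/sysconfig/authconfig and ship /etc/ldap.conf, and let authconfig --updateall regenerate the rest only when one of those files changes. The variable names in the sysconfig file and the puppet:///modules/ldap_auth/ldap.conf source path are assumptions, not values from the thread.

```puppet
# Added example: "manage /etc/sysconfig/authconfig, then run
# authconfig --updateall" as a Puppet class. The USE* variable names
# are assumed (standard RHEL5 names, not listed in the thread) and the
# list is abbreviated; a real file carries the full set of variables.
class ldap_auth {
  file { '/etc/sysconfig/authconfig':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "USESHADOW=yes\nUSEMD5=yes\nUSELDAP=yes\nUSELDAPAUTH=yes\n",
    notify  => Exec['authconfig-updateall'],
  }

  # LDAP client settings, shipped from the puppet fileserver
  # (the module path below is an assumption). Keep this file free of a
  # bind password: it is world-readable, as nss_ldap expects.
  file { '/etc/ldap.conf':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/ldap_auth/ldap.conf',
    notify => Exec['authconfig-updateall'],
  }

  # Regenerates nsswitch.conf and pam.d/system-auth-ac from the
  # variables above. refreshonly => true means it runs only when a
  # managed file actually changed, so routine puppet runs stay idempotent.
  exec { 'authconfig-updateall':
    command     => '/usr/sbin/authconfig --updateall',
    refreshonly => true,
  }
}

include ldap_auth
```

Because the file resources notify the exec, a change to either file on the puppet master is pushed out and applied in the same run, and a hand edit on a server is reverted on the next run.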
I'm not sure about any RedHat specific configurations, but take a look at this LDAP configuration guide.
Basically, besides the files you mention, you should also configure PAM like so:
Our script to set up ldap auth (which invokes authconfig) modifies these files:
Slightly off-topic, but something that can be helpful when setting up PAM for ldap auth is to automatically create user home directories when they log into a server for the first time.
If you are setting up ldap in system-auth file, then add the following to "session":
On a RHEL5 server, I have this after "session require pam_limits.so" (3rd "session" config param).
As per tucker's suggestion above, puppet is a great tool for managing configs across multiple servers.
If you're kickstarting, you can set this up as a kickstart option. See:
http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/s1-kickstart2-options.html
Use authconfig-tui on one client to create the necessary files (ldap.conf, krb5.conf, pam.d/system-auth-ac etc), then copy those files into your puppet install and use puppet to push the files to all new and existing servers.
If you have a significant number of servers and you're not using puppet, you should consider it.