
LDAP NAMESERVICE SWITCH LIBRARY
===============================

This is the nss_ldap library, an LDAP module for the Solaris Nameservice
Switch (NSS), the GNU libc NSS, and the ISC BIND IRS (used on BSDI
and IRS).

The LDAP schema used is described in RFC 2307.

Insert this:

passwd:     files nis ldap
group:      files nis ldap

or something similar in /etc/nsswitch.conf.

The source code is distributed under the GNU General Library Public Licence
(see COPYING.LIB). 

Platforms this has been built under:

	o Linux 2.x
	o Solaris 2.4, 2.6, 7, 8
	o FreeBSD BIND 8.x
	o AIX 4.?? with IRS

If you are willing to use an older, and possibly buggy, version
of nss_ldap, you can find patches to get it to work with the
"real" FreeBSD nsswitch at http://www.nectar.com/freebsd/nsswitch.

To install:

% ./configure
% make
% make install

NB: you need to use GNU make! (often called gmake or gnumake)

1. Installation
---------------

You need to ensure libnss_ldap.so.1 (or nss_ldap.so.1, for Solaris) is in
/usr/lib.

2. Building shared LDAP client libraries
----------------------------------------

You can build a position independent LDAP client library by compiling
with -fPIC and linking with -shared, or downloading the Mozilla or Netscape
LDAP SDKs. Note that OpenLDAP only appears to build shared libraries
on some platforms (apparently not Solaris?). To build these, configure
with --enable-shared.

3. glibc 2.0 compatibility
--------------------------

Current versions of the nss_ldap library are designed to work with
glibc 2.1, not glibc 2.0. They _may_ work with glibc 2.0. YMMV.

4. RFC2307BIS
-------------

Compiling with -DRFC2307BIS adds rfc2307bis support, which at the
moment just gets you support for groups with distinguished name
members (instead of login names). A posixGroup can thus have both
the memberUid and uniqueMember attributes. This support makes
use of the Berkeley DB library to cache DN to login name mappings;
if you don't want to use this or don't have libdb, then you need
to undefine DN2UID_CACHE in util.c. 
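
The group expansion described above, as an added example (not code from
nss_ldap). It models a posixGroup carrying both attribute types and a DN to
login name cache; the sample entries, the Dn2UidCache and group_members names,
and the choice to skip DNs that do not resolve are assumptions of this example.

```python
"""Model of RFC2307bis group expansion: memberUid logins plus uniqueMember DNs."""

# Constructed sample directory: DN -> entry attributes (stands in for LDAP lookups).
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {"uid": ["alice"]},
    "cn=Bob Smith,ou=People,dc=example,dc=com": {"uid": ["bob"]},
}

# Constructed posixGroup entry carrying both attribute types.
GROUP = {
    "cn": ["staff"],
    "gidNumber": ["500"],
    "memberUid": ["carol", "alice"],
    "uniqueMember": [
        "uid=alice,ou=People,dc=example,dc=com",
        "cn=Bob Smith,ou=People,dc=example,dc=com",
        "uid=ghost,ou=People,dc=example,dc=com",  # dangling DN, no such entry
    ],
}


class Dn2UidCache:
    """Caches DN -> login name so each DN costs one directory lookup."""

    def __init__(self, directory):
        self.directory = directory
        self.cache = {}
        self.lookups = 0  # number of (simulated) directory searches made

    def resolve(self, dn):
        if dn not in self.cache:
            self.lookups += 1
            entry = self.directory.get(dn)
            # Failed lookups are cached as None so they are not retried.
            self.cache[dn] = entry["uid"][0] if entry and entry.get("uid") else None
        return self.cache[dn]


def group_members(group, cache):
    """Return the group's login names, in order, without duplicates."""
    candidates = list(group.get("memberUid", []))
    candidates += [cache.resolve(dn) for dn in group.get("uniqueMember", [])]
    members = []
    for login in candidates:
        # A DN that maps to no login contributes no member.
        if login is not None and login not in members:
            members.append(login)
    return members
```
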

5. Building under FreeBSD
-------------------------

Here's what I do to build it under FreeBSD. You will need to
link it into libbind.a for it actually to be useful.

CPPFLAGS="-I/usr/local/include -I/usr/local/include/bind -DPIC"
export CPPFLAGS
CFLAGS=$CPPFLAGS # this is weird
export CFLAGS
LDFLAGS="-L/usr/local/lib"
LIBS="-lbind_r -lgnuregex -lsasl -lkrb"
export LDFLAGS LIBS
./configure
make

6. Solaris, shadowAccount
-------------------------

Joerg Paysen notes:

> I think it's extremely important that you have a
> /etc/shadow file so that an ObjectClass shadowAccount
> will be created in the ldap database. My experience is
> that without shadowAccount nss_ldap does not work on
> Solaris!!

7. Mailing lists
----------------

To discuss nss_ldap and related technologies, you may
subscribe to the following mailing lists:    

        <URL:mailto:nssldap-request@padl.com>
and
        <URL:mailto:ldap-nis-request@padl.com>

Send an electronic mail message with "subscribe" in the
message body to join the list.

8. Commercial support
---------------------

Note that PADL now offer commercial support on a
per-incident basis.      

To request a support incident, send email to: nssldap-support@padl.com

--
PADL Software Pty Ltd
nssldap-support@padl.com
http://www.padl.com/

