How to use external OpenLDAP

Attention:

• Please make sure added nis.schema configuration to /etc/openldap/slapd.conf configuration
• Please make sure obtained the suffix of the existing OpenLDAP, for example: dc=hpc,dc=lico
• Please confirm OpenLDAP communication protocol, for example: ldap://
• Please execute the following steps on the node that to access OpenLDAP

Step 1. Install nss-pam-ldapd

dnf install -y nss-pam-ldapd

Step 2. Configure /etc/nslcd.conf, add the following content:

​x
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The user and group nslcd should run as.
uid nslcd
gid ldap

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
# Modify <LDAP_ADDRESS> to LDAP node IP
# Take the communication protocol as ldap:// as an example
uri ldap://<LDAP_ADDRESS>/

base <suffix>
ssl no
rootpwmoddn uid=admin, <suffix>

Step 3. Start the nslcd service

xxxxxxxxxx
chmod 600 /etc/nslcd.conf
systemctl enable nslcd --now

Step 4. Create the path for the configuration file:

xxxxxxxxxx
mkdir -p /usr/share/authselect/vendor/nslcd

Step 5. Download configuration files from: https://hpc.lenovo.com/lico/downloads/7.0/examples/conf/authselect/authselect.tar.gz

Step 6. Enable the configuration:

xxxxxxxxxx
tar -xzvf authselect.tar.gz -C /usr/share/authselect/vendor/nslcd/
authselect select nslcd with-mkhomedir --force

Step 7. Find the following configuration in the LiCO configuration file /etc/lico/lico.ini.d/user.ini and change the value to false:

xxxxxxxxxx
USE_LIBUSER = false

Step 8. Import the user into LiCO:

xxxxxxxxxx
lico import_user -u <USERNAME> -r <ROLE>