Configure an OpenLDAP server on Ubuntu 14.04
1. Some concepts
Every object in the directory is identified by a Distinguished Name (DN). The DN consists of the object's own name (here its Common Name, cn) followed by the names of the containers above it, for example:
cn=Robert,dc=sandr,dc=fr
An object has attributes, such as cn.
The definitions of the object classes (for example user objects) and of their attributes are held in the LDAP schema.
After installing a basic LDAP server, you have a basic schema. If support for additional object types is required, you can extend this schema by installing additional schema files and loading them into LDAP. The schema files live in:
/etc/ldap/schema
A generic file format is used to work with information in an LDAP environment. This format is known as the LDAP Data Interchange Format (LDIF). As an administrator, you will use LDIF to add information to the LDAP Directory.
If more than one LDAP server is used in your network, you can set up one of them as the master server and the others as slave servers. You then also need to set up synchronization between these servers; this synchronization is implemented with the slurpd daemon.
LDAP client components:
1. nss_ldap, the module that makes it possible to look up users and groups in the LDAP server from the /etc/nsswitch.conf configuration file.
2. PAM, which performs the authentication itself.
Configuring an LDAP server:
1. Install the LDAP software.
2. Configure the LDAP server.
3. Start slapd.
4. Create an LDIF file and use ldapadd to add information to the LDAP database.
5. Use ldapsearch to verify that your LDAP server is working.
6. (Optional) Set up replication using slurpd.
2. Installation
root@ubuntu:~# apt-get install slapd ldap-utils
Reading package lists… Done
Building dependency tree
Reading state information… Done
…
root@ubuntu:~# dpkg-reconfigure slapd
Answer No when asked whether to omit the OpenLDAP server configuration, then follow the remaining prompts.
The run-time configuration (RTC) is stored in the /etc/ldap/slapd.d/ directory. The directory server's configuration can be modified by editing the files in this directory and restarting slapd, but it is also possible to modify the server configuration in real time by changing the configuration entries in the special RTC DIT cn=config with the tools in the ldap-utils package (ldapadd, ldapmodify, et cetera), just as if you were dealing with a regular DIT. The current configuration can be read back like this:
root@ubuntu:/usr/local/etc# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config|more
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcAllows: bind_v2
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
root@ubuntu:/usr/local/etc# slappasswd
New password:
Re-enter new password:
{SSHA}pQvegg6GcYKUd6No11xYRrswJNIBFrCt
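As an added example (my own Python, not code from the post or from OpenLDAP), this shows how the {SSHA} value that slappasswd printed above is built and how a server checks a bind password against it: the 4-byte random salt is appended to the password, the SHA-1 digest is taken, and digest plus salt are base64-encoded behind the {SSHA} prefix. PAGE_HASH is the value from the session above; its password is not known, so it is only split to show the 20-byte digest plus 4-byte salt layout. Only the standard library (hashlib, base64, hmac, os) is used.

```python
import base64
import hashlib
import hmac
import os

# Value printed by slappasswd in the session above. Its password is unknown; it is only
# used to show the layout (20-byte SHA-1 digest followed by the salt, base64-encoded).
PAGE_HASH = "{SSHA}pQvegg6GcYKUd6No11xYRrswJNIBFrCt"

SCHEME = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value the way slappasswd does: base64(sha1(password + salt) + salt).
    slappasswd uses a 4-byte random salt by default; we do the same unless one is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(value):
    """Return (digest, salt) from a {SSHA} string, rejecting any other scheme."""
    if not value.startswith(SCHEME):
        raise ValueError("not a {SSHA} value: %r" % value)
    raw = base64.b64decode(value[len(SCHEME):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to contain a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, value):
    """Check a candidate password against a stored {SSHA} value.
    The stored salt is reused, and the digests are compared in constant time."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ssha_hash("correct horse")
    print(stored)
    print("salt bytes in the page's hash:", len(split_ssha(PAGE_HASH)[1]))
    print(ssha_verify("correct horse", stored), ssha_verify("wrong", stored))
```

Salted SHA-1 is what slapd supports out of the box on this release; the point of the salt is that two users with the same password get different userPassword values. Whatever the scheme, the value written into an LDIF should be this hashed form, never the cleartext password, because anyone able to read the entry or a copy of /var/lib/ldap would otherwise obtain the password directly.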
root@ubuntu:~/ldap# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/example.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcDbDirectory: value #0: invalid path: Permission denied
slapd is confined by AppArmor, so it may not use a database directory under /home until the profile allows it. Add this to /etc/apparmor.d/usr.sbin.slapd:
#robert
/home/robert/ldap r,
/home/robert/ldap/** rwk,
root@ubuntu:/etc/apparmor.d# service apparmor reload
* Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
…done.
root@ubuntu:/etc/apparmor.d# cd
root@ubuntu:~# cd ldap
root@ubuntu:~/ldap# ls
example.ldif
root@ubuntu:~/ldap# ldapadd -Y EXTERNAL -H ldapi:/// -f ./example.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: <olcSuffix> namingContext "dc=robert321,dc=com" already served by a preceding hdb database
This suffix is already served by the hdb database that dpkg-reconfigure slapd created, so the second database definition is rejected and is not needed.
Install phpldapadmin:
apt-get install phpldapadmin
Then edit its configuration file and Apache snippet:
vi /etc/phpldapadmin/config.php
vi /etc/phpldapadmin/apache.conf
$servers->setValue('server','name','ubuntu.robert321.com');
/* Examples:
'ldap.example.com',
'ldaps://ldap.example.com/',
'ldapi://%2fusr%local%2fvar%2frun%2fldapi'
(Unix socket at /usr/local/var/run/ldap) */
$servers->setValue('server','host','127.0.0.1');
/* The port your LDAP server listens on (no quotes). 389 is standard. */
// $servers->setValue('server','port',389);
/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
auto-detect it for you. */
$servers->setValue('server','base',array('dc=robert321,dc=com'));
root@ubuntu:/var/lib/ldap# ls -lrt
total 512
-rw-r--r-- 1 openldap openldap 96 Jan 16 08:53 DB_CONFIG
-rw-r--r-- 1 openldap openldap 2048 Jan 16 08:53 alock
-rw------- 1 openldap openldap 114687 Jan 16 12:57 __db.003
-rw------- 1 openldap openldap 8192 Jan 16 12:57 objectClass.bdb
-rw------- 1 openldap openldap 32768 Jan 16 12:57 id2entry.bdb
-rw------- 1 openldap openldap 8192 Jan 16 12:57 dn2id.bdb
-rw------- 1 openldap openldap 10485759 Jan 16 12:57 log.0000000001
-rw------- 1 openldap openldap 139263 Jan 16 13:09 __db.002
-rw------- 1 openldap openldap 294911 Jan 16 13:09 __db.001
Content of /tmp/init.ldif (entries are separated by blank lines; replace each <password> placeholder with a {SSHA} value produced by slappasswd):
# base entry
dn: dc=robert321,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: robert321
ou: robert321 Dot Com

# directory administrator
dn: cn=admin,dc=robert321,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: <password>

# containers for users and groups
dn: ou=people,dc=robert321,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=robert321,dc=com
objectClass: organizationalUnit
ou: groups

# a POSIX user account
dn: uid=lionel,ou=people,dc=robert321,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lionel
sn: Porcheron
givenName: Lionel
cn: Lionel Porcheron
displayName: Lionel Porcheron
uidNumber: 1000
gidNumber: 10000
userPassword: <password>
gecos: Lionel Porcheron
loginShell: /bin/bash
homeDirectory: /home/lionel
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: lionel.porcheron@robert321.com
postalCode: 31000
l: Toulouse
o: robert321
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: LP

# POSIX groups
dn: cn=robert321,ou=groups,dc=robert321,dc=com
objectClass: posixGroup
cn: robert321
gidNumber: 10000

dn: cn=robert3212,ou=groups,dc=robert321,dc=com
objectClass: posixGroup
cn: robert3212
memberUid: lionel
gidNumber: 10001
root@ubuntu:/var/lib/ldap# ldapadd -x -W -c -D "cn=admin,dc=robert321,dc=com" -f /tmp/init.ldif
Enter LDAP Password:
adding new entry "dc=robert321,dc=com"
ldap_add: Already exists (68)
adding new entry "cn=admin,dc=robert321,dc=com"
ldap_add: Already exists (68)
adding new entry "ou=people,dc=robert321,dc=com"
adding new entry "ou=groups,dc=robert321,dc=com"
ldap_add: Already exists (68)
adding new entry "uid=lionel,ou=people,dc=robert321,dc=com"
adding new entry "cn=robert321,ou=groups,dc=robert321,dc=com"
adding new entry "cn=robert3212,ou=groups,dc=robert321,dc=com"
root@ubuntu:/usr/local# ldapsearch -x -b "dc=robert321,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=robert321,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# robert321.com
dn: dc=robert321,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: robert321.com
dc: robert321
Searching for specific attributes with a filter (the filter uid=admin matches nothing here, because the cn=admin entry above has no uid attribute, so only the result header comes back):
root@ubuntu:/usr/local# ldapsearch -x -b "dc=robert321,dc=com" uid=admin sn givenName cn
# extended LDIF
#
# LDAPv3
# base <dc=robert321,dc=com> with scope subtree
# filter: uid=admin
# requesting: sn givenName cn
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Ref:
http://www.unixmen.com/configure-linux-clients-authenticate-using-openldap/
http://www.openldap.org/doc/admin24/slapdconf2.html
https://help.ubuntu.com/community/LDAPClientAuthentication
Authenticating a Linux client against the OpenLDAP server
1. Create the group
root@ubuntu:~# more posixGroup.ldif
dn: cn=ldapusers,ou=groups,dc=robert321,dc=com
objectClass: posixGroup
cn: ldapusers
gidNumber: 4000
The group name is admin.
2. Create a new user
root@ubuntu:~# more newuser.ldif
dn: cn=zabbix,ou=People,dc=robert321,dc=com
givenName: zabbix
sn: monitoring
cn: zabbix
uid: zabbix
uidNumber: 2089
homeDirectory: /home/zabbix
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
# stored as cleartext here; a {SSHA} value from slappasswd is the safer choice
userPassword: password1
gidNumber: 4000
3. Load both files into OpenLDAP (the -x flag selects a simple bind; without it ldapadd attempts a SASL bind and ignores -D):
ldapadd -x -W -D cn=admin,dc=robert321,dc=com -f posixGroup.ldif
ldapadd -x -W -D cn=admin,dc=robert321,dc=com -f newuser.ldif
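Before an LDIF file such as init.ldif above or the posixGroup.ldif/newuser.ldif pair just loaded is handed to ldapadd, it is worth checking it offline. As an added example (my own Python, not a tool from the post or from OpenLDAP), this is a small content-LDIF parser plus a lint pass that reports the mistakes seen on this page: an entry missing an attribute its object class requires, a uidNumber reused by two accounts, a duplicate DN, and a userPassword stored in cleartext. SAMPLE_LDIF is a constructed, trimmed copy of entries from the two files; the MUST table is an assumption covering only the four object classes used here, taken from the standard core, nis and inetorgperson schemas.

```python
import base64
import re
from collections import defaultdict

# Constructed sample, not a file from the page: trimmed entries from init.ldif plus the
# zabbix entry from newuser.ldif, separated by the blank lines LDIF requires.
SAMPLE_LDIF = """\
dn: ou=people,dc=robert321,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=lionel,ou=people,dc=robert321,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lionel
sn: Porcheron
cn: Lionel Porcheron
uidNumber: 1000
gidNumber: 10000
homeDirectory: /home/lionel
userPassword: {SSHA}pQvegg6GcYKUd6No11xYRrswJNIBFrCt

dn: cn=zabbix,ou=People,dc=robert321,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: zabbix
sn: monitoring
uid: zabbix
uidNumber: 2089
gidNumber: 4000
homeDirectory: /home/zabbix
loginShell: /bin/bash
userPassword: password1
"""

# Attributes these object classes mark as MUST in the standard schemas (inetOrgPerson
# inherits cn and sn from person). Assumed subset: only the classes used on this page.
# Names are lower-cased because LDAP attribute names are case-insensitive.
MUST = {
    "organizationalunit": {"ou"},
    "posixgroup": {"cn", "gidnumber"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "inetorgperson": {"cn", "sn"},
}


def parse_ldif(text):
    """Parse content-style LDIF (no changetype records) into a list of
    (dn, {attr: [values]}) tuples. Handles '#' comments, 'attr:: base64' values and
    continuation lines (a line starting with one space extends the previous line)."""
    entries = []
    dn, attrs = None, None
    unfolded = re.sub(r"\n ", "", text)            # join continuation lines
    for line in unfolded.splitlines() + [""]:      # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):                  # attr:: base64value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is None:
            raise ValueError("attribute line before any dn: %r" % line)
        else:
            attrs[name].append(value)
    return entries


def lint(entries):
    """Return problems slapd would reject (schema, duplicate DN) or an admin should not load."""
    problems = []
    seen_dn, seen_uidnumber = set(), {}
    for dn, attrs in entries:
        key = dn.lower()
        if key in seen_dn:
            problems.append("%s: duplicate dn" % dn)
        seen_dn.add(key)
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if not classes:
            problems.append("%s: no objectClass" % dn)
        for cls in classes:
            missing = MUST.get(cls, set()) - set(attrs)
            if missing:
                problems.append("%s: %s requires %s" % (dn, cls, ", ".join(sorted(missing))))
        for pw in attrs.get("userpassword", []):
            if not pw.startswith("{") or pw.upper().startswith("{CLEARTEXT}"):
                problems.append("%s: userPassword is cleartext; use a slappasswd hash" % dn)
        for n in attrs.get("uidnumber", []):
            if n in seen_uidnumber:
                problems.append("%s: uidNumber %s already used by %s" % (dn, n, seen_uidnumber[n]))
            seen_uidnumber[n] = dn
    return problems


def lint_text(text):
    return lint(parse_ldif(text))


if __name__ == "__main__":
    for problem in lint_text(SAMPLE_LDIF):
        print(problem)
```

Run against the sample it reports exactly one problem, the cleartext password on the zabbix entry; the schema checks are what slapd itself would enforce at ldapadd time, while the password and uidNumber checks catch things slapd accepts without complaint (two accounts sharing a uidNumber are, to the kernel, the same user).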
4. On the client machine, run:
apt-get install ldap-auth-client nscd
dpkg-reconfigure ldap-auth-config
When the wizard completes, it will have written /etc/ldap.conf. Next, configure the name service file, /etc/nsswitch.conf, by running:
sudo auth-client-config -t nss -p lac_ldap
This sets up the NSS profile to look up local users first and LDAP users second. See /etc/auth-client-config/profile.d/ldap-auth-config for details.
root@ubuntu2:~# more /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
BASE dc=robert321,dc=com
URI ldap://192.168.246.130
5. Allow sudo in /etc/sudoers:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
Since zabbix is in the admin group, it can use sudo.
If we do not have a central file server for home directories, we need to create users' home directories locally when they first log in. PAM, the pluggable authentication modules, can do this. Create a configuration file in /usr/share/pam-configs/ that reads similar to the following:
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
We are now ready to update PAM:
sudo pam-auth-update
This starts a small wizard; make sure the new profile is selected, along with LDAP and anything else you need. They are normally selected already.
Finally, restart the name service cache daemon:
sudo /etc/init.d/nscd restart
We can test the result by running:
getent passwd
The post Configure an OpenLDAP server on ubuntu 14.04 and Authentication linux client with it appeared first on Robert Chen.