LDAP
Configuring LDAP Server in Ubuntu
Setting up LDAP clients for UNIX authentication
Implementing Autofs using LDAP maps
Configuring LDAP to authenticate Samba users
LDAP on Ubuntu/Debian
Setting up the LDAP server
01. Install the slapd, ldap-utils, migrationtools and phpldapadmin packages
# apt-get install slapd ldap-utils migrationtools phpldapadmin
02. Create a link so that phpldapadmin is reachable through the web server
# ln -s /usr/share/phpldapadmin /var/www/phpldapadmin
phpldapadmin takes the admin DN and password over the web and gives full write access to the directory, so serve it over HTTPS only and restrict it to administrator addresses in the web server configuration.
03. Modify the dc values in /usr/share/phpldapadmin/config/config.php file as follows:
$ldapservers->SetValue($i,'server','base',array('dc=sys-admin,dc=net'));
04. Re-configure the slapd package. Answer the questions as below ("secret" is only a placeholder; the admin password is the root credential of the whole directory, so choose a strong one)
# dpkg-reconfigure slapd
Omit OpenLDAP server configuration?: no
DNS domain name: sys-admin.net
Name of your organization: Organization Name
Admin password: secret
Confirm admin password: secret
Database backend: BDB
Database to be removed when slapd is purged: no
Allow LDAPv2 protocol: no
05. Start the LDAP server if not started already
# /etc/init.d/slapd start
06. Test the LDAP server (-x is an anonymous simple bind; both searches should return the base entry created above)
# ldapsearch -x -b dc=sys-admin,dc=net
# ldapsearch -x -b 'dc=sys-admin,dc=net' '(objectclass=*)'
07. Add the initial entries to the LDAP database. Use the migrationtools to convert the /etc files to LDIF
7a. Change $DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE in /usr/share/migrationtools/migrate_common.ph from padl to your own domain. The $IGNORE_* ranges keep system accounts (uid/gid below 1000) out of the directory:
$DEFAULT_MAIL_DOMAIN = "sys-admin.net";
$DEFAULT_BASE = "dc=sys-admin,dc=net";
$IGNORE_UID_BELOW = 1000;
$IGNORE_GID_BELOW = 1000;
$IGNORE_UID_ABOVE = 9999;
$IGNORE_GID_ABOVE = 9999;
7b. Convert /etc/hosts, /etc/passwd, /etc/group and the automount maps to LDIF with the migrationtools (the scripts live in /usr/share/migrationtools). Run as root, migrate_passwd.pl copies the password hashes from /etc/shadow into the userPassword attribute, so set umask 077 first so that the files in /tmp are not world-readable, and delete them once they are loaded
# cd /usr/share/migrationtools
# umask 077
# ./migrate_base.pl > /tmp/base.ldif
# ./migrate_group.pl /etc/group /tmp/group.ldif
# ./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
# ./migrate_automount.pl /etc/auto.master /tmp/automount.ldif
# ./migrate_automount.pl /etc/auto.home >> /tmp/automount.ldif
7c. Add the LDIF files to the LDAP database, binding as the admin DN (-W prompts for the password). Load base.ldif first, it creates the ou=People, ou=Group and ou=Hosts containers the other files refer to; dpkg-reconfigure already created the dc=sys-admin,dc=net entry, so use -c on that file to continue past the "Already exists" error
# ldapadd -x -c -D "cn=admin,dc=sys-admin,dc=net" -W -f /tmp/base.ldif
# ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f /tmp/passwd.ldif
# ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f /tmp/group.ldif
# ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f /tmp/hosts.ldif
# ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f /tmp/automount.ldif
LDAP server is ready now
LDAP Authentication in ubuntu
01. On the client system, install the following packages
# apt-get install ldap-utils libpam-ldap libnss-ldap nscd
The libnss-ldap and libpam-ldap packages ask a few questions. Answer them as follows
LDAP server host: <IP address of server>
The distinguished name of the search base: dc=sys-admin,dc=net
LDAP version to use: 3
LDAP account for root: cn=admin,dc=sys-admin,dc=net
Root account password: <your password here>
Make local root database admin: Yes
Database requires logging in: No
Root login account: cn=admin,dc=sys-admin,dc=net
Answering Yes to "Make local root database admin" stores the directory admin password on the client in /etc/libnss-ldap.secret and /etc/pam_ldap.secret; check that both are owned by root with mode 0600. A compromised client then has full write access to the directory, so for anything beyond a lab use a dedicated bind DN with the minimum rights the client needs instead of cn=admin.
02. Edit the /etc/nsswitch.conf file
cat /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
03. Add / edit /etc/ldap/ldap.conf (the defaults for the ldap-utils tools such as ldapsearch)
# cat /etc/ldap/ldap.conf
BASE dc=sys-admin,dc=net
URI ldap://IP-address_of_your_ldap_server
Note that ldap:// is cleartext: every user password pam_ldap binds with, and the admin password used by root, cross the network unencrypted. Outside a test lab use ldaps:// (or "ssl start_tls" in /etc/pam_ldap.conf and /etc/libnss-ldap.conf) with a server certificate that the clients verify.
04. Modify the common-account, common-auth, common-password, common-session, su and ssh PAM files as follows. pam_ldap comes first and is "sufficient", so an LDAP user is accepted without consulting pam_unix; a local user falls through to pam_unix, which reuses the password already typed (use_first_pass). The pam_unix password line with min=4 max=8 md5 is the old Debian default; md5 is a weak hash for new passwords and current pam_unix supports sha512 in its place

# cat /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so use_first_pass

# cat /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

# cat /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5

# cat /etc/pam.d/common-session
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so

# cat /etc/pam.d/ssh
auth required pam_env.so
auth required pam_env.so envfile=/etc/default/locale
@include common-auth
account required pam_nologin.so
@include common-account
@include common-session
session optional pam_motd.so
session optional pam_mail.so standard noenv
session required pam_limits.so
@include common-password

# cat /etc/pam.d/su
auth sufficient pam_rootok.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_mail.so nopen
@include common-auth
@include common-account
@include common-session

# cat /etc/pam.d/passwd
@include common-password
05. Modify /etc/libnss-ldap.conf and /etc/pam_ldap.conf as follows. Both files take the same settings (pam_ldap.conf needs base, uri and ldap_version; the nss_base_* lines only matter to libnss-ldap). uri supersedes host, so the host line is only a fallback. base is the suffix of the directory; the nss_base_* lines narrow the search per map, and setting base itself to ou=People would break lookups that have no nss_base_* override (hosts, automount)
# cat /etc/libnss-ldap.conf
host <IP-Address_of_LDAP_server>
base dc=sys-admin,dc=net
uri ldap://IPaddress_of_Ldap_server/
ldap_version 3
nss_base_passwd ou=People,dc=sys-admin,dc=net
nss_base_group ou=Group,dc=sys-admin,dc=net
06. Verify that the client gets user information from the LDAP server with getent; the LDAP users are listed after the local ones. nscd caches lookups, so restart it after changing the configuration
# /etc/init.d/nscd restart
# getent passwd
# getent passwd <ldapuser>
# id <ldapuser>
07. Try logging in to the system as an LDAP user
Problem:
01. While the LDAP server boots, the following message is repeated several times and booting takes a very long time
udevd[374]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Sol: This is a known problem with the libnss-ldap package: early in boot, before slapd (or the network) is up, every name lookup that falls through to nss_ldap waits for the server. The boot time can be considerably reduced by limiting the retries in /etc/libnss-ldap.conf (the file nss_ldap reads on Debian; /etc/ldap/ldap.conf is the OpenLDAP client configuration)
bind_policy hard
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxconntries 2
bind_policy soft is the alternative: nss_ldap then gives up immediately when the server is unreachable instead of retrying at all.
Also, change nsswitch.conf so that the local files are consulted first and local accounts such as root never wait for LDAP
passwd: files ldap
group: files ldap
shadow: files ldap
Alternatively, download and install the following package. It is an unsigned third-party build, so verify it before trusting it with every lookup on the system, and prefer the distribution package once a fixed version is available
http://www.porcheron.info/libnss-ldap_251-7_i386.deb
02. Could not change the password of LDAP users; passwd gives "User not known to the underlying authentication module"
Sol: Make sure the password stack (/etc/pam.d/common-password, which /etc/pam.d/passwd includes) has the entries in the following order, pam_ldap first
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
Autofs using LDAP on ubuntu
For installing the NFS server and client packages and configuring automount itself, refer to the File Sharing section.
On the LDAP server:
01. Install autofs-ldap on the server. This package contains /etc/ldap/schema/autofs.schema; without that schema the automountMap and automount object classes are unknown to slapd and the entries below cannot be added.
# apt-get install autofs autofs-ldap
2a. Add the following line in /etc/ldap/slapd.conf in the ldap server
include /etc/ldap/schema/autofs.schema
2b. Restart the ldap daemon
# /etc/init.d/slapd restart
03. Create the auto.master map entry for LDAP
3a. If you want to keep the auto.master map in the LDAP server as well, add the following LDIF. Otherwise skip this step and continue with step 04
# cat /root/auto.master.ldif
dn: ou=auto.master,dc=sys-admin,dc=net
ou: auto.master
objectClass: top
objectClass: automountMap

dn: cn=/home,ou=auto.master,dc=sys-admin,dc=net
objectClass: automount
automountInformation: ldap:192.168.123.51:ou=auto.home,dc=sys-admin,dc=net --timeout 30
cn: /home
3b. Add the contents of /root/auto.master.ldif to the LDAP server
# ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f /root/auto.master.ldif
04. Create the auto.home map entries for LDAP
4a. If /etc/auto.home already exists, convert it to LDIF with the migrationtools. If not, create /root/autofs.ldif as shown below
# /usr/share/migrationtools/migrate_automount.pl /etc/auto.home /root/autofs.ldif
# cat /root/autofs.ldif
dn: ou=auto.home,dc=sys-admin,dc=net
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=test1,ou=auto.home,dc=sys-admin,dc=net
objectClass: automount
cn: test1
automountInformation: 192.168.123.51:/home/test1

dn: cn=test2,ou=auto.home,dc=sys-admin,dc=net
objectClass: automount
cn: test2
automountInformation: 192.168.123.51:/home/test2
4b. Add the contents of /root/autofs.ldif to the LDAP database
# ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f /root/autofs.ldif
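The auto.master LDIF of step 3a and the auto.home LDIF of step 4a follow one pattern: an automountMap container named after the map, and one automount entry per map key whose automountInformation is the rest of the map line. The following script, an added example that is neither part of this page nor the migrationtools' migrate_automount.pl, turns any autofs map text into that LDIF. It escapes RDN special characters (a key such as "a,b" would otherwise produce an invalid dn) and rejects duplicate keys, which would become a duplicate dn that ldapadd refuses with "Already exists". The server 192.168.123.51 and the base dc=sys-admin,dc=net are taken from the page; the map lines in AUTO_HOME and AUTO_MASTER, including the wildcard entry, are constructed samples.

```python
#!/usr/bin/env python3
"""Convert autofs map files into LDIF for the autofs.schema object classes.

Added example, not the migrationtools' migrate_automount.pl. The server
address 192.168.123.51 and base DN dc=sys-admin,dc=net come from the page;
the map lines in AUTO_HOME / AUTO_MASTER below are constructed samples.
"""
import re

_RDN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def rdn_escape(value: str) -> str:
    """Escape an RDN value per RFC 4514 so keys such as 'a,b' produce a valid dn."""
    out = _RDN_SPECIAL.sub(r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_map(text: str):
    """Yield (key, automountInformation) for each entry of an autofs map.

    Map lines are 'key [-options] location' (auto.home) or
    '/mountpoint map [options]' (auto.master); comments and blanks are skipped.
    Everything after the key is kept verbatim, which is what autofs expects
    to find in automountInformation.
    """
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key, rest = parts[0], parts[1:]
        if key in seen:
            # two entries with the same cn share a dn; ldapadd would stop
            # with "Already exists" at the second one
            raise ValueError(f"duplicate map key {key!r}")
        if not any(not p.startswith("-") for p in rest):
            raise ValueError(f"no location for map key {key!r}")
        seen.add(key)
        yield key, " ".join(rest)


def map_ldif(map_name: str, text: str, base_dn: str = "dc=sys-admin,dc=net") -> str:
    """LDIF: one automountMap container (ou=<map>) plus one automount entry per key."""
    container = f"ou={rdn_escape(map_name)},{base_dn}"
    blocks = [f"dn: {container}\nobjectClass: top\nobjectClass: automountMap\nou: {map_name}\n"]
    for key, info in parse_map(text):
        blocks.append(f"dn: cn={rdn_escape(key)},{container}\n"
                      "objectClass: automount\n"
                      f"cn: {key}\n"
                      f"automountInformation: {info}\n")
    return "\n".join(blocks)


# constructed sample maps (not real hosts or exports)
AUTO_HOME = """\
# home directories: one NFS export per user plus a wildcard entry
test1   -fstype=nfs,rw   192.168.123.51:/home/test1
test2   192.168.123.51:/home/test2
*       192.168.123.51:/home/&
"""
AUTO_MASTER = "/home ldap:192.168.123.51:ou=auto.home,dc=sys-admin,dc=net --timeout 30\n"

if __name__ == "__main__":
    print(map_ldif("auto.master", AUTO_MASTER))
    print(map_ldif("auto.home", AUTO_HOME))
```

Redirect the output to a file and load it with the same ldapadd command as in step 4b. The wildcard entry (cn=*) is the usual way to serve every home directory from one export without an entry per user; autofs substitutes the requested key for "&".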
On all the client systems where you want the directories automounted, do the following
01. Install the autofs and autofs-ldap packages. Without autofs-ldap the client cannot read maps from LDAP at all, including a master map served from the LDAP server
# apt-get install autofs autofs-ldap
02. If you added the auto.master map to the LDAP server in step 03 above and want the master map served from LDAP, add the following line to /etc/nsswitch.conf (LDAP is consulted before the local /etc/auto.master) and then skip to step 05
automount: ldap files
03. If you want to keep a local /etc/auto.master on each client instead, add the following line to /etc/nsswitch.conf
automount: files ldap
04. Modify the local /etc/auto.master as shown below so that it fetches the auto.home map from the LDAP server
# cat /etc/auto.master
/home ldap:LDAP_server_name:ou=auto.home,dc=sys-admin,dc=net
05. Restart the autofs daemon
# /etc/init.d/autofs restart
06. Test that automount works: accessing a home directory listed in the map should trigger the NFS mount
# ls /home/test1
# mount | grep /home/test1
SAMBA and LDAP in ubuntu
01. Install samba and samba-doc packages. samba.schema is included in samba-doc package
# apt-get install samba samba-doc
02. Copy /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz to /etc/ldap/schema/ directory and unzip it
# cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
# cd /etc/ldap/schema/
# gunzip samba.schema.gz
03. Add the following line in /etc/ldap/slapd.conf
include /etc/ldap/schema/samba.schema
04. Set up the Samba server. Edit /etc/samba/smb.conf as follows and restart Samba. Note that smb.conf must have exactly one passdb backend line (if a parameter is repeated, the last occurrence wins) and that "ldapsam guest" is the pre-3.0.23 form, which current Samba rejects
# cat smb.conf
[global]
workgroup = WORKGROUP
server string = %h server (Samba, Ubuntu)
obey pam restrictions = Yes
#--- Logging options
log level = 2
debug pid = yes
debug timestamp = yes
debug uid = yes
#---LDAP authentication settings
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=sys-admin,dc=net
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap admin dn = cn=admin,dc=sys-admin,dc=net
[secretdata]
comment = Samba home from LDAPSVR
directory = /smbhome
valid users = jeeva, kpalanis
read only = No
browseable = no
[homes]
comment = User Home directories
browseable = no
writable = yes
[sharedata]
comment = Shared data for all users
directory = /home/shared
read only = no
hide unreadable = yes
#--- settings for the recycle bin
vfs objects = recycle
recycle:repository = /home/shared-recycle
recycle:noversions = 2
05. Tell Samba the password of the LDAP admin DN named in smb.conf with the smbpasswd -w command. The password is stored in secrets.tdb, keyed by the ldap admin dn, so if that value ever changes the password has to be stored again. Without it Samba cannot bind to the directory and may fail to start. The password is passed on the command line, so it ends up in the shell history and, briefly, in ps output; clear it from the history afterwards
# smbpasswd -w <passwd_of_ldapadmin>
06.Restart the samba server
# /etc/init.d/samba restart
07. To let each user change their own Samba password, add the following ACLs to /etc/ldap/slapd.conf. ACLs are evaluated top-down and the first matching "access to" wins, so the password rule must come before the catch-all "access to *". The Debian default file already carries the same rule for userPassword; keep it (and shadowLastChange) above the catch-all too. "by anonymous auth" lets a client bind with the value without reading it, and "by * none" stops everyone else reading the NT and LM hashes, which are password-equivalent (the LM hash is trivially crackable, so also set "lanman auth = no" in smb.conf). Be aware that "by * read" on everything else lets anonymous clients enumerate all users, groups and hosts
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=admin,dc=sys-admin,dc=net" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=admin,dc=sys-admin,dc=net" write
        by * read
08. Make sure the [global] section of /etc/samba/smb.conf also carries the LDAP authentication settings below. ldap suffix and ldap admin dn repeat the values of step 04 and must agree with them; the old "ldap server" parameter has been superseded by the URL in "passdb backend", and "encrypt passwords = true" is the default, so both are harmless but redundant on current Samba
security = user
ldap server = yourldapserver
ldap suffix = "dc=sys-admin,dc=net"
ldap admin dn = "cn=admin,dc=sys-admin,dc=net"
encrypt passwords = true
passdb backend = ldapsam:ldap://127.0.0.1
To add a samba user to LDAP:
01. Get the local SID of Samba server
net getlocalsid
02. Create an LDIF file for the Samba user: a posixAccount entry under ou=People that additionally has objectClass sambaSamAccount, a sambaSID built from the local SID of step 01 plus a per-user RID, a sambaNTPassword and sambaAcctFlags. The following pages describe the attributes
http://aput.net/~jheiss/samba/ldap.shtml
http://www.wlug.org.nz/Samba3LDAP
Use "/usr/sbin/slappasswd -h {CRYPT}" to create the userPassword hashes for the users. {SSHA}, which is slappasswd's default scheme, is the stronger choice: salted SHA-1 instead of the 8-character DES crypt.