Friday, May 15, 2009

Configure OpenLDAP Server & LDAP Client in Ubuntu


  • Configure Server


 

Step 1 : Install Packages

 #apt-get install slapd ldap-utils migrationtools

 During the installation you will be prompted to supply an admin password and then to confirm it.

 Admin password: secret

Confirm password: secret

 

Step 2 : Reconfigure OpenLDAP Server

      #dpkg-reconfigure slapd

 This will also prompt you for some information

 No

DNS domain name: example.com

Name of your organization: example.com

Admin password: secret

Confirm password: secret

OK

BDB

No

Yes

No

 

Step 3 : Generate an encrypted password using slappasswd

       #slappasswd

        New password : password

        Conf password : password

        {SSHA}iJE9RpyiswdfdE10MQGof6lNycmGjG0edXd

 

Step 4 : Check the /etc/ldap/slapd.conf file parameters

       # vi /etc/ldap/slapd.conf

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}iJE9RpyiswdfdE10MQGof6lNycmGjG0edXd

    #paste the password hash we generated using slappasswd
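The rootpw line above takes the {SSHA} value produced by slappasswd rather than the cleartext password. The script below is an added example (not part of this post, and not OpenLDAP code) that builds and verifies that format so you can see what the hash contains and check a rootpw or userPassword value before pasting it into a config file. The function names are my own; the sample password "password" is the one typed into slappasswd in Step 3.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} as written by slappasswd and read by slapd's rootpw: "{SSHA}" followed by
# base64(sha1(password + salt) + salt). The 20-byte SHA-1 digest comes first,
# then the salt (slappasswd uses 4 random bytes by default).
SCHEME = "{SSHA}"
DIGEST_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value for `password`, with a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored: str):
    """Split a {SSHA} value into (digest, salt); None if it is not well formed."""
    if not stored.startswith(SCHEME):
        return None
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= DIGEST_LEN:  # must hold a full digest plus at least one salt byte
        return None
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check `password` against a stored {SSHA} value; False for malformed input."""
    parts = ssha_parts(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_line(password: str) -> str:
    """Render the slapd.conf rootpw line used in Step 4 (hashed, never cleartext)."""
    return "rootpw          " + ssha_hash(password)


if __name__ == "__main__":
    value = ssha_hash("password")  # constructed: the sample password from Step 3
    print(value)
    print("verify ok:", ssha_verify("password", value))
    print("verify wrong:", ssha_verify("guess", value))
    print(rootpw_line("password"))
```

Running it prints a different {SSHA} string each time because of the random salt, but every one of them verifies against "password". Feeding it the value from a slapd.conf or LDIF file is a quick way to confirm the line was pasted intact.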

 

Step 5 : Reboot the server and start the slapd service

# reboot          

# /etc/init.d/slapd start

 

Step 6 : Generate ldif files for user group & organization data

Sample file :  # vi init.ldif

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: <password>

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=lionel,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lionel
sn: Porcheron
givenName: Lionel
cn: Lionel Porcheron
displayName: Lionel Porcheron
uidNumber: 1000
gidNumber: 10000
userPassword: <password>
gecos: Lionel Porcheron
loginShell: /bin/bash
homeDirectory: /home/lionel
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: lionel.porcheron@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: LP

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000

dn: cn=example2,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example2
memberUid: lionel
gidNumber: 10001

Save the file. (In LDIF a blank line ends an entry, so keep the attribute lines of each entry together and separate entries with exactly one blank line, as above.)

 

Step 7: Finalize process

 #/etc/init.d/slapd stop

# rm -rf /var/lib/ldap/*

# slapadd -l init.ldif 

# chown -R openldap:openldap /var/lib/ldap

# /etc/init.d/slapd start

 

Step 8 : Test Server

 #ldapsearch -x -b "cn=admin,dc=example,dc=com"

 

If it shows the result, the server is working fine.

  

  • Configure Client


  

Step 1 : Install required packages

 #apt-get install auth-client-config libpam-ldap libnss-ldap

 

Answer the questions with the following (customize if you need to):

 Should debconf manage LDAP configuration?: Yes

LDAP server Uniform Resource Identifier: ldap://example.com

Distinguished name of the search base: dc=example,dc=com

LDAP version to use: 3

Make local root Database admin: Yes

Does the LDAP database require login? No

LDAP account for root: cn=admin,dc=example,dc=com

LDAP root account password: secret

 

Step 2: Configure the /etc/ldap.conf file

Back up the files:

#cp /etc/ldap.conf  /etc/ldap.conf.org
#cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.org

Set the following entries in /etc/ldap.conf:

host example.com
base dc=example,dc=com
uri ldap://example.com/
rootbinddn cn=admin,dc=example,dc=com
bind_policy soft

Then copy the file into place:

#cp /etc/ldap.conf /etc/ldap/ldap.conf

 

Step 3: Configure the OpenLDAP authentication profile

Create a new file open_ldap:

# vim /etc/auth-client-config/profile.d/open_ldap

Put the following content in it. The continuation lines of each pam_* key must be indented, otherwise auth-client-config cannot parse the profile:

[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth       required     pam_env.so
        auth       sufficient   pam_unix.so likeauth nullok
        auth       sufficient   pam_ldap.so use_first_pass
        auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
        account    sufficient   pam_ldap.so
        account    required     pam_deny.so
pam_password=password   sufficient   pam_unix.so nullok md5 shadow use_authtok
        password   sufficient   pam_ldap.so use_first_pass
        password   required     pam_deny.so
pam_session=session    required     pam_limits.so
        session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
        session    required     pam_unix.so
        session    optional     pam_ldap.so
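A profile like this is easy to get subtly wrong, and the stacks it installs decide who can log in to every client. The following is an added example, not part of this post or of auth-client-config: it loads a profile in the same key=value-with-indented-continuation format (which Python's configparser reads directly), splits each pam_* value into PAM lines, and reports the things I would check before enabling it: that every name service lists ldap, that the auth/account/password stacks contain pam_ldap.so and finish with required pam_deny.so, and that nullok (which lets an account with an empty local password authenticate without one) is not present. The profile text is a constructed copy of the one above; the function names are my own.

```python
import configparser

# Constructed profile mirroring the open_ldap profile in this guide
# (continuation lines indented, as the file format requires).
PROFILE = """\
[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth       required     pam_env.so
    auth       sufficient   pam_unix.so likeauth nullok
    auth       sufficient   pam_ldap.so use_first_pass
    auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
    account    sufficient   pam_ldap.so
    account    required     pam_deny.so
pam_password=password   sufficient   pam_unix.so nullok md5 shadow use_authtok
    password   sufficient   pam_ldap.so use_first_pass
    password   required     pam_deny.so
pam_session=session    required     pam_limits.so
    session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
    session    required     pam_unix.so
    session    optional     pam_ldap.so
"""


def load_profile(text, name="open_ldap"):
    """Return the named profile section as a dict of key -> raw value text."""
    # Only '=' separates keys from values; ':' appears inside nss_* values.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return dict(cp[name])


def parse_pam_stack(value):
    """Split a pam_* value into (type, control, module, [args]) tuples, one per line."""
    stack = []
    for line in value.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        stack.append((parts[0], parts[1], parts[2], parts[3:]))
    return stack


def audit_profile(text, name="open_ldap"):
    """Return a list of findings about the NSS sources and PAM stacks in the profile."""
    prof = load_profile(text, name)
    findings = []
    for key in ("nss_passwd", "nss_group", "nss_shadow"):
        if "ldap" not in prof.get(key, "").split():
            findings.append(f"{key}: ldap is not listed as a name service source")
    for key in ("pam_auth", "pam_account", "pam_password"):
        stack = parse_pam_stack(prof.get(key, ""))
        # A stack that does not end in pam_deny.so falls through to the default
        # behaviour when every 'sufficient' module declines.
        if not stack or stack[-1][1:3] != ("required", "pam_deny.so"):
            findings.append(f"{key}: stack does not end with 'required pam_deny.so'")
        if not any(mod == "pam_ldap.so" for _, _, mod, _ in stack):
            findings.append(f"{key}: pam_ldap.so missing from the stack")
        for _typ, _ctrl, mod, args in stack:
            if "nullok" in args:
                findings.append(f"{key}: {mod} allows empty passwords (nullok)")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(PROFILE):
        print(finding)
```

Run against the profile from this step it reports only the two nullok options on pam_unix.so; drop nullok from those lines if no local account is meant to have an empty password. Point it at a real file with `audit_profile(open("/etc/auth-client-config/profile.d/open_ldap").read())`.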

 

Step 4 : Back up files

#cp /etc/nsswitch.conf /etc/nsswitch.conf.org

#mkdir -p /tmp/backup && cp -ra /etc/pam.d/* /tmp/backup

 

Step 5 : Enable the new OpenLDAP profile

# auth-client-config -a -p open_ldap

 

Step 6: Test ldap client

#getent passwd  (lists the users created in init.ldif on the LDAP server)

#getent group    (lists the groups created in init.ldif on the LDAP server)

 

If the above commands show the users, add a new user and try to log in on the client:

# vi newuser.ldif

dn: uid=sanjay,ou=People,dc=example,dc=com
uid: sanjay
cn: sanjay
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: sanjay
shadowLastChange: 14301
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1009
gidNumber: 1002
homeDirectory: /home/sanjay

 

Save the file and exit.

 

#/etc/init.d/slapd stop

#slapadd -l newuser.ldif

#/etc/init.d/slapd start
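slapadd only checks schema; it will happily load an account whose gidNumber matches no group, or whose userPassword is cleartext (as in newuser.ldif above, where the password is literally sanjay). The script below is an added example (not from this post, not an OpenLDAP tool) that parses hand-written LDIF such as init.ldif or newuser.ldif and reports those problems before the file is loaded: missing posixAccount attributes, duplicate uidNumbers, gidNumbers with no posixGroup in the same file, and userPassword values that are not a {SCHEME} hash. The embedded LDIF is a constructed sample in the shape of this guide's two files, with a placeholder hash rather than a real one; the function names are my own.

```python
import base64
import re

# Constructed sample in the shape of this guide's init.ldif/newuser.ldif (not the page's
# files): one hashed account whose group exists, one cleartext account whose gid does not.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

dn: uid=lionel,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lionel
cn: Lionel Porcheron
sn: Porcheron
uidNumber: 1000
gidNumber: 10000
userPassword: {SSHA}PLACEHOLDERnotARealHash=
homeDirectory: /home/lionel

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000

dn: uid=sanjay,ou=people,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: sanjay
cn: sanjay
uidNumber: 1009
gidNumber: 1002
userPassword: sanjay
homeDirectory: /home/sanjay
"""

LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")
HASHED = re.compile(r"^\{[A-Za-z0-9-]+\}")  # {SSHA}, {SHA}, {CRYPT}, ...
REQUIRED_POSIX_ACCOUNT = ("uid", "cn", "uidnumber", "gidnumber", "homedirectory")


def parse_ldif(text):
    """Parse LDIF content into a list of (dn, {attr_lowercase: [values]}).

    Entries are separated by blank lines, a line starting with one space continues
    the previous line, '#' lines are comments and 'attr:: ...' values are base64.
    """
    unfolded = re.sub(r"\n ", "", text)
    entries = []
    for block in re.split(r"\n[ \t]*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            m = LINE.match(line)
            if not m:
                raise ValueError(f"malformed LDIF line: {line!r}")
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is None:
            raise ValueError("entry without a dn line")
        entries.append((dn, attrs))
    return entries


def audit_ldif(text):
    """Return findings for posixAccount entries that slapadd would accept but should not."""
    entries = parse_ldif(text)
    group_gids = set()
    for _dn, attrs in entries:
        if "posixgroup" in {c.lower() for c in attrs.get("objectclass", [])}:
            group_gids.update(attrs.get("gidnumber", []))
    findings, seen_uid = [], {}
    for dn, attrs in entries:
        if "posixaccount" not in {c.lower() for c in attrs.get("objectclass", [])}:
            continue
        for req in REQUIRED_POSIX_ACCOUNT:
            if req not in attrs:
                findings.append(f"{dn}: missing {req}")
        for n in attrs.get("uidnumber", []):
            if n in seen_uid:
                findings.append(f"{dn}: uidNumber {n} already used by {seen_uid[n]}")
            seen_uid.setdefault(n, dn)
        for g in attrs.get("gidnumber", []):
            if g not in group_gids:
                findings.append(f"{dn}: gidNumber {g} has no posixGroup in this file")
        for pw in attrs.get("userpassword", []):
            if not HASHED.match(pw):
                findings.append(f"{dn}: userPassword is cleartext; use a slappasswd hash")
    return findings


if __name__ == "__main__":
    for finding in audit_ldif(SAMPLE_LDIF):
        print(finding)
```

On the sample it reports two findings, both for sanjay: gidNumber 1002 has no group and the password is cleartext. To check your own file, stop slapd as above and run `audit_ldif(open("newuser.ldif").read())` first; an empty list means the checks passed, and slapadd can follow.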

Try to log in to the client machine using

 

#ssh sanjay@ipaddress

If you are able to log in, your configuration is correct; otherwise you have missed some points. Check again... enjoy!
