A credential cache is needed when the LDAP server is down and a client still has to log in to the local machine: without it, even a valid LDAP user cannot log in while the server is unreachable.
To prevent this we implement cached credentials on the client side.
Step 1 : Install required packages
# apt-get install nss-updatedb libnss-db libpam-ccreds
Step 2 : Configure OpenLDAP authentication profile
# vim /etc/auth-client-config/profile.d/open_ldap
[open_ldap]
nss_passwd=passwd: compat ldap [NOTFOUND=return] db
nss_group=group: compat ldap [NOTFOUND=return] db
nss_shadow=shadow: compat ldap
nss_netgroup=netgroup: nis
pam_auth=auth optional pam_group.so
auth required pam_env.so
auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass
# If LDAP is unavailable, go to next line. If authentication via LDAP is successful, skip 1 line.
# If LDAP is available, but authentication is NOT successful, skip 2 lines.
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
auth required pam_deny.so
pam_account=account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so
account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_ldap.so
account required pam_permit.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
pam_session=session required pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_unix.so
session optional pam_ldap.so
Save the file.
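To see why the two comments in the auth stack hold, here is an added example of mine (not code from the post, pam_ldap or pam_ccreds): a simplified Python model of Linux-PAM's control flags (ok, done, bad, die, ignore and "skip N" jumps) walked over the profile's auth lines. pam_unix, pam_ldap and pam_ccreds are stubbed against an in-memory directory and cache with constructed data; Host, run_module, authenticate and demo are names I chose.

```python
# Added illustration: simplified Linux-PAM control-flag semantics applied to the
# auth lines of the open_ldap profile. Module behaviour is stubbed; nothing here
# is code from the PAM modules themselves.

SUCCESS, AUTH_ERR, AUTHINFO_UNAVAIL, USER_UNKNOWN = (
    "success", "auth_err", "authinfo_unavail", "user_unknown")

# The profile's auth stack as (control table, module, pam_ccreds action).
# 'required' expands to [success=ok default=bad], 'optional' to [success=ok default=ignore].
AUTH_STACK = [
    ({"success": "ok", "default": "ignore"}, "pam_group", ""),
    ({"success": "ok", "default": "bad"}, "pam_env", ""),
    ({"success": "done", "default": "ignore"}, "pam_unix", ""),
    ({"authinfo_unavail": "ignore", "success": 1, "default": 2}, "pam_ldap", ""),
    ({"default": "done"}, "pam_ccreds", "validate"),
    ({"default": "done"}, "pam_ccreds", "store"),
    ({"default": "bad"}, "pam_ccreds", "update"),
    ({"success": "ok", "default": "bad"}, "pam_deny", ""),
]


class Host:
    """Constructed environment: local shadow users, the LDAP directory, whether
    LDAP is reachable, and the pam_ccreds cache (plain strings in this stub;
    the real module keeps hashes in its on-disk database)."""

    def __init__(self, local, ldap, ldap_up, cache=None):
        self.local, self.ldap, self.ldap_up = local, ldap, ldap_up
        self.cache = {} if cache is None else cache


def run_module(host, module, action, user, password):
    """Status each stubbed module reports for this login attempt."""
    if module in ("pam_group", "pam_env"):
        return SUCCESS
    if module == "pam_unix":
        if user not in host.local:
            return USER_UNKNOWN
        return SUCCESS if host.local[user] == password else AUTH_ERR
    if module == "pam_ldap":
        if not host.ldap_up:
            return AUTHINFO_UNAVAIL
        if user not in host.ldap:
            return USER_UNKNOWN
        return SUCCESS if host.ldap[user] == password else AUTH_ERR
    if module == "pam_ccreds":
        if action == "validate":
            return SUCCESS if host.cache.get(user) == password else AUTH_ERR
        if action == "store":            # only reached after LDAP accepted the password
            host.cache[user] = password
            return SUCCESS
        if action == "update":           # only reached after LDAP rejected it:
            host.cache.pop(user, None)   # drop the now-stale cached credential
            return SUCCESS
    if module == "pam_deny":
        return AUTH_ERR
    raise ValueError(module)


def authenticate(host, user, password):
    """Walk AUTH_STACK; return (final status, trace of (module, status, action))."""
    result, i, trace = None, 0, []
    while i < len(AUTH_STACK):
        controls, module, action = AUTH_STACK[i]
        status = run_module(host, module, action, user, password)
        act = controls.get(status, controls["default"])
        trace.append((f"{module}:{action}" if action else module, status, act))
        if act != "ignore":
            # ok/done/bad/die and jumps all let the first failure win;
            # a success only counts while nothing has failed yet.
            if result in (None, SUCCESS):
                result = status
        if act in ("done", "die"):
            break
        i += act + 1 if isinstance(act, int) else 1   # a jump skips N modules
    return (AUTH_ERR if result is None else result), trace


def demo():
    """The situations the profile comments describe, in order."""
    host = Host(local={"root": "rootpw"}, ldap={"sanjay": "s3cret"}, ldap_up=True)
    online = authenticate(host, "sanjay", "s3cret")[0]    # LDAP ok -> store -> done
    host.ldap_up = False
    offline = authenticate(host, "sanjay", "s3cret")[0]   # LDAP down -> validate -> done
    host.ldap_up = True
    wrong = authenticate(host, "sanjay", "guess")[0]      # LDAP rejects -> update -> deny
    host.ldap_up = False
    stale = authenticate(host, "sanjay", "s3cret")[0]     # cache was cleared by update
    return online, offline, wrong, stale


if __name__ == "__main__":
    print(demo())
```

The trace makes the wiring visible: the store line is reached only through the success=1 jump and the update line only through the default=2 jump, so the cache is written only after LDAP accepted the password and is discarded once LDAP has rejected it. A local account such as root never reaches pam_ldap at all because pam_unix returns done.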
Step 3: Create a script for configuration
#vi script.sh
echo '#!/bin/sh' | sudo tee /etc/cron.daily/upd-local-nss-db
echo `which nss_updatedb` ldap | sudo tee -a /etc/cron.daily/upd-local-nss-db
sudo chmod +x /etc/cron.daily/upd-local-nss-db
cp open_ldap /etc/auth-client-config/profile.d/
auth-client-config -a -p open_ldap
Save the file and make it executable.
#chmod +x script.sh
#./script.sh
Step 4: Configure /etc/ldap.conf file.
Check these parameters:
host example.com
base dc=example,dc=com
uri ldap://example.com/
rootbinddn cn=admin,dc=example,dc=com
bind_policy soft
Save file and exit.
# cp /etc/ldap.conf /etc/ldap/ldap.conf
# nss_updatedb ldap
(this creates passwd.db and group.db)
Step 5 : Test the LDAP client.
#reboot
To cache a user's credentials on the client you must log in once while the LDAP server is reachable, so that the user's data is stored in the local databases. After that you can still log in to the local machine when the LDAP server is unavailable.
#ssh sanjay@ldapclientip
Now stop the LDAP service on the server to test the credential cache
# /etc/init.d/slapd stop
Now try to log in to the client machine again
#ssh sanjay@ldapclientip
It lets you log in to the local machine, with authentication based on the data stored in the local nss database.
Friday, May 15, 2009
Configure OpenLDAP Server & LDAP Client in Ubuntu
- Configure Server
Step 1 : Install Packages
#apt-get install slapd ldap-utils migrationtools
During the installation you will be prompted to supply an admin password and then to confirm it.
Admin password: secret
Confirm password: secret
Step 2 : Reconfigure OpenLDAP Server
#dpkg-reconfigure slapd
This will also prompt you for some information; answer as follows:
No
DNS domain name: example.com
Name of your organization: example.com
Admin password: secret
Confirm password: secret
OK
BDB
No
Yes
No
Step 3 : Generate an encrypted password using slappasswd
#slappasswd
New password : password
Conf password : password
{SSHA}iJE9RpyiswdfdE10MQGof6lNycmGjG0edXd
Step 4 : Check /etc/ldap/slapd.conf file parameters
# vi /etc/ldap/slapd.conf
database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}iJE9RpyiswdfdE10MQGof6lNycmGjG0edXd
# paste the hash generated with slappasswd in Step 3
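What the {SSHA} value from Step 3 actually contains, and why the rootpw line in Step 4 can hold it instead of the password, as an added example of mine (not code from the post or from OpenLDAP): build the hash the way slappasswd does and verify a bind password against it. The salt passed in the demo is constructed; ssha_hash and ssha_verify are names I chose.

```python
# Added example: the OpenLDAP {SSHA} password scheme in plain Python.
# {SSHA} = base64( sha1(password + salt) + salt ); slapd re-hashes the bind
# password with the salt recovered from the stored value and compares.
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return an OpenLDAP {SSHA} string for password (4-byte random salt by default)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    """Check a candidate password against a {SSHA} value; False on malformed input."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        blob = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return False
    if len(blob) <= 20:                     # SHA-1 digest plus at least one salt byte
        return False
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def rootpw_line(password):
    """The slapd.conf line Step 4 asks for, built from a fresh hash."""
    return "rootpw " + ssha_hash(password)


if __name__ == "__main__":
    line = rootpw_line("password")
    print(line)
    print(ssha_verify(line.split(" ", 1)[1], "password"))
```

Because the salt travels inside the value, two runs of slappasswd on the same password give different strings that both verify. The scheme prefix tells slapd how to check the value; a userPassword without any prefix is treated as clear text, which is why the user entries in Step 6 should also carry a slappasswd hash rather than the literal password.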
Step 5 : Reboot the server and start slapd service
# reboot
# /etc/init.d/slapd start
Step 6 : Generate ldif files for user, group & organization data
Sample file : # vi init.ldif
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: <password>

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=lionel,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lionel
sn: Porcheron
givenName: Lionel
cn: Lionel Porcheron
displayName: Lionel Porcheron
uidNumber: 1000
gidNumber: 10000
userPassword: <password>
gecos: Lionel Porcheron
loginShell: /bin/bash
homeDirectory: /home/lionel
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: lionel.porcheron@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: LP

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000

dn: cn=example2,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example2
memberUid: lionel
gidNumber: 10001
Save the file. Each entry must be separated from the next by a blank line, otherwise slapadd will not accept the file.
Step 7: Finalize process
#/etc/init.d/slapd stop
# rm -rf /var/lib/ldap/*
# slapadd -l init.ldif
# chown -R openldap:openldap /var/lib/ldap
# /etc/init.d/slapd start
Step 8 : Test Server
#ldapsearch -x -b "cn=admin,dc=example,dc=com"
If it shows the result then the server is working fine.
- Configure Client
Step 1 : Install required packages
#apt-get install auth-client-config libpam-ldap libnss-ldap
Answer the questions with the following (customize if you need to):
Should debconf manage LDAP configuration?: Yes
LDAP server Uniform Resource Identifier: ldap://example.com/
Distinguished name of the search base: dc=example,dc=com
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=example,dc=com
LDAP root account password: secret
Step 2: Configure /etc/ldap.conf file
Backup files
#cp /etc/ldap.conf /etc/ldap.conf.org
#cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.org
Modify the following entries in /etc/ldap.conf
host example.com
base dc=example,dc=com
uri ldap://example.com/
rootbinddn cn=admin,dc=example,dc=com
bind_policy soft
#cp /etc/ldap.conf /etc/ldap/ldap.conf
Step 3: Configure OpenLDAP authentication profile
Create a new file open_ldap
# vim /etc/auth-client-config/profile.d/open_ldap
Put below content
[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
pam_account=account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
pam_session=session required pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_unix.so
session optional pam_ldap.so
Step 4 : Backup files
#cp /etc/nsswitch.conf /etc/nsswitch.conf.org
#cp -ra /etc/pam.d/* /tmp/backup
Step 5 : Enable the new OpenLDAP profile
# auth-client-config -a -p open_ldap
Step 6: Test ldap client
#getent passwd (lists the users created in init.ldif on the LDAP server)
#getent group (lists the groups created in init.ldif on the LDAP server)
If the above commands show the users, add a new user and try to log in on the client
# vi newuser.ldif
dn: uid=sanjay,ou=People,dc=example,dc=com
uid: sanjay
cn: sanjay
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: sanjay
shadowLastChange: 14301
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1009
gidNumber: 1002
homeDirectory: /home/sanjay
Save the file and exit.
#/etc/init.d/slapd stop
#slapadd -l newuser.ldif
#/etc/init.d/slapd start
Try to log in to the client machine using
#ssh sanjay@ipaddress
If you are able to log in then your configuration is correct; otherwise you have missed some points. Check again and enjoy!
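Before running slapadd on files like init.ldif or newuser.ldif, it is worth checking them mechanically. This added example (mine, not code from the post or OpenLDAP) parses LDIF and reports the problems that break POSIX logins or weaken the directory: missing required attributes, duplicate uidNumbers, a gidNumber with no matching posixGroup, and a userPassword stored without a slappasswd scheme prefix (clear text). SAMPLE_LDIF is constructed for the example and its second account is deliberately flawed; parse_ldif and check_ldif are names I chose, and the {SSHA} value shown is a placeholder, not a real hash.

```python
# Added example: a small LDIF parser and pre-slapadd sanity checks for
# posixAccount / posixGroup entries.
import base64
from collections import defaultdict

# Constructed sample in the shape of the post's files; the sanjay entry
# reuses uidNumber 1000, points at a group that does not exist here and
# stores its password in clear text.
SAMPLE_LDIF = """\
dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000

dn: uid=lionel,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: lionel
cn: Lionel Porcheron
sn: Porcheron
uidNumber: 1000
gidNumber: 10000
homeDirectory: /home/lionel
userPassword: {SSHA}cGxhY2Vob2xkZXItbm90LWEtcmVhbC1oYXNo

dn: uid=sanjay,ou=people,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: sanjay
cn: sanjay
uidNumber: 1000
gidNumber: 1002
homeDirectory: /home/sanjay
userPassword: sanjay
"""

# Attributes the POSIX object classes require (lower-cased; LDIF names are case-insensitive).
REQUIRED = {
    "posixaccount": ("uid", "cn", "uidnumber", "gidnumber", "homedirectory"),
    "posixgroup": ("cn", "gidnumber"),
}


def parse_ldif(text):
    """Split LDIF text into entries: dict of lower-cased attribute -> [values]."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], defaultdict(list)
    for line in unfolded + [""]:                  # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        current[attr.strip().lower()].append(value.strip())
    return entries


def check_ldif(text):
    """Return a list of findings for the POSIX entries (empty list means clean)."""
    entries = parse_ldif(text)
    findings, uid_owner = [], {}
    classes = {id(e): {c.lower() for c in e.get("objectclass", [])} for e in entries}
    group_gids = {e["gidnumber"][0] for e in entries
                  if "posixgroup" in classes[id(e)] and "gidnumber" in e}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        for cls, attrs in REQUIRED.items():
            if cls in classes[id(e)]:
                for a in attrs:
                    if a not in e:
                        findings.append(f"{dn}: {cls} entry lacks required attribute {a}")
        if "posixaccount" in classes[id(e)]:
            uidn = e.get("uidnumber", [""])[0]
            if uidn in uid_owner:
                findings.append(f"{dn}: uidNumber {uidn} already used by {uid_owner[uidn]}")
            uid_owner.setdefault(uidn, dn)
            gid = e.get("gidnumber", [""])[0]
            if gid not in group_gids:
                findings.append(f"{dn}: gidNumber {gid} matches no posixGroup in this file")
        for pw in e.get("userpassword", []):
            if not pw.startswith("{"):            # no scheme prefix: slapd stores it as clear text
                findings.append(f"{dn}: userPassword is clear text; use a slappasswd hash")
    return findings


if __name__ == "__main__":
    for finding in check_ldif(SAMPLE_LDIF):
        print(finding)
```

Run it against your own file with check_ldif(open("init.ldif").read()); an empty list means slapadd will at least see complete POSIX entries. A gidNumber that matches no group is not rejected by slapd, so it only shows up later as a login whose primary group cannot be resolved, which is exactly the kind of thing this check catches early.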
Tuesday, May 12, 2009
Installing the GNOME Desktop on a CentOS/RHEL/Fedora/Ubuntu server installation
# yum groupinstall "X Window System" "GNOME Desktop Environment"
This should install the GNOME Desktop on your system.
For Ubuntu server
#aptitude install ubuntu-desktop or
#apt-get install ubuntu-desktop
Enjoy.
Friday, May 8, 2009
Import data to mysql database from .txt files using "Sed"
See the earlier post http://sanjaybdalal.wordpress.com/2009/05/08/export-mysql-tables-in-txt-files/ , where we exported MySQL table data into .txt files.
Now we import the data from the .txt files back into the MySQL database. For that the .txt data has to be reformatted into SQL statements.
#cat example.txt
1,SANJAY,AHMEDABAD,SYSTEM ADMIN
1,PRIYA,PUNE,PERL DEVELOPER
1,AKSHAY,GONDAL,PERL DEVELOPER
1,MIHIR,MUMBAI,PERL DEVELOPER
Now we use the "sed" command to turn this file into SQL statements:
#sed -e 's/,/","/g' -e 's/^/insert into example values("/g' -e 's/$/");/g' example.txt > example.txt.new
where ^ matches the start of the line and $ the end of the line.
Output :
#cat example.txt.new
insert into example values("1","SANJAY","AHMEDABAD","SYSTEM ADMIN");
insert into example values("1","PRIYA","PUNE","PERL DEVELOPER");
insert into example values("1","AKSHAY","GONDAL","PERL DEVELOPER");
insert into example values("1","MIHIR","MUMBAI","PERL DEVELOPER");
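The sed version works for the four sample lines, but it splits on every comma and never escapes quotes, so a field such as "PUNE, WEST" or a name containing a double quote yields a broken or differently-shaped statement. As an added example (mine, not from the post), the Python below does the same conversion with the csv module and MySQL-style escaping, and also shows the parameterised alternative where no SQL string is built at all; sqlite3 stands in for MySQL so it runs offline. SAMPLE_TXT repeats the post's four lines plus a constructed fifth line with awkward characters; read_rows, sql_string, to_insert_statements and load_with_params are names I chose.

```python
# Added example: CSV-to-INSERT conversion that survives commas and quotes inside
# fields, alongside parameterised loading (sqlite3 in place of MySQL).
import csv
import io
import sqlite3

# The post's sample rows plus one constructed line with a quoted comma and an
# embedded double quote.
SAMPLE_TXT = """\
1,SANJAY,AHMEDABAD,SYSTEM ADMIN
1,PRIYA,PUNE,PERL DEVELOPER
1,AKSHAY,GONDAL,PERL DEVELOPER
1,MIHIR,MUMBAI,PERL DEVELOPER
5,O"BRIEN,"PUNE, WEST",DBA
"""


def read_rows(text):
    """Parse comma-separated text into rows, honouring double-quoted fields."""
    return [row for row in csv.reader(io.StringIO(text)) if row]


def sql_string(value):
    """Quote one value for MySQL's default backslash-escaping string syntax."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_insert_statements(text, table):
    """Build the INSERT lines the sed pipeline produced, with escaping added."""
    return [f"insert into {table} values({','.join(sql_string(v) for v in row)});"
            for row in read_rows(text)]


def load_with_params(text):
    """Load the rows through placeholders instead of string-built SQL; return them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE example (id TEXT, name TEXT, city TEXT, role TEXT)")
    conn.executemany("INSERT INTO example VALUES (?, ?, ?, ?)", read_rows(text))
    return conn.execute("SELECT id, name, city, role FROM example ORDER BY rowid").fetchall()


if __name__ == "__main__":
    for statement in to_insert_statements(SAMPLE_TXT, "example"):
        print(statement)
    print(load_with_params(SAMPLE_TXT))
```

The first four statements are character-for-character what the sed command prints; the fifth keeps its four columns and escapes the quote. When the data really lives in a file on the MySQL host, the server's own LOAD DATA INFILE with FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' does the same job without generating SQL text at all.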