This blog posting is a part of a series of blog postings:
- Part 1 - OpenLDAP setup
- Part 2 - SSL/TLS
- Part 3 - Schemas for samba, autofs and kerberos
- Part 4 - Kerberos setup
- Part 5 - DNS settings for kerberos using dnsmasq
- Part 6 - NFSv4 with kerberos
- Part 7 - Autofs
I documented the setup that I made on Ubuntu 10.04 alpha 2 to get OpenLDAP working in different configurations.
The goal of this setup is to have OpenLDAP running so that users can authenticate to it using pam-ldap and nss-ldap can get user and group information.
The following documents were used when testing this:
Server setup
On the server the following packages are needed:sudo apt-get install slapd ldap-utils
After installing the packages the following files are present under /etc/ldap/slapd.d:
/etc/ldap/slapd.d/
/etc/ldap/slapd.d/cn=config
/etc/ldap/slapd.d/cn=config/cn=schema
/etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
/etc/ldap/slapd.d/cn=config/cn=schema.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
/etc/ldap/slapd.d/cn=config.ldif
The schemas need to be loaded in the server as by default there are none:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
To create the actual database that stores the entries in the directory, one needs to create an ldif file. In this example we use dc=edu,dc=example,dc=org as the directory suffix and place the database under /var/lib/ldap/.
create_database.ldif:
# Load hdb backend module
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb
# Create the hdb database and place the files under /var/lib/ldap
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=edu,dc=example,dc=org
olcRootDN: uid=admin,ou=People,dc=edu,dc=example,dc=org
olcRootPW: example
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
ldapadd is used to modify the cn=config entries:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f create_database.ldif
Next the new database needs to be populated with ou=People and ou=Groups to hold hold the user and group information.
init_database.ldif
dn: dc=edu,dc=example,dc=org objectClass: dcObject objectclass: organization o: edu.example.org dc: edu description: LDAP rootdn: ou=People,dc=edu,dc=example,dc=org objectClass: top objectClass: organizationalUnit ou: People dn: ou=Groups,dc=edu,dc=example,dc=org objectClass: top objectClass: organizationalUnit ou: Groups
Use ldapadd to apply init_database.ldif:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f init_database.ldifFinally modify the ACL to limit access to the database. Here we allow anonymous access to read the directory:
acls.ldif:
dn: olcDatabase={1}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="uid=admin,ou=People,dc=edu,dc=example,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.subtree="" by * read
olcAccess: {2}to * by dn="uid=admin,ou=People,dc=edu,dc=example,dc=org" write by * read
Modify the database:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acls.ldif
The following commands can be useful while configuring and debugging:
# Show the current configuration: sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config # Show the current data in the directory as anonymous user: ldapsearch -x -h localhost -b dc=edu,dc=example,dc=org # Dump the database with metadata: sudo slapcat
Once the server responds to queries, it's time to configure the client.
Client setup
The client setup uses the new nss-ldapd and pam-ldapd modules that provide local daemon functionality:
sudo apt-get install libnss-ldapd libpam-ldapd
During installation select ldap for the following nss services:
- group
- passwd
This configured /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf automatically to work correctly.
To add some test users we can use ldapscripts package. The installation can be done either on the ldap server or on a remote server as the scripts connect to the server specified in the configuration file. After installing the ldapscripts package one needs to configure it.
/etc/ldapscripts/ldapscripts.conf:
SERVER="ldap://localhost" BINDDN="uid=admin,ou=People,dc=edu,dc=example,dc=org" BINDPWD="example" SUFFIX="dc=edu,dc=example,dc=org" # Global suffix GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX) USUFFIX="ou=People" # Users ou (just under $SUFFIX)
Adding users with ldapadduser may take time if machine random number entropy
pool is low. To use pseudo-random number generation (with weaker passwords),
you may also change:
PASSWORDGEN="cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
Creating groups and users and changing passwords can be done with simple commands:
sudo ldapaddgroup testgroup sudo ldapadduser testuser testgroup sudo ldapsetpasswd testuser
To test that everything works correctly, let's try getent and logins:
getent passwd getent group ssh testuser@localhost
And everything seems to work as planned. Great! The setup is still lacking encryption and other features that need to be added next. The next steps are to get tls working and get kerberos+samba+autofs to use the ldap installation.