LDAP
Fed up with manually copying over /etc/passwd etc. again lost hairs with NISPLUS?
I searched for a long time on the net, look at the list below and read at least partly 3 books.
Very time consuming, therefor I'm going to describe an simple setup with a Debian LDAP server (slapd) and some Debian clients.
Most stuff will also apply to other distrbutions.
IMPORTANT: If you have questions whatever, contact me: christian@leber.de
General Notes
In this example the following things apply:
- craptop.home - 192.168.3.153 is the master LDAP
- igor3.home - 192.168.3.5 is the only client
- core.home - 192.168.3.3 is the replica
- dc=leber is the root of our directory
Step for Step to a working LDAP setup
First we have to install slapd on the server we are going to use. Even when we don´t want to use automount on the LDAP
server, we´ll very likely need the supplied schema to use the LDAP server for automount/autofs entries.
(on woody add:
"deb http://www.ecology.uni-kiel.de/mirrors/debian/backports.org/debian/dists/woody/openldap2/ ./"
or another mirror from backports.org to your /etc/apt/sources.list
and put this file http://debian.christian-leber.de/ldap/automount.schema in your /etc/ldap/schema directory)
apt-get install slapd autofs-ldap
So debconf will ask us some stuff, probably not everything what's here, don't worry:
- Do you want to omit the configuration of slapd? no
- Enter the domain name: leber
- Enter the name of your organization: whatever you want
- Admin password: pick one
- Which database backend would you like to use? LDBM or BDB... throw a coin
- Do you want your database to be removed when slapd is purged? no
- Allow LDAPv2 protocol: no
this will give us a slapd.conf like this one:
http://debian.christian-leber.de/ldap/01/slapd.conf
Now we allready have some stuff in the database (debconf), just run slapcat and get about this:
dn: dc=leber
objectClass: top
objectClass: dcObject
objectClass: organization
o: Some organisation
dc: leber
structuralObjectClass: organization
entryUUID: 06d98d7e-f466-1027-990b-83a2de42985c
creatorsName: cn=anonymous
modifiersName: cn=anonymous
createTimestamp: 20040216005140Z
modifyTimestamp: 20040216005140Z
entryCSN: 2004021600:51:40Z#0x0001#0#0000
dn: cn=admin,dc=leber
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fVFmWU8vQVJGSllyM0E=
structuralObjectClass: organizationalRole
entryUUID: 06e5b7b6-f466-1027-990c-83a2de42985c
creatorsName: cn=anonymous
modifiersName: cn=anonymous
createTimestamp: 20040216005140Z
modifyTimestamp: 20040216005140Z
entryCSN: 2004021600:51:40Z#0x0002#0#0000
Now you can pipe this to a file, and you have a nice backup: slapcat >backup
We have allready installed autofs-ldap, we probably don´t need the automounter on the server,
but we need the included schema later for automounting, so add:
include /etc/ldap/schema/automount.schema
directly after the other include lines.
and also this to the global directives:
password-hash {SSHA}
While doing something with slapd we may allready set TLS up.
First we need a private key and a certificate, we just go to our /etc/ldap and do the following.
The Common Name is _VERY_ important it needs to be the full hostname of your ldap server. (get it with hostname IP-ADDRESS)
openssl genrsa -out ldap.key 1024
openssl req -new -key ldap.key -out ldap.csr
Now we are doing our own CA:
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.cert
And we sign our key for 10 years...
openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 3650
now just add the following to the slapd.conf within the Global Directives Section:
TLSCertificateFile /etc/ldap/ldap.cert
TLSCertificateKeyFile /etc/ldap/ldap.key
TLSCACertificateFile /etc/ldap/ca.cert
Ok, so now slapd is fine and we need to add some stuff to our LDAP database
I suggest using phpldapadmin, because it's easy to set up and actually works,
like probably a lot of other tools.
Installation is really easy, just get it and untar it to /var/www somewhere.
(it's here: http://phpldapadmin.sourceforge.net/)
as long as the most recent release is 0.9.3 get this cvs snapshot, you'll need it for
the Automount entries: http://debian.christian-leber.de/ldap/phpldapadmin_20040219.tar.bz2
Rename is to a name without version number, change to the dir and copy config.php.example to config.php
You need to adjust some parameters:
$servers[$i]['host'] = 'craptop.home';
$servers[$i]['base'] = 'dc=leber';
$servers[$i]['auth_type'] = 'form';
$servers[$i]['login_dn'] = 'cn=admin,dc=leber';
$servers[$i]['default_hash'] = 'ssha';
(FIXME: TLS etc. mit phpldapadmin)
Under dc=leber we create the Organizational Units "people" and "group".
Now we create at least one "Posix Group" byond group and add at least
one user beyond people.
Now we should have a working LDAP server with at least one group and one user.
We'll take care for automounting $home of the users later.
Setting up a Debian client box to use LDAP
First we install the Name Service Cache Daemon:
apt-get install nscd
The next thing is the NSS module for LDAP:
apt-get install libnss-ldap
debconf will ask us some stuff:
- Give the IP address of your LDAP server
- The root of our directory, here it's dc=leber
- LDAP version: 3
- login neccessary: no
- only owner can read it?: no
The config file of libnss-ldap ist btw. /etc/libnss-ldap.conf, we'll probably have to change it later.
As of now LDAP is not used, we have to change the /etc/libnss.conf to use it, therefore change the passwd,group
and shadow line that it looks like this:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
Now we can try it:
root@igor3:~# touch /tmp/testfile
root@igor3:~# chown 1097 /tmp/testfile
root@igor3:~# ls -l /tmp/testfile
-rw-r--r-- 1 christian root 0 2004-02-28 21:45 /tmp/testfile
Excellenti, it works!
Hopefully not only on my box. :-)
For logging in to a computer PAM will be used the client will send the password to the LDAP server
that says if the password is ok or not.
apt-get install libpam-ldap
debconf will ask us some stuff:
- server: 192.168.3.153
- base: dc=leber
- ldap version: 3
- Make local root Database admin: no
- Database requires logging in: no
- Local crypt to use when changing passwords: exop
Now PAM needs to know about the new authentification Method, on debian sarge or newer it's enough to have the following stuff:
- /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
- /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
- /etc/pam.d/common-passwd
password sufficient pam_ldap.so
password required pam_unix.so md5
- /etc/pam.d/other
the password lines should look like:
password sufficient pam_ldap.so
password required pam_unix.so md5
The configuration file of libpam-ldap is btw.: /etc/pam_ldap.conf
Now we have to do some changes to use TLS for authentification.
restarting sshd is probably a good idea: /etc/init.d/ssh restart
Now you should be able to login with ssh, you probably also have to restart other services before they work.
Setting up autofs/automount
-add stuff
create custom with ou=auto.master, choose the ObjectClass automountMap
create beyond auto.master a object with cn=/home where the ObjectClass is automount
automountInformation is: ldap:192.168.3.153:ou=auto.home,ou=Automount,dc=leber rsize=8192,wsize=8192
-edit /etc/defaults/autofs
-add to /etc/nsswitch.conf
automount: ldap
On the client (debian sarge+):
apt-get install autofs-ldap
- /etc/default/autofs should look like:
# Timeout value in seconds (default: 300)
TIMEOUT=300
# The LDAP URI for auto.master
# (e. g. LDAPURI="ldap://ldapserver.example.com/")
LDAPURI="ldap://134.155.45.155"
# The LDAP base for auto.master
# (e. g. LDAPBASE="ou=auto.master,ou=Automount,dc=example,dc=com")
LDAPBASE="ou=auto.master,ou=Automount,dc=lsra"
- automount: ldap
apt-get install ldap-utils
/etc/init.d/ldap.conf
BASE dc=leber
URI ldap://192.168.3.153
Links
software for LDAP
ldots.org: LDAP Authentication HOWTO
metaconsultancy.com: Using OpenLDAP
metaconsultancy.com: LDAP Authentication for Linux
Pam Module for Solaris
LDAP: Integrating Authentication Across Operating Systems and ...
Secure LDAP for Solaris (via TLS/SSL)
compiling openssl, openldap and the pam module for solaris 8
Naming and Directory Services in the Solaris 9 Operating Environment Data Sheet
Christof Meerwald: Quick-Start Guide to LDAP (Lightweight Directory Access Protocol)
Christof Meerwald: Backports to woody (debian 3.0) (libpam-ldap, directory-administrator)
Automount über LDAP
wiki.debian.net: Configuring LDAP Authentication for Debian
Setting up an replicator server
add to the /etc/slapd.conf global section:
replogfile /var/lib/ldap/slapd.replog
replica...
Now we need a key for our replica server, so we go to /etc/ldap on our master and do:
openssl genrsa -out replica.key 1024
openssl req -new -key replica.key -out replica.csr
Remember, Common Name NEEDS to be the host name of your replica server.
No we sign our key with the CA we have done earlier.
openssl x509 -req -in replica.csr -out replica.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 365
So now we have to get a replica server, without replica is not very helpfull, you know?
We install it, configuration doesn't matter, better nothing automatic.
apt-get install slapd autofs-ldap
now stop it /etc/init.d/slapd stop
delete the database in /var/lib/ldap, we'll migrate our own stuff from our master server
Now copy over the /etc/ldap/slapd.conf from the master to the replica.
It will stay the same, besides that we remove the replogfile and the replica stuff
and add all in the Database section:
rootdn "replica,dc=leber"
rootpw {SSHA}....
(Use slappasswd to generate the password.)
updatedn "cn=replica,dc=leber"
updateref ldap://craptop.home
on the master /etc/init.d/slapd stop
on the replica /etc/init.d/slapd start
on the master /etc/init.d/slapd start
Now we go again to our clients...
damn, doesn't work
How to backup/save/dump the whole LDAP database?
/etc/init.d/slapd stop
slapcat > backup.ldif
/etc/init.d/slapd start