OpenLDAP

Guides

http://www.rjsystems.nl/en/2100-dns-discovery-openldap.php (DNS-based discovery of LDAP servers)

Clients that find their LDAP server through DNS look up a SRV record named _ldap._tcp.<domain>. For this setup the record is (priority 10, weight 0, port 389, target host):

_ldap._tcp.dev.ru.is.    IN    SRV    10 0 389 ldap.dev.ru.is.

The record only names a host and port; it does not authenticate the server, so a client that uses it should still verify the server's TLS certificate.

Installing the server and basic config

  1. Install the packages
    sudo apt-get install slapd ldap-utils
  2. Include important schema files. Recent Debian/Ubuntu slapd packages already load these four at install time; in that case each ldapadd below fails with a duplicate-definition error, which is harmless. List what is already loaded with:
    sudo ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/core.ldif
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

  3. Set up ldapsearch defaults so you don't need to keep typing them in. Open /etc/ldap/ldap.conf (create it if it does not exist) and add these lines. This is the client library's configuration file (ldap.conf(5)); loglevel is a slapd server option and has no effect here, so it is left out.
      # This file is mostly for ldapsearch
      BASE dc=dev,dc=ru,dc=is
      URI ldapi:///

  4. Configure the database, including the root password (notice olcRootPW). Save this as backend.dev.ru.is.ldif
    # Load dynamic backend modules
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulepath: /usr/lib/ldap
    olcModuleload: back_hdb

    # Database settings
    dn: olcDatabase=hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcSuffix: dc=dev,dc=ru,dc=is
    olcDbDirectory: /var/lib/ldap
    olcRootDN: cn=admin,dc=dev,dc=ru,dc=is
    olcRootPW: devnetsecret
    olcDbConfig: set_cachesize 0 2097152 0
    olcDbConfig: set_lk_max_objects 1500
    olcDbConfig: set_lk_max_locks 1500
    olcDbConfig: set_lk_max_lockers 1500
    olcDbIndex: objectClass eq
    olcLastMod: TRUE
    olcDbCheckpoint: 512 30
    olcAccess: to attrs=userPassword by dn="cn=admin,dc=dev,dc=ru,dc=is" write by anonymous auth by self write by * none
    olcAccess: to attrs=shadowLastChange by self write by * read
    olcAccess: to dn.base="" by * read
    olcAccess: to * by dn="cn=admin,dc=dev,dc=ru,dc=is" write by * read

    Notes on this file. olcRootPW is stored exactly as written: a cleartext value ends up in cn=config, in slapcat output and in every backup, so put the {SSHA} hash printed by slappasswd there instead of the password itself.

    The olcAccess lines are evaluated in order; the first "to" clause that matches the target decides, and within it the first matching "by" clause. The userPassword rule lets the admin write it, lets anonymous clients use it only to authenticate (auth), lets the owner change it, and lets nobody read it back. The last rule makes everything else world-readable, including uidNumber, homeDirectory and mail; that is what lets the NSS lookups later in this page work without a bind DN, so change "by * read" to "by users read" if anonymous enumeration of accounts is not wanted.

    back_hdb was removed in OpenLDAP 2.5. On a current release use back_mdb instead (objectClass olcMdbConfig, olcDatabase: {1}mdb, an olcDbMaxSize instead of the olcDbConfig lines).
  5. Now we load this config into the database and read it back to confirm the suffix, root DN and ACLs took effect
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.dev.ru.is.ldif
    sudo ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" olcSuffix olcRootDN olcAccess

Populate the frontend directory

  1. Create the top-level object in the domain, the admin entry, the people and groups OUs, one user and one group. Save it as frontend.dev.ru.is.ldif. Both userPassword values below go into the directory exactly as written (cleartext); replace them with {SSHA} hashes from slappasswd. The cn=admin entry here and olcRootPW in the backend config are two separate credentials for the same DN, and slapd accepts either of them for a bind, so keep them in sync or drop the userPassword here.
    # Create top-level object in domain
    dn: dc=dev,dc=ru,dc=is
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: DevNet at RU
    dc: dev
    description: DevNet at RU

    # Admin user.
    dn: cn=admin,dc=dev,dc=ru,dc=is
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    userPassword: superuser

    dn: ou=people,dc=dev,dc=ru,dc=is
    objectClass: organizationalUnit
    ou: people

    dn: ou=groups,dc=dev,dc=ru,dc=is
    objectClass: organizationalUnit
    ou: groups

    dn: uid=john,ou=people,dc=dev,dc=ru,dc=is
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: john
    sn: Doe
    givenName: John
    cn: John Doe
    displayName: John Doe
    uidNumber: 1000
    gidNumber: 10000
    userPassword: testypassword
    gecos: John Doe
    loginShell: /bin/bash
    homeDirectory: /home/john
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: john.doe@dev.ru.is
    postalCode: 31000
    l: Toulouse
    o: Example
    mobile: +33 (0)6 xx xx xx xx
    homePhone: +33 (0)5 xx xx xx xx
    title: System Administrator
    # postalAddress is left out: an attribute line with no value is rejected by slapd as invalid syntax
    initials: JD

    dn: cn=example,ou=groups,dc=dev,dc=ru,dc=is
    objectClass: posixGroup
    cn: example
    gidNumber: 10000


  2. Add it to the directory
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f frontend.dev.ru.is.ldif
  3. Now test it. -x selects simple authentication (anonymous here, since no -D is given); -LLL strips the LDIF version line and comments from the output
    ldapsearch -xLLL -b "dc=dev,dc=ru,dc=is" uid=john sn givenName cn
  4. Check that the BASE default from /etc/ldap/ldap.conf also works by leaving out -b entirely (-b uid=john would use uid=john as the search base, which does not exist, and return nothing)
    ldapsearch -xLLL uid=john sn givenName cn
  5. Permissions testing. Dump everything an anonymous client can see. The userPassword attribute must not appear: the first olcAccess rule gives anonymous only "auth" on it. The same search bound as john (-D uid=john,ou=people,dc=dev,dc=ru,dc=is -W) does show it to him, because of "by self write".
    ldapsearch -x
  6. Now use the offline tool slapcat, which reads the database files directly and bypasses the ACLs, so it does show the password. LDIF output prints userPassword base64-encoded, which is an encoding and not a hash: decoding it gives testypassword back.
    sudo slapcat
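slapcat has just shown the stored password in the clear. The script below is an added example, not code from this page or from the OpenLDAP project: it produces the {SSHA} form that slappasswd emits by default (base64 of SHA-1(password + salt) followed by the salt), verifies a candidate password against such a value the way a bind does, and writes the ldapmodify LDIF that swaps the cleartext olcRootPW of the backend config for the hash. The same ssha_hash output can be pasted as the userPassword values in the frontend LDIF. The database DN olcDatabase={1}hdb,cn=config is the one the backend config above creates; the fixed salt in the test is only for reproducibility.

```python
"""Replace cleartext slapd passwords with {SSHA} hashes.

Added example, not code from the page. Does what `slappasswd -h '{SSHA}'`
does: {SSHA} is base64(sha1(password + salt) + salt), and slapd accepts it in
both olcRootPW and userPassword.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # bytes; everything after the digest in the decoded blob is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} value; a random 4-byte salt is used unless one is supplied."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against an {SSHA} value (salt recovered from the value)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    blob = base64.b64decode(stored[len("{SSHA}"):])
    if len(blob) <= SHA1_LEN:
        return False  # no salt present: a truncated or malformed value never verifies
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def rootpw_modify_ldif(database_dn: str, hashed: str) -> str:
    """LDIF for `sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f file` that replaces olcRootPW."""
    if not hashed.startswith("{"):
        raise ValueError("refusing to write a cleartext olcRootPW")
    return (
        f"dn: {database_dn}\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        f"olcRootPW: {hashed}\n"
    )


if __name__ == "__main__":
    # The page's cleartext root password, hashed; only the hash goes into cn=config.
    hashed = ssha_hash("devnetsecret")
    assert ssha_verify(hashed, "devnetsecret")
    print(rootpw_modify_ldif("olcDatabase={1}hdb,cn=config", hashed))
```

After loading the LDIF, confirm the change with a bind as the root DN (ldapwhoami -x -D cn=admin,dc=dev,dc=ru,dc=is -W) rather than by reading olcRootPW back.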

Adding users

  1. Create a modified version of the user entry. Change the uid (the DN must not already exist), the uidNumber and the name as appropriate, and leave the password out so no cleartext goes into the file. Save it as adduser.ldif
    dn: uid=john,ou=people,dc=dev,dc=ru,dc=is
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: john
    sn: Doe
    givenName: John
    cn: John Doe
    displayName: John Doe
    uidNumber: 1000
    gidNumber: 10000
    #userPassword: testypassword
    gecos: John Doe
    loginShell: /bin/bash
    homeDirectory: /home/john
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: john.doe@dev.ru.is
    postalCode: 31000
    l: Toulouse
    o: Example
    mobile: +33 (0)6 xx xx xx xx
    homePhone: +33 (0)5 xx xx xx xx
    title: System Administrator
    # postalAddress is left out: an attribute line with no value is rejected by slapd as invalid syntax
    initials: JD

  2. Now add it
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f adduser.ldif
  3. That didn't work here. The reason is in the last line ldapadd prints: "Already exists (68)" means the DN is already in the directory (uid=john was created by the frontend LDIF above, so the uid must be changed), and "Invalid syntax (21)" points at an attribute with an empty or malformed value. An account added without userPassword cannot bind until the admin gives it one; doing that with ldappasswd uses the Password Modify operation, so slapd stores a hash rather than whatever cleartext is in a file:
    ldappasswd -x -D cn=admin,dc=dev,dc=ru,dc=is -W -S uid=<username>,ou=people,dc=dev,dc=ru,dc=is
    The ldapscripts package below wraps these steps.
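The checks a practitioner wants before running ldapadd on a hand-written user entry, as an added example that is not code from this page or from ldapscripts: parse the output of an ldapsearch over ou=people (a constructed sample below stands in for the live query), allocate the next free uidNumber, refuse a DN or uidNumber that is already taken, reject empty attribute values, and emit an LDIF with no userPassword so the password is set afterwards with ldappasswd. The base DN and OU are the page's; the sample search output and the UIDSTART-style default of 10000 are assumptions.

```python
"""Generate an ldapadd-ready LDIF for a new posixAccount after checking the directory.

Added example, not code from the page. The sample below is a constructed stand-in
for:  ldapsearch -xLLL -b ou=people,dc=dev,dc=ru,dc=is uid uidNumber
"""
import re
from typing import Dict, List, Optional

BASE_DN = "dc=dev,dc=ru,dc=is"
PEOPLE_DN = f"ou=people,{BASE_DN}"

# Constructed sample of the search output after the page's frontend LDIF was loaded.
SAMPLE_SEARCH_OUTPUT = """\
dn: uid=john,ou=people,dc=dev,dc=ru,dc=is
uid: john
uidNumber: 1000

"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF records into attribute -> values maps; the DN is kept under "dn".

    Folded lines (continuations starting with a space) are joined first. Base64
    values ("attr:: ...") are kept encoded; only uid/uidNumber matter here.
    """
    entries: List[Entry] = []
    current: Entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.lstrip(": "))
    if current:
        entries.append(current)
    return entries


def next_free_uid(entries: List[Entry], start: int = 10000) -> int:
    """Smallest uidNumber >= start not used by any entry (what ldapscripts' UIDSTART does)."""
    used = {int(v) for e in entries for v in e.get("uidNumber", [])}
    uid = start
    while uid in used:
        uid += 1
    return uid


def conflicts(entries: List[Entry], username: str, uid_number: Optional[int]) -> List[str]:
    """Problems this user would cause, as text; an empty list means go ahead."""
    dn = f"uid={username},{PEOPLE_DN}"
    problems = []
    # DN comparison is case-insensitive, as in slapd
    if any(e["dn"][0].lower() == dn.lower() for e in entries if "dn" in e):
        problems.append(f"{dn} already exists: ldapadd would return 'Already exists (68)'")
    # slapd itself allows duplicate uidNumbers; NSS would then map two accounts to one uid
    if uid_number is not None and any(str(uid_number) in e.get("uidNumber", []) for e in entries):
        problems.append(f"uidNumber {uid_number} is already used")
    return problems


def new_user_ldif(entries: List[Entry], username: str, gid_number: int,
                  given_name: str, surname: str, uid_number: Optional[int] = None) -> str:
    """Return the LDIF for ldapadd, or raise ValueError with the reason it would fail."""
    problems = conflicts(entries, username, uid_number)
    if problems:
        raise ValueError("; ".join(problems))
    if uid_number is None:
        uid_number = next_free_uid(entries)
    attrs = [
        ("dn", f"uid={username},{PEOPLE_DN}"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", username),
        ("sn", surname),
        ("givenName", given_name),
        ("cn", f"{given_name} {surname}"),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{username}"),
        ("loginShell", "/bin/bash"),
        # no userPassword on purpose: set it with ldappasswd so slapd stores a hash
    ]
    for attr, value in attrs:
        if not value.strip():
            raise ValueError(f"{attr} is empty; slapd rejects that as 'Invalid syntax (21)'")
    return "\n".join(f"{a}: {v}" for a, v in attrs) + "\n"


if __name__ == "__main__":
    existing = parse_ldif(SAMPLE_SEARCH_OUTPUT)
    print(new_user_ldif(existing, "jane", 10000, "Jane", "Doe"))
    print(conflicts(existing, "john", 1000))
```

Save the printed LDIF and load it with the same ldapadd command as above, then set the password with ldappasswd as cn=admin.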

ldapscripts

  1. Install the packages
    sudo apt-get install ldapscripts
  2. Set up the config in /etc/ldapscripts/ldapscripts.conf. ou=Groups and ou=People match the ou=groups and ou=people entries created above because DN matching is case-insensitive; ou=Machines does not exist in this directory, so ldapaddmachine will fail until it is created.
    BINDDN="cn=admin,dc=dev,dc=ru,dc=is"
    BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"

    SUFFIX="dc=dev,dc=ru,dc=is"
    GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
    USUFFIX="ou=People"        # Users ou (just under $SUFFIX)
    MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)

    GIDSTART="10000" # Group ID
    UIDSTART="10000" # User ID
    MIDSTART="20000" # Machine ID

    USHELL="/bin/bash"
    UHOMES="/home/%u"     # You may use %u for username here
    CREATEHOMES="yes"     # Create home directories and set rights ?
    HOMESKEL="/etc/skel"  # Directory where the skeleton files are located. Ignored if undefined or nonexistent.
    HOMEPERMS="755"       # Default permissions for home directories

    Put the bind password in /etc/ldapscripts/ldapscripts.passwd with no trailing newline and readable only by root: the scripts hand the file to the ldap tools with -y, which uses the file's complete contents, newline included, as the password. It must be the userPassword of cn=admin from the frontend LDIF, or the olcRootPW value, since either authenticates that DN.
    sudo sh -c "echo -n 'superuser' > /etc/ldapscripts/ldapscripts.passwd"
    sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd
  3. Now create a group. You can pick the GID (or the UID for a user), but you generally don't need to
    sudo ldapaddgroup ru 101
  4. Now create a user in that group, then give it a password
    sudo ldapadduser <username> ru
    sudo ldapsetpasswd <username>

NSS and PAM setup

  1. Install the modules; the debconf prompts during the install ask for:
    sudo apt-get install libnss-ldap nscd
    1. server: ldap://130.208.209.37 (note that it is ldap, not ldapi! ldapi is the Unix socket and only exists on the server host itself)
    2. Version 3
    3. local root database admin: no
  2. The answers go into libnss-ldap's own configuration file on the client (not /etc/ldap/ldap.conf). Then add ldap to the passwd, group and shadow lines of /etc/nsswitch.conf; the "to * ... by * read" ACL is what lets nscd resolve users and groups without any bind DN. A plain ldap:// URI to an IP address means every lookup, and every bind password pam_ldap sends, crosses the network in the clear; for anything beyond a lab, serve LDAP over TLS (ldaps:// or StartTLS) and have the client verify the server certificate.

Updated by Joseph Foley over 9 years ago · 1 revisions