Joseph Foley, 2015-09-05 02:52

h1. OpenLDAP

h2. Guides

* OpenLDAP http://www.openldap.org/
** With DHCP config http://wiki.herzbube.ch/index.php/ISCDHCP#Configuration_with_LDAP
* http://techpubs.spinlocksolutions.com/dklar/ldap.html
* https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
* http://www.rjsystems.nl/en/2100-kerberos-openldap-openafs-client.php
* Hacking LDAP for Outlook and Thunderbird http://linuxgazette.net/130/peterson.html

h2. DNS autoconfig

http://www.rjsystems.nl/en/2100-dns-discovery-openldap.php

<pre>
_ldap._tcp.dev.ru.is.	IN	SRV	10 0 389 ldap.dev.ru.is.
</pre>

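Added example (not code from this page or from the linked guide): Python that parses SRV lines like the one above out of zone-file text and orders the targets the way RFC 2782 tells a client to, lowest priority first and a weighted random draw within a priority. The extra hosts, TTL and NS line in the sample zone are assumptions made for the example. The record only says where to connect, not who answers; an unsigned DNS reply can be spoofed, so a client must still verify the server it reaches (TLS certificate or GSSAPI/Kerberos) rather than trust the name it got from DNS.

```python
import random
from collections import namedtuple

SRV = namedtuple("SRV", "name priority weight port target")

# Constructed zone-file lines in the style of the record above; the extra hosts,
# the TTL and the NS line are made up for this example and describe no real zone.
ZONE = """\
_ldap._tcp.dev.ru.is.\tIN\tSRV\t10 0 389 ldap.dev.ru.is.
_ldap._tcp.dev.ru.is.   IN  SRV 10 50 389 ldap2.dev.ru.is.
_ldap._tcp.dev.ru.is.   3600 IN SRV 20 0 389 ldap-backup.dev.ru.is.   ; higher value = tried last
dev.ru.is.              IN  NS  ns1.dev.ru.is.
"""


def parse_srv(zone_text):
    """Pick the SRV records out of zone-file text (optional TTL, ';' comments allowed)."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()
        if "SRV" not in fields:
            continue
        i = fields.index("SRV")
        # expected shape: owner [TTL] IN SRV priority weight port target
        if i < 2 or fields[i - 1] != "IN" or len(fields) != i + 5:
            continue
        priority, weight, port, target = fields[i + 1:]
        records.append(SRV(fields[0], int(priority), int(weight), int(port), target))
    return records


def order_srv(records, rng=random.random):
    """Order records as RFC 2782 prescribes: lowest priority first; within one
    priority a weighted random draw, weight-0 records going last unless alone."""
    ordered = []
    for priority in sorted({r.priority for r in records}):
        # RFC 2782 puts weight-0 records at the front of the list before the draw
        group = sorted((r for r in records if r.priority == priority),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng() * total               # rng() in [0, 1) -> pick in [0, total]
            running, chosen = 0, group[-1]
            for r in group:
                running += r.weight
                if running >= pick:            # first record whose running sum reaches pick
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def to_uris(ordered, scheme="ldap"):
    """LDAP URIs in the order a client should try them (DNS trailing dot dropped)."""
    return [f"{scheme}://{r.target.rstrip('.')}:{r.port}" for r in ordered]


if __name__ == "__main__":
    for uri in to_uris(order_srv(parse_srv(ZONE))):
        print(uri)
```

Passing a fixed function as rng makes the ordering reproducible, which is handy when testing a client's failover logic; with the default random draw the two priority-10 hosts come out in weight-proportional order and the priority-20 host always last.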
h2. Installing the server and basic config

# Install the packages
<pre>sudo apt-get install slapd ldap-utils</pre>
# Include the important schema files
<pre>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/core.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif</pre>
# Set up ldapsearch defaults so you don't need to keep typing them in.
## Open @/etc/ldap/ldap.conf@ (create it if it does not exist) and add these lines
<pre># This file is mostly for ldapsearch
BASE dc=dev,dc=ru,dc=is
URI ldapi:///
loglevel 256
</pre>
# Configure the database, including the root password (notice @olcRootPW@), in a file named @backend.dev.ru.is.ldif@
<pre># Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=dev,dc=ru,dc=is
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=dev,dc=ru,dc=is
olcRootPW: devnetsecret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=dev,dc=ru,dc=is" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=dev,dc=ru,dc=is" write by * read
</pre>
# Now we load this config into the database
<pre>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.dev.ru.is.ldif</pre>

h2. Populate the frontend directory

# Create the top-level object in the domain (the file below also adds the admin user, the people and groups OUs, a sample user and a group).  Save it as @frontend.dev.ru.is.ldif@
<pre># Create top-level object in domain
dn: dc=dev,dc=ru,dc=is
objectClass: top
objectClass: dcObject
objectclass: organization
o: DevNet at RU
dc: Dev
description: DevNet at RU

# Admin user.
dn: cn=admin,dc=dev,dc=ru,dc=is
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: superuser

dn: ou=people,dc=dev,dc=ru,dc=is
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=dev,dc=ru,dc=is
objectClass: organizationalUnit
ou: groups

dn: uid=john,ou=people,dc=dev,dc=ru,dc=is
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: testypassword
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@dev.ru.is
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD

dn: cn=example,ou=groups,dc=dev,dc=ru,dc=is
objectClass: posixGroup
cn: example
gidNumber: 10000

</pre>
# Add it to the system
<pre>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f frontend.dev.ru.is.ldif</pre>
# Now test it.  The @-xLLL@ suppresses the schema output
<pre>ldapsearch -xLLL -b "dc=dev,dc=ru,dc=is" uid=john sn givenName cn</pre>
# Check that the defaults from @/etc/ldap/ldap.conf@ also work (no @-b@ this time)
<pre>ldapsearch -xLLL uid=john sn givenName cn</pre>
# Permissions testing.  Check whether the userPassword field is present.  It should not be.
<pre>ldapsearch -x</pre>
# Now we use the offline ldap command @slapcat@, which should see the password
<pre>sudo slapcat</pre>

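The backend file above stores @olcRootPW@ in the clear and the frontend file does the same for @userPassword@, which is exactly why @slapcat@ shows the password verbatim. As an added example (not code from this page or from OpenLDAP), here is a small Python checker that parses an LDIF excerpt modelled on those two files (a constructed sample embedded in the script, not the files on disk), flags password attributes that lack a @{SCHEME}@ prefix, lints the @olcAccess@ ordering (slapd applies the first matching rule, so the @userPassword@ rule must come before @to *@ and end in @by * none@), and produces and verifies @{SSHA}@ values in the same format @slappasswd -h {SSHA}@ emits, which is what belongs in @olcRootPW@ and @userPassword@ instead of plain text.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed LDIF excerpt in the style of backend.dev.ru.is.ldif and
# frontend.dev.ru.is.ldif above (sample input, not the files on disk).
SAMPLE_LDIF = """\
dn: olcDatabase=hdb,cn=config
olcSuffix: dc=dev,dc=ru,dc=is
olcRootDN: cn=admin,dc=dev,dc=ru,dc=is
olcRootPW: devnetsecret
olcAccess: to attrs=userPassword by dn="cn=admin,dc=dev,dc=ru,dc=is" write by anonymous auth by self
  write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=dev,dc=ru,dc=is" write by * read

# Sample user from the frontend file
dn: uid=john,ou=people,dc=dev,dc=ru,dc=is
uid: john
userPassword: testypassword
"""

PASSWORD_ATTRS = {"olcrootpw", "userpassword"}
SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")      # {SSHA}..., {CRYPT}..., ...


def parse_ldif(text):
    """Parse LDIF into entries, each an ordered list of (attribute, value).
    Order matters: slapd applies the first olcAccess rule that matches."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" "):                 # folded continuation line (RFC 2849)
            if lines:
                lines[-1] += raw[1:]
            continue
        lines.append(raw)
    entries, current = [], []
    for line in lines + [""]:                   # sentinel flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):           # "attr:: base64value"
                value = base64.b64decode(value[1:].strip()).decode()
            current.append((attr, value.strip()))
    return entries


def entry_dn(entry):
    return next((v for a, v in entry if a.lower() == "dn"), "?")


def cleartext_passwords(entries):
    """(dn, attribute) for each password attribute stored without a {SCHEME} prefix,
    i.e. in the clear: slapcat, backups and anyone the ACLs let through see it as is."""
    return [(entry_dn(e), a) for e in entries for a, v in e
            if a.lower() in PASSWORD_ATTRS and not SCHEME_RE.match(v)]


def check_password_acl(entry):
    """Lint olcAccess ordering: the userPassword rule must come before the catch-all
    'to *' rule (first match wins) and must end in 'by * none'."""
    rules = [v for a, v in entry if a.lower() == "olcaccess"]
    pw = next((i for i, r in enumerate(rules) if re.match(r"to\s+attrs=userPassword\b", r)), None)
    catch_all = next((i for i, r in enumerate(rules) if re.match(r"to\s+\*\s", r)), None)
    if pw is None:
        return ["no olcAccess rule for attrs=userPassword"]
    problems = []
    if catch_all is not None and catch_all < pw:
        problems.append("'to *' rule precedes the userPassword rule, so it is the one that applies")
    if not rules[pw].rstrip().endswith("by * none"):
        problems.append("userPassword rule does not end with 'by * none'")
    return problems


def ssha_hash(password, salt=None):
    """{SSHA} value in the format slappasswd -h {SSHA} emits: base64(SHA-1(pw||salt)||salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value, as slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, attr in cleartext_passwords(entries):
        print(f"cleartext {attr} in {dn}: store a {{SSHA}} hash instead")
    for problem in check_password_acl(entries[0]):
        print("ACL:", problem)
```

Run as a script it reports both cleartext values in the sample and no ACL problem, since the page's rule order is correct; feeding it the real files before @ldapadd@ catches the case where a @to *@ rule was pasted above the @userPassword@ rule, which would silently make @userPassword@ world-readable. Replacing the plain values with the output of @ssha_hash@ (or @slappasswd@) keeps binds working while @slapcat@ and directory readers only ever see the salted hash.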
h2. Adding users

# Create a modified version of the information.  Change this as appropriate and don't put in a password.  Save it to the file @adduser.ldif@
<pre>dn: uid=john,ou=people,dc=dev,dc=ru,dc=is
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
#userPassword: testypassword
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@dev.ru.is
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD
</pre>
# Now add it
<pre>sudo ldapadd -Y EXTERNAL -H ldapi:/// -f adduser.ldif</pre>
# Hmm, that didn't work.  Let's use the ldapscripts instead

h3. ldapscripts

# Install the packages
<pre>sudo apt-get install ldapscripts</pre>
# Set up the config in @/etc/ldapscripts/ldapscripts.conf@
<pre>BINDDN="cn=admin,dc=dev,dc=ru,dc=is"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"

SUFFIX="dc=dev,dc=ru,dc=is"
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=People"        # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)

GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID

USHELL="/bin/bash"
UHOMES="/home/%u"     # You may use %u for username here
CREATEHOMES="yes"     # Create home directories and set rights ?
HOMESKEL="/etc/skel"  # Directory where the skeleton files are located. Ignored if undefined or nonexistent.
HOMEPERMS="755"       # Default permissions for home directories
</pre>
# Put the bind password (the admin password from the frontend file) in @/etc/ldapscripts/ldapscripts.passwd@
<pre>superuser</pre>
# Now create a group!  Note that you can pick your UID or GID, but you generally don't need to
<pre>sudo ldapaddgroup ru 101</pre>
# Now create a user with that group
<pre>sudo ldapadduser <username> ru</pre>

h2. NSS and PAM setup

# Install the modules
<pre>sudo apt-get install libnss-ldap nscd</pre>
## server: ldap://130.208.209.37 (note that it is @ldap@, not @ldapi@!)
## Version 3
## local root database admin: no