This is a mirror of Reinurm 2007: http://myy.helia.fi/%7Ea0700043/ldap_authentication.html crawled 2007-03-26.
LDAP (Lightweight Directory Access Protocol) allows central user, group, domain..... authentication, information storage ...
Using LDAP in a local network, you can allow your users to login and authenticate from anywhere on your network.
Do 'sudo apt-get install slapd ldap-utils' answering the prompts as follows:
For the DNS domain name, enter your domain name.
This will be translated from 'part1.part2.part3 to an LDAP base of 'dc=part1,dc=part2,dc=part3'.
For example, 'theend.ofthe.world' would become 'dc=theend,dc=ofthe,dc=world'.
This becomes what is known as your BaseDN.
For your organzation you can enter any string; this becomes associated the 'ou' field of your BaseDN record.
Next enter your LDAP administrator password twice. This will set the password for 'cn=admin,[["BaseDN"]] and give 'cn=admin,[["BaseDN"]]' write access to everything in your LDAP tree.
Accept the default of No to the question Allow LDAPv2 protocol
Edit '/etc/ldap/slapd.conf' to allow access for users to update their loginShell entries by adding the following before the 'access to *' entry:
access to attrs=loginShell
by dn="cn=admin,[["BaseDN"]]" write
by self write
by * read access to attrs=loginShell
by dn="cn=admin,dc=example,dc=com" write
by self write
by * read
This directive specifies the DN that is not subject to access control or administrative limit restrictions for operations on this database. The DN need not refer to an entry in this database or even in the directory. The DN may refer to a SASL identity.
Entry-based Example:
rootdn "cn=Manager,dc=example,dc=com"
SASL-based Example:
rootdn "uid=root,cn=example.com,cn=digest-md5,cn=auth"
See the SASL Authentication section for information on SASL authentication identities.
This directive can be used to specifies a password for the DN for the rootdn (when the rootdn is set to a DN within the database).
Example:
rootpw secret
It is also permissible to provide hash of the password in RFC 2307 form. slappasswd(8) may be used to generate the password hash.
Example:
rootpw {SSHA}ZKKuqbEKJfKSXhUbHG3fG8MDn9j1v4QNThe hash was generated using the command slappasswd -s secret.
You can use also other encryption methods. I prefer {MD5}.
add or update the password-hash to {MD5} or whatever enryption you use
Now you can test you configration file by 'sudo slaptest'.
If it says contains errors or doesn't succeed when you can use 'sudo slaptest -d 1', which sets debug level to 1 and informs where are errors. After success that run 'sudo /etc/init.d/slapd restart'
The directory has been created at the installation, now it is time to populate. It will be populated with a "classical" entry that will be compatible with directory (for example for a shared directory), with classical accounts (for a web application) and with Unix accounts (posix).
LDAP directory can be fed with a ldif file (ldif means ldap directory interchange format). Generate this example text file init.ldif somewhere on your system:
dn: dc=example,dc=com objectClass: dcObject objectClass: organizationalUnit dc: example ou: Example Dot Com dn: ou=people,dc=example,dc=com objectClass: organizationalUnit ou: people dn: ou=groups,dc=example,dc=com objectClass: organizationalUnit ou: groups dn: uid=lionel,ou=people,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: lionel sn: Porcheron givenName: Lionel cn: Lionel Porcheron displayName: Lionel Porcheron uidNumber: 1000 gidNumber: 10000 userPassword: <password> gecos: Lionel Porcheron loginShell: /bin/bash homeDirectory: /home/lionel shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: lionel.porcheron@example.com postalCode: 31000 l: Toulouse o: Example mobile: +33 (0)6 xx xx xx xx homePhone: +33 (0)5 xx xx xx xx title: System Administrator postalAddress: initials: LP dn: cn=example,ou=groups,dc=example,dc=com objectClass: posixGroup cn: example gidNumber: 10000
In the example above, the directory structure, a user and group have been setup. In other example you might see the objectClass: top added in every entry, but that is default behaviour so you don't have to add it explicitely.
Now, add your entries to the LDAP :
stop LDAP daemon: sudo/etc/init.d/slapd stop
delete the content that was automaticaly added at installation:
sudorm-rf/var/lib/ldap/*
add the content sudoslapadd -l init.ldif
start LDAP daemon: sudo /etc/init.d/slapd start
We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search in the LDAP directory :
ldapsearch -xLLL -b "dc=example,dc=com" uid=lionel sn givenName cn dn: uid=lionel,ou=people,dc=example,dc=com cn: Lionel Porcheron sn: Porcheron givenName: Lionel
Just a quick explanation :
-x is because we do not use SASL authentication method (by default)
-LLL disable printing LDIF informations
Other possibility is to use migrationtools
'sudo apt-get install migrationtools'
Edit /etc/migrationtools/migrate_common.ph by changing the lines show below. The DEFAULT_ changes are customisations for your site, while the UID/GID lines ignore system users (that is those users created and modified by debian package scripts), and the nobody user and group (65534:65534). You can find your system settings by looking in /etc/adduser.conf.
# Default DNS domain $DEFAULT_MAIL_DOMAIN = "your.domain"; # Default base $DEFAULT_BASE = "[["BaseDN"]]"; ... # Uncomment these to exclude Debian-managed system users and groups $IGNORE_UID_BELOW = 1000; # Don't uncomment this if you want to be able to add users to system groups # $IGNORE_GID_BELOW = 1000; # And here's the opposite for completeness $IGNORE_UID_ABOVE = 29999; $IGNORE_GID_ABOVE = 29999;
# Default DNS domain $DEFAULT_MAIL_DOMAIN = "example.com"; # Default base $DEFAULT_BASE = "dc=example,dc=com"; ... # Uncomment these to exclude Ubunutu/Debian-managed system users and groups $IGNORE_UID_BELOW = 1000; # Don't uncomment this if you want to be able to add users to system groups # $IGNORE_GID_BELOW = 1000; # And here's the opposite for completeness $IGNORE_UID_ABOVE = 9999; $IGNORE_GID_ABOVE = 9999;
the only things we'll migrate are users and groups, and you can check out the base structure, so let's start with this one:
cd /usr/share/migrationtools/ ./migrate_base.pl > base.ldif
The only entries which are or might become interesting for us are the following
dn: dc=example,dc=at dc: example objectClass: top objectClass: domain objectClass: domainRelatedObject associatedDomain: example.at dn: ou=People,dc=example,dc=com ou: People objectClass: top objectClass: organizationalUnit objectClass: domainRelatedObject associatedDomain: example.at dn: ou=Group,dc=example,dc=com ou: Group objectClass: top objectClass: organizationalUnit objectClass: domainRelatedObject associatedDomain: example.com
migrate_group.pl
Here is the minimized output from ./migrate_group.pl /etc/group group.ldif:
dn: cn=max,ou=Group,dc=example,dc=at
objectClass: posixGroup
objectClass: top
cn: max
userPassword: {crypt}x
gidNumber: 1000
dn: cn=users,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: users
userPassword: {crypt}x
gidNumber: 100
dn: cn=nogroup,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: nogroup
userPassword: {crypt}x
gidNumber: 65534This information can now be added to the LDAP server by executing something like the following:
ldapadd -H ldap://ldap.example.com/ -D "cn=manager,dc=example,dc=com" -x -W -f $FILE
BTW: The main purpose of a group is to hold several users :).
An
entry in /etc/group like "somegrp:x:12345:userone,usertwo"
can be accomplished by adding a "memberUid"
attribute for each user to the group's LDAP entry:
"memberUid: userone" and
"memberUid: usertwo".
./migrate_passwd.pl /etc/passwd passwd.ldif
# Restrict access as this file holds all passwords:
chmod 600 passwd.ldif
example:
dn: uid=max,ou=People,dc=subnet,dc=at
uid: max
cn: Markus Amersdorfer
givenname: Markus
sn: Amersdorfer
mail: THEUSERNAME@subnet.at
mailRoutingAddress: THEUSERNAME@mail.subnet.at
mailHost: mail.subnet.at
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$_my-password-hash-from-/etc/shadow
shadowLastChange: 12174
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /data/home/max
gecos: Markus Amersdorfer,,,This information can again be added to the LDAP server by executing something like the following:
ldapadd -H ldap://ldap.subnet.at/ -D "cn=manager,dc=subnet,dc=at" -x -W -f passwd.ldif_corrected Enter LDAP Password: adding new entry "uid=max,ou=People,dc=subnet,dc=at"
Now we will start the daemon and see some data.
Can you start the daemon?
/etc/init.d/slapd start pidof slapd
If you installed ldap-utils you can now run the following test. Note that we did not configure ldap-utils so you have to specify a whack of extra options, that will not be required once you perform the steps in the next chapter.
ldapsearch -x -W -b 'dc=example' -D 'cn=admin,dc=example' -H 'ldap://127.0.0.1:389/' 'objectclass=*'
If your /etc/ldap/ldap.conf is properly configured, you can attempt:
ldapsearch -x -W -D 'cn=admin,dc=example' 'objectClass=*'
Both will ask you for the admin password. You should also repeat this test for the nss user. If you imported your database using migrationtools you should also be able to retrieve any user's record by using that user's credentials (ie: -D 'cn=thatuser,dc=example').
It is very annoying to create all ldif datafiles to manipulate users.
One possibility is to use graphical interfaces. I used Luma, also where are php-ldap, GQ and others. You can find more http://www.bind9.net/ldap-tools
to install luma 'sudo apt-get install luma'
To configure luma and use it, the very good manuals are http://luma.sourceforge.net/
#apt-get install libnss-ldap libpam-ldap nscd ldap-utils
LDAP Account for
root: cn=admin,dc=example,dc=com
Password: XXXX
Make local root
database admin: yes
Database require logging in: No
Root login
account: cn=admin,dc=example,dc=com
Root login password: XXXX
libnss-ldap will allow us to use ldap as a naming service, libpam-ldap allows pm to authenticate users through LDAP and finally nscd is a password, group and host lookup daemon which caches result so LDAP won't be questionned any time the authentication as to be done. The ldap-utils package allows you to querry and alter the ldap database remotely. I don't think that it's actually used by of the other tools, but you will need it for testing.
The ldap-utils is configured by the /etc/ldap/ldap.conf file. Your's should read something along these lines:
URI ldap://ldap.example.net BASE dc=example
Make sure that URI points to your server. Keep in mind that URI must resolve before you can authenticate via LDAP, to get around that dependency you can use an IP address instead of a hostname. More importantly, if you use LDAP for distributing /etc/hosts entries then you should definately use an IP address for URI.
You should now be able to querry the ldap database on your client machine by running this:
ldapsearch -x -W -D 'cn=admin,dc=example' 'objectclass=*'
Now, let's edit the files and make sure you get the following setting:
#nano /etc/libnss-ldap.conf
host ldap
base
dc=example,dc=com
rootbinddn cn=admin,dc=example,dc=com
#nano /etc/libnss-ldap.secret
XXXXX
#nano /etc/pam_ldap.conf
host ldap
base
dc=example,dc=com
rootbinddn cn=admin,dc=example,dc=com
#nano /etc/pam_ldap.secret
XXXXX
pam configuration files need to be modfied a bit like:
#nano /etc/pam.d/common-account
account sufficient
pam_ldap.so
account required pam_unix.so
#nano /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth
required pam_unix.so nullok_secure use_first_pass
#nano /etc/pam.d/common-password
password sufficient
pam_ldap.so
password required pam_unix.so nullok obscure min=4
max=8 md5
#nano /etc/pam.d/common-session
session sufficient
pam_ldap.so
session required pam_unix.so
session optionnal
pam_foreground.so
#if you want user homedir to be created on first login
#session
required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
Finally, let's edit nsswitch so the system will be able to switch from local system authentication to ldap authentication.
# nano /etc/nsswitch.conf
passwd: files ldap
group: files
ldap
shadow: files ldap
Now you should be ready to use ldap authentication
Make sure you have an account defined in ldap and not in the passwd and group files on the client machine. You can now querry the NSS interface for this information:
getent passwd username Finally you should be able to log in workstations using ldap account.
Based on my experience, I would make the following
recommendations:
*Start with a fresh system. Migrating
user/group accounts is
possible, but more complicated
*Get LDAP
going first, then fuss with SSL/TLS
*Work with a couple of
sacrificial machines, rather than production
systems. If you can't
spare the machines, give VMWare Server a try.
It's free, and
Ubuntu runs well on it.
*Be willing to start over multiple
times.
*When you're configuring slapd, make sure you understand
all
directives you're using. *Even if that means running down
an
explanation one directive at a time. Every directive exists for
a
reason. What applies to one person's situation may not apply
to
yours. Only when you understand each and every line in
your
slapd.conf can you achieve true Zen.
LDAP
authentication really isn't all that hard. It's just that you
have
to have a working vocabulary to make sense of most of
the
documentation out there. You have to get your hands dirty and
break
it a few times in order to build a vocabulary.
Good
luck
Links what I used:
http://www.jukie.net/~bart/ldap/ldap-authentication-on-debian/#Populate%20the%20database
http://home.subnet.at/~max/ldap/index.php#migrate-linux
https://help.ubuntu.com/community/OpenLDAPServer
http://www.debuntu.org/ldap-server-and-linux-ldap-clients-p2
GNU General Public License v2
Renno Reinurm
with any mistakes or successions you can connect
renno.reinurm at gmail.com