LDAP

This is an update of the LDAP part of my diskless client project, which is documented on my old site at http://www.xs4all.nl/~rjb/. This is work in progress (updated 27042009)...

(to be merged for 9.04)

$ dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name: your_domain.com
Organization name: Your_organization
Database backend to use: HDB
Do you want the database to be removed when slapd is purged: Yes
Move old database: Yes
Administrator password:
Allow LDAPv2 protocol: No

/etc/phpldapadmin/config.php:

:1,$ s/dc=example,dc=com/dc=your_domain,dc=com/g

/etc/default/slapd:

SLAPD_SERVICES="ldaps:/// ldap://127.0.0.1/"
$ ldapmodify -x -D cn=admin,cn=config -W
(password)
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/slapd-cert.pem

dn: cn=config
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/slapd-cert.pem

dn: cn=config
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/slapd-key.pem

^D

(end of merge)

Reference: https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html

Installing the software

Let's install the software:

aptitude install slapd ldap-utils libpam-ldap libnss-ldap migrationtools phpldapadmin

In case you're wondering what all of this does, simply said:

  • slapd is the LDAP server
  • ldap-utils contains LDAP clients, among other things.
  • libpam-ldap contains a PAM module used for validating logins, changing passwords, etc. It talks to LDAP, so it is in fact also an LDAP client. Installing it also installs ldap-auth-config.
  • libnss-ldap, another LDAP client, is a module for NSS, which decides where to look up data such as passwd, group, shadow, hosts and networks; formerly this data was only available in files under /etc. Now the user can specify in /etc/nsswitch.conf where to look, for example: for user info, look in /etc/passwd first and then in LDAP. This affects the output of, for example, an ls -l command, since user and group names are resolved through NSS.
  • migrationtools contains scripts which copy and convert data from files in /etc, such as /etc/passwd, to the LDAP server.
  • phpldapadmin is a web interface for LDAP.

When installing slapd, the system will ask which password to use for the administrator. Just invent one and remember it. When installing ldap-auth-config, the system will ask for the URI of the LDAP server, which in our case will look something like this:

ldaps://server_hostname/

Replace server_hostname by your server's hostname.

Please note that in Ubuntu 8.04 or later a hostname is required; an IP address will not work anymore for secure connections.

Using ldaps instead of ldap or ldapi enables us to use encrypted connections over the network. So if you want to use an LDAP server on machine A for authenticating users on machine B, you can do that without sending plain-text passwords over the network.

It will also ask for the distinguished name of the search base. The what? :-) Let's say it's a bit like the search domain in DNS, which in our case would be mydomain.com, in LDAP written as:

dc=mydomain,dc=com

You will have to replace mydomain and com to suit your needs, but you need to keep the rest: it's the LDAP way of specifying things. Note that this has no relationship with DNS, so you don't need to keep the LDAP dc values in sync with FQDNs. You can just invent another name for your LDAP setup.

Answer No when asked if you would like to create a local root database, and No to the option "Database requires logging in".

Running the LDAP server: slapd

(obsolete part to be removed)

The configuration file for slapd is /etc/ldap/slapd.conf. Edit it (only relevant lines shown):

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        none
modulepath      /usr/lib/ldap
moduleload      back_hdb
sizelimit       500
tool-threads    1
backend         hdb

database        config
rootdn          "cn=admin,cn=config"
rootpw          {MD5}xxxxxxxxxxxxxxxxxxxxxxx

database        hdb
suffix          "dc=mydomain,dc=com"
directory       "/var/lib/ldap"
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
checkpoint      512 30
password-hash   {md5}
TLSCertificateFile     /etc/ldap/slapd-cert.pem
TLSCertificateKeyFile  /etc/ldap/slapd-key.pem
TLSCACertificateFile   /etc/ldap/slapd-cert.pem
rootdn          "cn=Manager,dc=mydomain,dc=com"
rootpw          {MD5}xxxxxxxxxxxxxxxxxxxxxxxx

access to attrs=userPassword
        by dn="uid=root,ou=People,dc=mydomain,dc=com" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="uid=root,ou=People,dc=mydomain,dc=com" write
        by * read

Note that the third block (database config) is there for converting the (obsolete) slapd.conf into the slapd.d directory structure.

The MD5 hash above needs to be replaced by the hash returned by the following command:

slappasswd -h {md5}

When asked for a password, you need to type the new password for the LDAP Manager, which is like the "root" user in Unix. Just invent a password and remember it.
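The rootpw lines above carry the scheme-prefixed, base64-encoded hash that slappasswd prints. The following is an added example, not code from this page, that reproduces the {MD5} form of `slappasswd -h {md5}` and the salted {SSHA} form that slappasswd uses when no scheme is given, and verifies a candidate password against either. The test password and fixed salt are constructed; {MD5} is unsalted, which is why {SSHA} is the scheme slappasswd picks by default.

```python
"""Generate and verify OpenLDAP-style {MD5} / {SSHA} hashes (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def md5_hash(password: str) -> str:
    """Same output as `slappasswd -h {md5} -s <password>`: {MD5} + base64(md5(pw))."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """slappasswd's default scheme: {SSHA} + base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd appends a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """Check a candidate password against a {MD5} or {SSHA} hash string."""
    if not stored.startswith("{"):
        return False
    scheme, _, encoded = stored[1:].partition("}")
    raw = base64.b64decode(encoded)
    scheme = scheme.upper()
    if scheme == "MD5":
        candidate = hashlib.md5(password.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, raw)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    raise ValueError("unsupported scheme {%s}" % scheme)


if __name__ == "__main__":
    # Constructed demo password; the hash below is what rootpw would contain.
    print(md5_hash("password"))
    print(ssha_hash("password"))
```

Paste the printed value (including the scheme prefix) in place of the {MD5}xxxx placeholder; slapd accepts both schemes in rootpw and userPassword.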

When you are finished editing /etc/ldap/slapd.conf it is time to convert it to the slapd.d directory structure (Ubuntu / Kubuntu >= 8.10 only). Run these commands from within /etc/ldap:

slaptest -f slapd.conf -F slapd.d
chown -R openldap:openldap slapd.d
chmod 600 slapd.conf
mv -i slapd.conf slapd.conf.bak

The last command will prevent slapd.conf from being used.

(end of obsolete part)

Configure slapd:

$ dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name: your_domain.com
Organization name: Your_organization
Database backend to use: HDB
Do you want the database to be removed when slapd is purged: Yes
Move old database: Yes
Administrator password:
Allow LDAPv2 protocol: No

The DNS domain name will be converted to the "distinguished name of the search base" mentioned earlier. Earlier we specified it for the clients; now we do the same for the server.

Create a self-signed certificate and key pair. Type:

cd /etc/ldap
openssl req -new -x509 -nodes \
   -out slapd-cert.pem -keyout slapd-key.pem -days 999999
chmod 644 slapd-cert.pem
chown openldap:openldap slapd-key.pem
chmod 400 slapd-key.pem

When asked for the Common Name, type the hostname of your LDAP server.

Please note that in Ubuntu 8.04 or later a hostname is required; an IP address will not work anymore for secure connections.

Tell slapd about the certificate:

$ ldapmodify -x -D cn=admin,cn=config -W
(password)
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/slapd-cert.pem

dn: cn=config
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/slapd-cert.pem

dn: cn=config
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/slapd-key.pem

Hit Ctrl-D to end the input.

Edit /etc/default/slapd so that it contains:

SLAPD_SERVICES="ldaps:/// ldap://127.0.0.1/"

Type:

/etc/init.d/slapd restart

If this fails, try to debug it using:

slapd -d -1 -g openldap -u openldap -F /etc/ldap/slapd.d

If you see something like:

main: TLS init def ctx failed: -64

check whether the TLS paths in slapd.conf match the locations of the SSL certificate and key. Also check the permissions of these files.

(probably obsolete; it may have been merged into /etc/ldap.conf)

The configuration file for the LDAP clients in ldap-utils is /etc/ldap/ldap.conf. Edit it. It should look like this:

BASE            dc=mydomain,dc=com
URI             ldaps://your_hostname:636/
TLS_REQCERT     allow

(end of obsolete part)

Test the LDAP server:

ldapsearch -D "cn=admin,dc=mydomain,dc=com" -W -x
ldapsearch -H 'ldaps://your_hostname/' -D "cn=admin,dc=mydomain,dc=com" -W -x
ldapsearch -H 'ldap://127.0.0.1/' -D "cn=admin,dc=mydomain,dc=com" -W -x
ldapsearch -W -x

You need to type the LDAP manager password for the first 3 commands. At the last command, just press Enter: here we test the anonymous login. In Ubuntu 8.04 you really need the hostname in the second command instead of the IP address. If you see something like:

result: 32 No such object

that's ok.

If you see something like:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

check whether slapd is running, and if not, try to debug it using the command mentioned earlier (calling slapd directly with option -d -1). Also check /etc/default/slapd, in particular the SLAPD_SERVICES option. It should look similar to the example mentioned earlier, and no hash sign (#) should appear at the beginning of that line. If you are using Jaunty (9.04), there may be a bug which prevents the 2nd command (using ldaps) from working.
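Two settings on this page decide whether LDAP traffic actually stays encrypted and authenticated: the SLAPD_SERVICES line (plain ldap:// only on 127.0.0.1, ldaps:/// for the network) and the client's TLS_REQCERT (the "allow" value shown for /etc/ldap/ldap.conf makes clients accept the self-signed certificate, but also any other certificate a host impersonating the server might present; the stricter alternative is TLS_REQCERT demand together with TLS_CACERT pointing at the same slapd-cert.pem). The checker below is an added example, not code from this page: it reads the text of both files and reports listeners or client settings that would still send or accept unverified connections. The sample file contents are constructed from the page's own examples.

```python
"""Report unencrypted or unverified LDAP settings (added example, defender side)."""
import re
import shlex
from typing import Dict, List
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def slapd_services(text: str) -> List[str]:
    """Extract the URI list from /etc/default/slapd text, ignoring commented lines."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"SLAPD_SERVICES=(.*)$", line)
        if m:
            return shlex.split(m.group(1))  # strips the surrounding quotes
    return []


def check_slapd_services(text: str) -> List[str]:
    """Findings for the server side: where plaintext LDAP is reachable."""
    findings = []
    uris = slapd_services(text)
    if not uris:
        findings.append("SLAPD_SERVICES not set or commented out: slapd falls back to its default listeners")
        return findings
    for uri in uris:
        parts = urlsplit(uri)
        host = parts.hostname or ""  # "" means all interfaces, e.g. ldap:///
        if parts.scheme == "ldap" and host not in LOOPBACK:
            findings.append(f"{uri}: plaintext LDAP reachable from the network")
    if not any(urlsplit(u).scheme == "ldaps" for u in uris):
        findings.append("no ldaps:// listener: remote clients cannot use TLS")
    return findings


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """ldap.conf keywords are case-insensitive and separated from values by whitespace."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return settings


def check_ldap_conf(text: str) -> List[str]:
    """Findings for the client side: URI scheme and server certificate verification."""
    settings = parse_ldap_conf(text)
    findings = []
    for uri in settings.get("URI", "").split():
        parts = urlsplit(uri)
        if parts.scheme == "ldap" and (parts.hostname or "") not in LOOPBACK:
            findings.append(f"{uri}: simple binds would send passwords in the clear")
    reqcert = settings.get("TLS_REQCERT", "demand").lower()  # demand is the default
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not checked, "
                        "so a host impersonating the LDAP server would be accepted")
    elif "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append("TLS_REQCERT is strict but no TLS_CACERT is set: "
                        "the self-signed slapd-cert.pem will not be trusted")
    return findings


if __name__ == "__main__":
    # Constructed samples mirroring the page's /etc/default/slapd and ldap.conf.
    print(check_slapd_services('SLAPD_SERVICES="ldaps:/// ldap://127.0.0.1/"\n'))
    print(check_ldap_conf("BASE dc=mydomain,dc=com\nURI ldaps://your_hostname:636/\nTLS_REQCERT allow\n"))
```

Run it against the real files with `check_slapd_services(open('/etc/default/slapd').read())` and the same for /etc/ldap/ldap.conf or /etc/ldap.conf; an empty list means the file matches the encrypted setup described here.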

Migrating the files in /etc to LDAP

The next task is to convert /etc/passwd, /etc/shadow and /etc/group to LDAP. Go to /usr/share/migrationtools and edit migrate_common.ph. In Ubuntu 8.04 this file has been moved to /usr/share/perl5.

# $DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_BASE = "dc=mydomain,dc=com";
# $DEFAULT_MAIL_HOST = "mail.padl.com";
$EXTENDED_SCHEMA = 1;

Type:

./migrate_base.pl > /tmp/base.ldif
./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
./migrate_group.pl /etc/group /tmp/group.ldif
ldapadd -D "cn=Manager,dc=mydomain,dc=com" -W -x -f /tmp/base.ldif
ldapadd -D "cn=Manager,dc=mydomain,dc=com" -W -x -f /tmp/passwd.ldif
ldapadd -D "cn=Manager,dc=mydomain,dc=com" -W -x -f /tmp/group.ldif
rm /tmp/base.ldif /tmp/passwd.ldif /tmp/group.ldif

Note that ldapadd has an option -c to continue after errors (instead of aborting).
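To see what the migration scripts produce, and to check a hand-edited LDIF before feeding it to ldapadd, here is an added example (not this page's code and not the migrationtools scripts themselves) that turns /etc/passwd, /etc/shadow and /etc/group lines into posixAccount and posixGroup entries under ou=People and ou=Group. The attribute layout approximates migrate_passwd.pl / migrate_group.pl; the base DN matches $DEFAULT_BASE above, the sample lines are constructed, and ou=People / ou=Group are assumed to exist already (migrate_base.pl creates them). Values that LDIF cannot carry literally (non-ASCII, leading space or colon) are base64-encoded with the `::` form, which is one of the things that commonly breaks hand-written LDIF.

```python
"""Build LDIF for posixAccount / posixGroup entries (added example)."""
import base64
from typing import Dict, List, Optional

BASE_DN = "dc=mydomain,dc=com"  # same as $DEFAULT_BASE in migrate_common.ph


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; base64-encode values that are not LDIF-safe."""
    unsafe_start = value[:1] in (" ", ":", "<")
    if unsafe_start or not value.isascii() or value.endswith(" ") or "\n" in value:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def parse_shadow(lines: List[str]) -> Dict[str, str]:
    """Map login name -> password hash from /etc/shadow lines."""
    hashes = {}
    for line in lines:
        if line.strip() and not line.startswith("#"):
            fields = line.rstrip("\n").split(":")
            hashes[fields[0]] = fields[1]
    return hashes


def passwd_to_ldif(lines: List[str], shadow: Optional[Dict[str, str]] = None,
                   base_dn: str = BASE_DN) -> str:
    entries = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        user, pw, uid, gid, gecos, home, shell = fields
        if shadow and user in shadow:
            pw = shadow[user]  # the real hash lives in /etc/shadow, passwd has "x"
        attrs = [
            ("dn", f"uid={user},ou=People,{base_dn}"),
            ("uid", user),
            ("cn", gecos.split(",")[0] or user),
            ("objectClass", "account"),
            ("objectClass", "posixAccount"),
            ("objectClass", "top"),
            ("objectClass", "shadowAccount"),
            ("loginShell", shell),
            ("uidNumber", uid),
            ("gidNumber", gid),
            ("homeDirectory", home),
        ]
        if gecos:
            attrs.append(("gecos", gecos))
        if pw not in ("", "x", "*", "!", "!!"):  # locked/empty accounts get no password
            attrs.append(("userPassword", "{crypt}" + pw))
        entries.append("\n".join(ldif_attr(k, v) for k, v in attrs))
    return "\n\n".join(entries) + "\n"


def group_to_ldif(lines: List[str], base_dn: str = BASE_DN) -> str:
    entries = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.rstrip("\n").split(":")
        attrs = [
            ("dn", f"cn={name},ou=Group,{base_dn}"),
            ("objectClass", "posixGroup"),
            ("objectClass", "top"),
            ("cn", name),
            ("gidNumber", gid),
        ]
        attrs += [("memberUid", m) for m in members.split(",") if m]
        entries.append("\n".join(ldif_attr(k, v) for k, v in attrs))
    return "\n\n".join(entries) + "\n"


# Constructed sample input (not real accounts).
SAMPLE_PASSWD = ["root:x:0:0:root:/root:/bin/bash",
                 "alice:x:1000:1000:Alice Ärzt,,,:/home/alice:/bin/bash"]
SAMPLE_SHADOW = ["root:$1$abc$rootHash:14000:0:99999:7:::",
                 "alice:$1$s4lt$h4sh:14000:0:99999:7:::"]
SAMPLE_GROUP = ["users:x:100:alice,bob", "alice:x:1000:"]

if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, parse_shadow(SAMPLE_SHADOW)))
    print(group_to_ldif(SAMPLE_GROUP))
```

The output is what `ldapadd -D "cn=Manager,dc=mydomain,dc=com" -W -x -f` expects; note that because the hashes are copied from /etc/shadow, the resulting LDIF is as sensitive as /etc/shadow itself, which is why the page deletes the temporary files afterwards.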

A web GUI for LDAP: phpldapadmin

Edit the following lines in /usr/share/phpldapadmin/config/config.php:

$config->custom->session['blowfish'] = 'some random string';
$ldapservers->SetValue($i,'server','name','My LDAP Server');
$ldapservers->SetValue($i,'server','host','ldap://127.0.0.1/');
$ldapservers->SetValue($i,'server','port','389');
$ldapservers->SetValue($i,'server','base',array('dc=mydomain,dc=com'));
$ldapservers->SetValue($i,'server','auth_type','session');
$ldapservers->SetValue($i,'login','dn','');
$ldapservers->SetValue($i,'login','pass','');
$ldapservers->SetValue($i,'server','tls',false);
$ldapservers->SetValue($i,'server','low_bandwidth',false);
$ldapservers->SetValue($i,'appearance','password_hash','md5');
$ldapservers->SetValue($i,'login','attr','dn');

Replace 'some random string' with something really random :-) Keep the IP 127.0.0.1 as-is (localhost).

Assuming you already have Apache, PHP and a web browser installed, start a web browser and go to https://localhost/phpldapadmin/. Log in as cn=Manager,dc=mydomain,dc=com. You can also log in anonymously, but then you cannot see the password hashes and you cannot change anything.

This is a perfect moment to clean up the LDAP directory. Remove everything except Group and People.

Configuring the system to use LDAP

Edit /etc/ldap.conf:

  • Remove the 1st line containing ###DEBCONF### to prevent the system from overwriting this file
  • Comment out these lines, by placing a # at the beginning of each line:
    host 192.168.1.2
    base dc=mydomain,dc=com
    
  • Add this line:
    uri ldaps://your_hostname/
    
  • Uncomment the following line, by removing the #:
    #pam_password exop
    
    and make sure other pam_password lines start with a #

These changes are needed for security: the clients use ldaps:// (encrypted) instead of ldap:// (unencrypted).

Edit /etc/nsswitch.conf, changing these 3 lines:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

Check if LDAP works with NSS:

getent passwd | grep 0:0

You should see two identical lines, one coming from /etc and one coming from LDAP.

Setting up PAM to work with LDAP

Edit /etc/pam.d/common-auth:

auth     sufficient   pam_unix.so nullok_secure
auth     requisite    pam_ldap.so use_first_pass

Edit /etc/pam.d/common-account:

account   sufficient   pam_unix.so
account   required     pam_ldap.so

Edit /etc/pam.d/common-password:

password   sufficient   pam_unix.so nullok obscure min=4 max=8 md5
password   requisite    pam_ldap.so

Edit /etc/pam.d/common-session:

session   required   pam_env.so readenv=1
session   required   pam_unix.so
session   optional   pam_ldap.so
session   required   pam_mkhomedir.so skel=/etc/skel/ umask=077
session   optional   pam_foreground.so

The first line has nothing to do with LDAP. It's there to read /etc/environment even when logging in using KDM. The pam_mkhomedir line creates the home directory automatically if it does not exist.
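The control flags in these stacks decide which module settles a login and whether the LDAP server is consulted at all. The simulator below is an added example, not this page's code and not a PAM implementation: it applies the documented meaning of required, requisite, sufficient and optional to the common-auth, common-account and common-session stacks above, with each module's result supplied as a constructed dict. It shows, for instance, that a local user in /etc/passwd is accepted by pam_unix without pam_ldap ever running (so an unreachable LDAP server does not lock out local accounts), while an LDAP-only user falls through to pam_ldap.

```python
"""Walk the PAM stacks from this page with Linux-PAM control-flag semantics (added example)."""
from typing import Dict, List, Tuple

# (control flag, module) pairs copied from the stacks above; arguments omitted
COMMON_AUTH = [("sufficient", "pam_unix.so"), ("requisite", "pam_ldap.so")]
COMMON_ACCOUNT = [("sufficient", "pam_unix.so"), ("required", "pam_ldap.so")]
COMMON_SESSION = [("required", "pam_env.so"), ("required", "pam_unix.so"),
                  ("optional", "pam_ldap.so"), ("required", "pam_mkhomedir.so"),
                  ("optional", "pam_foreground.so")]


def run_stack(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Return (outcome, modules consulted in order).

    required:   a failure is remembered but the rest of the stack still runs
    requisite:  a failure ends the stack immediately with failure
    sufficient: a success ends the stack with success unless a required module
                already failed; a failure is simply ignored
    optional:   ignored unless it is the only kind of module in the stack
    A module missing from `results` is treated as failing (e.g. unknown user).
    """
    consulted: List[str] = []
    failed_required = False
    only_optional = all(flag == "optional" for flag, _ in stack)
    last_result = False
    for flag, module in stack:
        ok = results.get(module, False)
        consulted.append(module)
        last_result = ok
        if flag == "sufficient" and ok and not failed_required:
            return "success", consulted
        if flag == "requisite" and not ok:
            return "failure", consulted
        if flag == "required" and not ok:
            failed_required = True
    if only_optional:
        return ("success" if last_result else "failure"), consulted
    return ("failure" if failed_required else "success"), consulted


# Constructed scenarios: which modules would accept each kind of user.
SCENARIOS = {
    "local user":  {"pam_unix.so": True,  "pam_ldap.so": False},
    "ldap user":   {"pam_unix.so": False, "pam_ldap.so": True},
    "unknown":     {"pam_unix.so": False, "pam_ldap.so": False},
}


def auth_outcomes() -> Dict[str, Tuple[str, List[str]]]:
    """common-auth outcome and the modules consulted, per scenario."""
    return {name: run_stack(COMMON_AUTH, res) for name, res in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (outcome, consulted) in auth_outcomes().items():
        print(f"{name:11s} -> {outcome:8s} via {' -> '.join(consulted)}")
```

Changing the second common-auth line from requisite to required would not alter these outcomes, but swapping the order of the two lines would make every login, local ones included, depend on the LDAP server answering first.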

In order to turn off the caching of hosts, edit this line in /etc/nscd.conf:

enable-cache            hosts           no

Check if LDAP works with PAM. When you change a password, the corresponding password hash in the LDAP should also change, and you should be able to use this new password anywhere.

Recovering from a crash

If you cannot start slapd after a crash, you may be able to recover the database by installing the db4.2-util package and running the following command:

db4.2_recover -c -h -v /var/lib/ldap

After that, slapd should be able to run again.

Diskless client hangs during boot when using LDAP

If the client hangs at "Starting kernel log", set bind_policy to soft in /etc/ldap.conf.

 
