LDAP

This is an update of the LDAP part of my diskless client project, which is documented on my old site at http://www.xs4all.nl/~rjb/ . This is work in progress (updated 27042009)...

(to be merged for 9.04)

$ dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name: your_domain.com
Organization name: Your_organization
Database backend to use: HDB
Do you want the database to be removed when slapd is purged: Yes
Move old database: Yes
Administrator password:
Allow LDAPv2 protocol: No

/etc/phpldapadmin/config.php:

:1,$ s/dc=example,dc=com/dc=your_domain,dc=com/g

/etc/default/slapd:

SLAPD_SERVICES="ldaps:/// ldap://127.0.0.1/"
$ ldapmodify -x -D cn=admin,cn=config -W
(password)
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/slapd-cert.pem

dn: cn=config
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/slapd-cert.pem

dn: cn=config
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/slapd-key.pem

^D

(end of merge)

Reference: https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html

Installing the software

Let's install the software:

aptitude install slapd ldap-utils libpam-ldap libnss-ldap migrationtools phpldapadmin

In case you're wondering what all of this does, simply said:

  • slapd is the LDAP server
  • ldap-utils contains LDAP clients, among other things.
  • libpam-ldap contains a plugin which is used for validating logins, changing passwords etc... It uses LDAP, so it is in fact also an LDAP client. Installing this will also install ldap-auth-config.
  • libnss-ldap, another LDAP client, is part of NSS, which is responsible for deciding where to look up data like passwd, group, shadow, hosts, networks etc., which formerly was only available in /etc. Now the user can specify in /etc/nsswitch.conf where to look; for example, for user info look in /etc/passwd first, then in LDAP. This affects the output of, for example, an ls -l command.
  • migrationtools contains scripts which can copy and convert data from files in /etc, like /etc/passwd to the LDAP server.
  • phpldapadmin is a web interface for LDAP.

When installing slapd, the system will ask what password to use for the administrator. Just invent one and remember it. When installing ldap-auth-config, the system will ask for the URI of the LDAP server, which in our case will look something like this:

ldaps://server_hostname/

Replace server_hostname by your server's hostname.

Please note that in Ubuntu 8.04 or later a hostname is required; an IP address will not work anymore for secure connections.

Using ldaps instead of ldap or ldapi enables us to use encrypted connections over the network. So if you want to use an LDAP server on machine A for authenticating users on machine B, you can do that without sending plain-text passwords over the network.

It will also ask for the distinguished name of the search base. The what? :-) Let's say it's a bit like the search domain in DNS, which in our case would be mydomain.com, in LDAP written as:

dc=mydomain,dc=com

You will have to replace mydomain and com to suit your needs, but you need to keep the rest: it's the LDAP way of specifying things. Note that this has no relationship with DNS, so you don't need to keep the LDAP dc's in sync with FQDNs. You can just invent another name for your LDAP setup.

Answer No when asked if you would like to create a local root database, and No to the option "Database requires logging in".

Running the LDAP server: slapd

(obsolete part to be removed)

The configuration file for slapd is /etc/ldap/slapd.conf. Edit it (only relevant lines shown):

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        none
modulepath      /usr/lib/ldap
moduleload      back_hdb
sizelimit       500
tool-threads    1
backend         hdb

database        config
rootdn          "cn=admin,cn=config"
rootpw          {MD5}xxxxxxxxxxxxxxxxxxxxxxx

database        hdb
suffix          "dc=mydomain,dc=com"
directory       "/var/lib/ldap"
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
checkpoint      512 30
password-hash   {md5}
TLSCertificateFile     /etc/ldap/slapd-cert.pem
TLSCertificateKeyFile  /etc/ldap/slapd-key.pem
TLSCACertificateFile   /etc/ldap/slapd-cert.pem
rootdn          "cn=Manager,dc=mydomain,dc=com"
rootpw          {MD5}xxxxxxxxxxxxxxxxxxxxxxxx

access to attrs=userPassword
        by dn="uid=root,ou=People,dc=mydomain,dc=com" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="uid=root,ou=People,dc=mydomain,dc=com" write
        by * read

Note that the 3rd block is for converting the (obsolete) slapd.conf into the slapd.d directory structure.

The MD5 hash above needs to be replaced by the hash returned by the following command:

slappasswd -h {md5}

When asked for a password, you need to type the new password for the LDAP Manager, which is like the "root" user in Unix. Just invent a password and remember it.

When you are finished editing /etc/ldap/slapd.conf it is time to convert it to the slapd.d directory structure (Ubuntu / Kubuntu >= 8.10 only). Run these commands:

slaptest -f slapd.conf -F slapd.d
chown -R openldap:openldap slapd.d
chmod 600 slapd.conf
mv -i slapd.conf slapd.conf.bak

The last command will prevent slapd.conf from being used.

(end of obsolete part)

Configure slapd:

$ dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name: your_domain.com
Organization name: Your_organization
Database backend to use: HDB
Do you want the database to be removed when slapd is purged: Yes
Move old database: Yes
Administrator password:
Allow LDAPv2 protocol: No

The DNS domain name will be converted to a "distinguished name of the search base" mentioned earlier. Earlier we specified it for the clients, now we do the same for the server.

Create a self-signed certificate and key pair. Type:

cd /etc/ldap
openssl req -new -x509 -nodes \
   -out slapd-cert.pem -keyout slapd-key.pem -days 999999
chmod 644 slapd-cert.pem
chown openldap:openldap slapd-key.pem
chmod 400 slapd-key.pem

When asked for CommonName type the hostname of your LDAP-server.

Please note that in Ubuntu 8.04 or later a hostname is required; an IP address will not work anymore for secure connections.

Tell slapd about the certificate:

$ ldapmodify -x -D cn=admin,cn=config -W
(password)
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/slapd-cert.pem

dn: cn=config
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/slapd-cert.pem

dn: cn=config
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/slapd-key.pem

Hit Ctrl-D to end the input.

Edit /etc/default/slapd.

SLAPD_SERVICES="ldaps:/// ldap://127.0.0.1/"

Type:

/etc/init.d/slapd restart

If this fails, try to debug it using:

slapd -d -1 -g openldap -u openldap -F /etc/ldap/slapd.d

If you see something like:

main: TLS init def ctx failed: -64

check if the TLS paths you configured (the olcTLS* attributes in cn=config, or the TLS* lines in slapd.conf) match the locations of the SSL certificate and key. Also check the permissions of these files.
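As an added check (example shell code, not part of the original guide), the function below verifies the file state the chmod/chown steps above are meant to produce before you start reading slapd debug output: both files exist, the certificate is world-readable, the private key is readable by its owner only, and the key belongs to the user slapd runs as (openldap on Ubuntu; the expected owner is a parameter so the check can also be run by an unprivileged user against copies of the files).

```shell
# Added example, not from the original page: verify the certificate/key file
# state that the chmod/chown steps produce, before debugging a TLS init failure.
# Usage: check_slapd_tls_files CERT_FILE KEY_FILE [KEY_OWNER]
check_slapd_tls_files() {
    cert=$1
    key=$2
    owner=${3:-openldap}   # slapd runs as openldap on Ubuntu (the -u option above)
    status=0

    for f in "$cert" "$key"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            status=1
        fi
    done
    [ "$status" -eq 0 ] || return "$status"

    # "ls -ld" prints e.g. "-rw-r--r-- 1 root root ..."; keep the 10-character
    # mode string (cut drops a trailing ACL/SELinux marker) and the owner column.
    cert_mode=$(ls -ld "$cert" | cut -c1-10)
    key_mode=$(ls -ld "$key" | cut -c1-10)
    key_owner=$(ls -ld "$key" | awk '{print $3}')

    # Certificate: clients and slapd must be able to read it (chmod 644 gives o+r).
    case $cert_mode in
        ???????r??) ;;
        *) echo "certificate $cert is not world-readable ($cert_mode)"; status=1 ;;
    esac

    # Private key: owner-only, i.e. 0400 or 0600; any group/other bit is a finding.
    case $key_mode in
        -r--------|-rw-------) ;;
        *) echo "key $key is readable by group or others ($key_mode)"; status=1 ;;
    esac

    if [ "$key_owner" != "$owner" ]; then
        echo "key $key is owned by $key_owner, expected $owner"
        status=1
    fi
    return "$status"
}
```

Run it as check_slapd_tls_files /etc/ldap/slapd-cert.pem /etc/ldap/slapd-key.pem on the server; a non-zero exit with one line per problem tells you what to fix before restarting slapd.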

(probably obsolete; it may have been merged in /etc/ldap.conf)

The configuration file for the LDAP clients in ldap-utils is /etc/ldap/ldap.conf. Edit it. It should look like this:

BASE            dc=mydomain,dc=com
URI             ldaps://your_hostname:636/
TLS_REQCERT     allow

(end of obsolete part)

Test the LDAP server:

ldapsearch -D "cn=admin,dc=mydomain,dc=com" -W -x
ldapsearch -H 'ldaps://your_hostname/' -D "cn=admin,dc=mydomain,dc=com" -W -x
ldapsearch -H 'ldap://127.0.0.1/' -D "cn=admin,dc=mydomain,dc=com" -W -x
ldapsearch -W -x

You need to type the LDAP manager password for the first 3 commands. At the last command just press Enter: here we test the anonymous login. In Ubuntu 8.04 you really need the hostname in the second command instead of the IP address. If you see something like:

result: 32 No such object

that's ok.

If you see something like:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

check if slapd is running, and if not, try to debug it using the command mentioned earlier (calling slapd directly, and using option -d -1). Also check /etc/default/slapd, in particular the SLAPD_SERVICES option. It should look similar to the example mentioned earlier. No hash sign (#) should appear at the beginning of that line. If you are using Jaunty (9.04), there may be a bug which prevents the 2nd command (using ldaps) from working.

Migrating the files in /etc to LDAP

Next task is to convert /etc/passwd, /etc/shadow and /etc/group to LDAP. Go to /usr/share/migrationtools and edit migrate_common.ph. In Ubuntu 8.04 this file has been moved to /usr/share/perl5.

# $DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_BASE = "dc=mydomain,dc=com";
# $DEFAULT_MAIL_HOST = "mail.padl.com";
$EXTENDED_SCHEMA = 1;

Type:

./migrate_base.pl > /tmp/base.ldif
./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
./migrate_group.pl /etc/group /tmp/group.ldif
ldapadd -D "cn=Manager,dc=mydomain,dc=com" -W -x -f /tmp/base.ldif
ldapadd -D "cn=Manager,dc=mydomain,dc=com" -W -x -f /tmp/passwd.ldif
ldapadd -D "cn=Manager,dc=mydomain,dc=com" -W -x -f /tmp/group.ldif
rm /tmp/base.ldif /tmp/passwd.ldif /tmp/group.ldif

Note that ldapadd has an option -c to continue after errors (instead of aborting).
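To make visible what migrate_passwd.pl actually writes, here is an added example (shell with awk, not part of the original page or of migrationtools) that turns a passwd-format file into the same kind of posixAccount/shadowAccount LDIF. It assumes users go under ou=People below the base DN, as the ACLs earlier on this page do, and it takes the password hash from a shadow-format file (readable by root only), never from the "x" placeholder in passwd; locked accounts (hash starting with "!" or "*") get no userPassword attribute at all, so they cannot bind. The sample input in the test is constructed.

```shell
# Added example, not from the original page: a minimal stand-in for
# migrate_passwd.pl that shows the LDIF migrationtools produce for accounts.
# Assumptions: users live under ou=People below the base DN, and password
# hashes come from a shadow-format file, never from the "x" in passwd.
# Locked accounts ("!" or "*") get no userPassword attribute, so they cannot bind.
# Usage: passwd_to_ldif BASE_DN PASSWD_FILE [SHADOW_FILE]
passwd_to_ldif() {
    base=$1
    passwd=$2
    shadow=${3:-/dev/null}
    awk -F: -v base="$base" -v shadow="$shadow" '
        # First pass: the shadow file maps login name -> hash.
        FILENAME == shadow { hash[$1] = $2; next }

        # Second pass: every complete passwd line becomes one entry.
        NF >= 7 {
            split($5, gecos, ",")                 # GECOS: "Full Name,room,phone,..."
            cn = (gecos[1] == "") ? $1 : gecos[1]
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            printf "uid: %s\n", $1
            printf "cn: %s\n", cn
            print "objectClass: account"
            print "objectClass: posixAccount"
            print "objectClass: top"
            print "objectClass: shadowAccount"
            if (($1 in hash) && hash[$1] !~ /^[*!]/)
                printf "userPassword: {crypt}%s\n", hash[$1]
            printf "loginShell: %s\n", $7
            printf "uidNumber: %s\n", $3
            printf "gidNumber: %s\n", $4
            printf "homeDirectory: %s\n", $6
            print ""                              # blank line separates LDIF entries
        }
    ' "$shadow" "$passwd"
}
```

Typical use is passwd_to_ldif dc=mydomain,dc=com /etc/passwd /etc/shadow > /tmp/passwd.ldif (as root, because of /etc/shadow), after which the ldapadd step above is the same. Review the LDIF before adding it: every userPassword line in it is a hash that anyone who can read the directory entry could try to crack, which is exactly why the ACL above grants userPassword read access to nobody but the owner.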

A web GUI for LDAP: phpldapadmin

Edit the following lines in /usr/share/phpldapadmin/config/config.php:

$config->custom->session['blowfish'] = 'some random string';
$ldapservers->SetValue($i,'server','name','My LDAP Server');
$ldapservers->SetValue($i,'server','host','ldap://127.0.0.1/');
$ldapservers->SetValue($i,'server','port','389');
$ldapservers->SetValue($i,'server','base',array('dc=mydomain,dc=com'));
$ldapservers->SetValue($i,'server','auth_type','session');
$ldapservers->SetValue($i,'login','dn','');
$ldapservers->SetValue($i,'login','pass','');
$ldapservers->SetValue($i,'server','tls',false);
$ldapservers->SetValue($i,'server','low_bandwidth',false);
$ldapservers->SetValue($i,'appearance','password_hash','md5');
$ldapservers->SetValue($i,'login','attr','dn');

Replace some random string with something really random :-) Keep the IP 127.0.0.1 as-is (localhost).

Assuming you already have Apache, PHP and a web browser installed, start up a web browser and go to https://localhost/phpldapadmin/. Log in as cn=Manager,dc=mydomain,dc=com. You can also log in anonymously, but then you cannot see the password hashes and you cannot change anything.

This is a perfect moment to clean up the LDAP directory. Remove everything except Group and People.

Configuring the system to use LDAP

Edit /etc/ldap.conf:

  • Remove the 1st line containing ###DEBCONF### to prevent the system from overwriting this file
  • Comment out these lines, by placing a # at the beginning of each line:
    host 192.168.1.2
    base dc=mydomain,dc=com
    
  • Add this line:
    uri ldaps://your_hostname/
    
  • Uncomment the following line, by removing the #:
    #pam_password exop
    
    and make sure other pam_password lines start with a #

These changes are needed for security by using ldaps:// (with encryption) instead of ldap:// (without encryption).
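The edits above are easy to get half right (a leftover host line, two active pam_password lines, the debconf marker still in place). The following added example, shell with awk and not part of the original page, audits an ldap.conf-style file for exactly those points and goes one step beyond the page: it also flags a client that has certificate verification switched off (tls_reqcert allow or never in /etc/ldap/ldap.conf, tls_checkpeer no in /etc/ldap.conf), because with that setting ldaps:// encrypts the connection but the client will accept any server presenting any certificate. It treats a host line as plain ldap:// unless the file also has ssl on or ssl start_tls, and accepts uri values that use ldaps://, ldapi:// or the loopback address. The sample files in the test are constructed.

```shell
# Added example, not from the original page: audit an ldap.conf-style file
# (/etc/ldap.conf for pam_ldap/nss_ldap, or /etc/ldap/ldap.conf for ldap-utils)
# for the settings the steps above change. Each finding is printed on one line;
# the return value is the number of findings, so 0 means the file is clean.
# Usage: audit_ldap_conf FILE
audit_ldap_conf() {
    awk '
        function hit(msg) { print "finding: " msg; n++ }

        # The debconf marker means package configuration may rewrite this file.
        /^###DEBCONF###/ { hit("###DEBCONF### marker present, debconf may overwrite this file") }

        # Skip comments and blank lines; keys are case-insensitive.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            key = tolower($1)
            val = $2
            # "host" is evaluated at the end together with the "ssl" setting.
            if (key == "host") host_line = $0
            if (key == "ssl") ssl = tolower(val)
            # A uri is fine if it uses ldaps://, ldapi:// or the loopback address.
            if (key == "uri")
                for (i = 2; i <= NF; i++)
                    if ($i !~ /^ldaps:\/\// && $i !~ /^ldapi:\/\// && $i !~ /^ldap:\/\/127\.0\.0\.1/)
                        hit("uri without TLS to a remote host: " $i)
            # Exactly one pam_password line, and it should be exop.
            if (key == "pam_password") {
                npw++
                if (tolower(val) != "exop")
                    hit("pam_password is " val ", expected exop")
            }
            # Certificate verification switched off: the client will talk to any server.
            if (key == "tls_reqcert" && (tolower(val) == "allow" || tolower(val) == "never"))
                hit("tls_reqcert " val ": server certificate is not verified")
            if (key == "tls_checkpeer" && tolower(val) == "no")
                hit("tls_checkpeer no: server certificate is not verified")
        }
        END {
            if (host_line != "" && ssl != "on" && ssl != "start_tls")
                hit("host directive without ssl on/start_tls, connection is plain ldap://: " host_line)
            if (npw > 1) hit("more than one active pam_password line")
            exit n
        }
    ' "$1"
}
```

Run audit_ldap_conf /etc/ldap.conf on each client after editing; an exit status of 0 means the file has none of the problems above, anything else is the number of lines it printed.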

Edit /etc/nsswitch.conf, changing these 3 lines:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

Check if LDAP works with NSS:

getent passwd | grep 0:0

You should see 2 identical lines, one coming from /etc and one coming from LDAP.

Setting up PAM to work with LDAP

Edit /etc/pam.d/common-auth:

auth     sufficient   pam_unix.so nullok_secure
auth     requisite    pam_ldap.so use_first_pass

Edit /etc/pam.d/common-account:

account   sufficient   pam_unix.so
account   required     pam_ldap.so

Edit /etc/pam.d/common-password:

password   sufficient   pam_unix.so nullok obscure min=4 max=8 md5
password   requisite    pam_ldap.so

Edit /etc/pam.d/common-session:

session   required   pam_env.so readenv=1
session   required   pam_unix.so
session   optional   pam_ldap.so
session   required   pam_mkhomedir.so skel=/etc/skel/ umask=077
session   optional   pam_foreground.so

The first line has nothing to do with LDAP. It's there to read /etc/environment even when logging in using KDM. The home directory will be created automatically if it does not exist.

In order to turn off the caching of hosts, edit this line in /etc/nscd.conf:

enable-cache            hosts           no

Check if LDAP works with PAM. When you change a password, the corresponding password hash in the LDAP should also change, and you should be able to use this new password anywhere.

Recovering from a crash

If you cannot start slapd after a crash, you may be able to recover the database by installing the db4.2-util package and running the following command:

db4.2_recover -c -v -h /var/lib/ldap

After that, slapd should be able to run again.

Diskless client hangs during boot when using LDAP

If the client hangs at "Starting kernel log", set bind_policy to soft in /etc/ldap.conf.

 
