# slappasswd
New password:
Re-enter new password:
{SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
SLAPD the stand-alone LDAP daemon
• This is the main LDAP server configuration file: /etc/openldap/slapd.conf
– We'll now update it with the following information:
• database: the database backend (the on-disk format; here plain database files)
• suffix: the site's FQDN written as a DN (from dnsdomainname)
• rootdn: the root container, the Manager DN
• rootpw: the LDAP root password hash, pasted from the "slappasswd" run above (never the clear-text password)
• directory: where the my-site.com LDAP tree root is stored on disk
• dc: domain component
• cn: common name
• Options like permissions (access rules), passwords, database type, database location and so on can be configured in this file
• Because slapd.conf contains the rootpw hash, keep it readable by root and the ldap user only (mode 0600)
• Start the LDAP daemon and check /var/log/messages
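A complete slapd.conf for the lab, as an added example assembled for this page rather than copied from the slides. The suffix, rootdn, rootpw hash and directory follow the bullets above; the schema include paths, the backend name, the index line and the access rules are assumptions (stock OpenLDAP 2.x names, adjust to your distribution).

```conf
# /etc/openldap/slapd.conf  (added example for the my-site.com lab, not the page's own file)
# Schema files: stock OpenLDAP 2.x locations (assumption); nis.schema gives posixAccount.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# Backend: the *.dbb files listed later on the page come from the old ldbm backend
# (assumption); current releases use bdb/hdb or mdb here instead.
database        ldbm
suffix          "dc=my-site,dc=com"
rootdn          "cn=Manager,dc=my-site,dc=com"

# WRONG: a clear-text rootpw is usable by anyone who can read this file.
#rootpw         secret
# RIGHT: paste the {SSHA} hash printed by slappasswd.
rootpw          {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ

# Database files for this suffix; owned by the slapd user, mode 0700.
directory       /var/lib/ldap/my-site.com
index           objectClass,uid   eq

# Access control (assumption: not shown on the slides). Without any access
# directive slapd's default policy is read for everyone, which lets an anonymous
# ldapsearch pull userPassword hashes for offline cracking.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous read
```

The last rule keeps anonymous read on everything except userPassword, which is what the lab's `ldapsearch -x` and nss_ldap lookups without a bind DN need; tighten it to `by users read` and `by anonymous auth` once the clients are given a bind DN.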
• The attributes of the my-site.com domain haven't yet been defined.
• You haven't defined the organizational unit (OU) called People.
• Create /etc/openldap/my-site.com.ldif
– which should look like this:
• If you need more OUs (organizational units), just add them below the last one.
dn: dc=my-site,dc=com
dc: my-site
description: Root LDAP entry for my-site.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=my-site,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
Import the LDIF files into the database
• Import the 3 main LDIF files into our database, in this order: each entry's parent must already exist when the entry is added
• First we add the base entry and the organizational unit People: my-site.com.ldif
• Next we add the root user: root.ldif
• Last we add the extracted users: ldapusers.ldif
# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
    -W -f my-site.com.ldif
Enter LDAP Password: ******
adding new entry "dc=my-site,dc=com"
adding new entry "ou=People, dc=my-site,dc=com"
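ldapadd processes a file top to bottom and stops at the first entry slapd rejects, so a child listed before its parent ("No such object") leaves the database half-loaded. The following added example (Python written for this page, not from the slides) parses LDIF the way ldapadd reads it and checks the ordering before anything is sent to the server. The embedded LDIF is a constructed copy of my-site.com.ldif above plus an ou=Groups entry that is an assumption, added to show a second OU; the `existing` argument models DNs already loaded from an earlier file, as when ldapusers.ldif follows my-site.com.ldif.

```python
"""Check that `ldapadd -f file` will not fail on ordering (added example, not from the page)."""
import base64
from typing import Dict, Iterable, List

# Constructed copy of the page's my-site.com.ldif, plus ou=Groups (an assumption).
LDIF_TEXT = """\
dn: dc=my-site,dc=com
dc: my-site
description: Root LDAP entry for my-site.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=my-site,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit

dn: ou=Groups,dc=my-site,dc=com
ou: Groups
objectClass: organizationalUnit
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Blank lines separate entries, a leading space folds a line onto the previous
    one, 'attr:: value' is base64, '#' lines are comments, 'version:' is skipped."""
    entries: List[Entry] = []
    lines: List[str] = []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith("#") or (not lines and raw.lower().startswith("version:")):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                entries.append(_entry(lines))
                lines = []
        else:
            lines.append(raw)
    return entries


def _entry(lines: List[str]) -> Entry:
    entry: Entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def _split_rdns(dn: str) -> List[str]:
    """Split on commas that are not escaped with a backslash (e.g. 'cn=Doe\\, John')."""
    parts: List[str] = []
    cur: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> str:
    """Lower-case attribute types and drop spaces around separators, so the page's
    'ou=People, dc=my-site,dc=com' equals 'ou=People,DC=my-site,dc=com'."""
    rdns = []
    for rdn in _split_rdns(dn):
        attr, _, val = rdn.strip().partition("=")
        rdns.append(attr.strip().lower() + "=" + val.strip())
    return ",".join(rdns)


def parent_dn(dn: str) -> str:
    return ",".join(_split_rdns(normalize_dn(dn))[1:])


def check_add_order(entries: List[Entry], suffix: str, existing: Iterable[str] = ()) -> List[str]:
    """Problems ldapadd would hit, in file order: duplicate DN, entry outside the
    suffix, or a child listed before its parent. `existing` = DNs already loaded."""
    suffix_n = normalize_dn(suffix)
    known = {normalize_dn(d) for d in existing}
    problems: List[str] = []
    for e in entries:
        dn = normalize_dn(e["dn"][0])
        if dn in known:
            problems.append(f"{dn}: already exists")
        elif dn != suffix_n and not dn.endswith("," + suffix_n):
            problems.append(f"{dn}: outside suffix {suffix_n}")
        elif dn != suffix_n and parent_dn(dn) not in known:
            problems.append(f"{dn}: parent {parent_dn(dn)} not added yet")
        known.add(dn)
    return problems


if __name__ == "__main__":
    entries = parse_ldif(LDIF_TEXT)
    print(check_add_order(entries, "dc=my-site,dc=com") or "ordering OK")
    print(check_add_order(entries[::-1], "dc=my-site,dc=com"))
```

Run it over each of the three files in turn, passing the DNs from the earlier files as `existing`, and only start the real ldapadd when it reports nothing.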
# ls /var/lib/ldap/my-site.com/
.  ..  dn2id.dbb  id2entry.dbb  nextid.dbb  objectClass.dbb
Configuring The LDAP Client
• Edit the /etc/openldap/ldap.conf configuration file
– Set it up for clients by adding the LDAP server and the domain suffix (base DN):
• Edit the /etc/nsswitch.conf configuration file
• Instead of modifying nsswitch.conf manually you can run a configuration tool
– Run yast ldap (SUSE) or /usr/bin/authconfig on other Linuxes
– Select Use LDAP
– Give the LDAP server's IP address, which in this case is 192.168.0.1
– Give the base DN as dc=my-site,dc=com (no quotes)
– Do not select TLS in this lab (TLS is usually a good idea in production, since without it bind passwords cross the network in clear text)
– Automounting means mounting home directories on the client from the server
– (Use MD5 and shadow passwords.)
HOST 192.168.0.1
BASE dc=my-site,dc=com
passwd: files ldap
shadow: files ldap
Setup PAM on LDAP Client and test it
• Next is to add LDAP to the PAM login stacks in /etc/pam.d
– pam.d/login needs some new entries (other LDAP-aware login services, e.g. sshd, may need them too)
• Restart SSH
– So it re-reads the nsswitch.conf file (a long-running daemon only picks up NSS changes when restarted)
• Test LDAP logins
– Using ldapsearch on the client
– Using SSH or the Linux console
• To see that the client has contact with the server
– Create the ldapuser home directory
• If you have automount it is not necessary
– Exit and log in as ldapuser at the local console of the client
• Type pwd to see where you land; if you land in "/" (root) it means
• LDAP users changing their own passwords
– LDAP users can modify their LDAP passwords using the regular passwd command.
• Modifying LDAP users as user "root"
– Script usage sample, modifying users as root on the LDAP server
$ passwd
Changing password for user ldapuser.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for ldapuser
passwd: all authentication tokens updated successfully.
# passwd ldapuser
Changing password for user ldapuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

[root@bigboy tmp]# modifyldapuser ldapuser
Enter LDAP Password:
modifying entry "uid=ldapuser,ou=People,dc=example,dc=com"
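The slides say pam.d/login "needs some new entries" without showing them. The following added example (written for this page, not taken from the slides) is a pam_ldap stack of the kind authconfig's "Use LDAP" produced on Red Hat-style systems of that era; modern distributions put this in system-auth/common-auth and use sssd instead. Module names and arguments are assumptions; the uid threshold of 500 is the old system-account boundary.

```conf
# /etc/pam.d/login  (added example, not the page's file)
auth       required     pam_securetty.so
auth       required     pam_env.so
# Local accounts first; "sufficient" ends the stack on success. No nullok: an
# empty local password must not log in just because LDAP is configured.
auth       sufficient   pam_unix.so try_first_pass
# Reuse the password already typed; never let pam_ldap prompt a second time.
auth       sufficient   pam_ldap.so use_first_pass
# Explicit deny so a broken stack fails closed instead of open.
auth       required     pam_deny.so

account    required     pam_unix.so broken_shadow
account    sufficient   pam_localuser.so
account    sufficient   pam_succeed_if.so uid < 500 quiet
# LDAP account checks (expiry, host restrictions); unknown users fall through.
account    [default=bad success=ok user_unknown=ignore] pam_ldap.so
account    required     pam_permit.so

# "passwd" for an LDAP user: pam_unix fails (no local entry), pam_ldap changes
# userPassword over the bind, which is why the slides show two password prompts.
password   requisite    pam_cracklib.so try_first_pass retry=3
password   sufficient   pam_unix.so md5 shadow try_first_pass use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
# Create the home directory from /etc/skel at first login when it is missing;
# drop this line when homes are automounted from the server.
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
session    optional     pam_ldap.so
```

Apply the same stack to sshd (or to the shared system-auth file) before testing over SSH, and test with a second session open so a mistake in the auth stack does not lock you out.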
Common LDAP administrative tasks
• Adding new LDAP users with the addldapuser script
– Add the user to the database:
– Create the Linux user kalle on the LDAP server with the useradd command
– Run the addldapuser script with the username as the only argument. The script prompts you for your LDAP "root" password.
– Create home directories for the user on all the LDAP client Linux boxes, otherwise they will have no home. Note that it is also possible to have the home directory created automatically at first login from the "skel" directory (PAM's pam_mkhomedir module does this)
# Configure stunnel to run as user "stunnel" placing temporary
# files in the /usr/var/run/stunnel/ directory
chroot = /var/lib/stunnel/stunnel
pid = /var/run/stunnel.pid
setuid = stunnel
setgid = nogroup
# Configure logging
debug = 7
output = /var/log/messages
# Use it for client mode
client = yes
# Service-level configuration
[ldap]
accept = 389
connect = 192.168.0.1:636
Generate certificates and start stunnel client
• Creating the stunnel x509 certificates
– See the docs at /usr/share/doc/packages/stunnel
• While creating the certificate you are asked a number of questions
– The Common Name must be the FQDN
• Install the stunnel package for general SSL tunnel support
• Configuring the stunnel LDAP server
– Modify the stunnel user
– Edit the /etc/stunnel/stunnel.conf configuration file
# usermod -G stunnel
# Configure stunnel to run as user "stunnel" placing temporary
# files in the /usr/var/run/stunnel/ directory
chroot = /home/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
# Some debugging stuff
debug = 7
output = /var/log/messages
# Use it for client mode
client = no
#cert = /usr/share/ssl/certs/stunnel.pem
#key = /usr/share/ssl/certs/stunnel.pem
# Service-level configuration
[ldap]
accept = 636
connect = 389
Generate certificates and start stunnel server
• Creating the stunnel x509 server certificates
– See the docs at /usr/share/doc/packages/stunnel
• While creating the certificate you are asked a number of questions
– The Common Name must be the FQDN
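The two stunnel.conf files on this page (the client one with `accept = 389`, the server one with `client = no` and the cert lines commented out) tunnel the traffic but leave three gaps: the client never verifies the server certificate, so any host that answers on 636 can read the bind passwords; `accept = 389` with no address listens on every interface, turning each client into an open clear-text relay to the server; and the server file has no usable cert, which stunnel needs in server mode. The following added example (written for this page, not from the slides) is the hardened pair, one file per host; the certificate and CA paths and the chroot directory are assumptions, and the log path replaces the page's /var/log/messages.

```conf
# ---- /etc/stunnel/stunnel.conf on each LDAP CLIENT (added example, not the page's file) ----
chroot  = /var/lib/stunnel/
pid     = /stunnel.pid
setuid  = stunnel
setgid  = stunnel
# debug = 7 (page) logs every handshake into /var/log/messages; 5 is enough in production.
debug   = 5
output  = /var/log/stunnel.log
client  = yes
# Verify the server certificate against a CA (or the server's own self-signed cert).
# The page's client has no verify line, so stunnel accepts ANY certificate.
verify  = 2
CAfile  = /etc/stunnel/ldap-ca.pem
[ldap]
# Loopback only: the page's "accept = 389" binds all interfaces and relays
# clear-text LDAP from the whole LAN into the tunnel.
accept  = 127.0.0.1:389
connect = 192.168.0.1:636

# ---- /etc/stunnel/stunnel.conf on the LDAP SERVER 192.168.0.1 (added example) ----
chroot  = /var/lib/stunnel/
pid     = /stunnel.pid
setuid  = stunnel
setgid  = stunnel
debug   = 5
output  = /var/log/stunnel.log
client  = no
# Server mode needs the generated certificate; the page leaves these commented out.
# Keep the file readable by the stunnel user only (mode 0600).
cert    = /etc/stunnel/stunnel.pem
key     = /etc/stunnel/stunnel.pem
[ldap]
accept  = 636
connect = 127.0.0.1:389
```

With the client side on loopback, /etc/openldap/ldap.conf on each client should say `HOST 127.0.0.1` instead of the server address, so nss_ldap and pam_ldap go through the tunnel. On the server, start slapd listening on loopback only (`slapd -h ldap://127.0.0.1/`), otherwise the plain port 389 stays reachable and the tunnel is optional rather than enforced.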