LDAP (Lightweight Directory Access Protocol) allows for central user, group, domain, authentication, and information storage.
Using LDAP on your network allows your users to authenticate from any server that is set up to access it. This tutorial is split into two parts: part one covers the LDAP server installation, and part two the LDAP client setup. I set up the LDAP server with the IP address 192.168.1.5, and the client machines can resolve the name ldap to 192.168.1.5. I will be using Ubuntu for both client and server.
1. Server setup
1.1 Software installation
Package installation
# apt-get install slapd ldap-utils migrationtools
Answer the installer's questions, then reconfigure slapd so that dpkg asks us the remaining ones:
# dpkg-reconfigure slapd
Here are the options we want to choose.
Omit OpenLDAP server configuration? … No
DNS domain name: … domain.com
Name of your organization: … Company Name
Admin Password: XXXXX
Confirm Password: XXXXX
OK
BDB
Do you want your database to be removed when slapd is purged? … No
Move old database? … Yes
Allow LDAPv2 Protocol? … No
You now have your domain set up and an administrator user, "admin".
Check your access to the LDAP server with the following command:
#ldapsearch -x -b dc=domain,dc=com
If you get an error message like:
ldap_bind: Can’t contact LDAP server (-1)
Most likely you haven't started slapd yet; run the following command to start it:
#/etc/init.d/slapd start
It is now time to convert your users and populate your database.
1.2 Database population
The migrationtools scripts let you quickly import all existing users and groups from the local system into LDAP.
#cd /usr/share/migrationtools/
Use your favorite editor to edit migrate_common.ph and set the following parameters:
$DEFAULT_MAIL_DOMAIN = "domain.com";
$DEFAULT_BASE = "dc=domain,dc=com";
Convert the group and passwd files to LDIF:
# ./migrate_group.pl /etc/group ~/group.ldif
# ./migrate_passwd.pl /etc/passwd ~/passwd.ldif
Unfortunately, the scripts do not create the People and Group nodes, so we need to create them ourselves. To do this, create a file called ~/people_group.ldif with the following content:
dn: ou=People,dc=domain,dc=com
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=domain,dc=com
ou: Group
objectClass: organizationalUnit
Our users and groups are now in LDAP's LDIF format. Let's import them, together with the two containers, into our LDAP database, binding as the admin user created by dpkg-reconfigure:
# cd
# ldapadd -x -W -D "cn=admin,dc=domain,dc=com" -f ~/people_group.ldif
# ldapadd -x -W -D "cn=admin,dc=domain,dc=com" -f ~/group.ldif
# ldapadd -x -W -D "cn=admin,dc=domain,dc=com" -f ~/passwd.ldif
Explanation
* -x: use simple authentication instead of SASL
* -W: prompt for the bind password
* -D: the DN to bind as, here the administrator
* -f: the file from which ldapadd reads the entries to add
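The population step fails with "no such object" when the DNs in the migrated LDIF do not sit under the base DN that dpkg-reconfigure built from the DNS domain name. The following added example (my own code, not part of migrationtools or slapd) derives that base DN, generates the two missing ou entries, and checks every dn: in an LDIF against the base before it is handed to ldapadd; the sample LDIF is constructed.

```python
"""Sanity checks for the database population step of the OpenLDAP setup."""
import re


def domain_to_base_dn(domain: str) -> str:
    """'domain.com' -> 'dc=domain,dc=com', as slapd's debconf step does."""
    labels = [l for l in domain.strip().lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={l}" for l in labels)


def ou_ldif(base_dn: str) -> str:
    """LDIF for the People and Group containers that migrationtools omits.
    Entries are separated by a blank line, as ldapadd requires."""
    entries = []
    for ou in ("People", "Group"):
        entries.append(f"dn: ou={ou},{base_dn}\nou: {ou}\n"
                       f"objectClass: organizationalUnit\n")
    return "\n".join(entries)


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and drop spaces around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dns_outside_base(ldif: str, base_dn: str) -> list:
    """Return every 'dn:' line of the LDIF that is not under base_dn;
    ldapadd would reject each of these with 'no such object'."""
    base = normalize_dn(base_dn)
    bad = []
    for m in re.finditer(r"^dn:\s*(.+)$", ldif, re.MULTILINE):
        dn = normalize_dn(m.group(1))
        if not (dn == base or dn.endswith("," + base)):
            bad.append(m.group(1).strip())
    return bad


# Constructed sample: one entry uses a suffix that does not match the
# dc=domain,dc=com base the server was configured with.
SAMPLE_LDIF = """dn: ou=People, dc=debuntu, dc=local
ou: People
objectclass: organizationalUnit

dn: ou=Group, dc=domain, dc=com
ou: Group
objectclass: organizationalUnit
"""

if __name__ == "__main__":
    base = domain_to_base_dn("domain.com")
    print(ou_ldif(base))
    for dn in dns_outside_base(SAMPLE_LDIF, base):
        print("not under base, ldapadd will fail:", dn)
```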
The server is now ready to identify your users. Time to set up the clients.
2. Client setup
Each client needs a set of packages. Once you are logged on to one of your clients, install:
#apt-get install libnss-ldap libpam-ldap nscd
LDAP Account for root: cn=admin,dc=domain,dc=com
Password: XXXXX
Make local root database admin: yes
Database require logging in: No
Root login account: cn=admin,dc=domain,dc=com
Root login password: XXXXX
libnss-ldap lets us use LDAP as a naming service, libpam-ldap lets PAM authenticate users against LDAP, and nscd is a passwd, group and host lookup daemon that caches results, so the LDAP server is not queried every time a lookup or authentication has to be done.
Now let's edit the configuration files and make sure they contain the following settings (the two .secret files hold the rootbinddn password in clear text and must stay readable by root only):
#vi /etc/libnss-ldap.conf
host ldap
base dc=domain,dc=com
rootbinddn cn=admin,dc=domain,dc=com
#vi /etc/libnss-ldap.secret
XXXXXX
#vi /etc/pam_ldap.conf
host ldap
base dc=domain,dc=com
rootbinddn cn=admin,dc=domain,dc=com
#vi /etc/pam_ldap.secret
XXXXXX
The PAM configuration files need to be modified as follows:
#vi /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
#if you want user homedir to be created on first login
#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
#vi /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
#vi /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
#vi /etc/pam.d/common-session
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so
Finally, let's edit nsswitch.conf so the system can go from local system lookups to LDAP lookups:
# vim /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
With these settings, a login is first tried against the local system users. If no match is found, authentication is then tried against the LDAP server. You should now be able to log in on any client with the credentials of any LDAP user.
