OpenLDAP
What is required
- OpenLDAP / slapd - LDAP Server
- pam_ldap - For unix password authentication
- nss_ldap - For unix name lookup.
- auth_ldap -
Before you start, here is a script for you.
Install
- OpenLDAP uses slapd, which stands for standalone LDAP daemon.
- ldap-utils is a set of helper tools for working with LDAP.
aptitude install slapd ldap-utils
- Set administrative password for ldap.
- Now we will reconfigure it again so you get familiar with the details. There seems to be a bug in Debian when reconfiguring: it requires deleting the backup copy of the LDAP directory. Details follow.
- Let's reconfigure slapd and give it proper domain names so we are all on the same page:
dpkg-reconfigure slapd
- You can keep all the other settings as default
* Omit OpenLDAP server configuration? No
* DNS domain name: mycompany.com
* Organization name: mycompany.com
* Administrator password: ****
* Database backend to use: HDB (default)
* Do you want the database to be removed when slapd is purged? No
* Allow LDAPv2 protocol? No - It is easy!
Now you have an LDAP daemon working, congratulations. It will accept connections, etc. What needs to happen now is to set up the LDAP structure. Think of it as database tables and columns, but in the LDAP world it is a folder-like structure. Just an FYI: mycompany.com becomes dc=mycompany,dc=com, and admin@mycompany.com becomes cn=admin,dc=mycompany,dc=com.
- You can look at /etc/ldap/slapd.conf for details if you want to educate yourself.
- Start the OpenLDAP daemon:
/etc/init.d/slapd start
- Let's check if we can query the LDAP server:
ldapsearch -x -b dc=mycompany,dc=com
- You should see the entries for "mycompany" and for "admin".
# search result
search: 2
You have a working ldap server.
1. Convert Linux users to LDAP
2. Set up a Linux client to authenticate against LDAP
4. Create a global addressbook
5. Migrate a Windows NT domain to LDAP in a few simple steps
Temporary Debian bug
- Reconfiguring is not working
dpkg-reconfigure slapd
Stopping OpenLDAP: slapd.
Moving old database directory to /var/backups:
Backup path /var/backups/unknown-2.4.11-1.ldapdb exists. Giving up...
* You need to:
rm -r /var/backups/unknown-2.4.11-1.ldapdb/
- And then it works.
dpkg-reconfigure slapd
Stopping OpenLDAP: slapd.
Moving old database directory to /var/backups:
- directory unknown... done.
Creating initial slapd configuration... done.
Creating initial LDAP directory... done.
Starting OpenLDAP: slapd.
- If you don't do that you will get:
ldapadd -x -W -D "cn=admin,dc=mycompany,dc=com" -f directory.ldiff
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
- This will fix the issue.
Authentication
Options for OpenLdap authentication
- Authentication has many options for you to choose from: plain passwords, Kerberos, or some other outside authentication mechanism.
Connect to OpenLDAP
- Let's connect to see what our server has.
- Install luma
aptitude update
aptitude install luma
- Start Luma
luma
Click on Settings
Click on Edit Server List
Click on Add
Type in the server name: Mycompany
- Click on network and type in a hostname then save.
Save and OK
- Click on Choose plugin and click on addressbook, then browser to see who and what is already in.
Simple addressbook
Let's create a simple addressbook, which will take a few seconds. Sample ideas:
- First we create an organizational unit. An organizational unit (ou) is an addressbook, or some other type of unit, that will hold our records.
- Create a file called directory.ldiff and inside put this:
dn: ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organizationalUnit
ou: addressbook
- Above means:
``dn: ou=addressbook, dc=mycompany, dc=com`` - This creates the organizational unit addressbook.mycompany.com.
``objectClass: top`` - Tells it that it's a top-level organizational unit.
``objectClass: organizationalUnit`` - Tells it what type of object it is; in this case it is an organizationalUnit.
``ou: addressbook`` - Again states the name of the ou.
- Now import the file:
ldapadd -x -f directory.ldiff -D "cn=admin,dc=mycompany,dc=com" -W
- Now let's add one more, just to get the hang of adding things and to see where they are placed.
- Comment out the content of directory.ldiff, put this in at the bottom, then import it again:
dn: ou=accounting, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organizationalUnit
ou: accounting
- The reason we need to comment out the previous entries is that if we left them in, ldapadd would say the first entry in the file already exists; it would not add the second one and would stop processing the file. The above created an organizational unit accounting.addressbook.mycompany.com.
- Now let's add our first contact. We create our definition like this. Create contact.ldiff and paste in the code below:
dn: cn=Jane Doe, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jane Doe
gn: Jane
sn: Doe
mail: jane.doe@example.com
physicalDeliveryOfficeName: Conglomo, Inc., Financial Services
postalAddress: PO BOX 55555
organizationName: Conglomo, Inc., Financial Services
street: 123 N. Michigan Ave
l: Baton Rouge
st: LA
postalCode: 70555
telephoneNumber: 555-555-5555
facsimileTelephoneNumber: 555-555-5556
pager: 555-555-5557
mobile: 555-555-5558
homePhone: 555-555-5559
ou: addressbook
- Change what you need to. Here are some definitions of the fields:
The definitions are fairly standard. At the top we see objectClass: person and objectClass: inetOrgPerson, which are among the standard object classes of LDAP. We are not using anything custom; these types already come with LDAP. We are setting some of the attributes of inetOrgPerson:
``cn`` - Common Name
``mail`` - aka email
``street`` - Street address
``st`` - State
``l`` - City
``ou`` - Department, aka the Organizational Unit
``postalCode`` - Zip code
....
- And import it again.
ldapadd -x -f contact.ldiff -D "cn=admin,dc=mycompany,dc=com" -W
- Extra records can be added to the same file as long as a blank line is used to separate each different entry.
- Now you should see it in Luma when you browse.
- Now let's get some details on our options:
Attribute | Object class | Meaning
commonName, cn | person | Individual's full name
givenName, gn | inetOrgPerson | Individual's first name
surname, sn | person | Individual's last name
physicalDeliveryOfficeName | organizationalPerson | Department or delivery office name
mail | inetOrgPerson | Email address
postalAddress | organizationalPerson | Street mailing address
l | organizationalPerson | City
st | organizationalPerson | State
postalCode | organizationalPerson | Postal (ZIP) code
telephoneNumber | organizationalPerson | Work number
facsimileTelephoneNumber | organizationalPerson | Fax number
pager | inetOrgPerson | Pager number
mobile | inetOrgPerson | Mobile phone number
homePhone | inetOrgPerson | Home phone number
More schema definitions can be found here
For example, you could create other structures like the one below; note the difference between ou and o:
dn: ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organizationalUnit
ou: addressbook

#Partners
dn: ou=partners, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organizationalUnit
ou: partners

#xyzAgency
dn: o=xyzAgency, ou=partners, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organization
o: xyzAgency
And add a person like:
dn: cn=John Smith, o=xyzAgency, ou=partners, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Smith
gn: John
sn: Smith
mail: Jsmith@example.com
organizationName: Conglomo, Inc., Financial Services
street: 123 N. Michigan Ave
l: Chicago
o: xyzAgency
st: IL
postalCode: 60645
telephoneNumber: 773-123-5555
facsimileTelephoneNumber: 555-555-5556
pager: 555-555-5557
mobile: 555-555-5558
homePhone: 555-555-5559
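The addressbook entries above, and the ou/o variant just shown, were written by hand. As an added example that is not part of the original page or of OpenLDAP's own tools, the Python below builds the same kind of tree from data: it escapes RDN values per RFC 4514 (so a comma inside an organisation name such as "Conglomo, Inc." cannot be read as a DN separator and land the entry elsewhere in the tree), base64-encodes values that LDIF cannot carry as plain text, and refuses to emit an entry that lacks an attribute its objectClass requires, which slapd would otherwise reject with an objectClassViolation. The base DN dc=mycompany,dc=com comes from the text; the sample entries, the REQUIRED table and all function names are my own.

```python
# Added example (not from the page or from OpenLDAP): build LDIF for an
# address-book tree with RFC 4514 DN escaping and a pre-import check for the
# attributes each objectClass requires. Base DN assumed: dc=mycompany,dc=com.
import base64

BASE_DN = "dc=mycompany,dc=com"

# Characters RFC 4514 requires to be backslash-escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one RDN value so a comma in the data (e.g. "Conglomo, Inc.")
    cannot be read as a DN separator; also escapes a leading '#' and
    leading/trailing spaces as the RFC requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch == "#") or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(*rdns, base: str = BASE_DN) -> str:
    """Join (attribute, value) pairs, most specific first, onto the base DN."""
    return ",".join([f"{attr}={escape_dn_value(val)}" for attr, val in rdns] + [base])


def ldif_line(attr: str, value: str) -> str:
    """Format one attribute line; RFC 2849 needs base64 ('::') when the value is
    not a SAFE-STRING (non-ASCII, leading/trailing space, leading ':' or '<',
    or control characters)."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith((":", "<"))
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


# MUST attributes from the standard schema for the classes used on this page;
# slapd rejects an entry missing one with objectClassViolation (result 65).
REQUIRED = {
    "person": ("sn", "cn"),
    "organizationalUnit": ("ou",),
    "organization": ("o",),
}


def missing_required(entry: dict) -> list:
    """Return the required attributes the entry lacks, in schema order."""
    missing = []
    for oc in entry["objectClass"]:
        for attr in REQUIRED.get(oc, ()):
            if attr not in entry["attrs"] and attr not in missing:
                missing.append(attr)
    return missing


def to_ldif(entries) -> str:
    """Render entries as LDIF with one blank line between entries, which is
    how ldapadd tells them apart; fail early on a schema violation."""
    blocks = []
    for entry in entries:
        bad = missing_required(entry)
        if bad:
            raise ValueError(f"{entry['dn']} lacks required attribute(s): {bad}")
        lines = [f"dn: {entry['dn']}"]
        lines += [f"objectClass: {oc}" for oc in entry["objectClass"]]
        for attr, values in entry["attrs"].items():
            for value in (values if isinstance(values, list) else [values]):
                lines.append(ldif_line(attr, value))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def sample_entries() -> list:
    """Constructed sample: the ou/o tree from the text plus one contact whose
    organisation name contains a comma and so needs escaping in its RDN."""
    org = "Conglomo, Inc."
    return [
        {"dn": build_dn(("ou", "addressbook")),
         "objectClass": ["top", "organizationalUnit"], "attrs": {"ou": "addressbook"}},
        {"dn": build_dn(("ou", "partners"), ("ou", "addressbook")),
         "objectClass": ["top", "organizationalUnit"], "attrs": {"ou": "partners"}},
        {"dn": build_dn(("o", org), ("ou", "partners"), ("ou", "addressbook")),
         "objectClass": ["top", "organization"], "attrs": {"o": org}},
        {"dn": build_dn(("cn", "John Smith"), ("o", org), ("ou", "partners"), ("ou", "addressbook")),
         "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
         "attrs": {"cn": "John Smith", "sn": "Smith", "givenName": "John",
                   "mail": "jsmith@example.com", "o": org,
                   "postalAddress": "PO BOX 55555 $ Chicago, IL 60645",
                   "telephoneNumber": ["773-123-5555", "555-555-5558"]}},
    ]


if __name__ == "__main__":
    print(to_ldif(sample_entries()))
```

Write the output to a file and import it with the same ldapadd command as above; the escaped DN in the output (o=Conglomo\, Inc.) is what ldapsearch will show back, while the o attribute value itself keeps the plain comma.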
Thunderbird
- Mozilla Thunderbird 2.0+ will autocomplete email addresses as soon as you add them to the LDAP directory.
Outlook
- Outlook 2007 is working with this addressbook.
Outlook 2003: outlook and openldap fix from microsoft
Or simply go to the registry and add, under HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Outlook\LDAP, the DWORD DisableVLVBrowsing and set its value to 1. For Outlook 2003 use HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\LDAP.
OpenLdap for User Authentication
Setup_OpenLdap_server.sh
This will install and configure the LDAP server and copy the base settings (users, groups) from your Linux server, so that you can start authenticating clients in 1 min.
http://lucasmanual.com/out/setup_openldap_server.sh
Download it and run. Example:
wget http://lucasmanual.com/out/setup_openldap_server.sh
sh setup_openldap_server.sh
Migrating Unix Accounts to OpenLdap
- Right now the database in LDAP is empty, so we will need to add users, groups, etc.
- We do that using migrationtools, which copies all the information from the file-based system to LDAP.
- Install migrationtools
aptitude install migrationtools
- Let's see what programs are available to us:
ls /usr/share/migrationtools/
migrate_aliases.pl
migrate_all_netinfo_offline.sh
migrate_all_netinfo_online.sh
migrate_all_nis_offline.sh
migrate_all_nis_online.sh
migrate_all_nisplus_offline.sh
migrate_all_nisplus_online.sh
migrate_all_offline.sh
migrate_all_online.sh
migrate_automount.pl
migrate_base.pl
migrate_common.ph
migrate_group.pl
migrate_hosts.pl
migrate_netgroup_byhost.pl
migrate_netgroup_byuser.pl
migrate_netgroup.pl
migrate_networks.pl
migrate_passwd.pl
migrate_profile.pl
migrate_protocols.pl
migrate_rpc.pl
migrate_services.pl
migrate_slapd_conf.pl
- migrate_all_online.sh will run all the scripts.
Before we run it we need to change the domain in migrate_common.ph. By default the file is set to padl.com, so we need to change it to mycompany.com:
cd /usr/share/migrationtools/
vi migrate_common.ph
- Change all the padl to mycompany, or tell the vi editor to do it for you with this command:
:%s/padl/mycompany/gc
And just press y to confirm.
There are 2 more issues we need to take into account: Bug 537406 means we need to add misc.schema to our slapd.conf setup, and if we get an error during the migration we need to restart it with a command that will bypass the error.
- Add this line right below the last include line in /etc/ldap/slapd.conf, and restart slapd.
include /etc/ldap/schema/misc.schema
Let's do our migration to the system, but first check that slapd is running:
ps aux | grep slapd
# You should see:
openldap  3557  0.7  0.9 112236 4808 ?  Ssl  13:42  0:12 /usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf
./migrate_all_online.sh
Enter the X.500 naming context you wish to import into: [dc=mycompany,dc=com]
Enter the hostname of your LDAP server [ldap]: hpdebian
# This is the hostname of the computer you are on. Type in hostname if you are not sure what it is.
Enter the manager DN: [cn=admin,dc=mycompany,dc=com]:
Enter the credentials to bind with:
Do you wish to generate a DUAConfigProfile [yes|no]? no
- If you receive an error like:
adding new entry "cn=ssh,ou=Group,dc=mycompany,dc=com"
adding new entry "cn=lucas,ou=Group,dc=mycompany,dc=com"
adding new entry "cn=openldap,ou=Group,dc=mycompany,dc=com"
adding new entry "cn=localhost,ou=Hosts,dc=mycompany,dc=com"
adding new entry "cn=dellxps.mycompany,ou=Hosts,dc=mycompany,dc=com"
adding new entry "cn=localhost,ou=Hosts,dc=mycompany,dc=com"
ldap_add: Already exists (68)

/usr/bin/ldapadd : returned non-zero exit status: saving failed LDIF to /tmp/nis.ldif.lMsKHTfGYh
- Somehow migrationtools generates the localhost entry twice. This is not a big problem, as we can rerun the script; this time it will continue and skip the errors:
LDAPADD="/usr/bin/ldapadd -c" ./migrate_all_online.sh
[Optional] If you are familiar with the migration and would like to start from scratch, you can reconfigure slapd with dpkg-reconfigure slapd and, when asked, tell it to delete the old database. That way you will start from scratch: it will delete all ldap/slapd databases. You will need to add misc.schema back into the slapd.conf file.
dpkg-reconfigure slapd
[Optional] Don't forget to rm -r /var/backups/unknown-2.4.11-1.ldapdb and reconfigure slapd again if you see that dpkg-reconfigure slapd failed with Giving up...
- Congratulations. Your system was just migrated to an LDAP-based server. Now we just need to set up your system to use LDAP and connect any clients to our LDAP.
- Just to make sure everything is fine, see if you can search for yourself:
ldapsearch -x uid=lucas -b "dc=mycompany,dc=com"
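The following Python is an added illustration of what migrate_passwd.pl and migrate_group.pl do, not the migrationtools code itself: it maps /etc/passwd and /etc/group lines to posixAccount entries under ou=People and posixGroup entries under ou=Group, and drops repeated DNs before the LDIF is written, which is the condition behind the Already exists (68) error above. The base DN is the one used in this manual; the sample lines, the min_uid cut-off that keeps root and daemon accounts local, and the shadow_hash placeholder are constructed for the example.

```python
# Added example (not the migrationtools scripts themselves): turn passwd/group
# style lines into the ou=People / ou=Group entries migrate_passwd.pl and
# migrate_group.pl produce, dropping duplicate DNs before the LDIF is written.
# Base DN dc=mycompany,dc=com is from the text; the input lines, min_uid and
# the shadow_hash placeholder are constructed for this example.

BASE_DN = "dc=mycompany,dc=com"

# Constructed sample input in /etc/passwd and /etc/group format.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "openldap:x:104:109:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false",
    "lucas:x:1000:1000:Lucas Example,,,:/home/lucas:/bin/bash",
]
GROUP_LINES = [
    "ssh:x:103:",
    "lucas:x:1000:",
    "admins:x:20000:lucas",
    "ssh:x:103:",  # repeated line, like the doubled localhost host entry in the text
]


def passwd_to_entry(line: str, base: str = BASE_DN, shadow_hash: str = None) -> dict:
    """One passwd line -> posixAccount entry under ou=People. shadow_hash, if
    given, is the crypt(3) string from /etc/shadow and is stored as
    userPassword: {crypt}<hash>, the way migrationtools does. No sn is set:
    account/posixAccount do not allow it and slapd would reject the entry."""
    name, _pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    full_name = gecos.split(",")[0] or name
    attrs = {
        "uid": name, "cn": full_name,
        "uidNumber": uid, "gidNumber": gid,
        "homeDirectory": home, "loginShell": shell, "gecos": gecos,
    }
    if shadow_hash:
        attrs["userPassword"] = "{crypt}" + shadow_hash
    return {"dn": f"uid={name},ou=People,{base}",
            "objectClass": ["top", "account", "posixAccount", "shadowAccount"],
            "attrs": attrs}


def group_to_entry(line: str, base: str = BASE_DN) -> dict:
    """One group line -> posixGroup entry under ou=Group with memberUid values."""
    name, _pw, gid, members = line.rstrip("\n").split(":")
    attrs = {"cn": name, "gidNumber": gid}
    member_uids = [m for m in members.split(",") if m]
    if member_uids:
        attrs["memberUid"] = member_uids
    return {"dn": f"cn={name},ou=Group,{base}",
            "objectClass": ["top", "posixGroup"], "attrs": attrs}


def dedupe_by_dn(entries: list) -> list:
    """Keep the first entry for each DN so ldapadd does not stop on
    'Already exists (68)' (the reason the text reruns with ldapadd -c)."""
    seen, kept = set(), []
    for entry in entries:
        if entry["dn"] not in seen:
            seen.add(entry["dn"])
            kept.append(entry)
    return kept


def migrate(passwd_lines, group_lines, base: str = BASE_DN, min_uid: int = 1000) -> list:
    """Build the container OUs plus account and group entries. Accounts with
    uidNumber below min_uid (root and daemons) stay local; that cut-off is my
    choice for this example, not a migrationtools default."""
    entries = [
        {"dn": f"ou=People,{base}", "objectClass": ["top", "organizationalUnit"], "attrs": {"ou": "People"}},
        {"dn": f"ou=Group,{base}", "objectClass": ["top", "organizationalUnit"], "attrs": {"ou": "Group"}},
    ]
    for line in passwd_lines:
        entry = passwd_to_entry(line, base)
        if int(entry["attrs"]["uidNumber"]) >= min_uid:
            entries.append(entry)
    entries += [group_to_entry(line, base) for line in group_lines]
    return dedupe_by_dn(entries)


def render_ldif(entries: list) -> str:
    """Plain LDIF, one blank line between entries (values here are ASCII, so
    no base64 handling is needed)."""
    blocks = []
    for entry in entries:
        lines = [f"dn: {entry['dn']}"] + [f"objectClass: {oc}" for oc in entry["objectClass"]]
        for attr, values in entry["attrs"].items():
            lines += [f"{attr}: {v}" for v in (values if isinstance(values, list) else [values])]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(render_ldif(migrate(PASSWD_LINES, GROUP_LINES)))
```

Because duplicates are removed before the import, the file loads with a plain ldapadd; keeping root and the daemon accounts out of the directory means a broken LDAP server still leaves you a local root login, which is also why pam_unix stays in the PAM stacks later on.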
Linux Client Integration with LDAP
- There are a few choices you can make on how to integrate LDAP with Linux.
- Let's do the basics first.
- Install ldap utils
aptitude install ldap-utils
- See if you can connect to the LDAP server. Replace the IP address with yours.
ldapsearch -x -b dc=mycompany,dc=com -h 192.168.1.110
or
ldapsearch -x -b ou=People,dc=mycompany,dc=com -h 192.168.1.110
libnss-ldap
[definition] libpam - The PAM system (Pluggable Authentication Modules) is used for user authentication: checking whether the provided login and password are correct, accomplishing some other tasks, and finally deciding, for example, whether the user may log in or not.
[definition] libnss - This package provides a Name Service Switch that allows your LDAP server to act as a name service. This means providing user account information, group ids, host information, aliases, netgroups, and basically anything else that you would normally get from /etc flat files or NIS. Run "getent passwd" to see some of the information available.
libpam checks whether the user name and password are correct, while libnss looks up the available names.
- Install libnss-ldap. libnss-ldap will let you talk to your LDAP server as if it were the regular /etc folder that contains /etc/passwd, /etc/hosts, /etc/group, etc. In this case LDAP will store all that information.
aptitude install libnss-ldap
- Change the example to your domain name:
LDAP Server Host: 127.0.0.1
DN of Search Base: dc=mycompany,dc=com
LDAP Version: 3
Database requires login: no
Make config readable by owner only: yes
- If at any point you want to reconfigure these settings, or you are getting "nss_ldap: failed to bind to LDAP server", run:
dpkg-reconfigure libnss-ldap
LDAP server Uniform Resource Identifier: ldap://127.0.0.1
Distinguished name of the search base: dc=mycompany,dc=com
LDAP Version to use: [default] 3
Does the LDAP database require login: [default] No
Special LDAP privileges for root: [default] Yes
Make the configuration file readable/writable by its owners only: [default] No
LDAP Account for root: cn=admin,dc=mycompany,dc=com
LDAP Password: ****
- Now, in order for the system to use LDAP, you need to tell it about its existence. We do that in nsswitch.conf. It tells the system to check not only the regular files but also the LDAP server for users, groups, etc.
- Edit the file /etc/nsswitch.conf and add the word ldap at the end so it looks like the following:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
Now that you have told nsswitch to look at LDAP, here is a short list of which parts of your Linux system can be integrated with LDAP. Look at the example file /usr/share/doc/libnss-ldap/examples/nsswitch.ldap to see which services can be backed by LDAP on your system (passwords, groups, networks, protocols, rpc, ethers, ...).
- The change we made to nsswitch will allow you to search the ldap now.
- Congratulations, your system knows how to talk to LDAP now. Right now the database in LDAP is empty, so we will need to add users, groups, etc. later. For now, see how many groups we have in the original system.
If you run the command getent group, it will search the local database (/etc/passwd) first, then LDAP, based on your nsswitch.conf configuration.
getent group
ssh:x:103:
users:x:20001:
guests:x:20002:
admins:x:20000:
.....
libpam-ldap
- Install libpam-ldap
aptitude install libpam-ldap
- Reconfigure libpam-ldap
dpkg-reconfigure libpam-ldap
vi /etc/ldap/ldap.conf
- Add the URL of the LDAP server:
BASE dc=mycompany,dc=com
URI ldap://ldap.mycompany.com
- Make sure you add ldap.mycompany.com to /etc/hosts like this:
#ipaddress ldap.mycompany.com
#example
192.168.1.110 ldap.mycompany.com
- Edit PAM settings
vi /etc/pam.d/common-account
# Comment out the next line
#account required pam_unix.so
# and add these two
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass

vi /etc/pam.d/common-auth
# from
#auth required pam_unix.so nullok_secure
# to
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

vi /etc/pam.d/common-password
# from
#password required pam_unix.so nullok obscure min=4 max=8 md5
# to
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass

vi /etc/pam.d/common-session
session optional pam_ldap.so
session required pam_unix.so
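The order of those lines is what makes the stacks work: pam_ldap.so is tried first and is sufficient on its own, and pam_unix.so stays as a required fallback so local accounts keep working. To check that the files ended up that way, here is an added Python checker (not from the page or from Linux-PAM). It parses pam.d lines into type, control, module and arguments and flags three things: pam_ldap.so missing or not sufficient; pam_unix.so required ahead of pam_ldap.so (a local-only failure then sinks the whole stack for an LDAP user); and pam_unix.so without use_first_pass/try_first_pass in the auth and password stacks, which makes the user type the password twice. The file contents are constructed copies of the lines shown above; the function names are mine.

```python
# Added example (not from the page or from Linux-PAM): parse the common-*
# stacks edited above and check the layout the text relies on. The file
# contents below are constructed copies of the lines in the text.

COMMON_AUTH = """\
# /etc/pam.d/common-auth as edited in the text (constructed copy)
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
"""
COMMON_ACCOUNT = """\
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass
"""
# Same modules, wrong order and no use_first_pass: a typical mistake.
BROKEN_AUTH = """\
auth required pam_unix.so nullok_secure
auth sufficient pam_ldap.so
"""


def parse_stack(text: str) -> list:
    """Split a pam.d file into {type, control, module, args} rules,
    ignoring comments and blank lines. Bracketed control syntax is not
    handled here and is reported instead of being misread."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1].startswith("["):
            raise ValueError(f"unsupported PAM line: {raw!r}")
        rules.append({"type": fields[0], "control": fields[1],
                      "module": fields[2], "args": fields[3:]})
    return rules


def check_stack(rules: list, facility: str) -> list:
    """Return a list of problems; an empty list means the stack matches the
    layout used in the text for that facility (auth/account/password/session)."""
    stack = [r for r in rules if r["type"] == facility]
    modules = [r["module"] for r in stack]
    if "pam_ldap.so" not in modules:
        return [f"{facility}: pam_ldap.so is not in the stack, LDAP users cannot pass"]
    if "pam_unix.so" not in modules:
        return [f"{facility}: pam_unix.so is not in the stack, local accounts (root) would break"]
    problems = []
    ldap_i, unix_i = modules.index("pam_ldap.so"), modules.index("pam_unix.so")
    # session uses 'optional' in the text; every other facility uses 'sufficient'
    if facility != "session" and stack[ldap_i]["control"] != "sufficient":
        problems.append(f"{facility}: pam_ldap.so should be 'sufficient', found '{stack[ldap_i]['control']}'")
    # A 'required' module records its failure and the stack fails overall,
    # even if a later 'sufficient' module succeeds.
    if ldap_i > unix_i and stack[unix_i]["control"] == "required":
        problems.append(f"{facility}: pam_unix.so ('required') runs before pam_ldap.so, "
                        "so its failure for an LDAP-only user makes the whole stack fail")
    if facility in ("auth", "password") and not (
            {"use_first_pass", "try_first_pass"} & set(stack[unix_i]["args"])):
        problems.append(f"{facility}: pam_unix.so lacks use_first_pass, "
                        "the user is prompted for the password twice")
    return problems


def check_files(files: dict) -> dict:
    """files maps a facility name to that file's text; returns facility -> problems."""
    return {facility: check_stack(parse_stack(text), facility)
            for facility, text in files.items()}


if __name__ == "__main__":
    for facility, problems in check_files({"auth": COMMON_AUTH, "account": COMMON_ACCOUNT}).items():
        print(facility, "OK" if not problems else problems)
    print(check_stack(parse_stack(BROKEN_AUTH), "auth"))
```

On a real box, read each /etc/pam.d/common-* file into the dict passed to check_files; an empty problem list for auth and account is the state the rest of this manual assumes.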
Troubleshooting
result: 32 No such object
Error:
ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
FIX
ldapsearch -x -b "dc=mycompany,dc=com"
.........
result: 4 Size limit exceeded

# numResponses: 501
# numEntries: 500
Ldap Editors
[Optional][Not used in this manual] ldapvi - There is also another vi-based LDAP browser that allows you to change LDAP.
aptitude install ldapvi
# Then, to use it:
ldapvi -D "cn=admin,dc=mycompany,dc=com"