LDAP Service

apt-get install slapd ldap-utils

You can configure slapd with dpkg-reconfigure slapd and create the initial database.

  • DNS domain name (will be separated into dc=example,dc=net)
  • Organization (will be the ou= field of the base record)
  • Password (for the database - not for cn=config itself; the crypt salts shown here are all for 1234 - use another one!)
  • Backend HDB
  • Allow LDAPv2 (enter NO)

With squeeze the configuration of ldap has moved from the file /etc/ldap/slapd.conf to a directory-based configuration. One of the challenges at the beginning is to get access to the config directory with base cn=config. To do so we create an ldif file (e.g. db.ldiff)

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}sgCbYZK3TFhp3Q9KtKDl/kKTwrBodUP

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

What we do is give the user cn=admin,cn=config the password 1234. Of course you want to choose a really strong password and create an {SSHA} crypt with slappasswd. Replace olcRootPW with this crypt and then load this file into ldap with

  ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldiff

I like to edit my ldap tree with the tool ldapvi

apt-get install ldapvi

We can edit the cn=config tree by binding as cn=admin,cn=config with the password we inserted above

ldapvi -h ldap://localhost -D cn=admin,cn=config -b cn=config

Now we modify the index to improve access times (cited from the debian wiki) and therefore we add

?? olcDatabase={1}hdb,cn=config
olcDbIndex: cn,sn,uid,displayName pres,sub,eq
olcDbIndex: default sub
olcDbIndex: mail,givenName eq,subinitial
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber,dc eq

With the new config system a background process should rebuild the index, so we do not have to call slapindex. Further we need an additional schema for postfix (download the appropriate ldiff file), which we will already add here.

ldapadd -D cn=admin,cn=config -W -f postfix.schema.ldiff

Let us add our first user entry. We can once again use ldapvi for editing.

ldapvi -d -h ldap://localhost -D cn=admin,dc=example,dc=net

First we have to add an organizational unit to store all the users we will add in future. We could name this people if we want to. We also add an ou for all the groups we want to add, and I'll call it groups.

add ou=groups,dc=example,dc=net
ou: groups
objectClass: top
objectClass: organizationalUnit

add ou=people,dc=example,dc=net
ou: people
objectClass: top
objectClass: organizationalUnit

add cn=users,ou=groups,dc=example,dc=net
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 100
memberUid: mueli

add cn=Michael Hammer,ou=people,dc=example,dc=net
givenName: Michael
sn: Hammer
cn: Michael Hammer
uid: mueli
uidNumber: 1234567
gidNumber: 1234567
homeDirectory: /home/mueli
loginShell: /bin/zsh
maildrop: michael@example.net
mailbox: /var/vmail/example.net/michael
associatedDomain: example.net
objectClass: domainRelatedObject
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: posixAccount
objectClass: top
mail: mail@example.net
mail: postmaster@example.net
userPassword: {SSHA}sgCbYZK3TFhp3Q9KtKDl/kKTwrBodUP

As we are adding the group users in ldap we have to remove it from the client's local file database

groupdel users

Naming Service and Authentication

Now we should be able to use this content for the naming service.

apt-get install libnss-ldap libpam-ldap

Now we have to configure libnss-ldap to find the content inside the ldap server. A few config options have already been set through debconf, but here is the whole config file

base dc=example,dc=net
uri ldap://localhost
ldap_version 3

scope one

timelimit 3
bind_timelimit 3

pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid

pam_min_uid 1000
pam_max_uid 5000
pam_password exop

nss_base_passwd         ou=people,dc=example,dc=net
nss_base_shadow         ou=people,dc=example,dc=net
nss_base_group          ou=groups,dc=example,dc=net

The last step is to configure the naming system to use libnss-ldap, which is done through /etc/nsswitch.conf

passwd:         files ldap
group:          files ldap
shadow:         files ldap

Now we can test the configuration

/etc/init.d/nscd restart
getent passwd
getent group
getent group users
