LDAP Service
apt-get install slapd ldap-utils
You can configure slapd with dpkg-reconfigure slapd and create the initial database. The debconf questions are:

- DNS domain name (will be separated to dc=example,dc=net)
- Organization (will be the ou= field of the base record)
- Password (for the database, not for cn=config itself; the crypt hashes shown here are all for 1234 - use another one!)
- Backend: HDB
- Allow LDAPv2: enter NO
With squeeze the configuration of ldap has moved from the file /etc/ldap/slapd.conf to a directory based configuration. One of the challenges at the beginning is to get access to the config directory with base cn=config. To do so we create an LDIF file (e.g. db.ldiff):

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}sgCbYZK3TFhp3Q9KtKDl/kKTwrBodUP

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

What this does is give the user cn=admin,cn=config the password 1234 and delete the olcAccess rules of the frontend and of the config database. Of course you want to choose a really strong password and create a {SSHA} hash of it with slappasswd. Replace olcRootPW with this hash and then load the file into ldap with

ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldiff
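Since every hash on this page (the olcRootPW above and the userPassword of the user entry further down) is for the placeholder 1234, here is an added Python example, not code from the original page, that builds an {SSHA} value the way slappasswd does (base64 of sha1(password || salt) followed by the 4-byte salt) and scans an LDIF text for password attributes that still verify against a placeholder. The LDIF it is fed is constructed; the function names are my own.

```python
import base64
import hashlib
import secrets
from typing import List, Optional, Tuple

# slappasswd -h {SSHA} stores base64(sha1(password || salt) || salt),
# with a 4-byte random salt by default.
PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value the way slappasswd does; salt is random unless given."""
    if salt is None:
        salt = secrets.token_bytes(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a password against an olcRootPW / userPassword value in {SSHA} form."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64 matches nothing
        return False
    if len(raw) <= DIGEST_LEN:  # needs a full digest plus at least one salt byte
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


def find_placeholder_hashes(ldif_text: str,
                            placeholders: Tuple[str, ...] = ("1234",)) -> List[Tuple[str, str]]:
    """Walk an LDIF text and report (dn, attribute) pairs whose {SSHA} value
    still matches one of the placeholder passwords (1234 on this page)."""
    hits: List[Tuple[str, str]] = []
    dn = "?"
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith(("olcRootPW: ", "userPassword: ")):
            attr, value = line.split(": ", 1)
            value = value.strip()
            if value.startswith(PREFIX) and any(verify_ssha(value, p) for p in placeholders):
                hits.append((dn, attr))
    return hits
```

Run find_placeholder_hashes over db.ldiff and the user LDIF before loading them; anything it reports still carries the placeholder password.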
I like to edit my ldap tree with the tool ldapvi:

apt-get install ldapvi

We can edit the cn=config tree by binding as cn=admin,cn=config with the password we set above:

ldapvi -h ldap://localhost -D cn=admin,cn=config -b cn=config
Now we modify the indexes to improve access times (cited from the Debian wiki). For that we add the following attributes to the entry olcDatabase={1}hdb,cn=config:

olcDbIndex: cn,sn,uid,displayName pres,sub,eq
olcDbIndex: default sub
olcDbIndex: mail,givenName eq,subinitial
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber,dc eq

With the new config system a background process should rebuild the index, so we do not have to run slapindex. Further we need an additional schema for postfix (download the appropriate ldiff file), which we will already add here:

ldapadd -D cn=admin,cn=config -W -f postfix.schema.ldiff
Let us add our first user entry. We can once again use ldapvi for editing:

ldapvi -d -h ldap://localhost -D cn=admin,dc=example,dc=net

First we have to add an organizational unit to store all the users we will add in future. We could name this people if we want to. We also add an ou for all the groups we want to add, and I'll call it groups.

add ou=groups,dc=example,dc=net
ou: groups
objectClass: top
objectClass: organizationalUnit

add ou=people,dc=example,dc=net
ou: people
objectClass: top
objectClass: organizationalUnit

add cn=users,ou=groups,dc=example,dc=net
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 100
memberUid: mueli

add cn=Michael Hammer,ou=people,dc=example,dc=net
givenName: Michael
sn: Hammer
cn: Michael Hammer
uid: huhu
uidNumber: 1234567
gidNumber: 1234567
homeDirectory: /home/mueli
loginShell: /bin/zsh
maildrop: michael@example.net
mailbox: /var/vmail/example.net/michael
associatedDomain: example.net
objectClass: domainRelatedObject
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: posixAccount
objectClass: top
mail: mail@example.net
mail: postmaster@example.net
userPassword: {SSHA}sgCbYZK3TFhp3Q9KtKDl/kKTwrBodUP

As we are adding the group users in ldap, we have to remove it from the client's file database:

groupdel users
Naming Service and Authentication
Now we should be able to use this content for the naming service.

apt-get install libnss-ldap libpam-ldap

Now we have to configure libnss-ldap to find the content inside the ldap server. A few config options have already been set through debconf, but here is the whole config file:

base dc=example,dc=net
uri ldap://localhost
ldap_version 3
scope one
timelimit 3
bind_timelimit 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_min_uid 1000
pam_max_uid 5000
pam_password exop
nss_base_passwd ou=people,dc=example,dc=net
nss_base_shadow ou=people,dc=example,dc=net
nss_base_group ou=groups,dc=example,dc=net

The last step is to configure the naming system to use libnss-ldap, which is done in /etc/nsswitch.conf:

passwd: files ldap
group: files ldap
shadow: files ldap

Now we can test the configuration:

/etc/init.d/nscd restart
getent passwd
getent group
getent group users