apt-get install slapd

If you have configured debconf (dpkg-reconfigure debconf) to ask questions with priorities higher than medium, then you should get asked the following questions:

The main configuration file for the server process is /etc/ldap/slapd.conf, where we should modify the index, so let's add (cited from the Debian wiki):

index   objectClass             eq
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   memberUid               pres,sub,eq
index   default                 sub
index   uid                     eq
index   uniqueMember            eq
index   gidNumber               eq
index   mail,givenName          eq,subinitial
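index   dc                      eq

If you analyze this, you can see that the index is especially suitable if you want to store Unix user information in LDAP, which is what we want. To rebuild the index, stop slapd, run slapindex, and hand the database files back to the openldap user, because slapindex run as root leaves its files owned by root:
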
/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start

I like to edit my LDAP tree with the tool ldapvi:

apt-get install ldapvi

Now we can edit the tree by binding as cn=admin with the password we gave during installation:

ldapvi -d -h ldap://localhost -D cn=admin,dc=example,dc=com

Now let's add our first user entry. To do that, we have to add an organizational unit to store all the users we will add in the future. We could name this people if we want to. I'd also like to add an ou for all the groups we want to add, and I'll call it groups.

add ou=groups,dc=example,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit

add ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

add cn=users,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 100

add cn=Michael Hammer,ou=people,dc=example,dc=com
givenName: Michael
sn: Hammer
cn: Michael Hammer
uid: huhu
uidNumber: 1234567
gidNumber: 1234567
homeDirectory: /home/mueli
loginShell: /bin/zsh
maildrop: michael@derhammer.net
mailbox: /var/vmail/derhammer.net/michael
associatedDomain: derhammer.net
associatedDomain: michael-hammer.at
objectClass: domainRelatedObject
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: posixAccount
objectClass: top
mail: bugs@michael-hammer.at
mail: mail@michael-hammer.at
mail: michael@derhammer.net
mail: postmaster@derhammer.net
mail: postmaster@michael-hammer.at
mail: root@derhammer.net

Now we should be able to use this content for the naming service.

apt-get install libnss-ldap

(Hint: We won't use libpam-ldap because we are authenticating against Kerberos and not LDAP.)

Now we have to configure libnss-ldap to find the content inside the LDAP server. A few config options have already been set through debconf, but here is the whole config file:

base dc=example,dc=com
uri ldap://localhost

ldap_version 3
scope one

pam_filter      objectclass=posixAccount
pam_login_attribute     uid
pam_member_attribute    memberuid

nss_base_passwd     ou=people,dc=example,dc=com
nss_base_shadow     ou=people,dc=example,dc=com
nss_base_group      ou=groups,dc=example,dc=com

suffix          "dc=example,dc=com"

The last step is to configure the naming system to use `libnss-ldap`, which is done through `/etc/nsswitch.conf`:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

Now we can test the configuration:

/etc/init.d/nscd restart
getent passwd
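
With `files` listed before `ldap`, a local account hides an LDAP entry of the same name, and an LDAP entry can also reuse a local UID or point at a GID that no group defines. The following script is an added example, not part of the original tutorial, that flags those cases in passwd-format lines; the function names `audit_ldap_passwd` and `run_sample` are made up here, and every sample account except huhu and the users group (both taken from the entries above) is constructed.

```shell
#!/bin/sh
# Added example: audit the passwd entries that LDAP serves through NSS.
# On a live host the inputs would come from glibc getent:
#   getent -s files passwd ; getent group ; getent -s ldap passwd

audit_ldap_passwd() {    # $1 local passwd, $2 all groups, $3 LDAP passwd
    awk -F: '
        FILENAME == ARGV[1] { lname[$1] = 1; luid[$3] = $1; next }
        FILENAME == ARGV[2] { gid[$3] = 1; next }
        {
            if ($3 == 0)         { print "UID0 " $1 }
            if ($1 in lname)     { print "SHADOWED " $1 }
            else if ($3 in luid) { print "UIDCLASH " $1 " " $3 " " luid[$3] }
            if (!($4 in gid))    { print "NOGROUP " $1 " " $4 }
        }
    ' "$1" "$2" "$3"
}

# Constructed sample data; only huhu and the users group come from the tutorial.
run_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
backup:x:34:
alice:x:1000:
users:*:100:
EOF
    cat > "$d/ldap" <<'EOF'
huhu:x:1234567:1234567:Michael Hammer:/home/mueli:/bin/zsh
backup:x:2001:100:constructed:/home/backup:/bin/sh
toor:x:0:100:constructed:/root:/bin/sh
bob:x:1000:100:constructed:/home/bob:/bin/sh
EOF
    audit_ldap_passwd "$d/local" "$d/group" "$d/ldap"
    rm -rf "$d"
}

run_sample
```

The NOGROUP line for huhu reflects the entries above as written: the user's gidNumber is 1234567, while the only group created is users with gidNumber 100.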