Page created 11:19, 14 March 2016 (18,386 bytes)
Reference: http://www.howtoforge.com/debian-squeeze-ldap-server-with-openldap-and-phpldapadmin

Reference: https://www.youtube.com/watch?v=DM_UQVVVtoY continued https://www.youtube.com/watch?v=kSCx3tzC0cA

Reference: http://askubuntu.com/questions/127389/how-to-configure-ubuntu-as-an-ldap-client

= Installation =
<syntaxhighlight lang="bash">
apt-get update
apt-get upgrade
</syntaxhighlight>

<syntaxhighlight lang="bash">
apt-get install slapd
</syntaxhighlight>
When prompted enter a password for the administrator of the LDAP server.

Next install ldap-utils (the command-line tools used throughout this guide) and phpLDAPadmin. apache2 and PHP are pulled in as dependencies of phpLDAPadmin.
<syntaxhighlight lang="bash">
apt-get install ldap-utils phpldapadmin
</syntaxhighlight>
Open ''/etc/ldap/ldap.conf'' with your favorite editor. This file holds the defaults for libldap clients (ldapsearch, ldapmodify and, on clients, nslcd); slapd itself does not read it.
<syntaxhighlight lang="bash">
pico /etc/ldap/ldap.conf
</syntaxhighlight>
Uncomment '''BASE''' and '''URI''' and set BASE to the suffix you are about to give slapd (dc=burn,dc=net is used throughout this guide):
<syntaxhighlight lang="bash">
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=burn,dc=net
URI ldap://127.0.0.1

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
</syntaxhighlight>
BASE in ldap.conf only tells the client tools where to search; the suffix slapd actually serves is derived from the domain you give dpkg-reconfigure, so run it now with the same domain:
<syntaxhighlight lang="bash">
dpkg-reconfigure slapd
</syntaxhighlight>
Answer '''No''' to "Omit OpenLDAP server configuration?", then type in your domain, e.g. example.com (it becomes the suffix dc=example,dc=com and the admin DN cn=admin,dc=example,dc=com), and accept the recommended settings. The admin password you enter here is the one phpLDAPadmin and ''ldapsearch -D'' will bind with later.

Now open /etc/phpldapadmin/config.php:
<syntaxhighlight lang="bash">
pico /etc/phpldapadmin/config.php
</syntaxhighlight>
The base and the bind DN must both use the suffix slapd serves; a mismatch between them (dc=burn versus dc=burncycl, say) makes the login fail with invalid credentials.
<syntaxhighlight lang="php">
$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','Quorra LDAP Server');
$servers->setValue('server','host','10.1.38.93');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=burn,dc=net'));
$servers->setValue('login','bind_id','cn=admin,dc=burn,dc=net');
</syntaxhighlight>
Your server is now up and running. You should be able to reach phpLDAPadmin at http://10.1.38.93/phpldapadmin and log in as ''cn=admin,dc=burn,dc=net'' with the slapd admin password you entered during installation (phpLDAPadmin has no password of its own). Two things to keep in mind: that page is plain HTTP, so the directory admin password crosses the network in the clear unless you put it behind HTTPS or restrict it to localhost, and port 389 is a plaintext LDAP connection, acceptable only while phpLDAPadmin and slapd live on the same host.

== Modify posixaccount template ==
Modify this template to use '''/home/$username''' as opposed to '''/home/users/$username'''. Additionally, allow '''/bin/bash''' as a shell.

''/etc/phpldapadmin/templates/creation/posixAccount.xml''
<syntaxhighlight lang="xml">
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">

<template>
<askcontainer>1</askcontainer>
<description>New User Account</description>
<icon>ldap-user.png</icon>
<invalid>0</invalid>
<rdn>cn</rdn>
<!--<regexp>^ou=People,o=.*,</regexp>-->
<title>Generic: User Account</title>
<visible>1</visible>

<objectClasses>
<objectClass id="inetOrgPerson"></objectClass>
<objectClass id="posixAccount"></objectClass>
</objectClasses>

<attributes>
<attribute id="givenName">
<display>First name</display>
<icon>ldap-uid.png</icon>
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
<order>1</order>
<page>1</page>
</attribute>
<attribute id="sn">
<display>Last name</display>
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
<!-- <onchange>=autoFill(homeDirectory;/home/%uid|0-1/l%/%uid%)</onchange> -->
<order>2</order>
<page>1</page>
</attribute>
<attribute id="cn">
<display>Common Name</display>
<order>3</order>
<page>1</page>
</attribute>
<attribute id="uid">
<display>User ID</display>
<onchange>=autoFill(homeDirectory;/home/%uid%)</onchange>
<order>4</order>
<page>1</page>
<spacer>1</spacer>
</attribute>
<attribute id="homeDirectory">
<display>Home directory</display>
<!-- <onchange>=autoFill(homeDirectory;/home/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
<order>8</order>
<page>1</page>
</attribute>
<attribute id="uidNumber">
<display>UID Number</display>
<icon>terminal.png</icon>
<order>6</order>
<page>1</page>
<readonly>1</readonly>
<value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
<attribute id="gidNumber">
<display>GID Number</display>
<!-- <onchange>=autoFill(homeDirectory;/home/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
<order>7</order>
<page>1</page>
<value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
</attribute>
<attribute id="loginShell">
<display>Login shell</display>
<order>9</order>
<page>1</page>
<!-- <value><![CDATA[=php.PickList(/;(&(objectClass=posixAccount));loginShell;%loginShell%;;;;loginShell)]]></value> -->
<type>select</type>
<value id="/bin/sh">/bin/sh</value>
<value id="/bin/csh">/bin/csh</value>
<value id="/bin/tsh">/bin/tsh</value>
<value id="/bin/bash">/bin/bash</value>
</attribute>
<attribute id="userPassword">
<display>Password</display>
<!-- <helper>
<display>Encryption</display>
<id>enc</id>
<value>=php.PasswordEncryptionTypes()</value>
</helper> -->
<icon>lock.png</icon>
<order>5</order>
<page>1</page>
<post>=php.PasswordEncrypt(%enc%;%userPassword%)</post>
<spacer>1</spacer>
<verify>1</verify>
</attribute>
</attributes>

</template>
</syntaxhighlight>

== Adding objects People / Groups ==
Open http://10.1.38.93/phpldapadmin (your phpLDAPadmin address) and log in as the admin.

Click '''Create new entry here''' > Click '''Generic: Organization Unit''' > Name the unit ''people'' > Commit

Click '''Create new entry here''' > Click '''Generic: Organization Unit''' > Name the unit ''groups'' > Commit

Click '''ou=groups''' > Click '''Create a child entry''' > Click '''Generic: Posix Group''' > Name the group ''genusers'' for "General users"

Click '''ou=people''' > Click '''Create a child entry''' > Click '''Generic: User Account''' > name the user and fill in the relevant fields. '''Be sure to assign the user to the genusers GID''': nslcd on the clients resolves a user's primary group from gidNumber, so a user whose gidNumber matches no posixGroup ends up with an unresolvable group.

= SSL/TLS for OpenLDAP =
Reference: http://rogermoffatt.com/2011/08/24/ubuntu-openldap-with-ssltls/

Reference: http://labs.opinsys.com/blog/2010/01/28/setting-up-openldap-on-ubuntu-10-04-lucid-part2/

The references are okay. But, some steps are missing. Hopefully my documentation is more thorough.

== Prerequisites ==
<syntaxhighlight lang="bash">
apt-get update
apt-get upgrade
</syntaxhighlight>
<syntaxhighlight lang="bash">
apt-get install gnutls-bin
</syntaxhighlight>

== Server side configuration ==
=== Generate certificates ===
Debian's slapd is linked against GnuTLS, so this guide uses '''certtool''' (from gnutls-bin) to create the keys and certificates. The files are ordinary PEM and could equally be produced with openssl; certtool is simply the tool that ships with the library slapd uses.

==== Generate CA certs ====
First make a scratch directory for the generated files:
<syntaxhighlight lang="bash">
mkdir -p /root/certs/
</syntaxhighlight>

Generate the CA private key, then a self-signed CA certificate from it:
<syntaxhighlight lang="bash">
certtool --generate-privkey --outfile /etc/ssl/private/ldap-ca-key.pem
</syntaxhighlight>
<syntaxhighlight lang="bash">
certtool --generate-self-signed --load-privkey /etc/ssl/private/ldap-ca-key.pem \
--outfile /root/certs/ldap-ca-cert.pem
</syntaxhighlight>

You'll be asked a series of questions; hitting enter (leaving them blank) is fine for most of them. The important ones are below. For the CA the common name is only a label and does not need to match any hostname; it is the server certificate, generated next, whose name must match what clients connect to. 3650 days gives a CA good for 10 years.
<syntaxhighlight lang="bash">
Common name: ca.edu.example.org
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Will the certificate be used to sign other certificates? (y/N): y
</syntaxhighlight>
Permissions: the CA private key is used only by certtool, when it signs the server certificate in the next step; slapd never reads it. It is the one file that lets anyone mint a certificate every client will trust, so keep it owned by root, mode 0600, and preferably move it off the LDAP server once the server certificate is signed.

The two commands below come from the referenced guides, which keep slapd's own key under ''/etc/ssl/private'' and therefore let the openldap user into the '''ssl-cert''' group. In this guide the server key and certificate are installed under ''/etc/ssl/certs'' owned by openldap (see "Install the certs" below), so these steps are optional; if you do run them, make sure the CA key is not group-readable afterwards, otherwise slapd, and anything that compromises it, can read the CA key. ''/etc/ssl/private'' itself is mode 0710 root:ssl-cert, so get this right.
<syntaxhighlight lang="bash">
adduser openldap ssl-cert
</syntaxhighlight>
If the group isn't '''ssl-cert''' for '''ldap-ca-key.pem''' change the group.
<syntaxhighlight lang="bash">
chgrp ssl-cert /etc/ssl/private/ldap-ca-key.pem
</syntaxhighlight>
Verify the ownership and mode; the CA key should show ''-rw-------'' (0600), never world- or group-readable:
<syntaxhighlight lang="bash">
cd /etc/ssl/private
ls -la
</syntaxhighlight>

==== Generate server certs ====

Next create the server key and a certificate for it, signed by the CA:
<syntaxhighlight lang="bash">
certtool --generate-privkey --outfile /root/certs/ldap-server.key
</syntaxhighlight>
<syntaxhighlight lang="bash">
certtool --generate-certificate --load-privkey /root/certs/ldap-server.key \
--outfile /root/certs/ldap-server.crt --load-ca-certificate /root/certs/ldap-ca-cert.pem \
--load-ca-privkey /etc/ssl/private/ldap-ca-key.pem
</syntaxhighlight>
Again, you'll be asked a series of questions; enter/blank is fine for most. The important ones are below. '''The common name must be the hostname clients will put in their ldaps:// URI''' (ldap.edu.example.org here): with certificate checking enabled (TLS_REQCERT demand, the libldap default) a client compares the name in its URI against the certificate and rejects a mismatch. If some clients will connect by IP address, as the example configs further down do with 10.1.38.93, also give that address at the IP-address prompt so it ends up in the certificate's subjectAltName; otherwise those clients cannot verify the certificate. 3650 days is 10 years.
<syntaxhighlight lang="bash">
Common name: ldap.edu.example.org
The certificate will expire in (days): 3650
Enter a dnsName of the subject of the certificate: ldap.edu.example.org
Enter the IP address of the subject of the certificate: 10.1.38.93
Will the certificate be used for signing (required for TLS)? (y/N): y
Will the certificate be used for encryption (not required for TLS)? (y/N): y
Is this a TLS web server certificate? (y/N): y
</syntaxhighlight>
Install the certificates and the key where slapd can read them. slapd runs as user openldap, so the key must be readable by that user only; the two certificates are public and 0644 would do, but 0600 does no harm:
<syntaxhighlight lang="bash">
install -D -o openldap -g openldap -m 600 /root/certs/ldap-server.crt \
/etc/ssl/certs/ldap-server.crt
install -D -o openldap -g openldap -m 600 /root/certs/ldap-server.key \
/etc/ssl/certs/ldap-server.key
install -D -o openldap -g openldap -m 600 /root/certs/ldap-ca-cert.pem \
/etc/ssl/certs/ldap-ca-cert.pem
</syntaxhighlight>
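The interactive prompts above are hard to repeat exactly, and the IP subjectAltName is easy to forget. The following is an added example, not part of the original guide or of OpenLDAP, that drives certtool from template files instead and then checks the result the way a client with TLS_REQCERT demand would (chain verified against the CA, name and address present in the certificate). The hostname ldap.edu.example.org, the address 10.1.38.93 and the output directory are this guide's values and are assumptions to edit.

```bash
#!/usr/bin/env bash
# Added example: non-interactive CA + server certificate generation with GnuTLS
# certtool, using template files instead of the interactive prompts. Not code from
# the original guide. Hostname, IP and output directory are assumptions; edit them.
set -euo pipefail

# Build a CA and a server certificate under $1 (defaults to a temp dir).
# The server cert carries the hostname and the IP as subjectAltNames, so clients
# can verify it whether their URI uses the name or the address.
make_ldap_certs() {
    local out="${1:-$(mktemp -d)}"
    local host="${2:-ldap.edu.example.org}"   # must match what clients put in URI
    local ip="${3:-10.1.38.93}"               # only needed if clients use ldaps://IP
    mkdir -p "$out"

    cat >"$out/ca.tmpl" <<EOF
cn = "LDAP CA for $host"
expiration_days = 3650
ca
cert_signing_key
EOF
    cat >"$out/server.tmpl" <<EOF
cn = "$host"
dns_name = "$host"
ip_address = "$ip"
expiration_days = 3650
tls_www_server
signing_key
encryption_key
EOF
    # Private keys are written under umask 077 (mode 0600). slapd never needs
    # the CA key; only the server key and the two certificates get installed.
    (umask 077; certtool --generate-privkey --outfile "$out/ldap-ca-key.pem" >/dev/null 2>&1)
    certtool --generate-self-signed --load-privkey "$out/ldap-ca-key.pem" \
        --template "$out/ca.tmpl" --outfile "$out/ldap-ca-cert.pem" >/dev/null 2>&1
    (umask 077; certtool --generate-privkey --outfile "$out/ldap-server.key" >/dev/null 2>&1)
    certtool --generate-certificate --load-privkey "$out/ldap-server.key" \
        --load-ca-certificate "$out/ldap-ca-cert.pem" --load-ca-privkey "$out/ldap-ca-key.pem" \
        --template "$out/server.tmpl" --outfile "$out/ldap-server.crt" >/dev/null 2>&1
    echo "$out"
}

# Check the result the way a client will: the server cert must chain to the CA,
# and the SAN list must contain the name/IP the client puts in its URI.
verify_ldap_certs() {
    local dir="$1" host="$2" ip="$3" info
    certtool --verify --load-ca-certificate "$dir/ldap-ca-cert.pem" \
        --infile "$dir/ldap-server.crt" >/dev/null 2>&1 || return 1
    info=$(certtool -i --infile "$dir/ldap-server.crt")
    grep -qi "dnsname: $host" <<<"$info" || return 1
    grep -qi "ipaddress: $ip" <<<"$info" || return 1
}
```

Run `make_ldap_certs /root/certs` as root, then copy ldap-ca-cert.pem, ldap-server.crt and ldap-server.key into place with the install commands above; the CA key stays in the directory you chose, mode 0600, and can be moved off the box.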

=== Create ldif file ===
Create a suitable ''ssl.ldif'' file for importing into the configuration database.
<syntaxhighlight lang="bash">
pico /etc/ldap/ssl.ldif
</syntaxhighlight>
Contents. The ''changetype: modify'' line makes the intent explicit; note that ''add:'' fails with "attribute exists" if you run the file a second time, so use ''replace:'' instead when rotating certificates:
<syntaxhighlight lang="bash">
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ldap-ca-cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap-server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/ldap-server.key
</syntaxhighlight>

Import ''ssl.ldif'' over the local ldapi socket, authenticating as root through SASL EXTERNAL (no password is involved; slapd maps the connecting uid 0 to the cn=config root):
<syntaxhighlight lang="bash">
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ssl.ldif -v
</syntaxhighlight>
The -v gives verbose output: each change is listed before the ''modifying entry'' line, as in the working run below. If the file is malformed, or slapd rejects a value (the usual case being a key file the openldap user cannot read, which fails TLS initialisation, or an attribute that already exists), ldapmodify prints an error and exits non-zero rather than silently doing nothing. So check the exit status, and then read the three attributes back from cn=config (ldapsearch with -Y EXTERNAL -H ldapi:/// -b cn=config -s base) rather than trusting the summary line.

A working run looks like this:
<syntaxhighlight lang="bash">
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add olcTLSCACertificateFile:
/etc/ssl/certs/ldap-ca-cert.pem
add olcTLSCertificateFile:
/etc/ssl/certs/ldap-server.crt
add olcTLSCertificateKeyFile:
/etc/ssl/certs/ldap-server.key
modifying entry "cn=config"
modify complete
</syntaxhighlight>
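The ''add:'' file above cannot be re-applied once the attributes exist, and the summary line tells you little. The following is an added example, not from the original guide, that applies the same three settings with ''replace:'' so the file is idempotent across certificate rotations, reads cn=config back and checks every value, and finally confirms the openldap user can actually open the files (slapd rejects the change, or fails to start, when it cannot). The paths are the ones installed above; the live functions need root on the LDAP server because they use ldapi:/// with SASL EXTERNAL.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): apply the TLS settings to cn=config
# idempotently and read them back instead of trusting ldapmodify's summary line.
# Paths match the guide; the live checks run as root on the LDAP server.
set -euo pipefail

CA_FILE=/etc/ssl/certs/ldap-ca-cert.pem
CERT_FILE=/etc/ssl/certs/ldap-server.crt
KEY_FILE=/etc/ssl/certs/ldap-server.key

# 'replace:' succeeds whether or not the attribute already exists, so the same
# LDIF can be re-applied after the certificate is rotated.
tls_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $CA_FILE
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $CERT_FILE
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $KEY_FILE
EOF
}

# Apply over the local socket; a non-zero exit here is the real error signal.
apply_tls_config() {
    tls_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Read cn=config as LDIF on stdin; return 0 only if each of the three
# attributes is present exactly once with the expected value.
tls_config_matches() {
    local ldif attr want pair
    ldif=$(cat)
    for pair in "olcTLSCACertificateFile=$CA_FILE" \
                "olcTLSCertificateFile=$CERT_FILE" \
                "olcTLSCertificateKeyFile=$KEY_FILE"; do
        attr=${pair%%=*}; want=${pair#*=}
        [ "$(grep -c "^$attr: " <<<"$ldif")" -eq 1 ] || return 1
        grep -qxF "$attr: $want" <<<"$ldif" || return 1
    done
}

# Live check: values as stored by slapd, and readability as the openldap user,
# which is the identity slapd opens the files with at startup.
check_live_tls_config() {
    ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b cn=config -s base \
        olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile \
        | tls_config_matches || { echo "TLS attributes not set as expected" >&2; return 1; }
    local f
    for f in "$CA_FILE" "$CERT_FILE" "$KEY_FILE"; do
        su -s /bin/sh openldap -c "test -r '$f'" || { echo "openldap cannot read $f" >&2; return 1; }
    done
}
```

Typical use as root: `apply_tls_config && check_live_tls_config`, then `service slapd restart` once the ldaps listener has been added in the next section.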

=== Make OpenLDAP listen on SSL port ===
Modify ''/etc/default/slapd''
<syntaxhighlight lang="bash">
pico /etc/default/slapd
</syntaxhighlight>
Find the line that says
<syntaxhighlight lang="bash">
SLAPD_SERVICES="ldap:/// ldapi:///"
</syntaxhighlight>
Modify it to say
<syntaxhighlight lang="bash">
SLAPD_SERVICES="ldap://10.1.38.93/ ldapi:/// ldaps://10.1.38.93/"
</syntaxhighlight>
This binds the TCP listeners to one address (change it to whatever IP address you're using) and adds ldaps on port 636.

''ldapi://'' is a Unix-domain socket, not a network listener, so it must stay ''ldapi:///'' (or carry a percent-encoded socket path). Writing ''ldapi://10.1.38.93/'' makes slapd create a socket literally named ''10.1.38.93'', which is what the last unix line of the netstat output below shows, and ''ldapmodify -H ldapi:///'' then no longer finds the daemon.

The plaintext ''ldap://'' listener is kept here only because phpLDAPadmin on this host connects to port 389. Once every client uses ldaps (or STARTTLS on 389), drop it, or bind it to 127.0.0.1 and point phpLDAPadmin there: any bind over ldap:// sends the password in the clear.

Restart slapd
<syntaxhighlight lang="bash">
service slapd restart
</syntaxhighlight>
To verify the new configuration
<syntaxhighlight lang="bash">
netstat -nap|grep slapd
</syntaxhighlight>
You should see something like this (note the unix socket entry at the end named ''10.1.38.93'', the symptom of the ldapi mistake described above; with ''ldapi:///'' it is Debian's ''/var/run/slapd/ldapi''):
<syntaxhighlight lang="bash">
root@Quorra:~# netstat -nap|grep slapd
tcp 0 0 10.1.38.93:636 0.0.0.0:* LISTEN 4210/slapd
tcp 0 0 10.1.38.93:389 0.0.0.0:* LISTEN 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.33:38183 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.33:57876 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:60777 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:41237 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:41252 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:43690 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:41238 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:46109 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:38866 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:41254 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:41249 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:60675 ESTABLISHED 4210/slapd
unix 2 [ ACC ] STREAM LISTENING 12661 4210/slapd 10.1.38.93
unix 2 [ ] DGRAM 1928089 4210/slapd
</syntaxhighlight>

== Fix untrusted certificate problem ==
Client tools on the server (ldapsearch, ldapmodify, and phpLDAPadmin if you move it to ldaps) refuse the connection with ''TLS: peer cert untrusted or revoked'' until they are told which CA signed the server certificate. Modify ''/etc/ldap/ldap.conf''
<syntaxhighlight lang="bash">
pico /etc/ldap/ldap.conf
</syntaxhighlight>
Add these lines to your config.
<syntaxhighlight lang="bash">
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT demand
</syntaxhighlight>
The first line points at the CA certificate; that is the actual fix. The second line is the libldap default (a missing or unverifiable certificate aborts the connection) and is spelled out so nobody downgrades it. ''TLS_REQCERT never'' also makes the error go away, but only by accepting any certificate from anyone, so a host impersonating the server collects every bind password. If ''demand'' still fails, the usual cause is that the URI names the server differently from its certificate (IP address versus the CN, or a typo in the CN): fix the URI, or reissue the server certificate with the right name or with the IP as a subjectAltName, and use ''never'' only briefly while debugging.

Example ''/etc/ldap/ldap.conf''
<syntaxhighlight lang="bash">
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=burn,dc=net
# ldaps by IP address only verifies if the server certificate carries
# 10.1.38.93 as an IP subjectAltName; otherwise use the hostname from the CN
URI ldaps://10.1.38.93

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
#TLS_CACERT /root/certs/ca-certificates.crt
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
# demand is the default; never would disable server authentication entirely
TLS_REQCERT demand
</syntaxhighlight>
No slapd restart is needed for this change: ''/etc/ldap/ldap.conf'' is read by the client library when a connection is opened, not by slapd.

== Client side configuration ==
=== Prerequisites ===
<syntaxhighlight lang="bash">
apt-get install libnss-ldapd libpam-ldapd
</syntaxhighlight>
The debconf questions configure ''/etc/nslcd.conf'' (the LDAP lookup daemon), ''/etc/nsswitch.conf'' and the PAM common-* files. Answer them to match your server:

LDAP server URI: '''ldaps://10.1.38.93''' (or ldaps://ldap.edu.example.org if clients resolve the name; whatever you put here must match the server certificate)

LDAP server search base: '''dc=burn,dc=net'''

Check server SSL certificates: '''demand''' (this is nslcd's ''tls_reqcert'' setting; ''never'' makes nslcd trust whichever host answers on that address, and every login's password check goes through it)

Name services to configure: select '''group''', '''passwd''' and '''shadow'''

Override local configuration of /etc/pam.d/common-*? '''Yes''' (this inserts pam_ldap into common-auth, common-account, common-password and common-session)

nslcd verifies the certificate with its own ''tls_cacertfile'' directive, not with ''/etc/ldap/ldap.conf'', so after copying the CA certificate in the next step add ''tls_cacertfile /etc/ssl/certs/ldap-ca-cert.pem'' to ''/etc/nslcd.conf'' and restart nslcd. Until then every lookup fails with a certificate error, which is the correct behaviour.

=== Fetch/Install CA-cert ===
On the client copy ''/etc/ssl/certs/ldap-ca-cert.pem'' from the server to ''/etc/ssl/certs/'' on the client:
<syntaxhighlight lang="bash">
scp -P 32022 root@10.1.38.93:/etc/ssl/certs/ldap-ca-cert.pem /etc/ssl/certs/ldap-ca-cert.pem
</syntaxhighlight>
Modify the IP address (and the SSH port) to match your server. Every client will trust this file, so confirm it is the right certificate: ''certtool -i --infile'' on both ends should print the same fingerprint.

=== Modify client side ldap.conf ===
Then add the following lines in ''/etc/ldap/ldap.conf'' (the client tools and libldap read this file; nslcd has its own copies of these settings in ''/etc/nslcd.conf''):
<syntaxhighlight lang="bash">
pico /etc/ldap/ldap.conf
</syntaxhighlight>
<syntaxhighlight lang="bash">
URI ldaps://10.1.38.93/
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT demand
</syntaxhighlight>
Again, modify the IP address to match your server's IP, and remember that with an IP in the URI the server certificate must carry that IP as a subjectAltName for ''demand'' to pass; otherwise use the hostname from the certificate's CN.

Example client side ''/etc/ldap/ldap.conf''
<syntaxhighlight lang="bash">
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=burn,dc=net
URI ldaps://10.1.38.93

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT demand
</syntaxhighlight>

Two lines in this file decide whether TLS protects anything. '''TLS_CACERT''' must point at the CA certificate you just copied (a commented-out TLS_CACERT means no CA is trusted, and ''demand'' then fails for every server). '''TLS_REQCERT''' must stay at ''demand'': setting it to ''never'' makes the untrusted-certificate error disappear, but then libldap accepts any certificate, including one from a rogue host answering on 10.1.38.93, and hands it the user's bind password. Also note that ''CA_CERTREQ'' is not an ldap.conf directive; libldap ignores unknown keywords silently, so a misspelled directive leaves the default in force without any warning, which is harmless for TLS_REQCERT (the default is demand) but silently fatal for a misspelled TLS_CACERT.
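Both the server-side ldap.conf edit above and this client-side one come down to a handful of directives that are easy to get subtly wrong (a typo'd keyword, a commented-out CA, a plaintext URI). Here is an added example, not part of the original guide, that audits ''/etc/ldap/ldap.conf'' and ''/etc/nslcd.conf'' for exactly those mistakes; the file paths are the Debian defaults and the sample configs in the test are constructed from this guide's values.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: audit the two client-side files
# this page edits, /etc/ldap/ldap.conf (libldap) and /etc/nslcd.conf (nslcd), for
# settings that silently turn off server authentication. Run with --live on a
# client to check both Debian default paths, or pipe a file into audit_ldap_conf.
set -euo pipefail

# Read one config on stdin, print a finding per line prefixed with $1,
# and return the number of findings (0 means the file is clean).
# Directive names are case-insensitive in both files; values are not.
audit_ldap_conf() {
    local label="$1" line key val findings=0
    local reqcert="" cacert="" uri="" ssl=""
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                   # drop comments
        if [ -z "${line//[[:space:]]/}" ]; then continue; fi
        read -r key val <<<"$line"
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case "$key" in
            tls_reqcert)               reqcert=$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]') ;;
            tls_cacert|tls_cacertfile) cacert="$val" ;;
            uri)                       uri="$val" ;;
            ssl)                       ssl="$val" ;;          # nslcd only: off | on | start_tls
            ca_certreq)
                echo "$label: CA_CERTREQ is not a directive and is ignored (TLS_REQCERT was meant)"
                findings=$((findings+1)) ;;
        esac
    done
    case "$reqcert" in
        never|allow)
            echo "$label: TLS_REQCERT $reqcert accepts any certificate, so a spoofed server gets every bind password; use demand"
            findings=$((findings+1)) ;;
        try)
            echo "$label: TLS_REQCERT try still connects when the server sends no certificate; use demand"
            findings=$((findings+1)) ;;
    esac
    if [ -z "$cacert" ]; then
        echo "$label: no TLS_CACERT / tls_cacertfile, so a private CA cannot be verified"
        findings=$((findings+1))
    fi
    case "$uri" in
        ldap://*)
            if [ "$ssl" != "start_tls" ]; then
                echo "$label: URI $uri is plaintext LDAP; use ldaps:// (or 'ssl start_tls' in nslcd.conf)"
                findings=$((findings+1))
            fi ;;
    esac
    return "$findings"
}

# Check the live files on this client; exit status is the total finding count.
audit_client() {
    local total=0 f
    for f in /etc/ldap/ldap.conf /etc/nslcd.conf; do
        [ -r "$f" ] || continue
        audit_ldap_conf "$f" <"$f" || total=$((total + $?))
    done
    return "$total"
}

if [ "${1:-}" = "--live" ]; then audit_client; fi
```

A clean client prints nothing and exits 0; each finding names the file, so the output can go straight into a configuration-management check.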

=== Test the configuration ===
An anonymous search over ldaps, using the URI, base and CA from ldap.conf, exercises exactly the path nslcd takes:
<syntaxhighlight lang="bash">
ldapsearch -x -H ldaps://10.1.38.93 -b dc=burn,dc=net
</syntaxhighlight>
(The older ''-h 10.1.38.93 -ZZ'' form connects to port 389 and upgrades with STARTTLS, failing hard if the upgrade is refused; it only works while the plaintext ldap:// listener is still enabled, so prefer the ldaps URI.) To test an authenticated bind as the admin, with the password prompted for:
<syntaxhighlight lang="bash">
ldapsearch -x -W -D 'cn=admin,dc=burn,dc=net' -b "" -s base
</syntaxhighlight>
or, to list the suffixes the server offers:
<syntaxhighlight lang="bash">
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
</syntaxhighlight>
Finally check that nslcd resolves an LDAP user the way the system will, with ''getent passwd'' followed by the uid of a user created in phpLDAPadmin; if ldapsearch works but getent returns nothing, the problem is in ''/etc/nslcd.conf'' (usually tls_cacertfile or the base), not in TLS.

= Install / Configure NFS remote home directories =
Reference: http://www.cs.wcupa.edu/~rkline/linux/ldap-nfs.html
== Server ==
We are going to make the LDAP server an NFS server and export ''/home'' to the client machines, so a user created in LDAP finds the same home directory on every client. NFS identifies owners by numeric uid/gid only, which is why the uidNumber/gidNumber stored in LDAP must be what both sides use.

On the LDAP server, install the server package:
<syntaxhighlight lang="bash">
apt-get install nfs-kernel-server
</syntaxhighlight>

Modify ''/etc/exports'' to export the home directories to the client network by adding this line. The subnet must be the one your clients are on: the reference used 192.168.122.0/24, while the hosts in this guide live in 10.1.38.0/24 (assumed from the addresses used above); listing the individual client addresses instead of a whole subnet is tighter still.
<syntaxhighlight lang="bash">
/home 10.1.38.0/24(rw,sync,no_subtree_check)
</syntaxhighlight>
''root_squash'' is on by default and should stay on. Keep in mind what NFSv3 with the default ''sec=sys'' security flavour means here: the server believes whatever uid a client sends, so any machine allowed by this line can read or write any user's home directory simply by presenting that user's uidNumber. Restricting the export to known hosts is the minimum; Kerberos (''sec=krb5p'') is the real fix.
Restart the NFS service and verify the exports:
<syntaxhighlight lang="bash">
service nfs-kernel-server restart
exportfs
</syntaxhighlight>
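The exports line is the only access control this setup has, so it is worth checking mechanically. The following is an added example, not from the original guide, that reads an ''/etc/exports'' file and flags the settings that matter for LDAP-managed home directories: wildcard clients, ''no_root_squash'', ''insecure'', and exports still relying on ''sec=sys''. The sample lines in the test are constructed from this guide's values.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: check /etc/exports entries for the
# settings that matter when NFSv3 serves LDAP-managed home directories. With the
# default sec=sys flavour the server trusts whatever uid a client presents, so the
# client list and root squashing are the only controls you have.
set -euo pipefail

# Read an exports file on stdin, print one finding per line, return the count.
audit_exports() {
    local findings=0 line path spec client opts
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                   # drop comments
        if [ -z "${line//[[:space:]]/}" ]; then continue; fi
        # shellcheck disable=SC2086   # word-splitting into path + client specs is intended
        set -- $line
        path="$1"; shift
        for spec in "$@"; do
            client="${spec%%(*}"                             # host, subnet, netgroup or wildcard
            if [ "$client" = "$spec" ]; then opts=""; else opts="${spec#*(}"; opts="${opts%)}"; fi
            case "$client" in
                ""|"*")
                    echo "$path: exported to every host ($spec)"; findings=$((findings+1)) ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    echo "$path: no_root_squash lets root on $client act as root here"; findings=$((findings+1)) ;;
            esac
            case ",$opts," in
                *,insecure,*)
                    echo "$path: insecure accepts requests from unprivileged client ports ($client)"; findings=$((findings+1)) ;;
            esac
            case ",$opts," in
                *,sec=krb5*) ;;   # Kerberos authenticates the user, not a uid on the wire
                *)
                    echo "$path: sec=sys (default) trusts client-supplied uids from $client"; findings=$((findings+1)) ;;
            esac
        done
    done
    return "$findings"
}

if [ "${1:-}" = "--live" ]; then audit_exports </etc/exports; fi
```

Run it with `--live` on the NFS server after editing ''/etc/exports''; the line from this guide produces exactly one finding, the ''sec=sys'' one, which is the reminder that the subnet restriction is all that stands between a client and every home directory.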

== Client ==
Now, the NFS client.

Install the client software:
<syntaxhighlight lang="bash">
apt-get install nfs-common
</syntaxhighlight>
Mount the NFS home directory; change the address to your LDAP/NFS server's. Mount over an empty ''/home'': anything already in the client's local /home is hidden by the mount, not merged.
<syntaxhighlight lang="bash">
mount -o vers=3 10.1.38.93:/home /home
</syntaxhighlight>
Verify the directory mounted
<syntaxhighlight lang="bash">
df -h
ls -l /home
</syntaxhighlight>
Set up the client so that it mounts automatically. Edit ''/etc/fstab'' and add this line at the end:
<syntaxhighlight lang="bash">
10.1.38.93:/home /home nfs nfsvers=3,_netdev 0 0
</syntaxhighlight>
Again, change the address to match your LDAP/NFS server. ''_netdev'' tells the boot scripts to wait for the network before attempting the mount, which matters here because nslcd needs the same network to resolve the users who own those directories.
