OpenLDAP
TODO: Update with TO_WIKI Reference: http://www.howtoforge.com/debian-squeeze-ldap-server-with-openldap-and-phpldapadmin
Reference: https://www.youtube.com/watch?v=DM_UQVVVtoY continued https://www.youtube.com/watch?v=kSCx3tzC0cA
Reference: http://askubuntu.com/questions/127389/how-to-configure-ubuntu-as-an-ldap-client
Installation
apt-get update
apt-get upgrade
apt-get install slapd
When prompted enter a password for the administrator of the LDAP server.
Next install ldap-utils and phpLDAPadmin; apache2 and php are pulled in as well because they are dependencies of phpLDAPadmin.
apt-get install ldap-utils phpldapadmin
Open /etc/ldap/ldap.conf with your favorite editor.
pico /etc/ldap/ldap.conf
Uncomment BASE and URI
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=fyzix,dc=net
URI ldap://127.0.0.1
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
After editing BASE to your own dc= components, run the following command so that slapd's configuration is rebuilt for the new domain:
dpkg-reconfigure slapd
Select NO and follow the guide: type in your domain, e.g. example.com, and choose the recommended settings.
Now open /etc/phpldapadmin/config.php:
pico /etc/phpldapadmin/config.php
$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','Quorra LDAP Server');
$servers->setValue('server','host','10.1.38.93');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=burn,dc=net'));
$servers->setValue('login','bind_id','cn=admin,dc=burncycl,dc=net');
Your server is now up and running. You should be able to reach phpLDAPadmin at http://10.1.38.93/phpldapadmin; log in with the bind DN configured above and the administrator password you set when installing slapd.
Modify posixAccount template
Modify this template so that home directories are created as /home/$username instead of /home/users/$username, and so that /bin/bash is offered as a login shell.
/etc/phpldapadmin/templates/creation/posixAccount.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
<template>
<askcontainer>1</askcontainer>
<description>New User Account</description>
<icon>ldap-user.png</icon>
<invalid>0</invalid>
<rdn>cn</rdn>
<!--<regexp>^ou=People,o=.*,</regexp>-->
<title>Generic: User Account</title>
<visible>1</visible>
<objectClasses>
<objectClass id="inetOrgPerson"></objectClass>
<objectClass id="posixAccount"></objectClass>
</objectClasses>
<attributes>
<attribute id="givenName">
<display>First name</display>
<icon>ldap-uid.png</icon>
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
<order>1</order>
<page>1</page>
</attribute>
<attribute id="sn">
<display>Last name</display>
<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
<!-- <onchange>=autoFill(homeDirectory;/home/%uid|0-1/l%/%uid%)</onchange> -->
<order>2</order>
<page>1</page>
</attribute>
<attribute id="cn">
<display>Common Name</display>
<order>3</order>
<page>1</page>
</attribute>
<attribute id="uid">
<display>User ID</display>
<onchange>=autoFill(homeDirectory;/home/%uid%)</onchange>
<order>4</order>
<page>1</page>
<spacer>1</spacer>
</attribute>
<attribute id="homeDirectory">
<display>Home directory</display>
<!-- <onchange>=autoFill(homeDirectory;/home/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
<order>8</order>
<page>1</page>
</attribute>
<attribute id="uidNumber">
<display>UID Number</display>
<icon>terminal.png</icon>
<order>6</order>
<page>1</page>
<readonly>1</readonly>
<value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
<attribute id="gidNumber">
<display>GID Number</display>
<!-- <onchange>=autoFill(homeDirectory;/home/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
<order>7</order>
<page>1</page>
<value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
</attribute>
<attribute id="loginShell">
<display>Login shell</display>
<order>9</order>
<page>1</page>
<!-- <value><![CDATA[=php.PickList(/;(&(objectClass=posixAccount));loginShell;%loginShell%;;;;loginShell)]]></value> -->
<type>select</type>
<value id="/bin/sh">/bin/sh</value>
<value id="/bin/csh">/bin/csh</value>
<value id="/bin/tsh">/bin/tsh</value>
<value id="/bin/bash">/bin/bash</value>
</attribute>
<attribute id="userPassword">
<display>Password</display>
<!-- <helper>
<display>Encryption</display>
<id>enc</id>
<value>=php.PasswordEncryptionTypes()</value>
</helper> -->
<icon>lock.png</icon>
<order>5</order>
<page>1</page>
<post>=php.PasswordEncrypt(%enc%;%userPassword%)</post>
<spacer>1</spacer>
<verify>1</verify>
</attribute>
</attributes>
</template>
Adding objects People / Groups
http://ipaddress_of_phpldapadmin
Click Create new entry here > Click Generic: Organization Unit > Name the unit people > Commit
Click Create new entry here > Click Generic: Organization Unit > Name the unit groups > Commit
Click ou=groups > Click Create a child entry > Click Generic: Posix Group > Name the group genusers for "General users"
Click ou=people > Click Create a child entry > Click Generic: User Account > Name the user and fill in the relevant fields. Be sure to assign the user to the genusers GID.
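The same entries can be created from the command line as LDIF, which makes the provisioning repeatable and reviewable. This is an added example, not part of the original page; it assumes the base DN dc=burn,dc=net and admin DN cn=admin,dc=burn,dc=net used above, and the user name and numeric IDs are constructed sample values.

```shell
# Added example (not from the original page): build the same ou=people, ou=groups,
# genusers and user entries as the phpLDAPadmin clicks above, as LDIF.
# Assumes base DN dc=burn,dc=net and admin DN cn=admin,dc=burn,dc=net from this page;
# the user and the numeric IDs below are constructed sample values.
BASE_DN="dc=burn,dc=net"
ADMIN_DN="cn=admin,$BASE_DN"

# LDIF for the two organizational units and the genusers posixGroup ($1 = gidNumber).
containers_ldif() {
    cat <<EOF
dn: ou=people,$BASE_DN
objectClass: organizationalUnit
ou: people

dn: ou=groups,$BASE_DN
objectClass: organizationalUnit
ou: groups

dn: cn=genusers,ou=groups,$BASE_DN
objectClass: posixGroup
cn: genusers
gidNumber: $1
description: General users
EOF
}
# LDIF for one user, mirroring the edited posixAccount template: cn as RDN,
# uid = first letter of givenName + sn (lowercase), home /home/<uid>,
# /bin/bash, and the genusers GID. $5 is a hash produced by: slappasswd -s '...'
user_ldif() {
    given="$1"; sn="$2"; uidnum="$3"; gid="$4"; pwhash="$5"
    uid=$(printf '%.1s%s' "$given" "$sn" | tr 'A-Z' 'a-z')
    cat <<EOF
dn: cn=$given $sn,ou=people,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
cn: $given $sn
givenName: $given
sn: $sn
uid: $uid
uidNumber: $uidnum
gidNumber: $gid
homeDirectory: /home/$uid
loginShell: /bin/bash
userPassword: $pwhash
EOF
}
# Load over the local socket, binding as admin (ldapadd prompts for the password):
# { containers_ldif 10000; echo; user_ldif John Doe 10001 10000 "$HASH"; } | ldapadd -x -H ldapi:/// -D "$ADMIN_DN" -W
```

Never put a plaintext value in userPassword; feed the {SSHA} hash that slappasswd prints.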
SSL/TLS for OpenLDAP
Reference: http://rogermoffatt.com/2011/08/24/ubuntu-openldap-with-ssltls/
Reference: http://labs.opinsys.com/blog/2010/01/28/setting-up-openldap-on-ubuntu-10-04-lucid-part2/
The references are okay, but some steps are missing. Hopefully my documentation is more thorough.
Prerequisites
apt-get update
apt-get upgrade
apt-get install gnutls-bin
Server side configuration
Generate certificates
OpenLDAP needs certificates in a specific format; use certtool to generate them.
Generate CA certs
First make the temp directory where certs can land.
mkdir -p /root/certs/
The CA key needs to be created and signed:
certtool --generate-privkey --outfile /etc/ssl/private/ldap-ca-key.pem
certtool --generate-self-signed --load-privkey /etc/ssl/private/ldap-ca-key.pem \
--outfile /root/certs/ldap-ca-cert.pem
You'll get asked a bunch of questions. Feel free to hit enter for most of them (i.e. leave them blank). Below are the important answers. Be sure the common name matches the hostname of the OpenLDAP server. This will generate a certificate that is good for 10 years.
Common name: ca.edu.example.org
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Will the certificate be used to sign other certificates? (y/N): y
Fix permissions: the resulting files need to be readable by the openldap user.
To do this, add the openldap user to the ssl-cert group and then ensure the key is owned by the ssl-cert group. Remember that the directory /etc/ssl/private has strict permissions, so you need to get this right.
adduser openldap ssl-cert
If the group of ldap-ca-key.pem isn't ssl-cert, change it:
chgrp ssl-cert /etc/ssl/private/ldap-ca-key.pem
To verify the permissions:
cd /etc/ssl/private
ls -la
Generate server certs
Next create the server key and certificate and sign it:
certtool --generate-privkey --outfile /root/certs/ldap-server.key
certtool --generate-certificate --load-privkey /root/certs/ldap-server.key \
--outfile /root/certs/ldap-server.crt --load-ca-certificate /root/certs/ldap-ca-cert.pem \
--load-ca-privkey /etc/ssl/private/ldap-ca-key.pem
Again, you'll get asked a bunch of questions. Feel free to hit enter for most of them (i.e. leave them blank). Below are the important answers. Be sure the common name matches the hostname of the OpenLDAP server. This will generate a certificate that is good for 10 years.
Common name: ldap.edu.example.org
The certificate will expire in (days): 3650
Will the certificate be used for signing (required for TLS)? (y/N): y
Will the certificate be used for encryption (not required for TLS)? (y/N): y
Install the certs
install -D -o openldap -g openldap -m 600 /root/certs/ldap-server.crt \
/etc/ssl/certs/ldap-server.crt
install -D -o openldap -g openldap -m 600 /root/certs/ldap-server.key \
/etc/ssl/certs/ldap-server.key
install -D -o openldap -g openldap -m 600 /root/certs/ldap-ca-cert.pem \
/etc/ssl/certs/ldap-ca-cert.pem
Create ldif file
Create a suitable ssl.ldif file for importing into the configuration database.
pico /etc/ldap/ssl.ldif
Contents:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ldap-ca-cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap-server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/ldap-server.key
Import ssl.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ssl.ldif -v
The -v gives you verbose output. Make sure that you see the new entries being printed out. If it only says something like:
modifying entry "cn=config"
modify complete
then this DOES NOT mean it has worked. It most likely means the file was not processed because of errors, and no changes have actually been made. You need to see it list the entries it has modified.
For example, this is the output of a working run:
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add olcTLSCACertificateFile:
/etc/ssl/certs/ldap-ca-cert.pem
add olcTLSCertificateFile:
/etc/ssl/certs/ldap-server.crt
add olcTLSCertificateKeyFile:
/etc/ssl/certs/ldap-server.key
modifying entry "cn=config"
modify complete
Make OpenLDAP listen on SSL port
Modify /etc/default/slapd
pico /etc/default/slapd
Find the line that says
SLAPD_SERVICES="ldap:/// ldapi:///"
Modify it to say (ldapi:/// is the local Unix socket, not a TCP listener, so it keeps the bare form; putting an IP there makes slapd create a socket named after the IP instead):
SLAPD_SERVICES="ldap://10.1.38.93/ ldapi:/// ldaps://10.1.38.93/"
I have statically bound slapd to my IP address (change this to whatever IP address you're using). I have also removed the non-secure ldap:///.
Restart slapd
service slapd restart
To verify the new configuration
netstat -nap|grep slapd
You should see something like this:
root@Quorra:~# netstat -nap|grep slapd
tcp 0 0 10.1.38.93:636 0.0.0.0:* LISTEN 4210/slapd
tcp 0 0 10.1.38.93:389 0.0.0.0:* LISTEN 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.33:38183 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.33:57876 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:60777 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:41237 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:41252 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:43690 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:41238 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:46109 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:38866 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:41254 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:41249 ESTABLISHED 4210/slapd
tcp 0 0 10.1.38.93:389 10.1.38.103:60675 ESTABLISHED 4210/slapd
unix 2 [ ACC ] STREAM LISTENING 12661 4210/slapd 10.1.38.93
unix 2 [ ] DGRAM 1928089 4210/slapd
Fix untrusted certificate problem
Modify /etc/ldap/ldap.conf
pico /etc/ldap/ldap.conf
Add these lines to your config:
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT never
The first line points the client at ldap-ca-cert.pem. The second line makes the client accept the server certificate without verifying it, which removes the untrusted certificate error.
Example /etc/ldap/ldap.conf:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=burn,dc=net
URI ldaps://10.1.38.93
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
#TLS_CACERT /root/certs/ca-certificates.crt
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT never
Restart slapd
service slapd restart
Client side configuration
Prerequisites
apt-get install libnss-ldapd libpam-ldapd
When prompted, configure the client to match your server:
LDAP server URI: ldaps://10.1.38.93
LDAP server search base: dc=burn,dc=net
Check server SSL certificates: never
Modify these values to match your configuration.
During installation select ldap for the following NSS services:
group passwd shadow
This automatically configures /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf to work correctly.
When asked whether to override /etc/pam.d/common-*, go ahead and allow it.
Fetch/Install CA-cert
On the client, copy /etc/ssl/certs/ldap-ca-cert.pem from the server into /etc/ssl/certs/:
scp -P 32022 root@10.1.38.93:/etc/ssl/certs/ldap-ca-cert.pem /etc/ssl/certs/ldap-ca-cert.pem
Modify the IP address to match your server's IP.
Modify client side ldap.conf
Then add the following lines to /etc/ldap/ldap.conf:
pico /etc/ldap/ldap.conf
URI ldaps://10.1.38.93/
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT never
Again, modify the IP address to match your server's IP.
Example client side /etc/ldap/ldap.conf with the three lines above applied:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=burn,dc=net
URI ldaps://10.1.38.93/
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT never
The TLS_REQCERT never directive is important.
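TLS_REQCERT never makes the untrusted-certificate error go away by skipping certificate verification altogether, so the client cannot tell the real server from any other ldaps endpoint. Since the CA certificate is copied to the client anyway, the client can verify instead. The following is an added example, not part of the original page: a small audit of the server-side and client-side ldap.conf settings above, with the weak configuration beside a hardened one. It assumes the CA cert sits at /etc/ssl/certs/ldap-ca-cert.pem as above and that the server certificate's common name is ldap.edu.example.org.

```shell
# Added example (not from the original page): check a client ldap.conf for
# the directives that decide whether an ldaps:// connection is verified.
# Assumes the CA cert copied above lives at /etc/ssl/certs/ldap-ca-cert.pem.

# Print one finding per line; return 1 if any finding, 0 if the file is strict.
audit_ldap_conf() {
    conf="$1"; rc=0
    # Directives are case-insensitive; strip comments first so a commented
    # "#TLS_CACERT ..." line does not count as set. Last occurrence wins.
    stripped=$(sed -e 's/#.*//' "$conf")
    uri=$(printf '%s\n' "$stripped" | awk 'toupper($1)=="URI"{print $2}' | tail -n1)
    reqcert=$(printf '%s\n' "$stripped" | awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' | tail -n1)
    cacert=$(printf '%s\n' "$stripped" | awk 'toupper($1)=="TLS_CACERT"{print $2}' | tail -n1)
    case "$uri" in
        ldaps://*) ;;
        *) echo "URI '$uri': not ldaps://, binds travel in clear unless -ZZ is used"; rc=1 ;;
    esac
    case "$reqcert" in
        demand|hard|"") ;;  # unset means the ldap.conf(5) default, demand
        *) echo "TLS_REQCERT $reqcert: the server certificate is not verified"; rc=1 ;;
    esac
    [ -n "$cacert" ] || { echo "TLS_CACERT unset: the CA cannot be checked even with demand"; rc=1; }
    return $rc
}

# Constructed sample 1: the client ldap.conf shown above (TLS_REQCERT never).
weak_conf=$(mktemp)
cat >"$weak_conf" <<'EOF'
BASE dc=burn,dc=net
URI ldap://10.1.38.93
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never
EOF
# Constructed sample 2: the hardened form. The URI uses the name in the
# server certificate's common name, because demand also checks the hostname
# and an IP in the URI will not match a CN of ldap.edu.example.org.
strict_conf=$(mktemp)
cat >"$strict_conf" <<'EOF'
BASE dc=burn,dc=net
URI ldaps://ldap.edu.example.org/
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT demand
EOF

audit_ldap_conf "$weak_conf"   || echo "weak config: fix the findings above"
audit_ldap_conf "$strict_conf" && echo "strict config: ok"
```

With the strict form in place the page's own test, ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts, should still succeed; if it fails with a certificate error, the hostname in the URI or the copied CA file is wrong, which is exactly what never was hiding.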
Test the configuration
ldapsearch -x -h 10.1.38.93 -ZZ -b dc=burn,dc=net
or
ldapsearch -x -W -D 'cn=admin,dc=burn,dc=net' -b "" -s base
or
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
Install / Configure NFS remote home directories
Reference: http://www.cs.wcupa.edu/~rkline/linux/ldap-nfs.html
Server
We are going to make our machine an NFS server and serve the /home directory to the client machine.
On the LDAP server, install the server package:
apt-get install nfs-kernel-server
Modify /etc/exports so the LDAP server exports the home directories to the clients by adding this line:
/home 192.168.122.0/24(rw,sync,no_subtree_check)
Restart the NFS service and verify the exports:
service nfs-kernel-server restart
exportfs
Client
Now, the NFS client.
Install the client software:
apt-get install nfs-common
Mount the home directory exported by the LDAP/NFS server (change the IP address to match your server):
mount -o vers=3 10.1.38.93:/home /home
Verify the directory is mounted:
df -h
ls -l /home
Set up the client so that it mounts automatically. Edit /etc/fstab and add this line at the end:
10.1.38.93:/home /home nfs nfsvers=3 0 0
Again, change the IP address to match that of the LDAP/NFS server.