Wednesday, December 5, 2012

LDAP Server on Ubuntu 10.04 Lucid

PLATFORM:
* Ubuntu Server 10.04 LTS (Lucid)

PREREQUISITES:
* A standard vanilla Ubuntu 10.04 server install.
* An NFS server exporting the users' home directories.

Network overview:
* domain name: irfan.com
* ldap-server: 192.168.0.194

Install The Packages

We want to install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

#sudo apt-get install slapd ldap-utils
Notes:
By default slapd is configured with minimal options needed to run the slapd daemon.

The configuration example in the following sections will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.irfan.com, the default suffix will be dc=irfan,dc=com.

Populating the server
Notes:
OpenLDAP uses a separate directory which contains the cn=config Directory Information Tree (DIT). The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of schema definitions, indexes, ACLs, etc without stopping the service.

The backend cn=config directory has only a minimal configuration and will need additional configuration options in order to populate the frontend directory. The frontend will be populated with a "classical" scheme that will be compatible with address book applications and with Unix Posix accounts. Posix accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc.

* For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details.

* Remember to change dc=irfan,dc=com in the following examples to match your own LDAP configuration.

First, some additional schema files need to be loaded. In a terminal enter:

#sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
#sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
#sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
Next, create an LDIF file

#vi ~/backend.ldif

With the following contents:

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=irfan,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=irfan,dc=com
olcRootPW: mypassword
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=irfan,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=irfan,dc=com" write by * read

* Change olcRootPW: mypassword to a password of your choosing.

* Change dc=irfan,dc=com to suit your own domain details.
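To see what the four olcAccess lines above actually grant, here is an added example (my own Python model, not OpenLDAP code) that replays slapd's first-match evaluation over them; it assumes the bind DN is passed as a string, with None meaning an anonymous bind. It also encodes a caveat worth knowing: the olcRootDN bypasses access control entirely, so the `by dn="cn=admin,..."` clauses never actually fire for that DN, and the `ldapadd -D cn=admin` commands later in the post are not subject to these rules at all.

```python
# Added example (not OpenLDAP code): a simplified model of how slapd evaluates the
# four olcAccess rules in backend.ldif. Rules are tried in order; the first "to"
# clause whose target matches is used, and within it the first matching "by"
# clause decides the access level. Anything not granted is denied.
ADMIN = "cn=admin,dc=irfan,dc=com"
ACLS = [  # (target selector, [(who, level), ...]) in olcAccess order
    ({"attrs": "userPassword"},
     [("dn:" + ADMIN, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ({"attrs": "shadowLastChange"}, [("self", "write"), ("*", "read")]),
    ({"dn.base": ""}, [("*", "read")]),
    ({}, [("dn:" + ADMIN, "write"), ("*", "read")]),  # "to *"
]
# Access levels from weakest to strongest; a grant of level X also satisfies any lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def target_matches(selector, entry_dn, attr):
    if "attrs" in selector:
        return attr is not None and attr.lower() == selector["attrs"].lower()
    if "dn.base" in selector:
        return entry_dn.lower() == selector["dn.base"].lower()
    return True  # "to *" matches every entry and attribute

def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn:"):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    return False

def granted_level(bind_dn, entry_dn, attr, root_dn=ADMIN):
    """Level slapd would grant bind_dn on attr of entry_dn (bind_dn=None means anonymous)."""
    if bind_dn is not None and bind_dn.lower() == root_dn.lower():
        return "write"  # the olcRootDN bypasses access control entirely
    for selector, by_clauses in ACLS:
        if not target_matches(selector, entry_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # "to" matched but no "by" clause did: implicit "by * none"
    return "none"  # no rule matched: slapd's default for non-root binds

def allowed(bind_dn, entry_dn, attr, needed):
    """True if the granted level on (entry_dn, attr) satisfies the level `needed`."""
    return LEVELS.index(granted_level(bind_dn, entry_dn, attr)) >= LEVELS.index(needed)
```

Note that `by anonymous auth` is what lets an unauthenticated client bind as a user (slapd compares the password internally) without ever being able to read the userPassword value, and `by self write` on shadowLastChange is what lets a user's own `passwd` run update that attribute.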

Now add the LDIF to the directory:

#sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

The frontend directory is now ready to be populated. Create a frontend.ldif file

#vi ~/frontend.ldif

Enter the following contents, once again making the necessary changes to suit your own network:

# Create top-level object in domain
dn: dc=irfan,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: irfan
dc: irfan
description: LDAP Server

# Admin user.
dn: cn=admin,dc=irfan,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: mypassword

dn: ou=people,dc=irfan,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=irfan,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=brettg,ou=people,dc=irfan,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: brettg
sn: Glasson
givenName: Brett
cn: Brett Glasson
displayName: Brett Glasson
uidNumber: 1000
gidNumber: 10000
userPassword: mypassword
gecos: Brett Glasson
loginShell: /bin/bash
homeDirectory: /home/brettg
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: brett.glasson@irfan.com
postalCode: 31000
l: Melbourne
o: irfan
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: BG

dn: cn=users,ou=groups,dc=irfan,dc=com
objectClass: posixGroup
cn: users
gidNumber: 10000

Notes:
In this example the directory structure, a user, and a group have been set up. In other examples you might see objectClass: top added to every entry, but that is the default behaviour, so you do not have to add it explicitly.

Add the entries to the LDAP directory:

#sudo ldapadd -x -D cn=admin,dc=irfan,dc=com -W -f frontend.ldif

We can check that the content has been correctly added with the ldapsearch utility. Execute a search of the LDAP directory:

#ldapsearch -xLLL -b "dc=irfan,dc=com" uid=brettg sn givenName cn
#ldapsearch -xLLL -b "dc=irfan,dc=com"

Which should return something like this:

dn: uid=brettg,ou=people,dc=irfan,dc=com
cn: Brett Glasson
sn: Glasson
givenName: Brett
