This guide assumes Ubuntu 12.04 LTS Server is already installed; it should work with any other version with some changes, if any. There is no assurance that it will work for your setup; it worked for me, so I am sharing it.
I have used dc=testlab,dc=dev as my domain, cn=admin,dc=testlab,dc=dev as my ldap admin user, and test as my password throughout this guide; please feel free to change them to your liking.
So let's start. Check the very important /etc/hosts file first: the ldap base DN will be populated from this file, based on its domain name, and if that does not match the DN you use then you will most likely get an "invalid bind credentials" error at the end when you try to bind to ldap.
nano /etc/hosts
Verify the following; please substitute the IP and host/domain name according to your setup.
192.168.1.20 ldap.testlab.dev ldap
Update all packages and install updates, if any
apt-get update && apt-get upgrade -y
The base DN or suffix of the ldap tree will be populated/created based on the domain name specified in the /etc/hosts file; in my case it is testlab.dev.
Let's proceed and install the following required packages
sudo apt-get install slapd ldap-utils -y
The password is test, as I mentioned in the beginning.
Now let's add a logging level for ldap
nano log.ldif
and paste the following into it, then save the file and exit
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats
Add the above ldif file to the ldap database
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f log.ldif
Done, at this point we have a working OpenLDAP server.
Now let's set it up so we can actually use it; here we are going to use it for user authentication.
Install the libnss-ldap package
sudo apt-get install libnss-ldap -y
There will be a few questions here; answer them as follows
ldap://127.0.0.1
dc=testlab,dc=dev
3
Yes
No
cn=admin,dc=testlab,dc=dev
test
If you make a mistake you can try again using
sudo dpkg-reconfigure ldap-auth-config
Now configure the LDAP profile for NSS
sudo auth-client-config -t nss -p lac_ldap
There should not be any errors; if you get some error(s), go back and check your config.
Finally, tell the system to use ldap for authentication. The LDAP option should already be selected; hit the space bar to select it if it is not, and do not uncheck Unix authentication.
sudo pam-auth-update
Optionally, make a few changes to /etc/ldap.conf and copy it over to the /etc/ldap/ directory
nano /etc/ldap.conf
and verify these
host 127.0.0.1
base dc=testlab,dc=dev
uri ldap://127.0.0.1/
rootbinddn cn=admin,dc=testlab,dc=dev
ldap_version 3
bind_policy soft
That is it; we have configured our ldap server successfully and it is ready to authenticate users.
Now let's add some indices to the ldap database to speed up lookups
nano indices.ldif
and paste the following
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq,pres,sub
Now add the above ldif data
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f indices.ldif
Verify new indices
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcDbIndex
You should see all the above indices!
Let's add some objects under our ldap tree using an ldif file; for testing purposes I am going to add only one OU, holding only one user.
nano base.ldif
and paste the following into it, save it and exit
dn: ou=Users,dc=testlab,dc=dev
objectClass: organizationalUnit
ou: Users

dn: uid=rkhan,ou=Users,dc=testlab,dc=dev
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: rkhan
sn: Khan
givenName: Ryaz
cn: Ryaz Khan
displayName: Ryaz Khan
uidNumber: 10000
gidNumber: 10000
userPassword: test
gecos: Ryaz Khan
loginShell: /bin/bash
homeDirectory: /profiles/rkhan
mail: ryaz.khan@live.com
telephoneNumber: 000-000-0000
st: NY
manager: uid=rkhan,ou=Users,dc=testlab,dc=dev
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
title: System Administrator
Now add the above ldif data to the ldap database
ldapadd -x -D cn=admin,dc=testlab,dc=dev -w test -f base.ldif
and again, the password is test
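Before feeding an ldif like the one above to ldapadd, it helps to lint it for the attributes its object classes require, and to notice when userPassword is stored in the clear as it is in the sample user. The following is an added example, not from the original guide; the function name and the sample ldif (an OU plus a user entry that is missing gidNumber) are mine.

```shell
#!/bin/sh
# Added example, not from the guide: lint LDIF entries for the MUST attributes of
# their object classes and flag a cleartext userPassword. Names/samples are mine.
lint_ldif() {
    awk '
    BEGIN {  # MUST attrs per object class (RFC 4519, RFC 2307); direct classes only
        must["person"]             = "sn cn"
        must["posixAccount"]       = "cn uid uidNumber gidNumber homeDirectory"
        must["shadowAccount"]      = "uid"
        must["organizationalUnit"] = "ou"
    }
    function report(   oc, i, n, req, miss) {
        if (dn == "") return
        miss = ""
        for (oc in classes) {
            if (!(oc in must)) continue
            n = split(must[oc], req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in attrs) && !(req[i] in seen)) { seen[req[i]] = 1; miss = miss " " req[i] }
        }
        if (miss != "") { print dn ": MISSING" miss; bad++ } else print dn ": OK"
        # a {SCHEME}hash from slappasswd starts with "{"; anything else is stored in the clear
        if (("userPassword" in attrs) && substr(attrs["userPassword"], 1, 1) != "{") { print dn ": WARNING cleartext userPassword"; bad++ }
        dn = ""; split("", classes); split("", attrs); split("", seen)
    }
    /^$/             { report(); next }
    /^dn: /          { dn = substr($0, 5); next }
    /^objectClass: / { classes[$2] = 1; next }
    { split($0, kv, ": "); attrs[kv[1]] = substr($0, length(kv[1]) + 3) }
    END { report(); exit bad }   # non-zero exit when anything was flagged
    '
}

# Constructed sample: the OU from this guide, then a user entry that is
# missing gidNumber and keeps its password in the clear.
SAMPLE_LDIF="dn: ou=Users,dc=testlab,dc=dev
objectClass: organizationalUnit
ou: Users

dn: uid=rkhan,ou=Users,dc=testlab,dc=dev
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: rkhan
sn: Khan
cn: Ryaz Khan
uidNumber: 10000
userPassword: test
homeDirectory: /profiles/rkhan"
# Usage: lint_ldif < base.ldif   or   printf '%s\n' "$SAMPLE_LDIF" | lint_ldif
```

On the sample it reports the OU as OK, the user as missing gidNumber and as carrying a cleartext password, and exits non-zero.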
Great !
Now we have one user in our ldap database, so let's try the search indices we created earlier
ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=rkhan' uid uidNumber displayName
ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=*kh*' uid uidNumber displayName
ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=*an' uid uidNumber displayName
ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=rk*' uid uidNumber displayName
All of the above queries should retrieve user rkhan from the ldap database
Great !
Now let's test our ldap authentication
ssh rkhan@localhost
I was able to log in to the system as rkhan with ldap credentials, so should you. rkhan might be greeted with an error about the home path not being found; that is because you probably have not created /profiles/rkhan. Remember, we are not using any script to create the user, we are just using ldif, which will not create any directory on the Linux system.
Have fun playing with the LDAP monster, and feel free to ask me any question(s)
Troubleshoot
If you don't set up the /etc/hosts file at the start then you will end up with
ldap_bind: Invalid credentials (49)
By default the ldap tree [base DN] comes from the /etc/hosts file: whatever domain you have there becomes your DN or ldap base tree, and if you don't have any domain in there then your base DN will be nodomain, and that's exactly what happened here. There are two ways I know of to correct this; the first one is easy and a script does the job, the second one is also easy but involves a manual process.
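A quick way to confirm this is the cause before touching either method is to derive the base DN the installer would take from /etc/hosts and compare it with the olcSuffix slapd actually holds. This is an added example, not from the original guide; the function names and the hosts/LDIF samples are mine, and the live check at the bottom uses the same ldapsearch invocation shown earlier for cn=config.

```shell
#!/bin/sh
# Added example (not from the guide): derive the base DN slapd's installer takes
# from the host's domain and compare it with the olcSuffix in cn=config.
# Function names and the hosts/LDIF samples below are mine, so this runs offline.
# testlab.dev -> dc=testlab,dc=dev
domain_to_dn() {
    printf '%s\n' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# Domain part of the name listed for IP $2 in hosts-file text $1, or
# "nodomain" when that name has no dot, which is what slapd falls back to.
hosts_domain() {
    fqdn=$(printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip { print $2; exit }')
    case "$fqdn" in
        *.*) echo "${fqdn#*.}" ;;
        *)   echo nodomain ;;
    esac
}

# olcSuffix value from an LDIF dump of the {1}hdb database entry.
suffix_from_ldif() {
    printf '%s\n' "$1" | awk '/^olcSuffix: / { print $2; exit }'
}

# $1 = hosts text, $2 = server IP, $3 = LDIF from ldapsearch on cn=config.
# Returns 0 when they agree, 1 when a bind as cn=admin,<suffix> is going to fail.
check_suffix() {
    expected=$(domain_to_dn "$(hosts_domain "$1" "$2")")
    actual=$(suffix_from_ldif "$3")
    if [ "$expected" = "$actual" ]; then
        echo "OK: olcSuffix $actual matches the /etc/hosts domain"
        return 0
    fi
    echo "MISMATCH: /etc/hosts implies $expected but slapd has $actual;" \
         "expect 'ldap_bind: Invalid credentials (49)'"
    return 1
}

# Constructed samples.
SAMPLE_HOSTS="127.0.0.1 localhost
192.168.1.20 ldap.testlab.dev ldap"
SAMPLE_HOSTS_BARE="192.168.1.20 ldap"
SAMPLE_CONFIG_OK="dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=testlab,dc=dev"
SAMPLE_CONFIG_BAD="dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=nodomain"

# Live check (root needed for the EXTERNAL bind): check_suffix "$(cat /etc/hosts)" 192.168.1.20 \
#   "$(sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcSuffix)"
```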
Method 1
sudo dpkg-reconfigure slapd
and answer as follows
No
testlab.dev
testlab.dev
test
test
HDB
No
Yes
No
Now try to run
ldapadd -x -D cn=admin,dc=testlab,dc=dev -w test -f base.ldif
Hopefully you will be happy now.
Method 2
nano /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
Change
olcSuffix: dc=nodomain
with
olcSuffix: dc=testlab,dc=dev
Change the dn in the following line; don't change anything else unless you are sure what you are doing
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nodomain" write by * none
with
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=testlab,dc=dev" write by * none
Change
olcRootDN: cn=admin,dc=nodomain
with
olcRootDN: cn=admin,dc=testlab,dc=dev
Remove the existing ldap database (this deletes everything stored in it)
rm /var/lib/ldap/*
Restart ldap
service slapd restart
Add the following to the top of your base.ldif file, otherwise you will get a "no such object (32)" error.
dn: dc=testlab,dc=dev
dc: TESTLAB
objectClass: top
objectClass: domain
Now run the add command again, and hopefully you will be happy
ldapadd -x -D cn=admin,dc=testlab,dc=dev -w test -f base.ldif