Ubuntu 12.04 LTS server and OpenLdap

With the assumption that Ubuntu 12.04 LTS Server is already installed, it should work with any other version with some changes if any. No assurance that it will work for your setup, worked for me so I am sharing it

I have used dc=testlab,dc=dev as my domain, cn=admin,dc=testlab,dc=dev as my ldap admin user, and test as my password throughout this guide, please feel free to change it to your liking

So lets start, check a very important /etc/hosts file since the ldap dn will be populated from this file and would be based on its domain name, and if this does not match the dn then you will possibly get invalid bind credentials error at the end when you will try ldap binding.

nano /etc/hosts

Verify the following, please substitue ip and host/domain name according to your setup.

192.168.1.20   ldap.testlab.dev ldap

Update all packages and install updates if any

apt-get update && apt-get upgrade -y

The base DN or suffix of ldap tree will be populated/created based on the domain name specified in /etc/hosts file, in my case it is testlab.dev
Lets proceed with install and install following required packages

sudo apt-get install slapd ldap-utils -y

the password would test like I mentioned in the beginning
Now lets add some logging level for ldap
nano log.ldif and paste the following in it then save the file and exit out

dn: cn=config changetype: modify add: olcLogLevel olcLogLevel: stats

Add the above ldif file to ldap database

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f log.ldif

Done, at this point we have working OpneLDAP server
Now let set it up so we can actually use it, here we are going to use it for user authentication
Install libnss-ldap package

sudo apt-get install libnss-ldap -y

There would few questions here, answer them like following

ldap://127.0.0.1 dc=testlab,dc=dev 3 Yes No cn=admin,dc=testlab,dc=dev test

If you make a mistake you can try again using

sudo dpkg-reconfigure ldap-auth-config

Now configure the LDAP profile for NSS

sudo auth-client-config -t nss -p lac_ldap

There should not be any error, if you have some error(s) go back and check your config
Finally tell system to use ldap for authentication, the option should be selected already hit space bar to select it if its not already, do not uncheck Unix authentication

sudo pam-auth-update

Optionally, make few change to /etc/ldap.conf and copy it over to /etc/ldap/ directory

nano /etc/ldap.conf

and verify these

host 127.0.0.1 base dc=testlab,dc=dev uri ldap://127.0.0.1/ rootbinddn cn=admin,dc=testlab,dc=dev ldap_version 3 bind_policy soft

That is it, we have configured our ldap server successfully and is ready to authenticate user
Now lets add some indices to ldap database to ease the lookup
nano indices.ldif and paste the following

dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: uid eq,pres,sub

Now add the above ldif data

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f indices.ldif

Verify new indices

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcDbIndex

You should see all above indices !
Let add some objects under our ldap tree using ldif file, for testing purposes I am going to add only one OU to hold and only user
nano base.ldif and paste the following to it, save it and exit out of it

dn: ou=Users,dc=testlab,dc=dev objectClass: organizationalUnit ou: Users  dn: uid=rkhan,ou=Users,dc=testlab,dc=dev objectClass: organizationalPerson objectClass: person objectClass: top objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: rkhan sn: Khan givenName: Ryaz cn: Ryaz Khan displayName: Ryaz Khan uidNumber: 10000 gidNumber: 10000 userPassword: test gecos: Ryaz Khan loginShell: /bin/bash homeDirectory: /profiles/rkhan mail: ryaz.khan@live.com telephoneNumber: 000-000-0000 st: NY manager: uid=rkhan,ou=Users,dc=testlab,dc=dev shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 title: System Administrator

Now add the above ldif data to ldap database

ldapadd -x -D cn=admin,dc=testlab,dc=dev -w test -f base.ldif

and again password is test
Great !
Now we have one user in our ldap database, so lets try the search indices we created earlier

ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=rkhan' uid uidNumber displayName ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=*kh*' uid uidNumber displayName ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=*an' uid uidNumber displayName ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=rk*' uid uidNumber displayName

All above queries should retrieve user rkhan from ldap database
Great !
Now let test our ldap authentication

ssh rkhan@localhost

I was able to login to the system as rkhan with ldap credentials so should you, rkhan might be welcomed with error about home path not found etc.. that is because you probably have not created /profile/rkhan, remember we are not using any script to create user we are just using ldif which will/should not create any directory on Linux system.

Have a fun playing with LDAP monster, feel free to ask me any question(s)

References

LDAP – Ubuntu Official Documentation

Troubleshoot

If you don’t setup the /etc/hosts file in the start then you will endup with

ldap_bind: Invalid credentials (49)

So by default the ldap tree [base DN] comes from /etc/hosts file, whatever domain you have there would be your new DN or ldap base tree, and if you have dont have any domain in there then your base DN would be nodomain and that’s exactly what happened here. There are two ways I know to correct this, first one easy and script does the job, second one is also easy but involved manual process

Method 1

sudo dpkg-reconfigure slapd

And answer like

No testlab.dev testlab.dev test test HDB No Yes No

Now try to run

ldapadd -x -D cn=admin,dc=testlab,dc=dev -w test -f base.ldif

Hopefully you will be happy

Method 2

nano /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif

Change

olcSuffix: dc=nodomain

with

olcSuffix: dc=testlab,dc=dev

Change dn, don’t change anything else unless you sure what you are doing

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou s auth by dn="cn=admin,dc=nodomain" write by * none

with

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou s auth by dn="cn=admin,dc=testlab,dc=dev" write by * none

Change

olcRootDN: cn=admin,dc=nodomain

with

olcRootDN: cn=admin,dc=testlab,dc=dev

Remove existing ldap database

rm /var/lib/ldap/*

Restart ldap

service slapd restart

Add the following to the top your base.ldif file otherwise you will get no such object (32) error.

dn: dc=testlab,dc=dev dc: TESTLAB objectClass: top objectClass: domain

Now run the add command again and hopefully you will by happy

ldapadd -x -D cn=admin,dc=testlab,dc=dev -w test -f base.ldif

关注公众号『窗外天空』

获取更多建站运营运维新知！
互联网创业、前沿技术......