LDAP - Domain Server

==Introduction==
BOSS Server contains the LDAP server used to configure Linux based domain systems.

The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services (a database) over an Internet Protocol (IP) network. LDAP is a lightweight protocol for accessing X.500 directory services through the TCP/IP protocol stack. The LDAP port number is 389.

The main advantages of the LDAP server are

→ It simplifies user administration tasks by managing users in a central directory.

→ It is a client – server technology. (The Linux LDAP client is used for authentication only.)

→ A directory service is a network accessible database.

→ NFS integrated with the LDAP server provides centralized storage on Linux based systems.

→ Samba integrated with the LDAP server provides centralized storage on Linux and Windows based systems.

→ Postfix mail server integrated with the LDAP server provides centralized user authentication and a shared address directory for mail agents.

→ Apache web server integrated with the LDAP server provides centralized user authentication.

[[File:LDAP1.jpg]]
==Directory structure==
An LDAP database stores information on objects in a hierarchical manner. Objects have attributes that contain the information stored about the object. Objects also have classes that define which attributes must and may be stored on the object. Objects in an LDAP database are distinguished by their Distinguished Name (DN), which indicates their place in the hierarchical tree.

The directories that the protocol accesses are based on the X.500 model.

An entry consists of a set of attributes.

An attribute has a name (an attribute type or attribute description) and one or more values. The attributes are defined in a schema.

Each entry has a unique identifier: its Distinguished Name (DN). This consists of its Relative Distinguished Name (RDN), constructed from some attribute(s) in the entry, followed by the parent entry's DN.

Think of the DN as the full file path and the RDN as its relative filename in its parent folder (e.g. if /foo/bar/myfile.txt were the DN, then myfile.txt would be the RDN).

For example, if the parent DN is dc=cdacchennai,dc=in, then an entry with the RDN dc=secondaryserver has the DN dc=secondaryserver,dc=cdacchennai,dc=in, where secondaryserver is a subdomain of the domain dc=cdacchennai,dc=in.

The entry below is written in LDAP Data Interchange Format (LDIF), the format used to load data into the LDAP directory.

dn: cn=Ravi Shankar,dc=example,dc=com
cn: Ravi Shankar
givenName: Ravi
sn: Shankar
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: ravishankar@example.com
manager: cn=admin,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

"dn" is the distinguished name of the entry; it is neither an attribute nor a part of the entry. "cn=Ravi Shankar" is the entry's RDN (Relative Distinguished Name), and "dc=example,dc=com" is the DN of the parent entry, where "dc" denotes 'Domain Component'. The other lines show the attributes in the entry. Attribute names are typically mnemonic strings, like "cn" for common name, "dc" for domain component, "mail" for e-mail address and "sn" for surname. A server holds a subtree starting from a specific entry, e.g. "dc=example,dc=com" and its children.

==LDAP Server Configuration==

The details below describe the configuration of the LDAP server.

Consider that the LDAP server system name (host name) is ldapserver.cdacchennai.in
and the domain name is cdacchennai.in (you have to set up this domain on your DNS server, or you should already have it set up in your LAN).

The LDAP server domain is dc=cdacchennai,dc=in

Users can ping the LDAP server in their LAN with the following command

# ping ldapserver.cdacchennai.in

[[File:LDAP2.jpg]]

The following configuration settings show LDAP server authentication with the BOSS client system.

==1. Installing the LDAP server Packages==

Below are the steps to set up an LDAP server on BOSS Server.

# apt-get install slapd ldap-utils db4.8-util

Enter the LDAP admin password during installation.

Re-enter the same admin password.

This installs the basic LDAP packages on the system.

Testing the initial setup

root@master:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config

Generate the encrypted password for the cdacchennai domain

# slappasswd
New Password: <your-password>
Re-enter New Password: <your-password>
{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Now set the admin password on the config database (this is the password used when binding as cn=admin,cn=config in the checks below) for the domain dc=cdacchennai,dc=in

# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# input follows (set the password generated above for 'olcRootPW')

dn: olcDatabase={0}config,cn=config
add: olcRootPW
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# press 'Ctrl+D' to quit

Create the configuration file

# vi config.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=cdacchennai,dc=in
-
replace: olcRootDN
olcRootDN: cn=admin,dc=cdacchennai,dc=in
-
replace: olcAccess
olcAccess: to attrs=userPassword by dn="cn=admin,dc=cdacchennai,dc=in" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=cdacchennai,dc=in" write by * read
-

The order of the access rules matters: slapd uses the first rule whose "to" clause matches the attribute, so the userPassword rule must stay ahead of the catch-all "to *" rule. In it, "by anonymous auth" lets a client bind with its password without reading the stored hash, "by self write" lets users change their own password, and "by * none" hides the hash from everyone else.

Change the LDAP server configuration settings

# ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"

Testing the LDAP server

# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
<enter the admin password>

It should give the following details

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcLastMod: TRUE
olcRootPW: {SSHA}XXXXXXXXXXZZZZZZZZZZZZZZZ
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcSuffix: dc=cdacchennai,dc=in
olcRootDN: cn=admin,dc=cdacchennai,dc=in
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=cdacchennai,dc=in" write
  by anonymous auth by self write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=admin,dc=cdacchennai,dc=in" write by * read

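A check worth running after the ldapmodify above: the script below (an added example, not part of the original page or of BOSS) parses the olcAccess listing exactly as ldapsearch prints it, continuation lines included, and reports when the userPassword rule is missing, does not end in "by * none", or is ordered after a catch-all "to *" rule. The sample rules embedded in it are constructed from this page's config.ldif.

```shell
#!/bin/bash
# Added example, not from the original page: audit the olcAccess rules of
# olcDatabase={1}hdb. slapd applies the first matching "to" clause, so a
# catch-all "to *" rule placed before the userPassword rule wins, and a
# userPassword rule not ending in "by * none" exposes hashes to any bind.
# Join LDIF continuation lines (leading space) back onto the previous line.
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" } { printf "%s", $0 } END { print "" }'
}

# audit_olcaccess [text]: olcAccess lines from $1 or stdin; 0 = safe, 1 = finding.
audit_olcaccess() {
    local text n=0 pw_rule=-1 catchall=-1 line rule
    text=${1:-$(cat)}
    while IFS= read -r line; do
        case "$line" in olcAccess:*) ;; *) continue ;; esac
        rule=${line#olcAccess: }
        rule=${rule#\{*\}}                 # drop the {n} ordering prefix
        case "$rule" in
            "to attrs=userPassword"*)
                pw_rule=$n
                case "$rule" in
                    *"by * none") ;;
                    *) echo "userPassword rule does not end in 'by * none': $rule"
                       return 1 ;;
                esac ;;
            "to * "*) [ "$catchall" -ge 0 ] || catchall=$n ;;
        esac
        n=$((n + 1))
    done <<EOF
$(printf '%s\n' "$text" | ldif_unfold)
EOF
    [ "$pw_rule" -ge 0 ] || { echo "no rule restricts userPassword"; return 1; }
    if [ "$catchall" -ge 0 ] && [ "$catchall" -lt "$pw_rule" ]; then
        echo "catch-all 'to *' rule (#$catchall) precedes the userPassword rule (#$pw_rule)"
        return 1
    fi
    return 0
}
# Constructed samples: the page's rules as ldapsearch folds them, and a weak variant.
SAFE_ACL='olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=cdacchennai,dc=in" write
  by anonymous auth by self write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=admin,dc=cdacchennai,dc=in" write by * read'
WEAK_ACL='olcAccess: {0}to * by dn="cn=admin,dc=cdacchennai,dc=in" write by * read
olcAccess: {1}to attrs=userPassword by anonymous auth by self write by * none'
audit_olcaccess "$SAFE_ACL" && echo "page ACL: ok"
audit_olcaccess "$WEAK_ACL" || echo "weak ACL: rejected"
```

On the server itself, pipe the live rules in with `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess | audit_olcaccess`.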
==2. Add New Directory to the Domain dc=cdacchennai,dc=in==

Create the file base.ldif

dn: dc=cdacchennai,dc=in
objectClass: top
objectClass: dcObject
objectClass: organization
o: cdacchennai in
dc: cdacchennai
description: LDAP cdacchennai server

dn: ou=people,dc=cdacchennai,dc=in
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=cdacchennai,dc=in
objectClass: organizationalUnit
ou: groups

Add the new directory

# ldapadd -x -D cn=admin,dc=cdacchennai,dc=in -W -f base.ldif
<Enter admin password>

adding new entry "dc=cdacchennai,dc=in"
adding new entry "ou=people,dc=cdacchennai,dc=in"
adding new entry "ou=groups,dc=cdacchennai,dc=in"

==3. Adding existing local users to the LDAP Directory==

Create one or more users on the local system (i.e. the LDAP server) with the following command

# adduser user1

Create the file ldapuser.sh

# vi ldapuser.sh

#!/bin/bash
# Exports local accounts with UID 1000-9999 from /etc/passwd and /etc/shadow
# as LDIF entries under ou=people (run as root, since it reads /etc/shadow).

SUFFIX='dc=cdacchennai,dc=in'
LDIF='ldapuser.ldif'

echo -n > $LDIF
# spaces in the GECOS field are turned into '%' so that each line stays one word
for line in `grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
do
    UID1=`echo $line | cut -d: -f1`
    NAME=`echo $line | cut -d: -f5 | cut -d, -f1`
    if [ ! "$NAME" ]
    then
        NAME=$UID1
    else
        NAME=`echo $NAME | sed -e "s/%/ /g"`
    fi
    SN=`echo $NAME | awk '{print $2}'`
    if [ ! "$SN" ]
    then
        SN=$NAME
    fi
    GIVEN=`echo $NAME | awk '{print $1}'`
    UID2=`echo $line | cut -d: -f3`
    GID=`echo $line | cut -d: -f4`
    # anchor the name with '^' so that user1 does not also match user10
    PASS=`grep "^$UID1:" /etc/shadow | cut -d: -f2`
    SHELL=`echo $line | cut -d: -f7`
    HOME=`echo $line | cut -d: -f6`
    # passwd -S prints: name status lastchange min max warn inactive;
    # the account expiry date is field 8 of /etc/shadow and may be empty
    EXPIRE=`grep "^$UID1:" /etc/shadow | cut -d: -f8`
    INACTIVE=`passwd -S $UID1 | awk '{print $7}'`
    FLAG=`grep "^$UID1:" /etc/shadow | cut -d: -f9`
    if [ ! "$FLAG" ]
    then
        FLAG="0"
    fi
    WARN=`passwd -S $UID1 | awk '{print $6}'`
    MIN=`passwd -S $UID1 | awk '{print $4}'`
    MAX=`passwd -S $UID1 | awk '{print $5}'`
    LAST=`grep "^$UID1:" /etc/shadow | cut -d: -f3`

    echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF
    echo "objectClass: inetOrgPerson" >> $LDIF
    echo "objectClass: posixAccount" >> $LDIF
    echo "objectClass: shadowAccount" >> $LDIF
    echo "uid: $UID1" >> $LDIF
    echo "sn: $SN" >> $LDIF
    echo "givenName: $GIVEN" >> $LDIF
    echo "cn: $NAME" >> $LDIF
    echo "displayName: $NAME" >> $LDIF
    echo "uidNumber: $UID2" >> $LDIF
    echo "gidNumber: $GID" >> $LDIF
    echo "userPassword: {crypt}$PASS" >> $LDIF
    echo "gecos: $NAME" >> $LDIF
    echo "loginShell: $SHELL" >> $LDIF
    echo "homeDirectory: $HOME" >> $LDIF
    # an empty value makes ldapadd reject the entry, so emit it only when set
    if [ "$EXPIRE" ]
    then
        echo "shadowExpire: $EXPIRE" >> $LDIF
    fi
    echo "shadowInactive: $INACTIVE" >> $LDIF
    echo "shadowFlag: $FLAG" >> $LDIF
    echo "shadowWarning: $WARN" >> $LDIF
    echo "shadowMin: $MIN" >> $LDIF
    echo "shadowMax: $MAX" >> $LDIF
    echo "shadowLastChange: $LAST" >> $LDIF
    echo >> $LDIF
done

Now run the script,

# sh ldapuser.sh

Add the users to the LDAP directory

# ldapadd -x -D cn=admin,dc=cdacchennai,dc=in -W -f ldapuser.ldif
<Enter the admin password>

adding new entry "uid=user1,ou=people,dc=cdacchennai,dc=in"
adding new entry "uid=user2,ou=people,dc=cdacchennai,dc=in"

The generated ldapuser.ldif contains the users' password hashes, so keep it readable by root only and remove it once the import has succeeded.

==4. Adding existing local groups to the LDAP Directory==

Create the file ldapgroup.sh

# vi ldapgroup.sh

#!/bin/bash
# Exports local groups with GID 1000-9999 from /etc/group as posixGroup
# entries under ou=groups, one memberUid per member.

SUFFIX='dc=cdacchennai,dc=in'
LDIF='ldapgroup.ldif'

echo -n > $LDIF
for line in `grep "x:[1-9][0-9][0-9][0-9]:" /etc/group`
do
    CN=`echo $line | cut -d: -f1`
    GID=`echo $line | cut -d: -f3`
    echo "dn: cn=$CN,ou=groups,$SUFFIX" >> $LDIF
    echo "objectClass: posixGroup" >> $LDIF
    echo "cn: $CN" >> $LDIF
    echo "gidNumber: $GID" >> $LDIF
    # the fourth field lists the members separated by commas
    users=`echo $line | cut -d: -f4 | sed "s/,/ /g"`
    for user in ${users} ; do
        echo "memberUid: ${user}" >> $LDIF
    done
    echo >> $LDIF
done

Run the script

# sh ldapgroup.sh

Add the groups to the LDAP directory

# ldapadd -x -D cn=admin,dc=cdacchennai,dc=in -W -f ldapgroup.ldif
<Enter the admin password>

adding new entry "cn=user1,ou=groups,dc=cdacchennai,dc=in"

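Before running ldapadd on the files produced by ldapuser.sh and ldapgroup.sh, it pays to check them for the mistakes slapd would otherwise report one entry at a time. The script below is an added example, not code from the original page or from BOSS; the sample LDIF inside it is constructed in the shape the two scripts above emit, and the hash values in it are placeholders.

```shell
#!/bin/bash
# Added example, not from the original page: sanity-check ldapuser.ldif and
# ldapgroup.ldif before ldapadd. slapd rejects an entry with an empty value,
# a non-integer uidNumber/gidNumber/shadow* value or a posixAccount/posixGroup
# lacking a required attribute; check_ldif (stdin) reports those, returns 1.
check_ldif() {
    awk '
    function flush(   i) {              # called at the end of each entry
        if (dn == "") return
        split("", req)
        if (oc ~ / posixAccount( |$)/)
            split("uid uidNumber gidNumber homeDirectory userPassword", req, " ")
        else if (oc ~ / posixGroup( |$)/)
            split("cn gidNumber", req, " ")
        for (i in req) if (!(req[i] in have)) { print dn ": missing " req[i]; bad++ }
        dn = ""; oc = ""; split("", have)
    }
    /^ /    { next }                    # folded continuation line
    /^$/    { flush(); next }           # blank line ends the entry
    /^dn: / { flush(); dn = substr($0, 5); next }
    {
        i = index($0, ":"); name = substr($0, 1, i - 1); val = substr($0, i + 1)
        sub(/^ +/, "", val); have[name] = 1
        if (val == "") { print dn ": empty value for " name; bad++ }
        if (name == "objectClass") oc = oc " " val
        if (name ~ /^(uidNumber|gidNumber|shadow[A-Za-z]+)$/ && val !~ /^-?[0-9]+$/)
            { print dn ": " name " is not an integer: \"" val "\""; bad++ }
        if (name == "userPassword" && substr(val, 1, 1) != "{")
            { print dn ": userPassword has no {scheme} prefix"; bad++ }
    }
    END { flush(); exit (bad > 0) }'
}
# Constructed sample: a valid entry as ldapuser.sh writes it, then a broken
# one (no uidNumber, an empty shadowExpire and a bare password hash).
SAMPLE='dn: uid=user1,ou=people,dc=cdacchennai,dc=in
objectClass: posixAccount
uid: user1
uidNumber: 1001
gidNumber: 1001
userPassword: {crypt}$6$constructedsalt$constructedhash
homeDirectory: /home/user1

dn: uid=user2,ou=people,dc=cdacchennai,dc=in
objectClass: posixAccount
uid: user2
gidNumber: 1002
homeDirectory: /home/user2
userPassword: $6$constructedsalt$constructedhash
shadowExpire: '
printf '%s\n' "$SAMPLE" | check_ldif || echo "fix the LDIF before running ldapadd"
```

Run it on the real files with `check_ldif < ldapuser.ldif` and `check_ldif < ldapgroup.ldif`; the second entry in the sample produces four findings.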
==Deleting a user or group in the LDAP Directory==

Delete a user entry

# ldapdelete -x -W -D 'cn=admin,dc=cdacchennai,dc=in' "uid=user1,ou=people,dc=cdacchennai,dc=in"
<Enter admin password>

Delete a group entry (group entries are named by cn, as created above)

# ldapdelete -x -W -D 'cn=admin,dc=cdacchennai,dc=in' "cn=user1,ou=groups,dc=cdacchennai,dc=in"
<Enter admin password>

Restart the LDAP server

# /etc/init.d/slapd restart

==IV. LDAP Client on the BOSS Client machine==

Test the LDAP server

Check from the client machine whether you can reach the LDAP server.

Here the LDAP server name is ldapserver.cdacchennai.in, so ping the LDAP server

# ping ldapserver.cdacchennai.in

If you are not able to ping the LDAP server, edit resolv.conf to configure your DNS

# cat /etc/resolv.conf
nameserver cdacchennai.in

(The nameserver keyword expects the IP address of the DNS server that serves the cdacchennai.in domain, so put that address here rather than the domain name.)

==Configuring the LDAP Client==

Install the following packages

# apt-get install libnss-ldap libpam-ldap ldap-utils

The package configuration asks for the following:

(1) specify the LDAP server's URI (for this setup, ldap://ldapserver.cdacchennai.in/)

(2) specify the suffix (dc=cdacchennai,dc=in)

(3) specify the LDAP version

(4) specify the LDAP account for root (cn=admin,dc=cdacchennai,dc=in)

(5) specify the password for the LDAP account for root

(6) OK to go to the next screen

(7) select the one you like (this example selects 'no')

(8) select the one you like (this example selects 'No')

Now change the following settings

# vi /etc/nsswitch.conf
# line 7: add

passwd: compat ldap
group: compat ldap
shadow: compat ldap

# line 19: change

netgroup: ldap

root@www:~# vi /etc/pam.d/common-session

# add at the end if needed (creates the home directory automatically at first login)

session optional pam_mkhomedir.so skel=/etc/skel umask=077

Reboot the system

Once all the settings are done, reboot the system.

root@www:~# shutdown -r now

==Login into the Client Machine==

Now log in on the client machine's login screen as an LDAP user that exists on the LDAP server.

ldapclient login: user1            # user on LDAP
Password:                          # password for the LDAP user
Creating directory '/home/user1'.
user1@ldapclient:~$                # logged in

Try to change the LDAP password

Open a terminal and try to change the password

user1@ldapclient:~$ passwd

Enter login(LDAP) password:        # current password
New password:                      # new password
Re-enter new password:             # confirm
LDAP password information changed
passwd: password updated successfully

Current revision as of 07:17, 2 February 2012