Ok, following on from Part 1: now that we've got our virtual machine set up and running, we're going to prepare it and set up the LDAP server.
In order to be able to SSH into the machine, rather than using the console provided by the vSphere client, I always start by giving it a static IP address. To do this type:
sudo vi /etc/network/interfaces
and hit return. You will be prompted for the sudo password, which is the password you set up for the user created in part 1.
This is what the file will look like. You need to start by changing 'dhcp' to 'static'. Then you can add the fields for the address, netmask, network, broadcast, gateway, dns-search and dns-nameservers. You will need to put in your own IP address, netmask and so on here.
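The screenshot of the finished file didn't survive on this page, so here is an added example of a static /etc/network/interfaces (not the original screenshot). The 192.168.1.x addresses, the euro.pec search domain and the eth0 interface name are assumptions; substitute your own.

```text
# /etc/network/interfaces (example values, replace with your own)
auto lo
iface lo inet loopback

# was: iface eth0 inet dhcp
auto eth0
iface eth0 inet static
    address 192.168.1.50
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    dns-search euro.pec
    dns-nameservers 192.168.1.1
```

The dns-search and dns-nameservers lines are picked up by resolvconf, which Ubuntu installs by default; if you have removed it, put the same values in /etc/resolv.conf instead.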

Now you will need to restart the network. To do this type:
sudo /etc/init.d/networking restart
and hit return. You will now be able to SSH into the server using the new IP address.
Now you will want to enable the root user, as it is easier than using the sudo command. To do this type:
sudo passwd root
and hit enter. First you will need to enter the sudo password, which is the password for the user you created in part one. You will then be prompted to enter and verify the root password. If you do enable root this way, check that PermitRootLogin in /etc/ssh/sshd_config is set to no, so the root password can only be used via su from an account that has already logged in, never directly over SSH.
Once you've done this you'll be able to su to the root user. To do this type su and enter the root password that you just set.
As this is a new machine there may be updates that need to be installed. To do this type:
apt-get update
apt-get upgrade
and hit return. When prompted about whether you would like to proceed with the upgrade, type 'y' and hit return.
When the updates have run you may need to reboot the system. To do this simply type:
reboot
and hit return. If you are using a client such as PuTTY to SSH into the server you will be temporarily kicked out and will need to restart your session.
To simplify administration of your server and its features you may want to install Webmin. To do this type:
apt-get install perl libnet-ssleay-perl libauthen-pam-perl libpam-runtime libio-pty-perl libnet-ldap-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.690_all.deb
**Webmin 1.690 was the current Webmin version at the time of writing. This may have changed**
dpkg -i webmin_1.690_all.deb
Once you have installed this you will be able to access Webmin by opening your web browser and typing "https://<ipaddress/hostname>:10000" in the address bar (Webmin listens on port 10000 by default, not 1000). Now you will be able to upload and download files, and maintain your server using a web GUI. Bear in mind that Webmin runs as root and hands full control of the box to anyone who can log in to it, so keep port 10000 reachable only from your admin network.
Before installing the LDAP server you need to edit the hosts file:
vi /etc/hosts
You need to change the second line (starting 127.0.1.1) so that it is <hostname>.<domain>, and then tab across and put the hostname in again:
127.0.1.1	<hostname>.<domain>	<hostname>
euro.pec is our domain name; in order to get your server running you need to ensure that you replace this with your own domain name. This matters because the slapd installer takes the base DN of your directory (dc=euro,dc=pec for us) from the domain part of this entry.
Now edit the hostname file, and ensure that it matches the hostname of your machine:
vi /etc/hostname
Now you can install the LDAP server:
apt-get install slapd ldap-utils
You will be prompted to choose an administrator password. This is the password for cn=admin,dc=euro,dc=pec, the account that can write anywhere in the directory, so pick a strong one. If you need to change the domain or base DN later, dpkg-reconfigure slapd will ask for them explicitly.

Once the installation is finished you can check that everything installed properly by running two searches, one to check the DIT and one to check your own data (dc=euro,dc=pec). First:
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
The result should look like:
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config
Then run:
ldapsearch -x -LLL -H ldap:/// -b dc=euro,dc=pec dn
The result should look like:
dn: dc=euro,dc=pec
dn: cn=admin,dc=euro,dc=pec
In order to get this second search to run properly you need to have had the correct domain name set in the /etc/hosts file when slapd was installed, because that is where the dc=euro,dc=pec base came from.
The next step to getting your LDAP server up and running is to introduce content to the database. For this you will need to create an ldif file; you can call it whatever you want, the file I'm using is called load.ldif. There are two ways you can create this file: you can use a text editor such as Notepad and then upload it to the server using Webmin, or you can create it on the server using the 'vi' command, i.e. 'vi load.ldif'.
The test data I'm using is below. Note that LDIF needs a blank line between entries, and that the attribute named in each entry's DN (ou, cn, uid) must also appear as a value of that attribute in the entry, otherwise slapd rejects it with a "naming attribute ... is not present in entry" error (so the group whose DN is cn=IS must carry cn: IS):
dn: ou=Users,dc=euro,dc=pec
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=euro,dc=pec
objectClass: organizationalUnit
ou: Groups

dn: cn=IS,ou=Groups,dc=euro,dc=pec
objectClass: posixGroup
cn: IS
gidNumber: 5000

dn: uid=jade,ou=Users,dc=euro,dc=pec
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jade
sn: Whelan
givenName: Jade
cn: Jade Whelan
displayName: Jade Whelan
uidNumber: 10000
gidNumber: 5000
userPassword: passw0rd
gecos: Jade Whelan
loginShell: /bin/bash
homeDirectory: /home/jade
The userPassword here is cleartext test data. For a real account generate a hash on the server with slappasswd -s and put its output ({SSHA}...) on the userPassword line instead, so the cleartext never sits in a file.
In order to create this file I am using 'vi load.ldif' and copying the data in. To load this data into the database, the command is:
ldapadd -x -D cn=admin,dc=euro,dc=pec -W -f load.ldif
Remember to make sure you have the right domain name and filename, and then press enter. You will be prompted for the admin password you chose when slapd was installed. You should see:
adding new entry "ou=Users,dc=euro,dc=pec"
adding new entry "ou=Groups,dc=euro,dc=pec"
adding new entry "cn=IS,ou=Groups,dc=euro,dc=pec"
adding new entry "uid=jade,ou=Users,dc=euro,dc=pec"
Now to ensure the data has been input properly you can run the following search:
ldapsearch -x -LLL -b dc=euro,dc=pec 'uid=jade' cn gidNumber
The result should be:
dn: uid=jade,ou=Users,dc=euro,dc=pec
cn: Jade Whelan
gidNumber: 5000
There are a number of different switches used when querying and modifying LDAP:
- -x - a 'simple' bind, meaning SASL (the default) will not be used. With no -D and -W this is an anonymous bind, which works here because the default ACLs let anyone read everything except passwords.
- -LLL - disable printing unnecessary information (the LDIF version line and comments).
- uid=jade - a filter to locate the user with 'uid=jade'. This is handy if you only need to find/delete/modify one user entry.
- cn gidNumber - requests only certain attributes to be shown; without this all attributes you are allowed to read will be shown.
Something that is really useful with LDAP is enabling logging. It's not enabled by default so you have to turn it on after you've installed the LDAP software. We are going to be using the 'stats' level of logging. To enable logging, you first need to create an ldif file. I'm using the filename logging.ldif and the 'vi' method. The information that needs to be in the file is:
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats
The first line, dn: cn=config, tells ldapmodify which entry to change; without it the file is not valid LDIF and the modify will fail. If the add fails because olcLogLevel is already set on your server, use replace: olcLogLevel instead of add: olcLogLevel.
Once you have created the file, in order to enable logging you need to run:
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
This will produce a large amount of logs in /var/log/syslog (every bind and search, including the DN that performed it). Once your system is up and running you'll be able to throttle back the logging to a less verbose level. Now you need to restart the logging daemon:
service rsyslog restart
It's also worth looking at the access control lists slapd was installed with, since they decide who can read and write what. First run:
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcAccess
The result should look like (slapd prints each rule on one long line):
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=euro,dc=pec" write by * none
This first rule means a user can change their own password, anyone can present a password to authenticate with (but not read it), cn=admin can write it, and nobody else can see it at all. The rules that follow it cover the rest of the tree and, by default, let everyone read it, which is what makes the anonymous ldapsearch -x above work; keep that in mind if your directory will hold anything you don't want every host on the network to be able to list.
The next search will display the ACLs of the slapd-config database:
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={0}config)' olcAccess
The result should look like:
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
This says that only the local root user (uid 0, gid 0, identified over the ldapi:/// socket by SASL EXTERNAL) may manage cn=config, which is why the -Y EXTERNAL -H ldapi:/// commands in this guide have to be run as root on the server itself.
Once you have your LDAP server up and running you will need to install libraries on the client that know how and when to contact it. On Ubuntu this is usually accomplished using the libnss-ldap package. This package will also bring in other useful tools. To install this package run:
apt-get install libnss-ldap
You will be prompted to enter the URI (Uniform Resource Identifier) of your LDAP server; this can be either ldap://hostname:port or ldap://ipaddress:port. The default port for LDAP is 389. It's best to use the IP address rather than the hostname, in case of DNS failures (if you later turn on TLS, the name you put here is the one the server certificate will have to match, so revisit this then).
You will then need to enter the distinguished name of the search base, which the installer derives from your domain name: dc=euro,dc=pec in our case.
You will then need to select the version of LDAP you will be using; the default selection is the newest version (at the moment it's 3) but you can also roll back to the previous version if you wish.
You will also be asked if you want to make the local root user the database admin; the default selection is yes. You will then be asked if the LDAP database requires a login; the default option for this is no.
Now you need to give it the LDAP account to use for the root account, which is the rootDN of the database; we are using cn=admin,dc=euro,dc=pec, but it could equally be cn=Manager, cn=Administrator or whatever you chose, with your base DN as the suffix.
You can then set that account's password.
If you make a mistake, or want to go back and change something, you can run:
dpkg-reconfigure ldap-auth-config
Now you can configure the LDAP profile for NSS:
auth-client-config -t nss -p lac_ldap
Then you need to configure the server to use LDAP for authentication:
pam-auth-update
Ensure that all the boxes are marked with stars. You need Winbind to be running in order to get Samba automatically syncing LDAP users.

Ok, now for the last leg of this part. We now need to install some LDAP tools that will help us to create, modify and delete users and groups. This can be done using ldap-utils, but the long string of options needed can make this hard to use. The ldapscripts package contains wrapper scripts that are a lot easier to use.
apt-get install ldapscripts
Once this is installed you will need to edit the /etc/ldapscripts/ldapscripts.conf file. These screenshots will be shown in pairs; the first should be changed to match the second.
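Since the screenshots didn't survive on this page, here are the lines in /etc/ldapscripts/ldapscripts.conf that correspond to the test data above, as an added example rather than the original screenshot. The server URI, bind DN and suffix are assumptions matching this post's euro.pec setup and must be changed to match yours.

```text
# /etc/ldapscripts/ldapscripts.conf (only the lines that need changing)
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=euro,dc=pec"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX="dc=euro,dc=pec"
GSUFFIX="ou=Groups"
USUFFIX="ou=Users"
GIDSTART="10000"
UIDSTART="10000"
```

SUFFIX is the base DN, not the bare domain name; GSUFFIX and USUFFIX are relative to it and have to match the ou=Groups and ou=Users entries created from load.ldif, or the scripts will write entries to containers that don't exist. UIDSTART and GIDSTART are where the scripts start looking for a free uidNumber/gidNumber, so set them above any numbers you have already handed out by hand.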
Now you need to create the ldapscripts.passwd file to allow the rootDN access to the database:
sh -c "echo -n 'password' > /etc/ldapscripts/ldapscripts.passwd"
You need to replace the word 'password' with the password for your database's root user. Note that typing it on the command line like this leaves it in your shell history (~/.bash_history); if that bothers you, create the file with vi instead, taking care not to leave a trailing newline, or remove the line from your history afterwards. Now you need to modify the permissions of the file:
chmod 400 /etc/ldapscripts/ldapscripts.passwd
Now the file is readable only by root, so the password can't be picked up by other users on the box.
The scripts are now set up to help you manage your directory. There are a number of ways you can use them, such as:
ldapaddgroup Avengers - This will add a new group called Avengers to your database.
ldapadduser SteveRogers Avengers - This will create a user with the uid SteveRogers, and put him in the Avengers group.
ldapsetpasswd SteveRogers - This will allow you to set/change the user's password. When you set up the user it doesn't prompt you to enter the password, so it's best to run this after ldapadduser.
There are many other things you can do with ldapscripts, and you can also use ldapmodify to change user attributes such as gecos, cn or displayName.
One extra thing that might be handy is to set up the pam_mkhomedir module. Even though the makehomes option in the ldapscripts.conf file is set to yes, I choose not to rely solely on that. The module is really easy to set up:
vi /usr/share/pam-configs/my_mkhomedir
Then you need this information in the file:
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required pam_mkhomedir.so umask=0022 skel=/etc/skel
Then finally you activate it by running:
pam-auth-update
and making sure the box is marked with a star.

And now you
have your LDAP server up and running!
You'll be
able to add users and groups with your LDAP scripts and all of their home
directories will also be created.
If you are
adding users in bulk I recommend using a file like we did when adding the first
user. It's a lot easier than retyping "ldapadduser user group" over
and over again, and you can also set the password in the file so you wouldn't
need to run the ldapsetpasswd command.
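Here is an added example of that bulk approach (my script, not something from the original post): a small POSIX shell script that turns a comma-separated list of users into an LDIF file ready for ldapadd -x -D cn=admin,dc=euro,dc=pec -W -f users.ldif. It assumes the ou=Users layout and the dc=euro,dc=pec base from load.ldif above, and that each password hash was produced on the server with slappasswd -s, so no cleartext password ever goes into the file: records with a cleartext password, a non-numeric uidNumber/gidNumber, an odd character in the uid (which ends up in the DN) or a duplicate uid/uidNumber are refused rather than loaded.

```shell
#!/bin/sh
# Added example (not from the original post): generate LDIF for bulk user creation.
# Input records on stdin: uid,sn,givenName,uidNumber,gidNumber,passwordHash
# where passwordHash is the {SSHA}... string printed by `slappasswd -s` on the server.
# Assumptions: ou=Users under BASE_DN exists (created by load.ldif), base DN is dc=euro,dc=pec.

BASE_DN="dc=euro,dc=pec"

# is_number VALUE: succeeds only for a non-empty string of digits
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# user_ldif UID SN GIVENNAME UIDNUMBER GIDNUMBER PASSWORD_HASH
# Prints one posixAccount/inetOrgPerson entry on stdout; returns 1 (printing nothing)
# if the record is malformed, so a bad line never reaches the directory.
user_ldif() {
    uid=$1; sn=$2; given=$3; uidn=$4; gidn=$5; hash=$6
    # The uid becomes part of the DN: allow only a plain lower-case login name.
    case "$uid" in
        ''|*[!a-z0-9._-]*) return 1 ;;
    esac
    is_number "$uidn" && is_number "$gidn" || return 1
    # slappasswd output always starts with a {SCHEME} tag; anything else is cleartext.
    case "$hash" in
        '{'*) ;;
        *) return 1 ;;
    esac
    printf 'dn: uid=%s,ou=Users,%s\n' "$uid" "$BASE_DN"
    printf 'objectClass: inetOrgPerson\n'
    printf 'objectClass: posixAccount\n'
    printf 'objectClass: shadowAccount\n'
    printf 'uid: %s\n' "$uid"
    printf 'sn: %s\n' "$sn"
    printf 'givenName: %s\n' "$given"
    printf 'cn: %s %s\n' "$given" "$sn"
    printf 'displayName: %s %s\n' "$given" "$sn"
    printf 'uidNumber: %s\n' "$uidn"
    printf 'gidNumber: %s\n' "$gidn"
    printf 'userPassword: %s\n' "$hash"
    printf 'gecos: %s %s\n' "$given" "$sn"
    printf 'loginShell: /bin/bash\n'
    printf 'homeDirectory: /home/%s\n' "$uid"
}

# bulk_ldif: reads records from stdin, skips blank lines and '#' comments,
# refuses duplicate uids or uidNumbers within the batch, and separates the
# entries with the blank line LDIF requires. Returns 1 on the first bad record.
bulk_ldif() {
    seen=" "
    while IFS=, read -r uid sn given uidn gidn hash; do
        case "$uid" in ''|'#'*) continue ;; esac
        case "$seen" in
            *" $uid "*|*" #$uidn "*)
                echo "duplicate uid or uidNumber: $uid/$uidn" >&2
                return 1 ;;
        esac
        seen="$seen$uid #$uidn "
        user_ldif "$uid" "$sn" "$given" "$uidn" "$gidn" "$hash" || {
            echo "bad record for '$uid'" >&2
            return 1
        }
        printf '\n'
    done
}

# Typical use on the server:
#   bulk_ldif < users.csv > users.ldif && ldapadd -x -D cn=admin,dc=euro,dc=pec -W -f users.ldif
```

Because the script fails on the first bad record and ldapadd is only run if it succeeds, a typo in the CSV leaves the directory untouched instead of half-loaded. The uidNumber check only catches duplicates within one batch; before loading, also search the directory (ldapsearch -x -LLL -b dc=euro,dc=pec uidNumber) for numbers you have already used, since slapd itself does not enforce uniqueness of uidNumber.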
Next I'll be
taking you through getting Samba working with LDAP.
If there is anything you guys feel I have missed, anything you wanna add
or anything you would like to know, drop it in the comments section!
On to part 3
<3