This blog posting is a part of a series of blog postings:
- Part 1 – OpenLDAP setup
- Part 2 – SSL/TLS
- Part 3 – Schemas for samba, autofs and kerberos
- Part 4 – Kerberos setup
- Part 5 – DNS settings for kerberos using dnsmasq
- Part 6 – NFSv4 with kerberos
- Part 7 – Autofs
The OpenLDAP packages in Ubuntu have seen quite a bit of changes over the past few years. The packaging has changed the configuration file format to the new config backend and there’s no directory initialization in the package scripts anymore. This means that when the slapd package is installed, it doesn’t ask for basic directory information anymore, but one needs to do full configuration himself.
I documented the setup that I made on Ubuntu 10.04 alpha 2 to get OpenLDAP working in different configurations.
The goal of this setup is to have OpenLDAP running so that users can authenticate to it using pam-ldap and nss-ldap can get user and group information.
The following documents were used when testing this:
Server setup
On the server the following packages are needed:
sudo apt-get install slapd ldap-utils
After installing the packages the following files are present under /etc/ldap/slapd.d:
/etc/ldap/slapd.d/
/etc/ldap/slapd.d/cn=config
/etc/ldap/slapd.d/cn=config/cn=schema
/etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
/etc/ldap/slapd.d/cn=config/cn=schema.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
/etc/ldap/slapd.d/cn=config.ldif
The schemas need to be loaded in the server as by default there are none:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
To create the actual database that stores the entries in the directory, one needs to create an ldif file. In this example we use dc=edu,dc=example,dc=org as the directory suffix and place the database under /var/lib/ldap/.
create_database.ldif:
# Load hdb backend module
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb
# Create the hdb database and place the files under /var/lib/ldap
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=edu,dc=example,dc=org
olcRootDN: uid=admin,ou=People,dc=edu,dc=example,dc=org
olcRootPW: example
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
ldapadd is used to modify the cn=config entries:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f create_database.ldif
Next the new database needs to be populated with ou=People and ou=Groups to hold hold the user and group information.
init_database.ldif
dn: dc=edu,dc=example,dc=org objectClass: dcObject objectclass: organization o: edu.example.org dc: edu description: LDAP root dn: ou=People,dc=edu,dc=example,dc=org objectClass: top objectClass: organizationalUnit ou: People dn: ou=Groups,dc=edu,dc=example,dc=org objectClass: top objectClass: organizationalUnit ou: Groups
Use ldapadd to apply init_database.ldif:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f init_database.ldif
Finally modify the ACL to limit access to the database. Here we allow anonymous access to read the directory:
acls.ldif:
dn: olcDatabase={1}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="uid=admin,ou=People,dc=edu,dc=example,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.subtree="" by * read
olcAccess: {2}to * by dn="uid=admin,ou=People,dc=edu,dc=example,dc=org" write by * read
Modify the database:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acls.ldif
The following commands can be useful while configuring and debugging:
# Show the current configuration: sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config # Show the current data in the directory as anonymous user: ldapsearch -x -h localhost -b dc=edu,dc=example,dc=org # Dump the database with metadata: sudo slapcat
Once the server responds to queries, it’s time to configure the client.
Client setup
The client setup uses the new nss-ldapd and pam-ldapd modules that provide local daemon functionality:
sudo apt-get install libnss-ldapd libpam-ldapd
During installation select ldap for the following nss services:
- group
- passwd
This configured /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf automatically to work correctly.
To add some test users we can use ldapscripts package. The installation can be done either on the ldap server or on a remote server as the scripts connect to the server specified in the configuration file. After installing the ldapscripts package one needs to configure it.
/etc/ldapscripts/ldapscripts.conf:
SERVER="ldap://localhost" BINDDN="uid=admin,ou=People,dc=edu,dc=example,dc=org" BINDPWD="example" SUFFIX="dc=edu,dc=example,dc=org" # Global suffix GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX) USUFFIX="ou=People" # Users ou (just under $SUFFIX)
Adding users with ldapadduser may take time if machine random number entropy
pool is low. To use pseudo-random number generation (with weaker passwords),
you may also change:
PASSWORDGEN="cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
Creating groups and users and changing passwords can be done with simple commands:
sudo ldapaddgroup testgroup sudo ldapadduser testuser testgroup sudo ldapsetpasswd testuser
To test that everything works correctly, let’s try getent and logins:
getent passwd getent group ssh testuser@localhost
And everything seems to work as planned. Great! The setup is still lacking encryption and other features that need to be added next. The next steps are to get tls working and get kerberos+samba+autofs to use the ldap installation.
Veli-Matti Lintu
Thanks for this,
most hopefull now to get it right 😉
Greeetings
JT
Thanks for the great instructions. Even with such a good step by step instructions I wasn’t able to get it working. Maybe you could point me to the correct direction?
I’ve been trying this with Ubuntu 9.10 and originally thought libpam-ldapd was a spelling mistake with an extra ’d’, as it’s a new package in Lucid and not preset in Karmic. I tried first with installing the package from Lucid repository but didn’t get far. Using your server example and client side from https://wiki.edubuntu.org/Edubuntu/WikiSite/SimpleLDAPSetup I got very close but not quite there.
Problem is that LDAP users and groups are showing with getent and I can su to the created accounts (as root) but cannot login with passwords. I can see with an LDAP browser that SHAA-hash is used in LDAP for passwords. Is this wrong and if, how can I fix it?
Best regards,
-J. Talvio
First make sure that the ldap binds work correctly as the user you are trying to use. For example ldapsearch can be used for this:
ldapsearch -D uid=testuser,ou=People,dc=edu,dc=example,dc=org -W -x -b dc=edu,dc=example,dc=org
If this works, then the pam setup is probably the problem. There may be differences between Karmic and Lucid here, so checking the /etc/pam.d/common-* rules manually may be necessary to get it working correctly.
I’ve got same problem as Janne Talvio on 16.02.2010 post but when I’m trying ”ldapsearch -D uid=testuser,ou=People,dc=edu,dc=example,dc=org -W -x -b dc=edu,dc=example,dc=org” it says I’m entered invalid credentials.
I’ve tried this howto several time and always got myself stuck with bad binding. Where should I search for the source of the problem?
Thank you for the quick response! I finally got it working and have done and re-done this example now quite many times. My problem came down to a simple typo (ldapi where it should have been ldap).
For anyone trying to do this with Karmic instead of Lucid use:
apt-get install nslcd libpam-ldap ldapscripts
That should get all necessary stuff on client side, I think. Configure as described in the original post.
Best regards,
-J. Talvio
I have one slight issue with this excellent blog on my alpha 3 10.04:
I get a directory creation error when trying to install nslcd:
The following NEW packages will be installed
libnss-ldapd libpam-ldapd nscd nslcd
0 upgraded, 4 newly installed, 0 to remove and 477 not upgraded.
Need to get 385kB of archives.
After this operation, 942kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get: 1 http://gb.archive.ubuntu.com lucid/universe nscd 2.11.1-0ubuntu4 [202kB]
Get: 2 http://gb.archive.ubuntu.com lucid/universe nslcd 0.7.2 [115kB]
Get: 3 http://gb.archive.ubuntu.com lucid/universe libnss-ldapd 0.7.2 [40.0kB]
Get: 4 http://gb.archive.ubuntu.com lucid/universe libpam-ldapd 0.7.2 [27.1kB]
Fetched 385kB in 2s (129kB/s)
Preconfiguring packages …
Selecting previously deselected package nscd.
(Reading database … 116433 files and directories currently installed.)
Unpacking nscd (from …/nscd_2.11.1-0ubuntu4_i386.deb) …
Selecting previously deselected package nslcd.
Unpacking nslcd (from …/archives/nslcd_0.7.2_i386.deb) …
Selecting previously deselected package libnss-ldapd.
Unpacking libnss-ldapd (from …/libnss-ldapd_0.7.2_i386.deb) …
Selecting previously deselected package libpam-ldapd.
Unpacking libpam-ldapd (from …/libpam-ldapd_0.7.2_i386.deb) …
Processing triggers for man-db …
Processing triggers for ureadahead …
Setting up nscd (2.11.1-0ubuntu4) …
* Starting Name Service Cache Daemon nscd [ OK ]
Setting up nslcd (0.7.2) …
Warning: The home dir /var/run/nslcd/ you specified can’t be accessed: No such file or directory
Adding system user `nslcd’ (UID 117) …
Adding new group `nslcd’ (GID 124) …
Adding new user `nslcd’ (UID 117) with group `nslcd’ …
Not creating home directory `/var/run/nslcd/’.
So when I getent passwd I get:
nslcd:x:117:124:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
I just checked the installation process and the same warning appears, but still it creates the /var/run/nslcd/ directory. I’m not sure which component outputs the error, but it seems like it can be ignored. The getent output looks also ok.
Veli-Matti,
thanks for a clear explanation, works like a charm on Lucid b2. One remark, though, as to help all true newbies out there: you need to install ldapscripts with ”apt-get install ldapscripts” and afterward edit the ldapscripts.conf, not overwite it with the data you supplied, otherwise the procedures won’t find the tools to do the job.
Just my 2 euro-cents.
Hi, thanks for your great howto! Everything works like a charm here.
But when I do an anonymous ldapsearch, I can see the data of the KDC (the principal’s keys for example). I think thats a security issue, isn’t it?
Did i miss a step in the howto?
Regards, Jan
Yes, the ACLs in the example allow way too much access to the data. I wrote the examples to detail the differences in configuration from earlier versions, so I didn’t include real production ACLs as those always depend on the actual data in the directory. E.g. if one uses samba, also the samba passwords need to be secured. The best way of course would be to first deny all access and then allow only access to those attributes that are needed. I’ll add a note in the text about this. The samba setup is also missing from the series, so I try to get back to ACLs also.
Veli-Matti
Hi.
I followed your instructions but i have a problem.
When i sudo ldapadduser testuser testgroup
and then getent passwd, the user is not listed.
What can i check ?
Thanks,
Giorgio
First make sure that the user is in the ldap directory. Running ”ldapsearch -x” should return it. After that make sure that nscd is not running (ps -ex should not list it). If it’s still not working, check the nss settings in /etc/nsswitch.conf and the settings for nslcd that is used by nss-ldapd in /etc/nslcd.conf. The settings to look for are uri and base and they should match your ldap server.
I hope that helps!
Hi,
Thank you for the response.
I can see user in ldap directory.
ps -ax return : 2272 ? Ssl 0:00 /usr/sbin/nscd
so it’s still up and running.
my nsswich.conf is :
passwd: files ldap
group: files ldap
shadow: files
in nslcd.conf the uri andthebase are correct.
I have to stop nscd ?
Giorgio
Ok. finally seems to work.
I started nslcd with the -d parameter to debug. I had an error in the binddn parameter.
I put there the admin dn and password.
At next reboot it’s seems to work.
Should i use anonymous bind ? or is correct to use admin dn?
Thanks!!!
Giorgio
Hello Giorgio,
I think that i have the same problem ! can you give me the complete line you entered in the
# The DN to bind with for normal lookups.
binddn
line ?
Thx,
Marco
Hello M@rco.
I still have problem with this setup.
nscd still running.
sudo getent passwd works showing the user i created but if i try to ssh with this users i have an auth error.
Another problem is that the user creation does not create the home dir.
Hello,
It seems that i have a similar problem to Marcos and Giorgios.
After running ’nslcd -d’ and doing ’getent passwd’ i get:
’nslcd: [8b4567] DEBUG: connection from pid=27329 uid=1000 gid=1000
nslcd: [8b4567] DEBUG: nslcd_passwd_all()
nslcd: [8b4567] DEBUG: myldap_search(base=”dc=edu,dc=example,dc=org/”, filter=”(objectClass=posixAccount)”)
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://127.0.0.1/)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri=”ldap://127.0.0.1/”)
nslcd: [8b4567] connected to LDAP server ldap://127.0.0.1/
nslcd: [8b4567] ldap_result() failed: No such object’
Tried using ’ldapsearch -D uid=testuser,ou=People,dc=edu,dc=example,dc=org -W -x -b dc=edu,dc=example,dc=org’ with ’example’ as passwd but get: ’ldap_bind: Invalid credentials (49)’
And ’ldapsearch -x’ gives:
’# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1’
thx
Hi,
I had the same problem that Lomik is reporting. If you check the output of ‘nslcd -d’, it says:
myldap_search(base=”dc=edu,dc=example,dc=org/”, filter=”(objectClass=posixAccount)”)
I solved it removing the ’/’ at the end of the ”base” option, in the /etc/nslcd.conf file.
Hope it also works for you.
Hey, you should add ”apt-get install ldapscripts” to you tut!
And do i have to use ldapadduser/group on the server to add users? I get error with ldapaddgroup bla
Error adding group bla to LDAP
on server it says:
Unable to read password file, exiting…
so i am not able to add groups or users with ldapscripts 🙁
pls help.
thx
Same problem I think, set my binddn in /etc/nslcd.conf then nslcd -d.
Debug when I try to login:
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s(”uid=read-only,dc=bidcactus,dc=com”,”*****”) (uri=”ldaps://ldap1.server.com/”)
nslcd: [7b23c6] connected to LDAP server ldaps://ldap1.server.com/
nslcd: [7b23c6] ldap_result() failed: No such object
nslcd: [7b23c6] ”testuser”: user not found
Strange, because when I use libnss-ldap instead, it binds and can find users with no problem.
Hi,
every thing is working fine but the problem is i am unable to add users or groups as it is giving me the following error when I try to give command of ldapaddgroup testgroup. However, these commands are already installed on my server and I am trying to add user or group on server side.
you must have Openldap client commands installed before running these scripts
Hi, I had installed servers to support kereros and ldap, but whene kerbereos user changing their own password, it shows:
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Password change rejected: Password not changed.
Kerberos database constraints violated while trying to change password.
passwd: Authentication token manipulation error
passwd: password unchanged
Hi there, thanks for the tutorial
I made this script:
—————————————————————-
#!/bin/sh
passwd=xxxxxx
dc1=host
dc2=com
hash_pw=`slappasswd -h ”{MD5}” -s $passwd`
tmpdir=/tmp
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
#——————————————————————-#
#
# create_database.ldif
#
#——————————————————————-#
cat < $tmpdir/create_database.ldif
# Load dynamic backend modules
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb
# Create the database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=$dc1,dc=$dc2
olcRootDN: uid=admin,dc=$dc1,dc=$dc2
olcRootPW: $passwd
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
EOF
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f $tmpdir/create_database.ldif
#——————————————————————-#
#
# init_database.ldif
#
#——————————————————————-#
cat < $tmpdir/init_database.ldif
dn: dc=$dc1,dc=$dc2
objectClass: dcObject
objectclass: organization
o: $dc1.$dc2
dc: $dc1
description: LDAP root
dn: ou=People,dc=$dc1,dc=$dc2
objectClass: top
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=$dc1,dc=$dc2
objectClass: top
objectClass: organizationalUnit
ou: Groups
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f $tmpdir/init_database.ldif
#
# acl.ldif
#
cat < $tmpdir/acl.ldif
dn: olcDatabase={1}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn=”uid=admin,ou=People,dc=$dc1,dc=$dc2″ write by anonymous auth by self write by * none
olcAccess: {1}to dn.subtree=”” by * read
olcAccess: {2}to * by dn=”uid=admin,ou=People,dc=$dc1,dc=$dc2″ write by * read
EOF
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f $tmpdir/acl.ldif
——————————————————————-
this apply directly what your tutorial said.
I’m on ubuntu 10.0.4 lts x64 and i tried many times to connect but without success.
Here some errors:
slapd starting
slapd[5526]: connection_read(13): no connection!
slapd[5526]: last message repeated 7 times
When I try to login from client:
conn=1000 op=0 do_bind: invalid dn (admin)
And when I try to log-in directly with ldapsearch -D uid=admin,ou=People,dc=….
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I dont have /etc/ldapscripts/ldapscripts.conf file. why?
ldapscript package needs to be installed with ”apt-get install ldapscripts”
This was excellent, and fixed a problem I had been battling with for ours. The official 10.04 Documentation on the Ubuntu website follows a process that is no longer valid under the standard install of 10.04. Well done for this fix.
Didn’t really work:
# ldapadd -Y EXTERNAL -H ldapi:/// -f init_database.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry ”dc=example,dc=com”
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
Any clues on how to fix it?
Hi
This for document thanks Ubuntu for 10-4 very problem openldap
Great article!
Help is appreciated.
I can’t seem to find how to enable/add more ”administrators” to be able to write to the directory.
Also, how do I enable authentication different from ”-Y EXTERNAL -H ldapi:///”.
Many thanks,
Aleks