This blog post is part of a series:
- Part 1 – OpenLDAP setup
- Part 2 – SSL/TLS
- Part 3 – Schemas for samba, autofs and kerberos
- Part 4 – Kerberos setup
- Part 5 – DNS settings for kerberos using dnsmasq
- Part 6 – NFSv4 with kerberos
- Part 7 – Autofs
The OpenLDAP packages in Ubuntu have seen quite a few changes over the past few years. The packaging has moved the configuration to the new cn=config backend, and the package scripts no longer initialize a directory. This means that when the slapd package is installed it no longer asks for basic directory information; the full configuration has to be done by hand.
I documented the setup that I made on Ubuntu 10.04 alpha 2 to get OpenLDAP working in different configurations.
The goal of this setup is to have OpenLDAP running so that users can authenticate against it with pam-ldap and nss-ldap can retrieve user and group information from it.
The following documents were used when testing this:
On the server the following packages are needed:
After installing the packages the following files are present under /etc/ldap/slapd.d:
The schemas need to be loaded in the server as by default there are none:
To create the actual database that stores the directory entries, an LDIF file describing it is needed. In this example we use dc=edu,dc=example,dc=org as the directory suffix and place the database under /var/lib/ldap/.
ldapadd is used to modify the cn=config entries:
Next the new database needs to be populated with ou=People and ou=Groups to hold the user and group information.
Use ldapadd to apply init_database.ldif:
Finally modify the ACL to limit access to the database. Here we allow anonymous access to read the directory:
Modify the database:
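The whole server-side sequence (schemas, database creation, base entries, ACL) as one script. This is an added example, not the LDIF from the original post: the suffix, database directory, ou names and the anonymous-read ACL come from the post, while the rootdn name cn=admin,dc=edu,dc=example,dc=org, the assumption that back_hdb is not yet loaded, the Ubuntu paths (ldapi:///, /etc/ldap/schema) and the extra userPassword ACL rule are mine.

```shell
#!/bin/sh
# Added example, not the post's own LDIF: loads the schemas, creates the hdb
# database for dc=edu,dc=example,dc=org under /var/lib/ldap, adds ou=People
# and ou=Groups, and sets the ACL. Assumptions: rootdn cn=admin,<suffix>,
# back_hdb not yet loaded, and the Ubuntu layout (ldapi:///, /etc/ldap/schema).
# Run as root on the server:  sh ldap-setup.sh apply
# Without "apply" it only prints the generated LDIF for review.
set -eu

SUFFIX='dc=edu,dc=example,dc=org'   # from the post
DBDIR='/var/lib/ldap'               # from the post
ROOTDN="cn=admin,$SUFFIX"           # assumption

# cn=config entries: backend module plus database {1}. $1 is the {SSHA}
# hash of the rootdn password as printed by slappasswd (never the clear text).
db_ldif() {
    cat <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: $SUFFIX
olcDbDirectory: $DBDIR
olcRootDN: $ROOTDN
olcRootPW: $1
olcDbIndex: objectClass eq
olcDbIndex: uid eq
EOF
}

# Base entry and the two containers for users and groups.
base_ldif() {
    cat <<EOF
dn: $SUFFIX
objectClass: dcObject
objectClass: organization
o: Example University
dc: edu

dn: ou=People,$SUFFIX
objectClass: organizationalUnit
ou: People

dn: ou=Groups,$SUFFIX
objectClass: organizationalUnit
ou: Groups
EOF
}

# ACL: anonymous read of the tree as in the post, with one rule added here so
# password hashes are only usable for binding and only the owner (and the
# rootdn, which bypasses ACLs) may change them.
acl_ldif() {
    cat <<EOF
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to * by * read
EOF
}

apply() {
    # schemas shipped with the package; core is normally loaded already
    for s in cosine nis inetorgperson; do
        ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/ldap/schema/$s.ldif"
    done
    hash=$(slappasswd)              # prompts for the password, prints {SSHA}...
    # cn=config is written over the local socket as root (SASL EXTERNAL)
    db_ldif "$hash" | ldapadd -Y EXTERNAL -H ldapi:///
    # the new database is written as its rootdn (simple bind, -W prompts)
    base_ldif | ldapadd -x -H ldapi:/// -D "$ROOTDN" -W
    acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
    # check: an anonymous search lists the entries but returns no userPassword
    ldapsearch -x -H ldapi:/// -b "$SUFFIX" -LLL userPassword
}

case "${1:-print}" in
    apply) apply ;;
    *) db_ldif '{SSHA}hash-from-slappasswd'; echo; base_ldif; echo; acl_ldif ;;
esac
```

The final ldapsearch is the check worth keeping: with the added rule, an anonymous bind sees dn lines only, while a bind as the user still succeeds because `by anonymous auth` permits the password comparison without disclosing the hash.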
The following commands can be useful while configuring and debugging:
Once the server responds to queries, it’s time to configure the client.
The client setup uses the new nss-ldapd and pam-ldapd modules, which do their LDAP lookups through a local daemon (nslcd) instead of each process talking to the server itself:
During installation select ldap for the following nss services:
This configures /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf automatically.
To add some test users we can use the ldapscripts package. It can be installed either on the LDAP server or on a remote machine, as the scripts connect to the server specified in their configuration file. After installing the ldapscripts package it needs to be configured.
Adding users with ldapadduser may take time if the machine's entropy pool is low. To use pseudo-random number generation instead (with weaker generated passwords), you may also change:
Creating groups and users and changing passwords can be done with simple commands:
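The ldapscripts configuration, its bind-password file and the account commands, as an added example rather than the post's own listing. The suffix and the ou names are from the post; the SERVER URL, the bind DN cn=admin,dc=edu,dc=example,dc=org and the file paths are assumptions, and the configuration keys are those of the ldapscripts package (check them against the installed version's ldapscripts.conf).

```shell
#!/bin/sh
# Added example, not from the post: the ldapscripts configuration, its bind
# password file, and the commands that create a group, a user and a password.
# SERVER and BINDDN are assumptions; SUFFIX and the ou names are from the post.
set -eu

SUFFIX='dc=edu,dc=example,dc=org'
CONF='/etc/ldapscripts/ldapscripts.conf'
PWFILE='/etc/ldapscripts/ldapscripts.passwd'

# Keys read by ldapscripts; GSUFFIX and USUFFIX are relative to SUFFIX.
scripts_conf() {
    cat <<EOF
SERVER="ldap://ldap.edu.example.org"
SUFFIX="$SUFFIX"
GSUFFIX="ou=Groups"
USUFFIX="ou=People"
BINDDN="cn=admin,$SUFFIX"
BINDPWDFILE="$PWFILE"
EOF
}

# The scripts hand this file to the ldap tools' -y option, which reads it
# verbatim, so a trailing newline becomes part of the password and every bind
# fails. It holds the rootdn password in clear text, so it must be root-only.
check_pwfile() {
    f=$1
    [ -f "$f" ] || return 1
    find "$f" -perm 400 | grep -q . || return 1                # exactly 0400
    [ $(( $(tail -c 1 "$f" | wc -l) )) -eq 0 ] || return 1     # no final "\n"
}

install_conf() {
    scripts_conf > "$CONF"
    printf 'Bind password for cn=admin,%s: ' "$SUFFIX"
    stty -echo; read -r pw; stty echo; echo
    umask 077
    printf '%s' "$pw" > "$PWFILE"       # printf, not echo: no newline
    chown root:root "$PWFILE"; chmod 400 "$PWFILE"
    check_pwfile "$PWFILE"
}

add_accounts() {
    ldapaddgroup students            # cn=students,ou=Groups,$SUFFIX
    ldapadduser alice students       # uid=alice,ou=People,$SUFFIX, generated password
    ldapsetpasswd alice              # prompts for a new password
    getent passwd alice              # resolved via nslcd once the client side is done
    getent group students
}

case "${1:-}" in
    install)  install_conf ;;
    accounts) add_accounts ;;
    *)        scripts_conf ;;
esac
```

Run `sh ldapscripts-setup.sh install` once as root, then `sh ldapscripts-setup.sh accounts`; a failing bind right after installation is almost always the password file ending in a newline, which check_pwfile catches.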
To test that everything works correctly, let’s try getent and logins:
And everything seems to work as planned. Great! The setup still lacks encryption and other features that need to be added next. The next steps are to get TLS working and to make Kerberos, Samba and autofs use the LDAP installation.