OpenLDAP

What is required

OpenLDAP / slapd - LDAP server
pam_ldap - For Unix password authentication
nss_ldap - For Unix name lookup
auth_ldap -

Before you start here is a script for you.

If you want to set up an OpenLDAP server for user authentication, download and run this script. It will do all the work in 1 minute.

Install

Where can LDAP take us

OpenLDAP uses slapd, which stands for "standalone LDAP daemon".

ldap-utils is a set of helper tools for working with LDAP.

aptitude install slapd ldap-utils

Set the administrative password for LDAP when asked.

Now we will reconfigure it again so you get familiar with the details. There seems to be a bug in Debian when reconfiguring: it requires deleting the backup copy of the LDAP directory. Details follow.

Let's reconfigure slapd and give it proper domain names so we are all on the same page:

dpkg-reconfigure slapd

You can keep all the other settings at their defaults.

* Omit OpenLDAP server configuration? No
* DNS domain name: mycompany.com
* Organization name: mycompany.com
* Administrator password: ****
* Database backend to use: HDB (default)
* Do you want the database to be removed when slapd is purged? No
* Allow LDAPv2 protocol? No

It is Easy!

Now you have an LDAP daemon working, congratulations. It will accept connections, etc. What needs to happen now is to set up the LDAP structure. Think of it as database tables and columns, but in the LDAP world it is a folder-like tree. Just an FYI: mycompany.com becomes dc=mycompany,dc=com, and admin@mycompany.com becomes cn=admin,dc=mycompany,dc=com.

You can look at /etc/ldap/slapd.conf for details if you want to educate yourself.

Start the OpenLDAP daemon:

/etc/init.d/slapd start

Let's check if we can query the LDAP server:

ldapsearch -x -b dc=mycompany,dc=com

You should see the entries for "mycompany" and for "admin".

# search result
search: 2

You have a working LDAP server. Next steps:

1. Convert Linux users to LDAP
2. Set up a Linux client to authenticate against LDAP
4. Create a global addressbook
5. Migrate a Windows NT domain to LDAP in a few simple steps

Temporary Debian bug

Reconfiguring is not working:

dpkg-reconfigure slapd
Stopping OpenLDAP: slapd.
  Moving old database directory to /var/backups:
  Backup path /var/backups/unknown-2.4.11-1.ldapdb exists. Giving up...

You need to:

rm -r /var/backups/unknown-2.4.11-1.ldapdb/

And then it works.

dpkg-reconfigure slapd
Stopping OpenLDAP: slapd.
  Moving old database directory to /var/backups:
  - directory unknown... done.
  Creating initial slapd configuration... done.
  Creating initial LDAP directory... done.
Starting OpenLDAP: slapd.

If you don't do that, any later bind as the admin fails like this:

ldapadd -x -W -D "cn=admin,dc=mycompany,dc=com" -f directory.ldiff
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Removing the backup directory and reconfiguring again fixes the issue.

Authentication

Options for OpenLDAP authentication

Authentication has many options to choose from: plain passwords, Kerberos, or some other external authentication mechanism.

Connect to OpenLDAP

Let's connect to see what our server has.

Install Luma:

aptitude update
aptitude install luma

Start Luma:

luma

Click on Settings

Click on Edit Server List

Click on Add

Type in the server name: Mycompany

Click on Network, type in the hostname, then save.

Save and OK

Click on Choose plugin, click on Addressbook, then on Browser to see who and what is already in there.

Simple addressbook

Let's create a simple addressbook, which will take a few seconds. Sample ideas

First we create an organizational unit. An organizational unit (ou) is an addressbook, or some other type of unit, that will hold our records.

Create a file called directory.ldiff and put this inside it:

dn: ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organizationalUnit
ou: addressbook

The above means:

* ``dn: ou=addressbook, dc=mycompany, dc=com`` - This creates the organizational unit addressbook.mycompany.com.
* ``objectClass: top`` - Marks it as a top-level object (every LDAP entry includes ``top``).
* ``objectClass: organizationalUnit`` - Tells it what type of object this is. In this case it is an organizationalUnit.
* ``ou: addressbook`` - Again states the name of the ou.

Now import the file:

ldapadd -x -f directory.ldiff -D "cn=admin,dc=mycompany,dc=com" -W

Now let's add one more, just to get the hang of adding things and to see where they are placed.

Comment out the content of directory.ldiff, add this at the bottom, then import it again:

dn: ou=accounting, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organizationalUnit
ou: accounting

The reason we need to comment out the previous entries is that if we left them in, ldapadd would report that the first entry in the file already exists. It would not add the second one; it stops processing the file at that point. The entry above created the organizational unit accounting.addressbook.mycompany.com.

Now let's add our first contact. We create our definition like this. Create contact.ldiff and paste in the code below:

dn: cn=Jane Doe, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jane Doe
gn: Jane
sn: Doe
mail: jane.doe@example.com
physicalDeliveryOfficeName: Conglomo, Inc., Financial Services
postalAddress: PO BOX 55555
organizationName: Conglomo, Inc., Financial Services
street: 123 N. Michigan Ave
l: Baton Rouge
st: LA
postalCode: 70555
telephoneNumber: 555-555-5555
facsimileTelephoneNumber: 555-555-5556
pager: 555-555-5557
mobile: 555-555-5558
homePhone: 555-555-5559
ou: addressbook

Change what you need to. Here are some definitions of the fields:

The definitions are fairly standard. At the top we see objectClass: person and objectClass: inetOrgPerson, which are among the standard object classes of LDAP. We are not using anything custom; these types came with LDAP. We are setting some of the attributes of inetOrgPerson:

* ``cn`` - Common Name
* ``mail`` - aka email
* ``street`` - Street address
* ``st`` - State
* ``l`` - City
* ``ou`` - Department, aka the Organizational Unit
* ``postalCode`` - Zipcode
* ....

And import it again:

ldapadd -x -f contact.ldiff -D "cn=admin,dc=mycompany,dc=com" -W

Extra records can be added to the same file as long as a blank line is used to separate each different entry.

Now you should see it in Luma when you browse.

Now let's get some details on our options:

Attribute                   ObjectClass           Meaning
commonName, cn              person                Individual's full name
givenName, gn               inetOrgPerson         Individual's first name
surname, sn                 person                Individual's last name
physicalDeliveryOfficeName  organizationalPerson  Department or delivery office name
mail                        inetOrgPerson         Email address
postalAddress               organizationalPerson  Street mailing address
l                           organizationalPerson  City
st                          organizationalPerson  State
postalCode                  organizationalPerson  Postal (ZIP) code
telephoneNumber             organizationalPerson  Work number
facsimileTelephoneNumber    organizationalPerson  Fax number
pager                       inetOrgPerson         Pager number
mobile                      inetOrgPerson         Mobile phone number
homePhone                   inetOrgPerson         Home phone number

More schema definitions can be found here.

For example, you could create other structures like the one below; note the difference between ou (organizationalUnit) and o (organization):

dn: ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organizationalUnit
ou: addressbook

#Partners
dn: ou=partners, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organizationalUnit
ou: partners

#xyzAgency
dn: o=xyzAgency, ou=partners, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organization
o: xyzAgency

And add a person like:

dn: cn=John Smith, o=xyzAgency, ou=partners, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Smith
gn: John
sn: Smith
mail: Jsmith@example.com
organizationName: Conglomo, Inc., Financial Services
street: 123 N. Michigan Ave
l: Chicago
o: xyzAgency
st: IL
postalCode: 60645
telephoneNumber: 773-123-5555
facsimileTelephoneNumber: 555-555-5556
pager: 555-555-5557
mobile: 555-555-5558
homePhone: 555-555-5559

Thunderbird

Mozilla Thunderbird 2.0+ will autocomplete email addresses as soon as you add them to the LDAP directory. See MozillaSchema and Addressbook to LDAP Mappings.

Outlook

Or simply go to the registry and, under HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Outlook\LDAP, add the DWORD DisableVLVBrowsing and set its value to 1. For Outlook 2003 use HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\LDAP.

OpenLDAP for User Authentication

Setup_OpenLdap_server.sh

This will install and configure the LDAP server and copy the base settings (users, groups) from your Linux server, so that you can start authenticating clients in 1min.

http://lucasmanual.com/out/setup_openldap_server.sh

Download it and run it. Example:

wget http://lucasmanual.com/out/setup_openldap_server.sh
sh setup_openldap_server.sh

Migrating Unix Accounts to OpenLDAP

Right now the database in LDAP is empty, so we will need to add users, groups, etc.

We do that using migrationtools, which copies all the information from the file-based system into LDAP.

Install migrationtools:

aptitude install migrationtools

Let's see what programs are available to us:

ls /usr/share/migrationtools/
migrate_aliases.pl
migrate_all_netinfo_offline.sh
migrate_all_netinfo_online.sh
migrate_all_nis_offline.sh
migrate_all_nis_online.sh
migrate_all_nisplus_offline.sh
migrate_all_nisplus_online.sh
migrate_all_offline.sh
migrate_all_online.sh
migrate_automount.pl
migrate_base.pl
migrate_common.ph
migrate_group.pl
migrate_hosts.pl
migrate_netgroup_byhost.pl
migrate_netgroup_byuser.pl
migrate_netgroup.pl
migrate_networks.pl
migrate_passwd.pl
migrate_profile.pl
migrate_protocols.pl
migrate_rpc.pl
migrate_services.pl
migrate_slapd_conf.pl

migrate_all_online.sh will run all the scripts.

Before we run it we need to change the domain in migrate_common.ph. By default the file is set to padl.com, so we need to change it to mycompany.com.

cd /usr/share/migrationtools/
vi migrate_common.ph

Change every padl to mycompany, or tell the vi editor to do it for you with this command:

:%s/padl/mycompany/gc

And just press y to confirm each replacement.

There are 2 more issues we need to take account of. Because of Bug 537406 we need to add misc.schema to our slapd.conf setup, and if we get an error during the migration we need to restart it with a command that will bypass the error.

Add this line right below the last include line in /etc/ldap/slapd.conf, and restart slapd.

include /etc/ldap/schema/misc.schema

Let's do our migration to the system, but first check that slapd is running:

ps aux|grep slapd
#You should see
openldap  3557  0.7  0.9 112236  4808 ?  Ssl  13:42  0:12 /usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf

./migrate_all_online.sh
Enter the X.500 naming context you wish to import into: [dc=mycompany,dc=com]
Enter the hostname of your LDAP server [ldap]: hpdebian
#This is the hostname of the computer you are on. Type in hostname if you are not sure what it is.
Enter the manager DN: [cn=admin,dc=mycompany,dc=com]:
Enter the credentials to bind with:
Do you wish to generate a DUAConfigProfile [yes|no]? no

If you receive an error like:

adding new entry "cn=ssh,ou=Group,dc=mycompany,dc=com"
adding new entry "cn=lucas,ou=Group,dc=mycompany,dc=com"
adding new entry "cn=openldap,ou=Group,dc=mycompany,dc=com"
adding new entry "cn=localhost,ou=Hosts,dc=mycompany,dc=com"
adding new entry "cn=dellxps.mycompany,ou=Hosts,dc=mycompany,dc=com"
adding new entry "cn=localhost,ou=Hosts,dc=mycompany,dc=com"
ldap_add: Already exists (68)
/usr/bin/ldapadd : returned non-zero exit status: saving failed LDIF to /tmp/nis.ldif.lMsKHTfGYh

Somehow migrationtools generates the localhost entry twice. This is not a big problem, as we can rerun the script with ldapadd told to continue past errors (-c); this time it will skip the entries that already exist and carry on.

LDAPADD="/usr/bin/ldapadd -c" ./migrate_all_online.sh
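As an added example (not from the original page), here is a small Python model of what ldapadd does with the LDIF files from the addressbook section and during the migration above: it splits a file into entries, honours commented-out lines, normalizes DNs so each entry's parent can be looked up, and shows why re-importing a file stops at the first entry that already exists unless ldapadd runs with -c. The LDIF text, the pre-existing suffix entry and the error strings are constructed for the example.

```python
import re

# Constructed sample: the two addressbook entries from this page.
SAMPLE_LDIF = """\
dn: ou=addressbook, dc=mycompany, dc=com
objectClass: organizationalUnit
ou: addressbook

dn: ou=accounting, ou=addressbook, dc=mycompany, dc=com
objectClass: organizationalUnit
ou: accounting
"""

def parse_ldif(text):
    """Split LDIF into (dn, {attr: [values]}) entries: blank lines separate
    entries, '#' lines are comments (RFC 2849 line folding is not handled)."""
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn:                      # an entry whose dn is commented out is dropped
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if name.strip().lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name.strip(), []).append(value.strip())
    return entries

def normalize_dn(dn):
    """Canonical DN (lower-case types, no spaces after unescaped commas) for comparison."""
    parts = [p.strip().partition("=") for p in re.split(r"(?<!\\),", dn)]
    return ",".join(f"{t.strip().lower()}={v.strip()}" for t, _, v in parts)

def simulate_ldapadd(text, existing, continue_on_error=False):
    """Model of ldapadd: each entry needs an unused DN and an existing parent.
    Without -c the first error aborts the run; with -c it is reported and skipped."""
    directory = {normalize_dn(d) for d in existing}   # e.g. the suffix entry
    added, errors = [], []
    for dn, _attrs in parse_ldif(text):
        ndn = normalize_dn(dn)
        if ndn in directory:
            errors.append(f'ldap_add: Already exists (68) "{dn}"')
        elif ndn.partition(",")[2] not in directory:   # parent not there
            errors.append(f'ldap_add: No such object (32) "{dn}"')
        else:
            directory.add(ndn)
            added.append(ndn)
            continue
        if not continue_on_error:
            break
    return added, errors
```

Running simulate_ldapadd twice over the same file reproduces the behaviour described above: the second run reports the first entry as existing and, without continue_on_error, never reaches the second.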

[Optional] If you have become familiar with the migration and would like to start from scratch, you can reconfigure slapd with dpkg-reconfigure slapd and, when asked, tell it to delete the old database. That way you will start from scratch. It will delete all ldap/slapd databases. You will need to add misc.schema back into the slapd.conf file.

dpkg-reconfigure slapd

[Optional] If you see that dpkg-reconfigure slapd failed with "Giving up...", don't forget to delete the backup with rm -r /var/backups/unknown-2.4.11-1.ldapdb and reconfigure slapd again.

Congratulations. Your system was just migrated to an LDAP-based server. Now we just need to set up your system to use LDAP, and connect any clients to it.

Just to make sure everything is fine, see if you can search for yourself:

ldapsearch -x uid=lucas -b "dc=mycompany,dc=com"

Linux Client Integration with LDAP

There are a few choices you can make on how to integrate LDAP with Linux.

Let's do the basics first.

Install ldap-utils:

aptitude install ldap-utils

See if you can connect to the LDAP server. Replace the IP address with yours.

ldapsearch -x -b dc=mycompany,dc=com -h 192.168.1.110

or

ldapsearch -x -b ou=People,dc=mycompany,dc=com -h 192.168.1.110

libnss-ldap

[definition] libpam - PAM (Pluggable Authentication Modules) is used for user authentication: checking that the provided login and password are correct, accomplishing some other tasks, and finally deciding, for example, whether the user may log in or not.

[definition] libnss - This package provides a Name Service Switch that allows your LDAP server to act as a name service. This means providing user account information, group IDs, host information, aliases, netgroups, and basically anything else that you would normally get from the /etc flat files or NIS. Run "getent passwd" to see some of the information available.

libpam checks whether the user name and password are correct, while libnss looks up the available names.

Install libnss-ldap. libnss-ldap lets you talk to your LDAP server as if it were the regular /etc folder that contains /etc/passwd, /etc/hosts, /etc/group, etc. In this case LDAP will store all that information.

aptitude install libnss-ldap

Change the example to your domain name:

LDAP Server Host: 127.0.0.1
DN of Search Base: dc=mycompany,dc=com
LDAP Version: 3
Database requires login: no
Make config readable by owner only: yes

If at any point you want to reconfigure these settings, or you are getting "nss_ldap: failed to bind to LDAP server", run:

dpkg-reconfigure libnss-ldap

LDAP server Uniform Resource Identifier: ldap://127.0.0.1
Distinguished name of the search base: dc=mycompany,dc=com
LDAP Version to use: [Default] 3
Does the LDAP database require login: [default] No
Special LDAP privileges for root: [default] Yes
Make the configuration file readable/writable by its owners only: [default] No
LDAP Account for root: cn=admin,dc=mycompany,dc=com
LDAP Password: ****

Now, in order for the system to use LDAP, you need to tell it about its existence. We do that in nsswitch.conf. It tells the system to check not only the regular files but also the LDAP server for users, groups, etc.

Edit the file /etc/nsswitch.conf and add the word ldap at the end of these lines so they look like the following:

passwd: compat ldap
group:  compat ldap
shadow: compat ldap

Now that you have told nsswitch to look at LDAP, here is a short list of the parts of your Linux system that can be integrated with LDAP. Look at the example file /usr/share/doc/libnss-ldap/examples/nsswitch.ldap to see which services can be LDAP-backed on your system (passwd, group, networks, protocols, rpc, ethers, ...).

The change we made to nsswitch will allow you to search LDAP now.

Congratulations, your system knows how to talk to LDAP now. Right now the database in LDAP is empty, so we will need to add users, groups, etc. later. For now, see how many groups we have in the original system. If you run the command getent group, it will search the local database (/etc/group) first, then LDAP, based on your nsswitch.conf configuration.

getent group
ssh:x:103:
users:x:20001:
guests:x:20002:
admins:x:20000:
.....

libpam-ldap


Install libpam-ldap:

aptitude install libpam-ldap

Reconfigure libpam-ldap:

dpkg-reconfigure libpam-ldap

Follow the instructions on setting up a Linux client to log in to the LDAP server.

Edit /etc/ldap/ldap.conf:

vi /etc/ldap/ldap.conf

Add the base DN and the URI of the LDAP server:

BASE dc=mycompany,dc=com
URI  ldap://ldap.mycompany.com

Make sure you add ldap.mycompany.com to /etc/hosts like this:

#ipaddress      ldap.mycompany.com
#example
192.168.1.110   ldap.mycompany.com

Edit the PAM settings:

vi /etc/pam.d/common-account
# Comment out the next line
#account required pam_unix.so
# and add these two
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass

vi /etc/pam.d/common-auth
# from
#auth required pam_unix.so nullok_secure
# to
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

vi /etc/pam.d/common-password
# from
#password required pam_unix.so nullok obscure min=4 max=8 md5
# to
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass

vi /etc/pam.d/common-session
session optional pam_ldap.so
session required pam_unix.so
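As an added example (not from the original page), here is a Python model of how Linux-PAM evaluates the common-auth stack configured above, with pam_ldap as sufficient and pam_unix as required with use_first_pass. It shows that a directory user passes at pam_ldap, a user still in /etc/shadow passes at pam_unix, a wrong password fails without skipping pam_unix, and that use_first_pass keeps the login at a single password prompt. The stack text, the two user tables and the toy module behaviour are constructed for the example; the control-flag rules follow the Linux-PAM documentation for sufficient, required, requisite and optional.

```python
# Constructed sample: the /etc/pam.d/common-auth stack from this page.
COMMON_AUTH = """\
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
"""

# Toy account stores standing in for the directory and /etc/shadow.
LDAP_USERS = {"jane": "ldap-secret"}
LOCAL_USERS = {"root": "local-secret"}

def parse_stack(text):
    """Return [(control, module, options)] from a pam.d file; '#' lines are comments."""
    stack = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            _type, control, module, *opts = line.split()
            stack.append((control, module, opts))
    return stack

def run_module(module, user, password):
    """Toy module: pam_ldap consults the directory, pam_unix the local files."""
    db = LDAP_USERS if module == "pam_ldap.so" else LOCAL_USERS
    if user not in db:
        return "user_unknown"
    return "success" if db[user] == password else "auth_err"

def authenticate(stack, user, password):
    """Apply Linux-PAM control flags. sufficient: success ends the stack as
    PASS unless a required module already failed; its failure is ignored.
    required: failure makes the result FAIL but later modules still run, so a
    rejected login does not reveal which module rejected it. requisite: like
    required but stops at once. optional: failure is ignored. No verdict at
    all counts as FAIL. Returns (result, password prompts, per-module trace)."""
    impression, prompts, trace = None, 0, []
    for control, module, opts in stack:
        # use_first_pass / try_first_pass reuse the password already typed
        if not (prompts and ("use_first_pass" in opts or "try_first_pass" in opts)):
            prompts += 1
        rc = run_module(module, user, password)
        trace.append((module, rc))
        ok = rc == "success"
        if control == "sufficient":
            if ok and impression is not False:
                return "PASS", prompts, trace
        elif control in ("required", "requisite"):
            if ok:
                impression = True if impression is None else impression
            else:
                impression = False
                if control == "requisite":
                    break
        elif control == "optional" and ok and impression is None:
            impression = True
    return ("PASS" if impression else "FAIL"), prompts, trace
```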

Troubleshooting

result: 32 No such object

Error:

ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Fix: give ldapsearch the base DN to search under:

ldapsearch -x -b "dc=mycompany,dc=com"
...
result: 4 Size limit exceeded

# numResponses: 501
# numEntries: 500

LDAP Editors

[Optional] [Not used in this manual] ldapvi: there is also a vi-based LDAP browser that allows you to change the LDAP directory.

aptitude install ldapvi
#Then, to use it:
ldapvi -D "cn=admin,dc=mycompany,dc=com"
