Friday, October 3, 2008

Howto Configure Ubuntu 8.04 Hardy LDAP Client

Install LDAP Client:

#apt-get install libnss-ldap libpam-ldap nscd

LDAP server Uniform Resource Identifier: ldap://ldap.debuntu.local/
Distinguished name of the search base: dc=debuntu,dc=local
LDAP Version: 3
Make local root database admin: yes
Database require logging in: No
LDAP account for root: cn=admin,dc=debuntu,dc=local
Root login password: XXXX

libnss-ldap lets the system use LDAP as a naming service, libpam-ldap allows PAM to authenticate users through LDAP, and finally nscd is a password, group and host lookup daemon which caches results so the LDAP server won't be queried every time authentication has to be done.

Now, let's edit the files and make sure you get the following settings:

#vi /etc/ldap.conf
host ldap.debuntu.local ( or put the LDAP server IP )
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local
#uri ldapi://ldap.debuntu.local/ ( Comment out this variable )

#vi /etc/ldap.secret
XXXXX ( make sure this is correct password for ldap server login )

#vi /etc/ldap/ldap.conf
BASE dc=debuntu,dc=local
URI ldap://debuntu.local


#vi /etc/hosts
10.0.5.100 ldap.debuntu.local ldap

The PAM configuration files need to be modified a bit, like this:

#vi /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
#if you want user homedir to be created on first login
#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent

#vi /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

#vi /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5

#vi /etc/pam.d/common-session
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so

Finally, let's edit nsswitch so the system will be able to switch from local system authentication to ldap authentication.

# vim /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
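
The following script is an added example, not part of the original post: it checks the three files edited above (/etc/ldap.conf, /etc/ldap.secret and /etc/nsswitch.conf) for the settings the walkthrough asks for. The point a practitioner should not skip is the second check: /etc/ldap.secret holds the rootbinddn password in clear text, so anything other than mode 0600 owned by root hands the directory admin password to every local user. The sample files below are constructed to mirror the walkthrough; with no arguments the functions read the real system files.

```shell
#!/bin/sh
# Added example, not from the original post: checks that the files edited above
# carry the settings the walkthrough asks for, and that the bind password file
# is readable by root only. Each function takes a file path so it can run on
# the constructed samples below; with no argument it uses the real
# /etc/ldap.conf, /etc/ldap.secret or /etc/nsswitch.conf.

# Print the value of an active (uncommented) directive, e.g. "base".
# A commented line such as "#uri ..." has "#uri" as its first field, so it
# never matches and is treated as absent.
ldap_conf_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# host, base and rootbinddn must be set; uri must be commented out, as the
# walkthrough instructs.
check_ldap_conf() {
    f=${1:-/etc/ldap.conf}
    for k in host base rootbinddn; do
        [ -n "$(ldap_conf_value "$f" "$k")" ] || { echo "$f: missing $k"; return 1; }
    done
    [ -z "$(ldap_conf_value "$f" uri)" ] || { echo "$f: uri is still active"; return 1; }
}

# The rootbinddn password is stored in clear text in /etc/ldap.secret, so the
# file must be mode 0600 (ls shows -rw-------). Ownership by root is also
# required but is not checked here, because the sample file below is created
# by whichever user runs the script.
check_secret_perms() {
    f=${1:-/etc/ldap.secret}
    [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ]
}

# passwd, group and shadow must each list ldap as a source.
check_nsswitch() {
    f=${1:-/etc/nsswitch.conf}
    for db in passwd group shadow; do
        awk -v d="$db:" '$1 == d { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
                         END { exit !ok }' "$f" || { echo "$f: $db does not list ldap"; return 1; }
    done
}

# Constructed sample files mirroring the walkthrough (not copied from a live
# system). The ".bad" variants show what each check catches.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ldap.conf" <<'EOF'
host ldap.debuntu.local
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local
#uri ldapi://ldap.debuntu.local/
EOF
cat > "$SAMPLE_DIR/ldap.conf.bad" <<'EOF'
host ldap.debuntu.local
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local
uri ldapi://ldap.debuntu.local/
EOF
printf 'PLACEHOLDER-PASSWORD\n' > "$SAMPLE_DIR/ldap.secret"
chmod 600 "$SAMPLE_DIR/ldap.secret"
printf 'PLACEHOLDER-PASSWORD\n' > "$SAMPLE_DIR/ldap.secret.bad"
chmod 644 "$SAMPLE_DIR/ldap.secret.bad"
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n' > "$SAMPLE_DIR/nsswitch.conf"
printf 'passwd: files ldap\ngroup: files\nshadow: files ldap\n' > "$SAMPLE_DIR/nsswitch.conf.bad"

# Run the checks on the good samples; on a real client call them with no arguments.
check_ldap_conf "$SAMPLE_DIR/ldap.conf" && check_secret_perms "$SAMPLE_DIR/ldap.secret" \
    && check_nsswitch "$SAMPLE_DIR/nsswitch.conf" && echo "LDAP client settings look consistent"
```

On a freshly configured client, run the three functions with no arguments as root; any message printed names the file and the setting that still needs attention, and a wrong mode on /etc/ldap.secret is the first thing to fix.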

It's better to reboot the system before you start to try the LDAP client connection. With these settings, login is tried against the local system users first. If no match is found, it will then try to authenticate against the LDAP server.
Now, you should be able to log in on any client using any LDAP user's details.

Compare the user list from /etc/passwd with the list the LDAP client sees:

# cat /etc/passwd ( Grab the user list from the local system; my result looks like this )
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
sysadmin:x:1000:1000:administrator,,,:/home/sysadmin:/bin/bash
openldap:x:105:113:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false

# getent passwd ( Grab the user list from the LDAP server; my result looks like this )
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
sysadmin:x:1000:1000:administrator,,,:/home/sysadmin:/bin/bash
openldap:x:105:113:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
sysadmin:x:1000:1000:administrator:/home/sysadmin:/bin/bash
kenneth:x:1001:1001:kenneth:/home/kenneth:/bin/bash
hansel:x:1002:1001:hansel:/home/hansel:/bin/bash
There are more users from the LDAP server that are not in the local list. Now try playing around with an LDAP user:
# touch 1
# ls -l
-rw-r--r-- 1 root root 0 2008-10-04 00:31 1
# chown kenneth 1
# ls -l
-rw-r--r-- 1 kenneth root 0 2008-10-04 00:31 1
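
Reading the two listings by eye works for a handful of accounts but not for a real directory, so here is an added example (not from the original post) that does the comparison with awk: it prints the accounts that exist only in the directory and flags UIDs shared by more than one entry. The second check matters because the getent output above shows sysadmin twice with UID 1000, once from /etc/passwd and once from LDAP; two accounts that resolve to one numeric ID are indistinguishable to file ownership and process credentials. The sample files are constructed from a trimmed copy of the listings above.

```shell
#!/bin/sh
# Added example, not from the original post: compares the local passwd file
# with the merged list that "getent passwd" returns once nsswitch includes
# ldap. It lists directory-only accounts and flags UIDs shared by more than
# one entry. Both functions take file paths so they run on the constructed
# samples below; on a live client save "getent passwd" to a file first and
# pass /etc/passwd and that file.

# Login names present in the merged list but absent from the local file.
directory_only_users() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             !($1 in seen) { print $1 }' "$1" "$2"
}

# UIDs that appear on more than one line of the merged list, with the names
# sharing them. The walkthrough's own getent output shows "sysadmin" twice with
# UID 1000: a local account and a directory account that resolve to the same
# numeric ID, so file ownership and process credentials cannot tell them apart.
uid_collisions() {
    awk -F: '{ count[$3]++; names[$3] = names[$3] (names[$3] ? "," : "") $1 }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1"
}

# Constructed samples, trimmed from the listings above (not a live system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd.local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sysadmin:x:1000:1000:administrator,,,:/home/sysadmin:/bin/bash
openldap:x:105:113:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
EOF
cat > "$SAMPLE_DIR/passwd.getent" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sysadmin:x:1000:1000:administrator,,,:/home/sysadmin:/bin/bash
openldap:x:105:113:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
sysadmin:x:1000:1000:administrator:/home/sysadmin:/bin/bash
kenneth:x:1001:1001:kenneth:/home/kenneth:/bin/bash
hansel:x:1002:1001:hansel:/home/hansel:/bin/bash
EOF

echo "directory-only users:"
directory_only_users "$SAMPLE_DIR/passwd.local" "$SAMPLE_DIR/passwd.getent"
echo "uid collisions (uid:names):"
uid_collisions "$SAMPLE_DIR/passwd.getent"
```

On a real client, `getent passwd > /tmp/getent.out` followed by `uid_collisions /tmp/getent.out` is enough to find every clash between local and directory accounts; the usual fix is to remove the duplicate from whichever side should not own that UID.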

- Beginner problem in LDAP Client -
"Could not chdir to home directory /home/user: No such file or directory". This problem appears when a user logs in and the system can't find a home directory for that user, so let the system auto-create the home directory for every LDAP user when they log in.
To solve this problem, edit /etc/pam.d/common-session and add this line:
session required pam_mkhomedir.so skel=/etc/skel/
