I wanted to use LDAP to authenticate users on several computers and for several services. It took me a while to find out how to set this up. This page provides the information you need to use OpenLDAP to authenticate users.
Before you can use OpenLDAP, you have to install it:
apt-get install slapd ldap-utils libldap2
Now you need to configure OpenLDAP. The configuration lives in two files in the /etc/ldap directory: ldap.conf and slapd.conf.
In ldap.conf, make sure the BASE and URI lines look like:
BASE dc=debooy, dc=eu
URI ldap://ldap.debooy.eu/
In slapd.conf, make sure there are two index entries:
index objectClass eq
index uid eq
Also consider setting the loglevel to 256, perhaps only temporarily while you debug.
Now restart OpenLDAP so it uses the new configuration, then check the contents:
invoke-rc.d slapd stop
slapindex
chown openldap:openldap /var/lib/ldap/*
ls -l /var/lib/ldap/
invoke-rc.d slapd start
ldapsearch -x
The result should look like:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# debooy.eu
dn: dc=debooy,dc=eu
objectClass: top
objectClass: dcObject
objectClass: organization
o: debooy.eu
dc: debooy

# admin, debooy.eu
dn: cn=admin,dc=debooy,dc=eu
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
Now that OpenLDAP is responding, we can start filling it with a tree structure to hold the users and groups. To do so, make an LDIF file with the required entries:
dn: ou=People,dc=debooy,dc=eu
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=debooy,dc=eu
ou: Group
objectClass: organizationalUnit
Load it with the following command:
ldapadd -c -x -D cn=admin,dc=debooy,dc=eu -W -f initldap.ldif
Now that the structure is present, we can insert the users. For each user, create a file like:
dn: cn=dummy,ou=group,dc=debooy,dc=eu
cn: dummy
gidNumber: 20000
objectClass: top
objectClass: posixGroup

dn: uid=dummy,ou=people,dc=debooy,dc=eu
uid: dummy
uidNumber: 20000
gidNumber: 20000
cn: dummy, john
sn: dummy
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/dummy
Insert the file with the command:
ldapadd -c -x -D cn=admin,dc=debooy,dc=eu -W -f user.ldif
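As an added example (not part of the original page), here is a small Python checker for LDIF files like the ones above: it parses the entries, verifies the attributes RFC 2307 requires for posixAccount and posixGroup, and flags what would quietly break logins, namely a user without a userPassword (the dummy entry above has none, so a password login for it fails until one is set, for instance with ldappasswd), a gidNumber with no matching posixGroup, and a uidNumber or gidNumber used twice. SAMPLE is constructed from the page's dummy entries, trimmed to the essentials.

```python
# Added example, not from the page: a checker for the posixAccount/posixGroup LDIF loaded with ldapadd.
REQUIRED = {  # MUST attributes per object class (RFC 2307), lowercased
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
}

def parse_ldif(text):
    """Split LDIF text into entries, each a dict {attribute (lowercased): [values]}."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries + [current] if current else entries

def check_ldif(text):
    """Return the problems found in the LDIF text; an empty list means it looks sane."""
    tagged = [(e, {c.lower() for c in e.get("objectclass", [])}) for e in parse_ldif(text)]
    group_gids = {g for e, cs in tagged if "posixgroup" in cs for g in e.get("gidnumber", [])}
    problems, seen = [], {}
    for e, classes in tagged:
        dn = e.get("dn", ["?"])[0]
        for cls in sorted(classes & set(REQUIRED)):
            for attr in sorted(REQUIRED[cls] - set(e)):
                problems.append(f"{dn}: {cls} requires {attr}")
        if "posixaccount" in classes:
            if "userpassword" not in e:  # true of the page's dummy user as written
                problems.append(f"{dn}: no userPassword, password logins will fail")
            for gid in e.get("gidnumber", []):
                if gid not in group_gids:
                    problems.append(f"{dn}: gidNumber {gid} has no posixGroup")
        # uidNumber (accounts) and gidNumber (groups) must be unique or NSS lookups are ambiguous
        for kind, cls in (("uidnumber", "posixaccount"), ("gidnumber", "posixgroup")):
            for num in e.get(kind, []) if cls in classes else []:
                if (kind, num) in seen:
                    problems.append(f"{dn}: {kind} {num} already used by {seen[kind, num]}")
                seen[kind, num] = dn
    return problems

# Constructed sample: the page's dummy group and user, trimmed to the essentials.
SAMPLE = "\n".join([
    "dn: cn=dummy,ou=Group,dc=debooy,dc=eu", "cn: dummy", "gidNumber: 20000", "objectClass: posixGroup",
    "", "dn: uid=dummy,ou=People,dc=debooy,dc=eu", "uid: dummy", "uidNumber: 20000", "gidNumber: 20000",
    "cn: dummy", "objectClass: posixAccount", "homeDirectory: /home/dummy",
])
```

Run check_ldif on a user.ldif before ldapadd; for SAMPLE it reports only the missing userPassword.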
Now install the packages to use LDAP with NSS and PAM:
apt-get install libnss-ldap nscd
apt-get install libpam-ldap
For both LDAP packages the installer asks questions. Reply No to each question; for the security question, reply crypt. nscd is the Name Service Cache Daemon; it caches password, group and host information, so when /etc/nsswitch.conf is changed the new configuration is not used until nscd is restarted. Change the passwd, group and shadow lines in /etc/nsswitch.conf to:
passwd: files ldap
group: files ldap
shadow: files ldap
Also change /etc/libnss-ldap.conf:
base dc=debooy,dc=eu
uri ldap://ldap.debooy.eu/
Restart the nscd service to clear the cache:
invoke-rc.d nscd stop
invoke-rc.d nscd start
Now we can change the PAM configuration. For this you need to change four files (on Debian these are /etc/pam_ldap.conf and, under /etc/pam.d, common-account, common-auth and common-session). In /etc/pam_ldap.conf:
base dc=debooy,dc=eu
uri ldap://ldap.debooy.eu/
In common-account:
account sufficient pam_unix.so
account required pam_ldap.so
In common-auth:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
In common-session:
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Now you can check whether the user is known. If so, you can log on as this user, and the home directory is created as a result:
id dummy
su - dummy