just a quick and dirty guide on how to set up LDAP and authentication via LDAP on Debian Wheezy boxes.
heavily used as reference were
- http://geco.phys.columbia.edu/~jrollins/howtos/ldap.html,
- http://wiki.debian.org/LDAP/PAM and
- http://wiki.debian.org/LDAP/NSS
LDAP Server
first, we need to set up the LDAP server, so let's install OpenLDAP.
aptitude install slapd ldap-utils
there are some answers to give, at least with a
dpkg-reconfigure slapd
- Omit OpenLDAP server configuration? No
- DNS domain name: rekmp.net
- Organization name: rekmp.net
- Administrator password: <choose one>
- Confirm password: <the same>
- Database backend to use: HDB
- Do you want the database to be removed when slapd is purged? No
- Move old database? Yes
- Allow LDAPv2 protocol? No
adapt BASE and URI in /etc/ldap/ldap.conf
BASE dc=rekmp,dc=net
URI ldap://ldap.rekmp.net/
your LDAP server is now configured and running. if you are interested in the configuration itself, just do a
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
in any case we need to add two organizationalUnits for the users and the groups. create a file called orgunits.ldif with the following contents.
dn: ou=Groups,dc=rekmp,dc=net
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=rekmp,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit
and add it into your LDAP database
ldapadd -x -D cn=admin,dc=rekmp,dc=net -w <password> -f orgunits.ldif
to check if it was successful you can have a look w/
ldapsearch -x -D cn=admin,dc=rekmp,dc=net -w <password>
it should look like the following
# extended LDIF
#
# LDAPv3
# base <dc=rekmp,dc=net> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# rekmp.net
dn: dc=rekmp,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: rekmp.net
dc: rekmp

# admin, rekmp.net
dn: cn=admin,dc=rekmp,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <censored :-)>

# Groups, rekmp.net
dn: ou=Groups,dc=rekmp,dc=net
ou: Groups
objectClass: top
objectClass: organizationalUnit

# People, rekmp.net
dn: ou=People,dc=rekmp,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
the first user we set up directly with ldapadd. so create a file called newuser.ldif
dn: uid=tux,ou=People,dc=rekmp,dc=net
uid: tux
cn: Tux Pinguin
givenName: Tux
sn: Pinguin
mail: tux@rekmp.net
objectClass: inetOrgPerson
objectClass: posixAccount
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/tux

dn: cn=tux,ou=Groups,dc=rekmp,dc=net
objectClass: posixGroup
cn: tux
gidNumber: 1000
and add it to your database the same way as before.
ldapadd -x -D cn=admin,dc=rekmp,dc=net -w <password> -f newuser.ldif
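writing newuser.ldif by hand gets old after the second user, so here is a small POSIX sh helper that generates the user/group pair above for any login name and numeric id. this is an added example, not part of the original post: the functions, the /root/.ldap-admin-pw password file path and the passwd-format file checked for id collisions are my own assumptions. it refuses login names that could smuggle extra lines into the LDIF and warns when the uidNumber is already taken by a local account in /etc/passwd, which would otherwise give two different users the same id once nslcd is active.

```shell
#!/bin/sh
# Added example (not from the original guide): generate the LDIF for a posixAccount
# plus its private posixGroup, as in newuser.ldif, for arbitrary users.
LC_ALL=C; export LC_ALL           # make character ranges below byte-based
BASE_DN="dc=rekmp,dc=net"
MAIL_DOMAIN="rekmp.net"

# valid_login_name NAME -> 0 if NAME is a plain lowercase POSIX login name.
# Rejects empty names, names starting with a digit or '-', and anything with
# characters outside [a-z0-9_-]; a newline in the name would otherwise let the
# caller inject additional LDIF attributes into the generated entry.
valid_login_name() {
    [ -n "$1" ] || return 1
    case "$1" in [0-9]*|-*) return 1 ;; esac
    [ "$(printf '%s' "$1" | tr -cd 'a-z0-9_-')" = "$1" ]
}

# local_id_taken PASSWD_FILE UIDNUMBER -> 0 if a local account already uses that uid.
local_id_taken() {
    awk -F: -v u="$2" '$3 == u { found = 1 } END { exit !found }' "$1"
}

# user_ldif LOGIN UIDNUMBER GIVENNAME SURNAME -> LDIF for the user and its group on stdout.
# The group gets the same number as the user (gidNumber == uidNumber), like tux/1000.
user_ldif() {
    _login="$1"; _num="$2"; _given="$3"; _sn="$4"
    valid_login_name "$_login" || { echo "invalid login name: $_login" >&2; return 1; }
    case "$_num" in ''|*[!0-9]*) echo "uidNumber must be numeric: $_num" >&2; return 1 ;; esac
    cat <<EOF
dn: uid=${_login},ou=People,${BASE_DN}
uid: ${_login}
cn: ${_given} ${_sn}
givenName: ${_given}
sn: ${_sn}
mail: ${_login}@${MAIL_DOMAIN}
objectClass: inetOrgPerson
objectClass: posixAccount
loginShell: /bin/bash
uidNumber: ${_num}
gidNumber: ${_num}
homeDirectory: /home/${_login}

dn: cn=${_login},ou=Groups,${BASE_DN}
objectClass: posixGroup
cn: ${_login}
gidNumber: ${_num}
EOF
}

# add_ldif FILE: load an LDIF into the server. The bind password is read with -y
# from a root-only file (assumed path) instead of being passed with -w, where it
# would end up in the shell history and be visible to everyone in `ps`.
add_ldif() {
    ldapadd -x -D "cn=admin,${BASE_DN}" -y /root/.ldap-admin-pw -f "$1"
}

# Usage when run as a script: newuser.sh LOGIN UIDNUMBER GIVENNAME SURNAME > newuser.ldif
if [ "$#" -eq 4 ]; then
    if local_id_taken /etc/passwd "$2"; then
        echo "warning: uid $2 is already used by a local account in /etc/passwd" >&2
    fi
    user_ldif "$@"
fi
```

feed the output to `add_ldif newuser.ldif` (or to the ldapadd line above) and then verify with the same ldapsearch as before.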
the LDAP server is now finished. if you like, you can just play around with phpldapadmin or ldap-account-manager.
LDAP client
just install
aptitude install libpam-ldapd libnss-ldapd nslcd
and give the following answer for libnss-ldapd
- [*] group, [*] passwd, [*] shadow
and the following for nslcd
- LDAP server URI: ldap://ldap.rekmp.net/
- LDAP server search base: dc=rekmp,dc=net
- LDAP authentication to use: none
- Use StartTLS? No
additionally you need to modify /etc/nslcd.conf so that root can change users' passwords. (with the two answers above nslcd also talks to the server unauthenticated and in clear text, so only do this on a network you trust, and since the file now contains the admin password keep it readable by root and the nslcd group only.)
# The DN used for password modifications by root.
rootpwmoddn cn=admin,dc=rekmp,dc=net
rootpwmodpw <password>
don’t forget to restart nslcd
/etc/init.d/nslcd restart
test it w/ id and getent
id tux
getent passwd tux
that’s it, you are finished. 🙂 enjoy it.