Authentication via LDAP

Debian / LDAP

just a quick and dirty guide on how to set up LDAP and authentication via LDAP on Debian Wheezy boxes.


the following were used heavily as references

LDAP Server

first, we need to set up the LDAP server, so let's install OpenLDAP.

aptitude install slapd ldap-utils

there are some answers to give, at least with a

dpkg-reconfigure slapd
  • Omit OpenLDAP server configuration? No
  • DNS domain name: rekmp.net
  • Organization name: rekmp.net
  • Administrator password: <choose one>
  • Confirm password: <the same>
  • Database backend to use: HDB
  • Do you want the database to be removed when slapd is purged? No
  • Move old database? Yes
  • Allow LDAPv2 protocol? No

adapt BASE and URI in /etc/ldap/ldap.conf

BASE dc=rekmp,dc=net
URI ldap://ldap.rekmp.net/

your LDAP server is now configured and running. if you are interested in the configuration itself, just do a

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

in any case we need to add two organizationalUnits, one for the users and one for the groups, so create a file called orgunits.ldif with the following contents.

dn: ou=Groups,dc=rekmp,dc=net
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=rekmp,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit

and add it into your LDAP database

ldapadd -x -D cn=admin,dc=rekmp,dc=net -w <password> -f orgunits.ldif

to check if it was successful you can have a look w/

ldapsearch -x -D cn=admin,dc=rekmp,dc=net -w <password>

it should look like the following

# extended LDIF
#
# LDAPv3
# base  (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# rekmp.net

dn: dc=rekmp,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: rekmp.net
dc: rekmp

# admin, rekmp.net
dn: cn=admin,dc=rekmp,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <censored :-)>

# Groups, rekmp.net
dn: ou=Groups,dc=rekmp,dc=net
ou: Groups
objectClass: top
objectClass: organizationalUnit

# People, rekmp.net
dn: ou=People,dc=rekmp,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

we will set up the first user directly with ldapadd, so create a file called newuser.ldif

dn: uid=tux,ou=People,dc=rekmp,dc=net
uid: tux
cn: Tux Pinguin
givenName: Tux
sn: Pinguin
mail: tux@rekmp.net
objectClass: inetOrgPerson
objectClass: posixAccount
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/tux

dn: cn=tux,ou=Groups,dc=rekmp,dc=net
objectClass: posixGroup
cn: tux
gidNumber: 1000

and add it to your database the same way as before.

ldapadd -x -D cn=admin,dc=rekmp,dc=net -w <password> -f newuser.ldif
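as an added example (not part of the original guide), the shell functions below generate the same two-entry LDIF for any user instead of writing it by hand, check the uid and uidNumber first, and hand the result to ldapadd. the base DN, OU names and mail domain are taken from the guide; the password file /etc/ldap/admin.pw is an assumption, and reading it with -y keeps the admin password out of the process list, where -w <password> would be visible to every local user.

```shell
#!/bin/sh
# Added example, not from the original post. Same tree as the guide:
# users under ou=People, groups under ou=Groups, base dc=rekmp,dc=net.
BASE_DN="dc=rekmp,dc=net"
MAIL_DOMAIN="rekmp.net"

# is_uint VALUE -> success if VALUE is a non-negative integer
is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# user_ldif UID GIVENNAME SURNAME UIDNUMBER [LOGINSHELL]
# Prints the posixAccount entry and a matching posixGroup, exactly as
# newuser.ldif in the guide does (gidNumber = uidNumber, home = /home/UID).
# Refuses ids below 1000 so LDAP users never collide with local system accounts.
user_ldif() {
  uid=$1; given=$2; sn=$3; num=$4; shell=${5:-/bin/bash}
  is_uint "$num" && [ "$num" -ge 1000 ] || {
    echo "uidNumber must be an integer >= 1000" >&2; return 1; }
  case "$uid" in
    [a-z_]*) ;;
    *) echo "uid must start with a lowercase letter or underscore" >&2; return 1 ;;
  esac
  printf 'dn: uid=%s,ou=People,%s\n' "$uid" "$BASE_DN"
  printf 'uid: %s\ncn: %s %s\ngivenName: %s\nsn: %s\n' "$uid" "$given" "$sn" "$given" "$sn"
  printf 'mail: %s@%s\n' "$uid" "$MAIL_DOMAIN"
  printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\n'
  printf 'loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: /home/%s\n\n' \
    "$shell" "$num" "$num" "$uid"
  printf 'dn: cn=%s,ou=Groups,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' \
    "$uid" "$BASE_DN" "$uid" "$num"
}

# add_user UID GIVENNAME SURNAME UIDNUMBER [LOGINSHELL]
# Feeds the LDIF to ldapadd. The admin password is read from a root-only file
# (assumed path; create it with: printf '%s' 'secret' > /etc/ldap/admin.pw,
# no trailing newline, mode 0600) via -y, so it never appears in `ps` output.
add_user() {
  user_ldif "$@" | ldapadd -x -D "cn=admin,$BASE_DN" -y /etc/ldap/admin.pw
}
```

run it as `add_user tux Tux Pinguin 1000` to reproduce the guide's newuser.ldif step, or `user_ldif ...` alone to just look at the generated LDIF.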

the LDAP server is now finished. if you like, you can just play around with phpldapadmin or ldap-account-manager.

LDAP client

just install

aptitude install libpam-ldapd libnss-ldapd nslcd

and give the following answer for libnss-ldapd

  • [*] group, [*] passwd, [*] shadow

and the following for nslcd

  • LDAP server URI: ldap://ldap.rekmp.net/
  • LDAP server search base: dc=rekmp,dc=net
  • LDAP authentication to use: none
  • Use StartTLS? No

additionally you need to modify /etc/nslcd.conf so that root is able to change passwords

# The DN used for password modifications by root.
rootpwmoddn cn=admin,dc=rekmp,dc=net
rootpwmodpw <password>

don’t forget to restart nslcd

/etc/init.d/nslcd restart

test it w/ id and getent

id tux
getent passwd tux

that’s it, you are finished. 🙂 enjoy it.