Documentation for LDAP Installation
based on
Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
Using bytesare.us as domain name
Config files (on Ubuntu 12.04)
/etc/default/slapd
/usr/share/slapd/slapd.conf
/usr/share/slapd/DB_CONFIG
Setup and configure a local LDAP server
Install packages:
root@testkraxn ~ # apt-get install slapd nss-updatedb ldap-utils
Server configuration:
root@testkraxn ~ # dpkg-reconfigure slapd
Omit OpenLDAP server configuration? <No>
DNS domain name: bytesare.us
Organization name: BytesAreUs
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? <No>
Move old database? <Yes>
Check if your config database was created properly by firing test searches.
root@testkraxn ~ # ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn ...
root@testkraxn ~ # ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=bytesare,dc=us
dn: dc=bytesare,dc=us
objectClass: top
objectClass: dcObject
objectClass: organization
o: BytesAreUs
dc: bytesare

dn: cn=admin,dc=bytesare,dc=us
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
Migrate current system to ldap database using migrationtools
Install the migration scripts utility package and edit its config file to match your system.
Then run the scripts to create an initial migration ldif file.
root@testkraxn ~ # apt-get install migrationtools
root@testkraxn ~ # vim /etc/migrationtools/migrate_common.ph
# Adjust the following lines:
$DEFAULT_MAIL_DOMAIN = "bytesare.us";
$DEFAULT_BASE = "dc=bytesare,dc=us";
$DEFAULT_MAIL_HOST = "mail.bytesare.us";
$IGNORE_UID_BELOW = 1000;
$IGNORE_UID_ABOVE = 9999;
root@testkraxn ~ # cd /usr/share/migrationtools
root@testkraxn /usr/share/migrationtools # { ./migrate_base.pl; \
    ./migrate_passwd.pl /etc/passwd; \
    ./migrate_group.pl /etc/group; } > ~/migrationtools.ldif
Run the ldif script to import your current users into the ldap database.
root@testkraxn ~ # ldapadd -r -h 127.0.0.1 -D "cn=admin,dc=bytesare,dc=us" \
    -f ~/migrationtools.ldif
Creating naming context entries...
slapadd: could not add entry dn="dc=bytesare,dc=us" (line=1): txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30995)
Migration failed: saving failed LDIF to /tmp/nis.4809.ldif
The migration failed because the generated ldif starts with the dc=bytesare,dc=us entry, which dpkg-reconfigure slapd had already created.
Comment out that first entry in the ldif and add the file manually with ldapadd.
(I needed a few trial-and-error iterations until the command finished.
Some entries in the generated ldif are screwed up, but the error
messages are very helpful.
You can revert your ldap directory with dpkg-reconfigure slapd after a
failed import attempt.)
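The hand-editing described above (dropping the entries that dpkg-reconfigure slapd already created before feeding the migrationtools output to ldapadd) can be done mechanically. The following Python 3 helper is an added example, not part of the original page or of migrationtools: it parses the LDIF produced by migrate_base.pl and migrate_passwd.pl, including RFC 2849 folded lines, and removes every record whose DN is listed in EXISTING_DNS (the two DNs the ldapsearch of the fresh database returned). The sample LDIF, the file name filter_ldif.py and the helper names are constructed for the example; add any further DN that a failed import reports as DB_KEYEXIST to the set.

```python
import sys
from typing import List, Set, Tuple

# DNs that "dpkg-reconfigure slapd" already created in the directory; taken
# from the ldapsearch output of the fresh database above. Extend this set with
# any other DN a failed import reports as DB_KEYEXIST.
EXISTING_DNS: Set[str] = {
    "dc=bytesare,dc=us",
    "cn=admin,dc=bytesare,dc=us",
}

# Constructed sample in the shape migrate_base.pl / migrate_passwd.pl emit,
# including one folded line (a leading space continues the previous line).
SAMPLE_LDIF = """\
dn: dc=bytesare,dc=us
dc: bytesare
objectClass: top
objectClass: domain

dn: ou=People,dc=bytesare,dc=us
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=ldaptestuser1,ou=People,dc=bytesare,dc=us
uid: ldaptestuser1
cn: ldaptestuser1
objectClass: account
objectClass: posixAccount
objectClass: top
uidNumber: 8000
gidNumber: 117
homeDirectory: /home/ldaptest
 user1
"""


def parse_ldif(text: str) -> List[List[str]]:
    """Split LDIF text into records, each a list of unfolded 'attr: value' lines.

    Records are separated by blank lines, comment lines are dropped, and a line
    starting with a single space continues the previous line (RFC 2849 folding).
    """
    records: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def record_dn(record: List[str]) -> str:
    """Return the DN of a record ('' if it has no dn: line)."""
    for line in record:
        if line.lower().startswith("dn:"):
            return line.split(":", 1)[1].strip()
    return ""


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def drop_existing(text: str, existing: Set[str]) -> Tuple[str, List[str]]:
    """Return (filtered LDIF, list of dropped DNs).

    Every record whose DN is already present in the directory is removed, so
    ldapadd no longer aborts with DB_KEYEXIST on the first entry.
    """
    wanted = {normalize_dn(d) for d in existing}
    kept: List[List[str]] = []
    dropped: List[str] = []
    for rec in parse_ldif(text):
        dn = record_dn(rec)
        if normalize_dn(dn) in wanted:
            dropped.append(dn)
        else:
            kept.append(rec)
    out = "\n\n".join("\n".join(rec) for rec in kept)
    return (out + "\n" if out else ""), dropped


if __name__ == "__main__":
    # Usage: python3 filter_ldif.py ~/migrationtools.ldif > ~/migrationtools-filtered.ldif
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    filtered, removed = drop_existing(source, EXISTING_DNS)
    sys.stdout.write(filtered)
    for dn in removed:
        print("dropped existing entry: " + dn, file=sys.stderr)
```

Run it over ~/migrationtools.ldif and pass the filtered file to ldapadd instead; the dropped DNs are reported on stderr so you can confirm only the pre-existing entries were skipped.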
Test your server with a search for a user:
In this example the root user is looked up.
root@testkraxn ~ # ldapsearch -x -b 'ou=People,dc=bytesare,dc=us' 'uid=ldaptestuser1'
root@testkraxn ~ # ldapsearch -h 127.0.0.1 -D "cn=admin,dc=bytesare,dc=us" -W -b 'ou=People,dc=bytesare,dc=us' 'uid=ldaptestuser1'
root@testkraxn ~ # ldapsearch -x -b 'ou=People,dc=bytesare,dc=us' '(objectClass=posixAccount)' dn | grep uid
ldaptestuser1@testkraxn ~ % ldapsearch -h 127.0.0.1 -D "uid=ldaptestuser1,ou=People,dc=bytesare,dc=us" -W -b 'ou=People,dc=bytesare,dc=us' 'uid=ldaptestuser1'
The server is set up. Great!
You should be able to test it from a different host:
tester@differenthost ~ % ldapsearch -h 192.168.56.101 \
-b 'ou=People,dc=bytesare,dc=us' -D 'cn=admin,dc=bytesare,dc=us' 'cn=root' -W
CREATING SNAPSHOT OF VM "LDAP SERVER SET UP"
Setup and configure client authentication
Install necessary packages:
root@testkraxn ~ # apt-get install ldap-auth-config ldap-auth-client nscd
# Configuring ldap-auth-config (can be re-run with 'dpkg-reconfigure ldap-auth-config'):
Distinguished name of the search base: dc=bytesare,dc=us
LDAP server Uniform Resource Identifier: ldap:///127.0.0.1
LDAP version to use: 3
Make local root Database admin: <Yes>
Does the LDAP database require login? <No>
LDAP account for root: <cn=admin,dc=bytesare,dc=us>
LDAP root account password:
Local crypt to use when changing passwd: <crypt (default)>
Configure your client settings
root@testkraxn ~ # vim /etc/ldap/ldap.conf
BASE dc=bytesare,dc=us
HOST 127.0.0.1
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Enable ldap lookups for authentication (see also: Ubuntu Wiki). Check the available profiles first.
root@testkraxn /home/andre # auth-client-config -l
Available profiles are:
cracklib
kerberos_example
lac_ldap
ldap_example
root@testkraxn /home/andre # auth-client-config -L
Available types are:
nss
pam-account
pam-auth
pam-password
pam-session
root@testkraxn ~ # auth-client-config -t nss -p lac_ldap
root@testkraxn ~ # pam-auth-update
root@testkraxn ~ # /etc/init.d/nscd restart
 * Restarting Name Service Cache Daemon nscd        [ OK ]
Test your ldap client configuration:
(see also: youtube)
First, create a test user that exists only in the LDAP directory, using an ldif file:
root@testkraxn ~ # vim test.ldif
# ldaptestuser1, People, bytesare.us
dn: uid=ldaptestuser1,ou=People,dc=bytesare,dc=us
uid: ldaptestuser1
cn: ldaptestuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /usr/bin/zsh
uidNumber: 8000
gidNumber: 117
homeDirectory: /home/ldaptestuser1
gecos: ldaptestuser1,,,
userPassword: ldaptestuser1
root@testkraxn ~ # ldapadd -h 127.0.0.1 -D "cn=admin,dc=bytesare,dc=us" -f test.ldif -W
adding new entry "uid=ldaptestuser1,ou=People,dc=bytesare,dc=us"
root@testkraxn ~ # ldapsearch -x -b 'ou=People,dc=bytesare,dc=us' '(cn=ldaptestuser1)'
# extended LDIF
# base <ou=People,dc=bytesare,dc=us> with scope subtree
# filter: (cn=ldaptestuser1)
# ldaptestuser1, People, bytesare.us
dn: uid=ldaptestuser1,ou=People,dc=bytesare,dc=us
...
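The test.ldif above stores userPassword as the literal string ldaptestuser1, which means anyone who can read the entry can read the password. slapd also accepts the hashed form that slappasswd produces in the same attribute, and compares a bind password against it itself. The following Python 3 script is an added example, not part of the original page: it generates the same posixAccount/shadowAccount entry for ldaptestuser1 but with an RFC 2307 style {SSHA} userPassword, and includes the matching verify routine so the value can be checked before it is loaded with ldapadd. The helper names, the optional fixed salt and the file name are constructed for the example.

```python
import base64
import hashlib
import os
from typing import Optional

BASE_DN = "dc=bytesare,dc=us"
PEOPLE_OU = "ou=People," + BASE_DN


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 style '{SSHA}' value: base64(sha1(password + salt) + salt).

    This is the same layout slappasswd emits by default, so slapd can verify a
    simple bind against it without the directory ever holding the cleartext.
    A fresh 8-byte random salt is used unless one is supplied (a fixed salt is
    only useful for reproducible tests).
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against a '{SSHA}' value, as slapd does on simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def build_user_ldif(uid: str, uid_number: int, gid_number: int, password: str,
                    shell: str = "/usr/bin/zsh", salt: Optional[bytes] = None) -> str:
    """Produce the same entry as test.ldif above, with a hashed userPassword."""
    dn = "uid=%s,%s" % (uid, PEOPLE_OU)
    lines = [
        "dn: " + dn,
        "uid: " + uid,
        "cn: " + uid,
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
        "shadowMax: 99999",
        "shadowWarning: 7",
        "loginShell: " + shell,
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "homeDirectory: /home/" + uid,
        "gecos: %s,,," % uid,
        "userPassword: " + ssha_hash(password, salt),
    ]
    return "\n".join(lines) + "\n"


def password_from_ldif(ldif: str) -> str:
    """Pull the userPassword value back out of an LDIF entry (for checking)."""
    for line in ldif.splitlines():
        if line.startswith("userPassword:"):
            return line.split(":", 1)[1].strip()
    return ""


if __name__ == "__main__":
    # Writes the entry for the page's test user to stdout; redirect it to
    # test.ldif and load it with the ldapadd command shown above.
    print(build_user_ldif("ldaptestuser1", 8000, 117, "ldaptestuser1"), end="")
```

The rest of the procedure is unchanged: ldapadd loads the entry, and the su test below still succeeds because pam_ldap binds with the password the user types and slapd does the {SSHA} comparison on its side.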
Log in as the new user to verify that ldap authentication works. The user exists only in the ldap database and is still able to log on.
root@testkraxn ~ # tail -fn0 /var/log/auth.log &
[1] 6221
root@testkraxn ~ # su ldaptestuser1
Apr 17 17:39:52 testkraxn su[6231]: Successful su for ldaptestuser1 by root
Apr 17 17:39:52 testkraxn su[6231]: pam_unix(su:session): session opened for user ldaptestuser1 by tester(uid=0)
Remove the test user after the test:
root@testkraxn ~ # ldapdelete -h 127.0.0.1 -W -D "cn=admin,dc=bytesare,dc=us" "uid=ldaptestuser1,ou=People,dc=bytesare,dc=us"
Configure other applications to use ldap authentication
Joomla
Because Joomla is written in PHP, make sure the PHP LDAP extension is installed. If it is missing, Joomla just serves a blank page with no error message indicating why; troubleshooting this did indeed eat a few hours.
root@testkraxn ~ # apt-get install php5-ldap
Open up the joomla administrator interface and navigate to
Extensions ->
Plugin Manager ->
Authentication - LDAP.
Configure the settings according to your server; here I will use the server described above.
Host: 127.0.0.1
Port: 389
LDAP V3: Yes
Negotiate TLS: No
Follow Referrals: No
Authorisation Method: Bind Directly as User
Base DN: dc=bytesare,dc=us
Search String: uid=[search],ou=People,dc=bytesare,dc=us
User's DN: uid=[username],ou=People,dc=bytesare,dc=us
Connect Username: (blank)
Connect Password: (blank)
Map - Full Name: cn
Map - email: mail
Map - User ID: uid
Note: under some circumstances you might lock yourself out by enabling the ldap plugin.
To prevent this, always stay logged in as an administrator while experimenting with the
authentication plugins, so you can disable the plugin at any time.
You can test the authentication apart from the admin interface: just use the
non-administrative login to verify that the plugin works.
1. Make sure that the LDAP plugin is enabled.
2. Create an ldap user in your directory as in the previous chapter.
3. Also create a user with the same name in Joomla; make sure not to provide a password.
4. Try to log in as ldaptestuser1 on the home page.
Voilà: the user is logged in without ever having told Joomla a password!
5. Delete the test user from the directory as in the previous chapter.