LDAP Installation

Documentation for LDAP Installation

Based on Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS.
Using bytesare.us as the domain name.
Config files (on Ubuntu 12.04):
/etc/default/slapd
/usr/share/slapd/slapd.conf
/usr/share/slapd/DB_CONFIG

Set up and configure a local LDAP server

Install packages:

root@testkraxn ~ # apt-get install slapd nss-updatedb ldap-utils

Server configuration:

root@testkraxn ~ # dpkg-reconfigure slapd
Omit OpenLDAP server configuration? <No>
DNS domain name: bytesare.us
Organization name: BytesAreUs
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? <No>
Move old database? <Yes>

Check that your config database was created properly by running test searches.

root@testkraxn ~ # ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
...
root@testkraxn ~ # ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=bytesare,dc=us
dn: dc=bytesare,dc=us
objectClass: top
objectClass: dcObject
objectClass: organization
o: BytesAreUs
dc: bytesare

dn: cn=admin,dc=bytesare,dc=us
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

Migrate the current system users to the LDAP database using migrationtools

Install the migrationtools package and edit its config file to match your system.
Then run the scripts to create an initial migration LDIF file.

root@testkraxn ~ # apt-get install migrationtools
root@testkraxn ~ # vim /etc/migrationtools/migrate_common.ph
# Adjust the following lines:
$DEFAULT_MAIL_DOMAIN = "bytesare.us";
$DEFAULT_BASE = "dc=bytesare,dc=us";
$DEFAULT_MAIL_HOST = "mail.bytesare.us";
$IGNORE_UID_BELOW = 1000;
$IGNORE_UID_ABOVE = 9999;

root@testkraxn ~ # cd /usr/share/migrationtools
root@testkraxn /usr/share/migrationtools # { ./migrate_base.pl; \
./migrate_passwd.pl /etc/passwd; \
./migrate_group.pl /etc/group; } > ~/migrationtools.ldif

Import the generated LDIF file to add your current users to the LDAP database.

root@testkraxn ~ # ldapadd -r -h 127.0.0.1 -D "cn=admin,dc=bytesare,dc=us" \
    -f ~/migrationtools.ldif
Creating naming context entries...
slapadd: could not add entry dn="dc=bytesare,dc=us" (line=1):
    txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30995)
Migration failed: saving failed LDIF to /tmp/nis.4809.ldif

The migration script failed because it tried to add the dc=bytesare,dc=us entry, which already exists.

Let's comment out this first entry and add the LDIF manually. (I needed a few trial-and-error iterations until the command finished.
Some entries in the generated LDIF are screwed up, but the error messages are very helpful.
You can revert your LDAP directory with dpkg-reconfigure slapd after a failed import try.)
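The manual fix just described (dropping the naming-context entry that migrate_base.pl emits although slapd already created it) can be scripted. This is an added example, not part of the howto: it parses the generated LDIF, including folded continuation lines, and removes the entries whose DN you pass in. The LDIF below is a constructed sample standing in for the real migration output.

```python
# Constructed sample resembling migrate_base.pl / migrate_passwd.pl output.
SAMPLE_LDIF = """\
dn: dc=bytesare,dc=us
dc: bytesare
objectClass: top
objectClass: domain

dn: ou=People,dc=bytesare,dc=us
ou: People
objectClass: organizationalUnit

# user entry with a folded (continued) attribute line
dn: uid=ldaptestuser1,ou=People,dc=bytesare,dc=us
uid: ldaptestuser1
objectClass: posixAccount
homeDirectory: /home/ldaptest
 user1
"""

def parse_ldif(text):
    """Split LDIF into (dn, record_lines). Blank lines separate records,
    '#' lines are comments, a leading space continues the previous line."""
    records, current = [], []
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current:
            current[-1] += line[1:]           # unfold RFC 2849 continuation
        elif line == "":
            if current:
                records.append(current)
            current = []
        else:
            current.append(line)
    return [(next(l[3:].strip() for l in r if l.lower().startswith("dn:")), r)
            for r in records]

def normalize_dn(dn):
    """Lower-case and strip spaces around commas so DNs compare reliably."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def drop_existing(text, existing_dns):
    """Return LDIF without the entries whose DN the directory already holds."""
    skip = {normalize_dn(d) for d in existing_dns}
    kept = [r for dn, r in parse_ldif(text) if normalize_dn(dn) not in skip]
    return "\n\n".join("\n".join(r) for r in kept) + "\n"
```

Feed the filtered text to ldapadd instead of editing ~/migrationtools.ldif by hand; the DNs to skip are the ones your first ldapsearch against the base DN already returned.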
Test your server with a search for a user; in this example the root user is looked up.

root@testkraxn ~ # ldapsearch -x -b 'ou=People,dc=bytesare,dc=us' 'uid=ldaptestuser1'
root@testkraxn ~ # ldapsearch -h 127.0.0.1 -D "cn=admin,dc=bytesare,dc=us" -W -b 'ou=People,dc=bytesare,dc=us' 'uid=ldaptestuser1'
root@testkraxn ~ # ldapsearch -x -b 'ou=People,dc=bytesare,dc=us' '(objectClass=posixAccount)' dn | grep uid
ldaptestuser1@testkraxn ~ % ldapsearch -h 127.0.0.1 -D "uid=ldaptestuser1,ou=People,dc=bytesare,dc=us" -W -b 'ou=People,dc=bytesare,dc=us' 'uid=ldaptestuser1'

The server is set up. Great!
You should be able to test it from a different host:

tester@differenthost ~ % ldapsearch -h 192.168.56.101 \
    -b 'ou=People,dc=bytesare,dc=us' -D 'cn=admin,dc=bytesare,dc=us' 'cn=root' -W

CREATING SNAPSHOT OF VM "LDAP SERVER SET UP"

Set up and configure client authentication

Install necessary packages:

root@testkraxn ~ # apt-get install ldap-auth-config ldap-auth-client nscd
# Configuring ldap-auth-config (can be re-run with 'dpkg-reconfigure ldap-auth-config'):
Distinguished name of the search base:    dc=bytesare,dc=us
LDAP server Uniform Resource Identifier:  ldap://127.0.0.1/
LDAP version to use:                      3
Make local root Database admin:           <Yes>
Does the LDAP database require login?     <No>
LDAP account for root:                    <cn=admin,dc=bytesare,dc=us>
LDAP root account password:
Local crypt to use when changing passwd:  <crypt (default)>

Configure your client settings

root@testkraxn ~ # vim /etc/ldap/ldap.conf
BASE        dc=bytesare,dc=us
HOST        127.0.0.1
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt

Enable LDAP lookups for authentication (see also: Ubuntu Wiki). Check the available profiles first.

root@testkraxn /home/andre # auth-client-config -l
Available profiles are:
  cracklib
  kerberos_example
  lac_ldap
  ldap_example
root@testkraxn /home/andre # auth-client-config -L
Available types are:
  nss
  pam-account
  pam-auth
  pam-password
  pam-session
root@testkraxn ~ # auth-client-config -t nss -p lac_ldap
root@testkraxn ~ # pam-auth-update
root@testkraxn ~ # /etc/init.d/nscd restart
 * Restarting Name Service Cache Daemon nscd                            [ OK ]

Test your LDAP client configuration (see also: YouTube):

First, create a test user that exists only in the LDAP directory, using an LDIF file:

root@testkraxn ~ # vim test.ldif
# ldaptestuser1, People, bytesare.us
dn: uid=ldaptestuser1,ou=People,dc=bytesare,dc=us
uid: ldaptestuser1
cn: ldaptestuser1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /usr/bin/zsh
uidNumber: 8000
gidNumber: 117
homeDirectory: /home/ldaptestuser1
gecos: ldaptestuser1,,,
userPassword: ldaptestuser1

root@testkraxn ~ # ldapadd -h 127.0.0.1 -D "cn=admin,dc=bytesare,dc=us" -f test.ldif -W
adding new entry "uid=ldaptestuser1,ou=People,dc=bytesare,dc=us"
root@testkraxn ~ # ldapsearch -x -b 'ou=People,dc=bytesare,dc=us' '(cn=ldaptestuser1)'
# extended LDIF
# base <ou=People,dc=bytesare,dc=us> with scope subtree
# filter: (cn=ldaptestuser1)
# ldaptestuser1, People, bytesare.us
dn: uid=ldaptestuser1,ou=People,dc=bytesare,dc=us
...
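The test.ldif above stores the password as cleartext in userPassword. As an added example (not part of the howto), the following builds the same posixAccount/shadowAccount entry with an {SSHA} hashed userPassword, the format slapd stores and verifies on bind, and checks that the uid is a plain Unix user name before it is placed into the DN. The salt parameter exists only to make tests reproducible.

```python
import base64
import hashlib
import os
import re

def ssha_hash(password, salt=None):
    """Return an OpenLDAP '{SSHA}' userPassword value: base64(sha1(pw+salt)+salt).
    The salt is random; pass one explicitly only to get reproducible output."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Re-compute the hash with the stored salt; this is the comparison slapd
    performs on a simple bind against a {SSHA} userPassword."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]            # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def posix_user_ldif(uid, uid_number, gid_number, password,
                    base="ou=People,dc=bytesare,dc=us", shell="/usr/bin/zsh"):
    """Build the test.ldif entry from the howto, but with a hashed password.
    The uid is checked against the usual Unix username rule because it also
    becomes part of the entry's DN."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", uid):
        raise ValueError("uid is not a plain Unix user name: %r" % uid)
    lines = [
        "dn: uid=%s,%s" % (uid, base),
        "uid: " + uid, "cn: " + uid,
        "objectClass: account", "objectClass: posixAccount",
        "objectClass: top", "objectClass: shadowAccount",
        "shadowMax: 99999", "shadowWarning: 7",
        "loginShell: " + shell,
        "uidNumber: %d" % uid_number, "gidNumber: %d" % gid_number,
        "homeDirectory: /home/" + uid,
        "gecos: %s,,," % uid,
        "userPassword: " + ssha_hash(password),
    ]
    return "\n".join(lines) + "\n"
```

The same {SSHA} value is what `slappasswd -s <password>` prints, so either can be pasted into an LDIF.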

Log in as the new user to verify that LDAP authentication works. The user exists only in the LDAP database and is still able to log on.

root@testkraxn ~ # tail -fn0 /var/log/auth.log &
[1] 6221
root@testkraxn ~ # su ldaptestuser1
Apr 17 17:39:52 testkraxn su[6231]: Successful su for ldaptestuser1 by root
Apr 17 17:39:52 testkraxn su[6231]: pam_unix(su:session): session opened for user ldaptestuser1 by tester(uid=0)

Remove the test user after the test:

root@testkraxn ~ # ldapdelete -h 127.0.0.1 -W -D "cn=admin,dc=bytesare,dc=us" "uid=ldaptestuser1,ou=People,dc=bytesare,dc=us"

Configure other applications to use ldap authentication

Joomla

Because Joomla is written in PHP, we need to make sure the PHP LDAP extension is installed. If it is not, Joomla will just serve a blank page with no error message indicating why; troubleshooting this did indeed eat a few hours.

root@testkraxn ~ # apt-get install php5-ldap

Open the Joomla administrator interface and navigate to Extensions -> Plugin Manager -> Authentication - LDAP.
Configure the settings according to your server; here I will use the server described above.

Host:                   127.0.0.1
Port:                   389
LDAP V3:                Yes
Negotiate TLS:          No
Follow Referrals:       No
Authorisation Method:   Bind Directly as User
Base DN:                dc=bytesare,dc=us
Search String:          uid=[search],ou=People,dc=bytesare,dc=us
User's DN:              uid=[username],ou=People,dc=bytesare,dc=us
Connect Username:       (blank)
Connect Password:       (blank)
Map - Full Name:        cn
Map - email:            mail
Map - User ID:          uid
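With "Bind Directly as User", the login name is substituted into the User's DN template above (and, for the search-based method, into the Search String). As an added example, not Joomla's own code, this shows what any client doing that substitution must do: values inside a DN need RFC 4514 escaping and values inside a search filter need RFC 4515 escaping, otherwise a name containing ',' or '*' changes the meaning of the DN or filter instead of being looked up literally. DN_TEMPLATE is the setting above; the filter template "uid=[search]" is an assumption.

```python
# DN template from the plugin settings above; the filter form is assumed.
DN_TEMPLATE = "uid=[username],ou=People,dc=bytesare,dc=us"
FILTER_TEMPLATE = "uid=[search]"

_DN_SPECIAL = set(',+"\\<>;=')

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:                      # control chars as \XX hex pairs
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

_FILTER_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPE.get(ch, ch) for ch in value)

def build_user_dn(username, template=DN_TEMPLATE):
    """Fill the [username] placeholder so the result is always a single uid RDN."""
    return template.replace("[username]", escape_dn_value(username))

def build_search_filter(username, template=FILTER_TEMPLATE):
    """Fill the [search] placeholder and wrap the result as an equality filter."""
    return "(" + template.replace("[search]", escape_filter_value(username)) + ")"
```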

Note: under some circumstances you might lock yourself out by enabling the LDAP plugin.
To prevent this, always stay logged in as an administrator while experimenting with the authentication plugins, so you can disable the plugin at any time.
You can test the authentication apart from the admin interface: just use the non-administrative login to verify that the plugin works.

1. Make sure that the LDAP plugin is enabled.
2. Create an LDAP user in your directory as in the previous chapter.
3. Also create a user with the same name in Joomla; make sure not to provide a password.
4. Try to log in as ldaptestuser1 on the home page.
Voilà, the user is logged in without telling Joomla his password!
5. Delete the test user from the directory as in the previous chapter.