OpenLDAP

What is required

  1. OpenLDAP / slapd - the LDAP server
  2. pam_ldap - Unix password authentication against the directory (Debian package libpam-ldap)
  3. nss_ldap - Unix name lookups (users, groups) from the directory (Debian package libnss-ldap)
  4. auth_ldap -

Before you start, here is a script for you.

If you want to set up an OpenLDAP server for user authentication, download and run the script in the "OpenLdap for User Authentication" section below. It does all the work in about a minute; read it before running it as root.

Install

aptitude install slapd ldap-utils

dpkg-reconfigure slapd

    * Omit OpenLDAP server configuration? No
    * DNS domain name: mycompany.com
    * Organization name: mycompany.com
    * Administrator password: ****
    * Database backend to use: HDB  (default)
    * Do you want the database to be removed when slapd is purged? No
    * Allow LDAPv2 protocol? No

/etc/init.d/slapd start

ldapsearch -x -b dc=mycompany,dc=com

# search result
search: 2

You have a working LDAP server. Note that ldapsearch -x without -D is an anonymous simple bind, so everything it returns is readable by any client that can reach port 389.

Next steps:

  1. Convert Linux users to LDAP
  2. Set up Linux clients to authenticate against LDAP
  3. Create a global addressbook
  4. Migrate a Windows NT domain to LDAP in a few simple steps

Temporary Debian bug

dpkg-reconfigure slapd
Stopping OpenLDAP: slapd.
 Moving old database directory to /var/backups:

 Backup path /var/backups/unknown-2.4.11-1.ldapdb exists. Giving up...

* You need to remove the leftover backup directory and run the reconfiguration again:

rm -r /var/backups/unknown-2.4.11-1.ldapdb/

dpkg-reconfigure slapd
Stopping OpenLDAP: slapd.
 Moving old database directory to /var/backups:
 - directory unknown... done.
 Creating initial slapd configuration... done.
 Creating initial LDAP directory... done.
Starting OpenLDAP: slapd.

ldapadd -x -W -D "cn=admin,dc=mycompany,dc=com" -f directory.ldiff
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Result code 49 means the bind itself failed: the password you typed does not match the administrator password set during dpkg-reconfigure, or the bind DN is wrong (the DNS domain name you entered becomes the dc= components, so mycompany.com gives dc=mycompany,dc=com).

Authentication

Options for OpenLdap authentication

Connect to openldap

aptitude update
aptitude install luma

luma

luma1.png

luma2.png

luma3.png

Simple addressbook

dn:     ou=addressbook, dc=mycompany, dc=com
objectClass:    top
objectClass:    organizationalUnit
ou:     addressbook

``dn:     ou=addressbook, dc=mycompany, dc=com`` - The distinguished name of the new entry: an organizational unit called addressbook directly under the dc=mycompany,dc=com suffix. Spaces after the commas are accepted and normalized away; the canonical form is ou=addressbook,dc=mycompany,dc=com.
``objectClass:    top``  - The abstract class every LDAP entry derives from. It says nothing about where the entry sits in the tree.
``objectClass:    organizationalUnit`` - The structural class of the entry; it requires the ou attribute.
``ou:     addressbook`` - The attribute used in the RDN must also be present as an attribute of the entry.

ldapadd -x -f directory.ldiff -D "cn=admin,dc=mycompany,dc=com" -W

dn:     ou=accounting, ou=addressbook, dc=mycompany, dc=com
objectClass:    top
objectClass:    organizationalUnit
ou:     accounting

dn: cn=Jane Doe, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jane Doe
gn: Jane
sn: Doe
mail: jane.doe@example.com
physicalDeliveryOfficeName: Conglomo, Inc., Financial Services
postalAddress: PO BOX 55555
organizationName: Conglomo, Inc., Financial Services
street: 123 N. Michigan Ave
l: Baton Rouge
st: LA
postalCode: 70555
telephoneNumber: 555-555-5555
facsimileTelephoneNumber: 555-555-5556
pager: 555-555-5557
mobile: 555-555-5558
homePhone: 555-555-5559
ou: addressbook

The definitions are standard. The entry uses objectClass: person, organizationalPerson and inetOrgPerson, which are standard classes shipped with OpenLDAP (core.schema and inetorgperson.schema); nothing custom is needed. We set some of the attributes these classes allow:
``cn`` - Common Name (also the RDN of the entry)
``gn`` - givenName; gn is its short alias
``sn`` - Surname; required by person
``mail`` - Email address
``street`` - Street address
``st`` - State
``l`` - City (locality)
``ou`` - Department, i.e. the Organizational Unit
``postalCode`` - ZIP code
``organizationName`` - Alias of o, the organization name
....

ldapadd -x -f contact.ldiff -D "cn=admin,dc=mycompany,dc=com" -W 

luma4.png

Attribute                    ObjectClass           Meaning
commonName, cn               person                Individual's full name
givenName, gn                inetOrgPerson         Individual's first name
surname, sn                  person                Individual's last name
physicalDeliveryOfficeName   organizationalPerson  Department or delivery office name
mail                         inetOrgPerson         Email address
postalAddress                organizationalPerson  Street mailing address
l                            organizationalPerson  City (locality)
st                           organizationalPerson  State
postalCode                   organizationalPerson  Postal (ZIP) code
telephoneNumber              organizationalPerson  Work number
facsimileTelephoneNumber     organizationalPerson  Fax number
pager                        inetOrgPerson         Pager number
mobile                       inetOrgPerson         Mobile phone number
homePhone                    inetOrgPerson         Home phone number

More schema definitions can be found here

For example, you could create structures like the one below. Note the difference between ou and o: ou (organizationalUnit) is a subdivision of your own organization, while o (organization) represents a separate company such as a partner:

dn:     ou=addressbook, dc=mycompany, dc=com
objectClass:    top
objectClass:    organizationalUnit
ou:     addressbook

#Partners
dn:     ou=partners, ou=addressbook, dc=mycompany, dc=com
objectClass:    top
objectClass:    organizationalUnit
ou:     partners

#xyzAgency
dn:      o=xyzAgency, ou=partners, ou=addressbook, dc=mycompany, dc=com
objectClass:    top
objectClass:    organization
o:     xyzAgency

And add a person like:

dn: cn=John Smith,o=xyzAgency,ou=partners,ou=addressbook,dc=mycompany,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Smith
gn: John
sn: Smith
mail: Jsmith@example.com
organizationName: Conglomo, Inc., Financial Services
street: 123 N. Michigan Ave
l: Chicago
o: xyzAgency
st: IL
postalCode: 60645
telephoneNumber: 773-123-5555
facsimileTelephoneNumber: 555-555-5556
pager: 555-555-5557
mobile: 555-555-5558
homePhone: 555-555-5559
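The LDIF fragments above (the ou=addressbook tree with Jane Doe, and the ou=partners / o=xyzAgency tree with John Smith) are written by hand, which works until a name contains a comma or a non-ASCII letter. The following Python script is an added example, not code from the original page, that generates the same hierarchy from a dict of contacts: RDN values are escaped per RFC 4514 so that "Doe, Jr" does not become two RDN components, values that are not LDIF safe strings are base64-encoded per RFC 2849 ("attr:: ..."), and parents are emitted before children so a single ldapadd -f run succeeds. The base DN dc=mycompany,dc=com is the page's; the partner name and contacts in SAMPLE are constructed.

```python
"""Generate addressbook LDIF with proper DN and value escaping.

Builds ou=addressbook / ou=partners / o=<partner> containers and
inetOrgPerson entries under them, parents first, so the output can be
loaded with one 'ldapadd -x -D cn=admin,... -W -f addressbook.ldif'."""
import base64

BASE_DN = "dc=mycompany,dc=com"        # suffix used throughout this page

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
_RDN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value):
    """Escape an RDN value such as 'Doe, Jr' so its comma is not read as an RDN
    separator; also escapes a leading '#' or space and a trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:                      # control characters as \XX hex pairs
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name, value):
    """One 'name: value' line. Values that are not a SAFE-STRING per RFC 2849
    (leading space, ':' or '<'; any non-ASCII, CR, LF or NUL) are emitted as
    'name:: <base64>' so ldapadd reads them back unchanged."""
    unsafe = value[:1] in (" ", ":", "<") or any(ord(c) > 127 or c in "\r\n\0" for c in value)
    if unsafe:
        return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (name, value)


def container_entry(kind, name, parent_dn):
    """Entry for ou=<name> (organizationalUnit) or o=<name> (organization)."""
    object_class = {"ou": "organizationalUnit", "o": "organization"}[kind]
    dn = "%s=%s,%s" % (kind, escape_rdn_value(name), parent_dn)
    lines = [ldif_attr("dn", dn), "objectClass: top",
             "objectClass: " + object_class, ldif_attr(kind, name)]
    return "\n".join(lines) + "\n"


def person_dn(contact, parent_dn):
    return "cn=%s,%s" % (escape_rdn_value(contact["cn"]), parent_dn)


def person_entry(contact, parent_dn):
    """inetOrgPerson entry: cn and sn are MUST attributes, the rest are MAY."""
    lines = [ldif_attr("dn", person_dn(contact, parent_dn)),
             "objectClass: top", "objectClass: person",
             "objectClass: organizationalPerson", "objectClass: inetOrgPerson",
             ldif_attr("cn", contact["cn"]), ldif_attr("sn", contact["sn"])]
    for attr in ("givenName", "mail", "o", "street", "l", "st", "postalCode",
                 "telephoneNumber", "mobile"):
        if contact.get(attr):
            lines.append(ldif_attr(attr, contact[attr]))
    return "\n".join(lines) + "\n"


def build_addressbook(partners):
    """partners maps a partner organisation name to its list of contact dicts."""
    book_dn = "ou=addressbook," + BASE_DN
    partners_dn = "ou=partners," + book_dn
    chunks = [container_entry("ou", "addressbook", BASE_DN),
              container_entry("ou", "partners", book_dn)]
    for org, contacts in partners.items():
        org_dn = "o=%s,%s" % (escape_rdn_value(org), partners_dn)
        chunks.append(container_entry("o", org, partners_dn))
        for contact in contacts:
            chunks.append(person_entry(dict(contact, o=org), org_dn))
    return "\n".join(chunks)


# Constructed sample (not from the page): one partner, two contacts, one of
# whom has a comma in the surname and a non-ASCII first name.
SAMPLE = {
    "xyzAgency": [
        {"cn": "John Smith", "sn": "Smith", "givenName": "John",
         "mail": "jsmith@example.com", "l": "Chicago", "st": "IL",
         "postalCode": "60645", "telephoneNumber": "773-123-5555"},
        {"cn": "José Doe, Jr", "sn": "Doe, Jr", "givenName": "José",
         "mail": "jdoe@example.com"},
    ]
}

if __name__ == "__main__":
    print(build_addressbook(SAMPLE), end="")
```

Run it and pipe the output into ldapadd as in the commands above. The second contact's dn line comes out as "dn:: <base64>" because the DN contains a non-ASCII character; that is the form ldapadd expects, and the same rule is why hand-written LDIF with accented names often fails with a decoding error.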

Thunderbird

  1. Mozilla Thunderbird 2.0+ autocompletes email addresses as soon as you add them to the LDAP directory.
  2. MozillaSchema
  3. Addressbook to LDAP Mappings.

thunderbird_ldap.png

Outlook

Or simply go to the registry and, under
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Outlook\LDAP
(Office 10.0 is Outlook 2002/XP), add the DWORD value DisableVLVBrowsing set to 1.
For Outlook 2003 use
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\LDAP
Outlook browses LDAP address books with the Virtual List View control; when the server does not support it, browsing fails until VLV is disabled.

OpenLdap for User Authentication

Setup_OpenLdap_server.sh

This installs and configures the LDAP server and copies the base settings, users and groups from your Linux server, so that you can start authenticating clients in about a minute.

http://lucasmanual.com/out/setup_openldap_server.sh

Download it, read it, and run it as root. It is fetched over plain HTTP, so check its contents before executing it. Example:

wget http://lucasmanual.com/out/setup_openldap_server.sh
sh setup_openldap_server.sh

Migrating Unix Accounts to OpenLdap

luma5.png

aptitude install migrationtools

ls /usr/share/migrationtools/
migrate_aliases.pl              migrate_group.pl
migrate_all_netinfo_offline.sh  migrate_hosts.pl
migrate_all_netinfo_online.sh   migrate_netgroup_byhost.pl
migrate_all_nis_offline.sh      migrate_netgroup_byuser.pl
migrate_all_nis_online.sh       migrate_netgroup.pl
migrate_all_nisplus_offline.sh  migrate_networks.pl
migrate_all_nisplus_online.sh   migrate_passwd.pl
migrate_all_offline.sh          migrate_profile.pl
migrate_all_online.sh           migrate_protocols.pl
migrate_automount.pl            migrate_rpc.pl
migrate_base.pl                 migrate_services.pl
migrate_common.ph               migrate_slapd_conf.pl

cd /usr/share/migrationtools/
vi migrate_common.ph

:%s/padl/mycompany/gc

This replaces the padl.com defaults ($DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE) with your own domain; the c flag asks for confirmation on each match so that only the domain settings change. The migrated mail alias entries use object classes from misc.schema, so add it to /etc/ldap/slapd.conf next to the existing include lines and restart slapd:

include         /etc/ldap/schema/misc.schema

Let's migrate the accounts into the directory, but first check that slapd is running:

ps aux|grep slapd
#You should see
openldap  3557  0.7  0.9 112236  4808 ?        Ssl  13:42   0:12 /usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf

 ./migrate_all_online.sh 

Enter the X.500 naming context you wish to import into: [dc=mycompany,dc=com] 
Enter the hostname of your LDAP server [ldap]: hpdebian  #This is the hostname of the computer you are on. Type in hostname if you are not sure what it is.
Enter the manager DN: [cn=admin,dc=mycompany,dc=com]: 
Enter the credentials to bind with: 
Do you wish to generate a DUAConfigProfile [yes|no]? no

adding new entry "cn=ssh,ou=Group,dc=mycompany,dc=com"

adding new entry "cn=lucas,ou=Group,dc=mycompany,dc=com"

adding new entry "cn=openldap,ou=Group,dc=mycompany,dc=com"

adding new entry "cn=localhost,ou=Hosts,dc=mycompany,dc=com"

adding new entry "cn=dellxps.mycompany,ou=Hosts,dc=mycompany,dc=com"

adding new entry "cn=localhost,ou=Hosts,dc=mycompany,dc=com"
ldap_add: Already exists (68)

/usr/bin/ldapadd : returned non-zero exit status: saving failed LDIF to /tmp/nis.ldif.lMsKHTfGYh

ldapadd stops at the first error, and the migration script saves the remaining LDIF under /tmp. To continue past entries that already exist (the same cn=localhost appears twice in the generated hosts), rerun the migration with ldapadd in continue mode:

LDAPADD="/usr/bin/ldapadd -c" ./migrate_all_online.sh

If you would rather start from an empty directory, dpkg-reconfigure slapd moves the current database to /var/backups and creates a fresh one, after which the migration can be rerun:

dpkg-reconfigure slapd

luma6.png

ldapsearch -x uid=lucas -b "dc=mycompany,dc=com"

This search runs as an anonymous bind. migrate_passwd.pl copies each user's password hash out of /etc/shadow into the userPassword attribute ({crypt} scheme), so the directory now holds the same secrets as /etc/shadow; confirm that the output contains no userPassword line. Debian's default slapd ACL lets only cn=admin and the user's own bind read userPassword and shadowLastChange; anyone else who could read the hashes could crack them offline.
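To check the ACL after the migration in a repeatable way, the script below, an added example rather than anything shipped with migrationtools or OpenLDAP, parses the LDIF that ldapsearch -x prints (comment lines, folded continuation lines, "attr:: base64" values) and lists every entry whose userPassword or Samba hash attribute came back to the anonymous client, together with the storage scheme of the value. SAMPLE_LDAPSEARCH is a constructed output from a misconfigured server with placeholder hashes; in practice feed it the real output of ldapsearch -x -b "dc=mycompany,dc=com".

```python
"""Flag password material in 'ldapsearch -x' (anonymous) output.

Parses the LDIF that ldapsearch prints (comment lines, folded continuation
lines, 'attr:: base64' values) and reports every entry whose userPassword or
Samba hash attribute was returned to the anonymous client."""
import base64
import re

# Attributes that an anonymous bind must never be able to read.
SENSITIVE = ("userpassword", "sambantpassword", "sambalmpassword")

_ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::|:<|:)\s*(.*)$")


def parse_ldif(text):
    """Return [(dn, attrs)]; attrs maps lower-cased attribute names to value
    lists. A line starting with one space continues the previous line
    (RFC 2849 folding); 'attr:: v' is base64; 'attr:< url' is skipped."""
    unfolded = re.sub(r"\r?\n ", "", text)
    entries = []
    for block in re.split(r"\r?\n(?:\r?\n)+", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            m = _ATTR_LINE.match(line)
            if not m or m.group(2) == ":<":
                continue
            name, value = m.group(1).lower(), m.group(3)
            if m.group(2) == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:                 # header and trailer blocks carry no dn
            entries.append((dn, attrs))
    return entries


def password_scheme(value):
    """'{crypt}...' (what migrate_passwd.pl copies from /etc/shadow), '{SSHA}...'
    and similar report their scheme; a value with no {scheme} prefix is cleartext."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).upper() if m else "cleartext"


def find_exposed_passwords(ldif_text):
    """[(dn, attribute, scheme)] for every password value in the output.
    With a correct ACL an anonymous search yields an empty list."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        for attr in SENSITIVE:
            for value in attrs.get(attr, []):
                findings.append((dn, attr, password_scheme(value)))
    return findings


# Constructed sample of what a misconfigured server returns to 'ldapsearch -x'
# (not captured from a real directory; the hashes are placeholders).
SAMPLE_LDAPSEARCH = """\
# extended LDIF
# base <dc=mycompany,dc=com> with scope subtree
# filter: (objectclass=*)

# lucas, People, mycompany.com
dn: uid=lucas,ou=People,dc=mycompany,dc=com
uid: lucas
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JHNhbHQkaGFzaA==
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/lucas

# jane, People, mycompany.com
dn: uid=jane,ou=People,dc=mycompany,dc=com
uid: jane
objectClass: posixAccount
userPassword: {SSHA}c2FtcGxlc2FsdGVkaGFzaA==
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jane

# svc, People, mycompany.com
dn: uid=svc,ou=People,dc=mycompany,dc=com
uid: svc
objectClass: posixAccount
userPassword: hunter2
uidNumber: 1002
gidNumber: 1002
homeDirectory: /nonexistent

# admins, Group, mycompany.com
dn: cn=admins,ou=Group,dc=mycompany,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 20000
description: people allowed to admin
 ister the directory
memberUid: lucas

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    for dn, attr, scheme in find_exposed_passwords(SAMPLE_LDAPSEARCH):
        print("EXPOSED %s (%s) on %s" % (attr, scheme, dn))
```

An empty result from real output means the ACL hides the hashes from anonymous clients; it does not say anything about what an authenticated but unprivileged user can read, so run the same check once more with -D "uid=lucas,ou=People,dc=mycompany,dc=com" -W and expect to see only that user's own userPassword.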

Linux Client Integration with LDAP

aptitude install ldap-utils

ldapsearch -x -b dc=mycompany,dc=com -h 192.168.1.110
or
ldapsearch -x -b ou=People,dc=mycompany,dc=com -h 192.168.1.110

libnss-ldap

libpam checks whether a user name and password are correct, while libnss looks up the available names (users and groups).

aptitude install libnss-ldap

Answers for the prompts at install time:

LDAP Server Host: 127.0.0.1
DN of Search Base: dc=mycompany,dc=com
LDAP Version: 3
Database requires login: no
Make config readable by owner only: yes

Reconfiguring the package asks the full set of questions:

dpkg-reconfigure libnss-ldap

LDAP server Uniform Resource Identifier: ldap://127.0.0.1
Distinguished name of the search base: dc=mycompany,dc=com
LDAP Version to use: [Default] 3
Does the LDAP database require login: [default] No
Special LDAP privileges for root: [default] Yes
Make the configuration file readable/writable by its owners only: [default] No
LDAP Account for root: cn=admin,dc=mycompany,dc=com
LDAP Password: ****

Answering Yes to root privileges makes root's lookups bind as cn=admin; the password for that goes into /etc/libnss-ldap.secret, which must stay root-owned with mode 0600. /etc/libnss-ldap.conf itself has to remain world-readable because every process on the host resolves names through it, so keep bind credentials out of it. Use 127.0.0.1 only on the server itself; on clients enter the server's address.

Edit /etc/nsswitch.conf so that passwd, group and shadow lookups consult the local files first and then LDAP:

passwd: compat ldap
group: compat ldap
shadow: compat ldap

getent now lists the migrated groups next to the local ones:

getent group
ssh:x:103:
users:x:20001:
guests:x:20002:
admins:x:20000:
.....

libpam-ldap


aptitude install libpam-ldap

dpkg-reconfigure libpam-ldap

vi /etc/ldap/ldap.conf

BASE    dc=mycompany,dc=com
URI     ldap://ldap.mycompany.com

If ldap.mycompany.com is not resolvable through DNS, add it to /etc/hosts:

#ipaddress    hostname
192.168.1.110    ldap.mycompany.com

Note that ldap:// is a cleartext transport and pam_ldap authenticates with a simple bind, so every user's password crosses the network unencrypted. On any server other than 127.0.0.1 use ldaps:// or StartTLS (ssl start_tls and tls_cacertfile in /etc/pam_ldap.conf and /etc/libnss-ldap.conf) with the server's CA certificate, and configure slapd to listen with TLS.

vi /etc/pam.d/common-account

# Comment out the next line
#account required pam_unix.so

# and add these two
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass

vi /etc/pam.d/common-auth

# from
#auth required pam_unix.so nullok_secure

# to
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

vi /etc/pam.d/common-password

# from
#password required pam_unix.so nullok obscure min=4 max=8 md5

# to
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass

vi /etc/pam.d/common-session

session optional        pam_ldap.so
session required        pam_unix.so
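The four common-* stacks above rely on Linux-PAM control flags whose interaction is easy to get wrong. The Python below is an added example, not code from pam_ldap or Linux-PAM, that models the dispatch rules from pam.conf(5) for required, requisite, sufficient and optional, and runs the page's common-auth stack against two constructed account databases (LDAP_USERS and LOCAL_USERS are assumptions). It shows that an LDAP user never reaches pam_unix, that a local user still logs in when slapd is unreachable, and that putting required pam_unix.so first would lock out every LDAP user.

```python
"""Model Linux-PAM control-flag dispatch for the common-auth stack above.

Each keyword is the shorthand from pam.conf(5): required = [success=ok
default=bad], requisite = [success=ok default=die], sufficient = [success=done
default=ignore], optional = [success=ok default=ignore]. dispatch() applies
those actions the way libpam does and returns the stack's result."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

CONTROL = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def dispatch(stack, modules, user, password):
    """stack: [(control, module name)] in file order; modules: name -> callable
    (user, password) -> PAM_* code. Returns (final code, [(module, code), ...])."""
    impression, status, trace = "undef", None, []
    for control, name in stack:
        ret = modules[name](user, password)
        trace.append((name, ret))
        action = CONTROL[control]["success" if ret == PAM_SUCCESS else "default"]
        if action == "ok":              # counts, unless a required module already failed
            if impression != "negative":
                impression, status = "positive", ret
        elif action == "done":          # sufficient succeeded: stop, unless already negative
            if impression != "negative":
                return ret, trace
        elif action in ("bad", "die"):  # required/requisite failed: first failure wins
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                return status, trace
        # "ignore": a failing sufficient or optional module changes nothing
    if impression == "undef":           # nothing decided: libpam fails closed
        return PAM_PERM_DENIED, trace
    return status, trace


# Constructed account databases (assumptions, not from the page).
LDAP_USERS = {"lucas": "ldap-pw"}
LOCAL_USERS = {"root": "local-pw"}


def make_modules(ldap_up=True):
    def pam_ldap(user, password):
        if not ldap_up:
            return PAM_AUTHINFO_UNAVAIL            # slapd unreachable
        if user not in LDAP_USERS:
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if LDAP_USERS[user] == password else PAM_AUTH_ERR

    def pam_unix(user, password):                  # use_first_pass: same password reused
        if user not in LOCAL_USERS:
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if LOCAL_USERS[user] == password else PAM_AUTH_ERR

    return {"pam_ldap.so": pam_ldap, "pam_unix.so": pam_unix}


# The common-auth stack from this page, and two variants for comparison.
PAGE_STACK = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]
REVERSED_STACK = [("required", "pam_unix.so"), ("sufficient", "pam_ldap.so")]
ORIGINAL_STACK = [("required", "pam_unix.so")]       # the line the page comments out

if __name__ == "__main__":
    cases = [("lucas", "ldap-pw", True), ("lucas", "bad", True),
             ("root", "local-pw", True), ("root", "local-pw", False)]
    for label, stack in (("page", PAGE_STACK), ("reversed", REVERSED_STACK),
                         ("original", ORIGINAL_STACK)):
        for user, pw, up in cases:
            code, trace = dispatch(stack, make_modules(ldap_up=up), user, pw)
            print("%-8s %-5s ldap_up=%-5s -> %-20s via %s" % (label, user, up, code, trace))
```

Two things the run makes visible: with the page's order a wrong LDAP password ends as PAM_USER_UNKNOWN from pam_unix rather than PAM_AUTH_ERR from pam_ldap, because a failing sufficient module is ignored and the required module's result is what survives; and a stack consisting only of sufficient pam_ldap.so denies a local user even though nothing failed, because libpam returns PAM_PERM_DENIED when no module has made a decision.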

Troubleshooting

result: 32 No such object

Error:

ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

FIX

Without -b, ldapsearch searches from the BASE set in /etc/ldap/ldap.conf; if none is configured the search base is empty, which slapd reports as "No such object". Give the base explicitly (or set BASE in ldap.conf):

ldapsearch -x  -b "dc=mycompany,dc=com"

result: 4 Size limit exceeded

# numResponses: 501
# numEntries: 500

slapd returns at most sizelimit entries per search, 500 by default, and then ends the result set with code 4. Either raise sizelimit in slapd.conf (or grant a higher limit to a specific DN with a limits directive), or page through the results with the paged-results control, for example ldapsearch -x -b "dc=mycompany,dc=com" -E pr=500/noprompt.

Ldap Editors

[Optional][Not used in this manual] ldapvi is a vi-based LDAP browser that lets you edit entries in place:

aptitude install ldapvi
#Then, to use it:
ldapvi -D "cn=admin,dc=mycompany,dc=com"

References

MyWiki: OpenLdap (last edited 2010-01-08 03:53:05 by LukaszSzybalski)