The OpenLDAP packages in Ubuntu have seen quite a few changes over the past few years. The packaging has moved the configuration from slapd.conf to the new cn=config backend, and the package scripts no longer initialize a directory. This means that when the slapd package is installed, it no longer asks for basic directory information; the full configuration has to be done by hand.
I documented the setup that I made on Ubuntu 10.04 alpha 2 to get OpenLDAP working in different configurations.
The goal of this setup is to have OpenLDAP running so that users can authenticate to it using pam-ldap and nss-ldap can get user and group information.
The following documents were used when testing this:
Server setup
On the server the following packages are needed:
sudo apt-get install slapd ldap-utils
After installing the packages the following files are present under /etc/ldap/slapd.d:
/etc/ldap/slapd.d/
/etc/ldap/slapd.d/cn=config
/etc/ldap/slapd.d/cn=config/cn=schema
/etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
/etc/ldap/slapd.d/cn=config/cn=schema.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
/etc/ldap/slapd.d/cn=config.ldif
Only the core schema is loaded by default (cn={0}core.ldif above), so the schemas that define the POSIX account, group and person object classes need to be loaded into the server:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
To create the actual database that stores the entries in the directory, one needs to create an LDIF file. In this example we use dc=edu,dc=example,dc=org as the directory suffix and place the database under /var/lib/ldap/. The olcRootPW below is given in cleartext for brevity; slapd also accepts a hashed value such as the {SSHA} output of slappasswd, which is the better choice for anything beyond a test setup.
create_database.ldif:
# Load hdb backend module
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb
# Create the hdb database and place the files under /var/lib/ldap
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=edu,dc=example,dc=org
olcRootDN: uid=admin,ou=People,dc=edu,dc=example,dc=org
olcRootPW: example
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
ldapadd is used to modify the cn=config entries:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f create_database.ldif
Next the new database needs to be populated with the root entry and with ou=People and ou=Groups to hold the user and group information.
init_database.ldif
dn: dc=edu,dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: edu.example.org
dc: edu
description: LDAP root

dn: ou=People,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups
Use ldapadd to apply init_database.ldif:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f init_database.ldif
Finally add ACLs to limit access to the database. Here the password attributes can be written by the admin and by the user, and used by anonymous clients only for authentication (bind), while the rest of the directory is readable anonymously. Note that rule {1} (dn.subtree="" is the subtree of the empty DN, i.e. every entry) already grants read to everyone, so rule {2} is never consulted; this makes no difference for the admin, because the olcRootDN bypasses ACLs entirely.
acls.ldif:
dn: olcDatabase={1}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="uid=admin,ou=People,dc=edu,dc=example,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.subtree="" by * read
olcAccess: {2}to * by dn="uid=admin,ou=People,dc=edu,dc=example,dc=org" write by * read
Modify the database:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acls.ldif
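The database entry above carries olcRootPW in cleartext. As an added example (not code from the original post), the following Python produces a salted SHA-1 ({SSHA}) value in the same format slappasswd emits, checks a password against it the way slapd does on a simple bind, and renders both the olcDatabase={1}hdb entry and an ldapmodify change that replaces the cleartext password with the hash. The suffix, admin DN and the 4-byte salt length are taken from the post; the function names and the trimmed index list are my own choices.

```python
"""Salted SHA-1 ({SSHA}) password values for olcRootPW / userPassword.

Added example, not from the original post or the OpenLDAP project.
Format: "{SSHA}" + base64( sha1(password + salt) + salt ), which is
what slappasswd(8) writes with its default 4-byte salt.  No LDAP
server is needed to run this file.
"""
import base64
import hashlib
import hmac
import os

SUFFIX = "dc=edu,dc=example,dc=org"
ROOTDN = "uid=admin,ou=People," + SUFFIX


def ssha_hash(password, salt=None):
    """Return an {SSHA} value for password; salt defaults to 4 random bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def render_database_ldif(rootpw_hash, suffix=SUFFIX, rootdn=ROOTDN,
                         directory="/var/lib/ldap"):
    """LDIF for the hdb database entry, with a hashed rootpw (index list shortened)."""
    lines = [
        "dn: olcDatabase={1}hdb,cn=config",
        "objectClass: olcDatabaseConfig",
        "objectClass: olcHdbConfig",
        "olcDatabase: {1}hdb",
        "olcDbDirectory: " + directory,
        "olcSuffix: " + suffix,
        "olcRootDN: " + rootdn,
        "olcRootPW: " + rootpw_hash,
        "olcDbIndex: objectClass eq",
        "olcDbIndex: uid pres,eq",
    ]
    return "\n".join(lines) + "\n"


def render_rootpw_change(rootpw_hash):
    """ldapmodify input that replaces an existing (cleartext) olcRootPW."""
    return (
        "dn: olcDatabase={1}hdb,cn=config\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        "olcRootPW: " + rootpw_hash + "\n"
    )


if __name__ == "__main__":
    h = ssha_hash("example")  # same test password as in the post
    assert ssha_verify(h, "example") and not ssha_verify(h, "Example")
    print(render_database_ldif(h))
    print(render_rootpw_change(h))
```

Feed the second output to `sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f` to fix an already created database; the {SSHA} value needs no base64 (`::`) encoding in LDIF because it contains only safe characters.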
The following commands can be useful while configuring and debugging:
# Show the current configuration:
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
# Show the current data in the directory as anonymous user:
ldapsearch -x -h localhost -b dc=edu,dc=example,dc=org
# Dump the database with metadata:
sudo slapcat
Once the server responds to queries, it’s time to configure the client.
Client setup
The client setup uses the new libnss-ldapd and libpam-ldapd packages, which talk to a local daemon (nslcd) that holds the connections to the server instead of having every process bind to the directory itself:
sudo apt-get install libnss-ldapd libpam-ldapd
During installation select ldap for the following nss services:
- group
- passwd
This configures /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf automatically.
To add some test users we can use the ldapscripts package. It can be installed either on the LDAP server or on a remote machine, as the scripts connect to the server specified in the configuration file. After installing the ldapscripts package one needs to configure it.
/etc/ldapscripts/ldapscripts.conf:
SERVER="ldap://localhost"
BINDDN="uid=admin,ou=People,dc=edu,dc=example,dc=org"
BINDPWD="example"
SUFFIX="dc=edu,dc=example,dc=org" # Global suffix
GSUFFIX="ou=Groups"               # Groups ou (just under $SUFFIX)
USUFFIX="ou=People"               # Users ou (just under $SUFFIX)
Adding users with ldapadduser may take time if the machine's entropy pool is low, because the default password generator reads /dev/random. To use /dev/urandom instead (which does not block), you may change:
PASSWORDGEN="cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
Creating groups and users and changing passwords can be done with simple commands:
sudo ldapaddgroup testgroup
sudo ldapadduser testuser testgroup
sudo ldapsetpasswd testuser
To test that everything works correctly, let’s try getent and logins:
getent passwd
getent group
ssh testuser@localhost
And everything seems to work as planned. Great! The setup is still lacking encryption and other features that need to be added next: all binds, including the password in simple binds, currently cross the network in cleartext. The next steps are to get TLS working and to get Kerberos, Samba and autofs to use the LDAP installation.
Veli-Matti Lintu

28.01.2010
Thanks for this,
most hopeful now to get it right
Greetings
JT
16.02.2010
Thanks for the great instructions. Even with such a good step by step instructions I wasn’t able to get it working. Maybe you could point me to the correct direction?
I’ve been trying this with Ubuntu 9.10 and originally thought libpam-ldapd was a spelling mistake with an extra ‘d’, as it’s a new package in Lucid and not present in Karmic. I tried first with installing the package from the Lucid repository but didn’t get far. Using your server example and the client side from https://wiki.edubuntu.org/Edubuntu/WikiSite/SimpleLDAPSetup I got very close but not quite there.
Problem is that LDAP users and groups are showing with getent and I can su to the created accounts (as root) but cannot login with passwords. I can see with an LDAP browser that an SHAA-hash is used in LDAP for passwords. Is this wrong and if so, how can I fix it?
Best regards,
-J. Talvio
16.02.2010
First make sure that the ldap binds work correctly as the user you are trying to use. For example ldapsearch can be used for this:
ldapsearch -D uid=testuser,ou=People,dc=edu,dc=example,dc=org -W -x -b dc=edu,dc=example,dc=org
If this works, then the pam setup is probably the problem. There may be differences between Karmic and Lucid here, so checking the /etc/pam.d/common-* rules manually may be necessary to get it working correctly.
17.02.2010
Thank you for the quick response! I finally got it working and have done and re-done this example now quite many times. My problem came down to a simple typo (ldapi where it should have been ldap).
For anyone trying to do this with Karmic instead of Lucid use:
apt-get install nslcd libpam-ldap ldapscripts
That should get all necessary stuff on client side, I think. Configure as described in the original post.
Best regards,
-J. Talvio