======OpenLDAP Provider Installation on Debian Squeeze.======
Using SSH from a terminal, log in as root to the virtual machine you created for use as the LDAP provider, using the root password set at creation.
:~$ssh root@vm36.student.lab
root@vm36.student.lab's password:NaNaKiNg
====Preliminary configuration adaptation.====
At the virtual machine prompt use pico to edit the /etc/hosts file to match:
127.0.0.1 localhost
10.80.3.36 vm36.student.lab vm36
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
And save the file with +.
====Package Installation.====
- Now, at the prompt, install the ssh and nmap packages using the command:
root@vm36:~#apt-get install ssh nmap
* Enter 'Y' when prompted and press .
- Next install the slapd and ldap-utils packages using the command:
root@vm36:~#apt-get install slapd ldap-utils
* Again, enter 'Y' and press when prompted.
* When prompted, enter an administrator password for slapd (CaK30RD3aTH) and press .
* Reenter the password to confirm and press .
Confirm that slapd is running using the command:
~# nmap -p 389 localhost
The response received should look like:
Starting Nmap 5.00 ( http://nmap.org ) at 2010-10-27 15:05 CEST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE
389/tcp open ldap
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
====Configuring the LDAP====
- Use pico to edit the file /etc/ldap/ldap.conf
* Change the line "#BASE dc=example, dc=com" to read "BASE dc=student, dc=lab"
* Change the line "#URI ldap://ldaps1.example.com" to read "URI ldap://vm36.student.lab ldap://vm36.student.lab:666"
* Save the file using the + command.
- Create and edit a file for the configuration changes using the command 'pico ~/olc-mod1.ldif' and enter the following content. Keep the empty line between the two records: LDIF uses a blank line to separate one record from the next, and without it ldapmodify reads the second "dn:" line as part of the first record and rejects the file.
# 1.
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

# 2.1.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq
-
# 2.2.
add: olcDbIndex
olcDbIndex: cn eq
-
# 2.3.
add: olcDbIndex
olcDbIndex: ou eq
-
# 2.4.
add: olcDbIndex
olcDbIndex: dc eq
* Use the + command to save and exit from pico.
- Implement the changes with the following command:
~# ldapmodify -QY EXTERNAL -H ldapi:/// -f ~/olc-mod1.ldif
If the changes are implemented the screen should display:
modifying entry "cn=config"
modifying entry "olcDatabase={1}hdb,cn=config"
~#
===Create a Basic Tree===
- Create and edit a file using 'pico ~/tree.ldif' so it contains the following (the blank line separating the two records is required):
dn: ou=people,dc=student,dc=lab
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=student,dc=lab
ou: groups
objectClass: organizationalUnit
* Save and exit using the + command.
- Implement the changes using the following command:
~# ldapadd -cxWD cn=admin,dc=student,dc=lab -f ~/tree.ldif
Enter LDAP Password:CaK30RD3aTH
The screen should display:
adding new entry "ou=people,dc=student,dc=lab"
adding new entry "ou=groups,dc=student,dc=lab"
~#
Perform a test: run an ldapsearch with an anonymous bind (no DN specified) to check that the new organizational units have indeed been added to the database, using the command:
~# ldapsearch -xLLL
Check that the output looks like the following and does not contain any obvious errors:
~# ldapsearch -xLLL
dn: dc=student,dc=lab
objectClass: top
objectClass: dcObject
objectClass: organization
o: student.lab
dc: student

dn: cn=admin,dc=student,dc=lab
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: ou=people,dc=student,dc=lab
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=student,dc=lab
ou: groups
objectClass: organizationalUnit
~#
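The two steps above (writing tree.ldif by hand, then reading the ldapsearch -xLLL output by eye) are where typing mistakes usually hide, most often a forgotten blank line between two records. The following is an added example, not code from the original page or from OpenLDAP: a small LDIF record parser that rejects a file in which two records run together, lists which expected DNs are missing from search output, and confirms that an anonymous search returned no userPassword values. The sample inputs are constructed copies of the page's tree.ldif and search output; function names are this example's own.

```python
# Added example (not from the original page or OpenLDAP): a minimal LDIF
# record parser for sanity-checking files before ldapadd and for checking
# ldapsearch -xLLL output.
import base64


def _split_line(line):
    """Split 'attr: value' (or base64 'attr:: value') into (attr, value)."""
    name, sep, rest = line.partition(":")
    if not sep or not name:
        raise ValueError("malformed LDIF line: %r" % line)
    if rest.startswith(":"):
        # 'attr:: <base64>' is used for binary or non-ASCII values
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name, rest.strip()


def _build_record(lines):
    """Turn the lines of one record into (dn, {attr: [values]})."""
    dn, attrs = None, {}
    for line in lines:
        if line == "-":
            continue  # change separator inside a 'changetype: modify' record
        name, value = _split_line(line)
        if name == "dn":
            if dn is not None:
                # the usual hand-typed-file defect: two entries not separated
                # by a blank line, which ldapadd also rejects
                raise ValueError("second dn %r inside one record "
                                 "(missing blank line before it?)" % value)
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("record without a dn, starting at %r" % lines[0])
    return dn, attrs


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, attrs) records.

    Records are separated by blank lines, '#' lines are comments, and a line
    beginning with one space continues the previous line.
    """
    records, current = [], []
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                records.append(_build_record(current))
                current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    return records


def missing_dns(search_output, expected_dns):
    """Return the expected DNs that do not appear in the search output."""
    found = {dn for dn, _ in parse_ldif(search_output)}
    return sorted(set(expected_dns) - found)


def leaked_attrs(search_output, sensitive=("userPassword",)):
    """Return (dn, attr) pairs for sensitive attributes present in the output.
    An anonymous search under the default ACLs should yield none."""
    return [(dn, a) for dn, attrs in parse_ldif(search_output)
            for a in sensitive if a in attrs]


# Constructed sample: the tree.ldif from this page ...
TREE_LDIF = """\
dn: ou=people,dc=student,dc=lab
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=student,dc=lab
ou: groups
objectClass: organizationalUnit
"""
# ... and the same file with the separating blank line forgotten
BROKEN_TREE_LDIF = TREE_LDIF.replace("\n\n", "\n")

# Constructed sample: what ldapsearch -xLLL returns once the tree is added
SEARCH_OUTPUT = """\
dn: dc=student,dc=lab
objectClass: top
objectClass: dcObject
objectClass: organization
o: student.lab
dc: student

dn: cn=admin,dc=student,dc=lab
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

""" + TREE_LDIF

EXPECTED = ["ou=people,dc=student,dc=lab", "ou=groups,dc=student,dc=lab"]

if __name__ == "__main__":
    print(len(parse_ldif(TREE_LDIF)), "records in tree.ldif")
    try:
        parse_ldif(BROKEN_TREE_LDIF)
    except ValueError as err:
        print("broken file rejected:", err)
    print("missing:", missing_dns(SEARCH_OUTPUT, EXPECTED))
    print("leaked:", leaked_attrs(SEARCH_OUTPUT))
```

Run it as is to see the constructed samples checked; to use it on the lab machine, read ~/tree.ldif into parse_ldif before running ldapadd, and pipe the ldapsearch output into missing_dns and leaked_attrs instead of comparing it by eye.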
===Create a User Account===
- Create a new user account, called genUsr. First create and edit a file:
* Use the command 'pico ~/genUsr.ldif'
* Enter the following contents (again, the blank line between the group record and the user record is required):
dn: cn=genUsr,ou=groups,dc=student,dc=lab
cn: genUsr
gidNumber: 20000
objectClass: top
objectClass: posixGroup

dn: uid=genUsr,ou=people,dc=student,dc=lab
uid: genUsr
uidNumber: 20000
gidNumber: 20000
cn: Generic
sn: User
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/genUsr
userPassword: Guest1
- Implement the account using the command:
ldapadd -cxWD cn=admin,dc=student,dc=lab -f ~/genUsr.ldif
- Run a search for the new genUsr entry using the command:
ldapsearch -xLLL uid=genUsr
* The resulting output should look like the following (userPassword is not shown because the default Debian access rules do not return it to an anonymous bind):
dn: uid=genUsr,ou=people,dc=student,dc=lab
uid: genUsr
uidNumber: 20000
gidNumber: 20000
cn: Generic
sn: User
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/genUsr
It is possible to test authentication for an LDAP account by using the 'ldapwhoami' command:
* Use the -w option followed by the assigned password to specify the password on the command line.
ldapwhoami -xD uid=genUsr,ou=people,dc=student,dc=lab -w Guest1
* The same bind DN and password options are required for ldapsearch when it is run as a user rather than anonymously.
* In all such cases the principle is the same: authentication and authorization take place before any such single command is processed.
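The genUsr.ldif above stores the password as cleartext ('userPassword: Guest1'). slapd also accepts a salted hash in the {SSHA} scheme, which is what slappasswd produces: the base64 encoding of SHA-1(password + salt) followed by the salt. On a simple bind such as the ldapwhoami test, slapd hashes the supplied password with the stored salt and compares the result. The following is an added example, not code from the original page or from OpenLDAP; it reproduces that scheme in Python so the user record can be written with a hashed value, and shows the comparison a bind performs. The names ssha_hash, ssha_verify, user_entry and stored_password are this example's own.

```python
# Added example (not from the original page or OpenLDAP): the {SSHA}
# userPassword scheme and the comparison a simple bind performs against it.
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)      # slappasswd likewise picks a random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value as a simple bind does."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def user_entry(uid, number, cn, sn, password, base="dc=student,dc=lab"):
    """Build the posixAccount record from the page with a hashed userPassword."""
    lines = [
        "dn: uid=%s,ou=people,%s" % (uid, base),
        "uid: %s" % uid,
        "uidNumber: %d" % number,
        "gidNumber: %d" % number,
        "cn: %s" % cn,
        "sn: %s" % sn,
        "objectClass: top",
        "objectClass: person",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "loginShell: /bin/bash",
        "homeDirectory: /home/%s" % uid,
        "userPassword: %s" % ssha_hash(password),
    ]
    return "\n".join(lines) + "\n"


def stored_password(ldif_record):
    """Pull the userPassword value out of a single-record LDIF string."""
    for line in ldif_record.splitlines():
        if line.startswith("userPassword: "):
            return line[len("userPassword: "):]
    return None


if __name__ == "__main__":
    # Constructed input: the genUsr account from this page
    entry = user_entry("genUsr", 20000, "Generic", "User", "Guest1")
    print(entry)
    stored = stored_password(entry)
    print("bind with Guest1:", ssha_verify("Guest1", stored))   # True
    print("bind with guest1:", ssha_verify("guest1", stored))   # False
```

The record printed by user_entry can replace the user record in genUsr.ldif; the ldapadd and ldapwhoami commands above work unchanged, and an ldapsearch by the admin DN then shows the {SSHA} value rather than 'Guest1'. When testing binds on a shared machine, prefer ldapwhoami -xWD ... (prompt for the password, as the page's ldapadd commands already do) over -w, which leaves the password in the shell history and in the process list.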
====References====
- [[http://www.rjsystems.nl/en/2100-d6-openldap-provider.php|Tech Notes-OpenLDAP provider on Debian Squeeze]]