The document that I followed to install LDAP and Kerberos suggested that I set up log monitoring, so the first thing I did was:

**cd /var/log; tail -F daemon.log user.log auth.log debug kern.log syslog dmesg messages kerberos/{krb5kdc,kadmin,krb5lib}.log**

(The kerberos/*.log files do not exist until the Kerberos install later; tail -F keeps retrying and picks them up when they appear.)

My system was set up with three servers: one system where the LDAP and Kerberos applications were installed and two client systems:

  * vm14.student.lab, application server, IP 10.80.3.14
  * vm15.student.lab, client system, IP 10.80.3.15
  * vm16.student.lab, client system, IP 10.80.3.16

Next I needed to set up the hosts file (/etc/hosts) on each system so that the names resolve without DNS.

Hosts file for vm14: \\
10.80.3.14 vm14.student.lab vm14 #ldap server \\
10.80.3.15 vm15.student.lab vm15 #client \\
10.80.3.16 vm16.student.lab vm16 #client

Hosts file for vm15: \\
10.80.3.14 vm14.student.lab vm14 afs1 #ldap server \\
10.80.3.15 vm15.student.lab vm15 #client

Hosts file for vm16: \\
10.80.3.14 vm14.student.lab vm14 afs1 #ldap server \\
10.80.3.16 vm16.student.lab vm16 #client

Log on to vm14.student.lab. \\
NOTE: from this point on everything you type is shown in **bold**, and where you see //PASSWORD// enter a password of your choosing.

====== Server installation ======

The process that I followed says the server component to install is called slapd:

**apt-get install slapd ldap-utils**

Debconf answers for reference: \\
Omit OpenLDAP server configuration? **No** \\
DNS domain name: **student.lab** \\
Organization name: **student.lab** \\
Administrator password: //PASSWORD// \\
Confirm password: //PASSWORD// \\
Database backend to use: **HDB** \\
Do you want the database to be removed when slapd is purged? **No** \\
Allow LDAPv2 protocol? **No**

Enable the following two lines in /etc/ldap/ldap.conf (create the file if necessary): \\
**BASE dc=student,dc=lab** \\
**URI %%ldap://10.80.3.14%%**

Note that this is a plain ldap:// URI with no TLS, and every ldapadd and ldappasswd below uses a simple bind (-x): the admin password and each new user password cross the network in clear text. That is tolerable on an isolated lab network like this one; anywhere else, configure TLS on slapd and use ldaps:// or STARTTLS before real credentials go in.

====== Server Configuration ======

Next, edit the server's configuration file /etc/ldap/slapd.conf to tune its behaviour.
\\
Make sure all the schema files are enabled: \\
**include /etc/ldap/schema/core.schema** \\
**include /etc/ldap/schema/cosine.schema** \\
**include /etc/ldap/schema/nis.schema** \\
**include /etc/ldap/schema/inetorgperson.schema**

Change the verbosity level from 0 or "none" to 256 (connection and operation statistics, which is what the log monitoring above will show): \\
**loglevel 256**

Search for the line "index objectClass eq" and add the second line below it: \\
index objectClass eq \\
**index uid eq**

To apply the new index option, run the following commands (slapindex must run with slapd stopped, and because it runs as root the database files have to be given back to the openldap user afterwards or slapd will not start): \\
**invoke-rc.d slapd stop** \\
**slapindex** \\
**chown -R openldap:openldap /var/lib/ldap** \\
**invoke-rc.d slapd start**

**Initial test using ldapsearch and slapcat**

**ldapsearch -x** \\
# extended LDIF \\
# \\
# LDAPv3 \\
# base (default) with scope subtree \\
# filter: (objectclass=*) \\
# requesting: ALL \\
# \\
\\
# student.lab \\
dn: dc=student,dc=lab \\
objectClass: top \\
objectClass: dcObject \\
objectClass: organization \\
o: student.lab \\
dc: student \\
\\
# admin, student.lab \\
dn: cn=admin,dc=student,dc=lab \\
objectClass: simpleSecurityObject \\
objectClass: organizationalRole \\
cn: admin \\
description: LDAP administrator \\
\\
# search result \\
search: 2 \\
result: 0 Success \\
\\
# numResponses: 3 \\
# numEntries: 2

**slapcat** \\
dn: dc=student,dc=lab \\
objectClass: top \\
objectClass: dcObject \\
objectClass: organization \\
o: student.lab \\
dc: student \\
structuralObjectClass: organization \\
etc … \\
\\
dn: cn=admin,dc=student,dc=lab \\
objectClass: simpleSecurityObject \\
objectClass: organizationalRole \\
cn: admin \\
description: LDAP administrator \\
userPassword:: e2NyeXB0fVdSZDJjRFdRODluNHM= \\
structuralObjectClass: organizationalRole \\
entryUUID: 350b330a-87d3-102c-8c1d-1ffeac40db98 \\
creatorsName: … \\
etc …

Two things to notice in the slapcat output. The anonymous ldapsearch did not return userPassword, because Debian's default slapd.conf ACL only lets an entry's own DN and the admin read it; slapcat reads the database files directly and bypasses the ACLs, so its output contains every password hash and must be handled (and file-permissioned) like /etc/shadow. Second, the value shown is base64: decoded it is {crypt} followed by a 13-character hash, i.e. traditional DES crypt, which is fast to brute-force and only looks at the first 8 characters of the password. Set **password-hash {SSHA}** in slapd.conf before creating real users (it applies to passwords set through ldappasswd) and re-set the admin password afterwards.

Next I created /var/tmp/ou.ldif with the organizational units (ou=People, which the search below returns, and ou=group, which user1.ldif refers to) and loaded it with slapadd. slapadd, like slapindex, needs slapd stopped and can leave root-owned database files behind, so the chown is repeated: \\
**invoke-rc.d slapd stop** \\
**slapadd -c -v -l /var/tmp/ou.ldif** \\
**chown -R openldap:openldap /var/lib/ldap** \\
**invoke-rc.d slapd start**

Next I used ldapsearch to verify the entries had been created. \\
**ldapsearch -x ou=people** \\
# extended LDIF \\
# \\
# LDAPv3 \\
# base (default) with
scope subtree \\
# filter: ou=people \\
# requesting: ALL \\
# \\
\\
# People, student.lab \\
dn: ou=People,dc=student,dc=lab \\
ou: People \\
objectClass: organizationalUnit \\
\\
# search result \\
search: 2 \\
result: 0 Success \\
\\
# numResponses: 2 \\
# numEntries: 1

====== User Creation ======

Next I created a user account by editing /var/tmp/user1.ldif. The first entry is the user's private group, the second the account itself; the bold values are the ones to change per user, and the blank line between the two entries is required by LDIF: \\
**vi /var/tmp/user1.ldif**

dn: cn=**mirko**,ou=group,dc=**student**,dc=**lab** \\
cn: **mirko** \\
gidNumber: **20000** \\
objectClass: top \\
objectClass: posixGroup \\
\\
dn: uid=**mirko**,ou=people,dc=**student**,dc=**lab** \\
uid: **mirko** \\
uidNumber: **20000** \\
gidNumber: **20000** \\
cn: **Mirko** \\
sn: **Mirko** \\
objectClass: top \\
objectClass: person \\
objectClass: posixAccount \\
objectClass: shadowAccount \\
loginShell: /bin/bash \\
homeDirectory: /home/**mirko**

Pick uidNumber/gidNumber values that cannot collide with local accounts on any client (Debian allocates local users from 1000 upwards; 20000 is safely above that) and keep them unique across LDAP users, because NSS resolves file ownership by number, not by name.

To load the LDIF file into the server (this time through the running server with ldapadd, binding as the admin): \\
**ldapadd -c -x -D cn=admin,dc=student,dc=lab -W -f /var/tmp/user1.ldif** \\
Enter LDAP Password: //PASSWORD// \\
adding new entry "cn=mirko,ou=group,dc=student,dc=lab" \\
adding new entry "uid=mirko,ou=people,dc=student,dc=lab"

Now to define the new user's password: \\
**ldappasswd -x -D cn=admin,dc=student,dc=lab -W -S uid=mirko,ou=people,dc=student,dc=lab** \\
New password: NEW USER //PASSWORD// \\
Re-enter new password: NEW USER //PASSWORD// \\
Enter LDAP Password: //ADMIN PASSWORD//

Next I verified that the account was set up.
\\
**ldapsearch -x uid=mirko** \\
# extended LDIF \\
# \\
# LDAPv3 \\
# base (default) with scope subtree \\
# filter: uid=mirko \\
# requesting: ALL \\
# \\
\\
# mirko, people, student.lab \\
dn: uid=mirko,ou=people,dc=student,dc=lab \\
uid: mirko \\
uidNumber: 20000 \\
gidNumber: 20000 \\
cn: Mirko \\
sn: Mirko \\
objectClass: top \\
objectClass: person \\
objectClass: posixAccount \\
loginShell: /bin/bash \\
homeDirectory: /home/mirko \\
\\
# search result \\
search: 2 \\
result: 0 Success \\
\\
# numResponses: 2 \\
# numEntries: 1

(userPassword is not listed: the anonymous bind that -x uses is not allowed to read it, which is the behaviour you want.)

====== NSS configuration ======

To let the system see LDAP accounts, we need to install libnss-ldap (nscd caches the lookups so that not every process opens its own LDAP connection): \\
**apt-get install libnss-ldap nscd**

Debconf answers (libpam-ldap is pulled in as a dependency, so some of its questions appear here as well): \\
LDAP server URI: **%%ldap://10.80.3.14/%%** \\
Distinguished name of the search base: **dc=student,dc=lab** \\
LDAP version to use: **3** \\
Does the LDAP database require login? **No** \\
Special LDAP privileges for root? **No** \\
Make the configuration file readable/writeable by its owner only? **No** \\
Allow LDAP admin account to behave like local root? **Yes** \\
Make local root Database admin? **No** \\
LDAP administrative account: **cn=admin,dc=student,dc=lab** \\
LDAP administrative password: //PASSWORD// \\
Local crypt to use when changing passwords: **md5**

Leaving /etc/libnss-ldap.conf world-readable is acceptable only because no bind password is stored in it (the database does not require login). The administrative password entered above, on the other hand, is written to /etc/pam_ldap.secret (and to /etc/libnss-ldap.secret if root is ever given special privileges); check that those files are mode 600 and owned by root, because whoever reads them can write the whole directory.

To configure the NSS module further: \\
**vi /etc/libnss-ldap.conf** \\
base **dc=student,dc=lab** \\
uri **%%ldap://10.80.3.14%%**

Finally, to activate the LDAP NSS module: \\
**vi /etc/nsswitch.conf** \\
changing these lines so that LDAP is consulted after the local files (files first, so root and the system accounts still resolve when the LDAP server is down): \\
passwd: **files ldap** \\
group: **files ldap** \\
shadow: **files ldap**

Give shadow the same treatment as passwd and group: the accounts carry shadowAccount, and pam_unix looks at the shadow map through NSS. After editing these files restart nscd (**invoke-rc.d nscd restart**) so that it does not keep serving cached negative lookups, then check with **getent passwd mirko** that the LDAP entry is returned.

====== PAM configuration ======

The final LDAP step is integrating LDAP into the system authentication procedure. \\
Install and configure libpam-ldap (you might already have done this step automatically, during the libnss-ldap installation; in that case Debian will just report that the package is already installed): \\
**apt-get install libpam-ldap** \\
Make local root Database admin? **No** \\
Does the LDAP database require login?
**No** \\
Local crypt to use when changing passwords: **md5**

To configure the PAM module: \\
**vi /etc/pam_ldap.conf** \\
base **dc=student,dc=lab** \\
uri **%%ldap://10.80.3.14%%**

The four common-* files below carry both the LDAP-only lines used at this stage and, commented out, the lines the later Kerberos install will switch to. Until Kerberos is installed, leave every pam_krb5.so line commented; an enabled line for a module that is not installed makes password changes and sessions fail.

**vi /etc/pam.d/common-account** \\
Make sure these lines are included: \\
**account sufficient pam_unix.so** \\
**account required pam_ldap.so** \\
# Enable if using Kerberos: \\
#account required pam_krb5.so

**vi /etc/pam.d/common-auth** \\
Make sure these lines are included: \\
# Disable the three lines if using Kerberos: \\
**auth [success=1 default=ignore] pam_unix.so nullok_secure** \\
**auth required pam_ldap.so use_first_pass** \\
**auth required pam_permit.so** \\
# Enable the three lines if using Kerberos: \\
#auth sufficient pam_unix.so nullok_secure \\
#auth sufficient pam_krb5.so use_first_pass \\
#auth required pam_deny.so

The success=1 on pam_unix means a password that matches /etc/shadow skips the pam_ldap line; otherwise the same password (use_first_pass) is tried against LDAP, so the user is only prompted once.

**vi /etc/pam.d/common-password** \\
Make sure these lines are included: \\
**password sufficient pam_unix.so nullok obscure md5** \\
# Disable if using Kerberos: \\
**password required pam_ldap.so use_first_pass** \\
# Enable if using Kerberos: \\
#password required pam_krb5.so use_first_pass

**vi /etc/pam.d/common-session** \\
**session required pam_unix.so** \\
**session required pam_mkhomedir.so skel=/etc/skel/ umask=0022** \\
# Enable if using Kerberos: \\
#session optional pam_krb5.so minimum_uid=1000

pam_mkhomedir creates /home/mirko from /etc/skel at the first login, which is why the LDIF only names the directory.

====== Client Configuration ======

These commands need to run on both clients (vm15 and vm16). The package names use dashes (apt-get knows nothing about pam_ldap or libnss_ldap), and the debconf questions get the same answers as on vm14: \\
**apt-get install libpam-ldap libnss-ldap nscd**

After that, to save time and reduce typos, I copied these files from vm14 to vm15 and vm16 with scp: \\
/etc/nsswitch.conf \\
/etc/pam.d/common-account \\
/etc/pam.d/common-auth \\
/etc/pam.d/common-password \\
/etc/pam.d/common-session

Log in to vm14 and run (the colon and destination path matter: without them scp treats "root@vm15.student.lab" as a local file name and nothing reaches the client): \\
**scp /etc/nsswitch.conf root@vm15.student.lab:/etc/** \\
**scp /etc/pam.d/common* root@vm15.student.lab:/etc/pam.d/** \\
**scp /etc/nsswitch.conf root@vm16.student.lab:/etc/** \\
**scp /etc/pam.d/common* root@vm16.student.lab:/etc/pam.d/**

Then restart nscd on each client (**invoke-rc.d nscd restart**) and verify: **getent passwd mirko** should print the entry from LDAP, and a console or ssh login as mirko should accept the LDAP password and create /home/mirko.

This finishes the LDAP install; next comes the Kerberos install.

==== Reference ====
http://techpubs.spinlocksolutions.com/dklar/ldap.html
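An added example for the User Creation section above (my script, not part of the original write-up or of the referenced document). It generates the OU entries that /var/tmp/ou.ldif needs and the group + account pair that user1.ldif holds, with the checks a hand-edited LDIF skips: the login name and uid are validated, and next_uid picks the lowest free number instead of the 20000 a copy-and-paste of user1.ldif would reuse. Assumed from the page: base DN dc=student,dc=lab, the OUs ou=people and ou=group, and LDAP uids starting at 20000; the contents of ou.ldif are my reconstruction, since the page does not show that file.

```bash
#!/bin/sh
# Added example (not from the original write-up): generate the OU entries
# that /var/tmp/ou.ldif needs and the group+user pair that user1.ldif
# holds, with the checks a hand-edited LDIF skips. Assumed from the page:
# base DN dc=student,dc=lab, OUs ou=people / ou=group, LDAP uids from 20000.
# The OU contents are my reconstruction; the page does not show ou.ldif.

export LC_ALL=C           # predictable character classes in the patterns below
BASE="dc=student,dc=lab"
UID_MIN=20000

# ldif_ous: the two organizational units the user entries hang under.
ldif_ous() {
    cat <<EOF
dn: ou=people,$BASE
ou: people
objectClass: organizationalUnit

dn: ou=group,$BASE
ou: group
objectClass: organizationalUnit
EOF
}

# ldif_user NAME UID [GECOS]: posixGroup + posixAccount with matching
# uid/gid (a user-private group, as user1.ldif does). Returns 1 and emits
# nothing if the name is not a sane login or the uid is not a number at or
# above UID_MIN, so a typo cannot land on a local system account.
ldif_user() {
    name=$1; uid=$2; gecos=${3:-$1}
    case $name in
        [a-z_][a-z0-9_-]*) ;;
        *) echo "ldif_user: bad user name '$name'" >&2; return 1 ;;
    esac
    case $uid in
        ''|*[!0-9]*) echo "ldif_user: bad uid '$uid'" >&2; return 1 ;;
    esac
    if [ "$uid" -lt "$UID_MIN" ]; then
        echo "ldif_user: uid $uid is below $UID_MIN" >&2; return 1
    fi
    cat <<EOF
dn: cn=$name,ou=group,$BASE
cn: $name
gidNumber: $uid
objectClass: top
objectClass: posixGroup

dn: uid=$name,ou=people,$BASE
uid: $name
uidNumber: $uid
gidNumber: $uid
cn: $gecos
sn: $gecos
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/$name
EOF
}

# next_uid FILE: lowest unused uid >= UID_MIN, given a file whose first
# colon-separated field is an allocated uid (for instance a list built from
# ldapsearch -x -LLL '(objectClass=posixAccount)' uidNumber, or one kept by
# hand). Lines whose first field is not a number are ignored.
next_uid() {
    awk -F: -v min="$UID_MIN" '
        $1 ~ /^[0-9]+$/ && $1 + 0 >= min + 0 { used[$1 + 0] = 1 }
        END { u = min + 0; while (u in used) u++; print u }' "$1"
}
```

Usage on vm14 would be `ldif_ous > /var/tmp/ou.ldif` followed by `ldif_user mirko "$(next_uid allocated-uids.txt)" Mirko > /var/tmp/user1.ldif`, then the slapadd and ldapadd commands from the sections above; `allocated-uids.txt` is a file you maintain, not something the page or slapd provides.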
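An added example for the slapcat output in the Server Configuration section (my script, not part of the original write-up). slapcat bypasses the ACL that hides userPassword from ldapsearch, so its dump is where you can see which hash scheme each entry actually uses. The script decodes the base64 values, classifies the {scheme} prefix, and flags {crypt} values 13 characters long as traditional DES. The sample input is constructed, apart from the admin hash, which is the one printed by slapcat on this page.

```bash
#!/bin/sh
# Added example (not from the original write-up): audit the userPassword
# values in a slapcat dump for weak storage. Base64 values ("userPassword::")
# are decoded, the "{scheme}" prefix is classified, and {crypt} values that
# are 13 characters long are flagged as traditional DES crypt.

# pw_class VALUE: classify one decoded userPassword value.
#   cleartext      no {scheme} prefix, or {CLEARTEXT}
#   crypt-des      {crypt} with a 13-character traditional DES hash
#   crypt-modular  {crypt} with a $id$salt$hash glibc hash (md5/sha-2)
#   unsalted-X     {MD5}/{SHA}: unsalted, rainbow-table friendly
#   salted-X       {SMD5}/{SSHA}: salted; {SSHA} is the slapd default
#   other-X        anything else
pw_class() {
    v=$1
    case $v in
        '{'*'}'*) ;;
        *) echo cleartext; return 0 ;;
    esac
    scheme=${v%%\}*}; scheme=${scheme#\{}
    hash=${v#*\}}
    scheme=$(printf '%s' "$scheme" | tr 'A-Z' 'a-z')
    case $scheme in
        cleartext) echo cleartext ;;
        crypt)
            case $hash in
                \$*) echo crypt-modular ;;
                *) if [ ${#hash} -eq 13 ]; then echo crypt-des; else echo crypt-other; fi ;;
            esac ;;
        md5|sha) echo "unsalted-$scheme" ;;
        smd5|ssha) echo "salted-$scheme" ;;
        *) echo "other-$scheme" ;;
    esac
}

# audit_ldif FILE: print "DN<tab>CLASS" for every entry carrying userPassword.
# Tab-separated so DNs containing spaces survive the awk step below.
audit_ldif() {
    dn=''
    while IFS= read -r line; do
        case $line in
            'dn: '*) dn=${line#dn: } ;;
            'userPassword:: '*)
                val=$(printf '%s' "${line#userPassword:: }" | base64 -d)
                printf '%s\t%s\n' "$dn" "$(pw_class "$val")" ;;
            'userPassword: '*)
                printf '%s\t%s\n' "$dn" "$(pw_class "${line#userPassword: }")" ;;
        esac
    done < "$1"
}

# weak_entries FILE: DNs whose password storage should be re-set after
# "password-hash {SSHA}" is configured (anything but salted or modular crypt).
weak_entries() {
    audit_ldif "$1" | awk -F '\t' '$2 !~ /^(salted-|crypt-modular$)/ { print $1 }'
}
```

On vm14 this is `slapcat > /root/dump.ldif; weak_entries /root/dump.ldif` (run as root, and delete the dump afterwards: it holds every hash). Each DN it lists can be fixed with the ldappasswd command from the User Creation section once password-hash is set to {SSHA}.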
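An added example for the NSS, PAM and Client Configuration sections (my script, not part of the original write-up): a pre-flight check to run on vm15 and vm16 once the files have been copied over, before trusting a client login. It confirms that passwd, group and shadow consult ldap in nsswitch.conf, that common-auth has the pam_ldap line with use_first_pass and common-session has pam_mkhomedir, that libnss-ldap.conf and pam_ldap.conf point at the server and base DN, and that any stored bind password file is mode 600. It takes the root of the tree to inspect so it can be tested against a staged directory; on a real client run `check_client /`. Assumed from the page: the file paths, the server 10.80.3.14 and the base DN dc=student,dc=lab.

```bash
#!/bin/sh
# Added example (not from the original write-up): pre-flight check for an
# LDAP client. Assumed from the page: the paths below, the server address
# 10.80.3.14 and the base DN dc=student,dc=lab. Run as "check_client /" on
# a real client; the root argument exists so the check can be tested on a
# staged directory tree.

LDAP_SERVER=10.80.3.14
BASE_DN='dc=student,dc=lab'

# fail MSG: record one finding and keep going, so one run lists everything.
fail() { echo "FAIL: $1"; failures=$((failures + 1)); }

# nss_has_ldap FILE DB: true if the DB line in nsswitch.conf lists ldap.
nss_has_ldap() {
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]ldap([[:space:]]|\$)" "$1" 2>/dev/null
}

# secret_ok FILE: a stored bind password is fine only if nobody but its
# owner can read it; an absent file means no password is stored at all.
secret_ok() {
    [ -e "$1" ] || return 0
    [ "$(stat -c %a "$1")" = 600 ]
}

# check_client ROOT: run every check against ROOT/etc; returns 0 when clean.
check_client() {
    root=${1%/}; failures=0
    for db in passwd group shadow; do
        nss_has_ldap "$root/etc/nsswitch.conf" "$db" \
            || fail "nsswitch.conf: '$db' does not consult ldap"
    done
    grep -Eq '^auth[[:space:]].*pam_ldap\.so.*use_first_pass' \
        "$root/etc/pam.d/common-auth" 2>/dev/null \
        || fail "common-auth: pam_ldap.so missing or without use_first_pass"
    grep -Eq '^session[[:space:]].*pam_mkhomedir\.so' \
        "$root/etc/pam.d/common-session" 2>/dev/null \
        || fail "common-session: pam_mkhomedir.so not enabled"
    for f in libnss-ldap.conf pam_ldap.conf; do
        grep -Eq "^uri[[:space:]]+ldap://$LDAP_SERVER(/|[[:space:]]|\$)" \
            "$root/etc/$f" 2>/dev/null \
            || fail "$f: uri does not point at $LDAP_SERVER"
        grep -Eq "^base[[:space:]]+$BASE_DN[[:space:]]*\$" "$root/etc/$f" 2>/dev/null \
            || fail "$f: base is not $BASE_DN"
    done
    for f in libnss-ldap.secret pam_ldap.secret; do
        secret_ok "$root/etc/$f" || fail "$f: bind password is readable by others"
    done
    [ "$failures" -eq 0 ]
}
```

The checks are deliberately static (file contents and modes only); `getent passwd mirko` after an `invoke-rc.d nscd restart` is still the live test that the client actually talks to vm14.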