user:jbrant:csit1320:ldap_install

The document I followed to install LDAP and Kerberos suggested setting up log monitoring first, so the first thing I did was:

cd /var/log; tail -F daemon.log user.log auth.log debug kern.log syslog dmesg messages kerberos/{krb5kdc,kadmin,krb5lib}.log

My lab was set up with three systems: one server where LDAP (and, later, Kerberos) is installed, and two client systems:

vm14.student.lab    application server    ip 10.80.3.14
vm15.student.lab    client system         ip 10.80.3.15
vm16.student.lab    client system         ip 10.80.3.16

Next I set up /etc/hosts on each system so the three names resolve without DNS.
Hosts file for vm14:

10.80.3.14 vm14.student.lab vm14 #ldap server
10.80.3.15 vm15.student.lab vm15 #client
10.80.3.16 vm16.student.lab vm16 #client

Hosts file for vm15:

10.80.3.14 vm14.student.lab vm14 afs1 #ldap server
10.80.3.15 vm15.student.lab vm15 #client

Hosts file for vm16:

10.80.3.14 vm14.student.lab vm14 afs1 #ldap server
10.80.3.16 vm16.student.lab vm16 #client

Log on to vm14.student.lab.
NOTE: from this point on everything you type is shown in bold, and where you see PASSWORD enter a password of your choosing.

Server installation

The guide I followed says the server component to install is slapd (the OpenLDAP standalone daemon), together with the ldap-utils command-line tools:

apt-get install slapd ldap-utils

Debconf answers for reference:
Omit OpenLDAP server configuration? No

DNS domain name: student.lab

Organization name? student.lab

Administrator password: PASSWORD

Confirm password: PASSWORD

Database backend to use: HDB (the default at the time; current OpenLDAP releases use MDB)

Do you want the database to be removed when slapd is purged? No

Allow LDAPv2 protocol? No

Enable the following two lines in /etc/ldap/ldap.conf (the client-side defaults used by ldapsearch and friends), creating the file if necessary:

BASE dc=student,dc=lab
URI ldap://10.80.3.14

Server Configuration

Then edit the server's configuration file, /etc/ldap/slapd.conf, to tune its behaviour. (Releases whose slapd keeps its configuration in /etc/ldap/slapd.d, the cn=config database, take the same settings through ldapmodify against cn=config instead.)
Make sure all the schema files are enabled:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

Change the log level from 0 (“none”) to 256, the “stats” level that logs each connection, operation and result (this is what the tail -F above shows):

loglevel 256

Search for the line “index objectClass eq” and add the second line below it; uid is what every login lookup filters on, so it needs an equality index:

index objectClass eq
index uid eq

The index is only built when slapindex runs against the stopped database, and slapindex run as root leaves files owned by root, so ownership is handed back to the openldap user before slapd starts again:

invoke-rc.d slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
invoke-rc.d slapd start

Initial test using ldapsearch and slapcat

ldapsearch -x

# extended LDIF
#
# LDAPv3
# base <dc=student, dc=lab> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# student.lab
dn: dc=student,dc=lab
objectClass: top
objectClass: dcObject
objectClass: organization
o: student.lab
dc: student

# admin, student.lab
dn: cn=admin,dc=student,dc=lab
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

slapcat

dn: dc=student,dc=lab
objectClass: top
objectClass: dcObject
objectClass: organization
o: student.lab
dc: student
structuralObjectClass: organization
etc …

dn: cn=admin,dc=student,dc=lab
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fVdSZDJjRFdRODluNHM=
structuralObjectClass: organizationalRole
entryUUID: 350b330a-87d3-102c-8c1d-1ffeac40db98
creatorsName:
etc …

Note that slapcat dumps the raw database, the admin userPassword included (written base64-encoded, the “::” form, which hides it from a casual glance but protects nothing). Decoded, this one is a {crypt} value of the traditional 13-character DES form, which is weak; treat slapcat output as sensitive and keep it out of shared notes.
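As an added example (not code from the original page), the following script classifies the password storage scheme of every userPassword in an LDIF dump such as the slapcat output above. Its input is a constructed copy of the two entries shown on this page; base64 -d is the GNU coreutils flag, and the weak/ok verdicts are the example's own:

```shell
#!/bin/sh
# Added example, not part of the original page: scan an LDIF dump such as the
# slapcat output above and report how each userPassword is stored, flagging
# weak or reversible schemes. The input below is a constructed sample built
# from the admin entry shown on this page; "base64 -d" is GNU coreutils.

# Name of a "{SCHEME}..." prefix in lower case, e.g. "{SSHA}x" -> "ssha".
scheme_name() { printf '%s' "$1" | sed 's/^{\([^}]*\)}.*/\1/' | tr 'A-Z' 'a-z'; }

# Classify one decoded userPassword value. Prints "<scheme>:<weak|ok|unknown>".
classify_userpassword() {
  v=$1
  case $v in
    '{crypt}'*|'{CRYPT}'*)
      h=$(printf '%s' "$v" | sed 's/^{[^}]*}//')
      case $h in
        '$6$'*) echo "crypt-sha512:ok" ;;
        '$5$'*) echo "crypt-sha256:ok" ;;
        '$1$'*) echo "crypt-md5:weak" ;;
        *)  # No $id$ prefix and 13 characters: traditional DES crypt. Only the
            # first 8 password characters count and the key is 56 bits.
            if [ "${#h}" -eq 13 ]; then echo "crypt-des:weak"; else echo "crypt-other:unknown"; fi ;;
      esac ;;
    '{SSHA}'*|'{ssha}'*) echo "ssha:ok" ;;           # salted SHA-1, slappasswd's default
    '{SHA}'*|'{MD5}'*|'{sha}'*|'{md5}'*)
      echo "$(scheme_name "$v"):weak" ;;             # unsalted digest: rainbow-table fodder
    '{CLEARTEXT}'*|'{cleartext}'*) echo "cleartext:weak" ;;
    '{'*) echo "$(scheme_name "$v"):unknown" ;;
    *) echo "cleartext:weak" ;;                      # no scheme prefix: stored as typed
  esac
}

# Join LDIF continuation lines (a leading space continues the previous line),
# which slapcat emits for values longer than 76 characters.
unfold_ldif() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { printf "\n" }
       { printf "%s", $0 }
       END { printf "\n" }'
}

# Read LDIF on stdin; print "<dn> <scheme>:<verdict>" per userPassword seen.
# "userPassword::" (double colon) values are base64 and are decoded first.
audit_ldif_passwords() {
  unfold_ldif | while IFS= read -r line; do
    case $line in
      'dn: '*) dn=${line#"dn: "} ;;
      'userPassword:: '*)
        pw=$(printf '%s' "${line#"userPassword:: "}" | base64 -d)
        echo "$dn $(classify_userpassword "$pw")" ;;
      'userPassword: '*)
        echo "$dn $(classify_userpassword "${line#"userPassword: "}")" ;;
    esac
  done
}

# Constructed sample: the two entries slapcat printed above, with the admin
# userPassword exactly as the page shows it.
SAMPLE_LDIF='dn: dc=student,dc=lab
objectClass: top
objectClass: dcObject
objectClass: organization
o: student.lab
dc: student

dn: cn=admin,dc=student,dc=lab
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fVdSZDJjRFdRODluNHM='

# Run the audit over the sample; the report goes to stdout.
audit_sample() { printf '%s\n' "$SAMPLE_LDIF" | audit_ldif_passwords; }

audit_sample
```

Run it as `slapcat | sh -c '. ./audit.sh; audit_ldif_passwords'` on the server to get one line per entry that carries a password; for the admin entry above the verdict is crypt-des:weak, which is the signal to reset that password so it is stored under a salted scheme such as {SSHA}.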

To load the LDIF file /var/tmp/ou.ldif, which creates the ou=people and ou=group containers that the entries below live in, slapd is stopped, the file is added offline with slapadd, and slapd is started again (as with slapindex, follow a root-run slapadd with chown -R openldap:openldap /var/lib/ldap):

invoke-rc.d slapd stop
slapadd -c -v -l /var/tmp/ou.ldif
invoke-rc.d slapd start

Next I used ldapsearch to verify that the entry was created:
ldapsearch -x ou=people

# extended LDIF
#
# LDAPv3
# base <dc=student, dc=lab> (default) with scope subtree
# filter: ou=people
# requesting: ALL
#

# People, student.lab
dn: ou=People,dc=student,dc=lab
ou: People
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

User Creation

Next I created a user account, with a private group of the same name and number, by editing /var/tmp/user1.ldif:

vi /var/tmp/user1.ldif

dn: cn=mirko,ou=group,dc=student,dc=lab
cn: mirko
gidNumber: 20000
objectClass: top
objectClass: posixGroup

dn: uid=mirko,ou=people,dc=student,dc=lab
uid: mirko
uidNumber: 20000
gidNumber: 20000
cn: Mirko
sn: Mirko
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/mirko

To load the LDIF file into the server, binding as the admin DN (-x is a simple bind, -W prompts for the admin password, -c carries on past errors):

ldapadd -c -x -D cn=admin,dc=student,dc=lab -W -f /var/tmp/user1.ldif
Enter LDAP Password: PASSWORD

adding new entry “cn=mirko,ou=group,dc=student,dc=lab”

adding new entry “uid=mirko,ou=people,dc=student,dc=lab”

Now to define the new user's password (ldappasswd -S prompts for it; over the plain ldap:// URI used here both this password and the admin bind password cross the network unencrypted, so run this on the server itself or put TLS in place first):
ldappasswd -x -D cn=admin,dc=student,dc=lab -W -S uid=mirko,ou=people,dc=student,dc=lab

New password: NEW USER PASSWORD

Re-enter new password: NEW USER PASSWORD

Enter LDAP Password: ADMIN PASSWORD

Next I verified that the account is set up:
ldapsearch -x uid=mirko

# extended LDIF
#
# LDAPv3
# base <dc=student, dc=lab> (default) with scope subtree
# filter: uid=mirko
# requesting: ALL
#

# mirko, people, student.lab
dn: uid=mirko,ou=people,dc=student,dc=lab
uid: mirko
uidNumber: 20000
gidNumber: 20000
cn: Mirko
sn: Mirko
objectClass: top
objectClass: person
objectClass: posixAccount
loginShell: /bin/bash
homeDirectory: /home/mirko

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
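As an added example, not from the original page: the user1.ldif above written as a shell function, with the checks I would want before an entry is loaded (name syntax, a uidNumber outside the local system range, no reuse of an id already in the directory, a permitted login shell). The base DN and the ou=people/ou=group containers are the page's; the dump of existing entries is a constructed sample, and the list of allowed shells is an assumption of the example. Its output is what you pipe into ldapadd as above, after which the password is set with ldappasswd:

```shell
#!/bin/sh
# Added example, not part of the original page: generate the LDIF for a new
# POSIX account in the same shape as user1.ldif above, after the checks a
# practitioner wants before an entry reaches the directory. The base DN and
# the ou=people / ou=group containers are those used on this page; the dump
# file of existing entries is a constructed sample, and the list of permitted
# login shells is an assumption for the example.
BASE_DN='dc=student,dc=lab'

die() { echo "error: $*" >&2; }

# True if ID already appears as a uidNumber or gidNumber in an LDIF dump
# (e.g. slapcat output), so two accounts never share a numeric id.
id_in_use() { grep -Eq "^(uidNumber|gidNumber): $1\$" "$2"; }

# ldif_posix_user NAME ID DUMPFILE [SHELL]
# Prints a posixGroup plus posixAccount pair for NAME with uidNumber=gidNumber=ID
# (the private-group layout user1.ldif uses), or fails with a reason on stderr.
ldif_posix_user() {
  name=$1 id=$2 dump=$3 shell=${4:-/bin/bash}
  # POSIX user name: a letter or '_' first, then letters, digits, '_' or '-'.
  if ! printf '%s' "$name" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'; then
    die "bad user name: $name"; return 1
  fi
  # Numeric, above the local system range (0-999) and below nobody (65534):
  # with nsswitch "files ldap", a clash would let a directory account own the
  # files of a local system account.
  case $id in *[!0-9]*|'') die "uidNumber must be numeric: $id"; return 1 ;; esac
  if [ "$id" -lt 1000 ] || [ "$id" -ge 65534 ]; then
    die "uidNumber $id outside 1000-65533"; return 1
  fi
  if [ -f "$dump" ] && id_in_use "$id" "$dump"; then
    die "id $id already used in $dump"; return 1
  fi
  case $shell in
    /bin/bash|/bin/sh|/bin/false|/usr/sbin/nologin) ;;   # assumed allow-list
    *) die "shell not allowed: $shell"; return 1 ;;
  esac
  cat <<EOF
dn: cn=$name,ou=group,$BASE_DN
cn: $name
gidNumber: $id
objectClass: top
objectClass: posixGroup

dn: uid=$name,ou=people,$BASE_DN
uid: $name
uidNumber: $id
gidNumber: $id
cn: $name
sn: $name
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: $shell
homeDirectory: /home/$name
EOF
}

# Constructed sample dump: the mirko entry created above. Prints the path.
build_sample_dump() {
  f=$(mktemp)
  printf 'dn: uid=mirko,ou=people,%s\nuid: mirko\nuidNumber: 20000\ngidNumber: 20000\n' "$BASE_DN" > "$f"
  echo "$f"
}

dump=$(build_sample_dump)
ldif_posix_user alice 20001 "$dump"                  # prints the two entries for alice
ldif_posix_user mirko 20000 "$dump" || echo "refused"  # 20000 is already taken
rm -f "$dump"
```

On the server the dump argument would be a fresh `slapcat` output; the generated LDIF goes to `ldapadd -c -x -D cn=admin,dc=student,dc=lab -W`, and the password is then set with ldappasswd exactly as above, so no cleartext password ever appears in the LDIF file.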

NSS configuration

To let the system see LDAP accounts, install libnss-ldap (nscd, the name-service cache, goes in alongside it):
apt-get install libnss-ldap nscd

Debconf answers (the libpam-ldap prompts may appear during this same install; see the PAM section below):

LDAP server URI: ldap://10.80.3.14/

Distinguished name of the search base: dc=student,dc=lab

LDAP version to use: 3

Does the LDAP database require login? No

Special LDAP privileges for root? No

Make the configuration file readable/writeable by its owner only? No

Allow LDAP admin account to behave like local root? Yes

Make local root Database admin? No

Does the LDAP database require login? No

LDAP administrative account: cn=admin,dc=student,dc=lab (the admin DN created when slapd was installed)

LDAP administrative password: PASSWORD

Local crypt to use when changing passwords: md5

Answering Yes to "Allow LDAP admin account to behave like local root?" stores the admin password in /etc/pam_ldap.secret (root-only, mode 0600) and gives root on that machine full write access to the directory; on the clients, No is the least-privilege answer.

To configure the NSS module further:

vi /etc/libnss-ldap.conf

base dc=student,dc=lab
uri ldap://10.80.3.14

Finally, to activate the LDAP NSS module:

vi /etc/nsswitch.conf

and make the passwd and group lines read as follows (files stays first so local accounts, root included, keep working if the LDAP server is unreachable):

passwd: files ldap
group: files ldap

PAM configuration

The final step in this article is integrating LDAP into the system authentication procedure.
Install and configure libpam-ldap. (You might have already done this step automatically during the libnss-ldap installation; in that case Debian will just report that the package is already installed.)

apt-get install libpam-ldap

Make local root Database admin? No

Does the LDAP database require login? No

Local crypt to use when changing passwords: md5

To configure the PAM module:

vi /etc/pam_ldap.conf

base dc=student,dc=lab
uri ldap://10.80.3.14

vi /etc/pam.d/common-account

Make sure these lines are included:

account sufficient pam_unix.so
account required pam_ldap.so

# Enable if using Kerberos:
#account required pam_krb5.so

vi /etc/pam.d/common-auth

Make sure these lines are included:

# Disable the three lines if using Kerberos:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so

# Enable the three lines if using Kerberos:
#auth sufficient pam_unix.so nullok_secure
#auth sufficient pam_krb5.so use_first_pass
#auth required pam_deny.so

Here pam_unix is tried first: success skips the pam_ldap line, failure is ignored and the same password is handed to pam_ldap (use_first_pass), which must then succeed. nullok_secure lets a local account with an empty password field log in from a tty listed in /etc/securetty; drop it unless that is wanted.

vi /etc/pam.d/common-password

Make sure these lines are included:

password sufficient pam_unix.so nullok obscure md5

# Disable if using Kerberos:
password required pam_ldap.so use_first_pass

# Enable if using Kerberos:
#password required pam_krb5.so use_first_pass

md5 here selects MD5-crypt for the local hashes; pam_unix on later releases accepts sha512, which is the better choice.

vi /etc/pam.d/common-session

Make sure these lines are included:

session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

# Enable if using Kerberos:
#session optional pam_krb5.so minimum_uid=1000

pam_mkhomedir creates the home directory on first login; umask=0022 makes it world-readable, so use umask=0077 unless home directories are meant to be shared.
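As an added example (not part of the original page): a small audit of the client configuration from this section. It builds a scratch copy of the pam_ldap.conf, libnss-ldap.conf and common-* files as given above (constructed sample input) and reports the settings a practitioner would tighten: the cleartext ldap:// URI, nullok, md5, the 0022 umask, and a world-readable pam_ldap.secret. The rootbinddn line and the pam_ldap.secret file are what answering Yes to "Allow LDAP admin account to behave like local root?" produces on Debian; the secret file's mode is set to 0644 deliberately for the demonstration:

```shell
#!/bin/sh
# Added example, not part of the original page: audit a copy of the LDAP client
# configuration described above (pam_ldap.conf, libnss-ldap.conf and the
# pam.d/common-* files) for settings worth tightening. It works on a directory
# laid out like /etc so it can be pointed at a scratch copy. The sample the
# script builds is constructed from the values on this page; the rootbinddn
# line and the pam_ldap.secret file are what answering "Yes" to "Allow LDAP
# admin account to behave like local root?" produces on Debian.

# Print one "FINDING: ..." line per weak setting found under directory $1.
audit_ldap_client_config() {
  dir=$1
  for f in "$dir/pam_ldap.conf" "$dir/libnss-ldap.conf"; do
    [ -f "$f" ] || continue
    # A plain ldap:// URI with no "ssl start_tls" means every simple bind,
    # including the password pam_ldap forwards at each login, is sent in clear.
    if grep -Eq '^uri[[:space:]]+ldap://' "$f" && ! grep -Eq '^ssl[[:space:]]+start_tls' "$f"; then
      echo "FINDING: $f uses cleartext ldap:// without ssl start_tls"
    fi
  done
  # rootbinddn makes local root bind as the directory admin; that password is
  # kept in pam_ldap.secret, which must exist and be readable by root only.
  if [ -f "$dir/pam_ldap.conf" ] && grep -Eq '^rootbinddn' "$dir/pam_ldap.conf"; then
    s=$dir/pam_ldap.secret
    if [ ! -f "$s" ]; then
      echo "FINDING: rootbinddn is set but $s is missing"
    elif [ "$(ls -ld "$s" | cut -c8)" = r ]; then   # column 8 of ls -l is "other: read"
      echo "FINDING: $s (LDAP admin password) is world-readable"
    fi
  fi
  # nullok / nullok_secure let an account with an empty password field log in
  # (nullok_secure: only from a tty listed in /etc/securetty).
  if [ -f "$dir/pam.d/common-auth" ] && grep -Eq '^auth.*pam_unix\.so.*nullok' "$dir/pam.d/common-auth"; then
    echo "FINDING: common-auth permits empty passwords (nullok/nullok_secure)"
  fi
  # md5 selects MD5-crypt for local hashes, which is fast to brute-force.
  if [ -f "$dir/pam.d/common-password" ] && grep -Eq '^password.*pam_unix\.so.*[[:space:]]md5([[:space:]]|$)' "$dir/pam.d/common-password"; then
    echo "FINDING: common-password hashes local passwords with md5 (prefer sha512)"
  fi
  # umask=0022 makes every home directory pam_mkhomedir creates world-readable.
  if [ -f "$dir/pam.d/common-session" ] && grep -Eq '^session.*pam_mkhomedir\.so.*umask=0022' "$dir/pam.d/common-session"; then
    echo "FINDING: pam_mkhomedir creates world-readable homes (umask=0022, prefer 0077)"
  fi
}

# Number of findings for a directory, for a quick pass/fail.
count_findings() { audit_ldap_client_config "$1" | grep -c '^FINDING'; }

# Constructed sample: the configuration from this page in a scratch directory.
# Prints the directory path.
build_sample_config() {
  d=$(mktemp -d)
  mkdir -p "$d/pam.d"
  printf 'base dc=student,dc=lab\nuri ldap://10.80.3.14\nrootbinddn cn=admin,dc=student,dc=lab\n' > "$d/pam_ldap.conf"
  printf 'base dc=student,dc=lab\nuri ldap://10.80.3.14\n' > "$d/libnss-ldap.conf"
  printf 'PASSWORD\n' > "$d/pam_ldap.secret"
  chmod 644 "$d/pam_ldap.secret"           # deliberately wrong for the demo; must be 600
  printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
    'auth required pam_ldap.so use_first_pass' 'auth required pam_permit.so' > "$d/pam.d/common-auth"
  printf '%s\n' 'password sufficient pam_unix.so nullok obscure md5' \
    'password required pam_ldap.so use_first_pass' > "$d/pam.d/common-password"
  printf '%s\n' 'session required pam_unix.so' \
    'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' > "$d/pam.d/common-session"
  echo "$d"
}

sample=$(build_sample_config)
audit_ldap_client_config "$sample"
echo "findings: $(count_findings "$sample")"
rm -rf "$sample"
```

Pointed at a real machine (`audit_ldap_client_config /etc`) the same six checks apply; fixing the secret-file mode alone drops the count by one, while the ldap:// findings only go away once `ssl start_tls` (and a CA certificate) is configured on both the server and the clients.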

Client Configuration

These commands need to run on both clients (the Debian package names are libnss-ldap and libpam-ldap; the variants pam_ldap, libnss_ldap and pam-ldap do not exist):

apt-get install libnss-ldap libpam-ldap

Answer the debconf prompts as on the server. After that, to save time and reduce typos, I copied these files from vm14 over to vm15 and vm16:

/etc/nsswitch.conf
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session

Log in to vm14 and run the following (the destination needs the colon and target directory; without them scp just writes a local file named after the host):

scp /etc/pam.d/common-* root@vm15.student.lab:/etc/pam.d/
scp /etc/nsswitch.conf root@vm15.student.lab:/etc/
scp /etc/pam.d/common-* root@vm16.student.lab:/etc/pam.d/
scp /etc/nsswitch.conf root@vm16.student.lab:/etc/

This finishes the LDAP install; next comes the Kerberos install.


user/jbrant/csit1320/ldap_install.txt · Last modified: 2010/05/15 07:12 by jbrant