Differences

This shows you the differences between two versions of the page.

--- user:jbrant:csit1320:ldap_install [2010/05/13 18:44] – jbrant
+++ user:jbrant:csit1320:ldap_install [2010/05/15 11:12] (current) – jbrant
@@ Line 1: / Line 1: @@
+The document that I followed to install ldap and kerbrouce sugested that I setup log monitoring so that is thee first thing I did was:
+cd /var/log; tail -F daemon.log user.log auth.log debug kern.log syslog dmesg messages kerberos/{krb5kdc,kadmin,krb5lib}.log
+My system was set up with three servers, one system where the ldap and Kerbrose Application was installed and two cleint systems:
+  *vm14.student.lab	 	 Application server 	ip 10.88.3.14
+  *vm15.student.lab		 Client system   	ip 10.88.3.15
+  *vm16.student.lab	         Client system  	ip 10.88.3.16
+Next I needed to setup the host files on each system. \\
+Host file for vm14:
+.80.3.14       vm14.student.lab vm14 #ldap server \\
+.80.3.15      vm15.student.lab vm15  #client \\
+.80.3.16    vm16.student.lab vm16  #client
+Host file for vm15:
+.80.3.14      vm14.student.lab  vm14 afs1     #ldap server \\
+.80.3.15      vm15.student.lab  vm15  #client
+Host file for vm16:
+.80.3.14      vm14.student.lab vm14 afs1  #ldap server \\
+.80.3.16      vm16.student.lab vm16  #client
+Log on to vm14.student.lab \\
+NOTE from this point on all entries will be shown in **Bold** and where you see //PASSWORD// enter a password of your choosing.
+====== Server installation ======
+The process that I followed sugested that the server compnent to install is called slapd
+apt-get install slapd ldap-utils
+Debconf answers for reference:\\
+Omit OpenLDAP server configuration? **No**
+DNS domain name: **student.lab**
+Organization name? **student.lab**
+Administrator password: //PASSWORD//
+Confirm password: //PASSWORD//
+Database backend to use: **HDB**
+Do you want the database to be removed when slapd is purged? **No**
+Allow LDAPv2 protocol? **No**
+Enable the following two lines in /etc/ldap/ldap.conf, create the file if necessary:\\
+%%//BASE dc=student, dc=lab// %% \\
+%%//URI ldap://10.80.3.14// %%
+====== Server Configuration ======
+Then, let's edit the server's configuration file in /etc/ldap/slapd.conf to tune its behavior. \\
+Make sure all the schema files are enabled:
+**include /etc/ldap/schema/core.schema** \\
+**include /etc/ldap/schema/cosine.schema** \\
+**include /etc/ldap/schema/nis.schema** \\
+**include /etc/ldap/schema/inetorgperson.schema**
+Change the verbosity level from 0 or “none” to 256:
+**loglevel 256**
+Search for line “index objectClass eq” and add the second line below
+index objectClass eq \\
+**index uid eq**
+To apply the new index option, run the following commands:
+**invoke-rc.d slapd stop** \\
+**slapindex** \\
+**chown -R openldap:openldap /var/lib/ldap** \\
+**invoke-rc.d slapd start** \\
+**Initial test using ldapsearch and slapcat**
+**ldapsearch -x**
+# extended LDIF \\
+# \\
+# LDAPv3 \\
+# base <dc=**student**, dc=**lab**> (default) with scope subtree\\
+# filter: (objectclass=*)\\
+# requesting: ALL\\
+#
+# student.lab \\
+dn: dc=student,dc=lab \\
+objectClass: top \\
+objectClass: dcObject \\
+objectClass: organization \\
+o: student.lab \\
+dc: student
+# admin, student.lab \\
+dn: cn=admin,dc=student,dc=lab \\
+objectClass: simpleSecurityObject \\
+objectClass: organizationalRole \\
+cn: admin \\
+description: LDAP administrator
+# search result \\
+search: 2 \\
+result: 0 Success
+# numResponses: 3 \\
+# numEntries: 2
+**slapcat**
+dn: dc=student,dc=lab \\
+objectClass: top \\
+objectClass: dcObject \\
+objectClass: organization \\
+o: student.lab \\
+dc: student \\
+structuralObjectClass: organization \\
+etc …
+dn: cn=admin,dc=student,dc=lab \\
+objectClass: simpleSecurityObject \\
+objectClass: organizationalRole \\
+cn: admin \\
+description: LDAP administrator \\
+userPassword:: e2NyeXB0fVdSZDJjRFdRODluNHM= \\
+structuralObjectClass: organizationalRole \\
+entryUUID: 350b330a-87d3-102c-8c1d-1ffeac40db98 \\
+creatorsName: \\
+restarting
+To load the LDIF file into the server \\
+**Invoke-rc.d slapd stop** \\
+**slapadd -c -v -l /var/tmp/ou.ldif** \\
+**invoke-rc.d slapd start**
+Next I use ldapsearch to verify the entries have been created.\\
+**ldapsearch -x ou=people**
+# extended LDIF \\
+# \\
+# LDAPv3 \\
+# base <dc=student, dc=lab> (default) with scope subt \\
+# filter: ou=people \\
+# requesting: ALL \\
+#
+# People, student.lab \\
+dn: ou=People,dc=student,dc=lab \\
+ou: People \\
+objectClass: organizationalUnit
+# search result \\
+search: 2 \\
+result: 0 Success
+# numResponses: 2 \\
+# numEntries: 1
+====== User Creation ======
+Next I created a user accounts by editing: /var/tmp/user1.ldif
+**vi /var/tmp/user1.ldif**
+dn: cn=**mirko**,ou=group,dc=**student**,dc=**lab** \\
+cn: **mirko** \\
+gidNumber: **20000** \\
+objectClass: top \\
+objectClass: posixGroup
+dn: uid=**mirko**,ou=people,dc=**student**,dc=**lab** \\
+uid: **mirko** \\
+uidNumber: **20000** \\
+gidNumber: **20000** \\
+cn: **Mirko** \\
+sn: **Mirko** \\
+objectClass: top \\
+objectClass: person \\
+objectClass: posixAccount \\
+objectClass: shadowAccount \\
+loginShell: /bin/bash \\
+homeDirectory: /home/**mirko** \\
+To load the LDIF file into the server: \\
+**ldapadd -c -x -D cn=admin,dc=student,dc=lab -W -f /var/tmp/user1.ldif ** \\
+Enter LDAP Password: //PASSWORD//
+adding new entry “cn=mirko,ou=group,dc=student,dc=lab”
+adding new entry “uid=mirko,ou=people,dc=student,dc=lab”
+Now to define the new user's password: \\
+**ldappasswd -x -D cn=admin,dc=student,dc=lab -W -S uid=mirko,ou=people,dc=student,dc=lab**
+New password: NEW USER //PASSWORD//
+Re-enter new password: NEW USER //PASSWORD//
+Enter LDAP Password: //ADMIN PASSWORD//
+next I verified that the account is setup. \\
+**ldapsearch -x uid=mirko**
+# extended LDIF \\
+# \\
+# LDAPv3 \\
+# base <dc=student, dc=lab> (default) with scope subtree \\
+# filter: uid=mirko \\
+# requesting: ALL
+#
+# mirko, people, student.lab \\
+dn: uid=mirko,ou=people,dc=student,dc=lab \\
+uid: mirko \\
+uidNumber: 20000 \\
+gidNumber: 20000 \\
+cn: Mirko \\
+sn: Mirko \\
+objectClass: top \\
+objectClass: person \\
+objectClass: posixAccount \\
+loginShell: /bin/bash \\
+homeDirectory: /home/mirko
+# search result \\
+search: 2 \\
+result: 0 Success
+# numResponses: 2 \\
+# numEntries: 1
+====== NSS configuration ======
+To enable the system see LDAP accounts, we need to install libnss-ldap \\
+**apt-get install libnss-ldap nscd**
+LDAP server URI: %%ldap://%% **10.80.3.14 /**
+Distinguished name of the search base: **dc=student,dc=lab**
+LDAP version to use: **3**
+Does the LDAP database require login? **No**
+Special LDAP privileges for root? **No** \\
+Make the configuration file readable/writeable by its owner only? **No** \\
+Allow LDAP admin account to behave like local root? **Yes**
+Make local root Database admin. **No**
+Does the LDAP database require login? **No**
+LDAP administrative account: **cn=admin,dc=h15,dc=ri**
+LDAP administrative password: //PASSWORD//
+Local crypt to use when changing passwords. **md5**
+To configure the NSS module further:
+**vi /etc/libnss-ldap.conf**
+base **dc=student,dc=lab** \\
+%%uri ldap://%% **10.80.3.14**
+Finally, to activate the LDAP NSS module:
+**vi /etc/nsswitch.conf**
+replacing the following two lines:
+passwd: **files ldap**\\
+group: **files ldap**
+====== PAM configuration ======
+The final step in this article pertains to integrating LDAP into the system authentication procedure. \\
+Let's install and configure libpam-ldap. (You might have already done this step automatically, during libnss-ldap installation — in that case Debian will just report the package is already installed).
+**apt-get install libpam-ldap**
+Make local root Database admin. **No**
+Does the LDAP database require login? **No**
+Local crypt to use when changing passwords. **md5**
+To configure the PAM module:
+**vi /etc/pam_ldap.conf.**
+base **dc=student,dc=lab**
+%%uri ldap: //%%**10.80.3.14** \\
+**vi /etc/pam.d/common-account** \\
+need to make sure these line are included
+**account sufficient pam_unix.so** \\
+**account required pam_ldap.so**
+# Enable if using Kerberos: #account required pam_krb5.so
+**vi /etc/pam.d/common-auth**
+need to make sure these line are included
+# Disable the three lines if using Kerberos:  \\
+**auth [success=1 default=ignore] pam_unix.so nullok_secure**
+**auth required pam_ldap.so use_first_pass**
+**auth required pam_permit.so**
+# Enable the three lines if using Kerberos:
+#auth sufficient pam_unix.so nullok_secure
+#auth sufficient pam_krb5.so use_first_pass
+#auth required pam_deny.so
+**vi /etc/pam.d/common-password**
+need to make sure these lines are included
+password sufficient pam_unix.so nullok obscure md5
+#Disable if using Kerberos:
+#password required pam_ldap.so use_first_pass
+#Enable if using Kerberos:
+password required pam_krb5.so use_first_pass
+/etc/pam.d/common-session
+session required pam_unix.so
+session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
+# Enable if using Kerberos:
+session optional pam_krb5.so minimum_uid=1000
+====== Client Configuration ======
+These commands need to run on both clients\\
+**apt_get install pam_ldap libnss_ldap** \\
+**apt-get install pam_ldap libnss_ldap** \\
+**apt-get install pam-ldap libnss-ldap** \\
+**apt-get install libpam-ldap**
+After that to save time and reduce typos I scp these files over to vm15 and vm16 from vm14
+/etc/nsswitch.conf \\
+/etc/pam.d/common-account\\
+/etc/pam.d/ common-auth \\
+/etc/pam.d/common-password \\
+/etc/pam.d/common-session
+log in to vm14 and do a:
+scp /etc/pam.d/common* root@vm15.student.lab \\
+scp /etc/pam.d/common* root@vm16.student.lab
+This finishes the LDAP install next comes the Kerberos install.
+==== Refrance: ====
+http://techpubs.spinlocksolutions.com/dklar/ldap.html

Lab46 Wiki

User Tools

Site Tools

Differences

Page Tools