sRm3tA

ppt.cc/fVjECx ppt.cc/fEnHsx ppt.cc/fRZTnx ppt.cc/fSZ3cx ppt.cc/fLOuCx ppt.cc/fE9Nux ppt.cc/fL5Kyx ppt.cc/fIr1ax ppt.cc/f71Yqx tecmint.com linuxcool.com linux.die.net linux.it.net.cn ostechnix.com unix.com ubuntugeek.com runoob.com man.linuxde.net bit.ly/2EzoUDo bit.ly/2tW6eYT bit.ly/2X6vadl bit.ly/2viLpHU linuxprobe.com linuxtechi.com howtoforge.com linuxstory.org systutorials.com ghacks.net linuxopsys.com v.gd/2P9wTx v.gd/FtfpqE v.gd/eMfHsm v.gd/Ub7mqv v.gd/RReVk0 v.gd/vS3uTI v.gd/4Zxmba

Wednesday, 15 November 2017

Setting up OpenLDAP server with OpenSSH-LPK on Ubuntu 14.04

This post documents how to set up a secure OpenLDAP server that is able to make OpenLDAP client servers accept authorized SSH access requests from users. The following steps assume the OpenLDAP server (slapd) and phpLDAPadmin are installed as referenced in the initial setup.

Instructions and references

Initial setup
OpenSSH-LPK and ssh-ldap-pubkey (on LDAP clients)
Force authentication
Secure LDAP with SSL/TLS

Understanding cn=config (LDAP database)

The default installation of OpenLDAP in recent versions of Ubuntu uses the new runtime configuration (RTC) system or olc (OpenLDAP Configuration). This installation uses cn=config (the LDAP database) for configuration rather than the old style slapd.conf.

Schemas

The schemas can be imported dynamically into cn=config database, without restarting slapd. The schemas to be imported can placed in /etc/ldap/schema.

The following schema in ldif format will be used and discussed in the subsequent sections:

openssh-lpk.ldif
ldap_disable_bind_anon.ldif
ssl.ldif

Importing openssh-lpk scheme

ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-lpk.ldif

where openssh-lpk.ldif is:

dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
  DESC 'MANDATORY: OpenSSH Public key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
  DESC 'MANDATORY: OpenSSH LPK objectclass'
  MAY ( sshPublicKey $ uid )
  )

Forcing authentication

By default, OpenLDAP allows anonymous query from any client servers. You may want to enable authentication so that only authenticated clients are able to query the server:

ldapadd -Y EXTERNAL -H ldapi:/// -f ldap_disable_bind_anon.ldif

where ldap_disable_bind_anon.ldif is:

dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

Securing LDAP with TLS

Install the package that provides certtool:
```
apt-get install gnutls-bin
```

Generate new certificate (self-signed) and key:

mkdir -p /etc/ldap/gnutls
cd  /etc/ldap/gnutls
certtool --generate-self-signed --load-privkey ldap.gnutls.key --outfile ldap.gnutls.crt

Fix permission of private key:

chmod +r /etc/ldap/gnutls/ldap.gnutls.key

Importing SSL schema

ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif

where ssl.ldif is:

dn: cn=config
changetype: Modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/gnutls/ldap.gnutls.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/gnutls/ldap.gnutls.crt
-
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

Enabling LDAPS

By default, only ldap and ldapi (Unix domain socket) are enabled. Make ldaplisten to only 127.0.0.1 and keep the latter so that you can run ldap utilty commands against ldapi:/// without providing credentials if working on the same server.

Edit /etc/default/slapd and ensure the following line:

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"

Configuring /etc/ldap/ldap.conf

Edit /etc/ldap/ldap.conf and add the following line:

TLS_REQCERT never

Testing the above LDAPS config

ldapsearch -d 9 -D "cn=Bob,ou=users,dc=example,dc=com" \
 -w password -b "dc=example,dc=com" -H "ldaps://ldap.example.org" "objectClass=*"

Customizing phpLDAPadmin config and templates

You can customize template configurations (/etc/phpldapadmin/config.php).

For example, change the base uid and gid to a greater value:

$servers->setValue('auto_number','min',array('uidNumber'=>3000,'gidNumber'=>3000));

Add

$config->custom->appearance['theme'] = 'tango';

You can also customize templates for various components, for example, POSIX account:

/etc/phpldapadmin/templates/creation/posixAccount.xml

Customize themes and styles:

/usr/share/phpldapadmin/lib/page.php
/usr/share/phpldapadmin/htdocs/css/tango/style.css

Adding a user with SSH public key in phpLDAPadmin

First, create a user with the “Generic: User Account” template. Then, go to the “objectClass” attribute section, click “add value”, and choose the “ldapPublicKey” attribute. After you submit, go back to the user edit page, click “Add new attribute” on the top part, and choose “sshPublicKey”, paste the public key into the text area, and finally click “Update Object”.

----------------

Setting up OpenLDAP client with SSH access on Ubuntu 14.04

This post documents how to set up an OpenLDAP client server (Ubuntu 14.04) that can make its OpenSSH server to load authorized keys from a pre-configured OpenLDAP server with ldaps:// available (discussed in the above post, please read this first if you haven’t). Users are able to SSH access this client server, while their SSH public keys are stored on the OpenLDAP server. The SSH authentication process on the client server is mainly facilitated by ssh-ldap-pubkey.

Install packages

apt-get -y install libpam-ldap nscd ldap-utils
apt-get -y install python-pip python-ldap
# https://github.com/jirutka/ssh-ldap-pubkey
pip install ssh-ldap-pubkey

Configure SSH server

Add the following lines to /etc/ssh/sshd_config:

AuthorizedKeysCommand /usr/local/bin/ssh-ldap-pubkey-wrapper
AuthorizedKeysCommandUser nobody

Restart SSH server
```
service ssh restart
```

Configure PAM

Edit /etc/ldap.conf:

uri ldaps://ldap.example.com
binddn cn=OpenLDAP Client,ou=users,dc=example,dc=com
bindpw password

Edit /etc/pam.d/common-auth and add the following line:
```
account required    pam_access.so
```
Edit /etc/pam.d/common-password and remove use_authtok parameter

Edit /etc/pam.d/common-session and add the following line:

session required    pam_mkhomedir.so skel=/etc/skel umask=0022

Configure NSS, login access control and sudo

Edit /etc/nsswitch.conf:

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Edit /etc/security/access.conf, replace ldap-team with actual group name:
```
- : ALL EXCEPT root (admin) (wheel) (ldap-team): ALL EXCEPT LOCAL
```
Edit /etc/sudoers using visudo command and add the following lines. Replace ldap-team with actual group name:
```
%ldap-team ALL=(ALL) ALL
```
Restart nscd
```
service nscd restart
```
```
附录：setup-ldap-client.sh:
```

#!/bin/bash
# vim: softtabstop=4 shiftwidth=4 expandtab fenc=utf-8 spell spelllang=en cc=120

set -e

# Check Ubuntu release
[ "$(lsb_release -sc)" = "trusty" ] || {
    echo 'This script should be run on Ubuntu 14.04.' >&2
    exit 1
}

# LDAP group name of team members to be granted access on this server,
LDAP_TEAM_NAME=$1
LDAP_BASE="dc=example,dc=com"
LDAP_URI="ldaps://ldap.example.com"
LDAP_BINDDN="cn=OpenLDAP Client,ou=users,dc=example,dc=com"
LDAP_BINDPW="password"

USAGE="usage: ./$(basename $0) LDAP_TEAM_NAME"

# Check required positional parameters
[ $# -ne 1 ] && {
    echo "$USAGE" >&2
    exit 1
}
# Install required packages
export DEBIAN_FRONTEND=noninteractive
# The following command will implicitly install libnss-ldap
apt-get -y install libpam-ldap nscd ldap-utils
apt-get -y install python-pip python-ldap
pip install ssh-ldap-pubkey

# Configure SSH server
grep 'AuthorizedKeysCommand' /etc/ssh/sshd_config > /dev/null || {
    cat >> /etc/ssh/sshd_config <<EOF
AuthorizedKeysCommand /usr/local/bin/ssh-ldap-pubkey-wrapper
AuthorizedKeysCommandUser nobody
EOF
}

# Restart SSH server
service ssh restart

# Edit /etc/ldap.conf
mv /etc/ldap.conf /etc/ldap.conf.bak
cat > /etc/ldap.conf <<EOF
base $LDAP_BASE
uri $LDAP_URI
ldap_version 3
binddn $LDAP_BINDDN
bindpw $LDAP_BINDPW
pam_password md5
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,pollinate,proxy,root,sshd,sync,sys,syslog,uucp,www-data
bind_timelimit 3
timelimit 3
EOF

# Edit /etc/ldap/ldap.conf
cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.bak
grep 'TLS_REQCERT' /etc/ldap/ldap.conf > /dev/null || {
    cat >> /etc/ldap/ldap.conf <<EOF
TLS_REQCERT     never
EOF
}

# Configure PAM
# Add pam_access.so
grep 'pam_access.so' /etc/pam.d/common-auth > /dev/null || {
    cat >> /etc/pam.d/common-auth <<EOF
account required    pam_access.so
EOF
}

# Remove use_authtok from /etc/pam.d/common-password
sed -i -r 's/(.*)(use_authtok)(.*)/\1\3/g' /etc/pam.d/common-password

# Add pam_mkhomedir.so
grep 'pam_mkhomedir.so' /etc/pam.d/common-session > /dev/null || {
    cat >> /etc/pam.d/common-session <<EOF
session required    pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
}

# Configure NSS
sed -i -r 's/(^passwd:)(\s+)(.*)/\1\2compat ldap/' /etc/nsswitch.conf
sed -i -r 's/(^group:)(\s+)(.*)/\1\2compat ldap/' /etc/nsswitch.conf
sed -i -r 's/(^shadow:)(\s+)(.*)/\1\2compat ldap/' /etc/nsswitch.conf

# Edit /etc/security/access.conf
grep -- '^- : ALL EXCEPT root' /etc/security/access.conf > /dev/null || {
    cat >> /etc/security/access.conf <<EOF
+ : ($LDAP_TEAM_NAME) : ALL
- : ALL EXCEPT root (admin) (wheel) : ALL EXCEPT LOCAL
EOF
}

# Edit /etc/sudoers
grep -F -- "%$LDAP_TEAM_NAME" /etc/sudoers > /dev/null || {
    cat >> /etc/sudoers <<EOF
%$LDAP_TEAM_NAME ALL=(ALL) ALL
EOF
}

# Restart nscd
service nscd restart
----------------------------------


Setting up nss-ldapd on Ubuntu 14.04

The last few posts discussed ‘setting up an OpenLDAP server’ and ‘configuring basic client server’. However, that client server uses nss-ldap with some known issues as presented here. With this old and seemingly buggy setup, I simply can’t make nss_initgroups_ignoreuses option work to bypass querying the LDAP server when authenticating local or system users on the server, and have no idea what nssldap-update-ignoreusers command actually does. When the LDAP server is down or there is network issues connecting the LDAP server, the default configuration will simply block local users from logging in the server (at least for a long time until the query is considered timed out). Also, as I found after checking /var/log/auth.log, it queries the LDAP server even when doing a Bash completion, because it was very slow when I pressed the TAB key after a path name. Setting bind_policy option to soft and timelimit and bind_timelimit to smaller values may just alleviate the symptom but does not solve the problem.

So I decide to use nss-ldapd that comes with the libnss-ldapd package.


apt-get install libpam-ldap nscd ldap-utils libnss-ldapd




Running the above command will automatically remove the libnss-ldap package and prompt interacive post-install steps for you to configure the LDAP parameters. You can disable this interactive behavior and directly place your config in /etc/nslcd.conf with the following command:


export DEBIAN_FRONTEND=noninteractive
apt-get -y install libpam-ldap nscd ldap-utils libnss-ldapd




Then, put your config in /etc/nslcd.conf:


uid nslcd
gid nslcd
uri ldaps://ldap.example.com
base dc=example,dc=com
binddn cn=OpenLDAP Client,ou=users,dc=example,dc=com
bindpw password
tls_reqcert never
nss_initgroups_ignoreusers ALLLOCAL
bind_timelimit 3
timelimit 3




The last line nss_initgroups_ignoreusers ALLLOCAL prevents group membership lookups through LDAP for all local users.

The remaining settings for PAM, sudoers and access.conf are essentially the same as the old nss-ldap setup. Just make sure to restart the LDAP nameservice daemon, nslcd, after making changes to /etc/nslcd.conf:


service nslcd restart




If nscd cache daemon is also enabled and you make some changes to the user from the LDAP, you may want to clear the cache:


nscd --invalidate=passwd
nscd --invalidate=group




The nslcd daemon also has the advantage that it can be easily stopped in order to temporarily disable the LDAP lookup. This makes the management of LDAP access more easy.

Finally, here is the setup script：

```
#!/bin/bash
# vim: softtabstop=4 shiftwidth=4 expandtab fenc=utf-8 spell spelllang=en cc=120

set -e

# Check Ubuntu release
[ "$(lsb_release -sc)" = "trusty" ] || {
    echo 'This script should be run on Ubuntu 14.04.' >&2
    exit 1
}

# LDAP group name of team members to be granted access on this server,
LDAP_TEAM_NAME=$1
LDAP_BASE="dc=example,dc=com"
LDAP_URI="ldaps://ldap.example.com"
LDAP_BINDDN="cn=OpenLDAP Client,ou=users,dc=example,dc=com"
LDAP_BINDPW="password"

USAGE="usage: ./$(basename $0) LDAP_TEAM_NAME"

# Check required positional parameters
[ $# -ne 1 ] && {
    echo "$USAGE" >&2
    exit 1
}
# Install required packages
export DEBIAN_FRONTEND=noninteractive
apt-get -y install libpam-ldap nscd ldap-utils libnss-ldapd
apt-get -y install python-pip python-ldap
pip install ssh-ldap-pubkey

# Configure SSH server
grep 'AuthorizedKeysCommand' /etc/ssh/sshd_config > /dev/null || {
    cat >> /etc/ssh/sshd_config <<EOF
AuthorizedKeysCommand /usr/local/bin/ssh-ldap-pubkey-wrapper
AuthorizedKeysCommandUser nobody
EOF
}

# Restart SSH server
service ssh restart

# Edit /etc/ldap.conf
# If using nss-ldapd, /etc/ldap.conf will be not used by nslcd. However, it is
# still read by /usr/local/bin/ssh-ldap-pubkey-wrapper to authorize SSH users
mv /etc/ldap.conf /etc/ldap.conf.bak
cat > /etc/ldap.conf <<EOF
base $LDAP_BASE
uri $LDAP_URI
ldap_version 3
binddn $LDAP_BINDDN
bindpw $LDAP_BINDPW
pam_password md5
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,pollinate,proxy,root,sshd,sync,sys,syslog,uucp,www-data
bind_timelimit 3
timelimit 3
EOF

cat > /etc/nslcd.conf <<EOF
uid nslcd
gid nslcd
uri $LDAP_URI
base $LDAP_BASE
binddn $LDAP_BINDDN
bindpw $LDAP_BINDPW
tls_reqcert never
nss_initgroups_ignoreusers ALLLOCAL
bind_timelimit 3
timelimit 3
reconnect_retrytime 3
EOF

# Edit /etc/ldap/ldap.conf
cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.bak
grep 'TLS_REQCERT' /etc/ldap/ldap.conf > /dev/null || {
    cat >> /etc/ldap/ldap.conf <<EOF
TLS_REQCERT     never
EOF
}

# Configure PAM
# Add pam_access.so
grep 'pam_access.so' /etc/pam.d/common-auth  > /dev/null || {
    cat >> /etc/pam.d/common-auth <<EOF
account required    pam_access.so
EOF
}

# Remove use_authtok from /etc/pam.d/common-password
sed -i -r 's/(.*)(use_authtok)(.*)/\1\3/g' /etc/pam.d/common-password

# Add pam_mkhomedir.so
grep 'pam_mkhomedir.so' /etc/pam.d/common-session > /dev/null || {
    cat >> /etc/pam.d/common-session <<EOF
session required    pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
}

# Configure NSS
sed -i -r 's/(^passwd:)(\s+)(.*)/\1\2compat ldap/' /etc/nsswitch.conf
sed -i -r 's/(^group:)(\s+)(.*)/\1\2compat ldap/' /etc/nsswitch.conf
sed -i -r 's/(^shadow:)(\s+)(.*)/\1\2compat ldap/' /etc/nsswitch.conf

# Edit /etc/security/access.conf
grep -- '^- : ALL EXCEPT root' /etc/security/access.conf > /dev/null || {
    cat >> /etc/security/access.conf <<EOF
+ : ($LDAP_TEAM_NAME) : ALL    
- : ALL EXCEPT root staging-devops (admin) (wheel) : ALL EXCEPT LOCAL
EOF
}

# Edit /etc/sudoers
grep -F -- "%ldap-admin" /etc/sudoers > /dev/null || {
    cat >> /etc/sudoers <<EOF
%ldap-admin ALL=(ALL) ALL
EOF
}
grep -F -- "%$LDAP_TEAM_NAME" /etc/sudoers > /dev/null || {
    cat >> /etc/sudoers <<EOF
%$LDAP_TEAM_NAME ALL=(ALL) ALL
EOF
}

# Set vim as default editor
echo 3 | update-alternatives --config editor
echo

# Restart nscd
service nscd restart

# Restart nslcd
service nslcd restart
```
```
----------------------------------------
```
在Linux vps,安装OpenLDAP及管理工具phpldapadmin

总结：

先写总结，再写正文，嘿嘿嘿。这还是第一次认真的写个文档，写个总结，哈哈。大概在一个月前，第一次听说这个东西，完全没有概念，刚开始的时候看理论的知识，看了几次之后就没看了，看不懂啊。太抽象了，真的太抽象了。然后就把它晾在一边了，又过了一段时间，想了想，既然知道了这个东西，还是得好好学学，好好了解一下。整个过程是在虚拟机上测试完成，期间遇到了太多太多的坑，一个问题就是好几天。这些只是基础的一些东西，还得好好的看看官方文档，嘿嘿嘿。

最大的收获就是整个学习过程中的解决问题的办法和思想，理论的知识看不懂，没关系，一定要一定要动手去做，有时候看书，觉得挺有理，但是不去动手做，永远都学不会，当你动手做的过程中就慢慢的理解了这个东西是干嘛的；还有一点就是不要怕难，就算一个东西再难，只要肯花时间，肯动手做，一定学的会；还有思考的方式，当你在一个问题是纠结一天了，几天的时候，不要陷进去了，换个方向想想，另一种解决办法马上就出来了。

文档信息

目的：搭建一套完整的OpenLDAP系统，实现账号的统一管理。

1：OpenLDAP服务端的搭建

2：PhpLDAPAdmin的搭建

3：OpenLDAP的打开日志信息

  4：OpenLDAP与migrationtools实现导入系统账号的相关信息

  5：OpenLDAP客户端的配置

6：OpenLDAP与SSH

7：OpenLDAP限制用户登录系统

8：OpenLDAP强制用户一登录系统更改密码

9：OpenLDAP与系统账号结合Samba

10：OpenLDAP的主从

11：OpenLDAP的双主

作       者：李乐

日期：2017-01-09

联系方式：836217653@qq.com

系统环境信息

操作系统：CentOS release 6.7

基础的环境准备：

关闭防火墙：/etc/init.d/iptables stop && chkconfig iptables off

关闭NetworkManager：/etc/init.d/NetworkManager stop && chkconfig NetworkManager off

SeLinux设为disabled：getenforce 是否为Disabled，若不是，则修改：

      1：临时的生效 setenforce 0，再getenforce的时候为permissive

      2：修改配置文件，然后重启 vim /etc/sysconfig/selinux 把SELINUX=disabled

yum源仓库的配置：

      1）mkdir /yum

      2）vim /etc/yum.repos.d/ll.repo

  [local]

name = local

baseurl = file:///yum

gpgcheck = 0

enabled = 1

      3）挂载 mount /mnt/hgfs/软件/CentOS-6.7-x86_64-bin-DVD1to2/CentOS-6.7-x86_64-bin-DVD1.iso /yum -o loop

      4）yum clean all 清除缓存

      5）yum makecache 创建缓存

一：OpenLDAP服务器的搭建

1）安装OpenLDAP的相关

      yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap 其中compat-openldap这个包与主从有很大的关系

安装完后，可以看到自动创建了ldap用户：



可以通过rpm -qa |grep openldap查看安装了哪些包：



2）OpenLDAP的相关配置文件信息

/etc/openldap/slapd.conf：OpenLDAP的主配置文件，记录根域信息，管理员名称，密码，日志，权限等

/etc/openldap/slapd.d/*：这下面是/etc/openldap/slapd.conf配置信息生成的文件，每修改一次配置信息，这里的东西就要重新生成

/etc/openldap/schema/*：OpenLDAP的schema存放的地方

/var/lib/ldap/*：OpenLDAP的数据文件

/usr/share/openldap-servers/slapd.conf.obsolete 模板配置文件

/usr/share/openldap-servers/DB_CONFIG.example 模板数据库配置文件

  OpenLDAP监听的端口：

默认监听端口：389（明文数据传输）

加密监听端口：636（密文数据传输）

3）初始化OpenLDAP的配置

  cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

4）修改配置文件

首先，slappasswd生成密文密码123456，拷贝这个到/etc/openldap/slapd.conf里



这里的rootpw必须顶格写，而且与后面的密码文件用Tab键隔开

修改对应的



5）重新生成配置文件信息文件

先检测/etc/openldap/slapd.conf是否有错误：slaptest -f /etc/openldap/slapd.conf



这里报错是因为在第三步后没有重新生成配置文件，启动slapd。而是直接修改配置文件去了。先启动slapd：/etc/init.d/slapd restart



这里又报错，这是因为没有给/var/lib/ldap授权，授权后chown -R ldap.ldap /var/lib/ldap/，再重启slapd，/etc/init.d/slapd restart，可以看到成功的



接着回到检测/etc/openldap/slapd.conf是否有错误：slaptest -f /etc/openldap/slapd.conf



可以看到没问题，然后重新生成配置文件的配置信息：

先删除最先的配置文件生成的信息：rm -rf /etc/openldap/slapd.d/*

重新生成：slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

查看是否生成的是自己修改的配置文件信息：cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif



授权：chown -R ldap.ldap /etc/openldap/slapd.d/

重启：/etc/init.d/slapd restart

到这里为止，OpenLDAP服务端基本上完成了，我们可以通过PhpLDAPAdmin来登录看一下，那先得安装PhpLDAPAdmin

二：PhpLDAPAdmin的搭建

1）安装EPEL仓库，镜像里没有PhpLDAPAdmin这个的安装包，所以得安装EPEL仓库

rpm -ivh http://mirrors.ukfast.co.uk/sites/dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

yum clean all

yum makecache

2）安装PhpLDAPAdmin

yum install -y phpldapadmin

3）修改phpldapadmin的配置文件，访问控制权限vim /etc/httpd/conf.d/phpldapadmin.conf，允许谁访问

4）修改配置文件：vim /etc/phpldapadmin/config.php

$servers->setValue(‘login’,’attr’,’dn’); 这一行的注释去掉

//$servers->setValue(‘login’,’attr’,’uid’); 这一行注释掉

5）重启httpd服务/etc/init.d/httpd restart

6）在浏览器输入OpenLDAP服务端的IP 10.0.0.138/ldapadmin

7）登录，输入管理员的DN，也就是配置文件里配置的



8）认证，报错

这是因为在第一步搭建OpenLDAP服务端的时候，并没有把管理员的账号信息导入，编辑root.ldif，然后导入

dn: dc=lemon,dc=com

objectclass: dcObject

objectclass: organization

o: Yunzhi,Inc.

dc: lemon

dn: cn=Captain,dc=lemon,dc=com

objectclass: organizationalRole

cn: Captain

这里得注意每一个属性： 后必须有空格，但是值的后面不能有任何空格

然后导入：ldapadd -x -D “cn=Captain,dc=lemon,dc=com” -W -f root.ldif

然后再通过浏览器去访问的话：

也可以通过命令行查询：ldapsearch -x -b “cn=Captain,dc=lemon,dc=com”

到这里，PhpLDAPAdmin搭建完了，接下来，咱们得把日志打开，这样的话好排错，嘿嘿嘿

三：OpenLDAP的打开日志信息

1：现在配置文件里加上日志行，这里的日志级别有很多种，-1的话会记录很多日志信息

vim /etc/openldap/slapd.conf 加上loglevel -1

   这里修改了配置文件，所有得重新生成配置文件的信息

  rm -rf /etc/openldap/slapd.d/*

  slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

  chown -R ldap.ldap /etc/openldap/slapd.d/

2：在 vim /etc/rsyslog.conf加上

local4.* /var/log/slapd/slapd.log



然后重启/etc/init.d/rsyslog restart

3：创建日志文件目录，授权

  mkdir /var/log/slapd

  chmod 755 /var/log/slapd/

  chown ldap.ldap /var/log/slapd/

4：重启slapd服务，/etc/init.d/slapd restart

5：就可以看到日志信息了cat /var/log/slapd/slapd.log

四：OpenLDAP与migrationtools实现导入系统账号的相关信息

1：安装migrationtools

yum -y install migrationtools

2：修改migrationtools的配置文件，在/usr/share/migrationtools/这个目录下有很多migrationtools的文件

vim /usr/share/migrationtools/migrate_common.ph 修改以下的两个地方



3：生成基础的数据文件，可以自己修改这个生成的base.ldif文件，把不需要的去掉

  /usr/share/migrationtools/migrate_base.pl > base.ldif

4：把base.ldif导入OpenLDAP

  ldapadd -x -D “cn=Captain,dc=lemon,dc=com” -W -f base.ldif



这里会报错，我们可以通过-c参数强制加入

导入之后，通过PhpLdapAdmin可以看到已经导入进来了：



5：把系统的用户生成ldif文件

  cd /usr/share/migrationtools

./migrate_passwd.pl /etc/passwd passwd.ldif

./migrate_group.pl /etc/group group.ldif



可以看到生成的文件，然后根据自己需要修改这两个ldif文件：

passwd.ldif只留一个test1测试用户：



group.ldif留对应的test1：

把用户导入进去：ldapadd -x -D “cn=Captain,dc=lemon,dc=com” -W -f passwd.ldif

把组导进去：ldapadd -x -D “cn=Captain,dc=lemon,dc=com” -W -f group.ldif

然后就可以看到：

在这里就已经完成把系统的账号属性导入了OpenLDAP，然后就通过添加OpenLDAP用户，来进行验证，所以得先做好客户端的设置

五：OpenLDAP客户端的配置

1：停掉sssd服务 service sssd stop && chkconfig sssd off

2：安装nslcd服务 yum install nss-pam-ldapd

3：修改vim /etc/nslcd.conf这个配置文件

4：修改vim /etc/pam_ldap.conf



5： vim /etc/pam.d/system-auth 修改，把sss行的注释掉，改成ldap的



6：vim /etc/nsswitch.conf 修改nsswitch.conf配置文件，修改后，默认登录的用户通过本地配置文件进行查找并匹配。当匹配不到用户信息时，会通过后端配置的LDAP认证服务进行匹配

7：vim /etc/sysconfig/authconfig 确保标记的已打开为yes

USESHADOW=yes 启用密码验证

USELDAPAUTH=yes 启用OpenLDAP验证

USELOCAUTHORIZE=yes 启用本地验证

USELDAP=yes 启用LDAP认证协议



8：重启nslcd服务

/etc/init.d/nslcd restart

9：验证，先通过OpenLDAP增加一个用户，在test1的基础上，复制一个test2的条目



后面的根据自己的修改

可以看到已经成功的添加了test2的用户，这是OpenLDAP添加的，在本地是没有的，用cat /etc/passwd 看是没有test2用户的

测试：su – test2

在/etc/pam.d/system-auth配置文件里添加这一行：session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022

重启 /etc/init.d/nslcd restart

在进行测试：就可以了

查看系统用户列表：

服务端查询：ldapsearch -x -b “ou=People,dc=lemon,dc=com” |grep dn

客户端查询：ldapsearch -H ldap://10.0.0.138 -x -b “ou=People,dc=lemon,dc=com” |grep dn

查询单个用户：ldapsearch -x -b “uid=test1,ou=People,dc=lemon,dc=com” |grep dn

客户端的配置到这里ok啦。有账号肯定要能通过ssh登录系统

六：OpenLDAP与SSH

1：vim /etc/ssh/sshd_config

2：vim /etc/pam.d/sshd 用于第一次登陆的账户自动创建家目录

3：vim /etc/pam.d/password-auth

4：重启sshd

七：OpenLDAP限制用户登录系统

在账号中，不能让每个用户都能登录系统，所以要限制用户登录

1：vim /etc/pam.d/sshd 在这里加上pam_access.so模块

2：vim /etc/security/access.conf 这里限制test2用户ssh登录系统

测试：可以看到就只有test2登录不上

八：OpenLDAP强制用户一登录系统更改密码

1：修改配置文件

在前面打开注释

moduleload ppolicy.la

modulepath /usr/lib/openldap

modulepath /usr/lib64/openldap

还要在database config前面加上这两段

access to attrs=userPassword

by self write

by anonymous auth

by dn=”cn=Captain,dc=lemon,dc=com” write

by * none

access to *

by self write

by dn=”cn=Captain,dc=lemon,dc=com” write

by * read

在文件的末尾添加：

overlay ppolicy

ppolicy_default cn=Captain,ou=pwpolicies,dc=lemon,dc=com

2：重新生成配置文件数据库：

[root@lele openldap]# vim /etc/openldap/slapd.conf

[root@lele openldap]# rm -rf /etc/openldap/slapd.d/*

[root@lele openldap]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

config file testing succeeded

[root@lele openldap]# chown -R ldap.ldap /etc/openldap/slapd.d/

[root@lele openldap]# /etc/init.d/slapd restart

Stopping slapd: [ OK ]

Starting slapd: [ OK ]

可以通过配置文件的数据信息看到ppolicy模块已经加进来了

cat /etc/openldap/slapd.d/cn\=config/cn\=module\{0\}.ldif

3：编辑

cat 1.ldif

dn: ou=pwpolicies,dc=lemon,dc=com

objectClass: organizationalUnit

ou: pwpolicies

4：ldapadd -x -D “cn=Captain,dc=lemon,dc=com” -W -f 1.ldif

添加进去

可以在PhpLdapAdmin上看到：

5：添加cn=Captain,ou=pwpolicies,dc=lemon,dc=com这个的一些属性值

[root@ll ~]# cat 2.ldif

dn: cn=Captain,ou=pwpolicies,dc=lemon,dc=com

cn: Captain

objectClass: pwdPolicy

objectClass: person

pwdAllowUserChange: TRUE

pwdAttribute: userPassword

pwdExpireWarning: 259200

pwdFailureCountInterval: 0

pwdGraceAuthNLimit: 5

pwdInHistory: 5

pwdLockout: TRUE

pwdLockoutDuration: 300

pwdMaxAge: 2592000

pwdMaxFailure: 5

pwdMinAge: 0

pwdMinLength: 8

pwdMustChange: TRUE

pwdSafeModify: TRUE

sn: dummy value

把属性值添加进去

在PhpLdapAdmin可以看到：

6：在vim /etc/pam_ldap.conf中的末尾添加：使得客户端能识别服务端的密码策略

   pam_password md5

bind_policy soft

pam_lookup_policy yes

pam_password clear_remove_old

7：重启nslcd

/etc/init.d/nslcd restart

8：测试

修改用户的属性，用test3做测试

[root@ll ~]# cat modify.ldif

dn: uid=test3,ou=people,dc=lemon,dc=com

changetype: modify

replace: pwdReset

pwdReset: TRUE

ldapmodify -x -D “cn=Captain,dc=le,dc=com” -W -f modify.ldif 导入

ldapwhoami -x -D uid=test3,ou=people,dc=lemon,dc=com -W -e ppolicy -v   查看test3用户的策略信息

这里显示输入test3 的原始密码，然后输入新修改的密码

当修改完后，就没有必须改变密码的那一句话了

这里可以啦

九：OpenLDAP与系统账号结合Samba

默认的Samba服务器支持本地系统用户（smbpasswd添加后）访问Samba资源，不支持OpenLDAP服务器账号访问Samba共享资源，配置完后，OpenLDAP每新增一个用户，就自动支持Samba，就可以用这个账号直接访问Samba，不需要存在于本地用户，不用smbpasswd用户

1：安装samba

yum -y install samba

2：把Samba.schema文件拷贝到LDAP的schema目录下，把原来的覆盖掉

cp /usr/share/doc/samba-3.6.23/LDAP/samba.schema /etc/openldap/schema/

3：修改配置文件vim /etc/openldap/slapd.conf

在include的地方，加上Samba的schema



3：修改了配置文件，就有重新生成配置文件数据

rm -rf /etc/openldap/slapd.d/*

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

config file testing succeeded

chown -R ldap.ldap /etc/openldap/slapd.d/

/etc/init.d/slapd restart

4：修改Samba的配置文件

添加：

  security = user

passdb backend = ldapsam:ldap://10.0.0.138

ldap suffix = “dc=lemon,dc=com”

ldap group suffix = “cn=group”

ldap user suffix = “ou=people”

ldap admin dn = “cn=Captain,dc=lemon,dc=com”

ldap delete dn = no

pam password change = yes

ldap passwd sync = yes

ldap ssl = no

对应这里的

在最后的时候添加共享的文件：

[public]

comment = Public Stuff

path = /tmp/lile

public = yes

writable = yes

printable = no

5：创建共享文件夹，并且授权

mkdir /tmp/lile

chmod 777 /tmp/lile/

6：把OpenLDAP的密码传给Samba，smbpasswd -w 123456 这里的密码是OpenLDAP的管理员密码

若不加，会报错：



7：重启smb

/etc/init.d/smb restart

/etc/init.d/nmb restart

8： Samba开通之后，可以看到这里的开关也打开了

9：测试

先把系统用户test1用smbpasswd -a test1 加到Samba的用户下，就可以看到：

test1用户下多了Samba的特性，原来是没有的

然后基于test1，在PhpLdapAdmin添加test2用户，不用smbpasswd，就只是OpenLDAP用户，复制的时候一定要重新改一下这里的密码，要不然登不进，

然后，就可以用windos去访问了，这里有一个概念就是OpenLDAP添加了的用户，不要再用smbpasswd去添加了，可以直接登录Samba

十：OpenLDAP的主从

1：做主从和双主的时候，一定要确认安装了 compat-openldap这个包

2：在主上的配置文件 10.0.0.138：

备份原来的配置文件：cp /etc/openldap/slapd.conf /etc/openldap/slapd.bak

先停掉服务 /etc/init.d/slapd stop

vim /etc/openldap/slapd.conf 修改配置文件

添加 index entryCSN,entryUUID eq

这里的注释去掉：

在文件的最后添加：

overlay syncprov 后端工作再overlay模式

syncprov-checkpoint 100 10   当满足修改100个条目或者10分钟的条件时主动以推的方式执行

syncprov-sessionlog 100 会话日志条目的最大数量

然后重新生成配置文件的数据文件：

rm -rf /etc/openldap/slapd.d/*

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

chown -R ldap.ldap /etc/openldap/slapd.conf

chown -R ldap.ldap /etc/openldap/slapd.d

/etc/init.d/slapd restart

3：导出主的数据文件 ldapsearch -x -b ‘dc=lemon,dc=com’ > root.ldif，拷贝到从上scp scp root.ldif 10.0.0.140:~/

4：把主的配置文件slapd.conf 拷贝到从10.0.0.140上用scp /etc/openldap/slapd.conf 10.0.0.140:~/

5：从上从主上拷贝了配置文件，

去掉：

overlay syncprov

syncprov-checkpoint 100 10

syncprov-sessionlog 100

然后再加上

syncrepl rid=003

provider=ldap://10.0.0.138:389/

type=refreshOnly

retry=”60 10 600 +” 尝试时间

interval=00:00:00:10 设置同步更新时间（日：时：分：秒）

searchbase=”dc=lemon,dc=com”

scope=sub 匹配根域所有条目

schemachecking=off 同步更新时是否开启schema语法检测

bindmethod=simple 同步验证模式为简单模式（即明文）

binddn=”cn=Captain,dc=lemon,dc=com” 使用Captain用户读取目录树信息

attrs=”*,+” 同步所有属性信息

credentials=123456 管理员密码

重新生成数据配置文件

  rm -rf /etc/openldap/slapd.d/*

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

  chown -R ldap.ldap /etc/openldap/slapd.conf

chown -R ldap.ldap /etc/openldap/slapd.d

/etc/init.d/slapd restart

6：测试

在主的10.0.0.138上添加一个test7的用户，在从上刷新一下，是同步到的

十一：OpenLDAP的双主

在主从的基础上，修改配置，这是主的:

serverID 2

overlay syncprov

syncrepl rid=001       （这里的格式一定要注意，中间这一段要用Tab键Tab一下，如果不的话会报错如下）

　　provider=ldap://10.0.0.140

　　type=refreshAndPersist

　　searchbase=”dc=lemon,dc=com”

　　schemachecking=simple

　　binddn=”cn=Captain,dc=lemon,dc=com”

　　credentials=123456

　　retry=”60 +”

mirrormode on

这是从的：

serverID 1

overlay syncprov

syncrepl rid=001        （这里的格式一定要注意，中间这一段要用Tab键Tab一下）

　　provider=ldap://10.0.0.138:389/

　　retry=”60 10 600 +”

　　searchbase=”dc=lemon,dc=com”

　　schemachecking=off

　　bindmethod=simple

　　binddn=”cn=Captain,dc=lemon,dc=com”

　　credentials=123456

mirrormode on
测试：在两台机上分别新建一个用户，看是否在对方能刷新到，主从与双主都只是备份的关系，若一台挂了，立即切换到另一台，则需做高可用和负载均衡.
-------------------

OpenLDAP Installation and Configuration in Ubuntu 12.10 Server / Debian 6

OpenLDAP is a free open source Light Weight Directory Access protocol developed by the OpenLDAP project. It is a platform independent protocol, so that it runs on all Linux/Unix like systems, Windows, AIX, Solaris and Android.

In this tutorial i am gonna to show you how to install and configure OpenLDAP server in Ubuntu 12.10 server. Though it is tested on Ubuntu 12.10, it may work on Debian too. In this how-to my testbox details are given below.
```
Operating System : Ubuntu 12.10 Server
Hostname         : server.unixmen.com
IP Address       : 192.168.1.200
```
Replace the above values with your own scenario.

Install OpenLDAP in Ubuntu 12.10 server
```
unixmen@server:~$ sudo apt-get install slapd ldap-utils
```
During the installtion it will ask the password for LDAP admin account. Enter your admin password here.

Re-enter the password.

Configure OpenLDAP

Open the “/etc/ldap/ldap.conf” file and find and edit the lines as shown below with your domain name and IP Address.
```
unixmen@server:~$ sudo vi /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE    dc=unixmen,dc=com
URI     ldap://192.168.1.200
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
```
Run the Configuration assistant.
```
unixmen@server:~$ sudo dpkg-reconfigure slapd
```
The following screen should appear. Select “No” and press Enter.

Enter the DNS domain name.

Enter the Organization name(i.e your company name).

Enter the LDAP admin password which you created in the earlier step.

Re-enter the password.

Select the backend database.

Select Yes to delete the database automatically when we are planning to remove LDAP server.

.

Select Yes to move old database.

Select No and Press Enter.

LDAP server is up and running now.

Test LDAP server

Enter the following command “ldapsearch -x”, then you will have the following result.
```
unixmen@server:~$ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=unixmen,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# unixmen.com
dn: dc=unixmen,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: unixmen
dc: unixmen

# admin, unixmen.com
dn: cn=admin,dc=unixmen,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
```
LDAP Server Administration

Administration of LDAP server in command mode is quite difficult, so that here i have used a easier GUI administration tool called “phpldapadmin”.

Install phpldapadmin
```
unixmen@server:~$ sudo apt-get install phpldapadmin
```
Create a symbolic link for phpldapadmin directory.
```
unixmen@server:~$ sudo ln -s /usr/share/phpldapadmin/ /var/www/phpldapadmin
```
Now open the “/etc/phpldapadmin/config.php” file and replace the domain names with your own values. Goto “Define LDAP Servers” section in the config file and edit the following lines as shown below.
```
unixmen@server:~$ sudo vi /etc/phpldapadmin/config.php 
$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','Unixmen LDAP Server');
$servers->setValue('server','host','192.168.1.200');
$servers->setValue('server','base',array('dc=unixmen,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=unixmen,dc=com');
```
Restart the apache service.
```
unixmen@server:~$ sudo /etc/init.d/apache2 restart
```
Make sure that you have opened apache server port “80” and LDAP default port “389” in your firewall/router configuration.
```
unixmen@server:~$ sudo ufw allow 80
Rules updated
Rules updated (v6)
unixmen@server:~$ sudo ufw allow 389
Rules updated
Rules updated (v6)
```
Now point your web browser with “http://192.168.1.200/phpldapadmin”. The following screen should appear.

Click “login” on the left pane and make sure the domain details are correct and enter ldap admin password which you have created in the previous steps and press “Authenticate”.

Now the main console screen of phpldapadmin will open. You can see the LDAP domain “unixmen.com” will be found there. Here you can add objects such as Organizational Unit, Users and groups etc.

Sample Configuration

Lets create some sample objects using phpldapadmin interface and check them whether they are presented in the LDAP server configuration.

Click on the “+” sign near the line “dc=unixmen” and click “Create new entry here” link.

Select “Generic-Organizational Unit” and enter the name of the Organizational unit(Ex.sales) and Click “Create Object”.

Click “Commit”.

Now the newly created OU will be found under the main ldap domain.

Click on the sales ou tree on the left pane and click on “Create a child entry”.

Select “Generic:Address book entry”. Enter firstname as “senthil”, last name as “kumar” and Common name(cn) as “senthil kumar” and click “Create Object”.

Click “Commit”.

Now the newly created user “senthil kumar” will be found under “sales” ou.

Also you can verify using the command “ldapsearch -x”.
```
unixmen@server:~$ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=unixmen,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# unixmen.com
dn: dc=unixmen,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: unixmen
dc: unixmen

# admin, unixmen.com
dn: cn=admin,dc=unixmen,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# sales, unixmen.com
dn: ou=sales,dc=unixmen,dc=com
objectClass: organizationalUnit
objectClass: top
ou: sales

# senthil kumar, sales, unixmen.com
dn: cn=senthil kumar,ou=sales,dc=unixmen,dc=com
cn: senthil kumar
givenName: senthil
sn: kumar
objectClass: inetOrgPerson
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
```
```
 
```
```
from  https://www.unixmen.com/openldap-installation-configuration-ubuntu-12-1013-0413-10-debian-67-2/ 
```
--------------

Setting up OpenLDAP

Davor Ocelic

SPINLOCK — advanced GNU/Linux and Unix solutions for commercial and education sectors.
<docelic@spinlocksolutions.com>

Copyright � 2006-2014 Davor Ocelic

Last update: Nov 30, 2016. — Verify everything is up to date
This documentation is free; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
It is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Abstract
The purpose of this article is to give you a straightforward, Debian/Ubuntu-friendly way of installing and configuring OpenLDAP.
By the end of this guide, you will have a functional LDAP server that will serve as a central authentication system for user logins onto all machines in the network, without the need to manually create users' accounts on individual machines.
However, for improved authentication security and a true networked solution, it is recommended to use LDAP in combination with Kerberos, with a matching Kerberos setup explained in MIT Kerberos 5 Guide.
(If you would be interested in that solution, follow the MIT Kerberos 5 Guide first.)
This article is part of Spinlock Solutions's practical 4-piece introductory series to infrastructure-based Unix networks, containing Debian GNU Guide, MIT Kerberos 5 Guide, OpenLDAP Guide and OpenAFS Guide.

Table of Contents

Introduction

The role of LDAP within a network

Glue layers: integrating LDAP with system software

Conventions

OpenLDAP

Server installation

Initial configuration

Initial test

Creating basic tree structure

Creating user accounts

NSS configuration

PAM configuration

Logging in into the system

Conclusion

Links
Introduction

LDAP is a service that has been traditionally captivating system administrators' and advanced users' interest, but its (seemingly or not) high entry barrier and infrastructure requirements have been preventing many from using it.
LDAP has already been the topic of numerous publications. Here, we will present only the necessary summary; enough information to establish the context and to achieve practical results.
You do not need to follow any external links; however, the links have been provided both throughout the article and listed all together at the end, to serve as pointers to more precise technical treatment of individual topics.
The role of LDAP within a network

OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol. Directory itself is a tree-structured, read-optimized database. Yellow pages or a phonebook are good associations to have in mind, even though LDAP is much more powerful.
We will use OpenLDAP to provide a central authentication location for user logins anywhere on the network, with their home directories being automatically created on their first access to individual machines.
This guide can be followed standalone to make OpenLDAP both perform authentication and serve user meta data. However, using LDAP for authentication as shown here is not secure due to plain text connections made to the LDAP server and passwords traveling over the wire. It is therefore advised to use LDAP in combination with a superior and secure network authentication mechanism Kerberos, which is explained in another article from the series, the MIT Kerberos 5 Guide.
That said, let's move onto our LDAP setup.
From a technical perspective, LDAP directory consists of a set of hierarchically organized entries. Each entry belongs to certain Object Classes and contains various key=value pairs called attributes.
Each entry is uniquely identified by a Distinguished name ("DN"). DN is formed as a list of components, separated by commas, that provide "full path" to the entry, starting from the top of the tree. For example, company Example, Inc. would have the root of the tree in dc=example,dc=com. A person employed by Example, Inc. would then have a corresponding LDAP entry with DN cn=person,ou=People,dc=example,dc=com.
Which attributes may or must be present in an entry is governed by the entry's objectClasses.
You might notice that the individual components of the DN, such as cn=person above, are also formed as key=value pairs. Those "keys", cn, ou and dc, stand for Common Name, Organizational Unit and Domain Component. They are a part of every-day LDAP terminology that you will get used to.
Let's quickly identify LDAP-specific elements in our setup:
LDAP is not in any way related to traditional system usernames or other data. However, part of its functionality in our setup will consist in storing information traditionally found in Unix files /etc/passwd and /etc/group, thus making that data network-accessible at a centralized location.
People's login names will be used in pairing people with the corresponding information in the LDAP tree. For example, username person will map to an LDAP entry uid=person,ou=People,dc=example,dc=com.

LDAP can be configured to contain user passwords. Passwords can be used both for authenticating as specific users and gaining access to protected entries, and for verifying whether the user knows the correct password.
When a user opens a LDAP client and moves to browse the directory, his DN and password are used to establish the identity and access privileges. When LDAP is configured to perform user authentication, his DN and password are only used to perform a connection to the LDAP directory — successful connection ("bind") implies the user knew the correct password.
You can find the complete OpenLDAP documentation at the OpenLDAP website. For an authoritative OpenLDAP book, see Gerald Carter's LDAP System Administration by O'Reilly.
Glue layers: integrating LDAP with system software

NSS

On all GNU/Linux-based platforms, NSS is available for network data retrieval configuration. NSS is an implementation of the Name Service Switch mechanism.
NSS will allow for inclusion of LDAP into the "user data" path of all services, regardless of whether they natively support LDAP or not.
You can find the proper introduction (and complete documentation) on the NSS website. Also take a look at the nsswitch.conf(5) manual page.

PAM

Likewise, on all GNU/Linux-based platforms, another piece of the puzzle, Linux-PAM, is available for service-specific authentication configuration. Linux-PAM is an implementation of PAM ("Pluggable Authentication Modules") from Sun Microsystems.
Network services, instead of having hard-coded authentication interfaces and decision methods, invoke PAM through a standard, pre-defined interface. It is then up to PAM to perform any and all authentication-related work, and report the result back to the application.
Exactly how PAM reaches the decision is none of the service's business. In traditional set-ups, that is most often done by asking and verifying usernames and passwords. In advanced networks, that could be retina scans or — Kerberos tickets, as explained in another article from the series, MIT Kerberos 5 Guide.
You can find the proper introduction (and complete documentation) on the Linux-PAM website. Pay special attention to the PAM Configuration File Syntax page. Also take a look at the Linux-PAM(7) and pam(7) manual pages.
Conventions

Let's agree on a few conventions before going down to work:
Our platform of choice, where we will demonstrate a practical setup, will be Debian GNU. The setup will also work on Ubuntu, and if any notable differences exist they will be noted.

If using Debian GNU, install and configure sudo. On Ubuntu sudo will already be installed and configured to work for your regular user account.
Sudo is a program that will allow you to carry out system administrator tasks from your normal user account. All the examples in this article requiring root privileges use sudo, so you will be able to copy-paste them to your shell.
To install sudo on Debian GNU only, run:

su -c 'apt-get install sudo'
If asked for a password, type in the root user's password.
To configure sudo on Debian GNU only, run the the following, replacing USERNAME with your login name:

su -c 'echo "USERNAME ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers'

Packages that we will install during the complete procedure will ask us a series of questions through the so-called debconf interface. To configure debconf to a known state, run:

sudo dpkg-reconfigure debconf
When asked, answer interface=Dialog and priority=low.

Monitoring log files is crucial in detecting problems. The straightforward, catch-all routine to this is opening a terminal and running:

cd /var/log; sudo tail -F daemon.log sulog user.log auth.log debug kern.log syslog dmesg messages kerberos/{krb5kdc,kadmin,krb5lib}.log

The command will keep printing log messages to the screen as they arrive.

Our test system will be called monarch.spinlock.hr and have an IP address of 192.168.7.12. Both the server and the client will be installed on the same machine. However, to differentiate between client and server roles where relevant, the client will be referred to as monarch.spinlock.hr and the server as ldap1.spinlock.hr. The following addition will be made to /etc/hosts to completely support this scheme:

192.168.7.12 monarch.spinlock.hr monarch krb1.spinlock.hr krb1 ldap1.spinlock.hr ldap1

Caution
Note that in some installations the system's network hostname is assigned to the localhost address 127.0.0.1. This can and will cause problems for network operations, so make sure that your "localhost" entry in /etc/hosts looks exactly like the following (nothing more, nothing less):

127.0.0.1 localhost

Finally, test that the network setup is as expected. Pinging the hostnames should report proper FQDNs and IPs as shown:

ping -c1 localhost PING localhost (127.0.0.1) 56(84) bytes of data. .... ping -c1 monarch PING monarch.spinlock.hr (192.168.7.12) 56(84) bytes of data. .... ping -c1 ldap1 PING ldap1.spinlock.hr (192.168.7.12) 56(84) bytes of data. ....
OpenLDAP
Server installation

OpenLDAP's server component is called slapd, and is basically all that we will need.
```
sudo apt-get install slapd ldap-utils
```
Debconf answers for reference:
```
Omit OpenLDAP server configuration? No

DNS domain name: spinlock.hr

Organization name? spinlock.hr

Administrator password: PASSWORD

Confirm password: PASSWORD

Database backend to use: MDB

Do you want the database to be removed when slapd is purged? No

Allow LDAPv2 protocol? No
```
As soon as the installation is done, the OpenLDAP server (command slapd) will start.
Initial configuration
Introduction

For a general introduction, it is important to know that the server-side configuration, including the ObjectClasses, attributes, syntaxes, matching rules and other details of the LDAP data structure are, at startup, loaded from the configuration files found under the directory /etc/ldap/slapd.d/.
These configuration files are kept in the LDIF format as it is expected that the configuration would be modified using the standard LDAP data modification utilities in runtime, and that the slapd server would then save the new values as LDIF files to preserve configuration data across restarts.
However, when manual interventions to the files are required, the LDIF-formatted files still allow for reasonably convenient text-based editing.
This configuration style, modifiable in runtime, is known under a couple different names, notably olc (On-Line Configuration), cn=config and slapd.d.
Previously, OpenLDAP used a standard, text-based configuration file found in /etc/ldap/slapd.conf. However, while still supported, that approach is no longer recommended as it requires server restarts to apply configuration changes, and cn=config is nowadays the default method.

Note
Since the /etc/ldap/slapd.conf configuration has traditionally been documented in this Guide, it will be kept listed in addition to slapd.d for reference, but it should be considered obsolete.
If you happen to have a /etc/ldap/slapd.conf file in your configuration and no /etc/ldap/slapd.d/ directory, convert to slapd.d by running:

sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d
And then make sure that your slapd has been started with -F /etc/ldap/slapd.d instead of with -f /etc/ldap/slapd.conf by running the following two checks:

grep -e -F /etc/init.d/slapd ps aux | grep slapd
(Both should list "-F" instead of "-f".)
cn=config configuration

The cn=config is a special LDAP database that keeps the OpenLDAP server configuration, and is viewable and modifiable in runtime.
Changes made to it are instantly applied to the running server and are also saved under /etc/ldap/slapd.d/, to preserve the configuration across server restarts.
So here is what we want to do:
To make the necessary configuration changes, we want to take advantage of the existing, default configuration in cn=config which is allowing local root user to connect to the slapd socket in /var/run/slapd/ldapi and modify the cn=config database.
Using this approach, we first want verify that all the necessary LDAP schema definitions (core, cosine, nis and inetorgperson) have been loaded.
Any errors about duplicate entries in this step are fine, and the relevant part that is instructing our client to authenticate as local user and to connect to the slapd Unix socket is "-Y EXTERNAL -H ldapi:///":

sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/core.ldif sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
(Another way to make sure these schemas are loaded is to run ls -al /etc/ldap/slapd.d/cn=config/cn=schema/.)
Then we want to replace the default "olcLogLevel: none" with "olcLogLevel: 256":

echo "dn: cn=config changetype: modify replace: olcLogLevel olcLogLevel: 256" > /var/tmp/loglevel.ldif sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /var/tmp/loglevel.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config"
Then we want to add an "eq" (equality) search index for the attribute "uid":

echo " dn: olcDatabase={1}mdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: uid eq " > /var/tmp/uid_eq.ldif sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /var/tmp/uid_eq.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}mdb,cn=config"
And finally, we want to allow the LDAP administrator account to see and modify the cn=config configuration database in the same way that write access would be granted on the actual data tree dc=spinlock, dc=hr.
This will effectively allow accessing and modifying slapd configuration from any location as long as the user knows the correct administrator DN and password. It will come very handy in the learning phase, for viewing and modifying the configuration using a graphical LDAP client:

echo "dn: olcDatabase={0}config,cn=config changetype: modify add: olcAccess olcAccess: to * by dn="cn=admin,dc=spinlock,dc=hr" write" > /var/tmp/access.ldif sudo ldapmodify -c -Y EXTERNAL -H ldapi:/// -f /var/tmp/access.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={0}config,cn=config"
slapd.conf configuration (obsolete)

For reference, here is the equivalent configuration as the above, in the old slapd.conf style:

Note
This whole section should be ignored unless you are purposely using /etc/ldap/slapd.conf or are attempting to compare it to slapd.d.
Make sure all the schema files are enabled:

include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema
Change the verbosity level from 0 or "none" to 256:

loglevel 256
Search for line "index objectClass eq" and add another search index. In particular combinations, it may be possible to receive no results when the searched entries are not indexed, so this step is important:

index objectClass eq index uid eq
To make the new index option apply, run the following commands:

sudo invoke-rc.d slapd stop sudo slapindex sudo chown -R openldap:openldap /var/lib/ldap sudo invoke-rc.d slapd start
Client-side configuration

Our OpenLDAP server is already running, so let's configure /etc/ldap/ldap.conf, a common configuration file for all LDAP clients. This will allow us to run ldapsearch and other commands without having to specify all the basic parameters by hand each time.
Enable the following two lines in /etc/ldap/ldap.conf, creating the file if necessary:

BASE dc=spinlock, dc=hr URI ldap://192.168.7.12/
Initial test

It's already the time to test the installation. Our OpenLDAP server does not contain much information, but a basic read operation can be performed normally.
In LDAP terms, read operation is called a "search". To perform a search using generic command-line utilities, we have ldapsearch and slapcat available.
Ldapsearch (and other LDAP utilities prefixed "ldap") perform operations "online", using the LDAP protocol.
Slapcat (and other OpenLDAP utilities prefixed "slap") perform operations "offline", directly by opening files on the local filesystem. For this reason, they can only be ran locally on the OpenLDAP server and they require administrator privileges. When they involve writing to the database, the OpenLDAP server usually needs to be stopped first.
In the output of the two search commands, you will notice two LDAP entries, one representing the top level element in the tree, and another representing the LDAP administrator's entry. In the slapcat output, notice the extra attributes not printed with ldapsearch. One of those is userPassword, which is not shown to us when we are anonymously accessing the directory using ldapsearch, due to the default access restrictions in place.
```
ldapsearch -x

# extended LDIF
#
# LDAPv3
# base <dc=spinlock, dc=hr> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# spinlock.hr
dn: dc=spinlock,dc=hr
objectClass: top
objectClass: dcObject
objectClass: organization
o: spinlock.hr
dc: spinlock

# admin, spinlock.hr
dn: cn=admin,dc=spinlock,dc=hr
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
```
```
sudo slapcat

dn: dc=spinlock,dc=hr
objectClass: top
objectClass: dcObject
objectClass: organization
o: spinlock.hr
dc: spinlock
structuralObjectClass: organization
entryUUID: 350a2db6-87d3-102c-8c1c-1ffeac40db98
creatorsName:
modifiersName:
createTimestamp: 20080316183324Z
modifyTimestamp: 20080316183324Z
entryCSN: 20080316183324.797498Z#000000#000#000000

dn: cn=admin,dc=spinlock,dc=hr
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fVdSZDJjRFdRODluNHM=
structuralObjectClass: organizationalRole
entryUUID: 350b330a-87d3-102c-8c1d-1ffeac40db98
creatorsName:
modifiersName:
createTimestamp: 20080316183324Z
modifyTimestamp: 20080316183324Z
entryCSN: 20080316183324.804398Z#000000#000#000000
```
Creating basic tree structure

As explained, the LDAP database is structured as a tree. The top level element in the tree for your organization is often its domain name. In case of a domain spinlock.hr, the toplevel tree element would be dc=spinlock,dc=hr.
On the next level below, an organization is often divided into "organizational units", such as people, groups, hosts, services, networks, protocols, etc.
Accordingly, to support people's Unix "meta data" in our LDAP directory, we will be interested in creating two of the mentioned organizational units, People and Group. The two will roughly correspond to the Unix /etc/passwd and /etc/group files.
Ldap data is interchanged in a textual format called LDIF. Command-line LDAP utilities receive and produce data in this format. Note that the LDIF stream can also contain commands, such as for adding, modifying or removing LDAP entries.
Knowing this, we'll put together a simple LDIF file, /var/tmp/ou.ldif, that will instruct the server to add the two organizational units. Pay attention to the empty line separating the entries:
```
dn: ou=People,dc=spinlock,dc=hr
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=spinlock,dc=hr
ou: Group
objectClass: organizationalUnit
```
To load the LDIF file into the server, let's show an example using the offline tool, slapadd:
```
sudo invoke-rc.d slapd stop
sudo slapadd -c -v -l /var/tmp/ou.ldif

added: "ou=People,dc=spinlock,dc=hr" (00000003)
added: "ou=Group,dc=spinlock,dc=hr" (00000004)
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...

sudo invoke-rc.d slapd start
```
Let's use ldapsearch to verify the entries have been created.
```
ldapsearch -x ou=people

# extended LDIF
#
# LDAPv3
# base <dc=spinlock, dc=hr> (default) with scope subtree
# filter: ou=people
# requesting: ALL
#

# People, spinlock.hr
dn: ou=People,dc=spinlock,dc=hr
ou: People
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
Creating user accounts

In the same manner we've created the two organizational units, let's create our first group and a person belonging to it. Again, we approach the problem by constructing and loading an LDIF file, /var/tmp/user1.ldif, paying attention to the empty line separating the entries:
```
dn: cn=mirko,ou=group,dc=spinlock,dc=hr
cn: mirko
gidNumber: 20000
objectClass: top
objectClass: posixGroup

dn: uid=mirko,ou=people,dc=spinlock,dc=hr
uid: mirko
uidNumber: 20000
gidNumber: 20000
cn: Mirko
sn: Mirko
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/mirko
```
To load the LDIF file into the server, let's show an example using the online tool, ldapadd. Since, as said previously, ldapadd uses the LDAP protocol, we'll have to bind to the server as system administrator and type in the correct admin password (defined during slapd installation):
```
ldapadd -c -x -D cn=admin,dc=spinlock,dc=hr -W -f /var/tmp/user1.ldif

Enter LDAP Password: PASSWORD

adding new entry "cn=mirko,ou=group,dc=spinlock,dc=hr"

adding new entry "uid=mirko,ou=people,dc=spinlock,dc=hr"
```
Now to define the new user's password, let's run an online tool ldappasswd. (This step is not needed if you plan to use LDAP in combination with Kerberos as explained in MIT Kerberos 5 Guide.)
```
ldappasswd -x -D cn=admin,dc=spinlock,dc=hr -W -S uid=mirko,ou=people,dc=spinlock,dc=hr

New password: NEW USER PASSWORD

Re-enter new password: NEW USER PASSWORD

Enter LDAP Password:  ADMIN PASSWORD

Result: Success (0)
```
Note
You might notice that all entries always have to be "fully qualified" and that you cannot omit the suffix (dc=spinlock,dc=hr) or other components of the DN. This often leads to command line examples that are long and cryptic, and look just like boring, unnecessary work. If you perceive that as a problem, you'll solve it by either getting accustomed to it to the point of not noticing it any more, or you will later switch to using graphical LDAP clients that fill in most of that information for you.
Now let's use ldapsearch to verify the user entry has been created. Note that the password field, userPassword, will not be shown even if we created it, due to the configured access restrictions that apply to anonymous users.
```
ldapsearch -x uid=mirko

# extended LDIF
#
# LDAPv3
# base <dc=spinlock, dc=hr> (default) with scope subtree
# filter: uid=mirko
# requesting: ALL
#

# mirko, people, spinlock.hr
dn: uid=mirko,ou=people,dc=spinlock,dc=hr
uid: mirko
uidNumber: 20000
gidNumber: 20000
cn: Mirko
sn: Mirko
objectClass: top
objectClass: person
objectClass: posixAccount
loginShell: /bin/bash
homeDirectory: /home/mirko

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
Congratulations! You now have a working LDAP setup.
NSS configuration

Now that we have a new user created in LDAP, we should allow the system to see it. For example, let's test for existence of users root and mirko. The administrator will be present, while mirko will not:
```
id root
uid=0(root) gid=0(root) groups=0(root)

id mirko
id: mirko: No such user
```
To enable the system see and use LDAP accounts, we need to install libnss-ldap, libpam-ldap and nscd.
```
sudo apt-get install libnss-ldap libpam-ldap nscd
```
All debconf answers for reference:
```
LDAP server URI: ldap://192.168.7.12/ (Note the "ldap://", not "ldapi://")

Distinguished name of the search base: dc=spinlock,dc=hr

LDAP version to use: 3

Does the LDAP database require login? No

Special LDAP privileges for root? No

Make the configuration file readable/writable by its owner only? No

Allow LDAP admin account to behave like local root? Yes

Make local root Database admin. No

Does the LDAP database require login? No

LDAP administrative account: cn=admin,dc=spinlock,dc=hr

LDAP administrative password: PASSWORD

Local crypt to use when changing passwords. md5

PAM profiles to enable: --->
  If not using Kerberos, select 'Unix authentication' and 'LDAP Authentication'
  If using Kerberos, select 'Unix authentication' and 'Kerberos authentication'
```
Debconf answers will be saved and reflected in the configuration file /etc/libnss-ldap.conf. To confirm the configuration, locate and verify the following two lines in /etc/libnss-ldap.conf:
```
base dc=spinlock,dc=hr
uri ldap://192.168.7.12/
```
Finally, to activate the LDAP NSS module, edit /etc/nsswitch.conf by replacing the two lines mentioning passwd and group with the following:
```
passwd:         files ldap
group:          files ldap
```
Nscd (the Name Service Caching Daemon) is used to cache metadata locally, instead of querying the LDAP server each time. It is a very efficient service in the long run, but we will stop it for for the moment, during testing, to always retrieve the data directly from the LDAP server:
```
sudo invoke-rc.d nscd stop
```
Now we can verify that LDAP users have become visible:
```
id mirko

uid=20000(mirko) gid=20000(mirko) groups=20000(mirko)
```
PAM configuration

The final step in this article pertains to integrating LDAP into the system authentication procedure.
We will need to verify the configuration of the package libpam-ldap that has been installed in the previous step.
The default PAM configuration will require the user to be present either in the local password file or in LDAP, and to know the correct password, for the authentication process to continue.
First, the debconf answers related to libpam-ldap have already been saved and reflected in the configuration file /etc/pam_ldap.conf.
To confirm the configuration, locate and verify the following two lines in /etc/pam_ldap.conf:
```
base dc=spinlock,dc=hr
uri ldap://192.168.7.12/
```
Second, the answer to the debconf question "PAM profiles to enable" has aso been reflected in the four PAM-related configuration files: /etc/pam.d/common-account, /etc/pam.d/common-auth, /etc/pam.d/common-password and /etc/pam.d/common-session.
Here's how the active parts of these config files should look like, for reference:
/etc/pam.d/common-account

# Disable if using Kerberos: account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 default=ignore] pam_ldap.so # Enable if using Kerberos: #account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so account requisite pam_deny.so account required pam_permit.so # Enable if using Kerberos: #account required pam_krb5.so minimum_uid=1000
/etc/pam.d/common-auth

# Disable if using Kerberos: auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_ldap.so use_first_pass # Enable if using Kerberos: #auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 #auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass auth requisite pam_deny.so auth required pam_permit.so
/etc/pam.d/common-password

# Disable if using Kerberos: password [success=2 default=ignore] pam_unix.so obscure sha512 password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass # Enable if using Kerberos: #password [success=2 default=ignore] pam_krb5.so minimum_uid=1000 #password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password requisite pam_deny.so password required pam_permit.so
/etc/pam.d/common-session

session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so # Enable if using Kerberos: #session optional pam_krb5.so minimum_uid=1000 session required pam_unix.so # Disable if using Kerberos: session optional pam_ldap.so
It is advisable not to be making basic changes in these files manually, as modifications require detailed knowledge of the PAM config file syntax.
Changes can be made by running the following line that will reconfigure the package and re-generate the configuration files:
```
sudo dpkg-reconfigure libpam-ldap 
```
For manual modifications, you will want to look at PAM Configuration File Syntax and pay special attention to seemingly insignificant variations — with PAM, they often make a whole world of difference.
Finally, you will want to start nscd that was stopped during one of the previous steps:
```
sudo invoke-rc.d nscd start
```
Note that authentication through LDAP, as shown here, is not secure, due to connections to the LDAP server being made in plain text and passwords traveling over the wire.
Instead of encrypting the connection to the LDAP server, one could install Kerberos as explained in MIT Kerberos 5 Guide. If Kerberos is set up after LDAP, run dpkg-reconfigure libpam-ldap afterwards to choose "Unix authentication" and "Kerberos authentication" instead of "LDAP Authentication", and verify the resulting PAM configuration files as per the actual /etc/pam.d/ configs provided above.
Logging in into the system

When users authenticate successfully, and they log in, they will be placed in their home directory. In a central network authentication scheme, where the user accounts are created centrally instead of on the individual machines, their home directories may not exist on particular systems. This problem can be solved by using the pam_mkhomedir PAM module, which can create the users' home directories on the fly, if they are found missing during login.
Add the following line to the bottom of /etc/pam.d/common-session:
```
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
```
Implicitly, this means that the users' home directories will be created separately on all of the individual machines they log in to. This may present a problem as people will have different files on different machines. It won't be completely unacceptable in itself if Kerberos is used as the Kerberized network will allow secure and passwordless copying of files between the machines, but it will still be far from a perfect solution. To solve that problem with an advanced, secure, heavy-duty distributed network filesystem, you could read the next article in the series, the OpenAFS Guide.
In any case, having everything adjusted as shown using pam_mkhomedir, login to the system should succeed as user mirko:
```
Login: mirko
Password: PASSWORD

Debian GNU/Linux tty5

Creating directory '/home/mirko'.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
mirko@host:~$
```
Conclusion

At this point, you have a functional LDAP installation.
You can rely on LDAP for central network authentication and sharing of user metadata (user IDs, group IDs, real names, group memberships, etc.).
With a good foundation we've built, for further information on LDAP, please refer to other available resources:
- Official documentation: http://www.openldap.org/doc/admin24/
- Mailing lists: http://www.openldap.org/lists/
- IRC: channel #ldap at the FreeNode network (irc.freenode.net)
- For commercial consultation and infrastructure-based networks containing LDAP, contact Spinlock Solutions or organizations listed on the OpenLDAP support page.
Finally, as said above, the described authentication through LDAP is not done in a network-secure manner, due to plain text connections and passwords traveling over the wire. To solve that problem, using Kerberos for network authentication instead of LDAP is recommended, as explained in the previous article in the series, the MIT Kerberos 5 Guide.
Also, as said above, the users' home directories will be created separately on all of the hosts the users would log in to. To solve that problem and have a shared home directory on all of the systems, using a distributed filesystem AFS is recommended, as explained in the next article in the series, the OpenAFS Guide.
from http://techpubs.spinlocksolutions.com/dklar/ldap.html

-------------------

使用OpenLDAP管理系统权限

Configuring Your System to Authenticate Using OpenLDAP

This section provides a brief overview of how to configure your Red Hat Linux system to authenticate using OpenLDAP. Unless you’re an OpenLDAP expert, you will probably need more documentation than is provided here. Please refer to the references provided in the section called LDAP Resources on the Web for more information.

Install the Necessary LDAP Packages

First, you’ll need to make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines. The LDAP server needs the openldap package.

The LDAP client machines need the following packages installed: openldap,auth_ldap, nss_ldap and pam_ldap.

Edit Configuration Files

Edit `/etc/openldap/slapd.conf`

The slapd.conf file, located in /etc/openldap, contains the configuration information needed by your slapd LDAP server. You’ll need to edit this file to make it specific to your domain and your server.

The suffix line names the domain for which the LDAP server will provide information. The suffix line should be changed from:

suffix 		"dc=your-domain, dc=com"

so that it reflects your domain name. For example:

suffix		"dc=acmewidgets, dc=com"

suffix 		"dc=acmeuniversity, dc=org"

The rootdn entry is the DN for a user who is unrestricted by the access control or administrative limit parameters set for operations on the LDAP directory. The rootdn user can be thought of as the root user for the LDAP directory. The rootdn line needs to be changed

from:

rootdn		"cn=root, dc=your-domain, dc=com"

to something like:

rootdn		"cn=root, dc=redhat, dc=com"

rootdn		"cn=ldapmanager, dc=my_organization, dc=org"

Change the rootpw line from:

rootpw 		secret

to something like

rootpw		{crypt}s4L9sOIJo4kBM

In the above example, you’re using an encrypted root password, which is a much better idea than leaving a plain text root password in the slapd.conf file. To make this crypt string, you should either copy it out of a passwd file, or use Perl:

perl -e "print crypt('passwd','a_salt_string');"

In the previous Perl line, salt_string is a two character salt, and passwd is the plain text version of the password.

You could also copy a passwd entry out of /etc/passwd, but this won’t work if the passwd entry is an MD5 password (the default in Red Hat Linux 6.2).

Edit `ldap.conf`

Edit the ldap.conf files in /etc and in /etc/openldap on the LDAP server and clients.

Edit /etc/ldap.conf, the configuration file for nss_ldap and pam_ldap, to reflect your organization and search base. The file /etc/openldap/ldap.conf is the configuration file for the command line tools like ldapsearch,ldapadd, etc., and it will also need to be edited for your LDAP setup. Client machines will need to have both of these files modified for your system.

Edit `/etc/nsswitch.conf`

To use nss_ldap, you’ll need to add ldap to the appropriate fields in /etc/nsswitch.conf. (Be very careful when editing this file; be sure that you know what you’re doing.) For

example:

passwd: files ldap
shadow: files ldap
group: files ldap

Copy the PAM Configuration Files

To use pam_ldap, you’ll need to copy the PAM configuration files from /usr/doc/nss_ldap<version>/pam.d/ to your /etc/pam.d/ directory. These are a set of PAM configuration files that allow all of the standard PAM-enabled applications to use LDAP for authentication. (PAM is beyond the scope of this LDAP overview, so if you need help, consult the section called User Authentication with PAM in Chapter 2 and/or PAM man pages.)

Migrate Your Old Authentication Information to LDAP Format

The /usr/share/openldap/migration directory contains a set of shell and Perl scripts for migrating your old authentication information into LDAP format. (Yes, you’ll need to have Perl on your system to use these scripts.)

First, you’ll need to modify the migrate_common.ph file so that it reflects your domain. The default DNS domain should be changed from:

$DEFAULT_MAIL_DOMAIN = "padl.com";

to something like:

$DEFAULT_MAIL_DOMAIN = "your_company.com";

The default base should also be changed, from:

$DEFAULT_BASE = "dc=padl,dc=com";

to something like:

$DEFAULT_BASE = "dc=your_company,dc=com";

Next, you’ll need to decide which script to use. The following table should tell you:

Table 8-1. LDAP Migration Scripts

Existing name service	Is LDAP running?	Use this script:
`/etc` flat files	yes	`migrate_all_online.sh`
`/etc` flat files	no	`migrate_all_offline.sh`
NetInfo	yes	`migrate_all_netinfo_online.sh`
NetInfo	no	`migrate_all_netinfo_offline.sh`
NIS (YP)	yes	`migrate_all_nis_online.sh`
NIS (YP)	No	`migrate_all_nis_offline.sh`

Run the appropriate script based on your existing name service.

The README and the migration-tools.txt files in /usr/share/openldap/migratio provide more details.

------------------

LDAP服务器的概念和原理

1. 目录服务

目录是一个为查询、浏览和搜索而优化的专业分布式数据库，它呈树状结构组织数据，就好象Linux/Unix系统中的文件目录一样。目录数据库和关系数据库不同，它有优异的读性能，但写性能差，并且没有事务处理、回滚等复杂功能，不适于存储修改频繁的数据。所以目录天生是用来查询的，就好象它的名字一样。目录服务是由目录数据库和一套访问协议组成的系统。类似以下的信息适合储存在目录中：

企业员工信息，如姓名、电话、邮箱等；
公用证书和安全密钥；
公司的物理设备信息，如服务器，它的IP地址、存放位置、厂商、购买时间等；

LDAP是轻量目录访问协议(Lightweight Directory Access Protocol)的缩写，LDAP是从X.500目录访问协议的基础上发展过来的，目前的版本是v3.0。与LDAP一样提供类似的目录服务软件还有ApacheDS、Active Directory、Red Hat Directory Service 。

2. LDAP特点

LDAP的结构用树来表示，而不是用表格。正因为这样，就不能用SQL语句了
LDAP可以很快地得到查询结果，不过在写方面，就慢得多
LDAP提供了静态数据的快速查询方式
Client/server模型，Server 用于存储数据，Client提供操作目录信息树的工具
这些工具可以将数据库的内容以文本格式（LDAP 数据交换格式，LDIF）呈现在您的面前
LDAP是一种开放Internet标准，LDAP协议是跨平台的Interent协议

3. LDAP组织数据的方式

4. 基本概念

在浏览LDAP相关文档时经常会遇见一些概念，下面是常见概念的简单解释。

4.1 Entry

条目，也叫记录项，是LDAP中最基本的颗粒，就像字典中的词条，或者是数据库中的记录。通常对LDAP的添加、删除、更改、检索都是以条目为基本对象的。

dn：每一个条目都有一个唯一的标识名（distinguished Name ，DN），如上图中一个 dn：”cn=baby,ou=marketing,ou=people,dc=mydomain,dc=org” 。通过DN的层次型语法结构，可以方便地表示出条目在LDAP树中的位置，通常用于检索。
rdn：一般指dn逗号最左边的部分，如cn=baby。它与RootDN不同，RootDN通常与RootPW同时出现，特指管理LDAP中信息的最高权限用户。
Base DN：LDAP目录树的最顶部就是根，也就是所谓的“Base DN”，如”dc=mydomain,dc=org”。

4.2 Attribute

每个条目都可以有很多属性（Attribute），比如常见的人都有姓名、地址、电话等属性。每个属性都有名称及对应的值，属性值可以有单个、多个，比如你有多个邮箱。

属性不是随便定义的，需要符合一定的规则，而这个规则可以通过schema制定。比如，如果一个entry没有包含在 inetorgperson 这个 schema 中的objectClass: inetOrgPerson，那么就不能为它指定employeeNumber属性，因为employeeNumber是在inetOrgPerson中定义的。

LDAP为人员组织机构中常见的对象都设计了属性(比如commonName，surname)。下面有一些常用的别名：

属性	别名	语法	描述	值(举例)
commonName	cn	Directory	String	姓名
surname	sn	Directory	String	姓
organizationalUnitName	ou	Directory	String	单位（部门）名称
organization	o	Directory	String	组织（公司）名称
telephoneNumber		Telephone	Number	电话号码
objectClass			内置属性	organizationalPerson

4.3 ObjectClass

对象类是属性的集合，LDAP预想了很多人员组织机构中常见的对象，并将其封装成对象类。比如人员（person）含有姓（sn）、名（cn）、电话(telephoneNumber)、密码(userPassword)等属性，单位职工(organizationalPerson)是人员(person)的继承类，除了上述属性之外还含有职务（title）、邮政编码（postalCode）、通信地址(postalAddress)等属性。

通过对象类可以方便的定义条目类型。每个条目可以直接继承多个对象类，这样就继承了各种属性。如果2个对象类中有相同的属性，则条目继承后只会保留1个属性。对象类同时也规定了哪些属性是基本信息，必须含有(Must 活Required，必要属性)：哪些属性是扩展信息，可以含有（May或Optional，可选属性）。

对象类有三种类型：结构类型（Structural）、抽象类型(Abstract)和辅助类型（Auxiliary）。结构类型是最基本的类型，它规定了对象实体的基本属性，每个条目属于且仅属于一个结构型对象类。抽象类型可以是结构类型或其他抽象类型父类，它将对象属性中共性的部分组织在一起，称为其他类的模板，条目不能直接集成抽象型对象类。辅助类型规定了对象实体的扩展属性。每个条目至少有一个结构性对象类。

对象类本身是可以相互继承的，所以对象类的根类是top抽象型对象类。以常用的人员类型为例，他们的继承关系：

下面是inetOrgPerson对象类的在schema中的定义，可以清楚的看到它的父类SUB和可选属性MAY、必要属性MUST(继承自organizationalPerson)，关于各属性的语法则在schema中的attributetype定义。

# inetOrgPerson
# The inetOrgPerson represents people who are associated with an
# organization in some way.  It is a structural class and is derived
# from the organizationalPerson which is defined in X.521 [X521].
objectclass     ( 2.16.840.1.113730.3.2.2
    NAME 'inetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person'
    SUP organizationalPerson
    STRUCTURAL
        MAY (
                audio $ businessCategory $ carLicense $ departmentNumber $
                displayName $ employeeNumber $ employeeType $ givenName $
                homePhone $ homePostalAddress $ initials $ jpegPhoto $
                labeledURI $ mail $ manager $ mobile $ o $ pager $
                photo $ roomNumber $ secretary $ uid $ userCertificate $
                x500uniqueIdentifier $ preferredLanguage $
                userSMIMECertificate $ userPKCS12 )
        )

4.4 Schema

对象类（ObjectClass）、属性类型（AttributeType）、语法（Syntax）分别约定了条目、属性、值，他们之间的关系如下图所示。所以这些构成了模式(Schema)——对象类的集合。条目数据在导入时通常需要接受模式检查，它确保了目录中所有的条目数据结构都是一致的。

schema（一般在/etc/ldap/schema/目录）在导入时要注意前后顺序。

4.5 backend & database

ldap的后台进程slapd接收、响应请求，但实际存储数据、获取数据的操作是由Backends做的，而数据是存放在database中，所以你可以看到往往你可以看到backend和database指令是一样的值如 bdb 。一个 backend 可以有多个 database instance，但每个 database 的 suffix 和 rootdn 不一样。openldap 2.4版本的模块是动态加载的，所以在使用backend时需要moduleload back_bdb指令。

bdb是一个高性能的支持事务和故障恢复的数据库后端，可以满足绝大部分需求。许多旧文档里（包括官方）说建议将bdb作为首选后端服务（primary backend），但2.4版文档明确说hdb才是被首先推荐使用的，这从 2.4.40 版默认安装后的配置文件里也可以看出。hdb是基于bdb的，但是它通过扩展的索引和缓存技术可以加快数据访问，修改entries会更有效率，有兴趣可以访问上的链接或slapd.backends。

另外config是特殊的backend，用来在运行时管理slapd的配置，它只能有一个实例，甚至无需显式在slapd.conf中配置。

4.6 TLS & SASL

分布式LDAP 是以明文的格式通过网络来发送信息的，包括client访问ldap的密码（当然一般密码已然是二进制的），SSL/TLS 的加密协议就是来保证数据传送的保密性和完整性。

SASL （Simple Authenticaion and Security Layer）简单身份验证安全框架，它能够实现openldap客户端到服务端的用户验证，也是ldapsearch、ldapmodify这些标准客户端工具默认尝试与LDAP服务端认证用户的方式（前提是已经安装好 Cyrus SASL）。SASL有几大工业实现标准：Kerveros V5、DIGEST-MD5、EXTERNAL、PLAIN、LOGIN。

Kerveros V5是里面最复杂的一种，使用GSSAPI机制，必须配置完整的Kerberos V5安全系统，密码不再存放在目录服务器中，每一个dn与Kerberos数据库的主体对应。DIGEST-MD5稍微简单一点，密码通过saslpasswd2生成放在sasldb数据库中，或者将明文hash存到LDAP dn的userPassword中，每一个authid映射成目录服务器的dn，常和SSL配合使用。参考将 LDAP 客户端配置为使用安全性

EXTERNAL一般用于初始化添加schema时使用，如ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif。

4.7 LDIF

LDIF（LDAP Data Interchange Format，数据交换格式）是LDAP数据库信息的一种文本格式，用于数据的导入导出，每行都是“属性: 值”对，见 openldap ldif格式示例

OpenLDAP(2.4.3x)服务器安装配置方法见这里。

参考

LDAP基础概念 LDAP-HOWTO openldap doc admin24

Total Pageviews

Wednesday, 15 November 2017

Setting up OpenLDAP server with OpenSSH-LPK on Ubuntu 14.04

Instructions and references

Understanding cn=config (LDAP database)

Schemas

Importing openssh-lpk scheme

Forcing authentication

Securing LDAP with TLS

Importing SSL schema

Enabling LDAPS

Configuring /etc/ldap/ldap.conf

Testing the above LDAPS config

Customizing phpLDAPadmin config and templates

Adding a user with SSH public key in phpLDAPadmin

Setting up OpenLDAP client with SSH access on Ubuntu 14.04

Install packages

Configure SSH server

Configure PAM

Configure NSS, login access control and sudo

Setting up nss-ldapd on Ubuntu 14.04

在Linux vps,安装OpenLDAP及管理工具phpldapadmin

OpenLDAP Installation and Configuration in Ubuntu 12.10 Server / Debian 6

Install OpenLDAP in Ubuntu 12.10 server

Configure OpenLDAP

Test LDAP server

LDAP Server Administration

Install phpldapadmin

Sample Configuration

--------------

Setting up OpenLDAP

Davor Ocelic

Introduction

The role of LDAP within a network

Glue layers: integrating LDAP with system software

NSS

PAM

Conventions

Caution

OpenLDAP

Server installation

Initial configuration

Introduction

Note

cn=config configuration

slapd.conf configuration (obsolete)

Note

Client-side configuration

Initial test

Creating basic tree structure

Creating user accounts

Note

NSS configuration

PAM configuration

/etc/pam.d/common-account

/etc/pam.d/common-auth

/etc/pam.d/common-password

/etc/pam.d/common-session

Logging in into the system

Conclusion

from http://techpubs.spinlocksolutions.com/dklar/ldap.html

使用OpenLDAP管理系统权限

Configuring Your System to Authenticate Using OpenLDAP

Install the Necessary LDAP Packages

Edit Configuration Files

Edit /etc/openldap/slapd.conf

Edit ldap.conf

Edit /etc/nsswitch.conf

Copy the PAM Configuration Files

Migrate Your Old Authentication Information to LDAP Format

LDAP服务器的概念和原理

1. 目录服务

2. LDAP特点

3. LDAP组织数据的方式

4. 基本概念

4.1 Entry

4.2 Attribute

4.3 ObjectClass

4.4 Schema

4.5 backend & database

Edit `/etc/openldap/slapd.conf`

Edit `ldap.conf`

Edit `/etc/nsswitch.conf`