How To Install LDAP For FreedomBox
# Based on http://techpubs.spinlocksolutions.com/dklar/ldap.html#idp5260208
```sh
sudo apt-get install slapd ldap-utils ldapscripts libnss-ldap libpam-ldap nscd
sudo dpkg-reconfigure -plow slapd
```
# Configure OpenLDAP

- Omit Database configuration: No
- DNS domain name: example.org
- Organization name: <my organization>
- Database backend to use: MDB
- Do you want the database to be removed when slapd is purged: Yes
- Move old database: Yes
# Verify configuration

Look at the configuration using server-side tools:

```sh
sudo slapcat
```

Look at the configuration using an LDAP client tool:

```sh
ldapsearch -x -W -D cn=admin,dc=example,dc=org -H ldapi:/// -b dc=example,dc=org
```

Both commands should display the properties for two objects: the root organization object and the admin security object.
# Breakdown of the ldapsearch command

Quick tutorial on ldapsearch:

- -x simple authentication (i.e. username and password)
- -W prompt for the password
- -D distinguished name of the user logging into LDAP (i.e. cn=<username>,dc=example,dc=org)
- -H URI of the server to contact (ldapi:/// is the local Unix socket)
- -b base DN at which the search starts
# Load standard schema files (you can ignore any errors)

These commands load the standard schemas for the LDAP objects used to manage account information. They may already be loaded, but it never hurts to tell LDAP to add them again.

```sh
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/core.ldif
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
```
# Configure LDAP client

You can update the LDAP client configuration file to set some sane defaults to minimize typing.

/etc/ldap/ldap.conf (ldap.conf uses whitespace, not "=", between keyword and value):

```
# Uncomment and set BASE
BASE dc=example,dc=org
# Uncomment and set URI
URI ldapi:///
```

Test the configuration:

```sh
ldapsearch -x
sudo slapcat
```
# Create OU tree

To store users and groups we first need to create organizational units (OUs) to hold the objects. The simplest way of adding objects is to create LDAP Data Interchange Format (LDIF) files and use the standard OpenLDAP command-line tools to import the data. Note the blank lines: in LDIF, records are separated by blank lines.

ou.ldif:

```ldif
dn: ou=People,dc=example,dc=org
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: organizationalUnit
```

```sh
ldapadd -c -x -D cn=admin,dc=example,dc=org -W -f ou.ldif
```
You can also create a user account using LDIF files, but below we show a way of using command-line scripts to make the process a little simpler. In keeping with the tradition of making a unique group for each user, we make the group before creating the user account so we can set that user's default group.

user.ldif:

```ldif
dn: cn=nick,ou=group,dc=example,dc=org
cn: nick
gidNumber: 20000
objectClass: top
objectClass: posixGroup

dn: uid=nick,ou=people,dc=example,dc=org
uid: nick
uidNumber: 20000
gidNumber: 20000
cn: Nick
sn: Jones
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/nick
```

```sh
ldapadd -c -x -D cn=admin,dc=example,dc=org -W -f user.ldif
```

If you want to set a password for the user, run this command (-S prompts for the new password):

```sh
ldappasswd -x -D cn=admin,dc=example,dc=org -W -S uid=nick,ou=people,dc=example,dc=org
```
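Hand-writing user.ldif for every account gets tedious and makes it easy to paste a username containing a comma or newline straight into a DN. The script below, an added example that is not part of the original page, generates the same posixGroup plus posixAccount pair for any account and rejects unsafe input first; BASE_DN and the uid/gid range are assumptions for this example.

```shell
# Added example, not from the original page: generate the group + user LDIF
# pair shown above for any account, refusing input that could alter the DN or
# inject a second LDIF record. BASE_DN and the id range are assumptions.
LC_ALL=C; export LC_ALL        # keep [a-z] ranges literal in every locale
BASE_DN="dc=example,dc=org"
MIN_ID=20000; MAX_ID=59999     # assumed range of LDAP-managed uid/gid numbers

# make_user_ldif <username> <uid/gid number> <given name> <surname>
# Prints LDIF for a posixGroup and a posixAccount with uidNumber == gidNumber,
# or prints nothing and returns 1 when an argument is unsafe.
make_user_ldif() {
    user=$1; idnum=$2; given=$3; surname=$4
    # Portable lowercase usernames only: a ',', '+', '=' or newline would
    # change the DN, and a leading digit or '-' confuses adduser-style tools.
    case $user in
        ''|*[!a-z0-9_-]*|[!a-z_]*) echo "rejected username: $user" >&2; return 1 ;;
    esac
    case $idnum in
        ''|*[!0-9]*) echo "rejected id number: $idnum" >&2; return 1 ;;
    esac
    if [ "$idnum" -lt "$MIN_ID" ] || [ "$idnum" -gt "$MAX_ID" ]; then
        echo "id $idnum outside $MIN_ID-$MAX_ID" >&2; return 1
    fi
    # Only an embedded newline in a name could split the record (wc -l counts them).
    if [ $(( $(printf '%s' "$given$surname" | wc -l) )) -ne 0 ]; then
        echo "newline in name" >&2; return 1
    fi
    cat <<EOF
dn: cn=$user,ou=Group,$BASE_DN
cn: $user
gidNumber: $idnum
objectClass: top
objectClass: posixGroup

dn: uid=$user,ou=People,$BASE_DN
uid: $user
uidNumber: $idnum
gidNumber: $idnum
cn: $given
sn: $surname
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/$user
EOF
}
# Usage: make_user_ldif nick 20000 Nick Jones | ldapadd -c -x -D cn=admin,$BASE_DN -W
if [ "$#" -ge 4 ]; then make_user_ldif "$@"; fi
```

ldapadd reads LDIF from standard input when no -f file is given, so the generated records can be piped straight into the same command used above.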
# Integrating with local authentication

These steps are optional if you are only interested in web authentication or authorization. They show how to use LDAP as the source for local account information. At the end of these steps you should be able to log into the local computer using account information stored either in the traditional /etc/passwd file or in the LDAP directory.

First verify that a local account with the same username as the LDAP account you just created does not exist:

```sh
id nick
```

Update the Name Service Switch to look at your LDAP server.

/etc/libnss-ldap.conf:

```
base dc=example,dc=org
uri ldap://ldap-server
```

/etc/nsswitch.conf:

```
passwd: files ldap
group: files ldap
```

Now verify that the local system can look up the account information for LDAP accounts:

```sh
id nick
```

PAM should already be configured to use LDAP to authenticate users logging in locally, but you will need to modify PAM to auto-create home directories when users log on for the first time.

```sh
echo 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' | sudo tee -a /etc/pam.d/common-session
```
Instead of using LDIF-formatted files you can also use the ldapscripts commands, which are similar to the traditional adduser command. To use them you first need to update the ldapscripts configuration file to point at your local directory server.

/etc/ldapscripts/ldapscripts.conf:

```
# update BINDDN and SUFFIX to match your directory
BINDDN="cn=admin,dc=example,dc=org"
SUFFIX="dc=example,dc=org"
```

You will also need to provide the password for the admin account created when configuring OpenLDAP. Be sure to use the echo command to create the password file instead of an editor. Most editors automatically add extra characters (a trailing newline) to the end of the file and your password won't work anymore. The file holds the directory admin password, so keep it readable by root only.

```sh
echo -n 'secret' | sudo tee /etc/ldapscripts/ldapscripts.passwd > /dev/null
sudo chmod 600 /etc/ldapscripts/ldapscripts.passwd
```
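Because the two failure modes here (a stray trailing newline and a world-readable password file) are silent until a bind fails or someone reads the file, a small check is worth having. The functions below are an added example, not part of the original page or of ldapscripts: one writes the file the safe way, the other verifies an existing file; the use of GNU stat -c is an assumption (it holds on Debian).

```shell
# Added example, not from the original page: write the ldapscripts bind
# password without a trailing newline and with restrictive permissions, then
# verify an existing file meets both conditions. Uses GNU stat (assumption).

# write_secret_file <path> <secret>: printf '%s' adds no newline, unlike
# echo, and umask 077 makes the file mode 0600 from the moment it is created.
write_secret_file() {
    ( umask 077 && printf '%s' "$2" > "$1" )
}

# check_secret_file <path>: returns 0 only if the file is non-empty, mode 0600
# and free of a trailing newline; otherwise prints the reason and returns 1.
check_secret_file() {
    f=$1
    if [ ! -s "$f" ]; then
        echo "$f: missing or empty" >&2; return 1
    fi
    mode=$(stat -c %a "$f")
    if [ "$mode" != "600" ]; then
        echo "$f: mode $mode, expected 600 (bind password readable by others)" >&2
        return 1
    fi
    # wc -l counts newline characters; the final byte must not be one.
    if [ $(( $(tail -c 1 "$f" | wc -l) )) -ne 0 ]; then
        echo "$f: ends with a newline; ldapscripts would bind with the wrong password" >&2
        return 1
    fi
    return 0
}

# Usage (as root): write_secret_file /etc/ldapscripts/ldapscripts.passwd 'secret'
#                  check_secret_file /etc/ldapscripts/ldapscripts.passwd
```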