Differences between revisions 1 and 55 (spanning 54 versions)
Revision 1 as of 2004-01-11 21:34:12
Size: 1227
Editor: anonymous
Comment:
Revision 55 as of 2006-05-01 02:03:05
Size: 5059
Comment:
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
= Configuring LDAP Authentication for Debian =
== OpenLDAPSetup ==
1. Install the ["OpenLDAP"] package [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=slapd slapd]
= Initial LDAP Setup for Debian 3.1 (Sarge) =
''Updated 2005-08-02 by DanielDickinson (added new content; left old content at bottom of page).''
''Updated 2006-04-30 by DonovanBaarda (tweaked new content; removed old content).''
Line 6: Line 6:
Do '{{{apt-get install slapd}}}', answering prompts as required and generaly picking defaults except where they are obviously examples. If, '''read ["LDAPOverview"]''', you have not, do it now, you must.
Line 8: Line 8:
2. Edit the LDAP configuration file == Important Note On [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=nscd Nscd] ==
I highly recommend you do not install [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=nscd nscd] until after you have all your LDAP-based functionality working. This is because {{{nscd}}} (Name Service __Caching__ Daemon) caches reads from the directory which means that a change you make in the tree will not be immediately seen by your client. That makes debugging very difficult and confusing. Trust me. On the other hand it does help system speed once you're done.


== i. Install the OpenLDAP package [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=slapd slapd] ==
Do '{{{apt-get install slapd}}}' answering the prompts as follows:

 1. For the DNS domain name, enter your domain name.
   1. This will be translated from '{{{part1.part2.part3}}} to an {{{LDAP}}} base of '{{{dc=part1,dc=part2,dc=part3}}}'.
   1. For example, '{{{theend.ofthe.world}}}' would become '{{{dc=theend,dc=ofthe,dc=world}}}'.
   1. This becomes what is known as your ["BaseDN"].
 1. For your organzation you can enter any string; this becomes associated the '{{{ou}}}' field of your ["BaseDN"] record.
 1. Next enter your LDAP administrator password twice. This will set the password for '{{{cn=admin,[["BaseDN"}}}]] and give '{{{cn=admin,[["BaseDN"}}}]]' write access to everything in your LDAP tree.
 1. Accept the default of {{{No}}} to the question {{{Allow ["LDAPv2"}}} protocol]


== ii. Edit the LDAP configuration file ==
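Review bot: in the third and fourth list items the wiki-link markup is interleaved with the monospace span, `'{{{cn=admin,[["BaseDN"}}}]]` and `{{{Allow ["LDAPv2"}}} protocol]`, so neither the link nor the code span will render; close the `{{{...}}}` span before opening the link (for example `{{{cn=admin,}}}["BaseDN"]`), and fix the "organzation" typo in the second item.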
Line 11: Line 27:
 BASE dc=<yourhost>,dc=<your>,dc=<domain>  BASE dc=<your>,dc=<domain>
Line 15: Line 31:
3. Tune your LDAP server performance
Line 17: Line 32:
To improve LDAP performance, edit {{{/etc/ldap/slapd.conf}}} to set more indexes than the stable (a.k.a. 'woody') default of just objectClass (taken from the Mandrake documentation):{{{
  index objectClass,uid,uidNumber,gidNumber eq
  index cn,mail,surname,givenName eq,subinitial
== iii. Configuring 'chsh' and 'chfn' to work with LDAP ==
Edit '{{{/etc/ldap/slapd.conf}}}' to allow access for users to update their {{{loginShell}}} and {{{gecos}}} entries by adding the following before the '{{{access to *}}}' entry:

=== Skeleton ===
{{{
 access to attrs=loginShell,gecos
       by dn="cn=admin,[["BaseDN"]]" write
       by self write
       by * read
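Review bot: the new instruction to add the directive "before the '{{{access to *}}}' entry" gives no reason, which readers will need when they later reorder slapd.conf; add a sentence stating that slapd applies the first `access to` clause whose target matches, so a clause placed after `access to *` is never reached and the `by self write` grant would silently have no effect.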
Line 22: Line 43:
4. Update the LDAP indexes === Example ===
{{{
 access to attrs=loginShell,gecos
       by dn="cn=admin,dc=example,dc=com" write
       by self write
       by * read
}}}
Line 24: Line 51:

== iv. For better performance do more indexing than the default. ==
Modify {{{/etc/ldap/slapd.conf}}} to contain the following:{{{
 index objectClass eq
 index cn pres,sub,eq
 index sn pres,sub,eq
 index uid pres,sub,eq
 index displayName pres,sub,eq
 index default sub
 index uidNumber eq
 index gidNumber eq
 index mail,givenName eq,subinitial
 index dc eq
}}}

== v. Update the LDAP indices ==
Line 29: Line 72:


== For SAMBA LDAP support ==

For Samba LDAP, slapd needs the Samba schema. The debian package seems to have a samba.schema file which is old and out of date, and a samba.schema.gz file which is actually the correct one. Do the following (as {{{root}}}):{{{
# cd /usr/share/doc/samba-doc/examples/LDAP
# gunzip samba.schema.gz
# cp samba.schema /etc/ldap/schema/
}}}

Now add the following line to /etc/ldap/slapd.conf after the other includes:{{{
include /etc/ldap/schema/samba.schema
}}}

And restart slapd:{{{
# /etc/init.d/slapd restart
}}}


== Access controls for subtree-specific LDAP Admins ==
If you choose to use ["LDAP"] for many functions, such having a single server for DNS, Authentication, and networking flat file database replacement, you may wish to have LDAP administrative users for each subtree in addition to the global admin ({{{dn="cn=admin,[["BaseDN"}}}]]"). The following example is useful when using a separate authentication tree which includes Samba.

=== Skeleton ===
{{{
 # The manager dn has full write access to the auth subtree
 # Everyone else has read access to not otherwise protected fields and entries
 access to dn.sub="ou=auth,[["BaseDN"]]"
         by dn="cn=Manager,ou=auth,[["BaseDN"]]" write
         by * read
}}}


=== Example ===
{{{
 # The manager dn has full write access to the auth subtree
 # Everyone else has read access to not otherwise protected fields and entries
 access to dn.sub="ou=auth,dc=example,dc=com"
         by dn="cn=Manager,ou=auth,dc=example,dc=com" write
         by * read
}}}
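Review bot: the subtree directive ends with `by * read`, which also matches anonymous binds, so every attribute under ou=auth that no earlier directive restricts becomes readable by anyone; since the text says this tree "includes Samba", either place a more specific `access to attrs=...` directive for the password attributes ahead of it (the chsh/chfn section already shows that pattern) or change the last clause to `by users read`.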
Line 30: Line 114:
 * ["LDAPAuthentication"] || Previous: [["LDAPOverview"]] || Top: ["LDAP"] || Next: ["LDAPMigrationTools"] ||

Initial LDAP Setup for Debian 3.1 (Sarge)

Updated 2005-08-02 by DanielDickinson (added new content; left old content at bottom of page). Updated 2006-04-30 by DonovanBaarda (tweaked new content; removed old content).

If, read ["LDAPOverview"], you have not, do it now, you must.

Important Note On [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=nscd Nscd]

I highly recommend you do not install [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=nscd nscd] until after you have all your LDAP-based functionality working. This is because nscd (Name Service Caching Daemon) caches reads from the directory which means that a change you make in the tree will not be immediately seen by your client. That makes debugging very difficult and confusing. Trust me. On the other hand it does help system speed once you're done.

i. Install the OpenLDAP package [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=slapd slapd]

Do 'apt-get install slapd' answering the prompts as follows:

  1. For the DNS domain name, enter your domain name.
    1. This will be translated from 'part1.part2.part3' to an LDAP base of 'dc=part1,dc=part2,dc=part3'.
    2. For example, 'theend.ofthe.world' would become 'dc=theend,dc=ofthe,dc=world'.
    3. This becomes what is known as your ["BaseDN"].
  2. For your organization you can enter any string; this becomes associated with the 'ou' field of your ["BaseDN"] record.
  3. Next enter your LDAP administrator password twice. This will set the password for 'cn=admin,[["BaseDN"]]' and give 'cn=admin,[["BaseDN"]]' write access to everything in your LDAP tree.
  4. Accept the default of No to the question "Allow ["LDAPv2"] protocol?"

ii. Edit the LDAP configuration file

To make using LDAP utilities like 'ldapsearch' a little less painful, edit /etc/ldap/ldap.conf (installed by the 'libldap2' package on the stable (a.k.a. 'woody') distribution) to set:

 BASE dc=<your>,dc=<domain>
 URI ldap://localhost

iii. Configuring 'chsh' and 'chfn' to work with LDAP

Edit '/etc/ldap/slapd.conf' to allow access for users to update their loginShell and gecos entries by adding the following before the 'access to *' entry:

Skeleton

 access to attrs=loginShell,gecos
       by dn="cn=admin,[["BaseDN"]]" write
       by self write
       by * read

Example

 access to attrs=loginShell,gecos
       by dn="cn=admin,dc=example,dc=com" write
       by self write
       by * read

iv. For better performance do more indexing than the default.

Modify /etc/ldap/slapd.conf to contain the following:

 index  objectClass      eq
 index  cn               pres,sub,eq
 index  sn               pres,sub,eq
 index  uid              pres,sub,eq
 index  displayName      pres,sub,eq
 index  default          sub
 index  uidNumber        eq
 index  gidNumber        eq
 index  mail,givenName   eq,subinitial
 index  dc               eq

v. Update the LDAP indices

Make sure the indexes are updated by doing (as root):

  # /etc/init.d/slapd stop
  # slapindex
  # /etc/init.d/slapd start

For SAMBA LDAP support

For Samba LDAP, slapd needs the Samba schema. The Debian package seems to have a samba.schema file which is old and out of date, and a samba.schema.gz file which is actually the correct one. Do the following (as root):

# cd /usr/share/doc/samba-doc/examples/LDAP 
# gunzip samba.schema.gz 
# cp samba.schema /etc/ldap/schema/

Now add the following line to /etc/ldap/slapd.conf after the other includes:

include /etc/ldap/schema/samba.schema

And restart slapd:

# /etc/init.d/slapd restart

Access controls for subtree-specific LDAP Admins

If you choose to use ["LDAP"] for many functions, such as having a single server for DNS, authentication, and replacement of the networking flat-file databases, you may wish to have LDAP administrative users for each subtree in addition to the global admin (dn="cn=admin,[["BaseDN"]]"). The following example is useful when using a separate authentication tree which includes Samba.

Skeleton

 # The manager dn has full write access to the auth subtree
 # Everyone else has read access to not otherwise protected fields and entries
 access to dn.sub="ou=auth,[["BaseDN"]]"
         by dn="cn=Manager,ou=auth,[["BaseDN"]]" write
         by * read

Example

 # The manager dn has full write access to the auth subtree
 # Everyone else has read access to not otherwise protected fields and entries
 access to dn.sub="ou=auth,dc=example,dc=com"
         by dn="cn=Manager,ou=auth,dc=example,dc=com" write
         by * read
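Why the chsh/chfn directive has to sit before the 'access to *' entry, and how it interacts with the subtree-admin directive above, follows from slapd's first-match evaluation. The following is an added example, not code from this wiki page or from OpenLDAP: it models only the directive forms used on this page, and the 'access to *' catch-all (which the page mentions but does not show) is a constructed stand-in.

```python
# Toy model of how slapd evaluates the 'access to' directives on this page
# (added example; supports only attrs=, dn.sub=, * targets and dn=, self, * who-clauses).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def norm(dn):
    """Case-fold and strip a DN so plain string comparison is meaningful."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def target_matches(kind, value, entry_dn, attr):
    if kind == "*":
        return True
    if kind == "attrs":
        return attr in value
    base, ent = norm(value), norm(entry_dn)  # kind == "dn.sub": entry at or below base
    return ent == base or ent.endswith("," + base)

def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if bind_dn is None:  # anonymous bind never matches 'self' or a named dn
        return False
    if who == "self":
        return norm(bind_dn) == norm(entry_dn)
    return norm(bind_dn) == norm(who[len("dn="):])  # exact DN match

def access_level(rules, bind_dn, entry_dn, attr):
    """First 'access to' clause whose target matches decides; inside it the first
    matching 'by' clause wins; no matching 'by' means denied, with no fall-through."""
    for kind, value, by in rules:
        if target_matches(kind, value, entry_dn, attr):
            for who, level in by:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"
    return "none"  # no clause matched at all: treated as denied in this model

def allows(rules, bind_dn, entry_dn, attr, wanted):
    return LEVELS.index(access_level(rules, bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)

ADMIN = "dn=cn=admin,dc=example,dc=com"
MANAGER = "dn=cn=Manager,ou=auth,dc=example,dc=com"
CHSH_ACL = ("attrs", {"loginShell", "gecos"}, [(ADMIN, "write"), ("self", "write"), ("*", "read")])
AUTH_ACL = ("dn.sub", "ou=auth,dc=example,dc=com", [(MANAGER, "write"), ("*", "read")])
# Constructed stand-in for the 'access to *' entry the page mentions but does not show.
CATCH_ALL = ("*", None, [(ADMIN, "write"), ("*", "read")])

def slapd_conf(chsh_before_catch_all=True):
    """Directive order as the page prescribes, or with the chsh/chfn rule misplaced."""
    return [CHSH_ACL, AUTH_ACL, CATCH_ALL] if chsh_before_catch_all else [AUTH_ACL, CATCH_ALL, CHSH_ACL]
```

Note that with the page's ordering the attrs directive also shadows the ou=auth manager for loginShell and gecos: the manager gets only read on those two attributes, because the first matching 'access to' clause decides.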
