Differences between revisions 1 and 60 (spanning 59 versions)
Revision 1 as of 2004-01-11 21:34:12
Size: 1227
Editor: anonymous
Comment:
Revision 60 as of 2008-06-30 21:11:15
Size: 3402
Editor: ArthurDeJong
Comment: clean up topic
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
## Auto-converted by kwiki2moinmoin v2005-10-07
= Configuring LDAP Authentication for Debian =
== OpenLDAPSetup ==
1. Install the ["OpenLDAP"] package [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=slapd slapd]
= Setting up an LDAP server with OpenLDAP =
Line 6: Line 3:
Do '{{{apt-get install slapd}}}', answering prompts as required and generaly picking defaults except where they are obviously examples. == Install the OpenLDAP package slapd ==
Line 8: Line 5:
2. Edit the LDAP configuration file Install the package with:
{{{
  # apt-get install slapd
}}}
answering the prompts as follows:
Line 10: Line 11:
To make using LDAP utilities like '{{{ldapsearch}}}' a little less painful, edit {{{/etc/ldap/ldap.conf}}} (installed by the '{{{libldap2}}}' package on the stable (a.k.a. 'woody') distribution) to set:{{{
 BASE dc=<yourhost>,dc=<your>,dc=<domain>
 URI ldap://localhost
 * For the DNS domain name, enter your domain name.
 [[BR]]This will be translated to an LDAP DN (for example, '{{{example.com}}}' would become '{{{dc=example, dc=com}}}'). This becomes what is known as your BaseDN, the root of your database.
 * For your organzation you can enter any string; this becomes associated the '{{{ou}}}' field of your BaseDN record.
 * Next enter your LDAP administrator password twice. This will set the password for '{{{cn=admin, BaseDN}}} and give '{{{cn=admin, BaseDN}}}' write access to everything in your LDAP tree.
 * Accept the default of {{{No}}} to the question {{{Allow LDAPv2}}} protocol

For querying the LDAP server utilities like {{{ldapsearch}}} are available. See the ["LDAPTools"] topic for more details.

== For better performance do more indexing than the default. ==

Modify {{{/etc/ldap/slapd.conf}}} to contain the following:
{{{
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index default sub
index uidNumber eq
index gidNumber eq
index mail,givenName eq,subinitial
index dc eq
Line 15: Line 35:
3. Tune your LDAP server performance

To improve LDAP performance, edit {{{/etc/ldap/slapd.conf}}} to set more indexes than the stable (a.k.a. 'woody') default of just objectClass (taken from the Mandrake documentation):{{{
  index objectClass,uid,uidNumber,gidNumber eq
  index cn,mail,surname,givenName eq,subinitial
After any new indexes have been defined or other major database changes have been made (e.g. {{{slapadd}}} was used) it is best to recreate the indexes. Note that you should stop {{{slapd}}} before recreating the indexes and should fix the permissions afterward.
{{{
  # /etc/init.d/slapd stop
  # slapindex
  # chown -R openldap:openldap /var/lib/ldap
  # /etc/init.d/slapd start
Line 22: Line 43:
4. Update the LDAP indexes == Configuring 'chsh' and 'chfn' to work with LDAP ==
Line 24: Line 45:
Make sure the indexes are updated by doing (as {{{root}}}):{{{
  # /etc/init.d/slapd stop
  # slapindex
  # /etc/init.d/slapd start
Edit '{{{/etc/ldap/slapd.conf}}}' to allow access for users to update their {{{loginShell}}} and {{{gecos}}} entries by adding the following before the '{{{access to *}}}' entry:

{{{
access to attrs=loginShell,gecos
      by dn="cn=admin,dc=example,dc=com" write
      by self write
      by * read
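Review bot: `by self write` on `access to attrs=loginShell,gecos` lets a user set loginShell to any string: the /etc/shells restriction is enforced by the chsh program, slapd checks nothing about the value, so a bind as the user plus ldapmodify can install a shell no admin allowed. If that matters, scope the rule to permitted values with the attribute-value selector of slapd.access(5) (`attrs=loginShell val.regex=...`) or leave the attribute admin-only. The hunk also hardcodes `cn=admin,dc=example,dc=com`; say that it must be the site's BaseDN admin, and that the rule only takes effect if it precedes `access to *`, since slapd uses the first matching directive.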
Line 29: Line 53:
----
 * ["LDAPAuthentication"]

== For SAMBA LDAP support ==

For Samba LDAP, slapd needs the Samba schema. The Debian package seems to have a samba.schema file which is old and out of date, and a samba.schema.gz file which is actually the correct one. Do the following (as {{{root}}}):
{{{
  # cd /usr/share/doc/samba-doc/examples/LDAP
  # gunzip samba.schema.gz
  # cp samba.schema /etc/ldap/schema/
}}}

Now add the following line to /etc/ldap/slapd.conf after the other includes:
{{{
include /etc/ldap/schema/samba.schema
}}}

And restart slapd:
{{{
  # /etc/init.d/slapd restart
}}}

== Access controls for subtree-specific LDAP Admins ==

If you choose to use LDAP for many functions, such as having a single server for DNS, Authentication, and networking flat file database replacement, you may wish to have LDAP administrative users for each subtree in addition to the global admin ({{{dn="cn=admin, dc=example, dc=com}}}). The following example is useful when using a separate authentication tree which includes Samba.

{{{
 # The manager dn has full write access to the auth subtree
 # Everyone else has read access to not otherwise protected fields and entries
 access to dn.sub="ou=auth,dc=example,dc=com"
         by dn="cn=Manager,ou=auth,dc=example,dc=com" write
         by * read
}}}
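
Review bot: `by * read` in `access to dn.sub="ou=auth,dc=example,dc=com"` covers every attribute under the subtree, and slapd stops at the first `access to` whose target matches; unless an `access to attrs=userPassword,sambaNTPassword,sambaLMPassword ... by * none` rule is placed ahead of it (naming cn=Manager if the subtree admin should set passwords), the userPassword values and the Samba hashes that the samba.schema added in this same hunk makes possible become readable to anonymous clients. The hunk says the rule exists but not where it goes; state the required ordering next to the example.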

Setting up an LDAP server with OpenLDAP

Install the OpenLDAP package slapd

Install the package with:

  # apt-get install slapd

answering the prompts as follows:

  • For the DNS domain name, enter your domain name.

    This will be translated to an LDAP DN (for example, 'example.com' becomes 'dc=example,dc=com'). This becomes what is known as your BaseDN, the root of your database.

  • For your organization you can enter any string; it is stored in the 'o' (organization) attribute of the BaseDN entry.

  • Next enter your LDAP administrator password twice. This sets the password for 'cn=admin,BaseDN' and gives 'cn=admin,BaseDN' write access to everything in your LDAP tree: it is the rootdn, to which slapd's access controls do not apply, so treat it like root.

  • Accept the default of No to the question Allow LDAPv2 protocol. LDAPv2 is obsolete, has neither SASL binds nor StartTLS, and only very old clients still need it.

For querying the LDAP server, utilities such as ldapsearch are available. See the ["LDAPTools"] topic for more details.

For better performance, index more attributes than the default.

Modify /etc/ldap/slapd.conf to contain the following:

index   objectClass             eq
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   uid                     pres,sub,eq
index   displayName             pres,sub,eq
index   default                 sub
index   uidNumber               eq
index   gidNumber               eq
index   mail,givenName          eq,subinitial
index   dc                      eq

After any new indexes have been defined or other major database changes have been made (e.g. slapadd was used), recreate the indexes. Stop slapd before running slapindex, and fix the ownership afterwards: slapindex run as root leaves root-owned files under /var/lib/ldap, which slapd, running as the openldap user, cannot open.

  # /etc/init.d/slapd stop
  # slapindex
  # chown -R openldap:openldap /var/lib/ldap
  # /etc/init.d/slapd start
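The index list above, and the slapindex step after it, matter because nss_ldap and pam_ldap issue the same equality lookups on every login and every getpwnam/getgrnam call, and an equality filter on an attribute without an eq index makes slapd walk the whole database. The following Python is an added example written for this page, not OpenLDAP code: it parses index directives (including the 'index default' form used above), compares them with the equality lookups the standard posixAccount/posixGroup filters use, and produces the index lines that are missing. The REQUIRED list is an assumption drawn from those filters, not something the page specifies, and it goes one attribute beyond the page's set: against the page's own list it reports memberUid, which nss_ldap's group-membership lookup (memberUid=<user>) hits for every login.

```python
"""Lint the 'index' directives of a slapd.conf against the equality lookups
that NSS/PAM LDAP lookups need. Added illustration, not OpenLDAP code."""

# (attribute, index type) pairs the standard posixAccount/posixGroup filters
# use; this list is an assumption, not taken from the page.
REQUIRED = [
    ("objectClass", "eq"),  # every filter carries (objectClass=posixAccount) or posixGroup
    ("uid", "eq"),          # getpwnam(), PAM authentication
    ("uidNumber", "eq"),    # getpwuid()
    ("gidNumber", "eq"),    # getgrgid(), primary group lookup
    ("cn", "eq"),           # getgrnam()
    ("memberUid", "eq"),    # initgroups(): (memberUid=<user>) matched against every group
]


def parse_index_lines(conf):
    """Map lower-cased attribute -> set of index types from 'index' directives.

    'index default <types>' changes the types that later 'index <attr>' lines
    without an explicit type list receive, as slapd.conf(5) defines it."""
    indexes, default = {}, set()
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "index":
            continue
        types = set(parts[2].split(",")) if len(parts) > 2 else set(default)
        if parts[1] == "default":
            default = types
            continue
        for attr in parts[1].split(","):        # 'index mail,givenName eq,subinitial'
            indexes.setdefault(attr.lower(), set()).update(types)
    return indexes


def missing_indexes(conf, required=REQUIRED):
    """(attribute, type) pairs from required that conf does not index."""
    have = parse_index_lines(conf)
    return [(a, t) for a, t in required if t not in have.get(a.lower(), set())]


def suggested_lines(conf, required=REQUIRED):
    """'index' directives that would close the gaps, one per attribute."""
    wanted = {}
    for attr, typ in missing_indexes(conf, required):
        wanted.setdefault(attr, []).append(typ)
    return ["index %s %s" % (a, ",".join(t)) for a, t in wanted.items()]


# Constructed copy of the index lines from this page.
PAGE_INDEXES = """
index   objectClass             eq
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   uid                     pres,sub,eq
index   displayName             pres,sub,eq
index   default                 sub
index   uidNumber               eq
index   gidNumber               eq
index   mail,givenName          eq,subinitial
index   dc                      eq
"""

if __name__ == "__main__":
    for line in suggested_lines(PAGE_INDEXES):
        print("add to /etc/ldap/slapd.conf:", line)
    print("then: stop slapd, slapindex, chown -R openldap:openldap /var/lib/ldap, start slapd")
```

Run it against a copy of the real /etc/ldap/slapd.conf to get the lines to add; after adding them the stop/slapindex/chown/start sequence above is still required, because an index declared in slapd.conf is only built by slapindex (or by later writes), never retroactively.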

Configuring 'chsh' and 'chfn' to work with LDAP

Edit '/etc/ldap/slapd.conf' to let users update their own loginShell and gecos attributes by adding the following before the 'access to *' entry. The position matters: slapd applies the first 'access to' directive whose target matches, so a rule placed after 'access to *' is never consulted. Replace cn=admin,dc=example,dc=com with the admin DN of your own BaseDN:

access to attrs=loginShell,gecos
      by dn="cn=admin,dc=example,dc=com" write
      by self write
      by * read

For SAMBA LDAP support

For Samba LDAP, slapd needs the Samba schema. The samba-doc package appears to ship an old, out-of-date samba.schema next to a samba.schema.gz that is the current one. Do the following (as root):

  # cd /usr/share/doc/samba-doc/examples/LDAP
  # gunzip samba.schema.gz
  # cp samba.schema /etc/ldap/schema/

Now add the following line to /etc/ldap/slapd.conf after the other includes:

include /etc/ldap/schema/samba.schema

And restart slapd:

  # /etc/init.d/slapd restart

Access controls for subtree-specific LDAP Admins

If you use LDAP for many functions, such as a single server for DNS, authentication and replacement of the NSS flat files (passwd, group, hosts and so on), you may want an administrative user for each subtree in addition to the global admin (dn="cn=admin,dc=example,dc=com"). The following example is useful when using a separate authentication tree which includes Samba. Because slapd stops at the first 'access to' directive that matches, any attribute rule that must still hold inside the subtree (the userPassword rule, and sambaNTPassword/sambaLMPassword once the Samba schema is loaded) has to come before this one; placed after it, the 'by * read' clause below makes those hashes readable to anyone who can reach the server.

 # The manager dn has full write access to the auth subtree
 # Everyone else has read access to not otherwise protected fields and entries
 access to dn.sub="ou=auth,dc=example,dc=com"
         by dn="cn=Manager,ou=auth,dc=example,dc=com" write
         by * read
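Both access-control sections on this page, the loginShell/gecos rule and the subtree-admin rule, depend on one property of slapd.access(5): slapd uses the first 'access to' directive whose target matches and then the first 'by' clause whose subject matches, with an implicit 'by * none' at the end of every directive and an implicit 'access to * by * none' after the last one, while the rootdn is not subject to ACLs at all. The following Python is an added example written for this page, not OpenLDAP code. It models exactly that subset of the syntax (targets '*', dn.sub= and attrs=; subjects dn=, self, anonymous, users and '*') and runs the page's two rules against constructed sample DNs. The password-attribute rule it combines them with is modelled on the Debian default slapd.conf and is an assumption, as are the DNs uid=alice,ou=auth,... and cn=Manager,... and the sambaNTPassword/sambaLMPassword attribute names, which come from the Samba schema. It shows that the chsh/chfn rule lets a user write only their own loginShell, and that the subtree rule, when it precedes the password rule, exposes the hashes under ou=auth to anonymous reads, whereas the same rules in the other order do not.

```python
"""Evaluate slapd.conf ACLs the way slapd does: first matching 'access to'
directive, then first matching 'by' clause. Added illustration, not
OpenLDAP code; only the syntax subset used on this page is supported."""
import shlex

# Access levels in increasing order, as ranked by slapd.access(5)
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def norm_dn(dn):
    """Case-fold and drop blanks after commas: 'cn=Admin, dc=X' -> 'cn=admin,dc=x'."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_acl(text):
    """'access to' lines -> [(target, [(who, level), ...])]; shlex strips the quotes of dn="..."."""
    rules = []
    for raw in text.splitlines():
        toks = shlex.split(raw.split("#", 1)[0])
        if toks[:2] == ["access", "to"]:
            target = {"dn_sub": None, "attrs": None}
            for tok in toks[2:]:
                if tok.startswith("dn.sub="):
                    target["dn_sub"] = norm_dn(tok[7:])
                elif tok.startswith("attrs="):
                    target["attrs"] = {a.lower() for a in tok[6:].split(",")}
                elif tok != "*":
                    raise ValueError("unsupported target clause: " + tok)
            rules.append((target, []))
        elif toks[:1] == ["by"] and len(toks) == 3 and rules and toks[2] in LEVELS:
            who = ("dn", norm_dn(toks[1][3:])) if toks[1].startswith("dn=") else (toks[1], None)
            if who[0] not in ("dn", "self", "anonymous", "users", "*"):
                raise ValueError("unsupported by clause: " + toks[1])
            rules[-1][1].append((who, toks[2]))
        elif toks:
            raise ValueError("cannot parse: " + raw)
    return rules


def _target_matches(target, entry_dn, attr):
    dn, base = norm_dn(entry_dn), target["dn_sub"]
    if base is not None and dn != base and not dn.endswith("," + base):
        return False
    return target["attrs"] is None or attr.lower() in target["attrs"]


def _who_matches(who, bind_dn, entry_dn):
    kind, dn = who
    if kind == "*" or (kind == "anonymous" and bind_dn is None):
        return True
    if bind_dn is None or kind == "anonymous":   # self, users and dn= need a bind
        return False
    return (kind == "users" or (kind == "self" and norm_dn(bind_dn) == norm_dn(entry_dn))
            or (kind == "dn" and norm_dn(bind_dn) == dn))


def granted(rules, rootdn, bind_dn, entry_dn, attr):
    """Level that bind_dn (None = anonymous) gets on attr of entry_dn."""
    if bind_dn is not None and norm_dn(bind_dn) == norm_dn(rootdn):
        return "write"                      # the rootdn is never subject to ACLs
    for target, by_clauses in rules:
        if _target_matches(target, entry_dn, attr):
            for who, level in by_clauses:
                if _who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"                   # implicit 'by * none'
    return "none"                           # implicit 'access to * by * none'


def allows(rules, rootdn, bind_dn, entry_dn, attr, needed):
    return LEVELS.index(granted(rules, rootdn, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)


# Constructed sample DNs; the rootdn is the one Debian's debconf creates.
ROOTDN = "cn=admin,dc=example,dc=com"
ALICE = "uid=alice,ou=auth,dc=example,dc=com"
MANAGER = "cn=Manager,ou=auth,dc=example,dc=com"

CHSH_RULE = """
access to attrs=loginShell,gecos
      by dn="cn=admin,dc=example,dc=com" write
      by self write
      by * read
"""
# Password-attribute rule modelled on the Debian default slapd.conf (assumed),
# extended with the Samba hash attributes and the subtree manager.
PASSWORD_RULE = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
      by dn="cn=admin,dc=example,dc=com" write
      by dn="cn=Manager,ou=auth,dc=example,dc=com" write
      by anonymous auth
      by self write
      by * none
"""
SUBTREE_RULE = """
access to dn.sub="ou=auth,dc=example,dc=com"
      by dn="cn=Manager,ou=auth,dc=example,dc=com" write
      by * read
"""
CATCH_ALL = """
access to *
      by dn="cn=admin,dc=example,dc=com" write
      by * read
"""
CHSH_ACL = parse_acl(CHSH_RULE + PASSWORD_RULE + CATCH_ALL)
# Subtree rule ahead of the password rule: it matches first, so its 'by * read'
# also covers userPassword and the Samba hashes under ou=auth.
SUBTREE_ACL_AS_SHOWN = parse_acl(SUBTREE_RULE + PASSWORD_RULE + CATCH_ALL)
# Same rules, password rule first: hashes protected, the manager keeps write.
SUBTREE_ACL_FIXED = parse_acl(PASSWORD_RULE + SUBTREE_RULE + CATCH_ALL)
```

Import the module and call allows(): allows(SUBTREE_ACL_AS_SHOWN, ROOTDN, None, ALICE, "sambaNTPassword", "read") is True and the same call against SUBTREE_ACL_FIXED is False, while allows(SUBTREE_ACL_FIXED, ROOTDN, MANAGER, ALICE, "sambaNTPassword", "write") stays True. On a live server the equivalent check is an anonymous ldapsearch -x for an entry that has a sambaNTPassword: if the attribute comes back, the ordering is wrong.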