OpenLDAP
What is required
- OpenLDAP / slapd - LDAP Server
- pam_ldap - For unix password authentication
- nss_ldap - For unix name lookup.
- auth_ldap -
Before you start, here is a script for you.
Install
- OpenLDAP uses slapd which stands for standalone LDAP daemon.
- ldap-utils is a set of helper tools for running ldap.
aptitude install slapd ldap-utils
- Set administrative password for ldap.
- Now we will reconfigure it again so you get familiar with the details. There seems to be a bug in Debian when reconfiguring: it requires deleting the backup copy of the LDAP directory. Details follow.
- Let's reconfigure slapd and give it proper domain names so we are all on the same page:
dpkg-reconfigure slapd
- You can keep all the other settings as default
* Omit OpenLDAP server configuration? No
* DNS domain name: mycompany.com
* Organization name: mycompany.com
* Administrator password: ****
* Database backend to use: HDB (default)
* Do you want the database to be removed when slapd is purged? No
* Allow LDAPv2 protocol? No
- It is Easy!
Now you have an LDAP daemon working, congratulations. It will accept connections, etc. What needs to happen now is to set up the LDAP structure. Think of it as database tables and columns, but in the LDAP world this is a folder-like structure. Just an FYI: mycompany.com becomes dc=mycompany,dc=com, and admin@mycompany.com becomes cn=admin,dc=mycompany,dc=com.
- You can look at /etc/ldap/slapd.conf for details if you want to educate yourself.
- Start the OpenLDAP daemon
/etc/init.d/slapd start
- Let's check if we can query the LDAP server:
ldapsearch -x -b dc=mycompany,dc=com
- You should see the entries for "mycompany" and for "admin".
# search result
search: 2
You have a working ldap server.
1. Convert Linux users to ldap
2. Setup Linux client to authenticate against ldap
4. Create global addressbook
5. Migrate Windows NT domain to ldap with few simple steps.
Temporary Debian bug
- Reconfiguring is not working
dpkg-reconfigure slapd
Stopping OpenLDAP: slapd.
Moving old database directory to /var/backups:
Backup path /var/backups/unknown-2.4.11-1.ldapdb exists. Giving up...
* You need to:
rm -r /var/backups/unknown-2.4.11-1.ldapdb/
- And then it works.
dpkg-reconfigure slapd
Stopping OpenLDAP: slapd.
Moving old database directory to /var/backups:
- directory unknown... done.
Creating initial slapd configuration... done.
Creating initial LDAP directory... done.
Starting OpenLDAP: slapd.
- If you don't do that you will get:
ldapadd -x -W -D "cn=admin,dc=mycompany,dc=com" -f directory.ldiff
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
- This will fix the issue.
Authentication
Options for OpenLdap authentication
- Authentication has many options for you to choose from: plain passwords, Kerberos, or some other outside authentication mechanism.
Connect to openldap
- Let's connect to see what our server has.
- Install luma
aptitude update
aptitude install luma
- Start Luma
luma
Click on Settings
Click on Edit Server List
Click on Add
Type in the server name: Mycompany
- Click on network and type in a hostname then save.
Save and OK
- Click on Choose plugin and click on Addressbook, then Browser to see who and what is already in.
Simple addressbook
Let's create a simple addressbook, which will take a few seconds. Sample ideas:
- First we create organizational unit. Organizational unit (ou) is an addressbook, or some other type of unit that will hold our records.
- Create a file called directory.ldiff and inside put this:
dn: ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organizationalUnit
ou: addressbook
- Above means:
``dn: ou=addressbook, dc=mycompany, dc=com`` - This creates the organizational unit addressbook.mycompany.com
``objectClass: top`` - Tells it it's a top level Organizational Unit
``objectClass: organizationalUnit`` - Tells it what type of object it is. In this case it is an OrganizationalUnit.
``ou: addressbook`` - Again states the name of the ou.
- Now import the file:
ldapadd -x -f directory.ldiff -D "cn=admin,dc=mycompany,dc=com" -W
- Now let's add one more, just to get the hang of adding things and see where they are placed.
- Comment out the content of directory.ldiff, put this in at the bottom, then import it again.
dn: ou=accounting, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organizationalUnit
ou: accounting
- The reason we need to comment out the previous entries is that if we left them in, ldap would say the first entry in the file already exists. It would not add the second one; it would stop processing the file. The above created an organizational unit accounting.addressbook.mycompany.com.
- Now let's add our first contact. We create our definition like this. Create contact.ldiff and paste the code below:
dn: cn=Jane Doe, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jane Doe
gn: Jane
sn: Doe
mail: jane.doe@example.com
physicalDeliveryOfficeName: Conglomo, Inc., Financial Services
postalAddress: PO BOX 55555
organizationName: Conglomo, Inc., Financial Services
street: 123 N. Michigan Ave
l: Baton Rouge
st: LA
postalCode: 70555
telephoneNumber: 555-555-5555
facsimileTelephoneNumber: 555-555-5556
pager: 555-555-5557
mobile: 555-555-5558
homePhone: 555-555-5559
ou: addressbook
- Change what you need to. Here are some definitions of the fields:
The definitions are fairly standard. On top we see objectClass: person and objectClass: inetOrgPerson, which are among the standard object classes of LDAP. We are not using anything custom; these types already came with LDAP.
We are setting some of the attributes of inetOrgPerson:
``cn`` -Common Name
``mail``-aka email
``street``-Street address
``st`` -State
``l`` - City
``ou`` - Department aka the Organizational Unit
``postalCode`` - Zipcode
....
- And import it again.
ldapadd -x -f contact.ldiff -D "cn=admin,dc=mycompany,dc=com" -W
- Extra records can be added to the same file as long as a blank line is used to separate each different entry.
- Now you should see it in luma when you do browse.
- Now lets gets some details on our options:
Attribute | objectClass | Meaning
commonName, cn | person | Individual's full name
givenName, gn | inetOrgPerson | Individual's first name
surname, sn | person | Individual's last name
physicalDeliveryOfficeName | organizationalPerson | Department or delivery office name
mail | inetOrgPerson | Email address
postalAddress | organizationalPerson | Street mailing address
l | organizationalPerson | City
st | organizationalPerson | State
postalCode | organizationalPerson | Postal (ZIP) code
telephoneNumber | organizationalPerson | Work number
facsimileTelephoneNumber | organizationalPerson | Fax number
pager | inetOrgPerson | Pager number
mobile | inetOrgPerson | Mobile phone number
homePhone | inetOrgPerson | Home phone number
More schema definitions can be found here
For example you could create other structures like below, note the difference between ou and o:
dn: ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organizationalUnit
ou: addressbook
#Partners
dn: ou=partners, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organizationalUnit
ou: partners
#xyzAgent
dn: o=xyzAgency, ou=partners, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: organization
o: xyzAgency
And add a person like:
dn: cn=John Smith, o=xyzAgency, ou=partners, ou=addressbook, dc=mycompany, dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Smith
gn: John
sn: Smith
mail: Jsmith@example.com
organizationName: Conglomo, Inc., Financial Services
street: 123 N. Michigan Ave
l: Chicago
o: xyzAgency
st: IL
postalCode: 60645
telephoneNumber: 773-123-5555
facsimileTelephoneNumber: 555-555-5556
pager: 555-555-5557
mobile: 555-555-5558
homePhone: 555-555-5559
Thunderbird
- Mozilla Thunderbird 2.0+ will autocomplete email addresses as soon as you add them to the LDAP directory.
Outlook
- Outlook 2007 is working with this addressbook.
Outlook 2003: outlook and openldap fix from microsoft
or simply
go to the registry
and add under HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Outlook\LDAP
the DWORD DisableVLVBrowsing and set the value to 1
for Outlook 2003 use
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\LDAP
OpenLdap for User Authentication
Setup_OpenLdap_server.sh
This will install and configure the LDAP server and copy the base settings, users and groups from your Linux server, so that you can start authenticating clients in 1 min.
http://lucasmanual.com/out/setup_openldap_server.sh
Download it and run. Example:
wget http://lucasmanual.com/out/setup_openldap_server.sh
sh setup_openldap_server.sh
Migrating Unix Accounts to OpenLdap
- Right now the database in LDAP is empty, so we will need to add users, groups, etc.
- We do that using migrationtools, which copy all the information from the file-based system to LDAP.
- Install migrationtools
aptitude install migrationtools
- Lets see what programs are available to us
ls /usr/share/migrationtools/
migrate_aliases.pl migrate_group.pl
migrate_all_netinfo_offline.sh migrate_hosts.pl
migrate_all_netinfo_online.sh migrate_netgroup_byhost.pl
migrate_all_nis_offline.sh migrate_netgroup_byuser.pl
migrate_all_nis_online.sh migrate_netgroup.pl
migrate_all_nisplus_offline.sh migrate_networks.pl
migrate_all_nisplus_online.sh migrate_passwd.pl
migrate_all_offline.sh migrate_profile.pl
migrate_all_online.sh migrate_protocols.pl
migrate_automount.pl migrate_rpc.pl
migrate_base.pl migrate_services.pl
migrate_common.ph migrate_slapd_conf.pl
- migrate_all_online.sh will run all the scripts.
Before we run it we need to change the domain in migrate_common.ph. By default the file is set to padl.com, so we need to change it to mycompany.com.
cd /usr/share/migrationtools/
vi migrate_common.ph
- Change all the padl to mycompany or tell vi editor to do it for you with this command:
:%s/padl/mycompany/gc
And just press y to confirm.
There are 2 more issues we need to take account of: Bug 537406 means we need to add misc.schema to our slapd.conf setup, and if we get an error during migration we need to restart it with a command that will bypass the error.
- Add this line right below the last include line in /etc/ldap/slapd.conf, and restart slapd.
include /etc/ldap/schema/misc.schema
Let's do our migration to the system, but first check if slapd is running:
ps aux|grep slapd
#You should see
openldap 3557 0.7 0.9 112236 4808 ? Ssl 13:42 0:12 /usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf
./migrate_all_online.sh
Enter the X.500 naming context you wish to import into: [dc=mycompany,dc=com]
Enter the hostname of your LDAP server [ldap]: hpdebian #This is the hostname of the computer you are on. Type in hostname if you are not sure what it is.
Enter the manager DN: [cn=admin,dc=mycompany,dc=com]:
Enter the credentials to bind with:
Do you wish to generate a DUAConfigProfile [yes|no]? no
- If you received an error like:
adding new entry "cn=ssh,ou=Group,dc=mycompany,dc=com"
adding new entry "cn=lucas,ou=Group,dc=mycompany,dc=com"
adding new entry "cn=openldap,ou=Group,dc=mycompany,dc=com"
adding new entry "cn=localhost,ou=Hosts,dc=mycompany,dc=com"
adding new entry "cn=dellxps.mycompany,ou=Hosts,dc=mycompany,dc=com"
adding new entry "cn=localhost,ou=Hosts,dc=mycompany,dc=com"
ldap_add: Already exists (68)
/usr/bin/ldapadd : returned non-zero exit status: saving failed LDIF to /tmp/nis.ldif.lMsKHTfGYh
- Somehow the migrationtools generate the localhost entry twice. This is not a big problem, as we can rerun the script with ldapadd in continue mode (-c); this time it will skip the errors and continue.
LDAPADD="/usr/bin/ldapadd -c" ./migrate_all_online.sh
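Both the addressbook section (ldapadd stops at the first entry that already exists) and the migration run above (the localhost entry generated twice) come down to the same thing: an LDIF file that does not match what is already in the directory. The following added example, not part of the manual, checks an LDIF file before it is handed to ldapadd; it assumes only that the suffix dc=mycompany,dc=com already exists, and the sample LDIF is constructed.

```python
# Added example (not from the manual): a pre-flight check of an LDIF file
# for the problems ldapadd stops on: duplicate DN, missing parent, bad RDN.
import re
EXISTING_DNS = {"dc=mycompany,dc=com"}  # assumed to already exist on the server
# Constructed sample: a duplicate ou and a contact whose parent is missing.
SAMPLE = """dn: ou=addressbook, dc=mycompany, dc=com
objectClass: organizationalUnit
ou: addressbook

dn: ou=addressbook,dc=mycompany,dc=com
objectClass: organizationalUnit
ou: addressbook

dn: cn=Jane Doe, ou=accounting, ou=addressbook, dc=mycompany, dc=com
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
"""
def normalize_dn(dn):
    """Canonical DN: no spaces around the commas, lower-case."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """Entries are separated by blank lines -> [(dn, {attr: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            if key.strip() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if dn:
            entries.append((dn, attrs))
    return entries

def check_ldif(text, existing=EXISTING_DNS):
    """Return the problems ldapadd would hit (empty list: file should load)."""
    problems, known = [], {normalize_dn(d) for d in existing}
    for dn, attrs in parse_ldif(text):
        ndn = normalize_dn(dn)
        rdn, _, parent = ndn.partition(",")
        if ndn in known:
            problems.append("%s: Already exists (68)" % dn)
        elif parent not in known:
            problems.append("%s: parent %s not found" % (dn, parent))
        # The RDN value must also be an attribute value of the entry, or
        # slapd rejects the add as a naming violation (64).
        rattr, _, rvalue = rdn.partition("=")
        if rvalue not in [v.lower() for v in attrs.get(rattr, [])]:
            problems.append("%s: RDN value not in attribute %s" % (dn, rattr))
        known.add(ndn)
    return problems
```

Run check_ldif on the saved /tmp/nis.ldif.* file (or on directory.ldiff) and fix what it reports before rerunning ldapadd; pass the DNs already in the directory as existing.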
[Optional] If you got familiar with the migration and you would like to start from scratch, you can reconfigure slapd with dpkg-reconfigure slapd and, when asked, tell it to delete the old database. That way you will start from scratch. It will delete all ldap/slapd databases. You will need to add misc.schema back into the slapd.conf file.
dpkg-reconfigure slapd
[Optional] Don't forget to delete the backup with rm -r /var/backups/unknown-2.4.11-1.ldapdb and reconfigure slapd again if you see that dpkg-reconfigure slapd failed with Giving up...
- Congratulations. Your system was just migrated to ldap based server. Now we just need to setup your system to use ldap, and connect any clients to our ldap.
- Just to make sure everything is fine, see if you can search for yourself:
ldapsearch -x uid=lucas -b "dc=mycompany,dc=com"
Linux Client Integration with LDAP
- There are a few choices you can make on how to integrate LDAP with Linux.
- Let's do the basics first.
- Install ldap utils
aptitude install ldap-utils
- See if you can connect to the LDAP server. Replace the IP address with yours.
ldapsearch -x -b dc=mycompany,dc=com -h 192.168.1.110
or
ldapsearch -x -b ou=People,dc=mycompany,dc=com -h 192.168.1.110
libnss-ldap
[definition]libpam - PAM (Pluggable Authentication Modules) is the system used for user authentication: it checks whether the provided login and password are correct, performs some other tasks, and finally decides, for example, whether the user may log in or not.
[definition]libnss - This package provides a Name Service Switch module that lets your LDAP server act as a name service. This means providing user account information, group IDs, host information, aliases, netgroups, and basically anything else that you would normally get from /etc flat files or NIS. Run "getent passwd" to see some of the information available.
libpam checks if the user name and password are correct, while libnss looks up the available names.
- Install libnss-ldap. libnss-ldap will allow you to talk to your LDAP server as if it were the regular /etc folder that contains /etc/passwd, /etc/hosts, /etc/group, etc. In this case LDAP will store all that information.
aptitude install libnss-ldap
- Change example to your domain name
LDAP Server Host: 127.0.0.1
DN of Search Base: dc=mycompany,dc=com
LDAP Version: 3
Database requires login: no
Make config readable by owner only: yes
- If at any point you want to reconfigure these settings, or you are getting "nss_ldap: failed to bind to LDAP server", run:
dpkg-reconfigure libnss-ldap
LDAP server Uniform Resource Identifier: ldap://127.0.0.1
Distinguished name of the search base: dc=mycompany,dc=com
LDAP Version to use: [Default] 3
Does the LDAP database require login:[default] No
Special LDAP privileges for root:[default] Yes
Make the configuration file readable/writable by its owners only:[default]No
LDAP Account for root: cn=admin,dc=mycompany,dc=com
LDAP Password: ****
- Now, in order for the system to use LDAP, you need to tell it about its existence. We do that in nsswitch.conf. It tells the system to not only check the regular files but also the LDAP server for users, groups, etc.
- Edit the file /etc/nsswitch.conf and add the word ldap at the end of each line so it looks like the following:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
Now that you told nsswitch to look at LDAP, here is a short list of what parts of your Linux system can be integrated with LDAP. Look at the example file /usr/share/doc/libnss-ldap/examples/nsswitch.ldap (vi /usr/share/doc/libnss-ldap/examples/nsswitch.ldap) to see which services can be LDAP-backed on your system (passwords, groups, networks, protocols, rpc, ethers, ...).
- The change we made to nsswitch will allow you to search LDAP now.
- Congratulations, your system knows how to talk to LDAP now. Right now the database in LDAP is empty, so we will need to add users, groups, etc. later. For now, see how many groups we have in the original system.
If you run the command getent group, it will search the local database (/etc/passwd) first and then LDAP, based on your nsswitch.conf configuration.
getent group
ssh:x:103:
users:x:20001:
guests:x:20002:
admins:x:20000:
.....
libpam-ldap
- Install libpam-ldap
aptitude install libpam-ldap
- Reconfigure libpam-ldap
dpkg-reconfigure libpam-ldap
vi /etc/ldap/ldap.conf
- Add the url of the ldap server.
BASE dc=mycompany,dc=com
URI ldap://ldap.mycompany.com
- Make sure you add ldap.mycompany.com to /etc/hosts like this:
#ipaddress ldap.mycompany.com
#example
192.168.1.110 ldap.mycompany.com
- Edit PAM settings
vi /etc/pam.d/common-account
# Comment out the next line
#account required pam_unix.so
# and add these two
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass
vi /etc/pam.d/common-auth
# from
#auth required pam_unix.so nullok_secure
# to
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
vi /etc/pam.d/common-password
# from
#password required pam_unix.so nullok obscure min=4 max=8 md5
# to
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass
vi /etc/pam.d/common-session
session optional pam_ldap.so
session required pam_unix.so
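The order and control flags in the common-auth stack above decide what happens when LDAP is down and what a stale local password still buys. The following is an added example, not part of the manual: a small model of PAM's control-flag rules applied to that stack, with constructed user tables standing in for the LDAP directory and the local /etc/shadow.

```python
# Added example (not from the manual): a model of how PAM walks the
# common-auth stack configured above, so the effect of "sufficient" before
# "required" can be seen without a live LDAP server.

# Constructed stand-ins for the two password stores; the ldap_down flag
# simulates a server that cannot be reached.
LDAP_USERS = {"jane": "ldap-secret"}
LOCAL_USERS = {"root": "local-secret", "jane": "old-local-secret"}

# The /etc/pam.d/common-auth stack from the text, in order.  use_first_pass
# means pam_unix reuses the password pam_ldap already collected, which the
# model reflects by handing the same password to every module.
COMMON_AUTH = [
    ("sufficient", "pam_ldap.so", []),
    ("required", "pam_unix.so", ["nullok_secure", "use_first_pass"]),
]

def run_module(module, user, password, ldap_down):
    """True when the module accepts the user/password pair."""
    if module == "pam_ldap.so":
        return not ldap_down and LDAP_USERS.get(user) == password
    if module == "pam_unix.so":
        return LOCAL_USERS.get(user) == password
    raise ValueError("unknown module " + module)

def authenticate(stack, user, password, ldap_down=False):
    """Apply PAM's control-flag rules to the stack and return
    (success, [modules actually consulted, in order])."""
    consulted, failed = [], False
    for control, module, _options in stack:
        consulted.append(module)
        ok = run_module(module, user, password, ldap_down)
        if control == "sufficient":
            # Success ends the stack at once unless a required module has
            # already failed; failure of a sufficient module is ignored.
            if ok and not failed:
                return True, consulted
        elif control == "required":
            # Failure is remembered but the rest of the stack still runs.
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False, consulted
        elif control == "optional" and len(stack) == 1:
            return ok, consulted
    return not failed, consulted
```

Note that a user present in both stores (jane above) can still log in with the stale local password, so lock or remove the local copies of accounts once they have been migrated.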
Troubleshooting
result: 32 No such object
Error:
ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
FIX
ldapsearch -x -b "dc=mycompany,dc=com"
.........
result: 4 Size limit exceeded
# numResponses: 501
# numEntries: 500
Ldap Editors
[Optional][Not used in this manual] ldapvi: there is also another vi-based LDAP browser that allows you to change LDAP.
aptitude install ldapvi
#Then, to use it:
ldapvi -D "cn=admin,dc=mycompany,dc=com"