classes:la_slapd

classes:la_slapd [2016/12/14 19:04] curry_searleclasses:la_slapd [2016/12/15 20:43] (current) curry_searle
Line 1: Line 1:
-Good day, folks; today's tutorial walks through installing and configuring an OpenLDAP server along with an NFS exported file system. The LDAP system will contain user identities and credentials which we will use for authenticating users from another linux client. In addition to authentication, the server will also storage via an NFS exported filesystem which we will auto-mount on our client for the user's home directory.+Good day, folks; today's tutorial walks through installing and configuring an OpenLDAP server along with an NFS exported file system. The LDAP system will contain user identities and credentials which we will use for authenticating users from another linux client. In addition to authentication, the server will also provide storage via an NFS exported filesystem which we will auto-mount on our client for the user's home directory. This tutorial uses Ubuntu 16.04 LTS; however, the concepts are the same for RedHat-based distributions as well.
  
-The outline of this tutorial contains the following parts+The outline of this tutorial contains the following sections
-  - Server: Configure OpenLDAP and add users +  - [[classes:la_slapd_l1|Server: Configure OpenLDAP and add users]] 
-  - Server: Configure NFS to exported home directories +  - [[classes:la_slapd_l2|Server: Configure NFS to export home directories]] 
-  - Client: Configure PAM authentication to use LDAP +  - [[classes:la_slapd_l3|Client: Configure PAM to authenticate using our OpenLDAP directory]] 
-  - Client: Configure AutoFS to auto-mount home directories+  - [[classes:la_slapd_l4|Client: Configure AutoFS to auto-mount user home directories from the server to the client]]
  
-For the purposes of this tutorial we will create three users, Tom, Olive and Kevin and they will all have the password of ''1234567''. For simplicity, any time we are prompted for a password, we will use this same sequence of numbers.+For this tutorial we will create three users in our LDAP directory, Tom, Olive and Kevinall with the password of ''1234567''. In addition to these three directory users, we will login with a local account, ''user'', which has sudo permissions on both our server (cls-kvm1) and client (cls-kvm2). For simplicity, any time we are prompted for a password, we will use the same number sequence, one through seven, listed above. You can follow along in the documentation for each lesson which is written to be a copy and paste guide.
  
-=== Server: Configure OpenLDAP and add users === 
-Let's get started by installing OpenLDAP: 
-<code> 
-sudo apt-get -y install slapd ldap-utils 
-</code> 
  
-When prompted, enter a password for your LDAP ''admin'' user and press enter. For the purposes of this tutorial we will use ''1234567'' for the password. Confirm the password and press enter again. 
- 
-Using your favorite editor, modify /etc/ldap/ldap.conf to contain the following, non-comment lines: 
-<code> 
-TLS_CACERT      /etc/ssl/certs/ca-certificates.crt 
- 
-BASE dc=itsm,dc=unt,dc=edu 
-URI ldap://localhost:389 
-</code> 
- 
-Restart the ldap service to reload the new configuration: 
-<code> 
-sudo service slapd restart 
-</code> 
- 
-Confirm the slapd service is running; you should see a line, ''active (running)'', in the output of your ''service'' command: 
-<code> 
-service slapd status 
-● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol) 
-   Loaded: loaded (/etc/init.d/slapd; bad; vendor preset: enabled) 
-   Active: active (running) since Wed 2016-12-14 00:23:38 CST; 52min ago 
-     Docs: man:systemd-sysv-generator(8) 
-    Tasks: 3 
-   Memory: 9.6M 
-      CPU: 52ms 
-   CGroup: /system.slice/slapd.service 
-           └─2632 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d 
-</code> 
- 
-Confirm your ldap server is answering requests by giving it a simple request: 
-<code> 
-ldapsearch -x 
-# extended LDIF 
-# 
-# LDAPv3 
-# base <dc=itsm,dc=unt,dc=edu> (default) with scope subtree 
-# filter: (objectclass=*) 
-# requesting: ALL 
-# 
- 
-# itsm.unt.edu 
-dn: dc=itsm,dc=unt,dc=edu 
-objectClass: top 
-objectClass: dcObject 
-objectClass: organization 
-o: unt.edu 
-dc: itsm 
- 
-# admin, itsm.unt.edu 
-dn: cn=admin,dc=itsm,dc=unt,dc=edu 
-objectClass: simpleSecurityObject 
-objectClass: organizationalRole 
-cn: admin 
-description: LDAP administrator 
- 
-# search result 
-search: 2 
-result: 0 Success 
- 
-# numResponses: 3 
-# numEntries: 2 
-</code> 
-like this 
-Now that we have our LDAP server running, lets populate it with some users. Create a file named ''users.ldif'' which includes the following data: 
-<code> 
-dn: uid=tom,dc=itsm,dc=unt,dc=edu 
-objectClass: top 
-objectClass: account 
-objectClass: posixAccount 
-objectClass: shadowAccount 
-cn: tom 
-uid: tom 
-uidNumber: 5010 
-gidNumber: 9010 
-homeDirectory: /home/tom 
-loginShell: /bin/bash 
-gecos: tom 
-userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE= 
-shadowLastChange: 17531 
-shadowMax: 0 
-shadowWarning: 0 
- 
-dn: uid=olive,dc=itsm,dc=unt,dc=edu 
-objectClass: top 
-objectClass: account 
-objectClass: posixAccount 
-objectClass: shadowAccount 
-cn: olive 
-uid: olive 
-uidNumber: 5011 
-gidNumber: 9011 
-homeDirectory: /home/olive 
-loginShell: /bin/bash 
-gecos: olive 
-userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE= 
-shadowLastChange: 17531 
-shadowMax: 0 
-shadowWarning: 0 
- 
-dn: uid=kevin,dc=itsm,dc=unt,dc=edu 
-objectClass: top 
-objectClass: account 
-objectClass: posixAccount 
-objectClass: shadowAccount 
-cn: kevin 
-uid: kevin 
-uidNumber: 5012 
-gidNumber: 9012 
-homeDirectory: /home/kevin 
-loginShell: /bin/bash 
-gecos: kevin 
-userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE= 
-shadowLastChange: 17531 
-shadowMax: 0 
-shadowWarning: 0 
-</code> 
- 
-Now that we have a data file containing user information, we can import it into our LDAP database using the ''ldapadd'' command, entering our password when prompted: 
-<code> 
-ldapadd -a -D 'cn=admin,dc=itsm,dc=unt,dc=edu' -W -f ~/users.ldif 
-Enter LDAP Password:  
-adding new entry "uid=tom,dc=itsm,dc=unt,dc=edu" 
- 
-adding new entry "uid=olive,dc=itsm,dc=unt,dc=edu" 
- 
-adding new entry "uid=kevin,dc=itsm,dc=unt,dc=edu" 
-</code> 
- 
-We can confirm the users were added by performing another ''ldapsearch'' command as follows: 
-<code> 
-ldapsearch -x objectClass=account dn cn uidnumber gidnumber 
-# extended LDIF 
-# 
-# LDAPv3 
-# base <dc=itsm,dc=unt,dc=edu> (default) with scope subtree 
-# filter: objectClass=account 
-# requesting: dn cn uidnumber gidnumber  
-# 
- 
-# tom, itsm.unt.edu 
-dn: uid=tom,dc=itsm,dc=unt,dc=edu 
-cn: tom 
-uidNumber: 5010 
-gidNumber: 9010 
- 
-# olive, itsm.unt.edu 
-dn: uid=olive,dc=itsm,dc=unt,dc=edu 
-cn: olive 
-uidNumber: 5011 
-gidNumber: 9011 
- 
-# kevin, itsm.unt.edu 
-dn: uid=kevin,dc=itsm,dc=unt,dc=edu 
-cn: kevin 
-uidNumber: 5012 
-gidNumber: 9012 
- 
-# search result 
-search: 2 
-result: 0 Success 
- 
-# numResponses: 4 
-# numEntries: 3 
-</code> 
- 
-=== Client: Configure PAM authentication to use LDAP === 
- 
-Now that we have our OpenLDAP server configured and populated with users, we can move on to configuring our linux workstation to authenticate using our LDAP directory. 
- 
-Logon to the client system (''ssh user@cls-kvm2'') and install required dependencies: 
-<code> 
-sudo apt-get -y install ldap-auth-client nscd autofs 
-</code> 
- 
-Configure ldap-auth-config: 
-<code> 
-sudo dpkg-reconfigure ldap-auth-config 
-</code> 
- 
-Include the following settings: 
-<code> 
-LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu 
-Distinguised name of the search base: dc=itsm,dc=unt,dc=edu 
-LDAP version to use: 3 
-Make local root Database admin: Yes 
-Does the LDAP require login: No 
-LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=edu 
-LDAP root account password 
-</code> 
- 
-Configure NSS authentication client for LDAP: 
-<code> 
-sudo auth-client-config -t nss -p lac_ldap 
-</code> 
- - /etc/auth 
- 
-Update PAM configuration: 
-<code> 
-sudo pam-auth-update 
-</code> 
-Ensure the following are checked and choose Ok: 
-<code> 
-PAM profiles to enable: 
- * Unix authentication 
- * LDAP Authentication 
- * Register user sessions in the systemd control group hierarchy 
-</code> 
- 
-Restart the NSCD service: 
-<code> 
-sudo service nscd restart 
-</code> 
- 
-Edit ''/etc/pamd.d/common-password'' to remove the ''use_authok'' from the ''password'' entry: 
-<code> 
-#password       [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass 
-password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass 
-</code> 
- 
-Confirm the client sees the LDAP accounts as available for authentication; look for our LDAP users in the output of ''getent passwd'': 
-<code> 
-getenet passwd 
-... 
-tom:x:5010:9010:tom:/home/tom:/bin/bash 
-olive:x:5011:9011:olive:/home/olive:/bin/bash 
-kevin:x:5012:9012:kevin:/home/kevin:/bin/bash 
-</code> 
- 
-Test authentication using ''su - kevin'' or ''su - olive'': 
-<code> 
-su - kevin 
-Password:  
-No directory, logging in with HOME=/ 
-groups: cannot find name for group ID 9012 
-kevin@cls-kvm2:/ 
-</code> 
- 
-In the next step we will resolve the ''No directory, logging in with HOME=/'' error message by configuring autofs mounted home directories. 
- 
-Still on the client machine, install our AutoFS dependencies: 
-<code> 
- 
-</code> 
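Review bot: the intro text added in this revision runs two words together, "Kevinall"; it should read "Tom, Olive and Kevin, all with the password of ''1234567''". Since the revision moves the Server and Client sections out to the four linked subpages, the defects in the removed text should not travel with it: ''/etc/pamd.d/common-password'' should be ''/etc/pam.d/common-password'', ''use_authok'' should be ''use_authtok'' (the quoted config line itself spells it ''use_authtok''), ''getenet passwd'' should be ''getent passwd'', the stray "like this" line after the first ldapsearch output and the stray "- /etc/auth" line after the auth-client-config step read as editing leftovers, and the final "Still on the client machine, install our AutoFS dependencies:" step has an empty code block. The outline lists "Server: Configure NFS to export home directories" and a client AutoFS section, neither of which the removed text contains, so the l2 and l4 subpages are where that content still needs to land. Two points worth a caution in the subpages: both ''/etc/ldap/ldap.conf'' and the ldap-auth-config answers use plain ''ldap://'' URIs (setting ''TLS_CACERT'' alone does not turn on TLS), so the client's simple binds to cls-kvm1, including the stored root account bind, cross the network in cleartext on port 389 unless STARTTLS or ''ldaps://'' is configured; and the users.ldif entries store ''userPassword'' as unsalted ''{SHA}'', where the salted ''{SSHA}'' scheme is the usual choice.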
classes/la_slapd.1481771092.txt.gz · Last modified: 2016/12/14 19:04 by curry_searle