classes:la_slapd

Previous revision: classes:la_slapd [2016/12/14 19:41] curry_searle
Current revision: classes:la_slapd [2016/12/15 20:43] (current) curry_searle
Line 2: Line 2:
  
 The outline of this tutorial contains the following sections: The outline of this tutorial contains the following sections:
-  - Server: Configure OpenLDAP and add users +  - [[classes:la_slapd_l1|Server: Configure OpenLDAP and add users]] 
-  - Server: Configure NFS to export home directories to a client system +  - [[classes:la_slapd_l2|Server: Configure NFS to export home directories]] 
-  - Client: Configure PAM to authente using our LDAP directory +  - [[classes:la_slapd_l3|Client: Configure PAM to authenticate using our OpenLDAP directory]] 
-  - Client: Configure AutoFS to auto-mount user home directories from the server to the client+  - [[classes:la_slapd_l4|Client: Configure AutoFS to auto-mount user home directories from the server to the client]]
  
-For this tutorial we will create three users in our LDAP directory, Tom, Olive and Kevin; all with the password of ''1234567''. In addition to these three directory users, we will login with the local account, ''user'', which has sudo permissions on both our server (cls-kvm1) and client (cls-kvm2). For simplicity, any time we are prompted for a password, we will use this same number sequence, one through seven, above. You can follow along in the documentation for this lesson; it is written to be a copy and paste guide.+For this tutorial we will create three users in our LDAP directory, Tom, Olive and Kevin; all with the password of ''1234567''. In addition to these three directory users, we will login with local account, ''user'', which has sudo permissions on both our server (cls-kvm1) and client (cls-kvm2). For simplicity, any time we are prompted for a password, we will use the same number sequence, one through seven, listed above. You can follow along in the documentation for each lesson which is written to be a copy and paste guide.
  
-=== Server: Configure OpenLDAP and add users === 
-Let's get started by logging into our server and installing OpenLDAP: 
-<code> 
-sudo apt-get -y install slapd ldap-utils 
-</code> 
  
-When prompted, enter a password for your LDAP ''admin'' user and press enter. For the purposes of this tutorial we will use ''1234567'' for the password. Confirm the password and press enter again. 
- 
-Using your favorite editor, modify /etc/ldap/ldap.conf to contain the following, non-comment lines: 
-<code> 
-TLS_CACERT      /etc/ssl/certs/ca-certificates.crt 
- 
-BASE dc=itsm,dc=unt,dc=edu 
-URI ldap://localhost:389 
-</code> 
- 
-Restart the ldap service to reload the new configuration: 
-<code> 
-sudo service slapd restart 
-</code> 
- 
-Confirm the slapd service is running; you should see a line, ''active (running)'', in the output of your ''service'' command: 
-<code> 
-service slapd status 
-● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol) 
-   Loaded: loaded (/etc/init.d/slapd; bad; vendor preset: enabled) 
-   Active: active (running) since Wed 2016-12-14 00:23:38 CST; 52min ago 
-     Docs: man:systemd-sysv-generator(8) 
-    Tasks: 3 
-   Memory: 9.6M 
-      CPU: 52ms 
-   CGroup: /system.slice/slapd.service 
-           └─2632 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d 
-</code> 
- 
-Confirm your ldap server is answering requests by giving it a simple request: 
-<code> 
-ldapsearch -x 
-# extended LDIF 
-# 
-# LDAPv3 
-# base <dc=itsm,dc=unt,dc=edu> (default) with scope subtree 
-# filter: (objectclass=*) 
-# requesting: ALL 
-# 
- 
-# itsm.unt.edu 
-dn: dc=itsm,dc=unt,dc=edu 
-objectClass: top 
-objectClass: dcObject 
-objectClass: organization 
-o: unt.edu 
-dc: itsm 
- 
-# admin, itsm.unt.edu 
-dn: cn=admin,dc=itsm,dc=unt,dc=edu 
-objectClass: simpleSecurityObject 
-objectClass: organizationalRole 
-cn: admin 
-description: LDAP administrator 
- 
-# search result 
-search: 2 
-result: 0 Success 
- 
-# numResponses: 3 
-# numEntries: 2 
-</code> 
-like this 
-Now that we have our LDAP server running, lets populate it with some users. Create a file named ''users.ldif'' which includes the following data: 
-<code> 
-dn: uid=tom,dc=itsm,dc=unt,dc=edu 
-objectClass: top 
-objectClass: account 
-objectClass: posixAccount 
-objectClass: shadowAccount 
-cn: tom 
-uid: tom 
-uidNumber: 5010 
-gidNumber: 9010 
-homeDirectory: /home/tom 
-loginShell: /bin/bash 
-gecos: tom 
-userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE= 
-shadowLastChange: 17531 
-shadowMax: 0 
-shadowWarning: 0 
- 
-dn: uid=olive,dc=itsm,dc=unt,dc=edu 
-objectClass: top 
-objectClass: account 
-objectClass: posixAccount 
-objectClass: shadowAccount 
-cn: olive 
-uid: olive 
-uidNumber: 5011 
-gidNumber: 9011 
-homeDirectory: /home/olive 
-loginShell: /bin/bash 
-gecos: olive 
-userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE= 
-shadowLastChange: 17531 
-shadowMax: 0 
-shadowWarning: 0 
- 
-dn: uid=kevin,dc=itsm,dc=unt,dc=edu 
-objectClass: top 
-objectClass: account 
-objectClass: posixAccount 
-objectClass: shadowAccount 
-cn: kevin 
-uid: kevin 
-uidNumber: 5012 
-gidNumber: 9012 
-homeDirectory: /home/kevin 
-loginShell: /bin/bash 
-gecos: kevin 
-userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE= 
-shadowLastChange: 17531 
-shadowMax: 0 
-shadowWarning: 0 
-</code> 
- 
-Now that we have a data file containing user information, we can import it into our LDAP database using the ''ldapadd'' command, entering our password when prompted: 
-<code> 
-ldapadd -a -D 'cn=admin,dc=itsm,dc=unt,dc=edu' -W -f ~/users.ldif 
-Enter LDAP Password:  
-adding new entry "uid=tom,dc=itsm,dc=unt,dc=edu" 
- 
-adding new entry "uid=olive,dc=itsm,dc=unt,dc=edu" 
- 
-adding new entry "uid=kevin,dc=itsm,dc=unt,dc=edu" 
-</code> 
- 
-We can confirm the users were added by performing another ''ldapsearch'' command as follows: 
-<code> 
-ldapsearch -x objectClass=account dn cn uidnumber gidnumber 
-# extended LDIF 
-# 
-# LDAPv3 
-# base <dc=itsm,dc=unt,dc=edu> (default) with scope subtree 
-# filter: objectClass=account 
-# requesting: dn cn uidnumber gidnumber  
-# 
- 
-# tom, itsm.unt.edu 
-dn: uid=tom,dc=itsm,dc=unt,dc=edu 
-cn: tom 
-uidNumber: 5010 
-gidNumber: 9010 
- 
-# olive, itsm.unt.edu 
-dn: uid=olive,dc=itsm,dc=unt,dc=edu 
-cn: olive 
-uidNumber: 5011 
-gidNumber: 9011 
- 
-# kevin, itsm.unt.edu 
-dn: uid=kevin,dc=itsm,dc=unt,dc=edu 
-cn: kevin 
-uidNumber: 5012 
-gidNumber: 9012 
- 
-# search result 
-search: 2 
-result: 0 Success 
- 
-# numResponses: 4 
-# numEntries: 3 
-</code> 
- 
-=== Client: Configure PAM authentication to use LDAP === 
- 
-Now that we have our OpenLDAP server configured and populated with users, we can move on to configuring our linux workstation to authenticate using our LDAP directory. 
- 
-Logon to the client system (''ssh user@cls-kvm2'') and install required dependencies: 
-<code> 
-sudo apt-get -y install ldap-auth-client nscd autofs 
-</code> 
- 
-Configure ldap-auth-config: 
-<code> 
-sudo dpkg-reconfigure ldap-auth-config 
-</code> 
- 
-Include the following settings: 
-<code> 
-LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu 
-Distinguised name of the search base: dc=itsm,dc=unt,dc=edu 
-LDAP version to use: 3 
-Make local root Database admin: Yes 
-Does the LDAP require login: No 
-LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=edu 
-LDAP root account password 
-</code> 
- 
-Configure NSS authentication client for LDAP: 
-<code> 
-sudo auth-client-config -t nss -p lac_ldap 
-</code> 
- - /etc/auth 
- 
-Update PAM configuration: 
-<code> 
-sudo pam-auth-update 
-</code> 
-Ensure the following are checked and choose Ok: 
-<code> 
-PAM profiles to enable: 
- * Unix authentication 
- * LDAP Authentication 
- * Register user sessions in the systemd control group hierarchy 
-</code> 
- 
-Restart the NSCD service: 
-<code> 
-sudo service nscd restart 
-</code> 
- 
-Edit ''/etc/pamd.d/common-password'' to remove the ''use_authok'' from the ''password'' entry: 
-<code> 
-#password       [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass 
-password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass 
-</code> 
- 
-Confirm the client sees the LDAP accounts as available for authentication; look for our LDAP users in the output of ''getent passwd'': 
-<code> 
-getenet passwd 
-... 
-tom:x:5010:9010:tom:/home/tom:/bin/bash 
-olive:x:5011:9011:olive:/home/olive:/bin/bash 
-kevin:x:5012:9012:kevin:/home/kevin:/bin/bash 
-</code> 
- 
-Test authentication using ''su - kevin'' or ''su - olive'': 
-<code> 
-su - kevin 
-Password:  
-No directory, logging in with HOME=/ 
-groups: cannot find name for group ID 9012 
-kevin@cls-kvm2:/ 
-</code> 
- 
-In the next step we will resolve the ''No directory, logging in with HOME=/'' error message by configuring autofs mounted home directories. 
- 
-Still on the client machine, install our AutoFS dependencies: 
-<code> 
- 
-</code> 
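Review bot: the client-side configuration in this hunk sends user passwords to the server unprotected: `LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu` is plain LDAP, so every pam_ldap bind at login carries the user's password in cleartext across the network, and the server's `TLS_CACERT /etc/ssl/certs/ca-certificates.crt` line is never paired with an `ldaps://` URI or STARTTLS; either configure TLS on both sides or state explicitly that plaintext is a lab-only shortcut. In the same dpkg-reconfigure step, answering `Make local root Database admin: Yes` with the `cn=admin` account places the directory administrator's bind password on the client, which login authentication does not need and which widens the impact of a compromised workstation. In the LDIF, all three entries carry the identical unsalted `userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE=`, so the stored hash alone reveals that the accounts share a password; `slappasswd` emits a salted `{SSHA}` value by default and avoids that. `shadowMax: 0` on every entry sets a zero-day maximum password age under shadow semantics and deserves either a comment or removal. Functional problems readers will hit: `getenet passwd` should be `getent passwd`; `/etc/pamd.d/common-password` should be `/etc/pam.d/common-password`, and the option to remove is `use_authtok` (the prose says `use_authok`); `Distinguised` should be `Distinguished`; the `groups: cannot find name for group ID 9012` warning in the `su - kevin` transcript occurs because no `posixGroup` entries exist for gidNumbers 9010-9012, so add them or point `gidNumber` at an existing group; and the stray `like this` and ` - /etc/auth` lines plus the empty `<code>` block after "install our AutoFS dependencies" read as unfinished edits that should be completed or dropped.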
classes/la_slapd.1481773273.txt.gz · Last modified: 2016/12/14 19:41 by curry_searle