OpenSpeak.net

User Tools

Site Tools

Trace:
classes:la_slapd

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
classes:la_slapd [2016/12/15 14:34] curry_searleclasses:la_slapd [2016/12/15 20:43] (current) curry_searle
Line 2: Line 2:
  
 The outline of this tutorial contains the following sections: The outline of this tutorial contains the following sections:
-  - Server: Configure OpenLDAP and add users +  - [[classes:la_slapd_l1|Server: Configure OpenLDAP and add users]] 
-  - Server: Configure NFS to export home directories +  - [[classes:la_slapd_l2|Server: Configure NFS to export home directories]] 
-  - Client: Configure PAM to authenticate using our OpenLDAP directory +  - [[classes:la_slapd_l3|Client: Configure PAM to authenticate using our OpenLDAP directory]] 
-  - Client: Configure AutoFS to auto-mount user home directories from the server to the client+  - [[classes:la_slapd_l4|Client: Configure AutoFS to auto-mount user home directories from the server to the client]]
  
-For this tutorial we will create three users in our LDAP directory, Tom, Olive and Kevin; all with the password of ''1234567''. In addition to these three directory users, we will login with a local account, ''user'', which has sudo permissions on both our server (cls-kvm1) and client (cls-kvm2). For simplicity, any time we are prompted for a password, we will use the same number sequence, one through seven, listed above. You can follow along in the documentation for this lesson; it is written to be a copy and paste guide.+For this tutorial we will create three users in our LDAP directory, Tom, Olive and Kevin; all with the password of ''1234567''. In addition to these three directory users, we will login with a local account, ''user'', which has sudo permissions on both our server (cls-kvm1) and client (cls-kvm2). For simplicity, any time we are prompted for a password, we will use the same number sequence, one through seven, listed above. You can follow along in the documentation for each lesson which is written to be a copy and paste guide.
  
-=== Server: Configure OpenLDAP and add users === 
-Let's get started by logging into our server and installing OpenLDAP: 
-<code> 
-sudo apt-get -y install slapd ldap-utils 
-</code> 
- 
-When prompted, enter a password for your LDAP ''admin'' user and press enter. For the purposes of this tutorial we will use ''1234567'' for the password. Confirm the password and press enter again. 
- 
-Now we need to finalize the OpenLDAP configuration by running ''dpkg-reconfigure'' to specify settings: 
-<code> 
-sudo dpkg-reconfigure slapd 
-</code> 
- 
-Using your favorite editor, modify /etc/ldap/ldap.conf to contain the following, non-comment lines: 
-<code> 
-TLS_CACERT      /etc/ssl/certs/ca-certificates.crt 
- 
-BASE dc=itsm,dc=unt,dc=edu 
-URI ldap://localhost:389 
-</code> 
- 
-Restart the ldap service to reload the new configuration: 
-<code> 
-sudo service slapd restart 
-</code> 
- 
-Confirm the slapd service is running; you should see a line, ''active (running)'', in the output of your ''service'' command: 
-<code> 
-service slapd status 
-● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol) 
-   Loaded: loaded (/etc/init.d/slapd; bad; vendor preset: enabled) 
-   Active: active (running) since Wed 2016-12-14 00:23:38 CST; 52min ago 
-     Docs: man:systemd-sysv-generator(8) 
-    Tasks: 3 
-   Memory: 9.6M 
-      CPU: 52ms 
-   CGroup: /system.slice/slapd.service 
-           └─2632 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d 
-</code> 
- 
-Confirm your ldap server is answering requests by giving it a simple request: 
-<code> 
-ldapsearch -x 
-# extended LDIF 
-# 
-# LDAPv3 
-# base <dc=itsm,dc=unt,dc=edu> (default) with scope subtree 
-# filter: (objectclass=*) 
-# requesting: ALL 
-# 
- 
-# itsm.unt.edu 
-dn: dc=itsm,dc=unt,dc=edu 
-objectClass: top 
-objectClass: dcObject 
-objectClass: organization 
-o: unt.edu 
-dc: itsm 
- 
-# admin, itsm.unt.edu 
-dn: cn=admin,dc=itsm,dc=unt,dc=edu 
-objectClass: simpleSecurityObject 
-objectClass: organizationalRole 
-cn: admin 
-description: LDAP administrator 
- 
-# search result 
-search: 2 
-result: 0 Success 
- 
-# numResponses: 3 
-# numEntries: 2 
-</code> 
-like this 
-Now that we have our LDAP server running, lets populate it with some users. Create a file named ''users.ldif'' which includes the following data: 
-<code> 
-dn: uid=tom,dc=itsm,dc=unt,dc=edu 
-objectClass: top 
-objectClass: account 
-objectClass: posixAccount 
-objectClass: shadowAccount 
-cn: tom 
-uid: tom 
-uidNumber: 5010 
-gidNumber: 9010 
-homeDirectory: /nfs/cls-kvm1/tom 
-loginShell: /bin/bash 
-gecos: tom 
-userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE= 
-shadowLastChange: 17531 
-shadowMax: 0 
-shadowWarning: 0 
- 
-dn: uid=olive,dc=itsm,dc=unt,dc=edu 
-objectClass: top 
-objectClass: account 
-objectClass: posixAccount 
-objectClass: shadowAccount 
-cn: olive 
-uid: olive 
-uidNumber: 5011 
-gidNumber: 9011 
-homeDirectory: /nfs/cls-kvm1/olive 
-loginShell: /bin/bash 
-gecos: olive 
-userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE= 
-shadowLastChange: 17531 
-shadowMax: 0 
-shadowWarning: 0 
- 
-dn: uid=kevin,dc=itsm,dc=unt,dc=edu 
-objectClass: top 
-objectClass: account 
-objectClass: posixAccount 
-objectClass: shadowAccount 
-cn: kevin 
-uid: kevin 
-uidNumber: 5012 
-gidNumber: 9012 
-homeDirectory: /nfs/cls-kvm1/kevin 
-loginShell: /bin/bash 
-gecos: kevin 
-userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE= 
-shadowLastChange: 17531 
-shadowMax: 0 
-shadowWarning: 0 
-</code> 
- 
-Now that we have a data file containing user information, we can import it into our LDAP database using the ''ldapadd'' command, entering our password when prompted: 
-<code> 
-ldapadd -a -D 'cn=admin,dc=itsm,dc=unt,dc=edu' -W -f ~/users.ldif 
-Enter LDAP Password:  
-adding new entry "uid=tom,dc=itsm,dc=unt,dc=edu" 
- 
-adding new entry "uid=olive,dc=itsm,dc=unt,dc=edu" 
- 
-adding new entry "uid=kevin,dc=itsm,dc=unt,dc=edu" 
-</code> 
- 
-We can confirm the users were added by performing another ''ldapsearch'' command as follows: 
-<code> 
-ldapsearch -x objectClass=account dn cn uidnumber gidnumber 
-# extended LDIF 
-# 
-# LDAPv3 
-# base <dc=itsm,dc=unt,dc=edu> (default) with scope subtree 
-# filter: objectClass=account 
-# requesting: dn cn uidnumber gidnumber  
-# 
- 
-# tom, itsm.unt.edu 
-dn: uid=tom,dc=itsm,dc=unt,dc=edu 
-cn: tom 
-uidNumber: 5010 
-gidNumber: 9010 
- 
-# olive, itsm.unt.edu 
-dn: uid=olive,dc=itsm,dc=unt,dc=edu 
-cn: olive 
-uidNumber: 5011 
-gidNumber: 9011 
- 
-# kevin, itsm.unt.edu 
-dn: uid=kevin,dc=itsm,dc=unt,dc=edu 
-cn: kevin 
-uidNumber: 5012 
-gidNumber: 9012 
- 
-# search result 
-search: 2 
-result: 0 Success 
- 
-# numResponses: 4 
-# numEntries: 3 
-</code> 
- 
-That's all for this section on configuring OpenLDAP and adding our users. Join me in the next section as we configure NFS to export home directories. 
- 
-=== Server: Configure NFS to export home directories to a client system === 
- 
-This section covers configuring NFS to export filesystems to remote computers. For the purpose of this tutorial, our remote filesystems will be the home directories of users defined in our OpenLDAP directory. Let's jump right in on our server and install NFS then make a directory to store our user home directories: 
-<code> 
-sudo apt-get -y install nfs-kernel-server 
-sudo mkdir -p /export/users 
-</code> 
- 
-The file ''/etc/exports'' defines any filesystems you are making available to remote systems. Edit ''/etc/exports'' to include the following: 
-<code> 
-/home   cls-kvm2.itsm.unt.edu(rw,sync,no_root_squash) 
-</code> 
- 
-Start the nfs-kernel-server service and confirm there are no errors: 
-<code> 
-sudo service nfs-kernel-server start 
-sudo service nfs-kernel-server status 
-</code> 
- 
-Confirm the filesystem is being exported to the system we expected using the ''showmount -e'' command: 
-<code> 
-showmount -e 
- 
-Export list for cls-kvm1: 
-/home cls-kvm2.itsm.unt.edu 
-</code> 
- 
-Edit ''/etc/auto.master'' to include the following line at the end; save & close: 
-<code> 
-/nfs   /etc/auto.nfs 
-</code> 
- 
-=== Client: Configure PAM authentication to use LDAP === 
- 
-Now that we have our OpenLDAP server configured and populated with users, we can move on to configuring our linux workstation to authenticate using our LDAP directory. 
- 
-Logon to the client system (''ssh user@cls-kvm2'') and install required dependencies: 
-<code> 
-sudo apt-get -y install ldap-auth-client nscd autofs 
-</code> 
- 
-Configure ldap-auth-config: 
-<code> 
-sudo dpkg-reconfigure ldap-auth-config 
-</code> 
- 
-Include the following settings: 
-<code> 
-LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu 
-Distinguised name of the search base: dc=itsm,dc=unt,dc=edu 
-LDAP version to use: 3 
-Make local root Database admin: Yes 
-Does the LDAP require login: No 
-LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=edu 
-LDAP root account password 
-</code> 
- 
-Configure NSS authentication client for LDAP: 
-<code> 
-sudo auth-client-config -t nss -p lac_ldap 
-</code> 
- - /etc/auth 
- 
-Update PAM configuration: 
-<code> 
-sudo pam-auth-update 
-</code> 
-Ensure the following are checked and choose Ok: 
-<code> 
-PAM profiles to enable: 
- * Unix authentication 
- * LDAP Authentication 
- * Register user sessions in the systemd control group hierarchy 
-</code> 
- 
-Restart the NSCD service: 
-<code> 
-sudo service nscd restart 
-</code> 
- 
-Edit ''/etc/pamd.d/common-password'' to remove the ''use_authok'' from the ''password'' entry: 
-<code> 
-#password       [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass 
-password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass 
-</code> 
- 
-Confirm the client sees the LDAP accounts as available for authentication; look for our LDAP users in the output of ''getent passwd'': 
-<code> 
-getent passwd 
-... 
-tom:x:5010:9010:tom:/nfs/cls-kvm1/tom:/bin/bash 
-olive:x:5011:9011:olive:/nfs/cls-kvm1/olive:/bin/bash 
-kevin:x:5012:9012:kevin:/nfs/cls-kvm1/kevin:/bin/bash 
-</code> 
- 
-Test authentication using ''su - kevin'' or ''su - olive'': 
-<code> 
-su - kevin 
-Password:  
-No directory, logging in with HOME=/ 
-groups: cannot find name for group ID 9012 
-kevin@cls-kvm2:/ 
-</code> 
- 
-In the next step we will resolve the ''No directory, logging in with HOME=/'' error message by configuring autofs mounted home directories. 
- 
-=== Configure AutoFS to auto-mount user home directories === 
-On the client machine (cls-kvm2), install our AutoFS dependencies: 
-<code> 
-sudo apt-get install autofs oddjob-mkhomedir 
-</code> 
- 
-Add a line to ''/etc/auto.master'': 
-<code> 
-sudo sh -ec 'echo /nfs \\t/etc/auto.nfs >> /etc/auto.master' 
-</code> 
- 
-Create ''/etc/auto.nfs'': 
-<code> 
-sudo sh -ec 'echo cls-kvm1 \\tcls-kvm1.itsm.unt.edu:/home >> /etc/auto.nfs' 
-</code> 
- 
-Create ''/etc/auto.home'': 
-<code> 
-sudo sh -ec 'echo *\\tcls-kvm1.itsm.unt.edu:/home/\& >> /etc/auto.home' 
-</code> 
- 
-Restart ''autofs'': 
-<code> 
-sudo service autofs restart 
-sudo service autofs status 
-</code> 
  
classes/la_slapd.1481841246.txt.gz · Last modified: 2016/12/15 14:34 by curry_searle