

Good day, folks; today's tutorial walks through installing and configuring an OpenLDAP server along with an NFS exported file system. The directory will hold user identities and password hashes that a separate Linux client uses for authentication. In addition to authentication, the server will provide storage via an NFS exported filesystem which we will auto-mount on the client as the user's home directory. This tutorial uses Ubuntu 16.04 LTS; however, the concepts are the same for RedHat-based distributions as well.

The outline of this tutorial contains the following sections:

  1. Server: Configure OpenLDAP and add users
  2. Server: Configure NFS to export home directories to a client system
  3. Client: Configure PAM to authenticate using our LDAP directory
  4. Client: Configure AutoFS to auto-mount user home directories from the server to the client

For this tutorial we will create three users in our LDAP directory, Tom, Olive and Kevin, all with the password 1234567. In addition to these three directory users, we will log in with the local account, user, which has sudo permissions on both our server (cls-kvm1) and client (cls-kvm2). For simplicity, any time we are prompted for a password, we will use this same number sequence, one through seven. That password is a lab convenience only; it protects nothing and should not survive past this exercise. You can follow along in the documentation for this lesson; it is written to be a copy and paste guide.

Server: Configure OpenLDAP and add users

Let's get started by logging into our server and installing OpenLDAP:

sudo apt-get -y install slapd ldap-utils

When prompted, enter a password for your LDAP admin user and press enter. For the purposes of this tutorial we will use 1234567 for the password. Confirm the password and press enter again.

Using your favorite editor, modify /etc/ldap/ldap.conf to contain the following non-comment lines. This file configures the OpenLDAP client library used by ldapsearch, ldapadd and friends, not slapd itself; BASE saves typing -b on every command, and the plain ldap://localhost URI is acceptable only because that traffic never leaves the host:

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
BASE            dc=itsm,dc=unt,dc=edu
URI             ldap://localhost:389

slapd does not read ldap.conf, so no restart is required for that change; restarting anyway is a cheap check that the service comes back cleanly:

sudo service slapd restart

Confirm the slapd service is running; you should see a line, active (running), in the output of your service command:

service slapd status
● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
   Loaded: loaded (/etc/init.d/slapd; bad; vendor preset: enabled)
   Active: active (running) since Wed 2016-12-14 00:23:38 CST; 52min ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 3
   Memory: 9.6M
      CPU: 52ms
   CGroup: /system.slice/slapd.service
           └─2632 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d

Confirm your LDAP server is answering requests by giving it a simple search. The -x flag requests an anonymous simple bind, which works here because the default Ubuntu slapd ACL lets anyone read the tree; the one exception is userPassword, which anonymous clients may use to authenticate but never read:

ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=itsm,dc=unt,dc=edu> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# itsm.unt.edu
dn: dc=itsm,dc=unt,dc=edu
objectClass: top
objectClass: dcObject
objectClass: organization
o: unt.edu
dc: itsm

# admin, itsm.unt.edu
dn: cn=admin,dc=itsm,dc=unt,dc=edu
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Now that we have our LDAP server running, let's populate it with some users. Create a file named users.ldif with the following contents. The userPassword values are unsalted {SHA} hashes, which is why all three entries carry the same string; for anything beyond this lab, generate a salted value per user with slappasswd -h {SSHA} and paste its output instead:

dn: uid=tom,dc=itsm,dc=unt,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tom
uid: tom
uidNumber: 5010
gidNumber: 9010
homeDirectory: /home/tom
loginShell: /bin/bash
gecos: tom
userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE=
shadowLastChange: 17531
shadowMax: 0
shadowWarning: 0

dn: uid=olive,dc=itsm,dc=unt,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: olive
uid: olive
uidNumber: 5011
gidNumber: 9011
homeDirectory: /home/olive
loginShell: /bin/bash
gecos: olive
userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE=
shadowLastChange: 17531
shadowMax: 0
shadowWarning: 0

dn: uid=kevin,dc=itsm,dc=unt,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: kevin
uid: kevin
uidNumber: 5012
gidNumber: 9012
homeDirectory: /home/kevin
loginShell: /bin/bash
gecos: kevin
userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE=
shadowLastChange: 17531
shadowMax: 0
shadowWarning: 0

Now that we have a data file containing user information, we can import it into our LDAP database with ldapadd, binding as the admin entry and entering the admin password when prompted (-x selects a simple bind; without it the OpenLDAP tools attempt a SASL bind):

ldapadd -x -D 'cn=admin,dc=itsm,dc=unt,dc=edu' -W -f ~/users.ldif
Enter LDAP Password: 
adding new entry "uid=tom,dc=itsm,dc=unt,dc=edu"

adding new entry "uid=olive,dc=itsm,dc=unt,dc=edu"

adding new entry "uid=kevin,dc=itsm,dc=unt,dc=edu"
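As an added example (not part of the original tutorial), the following Python script generates the same three users with salted {SSHA} password values instead of the unsalted {SHA} values above, and emits a posixGroup entry for each gidNumber so that the client can later resolve group IDs to names. The base DN, the logins with their uid/gid numbers and the 1234567 lab password come from this page; the group DN layout (cn=<login>,dc=itsm,dc=unt,dc=edu), the 8-byte salt length and the shadowMax/shadowWarning values are assumptions.

```python
#!/usr/bin/env python3
"""Build users.ldif with salted {SSHA} hashes plus a posixGroup per gidNumber.

Added example for this tutorial, not the page's own code. From the page: the base
DN, the three logins with their uid/gid numbers, the lab password. Assumed: group
DNs of the form cn=<login>,<base>, an 8-byte salt, shadowMax 99999, shadowWarning 7.
"""
import base64
import hashlib
import hmac
import os
import time

BASE_DN = "dc=itsm,dc=unt,dc=edu"
USERS = [("tom", 5010, 9010), ("olive", 5011, 9011), ("kevin", 5012, 9012)]


def sha_hash(password):
    """Unsalted {SHA} value, the form used in the page's LDIF (kept for comparison)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ssha_hash(password, salt=None):
    """Salted {SSHA} value: base64(sha1(password + salt) + salt).

    With a per-user random salt, two accounts sharing a password no longer share
    a stored value, which the page's identical {SHA} strings make obvious.
    """
    if salt is None:
        salt = os.urandom(8)  # assumed length; the salt is appended after the digest
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_userpassword(stored, password):
    """Check a cleartext password against a {SHA} or {SSHA} userPassword value."""
    pw = password.encode()
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    raise ValueError("unsupported userPassword scheme")


def user_entry(name, uid_number, gid_number, password):
    """LDIF for one posixAccount with the same attribute set as the page's entries."""
    days = int(time.time() // 86400)  # shadowLastChange counts days since the epoch
    return "\n".join([
        f"dn: uid={name},{BASE_DN}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"cn: {name}",
        f"uid: {name}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{name}",
        "loginShell: /bin/bash",
        f"gecos: {name}",
        f"userPassword: {ssha_hash(password)}",
        f"shadowLastChange: {days}",
        "shadowMax: 99999",  # assumption: no forced expiry (the page sets 0)
        "shadowWarning: 7",
        "",
    ])


def group_entry(name, gid_number, members):
    """LDIF for a posixGroup so the client can turn a gidNumber back into a name."""
    lines = [f"dn: cn={name},{BASE_DN}", "objectClass: top", "objectClass: posixGroup",
             f"cn: {name}", f"gidNumber: {gid_number}"]
    lines += [f"memberUid: {m}" for m in members]
    return "\n".join(lines + [""])


def build_ldif(users=USERS, password="1234567"):
    """Users first, then one private group per user named after the login."""
    parts = [user_entry(n, u, g, password) for n, u, g in users]
    parts += [group_entry(n, g, [n]) for n, u, g in users]
    return "\n".join(parts)


if __name__ == "__main__":
    print(build_ldif())  # redirect to users.ldif and load it with ldapadd as above
```

Run it with the output redirected to users.ldif and load the file with the same ldapadd command as above; verify_userpassword is there so you can confirm a stored value matches a password without going through slapd.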

We can confirm the users were added by performing another ldapsearch command as follows:

ldapsearch -x objectClass=account dn cn uidnumber gidnumber
# extended LDIF
#
# LDAPv3
# base <dc=itsm,dc=unt,dc=edu> (default) with scope subtree
# filter: objectClass=account
# requesting: dn cn uidnumber gidnumber 
#

# tom, itsm.unt.edu
dn: uid=tom,dc=itsm,dc=unt,dc=edu
cn: tom
uidNumber: 5010
gidNumber: 9010

# olive, itsm.unt.edu
dn: uid=olive,dc=itsm,dc=unt,dc=edu
cn: olive
uidNumber: 5011
gidNumber: 9011

# kevin, itsm.unt.edu
dn: uid=kevin,dc=itsm,dc=unt,dc=edu
cn: kevin
uidNumber: 5012
gidNumber: 9012

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
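The search above only eyeballs the result. As an added example (not the tutorial's own code), the following Python script parses ldapsearch's LDIF output, including folded continuation lines and base64 ("attr::") values, and then checks the posixAccount entries for the things that matter before a client trusts this directory: duplicate uidNumbers, UIDs in the system range, gidNumbers with no posixGroup entry (the cause of the "cannot find name for group ID" message seen later on the client), and userPassword values leaking to an anonymous search. The sample output is constructed to resemble the page's results; the olive group and the "backdoor" and "kevin2" entries are invented so the checks have something to catch.

```python
#!/usr/bin/env python3
"""Parse ldapsearch output (LDIF) and audit the posixAccount entries it contains.

Added example, not the tutorial's own code. SAMPLE is constructed to look like the
page's ldapsearch output; the olive group, "backdoor" and "kevin2" are invented.
"""
import base64

SAMPLE = """\
# extended LDIF
# filter: (objectclass=*)

dn: uid=tom,dc=itsm,dc=unt,dc=edu
objectClass: posixAccount
uidNumber: 5010
gidNumber: 9010

dn: uid=olive,dc=itsm,dc=unt,dc=edu
objectClass: posixAccount
uidNumber: 5011
gidNumber: 9011

# kevin: gecos folded over two lines, as ldapsearch does for long values
dn: uid=kevin,dc=itsm,dc=unt,dc=edu
objectClass: posixAccount
uidNumber: 5012
gidNumber: 9012
gecos: Kevin Lab
  Account

# constructed group: makes gidNumber 9011 resolvable
dn: cn=olive,dc=itsm,dc=unt,dc=edu
objectClass: posixGroup
cn: olive
gidNumber: 9011

# constructed: root-equivalent account with a base64-encoded attribute
dn: uid=backdoor,dc=itsm,dc=unt,dc=edu
objectClass: posixAccount
uidNumber: 0
gidNumber: 0
description:: bGFiIGFjY291bnQ=

# constructed: second account reusing kevin's uidNumber
dn: uid=kevin2,dc=itsm,dc=unt,dc=edu
objectClass: posixAccount
uidNumber: 5012
gidNumber: 9012

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return a list of entries, each {attr_lowercase: [values]} including 'dn'."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # continuation of the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, attrs = [], {}
    for line in unfolded + [""]:                # sentinel flushes the last entry
        if not line:
            if "dn" in attrs:                   # "search:"/"result:" trailers have no dn
                entries.append(attrs)
            attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):               # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return entries


def audit(entries):
    """Findings a practitioner wants before pointing PAM/NSS at the directory."""
    findings, seen_uid = [], {}
    groups = {e["gidnumber"][0] for e in entries
              if "posixgroup" in {o.lower() for o in e.get("objectclass", [])}}
    for e in entries:
        if "posixaccount" not in {o.lower() for o in e.get("objectclass", [])}:
            continue
        dn = e["dn"][0]
        uidn, gidn = e.get("uidnumber", [""])[0], e.get("gidnumber", [""])[0]
        if uidn in seen_uid:
            findings.append(f"{dn}: uidNumber {uidn} already used by {seen_uid[uidn]}")
        else:
            seen_uid[uidn] = dn
        if uidn.isdigit() and int(uidn) < 1000:
            findings.append(f"{dn}: uidNumber {uidn} is in the system/root range")
        if gidn not in groups:
            findings.append(f"{dn}: gidNumber {gidn} has no posixGroup entry")
        if "userpassword" in e:
            findings.append(f"{dn}: userPassword returned to an anonymous search; check olcAccess")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(parse_ldif(SAMPLE))))
```

Against a live server, replace SAMPLE with the output of ldapsearch -x run without a bind; because that search is anonymous, any userPassword attribute it returns means the ACL is too permissive.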

Client: Configure PAM authentication to use LDAP

Now that we have our OpenLDAP server configured and populated with users, we can move on to configuring our Linux workstation to authenticate using our LDAP directory.

Log on to the client system (ssh user@cls-kvm2) and install the required dependencies:

sudo apt-get -y install ldap-auth-client nscd autofs

Configure ldap-auth-config:

sudo dpkg-reconfigure ldap-auth-config

Include the following settings:

LDAP Server URI: ldap://cls-kvm1.itsm.unt.edu
Distinguished name of the search base: dc=itsm,dc=unt,dc=edu
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP require login: No
LDAP account for root: cn=admin,dc=itsm,dc=unt,dc=edu
LDAP root account password: 1234567

Two things to know about these answers before using them outside the lab. The ldap:// URI carries no TLS, so every bind sends the user's password across the network in cleartext; switch to ldaps:// or STARTTLS once slapd has a certificate. Answering Yes to the root database admin question stores the directory admin password in /etc/ldap.secret on the client; it is only needed so that root can change LDAP passwords from this machine, and the file must stay mode 0600.

Configure NSS authentication client for LDAP:

sudo auth-client-config -t nss -p lac_ldap

- /etc/auth

Update PAM configuration:

sudo pam-auth-update

Ensure the following are checked and choose Ok:

PAM profiles to enable:
 * Unix authentication
 * LDAP Authentication
 * Register user sessions in the systemd control group hierarchy

Restart the NSCD service:

sudo service nscd restart

Edit /etc/pam.d/common-password and remove use_authtok from the pam_ldap.so password line; with it in place pam_ldap expects a new password already collected by an earlier module, and LDAP users cannot change their password with passwd:

#password       [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
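The answers given to dpkg-reconfigure end up in /etc/ldap.conf on the client. As an added example (not the tutorial's own code), the following Python script reads that file's key/value format and flags the settings a practitioner would question: a plaintext ldap:// URI with no STARTTLS, TLS without certificate verification or a trust anchor, and a rootbinddn that parks the admin password on the client. WEAK mirrors the answers above; HARDENED is an assumed variant that enables STARTTLS with the system CA bundle, which presumes slapd on cls-kvm1 has been given a certificate the bundle trusts (a setup step this page does not cover).

```python
#!/usr/bin/env python3
"""Flag weak settings in the /etc/ldap.conf that ldap-auth-config writes.

Added example, not the tutorial's own code. WEAK mirrors the answers given to
dpkg-reconfigure (pam_ldap/nss_ldap keys); HARDENED is an assumed variant that
turns on STARTTLS with certificate checking. That slapd already serves a
certificate trusted by the CA file is assumed, not configured here.
"""

WEAK = """\
base dc=itsm,dc=unt,dc=edu
uri ldap://cls-kvm1.itsm.unt.edu
ldap_version 3
rootbinddn cn=admin,dc=itsm,dc=unt,dc=edu
"""

HARDENED = """\
base dc=itsm,dc=unt,dc=edu
uri ldap://cls-kvm1.itsm.unt.edu
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
"""


def parse_ldap_conf(text):
    """Map each 'key value' line to {key_lowercase: value}; comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def check_ldap_conf(text):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    conf = parse_ldap_conf(text)
    findings = []
    scheme = conf.get("uri", "").partition("://")[0].lower()
    tls_on = scheme == "ldaps" or conf.get("ssl", "").lower() in ("start_tls", "on")
    if scheme == "ldap" and not tls_on:
        findings.append("uri is ldap:// with no 'ssl start_tls': simple binds send "
                        "user passwords to the server in cleartext")
    if tls_on and conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("TLS is on but tls_checkpeer is not 'yes': the server "
                        "certificate is never verified, so the session can be intercepted")
    if tls_on and not any(k in conf for k in ("tls_cacertfile", "tls_cacertdir")):
        findings.append("TLS is on but no tls_cacertfile/tls_cacertdir: no trust anchor "
                        "for the server certificate")
    if "rootbinddn" in conf:
        findings.append("rootbinddn set: the directory admin password is stored in "
                        "/etc/ldap.secret on this client; keep it mode 0600 and drop "
                        "rootbinddn if root never needs to change LDAP passwords here")
    return findings


if __name__ == "__main__":
    for label, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, check_ldap_conf(text) or "ok")
```

Point check_ldap_conf at the real file (open("/etc/ldap.conf").read()) after each dpkg-reconfigure run; an empty list is the goal, and the rootbinddn finding is the one you may consciously accept on a lab client.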

Confirm the client now sees the LDAP accounts; look for our LDAP users in the output of getent passwd:

getent passwd
...
tom:x:5010:9010:tom:/home/tom:/bin/bash
olive:x:5011:9011:olive:/home/olive:/bin/bash
kevin:x:5012:9012:kevin:/home/kevin:/bin/bash

Test authentication using su - kevin or su - olive:

su - kevin
Password: 
No directory, logging in with HOME=/
groups: cannot find name for group ID 9012
kevin@cls-kvm2:/$ 

In the next step we will resolve the No directory, logging in with HOME=/ message by auto-mounting home directories with autofs. The groups: cannot find name for group ID 9012 message is a separate issue: the directory has no posixGroup entry with gidNumber 9012, so NSS cannot map the number to a name. Add a posixGroup entry (cn, gidNumber and optionally memberUid) for each gidNumber you assigned and the message goes away.

Still on the client machine, install our AutoFS dependencies:



classes/la_slapd.1481773273.txt.gz · Last modified: 2016/12/14 19:41 by curry_searle