Configuring LDAP services (revision 1)

Introduction

Server configuration

  1. Run:
    apt-get install slapd ldap-utils
  2. At the ‘Configuring slapd’ window, when asked to set the LDAP administrator’s password, just press ENTER twice (we’ll set the real password in a moment).
  3. Run:
    dpkg-reconfigure slapd
  4. At the ‘Configuring slapd’ window, when asked ‘Omit OpenLDAP server configuration’ accept the default (i.e. the server configuration will be completed).
  5. At the ‘Configuring slapd’ window, when asked ‘DNS domain name’, accept the default.
  6. At the ‘Configuring slapd’ window, when asked ‘Organization name’, accept the default (the same as the DNS domain name).
  7. At the ‘Configuring slapd’ window, when asked (again) to set the LDAP administrator’s password, do so.
  8. At the ‘Configuring slapd’ window, when asked for the database backend to use, accept the default (MDB).
  9. At the ‘Configuring slapd’ window, when asked if you want the database to be removed when slapd is purged, accept the default (no).
  10. At the ‘Configuring slapd’ window, when asked if you want to move the old database, accept the default (yes).
  11. Test by running:
    ldapwhoami -H ldap:// -x     #  it may already be possible to drop the '-H ldap://' for this command, in which case re-test below can be removed

    (This should report ‘anonymous’ as root has not authenticated when using this command.)

  12. Run:
    apt-get install ldapscripts
  13. Edit /etc/ldapscripts/ldapscripts.conf and set the following, being sure to ignore the Debian-specific ways of doing things:
    SERVER="ldap://localhost"
    PASSWORDGEN="<ask>"         #  that's a literal '<' and '>'
    SUFFIX="dc=pasta,dc=net"      #  adjust to your own situation
    GSUFFIX="ou=Groups"
    USUFFIX="ou=Users"
    MSUFFIX="ou=Machines"
  14. Run:
    echo -n '<the-ldap-password-you-set-earlier>' > /etc/ldapscripts/ldapscripts.passwd
    chmod 400 /etc/ldapscripts/ldapscripts.passwd
  15. Test by running:
    ldapwhoami -x
  16. Before adding groups or users we need to add containers for these things. Create /tmp/containers.ldif containing the entries below (LDIF has no inline comments: anything after a value is taken as part of the value, so keep comments on their own lines starting with ‘#’):
    # adjust dc=...,dc=... to your own situation
    dn: ou=Users,dc=pasta,dc=net
    objectClass: organizationalUnit
    ou: Users

    dn: ou=Groups,dc=pasta,dc=net
    objectClass: organizationalUnit
    ou: Groups

    and then run:

    ldapadd -x -D cn=admin,dc=pasta,dc=net -W -f /tmp/containers.ldif     # adjust to your own situation
  17. Add a group like this:
    ldapaddgroup <groupname> <gid>    #  e.g. ldapaddgroup alexis 1000
  18. Add users to that group like this:
    ldapadduser <username> <groupname> <uid> #  e.g. ldapadduser alexis alexis 1000

Server configuration for automounter maps

  1. Create /tmp/containers-autofs.ldif containing the entry below (adjust dc=...,dc=... to your own situation; the parent ou=admin,dc=pasta,dc=net must already exist or ldapadd fails with ‘No such object’, and the automountMap and automount object classes used in the following steps come from the autofs schema, which slapd must have loaded):
    dn: ou=automount,ou=admin,dc=pasta,dc=net
    ou: automount
    objectClass: top
    objectClass: organizationalUnit

  2. If you want to store the auto.master map itself in LDAP (I do not!) then add this to the same file:
    dn: ou=auto.master,ou=automount,ou=admin,dc=pasta,dc=net
    ou: auto.master
    objectClass: top
    objectClass: automountMap

  3. If you want to store the auto.home map in LDAP (I do!) then add this to the same file:
    dn: ou=auto.home,ou=automount,ou=admin,dc=pasta,dc=net
    ou: auto.home
    objectClass: top
    objectClass: automountMap

  4. If you want to store the auto.staging map in LDAP (I do!) then add this to the same file:
    dn: ou=auto.staging,ou=automount,ou=admin,dc=pasta,dc=net
    ou: auto.staging
    objectClass: top
    objectClass: automountMap
  5. If you want to add an entry to auto.staging for the mailserver to automount the mail directory, using a symlink pointing from /var/mail to /staging/mail (I do!) then add the following to the same file:
    dn: cn=mail,ou=auto.staging,ou=automount,ou=admin,dc=pasta,dc=net
    cn: mail
    objectClass: top
    objectClass: automount
    automountInformation: -nordirplus,noatime,nodiratime,nfsvers=3,nolock,proto=tcp filer-on-storage-net.pasta.net,filer-on-public-net.pasta.net:/vol/small/mail
    
  6. If you want to add an entry to auto.staging for the mailserver to automount /pub, using a symlink pointing from /pub to /staging/pub (I do!) then add the following to the same file:
    dn: cn=pub,ou=auto.staging,ou=automount,ou=admin,dc=pasta,dc=net
    cn: pub
    objectClass: top
    objectClass: automount
    automountInformation: -nordirplus,noatime,nodiratime,nfsvers=3,nolock,proto=tcp filer-on-storage-net.pasta.net,filer-on-public-net.pasta.net:/vol/pub

  7. Finally, apply the changes by running:
    ldapadd -x -D cn=admin,dc=pasta,dc=net -W -f /tmp/containers-autofs.ldif    #  adjust dc=...,dc=...; -x selects simple bind, as for the earlier ldapadd
  8. Add a user like this:
    1. Create a file /tmp/<username>-autofs.ldif containing:
      dn: cn=alexis,ou=auto.home,ou=automount,ou=admin,dc=pasta,dc=net
      cn: alexis
      objectClass: top
      objectClass: automount
      automountInformation: -nordirplus,noatime,nodiratime,nfsvers=3,nolock,proto=tcp filer-on-storage-net.pasta.net,filer-on-public-net.pasta.net:/vol/small/home/alexis
    2. Run:
      ldapadd -x -D cn=admin,dc=pasta,dc=net -W -f /tmp/<username>-autofs.ldif
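The containers from step 16 of the server configuration and the automount maps and per-user entries above can be generated rather than typed, which matters once there are more than a handful of users. The following Python is an added example and not part of this page: it takes the suffix, the filer names and the mount options from the text, treats the user list and the export root as constructed sample values, and includes a minimal reader (parse_ldif, written only for its own output) so the LDIF can be checked before it is handed to ldapadd.

```python
# Added example (not from the page): generate the LDIF used in step 16 of the
# server configuration and in the automounter section, so that many users'
# auto.home entries come from one list.  SUFFIX, the filers and the mount
# options are taken from the page; users and export root are constructed.

SUFFIX = "dc=pasta,dc=net"                       # adjust to your own situation
AUTOFS_BASE = "ou=automount,ou=admin," + SUFFIX
FILERS = "filer-on-storage-net.pasta.net,filer-on-public-net.pasta.net"
MOUNT_OPTS = "-nordirplus,noatime,nodiratime,nfsvers=3,nolock,proto=tcp"


def ldif_entry(dn, attrs):
    """Render one LDIF entry.  LDIF has no inline comments: anything after a
    value belongs to the value, so explanatory text must go on '#' lines."""
    return "\n".join(["dn: " + dn] + [f"{a}: {v}" for a, v in attrs]) + "\n"


def organizational_unit(ou, parent):
    """A container such as ou=Users or ou=automount."""
    return ldif_entry(f"ou={ou},{parent}",
                      [("objectClass", "top"),
                       ("objectClass", "organizationalUnit"),
                       ("ou", ou)])


def automount_map(name, parent=AUTOFS_BASE):
    """A map such as auto.home (an ou carrying objectClass automountMap)."""
    return ldif_entry(f"ou={name},{parent}",
                      [("ou", name),
                       ("objectClass", "top"),
                       ("objectClass", "automountMap")])


def automount_entry(key, export, map_name, parent=AUTOFS_BASE):
    """One key in a map, mounted from the replicated filers."""
    info = f"{MOUNT_OPTS} {FILERS}:{export}"
    return ldif_entry(f"cn={key},ou={map_name},{parent}",
                      [("cn", key),
                       ("objectClass", "top"),
                       ("objectClass", "automount"),
                       ("automountInformation", info)])


def containers_ldif(suffix=SUFFIX):
    """Step 16 of the server configuration: ou=Users and ou=Groups."""
    return "\n".join(organizational_unit(ou, suffix) for ou in ("Users", "Groups"))


def autofs_ldif(users, maps=("auto.home", "auto.staging"),
                home_export_root="/vol/small/home"):
    """Automount container, the chosen maps and one auto.home key per user."""
    parts = [organizational_unit("automount", "ou=admin," + SUFFIX)]
    parts += [automount_map(m) for m in maps]
    parts += [automount_entry(u, f"{home_export_root}/{u}", "auto.home")
              for u in users]
    return "\n".join(parts)


def parse_ldif(text):
    """Minimal reader for what the generators emit: {dn: {attr: [values]}}.
    Entries are blank-line separated; '#' lines are comments."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        if not lines[0].startswith("dn: "):
            raise ValueError("entry does not start with dn: " + lines[0])
        attrs = {}
        for line in lines[1:]:
            name, value = line.split(": ", 1)
            attrs.setdefault(name, []).append(value)
        entries[lines[0][4:]] = attrs
    return entries


if __name__ == "__main__":
    # Constructed sample users; save the output as /tmp/containers-autofs.ldif
    # and apply it with: ldapadd -x -D cn=admin,dc=pasta,dc=net -W -f <file>
    print(autofs_ldif(["alexis", "judith"]))
```

parse_ldif deliberately rejects an entry whose first line is not a dn, which is exactly what an inline comment on a dn line would produce in hand-written LDIF; running the output through it before ldapadd catches that class of mistake.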

Client configuration

Note that pcms takes care of this for me!

  1. Run:
    apt-get install libnss-ldapd
  2. At the ‘Configuring nslcd’ window, when prompted ‘LDAP server URI’, enter ‘ldap://<ldap-server-ip-address>/’.
  3. At the ‘Configuring nslcd’ window, when prompted ‘LDAP server search base’, enter the correct search base as set earlier (e.g. ‘dc=pasta,dc=net’).
  4. At the ‘Configuring libnss-ldapd’, when prompted ‘Name services to configure’, enable passwd, group and shadow services.
  5. Test by running:
    getent passwd alexis
  6. If you want this NFS client to access automounter maps from LDAP then:

Miscellaneous LDAP-related procedures

Resetting the admin’s password

https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server

  1. Log in to the LDAP server.
  2. Change the password in the admin tree as follows:
    1. Get the LDIF-record specifying the current password, as in this example:
      ziti# ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW
      dn: olcDatabase={0}config,cn=config
      olcRootDN: cn=admin,cn=config
      
      dn: olcDatabase={1}mdb,cn=config
      olcRootDN: cn=admin,dc=pasta,dc=net
      olcRootPW: {SSHA}SEdA8EFr5wpS/vLyspPzAtuViaARtdUB
      
      ziti# 
      

      and note:

      • the use of -H ldapi:// -Y EXTERNAL to communicate over a channel that obviates the need to provide credentials in order to authenticate oneself
      • the hash type used to store the old password, which in this case is {SSHA}
      • the database format, which in this case is mdb.
    2. Use slappasswd, possibly with the -h option to use the same hash type as before, to generate the hash of the new password, e.g.:
      ziti# slappasswd -h '{SSHA}'
      New password: 
      Re-enter new password: 
      {SSHA}JCh1Ec89olTXRCe9HV1OJW7OId1B5JCq
      ziti#
    3. Create a new LDIF file called /tmp/config-admin-passwd.ldif containing:
      dn: olcDatabase={1}<database-format-e.g.-mdb>,cn=config
      changetype: modify
      replace: olcRootPW
      olcRootPW: <hashed-password-including-hash-type-prefix-as-reported-by-slappasswd-above>
      
    4. Apply this by running:
      ldapmodify -H ldapi:// -Y EXTERNAL -f /tmp/config-admin-passwd.ldif
  3. Change the password in the normal tree (the data tree holding cn=admin,dc=pasta,dc=net) as follows:
    1. Create a new LDIF file called /tmp/normal-admin-passwd.ldif containing:
      dn: cn=admin,dc=pasta,dc=net
      changetype: modify
      replace: userPassword
      userPassword: <hashed-password-including-hash-type-prefix-as-reported-by-slappasswd-above>
      
    2. Apply this by running:
      ldapmodify -H ldap:// -x -D "cn=admin,dc=pasta,dc=net" -W -f /tmp/normal-admin-passwd.ldif
      
    3. Note:
      • the use of -H ldap:// -x to do simple authentication, using the admin password just set above.
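After both ldapmodify steps the hash in cn=config and the one on cn=admin are salted independently, so they cannot be compared as strings; the useful check is whether each of them verifies against the new password. The following Python is an added example, not from this page: it reimplements the {SSHA} scheme that slappasswd -h '{SSHA}' produces (one SHA-1 over password plus a 4-byte random salt, then base64 of digest plus salt) and runs the check over ldapsearch -LLL output. The sample output, password and salts are constructed; the DNs are the ones used above.

```python
# Added example (not from the page): verify that olcRootPW in cn=config and
# userPassword on cn=admin both accept the new password after a reset.
# Sample ldapsearch output, password and salts below are constructed.
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """{SSHA} as slappasswd -h '{SSHA}' produces it:
    base64( SHA1(password || salt) || salt ), with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """True if password matches a {SSHA} value.  The salt is whatever follows
    the 20-byte SHA-1 digest, so non-default salt lengths also work."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_hashes(ldif_text):
    """Map each dn in ldapsearch -LLL output to its olcRootPW or userPassword.
    ldapsearch base64-encodes userPassword ('userPassword:: ...'), so both
    the ':' and the '::' forms are handled."""
    hashes, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
            continue
        for attr in ("olcRootPW", "userPassword"):
            if line.startswith(attr + ":: "):
                raw = line.split(":: ", 1)[1]
                hashes[dn] = base64.b64decode(raw).decode("utf-8")
            elif line.startswith(attr + ": "):
                hashes[dn] = line.split(": ", 1)[1]
    return hashes


def check_in_sync(password, ldif_text):
    """Which entries in the output accept the given password."""
    return {dn: ssha_verify(password, h)
            for dn, h in password_hashes(ldif_text).items()}


# Constructed sample of what the two ldapsearch commands return after a reset:
# the same password stored twice with different salts.
SAMPLE_PASSWORD = "Correct-Horse-7"                      # made up
SALT_CONFIG, SALT_ADMIN = b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"
CONFIG_DN = "olcDatabase={1}mdb,cn=config"
ADMIN_DN = "cn=admin,dc=pasta,dc=net"
SAMPLE_LDIF = (
    f"dn: {CONFIG_DN}\n"
    f"olcRootDN: {ADMIN_DN}\n"
    f"olcRootPW: {ssha_hash(SAMPLE_PASSWORD, SALT_CONFIG)}\n"
    "\n"
    f"dn: {ADMIN_DN}\n"
    "userPassword:: "
    + base64.b64encode(ssha_hash(SAMPLE_PASSWORD, SALT_ADMIN)
                       .encode("ascii")).decode("ascii")
    + "\n"
)

if __name__ == "__main__":
    print(check_in_sync(SAMPLE_PASSWORD, SAMPLE_LDIF))
```

To use it against a real server, capture the output of the ldapsearch over ldapi:// shown above (for olcRootPW) and of a search for userPassword on cn=admin,dc=pasta,dc=net, concatenate the two, and pass the text to check_in_sync; any entry reported False still holds the old hash. Since {SSHA} is a single SHA-1 round, the verifier is also a reminder that the strength of this value rests entirely on the password itself.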

Resetting user’s passwords

  1. Run:
    ldappasswd -H ldap:// -x -D "cn=admin,dc=pasta,dc=net" -W -S "uid=judith,ou=Users,dc=pasta,dc=net"

    and follow the prompts.

Determining which SASL authentication mechanisms are enabled

  1. Run:
    ldapsearch -LLL -H ldapi:// -Y EXTERNAL -D dc=pasta,dc=net -s base -b "" "(objectclass=*)" supportedSASLMechanisms

    (This is taken from here.)

  2. For reasons I don’t yet understand the following command gives different results:
    ldapsearch -LLL -x -s base -b "" "(objectclass=*)" supportedSASLMechanisms

    (This is based on something taken from here.)

See also