
2. OpenLDAP

2.1. Server

  1. First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

    sudo apt-get install slapd ldap-utils

    By default the directory suffix will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be dc=example,dc=com. If you require a different suffix, the directory can be reconfigured using dpkg-reconfigure. Enter the following in a terminal prompt:

    sudo dpkg-reconfigure slapd
  2. Create a file named example.com.ldif containing the following entries (two organizational units, a user and a group):

    dn: ou=people,dc=example,dc=com
    objectClass: organizationalUnit
    ou: people
    
    dn: ou=groups,dc=example,dc=com
    objectClass: organizationalUnit
    ou: groups
    
    dn: uid=john,ou=people,dc=example,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: john
    sn: Doe
    givenName: John
    cn: John Doe
    displayName: John Doe
    uidNumber: 1000
    gidNumber: 10000
    userPassword: password
    gecos: John Doe
    loginShell: /bin/bash
    homeDirectory: /home/john
    shadowExpire: -1
    shadowFlag: 0
    shadowWarning: 7
    shadowMin: 8
    shadowMax: 999999
    shadowLastChange: 10877
    mail: john.doe@example.com
    postalCode: 31000
    l: Toulouse
    o: Example
    mobile: +33 (0)6 xx xx xx xx
    homePhone: +33 (0)5 xx xx xx xx
    title: System Administrator
    postalAddress: 
    initials: JD
    
    dn: cn=example,ou=groups,dc=example,dc=com
    objectClass: posixGroup
    cn: example
    gidNumber: 10000
  3. To add the entries to the LDAP directory use the ldapadd utility:

    ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif

    We can check that the entries were added correctly with the tools from the ldap-utils package. To search the directory for the user john and print some of his attributes:

    ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn

    dn: uid=john,ou=people,dc=example,dc=com
    cn: John Doe
    sn: Doe
    givenName: John

A quick explanation of the options:

-x: use simple authentication instead of SASL (the default).

-LLL: print the results as plain LDIF, without the version line and comments.
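
The entries in example.com.ldif must be loadable in file order: ldapadd sends them one by one, and a child entry is rejected with "no such object" when its parent does not exist yet. The sample also stores john's userPassword in clear text, and slapd keeps a userPassword value exactly as given. The following Python script is an added example, not code from this page or from OpenLDAP: it parses a small LDIF, reports entries that appear before their parent, lists clear-text userPassword values, and builds an {SSHA} value with the same layout slappasswd produces by default, so that the hashed form can be pasted into the LDIF instead of the clear-text one. The SAMPLE_LDIF string is constructed for this example (the ou=people container is deliberately placed after the user that lives under it), and all function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample (not the page's file): a cut-down example.com.ldif with the
# ou=people container placed AFTER the user entry that lives under it.
SAMPLE_LDIF = """\
dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: john
sn: Doe
cn: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: password
homeDirectory: /home/john

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
"""


def parse_ldif(text):
    """Parse plain LDIF content records into a list of (dn, {attr: [values]}),
    preserving file order. Handles folded lines (leading space) and '#' comments;
    base64 ('::') values and changetype records are out of scope here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return entries


def parent_dn(dn):
    """Strip the leftmost RDN (naive split; escaped commas are not handled)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def check_order(entries, base_dn):
    """Return DNs that ldapadd would reject with 'no such object' because their
    parent is neither the suffix nor an entry that appears earlier in the file."""
    seen = {base_dn.lower()}
    problems = []
    for dn, _ in entries:
        if parent_dn(dn).lower() not in seen:
            problems.append(dn)
        seen.add(dn.lower())
    return problems


def plaintext_passwords(entries):
    """Return DNs whose userPassword lacks a {SCHEME} prefix, i.e. is clear text."""
    return [dn for dn, attrs in entries
            for pw in attrs.get("userpassword", [])
            if not pw.startswith("{")]


def ssha(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Check a clear-text password against an {SSHA} value (salt follows the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("added before parent:", check_order(entries, "dc=example,dc=com"))
    print("clear-text userPassword:", plaintext_passwords(entries))
    print("hashed replacement:", ssha("password"))
```

Running the script on the sample flags uid=john as added before ou=people and as carrying a clear-text password; swapping the two records (as the page's file already does) clears the first finding, and replacing the value with the printed {SSHA} string clears the second.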

2.2. Client

  1. Install the NSS LDAP module, libnss-ldap:

    sudo apt-get install libnss-ldap
  2. If the values entered during installation need to be changed, reconfigure ldap-auth-config:

    sudo dpkg-reconfigure ldap-auth-config
  3. Enable the LDAP profile for NSS with auth-client-config:

    sudo auth-client-config -t nss -p lac_ldap
  4. Update the PAM configuration with pam-auth-update:

    sudo pam-auth-update

2.3. User and Group Management

Install the ldapscripts package:

sudo apt-get install ldapscripts

Then edit /etc/ldapscripts/ldapscripts.conf to match the directory:

SERVER=localhost
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000

Now, create the ldapscripts.passwd file to allow authenticated access to the directory:

sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"
sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd
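
Two details of those commands matter: echo -n keeps a newline out of the file (the ldap-utils -y option, which reads a password from a file, uses the file's complete contents, newline included), and between the redirection and chmod the file briefly exists with the permissions the umask gives it. The following Python is an added example, not part of ldapscripts: it creates the password file with mode 0400 in a single open() call and checks an existing file for group/other permission bits, empty content or a trailing newline. The self_check() function, its temporary paths and the password "secret" are constructed for this example.

```python
import os
import stat
import tempfile


def write_bind_password(path, password):
    """Create the bind-password file with mode 0400 from the start and without a
    trailing newline. O_EXCL makes it fail rather than overwrite an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    try:
        os.write(fd, password.encode("utf-8"))
    finally:
        os.close(fd)


def check_bind_password_file(path):
    """Return a list of findings for an existing password file: group/other
    permission bits, empty content, or a trailing newline that would be sent
    as part of the password."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("mode %o allows group/other access" % mode)
    with open(path, "rb") as fh:
        data = fh.read()
    if not data:
        findings.append("file is empty")
    elif data.endswith(b"\n"):
        findings.append("trailing newline")
    return findings


def self_check():
    """Write one correct and one sloppy file in a temporary directory (constructed
    for this example) and return their findings plus the mode of the good file."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "ldapscripts.passwd")
    write_bind_password(good, "secret")
    sloppy = os.path.join(tmp, "sloppy.passwd")
    with open(sloppy, "wb") as fh:
        fh.write(b"secret\n")        # what `echo 'secret' > file` would leave
    os.chmod(sloppy, 0o644)          # what a 022 umask leaves before chmod 400
    result = (check_bind_password_file(good),
              check_bind_password_file(sloppy),
              stat.S_IMODE(os.stat(good).st_mode))
    for p in (good, sloppy):
        os.remove(p)
    os.rmdir(tmp)
    return result


if __name__ == "__main__":
    good_findings, sloppy_findings, good_mode = self_check()
    print("good file:", good_findings, "mode %o" % good_mode)
    print("sloppy file:", sloppy_findings)
```

Pointing check_bind_password_file at /etc/ldapscripts/ldapscripts.passwd (as root) is a quick way to confirm the file created by the commands above before the first ldapscripts run.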