Simple LDAP setup for Edubuntu

Karmic or Lucid

Server: install slapd, ldap-utils

Install the packages you'll need from apt.

sudo apt-get install slapd ldap-utils

Server: Install schemas

This will install the schemas you'll need for doing LDAP authentication.

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Server: Create initial cn=config entry

You'll need to create cn=config entry.


We're going to assume that our LDAP database is being set up with o=edubuntu. Our admin password for the ldap administrator (cn=admin,o=edubuntu) is "edubuntu". Security!

Create the following file, save it as config.ldif:

# Edubuntu Database Setup

# Load modules for database type
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: o=edubuntu
olcRootDN: cn=admin,o=edubuntu
olcRootPW: edubuntu
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,o=edubuntu" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,o=edubuntu" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 4194304 0
olcDbConfig: {1}set_lk_max_objects 2048
olcDbConfig: {2}set_lk_max_locks 2048
olcDbConfig: {3}set_lk_max_lockers 2048
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq

Install it with:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif

Server: Create your initial database

We'll create our database. We'll have two ou's (organization units).

ou=users,o=edubuntu will hold our users (/etc/password and /etc/shadow).

ou=groups,o=edubuntu will hold our groups (/etc/groups).

Create the a file called root.ldif:

# o=edubuntu
dn: o=edubuntu
objectclass: organization
o: edubuntu
description: Edubtunu

# Administrator
dn: cn=admin,o=edubuntu
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: edubuntu
description: LDAP administrator

# Users
dn: ou=users,o=edubuntu
objectClass: organizationalUnit
objectClass: top
description: Users
ou: users

# Groups
dn: ou=groups,o=edubuntu
objectClass: organizationalUnit
objectClass: top
description: Groups
ou: groups

Add it with the following command:

sudo ldapadd -x -D cn=admin,o=edubuntu -W -f root.ldif

It'll ask you for a password. Use what you did in the config step, i.e. edubuntu (Security!)

Server: add a user and group

So, add a user. And their group as well. Here's a user who's /etc/password line would look like:

sbalneav:x:1000:1000:Scott Balneaves:/home/sbalneav:/bin/bash

And who's password expires every 90 days. Default password is set to sbalneav (Security!).

Create a file called sbalneav.ldif:

# Example user and group

# User
dn: uid=sbalneav,ou=users,o=edubuntu
cn: Scott Balneaves
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
displayName: Scott Balneaves
telephoneNumber: 555-1212
givenName: Scott
sn: Balneaves
uid: sbalneav
uidNumber: 1000
gidNumber: 1000
gecos: Scott Balneaves
homeDirectory: /home/sbalneav
loginShell: /bin/bash
shadowMax: 90
shadowWarning: 7
userPassword: sbalneav

# Group
dn: cn=sbalneav,ou=groups,o=edubuntu
cn: sbalneav
objectClass: posixGroup
objectClass: top
gidNumber: 1000

There's some other useful info set in there, like mail address, display name, and homepage.

add it with:

sudo ldapadd -x -D cn=admin,o=edubuntu -W -f sbalneav.ldif

Password, edubuntu, you know the drill.

Congrats! You now have a working LDAP auth server.

On to the client.

Client: install client pieces

There's a nice meta-package that installs all the stuff you need.

sudo apt-get install ldap-auth-client
  • It'll ask for the base. Base is o=edubuntu
  • connect as DB version 3
  • Root bind dn is cn=admin,o=edubuntu (from above)
  • Password is edubuntu (Security!)

Client: create an auth-client-config profile

Create a file in /etc/auth-client-config/profile.d, called edubuntu-ldap-config:

nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
nss_netgroup=netgroup: compat ldap
pam_auth=auth         optional
         auth         sufficient
         auth         required nullok_secure use_first_pass
pam_account=account   sufficient
            account   required
pam_password=password sufficient
             password required try_first_pass
pam_session=session   required
            session   required skel=/etc/skel/
            session   optional
            session   optional

This will set up both nss and pam services to use LDAP.

Set the auth config with:

sudo auth-client-config -a -p edubuntu

Note that the "edubuntu" in that command comes from the [edubuntu] in the config file.

Client: reboot the machine

I always find I need this.

Client: log in as user

For some reason, the user won't appear in the gdm face browser until they've logged in for the first time, so choose "other", and log in with user "sbalneav", password "sbalneav".

Things like getent password will give you the combined local /etc/passwd and LDAP password database, as you'd expect.

Edubuntu/WikiSite/SimpleLDAPSetup (last edited 2010-02-07 17:01:55 by S010600902754713b)