Using OpenLDAP for Linux Accounts Management
This document assumes you are using Ubuntu Server 6.06 (dapper) for both the server and the client. It also assumes that Kerberos (Active Directory) is used for all authentication. If you want to use OpenLDAP itself for authentication, use the pam_ldap module.
Configuring the server
We want to set up a host named accounts.student.cs.uwaterloo.ca with the OpenLDAP server to house account information (home directory, login shell, etc.) for Unix computers in the undergraduate teaching environment run by CSCF. Since the students already have Active Directory accounts for the Mac Labs and Terminal Server, we'll use the Active Directory for authentication.
- Follow the instructions of the prerequisite steps section of this document.
- Create an account in AD representing the ldap service principal and generate a keytab file.
- Install (or merge) the keytab file as /etc/krb5.keytab and run chmod 600 /etc/krb5.keytab.
- Run apt-get install slapd. It doesn't matter what answers you give to the Debian configuration program, since you are just going to blow away the database anyway. We'll assume you have OpenLDAP 2.2.x.
- Stop the server by running /etc/init.d/slapd stop.
- Delete the entire contents of /var/lib/ldap.
- Edit /etc/ldap/slapd.conf. Here is a sample.
- Using slapadd, initialize the database with some entries.
- Run slapindex to generate search indices.
- Start the server by running /etc/init.d/slapd start.
- Using ldapadd, add some users and groups.
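Sample entries for the slapadd and ldapadd steps above, as an added example written for this page rather than taken from it. It assumes the stock cosine and nis schemas are included in slapd.conf (they supply account, posixAccount and posixGroup); the base DN is the one used by the client configuration later on this page, while the user, group and the 1000 ID floor are constructed.

```shell
# LDIF generators for the layout this page describes. The base DN is the page's;
# every name and ID is constructed. Auth is Kerberos, so no userPassword is written.
BASE='dc=ldap,dc=student,dc=cs,dc=uwaterloo,dc=ca'
MIN_ID=1000   # assumption: IDs below this belong to local/system accounts
# Input checks: names must be plain lowercase identifiers, and numeric IDs must
# not overlap the local range (an LDAP entry with uidNumber 0 would be root).
valid_name() { case $1 in ''|*[!a-z0-9_-]*) return 1 ;; esac; }
valid_id()   { case $1 in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -ge "$MIN_ID" ]; }

# base_ldif: the suffix entry plus ou=People and ou=Groups, for slapadd.
base_ldif() {
    cat <<EOF
dn: $BASE
objectClass: domain
dc: ldap

dn: ou=People,$BASE
objectClass: organizationalUnit
ou: People

dn: ou=Groups,$BASE
objectClass: organizationalUnit
ou: Groups
EOF
}

# user_ldif UID UIDNUMBER GIDNUMBER "FULL NAME": one posixAccount for ldapadd.
user_ldif() {
    valid_name "$1" && valid_id "$2" && valid_id "$3" && [ -n "$4" ] || return 1
    cat <<EOF
dn: uid=$1,ou=People,$BASE
objectClass: account
objectClass: posixAccount
uid: $1
cn: $4
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/bash
EOF
}

# group_ldif NAME GIDNUMBER [MEMBER...]: one posixGroup; members are checked first.
group_ldif() {
    valid_name "$1" && valid_id "$2" || return 1
    n=$1; g=$2; shift 2
    for m in "$@"; do valid_name "$m" || return 1; done
    printf 'dn: cn=%s,ou=Groups,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' "$n" "$BASE" "$n" "$g"
    for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
}
```

Feed base_ldif to slapadd (which reads standard input when no -l file is given) before the slapindex step, and pipe user_ldif and group_ldif output to ldapadd once slapd is running.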
Notes for OpenLDAP 2.3.x Server on Ubuntu Feisty
There are three noticeable changes:
- The slapd daemon runs as user openldap rather than root.
- Extra configuration is required to get sasl2 and slapd working.
- There may be some changes to the syntax of certain directives in /etc/ldap/slapd.conf.
The changes above imply the following:
- After running slapindex, make sure the contents of /var/lib/ldap have ownership openldap:openldap.
- The openldap user needs to be able to read the keytab file that contains the ldap service principal.
- You'll need to create the file /etc/ldap/sasl2/slapd.conf (not to be confused with /etc/ldap/slapd.conf) containing some sasl directives:
  - mech_list: GSSAPI
  - keytab: /path/to/keytab
- Be sure to read slapd.conf(5) before editing /etc/ldap/slapd.conf.
Configuring the client
We want to configure the host krbtux.student.cs.uwaterloo.ca to make use of accounts that exist in the directory on the OpenLDAP server accounts.student.cs.uwaterloo.ca. We'll use the STUDENT.CS.UWATERLOO.CA realm for authentication.
- Follow the instructions on configuring the host for Kerberos authentication against Active Directory.
- Install the nss-ldap library by running apt-get install libnss-ldap.
- Create a host entry for krbtux in the OpenLDAP directory.
- Change three lines in /etc/nsswitch.conf:
    passwd: compat ldap
    group: compat ldap
    shadow: compat ldap
- The /etc/libnss-ldap.conf only needs to contain the following lines:
    host accounts.student.cs.uwaterloo.ca
    base dc=ldap,dc=student,dc=cs,dc=uwaterloo,dc=ca
    ldap_version 3
    nss_base_passwd ou=People,dc=ldap,dc=student,dc=cs,dc=uwaterloo,dc=ca?one
    nss_base_shadow ou=People,dc=ldap,dc=student,dc=cs,dc=uwaterloo,dc=ca?one
    nss_base_group ou=Groups,dc=ldap,dc=student,dc=cs,dc=uwaterloo,dc=ca?one
    use_sasl on
    rootuse_sasl on
    SASL_MECH GSSAPI
The root account will need to run kinit -k host/krbtux.student.cs.uwaterloo.ca so that the host can get credentials to read the data in the directory.
Other things you'll need/want to do
- On the client, find a way for root to keep a valid credential cache for the host service principal at all times. For example, run /usr/bin/kdestroy;/usr/bin/kinit -k host/krbtux.student.cs.uwaterloo.ca via cron.
- Wrap the LDAP client-server communications with SSL.
- Set up an OpenLDAP replica server for redundancy.
--
JasonTestart - 24 Apr 2007