Using OpenLDAP for Linux Accounts Management

This document assumes you are using Ubuntu Server 6.06 (dapper) for both the server and client. It also assumes using Kerberos (Active Directory) for all authentication. If you want to use OpenLDAP for authentication, use the pam_ldap module.

Configuring the server

We want to set-up a host named accounts.student.cs.uwaterloo.ca with the OpenLDAP server to house account information (home directory, login shell, etc...) for Unix computers in the undergraduate teaching environment run by CSCF. Since the students have Active Directory accounts already for the Mac Labs and Terminal server, we'll use the Active Directory for authentication.

• Follow the instructions of the prerequisite steps section of this document.
• Create an account in AD representing the ldap service principal and generate a keytab file.
• Install (or merge) the keytab file as /etc/krb5.keytab and run chmod 600 /etc/krb5.keytab
• Run apt-get install slapd. It doesn't matter what answers you give to the Debian configuration program, since you are just going to blow away the database anyway. We'll assume you have OpenLDAP 2.2.x.
• Stop the server by running /etc/init.d/slapd stop.
• Delete the entire contents of /var/lib/ldap.
• Edit /etc/ldap/slapd.conf. Here is a sample.
• Using slapadd, initialize the database with some entries.
• Run slapindex to generate search indices.
• Start the server by running /etc/init.d/slapd start.
• Using ldapadd, add some users and groups.

Notes for OpenLDAP 2.3.x Server on Ubuntu Feisty

There are three noticeable changes:

• The slapd daemon runs as user openldap rather than root.
• Extra configuration is required to get sasl2 and slapd working.
• There may be some changes to the syntax of certain directives in /etc/ldap/slapd.conf.

The changes above imply the following:

• After running slapindex, make sure the contents of /var/lib/ldap have ownership openldap:openldap.
• The openldap user needs to be able to read the keytab file that contains the ldap service principal.
• You'll need to create the file /etc/ldap/sasl2/slapd.conf (not to be confused with /etc/ldap/slapd.conf) containing some sasl directives:
  • mech_list: GSSAPI
  • keytab: /path/to/keytab
• Be sure to read slapd.conf(5) before editing /etc/ldap/slapd.conf.

Configuring the client

We want to configure the host krbtux.student.cs.uwaterloo.ca to make use of accounts that exist in the directory on the OpenLDAP server accounts.student.cs.uwaterloo.ca. We'll use the STUDENT.CS.UWATERLOO.CA realm for authentication.

• Follow the instructions on configuring the host for Kerberos authentication against Active Directory.
• Install the nss-ldap library by running apt-get install libnss-ldap.
• Create a host entry for krbtux in the OpenLDAP directory.
• Change three lines /etc/nsswitch.conf:

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

• The /etc/libnss-ldap.conf only needs to contain the following lines:

host accounts.student.cs.uwaterloo.ca
base dc=ldap,dc=student,dc=cs,dc=uwaterloo,dc=ca
ldap_version 3
nss_base_passwd ou=People,dc=ldap,dc=student,dc=cs,dc=uwaterloo,dc=ca?one
nss_base_shadow ou=People,dc=ldap,dc=student,dc=cs,dc=uwaterloo,dc=ca?one
nss_base_group  ou=Groups,dc=ldap,dc=student,dc=cs,dc=uwaterloo,dc=ca?one
use_sasl on
rootuse_sasl on
SASL_MECH GSSAPI

The root account will need to run kinit -k host/krbtux.student.cs.uwaterloo.ca so that the host can get credentials to read the data in the directory.

Other things you'll need/want to do

• On the client, find a way for root to keep a valid credential cache for the host service principal all the time. For example, run /usr/bin/kdestroy;/usr/bin/kinit -k host/krbtux.student.cs.uwaterloo.ca via cron.
• Wrap the LDAP client-server communications with SSL
• Set-up an OpenLDAP replica server for redundancy.

-- JasonTestart - 24 Apr 2007