How to setup and maintain OpenLDAP server for your network

From FedoraNEWS.ORG

Written by Anze Vidmar on 2005-10-25


About

This is a step-by-step how-to for installing and setting up your OpenLDAP server on FC4. It also covers managing LDAP users and the GUI/Web tools for doing so. As a bonus, I'll show you how to automatically mount users' home folders (with NFS), so they can reach their home folders from any machine on the network that they log on to.


What is LDAP

LDAP is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network.


Benefits of having OpenLDAP

There are many benefits actually. But in this case, the main benefit is a centralized login scheme. We will set up LDAP on our server and create all the users for logging into our network in one place. We will also set up home folders for our LDAP users on our FC4 server and export them via NFS, so that when a user logs in on any machine in our network, he/she will automatically have his/her home folder available.


The Scenario

  • We have a small LAN 172.16.0.0/16 and the domain name is example.com, so our domain components (dc) are example and com
  • The server's name is ldap (IP 172.16.38.104) and our testing client's name is station5 (IP 172.16.38.105)
  • We will set up one Organizational Unit (OU) called People and create our new LDAP users in this OU


Installation

You can install all the necessary packages for setting up OpenLDAP from the Add/Remove Packages menu. You only need to select the OpenLDAP servers checkbox (under Network Servers) to install the required packages. The menu is shown below

Image:ldap1.JPG


You can also install the packages from the Fedora DVD/CDs by hand. All you need are these packages

openldap-2.2.23-5
openldap-devel-2.2.23-5
nss_ldap-234-4
openldap-clients-2.2.23-5
openldap-servers-2.2.23-5

Or you can use the yum tool

[root@ldap ~]# yum install openldap openldap-devel nss_ldap openldap-clients openldap-servers

This is the end of installation part. In the next step, we will configure our OpenLDAP server.


Configuration


Database directory

First we create the LDAP database. LDAP databases are located in the /var/lib/ldap folder by default. If you want a separate directory for your LDAP data, create it within /var/lib/ldap and make its owner (and group) ldap. Otherwise, leave it as is.


Create LDAP root password

This is done by

[root@ldap ~]# slappasswd
New password:
Re-enter new password:
{SSHA}5WcnZ/3lXJXf72pyS5Nv2z3sjNVrpm2m
[root@ldap ~]#

Note that the password may be whatever you want it to be; it doesn't need to be the same as root's password. Keep the hashed ({SSHA}) output, since you will have to paste it into the slapd.conf file later on.


Edit /etc/openldap/slapd.conf file

You can leave everything in the file as is, except the following lines, which need to be changed for our scenario:

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}5WcnZ/3lXJXf72pyS5Nv2z3sjNVrpm2m

Note: if you changed the LDAP database directory, correct it in this line

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

...otherwise leave it as is.

This is the end of the configuration part for LDAP server. You can start it by

[root@ldap ~]# service ldap start
Checking configuration files for slapd:  config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]
[root@ldap ~]#

And make sure the ldap service is started at boot time

[root@ldap ~]# chkconfig ldap on


Converting local users to LDAP users

Now might be the right time to create all (or a few of) the users that will be accessing your network and import them into LDAP. When I say create users, I mean create them locally, because we will import our local user list into LDAP. Keep in mind that in order to import local users into LDAP, you must convert the file (with the user info) to LDIF (LDAP Data Interchange Format), i.e. a *.ldif file. This is done with a ready-made script that comes with the OpenLDAP server.

The first step is to import the root user. Let's copy/paste or "grep" the root user info from the /etc/passwd file into a new file called passwd.root. This can be done like this (note that grep matches any line containing "root", so the operator account, whose home directory is /root, comes along too, as you will see in the import output later)

[root@ldap ~]# grep root /etc/passwd > /etc/openldap/passwd.root

Next, you can additionally import your existing local users into LDAP. This is done the same way. For example, let's say I have a user pokemon and I want to import it. I would do

[root@ldap ~]# grep pokemon /etc/passwd > /etc/openldap/passwd.ldapusers

If you have any more local users that you wish to add, repeat the last step, but this time use two ">" symbols instead of one. Why? Because a single ">" overwrites the previous content of the file and ">>" appends to it, and appending is exactly what you want.

[root@ldap ~]# grep pablo /etc/passwd >> /etc/openldap/passwd.ldapusers


Next, it's time to convert our files to LDIF format. Locate the migrate_passwd.pl script (in FC4 the LDAP migration scripts are located in the /usr/share/openldap/migration/ folder by default).

[root@ldap ~]# locate migrate_passwd.pl

If your index database (used for locating files) is too old, update it with the updatedb tool

[root@ldap ~]# updatedb

Now that you have located the script, use it to convert these two files

[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.root /etc/openldap/root.ldif
[root@ldap ~]# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.ldapusers /etc/openldap/ldapusers.ldif

Note: if you add another local user to LDAP later on, you need to re-run the conversion of the passwd.ldapusers file. There is no need to do that for the passwd.root file.

Now it's time to make a few changes in our two *.ldif files. You need to change the dn entries to suit our scenario. The default dn uses dc=padl,dc=com, so replace every occurrence of "padl" with "example".

Since we also named our root user Manager in slapd.conf file, you also need to change the cn=root to cn=Manager in the root.ldif file.

Your root.ldif ends up looking like this

dn: uid=root,ou=People,dc=example,dc=com
uid: root
cn: Manager
.
.
.
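The conversion above (grep the passwd line, turn it into an LDIF entry, rewrite the suffix) done as one shell function, added here as an illustration and not part of the original article or of the OpenLDAP migration tools. It builds the same posixAccount/shadowAccount attributes that migrate_passwd.pl emits (assumed from the script's usual output) but takes the base DN as a parameter, so no padl/example edit is needed afterwards; the passwd file used is a constructed sample.

```shell
# passwd_to_ldif USER PASSWD_FILE BASE_DN [CRYPT_HASH]
# Prints one LDIF entry for USER, ready for "ldapadd -f". Returns 1 if the
# user is not in PASSWD_FILE. Attribute set mirrors migrate_passwd.pl
# (assumption); the entry is placed under ou=People,BASE_DN.
passwd_to_ldif() {
    user="$1"; passwd_file="$2"; base="$3"; hash="$4"
    # anchor on the name field: a bare "grep pokemon" would also match
    # "pokemonster" or any gecos field that mentions pokemon
    line=$(grep "^${user}:" "$passwd_file") || return 1
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$line
EOF
    printf 'dn: uid=%s,ou=People,%s\n' "$name" "$base"
    printf 'uid: %s\ncn: %s\n' "$name" "$name"
    printf 'objectClass: account\nobjectClass: posixAccount\n'
    printf 'objectClass: top\nobjectClass: shadowAccount\n'
    # the hash comes from /etc/shadow, never from the passwd "x" field
    [ -n "$hash" ] && printf 'userPassword: {crypt}%s\n' "$hash"
    printf 'loginShell: %s\nuidNumber: %s\ngidNumber: %s\n' "$shell" "$uid" "$gid"
    printf 'homeDirectory: %s\n' "$home"
    [ -n "$gecos" ] && printf 'gecos: %s\n' "$gecos"
    printf '\n'   # blank line: the entry separator ldapadd requires
}

# constructed sample passwd file (not a real system file)
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pokemonster:x:1002:1002:Not the one we want:/home/pokemonster:/bin/bash
pokemon:x:1001:1001:Pokemon User:/home/pokemon:/bin/bash
EOF

# example run: the entry for pokemon under our suffix (hash is a fake placeholder)
passwd_to_ldif pokemon "$SAMPLE_PASSWD" "dc=example,dc=com" '$1$ab$placeholderhash'
```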

Next, you have to create a *.ldif file for the "example.com" domain

The LDIF files you created from /etc/passwd referred to users only. The attributes of the example.com domain haven't yet been defined, and you also haven't defined the organizational unit called People. This can be done using a third LDIF file called /etc/openldap/example.com.ldif, which should look like this:


dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=example,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit

Please note that you need the blank line between the two entries in the example.com.ldif file; without it the second entry's attributes are read as part of the first and the import fails with an error:

adding new entry "dc=example,dc=com"
ldap_add: Type or value exists (20)
        additional info: objectClass: value #1 provided more than once
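A small pre-flight check for the LDIF files before running ldapadd, added here as an illustration and not part of the original article or of OpenLDAP. It reports the two mistakes the error above comes from: a new dn line with no blank line before it, and an attribute value listed twice within one entry. The two LDIF files it is run on are constructed samples of the example.com.ldif file, one with the blank line missing and one correct.

```shell
# ldif_check FILE: exit 0 when every entry starts with "dn:", entries are
# separated by blank lines and no attribute value repeats inside an entry;
# otherwise print each problem with its line number and exit 1.
ldif_check() {
    awk '
        BEGIN { bad = 0; have_dn = 0 }
        /^#/  { next }                          # comments
        /^$/  { delete seen; have_dn = 0; next } # blank line ends the entry
        /^dn:/ {
            if (have_dn) {
                printf "line %d: new dn without a blank line before it\n", NR
                bad = 1        # do not reset: mirrors how ldapadd merges them
            }
            have_dn = 1; next
        }
        {
            if (!have_dn) { printf "line %d: attribute before any dn\n", NR; bad = 1 }
            if ($0 in seen) { printf "line %d: \"%s\" given more than once\n", NR, $0; bad = 1 }
            seen[$0] = 1
        }
        END { exit bad }
    ' "$1"
}

# constructed samples: the file as in the text but without the separator, and the fixed one
BAD_LDIF=$(mktemp); GOOD_LDIF=$(mktemp)
cat > "$BAD_LDIF" <<'EOF'
dn: dc=example,dc=com
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit
EOF
cat > "$GOOD_LDIF" <<'EOF'
dn: dc=example,dc=com
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit
EOF

ldif_check "$BAD_LDIF"   # reports line 6 (missing blank line) and line 8 (duplicate objectClass)
ldif_check "$GOOD_LDIF"  # silent, exit status 0
```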

The only step left is to actually import the three *.ldif files into our LDAP. First you need to import the root domain info (example.com.ldif), then the root user info (root.ldif) and last the additional local users (ldapusers.ldif), in that order. This is done as shown below, starting with the domain info

[root@ldap ~]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/example.com.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"

adding new entry "ou=People, dc=example,dc=com"
[root@ldap ~]#

Type your LDAP password when prompted and the data will be imported into the database.

Do the same for file root.ldif

[root@ldap~]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/root.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=example,dc=com"

adding new entry "uid=operator,ou=People,dc=example,dc=com"
[root@ldap~]#

...and ldapusers.ldif

[root@ldap~]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/ldapusers.ldif
Enter LDAP Password:
adding new entry "uid=pokemon,ou=People,dc=example,dc=com"
[root@ldap~]#

The importing part is done. The LDAP is set now and running. Let's test it on a client machine, shall we...


Configuring the LDAP client computer

The client machine may be *any* machine that you want your LDAP users to connect to (using LDAP authentication, of course). If you have a stand-alone server that you just want to share with others, then the server is also the client machine. Configure it to authenticate through LDAP so that users connecting locally or remotely (via ssh/telnet...) get authenticated.

But in our scenario we have another FC4 client box that users will log on to and work from. On the client side, we only need to configure the authentication type and point it at the LDAP server. For the GUI way of setting this, go to the console and invoke the command

[root@station5 ~]# system-config-authentication

or, if you like console better, you can also use the console-based config with the command

[root@station5 ~]# authconfig

I like both, but I prefer the fancy GUI for this demo :) Here is what you get

Image:Ldap2.JPG

Under the User Information tab, click on the "Enable LDAP support" checkbox; it will provide you with a configuration dialog.

Make sure you fill in the information correctly. Don't check the "Use TLS to encrypt connection" checkbox, because the authentication won't work. (Bear in mind that without TLS the client sends each user's bind password to the LDAP server in clear text, so this setup belongs on a trusted LAN only.) As you can see, the LDAP search base DN is already correct (example.com); all you have to do is type in the correct IP of the LDAP server, in our case 172.16.38.104, as shown below

Image:Ldap3.JPG

Now do the same on the Authentication tab. Check "Enable LDAP support" and click on the button below it to configure it. Leave the checkboxes for "Use shadow passwords" and "Use MD5 passwords" as they are. They need to stay enabled.

Fill in the same info as in previous tab and you will likely end up with configuration as shown below

Image:Ldap4.JPG

When done, click on OK buttons to save your configuration and we're all set for testing.


Testing

For testing purposes we'll use pokemon's account. Since pokemon doesn't have a local account on the client machine, he could not log on to it if we weren't using LDAP for authentication. This way, when pokemon wants to log in to the machine, the authentication mechanism first checks the local users for his account, and since he doesn't have a local account, it asks the LDAP server for his account info; since he is in the LDAP directory, he is successfully authenticated.

In the demo, I'll just use ssh to connect to the client machine. The procedure looks like this

Image:Ldap6.JPG

Don't get confused by the error about his home directory not being found. Since we created this user on the server and put his account info in LDAP, this only authenticates him on the client machines; it does NOT create a home folder for him, although that is possible too. Instead, I've written a bonus part, where we will set up our LDAP server so that every LDAP user who logs on to any client machine automatically has his home folder exported and can work from any machine with his/her files in the home folder. Read on...


Bonus: Exporting LDAP users home folders with NFS

In order for LDAP users' home folders to be exported to any machine they log on to, we need to set up an NFS server. You can learn more about what NFS is and how it works from this (http://nfs.sourceforge.net/) site.


Setting up NFS server

We have to set up NFS on the LDAP server (ldap.example.com). Configuration on both sides is pretty easy, and the effect is priceless. So, let's start with the config file for the NFS server, /etc/exports. In this file we tell our NFS server what we want to export, and to whom. For our scenario we want to export our /home folders to all the client machines in our LAN. This is done by configuring /etc/exports as follows (note that "*" exports to every host that can reach the server; to limit the export to our LAN as intended, use 172.16.0.0/16 in place of "*")

/home          *(rw,sync)

For the NFS server to read the configuration, invoke the command

[root@ldap ~]# exportfs -a

Ok, that's it :) Done configuring. Now start the services that need to be running for NFS to work; the services are

portmap
nfslock
nfs

Start them by

[root@ldap ~]# service portmap start
[root@ldap ~]# service nfslock start
[root@ldap ~]# service nfs start

...and make sure the services are automatically started at boot time

[root@ldap ~]# chkconfig portmap on
[root@ldap ~]# chkconfig nfslock on
[root@ldap ~]# chkconfig nfs on


Setting up NFS client

The client side of the configuration is also easy. Just make sure the same services (as for the NFS server) are started at boot

[root@station5 ~]# chkconfig portmap on
[root@station5 ~]# chkconfig nfslock on
[root@station5 ~]# chkconfig nfs on

Also, add the autofs service to your startup list, because this is the service that will actually mount our home folders from the NFS server into our /home folder

[root@station5 ~]# chkconfig autofs on


Next, clean up the home folders. The best way is to just move your /home folder to home.old or something similar

[root@station5 ~]# mv /home /home.old

Create the new folder /home

[root@station5 ~]# mkdir /home

Ok, before testing with an actual login, test whether you can mount the exported /home folders from the NFS server

[root@station5 ~]# mount 172.16.38.104:/home /home/

If no errors are returned and your machine is still responding, list the contents of /home, just to make sure

[root@station5 ~]# ls /home

and you should end up seeing the pokemon folder in your /home (/home/pokemon)


Ok, this works fine. It's time to automate it, so that every time a user logs on to a client his home folder is automatically mounted in /home

We will configure the autofs config files for this, starting with the master config file, /etc/auto.master. Add this line to your auto.master file

/home      /etc/auto.home

Now create the auto.home file in the /etc folder and edit it as follows

#/etc/auto.home
*   -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp 172.16.38.104:/home:&

That's it. Make sure the needed services are started and you are ready to test your configuration.


Testing

To test our scenario, let's log in again on the client computer; this time we must not get any error about the home folder not being found. It should look and feel exactly like logging on to a machine that already has the local user and home folder set up.

Here is my demo:

Image:Ldap76.JPG

See, no errors, and I'm in my home folder.

Now you can work normally; all the files and private stuff that you save into your home folder will actually be stored in the NFS server's home folders. And when you log in from another client (that has LDAP and NFS configured), you'll automatically have your home folder mounted and your private stuff in place.


Managing LDAP users

Managing (adding, deleting and modifying) LDAP users can be a painful job if we don't help ourselves with some scripts or tools.

My personal favourite is "LDAP Browser/Editor". It's written in Java, so you can use it on Linux and Windows. Here is a screenshot

Image:ldap8.JPG


And here are some ideas to get you started:

Directory Administrator (http://diradmin.open-it.org/index.php)

phpLDAPadmin (http://phpldapadmin.sourceforge.net/)

LDAP Browser/Editor (http://www-unix.mcs.anl.gov/~gawor/ldap/)

LDAP Account Manager (http://lam.sourceforge.net/)


Scripts to make your life easier

The following are examples of simple scripts for adding/deleting/modifying LDAP users. Keep in mind that you first need to create the local user on the server and then export it to LDAP with the script. It's exactly what we were doing earlier by hand, only now it is done automatically by the script.

  • Create the addldapuser script and copy/paste the following lines in
#!/bin/bash
# addldapuser <username>: export an existing local account to LDAP
user="$1"; [ -n "$user" ] || { echo "usage: $0 username" >&2; exit 1; }
tmp=$(mktemp -d /tmp/addldapuser.XXXXXX) || exit 1   # private temp dir instead of fixed, guessable /tmp names
trap 'rm -rf "$tmp"' EXIT
# anchor on the name field so "pablo" does not also match "pablo2" or a gecos mentioning pablo
grep "^${user}:" /etc/passwd > "$tmp/passwd" || { echo "no local user $user" >&2; exit 1; }
/usr/share/openldap/migration/migrate_passwd.pl "$tmp/passwd" "$tmp/raw.ldif"
# the migration script writes dc=padl,dc=com; rewrite it to our suffix
sed 's/dc=padl,dc=com/dc=example,dc=com/' "$tmp/raw.ldif" > "$tmp/user.ldif"
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f "$tmp/user.ldif"

Watch the line breaks: the migrate_passwd.pl call must stay on one line, or you will end up with errors. Now make the script executable and place it somewhere in your PATH.

[root@ldap ~]# chmod 700 addldapuser
[root@ldap ~]# mv addldapuser /usr/sbin

Sample usage:

[root@ldap ~]# addldapuser pablo

Note that the user pablo must already exist on the server as a local user.


  • Script deleteldapuser for deleting LDAP users from the database
#!/bin/bash
# deleteldapuser <username>: remove the user's entry from LDAP
[ -n "$1" ] || { echo "usage: $0 username" >&2; exit 1; }
ldapdelete -x -W -D "cn=Manager,dc=example,dc=com" "uid=$1,ou=People,dc=example,dc=com"

Make it executable and place it in your PATH as before

[root@ldap ~]# chmod 700 deleteldapuser
[root@ldap ~]# mv deleteldapuser /usr/sbin


Sample usage:

[root@ldap ~]# deleteldapuser pablo


  • Script modifyldapuser for modifying LDAP users
#!/bin/bash
# modifyldapuser <username>: push the local account's current data to its LDAP entry
user="$1"; [ -n "$user" ] || { echo "usage: $0 username" >&2; exit 1; }
tmp=$(mktemp -d /tmp/modifyldapuser.XXXXXX) || exit 1   # private temp dir instead of fixed, guessable /tmp names
trap 'rm -rf "$tmp"' EXIT
# anchor on the name field so "pablo" does not also match "pablo2"
grep "^${user}:" /etc/passwd > "$tmp/passwd" || { echo "no local user $user" >&2; exit 1; }
/usr/share/openldap/migration/migrate_passwd.pl "$tmp/passwd" "$tmp/raw.ldif"
sed 's/dc=padl,dc=com/dc=example,dc=com/' "$tmp/raw.ldif" > "$tmp/user.ldif"
ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f "$tmp/user.ldif"

Make it executable and place it in your PATH as before

[root@ldap ~]# chmod 700 modifyldapuser
[root@ldap ~]# mv modifyldapuser /usr/sbin


Sample usage:

[root@ldap ~]# modifyldapuser pablo


Conclusion

LDAP is becoming a standard in network environments. We can find LDAP in Unix, Linux and Windows environments. Although it looks complicated to set up and manage, it's really not. Go step by step, know what you are doing, and you'll see it's really simple. The same goes for user management. It's easy when you have a GUI tool for it.
