These are only very short reminder notes on installing an LDAP server and configuring a Linux client to authenticate through the PAM/LDAP module.
Server side
Add a DNS entry for ldap.softndesign.org in /etc/bind/db.softndesign.org
Code
Install LDAP server
Shell
| aptitude install slapd ldap-utils |
Debconf answers
- Omit OpenLDAP server configuration? No
- DNS domain name: softndesign.org
- Organization name? softndesign.org
- Administrator password: PASSWORD
- Confirm password: PASSWORD
- Database backend to use: HDB
- Do you want the database to be removed when slapd is purged? No
- Allow LDAPv2 protocol? No
Configure ldap utilities in /etc/ldap/ldap.conf
Code
| BASE dc=softndesign,dc=org |
| URI ldap://ldap.softndesign.org |
Modify /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif to index uid
Code
Then rebuild the index (slapd must be stopped while slapindex runs, and the files it writes must be handed back to the openldap user):
Shell
| invoke-rc.d slapd stop |
| slapindex |
| chown -R openldap:openldap /var/lib/ldap |
| invoke-rc.d slapd start |
Install phpldapadmin
Shell
| aptitude install phpldapadmin |
Configure phpldapadmin in /etc/phpldapadmin/config.php
PHP
| $servers->setValue('server','name',"Soft'n'Design LDAP Server"); |
| $servers->setValue('server','host','ldap.softndesign.org'); |
| $servers->setValue('server','base',array('dc=softndesign,dc=org')); |
| $servers->setValue('login','bind_id','cn=admin,dc=softndesign,dc=org'); |
In /etc/phpldapadmin/templates/creation, only keep
- alias.xml
- dNSDomain.xml
- inetOrgPerson.xml
- organizationalRole.xml
- ou.xml
- posixAccount.xml
- posixGroup.xml
- simpleSecurityObject.xml
Modify /etc/phpldapadmin/templates/creation/posixGroup.xml so that the first group number will be 0, then 1000, 1001, ...
XML
Modify /etc/phpldapadmin/templates/creation/posixAccount.xml so that the first user number will be 0, then 1000, 1001, ...
XML
Modify /etc/phpldapadmin/templates/creation/posixAccount.xml so that bash or zsh will be the login shell.
XML
| <value id="/bin/nologin">false</value> |
| <value id="/bin/sh">/bin/sh</value> |
| <value id="/bin/csh">/bin/csh</value> |
| <value id="/bin/tsh">/bin/tsh</value> |
| <value id="/bin/zsh">/bin/zsh</value> |
| <value id="/bin/bash">/bin/bash</value> |
Setup your directory:
- Log in to http://127.0.0.1/phpldapadmin with the admin password.
- Create two organisational units: Groups and People.
- Create posix groups (the first must be root, with gid 0) as child elements of Groups.
- Create user accounts (the first must be root, with uid 0) as child elements of People.
- Modify the groups to assign users to them.
Check that your LDAP server is operational.
Shell
Client side
Install the Name Service Switch module and the name service cache daemon.
Shell
| aptitude install libnss-ldap nscd |
Debconf answers
- libnss-ldap
- LDAP server Uniform Resource Identifier: ldap://ldap.softndesign.org/
- Distinguished name of the search base: dc=softndesign,dc=org
- LDAP version to use: 3
- Does the LDAP database require login? No
- Special LDAP privileges for root? No
- Make the configuration file readable/writeable by its owner only? No
- libpam-ldap
- Allow LDAP admin account to behave like local root? Yes
- Does the LDAP database require login? No
- LDAP administrative account: cn=admin,dc=softndesign,dc=org
- LDAP administrative password: PASSWORD
- Local encryption algorithm to use for passwords: md5
- libpam-runtime
- PAM profiles to enable: select all
Configure the NSS module in /etc/libnss-ldap.conf
Code
| base dc=softndesign,dc=org |
| uri ldap://ldap.softndesign.org/ |
| ldap_version 3 |
Activate the LDAP NSS module in /etc/nsswitch.conf
Code
| passwd: files ldap |
| group: files ldap |
Temporarily stop nscd and check that an LDAP user is visible.
Shell
| invoke-rc.d nscd stop |
| id lmazet |
Install the PAM module (already installed alongside libnss-ldap above).
Shell
| aptitude install libpam-ldap |
Debconf answers:
- Allow LDAP admin account to behave like local root? Yes
- Does the LDAP database require login? No
- LDAP administrative account: cn=admin,dc=softndesign,dc=org
- LDAP administrative password: PASSWORD
- Local encryption algorithm to use for passwords: md5
Configure the LDAP PAM module in /etc/pam_ldap.conf. Note that a plain ldap:// URI sends the simple-bind password in clear text over the network, so keep this on a trusted network or add ssl start_tls (with tls_cacertfile) once the server offers TLS. pam_password md5 makes the client hash new passwords with MD5 crypt before storing them; pam_password exop would let the server hash them with its own configured scheme instead.
Code
| base dc=softndesign,dc=org |
| uri ldap://ldap.softndesign.org/ |
| ldap_version 3 |
| rootbinddn cn=admin,dc=softndesign,dc=org |
| pam_password md5 |
Configure the PAM session in /etc/pam.d/common-session (umask=0022 below creates world-readable home directories; use umask=0077 if they should be private).
Code
| session required pam_unix.so |
| # create home dir on first login |
| session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 |
Create the home root directory.
Shell
Add default dotfiles (.bashrc, .emacs, .forward, .procmail, .profile, .screenrc, .vimrc, .zshrc) and directories (.gnupg, .ssh, .xemacs, bin, Maildir, tmp) to /etc/skel.
Apache side
Activate the Apache LDAP modules:
Shell
| cd /etc/apache2/mods-enabled |
| ln -s ../mods-available/ldap.conf . |
| ln -s ../mods-available/ldap.load . |
| ln -s ../mods-available/authnz_ldap.load . |
Enable LDAP authentication per location:
Code
| <Location /hg/> |
| AuthType Basic |
| AuthName "Mercurial repositories" |
| AuthBasicProvider ldap |
| AuthzLDAPAuthoritative on |
| AuthLDAPURL "ldap://ldap.softndesign.org/ou=People,dc=softndesign,dc=org?uid?sub" |
| AuthLDAPGroupAttribute memberUid |
| AuthLDAPGroupAttributeIsDN off |
| AuthLDAPRemoteUserIsDN off |
| # require a valid user |
| Require ldap-filter &(uid=*) |
| </Location> |
| |
| <Location /hg/debug-lib/> |
| # require that user is in debug-lib group from Mercurial organisation unit |
| Require ldap-group cn=debug-lib,ou=Mercurial,dc=softndesign,dc=org |
| </Location> |
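The directory layout set up under "Setup your directory" (posixAccount entries under ou=People, posixGroup entries under ou=Groups and ou=Mercurial, root first with uid/gid 0, the memberUid attribute carrying login names) is what both the NSS client and the Apache ldap-group rule above depend on. The script below is an added example, not code from the original page: it parses a constructed LDIF dump of that layout (the kind ldapsearch -x -LLL prints; the users root, lmazet and guest, the uidNumbers and the cn=debug-lib group are assumed sample data), audits it for the mistakes that make NSS/PAM misbehave (duplicate uidNumber, a primary gid with no posixGroup, a memberUid naming no account, a shell the edited template no longer offers), and reconstructs what Require ldap-group does with AuthLDAPGroupAttribute memberUid and AuthLDAPGroupAttributeIsDN off. That reconstruction is an assumption about mod_authnz_ldap's semantics written from its documented behaviour, not the module's own code.

```python
"""Added example (not code from the page): offline audit of the People/Groups
layout described above, plus a reconstruction of the Apache `Require
ldap-group` check. Input is a constructed LDIF dump; no live server needed."""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=softndesign,dc=org
objectClass: posixAccount
uid: root
uidNumber: 0
gidNumber: 0
loginShell: /bin/bash

dn: uid=lmazet,ou=People,dc=softndesign,dc=org
objectClass: posixAccount
uid: lmazet
uidNumber: 1000
gidNumber: 1000
loginShell: /bin/zsh

dn: uid=guest,ou=People,dc=softndesign,dc=org
objectClass: posixAccount
uid: guest
uidNumber: 1000
gidNumber: 2000
loginShell: /bin/nologin

dn: cn=root,ou=Groups,dc=softndesign,dc=org
objectClass: posixGroup
cn: root
gidNumber: 0
memberUid: root

dn: cn=lmazet,ou=Groups,dc=softndesign,dc=org
objectClass: posixGroup
cn: lmazet
gidNumber: 1000
memberUid: lmazet

dn: cn=debug-lib,ou=Mercurial,dc=softndesign,dc=org
objectClass: posixGroup
cn: debug-lib
gidNumber: 5000
memberUid: lmazet
memberUid: nobody-such
"""
ALLOWED_SHELLS = {"/bin/bash", "/bin/zsh"}  # what the edited template offers


def parse_ldif(text):
    """LDIF dump -> list of {attribute: [values]}; folded lines joined, comments skipped."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry[attr.strip()].append(value.strip())
        entries.append(dict(entry))
    return entries


def audit_posix(entries):
    """Problems an NSS/PAM client trips over; returns a list of messages."""
    users = [e for e in entries if "posixAccount" in e.get("objectClass", [])]
    groups = [e for e in entries if "posixGroup" in e.get("objectClass", [])]
    uids = {u["uid"][0] for u in users}
    gids = {g["gidNumber"][0] for g in groups}
    by_uidnum, problems = defaultdict(list), []
    for u in users:
        name, gid, shell = u["uid"][0], u["gidNumber"][0], u["loginShell"][0]
        by_uidnum[u["uidNumber"][0]].append(name)
        if gid not in gids:
            problems.append(f"{name}: primary gid {gid} has no posixGroup")
        if shell not in ALLOWED_SHELLS:
            problems.append(f"{name}: loginShell {shell} not offered by template")
    for num, names in by_uidnum.items():
        if len(names) > 1:
            problems.append(f"uidNumber {num} shared by {', '.join(names)}")
    for g in groups:
        for member in g.get("memberUid", []):
            if member not in uids:
                problems.append(f"group {g['cn'][0]}: memberUid {member} is not a known uid")
    return problems


def apache_ldap_group_allows(entries, login, group_dn, attr_is_dn=False):
    """Assumed reconstruction of `Require ldap-group <dn>`: with IsDN off the login
    name is matched against memberUid; with IsDN on the user's DN would be matched
    and never equal a posixGroup memberUid. Unknown user or group denies."""
    user = next((e for e in entries if e.get("uid") == [login]), None)
    group = next((e for e in entries if e.get("dn", [""])[0].lower() == group_dn.lower()), None)
    if user is None or group is None:
        return False
    needle = user["dn"][0] if attr_is_dn else login
    return needle in group.get("memberUid", [])


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("\n".join("AUDIT: " + p for p in audit_posix(directory)))
    dn = "cn=debug-lib,ou=Mercurial,dc=softndesign,dc=org"
    print({who: apache_ldap_group_allows(directory, who, dn) for who in ("lmazet", "root")})
```

Against the sample the audit flags guest twice (dangling primary gid, /bin/nologin) plus the shared uidNumber 1000 and the stray memberUid in cn=debug-lib, while lmazet is admitted to /hg/debug-lib/ and root is not; flipping attr_is_dn to True shows why AuthLDAPGroupAttributeIsDN must stay off with posixGroup membership. To run it against the real directory, replace SAMPLE_LDIF with the output of ldapsearch -x -LLL -b dc=softndesign,dc=org.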
ProFTPd server side
Enable PAM/LDAP authentication in /etc/proftpd/proftpd.conf
Code
| # Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords: |
| PersistentPasswd off |
| |
| # This is required to use both PAM-based authentication and local passwords |
| AuthOrder mod_auth_pam.c* mod_auth_unix.c |
Thanks to Davor Ocelic.