LDAP
OpenLDAP
Overview
OpenLDAP is installed on Hosts/boron and has a CNAME alias of ldap.shop.lan. It has the standard four schema files installed.
Administration
Administration of OpenLDAP itself can be done via the command line on boron or via webmin, found here.
Please read this guide to learn how to add and remove users.
Enabling Ubuntu/Debian
To integrate with our LDAP authentication:
- See here-for-debian and here-for-ubuntu
Note: the following edits to pam.d are a deprecated procedure and should not be followed unless working with older (< 9.10) OSes.
- Modify '/etc/pam.d/passwd' with the following; this will allow 'passwd' to continue to work:
@include common-password
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_pwdb.so shadow nullok
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so retry=3 type=aerospace
password sufficient /lib/security/pam_ldap.so use_authtok use_first_pass
password required /lib/security/pam_pwdb.so use_authtok use_first_pass md5 shadow
- Modify '/etc/pam.d/common-password' with the following:
password sufficient pam_unix.so nullok obscure md5
- Then edit /etc/nsswitch.conf to make the passwd/group/shadow lines say "files ldap".
- To refresh the nsswitch cache, use the command:
nss_updatedb ldap
Access
sudo
Sudo access is granted by assigning a user to the LDAP group ldap-admin. This group is then granted access on all the servers by inserting
%ldap-admin ALL=(ALL) ALL
into /etc/sudoers.
VPN
OpenVPN access is granted by assigning a user to the group vpnusers.
Please read this OpenVPN guide to learn how to do so.
Maintenance
Backing up data
Back up the configuration to the file config.ldif:
slapcat -bcn=config -l config.ldif
Back up the database to the file data.ldif:
slapcat -bdc=shop,dc=lan -l data.ldif
Restoring data
Configuration
With slapd stopped and the configuration backup in the file config.ldif:
sudo rm -rf /etc/ldap/slapd.d
sudo mkdir /etc/ldap/slapd.d
sudo chown openldap.openldap /etc/ldap/slapd.d
sudo -u openldap slapadd -F /etc/ldap/slapd.d -bcn=config -l config.ldif
Data
With slapd stopped and the data backup in the file data.ldif:
# Remove existing data
sudo rm -rf /var/lib/ldap
# Restore data
sudo mkdir /var/lib/ldap
sudo chown openldap.openldap /var/lib/ldap
sudo chmod 750 /var/lib/ldap
sudo -u openldap slapadd -F /etc/ldap/slapd.d -bdc=shop,dc=lan -l data.ldif
Modifying configuration
As an example, to change the root password for the first database, create the file pass.ldif describing the change we want:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}LXgddQqVZ52ctplFlfRdWmNKj/RWYZr8
Then load the modification into LDAP:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f pass.ldif
Refer to the OpenLDAP 2.4 Administrator's guide for more information.
Rebuild LDAP Server
First, slapcat the existing database so you have a backup:
slapcat -bdc=shop,dc=lan -l data.ldif
Then ensure the packages are up to date:
sudo apt-get install slapd ldap-utils
After that, we must load the schema files into the database:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
Then create a file called create_database.ldif and paste this into it:
# Load hdb backend module
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb

# Create the hdb database and place the files under /var/lib/ldap
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=shop,dc=lan
olcRootDN: uid=diradmin,ou=People,dc=shop,dc=lan
olcRootPW: example
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
Now push that into the database:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f create_database.ldif
Next, create a file called init_database.ldif:
dn: dc=shop,dc=lan
objectClass: dcObject
objectClass: organization
o: dc=shop,dc=lan
description: LDAP root

dn: ou=People,dc=shop,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=shop,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: Groups
and add it:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f init_database.ldif
Now modify the ACLs so that only diradmin can modify the database, by pasting this into the file acls.ldif:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="uid=admin,ou=People,dc=shop,dc=lan" write by anonymous auth by self write by * none
olcAccess: {1}to dn.subtree="" by * read
olcAccess: {2}to * by dn="cn=diradmin,ou=People,dc=shop,dc=lan" write by * read
and modify the database:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acls.ldif
Now stop the LDAP server with /etc/init.d/slapd stop and grab the data.ldif file we created earlier. Edit the ldif to take out the entries that were added by init_database.ldif. Yes, take out the whole blocks; it should be around 15-20 lines.
Next use
sudo -u openldap slapadd -F /etc/ldap/slapd.d -bdc=shop,dc=lan -l data.ldif
to write that file to the LDAP server. You should see a little progress bar tick away.
Note: if you hit an error about "Cannot modify cn=diradmin", don't panic: take that block out and paste it into a separate file, then run the command again.
Use slappasswd to generate a new root password.
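The hand-editing above (dropping the entries that init_database.ldif already created, and setting the cn=diradmin block aside when slapadd complains) can be scripted. This is an added Python example, not code from the page or from OpenLDAP: it splits a slapcat dump into entries, unfolds RFC 2849 continuation lines, and returns one LDIF for the main slapadd pass and one for the diradmin entry. The DN list and the cn=diradmin RDN come from this page; the dump is a constructed stand-in.

```python
from typing import List, Tuple

# DNs that init_database.ldif already created; slapadd refuses duplicates.
INIT_DNS = {"dc=shop,dc=lan", "ou=people,dc=shop,dc=lan", "ou=groups,dc=shop,dc=lan"}

# Constructed stand-in for a slapcat dump; real dumps carry many more attributes.
SAMPLE_LDIF = """dn: dc=shop,dc=lan
objectClass: dcObject
o: dc=shop,dc=lan

dn: cn=diradmin,ou=People,dc=shop,dc=lan
objectClass: person
description: directory admin, folded onto
  a second line

dn: uid=alice,ou=People,dc=shop,dc=lan
objectClass: account
uid: alice
"""

def split_ldif(text: str) -> List[str]:
    """Split LDIF into entries; a leading space continues the previous line (RFC 2849)."""
    entries, current = [], []
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.startswith(" ") and current:
            current[-1] += line[1:]
        elif line.strip():
            current.append(line)
        elif current:
            entries.append("\n".join(current))
            current = []
    return entries

def entry_dn(entry: str) -> str:
    """Lower-cased DN of an entry; base64 'dn::' records are not decoded here."""
    first = entry.split("\n", 1)[0]
    return first[3:].strip().lower() if first.startswith("dn:") else ""

def prepare_restore(text: str, aside_rdn: str = "cn=diradmin") -> Tuple[str, str]:
    """Return (main_ldif, aside_ldif): init entries dropped, the admin entry set aside."""
    keep, aside = [], []
    for entry in split_ldif(text):
        dn = entry_dn(entry)
        if dn in INIT_DNS:
            continue
        (aside if dn.startswith(aside_rdn) else keep).append(entry)
    join = lambda parts: "\n\n".join(parts) + ("\n" if parts else "")
    return join(keep), join(aside)
```

Write the first string to data.ldif for the slapadd run above and the second to a separate file to load afterwards.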