NOTE: For an up-to-date howto for 10.04 Lucid Lynx see this article
So, here we go!
PLATFORM:
* Ubuntu Server 8.04 LTS (Hardy)
PREREQUISITES:
* Working DNS with fqdn.
* An NFS server exporting the users' home directories
Network overview:
* domain name: example.com
* ldap-server ldap.example.com
Install The Packages
apt-get install slapd ldap-utils migrationtools
For some reason the install process doesn't ask you all of the necessary questions, so when it is done we must reconfigure slapd:
dpkg-reconfigure slapd
It will ask you a bunch of questions:
Omit OpenLDAP server configuration? No
DNS domain name: example.com
Name of your organization: Example Corp
Admin Password: password
Confirm Password: password
Database Type: HDB
Do you want your database to be removed when slapd is purged? ... No
Move old database? ... Yes
Allow LDAPv2 Protocol? ... No
Note: During this process, I will use "password" for simplicity's sake. This is fine for setting up a test network for educational purposes, but if you intend to use this in production then you should obviously choose a more appropriate password.
Oh, also, make sure you DON'T FORGET IT! You will need it later.
You can now check if you can access your ldap server by typing:
ldapsearch -x -b dc=example,dc=com
Installing phpldapadmin
apt-get install phpldapadmin
ln -s /usr/share/phpldapadmin/ /var/www/phpldapadmin
Increase the PHP memory limit:
vi /etc/php5/apache2/php.ini
Find this line and change the memory limit to 64M:
memory_limit = 64M ; Maximum amount of memory a script may consume (16MB)
Restart Apache:
/etc/init.d/apache2 restart
You can then browse to
http://ldap.example.com/phpldapadmin
and log in using admin:password
Once you have logged in, expand the tree and you should see something like this:
+--> dc=example,dc=com (1)
---> cn=admin
---> Create new entry here
Let's add some users and groups:
cd /usr/share/migrationtools/
We need to create the default migrationtools config file "migrate_common.ph":
vi migrate_common.ph
and add the following parameters:
$DEFAULT_MAIL_DOMAIN = "example.com";
$DEFAULT_BASE = "dc=example,dc=com";
Create an LDIF file with the details for our ou entries:
vi ~/usergroup.ldif
dn: ou=users, dc=example, dc=com
ou: users
objectclass: organizationalUnit

dn: ou=groups, dc=example, dc=com
ou: groups
objectclass: organizationalUnit
Note: If you cut and paste from this guide, ensure that there are no whitespace characters at the end of the file, and that the two entries are separated by a blank line.
Now that the user and group info is saved in your file, we can add it to the LDAP server:
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f ~/usergroup.ldif
Possible errors:
ldap_add: Invalid syntax (21)
additional info: objectclass: value #0 invalid per syntax
Probable cause:
If you copied and pasted the above, check for whitespace at the end of usergroup.ldif. You will also need to remove the first entry (the ou=users stanza) if it was already added on an earlier run; otherwise you will get "already exists" and ldapadd will halt before reaching the second entry.
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
Probable cause:
You have used incorrect domain details. Make sure the URI setting in /etc/ldap.conf is correct and that the server is pingable.
Now, if you hit "refresh" in the phpldapadmin gui, you should see your Users and Groups ou's are there.
Of course you could have added those ou's using the clickety-clickety gui as well but I just wanted to show how stuff can be added via command line. Yes, yes, I know, I'm a cruel bastard.
So now we want to add a new test user to the ldap tree using the phpldapadmin gui, but first we need to create a group called "users" in the Groups ou.
Click on the Groups ou and click "Create a child entry". Select "Posix Group".
Call the group "users" with Group ID 100. Click "Save Changes" when done.
Next, create a user in the Users ou with the following details:
User: fred
Group: users
Password: password
Encryption: crypt
Note: When I do this, the drop-down box does not list /bin/bash as an option for loginShell. If you click "Save" you get a second screen where it is possible to alter the loginShell parameter to use /bin/bash. This is less of an issue if your users just use GDM. I use crypt instead of md5. You can use md5 if you prefer, but remember to change the encryption type to match when setting up client hosts.
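As an added example (not part of the original post), the Python script below builds the OU, group and user entries this guide creates, writes them out as LDIF, and checks an LDIF file for the two copy/paste mistakes discussed above (trailing whitespace and a missing blank line between entries) before it is handed to ldapadd. The uidNumber 1000 and the {CRYPT} password-hash placeholder are assumptions; the post sets the user up through the GUI.

```python
import re
from typing import Dict, List

BASE = "dc=example,dc=com"
Entry = Dict[str, List[str]]

def build_entries() -> List[Entry]:
    """The entries this guide creates. uidNumber 1000 and the {CRYPT} hash
    placeholder are assumptions; the post sets the user up through the GUI."""
    return [
        {"dn": [f"ou=users,{BASE}"], "objectClass": ["organizationalUnit"], "ou": ["users"]},
        {"dn": [f"ou=groups,{BASE}"], "objectClass": ["organizationalUnit"], "ou": ["groups"]},
        {"dn": [f"cn=users,ou=groups,{BASE}"], "objectClass": ["posixGroup"],
         "cn": ["users"], "gidNumber": ["100"]},
        {"dn": [f"uid=fred,ou=users,{BASE}"],
         "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
         "uid": ["fred"], "cn": ["fred"], "sn": ["fred"], "uidNumber": ["1000"],
         "gidNumber": ["100"], "homeDirectory": ["/home/fred"],
         "loginShell": ["/bin/bash"], "userPassword": ["{CRYPT}REPLACE_WITH_CRYPT_HASH"]},
    ]

def to_ldif(entries: List[Entry]) -> str:
    """One 'attr: value' per line, entries separated by a blank line as ldapadd expects."""
    blocks = []
    for e in entries:
        lines = [f"dn: {e['dn'][0]}"]
        lines += [f"{k}: {v}" for k, vs in e.items() if k != "dn" for v in vs]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

def check_ldif(text: str) -> List[str]:
    """Flag the two copy/paste mistakes the guide warns about: trailing whitespace
    (it becomes part of the value, hence 'Invalid syntax (21)') and a missing blank
    line between entries (ldapadd then sees one entry with two dn lines)."""
    problems = []
    dn_lines = 0
    for n, line in enumerate(text.split("\n"), 1):
        if line != line.rstrip():
            problems.append(f"line {n}: trailing whitespace")
        dn_lines += line.startswith("dn:")
    entries = [b for b in re.split(r"\n\s*\n", text.strip()) if b]
    if dn_lines != len(entries):
        problems.append(f"{dn_lines} dn lines but {len(entries)} entries: missing blank line")
    for i, block in enumerate(entries, 1):
        if "objectclass:" not in block.lower():
            problems.append(f"entry {i}: no objectClass attribute")
    return problems
```

Run check_ldif on the file before ldapadd; an empty list means the two pitfalls above are absent, and any message points at the offending line or entry.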
Well, assuming everything is working up to this point, the server is ready to authenticate your users.
Let's go on and set up a client on Hardy or Lucid
1 comment:
Thank you Brett, I had a hard time installing LDAP. This would help me.
Please visit: http://starksolutions.blogspot.com/