LDAP (Lightweight Directory Access Protocol) allows central user, group, domain….. authentication, information storage …
Using LDAP in a local network, you can allow your users to login and authenticate from anywhere on your network.
This tutorial will be split in 2 parts. In the first part, I will explain how-to install, configure the LDAP server, add a few users and group, in the second part, we will set up Linux client to authenticate through LDAP if the user does not exist on the local filesystem.
In this tutorial, I will suppose that our LDAP server is located at 192.168.1.4. All machines in the network can resolve the host name ldap to 192.168.1.4. The LDAP server is going to manage domain debuntu.local.
The server runs Debian 4 (testing but almost stable) and the client Ubuntu Feisty 7.04.
1. LDAP Server
In order to get our LDAP server setted up, we need a couple of packages to be installed:
apt-get install slapd ldap-utils migrationtools
Answer the questions and then reconfigure slapd in order to have dpkg ask us a few more questions.
Omit OpenLDAP server configuration? ... No DNS domain name: ... debuntu.local Name of your organization: ... Whatever & Co Admin Password: XXXXX Confirm Password: XXXXX OK BDB Do you want your database to be removed when slapd is purged? ... No Move old database? ... Yes Allow LDAPv2 Protocol? ... No
Right, from now on, we have got our domain set up, as well as our administrator user: “admin”.
You can now check if you can access your ldap server by typing:
ldapsearch -x -b dc=debuntu,dc=local
If you get an error message like:
ldap_bind: Can't contact LDAP server (-1)
Most chances are that your server is not running. use:
to start it.
Ok, now, it is about time to add our users and groups to the LDAP database.
1.2. Populating the database
Using migrationtools we are going to be able to quickly import all existing users and groups from our local system to LDAP.
We need to edit the default migrationtools’ config file migrate_common.ph and replace the following parameters with:
$DEFAULT_MAIL_DOMAIN = "debuntu.local"; $DEFAULT_BASE = "dc=debuntu,dc=local";
Then export the values:
./migrate_group.pl /etc/group ~/group.ldif ./migrate_passwd.pl /etc/passwd ~/passwd.ldif
Unfortunately, the script does not create the Group and People nodes, so we need to create it. To do this, create a file called ~/people_group.ldif and fill it up with:
dn: ou=People, dc=debuntu, dc=local ou: People objectclass: organizationalUnit dn: ou=Group, dc=debuntu, dc=local ou: Group objectclass: organizationalUnit
Now, we have our users and groups converted to LDAP’s ldif format. Let import them into our LDAP database.
cd ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/people_group.ldif ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/group.ldif ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/passwd.ldif
- -x specify that we are not using sasl
- -W prompt for password
- -D is used to identify the administrator
- -f to specify the file where ldapadd should find the data to add
Well, now the server is ready to identify your users. Let’s go on and set up the clients.