
OUTDATED

This howto configures slapd through /etc/ldap/slapd.conf. Current OpenLDAP releases no longer read that file; the configuration lives in the cn=config database under /etc/ldap/slapd.d. For the current way of doing it, read
http://www.zytrax.com/books/ldap/ch6/slapd-config.html

How to configure a single point of authentication using OpenLDAP

The goal of this howto is to walk through the configuration of OpenLDAP so that different computers in a network share the same logins: the accounts live in one directory, and every machine authenticates against it.

preliminaries

make sure that a FQDN for the server is defined in /etc/hosts, with the FQDN listed before any short alias

/etc/hosts

hostname -f should now return ldap.bluelight.av

see that the firewall is not in the way. The following is a short reminder of how to flush the firewall, if needed and possible. Only do this in a trusted network: flushing drops every rule, not just the ones blocking LDAP, so on a machine you do not fully trust the network around, open TCP 389 (and 636 for LDAPS) for the LAN instead.
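As an added example (not part of the original howto), a small shell check for both preliminaries: it parses an /etc/hosts-style file and confirms that the server's IP maps to the expected FQDN as the first name on the line, and it emits iptables rules that admit LDAP only from the LAN, as a scoped alternative to flushing the firewall. The sample hosts files are constructed here; 192.168.10.1 and ldap.bluelight.av come from the howto, the LAN 192.168.10.0/24 is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original howto.
# Checks the two preliminaries: the server's FQDN is defined in /etc/hosts,
# and the firewall admits LDAP from the LAN without being flushed entirely.
# 192.168.10.1 and ldap.bluelight.av come from the howto; the LAN
# 192.168.10.0/24 is an assumption.

# Print the first name (the FQDN) that HOSTS_FILE maps IP to; comment
# lines never match because their first field starts with '#'.
# Usage: hosts_fqdn_for_ip HOSTS_FILE IP
hosts_fqdn_for_ip() {
    awk -v ip="$2" '$1 == ip { print $2; exit }' "$1"
}

# Succeed only if HOSTS_FILE maps IP to FQDN as the *first* name on the
# line: hostname -f reports the canonical (first) name, so with the short
# alias listed first it would return "ldap" instead of the FQDN.
# Usage: hosts_check HOSTS_FILE IP FQDN
hosts_check() {
    [ "$(hosts_fqdn_for_ip "$1" "$2")" = "$3" ]
}

# Emit iptables rules that admit LDAP (389) and LDAPS (636) only from
# LAN_CIDR, as a scoped alternative to flushing every rule. Pipe into sh
# to apply them.
# Usage: ldap_firewall_rules LAN_CIDR
ldap_firewall_rules() {
    for port in 389 636; do
        printf 'iptables -I INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$1" "$port"
    done
}

# Constructed sample hosts files: one correct, one with the alias first.
GOOD_HOSTS=$(mktemp)
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1       localhost
192.168.10.1    ldap.bluelight.av ldap
EOF
BAD_HOSTS=$(mktemp)
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1       localhost
192.168.10.1    ldap ldap.bluelight.av
EOF

if hosts_check "$GOOD_HOSTS" 192.168.10.1 ldap.bluelight.av; then
    echo "hosts entry ok: hostname -f will return ldap.bluelight.av"
fi
if ! hosts_check "$BAD_HOSTS" 192.168.10.1 ldap.bluelight.av; then
    echo "alias listed first: hostname -f would return $(hosts_fqdn_for_ip "$BAD_HOSTS" 192.168.10.1)"
fi
ldap_firewall_rules 192.168.10.0/24
```

Run hosts_check against the real /etc/hosts once it is edited; if it fails, hostname -f will not return the FQDN either.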

Installing openldap

Install the OpenLDAP server (slapd). The package configuration asks for the following values; these are the ones used throughout this howto, so replace "secret" with a real password and the addresses with your own:

provide the ldap password: secret
provide the uri for the ldap server: ldap://192.168.10.1
provide the distinguished name: dc=bluelight,dc=av
LDAP version 3
Make local root database: yes
Does the LDAP database require login? no (anonymous binds can then read the directory, so the password attributes must be protected by an ACL in slapd.conf)
LDAP account for root: cn=admin,dc=bluelight,dc=av
LDAP root account password: secret

Check and finetune the configuration

generate a hashed password

the generated hash, not the cleartext password, has to be added as rootpw;
in /etc/ldap/slapd.conf change the following values

/etc/ldap/slapd.conf
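As an added example (not the howto's own slapd.conf), the settings in slapd.conf that matter for security, shown as a weak and a hardened fragment, beside a small audit function that catches the two usual mistakes: a cleartext rootpw and no ACL on userPassword. Both fragments are constructed; dc=bluelight,dc=av and cn=admin come from the howto, the {SSHA} value is a placeholder to be replaced with the output of slappasswd.

```shell
#!/bin/sh
# Added example, not part of the original howto. Shows the slapd.conf
# settings that matter for security beside an audit function that catches
# the two common mistakes: a cleartext rootpw and no ACL on userPassword.
# dc=bluelight,dc=av and cn=admin come from the howto; the {SSHA} value is
# a placeholder, generate the real one with: slappasswd -h '{SSHA}'

# Fail (with a message) unless slapd.conf stores rootpw as a hash and
# protects userPassword with an explicit ACL.
# Usage: slapd_conf_audit FILE
slapd_conf_audit() {
    rc=0
    if ! grep -Eq '^[[:space:]]*rootpw[[:space:]]+\{(SSHA|SHA|SMD5|MD5|CRYPT)\}' "$1"; then
        echo "rootpw is not a hash: anyone who can read slapd.conf owns the directory"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*access to attrs=userPassword' "$1"; then
        echo "no ACL for userPassword: the hashes are readable by anyone who can bind, anonymously included"
        rc=1
    fi
    return $rc
}

# Constructed weak configuration: cleartext rootpw, no password ACL.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
suffix          "dc=bluelight,dc=av"
rootdn          "cn=admin,dc=bluelight,dc=av"
rootpw          secret
access to *
        by * read
EOF

# Constructed hardened configuration (the hash is a placeholder).
# "by anonymous auth" is what lets pam_ldap authenticate users by binding
# as them without being able to read the hash.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
suffix          "dc=bluelight,dc=av"
rootdn          "cn=admin,dc=bluelight,dc=av"
rootpw          {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=bluelight,dc=av" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=admin,dc=bluelight,dc=av" write
        by * read
EOF

slapd_conf_audit "$WEAK"     || echo "weak config rejected"
slapd_conf_audit "$HARDENED" && echo "hardened config accepted"
```

Run slapd_conf_audit /etc/ldap/slapd.conf after editing; ACL order matters in slapd, so the userPassword rule has to come before the catch-all "access to *".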

Enter initial directory structure

save the following in /root/ldap/base.ldif and edit it according to your needs

/root/ldap/base.ldif

and add the LDIF to the directory server

if there are errors along the lines of
str2entry: invalid value for attributeType objectClass #0
the cause is usually leading or trailing whitespace in the LDIF: trailing whitespace becomes part of the value ("top " is not a valid objectClass), and a leading space turns the line into a continuation of the previous one

Looking at /var/log/syslog also helps if things don't work as expected.
The /etc/init.d/slapd start command gives no feedback if it fails, so check whether slapd is actually running with

The setup can be tested with a simple search such as

which should return the objects we just entered. The search needs no credentials because the database was set not to require a login; that is fine for the directory structure, but it is why the userPassword ACL in slapd.conf is required.
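As an added example (not the howto's own base.ldif or commands), one script covering this step and the troubleshooting notes: it writes a minimal base LDIF, lints it for the whitespace problems behind the str2entry error, counts the entries to compare with what ldapadd reports, and wraps the "is slapd running" and smoke-search checks. dc=bluelight,dc=av and 192.168.10.1 come from the howto; the ou=Users and ou=Groups names are an assumption (they are the ldapscripts defaults), and the dc=bluelight,dc=av and cn=admin entries are not in the file because the slapd package already creates them when "Make local root database" is answered yes.

```shell
#!/bin/sh
# Added example, not part of the original howto. Covers the base.ldif step
# and the troubleshooting notes that follow it. dc=bluelight,dc=av and
# 192.168.10.1 come from the howto; ou=Users/ou=Groups are an assumption
# (ldapscripts defaults). The suffix entry and cn=admin already exist,
# the slapd package created them during installation.

# Write the constructed base LDIF to FILE.
write_base_ldif() {
    cat > "$1" <<'EOF'
dn: ou=Users,dc=bluelight,dc=av
objectClass: top
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=bluelight,dc=av
objectClass: top
objectClass: organizationalUnit
ou: Groups
EOF
}

# Fail, listing offending lines, if FILE has trailing whitespace or CR
# (both become part of the value, so "top " is rejected as an objectClass)
# or lines starting with whitespace (LDIF treats those as continuations of
# the previous line, so the attribute silently gets glued onto the one
# before it).
# Usage: ldif_lint FILE
ldif_lint() {
    rc=0
    if grep -q '[[:space:]]$' "$1"; then
        echo "trailing whitespace or CR on:"; grep -n '[[:space:]]$' "$1"; rc=1
    fi
    if grep -q '^[[:space:]]' "$1"; then
        echo "line begins with whitespace (LDIF continuation) on:"; grep -n '^[[:space:]]' "$1"; rc=1
    fi
    return $rc
}

# Number of entries (dn: lines) in FILE, to compare with what ldapadd reports.
ldif_entry_count() {
    grep -c '^dn:' "$1"
}

# Is slapd running? /etc/init.d/slapd start prints nothing on failure.
slapd_running() {
    pgrep -x slapd >/dev/null
}

# Smoke test: an anonymous simple-bind search (-x) of the suffix should
# return the entries just added.
ldap_smoke_test() {
    ldapsearch -x -H ldap://192.168.10.1 -b dc=bluelight,dc=av '(objectClass=organizationalUnit)' dn
}

# Demonstration on constructed files: a clean copy and one with a trailing
# space after "top", which is exactly what produces
# "str2entry: invalid value for attributeType objectClass #0".
GOOD=$(mktemp); write_base_ldif "$GOOD"
BAD=$(mktemp);  sed 's/^objectClass: top$/objectClass: top /' "$GOOD" > "$BAD"
ldif_lint "$GOOD" && echo "base.ldif clean, $(ldif_entry_count "$GOOD") entries"
ldif_lint "$BAD" || echo "fix the lines above before running ldapadd"
```

On the server the sequence is: ldif_lint /root/ldap/base.ldif, add the file with ldapadd, then slapd_running and ldap_smoke_test.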

Configure the computer to use the LDAP directory server

Install some packages:

This is done with a simple migration tool called auth-client-config.
It is configured via profiles, which are stored in /etc/auth-client-config/profile.d

We can list the existing profiles, save the current, untouched configuration, and set our profile to the one we want with

This updates the files in /etc/pam.d/ and /etc/nsswitch.conf. Keep the saved profile: it is the way back if LDAP has to be removed again.

Add some users to our directory

User administration can be done using the ldapscripts.
Before using them, do the basic configuration in /etc/ldapscripts/ldapscripts.conf

/etc/ldapscripts/ldapscripts.conf

And put the admin password into /etc/ldapscripts/ldapscripts.passwd. The file holds the directory admin password in the clear, so it must be readable by root only.

/etc/ldapscripts/ldapscripts.passwd

Then there is still a small bugfix to apply, otherwise we run into errors such as:
ldapadduser testuser users
egrep: /etc/pam_ldap.conf: No such file or directory

change the following in /usr/share/ldapscripts/runtime.debian

/usr/share/ldapscripts/runtime.debian

Now adding users and groups is done with the ldapscripts
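As an added example (not the howto's own files), one script for the three ldapscripts steps: the settings in ldapscripts.conf, the password file written without a trailing newline and closed to everyone but root, and the runtime.debian fix for the "egrep: /etc/pam_ldap.conf: No such file or directory" error. The server address and cn=admin,dc=bluelight,dc=av come from the howto; ou=Users and ou=Groups are the ldapscripts defaults, and the fix assumes the script should read /etc/ldap.conf, where libpam-ldap on Ubuntu 8.04 keeps its settings, instead of the missing /etc/pam_ldap.conf.

```shell
#!/bin/sh
# Added example, not part of the original howto. Covers the three
# ldapscripts steps: ldapscripts.conf, the root-only password file, and
# the runtime.debian fix. Values from the howto: 192.168.10.1,
# cn=admin,dc=bluelight,dc=av. Assumptions: ou=Users/ou=Groups (ldapscripts
# defaults) and that runtime.debian should read /etc/ldap.conf.

# Write the constructed ldapscripts.conf fragment to FILE.
# SERVER takes a host name (newer ldapscripts also accept a URI).
write_ldapscripts_conf() {
    cat > "$1" <<'EOF'
SERVER="192.168.10.1"
BINDDN="cn=admin,dc=bluelight,dc=av"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX="dc=bluelight,dc=av"
GSUFFIX="ou=Groups"
USUFFIX="ou=Users"
GIDSTART="10000"
UIDSTART="10000"
EOF
}

# Store the bind password without a trailing newline (a newline would be
# taken as part of the password) and close the file to group and others.
# Usage: write_bind_password FILE PASSWORD
write_bind_password() {
    ( umask 077; printf '%s' "$2" > "$1" )
    chmod 600 "$1"
}

# Succeed only if FILE has no group or other permission bits, i.e. the
# group/other part of the ls -l mode field is "------".
secret_file_closed() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Point runtime.debian at /etc/ldap.conf. Writes a new copy first so a
# failed sed cannot truncate the original.
# Usage: fix_runtime_debian FILE
fix_runtime_debian() {
    sed 's#/etc/pam_ldap\.conf#/etc/ldap.conf#g' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Demonstration on constructed files.
CONF=$(mktemp);   write_ldapscripts_conf "$CONF"
PWFILE=$(mktemp); write_bind_password "$PWFILE" secret
secret_file_closed "$PWFILE" && echo "bind password file is root-only"
RUNTIME=$(mktemp)
printf 'egrep "^uri" /etc/pam_ldap.conf\n' > "$RUNTIME"
fix_runtime_debian "$RUNTIME"
grep -q '/etc/ldap.conf' "$RUNTIME" && echo "runtime.debian now reads /etc/ldap.conf"
```

On the server, point these at the real paths: write_bind_password /etc/ldapscripts/ldapscripts.passwd '<password>', secret_file_closed on the same file, and fix_runtime_debian /usr/share/ldapscripts/runtime.debian.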

Install and configure NFS

install the main package

and configure the shares by adding the following to /etc/exports. Restrict the export to the LAN and keep root_squash: with the default AUTH_SYS security NFS trusts whatever UID the client presents, so the list of hosts allowed to mount is the only real access control.

/etc/exports

Changes on the client

LDAP

the following works for clients running Ubuntu 8.04 and 8.10
install some software

provide the uri for the ldap server: ldap://192.168.10.1
provide the distinguished name: dc=bluelight,dc=av
LDAP version 3
Make local root database: yes
Does the LDAP database require login? no
LDAP account for root: cn=admin,dc=bluelight,dc=av

save the following as a file in /etc/auth-client-config/profile.d/bl-ldap

/etc/auth-client-config/profile.d/bl-ldap

save the current settings and tell PAM to use LDAP

add the following to /etc/security/group.conf. pam_group grants extra group memberships to every session that matches a rule here, so keep the rule as narrow as the users actually need.

add the following line to /etc/pam.d/gdm right before @include common-auth

make sure that the LDAP settings in /etc/ldap.conf are correct

as a little reminder, the following grep command strips comments and empty lines so only the active settings are shown
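As an added example (not the howto's own profile or commands), one script for the client side: it writes an auth-client-config profile under the name bl-ldap used above, checks that the resulting nsswitch.conf lists files before ldap, and provides the "active settings only" view of /etc/ldap.conf. The profile body and the sample nsswitch.conf and ldap.conf are constructed; the directives are standard pam_unix/pam_ldap ones, and the files-before-ldap order and the omission of nullok are my choices, not the page's.

```shell
#!/bin/sh
# Added example, not part of the original howto. Covers the client
# configuration: an auth-client-config profile (bl-ldap, the name from the
# howto), a check of the nsswitch.conf lookup order, and the helper that
# shows only the active lines of /etc/ldap.conf. All sample files are
# constructed; 192.168.10.1 and dc=bluelight,dc=av come from the howto.

# Write the constructed profile to FILE. Local files come first in every
# NSS map so root and other local accounts keep working when the LDAP
# server is unreachable and no directory entry can shadow a local one;
# pam_deny.so closes each stack so a missing module never means "allow".
write_bl_ldap_profile() {
    cat > "$1" <<'EOF'
[bl-ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth
        auth sufficient pam_ldap.so use_first_pass
        auth required pam_deny.so
pam_account=account sufficient pam_unix.so
        account sufficient pam_ldap.so
        account required pam_deny.so
pam_password=password sufficient pam_unix.so obscure shadow
        password sufficient pam_ldap.so try_first_pass
        password required pam_deny.so
pam_session=session required pam_limits.so
        session required pam_unix.so
        session optional pam_ldap.so
EOF
}

# Print the active (non-comment, non-blank) lines of a config file such as
# /etc/ldap.conf, which ships with hundreds of commented-out options.
active_settings() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Succeed only if, in NSSWITCH_FILE, the passwd, group and shadow maps list
# "files" before "ldap" (or do not use ldap at all).
# Usage: nsswitch_files_first NSSWITCH_FILE
nsswitch_files_first() {
    awk '
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            files = 0; ldap = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files") files = i
                if ($i == "ldap")  ldap = i
            }
            if (ldap && (!files || ldap < files)) { bad = 1; print "ldap before files in " $1 }
        }
        END { exit bad }' "$1"
}

# Demonstration on constructed files.
PROFILE=$(mktemp); write_bl_ldap_profile "$PROFILE"
GOOD_NSS=$(mktemp)
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n' > "$GOOD_NSS"
BAD_NSS=$(mktemp)
printf 'passwd: ldap files\ngroup: files ldap\nshadow: ldap\n' > "$BAD_NSS"
nsswitch_files_first "$GOOD_NSS" && echo "nsswitch order ok"
nsswitch_files_first "$BAD_NSS"  || echo "fix nsswitch.conf before relying on local accounts"
LDAPCONF=$(mktemp)
printf '# comment\n\nhost 192.168.10.1\nbase dc=bluelight,dc=av\n#uri ldap://ldap.example.com\nldap_version 3\n' > "$LDAPCONF"
active_settings "$LDAPCONF"
```

After applying the profile, run nsswitch_files_first /etc/nsswitch.conf and active_settings /etc/ldap.conf on the client and compare the output with the server values given above.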

make the client ready for NFS

install the needed packages

make fstab ready for mounting the home directory

/etc/fstab
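As an added example (not the howto's own exports or fstab), one script covering both NFS steps: it audits /etc/exports for the two settings that matter with AUTH_SYS, exporting to every host and disabling root_squash, and prints the client's fstab line for the home directories with nosuid and nodev set. The exports lines are constructed; 192.168.10.1 and /home come from the howto, the LAN 192.168.10.0/24 is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original howto. Covers the server's
# /etc/exports and the client's fstab line. With AUTH_SYS the server
# believes whatever UID the client sends, so the only real controls are
# which hosts may mount and that client root does not become server root.
# 192.168.10.1 and /home come from the howto; 192.168.10.0/24 is assumed.

# Fail (with a message) for any export that is offered to every host ("*")
# or that disables root_squash.
# Usage: exports_audit FILE
exports_audit() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++) {
                h = $i; sub(/\(.*/, "", h)          # host part of host(options)
                if (h == "*") { bad = 1; print $1 ": exported to every host" }
                if ($i ~ /no_root_squash/) { bad = 1; print $1 ": no_root_squash lets client root act as server root" }
            }
        }
        END { exit bad }' "$1"
}

# Print the fstab line for a client to mount the home directories from
# SERVER. hard,intr: a hung server blocks I/O instead of returning errors,
# but processes stay interruptible. nosuid,nodev: a setuid binary or device
# node dropped into a home directory on one client must not work on another.
# Usage: home_fstab_line SERVER
home_fstab_line() {
    printf '%s:/home\t/home\tnfs\trw,hard,intr,nosuid,nodev\t0 0\n' "$1"
}

# Constructed exports: the permissive form many howtos show, and the scoped one.
WEAK=$(mktemp)
printf '/home *(rw,no_root_squash)\n' > "$WEAK"
SCOPED=$(mktemp)
printf '# home directories for the LAN only; root_squash is the default\n' > "$SCOPED"
printf '/home 192.168.10.0/24(rw,sync,root_squash)\n' >> "$SCOPED"

exports_audit "$WEAK"   || echo "fix /etc/exports before exporting home directories"
exports_audit "$SCOPED" && echo "exports ok; client fstab line:" && home_fstab_line 192.168.10.1
```

Run exports_audit /etc/exports on the server after editing and before exportfs; on the client append the output of home_fstab_line to /etc/fstab.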

To move away from LDAP

If auth-client-config was used before, resetting the configuration back to files requires the following changes:

First back up the existing profile

/etc/auth-client-config/profile.d/original-state

This was the original file and has to be stored in /etc/auth-client-config/profile.d/

To list the existing profiles, issue the following command.

then change to the profile no-ldap

you can then verify the current profile

and everything should be set back to files again.

But remember that all credentials were stored in LDAP, so every user has to be created on the system again and the files changed accordingly. The password hashes cannot be copied over: the directory stores {SSHA} hashes, which /etc/shadow does not understand, so every migrated user needs a new local password.
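As an added example (not part of the original howto), a script that turns the posixAccount entries of an ldapsearch LDIF dump into /etc/passwd lines, with the password field set to x, and lists the users who then need a new local password. The sample dump is constructed to look like two ldapscripts-created users under dc=bluelight,dc=av; base64-encoded ("::") values are skipped rather than decoded.

```shell
#!/bin/sh
# Added example, not part of the original howto. Converts posixAccount
# entries from an LDIF dump (ldapsearch -x -b dc=bluelight,dc=av) into
# /etc/passwd lines. The password field is always "x": userPassword holds
# an {SSHA} hash that /etc/shadow cannot use, so each migrated user needs a
# new local password (passwd or chpasswd). Sample LDIF is constructed;
# base64 ("::") values are skipped.

# Read LDIF from FILE and print one passwd line per entry that has both
# uid and uidNumber. Usage: ldif_to_passwd FILE
ldif_to_passwd() {
    awk '
        function flush() {
            if (e["uid"] != "" && e["uidNumber"] != "")
                printf "%s:x:%s:%s:%s:%s:%s\n", e["uid"], e["uidNumber"],
                    e["gidNumber"], e["gecos"], e["homeDirectory"], e["loginShell"]
            split("", e)                     # reset for the next entry
        }
        /^$/ { flush(); next }               # blank line ends an entry
        /^#/ { next }                        # ldapsearch comments
        /^[^ ]/ {                            # attribute line (not a continuation)
            i = index($0, ":")
            if (i == 0) next
            k = substr($0, 1, i - 1)
            v = substr($0, i + 1)
            if (substr(v, 1, 1) == ":") next # "attr:: base64", not decoded here
            sub(/^ +/, "", v)
            e[k] = v
        }
        END { flush() }' "$1"
}

# Print the user names that need a new local password after migration.
migrated_users() {
    ldif_to_passwd "$1" | cut -d: -f1
}

# Constructed ldapsearch output for two ldapscripts-created users.
DUMP=$(mktemp)
cat > "$DUMP" <<'EOF'
# extended LDIF
dn: uid=testuser,ou=Users,dc=bluelight,dc=av
objectClass: account
objectClass: posixAccount
cn: testuser
uid: testuser
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/testuser
loginShell: /bin/bash
gecos: testuser
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=

dn: uid=alice,ou=Users,dc=bluelight,dc=av
objectClass: account
objectClass: posixAccount
cn: alice
uid: alice
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/alice
loginShell: /bin/bash
gecos: alice
EOF

ldif_to_passwd "$DUMP"
echo "users needing a new local password:"
migrated_users "$DUMP"
```

Append the output to /etc/passwd only after checking the UIDs do not collide with existing local accounts, then create matching groups and set passwords with chpasswd.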