
6. Configure an LDAP Fat Server/Client

 

https://help.ubuntu.com/community/UbuntuLTSP/FatClients

http://wiki.bluelightav.org/display/BLUE/Open+LDAP

http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/

http://ubuntuforums.org/showthread.php?t=1054966

http://ubuntuforums.org/showthread.php?t=1488232

https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html

http://ubuntuforums.org/archive/index.php/t-1156240.html


Install and configure LTSP

On the server:

If not done already, configure the sources.list files to fetch packages through the server's apt-cacher-ng proxy:

Code Block
# Route every http:// mirror in sources.list through the proxy on the server (port 3142)
sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list
# Same for the medibuntu list; the pattern must be http:// (not http:/) or the rewritten URL gets a double slash
sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list.d/medibuntu.list
apt-get update
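The two sed lines above rewrite blindly, so running them a second time produces URLs of the form http://proxy/proxy/... . The following shell example (added here, not code from the original page) does the same rewrite but skips lines that already point at the proxy, and counts the lines that still fetch directly. The proxy address is the one used on this page; the sources.list content is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: route apt sources through the
# server's apt-cacher-ng proxy idempotently. Proxy address taken from the page;
# the sample sources.list content below is constructed.
PROXY="192.168.10.1:3142"

# Escape the dots so the proxy address is matched literally by sed.
proxy_re=$(printf '%s' "$PROXY" | sed 's/\./\\./g')

# Print $1 with every http:// URL routed through $PROXY. Lines that already go
# through the proxy are branched past the substitution and left untouched.
apt_proxy_rewrite() {
    sed -e "\\#http://$proxy_re/#b" \
        -e "s#http://#http://$PROXY/#g" "$1"
}

# Count the lines in $1 that still fetch directly from a mirror.
count_direct_lines() {
    grep -v "http://$proxy_re/" "$1" | grep -c 'http://' || true
}

# Demo on a constructed sources.list in which one line is already proxied.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://archive.ubuntu.com/ubuntu natty main restricted
deb http://192.168.10.1:3142/security.ubuntu.com/ubuntu natty-security main
# deb-src http://archive.ubuntu.com/ubuntu natty main
EOF
echo "direct lines before rewrite: $(count_direct_lines "$sample")"
apt_proxy_rewrite "$sample"
rm -f "$sample"
```

Unlike the original commands the function writes to stdout; redirect it to a temporary file and move that over sources.list once the result looks right, or add -i as the page does.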

Install ltsp-server-standalone:

Code Block
sudo apt-get install ltsp-server-standalone

Edit the installation options of ltsp-build-client:

Code Block (/etc/ltsp/ltsp-build-client.conf)
# The chroot architecture. 
ARCH=i386
# ubuntu-desktop and edubuntu-desktop are tested. 
# If you test with [k|x]ubuntu-desktop, edit this page and mention if it worked OK. 
# kubuntu lucid (10.10) working okay. 
FAT_CLIENT_DESKTOPS="ubuntu-desktop"
# Space separated list of programs to install. 
# The java plugin installation contained in ubuntu-restricted-extras 
# needs some special care, so let's use it as an example. 
LATE_PACKAGES=" 
 ubuntu-restricted-extras 
 gimp 
 nfs-client 
"
# This is needed to answer "yes" to the Java EULA. 
# We'll create that file in the next step. 
DEBCONF_SEEDS="/etc/ltsp/debconf.seeds"
# This uses the server apt cache to speed up downloading. 
# This locks the servers dpkg, so you can't use apt on 
# the server while building the chroot. 
MOUNT_PACKAGE_DIR="/var/cache/apt/archives/"

...

Install and configure LDAP

Install the server dependencies

Code Block
apt-get install slapd ldap-utils ldapscripts

Create /etc/ldap/frontend.bluelight.av.ldif

...

Preparation

emacs /etc/hosts

Code Block
127.0.0.1 localhost
127.0.1.1 server.bluelight.av server

emacs /etc/hostname

Code Block
server

hostname -f

(should now print server.bluelight.av; reboot if necessary)

Installation

apt-get install slapd ldap-utils

Post-installation

cd /etc/ldap/

emacs add_content.ldif

ldapadd -x -D cn=admin,dc=bluelight,dc=av

...

-W -f add_content.ldif

ldapsearch -x -LLL -b dc=bluelight,dc=av

...

Code Block
ldapadd -x -D cn=admin,dc=bluelight,dc=av -W -f frontend.bluelight.av.ldif

 

If you get the error ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1), slapd is probably not running.

Start slapd:

Code Block
/etc/init.d/slapd start

If you get an invalid credentials error, reconfigure slapd (this removes the existing cn=config directory and rebuilds it):

Code Block
# run from /etc/ldap; this deletes the existing cn=config database before dpkg-reconfigure recreates it
rm -R slapd.d/
dpkg-reconfigure slapd

If it still doesn't work, check the following file:

  • slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif 

While troubleshooting you can also set olcRootPW in that file to a plain value such as secret (slapd only reads the file at startup, so restart it afterwards; olcRootPW:: with a double colon means the stored value is base64-encoded).

Code Block
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=bluelight,dc=av
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=bluelight,dc=av" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=bluelight,dc=av" write by
 * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=bluelight,dc=av
olcRootPW:: e1NTSEF9ZHVjOVVVLytLcnpqMEtaRDhtWHkwMWxMcmFrUVkrN2I=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 8cf0846c-d6d0-1030-8040-b16ccc9dfedc
creatorsName: cn=config
createTimestamp: 20120119100316Z
entryCSN: 20120119100316.322583Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120119100316Z
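Because olcRootPW accepts either a plaintext password or a {SCHEME}-prefixed hash, and slapd writes it base64-encoded (the double colon above), it is easy to leave a plaintext root password behind after troubleshooting. The following shell example (added here, not code from the original page) decodes the value and reports the scheme in use. It assumes GNU coreutils base64 and a single-line value; the sample LDIF is constructed around the hash shown on this page.

```shell
#!/bin/sh
# Added example, not part of the original page: report the password scheme of
# the olcRootPW attribute in a cn=config LDIF, so a plaintext root password is
# noticed. Assumes GNU coreutils base64; the sample file below is constructed.

# Print the scheme of olcRootPW in file $1: "{SSHA}", "{CRYPT}", ... for a
# hashed value, "plaintext" for a bare password, "none" if the attribute is
# absent. Handles both "olcRootPW: value" and the base64 "olcRootPW:: value"
# form; LDIF line folding of the value is not handled.
rootpw_scheme() {
    line=$(sed -n '/^olcRootPW:/{p;q;}' "$1")
    [ -n "$line" ] || { echo none; return 0; }
    case "$line" in
        olcRootPW::*) value=$(printf '%s' "${line#olcRootPW:: }" | base64 -d) ;;
        *)            value=${line#olcRootPW: } ;;
    esac
    case "$value" in
        {*}*) scheme=${value%%\}*}; printf '%s}\n' "$scheme" ;;
        *)    echo plaintext ;;
    esac
}

# Demo on a constructed olcDatabase={1}hdb fragment carrying the page's hash.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: olcDatabase={1}hdb
olcRootDN: cn=admin,dc=bluelight,dc=av
olcRootPW:: e1NTSEF9ZHVjOVVVLytLcnpqMEtaRDhtWHkwMWxMcmFrUVkrN2I=
EOF
echo "root password scheme: $(rootpw_scheme "$sample")"
rm -f "$sample"
```

Run it against the olcDatabase={1}hdb.ldif file listed above; anything other than a {SCHEME} answer means the root password is stored in the clear and should be replaced with a slappasswd hash.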
 

 

Install the authentication for the server

Code Block
apt-get install ldap-auth-client auth-client-config

This is done with a simple migration tool called auth-client-config.
It is configured through profiles stored in /etc/auth-client-config/profile.d.

First save the current, untouched configuration, then list the existing profiles and apply the one we want:

 

Code Block
auth-client-config -S > /etc/auth-client-config/profile.d/original-config
auth-client-config -l
auth-client-config -p lac_ldap -a

This updates the files in /etc/pam.d/ and /etc/nsswitch.conf.

 

Change in /etc/ldapscripts/ldapscripts.conf

Code Block (/etc/ldapscripts/ldapscripts.conf)
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=bluelight,dc=av"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX="dc=bluelight,dc=av" # Global suffix
GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users" # Users ou (just under $SUFFIX)
GIDSTART="2000" # Group ID
UIDSTART="2000" # User ID
HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
HOMEPERMS="700" # Default permissions for home directories
GETENTPWCMD=""
GETENTGRCMD=""
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
 

The original:

Code Block
# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Note for Debian users:
# On Debian system ldapscripts will try to parse and use some system config.
# Look on commented variables and description lines started with DEBIAN.
# But you could override it's values here.

# LDAP Configuration
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=bluelight,dc=av"
 
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
 
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
 
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=bluelight,dc=av" # Global suffix
GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users" # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
 
# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
#MIDSTART="20000" # Machine ID
 
# User properties
# DEBIAN: values from /etc/adduser.conf are used.
#USHELL="/bin/sh"
#UHOMES="/home/%u" # You may use %u for username here
#CREATEHOMES="no" # Create home directories and set rights ?
HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
HOMEPERMS="700" # Default permissions for home directories
 
# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "<ask>" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN="<ask>"
#PASSWORDGEN="pwgen"
 
# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
#RECORDPASSWORDS="no"
#PASSWORDFILE="/var/log/ldapscripts_passwd.log"
 
# Where to log
#LOGFILE="/var/log/ldapscripts.log"
 
# Temporary folder
#TMPDIR="/tmp"
 
# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, expr, which... 
# Please check they are installed before using these scripts
# Note that many of them should come with your OS
 
# OpenLDAP client commands
#LDAPSEARCHBIN="/usr/bin/ldapsearch"
#LDAPADDBIN="/usr/bin/ldapadd"
#LDAPDELETEBIN="/usr/bin/ldapdelete"
#LDAPMODIFYBIN="/usr/bin/ldapmodify"
#LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
#LDAPPASSWDBIN="/usr/bin/ldappasswd"
 
# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
#ICONVBIN="/usr/bin/iconv"
#ICONVCHAR="ISO-8859-15"
 
# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"
 
# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
GETENTPWCMD=""
GETENTGRCMD=""
 
# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""

 

Add a user

Code Block
ldapadduser testuser users 

 

...

'uid=john' cn gidNumber

Modifying the slapd Configuration Database

emacs uid_index.ldif

Code Block
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uid eq,pres,sub

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif

emacs schema_convert.conf

Code Block
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema

mkdir ldif_output

slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema

(the output gives the index of the corba schema entry; use it in the -H URL of the next command)

slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={2}corba,cn=schema,cn=config -l cn=corba.ldif

emacs cn\=corba.ldif

# remove the {1} index prefix from the following lines

Code Block
dn: cn=corba,cn=schema,cn=config 
... 
cn: corba

# also delete the operational attributes at the end of the file (from structuralObjectClass onward)

Code Block
structuralObjectClass: olcSchemaConfig
entryUUID: 52109a02-66ab-1030-8be2-bbf166230478
creatorsName: cn=config
createTimestamp: 20110829165435Z
entryCSN: 20110829165435.935248Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110829165435Z

 

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=corba.ldif

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
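The edit of cn\=corba.ldif described above (strip the {N} index from the dn: and cn: lines, drop the operational attributes) is the same for every schema converted this way. The following shell example (added here, not code from the original page) performs that edit with sed and checks that the result is ready for ldapadd; the sample LDIF is constructed, the olcObjectIdentifier line being a stand-in for the real schema content.

```shell
#!/bin/sh
# Added example, not part of the original page: clean a slapcat-exported
# schema LDIF so it can be loaded into cn=config with ldapadd. Strips the
# {N} index prefix from dn: and cn: and drops the operational attributes
# slapcat appends. The sample input below is constructed.

# Print the cleaned version of the schema LDIF in $1 to stdout.
schema_ldif_clean() {
    sed -e 's/^dn: cn={[0-9]*}/dn: cn=/' \
        -e 's/^cn: {[0-9]*}/cn: /' \
        -e '/^structuralObjectClass:/d' \
        -e '/^entryUUID:/d' \
        -e '/^creatorsName:/d' \
        -e '/^createTimestamp:/d' \
        -e '/^entryCSN:/d' \
        -e '/^modifiersName:/d' \
        -e '/^modifyTimestamp:/d' "$1"
}

# Return 0 if the LDIF in $1 is ready for ldapadd: no {N} prefix left in the
# dn and none of the operational attributes present.
schema_ldif_ready() {
    if grep -q '^dn: cn={' "$1"; then return 1; fi
    if grep -Eq '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):' "$1"; then
        return 1
    fi
    return 0
}

# Demo on a constructed export of the corba schema entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: cn={2}corba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {2}corba
olcObjectIdentifier: EXAMPLE 1.2.3.4
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20110829165435Z
entryCSN: 20110829165435.935248Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110829165435Z
EOF
schema_ldif_clean "$sample" > "$sample.clean"
schema_ldif_ready "$sample.clean" && echo "ready for ldapadd"
cat "$sample.clean"
rm -f "$sample" "$sample.clean"
```

Use schema_ldif_ready as a gate before the ldapadd -Q -Y EXTERNAL step: loading a file that still carries the index or the operational attributes is what produces the usual "unwilling to perform" / duplicate entry errors.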



Logging

emacs logging.ldif

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif

emacs /etc/rsyslog.conf

service rsyslog restart



Replication

emacs provider_sync.ldif

emacs /etc/apparmor.d/local/usr.sbin.slapd

sudo -u openldap mkdir /var/lib/ldap/accesslog

sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog

sudo service apparmor reload

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif

service slapd restart





LDAP Authentication

apt-get install libnss-ldap

auth-client-config -t nss -p lac_ldap

pam-auth-update



apt-get install ldapscripts

emacs /etc/ldapscripts/ldapscripts.conf

sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"

chmod 400 /etc/ldapscripts/ldapscripts.passwd

ldapadduser geo users
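The sh -c "echo -n 'secret' > ..." line above puts the bind password on the command line (visible in ps output and the shell history) and creates the file with the default umask before the chmod narrows it. The following shell example (added here, not code from the original page) writes the file from stdin with umask 077 and provides a check for the permissions; it uses a temporary directory in place of /etc/ldapscripts and assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example, not part of the original page: create the ldapscripts bind
# password file from stdin with restrictive permissions from the start, and
# check an existing file. A temporary directory stands in for
# /etc/ldapscripts/ldapscripts.passwd; stat -c is GNU coreutils.

# Write stdin to $1 as a mode 0600 file. Any existing file is removed first,
# because umask does not change the mode of a file that already exists.
write_secret_file() {
    rm -f "$1"
    ( umask 077 && cat > "$1" )
}

# Return 0 if $1 exists and has no group or other permission bits (mode x00).
secret_file_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo: ldapscripts expects the raw password without a trailing newline,
# hence printf '%s' rather than echo.
dir=$(mktemp -d)
printf '%s' 'secret' | write_secret_file "$dir/ldapscripts.passwd"
if secret_file_ok "$dir/ldapscripts.passwd"; then
    echo "bind password file mode: $(stat -c '%a' "$dir/ldapscripts.passwd")"
fi
rm -rf "$dir"
```

On the real server run write_secret_file as root against /etc/ldapscripts/ldapscripts.passwd; secret_file_ok is a quick audit for the same file (and for /etc/ldap.secret, which the Debian notes in ldapscripts.conf say is consulted too).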







Install and configure NFS

apt-get install nfs-kernel-server

emacs /etc/exports

emacs /etc/security/group.conf

emacs /etc/auth-client-config/profile.d/bl-ldap

auth-client-config -S > /etc/auth-client-config/profile.d/original

auth-client-config -p bl-ldap -a

emacs /etc/pam.d/gdm



 

On the client:

Chroot into the client system:

...