If you have several Linux machines and several users, keeping all the accounts in sync is tedious: changing a password means changing it on every machine. OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP). It stores user information that can be used for authentication. On Debian and Ubuntu it is easy to set up an OpenLDAP server as the authentication source, which gives you a single source for all user information.
Installing OpenLDAP and utils
The OpenLDAP server is called `slapd`. You also need `ldap-utils`, which contains the command-line tools (`ldapsearch`, `ldapmodify`, `ldappasswd` and friends) used to talk to `slapd`. The installer will ask you for an admin password; its hash becomes the `olcRootPW` of the default database.
apt-get install slapd ldap-utils
Edit or create `/etc/ldap/ldap.conf`. This is the client-side defaults file read by the `ldap-utils` tools, not the server configuration. Change the `BASE` and `URI` values.
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=home
URI     ldap://localhost

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
Modify `slapd`
The installation of `slapd` creates a default database with the suffix `dc=nodomain`. To customize it you edit the database definition in the `cn=config` tree and then throw away the existing database files, because the data in them belongs to the old suffix.
First you have to stop the `slapd` server.
service slapd stop
Edit `/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif`. Start by deleting the comment lines at the top (the `AUTO-GENERATED FILE` header with its `CRC32` checksum; if you leave the checksum in, slapd logs a checksum error for the file after a manual edit). Next change the `olcSuffix`, `olcAccess` and `olcRootDN` attributes. The default suffix is `dc=nodomain`; pick one for your own domain, for example `dc=home` or `dc=nnet,dc=nl`, and use the same value everywhere the file mentions `dc=nodomain`. Be aware that slapd folds long values: a line that starts with a single space continues the previous line, so `dc=nodomain` inside an `olcAccess` value may be split across two lines. Leave `olcRootPW` alone: the `::` means the value is base64-encoded, and it holds the `{SSHA}` hash of the admin password you typed during installation. Note what the default `olcAccess` rules grant: users may change their own password, anonymous binds may use `userPassword` only to authenticate, and everything else in the tree is readable by anyone who can reach the server.
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=home
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=home" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=home" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=home
olcRootPW:: e1NTSEF9NnlDcGgvdSs4VFFEdGhDcFMzWFpNRGJ4QU5qYWNGdUw=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: ddb8a3f2-eafc-1031-971a-29130b48cf4a
creatorsName: cn=admin,cn=config
createTimestamp: 20130104205550Z
entryCSN: 20130104205550.634509Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20130104205550Z
After saving the file, remove the existing database files. These are not just caches: this deletes all data in the directory, which on a fresh install is only the empty `dc=nodomain` database. Do not do this on a server that already holds users. `DB_CONFIG` is rewritten from the `olcDbConfig` attributes when slapd starts.
rm -r /var/lib/ldap/*
Next you can start the `slapd` server.
service slapd start
Your database is now modified and empty.
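The manual edit above has one trap: slapd folds long `cn=config` values at 78 columns, so `dc=nodomain` inside an `olcAccess` value can be cut in half (`dc=nodom` / ` ain`) and a plain `sed` or `grep` misses it, leaving an ACL that still names `cn=admin,dc=nodomain`. The following Python script is an added example, not code from the page or from OpenLDAP: it unfolds the file, replaces the suffix only where it is a whole DN component, drops the auto-generated comment header, and counts the occurrences before and after. The sample input is a shortened, constructed copy of the database file with a made-up `CRC32` value; the function names are this example's own.

```python
import re

# Added example (not from the page): rewrite olcDatabase={1}hdb.ldif for a
# new suffix, as the page does by hand, without missing folded lines.
# slapd writes cn=config files with long values folded at 78 columns: a line
# that starts with a single space continues the previous line, so a value can
# be cut in the middle of "dc=nodomain". Function names are this example's own.

SUFFIX_RE = re.compile(r"dc=[A-Za-z0-9-]+(,dc=[A-Za-z0-9-]+)*")


def unfold(text):
    """Join LDIF continuation lines (leading space) back onto their line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def suffix_pattern(suffix):
    # Match a whole DN component only, so dc=home does not hit dc=homeoffice.
    return re.compile(r"(?<![\w.-])" + re.escape(suffix) + r"(?![\w.-])")


def count_suffix(text, suffix):
    """Occurrences of suffix after unfolding; a plain text.count() undercounts."""
    pat = suffix_pattern(suffix)
    return sum(len(pat.findall(line)) for line in unfold(text))


def rewrite_suffix(text, old_suffix, new_suffix):
    """Return the file with old_suffix replaced in every plain attribute value
    and the AUTO-GENERATED/CRC32 comment header dropped (its checksum would no
    longer match the edited file). Base64 (::) values are left untouched."""
    if not SUFFIX_RE.fullmatch(new_suffix):
        raise ValueError("suffix must look like dc=example,dc=org: " + new_suffix)
    pat = suffix_pattern(old_suffix)
    out = []
    for line in unfold(text):
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and not value.startswith(":"):
            line = name + ":" + pat.sub(new_suffix, value)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: a shortened slapd.d database file with a fake CRC32.
SAMPLE = """\
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=nodomain" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=nodom
 ain" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=nodomain
olcRootPW:: e1NTSEF9NnlDcGgvdSs4VFFEdGhDcFMzWFpNRGJ4QU5qYWNGdUw=
olcDbIndex: objectClass eq
"""

if __name__ == "__main__":
    print("naive count:", SAMPLE.count("dc=nodomain"))
    print("real count: ", count_suffix(SAMPLE, "dc=nodomain"))
    new = rewrite_suffix(SAMPLE, "dc=nodomain", "dc=home")
    print("left after rewrite:", count_suffix(new, "dc=nodomain"))
    print(new)
```

Run it against the real file with `slapd` stopped, write the result back in place, and keep a copy of the original. The output is not re-folded; LDIF permits long lines and slapd folds them again the next time it rewrites the file.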
Filling the database
The database is filled with LDIF files fed to `ldapmodify`. We use two templates. Save them on the server, where `ldap.conf` points at `ldap://localhost`.
`adddomain.ldif`:
dn: dc=home
changetype: add
objectClass: top
objectClass: dcObject
objectClass: organization
o: home
dc: home

dn: cn=admin,dc=home
changetype: add
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:

dn: ou=people,dc=home
changetype: add
ou: people
objectClass: top
objectClass: organizationalUnit
description: Parent object of all UNIX accounts

dn: ou=groups,dc=home
changetype: add
ou: groups
objectClass: top
objectClass: organizationalUnit
description: Parent object of all UNIX groups
`adduser.ldif`:
dn: uid=jdoe,ou=people,dc=home
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
sn: Doe
givenName: John
cn: John Doe
userPassword:
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/jdoe
gecos: John Doe
displayName: John Doe

dn: cn=jdoe,ou=groups,dc=home
changetype: add
objectClass: posixGroup
objectClass: top
cn: jdoe
gidNumber: 10000
memberUid: jdoe
First create the base of the tree: the domain entry, the admin entry, and the `people` and `groups` organizational units. Edit `adddomain.ldif` first if you chose a different suffix. Enter the `slapd` admin password when asked. Binding as `cn=admin,dc=home` works before that entry exists because it is the `olcRootDN`, which is checked against `olcRootPW`.
ldapmodify -f adddomain.ldif -x -D "cn=admin,dc=home" -W
The `cn=admin,dc=home` entry was just added without a password, so set one now. With `-S` you are asked for the new password twice, then for the current admin password (the one in `olcRootPW`) to bind. Use the same password for both so the entry and `olcRootPW` stay in step.
ldappasswd -D cn=admin,dc=home -W -S cn=admin,dc=home
Now add a user. Edit the `adduser.ldif` template: change the name fields and give every new user its own `uidNumber` and `gidNumber`. The template starts at 10000, well above the range Debian uses for local accounts, so directory users cannot collide with local ones. A `uidNumber` must be unique across the directory: two entries with the same number are the same identity on every client.
ldapmodify -f adduser.ldif -x -D "cn=admin,dc=home" -W
Set the user's password. With `-S` you enter the new password twice, then the `slapd` admin password to bind. The hash lands in `userPassword`, which the `olcAccess` rules hide from everyone except the user and the admin.
ldappasswd -D cn=admin,dc=home -W -S uid=jdoe,ou=people,dc=home
Check the database contents
To check the contents of the database use `slapcat`. It reads the database files directly, bypassing `slapd` and its access rules, so it runs as root and its output includes every password hash; treat the output as sensitive. The same output is a complete backup of the directory in LDIF form, which `slapadd` can restore.
slapcat
Tell a system to use OpenLDAP
On a client we use the LDAP PAM module, `libpam-ldapd`, which pulls in the `nslcd` daemon and the `libnss-ldapd` NSS module. The installer asks for the URI of the LDAP server (name or IP address) and the search base; then tick the name services to take from LDAP. `passwd` and `group` are the ones logins need (`shadow` adds password-ageing data from the directory); `aliases` only matters for mail aliases. Note that with a plain `ldap://` URI every bind, including the user's password at login, crosses the network in clear. Outside a test LAN use `ldaps://`, or enable StartTLS on the server and set `ssl start_tls` in `/etc/nslcd.conf`.
apt-get install libpam-ldapd
Don't forget to delete the local user with the same name: the NSS lookup order is local files first, then LDAP, so a local `jdoe` shadows the directory entry and logins keep using the local account. Also change the owner of the home directory, since the `uidNumber` has changed and the files still belong to the old numeric id.
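The `slapcat` dump from the previous section is the natural input for checking a client before switching it over: which local accounts would shadow a directory user, which of them need their home directory re-owned, and whether two directory users share a `uidNumber`. The script below is an added example, not code from the page or from OpenLDAP. Its LDIF reader handles the two things `slapcat` output contains that a naive line split gets wrong: folded lines (a leading space continues the previous line, as seen in the config file above) and `attr:: base64` values. The sample dump and the sample `/etc/passwd` are constructed; the hash in the dump is the one from the page's config file; the function names are this example's own.

```python
import base64

# Added example (not from the page): compare a slapcat dump with a client's
# /etc/passwd before the client is switched to LDAP. With the default
# nsswitch order ('files' before 'ldap') a local entry shadows the directory
# entry of the same name. Sample data is constructed; names are this example's own.


def parse_ldif(text):
    """Small LDIF reader: entries end at a blank line, a line starting with one
    space continues the previous line, 'attr:: value' is base64. Attribute
    names are returned lower-cased (LDAP compares them case-insensitively)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines:
        if line.strip() == "":
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def posix_accounts(entries):
    """uid -> {uid, gid, home} for every posixAccount entry."""
    accounts = {}
    for e in entries:
        if "posixaccount" not in [oc.lower() for oc in e.get("objectclass", [])]:
            continue
        accounts[e["uid"][0]] = {"uid": int(e["uidnumber"][0]),
                                 "gid": int(e["gidnumber"][0]),
                                 "home": e["homedirectory"][0]}
    return accounts


def parse_passwd(text):
    """name -> (uid, home) from /etc/passwd lines."""
    local = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            local[fields[0]] = (int(fields[2]), fields[5])
    return local


def migration_report(ldap_accounts, local_accounts):
    """shadowed: names present locally and in LDAP, each with the command that
    removes the local account (userdel without -r keeps the home directory)
    and re-owns the home if the numeric id changed. duplicates: uidNumbers
    shared by several directory users, which every client treats as one identity."""
    shadowed = []
    for name in sorted(set(ldap_accounts) & set(local_accounts)):
        local_uid, home = local_accounts[name]
        acct = ldap_accounts[name]
        fix = f"userdel {name}"
        if local_uid != acct["uid"]:
            fix += f" && chown -R {acct['uid']}:{acct['gid']} {home}"
        shadowed.append({"name": name, "local_uid": local_uid,
                         "ldap_uid": acct["uid"], "fix": fix})
    by_number = {}
    for name, acct in ldap_accounts.items():
        by_number.setdefault(acct["uid"], []).append(name)
    duplicates = {n: sorted(v) for n, v in by_number.items() if len(v) > 1}
    return shadowed, duplicates


# Constructed sample of slapcat output (note the folded homeDirectory line).
SAMPLE_SLAPCAT = """\
dn: dc=home
objectClass: top
objectClass: dcObject
objectClass: organization
dc: home

dn: uid=jdoe,ou=people,dc=home
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: John Doe
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/jdoe
userPassword:: e1NTSEF9NnlDcGgvdSs4VFFEdGhDcFMzWFpNRGJ4QU5qYWNGdUw=

dn: uid=asmith,ou=people,dc=home
objectClass: posixAccount
uid: asmith
cn: Anna Smith
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/asmith

dn: uid=bwong,ou=people,dc=home
objectClass: posixAccount
uid: bwong
cn: Bob Wong
uidNumber: 10001
gidNumber: 10002
homeDirectory: /home/bwo
 ng
"""

# Constructed sample of a client's /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1000:1000:John Doe,,,:/home/jdoe:/bin/bash
asmith:x:10001:10001:Anna Smith:/home/asmith:/bin/bash
"""

if __name__ == "__main__":
    shadowed, duplicates = migration_report(
        posix_accounts(parse_ldif(SAMPLE_SLAPCAT)), parse_passwd(SAMPLE_PASSWD))
    for s in shadowed:
        print(f"{s['name']}: local uid {s['local_uid']}, ldap uid {s['ldap_uid']} -> {s['fix']}")
    for n, names in duplicates.items():
        print(f"uidNumber {n} is shared by {', '.join(names)}")
```

In real use, replace the two samples with `slapcat` output copied from the server and the client's own `/etc/passwd`; the printed `fix` lines are meant to be reviewed, not run blindly, since `chown -R` on a home directory also touches anything mounted or linked under it.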
Did it work?
To check that the new user is resolved on the client, use the `id` command.
id jdoe
It should return something like this:
uid=10000(jdoe) gid=10000(jdoe) groups=10000(jdoe)