Ubuntu10.04 Installation Configuration LDAP Service

Note: In the Ubuntu 10.04 version, for example, the LDAP server and the client are the same machine, the latest OPENLDAP software server side has no separate configuration file, but the configuration information is saved in the database.

1. LDAP server-side installation and configuration

1.1 Installing LDAP server-related software sudo apt-get install SLAPD ldap-utils

1.2 Configure LDAP server database sudo ldapadd-y external-h ldapi:///-f/etc/ldap/schema/cosine.ldifsudo ldapadd-y external-h ldapi:// /-f/etc/ldap/schema/nis.ldif sudo ldapadd-y external-h ldapi:///-f/etc/ldap/schema/inetorgperson.ldif sudo ldapadd- Y external-h ldapi:///-f/etc/ldap/schema/misc.ldif (1) Create a database to create a create_database.ldif file under/var/lib/ldap/: # Load HDB Backe ND module

Dn:cn=module{0},cn=config

Objectclass:olcmodulelist

Cn:module

Olcmodulepath:/usr/lib/ldap

Olcmoduleload: {0}back_hdb

# Create the HDB database and place the files Under/var/lib/ldap

Dn:olcdatabase={1}hdb,cn=config

Objectclass:olcdatabaseconfig

Objectclass:olchdbconfig

Olcdatabase: {1}hdb

Olcdbdirectory:/var/lib/ldap

olcsuffix:dc=edu,dc=example,dc=org

olcrootdn:cn=admin,dc=edu,dc=example,dc=org

OLCROOTPW: {SSHA}5EDV7CSYLP44/GEWU+X3VKAKLN2HG4VX

Olcdbconfig: {0}set_cachesize 0 2097152 0

Olcdbconfig: {1}set_lk_max_objects 1500

Olcdbconfig: {2}set_lk_max_locks 1500

Olcdbconfig: {3}set_lk_max_lockers 1500

Olclastmod:true

olcdbcheckpoint:512 30

Olcdbindex:uid Pres,eq

Olcdbindex:cn,sn,mail pres,eq,approx,sub

Olcdbindex:objectclass eq import: sudo ldapadd-y external-h ldapi:///-f/var/lib/ldap/create_database.ldif Note: Create_databa SE.LDIF file OLCROOTPW parameters after the ciphertext to Chengmingwen as "example", can be slappasswd command to obtain plaintext corresponding to the ciphertext

(2) Initialize the database to create the Init_database.ldif file under/var/lib/ldap/: dn:dc=edu,dc=example,dc=org

Objectclass:top

Objectclass:dcobject

Objectclass:organization

o:edu.example.org

dc:edu

#description: LDAP Root

dn:ou=people,dc=edu,dc=example,dc=org

Objectclass:top

Objectclass:organizationalunit

Ou:people

dn:ou=groups,dc=edu,dc=example,dc=org

Objectclass:top

Objectclass:organizationalunit

Ou:groups import: sudo ldapadd-y external-h ldapi:///-f/var/lib/ldap/init_database.ldif

(3) Modify the ACL to limit access to the database. Create a Acls.ldif file under/var/lib/ldap/: Dn:olcdatabase={1}hdb,cn=config

Add:olcaccess

Olcaccess: {0}to attrs=userpassword,shadowlastchange by dn= ' cn=admin,dc=edu,dc=example,dc=org ' write by anonymous Auth by self Write by * None

Olcaccess: {1}to dn.subtree= "" by * Read

Olcaccess: {2}to * by dn= ' cn=admin,dc=edu,dc=example,dc=org ' write by * Read import: sudo ldapmodify-y external-h -f/var/lib/ldap/acls.ldif

(4) Test database sudo ldapsearch-x-h localhost-b dc=edu,dc=example,dc=org

1.3 Use the Migration Tool Migrationtools (1) To install sudo apt-get install Migrationtools

(2) Use this tool to migrate users and groups in the Linux system to the LDAP server cd/usr/share/migrationtools/./migrate_group.pl/etc/group/group.ldif./migrate_ passwd.pl/etc/passwd./passwd.ldif Modify the parent domain name of the group in Group.ldif to ou=groups,dc=edu,dc=example,dc=org modify Passwd.ldif the user's parent domain name is ou= People,dc=edu,dc=example,dc=orgldapadd-x-w-d "cn=admin,dc=edu,dc=example,dc=org"-F./group.ldif ldapadd-x-w-d "cn= Admin,dc=edu,dc=example,dc=org "-F./passwd.ldif

1.4 Use the LDAP Server Administration Tool ldapscripts (1) To install sudo apt-get install ldapscripts

(2) Modify config file # LDAP Configuration

# debian:values from/etc/pam_ldap.conf are used.

Server= "LDAP://localhost"

Binddn= "Cn=admin,dc=edu,dc=example,dc=org"

# The following file contains the raw password of the BINDDN

# Create it with something like:echo-n ' secret ' > $BINDPWDFILE

# WARNING!!!! Is careful not to make this file world-readable

# DEBIAN:/etc/pam_ldap.secret Or/etc/ldap.secret are used.

Bindpwdfile= "/ETC/LDAPSCRIPTS/LDAPSCRIPTS.PASSWD"

# for older versions of OpenLDAP, it's still possible to use

# unsecure command-line passwords by defining the following option

# and commenting the previous one (Bindpwdfile takes precedence)

#BINDPWD = "Secret"

# debian:values from/etc/pam_ldap.conf are used.

Suffix= "dc=edu,dc=example,dc=org" # Global SUFFIX

Gsuffix= "ou=groups" # Groups ou (just under $SUFFIX)

Usuffix= "ou=people" # Users ou (just under $SUFFIX)

#MSUFFIX = "Ou=machines" # Machines OU (just under $SUFFIX)

# User Passwords Generation

# command-line used to generate a password for added users (with may use%u for username)

# WARNING!!!! This is evaluated, everything specified here would be run!

# Special value "" 'll ask for a password interactively

#PASSWORDGEN = "Cat/dev/random | Lc_all=c tr-dc ' a-za-z0-9 ' | Head-c8 "

#PASSWORDGEN = "Head-c8/dev/random | Uuencode-m-| Sed-n ' 2s|=*$| |; 2p ' | Sed-e ' s|+| | G '-E ' s|/| | G ' "

#PASSWORDGEN = "Pwgen"

#PASSWORDGEN = "Echo changeme"

#PASSWORDGEN = "echo%u"

Passwordgen= "" Note: as shown in the Scarlet Letter, to accommodate the previous configuration, the command to write a password to LDAPSCRIPTS.PASSWD is: Echo-n ' example ' >/etc/ldapscripts/ ldapscripts.passwd

(3) Use sudo ldapaddgroup testgroup sudo ldapadduser testuser testgroup sudo ldapsetpasswd testuser

(4) test getent passwd getent Group

2. LDAP client Installation and configuration 2.1 use Apt-get to install related services #sudo apt-get install LIBNSS-LDAPD LIBPAM-LDAPD Install the LDAP server IP and corresponding base domain name information according to the Setup Wizard during Setup. Finally, check group and passwd two for NSS services. Note: The LDAP client configuration file in Ubuntu system is/etc/nslcd.conf and/etc/nsswitch.conf, and the above configuration information can be modified at any time in the configuration file! To restart the service after the modification: services NSLCD Restart #/ Etc/nslcd.conf

# NSLCD configuration file. Nslcd.conf (5)

# for details.

# The user and group NSLCD should run as.

UID NSLCD

GID NSLCD

# The location at which the LDAP server (s) should is reachable.

URI LDAP://127.0.0.1/

# The search base that'll be used to all queries.

Base dc=edu,dc=example,dc=org

# The LDAP protocol version to use.

#ldap_version 3

# The DN to bind with a for normal lookups.

#binddn cn=annonymous,dc=example,dc=net

#bindpw Secret

# SSL Options

#ssl off

#tls_reqcert never

# The search scope.

#scope Sub #/etc/nsswitch.conf

#

# Example configuration of the GNU Name Service Switch functionality.

# If you have the ' glibc-doc-reference ' and ' info ' packages installed, try:

# ' info libc ' Name Service Switch ' For information about this file.

Passwd:compat LDAP

Group:compat LDAP

Shadow:compat

Hosts:files mdns4_minimal [Notfound=return] DNS Mdns4

Networks:files

PROTOCOLS:DB files

SERVICES:DB files

ETHERS:DB files

RPC:DB files

Netgroup:nis

2.2 After the installation configuration is complete, use the following command to verify that access to the LDAP server is successful #getent passwd#getent group if the associated users and groups on the LDAP server are not properly displayed, check for the following reasons: ①ldap server is turned on ②ldap Server firewall shuts down ③ client configured LDAP server IP is correct, can ping ④ client configured base domain name is correct ⑤ port is not ⑥ version is wrong

-----------------------------------------------

"Related description" ①libnss-ldap is used for name resolution, LIBPAM-LDAP uses PM to authenticate users through LDAP.

Reference ①http://labs.opinsys.com/blog/2010/01/27/setting-up-openldap-on-ubuntu-10-04-alpha2/server and client are referenced documents on Ubuntu ② http://forum.ubuntu.org.cn/viewtopic.php?p=2225140 the detailed installation process (server and client) for 10.04 and beyond ③http://askubuntu.com/questions/ 127389/how-to-configure-ubuntu-as-an-ldap-client pointed out the problem to see the log!! ④http://www.dasairen.com/centos/18520711220.html manually add log functionality to the LDAP service