LDAP Server

Configuration steps taken from Ubuntu LTS LDAP Server documentation


Install the OpenLDAP server daemon and the traditional LDAP management utilities. These are found in packages slapd and ldap-utils respectively.

The installation of slapd will create a working configuration. In particular, it will create a database instance that you can use to store your data. However, the suffix (or base DN) of this instance will be determined from the domain name of the localhost. If you want something different, edit /etc/hosts and replace the domain name with one that will give you the suffix you desire. For instance, if you want a suffix of dc=pujc,dc=edu,dc=co then your file would have a line similar to this:

hostname.pujc.edu.co    hostname

You can revert the change after package installation.

Proceed with the install:

sudo apt-get install slapd ldap-utils

During the install you were prompted to define administrative credentials. These are LDAP-based credentials for the rootDN of your database instance. By default, this user's DN is cn=admin,dc=pujc,dc=edu,dc=co. Also by default, there is no administrative account created for the slapd-config database and you will therefore need to authenticate externally to LDAP in order to access it. We will see how to do this later on.

To test, this is what the slapd-config DIT looks like via the LDAP protocol:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

dn: cn=config

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: olcBackend={0}hdb,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}hdb,cn=config

This is what the dc=pujc,dc=edu,dc=co DIT looks like:

ldapsearch -x -LLL -H ldap:/// -b dc=pujc,dc=edu,dc=co dn

dn: dc=pujc,dc=edu,dc=co

dn: cn=admin,dc=pujc,dc=edu,dc=co

Modifying/Populating your Database

Let's introduce some content to our database. We will add the following:

  • a node called People (to store users)
  • a node called Groups (to store groups)
  • a group called faculty
  • a user called pperez

Create the following LDIF file and call it add_content.ldif:

dn: ou=People,dc=pujc,dc=edu,dc=co
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=pujc,dc=edu,dc=co
objectClass: organizationalUnit
ou: Groups

dn: cn=faculty,ou=Groups,dc=pujc,dc=edu,dc=co
objectClass: posixGroup
cn: faculty
gidNumber: 5000

dn: uid=pperez,ou=People,dc=pujc,dc=edu,dc=co
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: pperez
sn: Perez
givenName: Pedro
cn: Pedro Perez
displayName: Pedro Perez
uidNumber: 10000
gidNumber: 5000
userPassword: pppasswd
gecos: Pedro Perez
loginShell: /bin/bash
homeDirectory: /users/pperez

It's important that the uid and gid values in your directory do not collide with local values. Use high number ranges, such as starting at 5000. By setting the uid and gid values in LDAP high, you also allow for easier control of what can be done with a local user vs. an LDAP one. More on that later.
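Two points from the LDIF above deserve a working illustration: the userPassword line stores whatever value you write in the LDIF, so a cleartext value stays cleartext in the directory, and the uid/gid floor has to be enforced somewhere. The following is an added example, not code from the page or from the Ubuntu guide: it renders an entry like pperez's with userPassword as an OpenLDAP {SSHA} hash (the same format slappasswd -h {SSHA} produces), verifies a password against such a hash the way slapd does, and refuses ids below an assumed LOCAL_MAX of 5000; BASE_DN and LOCAL_MAX are assumptions chosen to match this page.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the page): render a posixAccount LDIF entry like the
# pperez one above, storing userPassword as an OpenLDAP {SSHA} hash instead of
# cleartext, and enforcing the uid/gid floor the text recommends. BASE_DN and
# LOCAL_MAX are assumptions chosen to match this page's directory.

BASE_DN = "dc=pujc,dc=edu,dc=co"
LOCAL_MAX = 5000  # ids below this are left to local /etc/passwd accounts

def ssha_hash(password, salt=None):
    """RFC 2307 {SSHA}: base64(SHA1(password + salt) + salt), 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a cleartext password against a {SSHA} value the way slapd does."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def user_ldif(uid, given, sn, uid_number, gid_number, password, salt=None):
    """Return the LDIF text for one user; refuse ids in the local range."""
    if uid_number < LOCAL_MAX or gid_number < LOCAL_MAX:
        raise ValueError(f"uidNumber/gidNumber must be >= {LOCAL_MAX}")
    cn = f"{given} {sn}"
    return (
        f"dn: uid={uid},ou=People,{BASE_DN}\n"
        "objectClass: inetOrgPerson\nobjectClass: posixAccount\n"
        "objectClass: shadowAccount\n"
        f"uid: {uid}\nsn: {sn}\ngivenName: {given}\ncn: {cn}\n"
        f"displayName: {cn}\nuidNumber: {uid_number}\ngidNumber: {gid_number}\n"
        f"userPassword: {ssha_hash(password, salt)}\ngecos: {cn}\n"
        f"loginShell: /bin/bash\nhomeDirectory: /users/{uid}\n"
    )

if __name__ == "__main__":
    # Same account as the page's LDIF, but the password line is now hashed.
    print(user_ldif("pperez", "Pedro", "Perez", 10000, 5000, "pppasswd"))
```

The printed text can be fed to ldapadd exactly like add_content.ldif; a later ldapsearch on userPassword then shows the {SSHA} value rather than the password itself.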

Add the content:

ldapadd -x -D cn=admin,dc=pujc,dc=edu,dc=co -W -f add_content.ldif

Enter LDAP Password: ********
adding new entry "ou=People,dc=pujc,dc=edu,dc=co"
adding new entry "ou=Groups,dc=pujc,dc=edu,dc=co"
adding new entry "cn=faculty,ou=Groups,dc=pujc,dc=edu,dc=co"
adding new entry "uid=pperez,ou=People,dc=pujc,dc=edu,dc=co"

We can check that the information has been correctly added with the ldapsearch utility:

ldapsearch -x -LLL -b dc=pujc,dc=edu,dc=co 'uid=pperez' cn gidNumber
dn: uid=pperez,ou=People,dc=pujc,dc=edu,dc=co
cn: Pedro Perez
gidNumber: 5000

LDAP Authentication

Once you have a working LDAP server, you will need to install libraries on the client that will know how and when to contact it. On Ubuntu, this has been traditionally accomplished by installing the libnss-ldap package. This package will bring in other tools that will assist you in the configuration step. Install this package now:

sudo apt-get install libnss-ldap

You will be prompted for details of your LDAP server. If you make a mistake you can try again using:

sudo dpkg-reconfigure ldap-auth-config

The results of the dialog can be seen in /etc/ldap.conf. If your server requires options not covered in the menu, edit this file accordingly.

Now configure the LDAP profile for NSS:

sudo auth-client-config -t nss -p lac_ldap

Configure the system to use LDAP for authentication:

sudo pam-auth-update

From the menu, choose LDAP and any other authentication mechanisms you need.

You should now be able to log in using LDAP-based credentials.

User and Group Management

The ldap-utils package comes with enough utilities to manage the directory, but the long strings of options they need can make them a burden to use. The ldapscripts package contains wrapper scripts around these utilities that some people find easier to use.

Install the package:

sudo apt-get install ldapscripts

Then edit the file /etc/ldapscripts/ldapscripts.conf to arrive at something similar to the following:


Now, create the ldapscripts.passwd file to allow rootDN access to the directory:

sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"
sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

The scripts are now ready to help manage your directory. Here are some examples of how to use them:

Create a new user:

sudo ldapadduser george example

This will create a user with uid george and set the user's primary group (gid) to example.

Change a user's password:

sudo ldapsetpasswd george
Changing password for user uid=george,ou=People,dc=example,dc=com
New Password: 
New Password (verify): 

Delete a user:

sudo ldapdeleteuser george

Add a group:

sudo ldapaddgroup qa

Delete a group:

sudo ldapdeletegroup qa

Add a user to a group:

sudo ldapaddusertogroup george qa

You should now see a memberUid attribute for the qa group with a value of george.

Remove a user from a group:

sudo ldapdeleteuserfromgroup george qa

The memberUid attribute should now be removed from the qa group.

hpccluster-ldap.txt · Last modified: 2015/02/07 19:32 by abuss