You might wonder what LDAP is. In my opinion, LDAP is a service that manages all the users in your environment. One example is Windows Active Directory: with it you can set up centralized login for all of your users, and you can also define rules for them (like a password policy). Too bad you have to pay a lot of money for that software, so the alternative is OpenLDAP. Both Windows AD and OpenLDAP are good LDAP servers, but configuring LDAP is quite painful; you have to do it in the console, although in OpenSuse 10.2 you can configure it with YaST.
What we are going to build is a very simple directory server using OpenLDAP. Later, users can log in centrally (you can log in to any computer as long as that computer is an LDAP client), and users who log in via LDAP have to set their password so that it satisfies the password policy. I've read some articles from IBM and an ebook.
To start this configuration you have to design your directory. In my example I want my domain name to be xanadu.com, and the domain will be maintained by administrator. This translates to a directory base with suffix DN dc=xanadu,dc=com and administrative DN cn=administrator,dc=xanadu,dc=com.
After you configure the base you need OUs to hold the users and groups that will use the LDAP server: for users we will use ou=people,dc=xanadu,dc=com and for groups ou=group,dc=xanadu,dc=com. You can picture this configuration as a tree where the root is the base, i.e. xanadu.com, its branches are people and group, and their branches are the individual users and groups. You can design something more complex, like an OU inside another OU; it is up to you.
To create the users and groups you can do it one by one, which is not good for your fingers 😛, or you can try my way. First you need a dummy PC; on that PC you create all the users and groups that are needed using YaST. After that we convert the users and groups from that PC into LDIF files using the Migration Tools from PADL. I will show you how later.
The next thing to install is the LDAP packages. Log in as root (also for the rest of the configuration), go to YaST, Software, Software Management, change the filter to Patterns, choose Directory Server in the Server Functions section, and install it.
Now we need to configure slapd.conf. This is an example slapd.conf:
# This is where you need to put all the schemas that you will use
# the first four schemas are needed
# ppolicy.schema is used to give the rules about the password policy
# later you can add your own schema to your directory server

# Sample access control policy:
# (the "by" clauses must be indented; slapd.conf treats a line starting
# with whitespace as a continuation of the previous directive)
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to attrs=shadowLastChange
        by self write
        by * read
access to *
        by * read
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
# rootdn can always read and write EVERYTHING!

checkpoint 1024 5

# Indexes that will be maintained by the database
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
Now you can start the service by typing:
After you start the service, you can put something into the LDAP database. But first we need to convert the data from the dummy computer into LDIF files so that we can load them into LDAP. Download the Migration Tools from PADL and extract them on your dummy PC. Inside the extracted folder find the migrate_common.ph file; we need to change some lines in it:
$DEFAULT_BASE = "dc=xanadu,dc=com"; # your base suffix or domain name
Then you can run:
chmod -Rf 770 /MigrationTools-47
./migrate_base.pl > base.ldif
You have to edit base.ldif so that it looks like this:
objectClass: domain

dn: ou=People,dc=xanadu,dc=com
objectClass: organizationalUnit

dn: ou=Group,dc=xanadu,dc=com
Now we're going to convert the ldapuser group from /etc/group on the dummy PC into an LDAP group, or we can convert all the groups in that file and then edit the result. If you want to convert ldapuser only:
grep ldapuser /etc/group > group.in
./migrate_group.pl group.in > group.ldif
or if you want to convert all the groups and then choose which ones to keep, you can do this:
./migrate_group.pl /etc/group > group.ldif
Basically, group.ldif looks like this:
The next step is to convert the users in /etc/passwd on the dummy PC into LDAP users, or you can convert all the users in that file and then edit the result. If you only want to convert ldapuser:
grep ldapuser /etc/passwd > passwd.in
./migrate_passwd.pl passwd.in > passwd.ldif
or if you want to convert all the users in /etc/passwd:
./migrate_passwd.pl /etc/passwd > passwd.ldif
Here is an example of the passwd.ldif file:
Now you have 3 LDIF files (base.ldif, group.ldif, passwd.ldif) on your dummy PC; all that is left is to transfer them to your LDAP server. Once they are transferred, you can load the data into the LDAP database using ldapadd:
ldapadd -x -W -D "cn=administrator,dc=xanadu,dc=com" -f base.ldif
ldapadd -x -W -D "cn=administrator,dc=xanadu,dc=com" -f group.ldif
ldapadd -x -W -D "cn=administrator,dc=xanadu,dc=com" -f passwd.ldif
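The three files loaded by the ldapadd commands above, produced by an added Python script (not the post's own files and not PADL's Migration Tools): a small stand-in for migrate_base.pl, migrate_group.pl and migrate_passwd.pl that turns constructed passwd, shadow and group lines into LDIF using the post's layout. The sample users, the placeholder crypt hash and the `only`/`gids` filters are assumptions for the demo.

```python
# Added example (not from the post or PADL's Migration Tools): a stand-in for
# migrate_base.pl / migrate_group.pl / migrate_passwd.pl using the post's layout.
BASE = "dc=xanadu,dc=com"
PEOPLE, GROUP = "ou=People," + BASE, "ou=Group," + BASE
# Constructed sample lines standing in for the dummy PC's /etc files (ASCII only).
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "alice:x:1001:500:Alice Example:/home/alice:/bin/bash\n")
SHADOW = ("root:!:13500:0:99999:7:::\n"
          "alice:$1$constructed$placeholderhash:13500:0:99999:7:::\n")
GROUPS = "root:x:0:\nldapuser:x:500:alice\n"

def base_ldif():
    # The suffix entry plus the two OUs, i.e. what the post trims base.ldif to.
    dc = BASE.split(",")[0].split("=")[1]
    return "\n\n".join([
        f"dn: {BASE}\ndc: {dc}\nobjectClass: top\nobjectClass: domain",
        f"dn: {PEOPLE}\nou: People\nobjectClass: top\nobjectClass: organizationalUnit",
        f"dn: {GROUP}\nou: Group\nobjectClass: top\nobjectClass: organizationalUnit"]) + "\n"

def group_ldif(group_text, only=None):
    # posixGroup entries; `only` keeps named groups, like the post's grep ldapuser.
    entries = []
    for name, _, gid, members in (l.split(":") for l in group_text.splitlines()):
        if only and name not in only:
            continue
        attrs = [f"dn: cn={name},{GROUP}", f"cn: {name}", "objectClass: top",
                 "objectClass: posixGroup", f"gidNumber: {gid}"]
        attrs += [f"memberUid: {m}" for m in members.split(",") if m]
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"

def passwd_ldif(passwd_text, shadow_text, gids):
    # posixAccount + shadowAccount entries for users whose primary gid is in gids;
    # hash and aging fields come from the shadow line, as migrate_passwd.pl does.
    shadow = {l.split(":")[0]: l.split(":") for l in shadow_text.splitlines()}
    entries = []
    rows = (l.split(":") for l in passwd_text.splitlines())
    for user, _, uid, gid, gecos, home, shell in rows:
        if gid not in gids:
            continue
        s = shadow[user]
        attrs = [f"dn: uid={user},{PEOPLE}", f"uid: {user}", f"cn: {gecos or user}",
                 "objectClass: top", "objectClass: account", "objectClass: posixAccount",
                 "objectClass: shadowAccount", f"userPassword: {{crypt}}{s[1]}",
                 f"shadowLastChange: {s[2]}", f"shadowMin: {s[3]}", f"shadowMax: {s[4]}",
                 f"shadowWarning: {s[5]}", f"loginShell: {shell}", f"uidNumber: {uid}",
                 f"gidNumber: {gid}", f"homeDirectory: {home}"]
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n"
```

Write the three return values to base.ldif, group.ldif and passwd.ldif and feed them to the ldapadd commands above; in the directory the slapd.conf ACL then restricts the exported userPassword to the user and to authentication.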
To test your configuration you can type:
ldapsearch -x -W -D "cn=administrator,dc=xanadu,dc=com"
and this is what you'll get:
# extended LDIF
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL

objectClass: domain

# People, ibm.com
objectClass: organizationalUnit

# Group, ibm.com
objectClass: organizationalUnit

# ldapuser, Group, ibm.com
gidNumber: 500

# ldapuser, People, ibm.com

# search result
result: 0 Success

# numResponses: 6
# numEntries: 5
If you get this kind of result, it means you have your own LDAP server. Now we have to configure the LDAP client. To become an LDAP client you have to install nss_ldap and pam_ldap, then type:
pam-config -a --ldap
After that you can configure the OpenLDAP client's ldap.conf. Make it like this:
# LDAP Defaults
# See ldap.conf(5) for details

# put your LDAP server IP address here (keep comments on their own line;
# URI takes a space-separated list of URIs, so a trailing comment would be read as one)
URI ldap://10.0.0.2:389
Now we need to configure the ldap.conf in /etc (the one nss_ldap and pam_ldap read). Try to make it like this:
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).

# The distinguished name of the search base.

# Reconnect policy:
# hard_open: reconnect to DSA with exponential backoff if
# opening connection failed
# hard_init: reconnect to DSA with exponential backoff if
# initializing connection failed
# hard: alias for hard_open
# soft: return immediately on server failure

# Search the root DSE for the password policy (works
# with Netscape Directory Server). Make use of
# Password Policy LDAP Control (as in OpenLDAP)

# Use the OpenLDAP password change
# extended operation to update the password.

# returns NOTFOUND if nss_ldap's initgroups() is called
# for users specified in nss_initgroups_ignoreusers
# (comma separated)
#nss_initgroups_ignoreusers root,ldap

# Enable support for RFC2307bis (distinguished names in group

# configure --enable-nds is no longer supported.
# NDS mappings
nss_map_attribute uniqueMember member

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
Now you need to edit nsswitch.conf. Edit this line:
Now go to /etc/pam.d and edit common-account, common-auth, common-password and common-session:
# common-account
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass

# common-auth
auth required pam_env.so
auth sufficient pam_unix2.so nullok
auth required pam_ldap.so use_first_pass

# common-password (the option is spelled use_authtok)
password requisite pam_pwcheck.so nullok
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok

# common-session
session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session optional pam_umask.so
session optional pam_env.so
If you have already finished setting this up, then now you can officially join the directory service. Just to make sure, you can go to YaST, Network Services, LDAP Client, tick Use LDAP in user authentication, type the IP address of the LDAP server, type the LDAP base DN, and untick LDAP TLS/SSL. Click Advanced Configuration; in Naming Contexts, in User Map type ou=people,dc=xanadu,dc=com, in Password Map type ou=people,dc=xanadu,dc=com, and in Group Map type ou=group,dc=xanadu,dc=com. Change the password change protocol to clear and the group member attribute to member. Note that with TLS/SSL unticked and the clear password change protocol, credentials cross the network unencrypted; the slapd.conf ACL only limits who can read the stored userPassword, not what travels on the wire.
Well, that's all I know about setting up an LDAP server. Please let me know if you have any problems, or if you want the original files 😀 Phiiiuuuhhh, finally it's done; I put a lot of effort into writing this one 😀