LDAP Server (OpenLDAP) in OpenSuse 10.2

You might wonder what LDAP is. In my opinion LDAP is a program that can manage all the users in your environment. One example is Windows Active Directory: with it you can set up a centralized login for all of your users, and you can also define rules for your users (like a password policy). Too bad that you have to pay a lot of money for that software, so the alternative is OpenLDAP. Both Windows AD and OpenLDAP are good LDAP servers, but configuring LDAP is quite painful because you have to do it in the konsole; in OpenSuse 10.2, however, you can configure it with yast.

What we are going to make is a very simple directory server using OpenLDAP. Later the users can log in centrally (you can log in to any computer as long as that computer is an LDAP client), and users who log in through LDAP have to set their password so that it satisfies the password policy. I've read some articles from IBM and an ebook.

To start this configuration you have to design your directory. In my example I want my domain name to be xanadu.com, and the domain will be maintained by administrator. This translates into the base of the directory with suffix DN dc=xanadu,dc=com and administrative DN cn=administrator,dc=xanadu,dc=com.

After you configure the base you need OUs to contain the users and groups that are going to use the LDAP server: for users we will use ou=people,dc=xanadu,dc=com and for groups ou=group,dc=xanadu,dc=com. You can imagine this configuration as a tree where the root is the base, i.e. xanadu.com, the branches are people and group, and their branches are the users and groups. You can design a more complex one, like putting another ou inside an ou; it is up to you.

To make the users and groups you can create them one by one, which is not good for your fingers 😛, or you can try to make them my way. First you need to get yourself a dummy PC; on that PC you create all the users and groups that are needed using yast. After that we are going to convert the users and groups from that PC into LDIF files using the Migration Tools from PADL. Later I will show you how.

The next thing to install is the LDAP packages. Log in as root (also for the rest of the configuration), go to yast, Software, Software Management, in the Filter tab change it to Patterns, in the Server Functions section choose Directory Server, and install it.

Now we need to configure slapd.conf:

vi /etc/openldap/slapd.conf

This is an example slapd.conf:

#This is where you need to put all the schema that you will use
#the first four schema are needed
#ppolicy.schema is used to give the rule about password policy
#(including the schema only defines the attributes; enforcing a policy
#also needs the ppolicy overlay, which this example does not set up)
#later you can add your own schema to your directory server
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Sample access control policy ("by" clauses are continuation lines,
# so they must be indented):
access to dn.base=""
  by * read
access to dn.base="cn=Subschema"
  by * read
# users may change their own password; everyone else may only use it
# to bind (auth), nobody can read the hash back
access to attrs=userPassword,userPKCS12
  by self write
  by * auth
access to attrs=shadowLastChange
  by self write
  by * read
access to *
  by * read
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
# rootdn can always read and write EVERYTHING!
loglevel 0
database bdb
suffix "dc=xanadu,dc=com"
rootdn "cn=administrator,dc=xanadu,dc=com"
# rootpw is stored in clear text here; slappasswd prints a hashed
# {SSHA} value that you can paste in its place
rootpw "password"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
#Index that will be recorded by database
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres

Now you can start the services by typing:

rcldap start

After you start the service you can put something into LDAP's database. But first we need to convert the data from the dummy computer into LDIF files so that we can load them into LDAP. Download the Migration Tools from PADL and extract them on your dummy PC. Inside the extracted folder find the file migrate_common.ph; we need to change one line in it:

$DEFAULT_BASE = "dc=xanadu,dc=com"; # your base suffix or domain name

Then you can run:

chmod -Rf 770 /MigrationTools-47
./migrate_base.pl > base.ldif

You have to edit base.ldif so that it will become like this:

dn: dc=xanadu,dc=com
dc: xanadu
objectClass: top
objectClass: domain

dn: ou=People,dc=xanadu,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=xanadu,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Now we're going to convert the ldapuser group that is in /etc/group on the dummy PC into an LDAP group. You can also convert all the groups in that file and edit the result afterwards. If you want to convert ldapuser only:

grep ldapuser /etc/group > group.in
./migrate_group.pl group.in > group.ldif

or, if you want to convert all the groups and then pick which ones will be used, you can do this:

./migrate_group.pl /etc/group > group.ldif

Basically, the resulting group.ldif looks like this:

# the base must match the suffix in slapd.conf (dc=xanadu,dc=com)
dn: cn=ldapuser,ou=Group,dc=xanadu,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser
userPassword: {crypt}x
gidNumber: 500

The next step is to convert the users in /etc/passwd on the dummy PC into LDAP users. Again, you can choose to convert all the users in that file and edit the result afterwards. If you only want to convert ldapuser:

grep ldapuser /etc/passwd > passwd.in
./migrate_passwd.pl passwd.in > passwd.ldif

or if you want to convert all the user in /etc/passwd:

./migrate_passwd.pl /etc/passwd > passwd.ldif

Here is an example passwd.ldif file:

# the base must match the suffix in slapd.conf (dc=xanadu,dc=com)
dn: uid=ldapuser,ou=People,dc=xanadu,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
# the {crypt} prefix must be complete; without it slapd treats the
# whole value as a clear-text password
userPassword: {crypt}$1$TeOlOcMc$cpQaa0WpLSFRC1HIHW5bt1
shadowLastChange: 13048
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ldapuser
gecos: ldapuser
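The migration steps above all do the same thing: turn passwd, shadow and group records into LDIF entries under ou=People and ou=Group. As an added example (not the post's own code and not PADL's MigrationTools), the script below does that conversion with awk, joining each passwd record with its shadow record for the {crypt} hash and the ageing fields, filtering by a minimum uid/gid so that root and other system accounts stay local, and leaving out userPassword entirely for locked accounts ("!" or "*" in the shadow file) instead of migrating a bogus value. The suffix dc=xanadu,dc=com and the sample records are assumptions; the hashes are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own code and not PADL's MigrationTools:
# an awk-based converter that produces the same LDIF shape as
# migrate_passwd.pl / migrate_group.pl. Assumptions: suffix
# dc=xanadu,dc=com with ou=People and ou=Group, as in base.ldif above.

BASE="dc=xanadu,dc=com"

# passwd_to_ldif PASSWD_FILE SHADOW_FILE MIN_UID
# One posixAccount/shadowAccount entry per user with uidNumber >= MIN_UID.
passwd_to_ldif() {
    awk -F: -v base="$BASE" -v minuid="$3" '
        NR == FNR {                       # first file: shadow records
            hash[$1] = $2; last[$1] = $3; max[$1] = $5; warn[$1] = $6
            next
        }
        $3 + 0 >= minuid {                # second file: passwd records
            print "dn: uid=" $1 ",ou=People," base
            print "uid: " $1
            print "cn: " $1
            print "objectClass: account"
            print "objectClass: posixAccount"
            print "objectClass: top"
            print "objectClass: shadowAccount"
            # locked or empty shadow entries get no userPassword at all
            if (($1 in hash) && hash[$1] != "" && hash[$1] !~ /^[!*]/)
                print "userPassword: {crypt}" hash[$1]
            if ($1 in last) {
                print "shadowLastChange: " last[$1]
                print "shadowMax: " max[$1]
                print "shadowWarning: " warn[$1]
            }
            print "loginShell: " $7
            print "uidNumber: " $3
            print "gidNumber: " $4
            print "homeDirectory: " $6
            gecos = ($5 == "" ? $1 : $5)
            print "gecos: " gecos
            print ""
        }' "$2" "$1"
}

# group_to_ldif GROUP_FILE MIN_GID
# One posixGroup entry per group with gidNumber >= MIN_GID, plus one
# memberUid per name in the member list.
group_to_ldif() {
    awk -F: -v base="$BASE" -v mingid="$2" '
        $3 + 0 >= mingid {
            print "dn: cn=" $1 ",ou=Group," base
            print "objectClass: posixGroup"
            print "objectClass: top"
            print "cn: " $1
            print "gidNumber: " $3
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] != "") print "memberUid: " members[i]
            print ""
        }' "$1"
}

# Constructed sample records standing in for the dummy PC's /etc/passwd,
# /etc/shadow and /etc/group; the hashes are placeholders, not real ones.
SAMPLE_DIR=$(mktemp -d)
PASSWD_SAMPLE="$SAMPLE_DIR/passwd"
SHADOW_SAMPLE="$SAMPLE_DIR/shadow"
GROUP_SAMPLE="$SAMPLE_DIR/group"
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice Example:/home/alice:/bin/bash
bob:x:501:500::/home/bob:/bin/bash
svc:x:502:502:service account:/var/lib/svc:/bin/false
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$1$salt0000$CONSTRUCTEDROOTHASH:13048:0:99999:7:::
alice:$1$salt0001$CONSTRUCTEDALICEHASH:13048:0:99999:7:::
bob:$1$salt0002$CONSTRUCTEDBOBHASH:13050:0:99999:7:::
svc:!:13048:0:99999:7:::
EOF
cat > "$GROUP_SAMPLE" <<'EOF'
root:x:0:
users:x:100:
ldapuser:x:500:alice,bob
svc:x:502:
EOF

passwd_to_ldif "$PASSWD_SAMPLE" "$SHADOW_SAMPLE" 500 > "$SAMPLE_DIR/passwd.ldif"
group_to_ldif "$GROUP_SAMPLE" 500 > "$SAMPLE_DIR/group.ldif"
cat "$SAMPLE_DIR/passwd.ldif" "$SAMPLE_DIR/group.ldif"
```

With the sample data, root is skipped, bob gets a gecos equal to his uid because the field was empty, and svc is migrated without a userPassword, so nobody can bind as that account until an administrator sets one.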

Now you have 3 LDIF files (base.ldif, group.ldif, passwd.ldif) on your dummy PC; all you need to do now is transfer them to your LDAP server. Once you have transferred them, you can load the data into the LDAP database using ldapadd, base.ldif first, because the OU entries must exist before the groups and users under them:

ldapadd -x -W -D "cn=administrator,dc=xanadu,dc=com" -f base.ldif
ldapadd -x -W -D "cn=administrator,dc=xanadu,dc=com" -f group.ldif
ldapadd -x -W -D "cn=administrator,dc=xanadu,dc=com" -f passwd.ldif
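ldapadd processes a file top to bottom and slapd rejects any entry whose parent does not exist yet, so the order above matters, and hand-edited LDIF is easy to get subtly wrong (two entries glued together without a blank line, or a {crypt} prefix that lost its closing brace). The following pre-flight check, an added example and not part of the post, walks an LDIF file before it is fed to ldapadd and reports entries outside the suffix, entries whose parent has not been added earlier, entries without an objectClass, run-together entries, and userPassword values without a complete {scheme} prefix. The suffix dc=xanadu,dc=com and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: a pre-flight check for LDIF files
# before ldapadd. Assumes the suffix dc=xanadu,dc=com from slapd.conf.

# check_ldif LDIF_FILE SUFFIX [KNOWN_DN ...]
# Prints one line per problem and returns 1 if any was found. KNOWN_DNs
# are entries that already exist on the server, e.g. the OUs from
# base.ldif when group.ldif or passwd.ldif is checked on its own.
check_ldif() {
    file=$1; suffix=$2; shift 2
    known=$(printf '%s|' "$@")
    awk -v suffix="$suffix" -v known="$known" '
        function parent(d) { sub(/^[^,]*,/, "", d); return d }
        function flush() {
            if (dn == "") return
            if (substr(dn, length(dn) - length(suffix) + 1) != suffix) {
                printf "line %d: %s is outside suffix %s\n", start, dn, suffix; bad++
            } else if (dn != suffix && !(parent(dn) in seen)) {
                printf "line %d: parent of %s is not added before it\n", start, dn; bad++
            }
            if (!has_oc) { printf "line %d: %s has no objectClass\n", start, dn; bad++ }
            seen[dn] = 1; dn = ""; has_oc = 0
        }
        BEGIN { n = split(known, k, "|"); for (i = 1; i <= n; i++) if (k[i] != "") seen[k[i]] = 1 }
        /^dn: / { flush(); dn = substr($0, 5); start = NR; next }
        /dn: /  { printf "line %d: entries run together, blank line missing before dn:\n", NR; bad++ }
        /^objectClass: / { has_oc = 1 }
        /^userPassword: / {
            v = substr($0, 15)
            if (substr(v, 1, 1) != "{" || index(v, "}") == 0) {
                printf "line %d: userPassword without a complete {scheme} prefix\n", NR; bad++
            }
        }
        /^$/ { flush() }
        END { flush(); exit (bad > 0) }
    ' "$file"
}

# Constructed sample files (not real directory data). good.ldif is in the
# right order; bad.ldif has the OU glued to the base entry, a user whose
# OU is never added, and a hash that lost its closing brace.
SAMPLE_DIR=$(mktemp -d)
SUFFIX="dc=xanadu,dc=com"
LDIF_GOOD="$SAMPLE_DIR/good.ldif"
LDIF_BAD="$SAMPLE_DIR/bad.ldif"
LDIF_GROUP="$SAMPLE_DIR/group.ldif"
cat > "$LDIF_GOOD" <<'EOF'
dn: dc=xanadu,dc=com
dc: xanadu
objectClass: top
objectClass: domain

dn: ou=People,dc=xanadu,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=alice,ou=People,dc=xanadu,dc=com
uid: alice
objectClass: account
objectClass: posixAccount
userPassword: {crypt}$1$salt0001$CONSTRUCTEDHASH
EOF
cat > "$LDIF_BAD" <<'EOF'
dn: dc=xanadu,dc=com
dc: xanadu
objectClass: top
objectClass: domaindn: ou=People,dc=xanadu,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=alice,ou=Group,dc=xanadu,dc=com
uid: alice
objectClass: account
objectClass: posixAccount
userPassword: {crypt$1$salt0001$CONSTRUCTEDHASH
EOF
cat > "$LDIF_GROUP" <<'EOF'
dn: cn=ldapuser,ou=Group,dc=xanadu,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser
gidNumber: 500
EOF

echo "== good.ldif"; check_ldif "$LDIF_GOOD" "$SUFFIX" && echo "ok to ldapadd"
echo "== bad.ldif";  check_ldif "$LDIF_BAD" "$SUFFIX" || echo "fix before ldapadd"
echo "== group.ldif, with ou=Group already loaded from base.ldif"
check_ldif "$LDIF_GROUP" "$SUFFIX" "ou=Group,$SUFFIX" && echo "ok to ldapadd"
```

Run it as `check_ldif group.ldif dc=xanadu,dc=com ou=Group,dc=xanadu,dc=com` after base.ldif has been loaded; without the known DN the same file is reported as having no parent, which is exactly the error ldapadd would return.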

To test your configuration you can type:

ldapsearch -x -W -D "cn=administrator,dc=xanadu,dc=com"

and this is what you’ll get:

# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# ibm.com
dn: dc=ibm,dc=com
dc: ibm
objectClass: top
objectClass: domain

# People, ibm.com
dn: ou=People,dc=ibm,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, ibm.com
dn: ou=Group,dc=ibm,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# ldapuser, Group, ibm.com
dn: cn=ldapuser,ou=Group,dc=ibm,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser
gidNumber: 500

# ldapuser, People, ibm.com
dn: uid=ldapuser,ou=People,dc=ibm,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ldapuser
gecos: test2

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

If you get this kind of result, that means you have your own LDAP server. Now we have to configure the LDAP client. To become an LDAP client you have to install nss_ldap and pam_ldap, then type:

pam-config -a --ldap

After that you can config ldap.conf:

vi /etc/openldap/ldap.conf

Make it like this:

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# (ldap.conf has no trailing comments, so notes go on their own line)
BASE dc=xanadu,dc=com
# put your LDAP server IP address in the URI
URI ldap://10.0.0.2:389
BINDDN cn=administrator,dc=xanadu,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow

Now we need to configure the ldap.conf in /etc:

vi /etc/ldap.conf

Try to make it like this:

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 10.0.0.2
# The distinguished name of the search base
# (must match the suffix in slapd.conf).
base dc=xanadu,dc=com
# Reconnect policy:
# hard_open: reconnect to DSA with exponential backoff if
# opening connection failed
# hard_init: reconnect to DSA with exponential backoff if
# initializing connection failed
# hard: alias for hard_open
# soft: return immediately on server failure
bind_policy soft
# Search the root DSE for the password policy (works
# with Netscape Directory Server). Make use of
# Password Policy LDAP Control (as in OpenLDAP)
pam_lookup_policy yes
# How pam_ldap sends a changed password: "clear" sends the new
# password as-is (so it should only travel over TLS); "exop" would
# use the OpenLDAP password modify extended operation instead.
pam_password clear
# returns NOTFOUND if nss_ldap's initgroups() is called
# for users specified in nss_initgroups_ignoreusers
# (comma separated)
#nss_initgroups_ignoreusers root,ldap
# Enable support for RFC2307bis (distinguished names in group
# members)
nss_schema rfc2307bis
# configure --enable-nds is no longer supported.
# NDS mappings
nss_map_attribute uniqueMember member
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl no
ldap_version 3
pam_filter objectclass=posixAccount
nss_base_passwd ou=People,dc=xanadu,dc=com
nss_base_shadow ou=People,dc=xanadu,dc=com
nss_base_group ou=Group,dc=xanadu,dc=com
# no TLS and no certificate check: the client talks to the server in the clear
tls_checkpeer no
#ssl on

Now you need to edit nsswitch.conf:

vi /etc/nsswitch.conf

Edit these lines:

passwd: compat
group: compat
passwd_compat: ldap
group_compat: ldap

Now go to /etc/pam.d and edit common-account, common-auth, common-password and common-session.

common-account:

account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass

common-auth:

auth required pam_env.so
auth sufficient pam_unix2.so nullok
auth required pam_ldap.so use_first_pass

common-password:

password requisite pam_pwcheck.so nullok
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok

common-session:

session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session optional pam_umask.so
session optional pam_env.so

If you have already finished setting this up, you can now officially join the directory service. Just to make sure, go to yast, Network Services, LDAP Client, tick Use LDAP in user authentication, type the IP address of the LDAP server, type the LDAP base DN, and untick LDAP TLS/SSL. Click Advanced Configuration; in Naming Contexts, in User Map type ou=people,dc=xanadu,dc=com, in Password Map type ou=people,dc=xanadu,dc=com, and in Group Map type ou=group,dc=xanadu,dc=com. Change the password change protocol to clear and the group member attribute to member.

Well, that's all I know about setting up an LDAP server. Please let me know if you have any problems, or if you want to get the original file 😀 Phiiiuuuhhh, finally it's done, I made a lot of effort writing this one 😀


10 thoughts on "LDAP Server (OpenLDAP) in OpenSuse 10.2"

  1. mm.. thx for the great article.
    Now I am trying to deploy LDAP in Ubuntu and it asked me to install DBD Berkeley first before I can install LDAP .. is it the same to configure LDAP in Ubuntu as in opensuse? :d

  2. I told you before, when I installed OpenLDAP on my OpenSuse, DBD Berkeley was already installed; that's why I chose OpenSuse rather than Ubuntu, because OpenSuse has a utility module named Yast that works just like Control Panel in Windows. It makes it easier for us if we want to install something.

    Anyway, if you're using the same LDAP, which is OpenLDAP, I bet it won't have many differences from the one that I installed on my OpenSuse.

    Good luck with the try ^^

  3. Hi there, thanks a lot for your article.
    By the way, is there any other way to add those LDAP users? What a pity if we have to add hundreds, even with Yast.

  4. That's what I haven't found… I still have no idea; if somebody asked me to do it, it'd be troublesome for me… I was trying to do it with 50 users and when I did it, I gave up in the 20s 😛

    I need to do some research for that one; when I find it I'll let you know… but I'm not promising anything 😀

  5. Hi, I am new to Linux. In my office we are using SUSE Linux 10.3 PDC with Samba and LDAP installed. Now the client versions are Windows. I installed SUSE Linux 10.3 as a client machine and I tried to join the domain but it is not happening. Please help me with how I can do this. I tried a lot and finally I came here..

  6. Thanks a lot. Would you be able to show how you can configure the LDAP server to run on SSL, which should be on port 636 or ldaps?

    I've been trying to get LDAP running on the secured layer but it always shows a failed connection message :-$
    Thanks

  7. @vineeth if your client is using SUSE also, you must configure your client first; the how-to is available here also.

    @ahmed so sorry Ahmed, lately I haven't had time to do further research about it 😦

  8. Hi tazlambert,

    I am following these instructions to setup LDAP on opensuse 11.3.
    But I am getting ldap_bind: Invalid credentials (49) when I try to ldapadd -h localhost -x -w secret -D "cn=Manager,dc=example,dc=com" -f base.ldif.
    I referred to Google and could find no helpful info.
    Can you help me with this?

    Thanks,
    Senthil M

  9. Hi Senthil,

    Try capital letter for -w so it would be

    ldapadd -h localhost -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
