Difference between revisions of "LDAP-Server-setup"

From Immersive Visualization Lab Wiki
Jump to: navigation, search
(Frontend)
(Web Based Admin Interface)
 
(15 intermediate revisions by one user not shown)
Line 79: Line 79:
 
** shouldn't return anything
 
** shouldn't return anything
 
* Test server:
 
* Test server:
** ldapsearch -x -b “dc=ucsd,dc=edu”
+
** ldapsearch -x -b "dc=ucsd,dc=edu"
 
** You should get a ‘search: 2′ somewhere in the output
 
** You should get a ‘search: 2′ somewhere in the output
  
Line 101: Line 101:
 
objectClass: organizationalUnit
 
objectClass: organizationalUnit
 
</pre>
 
</pre>
* create file newgroup.ldif with this content:
+
** ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f base.ldif
 +
* create a new user group 'calvr' by creating a file newgroup.ldif with this content:
 
<pre>
 
<pre>
dn: cn=blah,ou=Group,dc=ucsd,dc=edu
+
dn: cn=calvr,ou=Group,dc=ucsd,dc=edu
 
objectClass: posixGroup
 
objectClass: posixGroup
 
objectClass: top
 
objectClass: top
cn: blah
+
cn: calvr
 
userPassword: {crypt}x
 
userPassword: {crypt}x
gidNumber: 1000
+
gidNumber: 1212
 
</pre>
 
</pre>
* create file newpeople.ldif with this content:
+
** ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newgroup.ldif
 +
* create a new user 'jschulze' with file newuser.ldif and this content:
 
<pre>
 
<pre>
dn: uid=blah,ou=People,dc=ucsd,dc=edu
+
dn: uid=jschulze,ou=People,dc=ucsd,dc=edu
uid: blah
+
uid: jschulze
cn: Blah Blah
+
cn: Jurgen Schulze
 +
objectClass: top
 
objectClass: account
 
objectClass: account
 
objectClass: posixAccount
 
objectClass: posixAccount
objectClass: top
 
 
objectClass: shadowAccount
 
objectClass: shadowAccount
userPassword: {CRYPT}cr5y5J6F67Ci2
+
userPassword: {crypt}x
shadowLastChange: 15140
+
loginShell: /bin/tcsh
shadowMin: 0
+
uidNumber: 4009
shadowMax: 99999
+
gidNumber: 1212
shadowWarning: 7
+
gecos: Jurgen Schulze, room 2125
loginShell: /bin/bash
+
homeDirectory: /home/jschulze
uidNumber: 1000
+
shadowLastChange: 0
gidNumber: 1000
+
shadowMax: 0
homeDirectory: /home/blah
+
shadowWarning: 0
 
</pre>
 
</pre>
* ldapadd -x -W -D “cn=Manager,dc=ucsd,dc=edu” -f base.ldif
+
** ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newuser.ldif
* ldapadd -x -W -D “cn=Manager,dc=ucsd,dc=edu” -f newgroup.ldif
+
* set password for new user to <newpassword>. LDAP admin password is <ldapadminpassword>
* ldapadd -x -W -D “cn=Manager,dc=ucsd,dc=edu” -f newpeople.ldif
+
** ldappasswd -s <newpassword> -D "cn=Manager,dc=ucsd,dc=edu" -w <ldapadminpassword> -x uid=jschulze,ou=People,dc=ucsd,dc=edu
 +
 
 +
===Configure CentOS Client===
 +
 
 +
* yum install nss-pam-ldapd
 +
* run authconfig-tui
 +
** Select LDAP and LDAP Authetication.
 +
** Give the LDAP server’s IP address, which is ldap://192.168.1.2 in this case.
 +
** Give the base DN as dc=localdomain,dc=com
 +
** Do not select TLS.
 +
** [*] Use LDAP
 +
** [*] Use Shadow Passwords
 +
** [*] Use LDAP Authetication
 +
** [*] Local authorization is sufficient
 +
** [ ] Use TLS
 +
** Server: ldap://192.168.1.2
 +
** Base DN: dc=localdomain,dc=com
 +
* By default home dirs are not created after login, but can be turned on like this:
 +
** authconfig --enablemkhomedir --update
 +
 
 +
===Install Web-Based Administration Interface===
 +
 
 +
* yum install phpldapadmin
 +
* vi /etc/httpd/conf.d/phpldapadmin.conf
 +
** change 127.0.0.1 to local IP (137.110.119.xxx)
 +
* vi /etc/phpldapadmin/config.php
 +
** search for line $servers->setValue('login','attr','uid');
 +
** comment it out to: //$servers->setValue('login','attr','uid');
 +
* service httpd restart
 +
* log in to web interface:
 +
** point web browser to: http://137.110.119.xxx/phpldapadmin/
 +
** user name: cn=Manager,dc=ucsd,dc=edu
 +
** password: LDAP server password

Latest revision as of 20:42, 22 August 2012

Contents

Resource URLs

Installation Procedure

Install Libraries

  • yum install migrationtools
  • yum install openldap-servers
  • yum install openldap-clients
  • yum install openldap-devel
  • yum install cyrus-sasl
  • yum install cyrus-sasl-ldap

Configure LDAP Server

Backend

  • vi /etc/sysconfig/iptables
    • Add these lines to open firewall for LDAP server:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT 
    • service iptables restart
  • Generate root password for openldap server: /usr/sbin/slappasswd
  • cd /etc/openldap/slapd.d/cn=config
  • vi olcDatabase={2}bdb.ldif
    • change oldSuffix to: dc=ucsd,dc=edu
    • change olcRootDN to: cn=Manager,dc=ucsd,dc=edu
    • add a line for olcRootPW to end of file:
      olcRootPW: {SSHA}yourhashhere
    • add certificate lines to end of file:
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
    • add these lines after the last olcDbIndex line:
olcAccess: to attrs=userPassword
       by self write
       by anonymous auth
       by dn.base="cn=Manager,dc=ucsd,dc=edu" write
       by * none
olcAccess: to *
       by self write
       by dn.base="cn=Manager,dc=ucsd,dc=edu" write
       by * read
  • vi olcDatabase={1}monitor.ldif
    • in line starting with olcAccess change dc=my-domain to dc=ucsd, and dc=com to dc=edu
  • cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    • chown -Rf ldap:ldap /var/lib/ldap
  • vi /etc/sysconfig/ldap
    • set: SLAPD_LDAPS=yes
  • openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
    • Country Name (2 letter code) [XX]:US
    • State or Province Name (full name) []:California
    • Locality Name (eg, city) [Default City]:San Diego
    • Organization Name (eg, company) [Default Company Ltd]:UCSD
    • Organizational Unit Name (eg, section) []:Calit2
    • Common Name (eg, your name or your server's hostname) []:IVL
    • Email Address []: <email_address>
  • chown -Rf root:ldap /etc/pki/tls/certs/slapdcert.pem
  • chmod -Rf 750 /etc/pki/tls/certs/slapdkey.pem
  • vi /etc/openldap/ldap.conf
    • Add to end of file:
TLS_CACERT /etc/pki/tls/certs/slapdcert.pem
  • slaptest -u
    • this should return "config file testing succeeded"
  • service slapd start
    • should return "Starting slapd: [ OK ]"
  • chkconfig slapd on
    • shouldn't return anything
  • Test server:
    • ldapsearch -x -b "dc=ucsd,dc=edu"
    • You should get a ‘search: 2′ somewhere in the output

Frontend

  • create file base.ldif with this content:
dn: dc=ucsd,dc=edu
dc: ucsd
objectClass: top
objectClass: domain

dn: ou=People,dc=ucsd,dc=edu
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=ucsd,dc=edu
ou: Group
objectClass: top
objectClass: organizationalUnit
    • ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f base.ldif
  • create a new user group 'calvr' by creating a file newgroup.ldif with this content:
dn: cn=calvr,ou=Group,dc=ucsd,dc=edu
objectClass: posixGroup
objectClass: top
cn: calvr
userPassword: {crypt}x
gidNumber: 1212
    • ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newgroup.ldif
  • create a new user 'jschulze' with file newuser.ldif and this content:
dn: uid=jschulze,ou=People,dc=ucsd,dc=edu
uid: jschulze
cn: Jurgen Schulze
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {crypt}x
loginShell: /bin/tcsh
uidNumber: 4009
gidNumber: 1212
gecos: Jurgen Schulze, room 2125
homeDirectory: /home/jschulze
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
    • ldapadd -x -W -D "cn=Manager,dc=ucsd,dc=edu" -f newuser.ldif
  • set password for new user to <newpassword>. LDAP admin password is <ldapadminpassword>
    • ldappasswd -s <newpassword> -D "cn=Manager,dc=ucsd,dc=edu" -w <ldapadminpassword> -x uid=jschulze,ou=People,dc=ucsd,dc=edu

Configure CentOS Client

  • yum install nss-pam-ldapd
  • run authconfig-tui
    • Select LDAP and LDAP Authetication.
    • Give the LDAP server’s IP address, which is ldap://192.168.1.2 in this case.
    • Give the base DN as dc=localdomain,dc=com
    • Do not select TLS.
    • [*] Use LDAP
    • [*] Use Shadow Passwords
    • [*] Use LDAP Authetication
    • [*] Local authorization is sufficient
    • [ ] Use TLS
    • Server: ldap://192.168.1.2
    • Base DN: dc=localdomain,dc=com
  • By default home dirs are not created after login, but can be turned on like this:
    • authconfig --enablemkhomedir --update

Install Web-Based Administration Interface

  • yum install phpldapadmin
  • vi /etc/httpd/conf.d/phpldapadmin.conf
    • change 127.0.0.1 to local IP (137.110.119.xxx)
  • vi /etc/phpldapadmin/config.php
    • search for line $servers->setValue('login','attr','uid');
    • comment it out to: //$servers->setValue('login','attr','uid');
  • service httpd restart
  • log in to web interface: