Server: Configure OpenLDAP and add users
Let's get started by logging into our server and installing OpenLDAP:
sudo apt-get -y install slapd ldap-utils
When prompted, enter a password for your LDAP admin
user and press enter. For the purposes of this tutorial we will use 1234567
for the password. Confirm the password and press enter again.
Now we need to finalize the OpenLDAP configuration by running dpkg-reconfigure
to specify settings:
sudo dpkg-reconfigure slapd
Configure slapd, the LDAP service; enter the following settings when prompted:
Omit OpenLDAP server configuration: No
DNS domain name: itsm.unt.edu
Org name: UNT
Admin password: 1234567
Confirm passwd: 1234567
Database backend: MDB
Remove database when purged: No
Move old database: Yes
Allow LDAPv2: No
Using your favorite editor, modify /etc/ldap/ldap.conf
to contain the following, non-comment lines:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
BASE dc=itsm,dc=unt,dc=edu
URI ldap://localhost:389
Restart the ldap service to reload the new configuration:
sudo service slapd restart
Confirm the slapd service is running; you should see a line reading active (running)
in the output of the service command:
service slapd status
● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
   Loaded: loaded (/etc/init.d/slapd; bad; vendor preset: enabled)
   Active: active (running) since Wed 2016-12-14 00:23:38 CST; 52min ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 3
   Memory: 9.6M
      CPU: 52ms
   CGroup: /system.slice/slapd.service
           └─2632 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
Confirm your LDAP server is answering requests by giving it a simple request like this:
ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=itsm,dc=unt,dc=edu> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# itsm.unt.edu
dn: dc=itsm,dc=unt,dc=edu
objectClass: top
objectClass: dcObject
objectClass: organization
o: unt.edu
dc: itsm

# admin, itsm.unt.edu
dn: cn=admin,dc=itsm,dc=unt,dc=edu
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
Now that we have our LDAP server running, let's populate it with some users. Create a file named users.ldif
which includes the following user data:
dn: uid=tom,dc=itsm,dc=unt,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: tom
uid: tom
uidNumber: 5010
gidNumber: 9010
homeDirectory: /nfs/cls-kvm1/tom
loginShell: /bin/bash
gecos: tom
userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE=
shadowLastChange: 17531
shadowMax: 0
shadowWarning: 0

dn: uid=olive,dc=itsm,dc=unt,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: olive
uid: olive
uidNumber: 5011
gidNumber: 9011
homeDirectory: /nfs/cls-kvm1/olive
loginShell: /bin/bash
gecos: olive
userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE=
shadowLastChange: 17531
shadowMax: 0
shadowWarning: 0

dn: uid=kevin,dc=itsm,dc=unt,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: kevin
uid: kevin
uidNumber: 5012
gidNumber: 9012
homeDirectory: /nfs/cls-kvm1/kevin
loginShell: /bin/bash
gecos: kevin
userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE=
shadowLastChange: 17531
shadowMax: 0
shadowWarning: 0
Create a second file named groups.ldif
containing this LDAP group information:
dn: cn=kevin,dc=itsm,dc=unt,dc=edu
objectclass: top
objectclass: posixGroup
cn: kevin
gidnumber: 9012
memberuid: kevin

dn: cn=olive,dc=itsm,dc=unt,dc=edu
objectclass: top
objectclass: posixGroup
cn: olive
gidnumber: 9011
memberuid: olive

dn: cn=tom,dc=itsm,dc=unt,dc=edu
objectclass: top
objectclass: posixGroup
cn: tom
gidnumber: 9010
memberuid: tom
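Before importing files like these, it is worth cross-checking them: the two files must agree on gidNumbers, uidNumbers must be unique, and the userPassword values above are a single unsalted {SHA} hash shared by all three users. The following is an added example, not part of the tutorial, that produces a per-user salted {SSHA} value in the form slapd accepts and checks a users.ldif/groups.ldif pair for those problems; the sample LDIF it carries is constructed for the demonstration and reuses the tutorial's DNs and hash value.

```python
import base64
import hashlib
import os

def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} userPassword value: base64(sha1(password + salt) + salt),
    one random salt per user (the tutorial reuses one unsalted {SHA} value)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def parse_ldif(text):
    """Minimal LDIF reader (no line folding); attribute names lower-cased."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def find_problems(users_ldif, groups_ldif):
    """Cross-check users.ldif against groups.ldif before running ldapadd."""
    problems, seen = [], {}
    groups = {g["gidnumber"][0]: g for g in parse_ldif(groups_ldif)}
    for u in parse_ldif(users_ldif):
        dn, uid, num, gid = u["dn"][0], u["uid"][0], u["uidnumber"][0], u["gidnumber"][0]
        if num in seen:  # two accounts with one uidNumber would share file ownership
            problems.append(f"{dn}: uidNumber {num} already used by {seen[num]}")
        seen[num] = dn
        if uid not in groups.get(gid, {}).get("memberuid", []):
            problems.append(f"{dn}: no posixGroup with gidNumber {gid} listing memberUid {uid}")
        if not u.get("userpassword", [""])[0].startswith("{SSHA}"):
            problems.append(f"{dn}: userPassword is not a salted {{SSHA}} value")
    return problems

# Constructed sample (not the tutorial's files): olive has no group entry.
USERS = """dn: uid=tom,dc=itsm,dc=unt,dc=edu
uid: tom
uidNumber: 5010
gidNumber: 9010
userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE=

dn: uid=olive,dc=itsm,dc=unt,dc=edu
uid: olive
uidNumber: 5011
gidNumber: 9011
userPassword: {SHA}JzP8b+cWb3X2Q6v6Ulz2ADkL+VE=
"""
GROUPS = "dn: cn=tom,dc=itsm,dc=unt,dc=edu\ncn: tom\ngidnumber: 9010\nmemberuid: tom\n"
```

Running find_problems(USERS, GROUPS) reports the unsalted passwords for both users and the missing group for olive; use ssha_hash when writing the userPassword lines instead of the shared {SHA} value.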
Now that we have our user and group data files, we can import them into our LDAP database using the ldapadd
command, entering our password when prompted:
ldapadd -a -D 'cn=admin,dc=itsm,dc=unt,dc=edu' -W -f ~/users.ldif
Enter LDAP Password:
adding new entry "uid=tom,dc=itsm,dc=unt,dc=edu"

adding new entry "uid=olive,dc=itsm,dc=unt,dc=edu"

adding new entry "uid=kevin,dc=itsm,dc=unt,dc=edu"
Do the same for the groups.ldif
file:
ldapadd -a -D 'cn=admin,dc=itsm,dc=unt,dc=edu' -W -f ~/groups.ldif
Enter LDAP Password:
adding new entry "cn=kevin,dc=itsm,dc=unt,dc=edu"

adding new entry "cn=olive,dc=itsm,dc=unt,dc=edu"

adding new entry "cn=tom,dc=itsm,dc=unt,dc=edu"
We can confirm the users were added by performing another ldapsearch
command as follows:
ldapsearch -x objectClass=account dn cn uidnumber gidnumber
# extended LDIF
#
# LDAPv3
# base <dc=itsm,dc=unt,dc=edu> (default) with scope subtree
# filter: objectClass=account
# requesting: dn cn uidnumber gidnumber
#

# tom, itsm.unt.edu
dn: uid=tom,dc=itsm,dc=unt,dc=edu
cn: tom
uidNumber: 5010
gidNumber: 9010

# olive, itsm.unt.edu
dn: uid=olive,dc=itsm,dc=unt,dc=edu
cn: olive
uidNumber: 5011
gidNumber: 9011

# kevin, itsm.unt.edu
dn: uid=kevin,dc=itsm,dc=unt,dc=edu
cn: kevin
uidNumber: 5012
gidNumber: 9012

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
And likewise with the groups to confirm they were added as well:
ldapsearch -x objectClass=posixGroup
# extended LDIF
#
# LDAPv3
# base <dc=itsm,dc=unt,dc=edu> (default) with scope subtree
# filter: objectClass=posixGroup
# requesting: ALL
#

# kevin, itsm.unt.edu
dn: cn=kevin,dc=itsm,dc=unt,dc=edu
objectClass: top
objectClass: posixGroup
cn: kevin
gidNumber: 9012
memberUid: kevin

# olive, itsm.unt.edu
dn: cn=olive,dc=itsm,dc=unt,dc=edu
objectClass: top
objectClass: posixGroup
cn: olive
gidNumber: 9011
memberUid: olive

# tom, itsm.unt.edu
dn: cn=tom,dc=itsm,dc=unt,dc=edu
objectClass: top
objectClass: posixGroup
cn: tom
gidNumber: 9010
memberUid: tom

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
Now that we've confirmed all of our LDAP attributes are populated, that completes this lesson. Join me in the next section as we configure NFS to export home directories.