The fastest way to set up LDAP on Linux

The following steps should work on Ubuntu 12.04 LTS or any Linux distribution using slapd 2.4.x; only the package installation commands differ.

  1. Change your hostname to a fully qualified domain name if it is not one already.  The slapd installer takes its base DN from the domain part of the hostname and ignores the rest of your environment settings.
  2. Install the package slapd; you must provide an admin password during installation.  You may need to remove ldap-utils and slapd and install them again, because the configuration phase asks for the domain, password and company name used to create the default records.  After reinstalling, run: dpkg-reconfigure slapd.  Overwrite everything and take the default for any item not mentioned here.
  3. Double-check the default records created by the installation by running: slapcat.  You should have two records: one base dcObject and one simpleSecurityObject.  If that is not what you want, go back to step 2.
  4. Install the package libnss-ldap.  This utility helps you configure LDAP-managed user accounts; you can skip it if you do not want them.  Take care with the base, Administrative RootDN and Root Password prompts: the suggested defaults are not what you want.  Use the result from step 3.  The RootDN should be "cn=admin,{base}", where {base} is derived from your domain; for example, if your domain is abc.net, the base is dc=abc,dc=net.
  5. Double-check again with: slapcat.  If the output is still the same, good.  If there are more records, you made a mistake :<
  6. Install the LDAP command-line utility package ldap-utils.
  7. Now you can use the ldapadd command to create additional records.  You have to specify the authentication parameters for a simple bind: -x -D "admin RootDN" -w "admin Root Password".
  8. Configure the authentication client: auth-client-config -t nss -p lac_ldap
  9. If step 8 reports any error, recheck your configuration.
  10. Configure PAM system authentication: pam-auth-update.  Always select both Unix and LDAP!

Your LDAP environment is now ready.  You may see warnings in syslog because no suitable index has been created.  Add some as follows.  Run the command:

ldapmodify -Q -Y EXTERNAL -H ldapi:///

The parameters above connect to the configuration database (cn=config) rather than to the data database.  Since 2.4, like Netscape and other enterprise LDAP servers, the configuration, especially the schema, can be changed at run time.  The syntax is the same as for LDAP records, and the configuration is stored under /etc/ldap/slapd.d (or /etc/openldap/slapd.d on other distributions).

Enter the following lines (you can provide more indexes; check the syntax and add them), then one more RETURN and CTRL-D when finished:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: ou pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: uniqueMember pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: displayName pres,eq,sub
olcDbIndex: entryCSN pres,eq
 
One more line feed, then CTRL-D to complete the entry.
 
Check your indexes with: ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcDbIndex
 
To use LDAP for authentication, you need to create the base organizational unit records for groups and people.  Use the ldapadd command to create them.  At minimum, you need the following base records.  Remember: these ordinary LDAP records are better added through a standard LDAP connection command:
 
ldapadd -x -D"cn=admin,dc=abc,dc=net" -w{ldap root password}
 
 
dn: ou=People,dc=abc,dc=net
ou: People
objectClass: organizationalUnit
 
dn: ou=Groups,dc=abc,dc=net
ou: Groups
objectClass: organizationalUnit
 
If you only need to provide an LDAP server, this is enough.  You may also prepare the /etc/ldap/ldap.conf file, which supplies defaults for the LDAP commands.  Usually BASE and URI are enough.
 
e.g. 
 
BASE      dc=abc,dc=net
URI         ldap://127.0.0.1
 
For user and group account maintenance, a control panel such as webmin is highly recommended.  Avoid doing everything by hand.  If you really want LDAP as an authentication server, prepare the /etc/libnss-ldap.conf file as well.
 
e.g.
 
host 127.0.0.1
base dc=abc,dc=net
binddn cn=admin,dc=abc,dc=net
bindpw abc123
nss_base_passwd ou=People,dc=abc,dc=net?sub
nss_base_shadow ou=People,dc=abc,dc=net?sub
nss_base_group ou=Groups,dc=abc,dc=net?one
 
You do not need to use the root DN for binding here.  Just create an individual account that has sufficient access rights.  Of course, you need to know how to set LDAP access rights before doing this.
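As an added example, not part of the original post, here is a small Python check over a libnss-ldap.conf that flags the two points just made: NSS binding as the RootDN, and a bindpw that would cross the network without TLS.  The sample configurations are constructed; the cn=nss-reader account, the host ldap.example.net and its password are assumptions, and the TLS check relies on nss_ldap's ssl option.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_conf(text):
    """Parse 'key value' lines (libnss-ldap.conf style) into a dict with lowercased
    keys; comment and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"\s+", line, maxsplit=1)
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def norm_dn(dn):
    """Lowercase a DN and drop whitespace around commas so DNs compare reliably."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def check_nss_ldap(text):
    """Return a list of warnings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    base, binddn = norm_dn(conf.get("base", "")), norm_dn(conf.get("binddn", ""))
    warnings = []
    # 1. The NSS lookup account is the RootDN (cn=admin,{base}, as chosen in step 4).
    if base and binddn == f"cn=admin,{base}":
        warnings.append("binddn is the RootDN; bind with a dedicated low-privilege account")
    # 2. bindpw would leave the host without TLS ('ssl on' or 'ssl start_tls' in nss_ldap).
    tls = conf.get("ssl", "").lower() in ("on", "start_tls")
    if conf.get("bindpw") and not tls:
        for host in conf.get("host", "").split():
            if host not in LOOPBACK:
                warnings.append(f"bindpw would be sent in cleartext to {host}; enable TLS")
    return warnings

# Constructed samples: the configuration shown above, and a hardened variant with
# an assumed dedicated account cn=nss-reader and an assumed remote host.
PAGE_STYLE = """host 127.0.0.1
base dc=abc,dc=net
binddn cn=admin,dc=abc,dc=net
bindpw abc123
nss_base_passwd ou=People,dc=abc,dc=net?sub
"""
HARDENED = """host ldap.example.net
ssl start_tls
base dc=abc,dc=net
binddn cn=nss-reader,ou=People,dc=abc,dc=net
bindpw constructed-secret
nss_base_passwd ou=People,dc=abc,dc=net?sub
"""
```

Run it against your own file with check_nss_ldap(open('/etc/libnss-ldap.conf').read()).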
