Wednesday, September 17, 2008

OpenLDAP

sudo apt-get install slapd ldap-utils phpldapadmin libnss-ldap libpam-ldap

dpkg-reconfigure slapd


vim /etc/ldap/slapd.conf
include -------------------> all required schema files (core, cosine, nis and inetorgperson cover this page; nis.schema is the one that defines posixAccount and posixGroup. Write your own schema only if you need attributes these do not provide)


And now for client configuration.

vim /etc/ldap/ldap.conf
HOST 127.0.0.1
BASE dc=example,dc=net

BASE must be the suffix you gave dpkg-reconfigure slapd; this page uses dc=example,dc=net throughout, and ldapsearch takes it as the default search base.




To do the rest in GUI mode, open:

http://localhost/phpldapadmin/



Create the database entries (the account book). This can also be done in the GUI.

vim ****.ldif

To create a user that can bind (authenticate), placed under cn=admin. userPassword should hold a hash produced by slappasswd (it starts with {SSHA}), not the clear-text password; slapd compares against the hash on bind:

dn: uid=***,cn=admin,dc=example,dc=net
uid: ****
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
userPassword: ******


To create such a user under another organizational unit:

dn: uid=***,ou=****,dc=example,dc=net
uid: ****
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
userPassword: ******


To create a container entry such as an organizationalUnit:

dn: ou=admin,dc=example,dc=net
objectClass: organizationalUnit
ou: admin

To create normal address-book entries (an organizationalRole whose roleOccupant points at another entry) under any unit:

dn: cn=***,ou=***,dc=example,dc=net
objectClass: organizationalRole
cn: ***
roleOccupant: cn=***,dc=example,dc=net



Now add the entries, either from the GUI or from the command line. -x is a simple bind, -D the DN to bind as (normally the rootdn cn=admin,dc=example,dc=net created by dpkg-reconfigure), -v verbose, -W prompts for the password; -w *** would leave the password in your shell history and in ps output for every user on the box.

ldapadd -x -v -D "cn=***,dc=example,dc=net" -W -f ****.ldif

And to test the directory, try an anonymous search (no -D, no password):

ldapsearch -x -b 'dc=example,dc=net' '(objectclass=*)'

If userPassword values come back here, anyone who can reach the server can read the password hashes; the access rules in the next step are what stop that.
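The entries above use objectClass account + simpleSecurityObject, which is enough to bind but not to log in on a PAM/NSS client: the client section further down filters on objectclass=posixAccount and needs uidNumber, gidNumber and homeDirectory to build a passwd line. The script below is an added example, not part of the original post. It writes an LDIF with posixAccount users and posixGroup groups under dc=example,dc=net (the post's suffix) and stores userPassword as a salted {SSHA} hash, the scheme slappasswd produces, instead of clear text. The ou=people and ou=groups containers, the user jdoe and the uid/gid values are assumptions for illustration; feed the resulting file to ldapadd exactly as above.

```python
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=example,dc=net"   # the post's suffix

# MUST attributes of posixAccount (nis.schema): slapd rejects an entry that
# claims the class but lacks one, and nss_ldap needs them to build a passwd line.
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")


def ssha_hash(password, salt=None):
    """{SSHA} as slappasswd produces it: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """What slapd does on a simple bind against a {SSHA} userPassword."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]      # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attribute(name, value):
    """One LDIF line. RFC 2849: a value starting with space, ':' or '<', or
    containing non-ASCII or line breaks, must be base64 encoded after '::'."""
    text = str(value)
    unsafe = bool(text) and (text[0] in " :<" or not text.isascii()
                             or "\n" in text or "\r" in text)
    if unsafe:
        return f"{name}:: {base64.b64encode(text.encode('utf-8')).decode('ascii')}"
    return f"{name}: {text}"


def entry_to_ldif(dn, attrs):
    """Serialise one entry; list values become repeated attribute lines."""
    lines = [ldif_attribute("dn", dn)]
    for name, value in attrs.items():
        for single in (value if isinstance(value, list) else [value]):
            lines.append(ldif_attribute(name, single))
    return "\n".join(lines) + "\n"


def org_unit(ou):
    return f"ou={ou},{BASE_DN}", {"objectClass": ["top", "organizationalUnit"], "ou": ou}


def posix_user(uid, cn, uid_number, gid_number, password, salt=None):
    """account (structural) + posixAccount/shadowAccount (auxiliary) is the
    combination nss_ldap and pam_ldap expect. ou=people is an assumption."""
    attrs = {"objectClass": ["top", "account", "posixAccount", "shadowAccount"],
             "uid": uid, "cn": cn, "uidNumber": uid_number, "gidNumber": gid_number,
             "homeDirectory": f"/home/{uid}", "loginShell": "/bin/bash",
             "userPassword": ssha_hash(password, salt)}   # the hash, never the clear text
    return f"uid={uid},ou=people,{BASE_DN}", attrs


def posix_group(cn, gid_number, members):
    """posixGroup with memberUid, the attribute pam_member_attribute memberuid reads."""
    attrs = {"objectClass": ["top", "posixGroup"], "cn": cn,
             "gidNumber": gid_number, "memberUid": list(members)}
    return f"cn={cn},ou=groups,{BASE_DN}", attrs


def login_problems(attrs):
    """Why nss_ldap/pam_ldap would never log this entry in; [] means usable."""
    problems = []
    if "posixAccount" not in attrs.get("objectClass", []):
        problems.append("objectClass posixAccount")
    problems += [a for a in POSIX_ACCOUNT_MUST if a not in attrs]
    return problems


# The shape of the post's own user entries, placeholders filled in (constructed).
PAGE_STYLE_USER = {"objectClass": ["account", "simpleSecurityObject", "top"],
                   "uid": "jdoe", "userPassword": "secret"}


def build_ldif(password, salt=None):
    """Containers, one user and one group, ready for ldapadd."""
    entries = [org_unit("people"), org_unit("groups"),
               posix_user("jdoe", "Jane Doe", 10001, 10001, password, salt),
               posix_group("users", 10001, ["jdoe"])]
    problems = login_problems(entries[2][1])
    if problems:
        raise ValueError(f"user entry unusable for login: {problems}")
    return "\n".join(entry_to_ldif(dn, attrs) for dn, attrs in entries)


if __name__ == "__main__":
    with open("people.ldif", "w") as out:
        out.write(build_ldif("correct horse battery"))
    print('ldapadd -x -D "cn=admin,dc=example,dc=net" -W -f people.ldif')
```

login_problems() applied to the post's own entry shape returns the missing class and the four missing attributes, which is exactly why such a user can bind with ldapsearch but never appears in getent passwd.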



To give permissions to authenticated users, add access directives to slapd.conf. The by lines must be indented: slapd.conf treats a line that starts with whitespace as a continuation of the previous directive, so unindented by lines are rejected as unknown directives. Rules are evaluated in order: the first "access to" whose target matches is used, and within it the first matching "by" clause decides.

vim /etc/ldap/slapd.conf
access to *
        by dn="cn=admin,dc=example,dc=net" write
        by dn="uid=***,cn=admin,dc=example,dc=net" write
        by * read

* The second by line gives that one user full permissions on the whole tree.
read --------> can search and see entries and their attributes

write--------> can add, edit and delete them

Caveat: by * read on a catch-all rule lets anonymous clients read every attribute, userPassword hashes included. Put a rule for attrs=userPassword ahead of it that allows self write, anonymous auth (bind only) and otherwise none. cn=admin is the rootdn and bypasses ACLs entirely, so its line is documentation only.
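To see what that ACL actually grants, here is a small evaluator of slapd.conf access directives, an added example that is neither from the post nor from OpenLDAP. It implements the rule from slapd.access(5) that matters here: only the first "access to" clause whose target matches is consulted, and inside it the first matching "by" clause decides, with an implicit "by * none" at the end. It covers the subset used on this page (targets * and attrs=..., subjects *, anonymous, users, self and dn=..., the last modelled as an exact DN match) and compares the post's catch-all rule with a hardened version that puts a userPassword rule first. The user DNs under ou=people and the hardened text are constructed for illustration; only dc=example,dc=net and cn=admin come from the post.

```python
import shlex

# Access levels in increasing order; a granted level implies every lower one.
LEVELS = ("none", "auth", "compare", "search", "read", "write")

# The post's catch-all rule (its per-user line left out): every attribute,
# userPassword hashes included, is readable by anyone who reaches port 389.
PAGE_ACL = """\
access to *
        by dn="cn=admin,dc=example,dc=net" write
        by * read
"""

# Hardened version (constructed). Order matters: the userPassword rule must
# come first or the catch-all swallows it. 'auth' lets an anonymous client
# bind with the password without reading the hash; 'self write' lets users
# change their own. shadowLastChange rides along because pam_ldap updates it
# on a password change. cn=admin is the rootdn and bypasses ACLs anyway.
HARDENED_ACL = """\
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=example,dc=net" write
        by self write
        by anonymous auth
        by * none

access to *
        by dn="cn=admin,dc=example,dc=net" write
        by users read
        by * none
"""


def parse_acl(text):
    """Return [(what, [(who, level), ...])]. As in slapd.conf, a line that
    starts with whitespace continues the previous directive."""
    directives = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and directives:
            directives[-1] += " " + line.strip()
        else:
            directives.append(line.strip())
    rules = []
    for directive in directives:
        tokens = shlex.split(directive)          # removes the quotes around dn="..."
        if tokens[:2] != ["access", "to"]:
            raise ValueError(f"not an access directive: {directive}")
        what, rest, clauses = tokens[2], tokens[3:], []
        while rest:
            if rest[0] != "by" or len(rest) < 3:
                raise ValueError(f"malformed by clause in: {directive}")
            clauses.append((rest[1], rest[2]))
            rest = rest[3:]
        rules.append((what, clauses))
    return rules


def _target_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[len("attrs="):].split(",")]
    raise ValueError(f"unsupported target {what!r}")


def _subject_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):                    # modelled as an exact DN match
        return bind_dn is not None and who[3:].lower() == bind_dn.lower()
    raise ValueError(f"unsupported subject {who!r}")


def access_level(rules, bind_dn, target_dn, attr):
    """Level bind_dn (None = anonymous) gets on attr of the entry target_dn."""
    for what, clauses in rules:
        if not _target_matches(what, attr):
            continue
        for who, level in clauses:
            if _subject_matches(who, bind_dn, target_dn):
                return level
        return "none"      # target matched, no subject matched: implicit 'by * none'
    return "none"          # no directive matched at all: denied


def allows(level, needed):
    """True if the granted level covers the needed one (write > read > ... > auth)."""
    return LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    jdoe = "uid=jdoe,ou=people,dc=example,dc=net"
    for name, text in (("page", PAGE_ACL), ("hardened", HARDENED_ACL)):
        level = access_level(parse_acl(text), None, jdoe, "userPassword")
        print(f"{name}: anonymous gets {level} on userPassword, "
              f"can read the hash: {allows(level, 'read')}")
```

With by * none on the catch-all, nss_ldap on each client has to bind as a real user (binddn and bindpw in its configuration file, readable only by root) for passwd and group lookups; if you want to keep anonymous lookups, change that last clause to by * read. Either way the userPassword rule keeps the hashes out of reach of anonymous searches, which is the part the post's ACL lacks.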



pam-nss-ldap


Two pieces make LDAP accounts usable on a client. NSS (the name service switch, /etc/nsswitch.conf) tells the C library where to look up users and groups, so that getpwnam(), id and ls -l resolve an LDAP uid exactly like a local one; nss_ldap adds ldap as a source next to files. PAM sits between an application (login, sshd, su) and the authentication backends: the application hands PAM the user name and password, PAM runs the module stack configured for that service, and the application never needs to know whether the password was checked against /etc/shadow (pam_unix) or by binding to the directory (pam_ldap), nor does its own configuration change. With the stacks below a login succeeds if either source accepts the password.


server--------------------->




client-------------------->

install

sudo apt-get install ldap-auth-client
sudo apt-get install ldap-utils libpam-ldap libnss-ldap nscd


edit /etc/ldap/ldap.conf
to look like this-->

host 10.10.5.3
base dc=example,dc=net
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_password crypt
ssl on
sslpath /etc/ssl/certs

Notes on this file. The pam_* keys are read by libnss-ldap and libpam-ldap, not by the OpenLDAP client library, so on Debian/Ubuntu they belong in /etc/libnss-ldap.conf and /etc/pam_ldap.conf (the ldap-auth-client packages on Ubuntu point both at a shared /etc/ldap.conf); /etc/ldap/ldap.conf itself only understands BASE, HOST/URI and the TLS_* keys used by ldapsearch and friends. pam_filter objectclass=posixAccount only matches entries that carry posixAccount with uidNumber, gidNumber and homeDirectory; the account/simpleSecurityObject entries from the server section do not qualify and will never log in. ssl on makes the client speak ldaps:// on port 636, so slapd must listen there with a certificate; add tls_cacertfile (or tls_cacertdir) pointing at the CA and tls_checkpeer yes, otherwise the certificate is never verified and anyone on the path can impersonate the server and collect bind passwords.


Now edit the PAM configuration
to look like this-->

The listing below is in Solaris /etc/pam.conf format (service name in the first column, modules under /usr/lib/security with a .so.1 suffix). On Debian/Ubuntu the same stacks live in /etc/pam.d/ (common-auth, common-account, common-password and common-session, included by each service) and the modules are /lib/security/pam_ldap.so and pam_unix.so; the control flags and their order are what matter. "sufficient" means a success ends the stack at once, so everything listed after pam_ldap.so.1 in a stack is skipped for LDAP users; "required" means a failure is remembered but the later modules still run. pam_rhosts_auth as sufficient for rlogin lets a matching .rhosts or hosts.equiv entry log in with no password at all.

login   auth sufficient /usr/lib/security/pam_ldap.so.1
login auth required /usr/lib/security/pam_unix.so.1 try_first_pass
login auth required /usr/lib/security/pam_dial_auth.so.1

telnet auth sufficient /usr/lib/security/pam_ldap.so.1
telnet auth required /usr/lib/security/pam_unix.so.1 try_first_pass

rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin auth sufficient /usr/lib/security/pam_ldap.so.1
rlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass

dtlogin auth sufficient /usr/lib/security/pam_ldap.so.1
dtlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass

rsh auth required /usr/lib/security/pam_rhosts_auth.so.1

other auth sufficient /usr/lib/security/pam_ldap.so.1
other auth required /usr/lib/security/pam_unix.so.1 try_first_pass

login account required /usr/lib/security/pam_ldap.so.1
login account required /usr/lib/security/pam_unix.so.1

dtlogin account required /usr/lib/security/pam_ldap.so.1
dtlogin account required /usr/lib/security/pam_unix.so.1

other account required /usr/lib/security/pam_ldap.so.1
other account required /usr/lib/security/pam_unix.so.1

other session required /usr/lib/security/pam_unix.so.1

other password required /usr/lib/security/pam_ldap.so
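The control flags are what give the stacks above their meaning, and the earlier sentence about logging in if either source accepts the password is only true because of them. The evaluator below is an added example, not from the post or from any PAM implementation. It runs a stack the way Linux-PAM's dispatcher does for the four classic flags (required, requisite, sufficient, optional): a required failure is remembered but the stack keeps running, a requisite failure stops at once, a sufficient success ends the stack unless a required module already failed, and a stack in which nothing set a result is denied. Module results come from a dict of constructed sample outcomes rather than real modules; the stack lines are copied from the pam.conf above. The bracketed [value=action] syntax and module arguments are not modelled.

```python
# Auth entries copied from the post's pam.conf (Solaris layout: service first).
PAGE_PAM_CONF = """\
login   auth sufficient /usr/lib/security/pam_ldap.so.1
login   auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
login   auth required   /usr/lib/security/pam_dial_auth.so.1
rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin  auth sufficient /usr/lib/security/pam_ldap.so.1
rlogin  auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
other   auth sufficient /usr/lib/security/pam_ldap.so.1
other   auth required   /usr/lib/security/pam_unix.so.1 try_first_pass
"""


def parse_stack(text, service, module_type):
    """[(control, module)] for one service and type, in file order.
    Fields: service, type, control flag, module path, optional arguments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        svc, mtype, control, path = fields[:4]
        if svc == service and mtype == module_type:
            stack.append((control.lower(), path.rsplit("/", 1)[-1]))
    return stack


def run_stack(stack, outcomes):
    """Dispatch the stack. outcomes maps module name -> True/False; a module
    that is not listed fails. Returns (authenticated, reason, modules consulted)."""
    impression = None        # None: nothing decided yet, True: positive, False: negative
    reason = "no module set a result: denied by default"
    consulted = []
    for control, module in stack:
        consulted.append(module)
        ok = outcomes.get(module, False)
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression, reason = True, f"{module} succeeded ({control})"
            elif control == "requisite":
                return False, f"{module} failed (requisite: stop at once)", consulted
            elif impression is not False:   # the first required failure is what gets reported
                impression, reason = False, f"{module} failed (required: rest still runs)"
        elif control == "sufficient":
            if ok and impression is not False:
                return True, f"{module} succeeded (sufficient: rest skipped)", consulted
            # a failure is ignored; a success after a required failure cannot rescue it
        elif control == "optional":
            if ok and impression is None:
                impression, reason = True, f"{module} succeeded (optional)"
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return bool(impression), reason, consulted


if __name__ == "__main__":
    login = parse_stack(PAGE_PAM_CONF, "login", "auth")
    # Constructed outcomes: the directory accepts the password, the dial-up check would fail.
    print(run_stack(login, {"pam_ldap.so.1": True, "pam_dial_auth.so.1": False}))
    # The directory rejects it, /etc/shadow accepts it, the dial-up check fails.
    print(run_stack(login, {"pam_unix.so.1": True, "pam_dial_auth.so.1": False}))
    rlogin = parse_stack(PAGE_PAM_CONF, "rlogin", "auth")
    print(run_stack(rlogin, {"pam_rhosts_auth.so.1": True}))
```

Two things it makes visible: for an LDAP user the login stack never reaches pam_dial_auth, because pam_ldap is sufficient and succeeds first, whereas a local user has to pass it; and for rlogin a matching rhosts entry authenticates without any password module running.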


Now edit /etc/nsswitch.conf
to look like this (files before ldap, so root and local service accounts still resolve when the directory is down)-->

passwd:         files   ldap
group: files ldap
shadow: files ldap


Now edit /etc/nscd.conf
to look like this (nscd caches lookups so that not every getpwnam() becomes an LDAP query; positive-time-to-live is also how long a user you have deleted from the directory keeps resolving on the client, until the entry expires or nscd is restarted)-->

enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes

enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes

enable-cache hosts no
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432

enable-cache services yes
positive-time-to-live services 28800
negative-time-to-live services 20
suggested-size services 211
check-files services yes
persistent services yes
shared services yes


Restart the server

service slapd restart


Restart nscd on the client, which also flushes its caches

service nscd restart


The configuration is done. Check it from this client and from the others: getent passwd <uid> and id <uid> must return the LDAP user, a login as that user must succeed, and the user should be able to change its own password with passwd but not read or modify other entries.



