ubuntu openldap | getent passwd ldapsearch -x

By OK -

OpenLDAP admin guide at http://www.openldap.org/doc/admin24/intro.html.

 slapd(8) is an LDAP directory server that runs on many different platforms


Let's start with installing the LDAP package and helper utilities:
  1. Update your repository using the apt-get update command and then install the OpenLDAP package, slapd:
    $ sudo apt-get update
$ sudo apt-get install slapd ldap-utils
  2. You will be asked to enter the admin password and to confirm it.
  3. The installation process simply installs the package without any configuration. We need to start the actual configuration process with the reconfiguration of the slapd package. Use the following command to start the re-configuration process:
    $ sudo dpkg-reconfigure slapd
  4. This command will ask you a series of questions including the domain name, admin account, password, database type, and others. Match your answers as follows:
    • Omit LDAP server configuration – NO.
    • DNS Domain name – Enter your domain name. You can use any domain name. For this setup, I will be using example.com. This domain name will determine the top structure of your directory:
    • Organization name – Enter your organization name. I am using example as my organization.
    • Admin password – Enter a password for the admin account. It can be the same as the one entered during installation, or a totally different one. Make sure you note this password as it will be used to access the admin account.
    • Database backend – HDB

    • Remove the database when slapd is purged - this is about removing the database in case you uninstall the slapd package. Choose NO as you don't want the database to be deleted:
    • Move old database - YES
    • Allow the LDAPv2 protocol - unless you are planning to use some old tools, choose NO:
  5. Once you have answered all the questions, the process will reconfigure the LDAP service. Now your LDAP service is installed and ready to use:
  6. Now you can use utility commands to query existing data. To test whether the LDAP service is installed and running properly, use the ldapsearch -x command. You should see output similar to following screenshot:

mysql1@ubuntu:~$ ldapsearch -x -LLL ldap:/// -b dc=ubuntu,dc=local dn
dn: dc=ubuntu,dc=local

dn: cn=admin,dc=ubuntu,dc=local

dn: ou=People,dc=ubuntu,dc=local

dn: cn=Users,dc=ubuntu,dc=local

dn: cn=useruday,dc=ubuntu,dc=local

dn: cn=ldap1,cn=Users,dc=ubuntu,dc=local


Follow these steps to install phpLDAPadmin:
  1. The Ubuntu package repository makes things easy again by providing the package for phpLDAPadmin. The web interface can be quickly installed in a single command as follows:
    $ sudo apt-get install phpldapadmin
  2. The installation process takes care of installing all dependencies including PHP and the Apache web server. It also creates necessary configurations and sets up Apache with the required settings for phpLDAPadmin. Once installation is complete, you can access the admin interface at http://youServerIP/phpldapadmin.
  3. Before we access the admin page, let's make some small changes in the configuration file. The file is located at /etc/phpldapadmin/config.php. By default, phpLDAPadmin shows warning messages for unused template files. These warning messages get shown in the main interface before the actual content. To hide them, search for hide_template_warning in the configuration file and set it to true. You will also need to uncomment the same line:
    $config->custom->appearance['hide_template_warning'] = true;
  4. The other settings should have already been set by the installation process. You can cross-check the following settings:
    $servers->setValue('server','host','127.0.0.1');
$servers->setValue(
    'login','bind_id',
    'cn=admin,dc=example,
    dc=com'
);
$servers->setValue(
    'server','base',array('dc=example,dc=com')
);
  5. Once you are done with the configuration file changes, save and close it and then access the admin interface through your browser:




Apache directory studio is another user interface for LDAP administration. It is a desktop application based on Java. You can get more details at https://directory.apache.org/studio/.

Ubuntu server logins with LDAP

So, we have installed and configured our own centralized auth server with LDAP. Now is the time to use LDAP to authenticate client logins. In this recipe, we will set up a separate Ubuntu server to use our LDAP server for authenticating users.

Getting ready

You will need a new Ubuntu server to be set as an LDAP client. Also, sudo privileges are needed for the initial setup.
Make sure you have followed the previous recipes and have set up your LDAP server.

How to do it…

  1. We will need to install the LDAP client-side package on the client system. This package will install all the required tools to authenticate with the remote LDAP server:
    $ sudo apt-get update
$ sudo apt-get install ldap-auth-client nscd
  2. The installation process will ask you some questions regarding your LDAP server and its authentication details. Answer those questions as follows:
    • LDAP server URIldap://you-LDAP-server-IP: Make sure you change the protocol line from ldapi:/// to ldap://
    • Distinguished name of search base: Match this to the domain set on the LDAP server in the format dc=example,dc=com
    • LDAP version to use3
    • Make local root database adminYes
    • Does LDAP database require loginNo
    • LDAP account for rootcn=admin,dc=example,dc=com
    • LDAP root account password: The password for the LDAP admin account
  3. Next, we need to change the authentication configuration to check with the LDAP server. First, run the following command to set the name service switch file /etc/nsswitch.conf:
    $ sudo auth-client-config -t nss -p lac_ldap
  4. This will change /etc/nsswitch.conf as follows:
    How to do it…
  5. Next, add the following line to /etc/pam.d/common-session. This will create a local home directory for LDAP users. Edit the common-session file and add the following line at the end of the file:
    session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
  6. Now restart the nscd service with the following command:
    $ sudo /etc/init.d/nscd restart
    Now you should be able to log in with the user account created on your LDAP server. I have set up an Organizational Unit (OU) named users and created an admin user under it:
    How to do it…
  7. Next, change the login to the newly created LDAP user account with the su username command. You will need to enter a password that is configured on LDAP server. As this is a first-time login for this new user, our PAM settings have created a new home directory for him:
    How to do it…
This new user is a member of the admin group on the LDAP server, so he will get sudo privileges on the local server as well.
You can always use a default login prompt to log in with LDAP users, as well as local user accounts that already exist on the server.
mysql1@ubuntu:~$ getent passwd

5553:*:1000:500:useruday:/home/users/5553:/bin/sh
5554:*:1001:500:ldap1:/home/users/5554:/bin/sh
ttest:*:1002:500:test test:/home/users/ttest:/bin/sh

mysql1@ubuntu:~$ su ttest
Password:
Creating directory '/home/users/ttest'.

ubu@client:~$ su 5553
Password:
Creating directory '/home/users/5553'.
$

ubu@ubuntu:~$ getent passwd | grep uda
5553:*:1000:500:useruday:/home/users/5553:/bin/sh
u

#even with below error it;s possible to use LDAP accounts on client
ubu@ubuntu:~$ ldapsearch -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

getent - get entries from Name Service Switch libraries


#SERVER
mysql1@ubuntu:~$ sudo ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
-----------------------

#client
ubuntu16@mail:~$ ldapsearch -d5 -x
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ubuntu16@mail:~$

#client
ubuntu16@mail:~$ ldapsearch -x -H ldap://ubuntu.local
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1


mysql1@ubuntu:~$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
No such object (32)
mysql1@ubuntu:~$ ldapsearch -x -LLL -H ldap:/// -b dc=ubuntu,dc=local dn
dn: dc=ubuntu,dc=local

dn: cn=admin,dc=ubuntu,dc=local

mysql1@ubuntu:~$ cat /etc/hosts
127.0.0.1    localhost
127.0.1.1    ubuntu
192.168.154.140 ubuntu.local



mysql1@ubuntu:~$ ldapsearch -x LLL -b dc=ubuntu,dc=local
# extended LDIF
#
# LDAPv3
# base <dc=ubuntu,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: LLL
#

# ubuntu.local
dn: dc=ubuntu,dc=local

# admin, ubuntu.local
dn: cn=admin,dc=ubuntu,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 3

# numEntries: 2



mysql1@ubuntu:~$ sudo grep hide_template /etc/phpldapadmin/config.php
$config->custom->appearance['hide_template_warning'] = true;




#####CLIENT


mysql1@ubuntu:~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


ubuntu16@mail:~$ sudo auth-client-config -t nss -p lac_ldap


ubuntu16@mail:~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# pre_auth-client-config # passwd:         compat
passwd: files ldap
# pre_auth-client-config # group:          compat
group: files ldap
# pre_auth-client-config # shadow:         compat
shadow: files ldap
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# pre_auth-client-config # netgroup:       nis
netgroup: nis

ubuntu16@mail:~$ ldapsearch -x -b "cn=admin,dc=ubuntu,dc=local"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ubuntu16@mail:~$ nmap -n 192.168.154.140

Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-25 01:24 EEST
Nmap scan report for 192.168.154.140
Host is up (0.00045s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
80/tcp   open  http
389/tcp  open  ldap
8009/tcp open  ajp13
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

ubuntu16@mail:~$ sudo ldapsearch -x -d 1 -b "cn=admin,dc=ubuntu,dc=local"
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ubuntu16@mail:~$

#SERVER
mysql1@ubuntu:~$ sudo ldapsearch -x -d 1 -b "cn=admin,dc=ubuntu,dc=local"
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful


Comments

Post a Comment

Popular posts from this blog

HAproxy logging

By OK -
ubuntu@ubuntu:/etc/haproxy$ cat /etc/rsyslog.d/haproxy.conf # Create an additional socket in haproxy's chroot in order to allow logging via # /dev/log to chroot'ed HAProxy processes $ModLoad imudp $UDPServerRun 514 local0.* -/var/log/haproxy-0.log local1.* -/var/log/haproxy-1.log ### keep logs in localhost ## $AddUnixListenSocket /var/lib/haproxy/dev/log ------------------- ubuntu@ubuntu:/etc/haproxy$ cat /etc/haproxy/haproxy.cfg global chroot /var/lib/haproxy user haproxy group haproxy log 127.0.0.1   local0         log 127.0.0.1   local1 notice daemon frontend www     bind 192.168.40.128:8282    # haproxy public IP     default_backend as-backend    # backend used backend as-backend    balance leastconn    mode http  server as1 192.168.40.128:8082 check    # application srv 1 defaults log global mode http option httplog option dontlognull         contimeout 5000    
Read more

tomcat catalina coyote jasper cluster

By OK -
Tomcat Component are Catalina Coyote Jasper Cluster Catalina :  Catalina is the name of the servlet container of Apache Tomcat since version 4.x. Tomcat implements Sun Microsystems' specifications for servlet and JavaServer Pages (JSP), which are important Java-based Web technologies. Tomcat's servlet container was redesigned as Catalina in Tomcat version 4.x. other components of the Tomcat engine are: Tomcat Jasper which converts the code portions within JavaServer Pages into servlets and pass them to Catalina to process. Tomcat Coyote which is an HTTP connector based on HTTP/1.1 specifications that receives and transmits web requests to the Tomcat engine by listening to a TCP/IP port and returns requests back to the requesting client. Coyote :  The Coyote JK Connector element represents a Connector component that communicates with a web connector via the JK protocol (also known as the AJP protocol). This is used for cases where you wish to invisibly integr
Read more

NFS mount add in fstab _netdev instead of default | firewall-cmd --list-all

By OK -
Redhat recommends us to add  _netdev  option for NFS file system in /etc/fstab. So that they can be mounted after starting the networking service. Alternative ways to refer to partitions: Label : LABEL=label Network ID Samba : //server/share NFS : server:/share SSHFS : sshfs#user@server:/share Device : /dev/sdxy (not recommended) Example #1 //192.168.1.134/share_name /mnt/share_name cifs username=server_user,password=server_password,_netdev 0 0 ^ Path to your share ^ Mountpoint ^ Username ^ Password ^ See note A Note A: The  _netdev  options makes sure the mount is only attempted AFTER a network connection has been established. Example #2 10.10.10.1:/vol1/fs1 /data nfs defaults,_netdev 0 0 ============================ [root@localhost ~]# firewall-cmd --list-all public   target: default   icmp-block-inversion: no   interfaces:   sources:   services: dhcpv6-client high-availability ssh   ports:   protocols:   masquera
Read more