ubuntu openldap | getent passwd ldapsearch -x


OpenLDAP admin guide at http://www.openldap.org/doc/admin24/intro.html.

slapd(8) is an LDAP directory server that runs on many different platforms


Let's start with installing the LDAP package and helper utilities:
  1. Update your repository using the apt-get update command and then install the OpenLDAP package, slapd:
    $ sudo apt-get update
    $ sudo apt-get install slapd ldap-utils
    
  2. You will be asked to enter the admin password and to confirm it.
  3. The installation process simply installs the package without any configuration. We need to start the actual configuration process with the reconfiguration of the slapd package. Use the following command to start the re-configuration process:
    $ sudo dpkg-reconfigure slapd
    
  4. This command will ask you a series of questions including the domain name, admin account, password, database type, and others. Match your answers as follows:
    • Omit LDAP server configuration – NO.
    • DNS Domain name – Enter your domain name. You can use any domain name. For this setup, I will be using example.com. This domain name will determine the top structure of your directory:
    • Organization name – Enter your organization name. I am using example as my organization.
    • Admin password – Enter a password for the admin account. It can be the same as the one entered during installation, or a totally different one. Make sure you note this password as it will be used to access the admin account.
    • Database backend – HDB

    • Remove the database when slapd is purged - this is about removing the database in case you uninstall the slapd package. Choose NO as you don't want the database to be deleted:
    • Move old database - YES
    • Allow the LDAPv2 protocol - unless you are planning to use some old tools, choose NO:
  5. Once you have answered all the questions, the process will reconfigure the LDAP service. Now your LDAP service is installed and ready to use:
  6. Now you can use utility commands to query existing data. To test whether the LDAP service is installed and running properly, use the ldapsearch -x command. You should see output similar to following screenshot:

mysql1@ubuntu:~$ ldapsearch -x -LLL ldap:/// -b dc=ubuntu,dc=local dn
dn: dc=ubuntu,dc=local

dn: cn=admin,dc=ubuntu,dc=local

dn: ou=People,dc=ubuntu,dc=local

dn: cn=Users,dc=ubuntu,dc=local

dn: cn=useruday,dc=ubuntu,dc=local

dn: cn=ldap1,cn=Users,dc=ubuntu,dc=local


Follow these steps to install phpLDAPadmin:
  1. The Ubuntu package repository makes things easy again by providing the package for phpLDAPadmin. The web interface can be quickly installed in a single command as follows:
    $ sudo apt-get install phpldapadmin
    
  2. The installation process takes care of installing all dependencies including PHP and the Apache web server. It also creates necessary configurations and sets up Apache with the required settings for phpLDAPadmin. Once installation is complete, you can access the admin interface at http://youServerIP/phpldapadmin.
  3. Before we access the admin page, let's make some small changes in the configuration file. The file is located at /etc/phpldapadmin/config.php. By default, phpLDAPadmin shows warning messages for unused template files. These warning messages get shown in the main interface before the actual content. To hide them, search for hide_template_warning in the configuration file and set it to true. You will also need to uncomment the same line:
    $config->custom->appearance['hide_template_warning'] = true;
    
  4. The other settings should have already been set by the installation process. You can cross-check the following settings:
    $servers->setValue('server','host','127.0.0.1');
    $servers->setValue(
        'login','bind_id',
        'cn=admin,dc=example,
        dc=com'
    );
    $servers->setValue(
        'server','base',array('dc=example,dc=com')
    );
    
  5. Once you are done with the configuration file changes, save and close it and then access the admin interface through your browser:




Apache directory studio is another user interface for LDAP administration. It is a desktop application based on Java. You can get more details at https://directory.apache.org/studio/.

Ubuntu server logins with LDAP

So, we have installed and configured our own centralized auth server with LDAP. Now is the time to use LDAP to authenticate client logins. In this recipe, we will set up a separate Ubuntu server to use our LDAP server for authenticating users.

Getting ready

You will need a new Ubuntu server to be set as an LDAP client. Also, sudo privileges are needed for the initial setup.
Make sure you have followed the previous recipes and have set up your LDAP server.

How to do it…

  1. We will need to install the LDAP client-side package on the client system. This package will install all the required tools to authenticate with the remote LDAP server:
    $ sudo apt-get update
    $ sudo apt-get install ldap-auth-client nscd
    
  2. The installation process will ask you some questions regarding your LDAP server and its authentication details. Answer those questions as follows:
    • LDAP server URIldap://you-LDAP-server-IP: Make sure you change the protocol line from ldapi:/// to ldap://
    • Distinguished name of search base: Match this to the domain set on the LDAP server in the format dc=example,dc=com
    • LDAP version to use3
    • Make local root database adminYes
    • Does LDAP database require loginNo
    • LDAP account for rootcn=admin,dc=example,dc=com
    • LDAP root account password: The password for the LDAP admin account
  3. Next, we need to change the authentication configuration to check with the LDAP server. First, run the following command to set the name service switch file /etc/nsswitch.conf:
    $ sudo auth-client-config -t nss -p lac_ldap
    
  4. This will change /etc/nsswitch.conf as follows:
    How to do it…
  5. Next, add the following line to /etc/pam.d/common-session. This will create a local home directory for LDAP users. Edit the common-session file and add the following line at the end of the file:
    session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
    
  6. Now restart the nscd service with the following command:
    $ sudo /etc/init.d/nscd restart
    
    Now you should be able to log in with the user account created on your LDAP server. I have set up an Organizational Unit (OU) named users and created an admin user under it:
    How to do it…
  7. Next, change the login to the newly created LDAP user account with the su username command. You will need to enter a password that is configured on LDAP server. As this is a first-time login for this new user, our PAM settings have created a new home directory for him:
    How to do it…
This new user is a member of the admin group on the LDAP server, so he will get sudo privileges on the local server as well.
You can always use a default login prompt to log in with LDAP users, as well as local user accounts that already exist on the server.
mysql1@ubuntu:~$ getent passwd

5553:*:1000:500:useruday:/home/users/5553:/bin/sh
5554:*:1001:500:ldap1:/home/users/5554:/bin/sh
ttest:*:1002:500:test test:/home/users/ttest:/bin/sh

mysql1@ubuntu:~$ su ttest
Password:
Creating directory '/home/users/ttest'.

ubu@client:~$ su 5553
Password:
Creating directory '/home/users/5553'.
$

ubu@ubuntu:~$ getent passwd | grep uda
5553:*:1000:500:useruday:/home/users/5553:/bin/sh
u

#even with below error it;s possible to use LDAP accounts on client
ubu@ubuntu:~$ ldapsearch -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

getent - get entries from Name Service Switch libraries


#SERVER
mysql1@ubuntu:~$ sudo ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
-----------------------

#client
ubuntu16@mail:~$ ldapsearch -d5 -x
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ubuntu16@mail:~$

#client
ubuntu16@mail:~$ ldapsearch -x -H ldap://ubuntu.local
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1


mysql1@ubuntu:~$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
No such object (32)
mysql1@ubuntu:~$ ldapsearch -x -LLL -H ldap:/// -b dc=ubuntu,dc=local dn
dn: dc=ubuntu,dc=local

dn: cn=admin,dc=ubuntu,dc=local

mysql1@ubuntu:~$ cat /etc/hosts
127.0.0.1    localhost
127.0.1.1    ubuntu
192.168.154.140 ubuntu.local



mysql1@ubuntu:~$ ldapsearch -x LLL -b dc=ubuntu,dc=local
# extended LDIF
#
# LDAPv3
# base <dc=ubuntu,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: LLL
#

# ubuntu.local
dn: dc=ubuntu,dc=local

# admin, ubuntu.local
dn: cn=admin,dc=ubuntu,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 3

# numEntries: 2



mysql1@ubuntu:~$ sudo grep hide_template /etc/phpldapadmin/config.php
$config->custom->appearance['hide_template_warning'] = true;




#####CLIENT


mysql1@ubuntu:~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


ubuntu16@mail:~$ sudo auth-client-config -t nss -p lac_ldap


ubuntu16@mail:~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# pre_auth-client-config # passwd:         compat
passwd: files ldap
# pre_auth-client-config # group:          compat
group: files ldap
# pre_auth-client-config # shadow:         compat
shadow: files ldap
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# pre_auth-client-config # netgroup:       nis
netgroup: nis

ubuntu16@mail:~$ ldapsearch -x -b "cn=admin,dc=ubuntu,dc=local"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ubuntu16@mail:~$ nmap -n 192.168.154.140

Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-25 01:24 EEST
Nmap scan report for 192.168.154.140
Host is up (0.00045s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
80/tcp   open  http
389/tcp  open  ldap
8009/tcp open  ajp13
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

ubuntu16@mail:~$ sudo ldapsearch -x -d 1 -b "cn=admin,dc=ubuntu,dc=local"
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ubuntu16@mail:~$

#SERVER
mysql1@ubuntu:~$ sudo ldapsearch -x -d 1 -b "cn=admin,dc=ubuntu,dc=local"
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful


Comments

Popular posts from this blog

HAproxy logging

teamcity Automatic Agent Start under Linux

NFS mount add in fstab _netdev instead of default | firewall-cmd --list-all