Saturday, 12 May 2012

OpenLDAP User Auth in Ubuntu 12.04

Today's post is about authentication and authorization against an OpenLDAP directory.
(This article is also available in Hungarian.)
We start by having the system ask all the questions when installing a package:
sudo dpkg-reconfigure debconf
Here we choose low priority.
Next we check the file /etc/hosts, as it tends to suck. Make it look like this (assuming you work on host ubuserver in the domain itthon.cucc):
127.0.0.1       localhost.localdomain localhost
192.168.56.101  ubuserver.itthon.cucc ubuserver
When we're done we can begin the installation.
sudo apt-get install slapd
You can leave all settings at their defaults. The important thing is to see what we 'answer' here. On my setup the base DN will be itthon.cucc. It's a good idea to note the password.
With slapd alone one cannot do much, so let's get some utilities too:
sudo apt-get install ldap-utils

It's nice to know how to check the LDAP configuration just in case:
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
Listing the schemas already installed:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
Lo and behold! We have exactly the four schemas installed all HOWTOs begin with:)
Listing the 'real' data (users, groups, whatever) from the directory:
ldapsearch -D cn=admin,dc=itthon,dc=cucc -b dc=itthon,dc=cucc -W -LLL
Okay, it's quite empty: there are only the base DN and the admin user there.

Let's create a new file, containers.ldif:
dn: ou=People,dc=itthon,dc=cucc
objectClass: top
objectClass: organizationalUnit
ou: People
description: we put users here

dn: ou=Groups,dc=itthon,dc=cucc
objectClass: top
objectClass: organizationalUnit
ou: Groups
description: we put groups here
And add it to LDAP:
ldapadd -x -D cn=admin,dc=itthon,dc=cucc -w secretpassword -f containers.ldif

Let's create another file, examplegroup_and_exampleuser.ldif (do not use accented characters in the names, as those would have to be base64-encoded):
dn: cn=examplegroup,ou=Groups,dc=itthon,dc=cucc
objectClass: posixGroup
cn: examplegroup
gidNumber: 5000
description: example group (to be removed)

dn: uid=jdoe,ou=People,dc=itthon,dc=cucc
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: iamjohn
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/jdoe
description: example user (to be removed)
And add it to LDAP:
ldapadd -x -D cn=admin,dc=itthon,dc=cucc -w secretpassword -f examplegroup_and_exampleuser.ldif
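Before running ldapadd it is worth linting the LDIF file, since slapd rejects an entry whose RDN value is not present in the named attribute (a naming violation), a posixAccount or posixGroup missing its RFC 2307 MUST attributes, and a userPassword written in cleartext will be stored that way. The following linter is an added example, not OpenLDAP or Ubuntu tooling; SAMPLE_LDIF is a constructed input with each of these problems, and the rule table MUST only covers the two object classes this post uses.

```python
# Added example (not OpenLDAP code): lint LDIF before ldapadd for RDN mismatches,
# missing RFC 2307 MUST attributes and cleartext passwords.
import base64

# MUST attributes per RFC 2307 for the two object classes this post uses
MUST = {"posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
        "posixGroup": {"cn", "gidNumber"}}
# Constructed sample: group cn differs from its RDN, user lacks attributes, cleartext password
SAMPLE_LDIF = """\
dn: cn=examplegroup,ou=Groups,dc=itthon,dc=cucc
objectClass: posixGroup
cn: peldacsoport
gidNumber: 5000

dn: uid=jdoe,ou=People,dc=itthon,dc=cucc
objectClass: posixAccount
uid: jdoe
gidNumber: 5000
userPassword: iamjohn
"""

def parse_ldif(text):
    """Return [{attr: [values]}]; skips comments, decodes 'attr:: <base64>' values."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                  # attr:: <base64 value>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def lint(text):
    """Return (dn, problem) tuples; comparisons are exact, LDAP's own matching is looser."""
    problems = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val not in entry.get(rdn_attr, []):   # slapd: naming violation
            problems.append((dn, f"RDN value '{rdn_val}' missing from '{rdn_attr}'"))
        for oc in entry.get("objectClass", []):
            for attr in sorted(MUST.get(oc, set()) - set(entry)):
                problems.append((dn, f"{oc} requires '{attr}'"))
        for pw in entry.get("userPassword", []):
            if not pw.startswith("{"):               # no {SSHA}/{CRYPT} scheme prefix
                problems.append((dn, "userPassword stored in cleartext"))
    return problems
```

Run lint() over the file you are about to pass to ldapadd; an empty list means the three classes of mistake above are absent, nothing more.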

To turn on logging, first we create the file logging.ldif:
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats
And add it to LDAP:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f logging.ldif
(By default logs go to syslog. If you don't like that, you have to redirect the local4 facility.)
Next we could set the ACLs, but we are happy with the defaults. You can check them like this:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcAccess

Switch to the client computer. Like on the server, we issue the command
sudo dpkg-reconfigure debconf
here as well and set the threshold to low. Then we install a package that depends on some others:
sudo apt-get install libnss-ldap
We get a lot of questions. The defaults are okay, except the following three. The first asks for the LDAP server Uniform Resource Identifier. Let's put our server's name here, beginning not(!) with ldapi:/// but with ldap://. For example, on my setup it's ldap://ubuserver.itthon.cucc. The second is the Distinguished name of the search base; on my setup it's dc=itthon,dc=cucc (without the trailing dot). The third question is Make local root Database admin, where we choose no.
Based on the answers, the file /etc/ldap.conf is created; check its contents if you like. If you'd like the previous dialog back, run sudo dpkg-reconfigure ldap-auth-config.
By now the client knows whom to speak with, but it has not started the conversation yet. If you run
getent passwd
now, only the local users are listed. No John Doe. When running
getent group
we cannot see examplegroup either.
So we need to put into /etc/nsswitch.conf what belongs there. We used to edit that file by hand, but we don't do that any more:
sudo auth-client-config -t nss -p lac_ldap
If you run the previous two getent commands, you'll now see examplegroup and John Doe too. Running sudo pam-auth-update shows that we're really using LDAP auth. And if we'd like to be John Doe for a while, all we have to do is run
sudo su jdoe
That is kind of ready, but there is still much to do. Next time we set up LDAP indexing.

References:
http://www.openldap.org/lists/openldap-technical/201007/msg00232.html
https://help.ubuntu.com/11.10/serverguide/C/openldap-server.html