The Hacker’s Blog

Your friendly neighborhood hacker!

Tuesday, July 8, 2008

Installing and configuring LDAP

For this paper, I will be using Ubuntu as the host operating system for both the client and the server. LDAP (short for Lightweight Directory Access Protocol) is a protocol used on servers to provide SSO (single sign-on) for users. In other words, LDAP lets users reach their files and account from any computer that has the LDAP server configured as its login server. LDAP is useful in many environments, from schools and homes to small and large businesses.

The first step is installing the LDAP server daemon, slapd. A daemon is a program that stays running in the background on *nix (UNIX or Linux) systems, normally to offer a service of some sort. Along with slapd, Ubuntu requires that ldap-utils and db4.2-utils be installed as well. These can be installed with the package manager of your choice. For apt-get, use the following commands [as root]:

# apt-get install slapd
# apt-get install ldap-utils
# apt-get install db4.2-utils

Before installation, you must decide on the domain you wish to refer to the server as. You can choose something along the lines of mydomain.com or myname.local. The domain you choose will be split into two parts, each part referred to as a domain component (dc). In the configuration files the domain is referred to as “dc=mydomain,dc=com”, replacing mydomain and com with whatever you chose.

The next step is to configure slapd by modifying the /etc/ldap/slapd.conf file. This file contains all configuration information for slapd. Open the file in the editor of your choice and locate the “database” directive. The edits must go after this directive. Make the following changes ($ indicates a field you will need to change):
<code>
# these lines go after the "database" directive
suffix "dc=$myname,dc=$local"
directory "/var/lib/ldap"
rootdn "cn=admin,dc=$myname,dc=$local"
rootpw $mypassword</code>

Rather than storing the password in the clear, you may wish to generate a salted SHA ({SSHA}) password hash with slappasswd and use that as the rootpw value. The string slappasswd prints already begins with {SSHA}; that prefix is how slapd recognises which hash scheme the value uses.
In the /etc/ldap/ldap.conf file, add the line:

<code>BASE dc=myname,dc=local</code>

The next step is to populate the directory tree by using an init.ldif file. An example might be as follows:
<code>
# base entry for the domain
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

# container for user accounts
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

# container for groups
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

# a POSIX user account; replace the cleartext userPassword with an {SSHA} hash from slappasswd before loading
dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: password
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
initials: JD

# the POSIX group referenced by gidNumber above
dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000</code>

The init.ldif file contains information for groups/nodes and base users.
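As an added example (not code from the original post), the following Python builds and verifies the {SSHA} value that slappasswd produces for rootpw, and scans an LDIF file for userPassword attributes left in cleartext, as in the init.ldif above. The sample LDIF and the function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac

def ssha_hash(password, salt):
    """OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt), the form slappasswd prints."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; a value without that prefix never matches."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; the salt follows it
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def parse_ldif(text):
    """Minimal LDIF reader: blank-line-separated entries of 'attr: value' lines.
    '#' comments are skipped; base64 ('::') values and folded lines are not handled."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def cleartext_password_dns(entries):
    """DNs whose userPassword carries no {scheme} prefix, i.e. is stored in the clear."""
    return [e["dn"][0] for e in entries
            if any(not v.startswith("{") for v in e.get("userPassword", []))]

# Constructed sample (not the page's init.ldif): john is stored in cleartext, jane is hashed.
SAMPLE_LDIF = f"""\
dn: uid=john,ou=people,dc=example,dc=com
uid: john
userPassword: password

dn: uid=jane,ou=people,dc=example,dc=com
uid: jane
userPassword: {ssha_hash('changeme', b'salt')}
"""
```

Running cleartext_password_dns(parse_ldif(SAMPLE_LDIF)) reports only john's DN; the same scan over a real init.ldif flags every account that still needs a slappasswd hash before the file is loaded.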

After restarting your LDAP server, you must configure your clients. This differs by operating system, but in summary you must install the needed software and configure it. For Ubuntu, you must install the PAM LDAP module (libpam-ldap) and configure it for LDAP authentication, and install the LDAP module for NSS, the name service switch (libnss-ldap). Each (PAM and NSS) has files that must be modified: the PAM configuration under /etc/pam.d/ and /etc/nsswitch.conf.

PAM is what enforces security policy for users: it determines the required password length and the authentication methods used. If you’re setting up a server that many people will use, you definitely want to read up on PAM settings for security. Keep passwords long and alphanumeric (maybe even throw some symbols in). Also, don’t forget to use good passwords for the LDAP accounts you create. The root account password for LDAP (and for the server itself) should be extremely strong: several (8+) characters long, made up of letters, numbers and the occasional symbol.

After modifying both PAM and NSS on each Ubuntu client you wish to use, you may now try to log in to the account you specified in the init.ldif file. If it works, then great! If not, check your configuration files for LDAP, PAM and NSS.

posted by prime at 6:01 pm  
