LDAP

From Hackerspace ACKspace
Latest revision as of 17:31, 22 April 2023

Project: LDAP
Featured: No
State: Active
Members: Stuiterveer
Description: LDAP server for central logins using passwords or keypairs

LDAP installation so we can use space-wide logins instead of separate logins for every computer/server.


Server

Server IP is 192.168.1.177. The server uses an installation of OpenLDAP with phpLDAPAdmin. The following settings were applied:

OpenLDAP

  • DNS domain name: ackspace.nl ("dc=ackspace,dc=nl")
  • Database backend: HDB (the Berkeley DB based backend of OpenLDAP 2.4; OpenLDAP 2.5 and later ship only MDB, so a newer install offers that instead)

phpLDAPAdmin

/etc/phpldapadmin/config.php

The following values were set/changed in /etc/phpldapadmin/config.php:

$servers->setValue('server','host','0.0.0.0');
$servers->setValue('server','base',array('dc=ackspace,dc=nl'));
$config->custom->appearance['hide_template_warning'] = true;
$servers->setValue('login','bind_id','cn=admin,dc=ackspace,dc=nl');

SSH keys

OpenLDAP and phpLDAPAdmin have no attribute for a user's SSH keys by default. To add one, a file called openssh-lpk.ldif was created with the following content (the openssh-lpk schema, which defines the sshPublicKey attribute and the ldapPublicKey auxiliary class):

dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
  DESC 'MANDATORY: OpenSSH Public key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
  DESC 'MANDATORY: OpenSSH LPK objectclass'
  MAY ( sshPublicKey $ uid )
  )

The following command was then used to load the schema. ldapadd is part of the ldap-utils package (ldapscripts only provides the ldapadduser family of helpers), and it has to be run as root on the server itself: -Y EXTERNAL over the ldapi:/// socket authenticates with the local root identity, which is what has write access to cn=config.

ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-lpk.ldif

/etc/phpldapadmin/templates/creation/posixAccount.xml

Finally the User Account creation template was changed to add an SSH public key input field to the form by default. For this, /etc/phpldapadmin/templates/creation/posixAccount.xml was changed to the following:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">

<template>
<askcontainer>1</askcontainer>
<description>New User Account</description>
<icon>ldap-user.png</icon>
<invalid>0</invalid>
<rdn>cn</rdn>
<title>Generic: User Account</title>
<visible>1</visible>

<objectClasses>
<objectClass id="inetOrgPerson"></objectClass>
<objectClass id="posixAccount"></objectClass>
<objectClass id="ldapPublicKey"></objectClass>
</objectClasses>

<attributes>
<attribute id="givenName">
    <display>First name</display>
    <icon>ldap-uid.png</icon>
    <onchange>=autoFill(cn;%givenName% %sn%)</onchange>
    <onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
    <order>1</order>
    <page>1</page>
</attribute>
<attribute id="sn">
    <display>Last name</display>
    <onchange>=autoFill(cn;%givenName% %sn%)</onchange>
    <onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
    <order>2</order>
    <page>1</page>
</attribute>
<attribute id="cn">
    <display>Common Name</display>
    <order>3</order>
    <page>1</page>
</attribute>
<attribute id="uid">
    <display>User ID</display>
    <onchange>=autoFill(homeDirectory;/home/users/%uid%)</onchange>
    <order>4</order>
    <page>1</page>
    <spacer>1</spacer>
</attribute>
<attribute id="homeDirectory">
    <display>Home directory</display>
    <order>8</order>
    <page>1</page>
</attribute>
<attribute id="uidNumber">
    <display>UID Number</display>
    <icon>terminal.png</icon>
    <order>6</order>
    <page>1</page>
    <readonly>1</readonly>
    <value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
<attribute id="gidNumber">
    <display>GID Number</display>
    <order>7</order>
    <page>1</page>
    <value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
</attribute>
<attribute id="loginShell">
    <display>Login shell</display>
    <order>9</order>
    <page>1</page>
    <type>select</type>
    <value id="/bin/bash">/bin/bash</value>
    <value id="/bin/sh">/bin/sh</value>
    <value id="/bin/csh">/bin/csh</value>
    <value id="/bin/tsh">/bin/tsh</value>
</attribute>
<attribute id="userPassword">
    <display>Password</display>
    <icon>lock.png</icon>
    <order>5</order>
    <page>1</page>
    <post>=php.PasswordEncrypt(%enc%;%userPassword%)</post>
    <spacer>1</spacer>
    <verify>1</verify>
</attribute>
<attribute id="sshPublicKey">
        <display>SSH public key</display>
        <icon>lock.png</icon>
        <order>10</order>
        <page>1</page>
</attribute>
</attributes>

</template>

Sudoers

Sudo roles are not included in LDAP by default. For this we need to create a few files.

/etc/ldap/schema/sudo.schema

First, the sudo schema (the schema.OpenLDAP file distributed with sudo) was saved as /etc/ldap/schema/sudo.schema. It contains the following:

attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may  run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
    NAME 'sudoHost'
    DESC 'Host(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
    NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
    NAME 'sudoRunAs'
    DESC 'User(s) impersonated by sudo (deprecated)'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
    NAME 'sudoOption'
    DESC 'Options(s) followed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.6
    NAME 'sudoRunAsUser'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7
    NAME 'sudoRunAsGroup'
    DESC 'Group(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
    NAME 'sudoOrder'
    DESC 'an integer to order the sudoRole entries'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $
            description )
    )

/etc/ldap/slapd.conf

If slapd is still configured through /etc/ldap/slapd.conf, add the following near the top, next to the other include lines, and restart the slapd service so the schema is loaded:

include         /etc/ldap/schema/sudo.schema

Note that slapd.conf is deprecated and should be replaced by the use of slapd-config, the cn=config database[1]. On such an installation skip the include and load the schema as an LDIF instead, as described next; changes made through cn=config take effect immediately, without a restart.

LDIF file

For the slapd-config route, a file called sudo.ldif was created with the same definitions in olc form. The sudoOrder, sudoNotBefore and sudoNotAfter attributes from the schema above are included so that both routes define the same sudoRole class:

dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )

You can import this file to LDAP using:

ldapadd -Y EXTERNAL -H ldapi:/// -f sudo.ldif

Client

PAM

To use LDAP to sign in to Linux, install libpam-ldapd together with libnss-ldapd; both talk to the server through the nslcd daemon. When asked, fill in the details mentioned in LDAP#OpenLDAP (the server URI ldap://192.168.1.177 and the base dc=ackspace,dc=nl).

/etc/nsswitch.conf

Make sure LDAP is enabled for passwd, group and shadow. To verify, check to see if the following is present (edit the existing entries if needed) in /etc/nsswitch.conf:

passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat

With this order every lookup goes to LDAP first and falls back to the local files. Listing compat first is usually the safer choice: local accounts such as root then resolve immediately even when the LDAP server is unreachable, instead of every lookup waiting for nslcd's timeout first.

Home folder creation

If you want to make sure a user folder is created upon login, add the following to the end of /etc/pam.d/common-session:

session required        pam_mkhomedir.so skel=/etc/skel umask=0022

SSH key login

Create a script with the following content. sshd runs it with the login name as its first argument and expects the user's public keys, one per line, on stdout:

#!/bin/sh
# $1 is the login name sshd passes to AuthorizedKeysCommand
ldapsearch -x -H ldap://192.168.1.177 -b "dc=ackspace,dc=nl" '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

(-H takes a URI; the older -h HOST form still works with OpenLDAP 2.4 clients but was dropped in 2.5.) Note that $1 is spliced into the search filter unescaped, so a login name containing *, ( or ) would change the query; keep uid values plain or escape them per RFC 4515. sshd refuses to run the command unless the file and every directory above it are owned by root and not writable by group or others (for example mode 0755), so check that before testing.[2]

Then edit /etc/ssh/sshd_config to include the following (%u is the name of the user being authenticated; sshd passes it by default when no arguments are given):

AuthorizedKeysCommand /path/to/file %u
AuthorizedKeysCommandUser nobody
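The one-liner above works but does two things loosely: it splices the login name into the LDAP filter unescaped, and its sed only understands "sshPublicKey: " lines, not the "sshPublicKey:: <base64>" form ldapsearch uses for values that are not LDIF-safe. The following is an added example of a hardened AuthorizedKeysCommand, not the wiki's script. It reuses the server URI, base DN and sshPublicKey attribute from this page; the anonymous bind (-x) is an assumption, the sample LDIF is constructed for the offline demonstration and contains no real keys, and the script file path is left to you as on the page.

```shell
#!/bin/sh
# Added example, not the wiki's script: AuthorizedKeysCommand that looks up
# sshPublicKey (openssh-lpk schema above) for the login name sshd passes as $1.
# Assumed: anonymous read access to sshPublicKey; URI/base DN from this page.
set -eu

LDAP_URI="ldap://192.168.1.177"
BASE_DN="dc=ackspace,dc=nl"

# Escape a value for an LDAP search filter (RFC 4515 section 3). Without this
# a login name such as "*" or "x)(uid=admin" changes the meaning of the filter.
# Backslash goes first so the escapes added afterwards are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Turn ldapsearch LDIF into one key per line: rejoin wrapped lines (a leading
# space continues the previous line) and decode "attr:: base64" values, which
# ldapsearch emits for values that are not LDIF-safe (e.g. a non-ASCII comment).
ldif_extract_keys() {
    awk '/^ / { buf = buf substr($0, 2); next }
         have { print buf }
         { buf = $0; have = 1 }
         END { if (have) print buf }' \
    | while IFS= read -r line; do
        case $line in
            "sshPublicKey:: "*) printf '%s\n' "${line#sshPublicKey:: }" | base64 -d; printf '\n' ;;
            "sshPublicKey: "*)  printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
      done
}

# Query the server for one user's keys. -LLL drops comments and version lines;
# -x is a simple anonymous bind, so sshPublicKey must be readable anonymously
# (otherwise add -D with a read-only bind DN and -y with its password file).
fetch_keys() {
    uid=$(ldap_filter_escape "$1")
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$BASE_DN" \
        "(&(objectClass=posixAccount)(uid=$uid))" sshPublicKey \
    | ldif_extract_keys
}

# Constructed sample of ldapsearch output: one key wrapped over two lines and
# one base64-encoded key. Neither is a real key.
SAMPLE_LDIF='dn: cn=jane,ou=users,dc=ackspace,dc=nl
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotAReal
 Key jane@example
sshPublicKey:: c3NoLXJzYSBBQUFBIGphbmVAbGFwdG9w
'

if [ -n "${1-}" ]; then
    fetch_keys "$1"                                   # sshd runs: /path/to/file %u
else
    printf '%s' "$SAMPLE_LDIF" | ldif_extract_keys    # offline demonstration
fi
```

Installed at the path given in AuthorizedKeysCommand (root-owned, mode 0755) this is a drop-in replacement for the script above; run without arguments it parses the constructed sample and prints the two keys, which is a quick way to check the awk/base64 handling on a host before pointing sshd at it.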

Sudoers

To use LDAP for sudoers, the installed sudo must have LDAP support compiled in (sudo -V, run as root, lists the configure options; look for --with-ldap). If it doesn't, install sudo-ldap, which replaces the existing sudo package.

/etc/ldap.conf

If /etc/ldap.conf doesn't exist yet, create it; this is sudo's own LDAP configuration, separate from nslcd's /etc/nslcd.conf. Make sure it has at least the following lines in it:

URI     ldap://192.168.1.177
sudoers_base    ou=sudoers,dc=ackspace,dc=nl

Keep in mind that these entries decide who gets root on the client and are fetched over plain ldap:// here, so anyone who can impersonate the server on the network can hand out sudo rights. Restrict which hosts can reach the server, and switch the URI to TLS once the server is set up for it.

/etc/nsswitch.conf

Make sure /etc/nsswitch.conf has the following line in it:

sudoers:        ldap files

Both sources are consulted, LDAP first and then the local /etc/sudoers, so a rule for the same user in the local file still applies and, being read last, overrides the LDAP match. Use sudoers: ldap [NOTFOUND=return] files if the local file should only be consulted when the user has no entry in LDAP at all.
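Neither the schema section on the server side nor the client configuration above shows what an actual sudoers entry under ou=sudoers looks like. The following is an added example, not one of the wiki's files: it generates the container, a cn=defaults entry and one deliberately narrow sudoRole, loads them with the admin DN from the phpLDAPAdmin config on this page, and shows the client-side check. The group name "backup" and the rsync path are made up; the refusal of values containing a newline is there because LDIF is line based, so a provisioning script that pastes untrusted input into it could otherwise be tricked into emitting an extra sudoCommand: ALL line.

```shell
#!/bin/sh
# Added example, not the wiki's own files: build and load sudoRole entries
# under the sudoers_base used on this page. Assumed: the admin DN from the
# phpLDAPAdmin config above; group "backup" and the rsync path are invented.
set -eu

SUDOERS_BASE="ou=sudoers,dc=ackspace,dc=nl"
ADMIN_DN="cn=admin,dc=ackspace,dc=nl"
LDAP_URI="ldap://192.168.1.177"

# LDIF is line oriented: a value containing a newline would smuggle extra
# attributes (for example a second "sudoCommand: ALL") into the entry.
ldif_value_ok() {
    nl=$(printf '\nx'); nl=${nl%x}
    case $1 in
        *"$nl"*) return 1 ;;
    esac
    return 0
}

# Emit one sudoRole entry. Arguments: cn, sudoUser, sudoHost, then one or
# more sudoCommand values. sudoUser takes a uid, %group or ALL.
sudo_role_ldif() {
    cn=$1; user=$2; host=$3; shift 3
    for v in "$cn" "$user" "$host" "$@"; do
        ldif_value_ok "$v" || { echo "refusing value with newline" >&2; return 1; }
    done
    printf 'dn: cn=%s,%s\n' "$cn" "$SUDOERS_BASE"
    printf 'objectClass: top\nobjectClass: sudoRole\n'
    printf 'cn: %s\nsudoUser: %s\nsudoHost: %s\n' "$cn" "$user" "$host"
    for cmd in "$@"; do printf 'sudoCommand: %s\n' "$cmd"; done
    printf '\n'
}

# The container, a cn=defaults entry (its sudoOption values apply to every
# role, like the Defaults line in /etc/sudoers) and one narrow role: members
# of the backup group may run rsync as root on every host, nothing else.
sudoers_bootstrap_ldif() {
    printf 'dn: %s\nobjectClass: top\nobjectClass: organizationalUnit\nou: sudoers\n\n' "$SUDOERS_BASE"
    printf 'dn: cn=defaults,%s\nobjectClass: top\nobjectClass: sudoRole\ncn: defaults\nsudoOption: env_reset\n\n' "$SUDOERS_BASE"
    sudo_role_ldif backup-ops '%backup' ALL /usr/bin/rsync
}

# Load the entries with the admin bind (-W prompts for the password), list
# what the server now holds, then (as root on a client) show what sudo
# resolves for the given user; the rsync rule should appear in that output.
load_and_verify() {
    sudoers_bootstrap_ldif | ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -W
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$SUDOERS_BASE" '(objectClass=sudoRole)'
    sudo -l -U "$1"
}

# Run with "--load <user>" to talk to the server; otherwise only print the LDIF.
if [ "${1-}" = "--load" ]; then load_and_verify "${2:?user}"; else sudoers_bootstrap_ldif; fi
```

Run it without arguments first and read the LDIF it prints; a role with sudoHost: ALL and sudoCommand: ALL is unrestricted root, so keep the command list as narrow as the task allows and add further roles with sudo_role_ldif rather than widening this one.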

Restart services

Restart nslcd (and nscd, if it is installed) and ssh, then sign in to the computer/VM with your LDAP account to verify that it works. For sudo, run sudo -l as the LDAP user: the commands from the matching sudoRole entries should be listed.

Account

To obtain a user on the LDAP server, contact Stuiterveer.

Reset password

To reset your password, visit 192.168.1.177 in the browser. Fill in the following credentials:

  • Login DN: cn=YOUR_USERNAME,ou=users,dc=ackspace,dc=nl (replace YOUR_USERNAME with your own LDAP username)
  • Password: your LDAP password

Select your user on the left and fill in the new password in the "password" field. Select "Update Object" when you're done.

References

[1] https://www.openldap.org/doc/admin24/slapdconfig.html
[2] https://stackoverflow.com/a/27638306