LDAP
This page is a reference for Hacklab's server admins.
Client Configuration
Quick reference for Debian LDAP client setup:
- apt-get install sssd libpam-mkhomedir
- edit /etc/ldap/ldap.conf
  BASE dc=edinburghhacklab,dc=com
  URI ldap://ldap.lab.edinburghhacklab.com
  TLS_CACERT /etc/ldap/ca.crt
- edit /etc/ldap/ca.crt
  -----BEGIN CERTIFICATE-----
  MIIDXjCCAkagAwIBAgIJALdurhaAKeuzMA0GCSqGSIb3DQEBBQUAMCgxJjAkBgNV
  BAMTHWxkYXAubGFiLmVkaW5idXJnaGhhY2tsYWIuY29tMB4XDTEzMDIyNzExMDYz
  N1oXDTIzMDIyNTExMDYzN1owKDEmMCQGA1UEAxMdbGRhcC5sYWIuZWRpbmJ1cmdo
  aGFja2xhYi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOgdlS
  4AOWmCVkdZbzWc62T+TkMar8fxEEeoBtP3h9M1jDJg8gEY3DmZz3SDq/Kv1OLHNw
  MqrZ+xhmJHBSJcgwuAN1r83ZcOqxwRZKNl2JZf6PBIl29m8TbdsDRnY2GHvk8XOH
  qtzL7hwKHwF64xmIW0djmLwogiYwHc4DWGtV6NvgL987/Iro/k/+vQlP8QudZotZ
  Lkst2+9pZc1XCt1/MYeWYR6waAKQWaqdA1jSeYPWbaQM43IZfzQ+AAFUtUGupECU
  UXyL180YvttX9m12/y+U6hF2HqhxBhyzlhf8riTkcNCUgtbXUMJMgL8sXVK27c4W
  FcY5VFyCLBEwjlGPAgMBAAGjgYowgYcwHQYDVR0OBBYEFKslPV+kk13UzL2+8pPq
  FGBrLbdTMFgGA1UdIwRRME+AFKslPV+kk13UzL2+8pPqFGBrLbdToSykKjAoMSYw
  JAYDVQQDEx1sZGFwLmxhYi5lZGluYnVyZ2hoYWNrbGFiLmNvbYIJALdurhaAKeuz
  MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAIcN/MUUTPg3DYyAtKoI
  jCMeG7H6xw4F8r4Nh2IyRsjSe/0CnA2kiP+CwaE/QCstItWuujhbFOu2Pg0ORIUN
  1FtYoxiCB5oBVblc5fAoeOBNEiMSZ21tq3crYk+hahyiWZZwXk50XVw529TjPw+C
  Nq/2ihYLw7feICDC4ik5abHKMKfiCEPrz0vcToAPO2FjbAunojjwQQWaru/YK9eG
  7p5BsVvY9V3xL0NylUh1+bMUIkw8dGU57vysfozehJTQoV8wcMfe0Gxfy7bab/DE
  r3ffgGsbpVQ9fix7KnKhQo2GXpO+hzm6dZh8o7Jq+QkY78kvfU6wyMsYShBufiTl
  uuE=
  -----END CERTIFICATE-----
- edit /etc/sssd/sssd.conf
  [sssd]
  config_file_version = 2
  reconnection_retries = 3
  sbus_timeout = 30
  services = nss, pam
  domains = hacklab

  [nss]
  filter_groups = root
  filter_users = root
  reconnection_retries = 3

  [pam]
  reconnection_retries = 3

  [domain/hacklab]
  ; Using enumerate = true leads to high load and slow response
  enumerate = false
  cache_credentials = true
  id_provider = ldap
  auth_provider = ldap
  chpass_provider = ldap
  ldap_uri = ldap://ldap.lab.edinburghhacklab.com
  ldap_search_base = dc=edinburghhacklab,dc=com
  ldap_tls_reqcert = demand
  ldap_tls_cacert = /etc/ldap/ca.crt
- edit /etc/pam.d/common-session
  # here are the per-package modules (the "Primary" block)
  session [default=1] pam_permit.so
  # here's the fallback if no module succeeds
  session requisite pam_deny.so
  # prime the stack with a positive return value if there isn't one already;
  # this avoids us returning an error just because nothing sets a success code
  # since the modules above will each just jump around
  session required pam_permit.so
  # and here are more per-package modules (the "Additional" block)
  session required pam_unix.so
  session optional pam_sss.so
  session optional pam_mkhomedir.so skel=/etc/skel umask=0022
  # end of pam-auth-update config
- edit /etc/nsswitch.conf
  passwd: compat sss
  group: compat sss
  shadow: compat sss
  hosts: files dns
  networks: files
  protocols: db files
  services: db files
  ethers: db files
  rpc: db files
  netgroup: nis sss
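The setup above works only if the three files agree with each other: the CA path pinned in ldap.conf must be the one SSSD verifies against, ldap_tls_reqcert must stay at demand (or SSSD's default, hard) so a forged ldap.lab.edinburghhacklab.com cannot be handed user passwords, enumerate must stay off, and sss must be present in passwd/group/shadow or logins silently fall back to local accounts only. The following audit script is an added example for this page, not one of Hacklab's own tools; the config texts it embeds are constructed copies of the snippets above so that it runs offline, and the function names are its own.

```python
"""Audit a Debian LDAP/SSSD client against the settings this page requires.

Added example for this page, not a Hacklab script. Checks: CA path pinned in
ldap.conf, SSSD demands a valid server certificate, the CA paths agree,
enumeration is off, and sss is an NSS source for passwd/group/shadow.
"""
import configparser

# Constructed copy of /etc/ldap/ldap.conf from the page.
LDAP_CONF = """\
BASE dc=edinburghhacklab,dc=com
URI ldap://ldap.lab.edinburghhacklab.com
TLS_CACERT /etc/ldap/ca.crt
"""

# Constructed excerpt of /etc/sssd/sssd.conf from the page ([sssd] and the domain only).
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = hacklab

[domain/hacklab]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.lab.edinburghhacklab.com
ldap_search_base = dc=edinburghhacklab,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ldap/ca.crt
"""

# Constructed excerpt of /etc/nsswitch.conf from the page.
NSSWITCH_CONF = """\
passwd: compat sss
group: compat sss
shadow: compat sss
hosts: files dns
"""


def parse_keyword_file(text, separator=None):
    """Parse 'KEY value' (ldap.conf) or 'db: sources' (nsswitch.conf) lines,
    dropping '#' comments. Returns {key: rest-of-line}."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(separator, 1)
        if len(parts) == 2:
            result[parts[0].strip()] = parts[1].strip()
    return result


def audit_client_config(ldap_conf, sssd_conf, nsswitch_conf):
    """Return a list of findings; an empty list means the client matches the page."""
    findings = []
    ldap = parse_keyword_file(ldap_conf)
    nss = {db: srcs.split() for db, srcs in parse_keyword_file(nsswitch_conf, ":").items()}
    sssd = configparser.ConfigParser(interpolation=None)
    sssd.read_string(sssd_conf)

    for key in ("BASE", "URI", "TLS_CACERT"):
        if key not in ldap:
            findings.append(f"ldap.conf: {key} is not set")

    domains = [d.strip() for d in sssd.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        findings.append("sssd.conf: [sssd] lists no domains")
    for name in domains:
        section = f"domain/{name}"
        if not sssd.has_section(section):
            findings.append(f"sssd.conf: [{section}] is missing")
            continue
        dom = sssd[section]
        # SSSD's own default is 'hard'; 'allow' and 'never' accept any server certificate.
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert not in ("demand", "hard"):
            findings.append(f"sssd.conf [{section}]: ldap_tls_reqcert = {reqcert} "
                            "does not verify the server certificate")
        cacert = dom.get("ldap_tls_cacert", "").strip()
        if not cacert:
            findings.append(f"sssd.conf [{section}]: ldap_tls_cacert is not set")
        elif cacert != ldap.get("TLS_CACERT"):
            findings.append(f"sssd.conf [{section}]: ldap_tls_cacert differs from ldap.conf TLS_CACERT")
        if dom.get("enumerate", "false").strip().lower() == "true":
            findings.append(f"sssd.conf [{section}]: enumerate = true (high load on the server)")
        if dom.get("auth_provider", "").strip() != "ldap":
            findings.append(f"sssd.conf [{section}]: auth_provider is not ldap")

    for db in ("passwd", "group", "shadow"):
        if "sss" not in nss.get(db, []):
            findings.append(f"nsswitch.conf: {db} does not include sss")
    return findings


if __name__ == "__main__":
    for finding in audit_client_config(LDAP_CONF, SSSD_CONF, NSSWITCH_CONF) or ["OK: matches the page"]:
        print(finding)
```

To audit a real host, replace the three constants with the contents of the files under /etc. SSSD additionally refuses to start unless sssd.conf is owned by root with mode 0600, which this script does not check because it only sees the text.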
Administration
The LDAP server (slapd) is hosted on bedivere, with a hostname alias of ldap.lab.edinburghhacklab.com in the local DNS.
Add a user with:
  /root/addldapuser
Search the directory with:
  ldapsearch -H ldapi:/// -Y EXTERNAL uid=tom
Reset a password with:
  ldappasswd -H ldapi:/// -Y EXTERNAL 'uid=tom,ou=People,dc=edinburghhacklab,dc=com' -S
An interactive LDAP editor is also available:
  ldapvi -h ldapi:/// -Y EXTERNAL
  ldapvi -h ldapi:/// -Y EXTERNAL uid=tom
ldap.1384980430.txt.gz · Last modified: 2015-10-05 15:55 (external edit)