LDAP

This page is a reference for Hacklab's server admins.

Client Configuration

Quick reference for Debian LDAP client setup:

  • apt-get install sssd libpam-mkhomedir
  • edit /etc/ldap/ldap.conf
BASE    dc=edinburghhacklab,dc=com
URI     ldap://ldap.lab.edinburghhacklab.com
TLS_CACERT      /etc/ldap/ca.crt
  • edit /etc/ldap/ca.crt
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
  • edit /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = hacklab

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/hacklab]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap.lab.edinburghhacklab.com
ldap_search_base = dc=edinburghhacklab,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ldap/ca.crt
  • edit /etc/pam.d/common-session
# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required                        pam_unix.so
session optional                        pam_sss.so
session optional                        pam_mkhomedir.so skel=/etc/skel umask=0022
# end of pam-auth-update config
  • edit /etc/nsswitch.conf
passwd:         compat sss
group:          compat sss
shadow:         compat sss

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
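The six steps above give a working client, but the settings that actually protect the password bind (ldap_tls_reqcert = demand plus a readable ldap_tls_cacert) are easy to lose when the file is copied between machines. The POSIX sh script below is an added example, not part of this wiki page or of Hacklab's own tooling: it reads an sssd.conf, checks the values the page's [domain/hacklab] block uses, and returns non-zero if certificate verification is not enforced. It also warns when ldap_uri is plain ldap:// without ldap_id_use_start_tls = true (a real sssd-ldap option not used on this page; without it SSSD only encrypts the authentication bind, and identity lookups travel in the clear), and when enumerate = true, the setting the page's own comment warns about. The sample config files and the CA path under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Hacklab's code): audit an sssd.conf for the TLS settings
# the client configuration on this page relies on. Sample files are constructed.

# Print the value of KEY from an sssd.conf, ignoring ';' and '#' comment lines.
# Usage: sssd_value FILE KEY   (assumes one domain section, as on the page)
sssd_value() {
    sed -n \
        -e 's/[[:space:]]*[;#].*//' \
        -e 's/[[:space:]]*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Check one sssd.conf. Prints findings; returns 0 only if every hard check passes.
check_sssd_conf() {
    f=$1
    rc=0
    # 1. the server certificate must be verified, not merely requested
    if [ "$(sssd_value "$f" ldap_tls_reqcert)" != "demand" ]; then
        echo "FAIL: ldap_tls_reqcert is not 'demand'"
        rc=1
    fi
    # 2. 'demand' is only meaningful with a CA file that the client can read
    ca=$(sssd_value "$f" ldap_tls_cacert)
    if [ -z "$ca" ]; then
        echo "FAIL: ldap_tls_cacert is not set"
        rc=1
    elif [ ! -r "$ca" ]; then
        echo "FAIL: ldap_tls_cacert '$ca' is not readable"
        rc=1
    fi
    # 3. plain ldap:// only protects the auth bind; lookups need STARTTLS forced
    uri=$(sssd_value "$f" ldap_uri)
    case "$uri" in
        ldaps://*) ;;
        ldap://*)
            if [ "$(sssd_value "$f" ldap_id_use_start_tls)" != "true" ]; then
                echo "WARN: ldap_uri is ldap:// and ldap_id_use_start_tls is not true (lookups unencrypted)"
            fi ;;
        *)  echo "FAIL: ldap_uri missing or unrecognised: '$uri'"
            rc=1 ;;
    esac
    # 4. the page's own comment: enumerate = true loads the server
    if [ "$(sssd_value "$f" enumerate)" = "true" ]; then
        echo "WARN: enumerate = true (high load, slow responses)"
    fi
    return $rc
}

# --- constructed sample configs (not real files from any host) ---
DEMO_DIR=$(mktemp -d)
: > "$DEMO_DIR/ca.crt"                       # stand-in for /etc/ldap/ca.crt
DEMO_GOOD=$DEMO_DIR/good.conf                # the page's settings
DEMO_BAD=$DEMO_DIR/bad.conf                  # a weakened copy
cat > "$DEMO_GOOD" <<EOF
[domain/hacklab]
; Using enumerate = true leads to high load and slow response
enumerate = false
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.lab.edinburghhacklab.com
ldap_search_base = dc=edinburghhacklab,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = $DEMO_DIR/ca.crt
EOF
cat > "$DEMO_BAD" <<EOF
[domain/hacklab]
enumerate = true
id_provider = ldap
ldap_uri = ldap://ldap.lab.edinburghhacklab.com
ldap_tls_reqcert = allow
EOF

echo "== $DEMO_GOOD"; check_sssd_conf "$DEMO_GOOD" && echo "OK"
echo "== $DEMO_BAD";  check_sssd_conf "$DEMO_BAD"  || echo "rejected (expected)"
```

Run it as `sh check-sssd.sh`; to audit a live client, call `check_sssd_conf /etc/sssd/sssd.conf` from the same shell (the file is root-readable only, so run it as root). The checks are deliberately literal string comparisons on the keys this page sets; SSSD accepts other spellings such as `ldap_tls_reqcert = hard`, so adjust the expected value if your site uses one.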

Administration

The LDAP server (slapd) is hosted on bedivere, with a hostname alias of ldap.lab.edinburghhacklab.com in the local DNS.

Add a user with:

/root/addldapuser

Search the directory with:

ldapsearch -H ldapi:/// -Y EXTERNAL uid=tom

Reset a password with:

ldappasswd -H ldapi:/// -Y EXTERNAL 'uid=tom,ou=People,dc=edinburghhacklab,dc=com' -S

An interactive LDAP editor is also available:

ldapvi -h ldapi:/// -Y EXTERNAL
ldapvi -h ldapi:/// -Y EXTERNAL uid=tom
ldap.1384980430.txt.gz · Last modified: 2015-10-05 15:55 (external edit)