Edit /etc/hosts and verify it contains a line like the following; substitute the IP address and host/domain name according to your setup:

nano /etc/hosts

192.168.1.20 ldap.testlab.dev ldap

Update all packages and install any pending updates:

apt-get update && apt-get upgrade -y

The base DN (suffix) of the LDAP tree will be created from the domain name of the host as given in /etc/hosts; in my case that is testlab.dev, so the suffix becomes dc=testlab,dc=dev. Get this right before installing slapd: if the host has no domain there, the installer falls back to dc=nodomain (see the troubleshooting at the end of this post). Now install the server and the client utilities:

sudo apt-get install slapd ldap-utils -y

When asked for the administrator password, use test, as I mentioned in the beginning.
Next, turn on connection and operation logging (stats), which makes the binds and searches below visible in syslog. Create log.ldif:

nano log.ldif

and paste the following into it, then save the file and exit:

dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats
Add the above LDIF to the config database:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f log.ldif

Done; at this point we have a working OpenLDAP server.
Next, install the NSS LDAP module so the system can look up users in the directory:

sudo apt-get install libnss-ldap -y

There will be a few questions here; answer them as follows:

LDAP server URI: ldap://127.0.0.1
Distinguished name of the search base: dc=testlab,dc=dev
LDAP version to use: 3
Make local root database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=testlab,dc=dev
LDAP root account password: test

If you make a mistake you can try again using
sudo dpkg-reconfigure ldap-auth-config

Now configure the LDAP profile for NSS:

sudo auth-client-config -t nss -p lac_ldap

There should not be any error; if you get one, go back and check your configuration. Then enable LDAP in the PAM stack:

sudo pam-auth-update

Optionally, make a few changes to /etc/ldap.conf and copy it over to the /etc/ldap/ directory:
nano /etc/ldap.conf

and verify these settings:

host 127.0.0.1
base dc=testlab,dc=dev
uri ldap://127.0.0.1/
rootbinddn cn=admin,dc=testlab,dc=dev
ldap_version 3
bind_policy soft

Note that rootbinddn makes the NSS module bind as the admin and takes the admin password from /etc/ldap.secret; that file must be readable by root only (mode 0600), otherwise the directory administrator password is exposed to every local user. The URI points at 127.0.0.1, so the unencrypted ldap:// connection never leaves the host; if you later move the server elsewhere, switch to ldaps:// or STARTTLS. That is it: we have configured our LDAP server successfully and it is ready to authenticate users.
Add an index on uid so lookups by user name (which happen on every login) do not scan the whole database. Create indices.ldif:

nano indices.ldif

and paste the following:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq,pres,sub
Now add the above LDIF data:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f indices.ldif

Verify the new indices:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcDbIndex

You should see the uid index listed along with the existing ones.
Now create the Users OU and a first user. Create base.ldif:

nano base.ldif

and paste the following into it, save it and exit:

dn: ou=Users,dc=testlab,dc=dev
objectClass: organizationalUnit
ou: Users

dn: uid=rkhan,ou=Users,dc=testlab,dc=dev
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: rkhan
sn: Khan
givenName: Ryaz
cn: Ryaz Khan
displayName: Ryaz Khan
uidNumber: 10000
gidNumber: 10000
userPassword: test
gecos: Ryaz Khan
loginShell: /bin/bash
homeDirectory: /profiles/rkhan
mail: ryaz.khan@live.com
telephoneNumber: 000-000-0000
st: NY
manager: uid=rkhan,ou=Users,dc=testlab,dc=dev
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
title: System Administrator

A userPassword given in clear text like this is stored in the directory exactly as written. That is fine for a lab; for anything else, generate a salted hash with slappasswd -h '{SSHA}' and paste that value instead, so that neither the LDIF file nor a database dump reveals the password.
Now add the above LDIF data to the LDAP database (again, the password is test):

ldapadd -x -D cn=admin,dc=testlab,dc=dev -w test -f base.ldif

Passing the password with -w puts it in your shell history and in the process list; use -W to be prompted for it instead.
Verify that the user can be found. The first query is an exact match; the other three are substring searches, which is why the index above includes sub:

ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=rkhan' uid uidNumber displayName
ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=*kh*' uid uidNumber displayName
ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=*an' uid uidNumber displayName
ldapsearch -x -LLL -b dc=testlab,dc=dev 'uid=rk*' uid uidNumber displayName

All of the above queries should retrieve user rkhan from the LDAP database.
Now test a login:

ssh rkhan@localhost

I was able to log in to the system as rkhan with LDAP credentials, and so should you. rkhan might be greeted with an error about the home directory not being found; that is because you probably have not created /profiles/rkhan. Remember we are not using any script to create the user; we are just loading an LDIF, which will not create any directory on the Linux system.

If instead ldapadd failed earlier with

ldap_bind: Invalid credentials (49)

the base DN is wrong. By default the LDAP tree (base DN) comes from the domain name in the /etc/hosts file: whatever domain you have there becomes your base DN, and if you have no domain there, the base DN is dc=nodomain, and that is exactly what happened here. The admin entry is then cn=admin,dc=nodomain, so binding as cn=admin,dc=testlab,dc=dev is rejected. There are two ways I know to correct this: the first is easy and a script does the job; the second is also easy but involves a manual process.
The first way: reconfigure slapd and let the package scripts rebuild the tree.

sudo dpkg-reconfigure slapd

Answer the questions like this:

Omit OpenLDAP server configuration? No
DNS domain name: testlab.dev
Organization name: testlab.dev
Administrator password: test
Confirm password: test
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No

Now try to run

ldapadd -x -D cn=admin,dc=testlab,dc=dev -w test -f base.ldif

Hopefully you will be happy.
The second way: edit the config database by hand.

nano /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif

Change

olcSuffix: dc=nodomain

to

olcSuffix: dc=testlab,dc=dev

Change the DN in the access rule, and don't change anything else unless you are sure what you are doing:

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nodomain" write by * none

to

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=testlab,dc=dev" write by * none

Change

olcRootDN: cn=admin,dc=nodomain

to

olcRootDN: cn=admin,dc=testlab,dc=dev

Two caveats. The files under slapd.d are marked auto-generated and carry a CRC32 checksum in their header, so after a hand edit slapd will log a checksum warning for the file at startup; it still loads, but this is why the supported way to change cn=config is ldapmodify over ldapi:///, as used earlier. And the olcRootPW line, which holds the admin password hash, stays as it is; only the DNs change. Now remove the existing LDAP database:
rm /var/lib/ldap/*

Note that this glob also removes the DB_CONFIG tuning file the package placed there; copy it aside first if you want to put it back. Restart LDAP:

service slapd restart

Because the database has been wiped, the root entry of the tree no longer exists, so add the following to the top of your base.ldif file; otherwise you will get the error

no such object (32)

when the entries below it are added.

dn: dc=testlab,dc=dev
dc: TESTLAB
objectClass: top
objectClass: domain

Now run the add command again and hopefully you will be happy:

ldapadd -x -D cn=admin,dc=testlab,dc=dev -w test -f base.ldif
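The olcAccess directive edited in the manual fix above is the line that decides who may read or write userPassword, and it is easy to misread. As an added example, not from the original post, here is a small Python model of how slapd evaluates it: the first matching by clause wins, each access level implies the weaker ones, and a directive that does not cover the attribute does not decide at all. The rule text and the DNs are the post's own; the parser, the level table, the uid=other account and the sample requests are this example's assumptions. It models one directive only: no fall-through to later olcAccess entries, and no rootdn exemption.

```python
# Added example (not the post's code): a toy model of slapd's evaluation of one
# 'to attrs=... by ...' olcAccess directive.

# slapd's access levels, weakest to strongest; each level implies the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def normalize_dn(dn):
    """Compare DNs case-insensitively and ignoring spaces after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_olc_access(rule):
    """Parse '{n}to attrs=a,b by <who> <level> ...' into {'attrs': [...], 'by': [(who, level), ...]}."""
    if rule.startswith("{"):
        rule = rule[rule.index("}") + 1:]          # drop the {0} ordering prefix
    target, *clauses = rule.split(" by ")
    target = target.strip()
    if not target.startswith("to attrs="):
        raise ValueError("only 'to attrs=...' directives are modelled")
    attrs = [a.strip().lower() for a in target[len("to attrs="):].split(",")]
    by = []
    for clause in clauses:
        who, level = clause.strip().rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError("unknown access level " + level)
        by.append((who, level))
    return {"attrs": attrs, "by": by}


def who_matches(who, requester_dn, target_dn):
    """Does a <who> clause match this requester? requester_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and normalize_dn(requester_dn) == normalize_dn(target_dn)
    if who.startswith('dn="') and who.endswith('"'):
        return requester_dn is not None and normalize_dn(requester_dn) == normalize_dn(who[4:-1])
    raise ValueError("unsupported <who> clause " + who)


def granted_level(acl, requester_dn, target_dn, attr):
    """First matching <by> clause wins, as in slapd. Returns None when the directive does
    not cover the attribute (slapd would then try the next olcAccess entry)."""
    if attr.lower() not in acl["attrs"]:
        return None
    for who, level in acl["by"]:
        if who_matches(who, requester_dn, target_dn):
            return level
    return "none"                                   # no clause matched: denied


def is_allowed(acl, requester_dn, target_dn, attr, wanted):
    """True if the granted level is at least the level the operation needs."""
    level = granted_level(acl, requester_dn, target_dn, attr)
    if level is None:
        return False                                # not covered here; deny in this toy model
    return LEVELS.index(level) >= LEVELS.index(wanted)


# The directive from the post, after the dc=nodomain fix.
RULE = ('{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
        'by dn="cn=admin,dc=testlab,dc=dev" write by * none')
ACL = parse_olc_access(RULE)
RKHAN = "uid=rkhan,ou=Users,dc=testlab,dc=dev"
OTHER = "uid=other,ou=Users,dc=testlab,dc=dev"      # constructed second user for the demo
ADMIN = "cn=admin,dc=testlab,dc=dev"

if __name__ == "__main__":
    # Constructed requests: (who is bound, operation wanted on rkhan's userPassword)
    for requester, wanted in [(None, "auth"), (None, "read"), (RKHAN, "write"),
                              (OTHER, "read"), (ADMIN, "write")]:
        print(requester or "anonymous", wanted,
              is_allowed(ACL, requester, RKHAN, "userPassword", wanted))
```

Reading the results: by anonymous auth lets an unauthenticated client use the stored password to bind but never read it; by self write lets a user change (and, because write implies read, view) only their own hash; any other authenticated user falls through to by * none. One simplification to keep in mind: the rootdn named in olcRootDN is exempt from access control in slapd, so in this setup the dn="cn=admin,..." clause is belt and braces; it only carries weight if the admin binds as a DN that is not the rootdn, which is also why a stale dc=nodomain in that clause did not lock the admin out but should still be fixed.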