
Set up OpenLDAP server

Install OpenLDAP Server


su - root
yum install gcc
yum install openldap*

Setup OpenLDAP Server via Webmin

Point browser to Webmin ->Unused Modules ->LDAP Server -> Module Config and change values to match attached screenshot

Point browser to Webmin ->Unused Modules ->LDAP Server -> OpenLDAP Server configuration and change values to match attached screenshot

Point browser to Webmin ->Unused Modules ->LDAP Server -> Manage Schema and change values to match attached screenshot

Edit slapd.conf

su - root
gedit /etc/openldap/slapd.conf

Paste the following lines into slapd.conf (Add Access Control Rules). Order matters: slapd uses the first "access to" clause whose target matches the entry or attribute, and within a clause the first matching "by" line, so the userPassword clause must stay above the catch-all "access to *" clause.

access to attrs=userPassword,shadowLastChange
        by dn="cn=manager,dc=saioc,dc=in" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=manager,dc=saioc,dc=in" write
        by dn="cn=nss,dc=saioc,dc=in" read
        by * auth

What these rules give: cn=manager can write everything; cn=nss can read every entry but never the password attributes (the first clause matches them first and grants it "none"); an anonymous client can only present a password to bind (auth); a bound user can change only its own userPassword and shadowLastChange; nothing else is readable. Note that cn=ldapadmin, described in the design comments as the role that changes other users' passwords, does not appear here and so cannot do that with this ACL; it needs its own "by dn="cn=ldapadmin,dc=saioc,dc=in" write" line in the first clause.

After above step, point browser to Webmin ->Unused Modules ->LDAP Server -> LDAP Access control and match with attached screenshot

Start LDAP server

Point browser to Webmin ->Servers ->LDAP Server and click on Start server

LDAP Directory Structure - design and implementation

Design considerations and explanation for LDAP Directory Structure


SAIoC LDAP Directory structure as a tree
dc=in
 |
dc=saioc
 |---------------|---------------|---------------|---------------|---------------|
 |               |               |               |               |               |
ou=People     ou=Group       ou=Hosts      ou=policies    ou=machines    cn=nss, cn=ldapadmin
 |               |
 |            cn=ldapusers, labadmin, students, myfuse
 |
cn=adminuser, pcuser1, labteacher1, labstudent1

Design comments

- The base DN (root of the LDAP directory tree) was derived from the domain name in use in the SAIoC LAN, i.e. saioc.in, giving dc=saioc,dc=in.
- organizationalUnit is a standard ObjectClass in LDAP. It is used to define entries that represent a relatively static grouping in an organization. We have chosen to create 5 top-level organizationalUnits:
  - People - all user accounts representing people in SAIoC will belong to this organizationalUnit.
  - Group - the concept of groups is used to logically organize resources for managing them. This seems similar to the concept of organizationalUnit, but one rule of thumb to differentiate between them is that a resource can belong to only one organizationalUnit at a time but it can belong to multiple groups.
  - Hosts - this is for future use.
  - Machines - this is for future use.
  - Policies - this is for future use.
- organizationalRole is a standard ObjectClass in LDAP. It is used to define entries that represent roles held by people within an organization.
- simpleSecurityObject is a standard ObjectClass in LDAP. It is used to allow an entry to contain the userPassword attribute.
- We have chosen to create two roles:
  - nss - represents a role which is allowed to perform read-only operations on LDAP and will be used by LDAP clients, especially nss. (Note: what is nss, or name service switch?)
  - ldapadmin - represents a role which is allowed to change passwords for user accounts created in the LDAP server.
- posixGroup is a standard ObjectClass in LDAP. It is an abstraction of a group of accounts and corresponds to Unix groups. Special note for administrators: it is decided to reserve the range 10000 to 10199 to be used as groupId for groups created in LDAP. We have chosen to create 4 groups:
  - ldapusers - this is the primary group to which all user accounts created in LDAP belong. The groupId is 10000.
  - labadmin - this is the group which represents the computer lab administrators, typically the lab teachers. The groupId is 10001. This group will typically be used to provide its members with extra privileges like read/write/execute access to home directories of all students etc.
  - students - this group represents students who use the computer lab. The groupId is 10002.
  - myfuse - this corresponds to an inbuilt group in Ubuntu 8, named fuse, with groupId 107. All users who need to have USB drives auto-mounted need to be made members of this group.

Explanation for LDIF

LDIF: saioc.ldif (listed in full under "Create LDAP directory structure" below)

Design comments: TBD

Create LDAP directory structure (Create LDAP objects using saioc.ldif)

Create a file named saioc.ldif first (contents below), then load it, binding as cn=manager (-x selects a simple bind, -W prompts for the password):

ldapadd -W -x -D "cn=manager,dc=saioc,dc=in" -f saioc.ldif

Two things to be aware of before loading this on anything but a test box: slapd stores userPassword exactly as given, so the "userPassword: testpwd" lines below put the nss and ldapadmin passwords into the directory in clear text (generate a hash with slappasswd -s <password> and paste the {SSHA}... value instead), and a simple bind sends the manager password in clear unless the connection is local or TLS is in place (see "Enable SSL in OpenLDAP server" below).

saioc.ldif

dn: dc=saioc,dc=in
objectClass: domain
dc: saioc

dn: cn=nss,dc=saioc,dc=in
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: nss
description: LDAP NSS user
userPassword: testpwd

dn: cn=ldapadmin,dc=saioc,dc=in
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldapadmin
description: LDAP Password Admin user
userPassword: testpwd

dn: ou=Hosts,dc=saioc,dc=in
ou: Hosts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: saioc.in

dn: ou=People,dc=saioc,dc=in
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
ou: People
associatedDomain: saioc.in

dn: ou=Group,dc=saioc,dc=in
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: saioc.in

dn: cn=ldapusers,ou=Group,dc=saioc,dc=in
cn: ldapusers
objectClass: posixGroup
gidNumber: 10000

dn: cn=labadmin,ou=Group,dc=saioc,dc=in
cn: labadmin
objectClass: posixGroup
gidNumber: 10001

dn: cn=myfuse,ou=Group,dc=saioc,dc=in
cn: myfuse
objectClass: posixGroup
gidNumber: 107

dn: cn=students,ou=Group,dc=saioc,dc=in
cn: students
objectClass: posixGroup
gidNumber: 10002

dn: ou=machines,dc=saioc,dc=in
objectClass: organizationalUnit
ou: machines

dn: ou=policies,dc=saioc,dc=in
ou: policies
objectClass: top
objectClass: organizationalUnit

After above step, point browser to Webmin ->Servers ->LDAP Server -> Browse Database and match with attached screenshot

A quick check of the access rules now that the directory has entries: an anonymous search (ldapsearch -x -b "dc=saioc,dc=in") should return no entries, a search bound as cn=nss (ldapsearch -x -W -D "cn=nss,dc=saioc,dc=in" -b "dc=saioc,dc=in") should return the entries without any userPassword attribute, and the same search bound as cn=manager should show everything including userPassword.
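Before handing saioc.ldif to ldapadd it is worth linting it, since slapd stores userPassword exactly as written and a value like testpwd ends up in the database in clear text. The script below is an added example, not code from this page, from Webmin or from OpenLDAP. It parses LDIF (folded continuation lines and base64 "::" values included), flags cleartext userPassword values and posixGroup gids outside the 10000-10199 range reserved in the design comments (myfuse's 107 is the allowed exception), and rewrites cleartext passwords as {SSHA}, the same RFC 2307 scheme slappasswd produces. SAMPLE_LDIF is a constructed excerpt of saioc.ldif with an invented cn=scratch group that trips the gid check.

```python
"""Pre-flight check for saioc.ldif before it is handed to ldapadd.

Added example, not code from the page or from OpenLDAP/Webmin. It parses LDIF
(folded lines and base64 '::' values included), flags cleartext userPassword
values and posixGroup gids outside the reserved 10000-10199 range, and rewrites
cleartext passwords as {SSHA}, the RFC 2307 scheme slappasswd also produces.
SAMPLE_LDIF is a constructed excerpt; cn=scratch is invented to trip the check."""
import base64
import hashlib
import hmac
import os

RESERVED_GIDS = range(10000, 10200)   # gid range reserved for LDAP groups
GID_EXCEPTIONS = {"myfuse": 107}      # mirrors the local Ubuntu 'fuse' group
SAMPLE_LDIF = """\
dn: cn=nss,dc=saioc,dc=in
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn:: bnNz
description: LDAP NSS
  user
userPassword: testpwd

dn: cn=myfuse,ou=Group,dc=saioc,dc=in
cn: myfuse
objectClass: posixGroup
gidNumber: 107

# constructed entry: gid outside the reserved range, must be flagged
dn: cn=scratch,ou=Group,dc=saioc,dc=in
cn: scratch
objectClass: posixGroup
gidNumber: 5000
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds lines, decodes '::' base64, skips '#'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        value = value.lstrip()
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def ssha(password, salt=None):
    """RFC 2307 {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password, stored):
    """Verify a password against a {SSHA} value with a constant-time compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def lint(entries):
    """Return a list of findings; an empty list means the LDIF passed."""
    findings = []
    for dn, attrs in entries:
        for pw in attrs.get("userPassword", []):
            if not pw.startswith("{"):      # no {SCHEME} prefix: slapd stores it as-is
                findings.append(f"{dn}: cleartext userPassword")
        if "posixGroup" in attrs.get("objectClass", []):
            cn = attrs.get("cn", [""])[0]
            gid = int(attrs.get("gidNumber", ["-1"])[0])
            if gid not in RESERVED_GIDS and GID_EXCEPTIONS.get(cn) != gid:
                findings.append(f"{dn}: gidNumber {gid} outside reserved range")
    return findings

def harden(text):
    """Return the LDIF with cleartext userPassword values replaced by {SSHA}
    (hashed '{...}' and base64 '::' values pass through unchanged)."""
    out = []
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name == "userPassword" and not value.lstrip().startswith(("{", ":")):
            line = f"userPassword: {ssha(value.strip())}"
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("\n".join(lint(parse_ldif(SAMPLE_LDIF))))
    print(harden(SAMPLE_LDIF), end="")
```

On the real file, harden(open("saioc.ldif").read()) gives the text to feed to ldapadd, and lint(parse_ldif(...)) over it should come back empty; the cleartext finding on cn=nss in the sample is exactly what the page's saioc.ldif would produce for both role entries.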

Restart LDAP server

Point browser to Webmin ->Servers ->LDAP Server and restart server

Setup LDAP client on Gratitude

Point browser to webmin ->System ->LDAP client ->Module config and change values to match attached screenshot

Point browser to webmin ->System ->LDAP client ->LDAP Server Config and change values to match attached screenshot

Point browser to webmin ->System ->LDAP client ->LDAP Search Bases and change values to match attached screenshot

Point browser to webmin ->System ->LDAP client ->Authentication options and change values to match attached screenshot

Point browser to webmin ->System ->LDAP client ->Services using LDAP. Edit options to match attached screenshot

Screenshot of editing service options

Create users in LDAP


Create admin user in LDAP (via Webmin screens)

Point browser to Webmin ->System ->LDAP user and groups -> Add LDAP user and create adminuser by following attached screenshots

Create other users in LDAP (via Webmin in batch mode)

Create file users.txt using the content below, then use Webmin to import the users in batch mode: point browser to Webmin ->System ->LDAP user and groups -> Run batch file (refer to Instructions and batch format for help). Every account gets ldapusers (10000) as its primary group and a unique uidNumber.

users.txt

create:pcuser1:testpwd:10202:10000:PC user1:/home/pcuser1:/bin/bash:::::
create:pcuser2:testpwd:10203:10000:PC user2:/home/pcuser2:/bin/bash:::::
create:labteacher1:testpwd:10204:10000:Lab teacher1:/home/labteacher1:/bin/bash:::::
create:labteacher2:testpwd:10205:10000:Lab teacher2:/home/labteacher2:/bin/bash:::::
create:labstudent1:testpwd:10206:10000:Lab student1:/home/labstudent1:/bin/bash:::::
create:labstudent2:testpwd:10207:10000:Lab student2:/home/labstudent2:/bin/bash:::::

Associate all users with secondary group myfuse

This will allow users to automount USB drives in Ubuntu. Point browser to Webmin ->System ->LDAP user and groups -> Groups and click on myfuse.

Associate lab teachers with secondary group labadmin

This will allow lab teachers to access home directories of lab students, provided those home directories are group-owned by labadmin with the group read/write/execute bits set. Point browser to Webmin ->System ->LDAP user and groups -> Groups and click on labadmin.
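The batch file above is Webmin's format; when the user creation and the two group-membership steps need to be scripted and reviewed in one go (or Webmin is not available), the same result can be produced as LDIF. The script below is an added example, not code from the page or from Webmin: it reads the users.txt format, rejects duplicate usernames or uidNumbers and any primary group other than ldapusers, emits one posixAccount/shadowAccount entry per user with an {SSHA} password, and generates the ldapmodify input that adds the memberUid values for myfuse (everyone) and labadmin (the labteacher accounts). The ou=People placement, the uid=<name> RDN and the "labteacher" naming rule are assumptions; USERS_TXT is a constructed copy of the batch file above.

```python
"""Convert the Webmin batch file users.txt into LDIF for ldapadd/ldapmodify.

Added example, not code from the page or from Webmin. The input format is the
one the page's users.txt uses (create:user:password:uid:gid:gecos:home:shell,
then empty shadow fields). Assumed, not from the page: accounts live under
ou=People as posixAccount/shadowAccount entries with uid=<name> RDNs, passwords
are stored as {SSHA} instead of cleartext, and SECONDARY_GROUPS encodes the two
membership steps above. USERS_TXT is a constructed copy of the batch file."""
import base64
import hashlib
import os

BASE_DN = "dc=saioc,dc=in"
PRIMARY_GID = 10000                 # cn=ldapusers, the only allowed primary group
SECONDARY_GROUPS = {                # group -> who belongs (assumed policy)
    "myfuse": lambda user: True,                             # USB automount for all
    "labadmin": lambda user: user.startswith("labteacher"),  # lab teachers only
}
USERS_TXT = """\
create:pcuser1:testpwd:10202:10000:PC user1:/home/pcuser1:/bin/bash:::::
create:pcuser2:testpwd:10203:10000:PC user2:/home/pcuser2:/bin/bash:::::
create:labteacher1:testpwd:10204:10000:Lab teacher1:/home/labteacher1:/bin/bash:::::
create:labteacher2:testpwd:10205:10000:Lab teacher2:/home/labteacher2:/bin/bash:::::
create:labstudent1:testpwd:10206:10000:Lab student1:/home/labstudent1:/bin/bash:::::
create:labstudent2:testpwd:10207:10000:Lab student2:/home/labstudent2:/bin/bash:::::
"""

def ssha(password, salt=None):
    """RFC 2307 {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def parse_batch(text):
    """Return a list of user dicts; reject unknown actions, duplicate usernames
    or uids, and any primary gid other than ldapusers."""
    users, seen_users, seen_uids = [], set(), set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] != "create" or len(fields) < 8:
            raise ValueError(f"line {n}: expected a 'create' record with 8+ fields")
        user, password, uid, gid, gecos, home, shell = fields[1:8]
        uid, gid = int(uid), int(gid)
        if user in seen_users or uid in seen_uids:
            raise ValueError(f"line {n}: duplicate username or uidNumber ({user}, {uid})")
        if gid != PRIMARY_GID:
            raise ValueError(f"line {n}: primary gid {gid} is not ldapusers ({PRIMARY_GID})")
        seen_users.add(user)
        seen_uids.add(uid)
        users.append(dict(user=user, password=password, uid=uid, gid=gid,
                          gecos=gecos, home=home, shell=shell))
    return users

def user_ldif(u):
    """LDIF for one account entry under ou=People (assumed layout)."""
    return "\n".join([
        f"dn: uid={u['user']},ou=People,{BASE_DN}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {u['user']}",
        f"cn: {u['gecos']}",
        f"gecos: {u['gecos']}",
        f"uidNumber: {u['uid']}",
        f"gidNumber: {u['gid']}",
        f"homeDirectory: {u['home']}",
        f"loginShell: {u['shell']}",
        f"userPassword: {ssha(u['password'])}",
    ]) + "\n"

def group_members(users):
    """Map each secondary group to the sorted usernames that belong in it."""
    return {group: sorted(u["user"] for u in users if member(u["user"]))
            for group, member in SECONDARY_GROUPS.items()}

def group_modify_ldif(members):
    """ldapmodify input that adds memberUid values to each posixGroup."""
    chunks = []
    for group, names in members.items():
        if names:
            lines = [f"dn: cn={group},ou=Group,{BASE_DN}", "changetype: modify",
                     "add: memberUid"] + [f"memberUid: {n}" for n in names]
            chunks.append("\n".join(lines) + "\n")
    return "\n".join(chunks)

if __name__ == "__main__":
    accounts = parse_batch(USERS_TXT)
    print("\n".join(user_ldif(u) for u in accounts))   # feed to ldapadd
    print(group_modify_ldif(group_members(accounts)))  # feed to ldapmodify
```

The account entries go through ldapadd bound as cn=manager, the group changes through ldapmodify; because memberUid is added with "add:", re-running the modify against a group that already holds a name fails with an attribute-or-value-exists error rather than silently duplicating it, which is the behaviour wanted for a reviewed one-shot import.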

Enable SSL in OpenLDAP server

Point browser to Webmin ->Servers ->LDAP Server -> OpenLDAP Server configuration and click on Generate SSL certificate

Until this is done every simple bind from a client (the cn=nss password and every user password) crosses the LAN in clear text, so do it before pointing client machines at the server. The certificate Webmin generates here is self-signed, so each LDAP client must be configured to trust it for TLS verification to succeed.