GuidePedia

0
Configure LDAP Server in order to share users' accounts among local networks.
[1] Install and Configure Openldap
root@master:~#
vi /etc/hosts
127.0.0.1       localhost
# add own hostname

10.0.0.100      master.server.world master

root@master:~#
aptitude -y install slapd ldap-utils
# Input LDAP admin password during installation

# check working

root@master:~#
slapcat

dn: dc=server,dc=world
objectClass: top
objectClass: dcObject
objectClass: organization
o: server.world
dc: server
structuralObjectClass: organization
entryUUID: 07e5921c-60e9-1033-9781-152cb26d0fc5
creatorsName: cn=admin,dc=server,dc=world
createTimestamp: 20140425171606Z
entryCSN: 20140425171606.337548Z#000000#000#000000
modifiersName: cn=admin,dc=server,dc=world
modifyTimestamp: 20140425171606Z

dn: cn=admin,dc=server,dc=world
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9VkZJL0ZiWUw4SzdNUlRiSFhWOWFoQ09BQ0NqOU5rMUo=
structuralObjectClass: organizationalRole
entryUUID: 07e6e2e8-60e9-1033-9782-152cb26d0fc5
creatorsName: cn=admin,dc=server,dc=world
createTimestamp: 20140425171606Z
entryCSN: 20140425171606.346175Z#000000#000#000000
modifiersName: cn=admin,dc=server,dc=world
modifyTimestamp: 20140425171606Z
[2] Add new directory
root@master:~#
vi base.ldif
# create new

# change to your own suffix for the field 'dc=server,dc=world'

dn: ou=people,dc=server,dc=world
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=server,dc=world
objectClass: organizationalUnit
ou: groups 

root@master:~#
ldapadd -x -D cn=admin,dc=server,dc=world -W -f base.ldif

Enter LDAP Password:
# LDAP admin password (set in installation of openldap)

adding new entry "ou=people,dc=server,dc=world"

adding new entry "ou=groups,dc=server,dc=world"
[3] Add existing local users to LDAP directory
root@master:~#
vi ldapuser.sh
# extract local users who have 4-digit UID

# this is an example

#!/bin/bash

SUFFIX='dc=server,dc=world'
LDIF='ldapuser.ldif'

echo -n > $LDIF
for line in `grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
do
    UID1=`echo $line | cut -d: -f1`
    NAME=`echo $line | cut -d: -f5 | cut -d, -f1`
    if [ ! "$NAME" ]
    then
        NAME=$UID1
    else
        NAME=`echo $NAME | sed -e "s/%/ /g"`
    fi
    SN=`echo $NAME | awk '{print $2}'`
    if [ ! "$SN" ]
    then
        SN=$NAME
    fi
    GIVEN=`echo $NAME | awk '{print $1}'`
    UID2=`echo $line | cut -d: -f3`
    GID=`echo $line | cut -d: -f4`
    PASS=`grep $UID1: /etc/shadow | cut -d: -f2`
    SHELL=`echo $line | cut -d: -f7`
    HOME=`echo $line | cut -d: -f6`
    EXPIRE=`passwd -S $UID1 | awk '{print $7}'`
    FLAG=`grep $UID1: /etc/shadow | cut -d: -f9`
    if [ ! "$FLAG" ]
    then
        FLAG="0"
    fi
    WARN=`passwd -S $UID1 | awk '{print $6}'`
    MIN=`passwd -S $UID1 | awk '{print $4}'`
    MAX=`passwd -S $UID1 | awk '{print $5}'`
    LAST=`grep $UID1: /etc/shadow | cut -d: -f3`

    echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF
    echo "objectClass: inetOrgPerson" >> $LDIF
    echo "objectClass: posixAccount" >> $LDIF
    echo "objectClass: shadowAccount" >> $LDIF
    echo "uid: $UID1" >> $LDIF
    echo "sn: $SN" >> $LDIF
    echo "givenName: $GIVEN" >> $LDIF
    echo "cn: $NAME" >> $LDIF
    echo "displayName: $NAME" >> $LDIF
    echo "uidNumber: $UID2" >> $LDIF
    echo "gidNumber: $GID" >> $LDIF
    echo "userPassword: {crypt}$PASS" >> $LDIF
    echo "gecos: $NAME" >> $LDIF
    echo "loginShell: $SHELL" >> $LDIF
    echo "homeDirectory: $HOME" >> $LDIF
    echo "shadowExpire: $EXPIRE" >> $LDIF
    echo "shadowFlag: $FLAG" >> $LDIF
    echo "shadowWarning: $WARN" >> $LDIF
    echo "shadowMin: $MIN" >> $LDIF
    echo "shadowMax: $MAX" >> $LDIF
    echo "shadowLastChange: $LAST" >> $LDIF
    echo >> $LDIF
done

root@master:~#
sh ldapuser.sh

root@master:~#
ldapadd -x -D cn=admin,dc=server,dc=world -W -f ldapuser.ldif

Enter LDAP Password:
# admin password

adding new entry "uid=trusty,ou=people,dc=server,dc=world"

adding new entry "uid=fedora,ou=people,dc=server,dc=world"

adding new entry "uid=ubuntu,ou=people,dc=server,dc=world"

adding new entry "uid=debian,ou=people,dc=server,dc=world"

adding new entry "uid=redhat,ou=people,dc=server,dc=world"
[4] Add existing local groups to LDAP directory
root@master:~#
vi ldapgroup.sh
# extract local groups who have 4-digit UID

# this is an example

#!/bin/bash

SUFFIX='dc=server,dc=world'
LDIF='ldapgroup.ldif'

echo -n > $LDIF
for line in `grep "x:[1-9][0-9][0-9][0-9]:" /etc/group`
do
    CN=`echo $line | cut -d: -f1`
    GID=`echo $line | cut -d: -f3`
    echo "dn: cn=$CN,ou=groups,$SUFFIX" >> $LDIF
    echo "objectClass: posixGroup" >> $LDIF
    echo "cn: $CN" >> $LDIF
    echo "gidNumber: $GID" >> $LDIF
    users=`echo $line | cut -d: -f4 | sed "s/,/ /g"`
    for user in ${users} ; do
        echo "memberUid: ${user}" >> $LDIF
    done
    echo >> $LDIF
done

root@master:~#
sh ldapgroup.sh

root@master:~#
ldapadd -x -D cn=admin,dc=server,dc=world -W -f ldapgroup.ldif

Enter LDAP Password:
# admin password

adding new entry "cn=trusty,ou=groups,dc=server,dc=world"

adding new entry "cn=fedora,ou=groups,dc=server,dc=world"

adding new entry "cn=ubuntu,ou=groups,dc=server,dc=world"

adding new entry "cn=debian,ou=groups,dc=server,dc=world"

adding new entry "cn=redhat,ou=groups,dc=server,dc=world"
[5] If you'd like to delete User or Group in LDAP, Do as below.
root@master:~#
ldapdelete -x -W -D 'cn=admin,dc=server,dc=world' "uid=ubuntu,ou=people,dc=server,dc=world"

Enter LDAP Password:
root@master:~#
ldapdelete -x -W -D 'cn=admin,dc=server,dc=world' "cn=ubuntu,ou=groups,dc=server,dc=world"

Enter LDAP Password:
-------------------------------------------------------------------------------------------------------------
Configure LDAP Client:---

[1] Configure LDAP Client
root@www:~#
aptitude -y install libnss-ldap libpam-ldap ldap-utils
(1) specify LDAP server's URI


(2) specify suffix


(3) specify LDAP version


(4) select the one you like. ( this example selects 'Yes' )


(5) select the one you like. ( this example selects 'No' )


(6) specify LDAP admin account's suffix


(7) specify password for LDAP admin account

root@www:~#
vi /etc/nsswitch.conf
# line 7: add

passwd:
compat
ldap

group:
compat
ldap

shadow:
compat
ldap
root@www:~#
vi /etc/pam.d/common-password
# line 26: change ( remove 'use_authtok' )

password     [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
root@www:~#
vi /etc/pam.d/common-session
# add at the last if needed ( create home directory automatically at first login )

session optional        pam_mkhomedir.so skel=/etc/skel umask=077
root@www:~#
sysv-rc-conf libnss-ldap on

root@www:~#
reboot
www login:
redhat
# user on LDAP

Password:
Creating directory '/home/redhat'.
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Apr 26 14:52:01 JST 2014

  System load:  0.06               Processes:           281
  Usage of /:   0.6% of 180.75GB   Users logged in:     0
  Memory usage: 1%                 IP address for eth0: 10.0.0.31
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

redhat@www:~$
# just logined

redhat@www:~$
passwd
# try to change LDAP password

Enter login(LDAP) password:
# input current password

New password:
# input new password

Re-enter new password:
# confirm

LDAP password information changed for redhat
passwd: password updated successfully
# just changed
 

Post a Comment

Blogger Tips and TricksLatest Tips And TricksBlogger Tricks

Visitors

Cloud Power For You

Website Hosting At Low Price

Contatc

Empire Views
 
Top