Monday, December 30, 2013

How to Install and Configure Open LDAP server and client in Debian 6 (Squeeze)

What is LDAP?
============

LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection-oriented transfer services.

A directory is similar to a database, but tends to contain more descriptive, attribute-based information. The information in a directory is generally read much more often than it is written. Directories are tuned to give quick responses to high-volume lookup or search operations. They may have the ability to replicate information widely in order to increase availability and reliability, while reducing response time. When directory information is replicated, temporary inconsistencies between the replicas may be acceptable, as long as they get in sync eventually.


LDAP Installation in Debian:

    # apt-get install slapd ldap-utils

Once the LDAP packages have been downloaded, the installation starts automatically.
    Follow these steps during installation:
   
    >> The setup process will ask for an admin password. Enter the password you want.
    >> Re-enter the same password to confirm it matches the one you gave before.


LDAP Configuration in Debian:


Next, edit the /etc/ldap/ldap.conf file. It holds the client defaults (base DN and server URI) that ldapsearch and the other ldap-utils use, so you do not have to type them on every command:
   
    # vim /etc/ldap/ldap.conf

=============================================================
# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=mehedi,dc=com
URI     ldap://192.168.0.15/

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
=============================================================


Run the configuration assistant to (re)configure slapd:

        # dpkg-reconfigure slapd


The following questions will appear; choose the options as follows:
====================================================================
    >> Omit OpenLDAP Server configuration [SELECT NO]
    >> Enter DNS Domain Name [mehedi.com] "without bracket"
    >> Enter Organization Name [MEHEDI COMPANY] "without bracket"
    >> Enter the LDAP Administrator password *********
    >> Re-enter the password *********
    >> Select the backend database [ SELECT HDB]
    >> Do you want the database to be removed when slapd is purged [SELECT YES]
    >> Move Old database [SELECT YES]
    >> Allow LDAPv2 Protocol? [SELECT NO]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        ya..Great work man....you have done it....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now check your LDAP server....
======================

    # ldapsearch -x

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# extended LDIF
# LDAPv3
# base <dc=mehedi,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# mehedi.com
dn: dc=mehedi,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Mehedi
dc: mehedi

# admin, mehedi.com
dn: cn=admin,dc=mehedi,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# Group, mehedi.com
dn: ou=Group,dc=mehedi,dc=com
ou: Group
objectClass: organizationalUnit
objectClass: top

# Admin Group, Group,mehedi.com
dn: cn=Admin Group,ou=Group,dc=mehedi,dc=com
cn: Admin Group
gidNumber: 1001
objectClass: posixGroup
objectClass: top

# Mehedi Hasan, Admin Group, Group, mehedi.com
dn: cn=Mehedi Hasan,cn=Admin Group,ou=Group,dc=mehedi,dc=com
givenName: Mehedi
sn: Hasan
cn: Mehedi Hasan
uid: mehedi
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/users/mehedi
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
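The `ldapsearch -x` output above is exactly what an anonymous client sees, so it is worth reading it with a security eye before handing the server to users. The following is an added example, not code from the original post: a small POSIX sh audit of that LDIF dump. It counts entries, reports uidNumber values shared by more than one posixAccount (and gidNumber values shared by more than one posixGroup), and reports whether any userPassword attribute came back to the anonymous bind. SAMPLE_LDIF is a constructed copy of the output shown above, with comment lines dropped and one extra constructed account ("Test User") that reuses uidNumber 1001 so the duplicate check has something to find; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit the LDIF that
# `ldapsearch -x` (anonymous bind) prints, right after the server check above.
# On a live server:   ldapsearch -x | ldif_audit
# Here it runs over SAMPLE_LDIF, a constructed copy of the output above plus
# one extra constructed account that reuses uidNumber 1001.

SAMPLE_LDIF=$(cat <<'EOF'
dn: dc=mehedi,dc=com
objectClass: dcObject
objectClass: organization
o: Mehedi
dc: mehedi

dn: cn=admin,dc=mehedi,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin

dn: ou=Group,dc=mehedi,dc=com
ou: Group
objectClass: organizationalUnit

dn: cn=Admin Group,ou=Group,dc=mehedi,dc=com
cn: Admin Group
gidNumber: 1001
objectClass: posixGroup

dn: cn=Mehedi Hasan,cn=Admin Group,ou=Group,dc=mehedi,dc=com
cn: Mehedi Hasan
uid: mehedi
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/users/mehedi
objectClass: inetOrgPerson
objectClass: posixAccount

# Constructed for this example: a second account entered with the same uidNumber.
dn: cn=Test User,cn=Admin Group,ou=Group,dc=mehedi,dc=com
cn: Test User
uid: testuser
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/users/testuser
objectClass: inetOrgPerson
objectClass: posixAccount

search: 2
result: 0 Success
EOF
)

# Number of entries in the dump: each starts with a dn: line (dn:: if base64).
ldif_entry_count() {
    grep -Ec '^dn::? ' || true
}

# Values of attribute $2 carried by more than one entry of objectClass $1.
# awk paragraph mode (RS="") makes each blank-line-separated LDIF entry one
# record and FS="\n" makes each attribute line one field.
ldif_duplicates() {
    awk -v oc="$1" -v at="$2" '
        BEGIN { RS = ""; FS = "\n"; oc = "objectclass: " tolower(oc); at = tolower(at) ": " }
        {
            hit = 0; val = ""
            for (i = 1; i <= NF; i++) {
                line = tolower($i)
                if (line == oc) hit = 1
                if (index(line, at) == 1) val = substr($i, length(at) + 1)
            }
            if (hit && val != "") seen[val]++
        }
        END { for (v in seen) if (seen[v] > 1) print v }' | sort -n
}

# "yes" if any userPassword attribute is in the dump, "no" otherwise.  Since
# `ldapsearch -x` binds anonymously, "yes" would mean password hashes are
# readable by anyone who can reach the server, i.e. the slapd ACL is too open.
ldif_password_visible() {
    if grep -qi '^userPassword:'; then echo yes; else echo no; fi
}

# Human-readable report over LDIF read from stdin.
ldif_audit() {
    dump=$(cat)
    echo "entries:               $(printf '%s\n' "$dump" | ldif_entry_count)"
    echo "userPassword visible:  $(printf '%s\n' "$dump" | ldif_password_visible)"
    dup_uid=$(printf '%s\n' "$dump" | ldif_duplicates posixAccount uidNumber)
    dup_gid=$(printf '%s\n' "$dump" | ldif_duplicates posixGroup gidNumber)
    echo "duplicate uidNumber:   ${dup_uid:-none}"
    echo "duplicate gidNumber:   ${dup_gid:-none}"
}

printf '%s\n' "$SAMPLE_LDIF" | ldif_audit
```

On the sample the report shows userPassword "no", which is the default slapd ACL doing its job (the cn=admin entry has a password, but an anonymous bind cannot read it), and uidNumber 1001 shared by two accounts, which on every client means two logins own the same files. Note also that ldap.conf above uses a plain ldap:// URI; `ldapsearch -x -ZZ` asks for STARTTLS and fails if the server cannot negotiate it, which is a quick way to confirm whether binds from clients cross the network encrypted.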



Install phpldapadmin for LDAP Server Administration:

    # apt-get install phpldapadmin


Create a symbolic link to the phpldapadmin directory under the web root.
    # ln -s /usr/share/phpldapadmin/ /var/www/phpldapadmin

Now we have to edit the config file:


    # vim /etc/phpldapadmin/config.php

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','Unixmen LDAP Server');
$servers->setValue('server','host','192.168.0.15');
$servers->setValue('server','base',array('dc=mehedi,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=mehedi,dc=com');
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Common Errors and Solutions:

=========================================================
Cannot create a posixAccount / posixGroup in a clear LDAP directory
=========================================================
   
We just have to comment out the <readonly> tag in posixAccount.xml and posixGroup.xml



    # vim /etc/phpldapadmin/templates/creation/posixAccount.xml

-----------------------------------------------------------
<attribute id="uidNumber">
        <display>UID Number</display>
        <icon>terminal.png</icon>
        <order>6</order>
        <page>1</page>
<!--    <readonly>1</readonly> -->
        <value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
-----------------------------------------------------------


    # vim /etc/phpldapadmin/templates/creation/posixGroup.xml

-------------------------------------------------------------

<attribute id="gidNumber">
        <display>GID Number</display>
        <order>2</order>
        <page>1</page>
<!--    <readonly>1</readonly> -->
        <spacer>1</spacer>
        <value>=php.GetNextNumber(/;gidNumber)</value>
        <!-- <value><![CDATA[=php.GetNextNumber(/;gidNumber;false;(&(objectClass=posixGroup));*2,+1000)]]></value> -->
</attribute>
--------------------------------------------------------------


Finally restart the Apache2 service:

    # /etc/init.d/apache2 restart

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Now open a browser and give the URL http://192.168.0.15/phpldapadmin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Remember the following important steps:
    >> Firstly add an Organizational Unit (OU)
    >> Under the created OU we will create a new Generic: Posix Group
    >> Under the Posix Group add or create some Generic: User Account

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

===========================================
===========================================
LDAP Client Configuration (Debian Squeeze):
===========================================
===========================================


LDAP client-package Installation in Debian:

    # apt-get install libnss-ldap libpam-ldap nscd

During installation it will ask you for several settings:
   
    >> ldap://192.168.0.15 [ Use ldap not ldapi ]
    >> dc=mehedi,dc=com    [ as yours ]
    >> LDAP version to use : 3
    >> LDAP account for root: [clear everything; the field should be blank]
    >> LDAP root account Password: [Leave it Blank]
    >> Allow LDAP admin account to behave like local root? : NO
    >> Does the LDAP database require login? : NO


Now we have to modify the nsswitch file for LDAP lookups to work....
    # vim /etc/nsswitch.conf

Add ldap after compat on the first three lines, as follows:

-------------------------------------
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
--------------------------------------



At this stage we have to reconfigure the LDAP client package with the following command:
    # dpkg-reconfigure libpam-ldap

    Now it will ask you for several credentials again:
   
    >> ldap://192.168.0.15 [ Use ldap not ldapi ]
    >> dc=mehedi,dc=com    [ as yours ]
    >> LDAP version to use : 3
    >> Allow LDAP admin account to behave like local root? : NO
    >> Does the LDAP database require login? : NO
    >> Local encryption algorithm to use for passwords: crypt
    >> PAM profiles to enable: [select both Unix & LDAP Authentication]


=======================================================================
Yahhhooooo.....great job...reboot the LDAP client PC and log in with an LDAP user and password
=======================================================================
After successfully logging in with an LDAP user name and password it will show you the message [No directory, Logging in with HOME=/], because the home directory from the user's entry (here /home/users/mehedi) does not exist on the client yet.


ha ha ha, now check that the passwd database includes the LDAP server's users with the following command:
    # getent passwd

Now you can see the LDAP users that you created in the LDAP admin panel.....
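Two things are worth checking on the client at this point, both of which `getent passwd` makes visible: that every one of passwd, group and shadow in nsswitch.conf really got the ldap source, and that no LDAP uidNumber collides with a local account in /etc/passwd (with the <readonly> tag removed from the phpldapadmin templates earlier, UIDs can be typed by hand, and "compat ldap" means a collision gives two different logins the same file ownership). The following is an added example, not code from the original post: two POSIX sh functions that read nsswitch.conf content and getent passwd output from stdin. SAMPLE_NSSWITCH and SAMPLE_GETENT are constructed samples (the "group" line deliberately lacks ldap, and a constructed local user "localadmin" deliberately has UID 1001); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: two checks for the LDAP client
# once nsswitch.conf is edited and `getent passwd` lists LDAP users.
#   nsswitch_missing_ldap < /etc/nsswitch.conf
#   getent passwd | passwd_uid_collisions
# Here both run on constructed samples so the script works offline.

# Constructed nsswitch.conf: "group" was left without the ldap source on purpose.
SAMPLE_NSSWITCH='passwd:         compat ldap
group:          compat
shadow:         compat ldap
hosts:          files dns
networks:       files'

# Constructed `getent passwd` output: local accounts plus the LDAP users from
# the example directory.  "localadmin" is a local account given UID 1001 to
# show a collision with the LDAP user mehedi (uidNumber 1001).
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
localadmin:x:1001:1001:Local Admin,,,:/home/localadmin:/bin/bash
mehedi:x:1001:1001:Mehedi Hasan:/home/users/mehedi:/bin/sh
testuser:x:1002:1001:Test User:/home/users/testuser:/bin/sh'

# Print each of passwd/group/shadow whose nsswitch line names no "ldap" source.
# Anything printed will resolve only local users, so LDAP logins or group
# memberships silently fail for that database.
nsswitch_missing_ldap() {
    awk '$1 ~ /^(passwd|group|shadow):$/ {
             found = 0
             for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1
             if (!found) print substr($1, 1, length($1) - 1)
         }'
}

# Print "uid name1 name2 ..." for every UID that more than one account has.
# Field 3 of passwd output is the numeric UID, field 1 the login name.
passwd_uid_collisions() {
    awk -F: '{ names[$3] = (names[$3] == "" ? $1 : names[$3] " " $1); count[$3]++ }
             END { for (u in count) if (count[u] > 1) print u, names[u] }' | sort -n
}

echo "nsswitch databases without ldap:"
printf '%s\n' "$SAMPLE_NSSWITCH" | nsswitch_missing_ldap
echo "UID collisions in getent passwd:"
printf '%s\n' "$SAMPLE_GETENT" | passwd_uid_collisions
```

On the samples the first check prints "group" and the second prints "1001 localadmin mehedi". The usual remedy for the second is to reserve a UID/GID range for LDAP accounts (for example, start phpldapadmin's GetNextNumber well above the highest local UID) so the two sources can never overlap.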
