This should also work with Ubuntu 9.04
apt-get install slapd ldap-utils libnss-ldap libpam-ldap migrationtools
Much like Debian, we must perform an extra step to make our changes permanent.
dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name: your-server
Organization name: whatever
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Admin password: <password>
Confirm: <password>
Allow LDAPv2 protocol: No
Now we will populate LDAP. You should probably add a temporary LDAP user for testing. After we populate LDAP we’ll remove it.
adduser test
cd /usr/share/migrationtools
Edit migrate_common.ph and replace “padl.com” with your domain and dc=padl,dc=com with dc=YOUR,dc=DOMAIN
./migrate_base.pl > /tmp/base.ldif
./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
./migrate_group.pl /etc/group /tmp/group.ldif
Remove the top section of /tmp/base.ldif
dn: dc=dev
dc: dev
objectClass: top
objectClass: domain
Restart LDAP and add our information to LDAP
/etc/init.d/slapd restartldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/base.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/passwd.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/group.ldif
To enable PAM I suggest
cd /tmp
wget http://st0rage.org/files/pam.d.tar
tar xf pam.d.tar -C /etc
Alternativly, you can try the following Ubuntu specific method:
auth-client-config -t nss -p lac_ldap
pam-auth-update ldap
Please note that I was unable to change user passwords with ‘passwd’ using this method.
Remove the test user
userdel test
Set up TLS Certificate
mkdir /etc/ldap/ssl
cd /etc/ldap/sslopenssl req -new -nodes -out req.pem -keyout key.pem
#No challenge password, leave empty
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 9999
mv new.key.pem server.pem
cat ca-cert >> server.pem
Enable TLS on server
ldapmodify -x -D cn=admin,cn=config -W
Paste in the following:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server.pem
Press ENTER a few times to finish modifying and then Control+C when you see:
modifying entry "cn=config"
Edit /etc/default/slapd and add
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
Restart slapd
/etc/init.d/slapd restart
If it fails, try:
chown -R openldap /etc/ldap/ssl
/etc/init.d/slapd restart
Client configuration
vi /etc/ldap.conf
uri ldaps://server
port 636
ssl start_tls
ssl on
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/server.pem
vi /etc/nsswitch.confpasswd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: ldap
Now test! Make sure to stop nscd if you’re using it
/etc/init.d/nscd stop
Test LDAP
$ id test
uid=1001(test) gid=1001(test) groups=1001(test)
Remember to keep an eye on /var/log/auth.log if you run into any problems