LDAP Server
2013-12-04 14:11
330 views
Reference: http://www.debuntu.org/how-to-set-up-a-ldap-server-and-its-clients/
1. LDAP Server
Ubuntu LAMP packages:

apt-get install apache2 mysql-server mysql-client libapache2-mod-php5 php5 php5-cli php5-common php5-dev \
    php5-gd php5-imagick php5-imap php5-ldap php5-memcache \
    php5-mhash php5-mysql php5-pgsql php5-recode php5-snmp php5-sqlite php5-curl
1.1. Installation
In order to get our LDAP server set up, we need a couple of packages to be installed:

# apt-get install slapd ldap-utils migrationtools

Answer the questions and then reconfigure slapd in order to have dpkg ask us a few more questions.

# dpkg-reconfigure slapd

Omit OpenLDAP server configuration? ... No
DNS domain name: ... debuntu.local
Name of your organization: ... Whatever & Co
Admin Password: XXXXX
Confirm Password: XXXXX
OK
BDB
Do you want your database to be removed when slapd is purged? ... No
Move old database? ... Yes
Allow LDAPv2 Protocol? ... No

Right, from now on we have our domain set up, as well as our administrator user: "admin". You can now check if you can access your LDAP server by typing:

$ ldapsearch -x -b dc=debuntu,dc=local

If you get an error message like:

ldap_bind: Can't contact LDAP server (-1)

most chances are that your server is not running. Use:

# /etc/init.d/slapd start

to start it. OK, now it is about time to add our users and groups to the LDAP database.
1.2. Populating The Database
Using migrationtools we are going to be able to quickly import all existing users and groups from our local system to LDAP.

# cd /usr/share/migrationtools/

We need to edit the default migrationtools config file migrate_common.ph and replace the following parameters with:

$DEFAULT_MAIL_DOMAIN = "debuntu.local";
$DEFAULT_BASE = "dc=debuntu,dc=local";

Then export the values:

# ./migrate_group.pl /etc/group ~/group.ldif
# ./migrate_passwd.pl /etc/passwd ~/passwd.ldif

Unfortunately, the scripts do not create the People and Group nodes, so we need to create them ourselves. To do this, create a file called ~/people_group.ldif and fill it up with (the blank line between the two entries is required by the LDIF format):

dn: ou=People, dc=debuntu, dc=local
ou: People
objectclass: organizationalUnit

dn: ou=Group, dc=debuntu, dc=local
ou: Group
objectclass: organizationalUnit

Now we have our users and groups converted to LDAP's LDIF format. Let's import them into our LDAP database:

# cd
# ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/people_group.ldif
# ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/group.ldif
# ldapadd -x -W -D "cn=admin,dc=debuntu,dc=local" -f ~/passwd.ldif

where:
-x specifies that we are not using SASL (a simple bind)
-W prompts for the password
-D identifies the administrator (the bind DN)
-f specifies the file where ldapadd should find the data to add
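As an added example, not part of the original tutorial or of migrationtools, the POSIX shell script below produces the same kind of LDIF as the migration step above: the two organizationalUnit containers plus one posixAccount entry per regular user, built with awk instead of the Perl scripts, so the output can be read before it is handed to ldapadd. The sample passwd lines, the 1000 minimum-UID cutoff and the attribute set (a simplified form of what migrate_passwd.pl emits) are constructed assumptions; userPassword is deliberately a placeholder, since real hashes live in /etc/shadow and should not be copied into a world-readable LDIF.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): generate the LDIF that the
# migrationtools step produces, without running the Perl scripts, so the format
# can be inspected before anything is fed to ldapadd. Sample passwd lines are
# constructed here, not read from /etc/passwd.

BASE="dc=debuntu,dc=local"   # same base DN the tutorial uses

# Emit the organizationalUnit container for an OU (People or Group).
ou_ldif() {
    # $1 = base DN, $2 = OU name
    printf 'dn: ou=%s,%s\nou: %s\nobjectClass: organizationalUnit\n\n' "$2" "$1" "$2"
}

# Convert one /etc/passwd line into a posixAccount entry under ou=People.
# Only a placeholder password value is emitted: real hashes come from
# /etc/shadow, which is root-readable only, and must not end up in an LDIF
# that other users can read.
passwd_to_ldif() {
    # $1 = base DN, $2 = passwd line "user:x:uid:gid:gecos:home:shell"
    printf '%s\n' "$2" | awk -F: -v base="$1" '
        NF >= 7 {
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            printf "uid: %s\ncn: %s\n", $1, ($5 == "" ? $1 : $5)
            printf "objectClass: account\nobjectClass: posixAccount\nobjectClass: top\n"
            printf "userPassword: {crypt}x\n"   # placeholder, see comment above
            printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n\n", $7, $3, $4, $6
        }'
}

# Keep only regular users: system accounts (root, daemon, ...) and nobody
# should not be duplicated into the directory. $1 = minimum UID (default 1000).
filter_regular_users() {
    awk -F: -v min="${1:-1000}" '$3 >= min && $3 != 65534'
}

# Constructed sample input (not a real system's /etc/passwd).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Assemble containers first, then users, in the order ldapadd needs them.
build_ldif() {
    ou_ldif "$BASE" People
    ou_ldif "$BASE" Group
    printf '%s\n' "$SAMPLE_PASSWD" | filter_regular_users 1000 | while IFS= read -r line; do
        passwd_to_ldif "$BASE" "$line"
    done
}

build_ldif
```

Redirect the output to a file and feed it to ldapadd with the same -x -W -D options as above; the People and Group entries come first because the user entries are children of ou=People.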
Well, now the server is ready to identify your users. Let's go on and set up the clients.
2. Configuring The Clients
Each client will need a set of packages. So, now that you are logged on one of your clients, install:

# apt-get install libnss-ldap libpam-ldap nscd

LDAP Account for root: cn=admin,dc=debuntu,dc=local
Password: XXXX
Make local root database admin: yes
Database require logging in: No
Root login account: cn=admin,dc=debuntu,dc=local
Root login password: XXXX

libnss-ldap will allow us to use LDAP as a naming service, libpam-ldap allows PAM to authenticate users through LDAP, and finally nscd is a password, group and host lookup daemon which caches results so LDAP won't be queried every time authentication has to be done.

Now, let's edit the files and make sure you get the following settings:

# vi /etc/libnss-ldap.conf
host ldap
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local

# vi /etc/libnss-ldap.secret
XXXXX

# vi /etc/pam_ldap.conf
host ldap
base dc=debuntu,dc=local
rootbinddn cn=admin,dc=debuntu,dc=local

# vi /etc/pam_ldap.secret
XXXXX

The PAM configuration files need to be modified a bit, like this:

# vi /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
#if you want user homedir to be created on first login
#session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent

# vi /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

# vi /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5

# vi /etc/pam.d/common-session
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so

Finally, let's edit nsswitch so the system will be able to switch from local system authentication to LDAP authentication.

# vim /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap

With these settings, login is going to be tried against the local system users first. If it cannot find a match, it will then try to authenticate against the LDAP server.

Now, you should be able to connect on any client by using any LDAP user's details. This tutorial is far from being complete, but you should be able to get started.
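The client setup above stores the rootbinddn password in cleartext in /etc/libnss-ldap.secret and /etc/pam_ldap.secret, and nsswitch.conf only behaves as described if passwd, group and shadow name the same sources. The script below is an added example, not part of the original tutorial, that checks those two points plus one the tutorial does not cover: with plain "host ldap" and a simple bind, passwords cross the network in cleartext unless the client config also asks for TLS ("ssl start_tls" or "ssl on" are existing libnss-ldap/pam_ldap options, not settings shown above). File paths are parameters, and the demo at the bottom runs against constructed copies rather than the real /etc.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity checks for the client
# setup described above. The two *.secret files hold the rootbinddn password in
# cleartext, so they must be readable by their owner (root) only; nsswitch.conf
# should list the same sources for passwd, group and shadow; and "host ldap" with
# a simple bind sends passwords in cleartext unless TLS is requested.

# 0 if the file is a regular file with mode 0600 (owner read/write only).
check_secret_mode() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    perms=$(ls -ld "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "bad mode on $f: $perms (want -rw-------)"; return 1; }
}

# Print the source list for one nsswitch database, e.g. "files ldap".
nss_sources() {
    # $1 = database name (passwd, group, shadow), $2 = nsswitch.conf path
    awk -v k="$1:" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print }' "$2"
}

# 0 if passwd, group and shadow name the same (non-empty) source list.
check_nsswitch_consistent() {
    p=$(nss_sources passwd "$1"); g=$(nss_sources group "$1"); s=$(nss_sources shadow "$1")
    [ -n "$p" ] && [ "$p" = "$g" ] && [ "$p" = "$s" ]
}

# 0 if the LDAP client config asks for TLS ("ssl start_tls" or "ssl on").
# The tutorial's configs use plain "host ldap" and would fail this check.
check_tls_enabled() {
    grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on)([[:space:]]|$)' "$1"
}

# Run every check against a directory laid out like /etc. The return value is
# the number of failed checks, so 0 means everything passed.
run_checks() {
    dir="$1"; fails=0
    for s in libnss-ldap.secret pam_ldap.secret; do
        check_secret_mode "$dir/$s" || fails=$((fails + 1))
    done
    check_nsswitch_consistent "$dir/nsswitch.conf" || {
        echo "nsswitch.conf: passwd/group/shadow sources differ"; fails=$((fails + 1)); }
    for c in libnss-ldap.conf pam_ldap.conf; do
        check_tls_enabled "$dir/$c" || {
            echo "$c: no 'ssl start_tls' or 'ssl on' line, bind password travels in cleartext"
            fails=$((fails + 1)); }
    done
    return "$fails"
}

# Demo on constructed files (not a real system's /etc): one secret file is left
# world-readable on purpose and neither config requests TLS, so 3 checks fail.
demo() {
    d=$(mktemp -d)
    printf 'XXXXX\n' > "$d/libnss-ldap.secret"; chmod 600 "$d/libnss-ldap.secret"
    printf 'XXXXX\n' > "$d/pam_ldap.secret";    chmod 644 "$d/pam_ldap.secret"
    printf 'host ldap\nbase dc=debuntu,dc=local\nrootbinddn cn=admin,dc=debuntu,dc=local\n' > "$d/libnss-ldap.conf"
    cp "$d/libnss-ldap.conf" "$d/pam_ldap.conf"
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$d/nsswitch.conf"
    rc=0; run_checks "$d" || rc=$?
    echo "failed checks: $rc"
    rm -rf "$d"
}

demo
```

To audit a real client, call run_checks /etc as root; the mode check is deliberately strict (exactly 0600), because the secret files are read by root via rootbinddn and nobody else needs them.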