How to Build an Ubuntu 11.10 SBS (Small Business Server)

Part 3: OpenLDAP

OpenLDAP is a directory service. Think of it as a database for storing all your users, their groups and other information. In time you can use it to store much more, but initially we’re going to use it as a centralised authorisation system. Clients will check usernames and permissions against those stored in the directory on the server. Though it is also possible to store passwords in LDAP and use it for authentication, we’ll be using Kerberos for this purpose.

The first step is to install OpenLDAP along with some utilities for administering it. This process will use your hostname to configure your LDAP domina, therefore it is very important that you have set this correctly BEFORE continuing, else you will get error(49) invalid bind credentials. In this example the domain is danbishop.org and the server is called neo, so make sure /etc/hostname reads “neo.danbishop.org” if this is not the case, make this change then REBOOT. Now install OpenLDAP:

sudo apt-get install slapd ldap-utils

You will be prompted for an LDAP admin password, once you have set this, much of the manual configuration that had to be done in previous releases is handled automatically in 11.04 and above. Ubuntu will configure LDAP using the domain information we supplied in previous steps in this guide. If you do wish to make changes to this though, you can run “sudo dpkg-reconfigure slapd”. All that remains to be done is creating a place in the OpenLDAP directory to store our users and our groups.

This is done by creating a frontend.danbishop.org.ldif file like so:

dn: ou=Users,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Groups

Please note: it is important that you have a new line between “ou:Users” and “dn: ou=Groups,dc=danbishop,dc=org” if you’re copying and pasting the above, it will have a space at the beginning of the blank line, you must remove this!

Now we add the LDIF in the following way, entering your root LDAP password when prompted (the one you set during slapd installation):

sudo ldapadd -x -D cn=admin,dc=danbishop,dc=org -W -f frontend.danbishop.org.ldif

LDAP Indices

Although the above will work just fine, LDAP will complain every time a user is looked up in the database that you haven’t indexed the UIDs. Indexing allows LDAP to perform searches faster than it otherwise would. Though this increase in performance is negligible with only a few users, large scale deployments will see noticeable benefits. For the purpose of preparing for possible future expansion… and to keep our log clean, we’re going to create some indices.

Create an index.ldif file:

nano index.ldif

And insert the following:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres

Now we’re going to run the modification like so:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f index.ldif

LDAP Authentication on the Server

LDAP doesn’t actually contain any users or groups yet, but now would be a good time to configure the server to check ldap for login information, so that after we’ve setup Kerberos and created our first users we’re ready to go! This is actually very easy to configure, it simply requires the installation of two packages:

sudo apt-get install libnss-ldapd libpam-ldapd

During the configuration section of the installation, you will be asked to confirm your LDAP settings and which services you’d like to enable LDAP for, you should select “group”, “passwd” and “shadow”. The packages will then configure /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf to work automatically. All other questions should be left with the default answer.

References

http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-lucid-part2

  • shane piper

    Hi Dan, I have been following your blog on setting up an SBS so far so good apart from when I get to the part for adding an ldap group.

    sudo ldapaddgroup domainadmins

    I get an error: Error adding group domainadmins to LDAP

    I have read in a previous blog about the ldap.secret password having to be 1 more than the password length but not having much joy.

    The ldapscripts log talks about the credentials not being correct (49).

    I have installed phpldapadmin as well to see if I can add the groups and users there but it doesn’t add a GID to the group.

    Any ideas?

  • shane piper

    I also added the ldap password to /etc/pam_ldap.secret and fixed the error I had above.

    Regards,

    Shane

  • shane piper

    Dan,

    Sorry to be a pain, but now that I have set up the client machine when I go to login with an ldap user, I get the message ‘Could not update ICEauthority file /home/spiper/.ICEauthority’

    When I look at the home folder on the server there is no ICEauthority file.

  • jim smith

    Dan (or anyone reading this page) , if you could help me on this that would be great… i run the command

    “sudo ldapaddgroup domainadmins”

    i receive an output of “Could not guess current user”

    having a look round it seems the error is related to the $USER variable not being defined. But other than that i have no idea how to debug and fix this.

  • Myself

    I’ve installed LDAP and Kerberos, but how the two work together is a complete puzzle. Can you elaborate a bit on the roles of each one?

  • Daiko Dauda

    Hi Dan

    Thanks for an excellent set of steps described above.
    I do have on query…everything works no problems, but I struggle to add normal users and am I able to create eg – print admin, etc (other like groups) with specific permissions?

    Thanks again

    Daiko

    NB: can add-users but cannot generate passwords am I missing the point here?

    • Dan Bishop

      To generate passwords, you just create a new kerberos principal with the same name as the username… 🙂

  • Dan,

    This is a great idea, but rather than make the same mistake microsoft made with SBS, why not use Linux Containers or KVM and modularize the single physical box design so as to make the system more scalable and easier to migrate to new hardware?

    Even back in my Windows consulting days, I found that installing SBS on top of ESXi often saved clients money in the long term.

    –Sam

    • Dan Bishop

      Hi Sam,

      I am hoping to look at KVM when I get a bit more time. Maybe even making some preconfigured images with a script to modify the configuration for a custom domain… 🙂

      Dan