How to Build an Ubuntu 11.10 SBS (Small Business Server)

Part 3: OpenLDAP

OpenLDAP is a directory service. Think of it as a database for storing all your users, their groups and other information. In time you can use it to store much more, but initially we’re going to use it as a centralised authorisation system. Clients will check usernames and permissions against those stored in the directory on the server. Though it is also possible to store passwords in LDAP and use it for authentication, we’ll be using Kerberos for this purpose.

The first step is to install OpenLDAP along with some utilities for administering it. This process will use your hostname to configure your LDAP domain, so it is very important that you have set this correctly BEFORE continuing; otherwise you will get error(49) invalid bind credentials. In this example the domain is danbishop.org and the server is called neo, so make sure /etc/hostname reads “neo.danbishop.org”. If this is not the case, make the change and then REBOOT. Now install OpenLDAP:

sudo apt-get install slapd ldap-utils

You will be prompted for an LDAP admin password. Once you have set this, much of the manual configuration that had to be done in previous releases is handled automatically in 11.04 and above: Ubuntu will configure LDAP using the domain information we supplied in previous steps in this guide. If you do wish to change this, you can run “sudo dpkg-reconfigure slapd”. All that remains is to create a place in the OpenLDAP directory to store our users and our groups.

This is done by creating a frontend.danbishop.org.ldif file like so:

dn: ou=Users,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Groups

Please note: it is important that there is a blank line between “ou: Users” and “dn: ou=Groups,dc=danbishop,dc=org”. If you’re copying and pasting the above, the blank line may end up with a space at the beginning; you must remove this!

Now we add the LDIF in the following way, entering your root LDAP password when prompted (the one you set during slapd installation):

sudo ldapadd -x -D cn=admin,dc=danbishop,dc=org -W -f frontend.danbishop.org.ldif
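As an added example (not from the original post), here is a small Python check for the copy/paste defect described in the note above: LDIF (RFC 2849) treats a line that starts with a single space as a continuation of the previous line, so a “blank” line containing a space never ends the first record and ldapadd receives one entry with two dn lines. The sample LDIF strings below are constructed from this post’s frontend file.

```python
"""Sanity-check an LDIF file before feeding it to ldapadd (added example, not
from the original post). RFC 2849: a line starting with a single space continues
the previous line, so a pasted "blank" line containing a space does not end the
record."""


def parse_ldif(text: str) -> tuple[list[dict[str, list[str]]], list[str]]:
    """Return (entries, problems). Only truly empty lines separate records."""
    entries, problems, current, last_key = [], [], {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw == "":                          # genuine record separator
            if current:
                entries.append(current)
            current, last_key = {}, None
        elif raw.strip() == "":                # " " folds into the previous value
            problems.append(f"line {lineno}: whitespace-only line does not end "
                            "the record; delete the leading space")
        elif raw.startswith(" "):              # ordinary continuation line
            if last_key is None:
                problems.append(f"line {lineno}: continuation with no attribute")
            else:
                current[last_key][-1] += raw[1:]
        elif raw.startswith("#"):              # LDIF comment
            pass
        else:
            key, sep, value = raw.partition(":")   # base64 ("::") not handled here
            if not sep:
                problems.append(f"line {lineno}: not an attribute line: {raw!r}")
                continue
            key = key.strip().lower()          # attribute names are case-insensitive
            if key == "dn" and "dn" in current:
                problems.append(f"line {lineno}: second dn in one record; a blank "
                                "separator line is missing above it")
            current.setdefault(key, []).append(value.strip())
            last_key = key
    if current:
        entries.append(current)
    return entries, problems


# Constructed sample: the post's frontend LDIF, and the same text with a space on the "blank" line.
GOOD_LDIF = ("dn: ou=Users,dc=danbishop,dc=org\nobjectClass: organizationalUnit\n"
             "ou: Users\n\ndn: ou=Groups,dc=danbishop,dc=org\n"
             "objectClass: organizationalUnit\nou: Groups\n")
BAD_LDIF = GOOD_LDIF.replace("\n\n", "\n \n")

if __name__ == "__main__":
    for name, text in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        entries, problems = parse_ldif(text)
        print(f"{name}: {len(entries)} record(s); problems: {problems or 'none'}")
```

Run it against your own frontend file with `parse_ldif(open("frontend.danbishop.org.ldif").read())` before calling ldapadd; a clean file yields two records and no problems.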

LDAP Indices

Although the above will work just fine, LDAP will complain every time a user is looked up in the database that you haven’t indexed the UIDs. Indexing allows LDAP to perform searches faster than it otherwise would. Though this increase in performance is negligible with only a few users, large scale deployments will see noticeable benefits. For the purpose of preparing for possible future expansion… and to keep our log clean, we’re going to create some indices.

Create an index.ldif file:

nano index.ldif

And insert the following:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres

Now we’re going to run the modification like so:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f index.ldif

LDAP Authentication on the Server

LDAP doesn’t actually contain any users or groups yet, but now would be a good time to configure the server to check LDAP for login information, so that after we’ve set up Kerberos and created our first users we’re ready to go! This is actually very easy to configure; it simply requires the installation of two packages:

sudo apt-get install libnss-ldapd libpam-ldapd

During the configuration section of the installation, you will be asked to confirm your LDAP settings and which services you’d like to enable LDAP for; you should select “group”, “passwd” and “shadow”. The packages will then configure /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf automatically. All other questions should be left with the default answer.
