User accounts with OpenLDAP's central administration


Server Installation and Configuration

OpenLDAP can be found in repositories of all major distributions and can be installed with the appropriate package tool under Ubuntu using the following command:

$ sudo apt-get install slapd ldap-utils

The installer will ask for the LDAP administrator's password (Figure 1). To change these settings at a later date, run dpkg-reconfigure slapd . The ldap-utils package contains the command-line programs that you will need to manage the directory entries. The slapcat command dumps the initial DIT (Figure 2), which, apart from the organization and the LDAP admin, does not contain very much.

Figure 1: With distribution package tools, such as apt-get, you can install the OpenLDAP server in a matter of minutes. The setup, on the other hand, proves to be rather tricky.
Figure 2: Slapcat shows the initial DIT, allowing the container objects and leaf objects to grow into a tree over time.

Files in LDAP Data Interchange Format (LDIF) will help remedy this. In LDIF files, you create new container objects or leaf objects and assign values to them according to their object classes and attributes. Listing 3, for example, shows an organization with departments, the OUs, as well as the management board, administration, and a user.

Listing 3: structure.ldif

# structure.ldif
# Board
dn: ou=board,dc=cubed,dc=local
ou: board
objectclass: top
objectclass: organizationalunit
# Management
dn: ou=gf,dc=cubed,dc=local
ou: gf
description: Management
objectclass: top
objectclass: organizationalunit
# user Karl
dn: uid=karl,ou=board,dc=cubed,dc=local
uid: karl
cn: Karl Aschnikow
givenName: Karl
sn: Aschnikow
userPassword: {SSHA}lv6ZgRfpIVmBWjps/7B1LoPeZLdyjV7q
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/karl
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: person

An object always begins with the DN, followed by attributes and object classes. You can generate the password hash with slappasswd -s <privatepassword> . LDAP string values that are not plain ASCII are saved Base64-encoded in LDIF (written after a double colon, for example description:: ), so descriptions and password hashes are not immediately readable. Note that Base64 is only an encoding, not a protection: anyone who can read the file can decode it, so what keeps the password safe from crackers is the {SSHA} hash itself and the access controls on the directory.

To import an LDIF file, bind as the admin DN with ldapadd; the general form of the command is:

$ ldapadd -x -D "DN" -W -f LDIF-Data

To load the contents of structure.ldif from Listing 3 into the LDAP directory, run:

$ ldapadd -x -D "cn=admin,dc=cubed,dc=local" -W -f structure.ldif

LDIF files, together with a few scripts, thus make it possible to create any number of objects automatically.
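The following script is an added example and not code from the article: it generates entries in the shape of Listing 3 for any number of users. It reproduces the {SSHA} layout that slappasswd -s produces (Base64 of sha1(password + salt) followed by the 4-byte salt), includes a constant-time verifier for such hashes, and applies the LDIF rule that values which are not plain ASCII "safe strings" must be written Base64-encoded after a double colon. The base DN is the one from the listing; the description text and the password are constructed sample values.

```python
"""Generate Listing 3-style LDIF entries with slappasswd-compatible {SSHA} hashes."""
import base64
import hashlib
import hmac
import os
from typing import Optional

BASE_DN = "dc=cubed,dc=local"   # base DN used in the article's listing


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value in the layout slappasswd -s produces."""
    if salt is None:
        salt = os.urandom(4)          # slappasswd uses a random 4-byte salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a password against a {SSHA} value: 20-byte SHA-1 digest, rest is salt."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def ldif_line(attr: str, value: str) -> str:
    """Format one attribute line; use '::' + Base64 when the value is not an LDIF safe string."""
    raw = value.encode("utf-8")
    unsafe = (
        any(b > 0x7F or b in (0x00, 0x0A, 0x0D) for b in raw)   # non-ASCII, NUL, LF, CR
        or raw[:1] in (b" ", b":", b"<")                        # disallowed first byte
        or raw.endswith(b" ")                                   # trailing space
    )
    if unsafe:
        return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{attr}: {value}"


def ldif_value(line: str) -> str:
    """Inverse of ldif_line: decode a '::' Base64 value, or return the plain value."""
    _, sep, rest = line.partition(":: ")
    if sep:
        return base64.b64decode(rest).decode("utf-8")
    return line.partition(": ")[2]


def ou_entry(ou: str, description: Optional[str] = None) -> str:
    lines = [f"dn: ou={ou},{BASE_DN}", ldif_line("ou", ou)]
    if description:
        lines.append(ldif_line("description", description))
    lines += ["objectClass: top", "objectClass: organizationalUnit"]
    return "\n".join(lines) + "\n"


def user_entry(uid: str, given: str, sn: str, ou: str,
               uid_number: int, gid_number: int, password_hash: str) -> str:
    lines = [
        f"dn: uid={uid},ou={ou},{BASE_DN}",
        ldif_line("uid", uid),
        ldif_line("cn", f"{given} {sn}"),
        ldif_line("givenName", given),
        ldif_line("sn", sn),
        ldif_line("userPassword", password_hash),
        "loginShell: /bin/bash",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: organizationalPerson",
        "objectClass: person",
    ]
    return "\n".join(lines) + "\n"


def build_structure_ldif() -> str:
    """Constructed sample: the two OUs of Listing 3 plus one user with a fresh hash."""
    return "\n".join([
        ou_entry("board"),
        ou_entry("gf", "Geschäftsführung"),          # non-ASCII -> written as description::
        user_entry("karl", "Karl", "Aschnikow", "board", 1001, 100,
                   make_ssha("example-only-password")),   # constructed password
    ])


if __name__ == "__main__":
    print(build_structure_ldif(), end="")   # pipe into: ldapadd -x -D "cn=admin,..." -W
```

Because the hash is produced locally, the clear-text password never appears in the LDIF you hand to ldapadd, and verify_ssha lets you confirm a value copied from a directory export before you rely on it.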

Since version 2.3, OpenLDAP has supported a dynamic configuration (cn=config) that most distributions activate automatically. The complete set of configuration parameters is stored in an LDAP tree and modified with LDIF files, so you can change your LDAP setup without restarting the server. The static configuration in slapd.conf is then no longer consulted and can be ignored.

The following command will display the entire configuration tree (Figure 3):

$ ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Figure 3: The dynamic configuration takes control of parameters in an LDAP tree without needing to restart the server.

This is where a disadvantage of the dynamic configuration shows up: editing it is clearly more work than editing a simple text file. User authentication, however, should still work the same way on all distributions.

Client Setup

To benefit from central user management, you only need to take a few steps. Linux uses PAM for authentication and the Name Service Switch (NSS) to read user data from databases. For Ubuntu, you will need to install libnss-ldapd , libpam-ldapd and, if you would like to permit users to query the LDAP directory, ldap-utils . The installation routine will retrieve all of the necessary dependencies. All you have to do is make sure the values you enter (server URI and base DN) match those of the server.

When users log in, you can tell NSS to send its queries to the LDAP server. To do this, append ldap to the lines beginning with passwd , group , and shadow in /etc/nsswitch.conf (Figure 4). To send ldapsearch queries and similar requests to the server, you must also set the TLS_CACERT and URI parameters in /etc/ldap/ldap.conf .

Figure 4: By editing /etc/nsswitch.conf, you inform the system that it should also search for user data in an LDAP directory.

Now, you can log in. If this does not work, watch /var/log/auth.log (for example with tail -f /var/log/auth.log ), where authentication events are logged. It may also be that no home directory exists on the LDAP client for the user to log into. To create these automatically, add the following line to /etc/pam.d/common-session :

session required pam_mkhomedir.so skel=/etc/skel/ umask=0027

If your users work on multiple computers and you would like to keep all of their data synchronized, you might want to consider using an NFS server that supplies the home directories.
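As an added example (not code from the article), the following script checks and repairs the two client files discussed above. It adds ldap to the passwd, group and shadow lines of /etc/nsswitch.conf without touching other databases or existing comments, keeping files first so that local accounts such as root still resolve when the LDAP server is unreachable, and it flags /etc/ldap/ldap.conf settings under which lookups and bind passwords would cross the network unprotected or the server certificate would go unverified. The file contents in the block are constructed; on a real client you would read the files from /etc.

```python
"""Check and fix NSS and ldap.conf client settings for LDAP user lookups."""
import re
from typing import Dict, List

LDAP_DATABASES = ("passwd", "group", "shadow")   # the three lines the article names
_NSS_LINE = re.compile(r"^(passwd|group|shadow)(\s*:\s*)([^#]*)(#.*)?$")


def nsswitch_databases(text: str) -> Dict[str, List[str]]:
    """Parse 'database: source source ...' lines, ignoring comments and blanks."""
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, sources = line.partition(":")
        result[db.strip()] = sources.split()
    return result


def nsswitch_missing_ldap(text: str) -> List[str]:
    """Return those of passwd/group/shadow that do not list ldap as a source."""
    dbs = nsswitch_databases(text)
    return [db for db in LDAP_DATABASES if "ldap" not in dbs.get(db, [])]


def add_ldap_to_nsswitch(text: str) -> str:
    """Append 'ldap' after the existing sources of passwd/group/shadow (idempotent).

    Existing sources (normally 'files') stay in front, so local accounts still
    resolve when the LDAP server is down; trailing comments are preserved."""
    out = []
    for line in text.splitlines():
        m = _NSS_LINE.match(line)
        if m and "ldap" not in m.group(3).split():
            sources = m.group(3).rstrip()
            comment = f" {m.group(4)}" if m.group(4) else ""
            line = f"{m.group(1)}{m.group(2)}{sources} ldap{comment}"
        out.append(line)
    return "\n".join(out) + "\n"


def ldap_conf_issues(text: str) -> List[str]:
    """Flag ldap.conf settings that leave the client-server channel unprotected."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)           # directives are whitespace-separated
            settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    issues = []
    uri = settings.get("URI", "")
    if not uri:
        issues.append("URI is not set: the client does not know which server to ask")
    elif uri.lower().startswith("ldap://"):
        issues.append("URI uses plain ldap://: use ldaps:// or STARTTLS (ldapsearch -ZZ) "
                      "so bind passwords do not cross the network in the clear")
    if "TLS_CACERT" not in settings:
        issues.append("TLS_CACERT is not set: the server certificate cannot be verified")
    if settings.get("TLS_REQCERT", "demand").lower() in ("never", "allow"):
        issues.append("TLS_REQCERT is never/allow: an invalid server certificate is accepted")
    return issues


if __name__ == "__main__":
    # Constructed sample files standing in for /etc/nsswitch.conf and /etc/ldap/ldap.conf.
    nss = "passwd: files\ngroup:  files   # local groups\nshadow: files\nhosts: files dns\n"
    conf = "BASE dc=cubed,dc=local\nURI ldap://ldap.cubed.local\n"
    print("nsswitch lines without ldap:", nsswitch_missing_ldap(nss))
    print(add_ldap_to_nsswitch(nss), end="")
    for issue in ldap_conf_issues(conf):
        print("ldap.conf:", issue)
```

Run the repair only on a copy first, and keep a root shell open while testing: a broken nsswitch.conf or an unreachable server can otherwise lock you out of the client.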
