I am starting to have quite a few systems at home: physical machines, virtual machines, desktops, laptops, smartphones, a tablet… most of them running some Unix flavor (I still have a few Windows machines, but fewer and fewer 🙂
At home we are five: two parents and three kids. Guess what? All of them want to use a computer…
So I built a little network that I try to manage as simply as possible.
My challenge of the day: centralize logins and passwords so that everyone in the family authenticates the same way on every device at home.
When I started as a Unix administrator, we were deploying Sun YP (Yellow Pages), which was soon renamed NIS.
I was looking for something more flexible and more in line with how authentication is done today…
That is how I came to look at LDAP (OpenLDAP).
Step 1: configure LDAP server
Objective: install an LDAP service at home to host user authentication for all my computers.
I selected an Ubuntu 10.04 server (a virtual machine, by the way) to host the LDAP service.
Software installation
First, install the binaries:
sudo apt-get install slapd ldap-utils
On my server, this pulled in these extra packages:
libdb4.7 odbcinst odbcinst1debian1 unixodbc
Also note that the slapd installation creates a new user and an initial configuration:
Setting up slapd (2.4.21-0ubuntu5.7) ...
Creating new user openldap... done.
Creating initial slapd configuration... done.
Then add a few predefined schemas to the server (keep this order: nis and inetorgperson depend on cosine):
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
Server backend configuration
Now create the backend (database) configuration. Create a file, for example /var/tmp/backend.example.com.ldif (replace “dc=mondomain,dc=fr” with your own suffix):
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=mondomain,dc=fr
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=mondomain,dc=fr
olcRootPW: secret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=mondomain,dc=fr" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=mondomain,dc=fr" write by * read
Note: it is much safer to store the admin password as a hash. Replace the ‘secret’ string above with the output of the slappasswd command (the string starts with ‘{SSHA}’: paste all of it).
Two more things to know about this configuration: the last olcAccess rule makes every attribute except userPassword readable by anonymous binds, which the client setup in step 2 relies on (it looks users up without binding), so keep the server reachable from the home LAN only and do not put anything sensitive in the extra inetOrgPerson attributes; and once imported, delete /var/tmp/backend.example.com.ldif, since it carries the admin password hash.
Import this backend configuration into the server's cn=config database:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /var/tmp/backend.example.com.ldif
Server Frontend data
Next, import the minimum data (adjust to your needs and to your intended structure). Create a file /var/tmp/frontend.example.com.ldif and paste the following (adjust the domain name and the user entries):
# Create top-level object in domain
dn: dc=mondomain,dc=fr
objectClass: top
objectClass: dcObject
objectclass: organization
o: My Organization
dc: Mondomain
description: LDAP Example

# Admin user.
dn: cn=admin,dc=mondomain,dc=fr
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {SSHA}aobrpti5d0rnoT48U+XfZT9XecpYXyVA

dn: ou=people,dc=mondomain,dc=fr
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=mondomain,dc=fr
objectClass: organizationalUnit
ou: groups

dn: uid=john,ou=people,dc=mondomain,dc=fr
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 1000
userPassword: password
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD

dn: cn=example,ou=groups,dc=mondomain,dc=fr
objectClass: posixGroup
cn: example
gidNumber: 10000
Before importing, replace john's cleartext ‘userPassword: password’ with slappasswd output, as for the admin, and give each user a primary group that exists (john's gidNumber 1000 does not match the example group, whose gidNumber is 10000: either add a matching posixGroup or point gidNumber at a group that exists locally). Then import the data, binding as the admin:
sudo ldapadd -x -D cn=admin,dc=mondomain,dc=fr -W -f /var/tmp/frontend.example.com.ldif
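Both the admin password in the backend LDIF and john's userPassword above belong in the file as {SSHA} hashes, never as cleartext. The following added example (my own script, not the author's; it assumes the article's dc=mondomain,dc=fr suffix and ou=people, and the user and password it prints are constructed) reproduces what slappasswd does, checks a hash the way slapd checks a simple bind, and emits a complete posixAccount entry ready for ldapadd. It also base64-encodes non-ASCII values such as accented family names, which LDIF requires and which a hand-written file easily gets wrong.

```python
#!/usr/bin/env python3
"""Hash passwords the way slappasswd does ({SSHA}) and emit a ready-to-import
LDIF entry for a posixAccount, so the file handed to ldapadd never carries a
cleartext userPassword.

Added example for this article, not the author's script. It assumes the
article's base DN (dc=mondomain,dc=fr) and ou=people; the user and password
in the demo at the bottom are constructed."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import re
import time

BASE_DN = "dc=mondomain,dc=fr"        # from the article
PEOPLE_OU = "ou=people," + BASE_DN
SALT_LEN = 4                          # slappasswd's default SSHA salt size
SHA1_LEN = 20
UID_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")   # keeps the DN free of escaping


def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """Return '{SSHA}' + base64(sha1(password || salt) || salt), the RFC 2307
    layout OpenLDAP uses, so slapd verifies a simple bind against it exactly
    as against slappasswd output."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a '{SSHA}...' string (what slapd
    does on a simple bind); cleartext values never match."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_line(attr: str, value: str) -> str:
    """Format one attribute line per RFC 2849: values that are not 'safe'
    (non-ASCII such as accented names, a leading space/colon/'<', a trailing
    space, or embedded newlines/NUL) go base64-encoded after '::'."""
    unsafe = (
        not value.isascii()
        or value[:1] in (" ", ":", "<")
        or value.endswith(" ")
        or any(c in value for c in "\r\n\0")
    )
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def user_ldif(uid: str, given_name: str, sn: str, uid_number: int,
              gid_number: int, password: str, salt: bytes | None = None) -> str:
    """Build the entry for one family member (inetOrgPerson + posixAccount +
    shadowAccount, as in the article) with a hashed userPassword."""
    if not UID_RE.match(uid):
        raise ValueError(f"uid {uid!r} must be a plain lowercase login name")
    cn = f"{given_name} {sn}"
    attrs = [
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("sn", sn),
        ("givenName", given_name),
        ("cn", cn),
        ("displayName", cn),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("userPassword", ssha_hash(password, salt)),
        # gecos is an IA5String in the nis schema: ASCII only, so fall back
        # to the login name for accented names.
        ("gecos", cn if cn.isascii() else uid),
        ("loginShell", "/bin/bash"),
        ("homeDirectory", f"/home/{uid}"),
        ("shadowLastChange", str(int(time.time() // 86400))),  # days since epoch
        ("shadowMax", "99999"),
        ("shadowWarning", "7"),
    ]
    lines = [ldif_line("dn", f"uid={uid},{PEOPLE_OU}")]
    lines += [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


def password_field(entry: str) -> str:
    """Return the userPassword value of an entry produced by user_ldif."""
    for line in entry.splitlines():
        if line.startswith("userPassword: "):
            return line[len("userPassword: "):]
    return ""


if __name__ == "__main__":
    # Constructed demo data; in real use read the password with getpass.
    entry = user_ldif("helene", "Hélène", "Doe", 1002, 1000, "correct horse")
    print(entry)
    print("hash verifies:", ssha_verify(password_field(entry), "correct horse"))
```

Redirect the output to a file and feed it to the same ldapadd command as above; the entry imports as-is and the user can bind with the password that was hashed, while the LDIF on disk only ever held the {SSHA} value.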
Backup
That's almost it!
But I strongly advise you to back up this LDAP database regularly, in case of a major problem (corruption, system crash, …). There are plenty of ways to do that (including setting up an LDAP replica), but my choice was a simple weekly dump that I can copy to another server.
So I added the following to root's crontab:
# LDAP database backup
01 00 * * 6 /usr/sbin/slapcat -l /root/DumpLDAP.ldif -b "dc=mondomain,dc=fr"
The dump contains every user's password hash, so keep it readable by root only and move it over an encrypted channel (scp) rather than a plain file share. It is also worth dumping the configuration database (slapcat -n 0 -l /root/DumpConfig.ldif) so the server can be rebuilt without redoing step 1.
And I set up a script that transfers this file to another server (in case of a disk crash…)
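Before that script ships the dump anywhere, it is worth checking that slapcat actually produced a usable file. This added Python check (mine, not the author's transfer script; it assumes the dump path and suffix from the crontab line above, and the sample dump embedded in it is constructed, not real slapcat output) parses the LDIF, including base64 values and folded lines, and refuses a dump that is empty, starts at the wrong suffix, holds no posixAccount entries, or contains a cleartext userPassword.

```python
#!/usr/bin/env python3
"""Sanity-check a slapcat dump before it leaves the box: a truncated or empty
LDIF is worse than no backup, because you only find out on restore day.

Added example for this article, not the author's transfer script. It assumes
the dump path and suffix from the crontab line above; SAMPLE_DUMP is
constructed for the demo, not real slapcat output."""
from __future__ import annotations

import base64
import sys

BASE_DN = "dc=mondomain,dc=fr"
DUMP_PATH = "/root/DumpLDAP.ldif"


def _b64(value: str) -> str:
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


# Constructed sample: three entries, one base64 value, one folded line.
SAMPLE_DUMP = (
    "dn: dc=mondomain,dc=fr\n"
    "objectClass: dcObject\n"
    "objectClass: organization\n"
    "dc: Mondomain\n"
    "\n"
    "dn: ou=people,dc=mondomain,dc=fr\n"
    "objectClass: organizationalUnit\n"
    "ou: people\n"
    "\n"
    "dn: uid=john,ou=people,dc=mondomain,dc=fr\n"
    "objectClass: inetOrgPerson\n"
    "objectClass: posixAccount\n"
    "objectClass: shadowAccount\n"
    "uid: john\n"
    "uidNumber: 1000\n"
    "gidNumber: 1000\n"
    f"userPassword:: {_b64('{SSHA}aobrpti5d0rnoT48U+XfZT9XecpYXyVA')}\n"
    "description: a long description that slapcat wraps onto a continuati\n"
    " on line\n"
)


def unfold(text: str):
    """Yield logical LDIF lines: slapcat folds long values and marks the
    continuation with one leading space (RFC 2849)."""
    current = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            current += raw[1:]
            continue
        if current is not None:
            yield current
        current = raw
    if current is not None:
        yield current


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse entries into {attr: [values]} (attribute names lowercased,
    '::' values base64-decoded); comments and the version line are skipped."""
    entries, entry = [], {}
    for line in unfold(text):
        if line == "":
            if entry:
                entries.append(entry)
            entry = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def check_dump(text: str, base_dn: str = BASE_DN) -> list[str]:
    """Return the problems found; an empty list means the dump looks usable."""
    try:
        entries = parse_ldif(text)
    except ValueError as exc:
        return [str(exc)]
    if not entries:
        return ["dump is empty"]
    problems, suffix = [], base_dn.lower()
    first = entries[0].get("dn", [""])[0]
    if first.lower() != suffix:
        problems.append(f"first entry is {first!r}, expected the suffix {base_dn}")
    has_users = False
    for e in entries:
        dn = e.get("dn", [""])[0]
        if not dn.lower().endswith(suffix):
            problems.append(f"entry {dn!r} is outside {base_dn}")
        classes = [c.lower() for c in e.get("objectclass", [])]
        if not classes:
            problems.append(f"{dn}: no objectClass")
        has_users = has_users or "posixaccount" in classes
        for pw in e.get("userpassword", []):
            if not pw.startswith("{"):          # {SSHA}, {CRYPT}, ... are hashes
                problems.append(f"{dn}: userPassword stored in clear")
    if not has_users:
        problems.append("no posixAccount entries: is this really the user database?")
    return problems


if __name__ == "__main__":
    arg = sys.argv[1] if len(sys.argv) > 1 else DUMP_PATH
    text = SAMPLE_DUMP if arg == "--demo" else open(arg, encoding="utf-8").read()
    found = check_dump(text)
    print("\n".join(f"PROBLEM: {p}" for p in found) or "dump OK")
    sys.exit(1 if found else 0)
```

Run it from the transfer script right after slapcat (`check_dump.py /root/DumpLDAP.ldif || exit 1`) so a bad dump never overwrites the good copy on the other server; `--demo` runs it against the embedded sample.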
Last step: populate
The other step is to populate this LDAP database with valid entries.
We already saw one way to do that, with an LDIF file.
I must confess I also like a nice GUI, so I set up phpLDAPadmin:
sudo apt-get install phpldapadmin
Then I edited its config file (/etc/phpldapadmin/config.php) to set the name of my LDAP server (localhost by default), the base DN (dc=mondomain,dc=fr), … Many attributes can be tuned there, and the file itself documents them well (I did not need to change anything else). Keep in mind that the web interface logs in as cn=admin: serve it over HTTPS, or only from localhost, so the admin password does not travel across the LAN in clear.
You can then create or modify whatever you need in the LDAP tree directly from the phpLDAPadmin web interface…
Step 2: configure client authentication on Ubuntu
Most of my machines run Ubuntu, so I followed the Ubuntu documentation to install and set up PAM and NSS authentication against LDAP.
First I need to install the appropriate packages:
sudo apt-get install libnss-ldap
This installed additional packages on my 12.04 test system:
auth-client-config ldap-auth-client ldap-auth-config libnss-ldap libpam-ldap
During this installation, several questions are asked:
- LDAP server name
- search base (dc=mondomain,dc=fr)
- LDAP version (I kept LDAP v3)
- make local root database admin (yes)
- does the LDAP database require login? (no in my case, as this is restricted to the home LAN)
- LDAP account for root (cn=admin,dc=mondomain,dc=fr)
- LDAP root account password
(all this information is stored in /etc/ldap.conf, except the root account password, which goes to /etc/ldap.secret and must stay readable by root only)
Then tell the system where to look up passwd, group and shadow entries: edit /etc/nsswitch.conf and set:
passwd: files ldap
group: files ldap
shadow: files ldap
This makes lookups consult the local files first and LDAP second; keep that order, so root and any local accounts still work when the LDAP server is unreachable.
(Note: the same change can be made automatically with sudo auth-client-config -t nss -p lac_ldap, but I prefer full control over what changes on my system 🙂
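The answers to those questions and the nsswitch.conf edit end up in two plain files, and a handful of their settings decide whether the box still boots when the LDAP server is down and what crosses the LAN at login. This added audit script (mine, not part of ldap-auth-config; the sample /etc/ldap.conf and /etc/nsswitch.conf contents in it are constructed from the values in this article, and the host name ldap.mondomain.fr is an assumption) parses both files and flags ldap listed before files, an ldap:// URI without start_tls, a bindpw in the world-readable ldap.conf, and the default bind_policy hard.

```python
#!/usr/bin/env python3
"""Audit the two client files written by the steps above, /etc/nsswitch.conf
and /etc/ldap.conf, for the settings that decide whether the machine still
boots when the LDAP server is down and what crosses the LAN at login.

Added example for this article, not part of ldap-auth-config. The sample
contents below are constructed from the values in the article; the host name
ldap.mondomain.fr is an assumption."""
from __future__ import annotations

import re
import sys

NSSWITCH_PATH = "/etc/nsswitch.conf"
LDAP_CONF_PATH = "/etc/ldap.conf"
NSS_DATABASES = ("passwd", "group", "shadow")

SAMPLE_NSSWITCH = """\
passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files dns
"""

SAMPLE_LDAP_CONF = """\
# written by ldap-auth-config from the debconf answers (constructed)
base dc=mondomain,dc=fr
uri ldap://ldap.mondomain.fr/
ldap_version 3
rootbinddn cn=admin,dc=mondomain,dc=fr
"""


def _statements(text: str):
    """Yield non-empty lines with comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_nsswitch(text: str) -> dict[str, list[str]]:
    """Map each database to its ordered list of sources."""
    result = {}
    for line in _statements(text):
        db, _, sources = line.partition(":")
        result[db.strip()] = sources.split()
    return result


def parse_ldap_conf(text: str) -> dict[str, str]:
    """Parse nss_ldap/pam_ldap 'key value' lines, keys lowercased."""
    result = {}
    for line in _statements(text):
        parts = re.split(r"\s+", line, maxsplit=1)
        result[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return result


def audit(nsswitch_text: str, ldap_conf_text: str) -> list[str]:
    """Return findings (an empty list means nothing to fix)."""
    findings = []
    nss = parse_nsswitch(nsswitch_text)
    for db in NSS_DATABASES:
        sources = nss.get(db, [])
        if "ldap" not in sources:
            findings.append(f"nsswitch: {db} never consults ldap")
        elif sources[0] != "files":
            findings.append(f"nsswitch: {db} must list 'files' before 'ldap' so root "
                            "and local accounts keep working when LDAP is down")
    conf = parse_ldap_conf(ldap_conf_text)
    uri = conf.get("uri", "")
    if uri.startswith("ldap://") and conf.get("ssl", "").lower() != "start_tls":
        findings.append("ldap.conf: plain ldap:// without 'ssl start_tls': every login "
                        "sends the user's password across the LAN in clear")
    if conf.get("ldap_version", "3") != "3":
        findings.append("ldap.conf: set ldap_version 3")
    if "bindpw" in conf:
        findings.append("ldap.conf: bindpw sits in world-readable /etc/ldap.conf; "
                        "use rootbinddn with the password in /etc/ldap.secret (mode 600)")
    if conf.get("bind_policy", "hard").lower() == "hard":
        findings.append("ldap.conf: bind_policy defaults to hard, so lookups keep retrying "
                        "an unreachable server; 'bind_policy soft' fails fast on laptops")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        nss_text, conf_text = SAMPLE_NSSWITCH, SAMPLE_LDAP_CONF
    else:
        nss_text = open(NSSWITCH_PATH, encoding="utf-8").read()
        conf_text = open(LDAP_CONF_PATH, encoding="utf-8").read()
    found = audit(nss_text, conf_text)
    print("\n".join(found) or "client configuration looks sane")
    sys.exit(1 if found else 0)
```

On the configuration exactly as the debconf answers above produce it, the script reports the cleartext ldap:// URI and the default bind policy; switching the URI to ldaps:// (or adding ssl start_tls with a tls_cacertfile) and adding bind_policy soft brings it to a clean run.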
Tested from the command line (getent passwd john, then a login as john), and it works fine.
Then I hit a small issue logging in at the console through the login manager: it only lists local users and offers no way to type another username (true since Ubuntu 12.04, I think).
The fix is simple: tell lightdm to offer a manual login by running
sudo /usr/lib/lightdm/lightdm-set-defaults -m true
(then restart lightdm: sudo /etc/init.d/lightdm restart). You can then type any login name at the lightdm greeter.
Note: after a reboot, I noticed that all LDAP users are also listed as selectable users. Great! (hopefully I don't have too many 🙂
Then I have to repeat this client installation on every system concerned, and…
… that's it!
Job done.