Difference between revisions of "Debian LDAP Client Installation"
(7 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | + | __NOTOC__ | |
+ | |||
+ | <div class="thumbnail img-thumbnail">http://wiki.sc3.uis.edu.co/images/a/a8/Logo_sc33.png</div> | ||
+ | <p><div class="btn btn-primary"><i class="fa fa-long-arrow-left"></i> [[LDAP]]</div></p> | ||
+ | |||
+ | <div class="col-md-14"> | ||
+ | <div class="panel panel-darker-white-border"> | ||
+ | <div class="panel-heading"> | ||
+ | <h3 class="panel-title">Debian LDAP Client Installation</h3> | ||
+ | </div> | ||
+ | <div class="panel-body"> | ||
+ | <p> | ||
This procedure shows how to create a ldap client installation from packages. | This procedure shows how to create a ldap client installation from packages. | ||
{{Note|<nowiki>This procedure works for Debian 7 "Wheezy"</nowiki>}} | {{Note|<nowiki>This procedure works for Debian 7 "Wheezy"</nowiki>}} | ||
− | |||
1. First install the required packages: | 1. First install the required packages: | ||
− | |||
{{Command|<nowiki>aptitude -y install libnss-ldap libpam-ldap ldap-utils | {{Command|<nowiki>aptitude -y install libnss-ldap libpam-ldap ldap-utils | ||
</nowiki>}} | </nowiki>}} | ||
An interface is shown at the end of the installation of the packages; In that interface is were the configuration parameters must be entered. | An interface is shown at the end of the installation of the packages; In that interface is were the configuration parameters must be entered. | ||
− | |||
2. Server setup | 2. Server setup | ||
− | |||
ldap://192.168.66.120 | ldap://192.168.66.120 | ||
− | |||
3. Entering the base | 3. Entering the base | ||
− | |||
dc=uis,dc=edu,dc=co | dc=uis,dc=edu,dc=co | ||
− | |||
4. Setting-up the protocol version | 4. Setting-up the protocol version | ||
− | |||
select 3 | select 3 | ||
− | |||
5. Setting-up pam-utilities to change passwords | 5. Setting-up pam-utilities to change passwords | ||
− | |||
Select Yes | Select Yes | ||
− | |||
6. Database access | 6. Database access | ||
− | |||
Select No | Select No | ||
− | |||
7. Setting-up account with LDAP access priviledges Configurar la cuenta de acceso con privilegios a LDAP | 7. Setting-up account with LDAP access priviledges Configurar la cuenta de acceso con privilegios a LDAP | ||
− | |||
cn=admin,dc=uis,dc=edu,dc=co | cn=admin,dc=uis,dc=edu,dc=co | ||
− | |||
8. Entering the password for said account. | 8. Entering the password for said account. | ||
Line 76: | Line 72: | ||
5. Replace the following line in /etc/pamd.d/common-password | 5. Replace the following line in /etc/pamd.d/common-password | ||
{{File|/etc/pamd.d/common-password|<pre><nowiki> | {{File|/etc/pamd.d/common-password|<pre><nowiki> | ||
+ | ... | ||
password required pam_unix.so nullok obscure md5 | password required pam_unix.so nullok obscure md5 | ||
+ | ... | ||
</nowiki></pre>}} | </nowiki></pre>}} | ||
for | for | ||
{{File|/etc/pamd.d/common-password|<pre><nowiki> | {{File|/etc/pamd.d/common-password|<pre><nowiki> | ||
+ | ... | ||
password required pam_passwdqc.so min=disabled,16,12,8,6 max=256 | password required pam_passwdqc.so min=disabled,16,12,8,6 max=256 | ||
password sufficient pam_unix.so use_authtok md5 | password sufficient pam_unix.so use_authtok md5 | ||
password sufficient pam_ldap.so use_first_pass use_authtok md5 | password sufficient pam_ldap.so use_first_pass use_authtok md5 | ||
password required pam_deny.so | password required pam_deny.so | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 6) Replace the following line in /etc/pamd.d/common-auth | ||
+ | {{File|/etc/pamd.d/common-auth|<pre><nowiki> | ||
+ | ... | ||
+ | auth required pam_unix.so nullok_secure | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | for | ||
+ | {{File|/etc/pamd.d/common-auth|<pre><nowiki> | ||
+ | ... | ||
+ | auth sufficient pam_unix.so | ||
+ | auth sufficient pam_ldap.so use_first_pass | ||
+ | auth required pam_deny.so | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 7. Replace the following line in /etc/pamd.d/common-account | ||
+ | {{File|/etc/pamd.d/common-account|<pre><nowiki> | ||
+ | ... | ||
+ | account required pam_unix.so | ||
+ | ... | ||
</nowiki></pre>}} | </nowiki></pre>}} | ||
− | |||
− | |||
− | |||
− | |||
Por | Por | ||
− | + | {{File|/etc/pamd.d/common-account|<pre><nowiki> | |
− | + | ... | |
− | + | account sufficient pam_unix.so | |
− | + | account sufficient pam_ldap.so | |
− | + | account required pam_deny.so | |
− | + | ... | |
− | + | </nowiki></pre>}} | |
− | + | 8. Edit /etc/pam_ldap.conf and add the following lines | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | 8. | ||
{{File|/etc/pam_ldap.conf|<pre><nowiki> | {{File|/etc/pam_ldap.conf|<pre><nowiki> | ||
... | ... | ||
Line 114: | Line 122: | ||
pam_password crypt | pam_password crypt | ||
</nowiki></pre>}} | </nowiki></pre>}} | ||
− | 9. | + | 9. Start the nscd daemon |
{{Command|<nowiki>/etc/init.d/nscd start</nowiki>}} | {{Command|<nowiki>/etc/init.d/nscd start</nowiki>}} | ||
10. Test the setup | 10. Test the setup | ||
{{Command|<nowiki>getent passwd</nowiki>}} | {{Command|<nowiki>getent passwd</nowiki>}} | ||
+ | |||
+ | {{Note|<nowiki> | ||
+ | If the client is already set-up and you only need to modify the connection parameters, the procedure is as follows: | ||
+ | </nowiki>}} | ||
+ | |||
+ | 1. Edit the file /etc/libnss-ldap.conf y change the line shown below to the new uri (The uri being in this case ldap://someroot.somedc.somedc) | ||
+ | {{File|/etc/libnss-ldap.conf|<pre><nowiki> | ||
+ | ... | ||
+ | uri ldap://someroot.somedc.somedc | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 2. Edit /etc/pam_ldap.conf change the line with the uri | ||
+ | {{File|/etc/pam_ldap.conf|<pre><nowiki> | ||
+ | ... | ||
+ | uri ldap://someroot.somedc.somedc | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 3. Edit /etc/ldap/ldap.conf adding the following lines (somedc and the uri written are placeholder texts) | ||
+ | {{File|/etc/ldap/ldap.conf|<pre><nowiki> | ||
+ | ... | ||
+ | BASE dc=somedc,dc=somedc,dc=somedc | ||
+ | URI ldaps://someroot.somedc.somedc | ||
+ | TLS_REQCERT never | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 4. Backup the following files | ||
+ | {{Command|<nowiki>cp /etc/pam_ldap.secret /etc/pam_ldap.secret.orig</nowiki>}} | ||
+ | {{Command|<nowiki>cp /etc/libnss-ldap.secret /etc/libnss-ldap.secret.orig</nowiki>}} | ||
+ | 5. Edit the files /etc/pam_ldap.secret and /etc/libnss-ldap.secret changing the password. | ||
+ | |||
+ | 6. Test the setup by login-in in the machine with an ldap user. | ||
+ | |||
+ | </p> | ||
+ | </div> | ||
+ | </div> | ||
+ | </div> |
Latest revision as of 19:45, 9 April 2015
Debian LDAP Client Installation
This procedure shows how to create a ldap client installation from packages.
1. First install the required packages:
An interface is shown at the end of the installation of the packages; In that interface is were the configuration parameters must be entered. 2. Server setup
ldap://192.168.66.120
3. Entering the base
dc=uis,dc=edu,dc=co
4. Setting-up the protocol version
select 3
5. Setting-up pam-utilities to change passwords
Select Yes
6. Database access
Select No
7. Setting-up account with LDAP access priviledges Configurar la cuenta de acceso con privilegios a LDAP
cn=admin,dc=uis,dc=edu,dc=co
8. Entering the password for said account.
Now to configure LDAP-PAM integration:
1. Install the required packages:
2. Edit the file /etc/libnss-ldap.conf like this:
... base dc=local,dc=net uri ldaps://ldap.local.net ldap_version 3 binddn cn=nss,ou=Admin,dc=local,dc=net bindpw COLOQUE_AQUI_LA_CLAVE scope one pam_filter objectclass=posixAccount pam_login_attribute uid pam_password crypt nss_base_passwd ou=People,dc=local,dc=net?one nss_base_shadow ou=People,dc=local,dc=net?one nss_base_group ou=Group,dc=local,dc=net?one ssl on tls_checkpeer no ...
3. Set-up the file /etc/nsswitch.conf
... passwd: files ldap shadow: files ldap group: files ldap ...
4. Add the following option to /etc/openldap/ldap.conf
... TLS_REQCERT never ...
5. Replace the following line in /etc/pamd.d/common-password
... password required pam_unix.so nullok obscure md5 ...
for
... password required pam_passwdqc.so min=disabled,16,12,8,6 max=256 password sufficient pam_unix.so use_authtok md5 password sufficient pam_ldap.so use_first_pass use_authtok md5 password required pam_deny.so ...
6) Replace the following line in /etc/pamd.d/common-auth
... auth required pam_unix.so nullok_secure ...
for
... auth sufficient pam_unix.so auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so ...
7. Replace the following line in /etc/pamd.d/common-account
... account required pam_unix.so ...
Por
... account sufficient pam_unix.so account sufficient pam_ldap.so account required pam_deny.so ...
8. Edit /etc/pam_ldap.conf and add the following lines
... # lines to be added base dc=platino,dc=gov,dc=ve uri ldaps://ldap.platino.gov.ve ldap_version 3 pam_password crypt
9. Start the nscd daemon
10. Test the setup
1. Edit the file /etc/libnss-ldap.conf y change the line shown below to the new uri (The uri being in this case ldap://someroot.somedc.somedc)
... uri ldap://someroot.somedc.somedc ...
2. Edit /etc/pam_ldap.conf change the line with the uri
... uri ldap://someroot.somedc.somedc ...
3. Edit /etc/ldap/ldap.conf adding the following lines (somedc and the uri written are placeholder texts)
... BASE dc=somedc,dc=somedc,dc=somedc URI ldaps://someroot.somedc.somedc TLS_REQCERT never ...
4. Backup the following files
5. Edit the files /etc/pam_ldap.secret and /etc/libnss-ldap.secret changing the password.
6. Test the setup by login-in in the machine with an ldap user.