Difference between revisions of "Debian LDAP Client Installation"
(13 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
+ | __NOTOC__ | ||
+ | |||
+ | <div class="thumbnail img-thumbnail">http://wiki.sc3.uis.edu.co/images/a/a8/Logo_sc33.png</div> | ||
+ | <p><div class="btn btn-primary"><i class="fa fa-long-arrow-left"></i> [[LDAP]]</div></p> | ||
+ | |||
+ | <div class="col-md-14"> | ||
+ | <div class="panel panel-darker-white-border"> | ||
+ | <div class="panel-heading"> | ||
+ | <h3 class="panel-title">Debian LDAP Client Installation</h3> | ||
+ | </div> | ||
+ | <div class="panel-body"> | ||
+ | <p> | ||
+ | |||
This procedure shows how to create a ldap client installation from packages. | This procedure shows how to create a ldap client installation from packages. | ||
+ | {{Note|<nowiki>This procedure works for Debian 7 "Wheezy"</nowiki>}} | ||
1. First install the required packages: | 1. First install the required packages: | ||
− | |||
{{Command|<nowiki>aptitude -y install libnss-ldap libpam-ldap ldap-utils | {{Command|<nowiki>aptitude -y install libnss-ldap libpam-ldap ldap-utils | ||
</nowiki>}} | </nowiki>}} | ||
An interface is shown at the end of the installation of the packages; In that interface is were the configuration parameters must be entered. | An interface is shown at the end of the installation of the packages; In that interface is were the configuration parameters must be entered. | ||
− | |||
2. Server setup | 2. Server setup | ||
+ | ldap://192.168.66.120 | ||
+ | 3. Entering the base | ||
+ | dc=uis,dc=edu,dc=co | ||
+ | 4. Setting-up the protocol version | ||
+ | select 3 | ||
+ | 5. Setting-up pam-utilities to change passwords | ||
+ | Select Yes | ||
+ | 6. Database access | ||
+ | Select No | ||
+ | 7. Setting-up account with LDAP access priviledges Configurar la cuenta de acceso con privilegios a LDAP | ||
+ | cn=admin,dc=uis,dc=edu,dc=co | ||
+ | 8. Entering the password for said account. | ||
− | + | Now to configure LDAP-PAM integration: | |
− | 3) | + | 1. Install the required packages: |
+ | {{Command|<nowiki>apt-get install ldap-utils libpam-ldap libnss-ldap nscd</nowiki>}} | ||
+ | 2. Edit the file /etc/libnss-ldap.conf like this: | ||
+ | {{File|/etc/libnss-ldap.conf|<pre><nowiki> | ||
+ | ... | ||
+ | base dc=local,dc=net | ||
+ | uri ldaps://ldap.local.net | ||
+ | ldap_version 3 | ||
+ | binddn cn=nss,ou=Admin,dc=local,dc=net | ||
+ | bindpw COLOQUE_AQUI_LA_CLAVE | ||
+ | scope one | ||
+ | pam_filter objectclass=posixAccount | ||
+ | pam_login_attribute uid | ||
+ | pam_password crypt | ||
+ | nss_base_passwd ou=People,dc=local,dc=net?one | ||
+ | nss_base_shadow ou=People,dc=local,dc=net?one | ||
+ | nss_base_group ou=Group,dc=local,dc=net?one | ||
+ | ssl on | ||
+ | tls_checkpeer no | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 3. Set-up the file /etc/nsswitch.conf | ||
+ | {{File|/etc/nsswitch.conf|<pre><nowiki> | ||
+ | ... | ||
+ | passwd: files ldap | ||
+ | shadow: files ldap | ||
+ | group: files ldap | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 4. Add the following option to /etc/openldap/ldap.conf | ||
+ | {{File|/etc/openldap/ldap.conf|<pre><nowiki> | ||
+ | ... | ||
+ | TLS_REQCERT never | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 5. Replace the following line in /etc/pamd.d/common-password | ||
+ | {{File|/etc/pamd.d/common-password|<pre><nowiki> | ||
+ | ... | ||
+ | password required pam_unix.so nullok obscure md5 | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | for | ||
+ | {{File|/etc/pamd.d/common-password|<pre><nowiki> | ||
+ | ... | ||
+ | password required pam_passwdqc.so min=disabled,16,12,8,6 max=256 | ||
+ | password sufficient pam_unix.so use_authtok md5 | ||
+ | password sufficient pam_ldap.so use_first_pass use_authtok md5 | ||
+ | password required pam_deny.so | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 6) Replace the following line in /etc/pamd.d/common-auth | ||
+ | {{File|/etc/pamd.d/common-auth|<pre><nowiki> | ||
+ | ... | ||
+ | auth required pam_unix.so nullok_secure | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | for | ||
+ | {{File|/etc/pamd.d/common-auth|<pre><nowiki> | ||
+ | ... | ||
+ | auth sufficient pam_unix.so | ||
+ | auth sufficient pam_ldap.so use_first_pass | ||
+ | auth required pam_deny.so | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 7. Replace the following line in /etc/pamd.d/common-account | ||
+ | {{File|/etc/pamd.d/common-account|<pre><nowiki> | ||
+ | ... | ||
+ | account required pam_unix.so | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | Por | ||
+ | {{File|/etc/pamd.d/common-account|<pre><nowiki> | ||
+ | ... | ||
+ | account sufficient pam_unix.so | ||
+ | account sufficient pam_ldap.so | ||
+ | account required pam_deny.so | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 8. Edit /etc/pam_ldap.conf and add the following lines | ||
+ | {{File|/etc/pam_ldap.conf|<pre><nowiki> | ||
+ | ... | ||
+ | # lines to be added | ||
+ | base dc=platino,dc=gov,dc=ve | ||
+ | uri ldaps://ldap.platino.gov.ve | ||
+ | ldap_version 3 | ||
+ | pam_password crypt | ||
+ | </nowiki></pre>}} | ||
+ | 9. Start the nscd daemon | ||
+ | {{Command|<nowiki>/etc/init.d/nscd start</nowiki>}} | ||
+ | 10. Test the setup | ||
+ | {{Command|<nowiki>getent passwd</nowiki>}} | ||
− | + | {{Note|<nowiki> | |
− | + | If the client is already set-up and you only need to modify the connection parameters, the procedure is as follows: | |
− | + | </nowiki>}} | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | 1. Edit the file /etc/libnss-ldap.conf y change the line shown below to the new uri (The uri being in this case ldap://someroot.somedc.somedc) | |
+ | {{File|/etc/libnss-ldap.conf|<pre><nowiki> | ||
+ | ... | ||
+ | uri ldap://someroot.somedc.somedc | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 2. Edit /etc/pam_ldap.conf change the line with the uri | ||
+ | {{File|/etc/pam_ldap.conf|<pre><nowiki> | ||
+ | ... | ||
+ | uri ldap://someroot.somedc.somedc | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 3. Edit /etc/ldap/ldap.conf adding the following lines (somedc and the uri written are placeholder texts) | ||
+ | {{File|/etc/ldap/ldap.conf|<pre><nowiki> | ||
+ | ... | ||
+ | BASE dc=somedc,dc=somedc,dc=somedc | ||
+ | URI ldaps://someroot.somedc.somedc | ||
+ | TLS_REQCERT never | ||
+ | ... | ||
+ | </nowiki></pre>}} | ||
+ | 4. Backup the following files | ||
+ | {{Command|<nowiki>cp /etc/pam_ldap.secret /etc/pam_ldap.secret.orig</nowiki>}} | ||
+ | {{Command|<nowiki>cp /etc/libnss-ldap.secret /etc/libnss-ldap.secret.orig</nowiki>}} | ||
+ | 5. Edit the files /etc/pam_ldap.secret and /etc/libnss-ldap.secret changing the password. | ||
− | + | 6. Test the setup by login-in in the machine with an ldap user. | |
+ | |||
+ | </p> | ||
+ | </div> | ||
+ | </div> | ||
+ | </div> |
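Review bot: the libnss-ldap.conf block (tls_checkpeer no) and the ldap.conf block (TLS_REQCERT never) tell the client to skip verification of the server certificate, so the ldaps:// URIs in this revision give an encrypted but unauthenticated connection; the steps should install the server's CA and use tls_checkpeer yes with tls_cacertfile in libnss-ldap.conf / pam_ldap.conf and TLS_REQCERT demand in ldap.conf. The bindpw line in /etc/libnss-ldap.conf stores that account's password in a file every local user can read (NSS lookups run in every process), so either bind anonymously or use rootbinddn with the root-only /etc/libnss-ldap.secret that step 5 of the reconfiguration section already edits. Path typos: /etc/pamd.d/ in steps 5 to 7 should be /etc/pam.d/, and /etc/openldap/ldap.conf in step 4 is /etc/ldap/ldap.conf on Debian, the name the reconfiguration section itself uses. Three different base DNs (dc=uis,dc=edu,dc=co, dc=local,dc=net, dc=platino,dc=gov,dc=ve) appear as if they were one site; one placeholder would avoid confusing readers. Leftover Spanish ("Configurar la cuenta de acceso con privilegios a LDAP", "Por", "y change") and the "6)" numbering should be cleaned up.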
Latest revision as of 19:45, 9 April 2015
Debian LDAP Client Installation

This procedure shows how to set up an LDAP client on Debian from packages. It was written for Debian 7 "Wheezy".

1. First install the required packages:

    aptitude -y install libnss-ldap libpam-ldap ldap-utils

A configuration dialog is shown at the end of the package installation; the connection parameters are entered in that dialog.

2. Server setup:

    ldap://192.168.66.120

3. Entering the base:

    dc=uis,dc=edu,dc=co

4. Setting up the protocol version:

    select 3

5. Setting up PAM utilities to change passwords:

    select Yes

6. Database access:

    select No

7. Setting up the account with LDAP access privileges:

    cn=admin,dc=uis,dc=edu,dc=co

8. Entering the password for that account.

Now configure the LDAP-PAM integration:

1. Install the required packages:

    apt-get install ldap-utils libpam-ldap libnss-ldap nscd

2. Edit the file /etc/libnss-ldap.conf like this:

    ...
    base dc=local,dc=net
    uri ldaps://ldap.local.net
    ldap_version 3
    binddn cn=nss,ou=Admin,dc=local,dc=net
    bindpw COLOQUE_AQUI_LA_CLAVE
    scope one
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    pam_password crypt
    nss_base_passwd ou=People,dc=local,dc=net?one
    nss_base_shadow ou=People,dc=local,dc=net?one
    nss_base_group ou=Group,dc=local,dc=net?one
    ssl on
    tls_checkpeer no
    ...

The bindpw value COLOQUE_AQUI_LA_CLAVE is a placeholder ("put the password here"); because /etc/libnss-ldap.conf is readable by every local user, the bind account should have read-only, minimal directory privileges.

3. Set up the file /etc/nsswitch.conf:

    ...
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    ...

4. Add the following option to /etc/openldap/ldap.conf (on Debian this client configuration file is /etc/ldap/ldap.conf, the path used in the reconfiguration steps below):

    ...
    TLS_REQCERT never
    ...

TLS_REQCERT never, like tls_checkpeer no above, makes the client accept any server certificate, so the ldaps:// connection is encrypted but the server is not authenticated; on a production client install the server's CA and use TLS_REQCERT demand and tls_checkpeer yes instead.

5. Replace the following line in /etc/pam.d/common-password:

    ...
    password required pam_unix.so nullok obscure md5
    ...

with:

    ...
    password required pam_passwdqc.so min=disabled,16,12,8,6 max=256
    password sufficient pam_unix.so use_authtok md5
    password sufficient pam_ldap.so use_first_pass use_authtok md5
    password required pam_deny.so
    ...

6. Replace the following line in /etc/pam.d/common-auth:

    ...
    auth required pam_unix.so nullok_secure
    ...

with:

    ...
    auth sufficient pam_unix.so
    auth sufficient pam_ldap.so use_first_pass
    auth required pam_deny.so
    ...

7. Replace the following line in /etc/pam.d/common-account:

    ...
    account required pam_unix.so
    ...

with:

    ...
    account sufficient pam_unix.so
    account sufficient pam_ldap.so
    account required pam_deny.so
    ...

8. Edit /etc/pam_ldap.conf and add the following lines:

    ...
    # lines to be added
    base dc=platino,dc=gov,dc=ve
    uri ldaps://ldap.platino.gov.ve
    ldap_version 3
    pam_password crypt

9. Start the nscd daemon:

    /etc/init.d/nscd start

10. Test the setup:

    getent passwd
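A check for the weak settings this procedure leaves in the client files (tls_checkpeer no, TLS_REQCERT never, a bindpw in a world-readable file, a plain ldap:// URI without start_tls), as an added example that is not part of the wiki page. It assumes the files use the libnss-ldap, pam_ldap and ldap.conf keywords shown above; the sample files it writes are constructed, and tls_cacertfile with the Debian CA bundle path is an assumption for the hardened variant.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit the client files from this
# procedure (libnss-ldap.conf, pam_ldap.conf, ldap.conf) for settings that
# weaken it. The sample files written below are constructed for the demo.
# Drop comments/blank lines and lower-case the keyword, so the libnss-ldap
# spelling (tls_checkpeer) and the ldap.conf one (TLS_REQCERT) match alike.
normalize_conf() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{ $1 = tolower($1); print }'
}

# Print one line per weak setting in the file $1; prints nothing if clean.
ldap_conf_findings() {
    conf=$(normalize_conf "$1")
    has() { printf '%s\n' "$conf" | grep -Eq "$1"; }
    has '^tls_checkpeer no$' \
        && echo "$1: tls_checkpeer no skips server certificate verification"
    has '^tls_reqcert (never|allow)$' \
        && echo "$1: TLS_REQCERT never/allow accepts any server certificate"
    if has '^uri ldap://' && ! has '^ssl start_tls$'; then
        echo "$1: plain ldap:// URI without start_tls sends binds in clear"
    fi
    has '^bindpw ' \
        && echo "$1: bindpw sits in a file every local user can read"
    return 0
}

# Number of weak settings, usable as a gate in a deployment check.
ldap_conf_weak_count() { ldap_conf_findings "$1" | wc -l | tr -d ' '; }
# Write the page's libnss-ldap.conf (weak) and a hardened variant into $1.
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
uri ldaps://ldap.local.net
binddn cn=nss,ou=Admin,dc=local,dc=net
bindpw COLOQUE_AQUI_LA_CLAVE
ssl on
tls_checkpeer no
EOF
    # Hardened: verify the server against the system CA bundle and bind
    # anonymously (or via rootbinddn and the root-only libnss-ldap.secret).
    cat > "$1/hardened.conf" <<'EOF'
uri ldaps://ldap.local.net
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
EOF
}

dir=$(mktemp -d) && write_sample_confs "$dir"
ldap_conf_findings "$dir/weak.conf"; rm -r "$dir"
```

Run it against the real files with ldap_conf_findings /etc/libnss-ldap.conf /etc/pam_ldap.conf /etc/ldap/ldap.conf one at a time; an empty result means none of the four weak settings is present.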
If the client is already set up and you only need to modify the connection parameters, the procedure is as follows:

1. Edit the file /etc/libnss-ldap.conf and change the line shown below to the new URI (in this example ldap://someroot.somedc.somedc):

    ...
    uri ldap://someroot.somedc.somedc
    ...

2. Edit /etc/pam_ldap.conf and change the line with the URI:

    ...
    uri ldap://someroot.somedc.somedc
    ...

3. Edit /etc/ldap/ldap.conf, adding the following lines (somedc and the URI are placeholders):

    ...
    BASE dc=somedc,dc=somedc,dc=somedc
    URI ldaps://someroot.somedc.somedc
    TLS_REQCERT never
    ...

4. Back up the following files:

    cp /etc/pam_ldap.secret /etc/pam_ldap.secret.orig
    cp /etc/libnss-ldap.secret /etc/libnss-ldap.secret.orig

5. Edit the files /etc/pam_ldap.secret and /etc/libnss-ldap.secret, changing the password.

6. Test the setup by logging in to the machine with an LDAP user.