Difference between revisions of "Debian LDAP Client Installation"

From Supercomputación y Cálculo Científico UIS
 

Latest revision as of 19:45, 9 April 2015



Debian LDAP Client Installation

This procedure shows how to set up an LDAP client installation from packages.

NOTE: This procedure works for Debian 7 "Wheezy"

1. First install the required packages:

aptitude -y install libnss-ldap libpam-ldap ldap-utils

A configuration dialog is shown at the end of the package installation; the configuration parameters are entered there.

2. Server setup

ldap://192.168.66.120

3. Entering the base

dc=uis,dc=edu,dc=co

4. Setting-up the protocol version

select 3

5. Setting-up pam-utilities to change passwords

Select Yes

6. Database access

Select No

7. Setting up the account with LDAP access privileges

cn=admin,dc=uis,dc=edu,dc=co

8. Entering the password for said account.

Now to configure LDAP-PAM integration:

1. Install the required packages:

apt-get install ldap-utils libpam-ldap libnss-ldap nscd

2. Edit the file /etc/libnss-ldap.conf like this:

File: /etc/libnss-ldap.conf
...
base dc=local,dc=net
uri ldaps://ldap.local.net
ldap_version 3
binddn cn=nss,ou=Admin,dc=local,dc=net
bindpw COLOQUE_AQUI_LA_CLAVE
scope one
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password crypt
nss_base_passwd ou=People,dc=local,dc=net?one
nss_base_shadow ou=People,dc=local,dc=net?one
nss_base_group  ou=Group,dc=local,dc=net?one
ssl on
tls_checkpeer no
...

3. Set up the file /etc/nsswitch.conf

File: /etc/nsswitch.conf
...
passwd:      files ldap
shadow:      files ldap
group:       files ldap
...

4. Add the following option to /etc/openldap/ldap.conf

File: /etc/openldap/ldap.conf
...
TLS_REQCERT never
...

5. Replace the following line in /etc/pam.d/common-password

File: /etc/pam.d/common-password
...
password   required   pam_unix.so nullok obscure md5
...

with

File: /etc/pam.d/common-password
...
password required pam_passwdqc.so min=disabled,16,12,8,6 max=256
password sufficient pam_unix.so use_authtok md5
password sufficient pam_ldap.so use_first_pass use_authtok md5
password required pam_deny.so
...

6. Replace the following line in /etc/pam.d/common-auth

File: /etc/pam.d/common-auth
...
auth required pam_unix.so nullok_secure
...

with

File: /etc/pam.d/common-auth
...
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
...

7. Replace the following line in /etc/pam.d/common-account

File: /etc/pam.d/common-account
...
account required pam_unix.so
...

with

File: /etc/pam.d/common-account
...
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
...

8. Edit /etc/pam_ldap.conf and add the following lines

File: /etc/pam_ldap.conf
...
# lines to be added
base dc=platino,dc=gov,dc=ve
uri ldaps://ldap.platino.gov.ve
ldap_version 3
pam_password crypt

9. Start the nscd daemon

/etc/init.d/nscd start

10. Test the setup

getent passwd
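The configuration above works, but two of its settings deserve a check before the client goes into service: `tls_checkpeer no` in libnss-ldap.conf (like `TLS_REQCERT never` in ldap.conf) makes the client accept any server certificate, so the bind password can be handed to an impostor server, and `bindpw` placed in the world-readable libnss-ldap.conf exposes that password to every local user, whereas the Debian packages keep it in the mode-600 /etc/libnss-ldap.secret file used later on this page. The script below is an added example, not part of the wiki procedure: it parses the "key value" format of libnss-ldap.conf and pam_ldap.conf, reports these weaknesses, and checks that nsswitch.conf actually lists ldap for a database. The sample files it audits are constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Audit helpers for libnss-ldap / pam_ldap style client configuration files
# ("key value" per line, '#' comments). Added example; not part of the wiki
# procedure. The sample files created at the bottom are constructed.

# conf_get FILE KEY: print the value of KEY (the last occurrence wins,
# which is how the libraries read repeated keys).
conf_get() {
    awk -v key="$2" '
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$1"
}

# nss_uses_ldap FILE DB: succeed if nsswitch database DB (passwd, shadow,
# group, ...) lists ldap among its sources.
nss_uses_ldap() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# audit_ldap_conf FILE: print one WARN line per weak setting and return
# the number of findings as the exit status.
audit_ldap_conf() {
    conf="$1"; n=0
    uri=$(conf_get "$conf" uri)
    ssl=$(conf_get "$conf" ssl)
    checkpeer=$(conf_get "$conf" tls_checkpeer)
    bindpw=$(conf_get "$conf" bindpw)

    # Transport: ldaps:// encrypts from the first byte; a plain ldap:// URI
    # is only acceptable together with 'ssl start_tls'.
    case "$uri" in
        ldaps://*) ;;
        ldap://*)
            if [ "$ssl" != "start_tls" ]; then
                echo "WARN: $conf: uri $uri without 'ssl start_tls': credentials and directory data cross the network in clear text"
                n=$((n + 1))
            fi ;;
        *)
            echo "WARN: $conf: no uri configured"
            n=$((n + 1)) ;;
    esac

    # tls_checkpeer no accepts any certificate, so TLS no longer proves
    # which server received the bind password.
    if [ "$checkpeer" = "no" ]; then
        echo "WARN: $conf: tls_checkpeer no disables server certificate verification"
        n=$((n + 1))
    fi

    # The bind password belongs in the mode-600 *.secret file, not in a
    # configuration file that every local user can read.
    if [ -n "$bindpw" ] && [ -n "$(find "$conf" -perm -o+r)" ]; then
        echo "WARN: $conf: bindpw is set in a world-readable file"
        n=$((n + 1))
    fi
    return "$n"
}

# Demonstration on constructed files mirroring the wiki's example values.
demo_dir=$(mktemp -d)
cat > "$demo_dir/libnss-ldap.conf" <<'EOF'
base dc=local,dc=net
uri ldaps://ldap.local.net
ldap_version 3
binddn cn=nss,ou=Admin,dc=local,dc=net
bindpw COLOQUE_AQUI_LA_CLAVE
ssl on
tls_checkpeer no
EOF
chmod 644 "$demo_dir/libnss-ldap.conf"
printf 'passwd:      files ldap\nshadow:      files ldap\ngroup:       files ldap\n' \
    > "$demo_dir/nsswitch.conf"

audit_ldap_conf "$demo_dir/libnss-ldap.conf"
echo "findings: $?"
nss_uses_ldap "$demo_dir/nsswitch.conf" passwd && echo "nsswitch: passwd resolves via ldap"
rm -r "$demo_dir"
```

Run it against copies of the real files once the client is configured; two findings are expected for the sample above (certificate verification disabled, bind password in a world-readable file). The `find -perm -o+r` test is used instead of `stat` because its symbolic-mode form behaves the same on GNU and BSD userlands.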


NOTE: If the client is already set-up and you only need to modify the connection parameters, the procedure is as follows:


1. Edit the file /etc/libnss-ldap.conf and change the line shown below to the new URI (in this case ldap://someroot.somedc.somedc)

File: /etc/libnss-ldap.conf
...
uri ldap://someroot.somedc.somedc
...

2. Edit /etc/pam_ldap.conf and change the line with the URI

File: /etc/pam_ldap.conf
...
uri ldap://someroot.somedc.somedc
...

3. Edit /etc/ldap/ldap.conf adding the following lines (somedc and the URI shown are placeholders)

File: /etc/ldap/ldap.conf
...
BASE    dc=somedc,dc=somedc,dc=somedc
URI     ldaps://someroot.somedc.somedc
TLS_REQCERT never
...

4. Back up the following files

cp /etc/pam_ldap.secret /etc/pam_ldap.secret.orig
cp /etc/libnss-ldap.secret /etc/libnss-ldap.secret.orig

5. Edit the files /etc/pam_ldap.secret and /etc/libnss-ldap.secret changing the password.

6. Test the setup by logging in to the machine with an LDAP user.
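Steps 1, 2, 4 and 5 of this reconfiguration are the same edit applied to two configuration files and two secret files, so they lend themselves to a script. The one below is an added example, not part of the wiki page: it takes a directory argument so it can be exercised on copies of the files (constructed at the bottom) before being pointed at /etc, keeps the `.orig` backups the page asks for, and writes the secret files under `umask 077` so the new password is never world-readable, not even for an instant. It deliberately does not write `TLS_REQCERT never` into ldap.conf (step 3), since that setting makes the client accept any server certificate; the hostnames, passwords and directory names used are placeholders.

```shell
#!/bin/sh
# Switch an existing Debian LDAP client to a new URI and bind password.
# Added example, not part of the wiki procedure; all sample values are
# constructed placeholders. The target directory is a parameter so the
# functions can be tried on copies of the files instead of /etc.

# set_uri FILE NEW_URI: back FILE up to FILE.orig, then rewrite its 'uri'
# line (or append one if the file has none). File mode is preserved.
set_uri() {
    file="$1"; new_uri="$2"
    cp -p "$file" "$file.orig"
    if grep -q '^uri[[:space:]]' "$file"; then
        # '|' is the sed delimiter because URIs contain '/'.
        sed "s|^uri[[:space:]].*|uri $new_uri|" "$file" > "$file.new" \
            && cat "$file.new" > "$file" && rm -f "$file.new"
    else
        printf 'uri %s\n' "$new_uri" >> "$file"
    fi
}

# set_secret FILE PASSWORD: write the bind password with owner-only
# permissions. umask 077 makes the file private at creation time, so there
# is no window in which another local user could read it.
set_secret() {
    file="$1"; pw="$2"
    if [ -f "$file" ]; then
        cp -p "$file" "$file.orig"
    fi
    old_umask=$(umask)
    umask 077
    printf '%s\n' "$pw" > "$file"
    umask "$old_umask"
    chmod 600 "$file"
}

# reconfigure_client DIR NEW_URI PASSWORD: apply the change to the four
# files the page edits, relative to DIR (use /etc on the real client).
reconfigure_client() {
    dir="$1"; new_uri="$2"; pw="$3"
    for f in libnss-ldap.conf pam_ldap.conf; do
        set_uri "$dir/$f" "$new_uri"
    done
    for f in pam_ldap.secret libnss-ldap.secret; do
        set_secret "$dir/$f" "$pw"
    done
}

# file_mode FILE: permission string as printed by ls, e.g. rw-------
file_mode() {
    ls -ld "$1" | cut -c2-10
}

# Demonstration on constructed copies of the files.
demo=$(mktemp -d)
printf 'base dc=somedc,dc=somedc,dc=somedc\nuri ldap://oldhost.somedc.somedc\nldap_version 3\n' \
    > "$demo/libnss-ldap.conf"
printf 'uri ldap://oldhost.somedc.somedc\npam_password crypt\n' > "$demo/pam_ldap.conf"
printf 'old-placeholder-password\n' > "$demo/pam_ldap.secret"

reconfigure_client "$demo" ldaps://someroot.somedc.somedc 'new-placeholder-password'
grep '^uri' "$demo/libnss-ldap.conf" "$demo/pam_ldap.conf"
echo "pam_ldap.secret mode: $(file_mode "$demo/pam_ldap.secret")"
rm -r "$demo"
```

After running it against /etc, restart nscd (it caches the old answers) and perform the login test from step 6. The `.orig` copies are left in place exactly as the page's step 4 creates them, so the previous settings can be restored with a plain `cp`.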