Debian LDAP Client Installation

From Supercomputación y Cálculo Científico UIS
Revision as of 18:45, 3 September 2014 by Sgelvez (talk | contribs)


This procedure shows how to set up an LDAP client installation from packages.

NOTE: This procedure works for Debian 7 "Wheezy"

1. First install the required packages:

aptitude -y install libnss-ldap libpam-ldap ldap-utils

An interface is shown at the end of the package installation; the configuration parameters must be entered there.

2. Server setup

ldap://192.168.66.120

3. Entering the base

dc=uis,dc=edu,dc=co

4. Setting up the protocol version

select 3

5. Setting up PAM utilities to change passwords

Select Yes

6. Database access

Select No

7. Setting up the account with LDAP access privileges

cn=admin,dc=uis,dc=edu,dc=co

8. Enter the password for that account.

Now to configure LDAP-PAM integration:

1. Install the required packages:

apt-get install ldap-utils libpam-ldap libnss-ldap nscd

2. Edit the file /etc/libnss-ldap.conf like this:

File: /etc/libnss-ldap.conf
...
base dc=local,dc=net
uri ldaps://ldap.local.net
ldap_version 3
binddn cn=nss,ou=Admin,dc=local,dc=net
bindpw COLOQUE_AQUI_LA_CLAVE
scope one
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password crypt
nss_base_passwd ou=People,dc=local,dc=net?one
nss_base_shadow ou=People,dc=local,dc=net?one
nss_base_group  ou=Group,dc=local,dc=net?one
ssl on
tls_checkpeer no
...

3. Set up the file /etc/nsswitch.conf

File: /etc/nsswitch.conf
...
passwd:      files ldap
shadow:      files ldap
group:       files ldap
...

4. Add the following option to /etc/openldap/ldap.conf

File: /etc/openldap/ldap.conf
...
TLS_REQCERT never
...

5. Replace the following line in /etc/pam.d/common-password

File: /etc/pam.d/common-password
...
password   required   pam_unix.so nullok obscure md5
...

with

File: /etc/pam.d/common-password
...
password required pam_passwdqc.so min=disabled,16,12,8,6 max=256
password sufficient pam_unix.so use_authtok md5
password sufficient pam_ldap.so use_first_pass use_authtok md5
password required pam_deny.so
...

6. Replace the following line in /etc/pam.d/common-auth

File: /etc/pam.d/common-auth
...
auth required pam_unix.so nullok_secure
...

with

File: /etc/pam.d/common-auth
...
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
...

7. Replace the following line in /etc/pam.d/common-account

File: /etc/pam.d/common-account
...
account required pam_unix.so
...

with

File: /etc/pam.d/common-account
...
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
...

8. Edit /etc/pam_ldap.conf and add the following lines

File: /etc/pam_ldap.conf
...
# lines to be added
base dc=platino,dc=gov,dc=ve
uri ldaps://ldap.platino.gov.ve
ldap_version 3
pam_password crypt

9. Start the nscd daemon

/etc/init.d/nscd start

10. Test the setup

getent passwd
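Added example, not part of the original page: a small Python audit that parses configuration fragments in the key/value format used by /etc/libnss-ldap.conf and /etc/ldap/ldap.conf and flags the options in the procedure above that weaken server authentication (tls_checkpeer no, TLS_REQCERT never), plaintext ldap:// URIs, and the placeholder bind password. The sample contents are constructed from the page's own fragments; the hosts and DNs in them are the page's examples, not live systems.

```python
# Constructed samples built from the fragments shown on this page.
LIBNSS_LDAP_CONF = """\
base dc=local,dc=net
uri ldaps://ldap.local.net
ldap_version 3
binddn cn=nss,ou=Admin,dc=local,dc=net
bindpw COLOQUE_AQUI_LA_CLAVE
ssl on
tls_checkpeer no
"""
LDAP_CONF = """\
BASE    dc=uis,dc=edu,dc=co
URI     ldaps://192.168.66.5
TLS_REQCERT never
"""
PLACEHOLDER_PW = "COLOQUE_AQUI_LA_CLAVE"  # the placeholder left in the page's template

def parse_ldap_conf(text):
    """Parse 'key value' lines into a dict; keys are case-insensitive, '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(conf):
    """Return (option, reason) pairs for settings that weaken server authentication."""
    findings = []
    starttls = conf.get("ssl", "").lower() == "start_tls"  # STARTTLS upgrades a ldap:// session
    for uri in conf.get("uri", "").split():
        if uri.lower().startswith("ldap://") and not starttls:
            findings.append(("uri", f"{uri} is plaintext LDAP; binds and lookups cross the network unencrypted"))
    if conf.get("tls_checkpeer", "").lower() == "no":
        findings.append(("tls_checkpeer", "server certificate is not verified, so TLS cannot detect an impostor server"))
    if conf.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append(("tls_reqcert", "certificate errors are ignored; use 'demand' and point TLS_CACERT at the CA"))
    if conf.get("bindpw") == PLACEHOLDER_PW:
        findings.append(("bindpw", "placeholder password still present; the bind will fail or use a known value"))
    return findings

def audit_text(text):
    """Convenience wrapper: parse a file's contents and audit it."""
    return audit(parse_ldap_conf(text))

if __name__ == "__main__":
    for name, text in (("/etc/libnss-ldap.conf", LIBNSS_LDAP_CONF), ("/etc/ldap/ldap.conf", LDAP_CONF)):
        for option, reason in audit_text(text):
            print(f"{name}: {option}: {reason}")
```

Run it against the real files with `audit_text(open(path).read())` after the installation to confirm the client verifies the server it binds to.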


NOTE: If the client is already set up and you only need to modify some parameters, the procedure is as follows:


1. Edit the file /etc/libnss-ldap.conf and change the line

File: /etc/libnss-ldap.conf
...
uri ldap://grid.uis.edu.co
...

with the following line

File: /etc/libnss-ldap.conf
...
uri ldaps://192.168.66.5
...

2. Edit the file /etc/pam_ldap.conf and change the line

File: /etc/pam_ldap.conf
...
uri ldap://grid.uis.edu.co
...

with the following line

File: /etc/pam_ldap.conf
...
uri ldaps://192.168.66.5
...

3. Edit the file /etc/ldap/ldap.conf and add the following lines

File: /etc/ldap/ldap.conf
...
BASE    dc=uis,dc=edu,dc=co
URI     ldaps://192.168.66.5
TLS_REQCERT never
...

4. Back up the following files by making a copy

cp /etc/pam_ldap.secret /etc/pam_ldap.secret.orig
cp /etc/libnss-ldap.secret /etc/libnss-ldap.secret.orig

5. Edit the files /etc/pam_ldap.secret and /etc/libnss-ldap.secret and replace the password with the new one, which I will give you in person.

6. Test the node by logging in with your own user.