
OpenLDAP, libnss, PAM

November 9th, 2008

To get from a base Debian etch (4.0) install to a working basic username/password/gecos system authentication off LDAP, here’s what you do.

Start from a totally minimal base install (minimal, no additional repos). You must at this point have a working network; I’ll leave that to you…

Then…

Edit /etc/apt/sources.list to read:

deb http://http.us.debian.org/debian etch main contrib non-free
deb http://security.debian.org/ etch/updates main contrib non-free
deb-src http://http.us.debian.org/debian etch main contrib non-free
deb-src http://security.debian.org/ etch/updates main contrib non-free

Update the system to current:

# apt-get update && apt-get upgrade (say yes if there are any upgrades)

Install what I consider essential apps and a reasonable build environment for later and slapd, libnss-ldap, and libpam-ldap:

# apt-get install autoconf automake1.9 bison build-essential bzip2 colordiff ctags debconf-utils debian-keyring elinks flex gcc-4.1-locales gdb gpm htop ldap-utils libltdl3-dev libmudflap0-dev libnss-ldap libpam-ldap libtool linux-headers-`uname -r` lynx mimedecode mime-support ncftp2 netcat nmap openssh-blacklist openssh-client openssh-server psmisc screen slapd ssh sysstat sysv-rc-conf telnet telnetd urlview vim vim-scripts

Replace /etc/ldap/slapd.conf with the following:

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/misc.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        0
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit 500
tool-threads 1
backend         bdb
checkpoint 512 30

database        bdb
suffix          "dc=fakedom,dc=dom"
rootdn          "cn=admin,dc=fakedom,dc=dom"
rootpw          (run slappasswd and paste output here)
directory       "/var/lib/ldap"
lastmod         on

access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=fakedom,dc=dom" write
by anonymous auth
by self write
by * none

access to *
by dn="cn=admin,dc=fakedom,dc=dom" write
by * read

Replace /etc/nsswitch.conf with the following:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Replace /etc/libnss-ldap.conf with the following:

base dc=fakedom,dc=dom
uri ldap://127.0.0.1
ldap_version 3
rootbinddn cn=admin,dc=fakedom,dc=dom

Replace /etc/pam_ldap.conf with the following:

host 127.0.0.1
base dc=fakedom,dc=dom
uri ldap://127.0.0.1
ldap_version 3
rootbinddn cn=admin,dc=fakedom,dc=dom
pam_password exop

Replace /etc/ldap/ldap.conf with the following:

BASE    dc=fakedom,dc=dom
URI     ldap://127.0.0.1

Create a base.ldif file in /tmp to import into the directory to test against:

dn: dc=fakedom,dc=dom
objectClass: top
objectClass: dcObject
objectClass: organization
o: fakedom.dom
dc: fakedom

dn: cn=admin,dc=fakedom,dc=dom
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: (Paste output from slappasswd)

dn: ou=People,dc=fakedom,dc=dom
ou: People
objectClass: organizationalUnit
objectClass: top

dn: uid=testy,ou=People,dc=fakedom,dc=dom
uid: testy
cn: testy
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/testy
gecos: Testy,,,,
userPassword: (Paste output from slappasswd)

# /etc/init.d/slapd restart

# ldapadd -x -W -D 'cn=admin,dc=fakedom,dc=dom' -f /tmp/base.ldif  (enter password when prompted)

# /etc/init.d/slapd restart

# getent passwd | grep testy (should return testy’s entry)

# /etc/init.d/openbsd-inetd start

# telnet localhost and use testy’s login credentials, if it works you’re set

If it doesn’t… I’m sorry :)
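Added here as an example (not from the original post): a small POSIX sh checker for the mistakes that most often make getent return nothing after the steps above, namely a base DN that differs between the client and server files (a one-letter typo in one of them is enough), curly quotes pasted in from a web page, and an nsswitch.conf line that never consults ldap. It assumes the five config files have been copied into one directory under their usual file names; the function names and the sample files are constructed for the example.

```shell
#!/bin/sh
# Cross-check the LDAP client/server configs for silent mismatches.
# Usage: sh check-ldap.sh DIR   (DIR holds copies of slapd.conf,
# libnss-ldap.conf, pam_ldap.conf, ldap.conf and nsswitch.conf)

# Print the DN that follows keyword $2 in file $1, normalised: drop quotes
# (straight or curly), spaces and CRs, then lower-case. Assumes DN values
# contain no spaces, as in the post's configs.
dn_of() {
  awk -v k="$2" '$1 == k { $1 = ""; print; exit }' "$1" \
    | sed 's/[^A-Za-z0-9=,._-]//g' | tr 'A-Z' 'a-z'
}

# The three client base DNs must equal the server suffix; report each
# file that differs. Returns 0 only when all four agree.
check_base_dn() {
  ref=$(dn_of "$1/slapd.conf" suffix); rc=0
  for f in libnss-ldap.conf:base pam_ldap.conf:base ldap.conf:BASE; do
    got=$(dn_of "$1/${f%%:*}" "${f##*:}")
    [ "$got" = "$ref" ] || { echo "$f has '$got', slapd.conf has '$ref'"; rc=1; }
  done
  return $rc
}

# passwd and shadow must list ldap, or logins never reach the directory.
check_nsswitch() {
  rc=0
  for db in passwd shadow; do
    grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|\$)" "$1/nsswitch.conf" \
      || { echo "nsswitch.conf: $db does not consult ldap"; rc=1; }
  done
  return $rc
}

# Constructed sample (not real /etc files): the post's values, but with
# curly quotes around the suffix as a browser pastes them, a typo in
# ldap.conf's BASE, and a shadow line that forgets ldap.
make_sample() {
  d=$(mktemp -d)
  printf 'suffix \342\200\234dc=fakedom,dc=dom\342\200\235\n' > "$d/slapd.conf"
  printf 'base dc=fakedom,dc=dom\n' > "$d/libnss-ldap.conf"
  printf 'base dc=fakedom,dc=dom\n' > "$d/pam_ldap.conf"
  printf 'BASE    dc=fakedome, dc=dom\n' > "$d/ldap.conf"
  printf 'passwd: compat ldap\nshadow: compat\n' > "$d/nsswitch.conf"
  echo "$d"
}

if [ $# -eq 1 ]; then check_base_dn "$1"; check_nsswitch "$1"; fi
```

Run it with no arguments from a script of your own and call make_sample to see both checks fail on the constructed sample; point it at a directory of your real copies and both should return 0 before you try getent.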
