LDAP
Count Persons (objects derived from 'person')
ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub 'objectclass=person' dn | grep -c =
-w '?'    prompts for a password (without echo)
-s scope  search scope (base, one, or sub)
dn        a dummy output attribute (the distinguished name is printed in any case)
— Courtesy of Oliver D. 2010/05/04 15:04
Use OpenLDAP and phpldapadmin on Ubuntu 14.04
Server
Installation
apt-get install slapd phpldapadmin ldap-auth-config
Configure phpldapadmin
- Disable $servers->setValue('server','base',array('dc=example,dc=com')); in /etc/phpldapadmin/config.php to automatically get the base DN you configured on your LDAP server.
- Before creating a Posix Account you have to create a Posix Group (Thanks).
- To get rid of the error “Error trying to get a non-existant value (appearance,password_hash)” replace password_hash by password_hash_custom in line 2469 of /usr/share/phpldapadmin/lib/TemplateRender.php (Thanks).
- Uncomment and edit the line $servers->setValue('auto_number','min',array('uidNumber'=>2000,'gidNumber'=>500)); in /etc/phpldapadmin/config.php to get a numerical uid range different from the one selected by local useradd.
Remarks
- When creating Posix groups, the gid is preset and fixed by phpldapadmin, but you can modify it afterwards in the editor.
- The LDAP administrator account is of the object class organizationalRole with auxiliary class simpleSecurityObject. Maybe this can be used for simple accounts to authenticate against LDAP itself with cn=… as well?
Configure OpenLDAP Logging
It should be done with ldapmodify, but as ldapsearch did not work, I modified /etc/ldap/slapd.d/cn=config.ldif directly and set
olcLogLevel: ACL stats stats2 shell
to confirm that libpam_ldap.so used the right accounts, DNs and credentials.
Set password for cn=config
To configure OpenLDAP you need to access it with ldapmodify and the bind DN cn=root, which does not have a known password by default. To set one, create an LDIF file
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <PW in Clear>
and load it with
ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>
Afterwards you can access the config by
ldapsearch -x -D cn=config -w <PW in Clear> -b cn=config
(Finally found here)
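The same change as a small script, added here as an example and not taken from the page: slappasswd produces a salted SHA hash so the cleartext password never appears in the LDIF or in cn=config, and a helper flags a value that is still stored in the clear. It assumes slapd is reachable over ldapi:/// with SASL EXTERNAL authentication for root, as in the ldapmodify call above.

```shell
#!/bin/sh
# Added example, not from the original page: set olcRootPW on the cn=config
# database with a hashed value instead of "<PW in Clear>".
# Assumes slapd is running with ldapi:/// and that root maps to the config
# rootdn via SASL EXTERNAL, as in the page's ldapmodify call.

# Build the modify LDIF for the config database root password.
# $1 = the password value to store (normally a {SSHA}... hash from slappasswd)
config_rootpw_ldif() {
  printf 'dn: olcDatabase={0}config,cn=config\n'
  printf 'changetype: modify\n'
  printf 'replace: olcRootPW\n'
  printf 'olcRootPW: %s\n' "$1"
}

# True (exit 0) when a stored password value has no {SCHEME} prefix, i.e. slapd
# would keep it in the clear on disk under slapd.d.
is_cleartext_password() {
  case "$1" in
    \{*\}*) return 1 ;;
    *)      return 0 ;;
  esac
}

# Salted SHA-1 hash via slappasswd. -s puts the secret on the command line,
# so on a shared host run slappasswd interactively (without -s) instead.
hash_password() {
  slappasswd -h '{SSHA}' -s "$1"
}

# Hash the password, build the LDIF and apply it over the local Unix socket.
set_config_rootpw() {
  hash=$(hash_password "$1") || return 1
  if is_cleartext_password "$hash"; then
    echo "refusing to store a cleartext olcRootPW" >&2
    return 1
  fi
  config_rootpw_ldif "$hash" | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Usage: sh set-config-rootpw.sh 'new password'
if [ $# -eq 1 ]; then
  set_config_rootpw "$1"
fi
```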
Client
Configure nsswitch
Add ldap to the list of methods in /etc/nsswitch.conf behind passwd and group:
passwd: compat ldap
group: compat ldap
Configure PAM
Add pam_mkhomedir.so to common-session:
session required pam_mkhomedir.so
Override Home Directory settings
apt-get install libpam-ldapd libnss-ldapd
This will remove libpam-ldap and libnss-ldap but install nslcd, which can override values from LDAP entries more flexibly. For example, to give all users their home directories in /local/home instead of the value of the homeDirectory attribute in their LDAP entries, add this line to /etc/nslcd.conf:
map passwd homeDirectory "/local/home/$uid"
(Found here)
Password Self Service on Ubuntu 14.10
- Download self-service-password_0.9-1_all.deb (or later) from http://ltb-project.org/wiki/download#self_service_password
dpkg -i self-service-password_0.9-1_all.deb
apt-get install php5-mcrypt
php5enmod mcrypt
- Edit Apache configuration:
Alias /passwd /usr/share/self-service-password/
- Edit /usr/share/self-service-password/conf/config.ini.php and set:
- (ldap_url)
- ldap_binddn
- ldap_bindpw
- ldap_base
/etc/init.d/apache2 stop
/etc/init.d/apache2 start