Set Up OpenLDAP Server on Centos
7/31/2019 Set Up OpenLDAP Server on Centos
1/15
Set up OpenLDAP server
Install OpenLDAP Server
su - root
yum install gcc
yum install openldap*
Setup OpenLDAP Server via Webmin
Point browser to Webmin ->Unused Modules ->LDAP Server -> Module Config and change values to match attached screenshot
Point browser to Webmin ->Unused Modules ->LDAP Server -> OpenLDAP Server configuration and change values to match attached screenshot
Point browser to Webmin ->Unused Modules ->LDAP Server -> Manage Schema and change values to match attached screenshot
Edit slapd.conf
su - root
gedit /etc/openldap/slapd.conf
Paste the following lines into slapd.conf (Add Access Control Rules). The rules are evaluated in order: the first "access to" clause that matches the attribute applies, and within it the first matching "by" clause decides the access level.
access to attrs=userPassword,shadowLastChange
    by dn="cn=manager,dc=saioc,dc=in" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=manager,dc=saioc,dc=in" write
    by dn="cn=nss,dc=saioc,dc=in" read
    by * auth
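To see what the two rules above actually grant to each identity before restarting slapd, here is a small added example (not from the original page) that models OpenLDAP's first-match ACL evaluation with exactly those two rules loaded. It assumes exact-match bind DNs (no regex or subtree "by" selectors) and uses a constructed sample user entry under ou=People; the access-level ordering is OpenLDAP's own. One check worth noticing: as printed, the rules give cn=ldapadmin only "none" on userPassword, so the password-admin role described later on this page is not granted by these two rules alone.

```python
# Added example (not from the original page): a model of OpenLDAP's
# first-match ACL evaluation, loaded with the two "access to" rules from
# slapd.conf above, so the effect of each "by" clause can be checked offline.
# Bind DNs are assumed to be exact matches (no regex/subtree selectors).

from typing import Optional

MANAGER_DN = "cn=manager,dc=saioc,dc=in"
NSS_DN = "cn=nss,dc=saioc,dc=in"
LDAPADMIN_DN = "cn=ldapadmin,dc=saioc,dc=in"

# OpenLDAP access levels, weakest to strongest; a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The slapd.conf rules, in order. attrs=None means "access to *" (any attribute).
# Each "by" clause is (who, dn, level); who is "dn", "anonymous", "self" or "*".
ACL = [
    {"attrs": {"userpassword", "shadowlastchange"},
     "by": [("dn", MANAGER_DN, "write"),
            ("anonymous", None, "auth"),
            ("self", None, "write"),
            ("*", None, "none")]},
    {"attrs": None,   # catch-all: every other attribute
     "by": [("dn", MANAGER_DN, "write"),
            ("dn", NSS_DN, "read"),
            ("*", None, "auth")]},
]


def _who_matches(who: str, who_dn: Optional[str], bind_dn: Optional[str], target_dn: str) -> bool:
    """Does one 'by' clause apply to this bind identity and target entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return not bind_dn            # empty/None bind DN = anonymous
    if who == "self":
        return bool(bind_dn) and bind_dn.lower() == target_dn.lower()
    if who == "dn":
        return bool(bind_dn) and bind_dn.lower() == (who_dn or "").lower()
    raise ValueError(f"unknown 'by' selector {who!r}")


def granted_level(bind_dn: Optional[str], target_dn: str, attr: str) -> str:
    """First 'access to' rule whose attrs match wins, then its first matching 'by' clause."""
    for rule in ACL:
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue
        for who, who_dn, level in rule["by"]:
            if _who_matches(who, who_dn, bind_dn, target_dn):
                return level
        return "none"   # rule matched the attribute but no 'by' clause matched
    return "none"       # no rule matched (cannot happen here because of 'access to *')


def allows(bind_dn: Optional[str], target_dn: str, attr: str, needed: str) -> bool:
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(bind_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    user = "uid=pcuser1,ou=People,dc=saioc,dc=in"   # constructed sample entry
    checks = [
        ("anonymous can bind (auth on userPassword)", allows(None, user, "userPassword", "auth")),
        ("anonymous cannot read userPassword", not allows(None, user, "userPassword", "read")),
        ("anonymous cannot search/list other attributes", not allows(None, user, "uid", "search")),
        ("nss role can read uid for name lookups", allows(NSS_DN, user, "uid", "read")),
        ("nss role cannot read password hashes", not allows(NSS_DN, user, "userPassword", "read")),
        ("a user can change own password", allows(user, user, "userPassword", "write")),
        ("ldapadmin cannot write userPassword as written", not allows(LDAPADMIN_DN, user, "userPassword", "write")),
    ]
    for label, ok in checks:
        print(("PASS " if ok else "FAIL ") + label)
```

Running the block prints PASS for every line, including the last one, which is the point to take away: the nss client role gets "read" on everything except the password attributes (so directory lookups work without exposing hashes), anonymous clients can only authenticate, and a second rule granting cn=ldapadmin write on userPassword would be needed for the role to do what its description says.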
After the above step, point browser to Webmin ->Unused Modules ->LDAP Server -> LDAP Access control and match with attached screenshot
Start LDAP server
Point browser to Webmin ->Servers ->LDAP Server and click on Start server
LDAP Directory Structure - design and implementation
Design considerations and explanation for LDAP
Directory Structure
SAIoC LDAP Directory structure as a tree

dc=in
 |
 +-- dc=saioc
      |-- cn=nss
      |-- cn=ldapadmin
      |-- ou=People
      |     +-- cn=adminuser, pcuser1, labteacher1, labstudent1
      |-- ou=Group
      |     +-- cn=ldapusers, labadmin, students, myfuse
      |-- ou=Hosts
      |-- ou=policies
      +-- ou=machines
Design comments and notes

1. The base DN or root of the LDAP directory tree was derived from the domain name in use in the SAIoC LAN, i.e. saioc.in.

2. organizationalUnit is a standard objectClass in LDAP. It is used to define entries that represent a relatively static grouping in an organization. We have chosen to create 5 top-level organizationalUnits:
   - People - all user accounts representing people in SAIoC will belong to this organizationalUnit
   - Group - the concept of groups is used to logically organize resources for managing them. This seems similar to the concept of organizationalUnit, but one thumb-rule to differentiate between them is that a resource can belong to only one organizationalUnit at a time but it can belong to multiple groups
   - Hosts - this is for future use
   - Machines - this is for future use
   - Policies - this is for future use
   Notes: http://www.zytrax.com/books/ldap/ape/#organizationalunit , http://weusefoss.sriaurobindoinstitute.org/tiki-editpage.php?page=ObjectClass

3. organizationalRole is a standard objectClass in LDAP. It is used to define entries that represent roles held by people within an organization. simpleSecurityObject is a standard objectClass in LDAP. It is used to allow an entry to contain the userPassword attribute. We have chosen to create two roles:
   - nss represents a role which is allowed to perform read-only operations on LDAP and will be used by LDAP clients, especially nss (the name service switch; see http://www.wlug.org.nz/NSS)
   - ldapadmin represents a role which is allowed to change passwords for user accounts created in the LDAP server
   Notes: http://www.zytrax.com/books/ldap/ape/#organizationalrole , http://www.zytrax.com/books/ldap/ape/core-schema.html#simplesecurityobject

4. posixGroup is a standard objectClass in LDAP. It is an abstraction of a group of accounts. It corresponds to Unix groups. We have chosen to create 4 groups:
   - ldapusers - this is the primary group to which all user accounts created in LDAP belong. The groupId is 10000.
   - labadmin - this is the group which represents the computer lab administrators, typically the lab teachers. The groupId is 10001. This group will typically be used to provide its members with extra privileges like read/write/execute access to home directories of all students etc.
   - students - this group represents students who use the computer lab. The groupId is 10002.
   - myfuse - this corresponds to an inbuilt group in Ubuntu 8, named fuse with groupId 107. The groupId is 107. All users who need to have USB drives auto-mounted need to be made members of this group.
   Special note for administrators: it is decided to reserve the range 10000 to 10199 to be used as groupId for groups created in LDAP.
   Notes: http://www.zytrax.com/books/ldap/ape/nis.html
Explanation for LDIF
LDIF design comments: TBD

saioc.ldif
dn: dc=saioc,dc=in
objectClass: domain
dc: saioc

dn: cn=nss,dc=saioc,dc=in
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: nss
description: LDAP NSS user
userPassword: testpwd

dn: cn=ldapadmin,dc=saioc,dc=in
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldapadmin
description: LDAP Password Admin user
userPassword: testpwd

dn: ou=Hosts,dc=saioc,dc=in
ou: Hosts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: saioc.in

dn: ou=People,dc=saioc,dc=in
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
ou: People
associatedDomain: saioc.in

dn: ou=Group,dc=saioc,dc=in
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: saioc.in

dn: cn=ldapusers,ou=Group,dc=saioc,dc=in
cn: ldapusers
objectClass: posixGroup
gidNumber: 10000

dn: cn=labadmin,ou=Group,dc=saioc,dc=in
cn: labadmin
objectClass: posixGroup
gidNumber: 10001

dn: cn=myfuse,ou=Group,dc=saioc,dc=in
cn: myfuse
objectClass: posixGroup
gidNumber: 107

dn: cn=students,ou=Group,dc=saioc,dc=in
cn: students
objectClass: posixGroup
gidNumber: 10002

dn: ou=machines,dc=saioc,dc=in
objectClass: organizationalUnit
ou: machines

dn: ou=policies,dc=saioc,dc=in
ou: policies
objectClass: top
objectClass: organizationalUnit
Create LDAP directory structure (Create LDAP objects using saioc.ldif)
Create a file named saioc.ldif first (its contents are listed above under Explanation for LDIF), then load it as the manager DN:
ldapadd -W -x -D "cn=manager,dc=saioc,dc=in" -f saioc.ldif
After the above step, point browser to Webmin ->Servers ->LDAP Server -> Browse Database and match with attached screenshot
Restart LDAP server
Point browser to Webmin ->Servers ->LDAP Server and restart server
Setup ldap client on Gratitude
Point browser to webmin ->System ->LDAP client ->Module config and change values to match attached screenshot
Point browser to webmin ->System ->LDAP client ->LDAP Server Config and change values to match attached screenshot
Point browser to webmin ->System ->LDAP client ->LDAP Search Bases and change
values to match attached screenshot
Point browser to webmin ->System ->LDAP client ->Authentication options and change values to match attached screenshot
Point browser to webmin ->System ->LDAP client ->Services using LDAP.
Edit options to match attached screenshot
Screenshot of editing service options
Create users in LDAP
Create admin user in LDAP (via Webmin using screen)
Point browser to Webmin ->System ->LDAP user and groups -> Add LDAP user
Create adminuser by following attached screenshots
users.txt
create:pcuser1:testpwd:10202:10000:PC user1:/home/pcuser1:/bin/bash:::::
create:pcuser2:testpwd:10203:10000:PC user1:/home/pcuser2:/bin/bash:::::
create:labteacher1:testpwd:10204:10000:Lab teacher1:/home/labteacher1:/bin/bash:::::
create:labteacher2:testpwd:10205:10000:Lab teacher2:/home/labteacher2:/bin/bash:::::
create:labstudent1:testpwd:10206:10000:Lab student1:/home/labstudent1:/bin/bash:::::
create:labstudent2:testpwd:10207:10000:Lab student2:/home/labstudent2:/bin/bash:::::
Associate all users with secondary group myfuse
This will allow users to automount USB drives in Ubuntu
Point browser to Webmin ->System ->LDAP user and groups -> Groups
Click on myfuse
Associate lab teachers with secondary group labadmin
This will allow lab teachers to access home directories of lab students
Point browser to Webmin ->System ->LDAP user and groups -> Groups
Click on labadmin
Enable SSL in OpenLDAP server
Point browser to Webmin ->Servers ->LDAP Server -> OpenLDAP Server configuration and click on Generate SSL certificate