LDAP Authentication

From VVCWiki
Revision as of 01:17, 9 December 2009 by Vvc (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search
  • Install required packages
yum install openldap-servers openldap-clients nss_ldap
  • generate admin user password
[root@centos64 ~]# slappasswd 
New password: 
Re-enter new password: 
{SSHA}KaqRGp1hT8E8s6pqdtyAamWxXxVRODZ9
  • update /etc/openldap/slapd.conf
database        bdb
suffix          "dc=chepkov,dc=lan"
rootdn          "cn=root,dc=chepkov,dc=lan"
rootpw          {SSHA}KaqRGp1hT8E8s6pqdtyAamWxXxVRODZ9

access to attrs="userPassword"
	by anonymous auth
	by self write
	by * none

access to *
        by users read
	by * none

  • copy DB_CONFIG in place
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
  • start ldap server
chkconfig ldap on
service ldap start
  • edit /usr/share/openldap/migration/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "chepkov.lan";
$DEFAULT_BASE = "dc=chepkov,dc=lan";
  • populate basic entries
/usr/share/openldap/migration/migrate_base.pl |ldapadd -x -D "cn=root,dc=chepkov,dc=lan" -W
  • create a user template from root user
grep ^root /etc/passwd | /usr/share/openldap/migration/migrate_passwd.pl - > /tmp/testuser.ldiff
  • edit /tmp/testuser.ldiff:
dn: uid=testuser,ou=People,dc=chepkov,dc=lan
uid: testuser
cn: testuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$33w5rgPO$bd.N.h6yMRiiCPvRLAJPV.
shadowLastChange: 14481
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 100
homeDirectory: /home/testuser
gecos: Test User

  • Add testuser
ldapadd -x -D "cn=root,dc=chepkov,dc=lan" -W -f /tmp/testuser.ldiff
  • enable pam_ldap
authconfig --update --enableldap --enableldapauth --ldapserver="centos64.chepkov.lan" \
--ldapbasedn="dc=chepkov,dc=lan" --enablelocauthorize --enablemkhomedir
  • update /etc/ldap.conf
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=root,dc=chepkov,dc=lan
  • Now you can change testuser password using regular passwd utility
passwd testuser
  • and login as testuser
[root@centos64 migration]# ssh testuser@localhost
testuser@localhost's password: 
Creating directory '/home/testuser'.
[testuser@centos64 ~]$ id
uid=1000(testuser) gid=100(users) groups=100(users)
  • Enjoy