OpenLDAP


mkdir /usr/local/etc/openldap/slapd.d/
cp -v /usr/local/etc/openldap/slapd.ldif.sample /usr/local/etc/openldap/slapd.d/slapd.ldif

Now edit the file slapd.ldif and at least change:

12,13c12,13
< olcArgsFile: /var/db/run/slapd.args
< olcPidFile: /var/db/run/slapd.pid
---
> olcArgsFile: /var/run/openldap/slapd.args
> olcPidFile: /var/run/openldap/slapd.pid
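Review bot: both new paths require /var/run/openldap to exist and to be writable by the user slapd runs as, so check that (or create the directory with the right owner) before the slapd -d1 test below; a pid or args file that cannot be written is exactly the kind of error that test surfaces.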

because that is where FreeBSD's rc script expects OpenLDAP to put these files.

WIP

This does not work yet

# create the configuration database out of the ldif file:
slapadd -n0 -F /usr/local/etc/openldap/slapd.d/ -l /usr/local/etc/openldap/slapd.d/slapd.ldif
# start slapd with debug option to see error messages (CTRL-c if it works)
/usr/local/libexec/slapd -d1 -F /usr/local/etc/openldap/slapd.d/
# /etc/rc.conf.local
slapd_enable="YES"
# the following line makes slapd use slapd.d folder instead of slapd.conf
slapd_cn_config="YES"

This worked

Edit /usr/local/etc/openldap/slapd.conf, add the further schema files and enable the correct backend:

[...]

include         /usr/local/etc/openldap/schema/core.schema
+include  /usr/local/etc/openldap/schema/cosine.schema
+include  /usr/local/etc/openldap/schema/inetorgperson.schema
+include  /usr/local/etc/openldap/schema/nis.schema

[...]

-#moduleload      back_mdb
+moduleload      back_mdb

[...]


suffix          "dc=coderonline,dc=de"
rootdn          "cn=Manager,dc=coderonline,dc=de"

[...]
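The fragment above shows suffix and rootdn, but nothing about the rootdn password or about access control. slapd.access(5) documents that with no access directive at all the default policy is "access to * by * read", so any anonymous client can read every attribute, userPassword included. The following lines are an added example for this suffix, not taken from the page's own slapd.conf; the hash value is a placeholder to be replaced with the real output of slappasswd:

```conf
# Password of the rootdn. Store the hash printed by
#   slappasswd
# never the clear-text string (placeholder below).
rootpw          {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT

# Without any access directive slapd defaults to "access to * by * read",
# which also hands out userPassword hashes. Users may change their own
# password, anonymous clients may only use it to bind (auth), nobody
# else sees it at all.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else stays world-readable; that is what nss_ldap needs for
# uid/gid lookups. Deliberately no "by self write" here, otherwise a user
# could rewrite his own uidNumber or gidNumber.
access to *
        by * read
```

Check the effect after a restart: ldapsearch -x -b dc=coderonline,dc=de userPassword must list the entries but no userPassword values, while ldapsearch -x -D uid=max,ou=people,dc=coderonline,dc=de -W still binds successfully with that user's password.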

Nothing has to be imported for this variant: slapd reads slapd.conf directly at start-up (internally the conf format is parsed into the same cn=config tree that slapd.d would hold on disk). Check the syntax before starting the daemon:

slaptest -f /usr/local/etc/openldap/slapd.conf

The same -f option tells slapadd and slapcat which configuration to use.

Now enable slapd, and do not set slapd_cn_config, because that would make the rc script expect the configuration under /usr/local/etc/openldap/slapd.d:

# /etc/rc.conf.local
slapd_enable="YES"
# the following line makes slapd use slapd.d folder instead of slapd.conf
# slapd_cn_config="YES"

Create a test user

If this is the LDIF-file max-people-coderonline-de:

dn: cn=max,ou=groups,dc=coderonline,dc=de
objectClass: posixGroup
objectClass: top
gidNumber: 10000
cn: max

dn: uid=max,ou=people,dc=coderonline,dc=de
sn: pohle
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/max
loginShell: /bin/tcsh
userPassword: thisisatest
uid: max
cn: max

Call slapadd -l max-people-coderonline-de to import the user. slapadd writes straight into the database files, so stop slapd first; and if you run it as root, make sure the database directory (by default /var/db/openldap-data on FreeBSD) is still owned by the user slapd runs as afterwards, otherwise slapd fails to open it.
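The two entries above assume that the base entry and the ou=people and ou=groups containers already exist in the directory. The following file is an added example, not the page's own LDIF: it creates the base, both containers, the group and the user in one go, and stores the password as a slappasswd hash instead of in clear text (the hash is a placeholder to be replaced with the real output of slappasswd -s thisisatest):

```ldif
# Base entry for the suffix configured in slapd.conf.
dn: dc=coderonline,dc=de
objectClass: top
objectClass: dcObject
objectClass: organization
dc: coderonline
o: coderonline.de

# Containers referenced by nss_base_passwd / nss_base_group.
dn: ou=people,dc=coderonline,dc=de
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=coderonline,dc=de
objectClass: top
objectClass: organizationalUnit
ou: groups

# Primary group of the test user.
dn: cn=max,ou=groups,dc=coderonline,dc=de
objectClass: top
objectClass: posixGroup
cn: max
gidNumber: 10000

# The test user. userPassword holds the output of
#   slappasswd -s 'thisisatest'
# (placeholder below), so a directory read never exposes the clear text.
dn: uid=max,ou=people,dc=coderonline,dc=de
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
cn: max
sn: pohle
uid: max
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/max
loginShell: /bin/tcsh
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
```

With slapd stopped: slapadd -f /usr/local/etc/openldap/slapd.conf -l all-coderonline-de.ldif, then fix the ownership of the database directory and start slapd. Against a running server use ldapadd -x -D cn=Manager,dc=coderonline,dc=de -W -f all-coderonline-de.ldif instead; it goes through the normal protocol and needs no downtime. The file name all-coderonline-de.ldif is only assumed here.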

@TODO: there is also an attribute called authPassword; it is the RFC 3112 authentication password syntax and not the NT domain password (that would come from the Samba schema). Further investigation is required.

SSH login with PAM

Nice to have packages (FreeBSD):

pkg install pam_ldap nss_ldap pam_mkhomedir

The first provides the authentication itself, the second makes user and group names resolvable (for example in ls -l output), and the third can create home directories automatically when users log in for the first time.

pam_ldap

Insert into /etc/pam.d/sshd (order matters):

auth            sufficient      pam_ldap.so        no_warn

[...]

session         required        pam_mkhomedir.so

sufficient means that a successful LDAP bind ends the auth stack right there; when it fails, the stack continues with the pam_unix line that follows, so local accounts keep working.

NSS

NSS is for uids and gids what DNS is for domains: it translates numbers into names. It is configured in /etc/nsswitch.conf, a colon-separated file with the database name in the first column and space-separated sources in the second. For LDAP we adjust

-group: compat
+group: files ldap
-passwd: compat
+passwd: files ldap

and we also want to configure /usr/local/etc/nss_ldap.conf, at least host and base, and perhaps make the base DNs for users and groups explicit (they must match the containers in the LDIF above), e.g.

nss_base_passwd ou=people,dc=coderonline,dc=de
nss_base_group  ou=groups,dc=coderonline,dc=de

This can be tested directly with id max if you have a user max.

We check that the server itself answers with ldapsearch (-x selects a simple anonymous bind instead of SASL; add -H ldap://localhost if /usr/local/etc/openldap/ldap.conf has no URI):

ldapsearch -x -b uid=max,ou=people,dc=coderonline,dc=de

cpu - Change Password Utility

This is a handy script to manage user accounts and groups in LDAP from the command line; it is packaged in many distributions and also available from the project's own site.

Most important man page

man cpu-ldap

Most important commands

cpu cat                   # list all users and groups similar to /etc/passwd

cpu useradd testuser1     # create user account
cpu usermod testuser1 -p  # change password

cpu groupadd testgroup              # create a group
cpu groupmod testgroup -n test01    # rename group testgroup to test01