LDAP installation so we can use space-wide logins instead of separate logins for every computer/server.

<noinclude>__TOC__</noinclude>

= Server =

Server IP is '''192.168.1.177'''. The server uses an installation of OpenLDAP with [http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page phpLDAPAdmin]. The following settings were applied:

== OpenLDAP ==

* DNS domain name: '''ackspace.nl''' ("dc=ackspace,dc=nl")
* Database backend: '''HDB'''

== phpLDAPAdmin ==

=== /etc/phpldapadmin/config.php ===

The following values were set/changed in '''/etc/phpldapadmin/config.php''':

<pre>
$servers->setValue('server','host','0.0.0.0');
$servers->setValue('server','base',array('dc=ackspace,dc=nl'));
$config->custom->appearance['hide_template_warning'] = true;
$servers->setValue('login','bind_id','cn=admin,dc=ackspace,dc=nl');
</pre>

=== SSH keys ===

A field to insert SSH keys for users is not present in OpenLDAP/phpLDAPAdmin by default. To add one, I created a file called '''openssh-lpk.ldif''' with the following content:

<pre>
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
  DESC 'MANDATORY: OpenSSH Public key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
  DESC 'MANDATORY: OpenSSH LPK objectclass'
  MAY ( sshPublicKey $ uid ) )
</pre>

The following command was then used to add support (make sure '''ldapscripts''' is installed):

<pre>
ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-lpk.ldif
</pre>

=== /etc/phpldapadmin/templates/creation/posixAccount.xml ===

Finally the User Account creation template was changed to add an SSH public key input field to the form by default.
For this, '''/etc/phpldapadmin/templates/creation/posixAccount.xml''' was changed to the following:

<pre>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">

<template>
  <askcontainer>1</askcontainer>
  <description>New User Account</description>
  <icon>ldap-user.png</icon>
  <invalid>0</invalid>
  <rdn>cn</rdn>
  <!--<regexp>^ou=People,o=.*,</regexp>-->
  <title>Generic: User Account</title>
  <visible>1</visible>

  <objectClasses>
    <objectClass id="inetOrgPerson"></objectClass>
    <objectClass id="posixAccount"></objectClass>
    <objectClass id="ldapPublicKey"></objectClass>
  </objectClasses>

  <attributes>
    <attribute id="givenName">
      <display>First name</display>
      <icon>ldap-uid.png</icon>
      <onchange>=autoFill(cn;%givenName% %sn%)</onchange>
      <onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
      <order>1</order>
      <page>1</page>
    </attribute>
    <attribute id="sn">
      <display>Last name</display>
      <onchange>=autoFill(cn;%givenName% %sn%)</onchange>
      <onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
      <!-- <onchange>=autoFill(homeDirectory;/home/users/%uid|0-1/l%/%uid%)</onchange> -->
      <order>2</order>
      <page>1</page>
    </attribute>
    <attribute id="cn">
      <display>Common Name</display>
      <order>3</order>
      <page>1</page>
    </attribute>
    <attribute id="uid">
      <display>User ID</display>
      <onchange>=autoFill(homeDirectory;/home/users/%uid%)</onchange>
      <order>4</order>
      <page>1</page>
      <spacer>1</spacer>
    </attribute>
    <attribute id="homeDirectory">
      <display>Home directory</display>
      <!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
      <order>8</order>
      <page>1</page>
    </attribute>
    <attribute id="uidNumber">
      <display>UID Number</display>
      <icon>terminal.png</icon>
      <order>6</order>
      <page>1</page>
      <readonly>1</readonly>
      <value>=php.GetNextNumber(/;uidNumber)</value>
    </attribute>
    <attribute id="gidNumber">
      <display>GID Number</display>
      <!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
      <order>7</order>
      <page>1</page>
      <value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
    </attribute>
    <attribute id="loginShell">
      <display>Login shell</display>
      <order>9</order>
      <page>1</page>
      <!-- <value><![CDATA[=php.PickList(/;(&(objectClass=posixAccount));loginShell;%loginShell%;;;;loginShell)]]></value> -->
      <type>select</type>
      <value id="/bin/bash">/bin/bash</value>
      <value id="/bin/sh">/bin/sh</value>
      <value id="/bin/csh">/bin/csh</value>
      <value id="/bin/tsh">/bin/tsh</value>
    </attribute>
    <attribute id="userPassword">
      <display>Password</display>
      <!-- <helper>
        <display>Encryption</display>
        <id>enc</id>
        <value>=php.PasswordEncryptionTypes()</value>
      </helper> -->
      <icon>lock.png</icon>
      <order>5</order>
      <page>1</page>
      <post>=php.PasswordEncrypt(%enc%;%userPassword%)</post>
      <spacer>1</spacer>
      <verify>1</verify>
    </attribute>
    <attribute id="sshPublicKey">
      <display>SSH public key</display>
      <icon>lock.png</icon>
      <order>10</order>
      <page>1</page>
    </attribute>
  </attributes>
</template>
</pre>

== Sudoers ==

Sudo roles are not included in LDAP by default. For this we need to create a few files.

=== /etc/ldap/schema/sudo.schema ===

First of all, a schema was added called '''/etc/ldap/schema/sudo.schema'''.
It contains the following:

<pre>
attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser'
    DESC 'User(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost'
    DESC 'Host(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs'
    DESC 'User(s) impersonated by sudo (deprecated)'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption'
    DESC 'Options(s) followed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup'
    DESC 'Group(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributetype ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder'
    DESC 'an integer to order the sudoRole entries'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )
</pre>

=== /etc/ldap/slapd.conf ===

If '''/etc/ldap/slapd.conf''' exists, make sure you place the following at the top (where you find other includes as well):

<pre>
include /etc/ldap/schema/sudo.schema
</pre>

Note that slapd.conf is deprecated and should be replaced by the use of slapd-config<ref>https://www.openldap.org/doc/admin24/slapdconfig.html</ref>.

=== Restart service ===

Restart the '''slapd''' service to make sure the schema is loaded.

=== LDIF file ===

Last, a file was created called '''sudo.ldif''' that contains the following:

<pre>
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser'
  DESC 'User(s) who may run sudo'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost'
  DESC 'Host(s) who may run sudo'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand'
  DESC 'Command(s) to be executed by sudo'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs'
  DESC 'User(s) impersonated by sudo (deprecated)'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption'
  DESC 'Options(s) followed by sudo'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser'
  DESC 'User(s) impersonated by sudo'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup'
  DESC 'Group(s) impersonated by sudo'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
  DESC 'Sudoer Entries'
  MUST ( cn )
  MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
</pre>

You can import this file to LDAP using:

<pre>
ldapadd -Y EXTERNAL -H ldapi:/// -f sudo.ldif
</pre>

= Client =

== PAM ==

To use LDAP to sign in to Linux, install '''libpam-ldapd'''. When asked, fill in the details mentioned in [[LDAP#OpenLDAP]].

=== /etc/nsswitch.conf ===

Make sure LDAP is enabled for '''passwd''', '''group''' and '''shadow'''. To verify, check that the following is present in '''/etc/nsswitch.conf''' (edit the existing entries if needed):

<pre>
passwd: ldap compat
group: ldap compat
shadow: ldap compat
</pre>

This checks LDAP first and falls back to the local files. If preferred, you can swap ''compat'' and ''ldap'' to check locally first and fall back to LDAP.

=== Home folder creation ===

If you want to make sure a user folder is created upon login, add the following to the end of '''/etc/pam.d/common-session''':

<pre>
session required pam_mkhomedir.so skel=/etc/skel umask=0022
</pre>

=== SSH key login ===

Create a file that has the following content (the server IP and base DN are the ones from [[LDAP#OpenLDAP]]):

<pre>
#!/bin/bash
# $1 is the login name that sshd passes to the AuthorizedKeysCommand.
# sed joins folded LDIF continuation lines and prints the bare key values.
ldapsearch -h 192.168.1.177 -b "dc=ackspace,dc=nl" -x '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
</pre>

Make sure the file and ''all'' folders above it are owned by '''root:root''' and have umask '''022'''.<ref>https://stackoverflow.com/a/27638306</ref>

Then edit '''sshd_config''' to include the following:

<pre>
AuthorizedKeysCommand /path/to/file
AuthorizedKeysCommandUser nobody
</pre>

=== Sudoers ===

In order to make sure you can use LDAP for sudoers, make sure your installation of sudo has support for LDAP. If it doesn't, you can try installing '''sudo-ldap''', which will replace the existing sudo installation.
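A stricter variant of the AuthorizedKeysCommand script from the SSH key login section above, added here as an example (it is not the wiki's own script): sshd hands the script whatever login name the remote client typed, so the name is checked before it is placed in the LDAP filter, and the LDIF unfolding is done in awk so it can be tested without a directory server. It assumes the server IP and base DN from this page.

```shell
#!/bin/sh
# Example AuthorizedKeysCommand helper (not the wiki's original script).
# sshd calls it as: /path/to/file <login name>
LDAP_HOST="192.168.1.177"        # server from this page
LDAP_BASE="dc=ackspace,dc=nl"    # base DN from this page

# Accept only plain POSIX login names. The name comes from the remote SSH
# client, so characters such as ( ) * \ would let it rewrite the filter.
valid_uid() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# Join folded LDIF continuation lines (they start with one space) and print
# each sshPublicKey value on its own line. ldapsearch only base64-encodes
# ("::") values containing unsafe characters, which a normal
# "ssh-... AAAA... comment" line does not have.
extract_keys() {
    awk '
        function flush() {
            if (buf ~ /^sshPublicKey: /) print substr(buf, 15)
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END { flush() }
    '
}

# Query the directory for the user's keys; returns 1 for a rejected name.
lookup_keys() {
    valid_uid "$1" || return 1
    ldapsearch -x -LLL -H "ldap://$LDAP_HOST" -b "$LDAP_BASE" \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey | extract_keys
}

# Only do the lookup when sshd actually passed a login name.
[ $# -eq 0 ] || lookup_keys "$1"
```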
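With the schema loaded, the subtree that the client's sudoers_base points at still has to contain sudoRole entries. The following script is added here as an example and is not part of the wiki's own setup: it creates ou=sudoers with a cn=defaults entry and one role, using the attributes from sudo.schema. It assumes the admin DN from the phpLDAPAdmin configuration and the server IP on this page; the group name admins and the host name ldapserver are placeholders.

```shell
#!/bin/sh
# Example (not the wiki's own setup): populate ou=sudoers with a defaults
# entry and one sudoRole, using the attributes defined in sudo.schema.
LDAP_URI="ldap://192.168.1.177"                 # server from this page
ADMIN_DN="cn=admin,dc=ackspace,dc=nl"           # bind DN from config.php
SUDOERS_BASE="ou=sudoers,dc=ackspace,dc=nl"     # what sudoers_base points at

# The container plus cn=defaults, which sudo reads for global sudoOption values.
base_ldif() {
    printf 'dn: %s\nobjectClass: organizationalUnit\nou: sudoers\n\n' "$SUDOERS_BASE"
    printf 'dn: cn=defaults,%s\nobjectClass: top\nobjectClass: sudoRole\ncn: defaults\n' "$SUDOERS_BASE"
    printf 'sudoOption: env_reset\n\n'
}

# Emit one sudoRole. Usage: sudo_role_ldif CN SUDOUSER SUDOHOST CMD [CMD...]
# sudo matches sudoCommand against the fully qualified path the user runs,
# so a relative command name gives a rule that never fires; reject it here
# instead of storing a dead rule.
sudo_role_ldif() {
    cn=$1; user=$2; host=$3
    shift 3
    [ $# -gt 0 ] || return 1
    for cmd; do
        case "$cmd" in
            ALL|/*) ;;
            *) echo "sudo_role_ldif: '$cmd' is not an absolute path" >&2; return 1 ;;
        esac
    done
    printf 'dn: cn=%s,%s\nobjectClass: top\nobjectClass: sudoRole\ncn: %s\n' "$cn" "$SUDOERS_BASE" "$cn"
    printf 'sudoUser: %s\nsudoHost: %s\n' "$user" "$host"
    for cmd; do printf 'sudoCommand: %s\n' "$cmd"; done
    echo
}

# Placeholder role: members of group 'admins' may restart slapd on host 'ldapserver'.
apply() {
    { base_ldif; sudo_role_ldif admins-restart-slapd '%admins' ldapserver \
          '/usr/sbin/service slapd restart'; } |
        ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -W
}

# Run as "./script apply" to write the entries to the server.
if [ "${1:-}" = apply ]; then apply; fi
```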
==== /etc/ldap.conf ====

If '''/etc/ldap.conf''' doesn't exist yet, create it. Make sure it has at least the following lines in it:

<pre>
URI ldap://192.168.1.177
sudoers_base ou=sudoers,dc=ackspace,dc=nl
</pre>

==== /etc/nsswitch.conf ====

Make sure '''/etc/nsswitch.conf''' has the following line in it:

<pre>
sudoers: ldap files
</pre>

Be aware that any matches found in LDAP will be overwritten if they are found in the regular files.

=== Restart services ===

When you restart the '''nscd''' and '''ssh''' services you will be up and running. Sign in to the computer/VM with your LDAP account to verify that it works.

= Account =

To obtain a user on the LDAP server, contact [[User:Stuiterveer|Stuiterveer]].

== Reset password ==

To reset your password, visit '''192.168.1.177''' in the browser. Fill in the following credentials:

* '''Login DN''': cn=''YOUR_USERNAME'',ou=users,dc=ackspace,dc=nl (replace ''YOUR_USERNAME'' with your own LDAP username)
* '''Password''': your LDAP password

Select your user on the left and fill in the new password in the "password" field. Select "Update Object" when you're done.

= References =

<references />