NOTE: I recommend you make a common normal user with sudo access for both the server and client. "regular" might be a good idea, but you're free to choose what you like. :) Shell commands enumerated below are to be executed as user "root".
OpenLDAP server setup
- Set up a minimal Debian 12 64-bit. Deselect everything in the "Software selection" (tasksel) window.
- Note your host name and domain name, and substitute when necessary. I used "server" for the host name, and "ldap.lan" for the domain name.
-
# Remove CDROM from /etc/apt/sources.list and then
apt-get update
apt-get upgrade
apt-get install net-tools openssh-server openssh-client sudo
usermod -a -G sudo regular # This command adds user "regular" to group "sudo".
-
# Edit /etc/hosts appropriately. Make sure it has something like this (note that you need to substitute "192.168.1.2" with your IP):
192.168.1.2 ldap.lan server.ldap server.ldap.lan server
-
# Also, comment out "127.0.1.1 server.ldap.lan server" in /etc/hosts if it's there.
- apt-get install slapd ldap-utils migrationtools
- You will be prompted for the LDAP admin password. Please remember it. No special characters, please.
- mv /etc/ldap/slapd.d /etc/ldap/slap.d.orig
-
dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name: ldap.lan
Organization name: ldap
Password: Use the one you entered in step 7 (the admin password you were prompted for when slapd was installed).
Do you want the database to be removed when slapd is purged? Yes
Move old database? Yes
-
systemctl restart slapd.service
-
# Edit /etc/migrationtools/migrate_common.ph . Look for the following variables, and assign them as such:
$DEFAULT_MAIL_DOMAIN = "ldap.lan";
$DEFAULT_BASE = "dc=ldap,dc=lan";
-
apt-get install libfile-which-perl
- cd /usr/share/migrationtools/
- ./migrate_group.pl /etc/group ~/group.ldif
- ./migrate_passwd.pl /etc/passwd ~/passwd.ldif
- cd ~
-
# Make a frontend.ldap.lan.ldif file with the following contents:
dn: ou=People,dc=ldap,dc=lan
objectclass: organizationalUnit
objectclass: top
ou: People

dn: ou=Group,dc=ldap,dc=lan
objectclass: organizationalUnit
objectclass: top
ou: Group
-
Now we add the LDIF in the following way, entering your admin LDAP password when prompted (the one you set during step 7 of "OpenLDAP server setup"):
ldapadd -x -D cn=admin,dc=ldap,dc=lan -W -f frontend.ldap.lan.ldif
ldapadd -x -D cn=admin,dc=ldap,dc=lan -W -f group.ldif
ldapadd -x -D cn=admin,dc=ldap,dc=lan -W -f passwd.ldif
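As an added example (not from the original guide), the following Python script filters the passwd.ldif produced by migrate_passwd.pl so that only regular accounts (uidNumber >= 1000, Debian's default UID_MIN) are handed to ldapadd: by default the migration script copies every /etc/passwd entry, root and the system daemons included, together with their password hashes. The SAMPLE input is constructed, with placeholder hashes; run it as `python3 filter_ldif.py` after pointing `filter_regular_accounts` at the real ~/passwd.ldif.

```python
# Added example, not from the original guide: filter migrate_passwd.pl's passwd.ldif so
# only regular users are imported; root (uidNumber 0) and system daemons stay out.
UID_MIN = 1000  # Debian's default UID_MIN from /etc/login.defs

def parse_ldif(text):
    """Split LDIF into entries (lists of lines); blank lines separate, ' ' lines unfold."""
    entries, current = [], []
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = []
        elif line.startswith(" ") and current:
            current[-1] += line[1:]  # LDIF folding: join with previous line
        else:
            current.append(line)
    return entries

def attr_values(entry, name):
    """All values of `name` (case-insensitive), tolerating the '::' base64 form."""
    vals = []
    for line in entry:
        attr, sep, val = line.partition(":")
        if sep and attr.strip().lower() == name.lower():
            vals.append(val.lstrip(": "))
    return vals

def is_regular_account(entry):
    """posixAccount with exactly one numeric uidNumber >= UID_MIN."""
    classes = {c.lower() for c in attr_values(entry, "objectClass")}
    uids = attr_values(entry, "uidNumber")
    return ("posixaccount" in classes and len(uids) == 1
            and uids[0].isdigit() and int(uids[0]) >= UID_MIN)

def filter_regular_accounts(text):
    """LDIF text containing only the regular-user entries, ready for ldapadd."""
    kept = [e for e in parse_ldif(text) if is_regular_account(e)]
    return "".join("\n".join(e) + "\n\n" for e in kept)

# Constructed sample shaped like migrate_passwd.pl output; hashes are placeholders.
SAMPLE = """dn: uid=root,ou=People,dc=ldap,dc=lan
objectClass: posixAccount
uidNumber: 0
userPassword: {crypt}PLACEHOLDER_HASH

dn: uid=regular,ou=People,dc=ldap,dc=lan
objectClass: posixAccount
uidNumber: 1000
userPassword: {crypt}PLACEHOLDER_HASH
"""
```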
-
# To make things handy, you can "sudo apt-get install phpldapadmin". :) Edit /etc/phpldapadmin/config.php, and correct the "$servers->setValue('server','base',array('dc=example,dc=com'));" line. In this example, the proper value is "$servers->setValue('server','base',array('dc=ldap,dc=lan'));". Also, change "$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');" to "$servers->setValue('login','bind_id','cn=admin,dc=ldap,dc=lan');". To access phpldapadmin, fire up a browser and browse http://192.168.1.2/phpldapadmin
- apt-get install nscd nslcd libnss-ldapd libpam-ldapd
- # When asked for "LDAP server URI:", enter "ldap://server.ldap.lan/"
- # When asked for the "LDAP server search base:", enter "dc=ldap,dc=lan"
- # When asked for "Name services to configure:", choose "passwd", "group", and "shadow".
- mkdir /home/users
-
# Edit "/etc/pam.d/common-account", and append the following line:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
-
# In the server: "sudo reboot". Logins through the server will be done through LDAP after a successful reboot. It may take a little while after the "login:" prompt appears before you can successfully log in.
- # To create a user:
Open in a browser (substitute IP if necessary): http://192.168.1.2/phpldapadmin
Login, then expand "dc=ldap,dc=lan (2)".
Expand "ou=People".
Click "Create new entry here".
Select the "Generic: User Account" template.
Supply the requested information for the new user. I suggest you use "users" for the "GID Number" option. And don't forget to give a shell ("bash" may be a good idea).
OpenLDAP client setup
- Set up Debian 12 64-bit (this guide will also work with a minimal install). I used hostname "client001" and domain "ldap.lan".
-
Remove CDROM from /etc/apt/sources.list. Then:
apt-get update
apt-get upgrade
apt-get install net-tools openssh-server openssh-client
-
vi /etc/hosts # and add:
192.168.1.2 ldap.lan server.ldap.lan server ldap
-
apt-get install libnss-ldapd libpam-ldapd nscd
LDAP server URI: ldap://server.ldap.lan/
LDAP server search base: dc=ldap,dc=lan
Name services to configure: passwd, group, and shadow
-
mkdir /home/users
-
# Edit "/etc/pam.d/common-account", and append the following line:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
-
pam-auth-update # Make sure that "LDAP Authentication" is the ONLY enabled option!
-
# The following steps are needed to give "sudo su -" access to a user (this is the only way to get root access on OpenLDAP clients set up with this procedure). Please make sure you do this for at least one user, otherwise you'll be locked out of root access.
apt-get install sudo
usermod -a -G sudo regular # This command adds user "regular" to group "sudo".
-
reboot
- It may take a while to log in successfully after the "login:" prompt appears.