
Setup A Minimal Debian64 12 OpenLDAP Server and Client

Happy Chinese New Year. I welcome the Year of the Wood Snake with a blog post on how to set up a minimal Debian64 12 OpenLDAP server and client.

NOTE: I recommend you make a common normal user with sudo access for both the server and client. “regular” might be a good idea, but you’re free to choose what you like. :) Shell commands enumerated below are to be executed as user “root”.

OpenLDAP server setup

  1. Set up a minimal Debian 12 64-bit install. Deselect everything in the “Software selection” (tasksel) window.

  2. Note your host name and domain name, and substitute when necessary. I used “server” for the host name, and “ldap.lan” for the domain name.

  3. # Remove CDROM from /etc/apt/sources.list and then

     apt-get update
     apt-get upgrade
     apt-get install net-tools openssh-server openssh-client sudo
     usermod -a -G sudo regular # This command adds user "regular" to group "sudo".
    
  4. # Edit /etc/hosts appropriately. Make sure it has something like this (note that you need to substitute “192.168.1.2” with your IP):

     192.168.1.2 ldap.lan server.ldap server.ldap.lan server
    
  5. # Also, comment out “127.0.1.1 server.ldap.lan server” in /etc/hosts if it’s there.

  6. apt-get install slapd ldap-utils migrationtools

  7. You will be prompted for the LDAP admin password. Please remember it. No special characters, please.

  8. mv /etc/ldap/slapd.d /etc/ldap/slap.d.orig

  9. dpkg-reconfigure slapd

     Omit OpenLDAP server configuration? No
     DNS domain name: ldap.lan
     Organization name: ldap
     Password: Use the one you entered in step 7.
     Do you want the database to be removed when slapd is purged? Yes
     Move old database? Yes
    
  10. systemctl restart slapd.service

  11. # Edit /etc/migrationtools/migrate_common.ph. Look for the following variables and assign them as such:

    $DEFAULT_MAIL_DOMAIN = "ldap.lan";
    $DEFAULT_BASE = "dc=ldap,dc=lan";
    
  12. apt-get install libfile-which-perl

  13. cd /usr/share/migrationtools/

  14. ./migrate_group.pl /etc/group ~/group.ldif

  15. ./migrate_passwd.pl /etc/passwd ~/passwd.ldif

  16. cd ~

  17. # Make a frontend.ldap.lan.ldif file with the following contents:

    dn: ou=People,dc=ldap,dc=lan
    objectclass: organizationalUnit
    objectclass: top
    ou: People
    
    dn: ou=Group,dc=ldap,dc=lan
    objectclass: organizationalUnit
    objectclass: top
    ou: Group
    
  18. Now we add the LDIF in the following way, entering your admin LDAP password when prompted (the one you set during step 7 of “OpenLDAP server setup”):

    ldapadd -x -D cn=admin,dc=ldap,dc=lan -W -f frontend.ldap.lan.ldif
    ldapadd -x -D cn=admin,dc=ldap,dc=lan -W -f group.ldif
    ldapadd -x -D cn=admin,dc=ldap,dc=lan -W -f passwd.ldif
    
  19. # To make things handy, you can “sudo apt-get install phpldapadmin”. :) Edit /etc/phpldapadmin/config.php, and correct the “$servers->setValue('server','base',array('dc=example,dc=com'));” line. In this example, the proper value is “$servers->setValue('server','base',array('dc=ldap,dc=lan'));”. Also, change “$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');” to “$servers->setValue('login','bind_id','cn=admin,dc=ldap,dc=lan');”. To access phpldapadmin, fire up a browser and browse http://192.168.1.2/phpldapadmin

  20. apt-get install nscd nslcd libnss-ldapd libpam-ldapd

  21. # When asked for “LDAP server URI:”, enter “ldap://server.ldap.lan/”

  22. # When asked for the “LDAP server search base:”, enter “dc=ldap,dc=lan”

  23. # When asked for “Name services to configure:”, choose “passwd”, “group”, and “shadow”.

  24. mkdir /home/users

  25. # Edit “/etc/pam.d/common-account”, and append the following line:

    session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
    
  26. # In the server: “sudo reboot”. Logins on the server will be done through LDAP after a successful reboot. It may take a little while after the “login:” prompt appears before you can successfully log in.

  27. # To create a user:

    Open in a browser (substitute the IP if necessary): http://192.168.1.2/phpldapadmin
    Login, then expand "dc=ldap,dc=lan (2)"
    Expand "ou=People".
    Click "Create new entry here"
    Select "Generic: User Account" template.
    Supply the requested information for the new user. I suggest you use "users" for the "GID Number" option. And don't forget to give a shell ("bash" may be a good idea).
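As an added example (not code from the original post), the POSIX shell helpers below cover two points of the server procedure: trimming the LDIF files that migrate_passwd.pl and migrate_group.pl produce in steps 14 and 15 so that only regular accounts are imported in step 18 (Debian allocates regular users and groups from ID 1000, so root and the daemon accounts stay local), and writing a single user entry from the command line instead of the phpldapadmin template of step 27. The base DN dc=ldap,dc=lan and the ou=People container come from step 17; the objectClass set, the /home/users/<login> home path, the function names and the threshold argument are my assumptions. The sample LDIF at the end is constructed in the migration tools' style with password hashes replaced by placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: two LDIF helpers for the
# server steps above. Assumes the base DN dc=ldap,dc=lan and the ou=People
# container from step 17, and the /home/users home root from step 24.

# keep_regular_accounts FILE MIN_ID
# Copy the LDIF written by migrate_passwd.pl / migrate_group.pl, keeping only
# entries whose uidNumber (or, for groups, gidNumber) is at least MIN_ID.
# Entries carrying neither attribute are passed through unchanged.
keep_regular_accounts() {
    awk -v min="$2" '
        BEGIN { RS = ""; ORS = "\n\n" }   # paragraph mode: one LDIF entry per record
        {
            has_uid = 0; has_gid = 0
            n = split($0, line, "\n")
            for (i = 1; i <= n; i++) {
                if (line[i] ~ /^uidNumber: /) { uid = substr(line[i], 12) + 0; has_uid = 1 }
                else if (line[i] ~ /^gidNumber: /) { gid = substr(line[i], 12) + 0; has_gid = 1 }
            }
            if (has_uid)      id = uid
            else if (has_gid) id = gid
            else { print; next }
            if (id >= min) print
        }' "$1"
}

# make_user_ldif LOGIN "FULL NAME" UIDNUMBER GIDNUMBER PASSWORD_HASH
# Print an entry equivalent to the "Generic: User Account" template of step
# 27 (objectClass choice is mine), ready for ldapadd as in step 18. Produce
# the hash with slappasswd, which prompts for the password and prints it.
make_user_ldif() {
    login=$1; fullname=$2; uidnum=$3; gidnum=$4; hash=$5
    surname=${fullname##* }   # sn is mandatory for inetOrgPerson; use the last word
    cat <<EOF
dn: uid=${login},ou=People,dc=ldap,dc=lan
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ${login}
cn: ${fullname}
sn: ${surname}
uidNumber: ${uidnum}
gidNumber: ${gidnum}
homeDirectory: /home/users/${login}
loginShell: /bin/bash
userPassword: ${hash}
EOF
}

# sample_passwd_ldif: constructed sample in migrate_passwd.pl's style (hashes
# replaced by placeholders) so the filter can be tried without a real file.
sample_passwd_ldif() {
    cat <<'EOF'
dn: uid=root,ou=People,dc=ldap,dc=lan
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}PLACEHOLDER
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=daemon,ou=People,dc=ldap,dc=lan
uid: daemon
cn: daemon
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}*
loginShell: /usr/sbin/nologin
uidNumber: 1
gidNumber: 1
homeDirectory: /usr/sbin

dn: uid=regular,ou=People,dc=ldap,dc=lan
uid: regular
cn: regular
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}PLACEHOLDER
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/regular
EOF
}
```

Source the file on the server after step 16 and run “keep_regular_accounts ~/passwd.ldif 1000 > ~/passwd.users.ldif” (and the same for group.ldif), then point the ldapadd lines of step 18 at the filtered files. To add a user without phpldapadmin: “make_user_ldif alice 'Alice Example' 1001 100 "$(slappasswd)" | ldapadd -x -D cn=admin,dc=ldap,dc=lan -W”.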
    

OpenLDAP client setup

  1. Set up Debian 12 64-bit (this guide will also work with a minimal install). I used hostname “client001” and domain “ldap.lan”.

  2. Remove CDROM from /etc/apt/sources.list. Then:

     apt-get update
     apt-get upgrade
     apt-get install net-tools openssh-server openssh-client
    
  3. vi /etc/hosts # and add:

     192.168.1.2 ldap.lan server.ldap.lan server ldap
    
  4. apt-get install libnss-ldapd libpam-ldapd nscd

     LDAP server URI: ldap://server.ldap.lan/
     LDAP server search base: dc=ldap,dc=lan
     Name services to configure: passwd, group, and shadow
    
  5. mkdir /home/users

  6. # Edit “/etc/pam.d/common-account”, and append the following line:

     session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
    
  7. pam-auth-update # Make sure that “LDAP Authentication” is the ONLY enabled option!

  8. # The following steps are needed to give “sudo su -” access (this is the only way to get root access on OpenLDAP clients set up with this procedure) to a user. Please make sure you do this for at least one user, otherwise you’ll be locked out of root access.

     apt-get install sudo
     usermod -a -G sudo regular # This command adds user "regular" to group "sudo".
    
  9. reboot

  10. It may take a while to successfully log in after the “login:” prompt appears.
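As an added example (not code from the original post), here is a POSIX shell check for a client configured by steps 3 to 8: it confirms that nsswitch.conf sends passwd, group and shadow lookups to ldap, that nslcd.conf carries the URI and search base from step 4, that the pam_mkhomedir.so line from step 6 is present, and that the sudo group from step 8 has at least one member so root is still reachable. Every check takes the file to inspect as an argument so it can be run on copies; check_client defaults to the live files under /etc. The function names and the constructed sample files at the end are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for a client
# configured by steps 3-8 above. Expected uri and base are those of step 4.

# nss_uses_ldap FILE SERVICE: true when the SERVICE line of nsswitch.conf
# lists the "ldap" source (written by the "Name services to configure" answer).
nss_uses_ldap() {
    awk -v svc="$2" '
        $1 == (svc ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# nslcd_value FILE KEY: print the value of KEY (e.g. uri, base) in nslcd.conf.
nslcd_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# pam_has_module FILE MODULE: true when a non-comment line of the pam.d file
# references MODULE.
pam_has_module() {
    grep -v '^[[:space:]]*#' "$1" | grep -q "$2"
}

# sudo_members FILE: print the members of group "sudo" from /etc/group, one
# per line. Empty output means step 8 was skipped and nobody can reach root.
sudo_members() {
    awk -F: '$1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# check_client [NSSWITCH] [NSLCD] [COMMON_ACCOUNT] [GROUP]
# Run every check; print one line per problem and return non-zero if any failed.
check_client() {
    nss=${1:-/etc/nsswitch.conf}; nslcd=${2:-/etc/nslcd.conf}
    pam=${3:-/etc/pam.d/common-account}; group=${4:-/etc/group}
    rc=0
    for svc in passwd group shadow; do
        nss_uses_ldap "$nss" "$svc" || { echo "$nss: $svc does not use ldap"; rc=1; }
    done
    [ "$(nslcd_value "$nslcd" uri)" = "ldap://server.ldap.lan/" ] || { echo "$nslcd: uri is not ldap://server.ldap.lan/"; rc=1; }
    [ "$(nslcd_value "$nslcd" base)" = "dc=ldap,dc=lan" ] || { echo "$nslcd: base is not dc=ldap,dc=lan"; rc=1; }
    pam_has_module "$pam" pam_mkhomedir.so || { echo "$pam: pam_mkhomedir.so line missing (step 6)"; rc=1; }
    [ -n "$(sudo_members "$group")" ] || { echo "$group: nobody in sudo, root would be unreachable (step 8)"; rc=1; }
    return $rc
}

# write_sample_client_files DIR: constructed copies of the four files as they
# would look after the client steps, for trying the checks offline.
write_sample_client_files() {
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:         files systemd ldap
group:          files systemd ldap
shadow:         files ldap
hosts:          files dns
EOF
    cat > "$1/nslcd.conf" <<'EOF'
# /etc/nslcd.conf (constructed sample)
uid nslcd
gid nslcd
uri ldap://server.ldap.lan/
base dc=ldap,dc=lan
EOF
    cat > "$1/common-account" <<'EOF'
# /etc/pam.d/common-account (constructed sample)
account required pam_ldap.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:regular
users:x:100:
EOF
}
```

On a real client, source the file as root and run “check_client” with no arguments before the reboot of step 9; an empty output and a zero exit status mean the four files match what the procedure expects.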
