LDAP (Lightweight Directory Access Protocol) is used here as a central directory for user information. All clients authenticate against a single LDAP server, so no machine needs its own copy of every account.
To authenticate clients we need to configure both the server and the client machines.
This configuration is for the deepOfix server and works with Debian clients (the client side is much the same on most other Linux distributions).
SERVER SIDE CONFIGURATION:
1. Configure /var/easypush/ldap/etc/openldap/slapd.conf file as follows:
# Both lines enable legacy behaviour (LDAPv2 binds, and anonymous binds that
# carry a DN); drop them unless a client actually needs them.
allow bind_v2
allow bind_anon_dn
# loglevel 0 logs nothing at all; "loglevel stats" records binds and operations,
# which is what you want when looking into failed or suspicious logins.
loglevel 0
# core.schema defines the attributes the other schema files build on, so it has
# to be included before them.
include /var/easypush/ldap/etc/openldap/schema/core.schema
include /var/easypush/ldap/etc/openldap/schema/addressbook.schema
include /var/easypush/ldap/etc/openldap/schema/cosine.schema
include /var/easypush/ldap/etc/openldap/schema/inetorgperson.schema
include /var/easypush/ldap/etc/openldap/schema/nis.schema
include /var/easypush/ldap/etc/openldap/schema/samba.schema
include /var/easypush/ldap/etc/openldap/schema/qmail.schema
include /var/easypush/ldap/etc/openldap/schema/deepofixuser.schema
pidfile /var/easypush/ldap/var/run/slapd.pid
argsfile /var/easypush/ldap/var/run/slapd.args
database bdb
suffix "dc=mnit,dc=ac,dc=in"
# The rootdn bypasses every access directive below; because of the hash on the
# next line this file should be readable by root only.
rootdn "uid=easypush,ou=people,dc=mnit,dc=ac,dc=in"
rootpw {SSHA}*************
directory /var/easypush/ldap/var/openldap-data
index objectClass eq
# Access directives are evaluated in order: the first "access to" whose target
# matches the entry (and attribute) decides, and later ones are not consulted.
# Continuation lines ("by ...") must start with whitespace.
access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
    by dn="uid=easypush,ou=people,dc=mnit,dc=ac,dc=in" write
    by anonymous auth
    by self write
    by * none
# This directive matches every entry under the suffix, so it also decides access
# for ou=people, ou=group and ou=addressbook: the four directives after it are
# never reached. Note that "by self write" lets a user modify every non-password
# attribute of their own entry, including uidNumber, gidNumber, homeDirectory and
# loginShell, which the clients configured below use for the account's UID, GID,
# home directory and shell; if that is not intended, put a stricter
# "access to attrs=uidNumber,gidNumber,..." directive ahead of this one.
access to dn.subtree="dc=mnit,dc=ac,dc=in"
    by dn="uid=easypush,ou=people,dc=mnit,dc=ac,dc=in" write
    by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
    by self write
    by users read
access to dn.subtree="ou=people,dc=mnit,dc=ac,dc=in"
    by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
    by users read
access to dn.subtree="ou=group,dc=mnit,dc=ac,dc=in"
    by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
    by users read
access to dn.subtree="ou=addressbook,dc=mnit,dc=ac,dc=in"
    by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
    by users read
# Unreachable for the same reason (the documented form would be "by * none").
access to dn.subtree="dc=mnit,dc=ac,dc=in" by none
cachesize 1500
sizelimit 1500
TLSCertificateFile "/var/easypush/etc/certificates/server.crt"
TLSCertificateKeyFile "/var/easypush/etc/certificates/server.ke
2. Now add the users to the LDAP directory through the EasyPush server manager.
To do this, open the Mozilla Firefox browser on any machine and go to:
https://192.168.1.12:4080/
The EasyPush server manager opens, and user accounts can be added from there.
3. After this, start the standalone LDAP server, slapd:
# sv -v up slapd
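Because the first matching directive decides, it is worth checking what the directives in the slapd.conf above actually grant before relying on them. The following is an added example, not code from this page or from deepOfix/EasyPush: it parses the access directives copied from the slapd.conf above and evaluates them the way slapd does (first matching "access to" selects the target, first matching "by" inside it gives the level; a granted level implies every lower one, none < disclose < auth < compare < search < read < write < manage), reports which directives can never be reached, and then shows a hardening directive (my addition) that takes the POSIX identity attributes out of the reach of "by self write". The entry uid=alice is constructed for illustration. Simplifications that are assumptions of this model: an unqualified dn= in a by clause is treated as an exact DN match, DNs are compared case-folded with blanks after commas removed, and a target that no directive selects is reported as "none" (slapd's real fallback for that case is described in slapd.access(5)).

```python
"""Evaluate slapd.conf access directives under OpenLDAP's first-match rule."""
import re
# The access directives from the slapd.conf above, as written there.
PAGE_ACL = '''access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
    by dn="uid=easypush,ou=people,dc=mnit,dc=ac,dc=in" write
    by anonymous auth
    by self write
    by * none
access to dn.subtree="dc=mnit,dc=ac,dc=in"
    by dn="uid=easypush,ou=people,dc=mnit,dc=ac,dc=in" write
    by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
    by self write
    by users read
access to dn.subtree="ou=people,dc=mnit,dc=ac,dc=in"
    by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
    by users read
access to dn.subtree="ou=group,dc=mnit,dc=ac,dc=in"
    by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
    by users read
access to dn.subtree="ou=addressbook,dc=mnit,dc=ac,dc=in"
    by dn="uid=deepofix,ou=people,dc=mnit,dc=ac,dc=in" read
    by users read
access to dn.subtree="dc=mnit,dc=ac,dc=in" by none
'''
# Hardening (my addition, not from the page): a directive for the POSIX identity
# attributes placed ahead of the catch-all, so "by self write" cannot reach them.
POSIX_CLAUSE = '''access to attrs="uidNumber,gidNumber,homeDirectory,loginShell,memberUid"
    by dn="uid=easypush,ou=people,dc=mnit,dc=ac,dc=in" write
    by users read
    by * none
'''
CATCH_ALL = 'access to dn.subtree="dc=mnit,dc=ac,dc=in"\n'
HARDENED_ACL = PAGE_ACL.replace(CATCH_ALL, POSIX_CLAUSE + CATCH_ALL, 1)

SEL_RE = re.compile(r'(?P<key>attrs|dn\.subtree)="(?P<val>[^"]*)"')
WHO_RE = re.compile(r'^\s*(?:dn(?:\.exact)?="(?P<dn>[^"]*)"|(?P<kw>anonymous|users|self|\*))?'
                    r'\s*(?P<level>[a-z]+)\s*$')

def norm(dn):  # simplified DN normalisation: case-fold, drop blanks after commas
    return re.sub(r",\s*", ",", dn.strip()).lower()

def in_subtree(entry, base):
    return norm(entry) == norm(base) or norm(entry).endswith("," + norm(base))

def parse_acl(text):
    """-> [{'attrs': [..] or None, 'base': DN or None, 'by': [((kind, dn), level), ..]}]"""
    clauses = []
    for block in re.split(r"^\s*access\s+to\s+", text, flags=re.M)[1:]:
        what, *bys = re.split(r"\s+by\s+", block.strip())
        sel = {m["key"]: m["val"] for m in SEL_RE.finditer(what)}
        attrs = [a.strip().lower() for a in sel["attrs"].split(",")] if "attrs" in sel else None
        by = []
        for b in bys:
            m = WHO_RE.match(b)
            who = ("dn", m["dn"]) if m["dn"] is not None else (m["kw"] or "*", None)
            by.append((who, m["level"]))   # a bare level ("by none") is read as "by * none"
        clauses.append({"attrs": attrs, "base": sel.get("dn.subtree"), "by": by})
    return clauses

def what_matches(c, entry, attr):
    if c["base"] is not None and not in_subtree(entry, c["base"]):
        return False
    return c["attrs"] is None or (attr is not None and attr.lower() in c["attrs"])

def who_matches(who, subject, entry):   # subject: bound DN, or None when anonymous
    kind, val = who
    if kind in ("*", "anonymous"):
        return kind == "*" or subject is None
    if subject is None:                 # users, self and dn= all need an authenticated bind
        return False
    return kind == "users" or norm(subject) == norm(entry if kind == "self" else val)

def evaluate(clauses, subject, entry, attr=None):
    """(index, level): the first directive selecting the target decides, and the first
    <by> inside it that fits the requester gives the level."""
    for i, c in enumerate(clauses):
        if what_matches(c, entry, attr):
            for who, level in c["by"]:
                if who_matches(who, subject, entry):
                    return i, level
            return i, "none"   # selected, but no <by> fits: later directives are not consulted
    return None, "none"        # nothing selected the target; slapd's fallback: slapd.access(5)

def shadowed(clauses):
    """Indices of directives an earlier directive fully covers, so slapd never reaches them."""
    dead = []
    for i, c in enumerate(clauses):
        for p in clauses[:i]:
            attrs_ok = p["attrs"] is None or (c["attrs"] is not None and set(c["attrs"]) <= set(p["attrs"]))
            dn_ok = p["base"] is None or (c["base"] is not None and in_subtree(c["base"], p["base"]))
            if attrs_ok and dn_ok:
                dead.append(i)
                break
    return dead

if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=mnit,dc=ac,dc=in"   # constructed user entry
    page, hard = parse_acl(PAGE_ACL), parse_acl(HARDENED_ACL)
    print(evaluate(page, alice, alice, "uidNumber"), shadowed(page))   # (1, 'write') [2, 3, 4, 5]
    print(evaluate(hard, alice, alice, "uidNumber"))                   # (1, 'read')
```

With the page's directives an ordinary user reaches the catch-all directive for their own uidNumber and gets write; with the extra attrs directive in front, the same request stops at that directive and gets read, while uid=easypush keeps write. The model only covers the dn.subtree/attrs selectors and the anonymous/users/self/dn who-clauses used on this page; anything else would need extending it.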
CLIENT SIDE CONFIGURATION:
A. Install the following packages (on Debian):
# apt-get install libpam-ldap libnss-ldap nscd
(The name service switch itself is part of the C library and is configured through /etc/nsswitch.conf; it is not a separate package.)
B. Change the following configuration files:
1. /etc/libnss-ldap.conf
# This file has to be readable by every local user (NSS lookups run in every
# process) and bindpw is stored in clear text, so the bind account should be one
# that can only read what NSS needs, never the rootdn. If the bind password must
# stay private, use "rootbinddn" with the password in /etc/libnss-ldap.secret
# (mode 0600) instead. Add "ssl start_tls" (with tls_cacertfile) so that neither
# the bind password nor the directory contents cross the network in clear text;
# the server above already carries TLS certificate directives.
host 192.168.1.20
base dc=mnit,dc=ac,dc=in
ldap_version 3
binddn uid=admin,ou=people,dc=mnit,dc=ac,dc=in
bindpw ******
2. /etc/pam_ldap.conf
# Same remarks as for /etc/libnss-ldap.conf: protect bindpw (pam_ldap reads
# /etc/pam_ldap.secret when rootbinddn is used) and enable "ssl start_tls".
host 192.168.1.20
base dc=mnit,dc=ac,dc=in
ldap_version 3
pam_password_prohibit_message Please change the password using the EasyPush Server Manager.
binddn uid=admin,ou=people,dc=mnit,dc=ac,dc=in
bindpw ******
3. /etc/nsswitch.conf (the file is nsswitch.conf, not nss-switch.conf)
# Sources are tried in the order given: local files (compat) first, then LDAP.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
4. /etc/ldap/ldap.conf
# libldap reads base and uri from this file. The uri is plain ldap://, which
# sends everything in clear text; use ldaps:// (with TLS_CACERT pointing at the
# CA of the server certificate) instead. The remaining lines are pam_ldap and
# nss_ldap settings and take effect only in /etc/pam_ldap.conf and
# /etc/libnss-ldap.conf.
base dc=mnit,dc=ac,dc=in
uri ldap://192.168.1.20:389
ldap_version 3
scope sub
pam_login_attribute uid
pam_filter objectClass=posixAccount
5. /etc/pam.d/common-auth
# pam_ldap is tried first; if it does not succeed (wrong password, user not in
# LDAP, or server unreachable) the local password database is consulted, so root
# and other local accounts keep working when the LDAP server is down. Adding
# use_first_pass to pam_unix avoids a second password prompt in that case.
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure
6. /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
7. /etc/pam.d/common-session
# pam_mkhomedir creates the home directory on first login; because it is
# "required", the session is refused if the directory cannot be created.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_foreground.so
session sufficient pam_ldap.so
session required pam_unix.so
Now restart the client machine (or at least restart nscd, so that cached lookups are discarded) and log in as any of the users added to the LDAP directory through the EasyPush server manager. If the correct password is given, the user is authenticated and gets their own home directory, created by pam_mkhomedir on first login.
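How the control flags in the three common-* files combine is easy to get wrong, so here is an added example (not from this page, and not Linux-PAM's own code) that models Linux-PAM's evaluation of required, requisite, sufficient and optional as pam.conf(5) describes them, applied to the common-auth, common-account and common-session stacks above with the module arguments dropped. Each module's own verdict is supplied by hand, so it runs without PAM or an LDAP server; the verdict dictionaries are constructed scenarios.

```python
"""Model Linux-PAM's evaluation of the control flags used in the common-* files above."""

# The stacks from /etc/pam.d/common-auth, common-account and common-session above,
# with the module arguments dropped.
COMMON_AUTH = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]
COMMON_ACCOUNT = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]
COMMON_SESSION = [("required", "pam_mkhomedir.so"), ("optional", "pam_foreground.so"),
                  ("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]

def run_stack(stack, verdicts):
    """Return (granted, modules_actually_called) for one PAM stack.

    verdicts maps a module name to True (PAM_SUCCESS) or False (any failure code).
    The rules are the legacy keywords as pam.conf(5) expands them:
      required    success=ok   default=bad     failure is remembered, the stack goes on
      requisite   success=ok   default=die     failure ends the stack immediately
      sufficient  success=done default=ignore  success ends the stack, unless a required
                                               or requisite module has already failed
      optional    success=ok   default=ignore
    The result is success only if some module left a positive impression and no
    required/requisite module failed; if no module left any impression, access is denied.
    """
    impression = None          # None: undefined, True: positive, False: negative
    called = []
    for control, module in stack:
        ok = verdicts[module]
        called.append(module)
        if ok:                                        # ok / done
            if impression is None:
                impression = True
            if control == "sufficient" and impression:
                return True, called
        elif control in ("required", "requisite"):    # bad / die
            impression = False
            if control == "requisite":
                return False, called
        # a failing sufficient or optional module is ignored
    return impression is True, called

def login(auth, account, session):
    """Run the three stacks the way a login program does, stopping at the first denial.
    Returns ("ok", modules called in the session stack) or (stack that denied, modules called)."""
    stages = (("auth", COMMON_AUTH, auth), ("account", COMMON_ACCOUNT, account),
              ("session", COMMON_SESSION, session))
    for name, stack, verdicts in stages:
        granted, called = run_stack(stack, verdicts)
        if not granted:
            return name, called
    return "ok", called

if __name__ == "__main__":
    # A user that exists only in LDAP: pam_unix cannot know them, so its verdict is False.
    ldap_only = {"pam_ldap.so": True, "pam_unix.so": False}
    all_ok = {"pam_mkhomedir.so": True, "pam_foreground.so": True,
              "pam_ldap.so": True, "pam_unix.so": True}
    print(login(ldap_only, ldap_only, all_ok))       # ('ok', [mkhomedir, foreground, ldap])
    # Same user, but the home directory cannot be created (for example /home not writable).
    no_home = dict(all_ok, **{"pam_mkhomedir.so": False})
    print(login(ldap_only, ldap_only, no_home))       # ('session', all four modules)
```

Two things the model makes explicit: in common-auth, pam_unix is consulted only when pam_ldap does not succeed, which is what keeps root and other local accounts usable when the LDAP server is down; and in common-session a failure of the required pam_mkhomedir denies the session even though the sufficient pam_ldap succeeds afterwards, because a sufficient success cannot override an earlier required failure. Note also that once pam_ldap's session succeeds the stack stops, so pam_unix's session module is not run for directory users.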