
Revision of centralized authentication and user information from Mon, 06/06/2005 - 1:16pm


So I will try to implement this, but I have no idea what to do; anyway, we'll see (I hope someone helps).

Packages installed:

  • openldap-servers-2.2.13-2
  • openldap-clients-2.2.13-2
  • nss_ldap-220-3
  • openldap-devel-2.2.13-2
  • openldap-2.2.13-2

Configuration files:

  • /etc/openldap/slapd.conf (server conf)
  • /etc/ldap.conf (client application conf)

After installing the packages, start by editing /etc/openldap/slapd.conf:


#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema

pidfile		/var/run/slapd.pid
argsfile	/var/run/slapd.args

## ACL ##

access to * by * read

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database	bdb
suffix		"dc=lab,dc=local"
rootdn		"cn=admin,dc=lab,dc=local"
rootpw		{crypt}

defaultaccess   read

directory	/var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
#index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
#index nisMapName,nisMapEntry            eq,pres,sub

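The global `access to * by * read` above lets anyone, including anonymous binds, read every attribute, the userPassword hashes included. As an added example (not the original page's configuration), here is the ACL set I would place after the `directory` line of the bdb database instead of that global rule; nss_ldap clients that bind anonymously keep read access to the account attributes they need:

```conf
# Added example: per-database ACLs for dc=lab,dc=local, placed after the
# "directory /var/lib/ldap" line of the bdb database (not the page's config).
# slapd evaluates "access to" clauses in order and uses the first whose
# <what> matches, so the password rule must come before the catch-all.

# userPassword: never readable. The entry owner may change it, anonymous
# binds may only use it to authenticate (the compare done during bind),
# everyone else gets nothing. With "by * read" the {crypt} hashes leak.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# shadowLastChange: the owner must be able to update it when changing a
# password; clients still read it for pam_ldap password-ageing checks.
access to attrs=shadowLastChange
        by self write
        by * read

# Everything else (uid, uidNumber, gidNumber, homeDirectory, ...): readable
# by all so nss_ldap lookups work over an anonymous bind. Deliberately no
# "by self write" here, otherwise a user could rewrite their own uidNumber
# or gidNumber. Writes go through the rootdn, which bypasses ACLs.
access to *
        by * read
```
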
Now some concepts (don't rely on me for concepts); these are my two cents' worth of notes on understanding this:

  • LDAP data is stored in the database backend as objects
  • An LDAP object is a set of attributes
  • Each object has a DN (distinguished name) that identifies it uniquely
  • Objects in an LDAP database are organized into a tree hierarchy, based on their DN
  • The tree should go from the top to the bottom of your organization, for example: "com -> company -> OU (organizational unit) -> user"
  • Each application needs/understands certain attributes

Example of an entry for a user (note the DN that identifies it, followed by the set of attributes holding the details):


dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
uid: john
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/john
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount

Now the most important thing, the real trick, is to figure out what to put in the LDIF file (that took a lot of time and reading; luckily for you I did my homework, so you can skip that time, I hope). Here is my sample file:


# Base entry: must match the "suffix" in slapd.conf
dn: dc=lab,dc=local
objectClass: top
objectClass: organization
objectClass: dcObject
o: Opencraft labs
dc: lab

# Container for user accounts
dn: ou=users,dc=lab,dc=local
ou: users
objectClass: top
objectClass: organizationalUnit

# Container for groups
dn: ou=groups,dc=lab,dc=local
ou: groups
objectClass: top
objectClass: organizationalUnit

# A POSIX group; memberUid values are login names (the uid attribute of users)
dn: cn=engineering,ou=groups,dc=lab,dc=local
objectClass: top
objectClass: posixGroup
cn: engineering
gidNumber: 500
memberUid: foo

# A user account: posixAccount/shadowAccount for PAM and NSS,
# inetOrgPerson for the address-book style attributes
dn: cn=ramez hanna,ou=users,dc=lab,dc=local
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: ramez
# Hashed password; slapd stores this value verbatim
userPassword: {crypt}
uidNumber: 500
gidNumber: 500
gecos: ramez zoheir hanna
loginShell: /bin/bash
homeDirectory: /home/rhanna
# Days since 1970-01-01 of the last password change
shadowLastChange: 10877
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
cn: ramez hanna
givenName: ramez
sn: hanna
mail: me@domain.com
title: CEO
streetAddress: somewhere
l: cairo
postalCode: huh
telephoneNumber: 54545454
homePhone: 454545454
mobile: 555555555
facsimileTelephoneNumber: 555555

TODO:

  • Secure the server using SSL
  • More on the ACLs
  • Figure out how to create {crypt} passwords
  • Let other web apps that don't use PAM authenticate against this server

References:

Comments


Contribution

LDAP stands for Lightweight Directory Access Protocol.


Thanks

This is a wiki page; you could contribute directly through the edit tab at the top of the document.

So you can place them (your contribution) at the suitable place in the document.

Diaa Radwan


Confused

So, Ramez can structure it well.
