In this video we are going to install and configure the OpenLDAP server on the Raspberry Pi. The RPi in many ways makes a great OpenLDAP server where the demands on the directory are not massive. I am using the Model B with 512MB RAM and that is sufficient for a small to medium directory; this can power your authentication and directory needs.
Pre-Install Configuration
On Raspbian a little auto-configuration happens during the installation of OpenLDAP. A local directory is created with the base DN derived from the domain name of the host. For this reason we should configure the 127.0.1.1 entry in the /etc/hosts file with the host and domain name that we would like the LDAP server to host. For example, if we would like to create a directory for dc=tup,dc=com, then we would ensure the entry in the hosts file was similar to the following:
Local Host File
127.0.1.1 raspberrypi.tup.com raspberrypi
This only needs to be in place for the installation and, if required, it can be reverted once the installation has completed. Check the line before installing: if the domain is wrong at that point, the base DN will be wrong too, and you would have to reconfigure slapd (dpkg-reconfigure slapd) rather than simply edit a file.
Installing OpenLDAP
The install is simple and we should be used to the apt utility, where we update the package metadata before the install:
sudo apt-get update && sudo apt-get install -y slapd ldap-utils
We install both the LDAP server, slapd, and the required command line tools, ldap-utils. At the end of the installation we will be prompted for the administrator password for the OpenLDAP server; in my case the administrator account will be cn=admin,dc=tup,dc=com. The password can be anything, but keep it strong and separate from the root user's password: it is stored as a hash in the server configuration (olcRootPW), and anyone holding it has full write access to the directory.
The configuration of OpenLDAP is stored in the directory itself, under cn=config. By default it can only be accessed by root, connecting over the local Unix socket with SASL EXTERNAL authentication (the server trusts the uid/gid of the connecting process), using the command:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
Explained:
◉ -Q SASL quiet mode: do not print the SASL negotiation details
◉ -LLL Output in LDIF format, ignore comments and ignore version
◉ -Y EXTERNAL SASL authentication method; identity is taken from the local socket credentials
◉ -H ldapi:/// URI to connect to: the local Unix domain socket rather than a TCP port
◉ -b is the LDAP base to search. cn=config is the configuration database and we list its subtree
◉ dn Request only the dn attribute, so the output lists just the distinguished names of the entries
Next we can use similar syntax to connect to the actual tup directory. With this we can run ldapsearch as a normal user, as we authenticate to the directory rather than relying on the root account. For this search we can additionally run without any credentials, because Debian's default access rules allow anonymous reads of the directory (with the exception of the userPassword attribute):
ldapsearch -x -LLL -H ldap:/// -b dc=tup,dc=com
The -x selects simple authentication, and with no -D bind DN this is an anonymous bind. The access method is now ldap:// to the localhost rather than ldapi. The base DN that we search is the top container, and currently the only container in the directory, dc=tup,dc=com. Bear in mind that the same anonymous read works from any host that can reach port 389, so if the directory holds anything you consider sensitive, tighten the olcAccess rules before exposing the server on the network.
Adding Users and Groups
The final part of this lesson is to create OUs, Organizational Units, for users and groups, with the usual names ou=people and ou=groups. To add entries to the directory we use an LDIF file and ldapadd. The LDIF file has to be created, and here I use a file I have named structure.ldif. Note that LDIF entries must be separated by a blank line; without it ldapadd rejects the file.
structure.ldif
dn: ou=people,dc=tup,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=tup,dc=com
objectClass: organizationalUnit
ou: groups
We then need to import this using the admin name and password entered when we installed OpenLDAP; of course, we cannot use the anonymous account we used for the search. The option -x selects a simple bind (without it ldapadd attempts SASL and ignores -D), -D gives the bind DN, and -W will prompt for the password:
ldapadd -x -W -D cn=admin,dc=tup,dc=com -H ldap:/// -f structure.ldif
A simple bind sends the admin password in the clear, which is acceptable here only because ldap:/// connects to the local host. Do not run this form against a remote server over plain ldap://; use ldaps:// or StartTLS (-ZZ) instead.
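As an added example, not code from the original post, the script below ties the steps above together as checks you can run before touching the server: it derives the base DN the Debian installer will pick from the 127.0.1.1 line of a hosts file, generates a correctly separated structure.ldif for any list of OUs, and refuses to print an ldapadd command line whose bind URI would carry the admin password in the clear. The hosts file content is constructed for the example and written to a temporary file; the function names are my own and nothing here calls slapd.

```shell
#!/bin/sh
# Pre-flight helpers for the OpenLDAP setup described above (example code).

# tup.com -> dc=tup,dc=com : the base DN Debian's slapd install derives from the domain.
basedn_from_domain() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# First hostname on the 127.0.1.1 line of a hosts file, e.g. raspberrypi.tup.com
hosts_fqdn() {
    awk '$1 == "127.0.1.1" { print $2; exit }' "$1"
}

# raspberrypi.tup.com -> tup.com
domain_of() {
    printf '%s' "${1#*.}"
}

# Emit organizationalUnit entries under a base DN, one blank line between
# entries as LDIF requires.  Usage: ou_ldif dc=tup,dc=com people groups
ou_ldif() {
    base=$1
    shift
    first=1
    for ou in "$@"; do
        [ "$first" -eq 1 ] || printf '\n'
        first=0
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n' "$ou" "$base" "$ou"
    done
}

# A simple bind (-x -W) sends the password in clear text.  Only allow it over
# the local socket, an empty-host ldap:/// (localhost), a loopback address, or TLS.
bind_uri_is_safe() {
    case "$1" in
        ldapi:///*|ldap:///*|ldap://localhost*|ldap://127.0.0.1*|ldaps://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ldapadd command to run, or fail if the URI is unsafe for a simple bind.
ldapadd_cmd() {
    uri=$1; base=$2; ldif=$3
    bind_uri_is_safe "$uri" || return 1
    printf 'ldapadd -x -W -D cn=admin,%s -H %s -f %s\n' "$base" "$uri" "$ldif"
}

# Constructed sample hosts file standing in for /etc/hosts on the Pi.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1 localhost
127.0.1.1 raspberrypi.tup.com raspberrypi
EOF

BASE=$(basedn_from_domain "$(domain_of "$(hosts_fqdn "$SAMPLE_HOSTS")")")
STRUCTURE_LDIF=$(mktemp)
ou_ldif "$BASE" people groups > "$STRUCTURE_LDIF"

echo "Base DN the installer will use: $BASE"
echo "Generated LDIF in $STRUCTURE_LDIF:"
cat "$STRUCTURE_LDIF"
ldapadd_cmd 'ldapi:///' "$BASE" "$STRUCTURE_LDIF"
ldapadd_cmd 'ldap://10.0.0.5/' "$BASE" "$STRUCTURE_LDIF" || echo "refused: plain ldap:// to a remote host"
```

Point hosts_fqdn at the real /etc/hosts to confirm the base DN before running apt-get; if the derived DN is not what you intend, fix the hosts line first, since changing it afterwards means reconfiguring slapd.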