LDAP

Revision as of 23:45, 31 August 2010

Hosts should be to use LDAP for users and some other stuff.

Things are moving to NIS... very, very slowly...

setup LDAP client on new machine

• run /home/wikipedia/bin/setup-ldap
• copy zwinger:/etc/ldap.conf to the new machine

LDAP server is on srv1 (master) and srv2 (slave). failover should be automatic. to add new users, add them on srv1, then run ldapsync. srv2 will update automatically.

Overload

If the local caching daemon nscd dies on clients, the server can get badly overloaded and logins can fail.

If necessary restart it sitewide. :P

Server logging

slapd's logging stuff goes to a channel on syslog that's not logged by default. On a new server, you may have to manually edit syslog.conf and add something for local4.*

Then set an appropriate loglevel in /etc/openldap/slapd.conf

LDAP take 2

Installing/Configuring the server manually

Install required packages

apt-get install openjdk-6-jre openjdk-6-jdk ldap-utils

Initial installation

Create a Basic Directory Information Tree (DIT)

Top level structure

Object classes and attributes for objects

Users

Objectclasses:

• top
• person
• inetorgperson
• posixaccount
• shadowaccount

Attributes:

• Required:
  • sn
  • cn
  • uid
  • uidnumber
  • gidnumber
  • homedirectory
• Optional:
  • userpassword
  • loginshell
  • description

Groups

Objectclasses:

• top
• posixgroup

Attributes:

• Required:
  • cn
  • gidnumber
• Optional:
  • description

Netgroups

Objectclasses:

• top
• nisnetgroup

Attributes:

• Required:
  • cn
• Optional:
  • membernisnetgroup
  • nisnetgrouptriple
  • description

In practice, every entry should either have membernisnetgroup or nisnetgrouptriple.

NisMap entries (automount)

Objectclasses:

• top
• nismap

Attributes:

• Required:
  • nismapname
• Optional:
  • description

NisObject entries (automount)

• Required:
  • cn
  • nismapentry
  • nismapname
• Optional:
  • description

Sudo entries

Objectclasses:

• top
• sudorole

Attributes:

• Required:
  • cn
• Optional:
  • sudouser
  • sudohost
  • sudocommand
  • sudorunas
  • sudorunasuser
  • sudorunasgroup
  • sudooption
  • description

In practice, most entries will define sudouser, sudohost, and sudocommand. cn=defaults,ou=sudoers should be added with sudooption attributes that should apply globally (like mailto address, etc.).

Security groups

Objectclasses:

• top
• groupofnames

Attributes:

• Required:
  • cn
  • member
• optional
  • description

Hosts

Objectclasses:

• top
• iphost

Attributes:

• Required:
  • cn
  • iphostnumber
• Optional:
  • description

Add a proxy agent

Add the sudoers schema

Enable replication

Install/configure phpldapadmin

Installing/Configuring the client manually

Install required packages

apt-get install ldap-utils sudo-ldap libpam-ldap libnss-ldap nss-updatedb libnss-db autofs5 autofs5-ldap nscd

Install the server certificate's CA

1. Install to /etc/ssl/certs/ldapca.crt
2. Run:

pushd /etc/ssl/certs
ln -s ldapca.crt $(openssl x509 -hash -noout -in ldapca.crt).0
popd

Configure openldap's ldap.conf

Add the following options to /etc/ldap/ldap.conf:

BASE            <basedn>
URI             ldap://<servername>:389
TLS_CRLCHECK    require
TLS_CACERTDIR   /etc/ssl/certs
TLS_CACERT      /etc/ssl/certs/ldapca.crt

• Note: TLS_CACERTDIR is likely ignored, since gnutls doesn't support the directive, but for future compatibility, it should be defined.
• Note: Though we define the URI as ldap/389, we should always use encryption, so all clients should use StartTLS

Configure libnss's ldap.conf

Configure nss

Configure pam

Configure autofs

Configure sudo