Some sources of information or used applications:
Some abbreviation which are important to comprehend LDAP.
| Abbr | Description | Context |
|---|---|---|
| ACI | Access Control Instruction | A set of rules that define permissions for accessing directory entries. |
| ACL | Access Control List | A list defining permissions for users and groups to access LDAP directory entries. |
| BER | Basic Encoding Rules | Encoding rules used in LDAP for encoding data for transmission |
| BIND | Bind Operation | An operation in LDAP to authenticate a user to the directory. |
| CN | Common Name | Attribute used to refer to the name of an object, typically used in DNs |
| DAP | Directory Access Protocol | Protocol used to access X.500 directory services |
| DC | Domain Component | A component used in a DN to represent parts of a domain name. |
| DIT | Directory Information Tree | The hierarchical structure of entries in an LDAP directory. |
| DN | Distinguished Name | The unique name that identifies an entry in the LDAP directory. |
| DSA | Directory System Agent | The server component that provides access to the directory information |
| DSE | DSA-Specific Entry | Special entry at the root of the DIT containing operational attributes about the DSA |
| LDAP | Lightweight Directory Access Protocol | Protocol used for accessing and maintaining distributed directory information services over a network |
| LDIF | LDAP Data Interchange Format | A standard plain-text format for representing LDAP directory entries. |
| OID | Object Identifier | A globally unique identifier used to name objects in an LDAP directory. |
| OU | Organizational Unit | A type of attribute used to organize entries in a directory hierarchically. |
| PDU | Protocol Data Unit | A single unit of communication transmitted among peer entities of a network. |
| RDN | Relative Distinguished Name | The component of the DN that is unique to a single level of the directory. |
| SASL | Simple Authentication and Security Layer | A framework for authentication and data security in internet protocols. |
| SLDAP | Secure LDAP | LDAP over SSL/TLS to ensure secure transmission of data. |
| SSL | Secure Sockets Layer | Protocol for encrypting information sent over the network, often used with LDAP for secure communication |
| SSO | Single Sign-On | An authentication process that allows a user to access multiple applications with one set of login credentials. |
| TLS | Transport Layer Security | A cryptographic protocol designed to provide secure communication over a computer network. |
| UID | User Identifier | An attribute representing the unique identifier of a user. |
| URI | Uniform Resource Identifier | A string of characters used to identify a resource, often used in LDAP URLs. |
Install the needed packages.
apt install slapd ldap-utils ldapvi
Where ldapvi is an editor using ldapsearch results to modify and update it to the LDAP/SLAPD.
(Re-)configure slapd.
dpkg-reconfigure slapd
Set up the initial configuration where the DN is configured and the admin password set.
For in this example DN is scanframe.com is the organisation name is scanframe.
To check the configuration execute the ldapsearch command.
At the LDAP server host option switch -H ldap://canberra can be omitted or be ldap:/// or ldap://localhost/.
The option -LLL removes all the comments from the response and can also be omitted.
Option -b determines the search base.
ldapsearch -x -b dc=scanframe,dc=com
ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=scanframe,dc=com
ldapsearch -x -H ldap://canberra:389 -b dc=scanframe,dc=com
Authentication option -D <binddn> is the Distinguished Name (binddn) to bind to the LDAP directory.
ldapsearch -x -W -D cn=admin,dc=scanframe,dc=com -b dc=scanframe,dc=com dc
ldapsearch -W -H ldap://canberra:389 -D cn=admin,dc=scanframe,dc=com -b dc=scanframe,dc=com dc
Query the Directory Information Tree (DIT) where the search base is cn=config which is
only accessible using the next command using SASL/EXTERNAL authentication on the LDAP host.
Show content of 'cn=config' by using a filter.
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config cn=config
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config
Who am I?
ldapwhoami -Q -Y EXTERNAL -H ldapi:///
Authenticated and also remote to modify the DIT.
ldapwhoami -W -H ldap://canberra:389 -D cn=admin,dc=scanframe,dc=com
Enabled logging by setting the log-level 256 + 512 + 2048 (= 2816 16384).
ldapmodify -Y EXTERNAL -H ldapi:/// -f /dev/stdin <<'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: 19200
EOF
This is the password initially asked when configuring the openldap package and is designated by DN cn=admin,dc=scanframe,dc=com .
Get the current password hash using the next command retrieving olcRootPw and olcRootDn attributes from
object class olcDatabaseConfig in the database configuration.
ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config '(objectClass=olcDatabaseConfig)' olcRootPw olcRootDn
Modify by using ldapvi but first generate the password hash which is then copied and pasted in the editor.
slappasswd -s "new-password"
# Edit the database with ldapvi.
ldapvi -Y EXTERNAL -h ldapi:/// -b olcDatabase={1}mdb,cn=config '(objectClass=olcDatabaseConfig)' olcRootPw
Or use a single ldapmodify command where the password is generated on the fly.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /dev/stdin <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPw
olcRootPw: $(slappasswd -s "the-new-password")
EOF
For SSSD to work control 1.3.6.1.4.1.1466.20037 TLS start is needed even if the communication is
unsecure using ldap://my-ldap-host and ldaps://my-ldap-host.
Note: The number "1.3.6.1.4.1.1466.20037" refers to ASN1 description.
To check if it is installed is supported.
ldapsearch -LLL -x -b "" -s base "" supportedExtension
# Alternative listing all supported
ldapsearch -LLL -x -b "" -s base "" supportedFeatures supportedControl supportedExtension
It produces output like below and contains extension '1.3.6.1.4.1.1466.20037' when configured.
dn:
supportedExtension: `1.3.6.1.4.1.1466.20037`
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedExtension: 1.3.6.1.1.21.3
supportedExtension: 1.3.6.1.1.21.1
List the global configuration using the next command.
ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcGlobal)'
Note: This is actually the content of
/etc/ldap/slapd.d/cn=config.ldif.
The result is shown below as it should be when fully configured.
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: 19200
olcPidFile: /var/run/slapd/slapd.pid
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
olcTLSCertificateFile: /etc/ldap/ssl/ldap.crt
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key
olcTLSCACertificatePath: /etc/ldap/ssl
olcToolThreads: 1
For this the full-chain-file and the key-file is needed.
When installed check the validity with th next OpenSSL command.
openssl s_client -connect app.scanframe.com:636
Generate a private key.
openssl genrsa -out /etc/ldap/ssl/ldap.key 2048
Generate a certificate signing request (CSR):
openssl req -new -key /etc/ldap/ssl/ldap.key -out /etc/ldap/ssl/ldap.csr
Filled in the following.
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Flevoland
Locality Name (eg, city) []:Almere
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Scanframe BV
Organizational Unit Name (eg, section) []:Development
Common Name (e.g. server FQDN or YOUR name) []:app.scanframe.com
Email Address []:ldap@scanframe.com
Generate a self-signed certificate valid for 10 years (=3650 days).
openssl x509 -req -days 3650 -in /etc/ldap/ssl/ldap.csr -signkey /etc/ldap/ssl/ldap.key -out /etc/ldap/ssl/ldap.crt
The files need to be owned by the openldap system user and the private files
have permissions set to 600 which is the default for the openssl command.
chown openldap:openldap /etc/ldap/ssl/*
Set the LDAP slapd service configuration to the created files.
For some reason adding attributes
olcTLSCertificateKeyFileandolcTLSCertificateKeyFileis not possible (2024/06)
so edit the/etc/ldap/slapd.d/cn=config.ldifdirectly (even if it says not too in the top of the file).
Use theslaptest -uto test the configuration file. (does not test if file are present)
This is probably not working.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /dev/stdin <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap.key
EOF
Just edit file /etc/ldap/slapd.d/cn=config.ldif and add or modify the entries.
Use slaptest -u to test the file.
Restart the slapd service and check if it is running errorless.
To fix the CRC of the file use ldapvi to fiddle around with other values until its fixed.
Weird behavior happened when modifying the olcGlobal object through
ldapmodifylogging
was not possible anymore. After fiddling around withldapvi -h ldapi:/// -Y EXTERNAL -b cn=config '(objectClass=olcGlobal)')and restartingslapd
it was possible to login.
systemctl restart slapd
systemctl status slapd
On the service host, the listen ports are configured in file /etc/default/slapd.conf
using SLAPD_SERVICES with space separated entries.
| Value | Interface | Port | Secure |
|---|---|---|---|
ldapi:/// |
Unix Socket | n/a | n/a |
ldap:/// |
0.0.0.0 | 389 | Optional |
ldap://0.0.0.0:389/ |
0.0.0.0 | 389 | Optional |
ldaps:/// |
0.0.0.0 | 636 | Always |
ldaps://0.0.0.0:636/ |
0.0.0.0 | 636 | Always |
ldap://127.0.0.1/ |
localhost | 389 | Optional |
SLAPD_SERVICES = "ldapi:/// ldap://0.0.0.0:389/ ldaps://0.0.0.0:636/"
When a self-signed certificate is used for encryption a connection to the server is refused
set the environment variable LDAPTLS_REQCERT to never.
LDAPTLS_REQCERT=never \
ldapsearch -H ldaps://canberra -D cn=admin,dc=scanframe,dc=com -x -W \
-b dc=scanframe,dc=com -s one '(objectClass=*)' ou
This module allows checking if a user is member of a group (objectClass > groupOfNames).
This must be done before adding user to a group since the 'memberOf' field is maintained
by the LDAP server in the database when a user is added to a group (Object person or iNetOrgPerson).
To check it a user is member of a group use the following command.
ldapsearch -Y EXTERNAL -H ldapi:/// -b 'ou=users,dc=scanframe,dc=com' '(&(cn=test)(memberOf=cn=operators,dc=scanframe,dc=com))'
Query to check if the module is available use the following command(s).
ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcMemberOfConfig)' -u objectClass
Resulting output is when all overlay are installed:
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
ufn: {0}memberof, {1}mdb, config
objectClass: olcMemberOfConfig
objectClass: olcOverlayConfig
Add the module in the LDAP module list configuration.
ldapadd -Y EXTERNAL -H ldapi:/// -f /dev/stdin <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la
EOF
Configure the module for the database.
ldapadd -Y EXTERNAL -H ldapi:/// -f /dev/stdin <<EOF
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcOverlay: memberof
olcMemberOfDN: cn=admin,dc=scanframe,dc=com
EOF
Delete the just created entry when needed.
ldapadd -Y EXTERNAL -H ldapi:/// -f /dev/stdin <<EOF
dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
changetype: delete
EOF
This allows the creation of the pwdPolicy objects.
Add the module to the LDAP configuration.
ldapadd -Y EXTERNAL -H ldapi:/// -f /dev/stdin <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
EOF
The default DN cn=default,ou=policies,dc=scanframe,dc=com must still be created after this.
ldapadd -Y EXTERNAL -H ldapi:/// -f /dev/stdin <<EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=scanframe,dc=com
olcPPolicyHashCleartext: TRUE
EOF
Add the default policy to the DIT.
ldapmodify -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: cn=default,ou=policies,dc=scanframe,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
description: Default policy for module ppolicy.
EOF
List of additional policy fields:
pwdLockoutDuration: 0
pwdInHistory: 6
pwdCheckQuality: 2
pwdExpireWarning: 1000
pwdMaxAge: 30000
pwdMinLength: 4
pwdGraceAuthnLimit: 3
pwdAllowUserChange: FALSE
pwdMustChange: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdSafeModify: TRUE
pwdLockout: TRUE
Create organizational unit (ou) for access/bind to LDAP for service access purposes.
ldapadd -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: ou=services,dc=scanframe,dc=com
changetype: add
ou: services
description: Accounts to bind to LDAP for controlling services access
objectClass: organizationalUnit
objectClass: top
EOF
Modify the configuration to allow database access from the services accounts.
First check the content without the change.
ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config
ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess
Show current access configuration.
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config 'objectClass=olcDatabaseConfig' olcAccess
Result is initially as below.
0 olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
Where the attribute olcAccess being to * by * read makes anonymous users have read access to all.
This should as show next where information is not accessible anymore to anybody and the
user pam has read-only access to all. Allows services to access groups/roles.
0 olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.subtree="dc=scanframe,dc=com" by dn.exact="cn=pam,ou=services,dc=scanframe,dc=com" read by * none
Modify it using ldapvi on the host.
ldapvi -h ldapi:/// -Y EXTERNAL -b olcDatabase={1}mdb,cn=config '(objectClass=olcDatabaseConfig)' olcAccess
Just replace all attributes with a single ldapmodfy call.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /dev/stdin <<'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.subtree="dc=scanframe,dc=com" by dn.exact="cn=pam,ou=services,dc=scanframe,dc=com" read by * none
EOF
Create service user for Linux LDAP PAM module for example.
Get hashed password for the user using slappasswd.
slappasswd -s "your-pam-passwd"
ldapadd -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: cn=pam,ou=services,dc=scanframe,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: person
cn: pam
sn: Admin
description: Readonly bind account for PAM
userPassword: {SSHA}yShV1cd8myv8hM2pcV6KwwdwUecdvSdn
EOF
Validate service user and password.
# Local
ldapwhoami -W -H ldap:/// -D cn=pam,ou=services,dc=scanframe,dc=com
# Remote
ldapwhoami -W -H ldap://canberra:389 -D cn=pam,ou=services,dc=scanframe,dc=com
Add organizational unit named groups.
ldapadd -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: ou=groups,dc=scanframe,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups
description: Roles to assign users to
EOF
Add organizational unit named users.
ldapadd -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: ou=users,dc=scanframe,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users
description: All available users
EOF
Modify organizational unit name.
ldapmodify -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: ou=groups,dc=scanframe,dc=com
changetype: moddn
newrdn: ou=roles
deleteoldrdn: 1
newsuperior: dc=scanframe,dc=com
EOF
Add an administrators users role.
ldapadd -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: cn=administrators,ou=roles,dc=scanframe,dc=com
changetype: add
uniqueMember:
cn: administrators
objectClass: groupOfUniqueNames
objectClass: top
description: Administrator users role
EOF
The attribute userPassword is generated using slappasswd command.
ldapmodify -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: cn=user,ou=users,dc=scanframe,dc=com
changetype: add
uid: user
mail: user@scanframe.com
cn: user
sn: User of Users
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
userPassword: {SSHA}VRYzu+X7FpzWj1VazPUHqLW5AYO77kQk0i+OXQ==
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/user
EOF
Delete users test entry.
ldapmodify -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: cn=test,ou=users,dc=scanframe,dc=com
changetype: delete
EOF
Add givenName attribute to a users entry.
ldapmodify -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: cn=user,ou=users,dc=scanframe,dc=com
changetype: modify
add: givenName
givenName: User
EOF
Add loginShell attribute to a users entry.
ldapmodify -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: cn=user,ou=users,dc=scanframe,dc=com
changetype: modify
add: loginShell
loginShell: /bin/bash
EOF
Add user as member to a role.
ldapmodify -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: cn=administrators,ou=roles,dc=scanframe,dc=com
changetype: modify
delete: uniqueMember
uniqueMember:
-
add: uniqueMember
uniqueMember: cn=user,ou=users,dc=scanframe,dc=com
EOF
Remove user entry as member to a role.
ldapmodify -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: cn=administrators,ou=roles,dc=scanframe,dc=com
changetype: modify
delete: uniqueMember
uniqueMember: cn=user,ou=users,dc=scanframe,dc=com
-
EOF
ldapmodify -x -W -D cn=admin,dc=scanframe,dc=com -f /dev/stdin <<EOF
dn: uid=user,ou=users,dc=scanframe,dc=com
changetype: add
cn: user
objectClass: inetOrgPerson
sn: of USers
givenName: User
displayName: User of Users
gecos: User of Users
mail: user@scanframe.nl
userPassword: xs4me!
objectClass: posixAccount
uid: 10000
gid: 10000
loginShell: /bin/bash
EOF
| Object Class | Description | Attributes (Examples) |
|---|---|---|
| top | Base class for all objects | objectClass, cn (Common Name) |
| inetOrgPerson | Represents a person | sn (Surname), givenName (Given Name), mail (Email Address) |
| organizationalUnit | Represents an organizational unit | ou (Organizational Unit), description |
| groupOfNames | Represents a group of other LDAP entries | cn (Common Name), member (Member DNs) |
| posixAccount | Represents a Unix account | uidNumber (User ID), gidNumber (Group ID), homeDirectory, loginShell |
| device | Represents a network device (printer, server) | cn (Common Name), description, host (Hostname) |
| domain | Represents a network domain | dc (Domain Component) |
| pwdPolicy | Defining a password policy in effect for a set of users | cn (Common Name), pwdAttribute |
Note: This table only includes a small selection of common object classes.
The available object classes and their attributes will vary depending on your specific LDAP server
implementation. Refer to the official OpenLDAP documentation (https://openldap.org/doc/)
for a more comprehensive list.
The used structure of the DIT is as follows having 3 organisational units users, services and roles.
Where the services entry is used to configure accounts for non-anonymous LDAP server access.
Root DSE
└─ dc=scanframe,dc=com (dc:organization,dcObject)
├─ policies (ou:organizationalUnit)
│ └─ default (cn:device,pwdPolicy)
├─ roles (ou:organizationalUnit)
│ ├─ administrators (cn:groupOfNames)
│ ├─ developers (cn:groupOfNames)
│ ├─ operators (cn:groupOfNames)
├─ services (ou:organizationalUnit)
│ └─ pam (cn:person,inetOrgPerson)
├─ systems (ou:organizationalUnit)
│ └─ workstations (cn:groupOfNames)
│ ├─ system-groups (cn:groupOfUniqueNames)
│ │ ├─ cdrom (cn:posixGroup)
│ │ ├─ lpadmin (cn:posixGroup)
│ │ ├─ operator (cn:posixGroup)
│ │ └─ sudo (cn:posixGroup)
│ └─ user-groups (cn:groupOfUniqueNames)
│ ├─ user (cn:posixGroup)
| └─ test (cn:posixGroup)
└─ users (ou:organizationalUnit)
├─ test (cn:person,inetOrgPerson,posixAccount)
└─ user (cn:person,inetOrgPerson,posixAccount)
Note: The
nslcdpackage does not support dynamic group assignments.
So only a fixed set groups can be added using a fixed LDAP DN.
Install the needed packages nslcd and nscd.
apt install nslcd nscd
During the installation configuration questions are asked:
Name services to configure:
[*] passwd
[*] group
[*] shadow
[ ] hosts
[ ] networks
[ ] ethers
[ ] protocols
[ ] services
[ ] rpc
[*] netgroup
[ ] aliases
Optional packages to allow e.g. command-line LDAP queries.
apt install nslcd-utils ldap-utils
Add ldap to lines in file /etc/nsswitch.conf.
For the Ubuntu OS-es this could look like this:
passwd: files ldap systemd
group: files ldap systemd
shadow: files ldap
For other OS-es it maybe look like this:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
Add procedure to for PAM to create home directories for new users by
adding a file /etc/pam.d/mkhomedir containing the following content
which creates a home directory according the skeleton directory /etc/skel
using the correct permissions.
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Include this file in the files /etc/pam.d/common-session,
/etc/pam.d/common-session-noninteractive and /etc/pam.d/runuser.
pushd /etc/pam.d && \
for f in "common-session" "common-session-noninteractive" "runuser" ; do \
echo "@include mkhomedir" >> "${f}" ; done ; popd
Note: Failure to do this correctly can result in a system not allowing to log in at all.
Only this left then is to use a rescue disk.
For fast access testing use the sshpass and ssh commands to report
the groups the account is part of:
sshpass -p the-password ssh the-account@localhost id
To allow users access to the workstation modify the /etc/nlscd.conf file accordingly.
Note: After each modification of the file restart service
nslcd.
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# Cache limit in seconds.
timelimit 10
bind_timelimit 10
# The location at which the LDAP server(s) should be reachable.
uri ldap://canberra.fritz.box/
# The search base that will be used for all queries.
base ou=users,dc=scanframe,dc=com
# The LDAP protocol version to use.
ldap_version 3
# The DN to bind with for normal lookups.
binddn cn=pam,ou=services,dc=scanframe,dc=com
bindpw the-pam-password
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=scanframe,dc=com
# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
scope sub
# Search base for user entries
base passwd ou=users,dc=scanframe,dc=com
#map passwd uid uid
#map passwd homeDirectory HomeDirectory
# Filter for user entries who are members of a specific group
filter passwd (&(objectClass=person)(objectClass=posixAccount)(uidNumber>=10000)(uidNumber<=19999)(memberOf=*)(employeeType=active))
# Ignore user with UID less then... (also already dealt with in the filter query)
nss_min_uid 10000
# Search base for groups
base group ou=roles,dc=scanframe,dc=com
# Filter for groups
filter group (objectClass=posixGroup)
The base passwd field tells where the accounts are located in the DIT.
Where password filter checks if the account has been allowed access.
Install the needed packages sssd-ldap.
apt install sssd-ldap ldap-utils
??? apt install sssd sssd-tools libnss-sss libpam-sss adcli ldap-utils
Optional packages to allow e.g. command-line LDAP queries.
apt install ldap-utils
Optionally, create on the home directory when it does not exist.
pam-auth-update --enable mkhomedir
Edit the configuration file /etc/sssd.conf for this.
List of useful expressions which are able to be substituted for only directory entries in the configuration.
| Expression | Description |
|---|---|
%u |
Username of the user being authenticated (login name) |
%U |
UID number of the user |
%d |
Domain name |
%g |
Group name |
%f |
fully qualified user name (user@domain) |
%l |
The first letter of the login name. |
%G |
GID number of the group |
%P |
UPN - User Principal Name (name@REALM)(useful in Kerberos) |
%p |
Primary group name of the user |
%h |
Home directory of the user |
%H |
The value of configure option homedir_substring. |
%% |
A literal '%' |
%o |
The original home directory retrieved from the identity provider. |
[sssd]
config_file_version = 2
domains = LDAP
[pam]
offline_credentials_expiration = 4
[domain/LDAP]
debug_level = 7
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://canberra.fritz.box
ldap_search_base = dc=scanframe,dc=com
;override_homedir = /home/%u
fallback_homedir = /home/anyhome
;ldap_schema = rfc2307bis
ldap_schema = rfc2307
# Cache credentials and 'False' for now.
cache_credentials = false
# Enable enumeration (optional, but useful for testing)
enumerate = true
# Specific settings that might be relevant
ldap_account_expire_policy = shadow
# SSL/TLS settings
ldap_tls_reqcert = never
ldap_id_use_start_tls = false
ldap_tls_cacertdir = /etc/ssl/certs
# Bind credentials
ldap_default_bind_dn = cn=admin,dc=scanframe,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = admin
# User attribute mapping
ldap_user_search_base = ou=users,dc=scanframe,dc=com
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_fullname = cn
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = gecos
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_user_member_of = memberOf
# Group attribute mapping
ldap_group_search_base = cn=workstation,ou=roles,dc=scanframe,dc=com
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = memberUid
# Determine workstation access of users by group membership.
access_provider = ldap
ldap_access_filter = (&(memberOf=cn=workstation,ou=roles,dc=scanframe,dc=com)(uidNumber>=10000)(uidNumber<=19999)(employeeType=active))
;ldap_access_order = filter, host, authorized_service
ldap_sudo_use_host_filter = false