Lightweight Directory Access Protocol, or LDAP, is a high-level application protocol for managing directory services in a hierarchical manner. Its most common use is to manage domain-related information, such as an email directory or user information. In my case, I will use the Unix-related structures for managing users and their system access to my services. The same user name and login will be used for Subsonic, Owncloud, COPS (e-book server), SSH/SFTP logins, etc.
To start installing the OpenLDAP server, you can use two guides over at Ubuntu, here and here. The second link actually corrects a few things in the first guide, but most of it is unnecessary for an initial LDAP server.
First off, install the packages.
sudo apt-get install slapd ldap-utils
In my case, my host is already joined to a domain, so I didn't need the next step, but just to make sure, reconfigure slapd to add the LDAP domain and reset the password.
sudo dpkg-reconfigure slapd
That's pretty much all you need to get running. The latest builds of Ubuntu handle the inclusion of the various basic schemas, but to verify your LDAP server is up and running, run the following.
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
Initially this command should list 10-15 entries, and it is a good first check.
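As an added example that is not part of the original post, the following shell script checks an LDIF dump such as the output of the ldapsearch command above: it counts the entries, lists the loaded schemas and the database suffixes, and fails when fewer than the expected number of entries are present or the core schema is missing. The LDIF embedded at the bottom is a constructed sample resembling a fresh Ubuntu slapd configuration (with the hypothetical dc=domain,dc=com suffix used in this post); in practice you would save the real output with sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config > config.ldif and pass that file to the functions.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check an LDIF dump
# produced by "ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config".
# Every function takes the path of an LDIF file as $1.

# Number of entries in the dump; each entry begins with a "dn:" line.
# "|| true" keeps a zero count from aborting a script run under "set -e".
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

# Names of the schemas loaded under cn=schema,cn=config (core, cosine, ...).
ldif_schemas() {
    sed -n 's/^dn: cn={[0-9]*}\([A-Za-z0-9]*\),cn=schema,cn=config$/\1/p' "$1"
}

# Suffixes served by the configured databases (olcSuffix attribute).
ldif_suffixes() {
    sed -n 's/^olcSuffix: //p' "$1"
}

# Succeeds when the dump has at least $2 entries and the core schema is loaded.
ldif_check() {
    count=$(ldif_entry_count "$1")
    [ "$count" -ge "$2" ] || return 1
    ldif_schemas "$1" | grep -qx core || return 1
    return 0
}

# Constructed sample resembling a fresh Ubuntu slapd cn=config tree
# (hypothetical dc=domain,dc=com suffix, as in the post).
SAMPLE_LDIF=$(mktemp)
trap 'rm -f "$SAMPLE_LDIF"' EXIT
cat > "$SAMPLE_LDIF" <<'EOF'
# extended LDIF
dn: cn=config
objectClass: olcGlobal

dn: cn=module{0},cn=config
objectClass: olcModuleList

dn: cn=schema,cn=config
objectClass: olcSchemaConfig

dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig

dn: cn={1}cosine,cn=schema,cn=config
objectClass: olcSchemaConfig

dn: cn={2}nis,cn=schema,cn=config
objectClass: olcSchemaConfig

dn: cn={3}inetorgperson,cn=schema,cn=config
objectClass: olcSchemaConfig

dn: olcBackend={0}hdb,cn=config
objectClass: olcBackendConfig

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig

dn: olcDatabase={1}hdb,cn=config
objectClass: olcHdbConfig
olcSuffix: dc=domain,dc=com
EOF

echo "entries:  $(ldif_entry_count "$SAMPLE_LDIF")"
echo "schemas:  $(ldif_schemas "$SAMPLE_LDIF" | tr '\n' ' ')"
echo "suffixes: $(ldif_suffixes "$SAMPLE_LDIF" | tr '\n' ' ')"
if ldif_check "$SAMPLE_LDIF" 10; then
    echo "slapd config looks complete"
else
    echo "slapd config looks incomplete"
fi
```

The entry count is the quick check the post describes; the schema list is the more useful one, since a missing cosine, nis or inetorgperson schema is what later breaks the Unix-style user entries LAM creates.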
User Configuration
A great utility for managing users and settings is a web app called LAM, or ldap-account-manager. There is another great write-up on using LAM with Nginx here.
Install the necessary packages
sudo apt-get install php5-fpm php5 php5-ldap php-apc php5-gd php-fpdf ldap-account-manager
Normally php5-fpm is configured to listen on 127.0.0.1 port 9000. We're going to change this to a Unix socket, just to clean up the ports a bit and potentially increase performance under load. In general it won't help much, but it theoretically removes some of the TCP overhead.
sudo vi /etc/php5/fpm/pool.d/www.conf
Look for
listen = 127.0.0.1:9000
Change to
listen = /var/run/php5-fpm.sock
Restart the service
sudo service php5-fpm restart
Add the following section to /etc/nginx/sites-enabled/default to create a location for the account manager and point it to the main launch page.
location /ldap-account-manager {
    alias /usr/share/ldap-account-manager;
    index index.html index.php;
}
Add the following section to /etc/nginx/sites-enabled/default to point Nginx to the LAM directory and the PHP Unix socket, and tweak a couple of fastcgi parameters.
location ~ ^/ldap-account-manager/.*\.php$ {
    root /usr/share;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    include /etc/nginx/fastcgi_params;
}
Restart Nginx
sudo service nginx restart
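Once php5-fpm listens on a Unix socket, the socket's owner, group and mode decide whether the Nginx worker (www-data on Ubuntu) can reach it at all, and whether any other local user can too. The script below is an added example, not part of the original post or of php-fpm itself: it reads the listen directives from a pool file and flags a pool that still uses TCP or that leaves the socket accessible to everyone. The three pool files are constructed here for the demo; point the functions at /etc/php5/fpm/pool.d/www.conf to check the real one.

```shell
#!/bin/sh
# Added example, not from the original post: lint the listen settings of a
# php-fpm pool file. Each function takes the path of a pool file as $1.

# Print the value of a pool directive ("key = value"); the first match wins,
# and lines commented out with ';' are skipped because they do not start with $2.
pool_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeeds when the pool listens on a Unix socket (an absolute path) rather
# than on a TCP address such as 127.0.0.1:9000.
pool_listens_on_socket() {
    case "$(pool_value "$1" listen)" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Succeeds when a socket pool sets an owner and a group and does not grant
# "other" any permission bit (php-fpm's default listen.mode is 0660).
pool_socket_perms_ok() {
    pool_listens_on_socket "$1" || return 1
    [ -n "$(pool_value "$1" listen.owner)" ] || return 1
    [ -n "$(pool_value "$1" listen.group)" ] || return 1
    mode=$(pool_value "$1" listen.mode)
    case "${mode:-0660}" in
        *[1-7]) return 1 ;;   # e.g. 0666: any local user could talk to php-fpm
    esac
    return 0
}

# Constructed sample pool files for the demo.
POOL_TCP=$(mktemp); POOL_SOCKET=$(mktemp); POOL_OPEN=$(mktemp)
trap 'rm -f "$POOL_TCP" "$POOL_SOCKET" "$POOL_OPEN"' EXIT

# Stock configuration before the change described in the post.
cat > "$POOL_TCP" <<'EOF'
[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000
EOF

# Socket configuration restricted to the Nginx worker user.
cat > "$POOL_SOCKET" <<'EOF'
[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
;listen = 127.0.0.1:9000
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
EOF

# Socket configuration that is accessible to every local user.
cat > "$POOL_OPEN" <<'EOF'
[www]
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
EOF

for f in "$POOL_TCP" "$POOL_SOCKET" "$POOL_OPEN"; do
    if pool_socket_perms_ok "$f"; then
        echo "$f: listen=$(pool_value "$f" listen) OK"
    else
        echo "$f: listen=$(pool_value "$f" listen) needs attention"
    fi
done
```

If the real pool fails the permission check, the usual symptom is a 502 from Nginx with a "permission denied" on the socket in the error log; the fix is to set listen.owner and listen.group to the Nginx worker user rather than loosening listen.mode.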
You should now be able to browse to LAM at https://www.domain.com/ldap-account-manager. At this point, I refer you to the ducky-pond.com post for how to initially set up LAM.
Client Access
First, set up the client configuration file used by LDAP client applications.
sudo vi /etc/ldap.conf
Make sure the domain is properly specified
base dc=domain,dc=com
and the URI is correct
uri ldap://127.0.0.1:389
I refer you to this thread for the instructions I used to set up local and SSH logins for your users. This will automatically create their home directories if they do not exist. There is a correction by a later contributor, which I have included in my quick setup below.
First install the packages
sudo apt-get install ldap-utils libpam-ldap libnss-ldap nslcd
Next edit /etc/nsswitch.conf and change the lines for passwd, group, and shadow
passwd: compat ldap
group:  compat ldap
shadow: compat ldap
Edit /etc/pam.d/lightdm and add
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Edit /etc/pam.d/common-session and add
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Apply changes
sudo update-rc.d nslcd enable
Configure lightdm to allow the user to type a username at login
sudo /usr/lib/lightdm/lightdm-set-defaults -m true
And reboot. If the user logs in locally or via SSH, her home directory will be created automatically.
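The client steps above touch three files: /etc/ldap.conf, /etc/nsswitch.conf and the PAM session files. As an added example that is not from the original post or the thread it cites, here is a small checker for each of them, run here against constructed sample files so it works offline; pass the real paths to check a host. It also treats the plaintext ldap:// URI as acceptable only on the loopback address used in the post, because the same URI pointed at another host would carry bind credentials and directory data unencrypted.

```shell
#!/bin/sh
# Added example, not from the original post: check the client-side files the
# LDAP login setup edits. Each check takes the path of a file, so it can run
# against the constructed samples below or against the real /etc files.

# nsswitch.conf: the passwd, group and shadow databases must all list ldap.
nss_uses_ldap() {
    for db in passwd group shadow; do
        grep -Eq "^$db[[:space:]]*:.*[[:space:]]ldap([[:space:]]|\$)" "$1" || return 1
    done
    return 0
}

# PAM file: a session line loading pam_mkhomedir.so creates home dirs on first login.
pam_has_mkhomedir() {
    grep -Eq '^session[[:space:]]+(required|optional)[[:space:]]+pam_mkhomedir\.so' "$1"
}

# /etc/ldap.conf uses "key value" lines; print the first value for a key.
ldap_conf_value() {
    sed -n "s/^$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# A plaintext ldap:// URI is acceptable only on the loopback interface, as in
# the post; over the network, require ldaps:// (TLS) or a local ldapi:// socket.
ldap_uri_is_safe() {
    case "$1" in
        ldaps://*|ldapi://*)                 return 0 ;;
        ldap://127.0.0.1*|ldap://localhost*) return 0 ;;
        *)                                   return 1 ;;
    esac
}

# Succeeds when base and uri are both set and the uri passes ldap_uri_is_safe.
ldap_conf_check() {
    base=$(ldap_conf_value "$1" base)
    uri=$(ldap_conf_value "$1" uri)
    [ -n "$base" ] && [ -n "$uri" ] || return 1
    ldap_uri_is_safe "$uri"
}

# Constructed samples mirroring the post's settings (hypothetical dc=domain,dc=com).
NSS_GOOD=$(mktemp); NSS_BAD=$(mktemp); PAM_SAMPLE=$(mktemp); LDAP_CONF=$(mktemp)
trap 'rm -f "$NSS_GOOD" "$NSS_BAD" "$PAM_SAMPLE" "$LDAP_CONF"' EXIT

printf 'passwd: compat ldap\ngroup:  compat ldap\nshadow: compat ldap\nhosts:  files dns\n' > "$NSS_GOOD"
# shadow left on "compat" only: password checks for LDAP users would fail.
printf 'passwd: compat ldap\ngroup:  compat ldap\nshadow: compat\n' > "$NSS_BAD"
printf 'session required pam_unix.so\nsession required pam_mkhomedir.so skel=/etc/skel umask=0022\n' > "$PAM_SAMPLE"
printf 'base dc=domain,dc=com\nuri ldap://127.0.0.1:389\nldap_version 3\n' > "$LDAP_CONF"

for f in "$NSS_GOOD" "$NSS_BAD"; do
    if nss_uses_ldap "$f"; then echo "$f: nsswitch OK"; else echo "$f: nsswitch missing ldap"; fi
done
if pam_has_mkhomedir "$PAM_SAMPLE"; then echo "PAM: pam_mkhomedir present"; fi
if ldap_conf_check "$LDAP_CONF"; then echo "ldap.conf: base and uri OK"; fi
```

Running the nsswitch check against the real file after the edit catches the most common mistake in this procedure, which is updating passwd and group but forgetting shadow, so that getent passwd shows the LDAP user yet logins still fail.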