Zentrale Benutzerverwaltung mit OpenLDAP und SSS: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 34: | Zeile 34: | ||
|} | |} | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
= OpenLDAP Manuelle Einrichtung (OLC)= | = OpenLDAP Manuelle Einrichtung (OLC)= | ||
[[OpenLDAP Manuelle Einrichtung (OLC)]] | [[OpenLDAP Manuelle Einrichtung (OLC)]] | ||
Version vom 2. April 2026, 04:46 Uhr
Installation
- passwort nach wahl festlegen
- apt update
- apt install slapd ldap-utils
- slapd
- OpenLDAP Standalone Server
- ldap-utils
- Utilities zum Zugriff auf den LDAP Server
Grundkonfiguration
OpenLDAP Configuration Dialogs (slapd)
The following table lists the exact English prompts encountered during dpkg-reconfigure slapd and the corresponding inputs for the it213.int environment.
| Debconf Question | Description | Recommended Input / Choice |
|---|---|---|
| Omit OpenLDAP server configuration? | Determines if the installer should skip creating a database. | No |
| DNS domain name: | Used to construct the base DN of the LDAP directory. | it213.int |
| Organization name: | The name of the organization to use in the base DN. | it213 |
| Administrator password: | The password for the admin entry (cn=admin). | 123Start$ |
| Confirm password: | Re-enter the password for verification. | 123Start$ |
| Database backend to use: | The storage engine for the LDAP database. | MDB |
| Do you want the database to be removed when slapd is purged? | Whether to delete the data if the package is completely removed. | No |
| Move old database? | If a database already exists, should it be moved aside? | Yes |
| Allow LDAPv2 protocol? | Support for the obsolete LDAP version 2. | No |
OpenLDAP Manuelle Einrichtung (OLC)
OpenLDAP Manuelle Einrichtung (OLC)
Konfiguration des Clients
ldap.conf
- cat /etc/ldap/ldap.conf
base dc=it213, dc=int uri ldap://ldap.it213.int ldap_version 3 rootbinddn cn=admin, dc=it213, dc=int pam_password md5
Passwort für den Adminzugang eintragen
- echo 123Start$ > /etc/ldap.secret
Kontrolle
Stimmt der base dn
- ldapsearch -x -LLL
dn: dc=it213,dc=int objectClass: top objectClass: dcObject objectClass: organization o: it213 dc: it213
Grundstruktur
Erstellen
- cat /root/struktur.ldif
dn: ou=users,dc=it213,dc=int objectClass: organizationalUnit ou: users dn: ou=groups,dc=it213,dc=int objectClass: organizationalUnit ou: groups dn: ou=hosts,dc=it213,dc=int objectClass: organizationalUnit ou: hosts
Anlegen
- ldapadd -xD cn=admin,dc=it213,dc=int -w 123Start$ -f struktur.ldif
adding new entry "ou=users,dc=it213,dc=int" adding new entry "ou=groups,dc=it213,dc=int" adding new entry "ou=hosts,dc=it213,dc=int"
Ldapscripts
Installation
- apt install ldapscripts
Konfiguration
Hauptkonfiguration
- cat /etc/ldapscripts/ldapscripts.conf
SERVER="ldap://ldap.it213.int" SUFFIX="dc=it213,dc=int" GSUFFIX="ou=groups" USUFFIX="ou=users" MSUFFIX="ou=hosts" BINDDN="cn=admin,dc=it213,dc=int" USHELL="/bin/bash" UHOMES="/home/%u" CREATEHOMES="yes" HOMESKEL="/etc/skel" BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd" GIDSTART="10000" UIDSTART="10000" MIDSTART="20000" GCLASS="posixGroup" PASSWORDGEN="pwgen" RECORDPASSWORDS="no" PASSWORDFILE="/var/log/ldapscripts_passwd.log" LOGTOFILE="yes" LOGFILE="/var/log/ldapscripts.log" LOGTOSYSLOG="no" SYSLOGFACILITY="local4" SYSLOGLEVEL="info" LDAPSEARCHBIN="/usr/bin/ldapsearch" LDAPADDBIN="/usr/bin/ldapadd" LDAPDELETEBIN="/usr/bin/ldapdelete" LDAPMODIFYBIN="/usr/bin/ldapmodify" LDAPMODRDNBIN="/usr/bin/ldapmodrdn" LDAPPASSWDBIN="/usr/bin/ldappasswd" LDAPSEARCHOPTS="-o ldif-wrap=no"
Password Datei
- echo -n "123Start$" > /etc/ldapscripts/ldapscripts.passwd
Managment
Struktur
![Bearbeiten](javascript:editDrawio("1902623461", "it21-ldap.drawio.png", "png", false, false, false, true, "https://embed.diagrams.net")){kind=link}
![Bearbeiten](javascript:editDrawio("1281308848", "it21-2.drawio.png", "png", false, false, false, true, "https://embed.diagrams.net")){kind=link}
Gruppen anlegen
- ldapaddgroup it
Benutzer anlegen
- ldapadduser thomas it
- ldapadduser tina it
Passwörter setzen
- ldapsetpasswd thomas
- ldapsetpasswd tina
nsswitch und pam anbinden
Installation
- env DEBIAN_FRONTEND=noninteractive apt install -yqq libnss-ldap libpam-ldap nslcd
- Wir konfigurieren von Hand
ldap.conf
- cat /etc/ldap/ldap.conf
base dc=it213, dc=int uri ldap://server.it213.int ldap_version 3 rootbinddn cn=admin, dc=it213, dc=int pam_password md5
Passwort für den Adminzugang eintragen
- echo 123Start$ > /etc/ldap.secret
Wir benutzen nur eine Konfigurationdatei
- ln -fs /etc/ldap/ldap.conf /etc/libnss-ldap.conf
- ln -fs /etc/ldap/ldap.conf /etc/pam_ldap.conf
nslcd.conf
- cat /etc/nslcd.conf
uid nslcd gid nslcd uri ldap://ldap.it213.int base dc=it213,dc=int
Nsswitch anpassen
- cat /etc/nsswitch.conf
passwd: files ldap group: files ldap shadow: files ldap
PAM anpassen
Falls ein Home Verzeichnis gewünscht ist, muss folgende Datei bearbeitet werden:
- Eleganter
- pam-auth-update
- Manuell
- nano /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Reboot
!!!Reboot!!!
Tests
- getent group it
it:*:10000:
- getent passwd thomas
thomas:*:10000:10000:thomas:/home/thomas:/bin/bash
- su - tina
tina@server:~$
Dienstverwaltung
- systemctl start slapd
- systemctl stop slapd
- systemctl restart slapd
Portprüfung
- netstat -lntp | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 499/slapd
Sudo
Sudo Gruppe auf dem ldap Server anlegen:
- ldapaddgroup sudo
- ldapaddusertogroup thomas sudo
- ldapaddusertogroup tina sudo
Pakete installieren:
- apt install sudo-ldap
Konfiguration:
- visudo -f /etc/sudoers.d/ldap-sudoers
%sudo ALL=(ALL:ALL) ALL
- vim /etc/sudo-ldap.conf
sudoers_base ou=sudo,dc=it213,dc=int
Testen:
- su - thomas
- sudo -l
- sudo whoami