Raspberry Pi Infrastructure Series
In this second tutorial for the Raspberry Pi I'm going to cover the basics of setting up an LDAP server and how to configure a client to authenticate against it. For those unfamiliar with it, LDAP (Lightweight Directory Access Protocol) provides a directory of information that you can use to store your users and groups so that you're not constantly setting up those entities on each local machine.
LDAP is actually fairly simple to set up in Debian, despite what I think is a lack of clear-cut instructions for doing so. So let's get down to it. Once again for this tutorial I'm starting out with a fresh copy of Raspbian "Wheezy" from the Raspberry Pi website.
The first thing we want to do is install slapd, which provides the LDAP server, and ldap-utils, which is a set of tools for testing and connecting to LDAP.
sudo apt-get install slapd ldap-utils
Here put in the password you want for your LDAP administrator account.
Re-enter it again.
Unfortunately, since slapd doesn't ask you for the domain during the install, we have to re-run the setup manually to set it. We can do this with the following command.
sudo dpkg-reconfigure slapd
At the first screen select No, because we want to change the configuration.
Next enter the name of your domain (this can be whatever you want, it's not a real domain that you have to own or anything).
Type in your organization name.
Enter the password you want for your administrator account.
Re-enter the password.
Here we'll just select HDB for the database as that's what Debian recommends.
When asked if we want to purge the database we'll say no.
Select Yes here because we need to move the old database that Debian set up during the install.
And here we can say no because LDAPv2 is obsolete.
And with that our actual LDAP server is up and running, but we need an easy way to manage it. Next we'll install PHP, Nginx, and phpldapadmin so that we can manage our LDAP server through a web interface. We're also going to install APC for PHP while we're at it; this will help reduce the amount of recompiling PHP does when we request web pages.
sudo apt-get install php5-fpm php5-cli php5-ldap php-apc phpldapadmin nginx
Now we need to crack open /etc/phpldapadmin/config.php and change a couple of lines so that it matches the domain we just set up.
sudo nano /etc/phpldapadmin/config.php
We need to look for the following lines and modify them slightly.
Now we just need to make a modification to /etc/nginx/sites-available/default so that Nginx knows where to serve the PHP from.
sudo nano /etc/nginx/sites-available/default
Let's comment out or remove the main server block and replace it with the following.
We should be all set to use the web interface, so let's restart Nginx for the changes to take effect.
sudo service nginx restart
Now in a browser, head to the IP of your Raspberry Pi and you should be presented with the following screen.
From the left side click Login and then enter your admin password to proceed.
So this is the main interface for managing LDAP. I'm not going to go into great detail, as it's something you just have to explore and get a feel for, but for now click Create new entry here in the left tree. From here we select the type of object we want to create. We need to have a group before we can have a user, so go ahead and select Generic: POSIX Group.
Now type a name for the group, hit Create object and then Commit on the page after that.
Follow the same process to create a user. When you get to the user screen, select the group you just created and fill in all the necessary fields.
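The same POSIX group and user can be created without the web interface by feeding LDIF to ldapadd. This is an added example, not part of the original tutorial; it assumes the base DN dc=example,dc=com, a group "pi-users" and a user "alice", so substitute the domain you entered in dpkg-reconfigure.

```shell
#!/bin/sh
# Added example (not from the tutorial): build the posixGroup and posixAccount
# entries that the tutorial creates in phpldapadmin, as LDIF for ldapadd.
# Assumed: base DN dc=example,dc=com, group pi-users/10000, user alice/10000.
BASE_DN="dc=example,dc=com"

# Emit a posixGroup entry. $1 = group name, $2 = gidNumber.
# Keep uidNumber/gidNumber at 1000 or above so directory accounts never
# collide with local system accounts on the clients.
posix_group_ldif() {
  printf 'dn: cn=%s,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' \
    "$1" "$BASE_DN" "$1" "$2"
}

# Emit a posixAccount entry. $1 = uid, $2 = uidNumber, $3 = gidNumber,
# $4 = full name, $5 = password hash (generate one with: slappasswd -h '{SSHA}'
# rather than storing a cleartext userPassword). loginShell is set explicitly;
# if it is left out the client falls back to /bin/sh.
posix_user_ldif() {
  printf 'dn: uid=%s,%s\n' "$1" "$BASE_DN"
  printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\n'
  printf 'uid: %s\ncn: %s\nsn: %s\n' "$1" "$4" "${4##* }"
  printf 'uidNumber: %s\ngidNumber: %s\n' "$2" "$3"
  printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\n' "$1"
  printf 'userPassword: %s\n' "$5"
}

# Live usage (commented out so the script runs offline). On a remote client
# add -ZZ (StartTLS) or use ldaps:// so the admin password is not sent in clear:
#   { posix_group_ldif pi-users 10000; echo; \
#     posix_user_ldif alice 10000 10000 "Alice Example" "$(slappasswd -h '{SSHA}')"; } \
#     | ldapadd -x -H ldap://localhost -D "cn=admin,$BASE_DN" -W
posix_group_ldif pi-users 10000
echo
posix_user_ldif alice 10000 10000 "Alice Example" '{SSHA}PLACEHOLDER_HASH'
```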
Once the user and group are created then we're ready to move on to setting up the Raspberry Pi to be able to authenticate against the LDAP server.
For setting up the client I'm going to just use the server we just set up LDAP on, but you could perform these same steps on any Debian installation that you want to authenticate against LDAP.
The process of setting up a client for LDAP authentication used to be more manual; thankfully it's a lot easier to do now. We'll need to run the command below to install two packages which will get things going.
sudo apt-get install libpam-ldapd libnss-ldapd
At the first screen we need to enter the LDAP server address (port is optional). Since I'm doing this on the LDAP server I'm using the localhost address.
Tell it the base DN where it needs to search for users and groups.
Here we need to tell the system what we should use LDAP for; it's safe to go ahead and select everything for now.
Now we need to open /etc/pam.d/common-session and add the following line. What this will do is create the LDAP users' home directories upon login if they don't exist.
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
At this point LDAP client authentication is set up, so if we run the following command you should see the user you added to the LDAP server previously at the bottom of the output.
sudo getent passwd
Go ahead and open an SSH console or terminal session and try logging in as the LDAP user; you should be greeted with a command line prompt.
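Before trying the login, it is worth checking the client configuration that the steps above produced. The script below is an added example, not part of the tutorial; its checks take their input as text so they run on live files or on captured output, and the sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): post-setup checks for a client
# configured with libnss-ldapd/libpam-ldapd. Sample inputs are constructed.

# Check one `getent passwd <user>` line. Returns 0 if sane, 1 if malformed,
# 2 if the uid is below 1000 (a directory entry with uidNumber 0 would be
# root on every client that trusts the server), 3 if the login shell is
# /bin/sh (the fallback when loginShell is missing; tab completion breaks).
passwd_entry_ok() {
  IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
  [ -n "$name" ] && [ -n "$shell" ] || return 1
  for n in "$uid" "$gid"; do
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
  done
  case "$home" in /*) ;; *) return 1 ;; esac
  [ "$uid" -ge 1000 ] || return 2
  [ "$shell" != /bin/sh ] || return 3
  return 0
}

# Check that nsswitch.conf (passed as text) consults ldap for passwd, group
# and shadow, which is what selecting everything in the debconf screen sets.
nsswitch_uses_ldap() {
  for db in passwd group shadow; do
    printf '%s\n' "$1" | grep -Eq "^$db:[[:space:]].*ldap" || return 1
  done
}

# Check that common-session (passed as text) loads pam_mkhomedir. Note that
# umask=0077 instead of 0022 keeps new home directories private to the owner.
pam_mkhomedir_ok() {
  printf '%s\n' "$1" | grep -Eq '^session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so'
}

# Constructed sample inputs; on a live client pass "$(getent passwd alice)",
# "$(cat /etc/nsswitch.conf)" and "$(cat /etc/pam.d/common-session)".
SAMPLE_NSS='passwd: compat ldap
group: compat ldap
shadow: compat ldap'
SAMPLE_PAM='session required pam_mkhomedir.so umask=0022 skel=/etc/skel'

passwd_entry_ok 'alice:x:10000:10000:Alice Example:/home/alice:/bin/bash'
echo "alice entry: rc=$?"
nsswitch_uses_ldap "$SAMPLE_NSS" && echo "nsswitch: ldap enabled"
pam_mkhomedir_ok "$SAMPLE_PAM" && echo "pam: mkhomedir present"
```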
malc Great tutorial, when I log in as the LDAP user the shell is /bin/sh not bash and things like tab completion no longer work
Me Thanks for a great tutorial!
sudo dpkg-reconfigure libnss-ldapd
/etc/pam.d/common_session = /etc/pam.d/common-session
Brian Page Awesome directions! Thanks! This all worked for me step-by-step the first time. You saved me HOURS!
tried it two times, but
"From the left side click Login and then enter your admin password to proceed."
"Error: Can't contact LDAP server (-1) for user"
"Authentication with server failed
Invalid username or password."
(no authentication, user name and pwd wrong)
Many thanks in advance
Diego How can I reconfigure a client?
Klaus Could you please extend this tutorial for LDAP configuration for samba PDC authentication