## Setting up LDAP Authentication

I'm not going to weigh in on LDAP vs. Kerberos. However, here's how you can get LDAP working on the server and client ends.

First, assume we have a DNS name of `moc-ldap.bu.edu` for the LDAP server. (It can be a VM on moc02, as long as it has an IP address reachable from all the clients.)

### Client setup - Fedora / CentOS

(to do - I've had it working on an FC13 machine at NU for a couple of years, but I'll have to see if the setup needs updating for FC20)

### Client setup - Ubuntu

```shell
apt-get install libpam-ldapd
```

It will ask a few questions; the answers end up in `/etc/nslcd.conf` and `/etc/nsswitch.conf`:

```shell
LDAP URI: ldaps://moc-ldap.bu.edu
verify cert: never
select passwd, group, and shadow for the LDAP databases to use
```

"verify cert: never" (`tls_reqcert never` in `/etc/nslcd.conf`) makes the client accept any certificate, so `ldaps://` then protects nothing: anyone who can sit between a client and the server can present their own certificate and read every user's password as it goes by. Use it only to get things going; once the server has a proper certificate, change it to `tls_reqcert demand` and point `tls_cacertfile` at the issuing CA.

Finally run

```shell
service nscd restart
```

(if you later edit `/etc/nslcd.conf` by hand, restart `nslcd` as well).

Assuming the LDAP server is up, you can test with the `id` command: `id <username>` for a user who exists in LDAP but not in `/etc/passwd` should return the right data.

### Server setup

This is a lot harder. The documentation I found was for Ubuntu, so that's what I tested it on.

1. Install packages:

   ```shell
   apt-get install slapd ldap-utils ldapscripts
   ```

1. Run:

   ```shell
   dpkg-reconfigure slapd
   ```

   At this point you'll be asked some questions; the answers are:

   - Omit OpenLDAP server configuration? *No*
   - DNS Domain Name: *moc.bu.edu*
   - Organization Name: *Mass Open Cloud*
   - Administrator Password: (choose one)
   - Database backend: *HDB* (doesn't really matter)
   - Do you want the database to be removed when slapd is purged? *No*
   - Move old database? *Yes*
   - Allow LDAPv2 protocol? *No*

   The DNS domain name becomes the base DN, `dc=moc,dc=bu,dc=edu`, and the admin account is `cn=admin,dc=moc,dc=bu,dc=edu`; both appear in every command below. Note that `dpkg-reconfigure slapd` does not set up TLS: for the clients' `ldaps://` URI to work, slapd still needs a certificate (`olcTLSCertificateFile`, `olcTLSCertificateKeyFile` and `olcTLSCACertificateFile` in `cn=config`) and `ldaps:///` added to `SLAPD_SERVICES` in `/etc/default/slapd`. That part isn't covered here.

Now we have to create the organizational units that will hold our groups and users, because the packaging doesn't create them for you.
(taken from [Modifying/Populating your Database](https://help.ubuntu.com/12.04/serverguide/openldap-server.html))

Create a file `foo.ldif` containing the lines below. The blank line between the two entries is required: LDIF separates records with an empty line, and without it `ldapadd` reads both as one malformed record and refuses the file.

```ldif
dn: ou=People,dc=moc,dc=bu,dc=edu
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=moc,dc=bu,dc=edu
objectClass: organizationalUnit
ou: Groups
```

Now run the command:

```shell
ldapadd -x -W -D cn=admin,dc=moc,dc=bu,dc=edu -f foo.ldif
```

We're ready to add users and groups - first configure `ldapscripts`, which makes it easier. Edit the file `/etc/ldapscripts/ldapscripts.conf`, changing the following lines:

```shell
SERVER="ldap://localhost"
SUFFIX="dc=moc,dc=bu,dc=edu"
BINDDN="cn=admin,dc=moc,dc=bu,dc=edu"
```

and check that `USUFFIX` and `GSUFFIX` in the same file are `"ou=People"` and `"ou=Groups"`, matching the OUs just created (the shipped default for `USUFFIX` may differ).

Edit the file `/etc/ldapscripts/ldapscripts.passwd` to contain the admin password **WITHOUT ANY NEWLINE**. You can use emacs, or:

```shell
echo -n 'the-admin-password' > /etc/ldapscripts/ldapscripts.passwd
chmod 400 /etc/ldapscripts/ldapscripts.passwd
```

The file holds the directory admin password in cleartext, hence the `chmod 400`; and since the `echo` leaves the password in your shell history, either write the file with an editor instead or remove that history entry afterwards.

Now we can add a group or two:

```shell
sudo ldapaddgroup mocusers
```

and some users:

```shell
sudo ldapadduser pjd mocusers
sudo ldapadduser okrieg mocusers
```

With `USUFFIX="ou=People"`, `ldapadduser` creates the entry as `uid=pjd,ou=People,dc=moc,dc=bu,dc=edu`; that is the DN to target, or to bind as, in the password commands below.

To set a random password for a user:

```shell
pjd@ubuntu-pjd:~$ ldappasswd -D cn=admin,dc=moc,dc=bu,dc=edu -W uid=pjd,ou=People,dc=moc,dc=bu,dc=edu
Enter LDAP Password:
New password: RcspWt12
pjd@ubuntu-pjd:~$
```

or else you can add the `-S` flag and it will prompt you for the new password. Note that 'Enter LDAP Password' means the admin password.

Or if I wanted to change my own password:

```shell
ldappasswd -D uid=pjd,ou=People,dc=moc,dc=bu,dc=edu -W -S
```

and from another machine:

```shell
ldappasswd -H ldaps://moc-ldap.bu.edu -D uid=pjd,ou=People,dc=moc,dc=bu,dc=edu -W -S
```

In either case you will be prompted for your old password (the `-W` bind password) and then, twice, for the new one. This works because the default slapd ACL lets an entry write its own `userPassword` while everyone else may only use it to authenticate.
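As an added example (not code from the original page or the MOC project), the script below builds the same directory contents that the OU LDIF, `ldapaddgroup`, `ldapadduser` and `ldappasswd` steps above produce by hand, and checks the LDIF the way `ldapadd` would before it is sent to the server. It hashes each initial password as `{SSHA}` in the same form `slappasswd -h {SSHA}` emits, so no cleartext ends up in the file. Assumptions: the posixAccount/posixGroup attribute set is modelled on, not copied from, the default `ldapscripts` templates; the uid/gid numbers, home directories and login shell are made up; the base DN and user names are the page's own.

```python
import base64
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, List, Optional, Tuple

SUFFIX = "dc=moc,dc=bu,dc=edu"            # base DN derived from the DNS domain moc.bu.edu
PEOPLE = "ou=People," + SUFFIX
GROUPS = "ou=Groups," + SUFFIX

# The page's original foo.ldif, verbatim: two records with no blank line between them.
BROKEN_FOO_LDIF = ("dn: ou=People,dc=moc,dc=bu,dc=edu\nobjectClass: organizationalUnit\nou: People\n"
                   "dn: ou=Groups,dc=moc,dc=bu,dc=edu\nobjectClass: organizationalUnit\nou: Groups\n")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """userPassword in {SSHA} form, as slappasswd -h {SSHA} emits it:
    base64(sha1(password + salt) + salt) with a 4-byte random salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]      # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def random_password(length: int = 12) -> str:
    """Random initial password, like the one ldappasswd prints when -S is omitted."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ou_entry(name: str) -> List[str]:
    return [f"dn: ou={name},{SUFFIX}", "objectClass: organizationalUnit", f"ou: {name}"]


def group_entry(name: str, gid: int, members: List[str]) -> List[str]:
    lines = [f"dn: cn={name},{GROUPS}", "objectClass: posixGroup", f"cn: {name}", f"gidNumber: {gid}"]
    return lines + [f"memberUid: {m}" for m in members]


def user_entry(uid: str, uid_number: int, gid: int, password_hash: str) -> List[str]:
    """posixAccount modelled on (assumed, not copied from) ldapadduser's default template."""
    return [f"dn: uid={uid},{PEOPLE}", "objectClass: account", "objectClass: posixAccount",
            f"cn: {uid}", f"uid: {uid}", f"uidNumber: {uid_number}", f"gidNumber: {gid}",
            f"homeDirectory: /home/{uid}", "loginShell: /bin/bash",   # assumed home and shell
            f"userPassword: {password_hash}"]


def to_ldif(entries: List[List[str]]) -> str:
    """Serialise records; LDIF requires a blank line between records."""
    return "\n\n".join("\n".join(e) for e in entries) + "\n"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader (no '::' base64 values, no line folding). Raises ValueError
    on the mistake ldapadd rejects as well: a second dn: line inside one record."""
    records: List[Dict[str, List[str]]] = []
    for block in text.strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln and not ln.startswith("#")]
        if not lines or not lines[0].startswith("dn: "):
            raise ValueError("record does not start with dn:")
        attrs: Dict[str, List[str]] = {"dn": [lines[0][4:]]}
        for line in lines[1:]:
            key, _, value = line.partition(": ")
            if key == "dn":
                raise ValueError("second dn: in one record (missing blank line between records?)")
            attrs.setdefault(key, []).append(value)
        records.append(attrs)
    return records


def is_valid_ldif(text: str) -> bool:
    try:
        parse_ldif(text)
        return True
    except ValueError:
        return False


def build_directory(users: List[str], group: str = "mocusers", gid: int = 10000,
                    first_uid: int = 10000) -> Tuple[str, Dict[str, str]]:
    """Return the LDIF for the OUs, one group holding every user, and one entry per user,
    plus the cleartext initial passwords so the admin can hand them out."""
    passwords = {u: random_password() for u in users}
    entries = [ou_entry("People"), ou_entry("Groups"), group_entry(group, gid, users)]
    for i, user in enumerate(users):
        entries.append(user_entry(user, first_uid + i, gid, ssha_hash(passwords[user])))
    return to_ldif(entries), passwords


if __name__ == "__main__":
    ldif, initial = build_directory(["pjd", "okrieg"])       # same users as the page
    assert is_valid_ldif(ldif) and not is_valid_ldif(BROKEN_FOO_LDIF)
    print(ldif, end="")       # pipe into: ldapadd -x -W -D cn=admin,dc=moc,dc=bu,dc=edu
```

Run it and feed the output to `ldapadd` as in the OU step; the initial passwords are in the returned dictionary, never in the LDIF. `parse_ldif` applied to `BROKEN_FOO_LDIF` shows why the blank line in `foo.ldif` matters, and `ssha_verify` is what you would use to confirm that a `userPassword` value pulled back with `ldapsearch` matches what was set.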