Conklin Technology Group, LLC IT Architecture. Identity Management. Unix Administration

27 Apr 2010

Adding Posix attributes to your LDAP users

Now that you've got your OpenDS cloud-based server up and running, it's time to start configuring your Unix and Linux servers and workstations to use LDAP for authentication.

Before you get started, here are a few things to consider:

  • The POSIX attributes you'd normally find in the /etc/passwd and /etc/shadow files (login shell, numeric user ID, home directory, etc.) will now be stored in LDAP.
  • The attributes stored in LDAP for each user are the same on every one of your systems.  This means that the directory named by the 'homedirectory' attribute (let's say its value is "/home/username") will need to exist on all the machines you're going to configure to use LDAP authentication.
  • If you don't have an existing source for the numeric user ID (uidNumber) value (something like an employee ID), you'll need to create some sort of mechanism for tracking which values have already been used.  This could be a MySQL database, a spreadsheet, or a Post-It note, but you'll want to be sure that you don't assign one uidNumber to multiple users.

(If you missed the last post, about populating your LDAP server with user data, check out the instructions here)

So, one of the first steps is to assign the necessary attribute values to the user records.  You can use the sample LDIF below to get started.  Notice that the first change adds a new objectclass called 'posixAccount' -- this objectclass contains the attributes you'll need for Unix authentication.

dn: uid=msmith,ou=people,o=root
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: 1000
-
add: gidnumber
gidnumber: 100
-
add: homedirectory
homedirectory: /home/msmith
-
add: loginshell
loginshell: /bin/bash
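As an added example (not code from the original post), here is a small script that covers both of the points above: it reads an LDIF export of ou=people, reports which uidNumber values are already taken and whether any of them were handed out twice, and then writes the posixAccount modify record shown above for every user who still lacks one, using the lowest free uidNumber.  The export it reads is constructed sample data, and the o=root / ou=people naming follows this post.

```python
# Constructed sample export of ou=people (not real data); uidNumber 1000 is used twice.
SAMPLE_EXPORT = """\
dn: uid=jsmith,ou=people,o=root
objectclass: posixaccount
uidnumber: 1000

dn: uid=adoe,ou=people,o=root
objectclass: posixaccount
uidnumber: 1000

dn: uid=msmith,ou=people,o=root
objectclass: inetorgperson
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per record, attribute names lowercased."""
    entries = []
    for block in text.strip().split("\n\n"):  # a blank line ends a record
        entries.append({})
        for name, _, value in (line.partition(":") for line in block.splitlines()):
            entries[-1].setdefault(name.strip().lower(), []).append(value.strip())
    return entries

uid_of = lambda e: e["dn"][0].split(",")[0].split("=", 1)[1]  # "uid=msmith,..." -> "msmith"

def audit_uids(entries):
    """Return (uidNumbers in use, sorted uidNumbers that belong to more than one user)."""
    owners = {}
    for e in entries:
        for n in e.get("uidnumber", []):
            owners.setdefault(int(n), []).append(uid_of(e))
    return set(owners), sorted(n for n, users in owners.items() if len(users) > 1)

def posix_modify_ldif(uid, uidnumber, gidnumber=100, shell="/bin/bash"):
    """The modify record from the post: one 'add:' per attribute, '-' between changes."""
    attrs = {"objectclass": "posixAccount", "uidnumber": uidnumber, "gidnumber": gidnumber,
             "homedirectory": f"/home/{uid}", "loginshell": shell}
    body = "\n-\n".join(f"add: {a}\n{a}: {v}" for a, v in attrs.items())
    return f"dn: uid={uid},ou=people,o=root\nchangetype: modify\n{body}\n"

def assign_missing(entries, start=1000):
    """Give each user lacking posixAccount the lowest unused uidNumber; return {uid: ldif}."""
    used, out, nxt = audit_uids(entries)[0], {}, start
    for e in entries:
        if "posixaccount" in map(str.lower, e.get("objectclass", [])):
            continue
        while nxt in used:
            nxt += 1
        used.add(nxt)
        out[uid_of(e)] = posix_modify_ldif(uid_of(e), nxt)
    return out
```

Run audit_uids first and fix any duplicates it reports before importing what assign_missing produces; the generated records can be pasted into the phpLDAPadmin import screen as a single file.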

Filed under: All, LDAP
6 Apr 2010

Getting started with your new LDAP server

So now that you've had a chance to get started with your new cloud-based LDAP server...  (you have fired it up, right?  If not, check out this post for more details on how you can have your own LDAP server running in 10 minutes or so!)

Some of the most common uses of LDAP are for centralized authentication, say, for a group of Linux servers in your office, or perhaps for a company-wide address book.  Today, we'll talk about just getting some basic user data into your directory server.  Next time, we'll tackle the attributes required for Linux authentication.

So, assuming you have followed the directions (found here), you should be able to bring up a browser and use the phpLDAPadmin tool to add a few new entries to your OpenDS instance.  The URL will be something like http://ec2-123-34-45-56.compute-1.amazonaws.com/pla.  After logging in as the directory manager account (cn=directory manager, default password is dirmgr123), you should see one lone entry, called "o=root".  That's the top of your directory -- all the other groups and entries will be below here.  So, first, let's create two groups, or organizational units.  The first we'll call "ou=people", and the second "ou=groups".  It should be pretty self-explanatory which types of objects go into which container...

Using the phpLDAPadmin interface, click on the 'o=root' entry.  One of the options is 'Create a child entry' -- click there, and then choose 'Generic: organisational unit' from the available options.  Type 'people' into the text box, and click 'commit' when prompted if you want to create this entry.  That's it.  Now you've got a new organizational unit into which you can add accounts for people in your organization.

Next we'll create the 'ou=groups' container, but this time, we'll use a different method.  Click on the 'import' icon in the left-hand menu of the phpLDAPadmin screen, and paste the following lines into the text area:

dn: ou=groups,o=root
objectclass: organizationalUnit
objectclass: top
ou: groups

After clicking the 'Proceed' button, you should see a success message like 'Adding ou=groups,o=root Success'.  Also, you can now see in the left-hand menu a new container called 'ou=groups' under the root entry.  Pretty easy stuff.  The LDIF syntax lets you easily add many objects at once, without having to manually create each through the GUI of phpLDAPadmin.

Now that you have created these two containers, let's add one sample user into the people OU.  For our guinea pig, let's use the LDIF method.  Click the 'import' icon, and paste the following into the text area.  Replace values as you see fit:

dn: uid=jsmith,ou=people,o=root
givenname: Joe
sn: Smith
cn: Joe Smith
uid: jsmith
telephonenumber: 123-555-1234
userpassword: secret
objectclass: top
objectclass: person
objectclass: inetorgperson

That's it.  Now you've added your first LDAP account -- you should be able to browse to it and view the object with phpLDAPadmin -- it's under 'ou=people'.
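Since the post notes that LDIF lets you add many objects in one import, here is an added example (not from the original post) that builds a single import file containing both containers and a list of user entries shaped like the one above.  It also applies the LDIF rule that a value which starts with a space, colon or '<', ends with a space, or contains non-ASCII or control characters must be written base64-encoded on a 'name::' line; otherwise a stray trailing space in a password (as in "secret ") becomes part of the stored value.  The records and passwords are constructed sample data.

```python
import base64

# Constructed sample records (not real people); the trailing space and the
# accented name are there to exercise the LDIF encoding rules.
CONTAINERS = ["people", "groups"]
USERS = [
    {"uid": "jsmith", "givenname": "Joe", "sn": "Smith", "telephonenumber": "123-555-1234",
     "userpassword": "secret "},
    {"uid": "mbrown", "givenname": "Marie-José", "sn": "Brown", "telephonenumber": "123-555-9876",
     "userpassword": "changeme1"},
]

def needs_base64(value):
    """RFC 2849: a value must be base64-encoded if it is not SAFE as a plain string."""
    raw = value.encode("utf-8")
    return (not raw.isascii() or any(b in raw for b in b"\x00\r\n")
            or raw[:1] in (b" ", b":", b"<") or raw.endswith(b" "))

def attr_line(name, value):
    """'name: value', or 'name:: <base64>' when the value is not safe to write plainly."""
    if needs_base64(value):
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"

def ou_record(ou, base="o=root"):
    return "\n".join([attr_line("dn", f"ou={ou},{base}"), "objectclass: organizationalUnit",
                      "objectclass: top", attr_line("ou", ou)]) + "\n"

def user_record(u, base="ou=people,o=root"):
    """An inetOrgPerson entry shaped like the one in the post."""
    lines = [attr_line("dn", f"uid={u['uid']},{base}")]
    lines += [attr_line(k, v) for k, v in u.items() if k != "uid"]
    lines += [attr_line("cn", f"{u['givenname']} {u['sn']}"), attr_line("uid", u["uid"]),
              "objectclass: top", "objectclass: person", "objectclass: inetorgperson"]
    return "\n".join(lines) + "\n"

def batch_ldif(containers=CONTAINERS, users=USERS):
    """One import file: containers first (parents must exist), then users, blank-line separated."""
    return "\n".join([ou_record(c) for c in containers] + [user_record(u) for u in users])

def decode_value(line):
    """Read back one attribute line, undoing '::' base64 so the stored value can be checked."""
    name, sep, value = line.partition(":")
    if value.startswith(":"):
        return name, base64.b64decode(value[1:].strip()).decode("utf-8")
    return name, value.strip()
```

Paste the output of batch_ldif() into the phpLDAPadmin import screen; decode_value() is handy for checking what a '::' line will actually store before you import it.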

Continue to populate data into your LDAP server.  Next time we'll look at how you can start to use it for getting something done, like centralized authentication in Linux.

Filed under: All, LDAP