How to install and configure LDAP
LDAP, or Lightweight Directory Access Protocol, is a protocol used to access directory services over a network.
To install and configure LDAP on your server, you will need to perform the following steps:
- Install the LDAP server software on your server. This will typically involve downloading the appropriate package for your operating system and installing it using the package manager.
- Configure the LDAP server by editing the configuration files. These files will typically be located in the /etc/ldap directory and will include files such as ldap.conf and slapd.conf.
- Create the LDAP directory structure. This will typically involve creating a root domain for your LDAP directory and then creating the necessary organizational units (OUs) and user and group entries.
- Configure LDAP clients to access the LDAP server. This will typically involve installing the LDAP client software on the client machines and then configuring the LDAP client to connect to the LDAP server using the appropriate settings.
- Test the LDAP configuration by attempting to authenticate a user against the LDAP server and accessing the LDAP directory from a client machine.
Install and configure LDAP on Ubuntu 18.04 LTS
Add the LDAP server address to `/etc/hosts`
```text
192.16.1.100 ldap.opensourcelisting.com ldap
```
Install OpenLDAP and the LDAP-aware sudo
```bash
apt install -y slapd ldap-utils
# sudo-ldap replaces the stock sudo package, whose removal is refused unless this is set
export SUDO_FORCE_REMOVE=yes
apt install -y sudo-ldap
```
Copy the schema shipped with sudo-ldap into the slapd schema directory; if the file is not found, create it by hand in the next step
```bash
cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/ldap/schema/sudo.schema
```
Open `/etc/ldap/schema/sudo.schema` in your favorite editor and add the following if the file is empty (the `sudoRole` object class at the end is the schema-file form of the `olcObjectClasses` line in the LDIF below, so the two files stay consistent)
```text
attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
    NAME 'sudoHost'
    DESC 'Host(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
    NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
    NAME 'sudoRunAs'
    DESC 'User(s) impersonated by sudo (deprecated)'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
    NAME 'sudoOption'
    DESC 'Options(s) followed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.6
    NAME 'sudoRunAsUser'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7
    NAME 'sudoRunAsGroup'
    DESC 'Group(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

# object class that ties the attributes above together (same definition as in sudo.ldif)
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
```
Create the LDIF form of the same schema at `/etc/ldap/schema/sudo.ldif` (this is the file loaded into `cn=config` below) with the following content
```ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
```
Update the LDAP config database by running the following (the first form, with `-u`, is a dry run that only validates the LDIF and writes nothing; the second performs the import)
```bash
slapadd -n 0 -F /etc/ldap/slapd.d -l /etc/ldap/slapd.d/cn\=config.ldif -u
```
OR
```bash
slapadd -n 0 -F /etc/ldap/slapd.d -l /etc/ldap/slapd.d/cn\=config.ldif
```
Open `/usr/share/slapd/slapd.conf` in your favorite editor and add the following include lines if they are not present
```text
include /etc/ldap/schema/sudo.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
```
Load the three schemas into `cn=config` over the local socket with the commands below
```bash
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/sudo.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
```
Open `/etc/ldap/basedn.ldif` in your favorite editor and add/edit the following. Entries are separated by a blank line, the suffix is `dc=opensourcelisting,dc=com` (matching the host name added to `/etc/hosts` above), and `ou=Sudoers` is created here because the sudoers entry in the next file is added under it
```ldif
dn: dc=opensourcelisting,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
o: opensourcelisting
dc: opensourcelisting

dn: ou=groups,dc=opensourcelisting,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=people,dc=opensourcelisting,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people

# parent of the sudoRole entries defined in sudomaster.ldif
dn: ou=Sudoers,dc=opensourcelisting,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Sudoers
```
Open `/etc/ldap/sudomaster.ldif` in your favorite editor and add/edit the following
```ldif
dn: cn=defaults,ou=Sudoers,dc=opensourcelisting,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset
sudoOption: mail_badpass
sudoOption: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
```
Run the following commands (`-W` prompts for the admin password chosen when slapd was installed)
```bash
ldapadd -x -W -D "cn=admin,dc=opensourcelisting,dc=com" -f /etc/ldap/basedn.ldif
ldapadd -x -W -D "cn=admin,dc=opensourcelisting,dc=com" -f /etc/ldap/sudomaster.ldif
```
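Before running `ldapadd`, a pre-flight check of the LDIF files is worth having: a mistyped suffix such as `dc=dc=opensourcelisting,dc=com`, two entries not separated by a blank line, a missing `objectClass`, or a sudoers entry added under an `ou=Sudoers` that was never created are all reported by `ldapadd` only one at a time. The linter below is an added example, not part of the original guide; it assumes plain DNs without escaped characters or multi-valued RDNs and uses the `dc=opensourcelisting,dc=com` suffix from this page.

```python
import re

BASE_DN = "dc=opensourcelisting,dc=com"  # suffix used on this page; adjust to yours
# An RDN is attr=value; a value holding a second '=' is the "dc=dc=..." typo.
# Assumption: DNs carry no escaped characters and no multi-valued RDNs.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=]+$")

def normalize(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """Split LDIF into (dn, attrs) records; a record starts at every 'dn:' line."""
    records, dn, attrs = [], None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":  # also catches entries not separated by a blank line
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = value, {}
        elif dn is not None:
            attrs.setdefault(key, []).append(value)
    if dn is not None:
        records.append((dn, attrs))
    return records

def lint_ldif(text, base_dn=BASE_DN, known_dns=()):
    """Return what ldapadd would reject: bad RDNs, missing objectClass, missing parent."""
    findings, seen = [], {normalize(d) for d in (base_dn, *known_dns)}
    for dn, attrs in parse_ldif(text):
        rdns = [r.strip() for r in dn.split(",")]
        bad = [r for r in rdns if not _RDN.match(r)]
        if bad:
            findings.append(f"{dn}: malformed RDN {bad[0]!r}")
        elif normalize(dn) not in seen:  # the base entry itself needs no parent
            parent = normalize(",".join(rdns[1:]))
            if parent not in seen:
                findings.append(f"{dn}: parent {parent!r} does not exist yet")
        if "objectclass" not in attrs:
            findings.append(f"{dn}: no objectClass")
        seen.add(normalize(dn))
    return findings

# Constructed samples: two mistyped OU entries, and sudo defaults before ou=Sudoers exists.
BROKEN_BASEDN = ("dn: ou=groups,dc=dc=opensourcelisting,dc=com\nobjectClass: organizationalUnit\n"
                 "ou: groups\ndn: ou=people,dc= dc=opensourcelisting,dc=com\nou: people\n")
SUDO_DEFAULTS = ("dn: cn=defaults,ou=Sudoers,dc=opensourcelisting,dc=com\n"
                 "objectClass: sudoRole\ncn: defaults\nsudoOption: env_reset\n")
```

Pass entries that already exist on the server (for example the OUs created by `basedn.ldif`) via `known_dns` when linting a later file such as `sudomaster.ldif`.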
Install LDAP Account Manager
```bash
apt -y install ldap-account-manager
```