Debian Ldap Howto

From Pruonckk.org

Author: Pruonckk le Punk


Preface

Until some time ago, the most widely used method for this was NIS with NFS, but for a while now LDAP has been gaining popularity, mainly because of how well it integrates with other services. This tutorial shows how to set up a server that authenticates Linux workstations against LDAP.


Installing the server

apt-get install ldap-utils slapd nscd libnss-ldap libpam-ldap libpam-passwdqc

Configuring the server

Creating the SSL keys

mkdir /etc/ldap/certificados
cd /etc/ldap/certificados

Generator script

#!/bin/sh
# /etc/ldap/certificados/gerador.sh
# Each key is first generated with a passphrase (-des3) and then rewritten
# without one, so slapd can load it at boot without a prompt.
# Note that the final "openssl x509 -req" writes the self-signed certificate
# over the CSR file (server.csr / client.csr): the slapd.conf and ldap.conf
# entries below refer to those names as the certificate files.
# Keep the *.key files readable only by root and the user slapd runs as.

# Server certificate
openssl genrsa -des3 -out server.key 4096
openssl rsa -in server.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.csr

# Client certificate (1024-bit RSA is below current recommendations; 2048 or more is advisable)
openssl genrsa -des3 -out client.key 1024
openssl rsa -in client.key -out client.key
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -signkey client.key -out client.csr

Setting up the keys

At the end of /etc/ldap/slapd.conf, add the following entry

# SSL options
TLSCertificateFile /etc/ldap/certificados/server.csr
TLSCertificateKeyFile   /etc/ldap/certificados/server.key
# Do not request a certificate from clients ("never" is the documented keyword
# for the numeric value 0). StartTLS needs no separate directive in slapd.conf:
# it becomes available as soon as the TLS* directives above are set.
TLSVerifyClient never

Now edit /etc/ldap/ldap.conf and add the following entries

# SSL Options
TLS_CERT        /etc/ldap/certificados/client.csr
TLS_KEY         /etc/ldap/certificados/client.key
# allow: the session continues even if the server certificate cannot be verified;
# to actually verify it use "demand" and point TLS_CACERT at the server certificate
TLS_REQCERT     allow

The complete file will look like the one below

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=dominio, dc=com
URI     ldap://ldap.dominio.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# SSL Options
TLS_CERT        /etc/ldap/certificados/client.csr
TLS_KEY         /etc/ldap/certificados/client.key
# allow: the session continues even if the server certificate cannot be verified;
# to actually verify it use "demand" and point TLS_CACERT at the server certificate
TLS_REQCERT     allow
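The TLS_REQCERT setting decides whether the client tolerates an unverifiable server certificate, which is what protects the StartTLS session against impersonation of the server. The following added example (not code from the page or from OpenLDAP) parses an ldap.conf like the one above, reports the settings under which the client does not verify the server, and produces a hardened version that uses demand plus TLS_CACERT; the sample file content is constructed from the page, and using the self-signed server.csr as the trust anchor is an assumption that fits the gerador.sh script above. The same check applies to the clients' ldap.conf.

```python
"""Audit the TLS client settings in an OpenLDAP ldap.conf.

Added example for this howto, not the page's own code: it reports settings
under which the client would accept any server certificate, and rewrites the
file so the server certificate is verified. SAMPLE_LDAP_CONF is constructed
from the ldap.conf shown in the howto.
"""

# Constructed sample: the ldap.conf from the howto (TLS_REQCERT allow).
SAMPLE_LDAP_CONF = """\
# LDAP Defaults
BASE    dc=dominio, dc=com
URI     ldap://ldap.dominio.com

#SIZELIMIT      12
# SSL Options
TLS_CERT        /etc/ldap/certificados/client.csr
TLS_KEY         /etc/ldap/certificados/client.key
TLS_REQCERT     allow
"""


def _key(raw):
    """Option name of a config line (upper-cased), or '' for blank/comment lines."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return ""
    return line.split(None, 1)[0].upper()


def parse_ldap_conf(text):
    """Return {OPTION: value}; ldap.conf option names are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        key = _key(raw)
        if key:
            parts = raw.strip().split(None, 1)
            settings[key] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def audit_tls(settings):
    """Return a list of findings; an empty list means the server is verified."""
    findings = []
    # ldap.conf(5): the default for TLS_REQCERT is "demand".
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(
            f"TLS_REQCERT {reqcert}: the session continues even when the server "
            "certificate cannot be verified, so any host answering for the "
            "server name is accepted"
        )
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append(
            "no TLS_CACERT/TLS_CACERTDIR: there is no trust anchor to verify "
            "the self-signed server certificate against"
        )
    return findings


def harden(text, ca_path="/etc/ldap/certificados/server.csr"):
    """Set TLS_REQCERT to demand and add TLS_CACERT if missing.

    The self-signed certificate written by gerador.sh (server.csr) can serve
    as its own trust anchor, so the clients can verify it directly.
    """
    out = []
    seen_ca = False
    for raw in text.splitlines():
        key = _key(raw)
        if key == "TLS_REQCERT":
            raw = "TLS_REQCERT     demand"
        if key in ("TLS_CACERT", "TLS_CACERTDIR"):
            seen_ca = True
        out.append(raw)
    if not seen_ca:
        out.append(f"TLS_CACERT      {ca_path}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_tls(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print("finding:", finding)
    print(harden(SAMPLE_LDAP_CONF))
```

Run against the page's file it reports two findings (TLS_REQCERT allow and the missing trust anchor); the hardened output passes the audit cleanly.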

Configuring PAM

/etc/pam.d/


common-account file

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
#account        required        pam_unix.so

# Note: "account sufficient pam_permit.so" makes the account stage succeed for
# every user, including accounts that pam_unix or pam_ldap would refuse
# (expired or locked); keep it only if that is intended.
account sufficient pam_unix.so
account sufficient pam_ldap.so
account sufficient pam_permit.so

common-password file

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

#password   required   pam_unix.so nullok obscure min=4 max=8 md5

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
#password required        pam_cracklib.so retry=3 minlen=6 difok=3
#password required        pam_unix.so use_authtok nullok md5

# pam_passwdqc only checks the quality of the new password and then returns
# success. Marked "sufficient" it would end the stack before pam_unix/pam_ldap
# store the password, and a weak password it rejects would still be stored by
# the next module. "requisite" aborts on a weak password and otherwise lets the
# stack continue to the modules that actually change the password.
password requisite pam_passwdqc.so min=disabled,16,12,8,6 max=256
password sufficient pam_unix.so use_authtok md5
password sufficient pam_ldap.so use_first_pass use_authtok md5
password required pam_deny.so

common-auth file

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
#auth   required        pam_unix.so nullok_secure

auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

common-session file

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required        pam_unix.so
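The control flags in these four files (required, requisite, sufficient, optional) decide how the result of one module combines with the next, and small differences change who gets in and whether a password change is actually stored. The following added example (not code from the page or from Linux-PAM) models the simple control-flag rules of pam.conf(5) and evaluates the common-account and common-password stacks shown above against constructed module outcomes, so the effect of "sufficient pam_permit.so" and of putting the quality checker pam_passwdqc first as "sufficient" can be seen without touching a live system.

```python
"""Model how Linux-PAM combines module results for the control flags used in
this howto (required, requisite, sufficient, optional).

Added example, not code from the page or from Linux-PAM: module outcomes are
supplied as data, so the stacks from common-account and common-password can
be evaluated on paper. Module names are the ones the page uses; the
outcomes below are constructed scenarios.
"""
SUCCESS, FAIL = "success", "fail"


def run_stack(stack, outcomes):
    """Evaluate a PAM stack.

    stack: list of (control, module) tuples in file order.
    outcomes: {module: SUCCESS | FAIL}; modules not listed succeed.
    Returns (result, list of modules that actually ran), following the
    simple control-flag rules of pam.conf(5):
      required   failure is remembered, the stack continues
      requisite  failure ends the stack immediately with failure
      sufficient success ends the stack with success unless a required
                 module failed earlier; failure is ignored
      optional   only matters when it is the sole module in the stack
    """
    executed = []
    required_failed = False
    required_seen = False
    for control, module in stack:
        executed.append(module)
        outcome = outcomes.get(module, SUCCESS)
        if control in ("required", "requisite"):
            required_seen = True
            if outcome == FAIL:
                if control == "requisite":
                    return FAIL, executed
                required_failed = True
        elif control == "sufficient":
            if outcome == SUCCESS and not required_failed:
                return SUCCESS, executed
    if required_failed:
        return FAIL, executed
    if required_seen:
        return SUCCESS, executed
    if len(stack) == 1 and stack[0][0] == "optional":
        return outcomes.get(stack[0][1], SUCCESS), executed
    return FAIL, executed  # no module granted access


# The stacks as written in the howto (constructed from the text above).
ACCOUNT_HOWTO = [
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("sufficient", "pam_permit.so"),
]
# Same pattern the howto uses in common-auth: deny when no module accepted.
ACCOUNT_WITHOUT_PERMIT = ACCOUNT_HOWTO[:2] + [("required", "pam_deny.so")]

PASSWORD_HOWTO = [
    ("sufficient", "pam_passwdqc.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]
PASSWORD_REQUISITE_QC = [("requisite", "pam_passwdqc.so")] + PASSWORD_HOWTO[1:]

# pam_deny always fails; pam_permit always succeeds (the default here).
ALWAYS = {"pam_deny.so": FAIL}


def expired_account_scenarios():
    """Both pam_unix and pam_ldap refuse the account (e.g. it is expired)."""
    refused = dict(ALWAYS, **{"pam_unix.so": FAIL, "pam_ldap.so": FAIL})
    return {
        "howto": run_stack(ACCOUNT_HOWTO, refused)[0],
        "without_permit": run_stack(ACCOUNT_WITHOUT_PERMIT, refused)[0],
    }


def password_change_scenarios():
    """Strong and weak new passwords against both password stacks."""
    weak = dict(ALWAYS, **{"pam_passwdqc.so": FAIL})
    return {
        "howto_strong": run_stack(PASSWORD_HOWTO, ALWAYS),
        "howto_weak": run_stack(PASSWORD_HOWTO, weak),
        "requisite_strong": run_stack(PASSWORD_REQUISITE_QC, ALWAYS),
        "requisite_weak": run_stack(PASSWORD_REQUISITE_QC, weak),
    }


if __name__ == "__main__":
    for name, value in expired_account_scenarios().items():
        print(f"account/{name}: {value}")
    for name, (result, ran) in password_change_scenarios().items():
        print(f"password/{name}: {result}, modules run: {ran}")
```

Two results stand out: with the page's common-account an account refused by both pam_unix and pam_ldap still passes because pam_permit is sufficient; and with the page's common-password a strong password ends the stack at pam_passwdqc before pam_unix or pam_ldap ever run, while a weak one is simply stored by pam_unix. Making pam_passwdqc requisite gives the intended behaviour in both cases.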

libnss-ldap.conf

/etc/libnss-ldap.conf: change the host and base options

host ldap.intranet.ttc.inf.br
base dc=intranet,dc=ttc,dc=inf,dc=br

pam_ldap.conf

/etc/pam_ldap.conf: change the same options as in libnss-ldap.conf

Configuring the clients

To configure the clients, install the same packages as on the server, but without slapd

apt-get install ldap-utils nscd libnss-ldap libpam-ldap

Then configure the same files in the same way, but without the SSL options in ldap.conf; naturally, no slapd.conf configuration is needed on the clients.

Creating users and groups

Creating the group

For each group you want for the LDAP users, the group LDIF file will contain an entry like the one below

(you can use migrationtools (apt-get install migrationtools) to generate the LDIF from your whole /etc/group file and then remove the entries you do not want; the migrationtools scripts live in /usr/share/migrationtools)

grupos.ldif

# Every LDIF entry starts with a "dn:" line. Placeholders: NOME_DO_GRUPO = group name,
# GID_DO_GRUPO = numeric gid, one memberUid line per member login.
dn: cn=NOME_DO_GRUPO,ou=Group,dc=dominio,dc=com
objectClass: posixGroup
objectClass: top
cn: NOME_DO_GRUPO
userPassword: {Crypt}x
gidNumber: GID_DO_GRUPO
memberUid: USUARIO_MEMBRO_DO_GRUPO
memberUid: OUTRO_USUARIO_MEMBRO_DO_GRUPO

Creating users

Generating the password

To generate the password, use the following routine

# slappasswd prompts for the password and prints its hash ({SSHA} by default);
# keep the hash next to the user name, only the hash goes into userPassword
a=`slappasswd`
echo "NOME_DO_USUARIO: $a" >> senhas.ldap

With that file holding a password hash for each user, generate the LDIF for each user and paste the hash (without the user name) into the userPassword line of the file

usuarios.ldif

# Placeholders: USUARIO = login name, DESCRICAO DO USUARIO = display name,
# COLE AQUI A SENHA DO USUARIO = the hash from senhas.ldap, UID_DO_USUARIO and
# GID_DO_USUARIO = numeric uid/gid, /HOME/DO/USUARIO = home directory.
dn: uid=USUARIO,ou=People,dc=dominio,dc=com
uid: USUARIO
cn: DESCRICAO DO USUARIO
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: COLE AQUI A SENHA DO USUARIO
shadowLastChange: 13417
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: UID_DO_USUARIO
gidNumber: GID_DO_USUARIO
homeDirectory: /HOME/DO/USUARIO
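Writing these entries by hand for every group and user is error-prone (a missing "dn:" line or a hash pasted with the user name still attached makes slapadd reject the file). The following added example (not the page's or migrationtools' code) covers both the group LDIF and the user LDIF sections above: it reproduces the {SSHA} scheme that slappasswd uses by default, builds the group and user entries from /etc/group- and /etc/passwd-style records, and also emits the suffix entry and the ou=People / ou=Group units that have to exist before the group and user entries can be loaded. The dc=dominio,dc=com suffix is the page's; the sample records, the account names and the helper names are constructed for the example.

```python
"""Build grupos.ldif / usuarios.ldif entries with {SSHA} password hashes.

Added example for this howto, not the page's own code. It reproduces the
{SSHA} scheme slappasswd uses by default (SHA-1 over password+salt, base64
of digest+salt), writes complete LDIF entries with the 'dn:' line each entry
needs, and emits the base entry plus the ou=People / ou=Group units that
must exist before slapadd will accept the group and user entries.
SAMPLE_GROUP and SAMPLE_PASSWD are constructed records, not real accounts.
"""
import base64
import hashlib
import os

BASE_DN = "dc=dominio,dc=com"


def ssha_hash(password, salt=None):
    """Return a {SSHA} string as slappasswd would (4 random salt bytes by default)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value (20-byte digest, then the salt)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def base_entries():
    """Suffix entry plus the two organizational units the howto's DNs hang under."""
    dc = BASE_DN.split(",")[0].split("=", 1)[1]
    return [
        {"dn": BASE_DN, "objectClass": ["top", "dcObject", "organization"],
         "dc": dc, "o": dc},
        {"dn": f"ou=People,{BASE_DN}", "objectClass": ["top", "organizationalUnit"],
         "ou": "People"},
        {"dn": f"ou=Group,{BASE_DN}", "objectClass": ["top", "organizationalUnit"],
         "ou": "Group"},
    ]


def group_entry(group_line):
    """Turn one /etc/group line (name:x:gid:member,member) into a posixGroup entry."""
    name, _pw, gid, members = group_line.strip().split(":")
    entry = {"dn": f"cn={name},ou=Group,{BASE_DN}",
             "objectClass": ["posixGroup", "top"], "cn": name, "gidNumber": gid}
    if members:
        entry["memberUid"] = members.split(",")
    return entry


def user_entry(passwd_line, password_hash, last_change=13417):
    """Turn one /etc/passwd line into the posixAccount/shadowAccount entry used above."""
    name, _x, uid, gid, gecos, home, shell = passwd_line.strip().split(":")
    return {
        "dn": f"uid={name},ou=People,{BASE_DN}",
        "uid": name,
        "cn": gecos or name,
        "objectClass": ["account", "posixAccount", "top", "shadowAccount"],
        "userPassword": password_hash,
        "shadowLastChange": str(last_change),
        "shadowMax": "99999",
        "shadowWarning": "7",
        "loginShell": shell,
        "uidNumber": uid,
        "gidNumber": gid,
        "homeDirectory": home,
    }


def to_ldif(entries):
    """Serialise entries as LDIF; multi-valued attributes become repeated lines."""
    blocks = []
    for entry in entries:
        lines = [f"dn: {entry['dn']}"]
        for key, value in entry.items():
            if key == "dn":
                continue
            for item in (value if isinstance(value, list) else [value]):
                lines.append(f"{key}: {item}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


# Constructed sample records (not real accounts).
SAMPLE_GROUP = "devs:x:1001:alice,bob"
SAMPLE_PASSWD = "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash"

if __name__ == "__main__":
    pw_hash = ssha_hash("example-password")
    print(to_ldif(base_entries() + [group_entry(SAMPLE_GROUP)]))
    print(to_ldif([user_entry(SAMPLE_PASSWD, pw_hash)]))
```

Load the output of the first print before the user file, since the user and group entries reference ou=People and ou=Group as parents; ssha_verify is there to confirm a hash before it is pasted, which is the same check slapd performs at bind time.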

Loading the LDIFs

invoke-rc.d slapd stop
slapadd < grupos.ldif
slapadd < usuarios.ldif
slapindex
# slapadd/slapindex run as root leave the database files owned by root; on Debian
# slapd runs as the openldap user and will not start until ownership is restored
chown -R openldap:openldap /var/lib/ldap
invoke-rc.d slapd start

For administration, phpldapadmin can be installed

apt-get install phpldapadmin

