Set up Ubuntu centralized management network with LDAP

In the near future, free and open source software will most likely become an indispensable option for organizations / businesses. With the advantages of open source, easy to expand, stable operation ... this field of application is increasingly demonstrating its usability and effectiveness.

1. Introduction

In the near future, free and open source software will most likely become an indispensable option for organizations / businesses. With the advantages of open source, easy to expand, stable operation . this field of application is increasingly demonstrating its usability and effectiveness.

Most organizations need to have an intranet system to support daily work handling, operational operations, work coordination .

This article will guide you through the process of building a centralized Ubuntu management system with LDAP, a solution that can completely replace the Microsoft Windows network with Active Directory.

2. System requirements

We use three computers with the following information:

  1. Ubuntu server computer:
    1. IP address: 192.168.10.2
    2. DNS server: 192.168.10.2
    3. Machine name: ubuntu-server
  2. Ubuntu computer desktop 01:
    1. IP address: 192.168.10.12
    2. DNS server: 192.168.10.2
    3. Computer name: ubuntu-desktop01
  3. Computer Ubuntu desktop 02:
    1. IP address: 192.168.10.14
    2. DNS server: 192.168.10.2
    3. Computer name: ubuntu-desktop02

3. System configuration

3.1. Configuring ubuntu-server

On ubuntu-server machines, we do:

  1. Install and configure DNS server with BIND software.
    1. Domain name: bits.com.vn
    2. Add 02 Host (A) records corresponding to 02 Ubuntu workstations to DNS server:

      ubuntu-desktop01.bits.com.vn 192.168.10.12
      ubuntu-desktop02.bits.com.vn 192.168.10.14
  2. Install and configure LDAP server with OpenLDAP software.
    1. Add 02 accounts corresponding to 2 Ubuntu workstations to LDAP server:

      Account 01 - last: ********
      Account 02 - ctbach: ********

The steps in turn are as follows:

Install and configure DNS server with BIND software

1. Install Ubuntu server, version 7.10

During the installation process, set the following parameters:

  1. IP address: 192.168.10.2
  2. DNS server: 192.168.10.2
  3. Netmask: 255.255.255.0
  4. Machine name: ubuntu-server
  5. Software: select installation packages for DNS server

2. Configure DNS server

Software used to build DNS servers on Ubuntu is BIND (Berkeley Internet Name Domain). We will work on BIND files to configure the DNS server. The steps are as follows:

  1. Backup copy of BIND files:

    thai @ ubuntu-server: ~ $ sudo -i
    [sudo] password for comment:
    root @ ubuntu-server: ~ #
    root @ ubuntu-server: ~ # mkdir / backup
    root @ ubuntu-server: ~ # cp -R / etc / bind / backup
  2. BIND configuration:
    Edit BIND's main configuration file - /etc/bind/named.conf - by adding the following lines to the end of the file:

    root @ ubuntu-server: ~ # vim /etc/bind/named.conf
    .
    // The zone definition
    zone 'bits.com.vn' {
    type master;
    file '/etc/bind/zones/bits.com.vn.db';
    };
    // The zone definition for reverse DNS
    zone '10 .168.192.in-addr.arpa '{
    type master;
    file '/etc/bind/zones/rev.10.168.192.in-addr.arpa';
    };

    Edit the file /etc/bind/named.conf.options to transfer (forward) the requests that this DNS server cannot resolve:

    root @ ubuntu-server: ~ # vim /etc/bind/named.conf.options
    options {
    .
    forwarders {
    10.238.200.1;
    10,238,200.8;
    10,238,200.12;
    };
    };

    Create file zones:
    1. /etc/bind/zones/bits.com.vn.db: used for storing IP address / machine name pairs to resolve this DNS server.
    2. /etc/bind/zones/rev.10.168.192.in-addr.arpa: for reverse resolution purposes.

      root @ ubuntu-server: ~ # mkdir / etc / bind / zones
      root @ ubuntu-server: ~ # vim /etc/bind/zones/bits.com.vn.db
      $ TTL 604800
      @ IN SOA ubuntu-server.bits.com.vn. admin.bits.com.vn. (
      first ; Serial
      604800; Refresh
      86400; Retry
      2419200; Expire
      604800); Negative Cache TTL
      ;
      ; Thay thế theo sau dòng như cần:
      ; ns1 = DNS server name
      ; mail = Mail server name
      ; bits.com.vn. IN MX 10 mail.bits.com.vn.

      @ IN NS ubuntu-server.bits.com.vn.
      @ IN A 192.168.10.2
      ubuntu-server.bits.com.vn. IN A 192.168.10.2

      root @ ubuntu-server: ~ # vim /etc/bind/zones/rev.10.168.192.in-addr.arpa
      ; Số số trước IN PTR ubuntu-server.bits.com.vn is
      ; máy phục vụ địa chỉ của máy phục vụ DNS. In this case, it's
      ; 2, as my IP address is 192.168.10.2.

      $ TTL 604800
      @ IN SOA ubuntu-server.bits.com.vn. admin.bits.com.vn. (
      first ; Serial
      604800; Refresh
      86400; Retry
      2419200; Expire
      604800); Negative Cache TTL
      ;
      @ IN NS ubuntu-server.bits.com.vn.
      2 IN PTR ubuntu-server.bits.com.vn.

Edit the /etc/resolv.conf file to list the DNS servers in your network:

root @ ubuntu-server: ~ # vim /etc/resolv.conf
search bits.com.vn
nameserver 192.168.10.2

  1. Restart the BIND service:

    root @ ubuntu-server: ~ # /etc/init.d/bind9 restart
  2. Check DNS server with dig (domain information groper) utility. dig is a data query utility on DNS server (DNS lookup utility). This utility will search the DNS server and display the information returned by the DNS server.

    root @ ubuntu-server: ~ # dig bits.com.vn

    Besides, we also need to use the ping utility to check:

    root @ ubuntu-server: ~ # ping bits.com.vn
    root @ ubuntu-server: ~ # ubuntu-server ping
    root @ ubuntu-server: ~ # ping ubuntu-server.bits.com.vn

Install and configure LDAP server with OpenLDAP software

1. Install OpenLDAP

The software used to build LDAP server on Ubuntu is OpenLDAP. We will install the necessary software and utilities to set up LDAP server, including:

  1. slapd (OpenLDAP Server - OpenLDAP standalone server) : This software is used to create a standalone directory service and include a slurpd replication server.
  2. ldap-utils (OpenLDAP Utilities) : This package contains utilities to access LDAP server locally or remotely (local or remote). ldap-utils also contains all the necessary programs (required client programs) to access LDAP servers.
  3. db4.2-util (Berkeley v4.2 Database Utility) : This package contains tools that are used for manipulating with databases formatted as Berkeley v4.2 Database.

The steps are as follows:

  1. Update the package list on Ubuntu and install OpenLDAP:

    thai @ ubuntu-server: ~ $ sudo -i
    [sudo] password for comment:
    root @ ubuntu-server: ~ #
    root @ ubuntu-server: ~ # aptitude update
    root @ ubuntu-server: ~ # apt-get install slapd
    root @ ubuntu-server: ~ # apt-get install ldap-utils
    root @ ubuntu-server: ~ # apt-get install db4.2-util

    Note : when installing slapd, ldap-utils, db4.2-util packages, the system needs to use the CD containing Ubuntu server 7.10.

2. Configure LDAP server

We will work on OpenLDAP files to configure LDAP server. The steps are as follows:

  1. Backup copy of OpenLDAP files:

    root @ ubuntu-server: ~ # cp -R / etc / ldap / backup
  2. Use the slappasswd utility to encrypt admin passwords and save the encrypted string at the end of the /etc/ldap/slapd.conf file:

    root @ ubuntu-server: ~ # slappasswd >> /etc/ldap/slapd.conf
    New password:
    Re-enter new password:
  3. OpenLDAP configuration:

    Edit the /etc/ldap/slapd.conf file (OpenLDAP's main configuration file) as follows:

    root @ ubuntu-server: ~ # vim /etc/ldap/slapd.conf
    suffix 'dc = bits, dc = com, dc = vn'
    rootdn 'cn = admin, dc = bits, dc = com, dc = vn'
    This # password is generated by the ldappasswd utility.
    rootpw {SSHA} AwiGYep3HmBbL5rQka4Bchd4g8ofhnXC
    directory '/ var / lib / ldap'

    # Set change password permission
    access to attrs = userPassword, shadowLastChange
    by dn = 'cn = admin, dc = bits, dc = com, dc = vn' write
    by anonymous auth
    bởi self ghi
    by * none

    # Ensure đọc được truy cập cho cơ bản để làm việc
    # supportedSASLMechanisms.
    access to dn.base = '' by * read

    # Người dùng dn có đủ truy cập được ghi được, ai khác có thể
    # read everything.
    access to *
    by dn = 'cn = admin, dc = bits, dc = com, dc = vn' write
    by * read

    Note : keeping the default settings of the /etc/ldap/slapd.conf file is not mentioned above.
  4. Launch standalone LDAP server:

    root @ ubuntu-server: ~ # /etc/init.d/slapd start
    Starting OpenLDAP: slapd

    At this step, LDAP server is ready. In order to start bringing this server into operation, we need to add entries (entities - user, group, ou .) initialized on the server.
  5. Add the initial entry:

    LDAP server can add entries with a command or from files with ldif format (ldap directory interchange format). Below, we create the init.ldif file and save it to the / etc / ldap directory.

    root @ ubuntu-server: ~ # vim /etc/ldap/init.ldif
    dn: dc = bits, dc = com, dc = vn
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: bits
    ou: bits.com.vn

    dn: cn = admin, dc = bits, dc = com, dc = vn
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    userPassword: {SSHA} AwiGYep3HmBbL5rQka4Bchd4g8ofhnXC

    dn: ou = users, dc = bits, dc = com, dc = vn
    objectClass: organizationalUnit
    ou: users

    dn: ou = groups, dc = bits, dc = com, dc = vn
    objectClass: organizationalUnit
    ou: groups

    dn: cn = ktm, ou = groups, dc = bits, dc = com, dc = vn
    objectClass: posixGroup
    cn: ktm
    gidNumber: 5000

    Note : The UID / GID in this article is set as follows:
    1. System account: UID <500
    2. Real People in LDAP: 499
    3. Local users, groups (not in LDAP): UID> 10,000

Follow the steps below to add entry to LDAP server:

      Stop LDAP service:
root @ ubuntu-server: ~ # /etc/init.d/slapd stop

      Delete content that was automatically created while installing OpenLDAP:
root @ ubuntu-server: ~ # rm -rf / var / lib / ldap / *

      Add new entry:
root @ ubuntu-server: ~ # slapadd -l init.ldif

      Edit permissions on the database:
root @ ubuntu-server: ~ # chown -R openldap: openldap / var / lib / ldap

      Launch LDAP service:
root @ ubuntu-server: ~ # /etc/init.d/slapd start

  1. Check out the newly added entries:

    We can check the newly added entries by using the ldapsearch utility:

    root @ ubuntu-server: ~ # ldapsearch –xLLL –b 'dc = bits, dc = com, dc = vn'

    Inside:
    1. -x: do not use SASL authentication method (default).
    2. -LLL: disable printing of LDIF information.
    3. -b: basic search.

If additional entry operations to LDAP server are performed correctly, the ldapsearch utility will display information about these entries similar to the content created in the file /etc/init.ldif.

With the above configuration steps, we have completed the installation and configuration of LDAP server on the ubuntu-server computer. Next, we proceed with the installation and configuration of Ubuntu workstation systems.

3.2. Configure ubuntu-desktop01

In order for the workstation to log in with the account created on LDAP server, we need to perform the configuration steps on the PAM (Pluggable Authentication Modules) and NSSWITCH (Name Service Switch) files in Ubuntu. The steps are as follows:

1. LDAP client installation

The software and utilities that need to be installed on the Ubuntu workstation are:

  1. libpam-ldap : library used to allow authentication (allow for authentication) via LDAP.
  2. libnss-ldap : library used to allow querying of session information (allow session information) via LDAP.
  3. nss-updatedb : utility used to create a local database of the user names. This database is used to overcome the situation where the network has been slowed down by network access (network slowdown), or has been stopped due to a problem (outage).

The steps are as follows:

  1. Update the package list on Ubuntu and install libpam-ldap, libnss-ldap and nss-updatedb:

    ctbach @ ubuntu-desktop01: ~ $ sudo -i
    [sudo] password for ctbach:
    root @ ubuntu-desktop01: ~ #
    root @ ubuntu-desktop01: ~ # aptitude update
    root @ ubuntu-desktop01: ~ # apt-get install libpam-ldap

    When installing this library, we need to provide the following parameters:
    1. LDAP Server Uniform Resource Identifier: ldap: //192.168.10.2
    2. Distinguished name of search base: dc = bits, dc = com, dc = vn
    3. LDAP version để sử dụng: 3
    4. LDAP account for root: cn = admin, dc = bits, dc = com, dc = vn
    5. LDAP root account password: ******

root @ ubuntu-desktop01: ~ # apt-get install libnss-ldap

When installing this library, we need to provide the following parameters:

  1. LDAP account for root: cn = admin, dc = bits, dc = com, dc = vn
  2. LDAP root account password: ******

Note : a dialog box appears, informing you that the system cannot manage nsswitch.conf file automatically. We click the OK button and will change the configuration of this file later.

root @ ubuntu-desktop01: ~ # apt-get install nss-updatedb

2. Configure LDAP client

We will manipulate the files of PAM and NSSWITCH to configure the LDAP client. The steps are as follows:

  1. Backup of files of PAM and NSSWITCH:

    root @ ubuntu-desktop01: ~ # mkdir / backup
    root @ ubuntu-desktop01: ~ # cp /etc/nsswitch.conf / backup
    root @ ubuntu-desktop01: ~ # cp -R / etc / pam / backup
  2. Configure NSSWITCH:

    Edit the file /etc/nsswitch.conf (the main configuration file of NSSWITCH). This file identifies the name service that the system uses to search for information. This file also shows the order of the name services so that the search priority system is in a set order.

    root @ ubuntu-desktop01: ~ # vim /etc/nsswitch.conf
    passwd: ldap files
    group: ldap files

    Check the configuration just set by executing 02 commands:

    root @ ubuntu-desktop01: ~ # getent passwd
    root @ ubuntu-desktop01: ~ # getent group

    The above two commands will list passwords and groups on Ubuntu desktop and on LDAP server.
  3. Configure PAM:

    There are four configuration files for PAM related to LDAP:
    1. /etc/pam.d/common-account
    2. /etc/pam.d/common-auth
    3. /etc/pam.d/common-password
    4. /etc/pam.d/common-session

Edit these files according to the following steps:

    1. root @ ubuntu-desktop01: ~ # cd /etc/pam.d
    2. root @ ubuntu-desktop01: /etc/pam.d# vim ./common-account
      account sufficient pam_ldap.so
      account required pam_unix.so
    3. root @ ubuntu-desktop01: /etc/pam.d# vim ./common-auth
      auth sufficient pam_ldap.so
      auth required pam_unix.so nullok_secure use_first_pass
    4. root @ ubuntu-desktop01: /etc/pam.d# vim ./common-password
      password sufficient pam_ldap.so
      password required pam_unix.so nullok obscure min = 4 max = 8 md5
    5. root @ ubuntu-desktop01: /etc/pam.d# vim ./common-session
      session required pam_unix.so
      session required pam_mkhomedir.so skel = / etc / skel /
      session optional pam_ldap.so
      session optional pam_foreground.so
  1. Create a directory to store home directories corresponding to each account logged into the workstation:

    root @ ubuntu-desktop01: ~ # mkdir / home / users
    root @ ubuntu-desktop01: ~ # mkdir / home / users / ktm

Note : if you do not follow this step after creating an account on LDAP, you will get an error message during the login process to the Ubuntu client.

    1. 'Authentication failed'. If you look in the /var/log/auth.log file, we will see the cause of the error: 'Unable to create / home directory / users / ktm / modules'; 'không mở được phiên bản để thực hiện'.

3. Create a login account with phpLDAPadmin

For simplicity in managing OpenLDAP server, we use phpLDAPadmin. This is the web application used to manipulate OpenLDAP server.

The following steps will help us install and use phpLDAPadmin on the Ubuntu workstation to manage LDAP server.

Install phpLDAPadmin with the command :

root @ ubuntu-desktop01: ~ # apt-get install phpldapadmin

Configuring phpLDAPadmin :

root @ ubuntu-desktop01: ~ # cp -R / usr / share / phpldapadmin / var / www / myphpldapadmin
root @ ubuntu-desktop01: ~ # cp /etc/phpldapadmin/config.php /etc/phpldapadmin/first.config.php
root @ ubuntu-desktop01: ~ # rm /var/www/myphpldapadmin/config/config.php
root @ ubuntu-desktop01: ~ # ln -s /etc/phpldapadmin/first.config.php /var/www/myphpldapadmin/config/config.php
root @ ubuntu-desktop01: ~ # chmod + r /etc/phpldapadmin/first.config.php

Access phpLDAPadmin :

  1. From the browser window, enter the address http:/// localhost / myphpldapadmin.

Set up Ubuntu centralized management network with LDAP Picture 1Set up Ubuntu centralized management network with LDAP Picture 1

Click the Login button in the left pane, enter the root account information:

  1. Login DN: cn = admin, dc = bits, dc = com, dc = vn
  2. Password: ******

Click the Authenticate button to login.

Set up Ubuntu centralized management network with LDAP Picture 2Set up Ubuntu centralized management network with LDAP Picture 2

If login to LDAP server is successful, the system will notify:

Set up Ubuntu centralized management network with LDAP Picture 3Set up Ubuntu centralized management network with LDAP Picture 3

Create an account on phpLDAPadmin :

  1. Click on ou = users, select Create new entry here, select User Account. Click Process >> button.

Set up Ubuntu centralized management network with LDAP Picture 4Set up Ubuntu centralized management network with LDAP Picture 4

  1. Fill in the information related to the account and click the Process >> button.

Set up Ubuntu centralized management network with LDAP Picture 5Set up Ubuntu centralized management network with LDAP Picture 5

  1. Review information. After making sure, click the Create Object button.

Set up Ubuntu centralized management network with LDAP Picture 6Set up Ubuntu centralized management network with LDAP Picture 6

  1. After the creation, the screen showing the information of the newly created account will appear.

Set up Ubuntu centralized management network with LDAP Picture 7Set up Ubuntu centralized management network with LDAP Picture 7

  1. Click the Add new attribute button to add the LoginShell attribute.

Set up Ubuntu centralized management network with LDAP Picture 8Set up Ubuntu centralized management network with LDAP Picture 8

Click the Add button to complete the operation to create and edit the account. At this point, we click the Logout button and start checking the performance of the LDAP system on Ubuntu.

3.3. Configuring ubuntu-desktop02

Take the same steps as the ubuntu-desktop01 computer.

4. Check the system

To check the system after completing the configuration steps, from the ubuntu workstation, we log in with the account created on the LDAP server. In my case, on ubuntu-desktop01, after the system starts, we enter:

  1. Username: last
  2. Password: ******

The system will notify: ' Creating directory' / home / users / ktm / date '', we click the OK button to complete the login operation.

Conclude

Using LDAP to build intranet with client / server model, with Ubuntu computers is an effective and cost-effective centralized management solution. With simple installation steps, easy configuration, designing internal network systems with LDAP and Ubuntu is completely feasible.

Appendix 1 - Some useful operations when configuring LDAP on Ubuntu

1. Configure the Ubuntu computer to allow the account on the LDAP server to switch to (sudo) the root system administrator account

To allow the account on LDAP server to be transferred to the root account, on the Ubuntu workstation, we do the following:

Open the file / etc / group, add user01 to the admin line .

# gedit / etc / group

Find admin line: x: 117: ctbach, administrator

Add user01 to the end of the line. After addition, we get the same result as follows:

admin: x: 117: ctbach, administrator, comment

Next, update the LDAP server password so that the Ubuntu system can understand this password:

root @ ubuntu-server: ~ # passwd
Enter login (LDAP) password: ******
New password: ******
Re-enter new password: ******

2. Use a USB disk on Ubuntu server

To use the USB disks on the Ubuntu server (command line interface), we must perform the operation of mounting the USB disk into the Ubuntu server.

  1. For regular USB disks (without MP3):
    root @ ubuntu-server: ~ # mkdir / usb-disk
    root @ ubuntu-server: ~ # mount -t vfat / dev / sdb1 / usb-disk
  2. For USB disks with MP3 music features:
    root @ ubuntu-server: ~ # mkdir / usbmp3-disk
    root @ ubuntu-server: ~ # mount -t vfat / dev / sdb / usbmp3-disk
  3. Once you're done, we should safely disconnect between Ubuntu server and USB disk by:
    root @ ubuntu-server: ~ # umount / usb-disk
    root @ ubuntu-server: ~ # umount / usbmp3-disk

3. See the login error on the Ubuntu workstation

To see the login errors on the Ubuntu workstation to help us determine the cause of the error during Ubuntu logging in via LDAP, we open the file /var/log/auth.log

References

1. OpenLDAP Server
https://help.ubuntu.com/community/OpenLDAPServer

2. LDAP Client Authentication
https://help.ubuntu.com/community/LDAPClientAuthentication

3. OpenLDAP Client Configuration Guide
http://ubuntuforums.org/showthread.php?t=597056

4. Ubuntu User Document (good)
https://help.ubuntu.com/community/UserDocumentation

5. DNS Server Setup Using Bind in Ubuntu
http://www.ubuntugeek.com/dns-server-setup-using-bind-in-ubuntu.html

6. BIND9 Administrator Reference Manual
http://www.isc.org/index.pl?/sw/bind/index.php

7. Installing phpLDAPadmin
https://help.ubuntu.com/community/InstallingphpLDAPadmin

8. An Introduction to LDAP
http://www.ldapman.org/articles/intro_to_ldap.html

9. Introduction to LDAP (good)
http:///quark.humbug.org.uau/publications/ldap/ldap_tut.html

10. LDAP mini HOWTO (good)
http://www.grennan.com/ldap_HOWTO.html

11. OpenLDAP 2.2 Administrator's Guide
http://www.bind9.net/manual/openldap/2.2/index.html

12. OpenLDAP Everywhere
http://www.linuxjournal.com/article/6266

13. LDAP Attributes
http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm

14. Berkeley v4.2 Database Utility
http://packages.ubuntu.com/feisty/utils/db4.2.-util

15. Berkeley Database
http://packages.ubuntu.com/edgy/doc/db3-doc

16. Berkeley Database
http://directory.fsf.org/project/BerkeleyDB/

17. Performing Backup and Recovery with Berkeley DB
http://packages.ubuntu.com/edgy/doc/db3-doc

18. Chapter 19. I / O Redirection (Advanced Bash - Scripting Guide)
http://tldp.org/LDP/abs/html/io-redirection.html

19. /etc/nsswitch.conf - Name Service Switch File
http://www.softpanorama.org/Solaris/Reference/etc/nsswitch.shtml

-------------------------------------------------- -----------
To Thanh Hai - Email: tthai@huesoft.com.vn

4 ★ | 24 Vote