In this second tutorial for the Raspberry Pi I'm going to cover the basics of setting up an LDAP server and how to configure a client to authenticate against it. For those unfamiliar with it, LDAP (Lightweight Directory Access Protocol) provides a directory of information that you can use to store your users and groups centrally, so that you're not constantly recreating the same accounts on each local machine.

LDAP is actually fairly simple to set up on Debian, despite what I think is a lack of clear-cut instructions for doing so. So let's get down to it. Once again for this tutorial I'm starting out with a fresh copy of Raspbian "Wheezy" from the Raspberry Pi website.

Server Setup

The first thing we want to do is install slapd, which is the LDAP server itself, and ldap-utils, a set of command-line tools (ldapsearch, ldapadd and friends) for querying and testing the server.

sudo apt-get install slapd ldap-utils

Here put in the password you want for your LDAP administrator account.

LDAP administrator password

Re-enter it again.

Confirm password

Unfortunately, the slapd install doesn't ask you for the domain (it builds a base DN from the system's domain name instead), so we have to re-run the package configuration to set it. We can do that with the following command.

sudo dpkg-reconfigure slapd

At the first screen (which asks whether to omit the OpenLDAP server configuration) select No, because we want to change the configuration.

Change LDAP configuration

Next enter your domain name. It's only used to build the base DN of the directory (ducky-pond.lan becomes dc=ducky-pond,dc=lan in the examples below), so it can be whatever you want; it's not a real domain that you have to own or anything.

Domain name

Type in your organization name.

Organization name

Enter the password you want for your administrator account.

Enter administrator password

Re-enter the password.

Confirm password

Here we'll just select HDB for the database, as that's what Debian recommends.

LDAP database type

When asked whether the database should be removed when slapd is purged, we'll say no.

Purge the database

Select yes here, because the old database that Debian created during the install has to be moved out of the way before the new one can be built.

Move the old database

And here we say no, because LDAPv2 is obsolete and nothing we're setting up needs it.

Disable LDAPv2

And with that our LDAP server is up and running, but we need an easy way to manage it. Next we'll install PHP, Nginx, and phpLDAPadmin so that we can manage the server through a web interface. We'll also install APC for PHP while we're at it; it caches compiled PHP opcodes so that scripts aren't recompiled on every request.

sudo apt-get install php5-fpm php5-cli php5-ldap php-apc phpldapadmin nginx

Now we need to open /etc/phpldapadmin/config.php and change a couple of lines so that it matches the domain we just set up.

sudo nano /etc/phpldapadmin/config.php

Look for the following lines and modify them to use your base DN and your admin DN.

//Original line
$servers->setValue('server','base',array('dc=example,dc=com'));
//Change to this domain so it matches yours like below
$servers->setValue('server','base',array('dc=ducky-pond,dc=lan'));

//Original line
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
//Change the line so it matches your LDAP admin user, my example below
$servers->setValue('login','bind_id','cn=admin,dc=ducky-pond,dc=lan');

Now we just need to modify /etc/nginx/sites-available/default so that Nginx knows where phpLDAPadmin lives and how to hand PHP requests to php5-fpm.

sudo nano /etc/nginx/sites-available/default

Comment out or remove the main server block and replace it with the following.

server {

        root /usr/share/phpldapadmin/htdocs;
        index index.php index.html;

        server_name localhost;

        location ~ \.php$ {
                # Only pass files that really exist to PHP. Without this, a
                # request like /some.png/x.php can be executed as PHP when
                # cgi.fix_pathinfo is on (the PHP default).
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }
}

We should be all set, so let's restart Nginx for the changes to take effect. One caveat: this block serves phpLDAPadmin over plain HTTP on port 80, so the admin password you type into its login form crosses the network in the clear. That's tolerable on a private LAN for a tutorial, but don't expose it any further without putting TLS in front of it.

sudo service nginx restart

Now in a browser, head to the IP address of your Raspberry Pi and you should be presented with the following screen.

phpLDAPadmin start page

From the left side click Login. The login DN is pre-filled with the bind_id you set in config.php, so just enter your admin password to proceed.

Login screen

So this is the main interface for managing LDAP. I'm not going to go into great detail, as it's something you just have to explore and get a feel for, but for now click Create new entry here in the left tree. From here we select the type of object we want to create. A POSIX user needs a primary group to belong to, so we need the group first: go ahead and select Generic: POSIX Group.

Main screen

Now type a name for the group, hit Create object and then Commit on the page after that.

Create a group

Follow the same process to create a user. When you get to the user screen, select the group you just created as its primary group and fill in all the required fields.

Create a user

Once the user and group are created, we're ready to move on to setting up the Raspberry Pi to authenticate against the LDAP server.
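The same group and user can be created without the web interface, which is handy for scripting and makes it clear exactly what phpLDAPadmin writes into the directory on your behalf. The script below is an added example and not part of the original tutorial: it builds the LDIF for a POSIX group and a POSIX user under the tutorial's base DN (dc=ducky-pond,dc=lan), hashes the password in the {SSHA} form slapd stores, and includes a verify function that shows how slapd checks a simple bind against that hash. The group name (users), user name (duck), the uid/gid numbers (10000) and the demo password are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the tutorial: create the POSIX group and user as
# LDIF for ldapadd instead of clicking through phpLDAPadmin, with the
# userPassword stored as an {SSHA} hash the way slapd keeps it.
# Base DN and admin DN follow the tutorial; group name, user name, the
# uid/gid numbers and the demo password are assumptions for illustration.
set -eu

BASE_DN='dc=ducky-pond,dc=lan'
ADMIN_DN="cn=admin,$BASE_DN"

# Hex string on stdin -> raw bytes on stdout (coreutils only, no xxd needed).
hex2bin() {
    hex=$(cat)
    while [ -n "$hex" ]; do
        byte=$(printf '%s' "$hex" | cut -c1-2)
        printf "\\$(printf '%03o' "$((0x$byte))")"
        hex=$(printf '%s' "$hex" | cut -c3-)
    done
}

# {SSHA} = "{SSHA}" + base64( SHA1(password || salt) || salt ).
# slappasswd -s <password> from the slapd package yields the same format;
# this version needs only sha1sum and base64 so it runs without slapd.
# $1 password, $2 optional salt (4 random bytes, as hex text, if omitted).
ssha_hash() {
    pw=$1
    salt=${2:-$(head -c 4 /dev/urandom | od -An -tx1 | tr -d ' \n')}
    digest=$(printf '%s%s' "$pw" "$salt" | sha1sum | cut -d' ' -f1)
    b64=$( { printf '%s' "$digest" | hex2bin; printf '%s' "$salt"; } | base64 | tr -d '\n')
    printf '{SSHA}%s\n' "$b64"
}

# Check a cleartext password against an {SSHA} value; this is what slapd
# does when a client performs a simple bind. Exit status 0 means it matches.
# Assumes a printable salt (as produced above) so it survives $( ).
ssha_verify() {
    pw=$1
    b64=$(printf '%s' "$2" | sed 's/^{SSHA}//')
    raw=$(mktemp)
    printf '%s' "$b64" | base64 -d > "$raw"
    want=$(head -c 20 "$raw" | od -An -tx1 | tr -d ' \n')
    salt=$(tail -c +21 "$raw")
    rm -f "$raw"
    got=$(printf '%s%s' "$pw" "$salt" | sha1sum | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# LDIF for one posixGroup and one posixAccount directly under $BASE_DN
# (point the dn: lines at an ou= container instead if your tree uses one).
# $1 group, $2 gid, $3 user, $4 uid, $5 {SSHA} hash
make_ldif() {
    cat <<EOF
dn: cn=$1,$BASE_DN
objectClass: top
objectClass: posixGroup
cn: $1
gidNumber: $2

dn: uid=$3,$BASE_DN
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $3
cn: $3
sn: $3
uidNumber: $4
gidNumber: $2
homeDirectory: /home/$3
loginShell: /bin/bash
userPassword: $5
EOF
}

# Demo: print LDIF for group "users" and user "duck" with a constructed
# password. Load the output with:
#   ldapadd -x -H ldap://localhost -D "$ADMIN_DN" -W -f users.ldif
make_ldif users 10000 duck 10000 "$(ssha_hash 'correct horse battery staple')"
```

Save the output to users.ldif, load it with ldapadd as shown in the last comment, and confirm the entries are there with ldapsearch -x -b dc=ducky-pond,dc=lan uid=duck. Note that ldapadd sends the hash, not the password, so the cleartext never goes over the wire at this point; a later simple bind as that user does send the cleartext, which is why a client on another machine needs TLS.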

Client Setup

For the client I'm going to use the same Pi we just set LDAP up on, but you could perform these same steps on any Debian installation that you want to authenticate against the LDAP server.

Setting up a client for LDAP authentication used to be a much more manual process; thankfully it's a lot easier now. Run the command below to install the two packages that do the work: libnss-ldapd, which lets the system look up users and groups in LDAP (through the nslcd daemon it pulls in), and libpam-ldapd, which lets PAM check passwords against the directory.

sudo apt-get install libpam-ldapd libnss-ldapd

At the first screen enter the LDAP server as a URI (the port is optional). Since I'm doing this on the LDAP server itself I'm using the localhost address. If you do this on a separate client, remember that a plain ldap:// URI means the passwords PAM binds with will cross the network in the clear; for a remote client configure TLS on slapd and use ldaps://, or set ssl start_tls in /etc/nslcd.conf.

LDAP server address

Tell it the base DN where it needs to search for users and groups.

DN for users and groups

Here we need to tell the system which name service databases should be looked up in LDAP. Select passwd, group and shadow, which are the ones our directory actually holds. The others (hosts, services and so on) aren't stored in LDAP, so selecting them just adds an LDAP round-trip to lookups the local files answer anyway.

NSS groups

Now we need to open /etc/pam.d/common-session and add the following line at the end (after the block pam-auth-update manages, so it survives package updates). What this does is create an LDAP user's home directory on first login if it doesn't already exist. umask=0022 gives the new home directory the usual Debian 0755 permissions; use umask=0077 if you'd rather home directories weren't world-readable.

session required pam_mkhomedir.so umask=0022 skel=/etc/skel

At this point LDAP client authentication is set up, so if we run the following command you should see the user you added to the LDAP server at the bottom of the output, after the local accounts from /etc/passwd.

sudo getent passwd

Go ahead and open an SSH session or a terminal and try logging in as the LDAP user; you should be greeted with a command line prompt.
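A quick way to confirm that the account really is being served from the directory, rather than from a leftover /etc/passwd entry, and that its uid doesn't collide with a local account, is to compare what NSS returns with the local files. The script below is an added example and not from the original tutorial; the user name duck and the sample passwd and group lines are constructed, and the NSS_PASSWD, LOCAL_PASSWD and LOCAL_GROUP overrides exist only so the checks can be exercised offline.

```sh
#!/bin/sh
# Added example, not from the tutorial: confirm that an account is served
# by nslcd from LDAP and that its uid does not collide with a local account.
# User name "duck" and the sample entries are constructed for illustration.
# NSS_PASSWD / LOCAL_PASSWD / LOCAL_GROUP can be pointed at files so the
# checks run offline; on a real client just run:  sh check.sh duck
set -eu

# passwd line for $1 as NSS sees it (files + ldap), or empty if unknown.
nss_lookup() {
    if [ -n "${NSS_PASSWD:-}" ]; then
        grep "^$1:" "$NSS_PASSWD" || true
    else
        getent passwd "$1" || true
    fi
}

# Exit 0 if $1 resolves through NSS, is not defined in the local passwd
# file, and its uid is not already taken by a local account. Prints why
# when it fails. A primary gid that is also a local group only warns,
# since LDAP users may legitimately share a local group such as "users".
check_ldap_user() {
    user=$1
    passwd_file=${LOCAL_PASSWD:-/etc/passwd}
    group_file=${LOCAL_GROUP:-/etc/group}

    entry=$(nss_lookup "$user")
    if [ -z "$entry" ]; then
        echo "$user: not found by NSS (is nslcd running and the base DN right?)"
        return 1
    fi
    if grep -q "^$user:" "$passwd_file"; then
        echo "$user: defined locally in $passwd_file, so this is not the LDAP account"
        return 1
    fi
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    clash=$(awk -F: -v uid="$uid" '$3 == uid { print $1 }' "$passwd_file")
    if [ -n "$clash" ]; then
        echo "$user: uid $uid collides with local account $clash"
        return 1
    fi
    gclash=$(awk -F: -v gid="$gid" '$3 == gid { print $1 }' "$group_file")
    if [ -n "$gclash" ]; then
        echo "warning: $user's primary gid $gid is also local group $gclash"
    fi
    echo "$user: from LDAP, uid=$uid gid=$gid"
}

if [ $# -gt 0 ]; then
    check_ldap_user "$1"
fi
```

The uid collision check matters because NSS merges the local files and LDAP in the order given in /etc/nsswitch.conf: if an LDAP user is given the uid of a local account, the two accounts own each other's files, and which name a uid maps back to depends on lookup order. Pick uid and gid ranges for the directory (10000 and up, say) that no local account will ever use.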

