Thursday, January 5, 2012

Setting up OpenLDAP on Ubuntu

I spent some time setting up a new server at work to be the computation server for open-source alternatives to the normal applications we have. I thought it was the perfect time to migrate from NIS to LDAP.

I thought of using Microsoft Active Directory; however, that creates difficulties meeting end-user needs due to politics. This is supposed to be an open-source server, so OpenLDAP seems the option to go with here.

I set up an Ubuntu server and pretty much followed the instructions in the Server Guide; however, there were hurdles getting it to actually function normally. I wanted it to use TLS, for security reasons only. I changed the line in /etc/default/slapd to be:

SLAPD_SERVICES="ldap://127.0.0.1/ ldaps:/// ldapi:///"

This makes the server listen on the network only for TLS (ldaps) connections, while still accepting unencrypted connections that originate on the server itself (the loopback address and the local ldapi socket). That was my biggest stumbling block, as many references indicated that I needed to put the IP address or name of the server in the ldaps:/// entry. However, with that change, slapd wouldn't listen on the ldaps port at all.
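The point of that SLAPD_SERVICES line is that plaintext ldap:// is bound to loopback only, ldapi:// is a local Unix socket, and anything reachable from the network is ldaps:// (TLS). The following shell script is an added example, not code from the original post or from the OpenLDAP project: it extracts the SLAPD_SERVICES value from a /etc/default/slapd-style file and checks that policy, so the setting can be verified before restarting slapd. The sample file it writes is constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example: verify that an SLAPD_SERVICES value exposes plaintext LDAP
# only on loopback and includes an ldaps:// (TLS) listener.

# Print the value of SLAPD_SERVICES from a /etc/default/slapd-style file.
slapd_services_from_file() {
    sed -n 's/^SLAPD_SERVICES="\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# Return 0 when every URI in "$1" follows the policy, 1 otherwise.
#   ldap://  must be bound to a loopback address (127.0.0.1, localhost, [::1])
#   ldaps:// must be present (network clients get TLS only)
#   ldapi:// (local Unix socket) is always acceptable
check_slapd_services() {
    services="$1"
    has_ldaps=1          # becomes 0 once an ldaps:// URI is seen
    for uri in $services; do
        case "$uri" in
            ldap://127.0.0.1/*|ldap://localhost/*|ldap://\[::1\]/*)
                ;;       # plaintext on loopback only: acceptable
            ldap://*)
                echo "plaintext LDAP exposed on the network: $uri" >&2
                return 1 ;;
            ldaps://*)
                has_ldaps=0 ;;
            ldapi://*)
                ;;       # local Unix socket: acceptable
            *)
                echo "unrecognized listener URI: $uri" >&2
                return 1 ;;
        esac
    done
    [ "$has_ldaps" -eq 0 ] || echo "no ldaps:// listener configured" >&2
    return "$has_ldaps"
}

# Demonstration on a constructed file (not a real /etc/default/slapd).
sample_file=$(mktemp)
printf 'SLAPD_SERVICES="ldap://127.0.0.1/ ldaps:/// ldapi:///"\n' > "$sample_file"
if check_slapd_services "$(slapd_services_from_file "$sample_file")"; then
    echo "policy OK: plaintext LDAP is loopback-only, TLS listener present"
else
    echo "policy violated"
fi
rm -f "$sample_file"
```

After restarting slapd, the live counterpart of this check is to look at what is actually bound with `ss -ltnp` and confirm that port 389 appears only on 127.0.0.1 while port 636 is bound on all addresses.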

Also, following the instructions blindly results in a lot of extra stuff that you may not need; for instance, I really didn't want all the address book fields. I just wanted a replacement for NIS.

Now again, the online documentation for Ubuntu Server was accurate enough to add the client successfully, but there were still a number of issues. Namely, I couldn't change the password, and newgrp didn't function as needed. Installing libcap2-bin and using setcap on newgrp itself soon fixed this problem.

The other issue was sudo, which seemed to know about LDAP but still gave a non-helpful error. Installing nscd appeared to fix this issue.

Outside of a few minor tweaks, the only other thing I did was a best-practice security setup on the server and client. I have a functional LDAP server and a client connected to it. Now I can move on to the workgroup sharing options the users need, as well as account provisioning...
