OpenLDAP configuration: client and server summary

Radu Zaharia


While setting up your home network with all its devices and users, you may have thought at one point about organizing your users better: a single database of accounts, able to log in with the same credentials everywhere in the network. You may also have run into the user access issues of NFS sharing, where the numeric UIDs and GIDs have to agree on every machine for permissions to make sense. Either way, if one network is shared by several users, there should be a single list of logins. At least that would be ideal.

Of course it doesn't have to be this way. Having a single set of users is empowering but also limiting, especially in a home network. If you have three users who want to manage their own devices, an identity server in your network could soon become a burden for them. Also, no matter how nicely you set up your identities, Android and iOS phones will not be part of this login database: they cannot join a domain and cannot use LDAP for device login.

Having said all that, I wrote before in detail about how to configure LDAP login in your network, but because the whole tutorial spanned several articles, I felt it would be nice to have a single-article summary of the whole process. As the title says, it's just a summary: I will skip the detailed explanations and also some of the script listings, which you can find on github instead. So let's make the whole process quick and easy.

Configuring the Raspberry PI 4 server


We will assume we have a Raspberry PI 4 home network server running Ubuntu Server. The first thing we need to do is install OpenLDAP, meaning the slapd server and the command-line utilities, and run its configuration dialog:

#apt install slapd ldap-utils
#dpkg-reconfigure slapd

The reconfigure process will ask for the domain name (yourdomain.com, which becomes the base DN dc=yourdomain,dc=com) and for the password of the directory administrator cn=admin,dc=yourdomain,dc=com, which we will call ldap-password. We also need to set the same domain name in /etc/idmapd.conf (the Domain setting; it is used by NFSv4 ID mapping so that user and group names on the shares resolve the same way on every machine). Next we need to set a password on the configuration database, cn=config, so that schemas can later be loaded with a plain bind; we will call it admin-password. This is done over the local ldapi:/// socket with SASL EXTERNAL, which authenticates you by your Unix credentials and needs no password at all, so run it as root:

#ldapmodify -Y EXTERNAL -H ldapi:/// -f root.ldif

You can find the root.ldif file used above on github; just remember to change the password used there, and generate the olcRootPW value with slappasswd rather than writing it in cleartext. Finally we are ready to add the network users and groups, using the users.ldif and groups.ldif files on github. Note that passing -w ldap-password on the command line leaves the password in your shell history and shows it in the process list while the command runs; -W prompts for it instead, and the same applies to every ldapadd below:

#ldapadd -x -D cn=admin,dc=yourdomain,dc=com -w ldap-password -f users.ldif
#ldapadd -x -D cn=admin,dc=yourdomain,dc=com -w ldap-password -f groups.ldif

Of course, we will need to change those files to reflect our own users and groups. The user passwords in users.ldif must not be stored in cleartext: use a salted hash such as {SSHA} (salted SHA-1), which slapd recognizes by the {SSHA} prefix followed by the base64 encoding of the SHA-1 digest and the salt. Generate each value with slappasswd -h '{SSHA}' -s the-password and paste the printed string into the userPassword attribute. SSHA is the traditional default and acceptable for a home network, but SHA-1 is fast, so a dumped directory can be brute-forced offline quickly; newer slapd releases also offer stronger schemes such as {ARGON2} through the argon2 password module. After adding all that, we can define the sudoers. For that, we need to import the sudoers.schema.ldif schema found on github and then add sudoers.ldif to configure the users with sudo rights. Schemas live in the configuration database, so this time we bind as cn=config with admin-password; the -x flag asks for a simple (DN plus password) bind, without it the tools attempt a SASL bind instead:

#ldapadd -x -D cn=config -H ldapi:/// -w admin-password -f sudoers.schema.ldif
#ldapadd -x -D cn=admin,dc=yourdomain,dc=com -w ldap-password -f sudoers.ldif
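Before moving on, here is a check for the userPassword values in users.ldif, as an added example written for this summary rather than code from the article or its github repository. It reimplements the {SSHA} scheme the way slapd and slappasswd define it (base64 of SHA-1(password || salt) followed by the salt), verifies a password against such a value, and audits a constructed LDIF (dummy accounts under the tutorial's dc=yourdomain,dc=com base) for cleartext, unsalted or malformed entries. The LDIF parser is deliberately minimal: it handles folded lines and base64 (::) values, which is enough for hand-written user files, not the full LDIF grammar.

```python
"""Check userPassword values before loading users.ldif into slapd.

Added example for this summary; not code from the article or its github
repository. {SSHA} = base64( SHA1(password || salt) || salt ), 4-byte salt.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = 20  # SHA-1 output size; whatever follows it is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value suitable for a userPassword attribute."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a 4-byte salt by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def _decode_ssha(value: str) -> Optional[tuple]:
    """Split a {SSHA} value into (digest, salt); None if it is malformed."""
    if not value.startswith("{SSHA}"):
        return None
    try:
        raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= DIGEST_LEN:  # digest alone, or truncated: unusable
        return None
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, value: str) -> bool:
    """True if password matches the stored {SSHA} value."""
    parts = _decode_ssha(value)
    if parts is None:
        return False
    digest, salt = parts
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def parse_userpasswords(ldif_text: str) -> list:
    """Return (dn, userPassword) pairs from an LDIF string (minimal parser:
    unfolds continuation lines and decodes 'attr::' base64 values)."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]  # folded continuation line
        else:
            lines.append(line)
    pairs, dn = [], None
    for line in lines:
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("userpassword::"):
            raw = base64.b64decode(line.split("::", 1)[1].strip())
            pairs.append((dn, raw.decode("utf-8")))
        elif line.lower().startswith("userpassword:"):
            pairs.append((dn, line.split(":", 1)[1].strip()))
    return pairs


def audit(ldif_text: str) -> dict:
    """Map each dn to 'ok', 'malformed', 'weak-scheme', 'cleartext' or 'other'."""
    findings = {}
    for dn, value in parse_userpasswords(ldif_text):
        scheme = value[: value.find("}") + 1] if value.startswith("{") else ""
        if scheme == "{SSHA}":
            findings[dn] = "ok" if _decode_ssha(value) else "malformed"
        elif scheme in ("{SHA}", "{MD5}"):
            findings[dn] = "weak-scheme"  # unsalted: rainbow tables apply
        elif scheme in ("", "{CLEARTEXT}"):
            findings[dn] = "cleartext"
        else:
            findings[dn] = "other"
    return findings


# Constructed sample (dummy accounts under the tutorial's base DN).
BASE = "ou=people,dc=yourdomain,dc=com"
SAMPLE_LDIF = "\n".join([
    f"dn: uid=alice,{BASE}",
    "userPassword: " + ssha_hash("correct horse", salt=bytes.fromhex("01020304")),
    "",
    f"dn: uid=bob,{BASE}",
    "userPassword: {SHA}" + base64.b64encode(hashlib.sha1(b"bob").digest()).decode(),
    "",
    f"dn: uid=carol,{BASE}",
    "userPassword:: " + base64.b64encode(b"hunter2").decode(),
    "",
    f"dn: uid=dave,{BASE}",
    "userPassword: {SSHA}" + base64.b64encode(b"too short").decode(),
])

if __name__ == "__main__":
    for entry_dn, finding in audit(SAMPLE_LDIF).items():
        print(f"{finding:12} {entry_dn}")
```

Run it against your real users.ldif (read the file into audit) before the ldapadd above; anything other than ok means the value will either not authenticate at all or is weaker than you intended.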

Again, we will need to edit sudoers.ldif to give sudo rights to the correct users. Keep in mind that every client will trust this subtree to decide who gets root, so whoever can write to it (cn=admin, or anyone who learns ldap-password) controls every machine in the network. Finally, we can also add automount definitions to OpenLDAP if we wish to. These definitions provide automatic mounts of the NFS shares exported by the Raspberry PI 4 server. Again we need to import autofs.schema.ldif first, binding as cn=config as before, and then the share definitions found in shares.ldif on github:

#ldapadd -x -D cn=config -H ldapi:/// -w admin-password -f autofs.schema.ldif
#ldapadd -x -D cn=admin,dc=yourdomain,dc=com -w ldap-password -f shares.ldif

Note that the shares.ldif file describes the NFS exports configured on the server in the earlier articles, so be sure to make the appropriate changes (server name, export paths, mount points) to have your shares work. Here is another view of the configured automount hierarchy, to make it easier to understand:

automount
  auto.direct                (direct map: absolute mount points)
    /mnt/storage/radu
    /mnt/storage/media
    /mnt/storage/shared
  auto.master                (master map)
    /-                       (this enables auto.direct)
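The same hierarchy written out as LDIF, as an added example for this summary and not the shares.ldif from the article's github. It assumes the classic autofs schema imported above (automountMap entries named by ou, automount entries named by cn, with the mount source in automountInformation), an NFS server reachable as pi.yourdomain.com exporting /export/radu, /export/media and /export/shared, and clients that resolve maps through sssd, which looks up the bare map name auto.direct found in the master entry. With autofs's own LDAP lookup module the master entry would instead carry the full ldap:ou=auto.direct,ou=automount,dc=yourdomain,dc=com reference. Because sssd's default autofs attribute names are the NIS ones (nisMap and nisObject), sssd.conf has to be told about these classes with its ldap_autofs_* options.

```ldif
# Added example (not the article's shares.ldif). Assumed names: the base
# dc=yourdomain,dc=com from the tutorial, NFS server pi.yourdomain.com,
# export paths /export/radu, /export/media and /export/shared.
dn: ou=automount,dc=yourdomain,dc=com
objectClass: organizationalUnit
ou: automount

# Direct map: each entry is an absolute mount point and its NFS source.
dn: ou=auto.direct,ou=automount,dc=yourdomain,dc=com
objectClass: automountMap
ou: auto.direct

dn: cn=/mnt/storage/radu,ou=auto.direct,ou=automount,dc=yourdomain,dc=com
objectClass: automount
cn: /mnt/storage/radu
automountInformation: -fstype=nfs4,rw pi.yourdomain.com:/export/radu

dn: cn=/mnt/storage/media,ou=auto.direct,ou=automount,dc=yourdomain,dc=com
objectClass: automount
cn: /mnt/storage/media
automountInformation: -fstype=nfs4,rw pi.yourdomain.com:/export/media

dn: cn=/mnt/storage/shared,ou=auto.direct,ou=automount,dc=yourdomain,dc=com
objectClass: automount
cn: /mnt/storage/shared
automountInformation: -fstype=nfs4,rw pi.yourdomain.com:/export/shared

# Master map: the /- key declares a direct map and names it.
dn: ou=auto.master,ou=automount,dc=yourdomain,dc=com
objectClass: automountMap
ou: auto.master

dn: cn=/-,ou=auto.master,ou=automount,dc=yourdomain,dc=com
objectClass: automount
cn: /-
automountInformation: auto.direct
```

The master map is what autofs reads first (automount: sss files in nsswitch.conf), so if a share does not appear on a client, check that the /- entry resolves before looking at the individual mount points.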

After all schemas and LDAP content are imported, we restart the LDAP service. Changes made through cn=config take effect immediately, so the restart is not strictly needed, but it is a cheap way to confirm that slapd comes back up cleanly with the new schemas and data:

#sudo systemctl restart slapd

Configuring the clients


As with the server, the first step is installing the LDAP client pieces: the client utilities, sssd with its sudo integration, and autofs. Note that this whole client section needs to be run on the server too, as the server is also a LDAP client: it participates in the same network and wants to use the same LDAP user database. The libnss-ldap and libpam-ldap packages in the list are the older nss_ldap/pam_ldap stack; sssd brings its own nss_sss and pam_sss modules and is what this setup actually uses, so the two can be left out (they are harmless if installed, as long as nsswitch.conf does not list ldap as a source):

#apt install libnss-ldap libpam-ldap ldap-utils sssd libsss-sudo autofs autofs-ldap

Next we need to add a line to PAM, the pluggable authentication framework that login, sshd and the display manager all go through, so that opening a session creates the user's home folder if it does not exist yet, by copying /etc/skel. Edit /etc/pam.d/common-session and add the following line (on Ubuntu the common-* files are managed by pam-auth-update, which may rewrite them; if your release ships the mkhomedir profile, pam-auth-update --enable mkhomedir enables the same module in a way that survives that):

session optional pam_mkhomedir.so skel=/etc/skel umask=077

We need to check /etc/nsswitch.conf to have sss listed as a source for the databases we use. Installing sssd normally adds it, but confirm that the lines look like this; the sudoers line is what lets libsss-sudo hand the sudo rules from LDAP to sudo, and the automount line is what autofs consults for its maps:

passwd:     files sss systemd
group:      files sss systemd
netgroup:   sss files
automount:  sss files
services:   sss files
sudoers:    files sss

Finally we need to configure sssd by creating the /etc/sssd/sssd.conf file. sssd refuses to start unless the file is owned by root and readable by nobody else, so set sudo chown root:root /etc/sssd/sssd.conf and sudo chmod 600 /etc/sssd/sssd.conf. An example sssd.conf file can be found on github; we just need to change it to reflect our network domain and settings (the services line in its [sssd] section must include sudo and autofs for the sudoers and automount parts to work). Then we enable and start the sssd service:

#sudo systemctl restart sssd
#sudo systemctl enable sssd
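A minimal sssd.conf matching this setup, as an added example for this summary and not the file from the article's github. It assumes the server is reachable as pi.yourdomain.com, that slapd listens on ldaps:// with a certificate issued by a CA whose certificate the client has in /etc/ssl/certs/home-ca.pem (a TLS setup not covered in this summary), that the sudo rules live under ou=sudoers,dc=yourdomain,dc=com and the automount maps under ou=automount,dc=yourdomain,dc=com using the classic autofs schema (automountMap named by ou, automount named by cn); adjust the base DNs to whatever your LDIF files use. The TLS lines are the security-relevant part: with a plain ldap:// URI, or with ldap_tls_reqcert = never, every password typed on a client crosses the LAN in the clear, and the sudoers rules that grant root are fetched from a server nobody has authenticated.

```ini
# Added example sssd.conf (not the file from the article's github).
# Assumed: server pi.yourdomain.com on ldaps://, CA cert in
# /etc/ssl/certs/home-ca.pem, sudoers under ou=sudoers, maps under ou=automount.
# Must be owned by root with mode 0600 or sssd will not start.
[sssd]
config_file_version = 2
domains = yourdomain.com
# sudo and autofs must be listed here, not only in nsswitch.conf
services = nss, pam, sudo, autofs

[domain/yourdomain.com]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
autofs_provider = ldap
ldap_schema = rfc2307

ldap_uri = ldaps://pi.yourdomain.com
ldap_search_base = dc=yourdomain,dc=com
ldap_sudo_search_base = ou=sudoers,dc=yourdomain,dc=com
ldap_autofs_search_base = ou=automount,dc=yourdomain,dc=com

# Weak settings this replaces: ldap_uri = ldap://pi.yourdomain.com (no TLS)
# or ldap_tls_reqcert = never (TLS without checking who you talk to).
ldap_tls_cacert = /etc/ssl/certs/home-ca.pem
ldap_tls_reqcert = demand

# Classic autofs schema; sssd's defaults are the NIS classes (nisMap/nisObject).
ldap_autofs_map_object_class = automountMap
ldap_autofs_map_name = ou
ldap_autofs_entry_object_class = automount
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = automountInformation

# Let users log in from cache when the Raspberry PI is down.
cache_credentials = true
enumerate = false
```

After editing, sssctl config-check (where available) reports syntax and permission problems before you restart the service.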

And we are done. Reboot the clients and log in with one of the configured LDAP users. The user's home folder is created on first login, the NFS shares should be automounted, and sudo -l should list the rules granted in sudoers.ldif, so check it just to know that everything works. If a login fails, getent passwd username tells you whether the account is even visible through nsswitch, and the sssd logs under /var/log/sssd/ say why.

Even though having an identity server in your network is a big deal and not something usually treated lightly, I hope this small summarized guide shows that it is not a daunting task either. Also, OpenLDAP is just one solution, the lightweight one: you could also go the full enterprise-grade way, with all the bells and whistles (Kerberos, a certificate authority, DNS and host-based access control), with FreeIPA.

I hope you enjoyed the article and that it made you consider an identity server as a possible and available solution for your network, even if it is rarely needed. See you next time!
