Set up LDAP

Summary:

1) Install LDAP server (slapd)

2) Configure LDAP

3) Install web interface (PHPldapadmin)

4) Configure web interface

5) Update the web interface

6) Populate LDAP directory

iRODS Server

Set up LDAP

iRODS Server

$ sudo apt-get install slapd ldap-utils

1) Install LDAP server

Answer the questions:

• Administrator password? admin! (suggested)

Set up LDAP

iRODS Server

$ sudo dpkg-reconfigure slapd

2) Reconfigure slapd

Answer the questions:

• Omit OpenLDAP server configuration? No

• DNS domain name? irods.example.org (not actually DNS referenced)

• Organization name? irods.example.org 

• Administrator password? admin! (suggested)

• Database backend to use? HDB

• Remove the database when slapd is purged? No

• Move old database? Yes

• Allow LDAPv2 protocol? No

Set up LDAP

iRODS Server

$ sudo apt-get install phpldapadmin

3) Install administrative web interface

Set up LDAP

iRODS Server

$ sudo nano /etc/phpldapadmin/config.php

4) Configure PHPldapadmin

Make some modifications:

- $servers->setValue('server','host','localhost');
- $servers->setValue('server','base',array('dc=irods, dc=example, dc=org'));
- $servers->setValue('login','bind_id','cn=admin,dc=irods, dc=example, dc=org');
- $config->custom->appearance['hide_template_warning'] = true;

Set up LDAP

iRODS Server

$ sudo nano /usr/share/phpldapadmin/lib/TemplateRender.php

5) Update the web interface

Make a modification:

- $default = $this->getServer()->getValue('appearance','password_hash_custom');

Set up LDAP

iRODS Server

6) Populate the LDAP directory

Point your webbrowser to http://<hostname>/phpldapadmin

Set up LDAP

iRODS Server

6) Populate the LDAP directory (continued)

Click login to... log in

Set up LDAP

iRODS Server

6) Populate the LDAP directory (continued)

Click the plus to expand the domain components. Click "Create new entry here" and create a "generic organisational unit" called "groups"

Commit the changes.

Set up LDAP

iRODS Server

6) Populate the LDAP directory (continued)

Click the plus to expand the domain components. Click "Create new entry here" and create a "generic organisational unit" called "users"

Commit the changes to achieve the following:

Set up LDAP

iRODS Server

6) Populate the LDAP directory (continued)

Click the new "groups" unit.

Click "Create a child entry" and select the "Generic: Posix Group" type.

Enter "users" in the Group field and create the object.

Commit the changes.

Set up LDAP

iRODS Server

6) Populate the LDAP directory (continued)

Click the new "users" unit.

Click "Create a child entry" and select the "Generic: User Account" type.

Create a new user, assigned to GID "users" with a password.

REMEMBER THE User Name field!

Commit the changes.

Set up the PAM Module

Summary:

1) Install libpam-ldap

2) Undo Unix login configuration

3) Update /etc/pam.d/irods

iRODS Server

Set up the PAM Module

iRODS Server

$ sudo apt-get install libpam-ldap

1) Install the libpam-ldap package

Answer the questions:

• LDAP server URI: ldap://localhost (note: not ldapi!)

• DN of the search base: "dc=irods,dc=example,dc=org

• LDAP version to use: 3

• Make local root Database admin: Yes

• Does the LDAP database require login? No

• LDAP account for root: "cn=admin,dc=irods,dc=example,dc=org"

• LDAP root account password: admin!

Set up the PAM Module

iRODS Server

$ sudo pam-auth-update

2) Undo Unix login configuration

Unstar the LDAP box.

The previous step installed the pam_ldap.so module (good) and set up the OS to use the module for system user authentication (bad)

Set up the PAM Module

iRODS Server

$ sudo nano /etc/pam.d/irods

3) Update /etc/pam.d/irods

Replace the existing configuration with the following directive:

auth sufficient pam_ldap.so

Questions?

This might help...

https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server

Thank you!

Dan Bedard

danb@renci.org

+1-919-445-0632