Server Side setup
#######################
Check DNS with Public IP
#####################################
root@ip-172-31-3-85:~# nslookup 13.127.170.246
Server: 172.31.0.2
Address: 172.31.0.2#53
Non-authoritative answer:
246.170.127.13.in-addr.arpa name = ec2-13-127-170-246.ap-south-1.compute.amazonaws.com.
(Copy the DNS name above; it is pasted in during the configuration step.)
Install updates if any
##############################################
root@ip-172-31-3-85:~# sudo apt-get update
Install ldap software package
##############################################
root@ip-172-31-3-85:~# sudo apt-get install slapd ldap-utils -y
(During the installation, the installer prompts you to set a password for the
LDAP administrator. Enter a password of your choice.)
Reconfigure ldap configuration if required
#######################################
root@ip-172-31-3-85:~# sudo dpkg-reconfigure slapd
Omit OpenLDAP server configuration? Select No (selecting Yes simply cancels
the configuration).
DNS Domain name: this constructs the base DN of the LDAP directory.
Enter the domain name from the nslookup output in the first step:
ec2-13-127-170-246.ap-south-1.compute.amazonaws.com
Organization name: any name for your organization, for example Crevise
Enter the administrator password for the LDAP admin account; by default the
administrator user is named admin
Confirm the administrator password
Choose the backend format for LDAP: MDB (which of the BDB/HDB/MDB options to
choose depends on your setup and requirements)
Choose whether you want the database to be removed when slapd is purged. Select No.
If the LDAP directory already holds old data, consider moving the old
database before creating a new one
Allow the LDAPv2 protocol? Select No
Once the reconfiguration is complete, you would get an output like below.
Moving old database directory to /var/backups:
- directory unknown... done.
Creating initial configuration... done.
Creating LDAP directory... done.
(The output above confirms that your LDAP setup has been configured.)
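Two helpers, added here as an example and not part of the original post: domain_to_basedn shows how the "DNS Domain name" answer becomes the base DN (each label of the domain becomes one dc= component, which is also how the Login DN is built later), and slapd_preseed emits debconf answers matching the prompts above so the reconfiguration can run unattended through debconf-set-selections followed by dpkg-reconfigure -f noninteractive slapd. The debconf keys are the ones slapd's package templates use; the admin password is read from the SLAPD_ADMIN_PW environment variable instead of a command-line argument so it does not land in shell history or ps output, and the output should be piped straight into debconf-set-selections rather than saved to a file.

```shell
# Added example, not from the original post.

# Turn a DNS domain into the base DN slapd's configuration derives from it:
# ec2-13-127-170-246.ap-south-1.compute.amazonaws.com
#   -> dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
domain_to_basedn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Login DN of the default administrator account (cn=admin under the base DN).
admin_dn() {
    printf 'cn=admin,%s\n' "$(domain_to_basedn "$1")"
}

# Print debconf answers for the prompts in the reconfigure step:
# domain, organization, admin password (twice), MDB backend, keep the
# database on purge, move any old database aside, no LDAPv2.
# Usage: SLAPD_ADMIN_PW='...' slapd_preseed <domain> <organization> \
#            | sudo debconf-set-selections
#        sudo dpkg-reconfigure -f noninteractive slapd
slapd_preseed() {
    domain=$1
    org=$2
    pw=${SLAPD_ADMIN_PW:?set SLAPD_ADMIN_PW in the environment}
    cat <<EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string $domain
slapd shared/organization string $org
slapd slapd/password1 password $pw
slapd slapd/password2 password $pw
slapd slapd/backend select MDB
slapd slapd/purge_database boolean false
slapd slapd/move_old_database boolean true
slapd slapd/allow_ldap_v2 boolean false
EOF
}
```

The preseed answers the same questions in the same order as the interactive run; answering them once in a script is mainly useful when the server is rebuilt, so the base DN and the LDAPv2/purge choices are reproducible instead of re-typed.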
Verify that LDAP is listening on its port
######################
root@ip-172-31-3-85:~# sudo netstat -tnlp | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 27798/slapd
tcp6 0 0 :::389 :::* LISTEN 27798/slapd
Add ldap service to the firewall rule
##############################################
root@ip-172-31-3-85:~# sudo ufw allow ldap
Check for the Ldap Base by ldapsearch command
##########################################
root@ip-172-31-3-85:~# ldapsearch -x -LLL -H ldap:/// -b dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com dn
(It shows the output below)
dn: dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
dn: cn=admin,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
Now Install PhpLDAPadmin
######################################
root@ip-172-31-3-85:~# sudo apt-get install phpldapadmin
(Now we need to configure phpLDAPadmin to use our domain,
and to not autofill the LDAP login information.)
Configure PhpLDAPAdmin in the main configuration file
#################################################
root@ip-172-31-3-85:~# vim /etc/phpldapadmin/config.php
(Line 161 holds a setting that controls the visibility of some phpLDAPadmin
warning messages. By default the application shows quite a few warning
messages about template files. These have no impact on our current use of
the software, so we hide them as below:)
Uncomment and change False to true
#########################################################
/* Hide the warnings for invalid objectClasses/attributes in templates. */
$config->custom->appearance['hide_template_warning'] = true;
(Line 286 sets the display name of your LDAP server, which the web interface
uses for headers and messages about the server.)
Change the name of your LDAP server as below:
########################################################
/* A convenient name that will appear in the tree viewer and throughout
phpLDAPadmin to identify this LDAP server to users. */
$servers->setValue('server','name','test Server');
(Line no: 300 tells phpLDAPadmin what the root of the LDAP hierarchy is.
This is based on the value we typed in when reconfiguring the slapd package.)
Change the server base array as below:
##############################################################
/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
auto-detect it for you. */
$servers->setValue('server','base',array('dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com'));
(Line no: 326 pre-populates the admin login details in the web interface.
This is information we shouldn't share if our phpLDAPadmin page is publicly accessible.)
Comment it out with a # at the beginning of the line as below:
###################################################################
/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
BLANK. If you specify a login_attr in conjunction with a cookie or session
auth_type, then you can also specify the bind_id/bind_pass here for searching
the directory for users (ie, if your LDAP server does not allow anonymous
binds. */
#$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
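A scripted version of the four config.php edits above, added here as an example and not part of the original post or of phpLDAPadmin itself. configure_phpldapadmin applies the changes with sed (keeping a .bak copy and writing back through the original file so its owner and mode survive), and verify_phpldapadmin checks that the template warnings are hidden, the base DN is set and the bind_id line is no longer active, which is the change that matters when the web interface is reachable from the internet. make_sample_config writes a constructed excerpt of config.php so the functions can be tried without touching the real file; the patterns match setting names rather than line numbers, which vary between phpLDAPadmin versions.

```shell
# Added example, not from the original post.

# Write a constructed excerpt of a stock config.php to the given path, with
# the same four lines the post edits by hand (sample input, not a real file).
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
/* Hide the warnings for invalid objectClasses/attributes in templates. */
// $config->custom->appearance['hide_template_warning'] = false;
/* A convenient name that will appear in the tree viewer. */
$servers->setValue('server','name','My LDAP Server');
/* Array of base DNs of your LDAP server. */
$servers->setValue('server','base',array(''));
/* The DN of the user for phpLDAPadmin to bind with. */
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');
EOF
}

# Apply the four edits: $1 config path, $2 base DN, $3 display name.
# Usage: configure_phpldapadmin /etc/phpldapadmin/config.php \
#            "dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com" \
#            "test Server"
configure_phpldapadmin() {
    cfg=$1
    basedn=$2
    name=$3
    cp "$cfg" "$cfg.bak"                      # keep a copy to diff or roll back
    tmp=$(mktemp)
    sed \
      -e "s|^\(// \)\{0,1\}[$]config->custom->appearance\['hide_template_warning'\].*|\$config->custom->appearance['hide_template_warning'] = true;|" \
      -e "s|^[$]servers->setValue('server','name',.*|\$servers->setValue('server','name','$name');|" \
      -e "s|^[$]servers->setValue('server','base',.*|\$servers->setValue('server','base',array('$basedn'));|" \
      -e "s|^[$]servers->setValue('login','bind_id',|#&|" \
      "$cfg" > "$tmp" && cat "$tmp" > "$cfg"  # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# Return 0 only if all changes are in place: warnings hidden, a dc= base DN
# set, and no active bind_id line that would pre-fill the admin DN.
verify_phpldapadmin() {
    grep -q "^[$]config->custom->appearance\['hide_template_warning'\] = true;" "$1" &&
    grep -q "^[$]servers->setValue('server','base',array('dc=" "$1" &&
    ! grep -q "^[$]servers->setValue('login','bind_id'" "$1"
}
```

Run verify_phpldapadmin on the real file after editing and before restarting apache2; it is the line-level check that the admin bind DN is not being handed to anyone who loads the login page.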
After configuration restart apache2 service
###########################################
root@ip-172-31-3-85:~# systemctl restart apache2
root@ip-172-31-3-85:~# systemctl enable apache2
(The Login DN is the username: the account name as a cn= section, followed by
the domain name you selected for the server broken into dc= sections. The
default admin account set up during install is called admin, so in our case
the Login DN is:
cn=admin,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
After entering the appropriate string for your domain, type in the admin
password you created during configuration, then click the Authenticate button.)
At this point, you are logged into the phpLDAPadmin interface.
You have the ability to add users, organizational units, groups, and relationships.
Click on dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
in the tree, then click on Create new entry here.
Select and click on Generic: Organisational Unit.
Create an organisational unit named groups and commit it.
Add another organisational unit named users in the same way.
The two organisational units, groups and users, now appear in the tree on
the left.
Now create posix groups in the groups organisational unit.
Click on ou=groups (on the left), click on Create a child entry,
and then click on Generic: Posix Group.
Create groups named user and admin, and commit the changes.
The two posix groups, admin and user, now appear under the groups
organisational unit on the left.
Now create users in the users organisational unit.
Click on ou=users (on the left), click on Create a child entry,
and then click on Generic: User Account.
Fill in the entries as required, click on Create Object, and commit on
the next step. The user ldapuser now appears in the ou=users
organisational unit.
Repeat the same steps for any other users you want to add.
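The directory layout built through phpLDAPadmin above, expressed as LDIF by an added example script (not part of the original post) so the same structure can be loaded with ldapadd and kept under version control: ou=groups, ou=users, the posixGroups admin and user, and the account ldapuser under ou=users with the cn= RDN the Generic: User Account template produces. The uidNumber and gidNumber values are constructed samples. No userPassword attribute is written; the password is set afterwards with ldappasswd so no hash sits in a file on disk.

```shell
# Added example, not from the original post.

BASE='dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com'

# Emit the two organisational units under base DN $1.
ou_ldif() {
    for ou in groups users; do
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$ou" "$1" "$ou"
    done
}

# Emit a posixGroup: $1 base DN, $2 group name, $3 gidNumber.
group_ldif() {
    printf 'dn: cn=%s,ou=groups,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n\n' \
        "$2" "$1" "$2" "$3"
}

# Emit a posixAccount: $1 base DN, $2 login name, $3 uidNumber, $4 gidNumber.
# inetOrgPerson needs sn and cn; posixAccount needs uid, uidNumber,
# gidNumber and homeDirectory. No userPassword here (see ldappasswd below).
user_ldif() {
    printf 'dn: cn=%s,ou=users,%s\n' "$2" "$1"
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\n'
    printf 'cn: %s\nsn: %s\nuid: %s\nuidNumber: %s\ngidNumber: %s\n' "$2" "$2" "$2" "$3" "$4"
    printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\n\n' "$2"
}

# The whole tree from this post for base DN $1: groups admin and user,
# account ldapuser in group user. Numbers are constructed sample values.
directory_ldif() {
    ou_ldif "$1"
    group_ldif "$1" admin 10001
    group_ldif "$1" user 10002
    user_ldif "$1" ldapuser 20001 10002
}

# Count entries in an LDIF stream on stdin (one 'dn:' line per entry).
ldif_entry_count() {
    grep -c '^dn: '
}

# Usage (against the running server; prompts for the admin password):
#   directory_ldif "$BASE" > tree.ldif
#   ldapadd -x -H ldap:/// -D "cn=admin,$BASE" -W -f tree.ldif
#   ldappasswd -x -H ldap:/// -D "cn=admin,$BASE" -W -S "cn=ldapuser,ou=users,$BASE"
```

Loading the tree this way produces exactly the dn: lines the ldapsearch check below lists, and the file doubles as the record of what the directory is supposed to contain.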
Check for the groups and users by ldapsearch
#######################################################
root@ip-172-31-3-85:~# ldapsearch -x -LLL -H ldap:/// -b dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com dn
(The groups and users appear in the output below)
dn: dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
dn: cn=admin,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
dn: ou=groups,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
dn: ou=users,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
dn: cn=user,ou=groups,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
dn: cn=admin,ou=groups,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
dn: cn=ldapuser,ou=users,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
dn: cn=shashank,ou=users,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com