Network/Ldap

From Hackerspace Brussels
Jump to: navigation, search


Network/Ldap
[[Image:{{{picture}}}|200px]]
What:
LDAP server for the space
Tagline:
Managing members and users, corporate way.
Maintainer(s):
Askarel, you?
Archived:



PEN/OID[edit]

We have the following PEN from IANA: 1.3.6.1.4.1.43666.

This is based on previous work by User:TQ_Hirsh

1.3.6.1.4.1.43666.1 (EXPERIMENTAL)[edit]

1.3.6.1.4.1.43666.2 (LDAP)[edit]

1.3.6.1.4.1.43666.2.1 (LDAP Attribute type)[edit]

  1. x-hsbxl-pgpKey - PGP public key used for encrypted communications
  2. x-hsbxl-sponsorID - Sponsoring member
  3. x-hsbxl-membershipReason - Why you're becoming a member
  4. x-hsbxl-sshPubKey - SSH public key

The following entries might be included in the definitive user schema

  1. x-hsbxl-membershipStructuredComm - Structured communication for membership payments
  2. x-hsbxl-membershipAccountId - Internal identifier for membership account
  3. x-hsbxl-drinksStructuredcomm - Structured communication for drink account
  4. x-hsbxl-drinksAccountId - Internal identifier for fridge account
  5. x-hsbxl-RFID-id - Access control token ID

1.3.6.1.4.1.43666.2.2 (LDAP Object class)[edit]

1.3.6.1.4.1.43666.3 (SNMP)[edit]

(todo)

1.3.6.1.4.1.43666.4 (Member-defined objects)[edit]

This arc is reserved for HSBXL member-defined attributes. To use it, get your uidNumber from our LDAP database, and append it to this OID. Anything defined below the resulting OID is up to you. 

Example:

Your LDAP uidNumber is 4242. Your personal arc will then be 1.3.6.1.4.1.43666.4.4242.

Your 1.3.6.1.4.1.43666.4.4242 arc can then be subdivided as you like:
 1.3.6.1.4.1.43666.4.4242.1 (arc foo)
 1.3.6.1.4.1.43666.4.4242.2 (arc bar)
 1.3.6.1.4.1.43666.4.4242.3 (arc baz)

Getting started[edit]

root@xm1:~# apt-get install slapd ldap-utils migrationtools ldapscripts

Replication[edit]

Adding hosts[edit]

When you want to give shell access to a Linux desktop/server you install to HSBXL userbase, there are a few needed steps:

  • Request a machine account in the ou=machines,dc=hsbxl,dc=be organizational unit
  • apt-get install libpam-ldapd
    • Give the IP address of the LDAP server (currently 192.168.255.1)
    • Give the base DN (dc=hsbxl,dc=be)
    • Say yes to all options
  • Edit /etc/pam.d/common-account and add the following line at the end:
session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
  • Edit the /etc/nslcd.conf file:
    • Verify that the server URI is correct:
uri ldap://192.168.255.1
    • Add the machine account details
binddn uid=<machinename>,ou=machines,dc=hsbxl,dc=be
bindpw <your machine account password>
ignorecase yes
  • Stop the nscd cache daemon (this is the cache daemon, and can get in the way during the testing phase)
/etc/init.d/nscd stop
  • Restart the nslcd daemon
/etc/init.d/nslcd restart
  • Use this command to see if you get more users than what's defined in /etc/passwd:
getent passwd
  • If you get the user list from the LDAP server, your setup is working and you can restart the nscd daemon:
/etc/init.d/nscd start

SUDO[edit]

Yes, sudo rights can be managed straight from the LDAP !

  • install sudo-ldap
apt-get install sudo-ldap
  • Edit the file /etc/sudo-ldap.conf:
URI	ldap://192.168.255.1
BASE	dc=hsbxl,dc=be
binddn <machine account>
bindpw <password>
sudoers_base	ou=sudoers,dc=hsbxl,dc=be
  • Add the following to /etc/nsswitch.conf:
sudoers:	ldap
  • Import my custom ldap-sudo schema
  • Create the ou=sudoers,dc=hsbxl,dc=be organizational unit
  • Add entries into that subtree


RADIUS[edit]

On the router: 

root@gate:~# apt-get install freeradius freeradius-utils


TODO[edit]

  • Local Replication
  • RADIUS server setup (spacefed)


This is work in progress

Retrieved from "https://wiki.hsbxl.be/smw/index.php?title=Network/Ldap&oldid=13353"