
Ubuntu - Single Sign On Server pada Ubuntu 12.04











Tutorial kali ini membahas cara membangun server single sign-on (SSO) pada Ubuntu 12.04 Precise Pangolin. Langkah-langkahnya sama seperti yang dibahas pada bagian sebelumnya; hanya ada sedikit perubahan, terutama pada server OpenLDAP. Tutorial terdiri dari dua bagian: pertama konfigurasi server OpenLDAP, kedua integrasi Samba dengan OpenLDAP. Catatan keamanan: contoh di bawah memakai password admin "1111" dan koneksi LDAP tanpa TLS (ldap ssl = off, ldapTLS=0) karena seluruh komponen berjalan pada satu host yang sama; untuk server produksi ganti password tersebut dan aktifkan TLS bila slapd diakses dari host lain. Ubuntu 12.04 sendiri sudah tidak lagi menerima pembaruan keamanan, jadi gunakan langkah-langkah ini sebagai referensi untuk rilis yang lebih baru.

Instalasi OpenLDAP
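# Directory server, LDAP CLI tools, migration helpers and the phpLDAPadmin web UI.
# phpLDAPadmin exposes the directory over HTTP and binds with whatever DN you give it;
# restrict access to it in Apache (or remove it once the directory is populated).
apt-get install slapd ldap-utils migrationtools phpldapadmin
# Samba plus the smbldap-tools scripts that smb.conf will call for account management.
apt-get install samba smbldap-tools smbclient samba-doc
# The Samba schema ships compressed with samba-doc; slapd needs it uncompressed under
# /etc/ldap/schema. (In the original listing the cp and gzip commands had been fused
# onto one line, which would have made cp fail on a bogus destination path.)
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
gzip -d /etc/ldap/schema/samba.schema.gz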

Konfigurasi File slapd.conf
# Edit the slapd.conf template shipped by the package; the cn=config directory
# that slapd actually reads on 12.04 is generated from this file with slaptest below.
vim /usr/share/slapd/slapd.conf
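# slapd.conf for the dc=kurusetra,dc=web,dc=id directory (converted to cn=config with slaptest below).
# Use straight ASCII double quotes throughout: the typographic quotes in the original listing
# are not recognised by slapd's parser.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/openldap.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# "none" still emits messages that are logged regardless of level; switch to "stats"
# while debugging binds and ACL decisions.
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb.la
sizelimit 500
tool-threads 1
backend hdb
database hdb
suffix "dc=kurusetra,dc=web,dc=id"
rootdn "cn=admin,dc=kurusetra,dc=web,dc=id"
# Do not keep the rootdn password in clear text (the original listing had "rootpw 1111").
# Generate a hash with:   slappasswd -h {SSHA}
# and paste its output here. The clear-text password it hashes is the one you later give
# to "smbpasswd -w" and put in smbldap_bind.conf.
rootpw {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd
directory "/var/lib/ldap"
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# Only objectClass is indexed. nss_ldap lookups on uid/uidNumber/gidNumber/memberUid and
# Samba lookups on sambaSID will be unindexed (slapd logs "not indexed" warnings); add
# "index <attr> eq" lines for them if lookups become slow.
index objectClass eq
lastmod on
checkpoint 512 30
# ACLs are evaluated top to bottom and the FIRST "access to" clause whose target matches
# is the one applied. The original listing placed a clause granting "by * read" on
# userPassword/sambaNTPassword/sambaLMPassword BEFORE this restrictive one, so this clause
# was never reached and anonymous clients could read every password hash (an NT hash is
# directly usable for pass-the-hash). That clause also listed objectClass names
# (top, person, ...) in attrs=, which slaptest is likely to reject as unknown attributes.
# "by anonymous auth" is what lets a client perform a simple bind; "by self write" lets a
# user change their own password. The rootdn bypasses ACLs anyway, so its line only
# documents intent.
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=kurusetra,dc=web,dc=id" write
        by anonymous auth
        by self write
        by * none
# The root DSE stays readable so clients can discover the naming context.
access to dn.base="" by * read
# Everything else: admin writes, anyone (including anonymous) reads. Tighten to
# "by users read" if the directory should not be browsable without a bind.
access to *
        by dn="cn=admin,dc=kurusetra,dc=web,dc=id" write
        by * read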

Konversi Direktori Konfigurasi
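# Convert the static slapd.conf into the cn=config directory that slapd reads on 12.04.
# Validate the configuration first (-u: check only, touch nothing) so a typo does not leave
# slapd with an empty cn=config after the rm below.
slaptest -u -f /usr/share/slapd/slapd.conf || { echo "slapd.conf does not validate; fix it before continuing" >&2; exit 1; }
# Keep a restorable copy of the existing cn=config: the rm is irreversible.
cp -a /etc/ldap/slapd.d "/etc/ldap/slapd.d.bak-$(date +%Y%m%d%H%M%S)"
rm -rf -- /etc/ldap/slapd.d/*
slaptest -f /usr/share/slapd/slapd.conf -F /etc/ldap/slapd.d/
# slaptest runs as root and leaves root-owned files, but slapd runs as "openldap".
# The original used the relative path "slapd.d/", which only works if the cwd is /etc/ldap.
chown -R openldap:openldap /etc/ldap/slapd.d
# The generated cn=config contains the rootpw hash; keep it unreadable to other users.
chmod -R o-rwx /etc/ldap/slapd.d
/etc/init.d/slapd restart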

Konfigurasi Top Level Domain
# Write the LDIF for the base (suffix) entry into the current directory; it is loaded with ldapadd below.
vim kurusetra.ldif
# Base (suffix) entry of the directory; the DN must equal "suffix" in slapd.conf.
dn: dc=kurusetra,dc=web,dc=id
objectClass: top
objectClass: dcObject
objectclass: organization
# "o" is required by organization, "dc" by dcObject (attribute names are case-insensitive).
o: kurusetra
dc: kurusetra
description: Kurusetra Computer

Penambahan Top Level Domain
# Load the base entry, binding as the rootdn. -W prompts for the password rather than taking
# it on the command line (where it would end up in shell history). -x is a simple bind: the
# password travels in clear text, which is only acceptable because slapd is on this host.
ldapadd -x -W -D cn=admin,dc=kurusetra,dc=web,dc=id -f kurusetra.ldif
Integrasi Samba LDAP — tambahkan/ubah baris berikut pada bagian [global] di /etc/samba/smb.conf
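# [global] settings that make Samba authenticate its users against the OpenLDAP directory.
workgroup = KURUSETRA
security = user
# Samba talks to slapd on this same host, so the admin bind never leaves loopback; that is
# the only reason "ldap ssl = off" is acceptable. If slapd ever moves to another host, use
# "ldap ssl = start tls" (or an ldaps:// URL) or the admin password crosses the network in clear.
passdb backend = ldapsam:ldap://localhost/
ldap ssl = off
obey pam restrictions = no

# Begin: Custom LDAP Entries (place these directly under "obey pam restrictions = no")

# Must be the rootdn/admin DN of the directory; its password is stored in secrets.tdb with "smbpasswd -w".
ldap admin dn = cn=admin,dc=kurusetra,dc=web,dc=id
ldap suffix = dc=kurusetra,dc=web,dc=id
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
; NOTE(review): smbldap-populate creates a separate ou=Idmap container; pointing the idmap
; suffix at ou=Users is unusual and only matters if an LDAP idmap backend is configured -- confirm.
ldap idmap suffix = ou=Users
; Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
; Straight double quotes are required around %u/%g; the typographic quotes in the original
; listing are passed to the smbldap-* scripts as literal characters.
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes

; Left disabled on purpose: smbldap-populate creates an LDAP "root" account that is
; typically used to join Windows machines to the domain. Once a dedicated domain-admin
; account exists, enable this so root can no longer authenticate over SMB.
#invalid users = root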
# Restart Samba so it picks up the ldapsam backend (smbd and nmbd are separate services).
for svc in samba smbd nmbd; do
  /etc/init.d/"$svc" restart
done

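# Store the LDAP admin DN's password in Samba's secrets.tdb so smbd can bind as cn=admin.
# Read it silently instead of typing it on the command line (the original "smbpasswd -w 1111"
# leaves the password in shell history). smbpasswd -w only accepts the password as an
# argument, so it is still briefly visible in the process list while the command runs.
read -rsp 'LDAP admin password: ' ldap_admin_pw; echo
smbpasswd -w "$ldap_admin_pw"
unset ldap_admin_pw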

Konfigurasi SMBLDAP-TOOLS
# Install the example smbldap-tools configs and look up the local SID that smbldap.conf needs.
examples=/usr/share/doc/smbldap-tools/examples
tools_conf=/etc/smbldap-tools
cp "$examples/smbldap_bind.conf" "$tools_conf/"
cp "$examples/smbldap.conf.gz" "$tools_conf/"
gzip -d "$tools_conf/smbldap.conf.gz"
cd "$tools_conf"
# Copy this SID into smbldap.conf below.
net getlocalsid
vim smbldap.conf

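# Edit smbldap.conf so the following values match your setup. Use straight double quotes:
# the typographic quotes in the original listing are not stripped by the smbldap-tools parser.

# Must equal the output of "net getlocalsid" on this server.
SID="S-1-5-21-949328747-3404738746-3052206637"
sambaDomain="KURUSETRA"
# Both point at the local slapd. With ldapTLS="0" the bind password from smbldap_bind.conf
# is sent in clear text, which is acceptable only because the connection stays on loopback;
# set ldapTLS="1" (and configure the CA) if the directory is ever on another host.
slaveLDAP="127.0.0.1"
masterLDAP="127.0.0.1"
ldapTLS="0"
suffix="dc=kurusetra,dc=web,dc=id"
# Password validity in days (per the shipped example file); 45000 effectively disables expiry.
defaultMaxPasswordAge="45000"
# The uid/gid pool lives on the sambaDomainName entry that smbldap-populate creates for
# sambaDomain, so the name here must be KURUSETRA ("EXAMPLE" in the original listing
# would point at an entry that never exists and break id allocation).
sambaUnixIdPooldn="sambaDomainName=KURUSETRA,${suffix}"
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="kurusetra.web.id"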
# Edit the bind credentials the smbldap-* scripts use (this file will hold a clear-text password).
vim smbldap_bind.conf
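# Edit smbldap_bind.conf so the following values match your setup. The DNs must be the
# admin/rootdn of THIS directory: the original listing carried "dc=ardelinux,dc=com", left over
# from another setup, which would make every smbldap-* command fail to bind.
slaveDN="cn=admin,dc=kurusetra,dc=web,dc=id"
slavePw="1111"
masterDN="cn=admin,dc=kurusetra,dc=web,dc=id"
masterPw="1111"
# Replace 1111 with the real admin password (the one hashed into rootpw in slapd.conf).
# Because it is stored in clear text, this file must be owned by root with mode 0600
# (set below with chmod).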

# smbldap.conf holds no secrets and is read by the tools as any user (world-readable);
# smbldap_bind.conf holds the admin bind password and must be readable by root only.
chmod u=rw,go=r /etc/smbldap-tools/smbldap.conf
chmod u=rw,go= /etc/smbldap-tools/smbldap_bind.conf

Populate LDAP using smbldap-tools
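# Create the OUs, the sambaDomainName entry and the built-in accounts and groups.
# -u/-g set the first uidNumber/gidNumber handed out, keeping LDAP ids clear of local ones.
# smbldap-populate may prompt for a password for the LDAP "root" (domain administrator) account.
smbldap-populate -u 30000 -g 30000
# Store the LDAP admin password in secrets.tdb. smbpasswd -w needs the password as an
# argument: the bare "1111" on its own line in the original would have been executed as a
# command, not fed to a prompt. Reading it silently keeps it out of shell history (it is
# still briefly visible in the process list). This repeats the earlier smbpasswd -w; doing
# it again is harmless.
read -rsp 'LDAP admin password: ' ldap_admin_pw; echo
smbpasswd -w "$ldap_admin_pw"
unset ldap_admin_pw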

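# Verify that the directory is populated (anonymous read is allowed on non-password attributes).
ldapsearch -x -b dc=kurusetra,dc=web,dc=id | less
# Verify that the ACLs hide password hashes from anonymous clients: the entries printed here
# must contain NO userPassword/sambaNTPassword/sambaLMPassword lines. If any appear, the
# slapd.conf ACL ordering is wrong and every hash in the directory is exposed.
ldapsearch -x -LLL -b dc=kurusetra,dc=web,dc=id '(objectClass=sambaSamAccount)' userPassword sambaNTPassword sambaLMPassword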

Step 8: Add an LDAP user to the system
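# Add a combined Unix+Samba user (-a) with a home directory (-m) and mail alias (-M), then a
# machine account (-w) for the Windows client. Use straight double quotes: the typographic
# quotes in the original listing become part of the -c argument.
smbldap-useradd -a -m -M ricky -c "Richard M" ricky
smbldap-useradd -w client-winxp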

# Here is an explanation of the command switches that we used.
-a allows Windows as well as Linux login
-m makes a home directory, leave this off if you do not need local access
-M sets up the username part of their email address
-c specifies their full name

# Set the password of the new account; smbldap-passwd prompts for it and updates both the
# Unix (userPassword) and Samba (NT/LM hash) attributes in LDAP.
smbldap-passwd ricky

Step 9: Configure the server to use LDAP authentication.
# libnss-ldap resolves users/groups from LDAP, libpam-ldap authenticates against it, and
# auth-client-config switches the NSS/PAM profile. The debconf prompts that follow ask for the
# admin DN password and write it to a local secret file; do not paste it anywhere else.
apt-get install libnss-ldap libpam-ldap auth-client-config

# Answer the prompts on your screen with the following:
Should debconf manage LDAP configuration?: Yes
LDAP server Uniform Resource Identifier: ldap://127.0.0.1/ (use the ldap:// scheme, not ldapi:// as in the original — ldapi:// is the Unix-domain-socket scheme and takes a socket path, not an IP address; this must also match the uri line in /etc/ldap.conf below)
Distinguished name of the search base: dc=kurusetra,dc=web,dc=id
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=kurusetra,dc=web,dc=id
LDAP root account password: 1111

#untuk mengulang konfigurasi
#dpkg-reconfigure ldap-auth-client
#dpkg-reconfigure ldap-auth-config
#dpkg-reconfigure libnss-ldap
# Open the /etc/ldap.conf file for editing (pam_ldap/nss_ldap client configuration; not the
# same file as /etc/ldap/ldap.conf used by libldap).
vim /etc/ldap.conf

# Configure the following according to your setup:
# Server and search base for nss_ldap/pam_ldap lookups.
host 127.0.0.1
base dc=kurusetra,dc=web,dc=id
# uri takes precedence over host when both are set, so host appears redundant here.
uri ldap://127.0.0.1/
# DN pam_ldap binds as for root-initiated operations (e.g. "passwd user" run by root). Its
# clear-text password is read from /etc/ldap.secret, which the debconf step writes; check that
# the file is owned by root with mode 0600.
rootbinddn cn=admin,dc=kurusetra,dc=web,dc=id
# "soft" fails immediately when slapd is unreachable instead of retrying indefinitely
# (the default "hard"), so logins do not hang if the directory is down.
bind_policy soft

# Copy the /etc/ldap.conf file to /etc/ldap/ldap.conf
# NOTE(review): /etc/ldap/ldap.conf is libldap's client config (ldap-utils, Samba's ldapsam)
# and only needs URI/BASE; pam_ldap directives such as rootbinddn and bind_policy are not
# libldap options. libldap appears to ignore directives it does not know, but confirm that
# ldapsearch still works without warnings after this copy.
cp /etc/ldap.conf /etc/ldap/ldap.conf

# Create a new file /etc/auth-client-config/profile.d/open_ldap:
# (auth-client-config profiles are INI-style; the section name is what -p selects below.)
vim /etc/auth-client-config/profile.d/open_ldap

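# Insert the following into that new file. It is read with Python's ConfigParser, so every
# continuation line of a multi-line value MUST be indented: the unindented continuation lines
# in the original listing are a parse error and the profile would not be applied.
[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
nss_netgroup=netgroup: compat ldap
# "nullok" removed from pam_unix: it allowed local accounts with an empty password to log in.
pam_auth=auth required pam_env.so
        auth sufficient pam_unix.so likeauth
        auth sufficient pam_ldap.so use_first_pass
        auth required pam_deny.so
pam_account=account sufficient pam_unix.so
        account sufficient pam_ldap.so
        account required pam_deny.so
# sha512 replaces md5 (the Ubuntu 12.04 default for local password hashes); nullok removed here too.
# NOTE(review): use_authtok on the first module of the stack expects an earlier module to have
# supplied the new token; if local password changes fail with "Authentication token manipulation
# error", replace it with try_first_pass.
pam_password=password sufficient pam_unix.so sha512 shadow use_authtok
        password sufficient pam_ldap.so use_first_pass
        password required pam_deny.so
# umask=0077 makes auto-created home directories private; without it they are world-readable.
pam_session=session required pam_limits.so
        session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
        session required pam_unix.so
        session optional pam_ldap.so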

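# Keep restorable copies of the files auth-client-config rewrites, so a broken profile can be
# rolled back from a root shell.
cp -a /etc/nsswitch.conf /etc/nsswitch.conf.original
# Keep the PAM backup OUTSIDE /etc/pam.d: that directory is read by PAM and should contain
# only service files, and a "bkup" subdirectory inside it also breaks the "cp *" used by the
# original listing the next time the backup is taken.
cp -a /etc/pam.d /etc/pam.d.original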

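# Activate the profile: rewrites /etc/nsswitch.conf and /etc/pam.d/common-* from [open_ldap].
auth-client-config -a -p open_ldap

# Before rebooting, prove that NSS resolves the LDAP user; a reboot with broken NSS/PAM can
# lock you out. Keep this root shell open and test an SSH login as the LDAP user from a
# second session first. (ldconfig only refreshes the shared-library cache; it is not needed
# for nss_ldap but is harmless.)
ldconfig
if id ricky; then
  reboot
else
  echo "LDAP user lookup failed; restore /etc/nsswitch.conf and /etc/pam.d from the backups before rebooting" >&2
fi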
