I decided to set up a local LDAP server for VMs and containers. Initially, I was thinking of using a shared SSH key, but
apt install slapd ldap-utils ldapscripts nslcd
Since Debian offers sane defaults for slapd, there's not much to do after the
initial installation.
Try slapcat or lsldap to dump the LDAP database contents onto the terminal. Right
after installation, you'll get only two entries: the domain and the admin account.
ldapscripts provides scripts that make life easier, but it needs
authentication info before it can do anything useful.
In /etc/ldapscripts/ldapscripts.conf, change BINDDN to cn=admin of
your LDAP domain, like this:
cn=admin,dc=eon,dc=lan
Store the admin password in /etc/ldapscripts/ldapscripts.passwd.
echo -n "password-for-admin" > /etc/ldapscripts/ldapscripts.passwd
Note that no newline should be present at the end of the file, or you'll get an
Invalid credentials (49) error in /var/log/ldapscripts.log. If you're using
Vim, use :set nofixeol before saving.
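A quick check for the password file, added here as an example and not part of the original post: it fails if the file ends with a newline (the cause of the error 49 above), is empty, or is readable by anyone other than its owner, since it holds the admin bind password. The path is passed as an argument; the real one is /etc/ldapscripts/ldapscripts.passwd.

```shell
#!/bin/sh
# Added example, not from the original post.
# Sanity-check an ldapscripts password file before running ldapinit etc.
# Usage: check_ldapscripts_passwd /etc/ldapscripts/ldapscripts.passwd

check_ldapscripts_passwd() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "$f: missing" >&2
        return 1
    fi
    if [ ! -s "$f" ]; then
        echo "$f: empty, the bind password would be empty" >&2
        return 1
    fi
    # $(...) strips trailing newlines, so a file whose last byte is "\n"
    # makes the substitution empty. That stray "\n" would become part of
    # the bind password and give "Invalid credentials (49)".
    if [ -z "$(tail -c 1 "$f")" ]; then
        echo "$f: trailing newline, rewrite it with echo -n" >&2
        return 1
    fi
    # Group/other permission bits are characters 5-10 of "ls -l" output;
    # the admin password must not be readable by other local users.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: readable by group/others, run: chmod 600 $f" >&2
        return 1
    fi
    return 0
}
```

Run it right after writing the file and again whenever ldapscripts starts logging error 49; a zero exit status means the file is usable.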
Everything is magically solved by ldapscripts. clap clap
We need to initialize our DB w/ the basic organizational entries, which is already covered by ldapscripts.
ldapinit
Then, we can add some users and groups using ldapadduser, ldapaddgroup,
and ldapaddusertogroup.
ldapaddgroup members
ldapaddgroup admins
ldapadduser eon members
ldapaddusertogroup eon admins
Update user passwords using ldapsetpasswd:
ldapsetpasswd eon
We need PAM to use LDAP, and libpam-ldapd does that for us. There are
alternatives, but this one is fairly simple and should work in most cases.
apt install libpam-ldapd nscd
While installing the package, apt asks you which nsswitch services should be updated;
choose passwd, group, and shadow. After this,
nsswitch.conf should look like:
passwd: files ldap
group: files ldap
shadow: files ldap
(No need to remove the other entries, though.)
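As an added example (not from the original post), the following shell function reads an nsswitch.conf and checks that passwd, group and shadow each list ldap, and that files comes before it, so local accounts such as root keep resolving when the LDAP server is unreachable. The file path is an argument; on a real client it is /etc/nsswitch.conf. Action items like [NOTFOUND=return] between the sources are tolerated.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: nss_uses_ldap /etc/nsswitch.conf

# Print the source list for one database (e.g. "files ldap"),
# skipping comment lines; empty output means the database is not configured.
nss_db_sources() {
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Return 0 when passwd, group and shadow all go to ldap, with files first.
nss_uses_ldap() {
    f="$1"
    rc=0
    for db in passwd group shadow; do
        srcs=$(nss_db_sources "$f" "$db")
        case " $srcs " in
            *" ldap "*) ;;
            *) echo "$db: ldap not listed (have: '$srcs')" >&2; rc=1 ;;
        esac
        # Keep local accounts authoritative: files must be consulted before ldap.
        case "$srcs" in
            files*) ;;
            *) echo "$db: files should come first (have: '$srcs')" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```

A non-zero exit prints which database is wrong; this is worth running on every client after the libpam-ldapd install prompt, since a wrong answer there leaves one of the three lines without ldap.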
The module relies on nslcd, and /etc/nslcd.conf should contain good default
values, which should work on the server itself, at least. So, before blaming client
settings, install this on the server and try logging into it w/ an LDAP user.
Make sure this works before moving on to clients.
So, on the actual clients, a small change to /etc/nslcd.conf:
...
uri ldap://ldap.eon.lan/
...
(or you can run dpkg-reconfigure nslcd for convenience.)
Some services (nscd, nslcd) need to be restarted, but let's just reboot.
There is still a problem w/ home directories, since LDAP users don't have homes on
every machine. Luckily, PAM comes with the mkhomedir module, and there's
already a profile for it under /usr/share/pam-configs. All we need is:
pam-auth-update --enable mkhomedir
Flushing nscd caches:
nscd -i passwd
nscd -i group
# restart services, just in case
systemctl restart nscd nslcd
Whenever something doesn't work after a change, this should be your first bet.
Listing users and groups:
getent passwd [username]
getent group [groupname]
Sometimes, getent fails to retrieve an item even though it lists the item
correctly. This is 100% because of the god damn caches, so clear them.