Welcome back to this three-part journey to getting OpenLDAP up and running in an effort to authenticate your Linux desktop machines to the LDAP server. In part one, we installed OpenLDAP on Ubuntu Server 18.04 and added our first LDAP entries to the directory tree via the Command Line Interface (CLI).
The process of manually adding data can be cumbersome and isn't for everyone. If you have staff members who work better with a handy GUI tool, you're in luck, as there's a very powerful web-based tool that makes entering new users a snap. That tool is the LDAP Account Manager (LAM). Its features include:
Support for 2-factor authentication
Schema and LDAP browser
Support for multiple LDAP servers
Support for account creation profiles
File system quotas
CSV file upload
Automatic creation/deletion of home directories
PDF output for all accounts
And much more
We'll be installing LAM on the same server on which we installed OpenLDAP, so make sure you've walked through the process from the previous article. With that taken care of, let's get LAM up and running, so you can more easily add users to your LDAP directory tree.
Fortunately, LAM is found in the standard Ubuntu repository, so installation is as simple as opening a terminal window and issuing the command:
sudo apt-get install ldap-account-manager -y
When the installation finishes, you can restrict connections to LAM to local IP addresses only (if needed) by opening a specific .conf file with the command:
sudo nano /etc/apache2/conf-enabled/ldap-account-manager.conf
In that file, look for the line:
Require all granted
Comment that line out (add a # character at the beginning of the line) and add the following entry below it:
Require ip 192.168.1.0/24
Make sure to substitute your network IP address scheme in place of the one above (should yours differ). Save and close that file, and restart the Apache web server with the command:
sudo systemctl restart apache2
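The edit described above, done from a script instead of by hand, as an added example that is not part of the original article: it comments out the line that grants access to everyone, adds the Require ip rule under it, refuses malformed ranges, and verifies the result. The conf path and the 192.168.1.0/24 range are the article's; both are parameters.

```shell
#!/bin/sh
# Added example, not from the original article: apply the Apache access
# restriction described above without hand-editing, and verify the result.
# Defaults match the article's file path and network; both are parameters.

# Return 0 when the LAM conf no longer grants access to everyone and does
# carry a 'Require ip' rule, otherwise 1.
lam_access_is_restricted() {
    conf="$1"
    ! grep -Eq '^[[:space:]]*Require all granted' "$conf" &&
        grep -Eq '^[[:space:]]*Require ip ' "$conf"
}

# Comment out 'Require all granted' and add 'Require ip <cidr>' under it,
# preserving indentation. Idempotent: a second run leaves the file unchanged.
# Usage: restrict_lam_access [conf] [cidr]; then run 'apache2ctl configtest'
# and the Apache restart from the article.
restrict_lam_access() {
    conf="${1:-/etc/apache2/conf-enabled/ldap-account-manager.conf}"
    cidr="${2:-192.168.1.0/24}"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Only digits, dots and a slash may appear in the range we write into
    # Apache config; anything else is rejected rather than written.
    case "$cidr" in
        ""|*[!0-9./]*) echo "bad IPv4 CIDR: $cidr" >&2; return 1 ;;
    esac
    if grep -Eq '^[[:space:]]*Require ip ' "$conf"; then
        return 0   # already restricted; do not add a second rule
    fi
    awk -v cidr="$cidr" '
        /^[ \t]*Require all granted/ {
            match($0, /^[ \t]*/)
            indent = substr($0, 1, RLENGTH)
            print indent "# Require all granted"
            print indent "Require ip " cidr
            next
        }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # Refuse to report success if the file still grants access to everyone.
    lam_access_is_restricted "$conf"
}
```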
You are now ready to access the LAM web interface.
Point your web browser to http://SERVER_IP/lam (where SERVER_IP is the IP address of the server hosting LAM). In the resulting screen (Figure 1), click LAM configuration in the upper right corner of the window.
In the resulting window, click Edit server profiles (Figure 2).
You'll be prompted for the default profile password, so type lam and click OK. You'll then be presented with the Server settings page (Figure 3).
In the Server Settings section, enter the IP address of your LDAP server. Since we're installing LAM on the same server as OpenLDAP, we'll leave the default. If your OpenLDAP and LAM servers are not on the same machine, make sure to enter the correct IP address for the OpenLDAP server here. In the Tree suffix entry, add the domain components of your OpenLDAP server in the form dc=example,dc=com.
Next, take care of the following configurations:
In the Security settings section (Figure 4), configure the list of valid users in the form cn=admin,dc=example,dc=com (make sure to use your LDAP admin user and domain components).
In the Account Types tab (Figure 5), configure the Active account types LDAP options. First, configure the LDAP suffix, which will be in the form ou=group,dc=example,dc=com. This is the suffix of the LDAP tree from which you'll search for entries. Only entries in this subtree will be displayed in the account list. In other words, use the group attribute if you have created a group on your OpenLDAP server that all of your users (who will be authenticating against the LDAP directory tree) will be members of. For example, if all of the users who will be allowed to log in on desktop machines are part of the group login, use that.
Next, configure the List attributes. These are the attributes that will be displayed in the account list, and they are predefined values such as #uid, #givenName, #sn, #uidNumber, etc. Fill out both the LDAP suffix and List attributes for both Users and Groups.
After configuring both users and groups, click Save. This will also log you out of the Server profile manager and take you back to the login screen. You can now log into LAM using your LDAP server admin credentials. Select the user from the User name drop-down, type your LDAP admin password, and click Login. This will take you to the LAM Users tab (Figure 6), where you can start adding new users to the LDAP directory tree.
Click New User and the New User window will open (Figure 7), where you can fill in the necessary blanks.
Make sure to click Set password, so you can create a password for the new user (otherwise the user won't be able to log into their account). Also make sure to click on the Unix tab, where you can set the username, home directory, primary group, login shell, and more. Once you've entered the necessary information for the user, click Save and the user account can then be found in the LDAP directory tree.
Welcome to Simpler User Creation
The LDAP Account Manager makes working with OpenLDAP considerably easier. Without this tool, you'd spend more time entering users into the LDAP tree than you would probably like. The last thing you need is to take more time than necessary out of your busy admin day to create and manage users in your LDAP tree via the command line.
In the next (and final) entry in this three-part series, I'll walk you through the process of configuring a Linux desktop machine so that it can authenticate against the OpenLDAP server.