
Oct 15

Single Sign On Server pada Ubuntu 12.04

Single Sign On Server Ubuntu 12.04

Single Sign On Server


Tutorial kali ini kita membahas cara membangun single sign on server pada ubuntu 12.04 precise pangolin. Cara membangun single sign on seperti dibahas pada bagian sebelumnya hanya terdapat sedikit perubahan, terutama pada server OpenLDAP. Tutorial terdiri dari dua bagian, pertama konfigurasi server OpenLDAP dan kedua integrasi Samba dengan OpenLDAP.

Instalasi OpenLDAP

apt-get install slapd ldap-utils migrationtools phpldapadmin

apt-get install samba smbldap-tools smbclient samba-doc

cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/

gzip -d /etc/ldap/schema/samba.schema.gz

 

Konfigurasi File slapd.conf

vim /usr/share/slapd/slapd.conf

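# /usr/share/slapd/slapd.conf -- converted into /etc/ldap/slapd.d by slaptest
# in the next step. The original listing used typographic quotes (“ ”) around
# several values; slapd only understands plain ASCII double quotes, so they
# are replaced throughout.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/openldap.schema

pidfile  /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Raise to "stats" while debugging binds/ACLs, then set back.
loglevel none

modulepath /usr/lib/ldap
moduleload back_hdb.la

sizelimit 500
tool-threads 1

backend hdb
database hdb
suffix "dc=kurusetra,dc=web,dc=id"
rootdn "cn=admin,dc=kurusetra,dc=web,dc=id"
# Clear-text root password, kept as in the tutorial so the later
# "smbpasswd -w 1111" and smbldap_bind.conf steps still match. Prefer the
# hashed form: run "slappasswd" and paste its {SSHA}... output here instead.
rootpw 1111
directory "/var/lib/ldap"

dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index objectClass eq
lastmod on
checkpoint 512 30

# ACL ordering matters: slapd applies the FIRST "access to" directive whose
# target matches and stops there. The original file listed the password
# attributes in a broad "by * read" rule *before* the restrictive rule, so
# "by * none" below was never reached and any bind -- including anonymous --
# could read the password hashes. The restrictive rule therefore comes first.
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=kurusetra,dc=web,dc=id" write
        by anonymous auth
        by self write
        by * none

# Users may edit the remaining attributes of their own entry; everyone may
# read them. "attrs=" takes attribute types, not object classes; the original
# listed top,person,... directly, which slapd is not expected to accept --
# "@<objectClass>" selects the attributes that class allows.
access to attrs=@top,@person,@organizationalPerson,@inetOrgPerson,@posixAccount
        by self write
        by * read

# rootDSE stays world-readable so clients can discover supported features.
access to dn.base="" by * read

access to *
        by dn="cn=admin,dc=kurusetra,dc=web,dc=id" write
        by * read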

 

Konversi Direktori Konfigurasi

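# Convert slapd.conf into the cn=config directory used by this slapd version.
config_dir=/etc/ldap/slapd.d
# ":?" aborts if the variable is ever empty, so "rm -rf" cannot expand to "/*".
rm -rf -- "${config_dir:?}"/*
# Stop here if slaptest rejects the file: restarting slapd with an empty
# slapd.d would otherwise bring the directory up without any configuration.
# The original ran "chown -R openldap.openldap slapd.d/" with a relative path,
# which only works when the current directory happens to be /etc/ldap.
slaptest -f /usr/share/slapd/slapd.conf -F "$config_dir/" \
  && chown -R openldap:openldap "$config_dir" \
  && /etc/init.d/slapd restart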

 

Konfigurasi Top Level Domain

vim kurusetra.ldif

dn: dc=kurusetra,dc=web,dc=id

objectClass: top

objectClass: dcObject

objectclass: organization

o: kurusetra

dc: kurusetra

description: Kurusetra Computer

 

Penambahan Top Level Domain

ldapadd -x -D cn=admin,dc=kurusetra,dc=web,dc=id -f kurusetra.ldif -W

Integrasi Samba LDAP

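workgroup = KURUSETRA
security = user
passdb backend = ldapsam:ldap://localhost/
# "off" is only acceptable while slapd runs on this same host (loopback).
# If the directory ever moves to another machine, use ldaps:// in the
# backend URI or "ldap ssl = start tls", otherwise the admin bind password
# and password hashes cross the network in clear.
ldap ssl = off
obey pam restrictions = no
#######################################################################
# COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO"
#######################################################################
#
# Begin: Custom LDAP Entries
#
ldap admin dn = cn=admin,dc=kurusetra,dc=web,dc=id
ldap suffix = dc=kurusetra,dc=web,dc=id
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
; Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
# The script lines below are run through a shell, so the arguments need plain
# ASCII double quotes. The typographic quotes (“ ”) in the original listing
# would have been passed to the smbldap-* tools as part of the user/group name.
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes
# Uncomment once the LDAP admin account works, so nobody can log on to the
# file server as root over SMB.
#invalid users = root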

 

 

# Restart SAMBA.

/etc/init.d/samba restart

/etc/init.d/smbd restart

/etc/init.d/nmbd restart

 

#Tambahkan password LDAP pada samba

smbpasswd -w 1111

 

 

Konfigurasi SMBLDAP-TOOLS

cd /usr/share/doc/smbldap-tools/examples/

cp smbldap_bind.conf /etc/smbldap-tools/
cp smbldap.conf.gz /etc/smbldap-tools/

gzip -d /etc/smbldap-tools/smbldap.conf.gz

cd /etc/smbldap-tools/

net getlocalsid

vim smbldap.conf

 

# Edit the file so that the following information is correct (according to your individual setup):

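# Values use plain ASCII double quotes; the typographic quotes (” ″) in the
# original listing are a copy/paste artifact and will not parse as intended.
SID="S-1-5-21-949328747-3404738746-3052206637"  ## must match the output of "net getlocalsid" on THIS server
sambaDomain="KURUSETRA"
slaveLDAP="127.0.0.1"
masterLDAP="127.0.0.1"
# 0 = plain LDAP, fine on loopback only. Set to 1 (and configure the CA
# certificate) as soon as slapd lives on another host; otherwise the bind
# password from smbldap_bind.conf crosses the wire in clear.
ldapTLS="0"
suffix="dc=kurusetra,dc=web,dc=id"
defaultMaxPasswordAge="45000"
# Must name the sambaDomainName entry that smbldap-populate creates for the
# sambaDomain above. The original pointed at "EXAMPLE", a domain that never
# exists in this directory, so uid/gid allocation for new accounts would fail.
sambaUnixIdPooldn="sambaDomainName=KURUSETRA,${suffix}"
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="kurusetra.web.id"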

vim smbldap_bind.conf

# Edit the file so that the following information is correct (according to your individual setup):

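# Both DNs must be the rootdn configured in slapd.conf. The original used
# cn=admin,dc=ardelinux,dc=com, which does not exist under this suffix, so
# every smbldap-* command would have failed to bind.
slaveDN="cn=admin,dc=kurusetra,dc=web,dc=id"
slavePw="1111"
masterDN="cn=admin,dc=kurusetra,dc=web,dc=id"
masterPw="1111"
# This file holds the directory admin password in clear text -- that is why
# it gets "chmod 0600" while smbldap.conf stays world-readable.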

# Set the correct permissions on the above files:

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

 

Populate LDAP using smbldap-tools

# Execute the command to populate the directory.

smbldap-populate -u 30000 -g 30000

 

# Store the LDAP admin password (the rootpw from slapd.conf) in Samba's secrets.tdb; smbpasswd -w takes it as an argument rather than prompting for it, exactly as in the earlier step:

smbpasswd -w 1111

 

# Verify that the directory has information in it by running the command:

ldapsearch -x -b dc=kurusetra,dc=web,dc=id | less

 

Step 8: Add an LDAP user to the system

# Add the user to LDAP

smbldap-useradd -a -m -M ricky -c “Richard M” ricky

smbldap-useradd -w client-winxp

# Here is an explanation of the command switches that we used.

-a allows Windows as well as Linux login
-m makes a home directory, leave this off if you do not need local access
-M sets up the username part of their email address
-c specifies their full name

# Set the password the new account.

smbldap-passwd ricky

Step 9: Configure the server to use LDAP authentication.

# Install the necessary software for this to work.

apt-get install auth-client-config libpam-ldap libnss-ldap

 

# Answer the prompts on your screen with the following:

Should debconf manage LDAP configuration?: Yes
LDAP server Uniform Resource Identifier: ldap://127.0.0.1/   (note ldap://, not ldapi:// — an ldapi URI names a local Unix socket path, not a host; this matches the "uri" line written to /etc/ldap.conf below)
Distinguished name of the search base: dc=kurusetra,dc=web,dc=id
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=kurusetra,dc=web,dc=id
LDAP root account password: 1111

#untuk mengulang konfigurasi

#dpkg-reconfigure ldap-auth-client

#dpkg-reconfigure ldap-auth-config

#dpkg-reconfigure libnss-ldap

# Open the /etc/ldap.conf file for editing.

vim /etc/ldap.conf

# Configure the following according to your setup:

# /etc/ldap.conf -- client settings shared by libpam-ldap and libnss-ldap.
host 127.0.0.1

base dc=kurusetra,dc=web,dc=id

uri ldap://127.0.0.1/

# rootbinddn lets root bind as the directory admin (needed to read shadow
# data); the matching password is expected in /etc/ldap.secret, mode 0600.
# NOTE(review): confirm debconf created that file when "Make local root
# Database admin" was answered Yes.
rootbinddn cn=admin,dc=kurusetra,dc=web,dc=id

# "soft": give up at once when slapd is unreachable instead of retrying, so
# local logins are not blocked for minutes while the directory is down.
bind_policy soft

# Copy the /etc/ldap.conf file to /etc/ldap/ldap.conf

cp /etc/ldap.conf /etc/ldap/ldap.conf

 

# Create a new file /etc/auth-client-config/profile.d/open_ldap:

vim /etc/auth-client-config/profile.d/open_ldap

 

# Insert the following into that new file:

[open_ldap]
# NOTE(review): "nullok" on the pam_unix auth and password lines lets local
# accounts with an empty password field authenticate; drop it on a server that
# only expects LDAP users. The continuation lines of each nss_*/pam_* value
# are expected to be indented in the real profile file (indentation was lost
# in this listing).

nss_passwd=passwd: compat ldap

nss_group=group: compat ldap

nss_shadow=shadow: compat ldap

nss_netgroup=netgroup: compat ldap

pam_auth=auth required pam_env.so

auth sufficient pam_unix.so likeauth nullok

auth sufficient pam_ldap.so use_first_pass

auth required pam_deny.so

pam_account=account sufficient pam_unix.so

account sufficient pam_ldap.so

account required pam_deny.so

pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok

password sufficient pam_ldap.so use_first_pass

password required pam_deny.so

pam_session=session required pam_limits.so

session required pam_mkhomedir.so skel=/etc/skel/

session required pam_unix.so

session optional pam_ldap.so

# Backup the /etc/nsswitch.conf file:

cp /etc/nsswitch.conf /etc/nsswitch.conf.original

 

# Backup the /etc/pam.d/ files:

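# Keep the backup OUTSIDE /etc/pam.d: a "bkup" directory inside it would be
# copied onto itself ("cp: omitting directory") and leaves a stray entry in
# the PAM service directory. "-a" preserves modes and ownership.
cp -a /etc/pam.d /etc/pam.d.original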

# Enable the new LDAP Authentication Profile by executing the following

auth-client-config -a -p open_ldap

 

# Before rebooting, check that NSS resolves the LDAP user (id ricky) and keep a second root shell open so a broken PAM stack cannot lock you out; then reboot and confirm that you can still log in over SSH with the LDAP account.

ldconfig

id ricky

reboot
