I’ve previously posted about the success I’ve had with my RHEL6 workstation joining the Windows Domain at the office. This has in-part inspired me to attempt to learn LDAP. I currently use a number of services that would be nice to have a unified authentication mechanism. I frequently use SSH (all the time) on multiple servers for administration work for eSource. I also run the eSource Mail server on Postfix/Dovecot + MySQL, using postfixadmin as my administrative tool. Lastly, my little SVN server that hardly gets any updates, especially now that I’m out of school. Unifying the Authentication across these three services would provide a great deal of flexibility for eSource, as well as my own personal stuff. So here we go.

First, my LDAP server will be CentOS 6 (another motivation for the move to LDAP is that I have to move mail, svn, and web services anyway.) It doesn’t take much to get a slapd service running, but you have to be careful. I thought it was as easy as editing slapd.conf, but it’s not….RHEL6 moved to a new slapd configuration format. Once I figured out where to stick the stupid password, slapd config was done. I installed phpldapadmin, and haven’t had any problems since. The trick has been learning what LDAP is all about. I’m still very confused, but I’m at last limping along. I’ve been able to successfully create an ldap entry, and use it to log in via ssh to my new server. Here’s an LDIF entry that I’ve exported from my running LDAP server, and slightly modified to obfuscate any information I’m concerned about. This isn’t a tutorial, so I can’t guarantee any of this will work cut-and-paste for you.

dn: cn=Kai Meyer,dc=example,dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: inetLocalMailRecipient
uid: kaiuser
givenname: Kai
sn: Meyer
cn: Kai Meyer
cn: Master of the Universe
telephonenumber: 555-555-5555
mail: therewasan@emailhere.com
maillocaladdress: therewasan@emailhere.com
userpassword: CENSORED
uidnumber: 1000
gidnumber: 1000
homedirectory: /home/users/kaiuser
loginshell: /bin/bash

I did other sorts of things, like create an Organizational unit, and add the object to the OU by modifying the “dn:” to include the OU after the cn. (If that made sense to you, you should probably be doing this for me.) The only other thing I needed to do to enable SSH + LDAP is to configure authentication for the machine to allow LDAP. This is CentOS 6, so I did it like so:

yum -y install nss-pam-ldapd
authconfig --enablemkhomedir --enableldap --enableldapauth --ldapserver=localhost --ldapbasedn="dc=example,dc=com" --updateall

It ended up looking like this:

[kai@example.com ~]$ ssh kaiuser@localhost
kaiuser@localhost's password:
Creating directory '/home/users/kaiuser'.
[kaiuser@example.com ~]$ pwd
/home/users/kaiuser

Next up, Postfix/Dovecot + LDAP. Then after that, SVN + LDAP.