LDAP Single-Sign-On with Webmin on Ubuntu 12.04 HOWTO
In order to set up a LAMP cluster we usually need a way to share the master server's uid/gid with the other member servers, whether for an NFS-shared home directory or for running Apache2 + PHP5 in suexec style. Using LDAP + Webmin can satisfy this Single-Sign-On (SSO) need in a handy way.
This HOWTO will guide you through installation of Webmin and the OpenLDAP server, then use it as SSO between 2 servers with nss-pam-ldapd. First of all let's focus on making it work, and then enhance it with better security.
In this example let's assume we have 2 servers: dev6c1 and dev6c2, with domain name "localdomain" and IP information as below:
172.24.145.25 dev6c1.localdomain dev6c1
172.24.145.26 dev6c2.localdomain dev6c2
Here dev6c1 will be the OpenLDAP master, and dev6c2 will be the slave that uses nss-pam-ldapd as the SSO client.
Install Webmin Manually
Simply execute the following commands:
cat >> /etc/apt/sources.list.d/virtualmin.list <<-EOF
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
deb http://software.virtualmin.com/gpl/ubuntu/ virtualmin-precise main
deb http://software.virtualmin.com/gpl/ubuntu/ virtualmin-universal main
EOF
wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add -
wget -q http://software.virtualmin.com/lib/RPM-GPG-KEY-virtualmin -O- | sudo apt-key add -
wget -q http://software.virtualmin.com/lib/RPM-GPG-KEY-webmin -O- | sudo apt-key add -
aptitude -y install ubuntu-extras-keyring && \
aptitude update && \
aptitude -y full-upgrade && \
tasksel install openssh-server && \
tasksel install server && \
tasksel install mail-server && \
aptitude -y install usermin webmin && \
aptitude update && aptitude -y full-upgrade && aptitude autoclean && aptitude clean
Execute the following commands on dev6c1 as the OpenLDAP master:
aptitude -y install slapd libnet-ldap-perl ldap-utils
Don't worry about the initial questions; answer them however you like, as we will now reconfigure it with:
- dpkg-reconfigure slapd
- Omit OpenLDAP server configuration? No
- DNS domain name: localdomain
- Organization name: localdomain
- Administrator password: (your password)
- Database backend to use: HDB
- Do you want the database to be removed when slapd is purged? No
- Move old database? Yes
- Allow LDAPv2 protocol? No
Configure LDAP Server for Webmin
Log into Webmin at https://172.24.145.25:10000/ and go to "Un-used Modules -> LDAP Server".
Go to "OpenLDAP Server Configuration" and update the password with "New administration password".
Go back and click on "Create Tree", and create the new DNs as below:
- For Unix user:
- Distinguished name: dc=Users,dc=localdomain
- Create example object under new DN? Unix user
- For Unix group:
- Distinguished name: dc=Groups,dc=localdomain
- Create example object under new DN? Unix group
Now verify the slapd setup with "Apply Configuration", "Stop Server", "Start Server"; also click on "Browse Database", which should show something similar to the below:
Execute the following commands on both machines as LDAP SSO clients:
aptitude -y install libnet-ldap-perl libpam-ldapd libnss-ldapd ldap-utils nscd nslcd
Don't worry about the initial questions; answer them however you like.
Also disable nscd, or else it may produce unexpected results while debugging LDAP lookups:
update-rc.d-insserv -f nscd remove
/etc/init.d/nscd stop
Reconfigure all the above packages as below:
- dpkg-reconfigure libpam-ldapd
- PAM profiles to enable: Unix authentication, LDAP Authentication
- dpkg-reconfigure libnss-ldapd
- Name services to configure: group, passwd, shadow
- dpkg-reconfigure nslcd
- LDAP server URI: ldap://dev6c1/
- LDAP server search base: dc=localdomain
- LDAP authentication to use: none
- Use StartTLS? No
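The nslcd answers above ("LDAP authentication to use: none", "Use StartTLS? No") are the plain-text starting point the HOWTO deliberately begins with. As an added example, not part of the original HOWTO, the script below audits an nslcd.conf for exactly those transport settings, so the hardening pass that comes later can be checked mechanically. The keywords (uri, ssl, tls_reqcert, tls_cacertfile, bindpw) are the real nslcd.conf(5) options; the CA file path in the hardened sample is an assumption, and both sample configs are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: audit an nslcd.conf for the
# transport settings that the dpkg-reconfigure answers above leave weak
# ("LDAP authentication to use: none", "Use StartTLS? No"). Keywords follow
# nslcd.conf(5); the CA file path in the hardened sample is an assumption.

# audit_nslcd_conf: read an nslcd.conf from stdin, print one finding per
# line; return 0 when there are no findings, 1 otherwise.
audit_nslcd_conf() {
    findings=$(awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        $1 == "uri"         { uri = $2 }
        $1 == "ssl"         { ssl = $2 }
        $1 == "tls_reqcert" { reqcert = $2 }
        $1 == "bindpw"      { bindpw = 1 }
        END {
            if (uri ~ /^ldap:\/\// && ssl != "start_tls")
                print "plain ldap:// without \"ssl start_tls\": lookups and any bind password cross the wire in clear"
            if (ssl == "start_tls" || uri ~ /^ldaps:\/\//) {
                if (reqcert == "") reqcert = "(not set)"
                if (reqcert == "(not set)" || reqcert == "never" || reqcert == "allow")
                    print "tls_reqcert is " reqcert ": set it to \"demand\" so the server certificate is verified"
            }
            if (bindpw)
                print "bindpw present: nslcd.conf must be readable by root only (mode 0600)"
        }')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample 1: what the dpkg-reconfigure answers above produce.
WEAK_NSLCD_CONF='uri ldap://dev6c1/
base dc=localdomain'

# Constructed sample 2: the same client with StartTLS and certificate
# verification turned on (CA bundle path assumed).
HARDENED_NSLCD_CONF='uri ldap://dev6c1/
base dc=localdomain
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/dev6c1-ca.pem'

echo "== weak (HOWTO answers) =="
printf '%s\n' "$WEAK_NSLCD_CONF" | audit_nslcd_conf || true
echo "== hardened =="
printf '%s\n' "$HARDENED_NSLCD_CONF" | audit_nslcd_conf && echo "no findings"
```

On a real client run it as `audit_nslcd_conf < /etc/nslcd.conf`; a non-zero exit makes it usable as a gate in a deploy script.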
As long as the example user and group were created in the section above, we can now check whether the LDAP lookup works:
getent passwd | grep example
It should show a result similar to:
Don't forget to test with both machines.
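The getent check above only proves that the LDAP entries resolve. Since the whole point of the setup is that every member shares the same uid/gid numbers, the thing a practitioner also wants to know is whether an LDAP account collides with a local one. The script below is an added example, not part of the original HOWTO: it reads passwd- or group-format lines (as produced by `getent passwd` / `getent group`) and reports any numeric id that maps to more than one name. The sample data is constructed; the account names in it are not from the page.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: once LDAP entries are merged
# into the NSS view, a uid or gid that also exists locally resolves to two
# names, which breaks the "same uid/gid on every member" goal that NFS and
# suexec depend on. On the real hosts run:
#   getent passwd | find_dup_ids 3      # uids
#   getent group  | find_dup_ids 3      # gids

# find_dup_ids COL: read passwd- or group-format lines from stdin and print
# "<id> <name1>,<name2>,..." for every numeric id (field COL, 1-based)
# that appears under more than one account name.
find_dup_ids() {
    awk -F: -v col="$1" '
        NF == 0 || $1 ~ /^#/ { next }
        {
            if ($col in names) names[$col] = names[$col] "," $1; else names[$col] = $1
            count[$col]++
        }
        END { for (id in count) if (count[id] > 1) print id, names[id] }
    ' | sort -n
}

# check_passwd_ids DATA: wrapper returning 0 when DATA (passwd-format text)
# has no uid collisions, 1 otherwise, listing the collisions on stdout so
# the check can run from a deploy script or cron job.
check_passwd_ids() {
    dups=$(printf '%s\n' "$1" | find_dup_ids 3)
    if [ -n "$dups" ]; then
        printf 'uid collision(s):\n%s\n' "$dups"
        return 1
    fi
    return 0
}

# Constructed sample: dev6c2's local accounts merged with two LDAP users;
# "example" reuses uid 1000, which local "alice" already owns.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice (local):/home/alice:/bin/bash
example:x:1000:1000:Example LDAP user:/home/example:/bin/bash
bob:x:1001:1001:Bob LDAP user:/home/bob:/bin/bash'

if check_passwd_ids "$SAMPLE_PASSWD"; then
    echo "no uid collisions"
fi
```

Run it on each member after the nslcd reconfiguration; a collision found on one member only means that member's local accounts, not the LDAP tree, need fixing.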
Configure LDAP Client for Webmin
Note that Webmin only supports libpam-ldap/libnss-ldap officially, not libpam-ldapd/libnss-ldapd, so the key point of setting up LDAP Client in Webmin is to allow all the other Webmin modules to access our LDAP server correctly (this also benefits a Virtualmin setup with an LDAP authentication backend).
Log into Webmin at https://172.24.145.25:10000/ and go to "Un-used Modules -> LDAP Client".
As it complains that the configuration file is not found (naturally, since we are using libpam-ldapd/libnss-ldapd), click on "Module Config" and update as:
- LDAP client configuration file: /etc/ldap/ldap.conf
- PAM LDAP configuration file: Same as LDAP client file
- Root LDAP client password files: /etc/ldap/ldap.secret
Now it should look fine. Before configuring through the Webmin interface, let's put some default values into /etc/ldap/ldap.conf as a reference:
cat >> /etc/ldap/ldap.conf <<-EOF
host dev6c1
rootbinddn cn=admin,dc=localdomain
base dc=localdomain
nss_base_passwd dc=Users,dc=localdomain
nss_base_shadow dc=Users,dc=localdomain
nss_base_group dc=Groups,dc=localdomain
EOF
Access the Webmin interface again, click on "LDAP Server Configuration" and double-check as below:
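With rootbinddn set, the libnss-ldap-style client reads the cn=admin password from the file configured above as "Root LDAP client password files" (/etc/ldap/ldap.secret). That file holds the directory administrator's password in clear text, so it has to be owned by root with no group or other permission bits. The script below is an added example, not part of the original HOWTO: it checks a secret file's owner and mode with plain POSIX tools, and the fix it suggests in the comment is the usual chown/chmod pair.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: verify that the root bind
# password file (/etc/ldap/ldap.secret in this setup) is not readable by
# anyone except its owner, which should be root. A world-readable copy of
# this file gives every local account full write access to the directory.

# check_secret_file FILE [OWNER]
# Returns 0 when FILE is a regular file owned by OWNER (default root) with no
# group/other permission bits; returns 1 and prints the reason otherwise.
# Parses `ls -ld` output so it works with any POSIX sh, no GNU stat needed.
check_secret_file() {
    file="$1"
    want_owner="${2:-root}"
    if [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file"
        return 1
    fi
    set -- $(ls -ld "$file")      # fields: mode links owner group ...
    mode="$1"
    owner="$3"
    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owned by $owner, expected $want_owner"
        return 1
    fi
    # Characters 5-10 of the mode string are the group and other bits;
    # anything but dashes there means someone besides the owner can read it.
    case "$mode" in
        ????------*) ;;
        *) echo "$file: mode $mode grants access to group/other"; return 1 ;;
    esac
    return 0
}

# Typical fix when the check fails:
#   chown root:root /etc/ldap/ldap.secret && chmod 600 /etc/ldap/ldap.secret
if [ -f /etc/ldap/ldap.secret ]; then
    check_secret_file /etc/ldap/ldap.secret && echo "/etc/ldap/ldap.secret: ok"
fi
```

The same check applies to any other file that carries a bind password for this client, such as an nslcd.conf containing a bindpw line.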
- LDAP server hostnames: dev6c1
- Login for root user: cn=admin,dc=localdomain
- Password for root user: (your_secret_password)
Go back and click on "LDAP Search Bases" and double-check as below:
- Global search base: dc=localdomain
- Base for Unix users: dc=Users,dc=localdomain
- Base for Unix password: dc=Users,dc=localdomain
- Base for Unix groups: dc=Users,dc=localdomain
Go back and click on "Validate Configuration"; if all works it should report something similar to the below:
If you are going to use Virtualmin, you can now configure it to use LDAP as its backend user storage. Virtualmin will then create all new users in your LDAP tree, so they can be populated to any cluster setup.
If you are going to use NFS or another cluster file system, using LDAP as SSO now lets the other member machines share the same uid/gid with the host, so Apache2 suexec can operate correctly.