PART-2
Now it's time to make our LDAP configuration more useful so that it meets some of the basic needs of an organization. The first requirement is that an LDAP client or user should be able to change his own password. Let's see how that can be accomplished.
ALLOW LDAP USER TO CHANGE HIS OWN PASSWORD
This is one of the easiest tasks related to LDAP setup. You will only have to edit a single file to do this.
By default, when an LDAP user (testuser) tries to run the passwd command on the client, you will get an error message like the one shown below:
===========================================================
testuser@ubuntudesktop:]#passwd
Enter login(LDAP) password: (enter the current LDAP login password here)
passwd: Authentication information cannot be recovered
passwd: password unchanged
============================================================
To overcome this, edit the PAM configuration file for passwords on the LDAP client as shown below:
ldapclient@ubuntuserver:]# vi /etc/pam.d/common-password
There you can find an entry like the one shown below:
===========================================================
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
===========================================================
Remove use_authtok from the above entry and save the file. With use_authtok, pam_ldap does not prompt for a new password but expects one already stashed by an earlier module in the stack; for an LDAP account none is available, which is why the change fails with the error above. Now log in as the LDAP user (testuser) and run the passwd command.
===========================================================
testuser@ubuntudesktop:]#passwd
Enter login(LDAP) password: (enter the current ldap login password here)
New password: (enter your new ldap login password here)
Re-enter new password:
LDAP password information changed for testuser
passwd: password updated successfully
===========================================================
That's it. This is useful when we create many LDAP users: if the above steps are done, we can set a common password for all LDAP users initially, so that every user can log in to the client first and then change the password to one of their own choosing, since we have given them the privilege to do so.
Now let's see how to limit the amount of disk space available to our LDAP users using disk quotas.
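As an added example that is not part of the original article, the following shell script checks a common-password file for exactly the condition fixed above: it parses the pam_ldap.so password line and reports whether use_authtok is still present. The two sample files are constructed here and modelled on the line shown above; the function name is my own.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the
# pam_ldap.so "password" line in a common-password file no longer
# carries use_authtok, the option that makes passwd fail for LDAP users.

# Return 0 when FILE has a pam_ldap.so password line without use_authtok,
# 1 when the line is missing or still has use_authtok. The control field
# may be a bracketed list, so we match on the module name, not a position.
pam_ldap_self_change_ok() {
    awk '
        /^[ \t]*#/ { next }                           # skip comments
        $1 == "password" && /pam_ldap\.so/ {
            found = 1
            for (i = 2; i <= NF; i++)
                if ($i == "use_authtok") bad = 1
        }
        END { exit (found && !bad) ? 0 : 1 }' "$1"
}

# Constructed samples modelled on the article's line (not real files).
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
# common-password as shipped: pam_ldap expects a token from pam_unix
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
EOF
cat > "$AFTER" <<'EOF'
# common-password after the edit: use_authtok removed
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
password requisite pam_deny.so
EOF

# Report one word per file so the result is easy to check in scripts.
check_before() { pam_ldap_self_change_ok "$BEFORE" && echo ok || echo use_authtok-present; }
check_after()  { pam_ldap_self_change_ok "$AFTER"  && echo ok || echo use_authtok-present; }

check_before   # prints: use_authtok-present
check_after    # prints: ok
```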
SETTING UP USER DISK QUOTAS FOR LDAP USERS:
First install the quota package by running the following command as root from the LDAP server:
root@ubuntuserver:]# apt-get install quota
Edit the /etc/fstab file and add usrquota to the mount options as shown below:
root@ubuntuserver:]# vi /etc/fstab
You will find an entry similar to the one shown below:
===========================================================
UUID=64b95014-f658-4ef1-b217-3981f0cc2c48 /home ext4 errors=remount-ro,usrquota 0 1
===========================================================
Here my mount point is /home and I'm setting the quota for the /home partition. You can see usrquota added to the mount options in the above entry. Save and quit the file.
Finish the setup by running the following commands:
root@ubuntuserver:]# touch /aquota.user
root@ubuntuserver:]# chmod 600 /aquota.user
Remount the /home partition using the command:
root@ubuntuserver:]# mount -o remount /home
Build the quota files by scanning the filesystem with the following command:
root@ubuntuserver:]# quotacheck -avu
===========================================================
-a  Check all quota-enabled, locally mounted file systems
-v  Display verbose status information as the quota check proceeds
-u  Check user disk quota information
===========================================================
Finally turn on the quota by running:
root@ubuntuserver:]# quotaon -avu
You will see a similar output as shown below:
===========================================================
/dev/disk/by-uuid/64b95014-f658-4ef1-b217-3981f0cc2c48 [/home]: user quotas turned on
===========================================================
That's it; you now have quotas enabled on the /home partition. Now let's see how to set a quota for each user.
We can see the quotas currently defined with:
root@ubuntuserver:]# repquota /home
You will see a similar output as shown below:
===========================================================
*** Report for user quotas on device /dev/disk/by-uuid/64b95014-f658-4ef1-b217-3981f0cc2c48
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  783468       0       0          32822     0     0
daemon    --      56       0       0              4     0     0
man       --    1128       0       0            145     0     0
libuuid   --      24       0       0              2     0     0
syslog    --    1224       0       0             14     0     0
landscape --       4       0       0              1     0     0
sage      -- 1642936       0       0           1303     0     0
bind      --      12       0       0              3     0     0
openldap  --    7088       0       0             90     0     0
statd     --      16       0       0              4     0     0
ldapuser1 --    9076       0       0            381     0     0
testuser  --  123164       0       0            940     0     0
===========================================================
Note that the LDAP user testuser was created using ldapscripts, which we covered in PART-1. If a user reaches his soft limit he is warned that he is approaching his quota; the hard limit is the limit beyond which the user cannot actually write data. So a user can still write data after reaching his soft limit, until the grace period shown in the report expires. All soft and hard block limits are in kilobytes. The -- displayed after each user is a quick way to see whether the block or inode limits have been exceeded: if a soft limit is exceeded, a + appears in place of the corresponding -, where the first - represents the block limit and the second the inode limit. Here I'll show how to set up a disk quota for our LDAP user testuser:
First edit the quota for testuser using the following command:
root@ubuntuserver:]# edquota testuser
It will open a nano text editor with entries similar to the ones below:
===========================================================
Disk quotas for user testuser (uid 10002):
Filesystem                                              blocks  soft  hard  inodes  soft  hard
/dev/disk/by-uuid/64b95014-f658-4ef1-b217-3981f0cc2c48  126176     0     0     963     0     0
===========================================================
I’ll show how to set a 10GB quota for testuser.
Edit the above entry as shown below:
===========================================================
Disk quotas for user testuser (uid 10002):
Filesystem                                              blocks      soft      hard  inodes      soft      hard
/dev/disk/by-uuid/64b95014-f658-4ef1-b217-3981f0cc2c48  126228  10485760  10485760     963  10485760  10485760
===========================================================
Here 10485760 KB is 10GB (10 x 1024 x 1024 KB).
Save and exit the file. Now you can see the user's quota with:
root@ubuntuserver:]# quota testuser
You can see the following output:
===========================================================
Disk quotas for user testuser (uid 10002):
Filesystem                                              blocks      soft      hard  inodes      soft      hard
/dev/disk/by-uuid/64b95014-f658-4ef1-b217-3981f0cc2c48  126228  10485760  10485760     963  10485760  10485760
===========================================================
Or you can see the user quota with:
root@ubuntuserver:]# repquota /home
===========================================================
*** Report for user quotas on device /dev/disk/by-uuid/64b95014-f658-4ef1-b217-3981f0cc2c48
Block grace time: 7days; Inode grace time: 7days
                          Block limits                     File limits
User              used     soft     hard  grace    used     soft     hard  grace
--------------------------------------------------------------------------------
root      --    783468        0        0          32822        0        0
daemon    --        56        0        0              4        0        0
man       --      1128        0        0            145        0        0
libuuid   --        24        0        0              2        0        0
syslog    --      1224        0        0             14        0        0
landscape --         4        0        0              1        0        0
sage      --   1642936        0        0           1303        0        0
bind      --        12        0        0              3        0        0
openldap  --      7088        0        0             90        0        0
statd     --        16        0        0              4        0        0
ldapuser1 --      9076        0        0            381        0        0
testuser  --    123164 10485760 10485760            940 10485760 10485760
===========================================================
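The report above is the natural place to watch quota usage, so as an added example (not from the original article) here is a small shell script that reads a repquota-style report and lists users who are over their block soft limit (a + in the flag column) or close to it. The report it parses is a constructed sample in repquota's layout, not output from the author's server, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): audit a repquota(8)
# report for users approaching or exceeding their block soft limit.

# Convert a size in GB to the 1K blocks that edquota/setquota expect.
# Matches the article's value: 10 GB -> 10485760 blocks. The same value
# could be applied non-interactively with
#   setquota -u testuser 10485760 10485760 0 0 /home
gb_to_kblocks() {
    echo $(( $1 * 1024 * 1024 ))
}

# Read a repquota report on stdin and print "<user> <flags> <used> <soft>
# <pct>" for every user that has a block soft limit and is either over it
# ('+' in the first flag position) or above WARN_PCT percent of it.
# Header and separator lines never match the flag-pair pattern.
quota_audit() {
    awk -v warn="${1:-80}" '
        $2 ~ /^[-+][-+]$/ && $4 > 0 {
            pct  = int($3 * 100 / $4)
            over = (substr($2, 1, 1) == "+")
            if (over || pct >= warn)
                printf "%s %s %d %d %d%%\n", $1, $2, $3, $4, pct
        }'
}

# Constructed sample in the layout repquota prints (not real server output).
SAMPLE_REPORT='*** Report for user quotas on device /dev/sdb1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  783468       0       0          32822     0     0
ldapuser1 --    9076       0       0            381     0     0
testuser  --  123164 10485760 10485760          940 10485760 10485760
ldapuser2 +- 10600000 10485760 12582912  6days  1200 10485760 10485760
ldapuser3 --  9000000 10485760 10485760          500 10485760 10485760
'

# Run the audit on the sample with an 80% warning threshold.
audit_sample() {
    printf '%s' "$SAMPLE_REPORT" | quota_audit 80
}

audit_sample   # prints ldapuser2 (over, 101%) and ldapuser3 (85%)
```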
Now the LDAP user testuser is allowed to use only 10GB of disk space on our LDAP server. Next, let's see how to set up auto-mounting of LDAP users' home directories.
SETUP AUTO MOUNTING OF LDAP USER HOME DIRECTORY USING NFS AND AUTOFS:
In order to share a directory from one machine to another we need a file sharing server first. In our scenario we need to share the /home directory of the LDAP server with the clients, so we will configure the LDAP server as an NFS file server first.
Install the NFS server package by logging into the LDAP server as root and running the following command from a terminal:
root@ubuntuserver:]# apt-get install nfs-kernel-server
Once the package is installed edit the /etc/exports file as shown below:
root@ubuntuserver:]# vi /etc/exports
Add an entry like the one shown below at the end of the file:
===========================================================
/home 192.168.1.yyy(rw,fsid=0,no_subtree_check)
===========================================================
Save the file and exit.
The above entry exports the /home directory of our LDAP server with read-write permissions to the single LDAP client 192.168.1.yyy; no other host can mount it.
NFS needs to be able to identify each file system that it exports. Normally it uses the UUID of the file system (if it has one) or the device number of the device holding the file system (if the file system is stored on a device).
As not all file systems are stored on devices, and not all file systems have UUIDs, it is sometimes necessary to tell NFS explicitly how to identify a file system. This is done with the fsid= option; fsid=0 marks this export as the root of the exported tree. The no_subtree_check option disables subtree checking, the server-side verification that a requested file lies inside the exported directory when only part of a file system is exported.
Run the following command to finish the setup:
root@ubuntuserver:]# exportfs -a
exportfs -a exports the newly added entries in /etc/exports without restarting the NFS service.
At this point we have a working NFS server with the /home directory shared. Now let's use the autofs utility on the LDAP client so that the home directory of each user is mounted automatically when that LDAP user logs in.
Log in to the LDAP client as root and install the autofs package as shown below:
ldapclient@ubuntuserver:]# apt-get install autofs
Once the package is installed, edit the file /etc/auto.master as shown below:
ldapclient@ubuntuserver:]# vi /etc/auto.master
Add an entry as shown below at the end of the file:
===========================================================
/home /etc/auto.home
===========================================================
Save and exit the file. Now create a new file /etc/auto.home and add the following entry to it:
===========================================================
* 192.168.1.xxx:/home/&
===========================================================
Save and exit the file.
The above entry specifies that any user (*) who logs into this machine will have his home directory /home/username mounted from the NFS server 192.168.1.xxx, which is our LDAP server; the & is replaced by the user name that matched the *.
To correctly resolve LDAP users and groups while auto-mounting, make sure the name service caching daemon nscd is installed on both the LDAP server and the LDAP client:
root@ubuntuserver:]# apt-get install nscd
Finally, restart the autofs service on the client as follows:
ldapclient@ubuntuserver:]# /etc/init.d/autofs restart
That's it. Now log in to the LDAP client machine as the LDAP user testuser; you will see testuser log in with /home/testuser mounted from the LDAP server.
Now let's proceed to PART-3 for further configuration: securing LDAP authentication with TLS.