Ubuntu HPC LDAP server setup on linux container

From Notes_Wiki

Home > Ubuntu > Ubuntu HPC setup with slurm and linux containers > Ubuntu HPC LDAP server setup on linux container


LDAP Server Setup on Ubuntu 22.04 linux container

This document provides step-by-step instructions to set up an OpenLDAP server on Ubuntu 22.04 (running in a Linux container), then to configure LDAPS (LDAP over TLS on port 636) and StartTLS on the plain port 389.

1. Set the Hostname

 
sudo hostnamectl set-hostname slurm-ldapsrv.local 
shutdown -r now

2. Edit /etc/hosts

Add the LDAP server's IP and hostname:

 
vim /etc/hosts 

Example entry:

192.168.2.10 slurm-ldapsrv.local slurm-ldapsrv

3. Install OpenLDAP Packages

 
apt install slapd ldap-utils -y 

You will be prompted to set the admin password during the installation. Provide and confirm a strong password.

4. Configure OpenLDAP Server

Run the configuration tool:

 
dpkg-reconfigure slapd 

Follow the prompts:

  • Select No when asked to omit configuration.
  • Enter domain name (e.g., slurm-ldapsrv.local) — this forms the base DN.
  • Enter organization name (can be same as domain).
  • Enter and confirm the LDAP admin password.
  • Choose No when asked to remove the database when slapd is purged.
  • Choose Yes to remove the old database and create a new one.

5. Update /etc/ldap/ldap.conf

 
sudo nano /etc/ldap/ldap.conf 

Add or edit:

 
BASE dc=slurm-ldapsrv,dc=local
URI ldap://slurm-ldapsrv.local 

Use the hostname rather than the IP address in URI. The server certificate created in the LDAPS section below is issued for slurm-ldapsrv.local, and TLS hostname verification fails when a client connects by IP address unless the certificate also carries an ip_address SAN. The hostname resolves through the /etc/hosts entry added in step 2.

6. Start and Enable slapd

 
systemctl start slapd 
systemctl enable slapd 

7. Confirm LDAP Configuration

 
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// 

This binds as root over the local ldapi socket (SASL EXTERNAL, so no password is needed) and, with no -b given, searches from the BASE set in /etc/ldap/ldap.conf. Expected output:

 
dn: dc=slurm-ldapsrv,dc=local
objectClass: top 
objectClass: dcObject 
objectClass: organization 
o: slurm-ldapsrv.local
dc: slurm-ldapsrv 

8. Populate the Directory

Create a file add_content.ldif:

 
vim add_content.ldif 

Content (note the blank line between entries; LDIF requires it, and ldapadd rejects a file without it):

 
dn: ou=People,dc=slurm-ldapsrv,dc=local
objectClass: organizationalUnit 
ou: People 

dn: ou=Groups,dc=slurm-ldapsrv,dc=local 
objectClass: organizationalUnit 
ou: Groups 

dn: cn=miners,ou=Groups,dc=slurm-ldapsrv,dc=local
objectClass: posixGroup 
cn: miners 
gidNumber: 5000 

dn: uid=john,ou=People,dc=slurm-ldapsrv,dc=local
objectClass: inetOrgPerson 
objectClass: posixAccount 
objectClass: shadowAccount 
uid: john 
sn: Doe 
givenName: John 
cn: John Doe 
displayName: John Doe 
uidNumber: 10000 
gidNumber: 5000 
userPassword: {CRYPT}x 
gecos: John Doe 
loginShell: /bin/bash 
homeDirectory: /home/john 

Purpose of add_content.ldif

After dpkg-reconfigure the directory contains only the base DN (dc=slurm-ldapsrv,dc=local) and the cn=admin entry. The organizational units (OUs), groups and users have to be created by hand, and that is what add_content.ldif does. The userPassword value {CRYPT}x is a placeholder that no password can match (x is not a valid crypt hash), so john cannot log in until an administrator sets a real password, for example with ldappasswd bound as cn=admin.

Add the entries, binding as the admin DN and entering the admin password at the prompt:

ldapadd -x -D cn=admin,dc=slurm-ldapsrv,dc=local -W -f add_content.ldif 
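The LDIF above has to carry exactly one blank line between entries and one free uidNumber per account, and both are easy to get wrong by hand. The following script, added here as an example and not part of the page's original instructions, generates such a file for any number of users: it emits the same attribute set as add_content.ldif, numbers the accounts consecutively, refuses duplicate or malformed uids, and keeps the {CRYPT}x placeholder so each account stays locked until ldappasswd sets a password. The base DN and gid 5000 come from the page; the uid:Given:Surname list format and the function names are this example's own.

```shell
#!/bin/sh
# Added example for this wiki page (not part of the page's own instructions):
# generate a correctly delimited LDIF file for several posixAccount users.
# ldapadd needs one blank line between entries; this script always emits it,
# allocates consecutive uidNumbers, and rejects duplicate uids up front.
# Assumed from the page: base DN dc=slurm-ldapsrv,dc=local and group gid 5000.
# Assumed by this example only: the "uid:Given:Surname" list format.

BASE_DN="dc=slurm-ldapsrv,dc=local"
DEFAULT_GID=5000

# user_entry UID GIVEN SN UIDNUMBER [GIDNUMBER]
# Print one user entry. userPassword is the {CRYPT}x placeholder: "x" is not a
# valid crypt(3) hash, so no password matches and the account stays locked
# until an administrator sets one with ldappasswd.
user_entry() {
    uid=$1; given=$2; sn=$3; uidnum=$4; gidnum=${5:-$DEFAULT_GID}
    case "$uid" in
        ''|*[!a-z0-9._-]*)
            echo "user_entry: invalid uid '$uid'" >&2
            return 1 ;;
    esac
    printf 'dn: uid=%s,ou=People,%s\n' "$uid" "$BASE_DN"
    printf 'objectClass: inetOrgPerson\n'
    printf 'objectClass: posixAccount\n'
    printf 'objectClass: shadowAccount\n'
    printf 'uid: %s\nsn: %s\ngivenName: %s\n' "$uid" "$sn" "$given"
    printf 'cn: %s %s\ndisplayName: %s %s\n' "$given" "$sn" "$given" "$sn"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$uidnum" "$gidnum"
    printf 'userPassword: {CRYPT}x\n'
    printf 'gecos: %s %s\nloginShell: /bin/bash\nhomeDirectory: /home/%s\n' \
        "$given" "$sn" "$uid"
}

# users_ldif FIRST_UIDNUMBER "uid:Given:Surname" ...
# Print all entries separated by blank lines, numbering from FIRST_UIDNUMBER.
users_ldif() {
    next=$1; shift
    seen=" "
    for spec in "$@"; do
        case "$spec" in
            *:*:*) ;;
            *) echo "users_ldif: expected uid:Given:Surname, got '$spec'" >&2
               return 1 ;;
        esac
        u=${spec%%:*}; rest=${spec#*:}
        g=${rest%%:*}; s=${rest#*:}
        case "$seen" in
            *" $u "*) echo "users_ldif: duplicate uid '$u'" >&2; return 1 ;;
        esac
        seen="$seen$u "
        user_entry "$u" "$g" "$s" "$next" || return 1
        echo                      # the blank line that separates LDIF entries
        next=$((next + 1))
    done
}

# Usage: redirect the output to add_users.ldif, load it as the admin DN,
# then give john a real password (both commands need the admin password).
users_ldif 10000 "john:John:Doe" "alice:Alice:Smith"
# ldapadd -x -D cn=admin,dc=slurm-ldapsrv,dc=local -W -f add_users.ldif
# ldappasswd -x -D cn=admin,dc=slurm-ldapsrv,dc=local -W -S \
#     uid=john,ou=People,dc=slurm-ldapsrv,dc=local
```

Run it on the server, redirect the output to add_users.ldif and load the file with ldapadd as shown for add_content.ldif; ldappasswd -S then prompts for the new password and stores it hashed by slapd, so no cleartext password ever sits in an LDIF file.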

Configuring LDAPS on the current server

1. Install TLS Tools

 
apt install gnutls-bin ssl-cert 

2. Create CA Private Key

 
certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/mycakey.pem 

3. Create CA Info Template

vim /etc/ssl/ca.info

Content:

 
cn = Example Company 
ca 
cert_signing_key 
expiration_days = 3650 

4. Generate Self-Signed CA Certificate

 
certtool --generate-self-signed \
  --load-privkey /etc/ssl/private/mycakey.pem \
  --template /etc/ssl/ca.info \
  --outfile /usr/local/share/ca-certificates/mycacert.crt 

Update the trusted CA store. This also creates the symlink /etc/ssl/certs/mycacert.pem that the following steps refer to:

 
update-ca-certificates 

5. Create Server Private Key

 
certtool --generate-privkey --bits 2048 --outfile /etc/ldap/ldap_slapd_key.pem 

6. Create Server Certificate Template

 
vim /etc/ssl/ldap.info 

Content:

 
organization = Example Company 
cn = slurm-ldapsrv.local
dns_name = "slurm-ldapsrv.local"
tls_www_server 
encryption_key 
signing_key 
expiration_days = 365 

The dns_name line puts the hostname into a subjectAltName. Current ldap-utils still accept a certificate with only the cn, but clients whose TLS library checks SANs only will reject it. Every name clients will put in their URI has to appear here; add ip_address = "192.168.2.10" as well if any client must connect by IP.

7. Generate Server Certificate

 
certtool --generate-certificate \
  --load-privkey /etc/ldap/ldap_slapd_key.pem \
  --load-ca-certificate /etc/ssl/certs/mycacert.pem \
  --load-ca-privkey /etc/ssl/private/mycakey.pem \
  --template /etc/ssl/ldap.info \
  --outfile /etc/ldap/ldap_slapd_cert.pem 

8. Set Permissions

slapd runs as the openldap user, so the private key must be readable by that group and by nobody else; a world-readable key would let any local user impersonate the LDAP server. The certificate files can stay world-readable.

 
chgrp openldap /etc/ldap/ldap_slapd_key.pem 
chmod 0640 /etc/ldap/ldap_slapd_key.pem

9. Configure slapd to Use TLS Certificates

Create the config file:

 
vim certinfo.ldif 

Content:

 
dn: cn=config 
changetype: modify
add: olcTLSCACertificateFile 
olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem 
- 
add: olcTLSCertificateFile 
olcTLSCertificateFile: /etc/ldap/ldap_slapd_cert.pem 
- 
add: olcTLSCertificateKeyFile 
olcTLSCertificateKeyFile: /etc/ldap/ldap_slapd_key.pem 

All three attributes are set in one ldapmodify operation on purpose: slapd validates that the certificate and key belong together when the change is applied, so adding them one at a time fails.

Apply with:

 
ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif 

10. Enable LDAPS in slapd Configuration

Edit slapd default settings:

vim /etc/default/slapd

Ensure this line is present:

 
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///" 

Restart slapd:

 
systemctl restart slapd 

11. Test TLS and LDAPS

Both tests connect anonymously, so they only prove that TLS works; no password is involved. The client must trust the CA: after update-ca-certificates the CA is part of /etc/ssl/certs/ca-certificates.crt, so make sure /etc/ldap/ldap.conf (on the server, and on every client that receives a copy of mycacert.crt) has a TLS_CACERT line pointing at that bundle.

Test StartTLS (TLS negotiated on port 389; -ZZ makes the command fail instead of silently falling back to cleartext):

 
ldapwhoami -x -ZZ -H ldap://slurm-ldapsrv.local

Test LDAPS (TLS from the first byte, on port 636):

 
ldapwhoami -x -H ldaps://slurm-ldapsrv.local

Expected output in both cases:

anonymous
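The two ldapwhoami calls show that a client can connect, but not why it fails when it does not. The following script, added here as an example and not part of the page's original instructions, checks each piece the LDAPS steps put in place: that ldaps:/// is listed in /etc/default/slapd, that the key belongs to group openldap and is not world-readable, that the certificate names the host clients will use and chains to the CA, and that the port 636 listener completes a TLS handshake against that CA using openssl s_client. File paths, the hostname and the openldap group are those used on this page; the function names, the PASS/FAIL output and the environment-variable overrides are this example's own.

```shell
#!/bin/sh
# Added example for this wiki page (not part of the page's own instructions):
# sanity-check the LDAPS deployment from the steps above before pointing
# clients at it. Paths, hostname and group follow the page; the function
# names, PASS/FAIL wording and the variable overrides are this example's own.

SLAPD_DEFAULTS=${SLAPD_DEFAULTS:-/etc/default/slapd}
CA_CERT=${CA_CERT:-/etc/ssl/certs/mycacert.pem}
SRV_CERT=${SRV_CERT:-/etc/ldap/ldap_slapd_cert.pem}
SRV_KEY=${SRV_KEY:-/etc/ldap/ldap_slapd_key.pem}
LDAP_HOST=${LDAP_HOST:-slurm-ldapsrv.local}

# services_have_ldaps "SLAPD_SERVICES=..." -> 0 when ldaps:/// is listed
services_have_ldaps() {
    case "$1" in
        *ldaps:///*) return 0 ;;
        *) return 1 ;;
    esac
}

# file_not_world_readable FILE -> 0 when the "other" permission bits are clear
# (chmod 0640 as in step 8; a world-readable key lets any local user
# impersonate slapd). Reads columns 8-10 of ls -l, which is portable.
file_not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# file_group_is FILE GROUP -> 0 when FILE belongs to GROUP (openldap for the key)
file_group_is() {
    [ "$(ls -ld "$1" | awk '{print $4}')" = "$2" ]
}

# cert_matches_host CERT HOST -> 0 when HOST is the subject CN or a DNS SAN.
# Clients whose TLS library checks SANs only need the certtool dns_name SAN.
cert_matches_host() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null |
        grep -q -e "CN *= *$2" -e "DNS:$2"
}

# cert_chains_to_ca CERT CA -> 0 when CERT was signed by CA, i.e. the chain
# that ldap clients with TLS_CACERT set to this CA will verify
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# ldaps_handshake HOST CA -> 0 when a TLS session on port 636 verifies against
# CA. This tests the listener itself, independent of any LDAP client library.
ldaps_handshake() {
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# report CHECK ARGS... -> runs the check, prints PASS/FAIL, keeps its status
report() {
    if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; return 1; fi
}

# check_ldaps_deployment -> 0 only when every check passes
check_ldaps_deployment() {
    rc=0
    services=$(grep '^SLAPD_SERVICES=' "$SLAPD_DEFAULTS" 2>/dev/null)
    report services_have_ldaps "$services"            || rc=1
    report file_not_world_readable "$SRV_KEY"          || rc=1
    report file_group_is "$SRV_KEY" openldap           || rc=1
    report cert_matches_host "$SRV_CERT" "$LDAP_HOST"  || rc=1
    report cert_chains_to_ca "$SRV_CERT" "$CA_CERT"    || rc=1
    report ldaps_handshake "$LDAP_HOST" "$CA_CERT"     || rc=1
    return $rc
}

# Run on the LDAP server after step 10; every line should read PASS.
if [ -r "$SLAPD_DEFAULTS" ]; then
    check_ldaps_deployment || echo "fix the FAIL items above, then restart slapd"
fi
```

Run it as root on the server (the key is not readable otherwise). A FAIL on cert_matches_host means the clients' URI hostname and the certificate disagree; a FAIL on ldaps_handshake while the other checks pass usually means slapd was not restarted after /etc/default/slapd changed, or that the firewall does not pass port 636.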

Why LDAPS Configuration is Required

  • LDAPS and StartTLS encrypt LDAP traffic, so bind passwords, user names and query results cannot be read or altered by anyone on the network path between client and server.
  • Without TLS a simple bind sends the password in cleartext, and a password change (ldappasswd, or PAM on a client) sends the new password the same way. slapd does not refuse this by default; it only does so once olcSecurity (for example simple_bind=128 or ssf=128) demands an encrypted session, which is the setting to add as soon as TLS works.
  • Certificate verification also authenticates the server, so a client cannot be tricked into sending credentials to an impostor LDAP host. Together this gives the secure authentication that compliance requirements and security best practices expect.
