Friday, 08 April 2011

OpenLDAP with a CentOS 5.5 Server and a Fedora 14 Client

Setting Up a Linux System with an LDAP Server on CentOS 5.5
===========================================================

A. Installing LDAP
------------------
The packages required for LDAP are openldap-servers, openldap-clients and nss_ldap.
Install them with:
# yum install openldap-servers openldap-clients nss_ldap

B. Configuring the LDAP Server
------------------------------
1. Set the administrator password for the OpenLDAP server.
# slappasswd
New password:
Re-enter new password:
{SSHA}ntokc0c+JJwxXWqoAI17EqX7UvNMzXQd
2. Edit /etc/openldap/slapd.conf.
# vim /etc/openldap/slapd.conf
Change the following:
suffix "dc=tunas,dc=com"
rootdn "cn=Manager,dc=tunas,dc=com"
rootpw "{SSHA}ntokc0c+JJwxXWqoAI17EqX7UvNMzXQd"
3. Restart your OpenLDAP server.
# service ldap restart
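The rootpw value that slappasswd printed in step 1 is an {SSHA} hash: "{SSHA}" followed by base64(SHA-1(password + salt) + salt) with a 4-byte salt. The following is an added example (not code from the original post) that builds such a hash and performs the same check slapd does when a bind against rootpw is verified; the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os

# Added example, not part of the original post: build and verify {SSHA}
# password hashes in the format slappasswd prints for rootpw, which is
# "{SSHA}" + base64(SHA-1(password + salt) + salt) with a 4-byte salt.

SALT_LEN = 4      # slappasswd uses a 4-byte random salt
DIGEST_LEN = 20   # SHA-1 digest length in bytes


def ssha_hash(password, salt=None):
    """Return a {SSHA} string usable as the rootpw value in slapd.conf."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value.

    Same procedure slapd applies to a simple bind: split the decoded value
    into digest and salt, re-hash the candidate with that salt, compare.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = ssha_hash("correct horse")   # constructed sample password
    print(h)
    print(ssha_verify("correct horse", h), ssha_verify("wrong", h))
```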

C. Adding Entries to the LDAP Server
------------------------------------
1. Change the default migration configuration in /usr/share/openldap/migration/migrate_common.ph
# vim /usr/share/openldap/migration/migrate_common.ph
Change the following:
-------------------------------------------
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "tunas.com";

# Default base
$DEFAULT_BASE = "dc=tunas,dc=com";
-------------------------------------------
2. Create the LDIF file to be loaded:
# /usr/share/openldap/migration/migrate_base.pl > root.ldif
# vim root.ldif
Delete the lines that are not needed, so that the file becomes:
dn: dc=tunas,dc=com
dc: tunas
objectClass: top
objectClass: domain

dn: ou=People,dc=tunas,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=tunas,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

3. Load root.ldif into LDAP
# ldapadd -x -D "cn=Manager,dc=tunas,dc=com" -f root.ldif -W
4. Migrate the system's users and passwords into LDAP
# /usr/share/openldap/migration/migrate_passwd.pl /etc/passwd user.ldif
5. Load user.ldif into LDAP
# ldapadd -x -D "cn=Manager,dc=tunas,dc=com" -f user.ldif -W
6. Migrate the system's groups and their passwords into LDAP
# /usr/share/openldap/migration/migrate_group.pl /etc/group group.ldif
7. Load group.ldif into LDAP
# ldapadd -x -D "cn=Manager,dc=tunas,dc=com" -f group.ldif -W
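To make visible what migrate_passwd.pl produces in step 4, here is an added example (not the post's script and not code from the migration tools) that reproduces its core in simplified form: /etc/passwd-style lines become posixAccount/shadowAccount entries under ou=People, dc=tunas,dc=com, ready for the ldapadd command above. It assumes ASCII GECOS values, skips uids below 500, and takes crypt(3) hashes from a separate shadow map; all sample accounts and hashes are constructed.

```python
# Added example, not the post's migrate_passwd.pl: a simplified reproduction of
# what that script does, turning /etc/passwd-style lines into LDIF entries under
# ou=People. Hashes come from a shadow map since the passwd field is only "x".

BASE_DN = "dc=tunas,dc=com"   # the suffix set in slapd.conf above
MIN_UID = 500                 # skip system accounts, as the PAM rules in part D do


def passwd_to_ldif(passwd_lines, shadow_hashes=None, base_dn=BASE_DN, min_uid=MIN_UID):
    """Return (ldif_text, [dn, ...]) for the regular users in passwd_lines."""
    shadow_hashes = shadow_hashes or {}
    entries, dns = [], []
    for line in passwd_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            continue
        dn = "uid=%s,ou=People,%s" % (name, base_dn)
        attrs = [
            "dn: " + dn,
            "uid: " + name,
            "cn: " + (gecos.split(",")[0] or name),   # full name from GECOS, else login
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: top",
            "objectClass: shadowAccount",
            "loginShell: " + shell,
            "uidNumber: " + uid,
            "gidNumber: " + gid,
            "homeDirectory: " + home,
        ]
        if name in shadow_hashes:   # {crypt} tells slapd the value is a crypt(3) hash
            attrs.append("userPassword: {crypt}" + shadow_hashes[name])
        entries.append("\n".join(attrs))
        dns.append(dn)
    return "\n\n".join(entries) + "\n", dns


SAMPLE_PASSWD = [   # constructed sample input, not real accounts
    "root:x:0:0:root:/root:/bin/bash",
    "budi:x:500:500:Budi Santoso,,,:/home/budi:/bin/bash",
    "sari:x:501:501:Sari Dewi:/home/sari:/bin/bash",
]
SAMPLE_SHADOW = {"budi": "$6$constructedsalt$constructedhash"}   # constructed
```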

D. Setting Up System Authentication Using the Fedora 14 LDAP Client
-------------------------------------------------------------------

1. Install the LDAP client tools
[root@www03 ~]# yum -y install openldap-clients nss_ldap

2. Run the command:
# setup
[ Choose a Tool ]
  Authentication configuration
  Firewall configuration
  Keyboard configuration
  Network configuration
  System services
  Timezone configuration
  X configuration
  < Run Tool >   < Quit >
Select: Authentication configuration
[ Authentication Configuration ]
  User Information              Authentication
  [ ] Cache Information         [*] Use MD5 Passwords
  [ ] Use Hesiod                [*] Use Shadow Passwords
  [*] Use LDAP                  [*] Use LDAP Authentication
  [ ] Use NIS                   [ ] Use Kerberos
  [ ] Use Winbind               [ ] Use SMB Authentication
                                [ ] Use Winbind Authentication
                                [ ] Local authorization is sufficient
  < Cancel >   < Next >
Mark the options with "*" as in the example above, then select Next.
[ LDAP Settings ]
  [ ] Use TLS
  Server:  ldap://192.168.1.1/
  Base DN: dc=tunas,dc=com
  < Back >   < Ok >
Enter the server as 127.0.0.1 and the Base DN as dc=pctoto,dc=com.

3. Edit ldap.conf and make sure it contains the following entries:
[root@www03 ~]# vi /etc/openldap/ldap.conf
URI ldap://192.168.1.1/
BASE dc=tunas,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

4. Edit nss_ldap.conf and make sure it contains the following entries:
[root@www03 ~]# vi /etc/nss_ldap.conf
base dc=tunas,dc=com
uri ldap://192.168.1.1/
ssl no
tls_cacertdir /etc/openldap/cacerts

5. Edit pam_ldap.conf and make sure it contains the following entries:
[root@www03 ~]# vi /etc/pam_ldap.conf
base dc=tunas,dc=com
uri ldap://192.168.1.1/
ssl no
tls_cacertdir /etc/openldap/cacerts

6. Edit system-auth and make sure it contains the following entries:
[root@www03 ~]# vi /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

# Add this line if you want home directories to be created automatically

session optional pam_mkhomedir.so skel=/etc/skel umask=077

7. Edit nsswitch.conf and make sure it contains the following entries:
[root@www03 ~]# vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
netgroup: nisplus ldap

8. Then reboot the operating system:
[root@www03 ~]# shutdown -r now
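Steps 3 to 5 put the same server and base DN into three files, and "ssl no" with a plain ldap:// URI means pam_ldap sends the user's password to 192.168.1.1 unencrypted. The following is an added example (not code from the original post) that parses constructed copies of those three files, checks that they agree, and reports the cleartext-bind condition; "ssl start_tls" or an ldaps:// URI clears the finding.

```python
# Added example, not part of the original post: check that the three client
# files from steps 3 to 5 agree on server and base DN, and flag settings that
# send the user's password to the server in cleartext. The file contents are
# constructed copies of what the steps above show.

LDAP_CONF = """URI ldap://192.168.1.1/
BASE dc=tunas,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
"""
NSS_LDAP_CONF = """base dc=tunas,dc=com
uri ldap://192.168.1.1/
ssl no
tls_cacertdir /etc/openldap/cacerts
"""
PAM_LDAP_CONF = NSS_LDAP_CONF   # the post gives both files the same contents


def parse_kv(text):
    """Parse 'key value' lines; keys are case-insensitive, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_client(ldap_conf, nss_conf, pam_conf):
    """Return a list of findings; an empty list means consistent and encrypted."""
    files = {"ldap.conf": parse_kv(ldap_conf),
             "nss_ldap.conf": parse_kv(nss_conf),
             "pam_ldap.conf": parse_kv(pam_conf)}
    findings = []
    uris = {name: conf.get("uri", "") for name, conf in files.items()}
    bases = {name: conf.get("base", "") for name, conf in files.items()}
    if len(set(uris.values())) != 1:
        findings.append("uri differs across files: %s" % uris)
    if len(set(bases.values())) != 1:
        findings.append("base differs across files: %s" % bases)
    # pam_ldap binds with the user's password; without ldaps:// or
    # "ssl start_tls" that bind crosses the LAN unencrypted
    for name in ("nss_ldap.conf", "pam_ldap.conf"):
        ssl = files[name].get("ssl", "no")
        if ssl not in ("on", "start_tls") and not uris[name].startswith("ldaps://"):
            findings.append("%s: ssl=%s with %s: binds are unencrypted" % (name, ssl, uris[name]))
    return findings
```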

E. Squid Authentication with LDAP
---------------------------------
1. Edit the authentication parameters in Squid
# vim /etc/squid/squid.conf
-----------------------------------------------
auth_param basic program /usr/lib/squid/squid_ldap_auth -b dc=tunas,dc=com -f "cn=%s" -s sub -h localhost
auth_param basic children 5
auth_param basic realm Login dulu yach
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl proxy_user proxy_auth REQUIRED
acl lan src 192.168.1.0/24
http_access allow lan proxy_user
http_access deny all
-----------------------------------------------

2. Restart the squid service
# service squid restart

3. Configure the clients to use your proxy.