@lijikun
Last active August 14, 2020 14:26
Migrate a Client Computer (Debian/Ubuntu) from OpenLDAP to FreeIPA for User Authentication

A Guide for Migrating an OpenLDAP Client to FreeIPA (Debian/Ubuntu)

Introduction

As some OS vendors phase out OpenLDAP (Red Hat, for one, dropped the OpenLDAP server packages from RHEL 8), it may become necessary to migrate to a more "modern" directory stack such as FreeIPA (which is, of course, more than just a directory service), as I've recently done for a small scientific computing cluster.

This gist has been tested with a CentOS 8 FreeIPA server and clients on various versions of Debian and Ubuntu LTS. The steps are tested to the extent that they are sufficient for producing a functional FreeIPA client, but I am not sure every step detailed here is necessary.

For "fresh" server and clients, one can pretty much follow the server setup procedure in Digital Ocean's tutorial and related client setup guides for Debian/Ubuntu and Fedora/RHEL/CentOS.

However, if a Debian/Ubuntu client is already enrolled in OpenLDAP, the above tutorials are not sufficient; follow the steps detailed here instead.

Server Preparation

  • If not done already, install a functioning FreeIPA server, e.g. ipaserver.example.test whose Kerberos realm is IPASERVER.EXAMPLE.TEST.

  • If not done already, copy all the data from the old LDAP server to the new FreeIPA server using the ipa migrate-ds command. There are many caveats and tricks with this especially if you are not migrating from an RHEL/CentOS server, because even the default schemas are different in different Linux distros. See the relevant Red Hat Documentation.

  • You may also have to do some cleanup using the IPA server web interface.

Client Installation

  • In the steps below, replace ipaserver.example.test with your own server's hostname, and ipaclient.example.test your own client's.

  • SSH into the client and obtain root access. All the following steps should be done on the client as root. Keep a second root shell open for the whole procedure: a mistake in nsswitch.conf or the PAM stack can make every new login fail, and the already-open session is your way back in.

  • Use apt to update and upgrade all installed packages. If it is not already installed, install the dnsutils package (it provides dig).

  • Obtain the IP(v4) addresses of the server and the client.

    dig +short ipaserver.example.test A
    dig +short ipaclient.example.test A
  • Run hostnamectl set-hostname ipaclient.example.test, or edit /etc/hostname of the client to reflect its FQDN (i.e. ipaclient.example.test, NOT just ipaclient).

  • Edit /etc/hosts and put the FQDNs and IP addresses of the client and server at its beginning, FQDN first and the short name as an alias:

    123.45.67.89 ipaclient.example.test ipaclient
    234.56.78.90 ipaserver.example.test ipaserver
    

    Also remove any lines like 127.0.0.1 ipaclient.example.test or 127.0.1.1 ipaclient (the Debian installer adds the latter): ipa-client-install and sssd must resolve the client's own name to its real address, not to a loopback address.

  • Install FreeIPA client: apt install freeipa-client.
    Answer IPASERVER.EXAMPLE.TEST when asked for Kerberos realm.
    Answer ipaserver.example.test when asked for Kerberos server hostname.
    Answer ipaserver.example.test when asked for administrative server.

  • Run ipa-client-install --mkhomedir.
    The installer first asks for the IPA domain and then for the IPA server name; in this example both answers are ipaserver.example.test. Answer yes to the two confirmation prompts that follow (proceeding with the fixed values without DNS discovery, then continuing with the displayed configuration).
    When prompted for the "User authorized to enroll computers", enter admin and then its password.

    When finished, the last line of output should be The ipa-client-install command was successful.
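As an added example (not part of the original gist), here is a small POSIX shell script that checks the hostname and /etc/hosts conditions from the steps above before ipa-client-install is run: the client name must be fully qualified, and both client and server must resolve through /etc/hosts to a real address rather than a loopback one. The names and addresses are the placeholders used in this guide, the two sample hosts files are constructed inline for demonstration, and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not part of the original gist): sanity-check the client's
# hostname and /etc/hosts before running ipa-client-install. The FQDN and
# address values below are this guide's placeholders; replace them with yours.
# Usage as root: check_hosts_file /etc/hosts ipaclient.example.test ipaserver.example.test

# Succeed only if NAME looks fully qualified: contains a dot and has
# neither a leading nor a trailing dot.
is_fqdn() {
    case "$1" in
        .*|*.|*..*) return 1 ;;
        *.*)        return 0 ;;
        *)          return 1 ;;
    esac
}

# Succeed only if FILE maps FQDN to a non-loopback address and never to a
# 127.x.x.x or ::1 address. Full-line and trailing comments are ignored.
hosts_entry_ok() {
    file=$1
    fqdn=$2
    sed 's/#.*//' "$file" | awk -v h="$fqdn" '
        NF >= 2 {
            for (i = 2; i <= NF; i++) {
                if ($i == h) {
                    if ($1 ~ /^127\./ || $1 == "::1") bad = 1
                    else good = 1
                }
            }
        }
        END { exit (good && !bad) ? 0 : 1 }'
}

# Combined pre-flight check: the client name must be an FQDN, and both the
# client and the server need usable entries in the hosts file.
check_hosts_file() {
    file=$1
    client=$2
    server=$3
    is_fqdn "$client" || { echo "client name '$client' is not an FQDN" >&2; return 1; }
    hosts_entry_ok "$file" "$client" || { echo "$file: bad or missing entry for $client" >&2; return 1; }
    hosts_entry_ok "$file" "$server" || { echo "$file: bad or missing entry for $server" >&2; return 1; }
    return 0
}

# Constructed sample files so the checks can be exercised without touching
# the real /etc/hosts. GOOD_HOSTS follows the layout in this guide; BAD_HOSTS
# keeps the 127.0.1.1 line that the Debian installer writes and that must go.
GOOD_HOSTS=$(mktemp)
BAD_HOSTS=$(mktemp)
trap 'rm -f "$GOOD_HOSTS" "$BAD_HOSTS"' EXIT
cat > "$GOOD_HOSTS" <<'EOF'
123.45.67.89 ipaclient.example.test ipaclient
234.56.78.90 ipaserver.example.test ipaserver
127.0.0.1 localhost
EOF
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1 localhost
127.0.1.1 ipaclient.example.test ipaclient   # left behind by the installer
234.56.78.90 ipaserver.example.test ipaserver
EOF

# Demonstration on the constructed files; on a real client run it on /etc/hosts.
for f in "$GOOD_HOSTS" "$BAD_HOSTS"; do
    if check_hosts_file "$f" ipaclient.example.test ipaserver.example.test; then
        echo "$f: OK"
    else
        echo "$f: FAILED"
    fi
done
```

The awk pass treats a name that appears on both a loopback line and a real line as a failure, because sssd and ipa-client-install pick up whichever line comes first, and the guide's intent is that only the real address remains.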

Client-Side Configuration

  • Check the end of /etc/ssh/sshd_config. Make sure the install scripts have added the following lines:

    KerberosAuthentication no
    PubkeyAuthentication yes
    UsePAM yes
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    GSSAPIAuthentication yes
    ChallengeResponseAuthentication yes
    AuthorizedKeysCommandUser nobody
    

    KerberosAuthentication no next to GSSAPIAuthentication yes is expected: Kerberos single sign-on goes through GSSAPI, while KerberosAuthentication is the older option that validates typed passwords against the KDC. AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys makes sshd fetch a user's public keys from the IPA directory (the keys set with ipa user-mod --sshpubkey); keys in ~/.ssh/authorized_keys keep working because AuthorizedKeysFile is unchanged. After any manual edit, run sshd -t before restarting the service.
  • Edit /etc/nsswitch.conf. Remove all occurrences of ldap, and make sure sss appears on the passwd, group, shadow, services, netgroup and sudoers lines.

  • Next, you need to edit a bunch of PAM module configs. You can run pam-auth-update --force, check Create home directory on login and SSS authentication, uncheck LDAP Authentication, and select Ok.

    Or, add, edit or delete the lines in the following files corresponding to the *.so modules:

    • Edit /etc/pam.d/common-account. Comment out the line with pam_ldap.so, and add the following lines to the end:

      account sufficient pam_localuser.so 
      account [default=bad success=ok user_unknown=ignore] pam_sss.so
      
    • Edit /etc/pam.d/common-auth. Comment out the line with pam_ldap.so, and add the following line directly after the pam_unix.so line and before pam_deny.so:

      auth [success=1 default=ignore] pam_sss.so use_first_pass
      
      The success=N value is the number of following modules to skip, not a priority. With success=1, pam_sss.so jumps over pam_deny.so only, and the pam_unix.so line above it needs success=2 so that a correct local password skips both pam_sss.so and pam_deny.so. A miscounted jump can lock out local users or bypass pam_deny.so, which is why pam-auth-update is the safer route.
    • Edit /etc/pam.d/common-password. Again comment out the line with pam_ldap.so and add/edit the following lines:

      password requisite pam_pwquality.so retry=3
      password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
      password sufficient pam_sss.so use_authtok
      
    • Edit /etc/pam.d/common-session. Comment out the line with pam_ldap.so and add/edit the following lines:

      session optional pam_sss.so
      session required pam_mkhomedir.so skel=/etc/skel umask=002
      
      Note that umask=002 makes each newly created home directory group-writable (mode 775); use umask=077 unless group-writable home directories are actually what you want.
    • Edit /etc/pam.d/common-session-noninteractive. Comment out the line with pam_ldap.so.

  • Remove the OpenLDAP client packages: apt remove --purge libpam-ldap libnss-ldap ldap-utils -y. Do this only after nsswitch.conf no longer lists ldap; purging libnss-ldap while it is still referenced makes every user and group lookup fail.

  • Before rebooting, verify from the second root shell that an IPA user resolves (id someuser and getent passwd someuser) and that an SSH login as that user works. Then reboot the client computer.
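As an added example (not part of the original gist), the following POSIX shell script checks the outcome of the client-side configuration steps above before the reboot: no active ldap source or pam_ldap.so line may remain, sss and pam_sss.so must be in place, and, on the real client, sssd must be running, sshd_config must still parse, an IPA user must resolve through NSS, and the host keytab written by ipa-client-install must obtain a ticket. The sample nsswitch.conf and PAM fragments are constructed inline so the parsing functions can be exercised offline; live_check takes an assumed IPA user name and uses the standard Debian/Ubuntu file paths.

```shell
#!/bin/sh
# Added example (not part of the original gist): verify the NSS and PAM
# edits before rebooting, while a second root shell is still open.

# Succeed only if FILE (normally /etc/nsswitch.conf) has no active "ldap"
# source and lists "sss" for every database named in the remaining arguments.
nsswitch_ok() {
    file=$1
    shift
    if sed 's/#.*//' "$file" | grep -qw ldap; then
        echo "$file: ldap still listed" >&2
        return 1
    fi
    for db in "$@"; do
        if ! sed 's/#.*//' "$file" | grep -E "^[[:space:]]*$db:" | grep -qw sss; then
            echo "$file: $db does not use sss" >&2
            return 1
        fi
    done
    return 0
}

# Succeed only if none of the PAM files given still has an active
# (uncommented) pam_ldap.so line; a commented-out line is fine.
pam_ldap_gone() {
    for f in "$@"; do
        if sed 's/#.*//' "$f" | grep -q 'pam_ldap\.so'; then
            echo "$f: active pam_ldap.so line" >&2
            return 1
        fi
    done
    return 0
}

# Succeed only if FILE has an active pam_sss.so line.
pam_uses_sss() {
    sed 's/#.*//' "$1" | grep -q 'pam_sss\.so'
}

# Checks against the running system: run as root after the edits, before the
# reboot. USER is an IPA account (assumed name) that should resolve via sssd.
live_check() {
    user=$1
    nsswitch_ok /etc/nsswitch.conf passwd group shadow || return 1
    pam_ldap_gone /etc/pam.d/common-auth /etc/pam.d/common-account \
        /etc/pam.d/common-password /etc/pam.d/common-session \
        /etc/pam.d/common-session-noninteractive || return 1
    for f in common-auth common-account common-password common-session; do
        pam_uses_sss "/etc/pam.d/$f" || { echo "/etc/pam.d/$f: no pam_sss.so" >&2; return 1; }
    done
    systemctl is-active --quiet sssd || { echo "sssd is not running" >&2; return 1; }
    sshd -t || return 1                      # sshd_config must still parse
    getent passwd "$user" >/dev/null || { echo "$user not resolvable via NSS" >&2; return 1; }
    kinit -k "host/$(hostname -f)" || return 1   # host keytab from ipa-client-install
    kdestroy
    echo "all checks passed; safe to reboot"
}

# Constructed samples to exercise the parsers without touching /etc.
NSS_GOOD=$(mktemp); NSS_BAD=$(mktemp); PAM_GOOD=$(mktemp); PAM_BAD=$(mktemp)
trap 'rm -f "$NSS_GOOD" "$NSS_BAD" "$PAM_GOOD" "$PAM_BAD"' EXIT
cat > "$NSS_GOOD" <<'EOF'
passwd:         files sss systemd
group:          files sss systemd
shadow:         files sss
sudoers:        files sss
EOF
cat > "$NSS_BAD" <<'EOF'
passwd:         files ldap
group:          files ldap
shadow:         files ldap
EOF
cat > "$PAM_GOOD" <<'EOF'
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
# auth  [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
cat > "$PAM_BAD" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
EOF

if nsswitch_ok "$NSS_GOOD" passwd group shadow && pam_ldap_gone "$PAM_GOOD"; then
    echo "sample configuration: OK"
fi
# On the real client, run:  live_check someipauser
```

Run live_check from the open root session, not from a fresh SSH login, so that a failure is reported rather than experienced as a locked-out host.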

Notes and Caveats

  • Users on macOS may have to log in twice to get access. If the first login attempt fails, just try again.