This page is specific to Ubuntu version 10.04

If you find this information applicable to additional versions/releases, please edit this page and modify this header to reflect that. Please also include any necessary modifications for this information to apply to the additional versions.


LTSP-Cluster NAT and OpenLDAP

There are howtos for a basic LTSP-Cluster and for an LTSP-Cluster with NAT.

https://help.ubuntu.com/community/UbuntuLTSP/LTSP-Cluster

https://help.ubuntu.com/community/UbuntuLTSP/LTSP-Cluster_NAT

We continue here with LTSP-Cluster with NAT.

We have named the two servers this way.

Ltsp-root – 192.168.1.100 | Ltsp-appserv01 – 192.168.1.101

In this howto we install a basic OpenLDAP server on the ltsp-root server and also move the users' home directories over NFS to the ltsp-root server. That way the application server is only for applications.

We follow this howto.

https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html

Install OpenLDAP

sudo apt-get install slapd ldap-utils

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

Write two configuration files

After that, go to the /etc/ldap directory and write two basic configuration files.

sudo nano /etc/ldap/backend.arkki.info.ldif

Replace XXXXXXX with your choice of password for the admin. Here is an example file.

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=arkki,dc=info
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=arkki,dc=info
olcRootPW: XXXXXXX
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=arkki,dc=info" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=arkki,dc=info" write by * read

Add that file to the OpenLDAP server.

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.arkki.info.ldif

The other configuration file.

sudo nano /etc/ldap/frontend.arkki.info.ldif

Replace XXXXXXX with your choice of password for the admin. Here is an example file.

This file includes one user.

# Top level hierarchy - arkki.info
dn: dc=arkki,dc=info
objectClass: top
objectClass: dcObject
objectclass: organization
o: LDAP LTSP
dc: arkki
description: LDAP LTSP 

# Admin user.
dn: cn=admin,dc=arkki,dc=info
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: XXXXXXX

# First level hierarchy - people
dn: ou=people,dc=arkki,dc=info
objectClass: organizationalUnit
ou: people

# First level hierarchy - groups
dn: ou=groups,dc=arkki,dc=info
objectClass: organizationalUnit
ou: groups

# Second level hierarchy - Example user
dn: uid=asmok,ou=people,dc=arkki,dc=info
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: asmok
sn: Koskinen
givenName: Asmo
cn: Asmo Koskinen
displayName: Asmo Koskinen
uidNumber: 10000
gidNumber: 10000
userPassword: edubuntu
gecos: Asmo Koskinen
loginShell: /bin/bash
homeDirectory: /opt/ltsp-users/asmok
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: asmo.koskinen@arkki.info
postalCode: 67100
l: Kokkola
o: LDAP LTSP
mobile: +358 xx xx xx xx
homePhone: +358 xx xx xx xx
title: LTSP User
postalAddress: Pitkänsillankatu 18 A 6
initials: AK

# Second level hierarchy - Example group
dn: cn=ltsp,ou=groups,dc=arkki,dc=info
objectClass: posixGroup
cn: ltsp
gidNumber: 10000

Add that file to the OpenLDAP server.

sudo ldapadd -x -D cn=admin,dc=arkki,dc=info -W -f frontend.arkki.info.ldif

adding new entry "dc=arkki,dc=info"

adding new entry "cn=admin,dc=arkki,dc=info"

adding new entry "ou=people,dc=arkki,dc=info"

adding new entry "ou=groups,dc=arkki,dc=info"

adding new entry "uid=asmok,ou=people,dc=arkki,dc=info"

adding new entry "cn=ltsp,ou=groups,dc=arkki,dc=info"

Do the test

Do the first test before continuing.

ldapsearch -xLLL -b "dc=arkki,dc=info" uid=asmok sn givenName cn

dn: uid=asmok,ou=people,dc=arkki,dc=info
sn: Koskinen
givenName: Asmo
cn: Asmo Koskinen

Move home directory to the ltsp-root server

We follow this howto.

https://help.ubuntu.com/10.04/serverguide/C/network-file-system.html

Make a new home directory on the ltsp-root server and export it.

sudo apt-get install nfs-kernel-server

ltsp-root@ltsp-root:~$ cat /etc/exports

/opt/ltsp-users    *(rw,sync,no_root_squash,no_subtree_check)

ltsp-root@ltsp-root:~$ sudo /etc/init.d/nfs-kernel-server start
[sudo] password for ltsp-root: 
 * Exporting directories for NFS kernel daemon...
 * Starting NFS kernel daemon

Mount the new home directory on the ltsp-appserv01 server.

sudo apt-get install nfs-common

ltsp-appserv01@ltsp-appserv01:~$ cat /etc/fstab

192.168.1.100:/opt/ltsp-users /opt/ltsp-users nfs rsize=8192,wsize=8192,timeo=14,intr

sudo mount -a

192.168.1.100:/opt/ltsp-users on /opt/ltsp-users type nfs (rw,rsize=8192,wsize=8192,timeo=14,intr,addr=192.168.1.100)

Let ltsp-appserv01 use OpenLDAP server

Install the OpenLDAP client on the ltsp-appserv01 server.

sudo apt-get install libnss-ldap

We have installed one more package here.

sudo apt-get install ecryptfs-utils

sudo dpkg-reconfigure ldap-auth-config

sudo auth-client-config -t nss -p lac_ldap

sudo pam-auth-update

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-LTSP-Cluster/00.png

After that we added one line for automatic home directory creation.

cat /etc/pam.d/common-session

session [default=1]     pam_permit.so
session requisite       pam_deny.so
session required        pam_permit.so
session required        pam_unix.so 
session optional        pam_ldap.so 
session optional        pam_ecryptfs.so unwrap
session optional        pam_ck_connector.so nox11


session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022

Do this last.

sudo /etc/init.d/nscd restart

You should now have a file like this on the ltsp-appserv01 server.

cat /etc/ldap.conf

uri ldap://192.168.1.100/
base dc=arkki,dc=info
ldap_version 3
pam_password clear
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,nbd,news,nslcd,nx,proxy,pulse,root,rtkit,sabayon-admin,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,tftp,usbmux,uucp,www-data

Try to log in with the example user

You can now log in with the example user from the frontend.arkki.info.ldif file, and the home directory will be created on the fly on the ltsp-appserv01 server.

Use ldapscripts

sudo apt-get install ldapscripts

Add your OpenLDAP admin password to this file.

sudo sh -c "echo -n 'XXXXXXX' > /etc/ldapscripts/ldapscripts.passwd"

sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

Here is our example file for ldapscripts.

ltsp-root@ltsp-root:~$ cat /etc/ldapscripts/ldapscripts.conf

SERVER="ldap://localhost"
BINDDN="cn=admin,dc=arkki,dc=info"

BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"

SUFFIX="dc=arkki,dc=info"
GSUFFIX="ou=Groups"
USUFFIX="ou=People"

GIDSTART="10000"
UIDSTART="10000"

USHELL="/bin/bash"
UHOMES="/opt/ltsp-users/%u"
CREATEHOMES="no"
HOMESKEL="/etc/skel"
HOMEPERMS="755"

PASSWORDGEN="cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"

RECORDPASSWORDS="yes"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"

LOGFILE="/var/log/ldapscripts.log"

TMPDIR="/tmp"

LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"

That way we can create a new user (ltsp001 (user) | ltsp (group)) on the OpenLDAP server. Remember to delete the log file after you have delivered the password to the user (maybe via GSM).

sudo ldapadduser ltsp001 ltsp

Successfully added user ltsp001 to LDAP
Successfully set password for user ltsp001

ltsp-root@ltsp-root:~$ cat /var/log/ldapscripts_passwd.log | grep ltsp001

uid=ltsp001,ou=People,dc=arkki,dc=info : 2ESJOqiG

And we can change that password, too.

sudo ldapsetpasswd ltsp001

Changing password for user uid=ltsp001,ou=People,dc=arkki,dc=info
New Password: 
Retype New Password: 
Successfully set password for user uid=ltsp001,ou=People,dc=arkki,dc=info

Use Webmin module named 'LDAP Users and Groups' at ltsp-root server

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-LTSP-Cluster/06.png

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-LTSP-Cluster/05.png

We have added 27 new users from a batch file like this one ('Run batch file').

create:ltsp003:edubuntu:10003:10000:LTSP 003:/opt/ltsp-users/ltsp003:/bin/bash:::::
create:ltsp004:edubuntu:10004:10000:LTSP 004:/opt/ltsp-users/ltsp004:/bin/bash:::::
create:ltsp005:edubuntu:10005:10000:LTSP 005:/opt/ltsp-users/ltsp005:/bin/bash:::::
create:ltsp006:edubuntu:10006:10000:LTSP 006:/opt/ltsp-users/ltsp006:/bin/bash:::::
create:ltsp007:edubuntu:10007:10000:LTSP 007:/opt/ltsp-users/ltsp007:/bin/bash:::::
create:ltsp008:edubuntu:10008:10000:LTSP 008:/opt/ltsp-users/ltsp008:/bin/bash:::::
create:ltsp009:edubuntu:10009:10000:LTSP 009:/opt/ltsp-users/ltsp009:/bin/bash:::::
create:ltsp010:edubuntu:10010:10000:LTSP 010:/opt/ltsp-users/ltsp010:/bin/bash:::::
create:ltsp011:edubuntu:10011:10000:LTSP 011:/opt/ltsp-users/ltsp011:/bin/bash:::::
create:ltsp012:edubuntu:10012:10000:LTSP 012:/opt/ltsp-users/ltsp012:/bin/bash:::::
create:ltsp013:edubuntu:10013:10000:LTSP 013:/opt/ltsp-users/ltsp013:/bin/bash:::::
create:ltsp014:edubuntu:10014:10000:LTSP 014:/opt/ltsp-users/ltsp014:/bin/bash:::::
create:ltsp015:edubuntu:10015:10000:LTSP 015:/opt/ltsp-users/ltsp015:/bin/bash:::::
create:ltsp016:edubuntu:10016:10000:LTSP 016:/opt/ltsp-users/ltsp016:/bin/bash:::::
create:ltsp017:edubuntu:10017:10000:LTSP 017:/opt/ltsp-users/ltsp017:/bin/bash:::::
create:ltsp018:edubuntu:10018:10000:LTSP 018:/opt/ltsp-users/ltsp018:/bin/bash:::::
create:ltsp019:edubuntu:10019:10000:LTSP 019:/opt/ltsp-users/ltsp019:/bin/bash:::::
create:ltsp020:edubuntu:10020:10000:LTSP 020:/opt/ltsp-users/ltsp020:/bin/bash:::::
create:ltsp021:edubuntu:10021:10000:LTSP 021:/opt/ltsp-users/ltsp021:/bin/bash:::::
create:ltsp022:edubuntu:10022:10000:LTSP 022:/opt/ltsp-users/ltsp022:/bin/bash:::::
create:ltsp023:edubuntu:10023:10000:LTSP 023:/opt/ltsp-users/ltsp023:/bin/bash:::::
create:ltsp024:edubuntu:10024:10000:LTSP 024:/opt/ltsp-users/ltsp024:/bin/bash:::::
create:ltsp025:edubuntu:10025:10000:LTSP 025:/opt/ltsp-users/ltsp025:/bin/bash:::::
create:ltsp026:edubuntu:10026:10000:LTSP 026:/opt/ltsp-users/ltsp026:/bin/bash:::::
create:ltsp027:edubuntu:10027:10000:LTSP 027:/opt/ltsp-users/ltsp027:/bin/bash:::::
create:ltsp028:edubuntu:10028:10000:LTSP 028:/opt/ltsp-users/ltsp028:/bin/bash:::::
create:ltsp029:edubuntu:10029:10000:LTSP 029:/opt/ltsp-users/ltsp029:/bin/bash:::::
create:ltsp030:edubuntu:10030:10000:LTSP 030:/opt/ltsp-users/ltsp030:/bin/bash:::::
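The batch lines above carry the password in cleartext, as does userPassword in frontend.arkki.info.ldif. This added example (not from the page, Webmin or ldapscripts) turns the same batch format into LDIF entries of the kind ldapadduser creates, with userPassword stored as an OpenLDAP {SSHA} value instead; the sample batch lines are constructed, and the DN layout assumes the page's dc=arkki,dc=info / ou=people suffix.

```python
import base64
import hashlib
import os

BASE_DN = "dc=arkki,dc=info"   # suffix used on this page
PEOPLE_OU = "ou=people"        # ou from frontend.arkki.info.ldif
# Constructed sample in the Webmin batch format: create:uid:password:uidNumber:gidNumber:gecos:home:shell:::::
SAMPLE_BATCH = """\
create:ltsp003:edubuntu:10003:10000:LTSP 003:/opt/ltsp-users/ltsp003:/bin/bash:::::
create:ltsp004:edubuntu:10004:10000:LTSP 004:/opt/ltsp-users/ltsp004:/bin/bash:::::
"""

def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a cleartext password against an {SSHA} value the way slapd does."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def parse_batch_line(line):
    """Split one 'create:' line into the fields the batch format carries."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8 or fields[0] != "create":
        raise ValueError("not a create line: %r" % line)
    keys = ("uid", "password", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell")
    return dict(zip(keys, fields[1:8]))

def to_ldif(user):
    """Render the kind of entry ldapadduser creates, with the password hashed."""
    dn = "uid=%s,%s,%s" % (user["uid"], PEOPLE_OU, BASE_DN)
    attrs = [("objectClass", "account"), ("objectClass", "posixAccount"),
             ("cn", user["uid"]), ("uid", user["uid"]),
             ("uidNumber", user["uidNumber"]), ("gidNumber", user["gidNumber"]),
             ("homeDirectory", user["homeDirectory"]),
             ("loginShell", user["loginShell"]), ("gecos", user["gecos"]),
             ("userPassword", ssha_hash(user["password"]))]
    return "dn: %s\n" % dn + "".join("%s: %s\n" % kv for kv in attrs)

def batch_to_ldif(text):
    # Whole batch file -> LDIF ready for 'ldapadd -x -D cn=admin,dc=arkki,dc=info -W -f'
    entries = [to_ldif(parse_batch_line(l)) for l in text.splitlines() if l.strip()]
    return "\n".join(entries)
```

Values containing non-ASCII characters (the postalAddress on this page, for example) must be base64-encoded with a double colon in LDIF, which this short version does not handle.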

One note about home directories

When using ldapscripts we add every user to the same group (10000). You should prevent users from going into each other's home directories.

Change that.

ltsp-root@ltsp-root:~$ ls -al /opt/ltsp-users
yhteensä 16
drwxr-xr-x  4 root  root  4096 2010-11-01 23:00 .
drwxr-xr-x  5 root  root  4096 2010-11-01 18:38 ..
drwxr-xr-x 21 10000 10000 4096 2010-11-01 23:20 asmok
drwxr-xr-x 23 10001 10000 4096 2010-11-01 23:24 ltsp001

ltsp-root@ltsp-root:~$ sudo chmod 700 /opt/ltsp-users/*

ltsp-root@ltsp-root:~$ ls -al /opt/ltsp-users
yhteensä 16
drwxr-xr-x  4 root  root  4096 2010-11-01 23:00 .
drwxr-xr-x  5 root  root  4096 2010-11-01 18:38 ..
drwx------ 21 10000 10000 4096 2010-11-01 23:20 asmok
drwx------ 23 10001 10000 4096 2010-11-01 23:24 ltsp001
ltsp-root@ltsp-root:~$
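Because pam_mkhomedir runs with umask=0022 on this page, every new home starts out as 755 and the chmod above has to be repeated for each user. This added example (not from the page) audits the home tree for the group/other bits the page removes with chmod 700 and for directories whose owner does not match the uidNumber in LDAP, then applies the same fix; the directory tree and the uid mapping in demo() are constructed.

```python
import os
import stat
import tempfile

HOME_ROOT = "/opt/ltsp-users"   # the NFS-exported home tree used on this page
PRIVATE_MODE = 0o700            # what the howto's 'chmod 700' applies

def audit_homes(root, expected_owner=None):
    """Return (name, problem) pairs for home directories directly under root.

    expected_owner maps directory name -> uidNumber from LDAP. Group/other
    bits are a problem because every ldapscripts user shares gidNumber 10000,
    so a 755 home is readable by all of them.
    """
    problems = []
    for name in sorted(os.listdir(root)):
        st = os.lstat(os.path.join(root, name))
        if not stat.S_ISDIR(st.st_mode):
            continue                      # pam_mkhomedir only creates directories
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            problems.append((name, "mode %o is not private" % mode))
        if expected_owner and expected_owner.get(name) not in (None, st.st_uid):
            problems.append((name, "owned by uid %d, LDAP says %d"
                             % (st.st_uid, expected_owner[name])))
    return problems

def fix_home_modes(root):
    """Apply the page's 'chmod 700 /opt/ltsp-users/*' to directories; return names changed."""
    changed = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.lstat(path)
        if stat.S_ISDIR(st.st_mode) and stat.S_IMODE(st.st_mode) != PRIVATE_MODE:
            os.chmod(path, PRIVATE_MODE)
            changed.append(name)
    return changed

def demo():
    """Constructed tree: two homes left at 755, as pam_mkhomedir umask=0022 does."""
    root = tempfile.mkdtemp()
    for name in ("asmok", "ltsp001"):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, 0o755)             # explicit, since mkdir honours the umask
    owners = {"asmok": os.getuid(), "ltsp001": os.getuid()}
    before = audit_homes(root, owners)
    fixed = fix_home_modes(root)
    after = audit_homes(root, owners)
    return before, fixed, after
```

Run audit_homes(HOME_ROOT, owners) on the ltsp-root server with a mapping built from ldapsearch output to check the real tree; fix_home_modes only touches directories, so files dropped into /opt/ltsp-users are left alone.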

Some more tests and some screenshots

At the ltsp-appserv01 server.

ldapsearch -H ldap://192.168.1.100:389/ -b dc=arkki,dc=info objectclass=* -D\
cn=admin,dc=arkki,dc=info -W -x
Enter LDAP Password: 

# extended LDIF
#
# LDAPv3
# base <dc=arkki,dc=info> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# arkki.info
dn: dc=arkki,dc=info
objectClass: top
objectClass: dcObject
objectClass: organization
o: LDAP LTSP
dc: arkki
description:: TERBUCBMVFNQIA==

# admin, arkki.info
dn: cn=admin,dc=arkki,dc=info
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9Wmh0Y2lWT3VkOHJjTHoxZmlkd1RhaERJMzl5ZEpzSk0=

# people, arkki.info
dn: ou=people,dc=arkki,dc=info
objectClass: organizationalUnit
ou: people

# groups, arkki.info
dn: ou=groups,dc=arkki,dc=info
objectClass: organizationalUnit
ou: groups

# asmok, people, arkki.info
dn: uid=asmok,ou=people,dc=arkki,dc=info
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: asmok
sn: Koskinen
givenName: Asmo
cn: Asmo Koskinen
displayName: Asmo Koskinen
uidNumber: 10000
gidNumber: 10000
gecos: Asmo Koskinen
loginShell: /bin/bash
homeDirectory: /opt/ltsp-users/asmok
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: asmo.koskinen@arkki.info
postalCode: 67100
l: Kokkola
o: LDAP LTSP
mobile: +358 xx xx xx xx
homePhone: +358 xx xx xx xx
title: LTSP User
postalAddress:: UGl0a8OkbnNpbGxhbmthdHUgMTggQSA2
initials: AK
userPassword:: e1NTSEF9eFNIN0JmKytMTGJnbEFKcGVCRFU0Q2I1NVd0NGVSb1M=

# ltsp, groups, arkki.info
dn: cn=ltsp,ou=groups,dc=arkki,dc=info
objectClass: posixGroup
cn: ltsp
gidNumber: 10000

# ltsp001, People, arkki.info
dn: uid=ltsp001,ou=People,dc=arkki,dc=info
objectClass: account
objectClass: posixAccount
cn: ltsp001
uid: ltsp001
uidNumber: 10001
gidNumber: 10000
homeDirectory: /opt/ltsp-users/ltsp001
loginShell: /bin/bash
gecos: ltsp001
description: User account
userPassword:: e1NTSEF9ZnYrKzdnQS9WK1luekFmdGdVQ1FiOHVqLzhyekR2cis=

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7

At the ltsp-root server.

ltsp-root@ltsp-root:~$ ssh asmok@ltsp-appserv01
asmok@ltsp-appserv01's password: 
Linux ltsp-appserv01 2.6.32-25-generic #45-Ubuntu SMP Sat Oct 16 19:52:42 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.04.1 LTS

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/

Last login: Mon Nov  1 23:20:16 2010 from ltsp-appserv01

ltsp-root@ltsp-root:~$ ssh ltsp001@ltsp-appserv01
ltsp001@ltsp-appserv01's password: 
Linux ltsp-appserv01 2.6.32-25-generic #45-Ubuntu SMP Sat Oct 16 19:52:42 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.04.1 LTS

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/

Last login: Mon Nov  1 23:20:35 2010 from ltsp-appserv01

LTSP-Cluster Control Center.

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-LTSP-Cluster/01.png

phpLDAPAdmin at the ltsp-root server.

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-LTSP-Cluster/02.png

Webmin OpenLDAP Client at the ltsp-appserv01 server.

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-LTSP-Cluster/03.png

Webmin OpenLDAP Server at the ltsp-root server.

http://www.arkki.info/howto/Wiki/LTSP5-openLDAP-LTSP-Cluster/04.png

UbuntuLTSP/LTSP-Cluster_NAT_OpenLDAP (last edited 2010-11-02 13:34:46 by asmok)