8 configuring ldap[2]


Upload: dexter-lab

Post on 06-Apr-2018


8/2/2019 8 Configuring LDAP[2]

http://slidepdf.com/reader/full/8-configuring-ldap2 1/22

Lightweight Directory Access Protocol

• Objectives
 – This chapter will first show you how to install and use LDAP

• Contents
 – The LDAP Database Structure
 – Scenario
 – Configuring The LDAP Server
 – Configuring The LDAP Client
 – Common LDAP administrative tasks

• Practical
 – Start ldap server & client
 – Login and out
 – Common tasks


The LDAP Database Structure

• Scenario
 – The I.T. department in a small organization "example.com" has many Linux servers they need to administer.
 – They use the LDAP domain "my-site.com" for their LDAP database, in which one domain component (DC) will be "example" and the other will be "com":

dc=my-site, dc=com

 – The database will only have one organizational unit, simply called "People", which is the LDAP default:

ou=People

 – Each person will have attributes such as a username (User ID or UID), password, Linux "home" directory and login shell.


The server & client RPMs

• Installed on the server "bigboy"
 – openldap
 – openldap-clients
 – openldap-devel
 – nss_ldap
 – openldap-servers

• Server "bigboy" has a special user account named "ldapuser" that will be used to test the LDAP logins.

• Installed on the client "smallfry"
 – openldap
 – openldap-clients
 – openldap-devel
 – nss_ldap


Configuring The LDAP Server

• Create a database directory
 – RH defaults to putting all databases in the /var/lib/ldap directory.
 – We'll create a dedicated "my-site.com" directory owned by the user "ldap".

• Create an LDAP "root" password
 – Only the LDAP "root" user can create, import data into, and export data from an LDAP database.

# mkdir /var/lib/ldap/my-site.com
# chown ldap:ldap /var/lib/ldap/my-site.com

# slappasswd
New password:
Re-enter new password:
{SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ


Edit the /etc/openldap/slapd.conf file

• This is the main LDAP server configuration file
 – We'll now update it with the following information:
 – dc - domain component
 – cn - common name
 – rootpw is pasted from the "slappasswd" run

database ldbm
suffix "dc=my-site,dc=com"
rootdn "cn=Manager,dc=my-site,dc=com"
rootpw {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
directory /var/lib/ldap/my-site.com

• Start the LDAP daemon

# service ldap start


Convert the passwd file to LDIF format

• Create the "ldapuser" test account
 – We'll now create the "ldapuser" account we'll use for testing.

• Extract the desired records from /etc/passwd
 – We'll need to extract the "ldapuser" information from the /etc/passwd file using "grep".
 – If this is your first time creating the LDAP database, you will also want to extract the information for the Linux "root" user.

# useradd -g users ldapuser
# passwd ldapuser
Changing password for user ldapuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# grep ldapuser /etc/passwd >> /etc/openldap/passwd.ldapusers
# grep root /etc/passwd > /etc/openldap/passwd.root


Convert the passwd file to LDIF format

• Find the conversion script migrate_passwd.pl with locate

• Convert the "passwd.ldapusers" file to LDIF
 – We now convert the /etc/passwd data into LDAP Data Interchange Format (LDIF) files
 – users:
 – root:

# locate migrate
. . .
/usr/share/openldap/migration/migrate_passwd.pl
. . .

# /usr/share/openldap/migration/migrate_passwd.pl \
    /etc/openldap/passwd.ldapusers /etc/openldap/ldapusers.ldif

# /usr/share/openldap/migration/migrate_passwd.pl \
    /etc/openldap/passwd.root /etc/openldap/root.ldif


Modify the LDIF files

• Use vi to replace padl with example in both LDIF files
 – /etc/openldap/ldapusers.ldif
 – /etc/openldap/root.ldif
 – This is also an example of using search and replace within vi

• In /etc/openldap/root.ldif we need to make root the Manager

# vi /etc/openldap/ldapusers.ldif
:%s/padl/my-site/g
:wq!

# vi /etc/openldap/root.ldif
:%s/padl/my-site/g
:wq!

dn: uid=root,ou=People,dc=ing-steen,dc=se
uid: root
cn: Manager
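The conversion the two previous slides do with migrate_passwd.pl and a vi edit, as an added example that is not the page's own script: it turns /etc/passwd records into LDIF entries under the page's ou=People,dc=my-site,dc=com and gives the root record cn: Manager directly. The sample passwd lines are constructed, and the attribute set follows the common posixAccount/shadowAccount shape rather than being copied from migrate_passwd.pl.

```python
# Added example, not the page's migrate_passwd.pl: convert /etc/passwd
# records into LDIF entries under the page's ou=People,dc=my-site,dc=com,
# with the root record renamed "cn: Manager" as the slide does by hand.

BASE_DN = "ou=People,dc=my-site,dc=com"   # suffix used throughout the page

# Constructed sample in /etc/passwd format (not copied from a real host).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
ldapuser:x:500:100:LDAP test user:/home/ldapuser:/bin/bash
kalle:x:501:100::/home/kalle:/bin/bash
"""

def passwd_record_to_ldif(line):
    """One passwd line -> one posixAccount/shadowAccount LDIF entry.

    /etc/passwd carries 'x' instead of the hash (shadow passwords), so no
    userPassword is emitted; passwords are set later with passwd, as on the page.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd record: %r" % line)
    name, _pw, uid, gid, gecos, home, shell = fields
    # The root record becomes the Manager entry, as on the page.
    cn = "Manager" if name == "root" else (gecos or name)
    attrs = [
        "dn: uid=%s,%s" % (name, BASE_DN),
        "uid: " + name,
        "cn: " + cn,
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
        "loginShell: " + shell,
        "uidNumber: " + uid,
        "gidNumber: " + gid,
        "homeDirectory: " + home,
    ]
    if gecos:
        attrs.append("gecos: " + gecos)
    return "\n".join(attrs) + "\n"

def passwd_to_ldif(text, only_users=None):
    """Convert every record (or only the named users, like the page's grep)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if only_users is not None and line.split(":", 1)[0] not in only_users:
            continue
        entries.append(passwd_record_to_ldif(line))
    return "\n".join(entries)
```

The output of passwd_to_ldif(SAMPLE_PASSWD, only_users={"ldapuser"}) is what the page feeds to ldapadd -f ldapusers.ldif.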


Create LDIF "my-site.com" domain

• Create /etc/openldap/my-site.com.ldif
 – which should look like this:

dn: dc=my-site,dc=com
dc: my-site
description: Root LDAP entry for my-site.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People,dc=my-site,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit


Import the LDIF files into the database

• Import LDIF files to our database example.com.ldif
 – Root declaration in: root.ldif
 – All our coming ldap users in: ldapusers.ldif

• First we add the my-site.com.ldif
• Next we add root.ldif
• Last we add ldapusers.ldif

# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
    -W -f my-site.com.ldif

# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
    -W -f root.ldif

# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
    -W -f ldapusers.ldif


Test the LDAP database

• First search test, all entries

# ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'


Configuring The LDAP Client

• Edit the /etc/openldap/ldap.conf configuration file
 – Ease things up for clients by adding the LDAP server and domain suffix:

HOST 192.168.0.1
BASE dc=my-site,dc=com

• Edit the /etc/nsswitch.conf configuration file

passwd: files ldap
shadow: files ldap

• Instead of modifying nsswitch.conf manually you can:
 1. Run /usr/bin/authconfig
 2. Select LDAP
 3. Give the LDAP server's IP address, which in this case is 192.168.0.1
 4. Give the base DN as "dc=my-site,dc=com" (no quotes).
 5. Do not select TLS. (This is usually not a good idea)
 6. Use MD5 and shadow passwords.


Testing the LDAP Client

• Restart SSH
 – So it re-reads the nsswitch.conf file

• Test LDAP Logins
 – Using ldapsearch
 – Using SSH or the Linux console
 – Exit and login with ldapuser at the local console

# service sshd restart

# ldapsearch -x -b 'dc=my-site,dc=com' \
    '(objectclass=*)'

# ssh -l ldapuser 192.168.0.1


Common LDAP administrative tasks

• LDAP users changing their own passwords
 – LDAP users can modify their LDAP passwords using the regular passwd command.

$ passwd
Changing password for user ldapuser.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for ldapuser
passwd: all authentication tokens updated successfully.

• Modifying LDAP users by user "root"
 – Script usage sample, modifying users as root on the LDAP server

# passwd ldapuser
Changing password for user ldapuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@bigboy tmp]# modifyldapuser ldapuser
Enter LDAP Password:
modifying entry "uid=ldapuser,ou=People,dc=example,dc=com"


Common LDAP administrative tasks

• Adding new LDAP users with the addldapuser script
 – Add the user to the database:
 1. Create the Linux user kalle on the LDAP server with the useradd command
 2. Run the addldapuser script with the username as the only argument. The script prompts you for your LDAP "root" password.
 3. Create home directories for the user on all the LDAP client Linux boxes, otherwise they will have no home. Note that it is possible to let LDAP create temporary "home"s for users when they log in, by using the "skel" directory.

# useradd kalle
# addldapuser kalle
Enter LDAP Password:
adding new entry "uid=ldapuser,ou=People,dc=my-site,dc=com"

• Deleting LDAP users

ldapdelete -x -W -D "cn=Manager,dc=my-site,dc=com" \
    "uid=$1,ou=People,dc=my-site,dc=com"


Configuring Encrypted LDAP Communication

• Configuring the stunnel LDAP client
 – Edit the ldap.conf file
 – Create an stunnel user
 – Edit the /etc/stunnel/stunnel.conf configuration file

HOST localhost
BASE dc=my-site,dc=com

# useradd stunnel

# Configure stunnel to run as user "stunnel" placing temporary
# files in the /usr/var/run/stunnel/ directory
chroot = /home/stunnel
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
# Configure logging
debug = 7
output = /var/log/messages
# Use it for client mode
client = yes
# Service-level configuration
[ldap]
accept = 389
connect = 192.168.0.1:636


Configuring Encrypted LDAP Communication

• Start stunnel
 – Check the log files

# stunnel
# tail -100 /var/log/messages

• Start stunnel at next boot
 – Add this snippet at the end of /etc/rc.d/rc.local

# Run stunnel for LDAP (RedHat file location)
/usr/sbin/stunnel


Configuring Encrypted LDAP Communication

• Configuring the stunnel LDAP server
 – Create an stunnel user
 – Edit the /etc/stunnel/stunnel.conf configuration file

# useradd stunnel

# Configure stunnel to run as user "stunnel" placing temporary
# files in the /usr/var/run/stunnel/ directory
chroot = /home/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
# Some debugging stuff
debug = 7
output = /var/log/messages
# Server mode (not client mode)
client = no
cert = /usr/share/ssl/certs/stunnel.pem
key = /usr/share/ssl/certs/stunnel.pem
# Service-level configuration
[ldap]
accept = 636
connect = 389


Configuring Encrypted LDAP Communication

• Create the certificates
 – Go to the /usr/share/ssl/certs directory
 – Modify certificate file permissions: the certificate needs to be readable only by "root" and the "stunnel" user

# cd /usr/share/ssl/certs
[root@bigboy certs]# make stunnel.pem
...
Common Name (eg, your name or your server's hostname) []: 192.168.0.1
...

# chmod 640 stunnel.pem
# chgrp stunnel stunnel.pem
# ll /usr/share/ssl/certs
-rw-r----- 1 root stunnel 2004 Jul 31 21:50 stunnel.pem

• Start stunnel

# stunnel


Configuring Encrypted LDAP Communication

• Create a home directory for the user "ldapuser" at the client
 – Check that ldapuser is not in the /etc/passwd file.
 – Create the home directory for ldapuser on the client!

# grep ldapuser /etc/passwd

# mkdir /home/ldapuser
# chmod 700 /home/ldapuser/
# chown ldapuser:users /home/ldapuser/
# ll /home
total 2
drwx------ 2 ldapuser users 1024 Aug 4 08:05 ldapuser
# cp /etc/skel/.* /home/ldapuser/
cp: omitting directory `/etc/skel/.'
cp: omitting directory `/etc/skel/..'
cp: omitting directory `/etc/skel/.kde'
# chown ldapuser /home/ldapuser/.*


Test LDAP Logins on secure server

• Using ldapsearch on the LDAP client

# ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'

• Using SSH or the Linux console on the LDAP client
 – Try to log in as user ldapuser to the LDAP client Linux system.

• Use the tcpdump command to verify port 636

# tcpdump -n tcp port ldaps
tcpdump: listening on eth0
09:20:02.281257 192.168.0.1.1345 > 192.168.9.2.ldaps: S 1665037104:1665037104(0) win 5840 <mss 1460,sackOK,timestamp 74401362 0,nop,wscale 0> (DF)
09:20:02.281356 172.16.1.200.ldaps > 172.16.1.2.1345: S 1911175072:1911175072(0) ack 1665037105 win 5792 <mss 1460,sackOK,timestamp 20737195 74401362,nop,wscale 0> (DF)
......
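The tcpdump check above only proves that some traffic uses ldaps; the complementary check is that no LDAP traffic leaves the client in the clear on port 389. The following added example (not from the page) parses tcpdump lines in the format the slide shows and flags any flow to port 389 on a host other than loopback, since in the stunnel setup on this page the only legitimate 389 traffic is the client talking to its local stunnel. The capture lines are constructed.

```python
# Added example, not from the page: audit tcpdump output from the page's
# verification step. In the stunnel layout the client speaks to 127.0.0.1:389
# (its local stunnel), which forwards to the server's 636; a flow to port 389
# on any other host means LDAP binds are crossing the wire unencrypted.
import re

# tcpdump prints service names for well-known ports; map the two we care about.
PORT_NAMES = {"ldap": 389, "ldaps": 636}

# Constructed sample lines in the slide's tcpdump format (not a real capture).
SAMPLE_CAPTURE = """09:20:02.281257 192.168.0.1.1345 > 192.168.0.2.ldaps: S 1665037104:1665037104(0) win 5840
09:20:02.281356 192.168.0.2.ldaps > 192.168.0.1.1345: S 1911175072:1911175072(0) ack 1665037105 win 5792
09:21:10.000001 127.0.0.1.2048 > 127.0.0.1.ldap: S 1:1(0) win 5840
09:22:33.000002 192.168.0.1.2049 > 192.168.0.2.ldap: S 2:2(0) win 5840
"""

# "timestamp src.port > dst.port:" as printed by the tcpdump version on the slide
_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+):"
)

def _port(token):
    """Numeric port from a tcpdump port token (number or service name)."""
    return PORT_NAMES.get(token, int(token) if token.isdigit() else None)

def parse_flow(line):
    """Return (src, sport, dst, dport) for one tcpdump line, or None if not a flow."""
    m = _LINE.match(line)
    if not m:
        return None
    sport, dport = _port(m["sport"]), _port(m["dport"])
    if sport is None or dport is None:
        return None
    return m["src"], sport, m["dst"], dport

def cleartext_ldap_flows(capture):
    """Lines whose destination is port 389 on a non-loopback host.

    Traffic to 127.0.0.1:389 is expected: that is the client talking to its
    local stunnel, which forwards to the server's 636 as the page configures.
    """
    bad = []
    for line in capture.splitlines():
        flow = parse_flow(line)
        if flow and flow[3] == 389 and not flow[2].startswith("127."):
            bad.append(line)
    return bad
```

Run it against `tcpdump -n tcp port ldap or tcp port ldaps` output on the client; an empty result from cleartext_ldap_flows means the stunnel detour is actually being used.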


Addons for TLS

• Generate keys

# openssl req -newkey rsa:1024 -x509 -days 365 -keyout \
    slapd_key.pem -out slapd_cert.pem

• Remove passphrase from keys

# openssl rsa -in slapd_key.pem -out slapd_key.pem
# chown slapd-user.slapd-group sl*.pem
# chmod 600 sl*.pem

• In slapd.conf add entries

TLSCertificateFile /usr/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/ssl/certs/slapd_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLV2