ldap all in one,ldap configuration
TRANSCRIPT
7/28/2019 LDAP All in one,ldap configuration
see attributes like CN, Common Name, which takes the values Barbara Jensen and Babs Jensen. You further see attributes like SN, surname, which takes the value Jensen, and mail, which takes the value [email protected].
You also see some objectClass attribute values. The objectClass attribute tells you what other attribute types the entry can have. Object class definitions are found in the directory schema. The schema specifies all the known object classes and attribute types available for entries in the directory. You can add schema definitions to LDAP directories, making LDAP entries easily extensible.
When you want to look up something in a directory, you typically know the value of one of the attributes. By analogy, if you want to look up a phone number, you already know the name of the person or organization whose telephone number you want. If you are looking up a phone number, you also probably have some idea where the person or organization is located. The same is the case for LDAP directories: you typically need to have some idea where the entry is located.
For example, assume you want to look up Barbara Jensen's phone number in the LDAP directory holding the entry shown previously. You need to know one of the attributes; in this case, you know Barbara's name. You also need to know approximately where her entry is located. If you know that she is in the directory at Example.com, and that the root of their tree starts at dc=example,dc=com, that is enough.
There are GUI tools out there for LDAP lookups, but many systems also have a command called ldapsearch. You guessed it, ldapsearch is for searching LDAP directories. Here is an ldapsearch command that searches the entries under dc=example,dc=com for entries having the common name Barbara Jensen.
$ ldapsearch -b dc=example,dc=com "(cn=Barbara Jensen)"
The argument to the -b option is the base DN for the search. By default, the ldapsearch command searches through all the entries in the tree below the base DN. The "(cn=Barbara Jensen)" is called the filter, because it specifies the criteria for filtering through the entries found under the base DN. If you have set everything up correctly, your search returns something very much like the entry shown above, except that you almost surely will not see the userPassword attribute and its value: a correctly configured server only lets the entry itself, or an administrator, read it. You can also narrow the search results to see only the DN of the entry and the telephone number. You do this by adding the attribute or attributes you want returned after the filter.
$ ldapsearch -b dc=example,dc=com "(cn=Barbara Jensen)" telephoneNumber
If everything works as expected, this search returns a partial entry.
dn: uid=bjensen, ou=People, dc=example,dc=com
telephonenumber: +1 408 555 1862
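The filter above is typed by hand, but in scripts the value usually comes from user input, and the characters ( ) * \ and NUL change the meaning of a filter unless they are escaped as RFC 4515 requires (LDAP injection). The following is an added example, not part of the lesson, showing how to build the filter and the ldapsearch command line safely; the function names and the use of -LLL are this example's choices, not anything the lesson prescribes.

```python
# Added example (not from the lesson): build an ldapsearch filter safely.
# RFC 4515 requires * ( ) \ and NUL inside an assertion value to be written
# as \2a \28 \29 \5c \00; otherwise user-supplied text can rewrite the filter.
import shlex

_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the server treats it literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    """Return an equality filter such as (cn=Barbara Jensen)."""
    return f"({attribute}={escape_filter_value(value)})"


def ldapsearch_argv(base_dn: str, filt: str, attributes=()) -> list:
    """Argument vector for ldapsearch: -x is simple auth, -LLL trims LDIF comments."""
    return ["ldapsearch", "-x", "-LLL", "-b", base_dn, filt, *attributes]


def ldapsearch_command(base_dn: str, filt: str, attributes=()) -> str:
    """The same command as a shell-safe string for copy and paste."""
    return shlex.join(ldapsearch_argv(base_dn, filt, attributes))


if __name__ == "__main__":
    # A hostile "name" that would otherwise turn the search into (cn=*)(uid=*)
    print(equality_filter("cn", "*)(uid=*"))
    print(ldapsearch_command("dc=example,dc=com",
                             equality_filter("cn", "Barbara Jensen"),
                             ["telephoneNumber"]))
```

Passing the filter as a separate argv element (rather than interpolating it into a shell string) also keeps the shell from interpreting the parentheses and asterisks.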
Basics of LDAP
Server Training - Server Management
Lightweight Directory Access Protocol (LDAP)
This course will help you understand the benefits of LDAP as well as the implementation of LDAP. The Open
collaborative effort to develop a robust, commercial-grade, fully featured, and open source LDAP suite of a development tools. The project is managed by a worldwide community of volunteers that use the Internet to develop the OpenLDAP Suite and its related documentation.
Lesson 2
Course Difficulty
The course level is for an experienced Linux administrator. LDAP is not easy and in fact can be very frust provide several LDAP courses with increasing difficulty and options. The first course is Basic LDAP use w creation of a User Whitepages. The second LDAP course will be how to use the Open Source graphical too LDAP and the third course will be the use of LDAP with Samba. The course is designed for a CentOS syst Ubuntu Client and Ubuntu Server.
LDAP File Locations
LDAP Commands
LDAP Logging
LDAP Server Install
tcp_wrappers with LDAP
Add System User
Set Up LDAP Client
Project: LDAP White Pages
Course Support
The course author, among others, will be available for questions in the Forum.
Quizzes
The quizzes are there to help you focus on the key points made about each distro. Caution: You will only be time and that score will be recorded. So before you take the quiz be sure you understand all of the features on. Click Here to take a Demo Test so that you can see how the questions will be formatted.
Community
Be sure to check out the Community Page with information on other courses and Community Discounts on
OIDs
A globally unique OID helps define each element of the schema you are using. The OIDs are based upon a
Attributes
Attribute information is described by attributeType. The attribute name is what is specified from one piece homePhone could be an attribute name representing a person's phone number.
Object Classes
When you group attribute data you will be using an objectclass. This means that all the data in the object c
DIT (Directory Information Tree)
The top of the tree is called the Base DN; this is what names the database. The importance of the Base DN come under this object. So when you name the object make sure this is the top most object you want. There you can organize after you establish the base. You could organize based on regional areas. So for example you would create are based on areas that your company is involved in like Japan, Europe, China, US, etc. Y
situation where built containers based on function. In that situation you may end up creating users multiple functions. No matter how you describe your functions there will be the cross over that will require a lot mo companies may design containers based on business function. Here you may have a sales, research, shippi
LDIF (LDAP Data Interchange Format)
LDIF is the text format used to load data into the directory and to dump data out of it; the server itself stores the data in its database backend. This format creates entries for your directory th LDAP Interchange Format is a plain text file that describes the organization. LDIF is a file format for entri provides a method of mapping attributes to values and it may contain directives for the parser.
Indexing
Indexes will improve the search performance of the directory. You have a number of indexes available to u
Presence - list entries that contain a specific attribute (homePhone)
Equality - entries that contain a specific attribute and value (homePhone=442-345-7656)
Approximate - close to the search filter
Substrings - wildcard searches (homePhone=*-345-*)
In this example, the top entry is the distinguished name (DN), which looks like this in the LDIF:
dc=linux,dc=local
# LDIF listing for the entry dn: dc=beginlinux,dc=net
dn: dc=linux,dc=local
objectClas
When you view this entry the standard is to have the attribute, a colon and then the value.
attribute: value
dc: linux
Understanding the distinctions between a distinguished name (DN) and a relative distinguished name (RDN) is this example for Fred Smith, his entry will look like this:
dn: cn=Fred Smith,dc=linux,dc=local
cn: Fred Smith
ou: People
The DN is dn: cn=Fred Smith,dc=linux,dc=local
This names the entry's full position in the directory tree. The RDN is only the leftmost part of the DN; it has to be unique only among the entries that share the same parent.
RDN is cn=Fred Smith
Attributes are designed to hold values.
Each attribute type has a syntax, which works like a data type: it specifies what kind of information can be stored in the value, along with certain other rules, such as how to compare the value with a value of the same type.
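Splitting a DN into its RDNs is what the server does to locate an entry, and what a client does to check that a returned entry really lies under the base it searched. The following is an added example, not code from the lesson; it treats the DN as the comma-separated list of RDNs described above and honours the backslash escape that RFC 4514 uses for commas inside a value. The case-insensitive comparison in is_under is a simplification of full DN matching.

```python
# Added example (not from the lesson): take a DN apart into RDNs.
# A DN lists its RDNs most-specific first, separated by commas; a comma that
# belongs to a value is escaped with a backslash, so str.split(",") is unsafe.


def split_dn(dn: str) -> list:
    """Return the RDNs of dn, left to right, keeping escapes as written."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # escaped character: copy both bytes
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def rdn(dn: str) -> str:
    """The relative distinguished name: the leftmost component."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """The DN of the entry's superior, i.e. everything after the RDN."""
    return ",".join(split_dn(dn)[1:])


def is_under(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn or lies below it (what a subtree search returns).

    Simplification: RDNs are compared case-insensitively as whole strings.
    """
    parts, base = split_dn(dn), split_dn(base_dn)
    if len(parts) < len(base):
        return False
    tail = [p.lower() for p in parts[-len(base):]]
    return tail == [b.lower() for b in base]


if __name__ == "__main__":
    fred = "cn=Fred Smith,dc=linux,dc=local"
    print(rdn(fred), "|", parent_dn(fred))
    print(split_dn(r"cn=Smith\, Fred,ou=People,dc=linux,dc=local"))
```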
LDAP File Locations
Server Training - Server Management
The file locations for OpenLDAP are important to find and understand, as it can be confusing if you are not sure which config file is making changes to your LDAP settings. One of the major keys to having success with OpenLDAP is to verify the existence and location of the files you need to work with. The example below separates the files based on whether your machine is a server or a client for LDAP. Yes, it can be both server and client, and then it will need all of the files.
Server Configuration Files
When you install OpenLDAP, you will find a directory is created called /etc/openldap. This directory will contain the necessary files for the configuration of your LDAP server. The main file for configuring the server is slapd.conf. Note that this lesson uses the legacy slapd.conf format; OpenLDAP 2.3 and later can instead keep the configuration in the cn=config database under /etc/openldap/slapd.d, which later CentOS releases use by default.
/etc/openldap/slapd.conf
This is the configuration file for the server. It holds the rootpw hash and the access control rules, so it should be readable only by root and the ldap user.
/etc/openldap/schema
Contains LDAP schema definitions, which are added to the slapd.conf file with:
include /etc/openldap/schema/some_schema
There is a specific redhat directory which is included in Red Hat or CentOS versions.
README cosine.schema java.schema openldap.schema
corba.schema dyngroup.schema misc.schema redhat
core.schema inetorgperson.schema nis.schema
The slapd.conf file configures which schemas will be used. Here is a listing of the default schemas.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
/var/lib/ldap
It is important that this directory be owned by ldap as this is where the database files will be located.
Client Configuration Files
/etc/ldap.conf
If the nss_ldap package is installed, which it will be, it creates this file, used by the PAM and NSS modules (pam_ldap and nss_ldap). This can easily be confused with the /etc/openldap/ldap.conf file of the same name.
/etc/openldap/ldap.conf
This is the configuration file for the client applications. This file will be the primary file for setting up the client to connect to your LDAP server.
LDAP Commands
Server Training - Server Management
There are several basic commands to run LDAP. The slap* tools (slapd, slapadd, slapcat, slapindex, slappasswd) are installed in /usr/sbin and, apart from slappasswd, must be run as root because they work on the database files directly. The ldap* client tools (ldapsearch, ldapadd, ldapmodify and so on) are installed in /usr/bin and can be run by any user who can reach the server.
Important: Because the slap commands work directly on the database files, they need to be run when the directory is off, so be sure to shut down LDAP before you run those commands. If you want to work with the directory while it is online, use the ldap commands.
slapd - this is the LDAP server daemon
slurpd - the legacy replication daemon that pushed changes to other LDAP servers (removed in OpenLDAP 2.4 in favour of syncrepl)
slapadd - this program is used to add LDIF files into the LDAP database
Example:
# slapadd -l users.ldif
slappasswd - it will create a hashed password that can be used with ldapmodify or with the rootpw directive. You have to copy and paste the hash into your file.
# slappasswd
New password:
Re-enter new password:
{SSHA}6i0fOQCvnjtbPi47I+1RWcRsOoLjUDNR
slapcat - dumps the entries of the LDAP database as LDIF
slapindex - reindexes the slapd database
ldapadd - adds entries to LDAP
Example:
ldapadd -x -D "cn=admin,dc=linux,dc=local" -W -f users.ldif
ldapdelete - deletes entries
ldapmodify - modifies LDAP entries. The "-W" option requests your bind password interactively.
Example:
ldapmodify -D "cn=admin,dc=linux,dc=local" -W -x -v -f /etc/openldap/users.ldif
ldapsearch - searches for entries. This example will search for all entries.
Example:
# ldapsearch -x -b "dc=linux,dc=local" "(objectclass=*)"
ldapcompare - asks the server whether an entry holds a given attribute value
ldapwhoami - reports the identity the server has associated with your bind
ldapmodrdn - renames entries by changing their RDN
ldap Command Options
Option  Description
-d integer  debugging level
-D binddn  the DN to use for binding to the LDAP server
-f filename  file that holds the LDIF entries
-H URI  LDAP URI of the server
-I  interactive mode for SASL
-k  enable Kerberos 4 authentication
-K  enable only the first step of Kerberos 4 authentication
-M  enable the ManageDsaIT control
-n  show what would be done, but do not perform the operation
-O security_properties  define SASL security properties
-P [2|3]  protocol version
-Q  suppress SASL messages
-R sasl_realm  define the SASL realm
-U username  username for SASL authentication
-v  verbose
-w password  specify the bind password on the command line (visible to other users in the process list and kept in shell history; prefer -W or -y)
-W  prompt for the bind password
-x  simple authentication
-X id  define the SASL authorization identity
-y passwdfile  read the password for simple bind from a file
-Y sasl_mechanism  SASL mechanism to use
-Z  issue a StartTLS request (-ZZ requires it to succeed)
Options Specific to ldapsearch
-a [never|always|search|find]  how to handle aliases
-A  return attribute names but not values
-b basedn  define the base DN
-F prefix  URL prefix
-l limit  time limit (seconds) for the search
-L  print results in LDIF format
-LL  print without comments
-LLL  print without comments or the LDIF version line
-s [sub|base|one]  define the scope
-S attribute  sort results by the value of this attribute
-u  include user-friendly names
-z limit  maximum number of entries to return
LDAP Logging
Server Training - Server Management
Configure Logging
You certainly want to look at the logging aspect as it is essential for troubleshooting. I hate to say it but you will have problems and this will make it easier.
The logging options should be placed in the slapd.conf file. The loglevel directive takes a number that represents the kind of information to be logged. Here are the options:
-1 all
0 no logging
1 trace function calls
2 packet-handling debugging
4 heavy trace debugging
8 connection management
16 packets sent and received
32 search filter processing
64 configuration file processing
128 access control list processing
256 statistics of connections, operations and results
512 statistics of entries sent
If you want several of these, add their values together and put the sum after the directive. For example, 256 + 32 + 8 = 296 logs connection statistics, search filter processing and connection management:
loglevel 296
Levels that dump packets can write the contents of simple binds to the log, so turn them on only while debugging and turn them off again afterwards.
slapd logs through syslog, to the LOCAL4 facility by default. Edit /etc/syslog.conf, add these lines for logging, and restart syslog.
# LDAP Logging
local4.debug /var/log/slapd.log
# service syslog reload
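Because the loglevel value is a sum of powers of two, a number such as 296 has to be pulled apart to see which categories it turns on, and a set of categories has to be added up to produce it. The following is an added example, not part of the lesson, that does both; the short names are the keywords from the slapd.conf(5) manual page, which newer slapd versions also accept in place of the numbers.

```python
# Added example (not from the lesson): encode and decode slapd's loglevel.
# Each category is one bit; the value after "loglevel" is their sum.
LOGLEVELS = {
    1: "trace",     # trace function calls
    2: "packets",   # packet handling
    4: "args",      # heavy trace debugging
    8: "conns",     # connection management
    16: "BER",      # packets sent and received
    32: "filter",   # search filter processing
    64: "config",   # configuration file processing
    128: "ACL",     # access control list processing
    256: "stats",   # statistics of connections, operations, results
    512: "stats2",  # statistics of entries sent
}

# Categories whose output can contain request contents, including bind
# credentials; worth flagging before a config goes to production.
VERBOSE_DEBUG = {"trace", "packets", "BER"}


def decode_loglevel(value: int) -> list:
    """Names of the categories enabled by an integer loglevel, lowest bit first."""
    if value == -1:
        return ["any"]
    return [name for bit, name in sorted(LOGLEVELS.items()) if value & bit]


def encode_loglevel(*names: str) -> int:
    """Integer to write after the loglevel directive for the named categories."""
    by_name = {name: bit for bit, name in LOGLEVELS.items()}
    return sum(by_name[n] for n in names)


def is_production_safe(value: int) -> bool:
    """False if the level includes any of the packet/trace dumping categories."""
    return not (VERBOSE_DEBUG & set(decode_loglevel(value))) and value != -1


if __name__ == "__main__":
    print(296, "->", decode_loglevel(296))              # conns, filter, stats
    print(encode_loglevel("conns", "filter", "stats"))  # 296
    print(decode_loglevel(0), decode_loglevel(-1))
```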
LDAP Server Install
Server Training - Server Management
LDAP Server Installation and Configuration
The LDAP server can be a little tricky when you set it up, so be careful to watch file locations and spelling so that you do not cause yourself more trouble than you need. Set up a basic LDAP that is working correctly before you start with a secure method of communication, like TLS.
Install with yum
yum install openldap-servers
The openldap-clients package is not needed on the server if all it will do is be a server. Note: The nss_ldap package, installed by default, contains libnss_ldap and pam_ldap, both of which you will need for the client. The pam_ldap module will help with the integration of LDAP and email, SSH, FTP, Samba, etc.
Configuration of LDAP
Whenever you need to create passwords, use the slappasswd application, which will create a hashed password for you. Create your user and then add the hashed password to the LDAP user. Never put a cleartext rootpw in slapd.conf, and keep the file readable only by root and the ldap user: whoever can read the rootpw line can attack the hash offline.
Create a root Password:
slappasswd
New password:
Re-enter new password:
{SSHA}qFOeJuRxMW6PBy+xSLhkyzdYKAUFcbfj
For linuxtrained, if you needed to create a new password for the admin user, you would use slappasswd and then copy the hash that was created and insert it in your /etc/openldap/slapd.conf.
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=linux,dc=local"
rootpw {SSHA}k1wLLf+cCUArjAt2BuFGe6OYdSiayIZd
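The {SSHA} values that slappasswd prints here and in the LDAP Commands lesson are salted SHA-1 hashes: base64 of the 20-byte SHA-1 digest of password plus salt, followed by the salt itself. The following is an added example, not code from the lesson or from OpenLDAP, that produces and verifies values in that format so you can see what the server compares at bind time; the 4-byte salt length is an assumption (slappasswd's default), any trailing bytes after the digest are treated as salt on verification. SHA-1 is weak by current standards; newer OpenLDAP releases offer stronger schemes (the contrib pw-sha2 module, and pw-argon2 in 2.5 and later).

```python
# Added example (not from the lesson): what a {SSHA} value from slappasswd is.
# {SSHA} = "{SSHA}" + base64( SHA1(password || salt) || salt ).
# Verification recovers the salt from the stored value, re-hashes the
# candidate and compares in constant time.
import base64
import hashlib
import hmac
import os

DIGEST_LEN = 20  # SHA-1 output size in bytes


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Produce a {SSHA} string; a random 4-byte salt is used when none is given."""
    if salt is None:
        salt = os.urandom(4)  # assumption: slappasswd's default salt length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SSHA} value (scheme tag is case-insensitive)."""
    if stored[:6].upper() != "{SSHA}":
        return False
    try:
        raw = base64.b64decode(stored[6:], validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) <= DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = ssha_hash("linux99")
    print(h)                              # paste this after rootpw, never the cleartext
    print(ssha_verify("linux99", h))      # True
    print(ssha_verify("linux98", h))      # False
```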
Preparation for Starting
Before starting LDAP you must set your database type for database #1, the suffix for your domain, your rootdn, the rootdn password and the directory location for your files. Note that linuxtrained.net is the domain that is used here. Edit /etc/openldap/slapd.conf and make the necessary changes.
database bdb
suffix "dc=linuxt,dc=local"
rootdn "cn=admin,dc=linuxt,dc=local"
rootpw {SSHA}k1wLLf+cCUArjAt2BuFGe6OYdSiayIZd
directory "/var/lib/ldap"
Before you can add your init.ldif you need to remove the old database files if you had old entries.
# rm -rf /var/lib/ldap/*
Create a /var/lib/ldap/DB_CONFIG file with these settings:
set_cachesize 0 15000000 1
set_lg_regionmax 262144
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE
Configure your init.ldif
Here are the three files you will need to add to get a basic setup.
init.ldif
dn: dc=linux,dc=local
dc: linux
objectClass: dcObject
objectClass: organizationalUnit
ou: Linux Dot Local

dn: ou=People,dc=linux,dc=local
ou: People
objectClass: organizationalUnit
users.ldif
dn: uid=joe,ou=people,dc=linux,dc=local
objectClass: inetOrgPerson
cn: Joe Smith
sn: Smith
uid: joe
userPassword: linux99
telephoneNumber: 123-222-0033
homePhone: 124-131-2256
mail:[email protected]: This is a test of LDAP.
admin.ldif
dn: cn=admin,ou=people,dc=linux,dc=local
objectclass: person
cn: admin
sn: admin
userPassword: linux99
Note that slapadd stores userPassword exactly as written, so a cleartext value such as linux99 in the LDIF ends up cleartext in the database. Put the hash printed by slappasswd there instead.
Add the init.ldif file to the LDAP system
# slapadd -l init.ldif
# slapadd -l users.ldif
# slapadd -l admin.ldif
Note that this program must be run as root; however, the server, due to security concerns, runs as the ldap user. Therefore, once you add an LDIF file you must change the ownership of the /var/lib/ldap directory.
Change Permissions
chown -R ldap:ldap /var/lib/ldap/
Now Start LDAP
service ldap start
tcp_wrappers with LDAP
Server Training - Server Management
Modify tcp_wrappers
If you are using tcp_wrappers, which you should be, you will need to provide an entry so that your slapd server is available. slapd only consults hosts.allow and hosts.deny if it was built with tcp_wrappers support (the --enable-wrappers build option). The daemon name it matches is slapd; the match is case-insensitive, so the upper-case SLAPD used below works.
Edit tcp_wrappers /etc/hosts.allow
SLAPD: ALL
Once you test that tcp_wrappers is working, you can add specific IP addresses and subnets to /etc/hosts.allow so that you can increase security.
SLAPD: 127.0.0.1 12.32.34.32
You can allow an entire subnet by leaving a "dot" at the end. For example, this will allow all machines on a subnet:
SLAPD: 127.0.0.1 192.168.3.
Whatever you do, be sure to allow the localhost, which is 127.0.0.1.
Edit /etc/hosts.deny
ALL: ALL
What that does is deny everything except what you allow in /etc/hosts.allow. tcp_wrappers consults hosts.allow first, then hosts.deny, and lets through anything that matches neither, so without this catch-all deny an address missing from hosts.allow would still be let in.
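The allow-then-deny-then-default-allow order above is easy to get wrong, and the trailing-dot prefix pattern matches more or less than people expect. The following is an added example, not part of the lesson and not the tcp_wrappers library itself, that models that decision for the patterns the lesson uses (ALL, an exact address, a dotted prefix) plus the net/mask form from hosts_access(5); hostnames, EXCEPT clauses and shell commands in rules are deliberately left out.

```python
# Added example (not from the lesson): how hosts.allow / hosts.deny decide.
# 1. hosts.allow: first matching rule grants access.
# 2. hosts.deny:  first matching rule denies access.
# 3. Nothing matched: access is granted.
# Simplified model: no hostnames, EXCEPT clauses or spawned commands.
import ipaddress


def parse_rules(text: str) -> list:
    """Turn a hosts.allow/hosts.deny file body into (daemon patterns, client patterns) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def client_matches(pattern: str, client_ip: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # "192.168.3." = whole network prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                         # "192.168.3.0/255.255.255.0" or CIDR
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return client_ip == pattern


def rule_matches(rule, daemon: str, client_ip: str) -> bool:
    daemons, clients = rule
    daemon_ok = any(d == "ALL" or d.lower() == daemon.lower() for d in daemons)
    return daemon_ok and any(client_matches(c, client_ip) for c in clients)


def access_allowed(daemon: str, client_ip: str, allow_text: str, deny_text: str) -> bool:
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(deny_text)):
        return False
    return True                                # matched neither file


if __name__ == "__main__":
    # Constructed sample files, mirroring the lesson's rules.
    ALLOW = "SLAPD: 127.0.0.1 192.168.3.\n"
    DENY = "ALL: ALL\n"
    for ip in ("127.0.0.1", "192.168.3.77", "192.168.30.5", "10.0.0.5"):
        print(ip, access_allowed("slapd", ip, ALLOW, DENY))
    # Same allow file but an empty hosts.deny: the stranger gets in.
    print("10.0.0.5 with empty hosts.deny:", access_allowed("slapd", "10.0.0.5", ALLOW, ""))
```

The 192.168.30.5 case shows why the trailing dot matters: "192.168.3." does not match it, whereas a pattern written without the dot would have matched anything beginning with 192.168.3 as a string.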
Firewall Set Up
Make sure you have allowed port 389 tcp on your firewall. Here is an example of the lokkit firewall, which is the default.
Start the LDAP Server
# /etc/init.d/slapd start
Verify that the server started by checking port 389, which is the default port. You should see the system listening on port 389.
netstat -aunt
You should see the port listening like so.
Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp    0      0      0.0.0.0:389      0.0.0.0:*        LISTEN
A local address of 0.0.0.0 means slapd accepts cleartext LDAP from every interface, which is why the tcp_wrappers and firewall rules above matter. Once the basic setup works, move clients to StartTLS or to ldaps on port 636 so that bind passwords do not cross the network in the clear.
Add System User
Server Training - Server Management
At times you will be adding LDAP to an existing server that has users already created. This script will help you add those users to your LDAP directory. Be sure to verify that the users were created correctly once it is complete.
Add System User with a Script
Note you will need to change the script for your domain and administrator: the migration tools default to dc=padl,dc=com, which the sed line rewrites, and the rewritten suffix must match the suffix in slapd.conf and the bind DN given to ldapadd.
#!/bin/bash
# Run as root so migrate_passwd.pl can read the password hash from /etc/shadow.
# Work in a private directory instead of predictable file names in /tmp.
workdir=$(mktemp -d) || exit 1
trap 'rm -rf "$workdir"' EXIT
# Anchor the pattern so that "bob" does not also pull in "bobby".
grep "^$1:" /etc/passwd > "$workdir/passwd"
/usr/share/openldap/migration/migrate_passwd.pl \
  "$workdir/passwd" "$workdir/user.ldif.tmp"
# The migration tools default to dc=padl,dc=com; rewrite it to your own suffix.
sed s/padl/example/ "$workdir/user.ldif.tmp" > "$workdir/user.ldif"
ldapadd -x -D "cn=admin,dc=linuxt,dc=local" -W -f "$workdir/user.ldif"
You will be prompted for the administrator's bind password (the -W option), not for a password for the new user; the user's existing password hash is carried over from /etc/shadow by migrate_passwd.pl, which is why the script has to run as root.
Then, to verify, you can search the database for information on the user you added.
ldapsearch -x -b "dc=linuxt,dc=local" "(objectclass=*)"
# sue, People, linuxtrained.net
dn: uid=sue,ou=People,dc=linuxt,dc=local
uid: sue
cn: sue
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 14407
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 504
gidNumber: 504
homeDirectory: /home/sue
Set Up LDAP Client
Server Training - Server Management
These client programs will need to be installed on each workstation that will access the LDAP server.
yum install openldap-clients
PAM
PAM, or Pluggable Authentication Modules, is used to centralize authentication of programs on the system. The pam_ldap module is used to connect LDAP with console logins, POP, IMAP and Samba. This module will allow users to have access to everything on the network which they have rights to, including a proxy server connection. PAM advantages include a common authentication process, flexible options for authentication and a library that allows additional development.
If you want standard PAM-enabled applications to use LDAP authentication, you will need to enable LDAP support using authconfig-tui.
Execute authconfig-tui from the command line:
Select Use LDAP and then Next.
Set up the Server IP Address and the Base DN.
The great thing about authconfig-tui is that it will modify /etc/pam.d/system-auth and, from this configuration file, add a line to each of the other files, so that you do not need to make modifications manually.
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
Notice how in this example one line is included so it works with system-auth, which is set up for LDAP.
/etc/pam.d/sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
You will not need to edit the nsswitch.conf file to add ldap to the databases consulted for passwords, as this will be done by authconfig-tui. Here is the default:
passwd: files
shadow: files
group: files
Look for these lines in the /etc/nsswitch.conf file and note the ldap that is added. Here "files" allows for a check of the password in /etc/passwd first and then a check in LDAP.
passwd: files ldap
shadow: files ldap
group: files ldap
There are several important configuration files you will need to know the location of.
/etc/openldap/ldap.conf - all client applications are configured here
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=linux,dc=local
URI ldap://192.168.5.102
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
A plain ldap:// URI means every bind from this client, including the passwords users type at login, crosses the network unencrypted. Once the setup works, switch to an ldaps:// URI or StartTLS and point TLS_CACERT at the CA certificate that signed the server's certificate.
If this is working correctly, when you use this command:
getent passwd
you should see output similar to /etc/passwd:
---cut---
mike:x:1000:1000:mike,,,:/home/mike:/bin/bash
snort:x:112:124:Snort IDS:/var/log/snort:/bin/false
postfix:x:113:125::/var/spool/postfix:/bin/false
It should list the accounts in /etc/passwd first and then any posixAccount objects.
Testing with ldapsearch
You should be able to run an ldapsearch command and get a return from the LDAP server of the information that you request.
# ldapsearch -x -b "dc=linux,dc=local" 'uid=bob'
# extended LDIF
#
# LDAPv3
# base <dc=linux,dc=local> with scope subtree
# filter: uid=bob
# requesting: ALL
#

# bob, linux.local
dn: uid=bob,dc=linux,dc=local
cn: Bob Green
uid: bob
uidNumber: 504
loginShell: /bin/sh
homeDirectory: /home/bob
gidNumber: 100
userPassword:: e2NyeXB0fU5EMlZYZWNlV1lEaWM=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
shadowLastChange: 14423
gecos: Bob Green
sn: Bob Green

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Notice that this anonymous search (-x with no -D) returned userPassword. That means the server's access rules let anyone read password hashes, which is exactly what the first lesson said you should almost never see. Before putting the server into use, restrict the userPassword attribute in slapd.conf's access rules so that only the entry itself can write it, anonymous clients can only authenticate against it, and nobody else can read it; then repeat this search and confirm the attribute is gone.
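The double colon in the userPassword lines of this listing and of the sue entry in the Add System User lesson means the value is base64-encoded, which hides the password scheme from a casual read. The following is an added example, not code from the lesson or from OpenLDAP: a minimal reader for the LDIF that ldapsearch and slapcat produce (plain values, base64 values, folded continuation lines, comments), followed by two checks on what it finds. The sample LDIF is constructed from the two entries shown on this page; the folded description line is added to exercise continuation handling.

```python
# Added example (not from the lesson): read ldapsearch/slapcat LDIF output
# and inspect the userPassword values it contains.
import base64

# Constructed sample, assembled from the sue and bob listings in the lessons.
SAMPLE_LDIF = """\
# sue, People, linuxt.local
dn: uid=sue,ou=People,dc=linuxt,dc=local
uid: sue
cn: sue
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
loginShell: /bin/bash
uidNumber: 504
gidNumber: 504
homeDirectory: /home/sue

# bob, linux.local
dn: uid=bob,dc=linux,dc=local
cn: Bob Green
uid: bob
userPassword:: e2NyeXB0fU5EMlZYZWNlV1lEaWM=
objectClass: posixAccount
description: a folded line continues
  on the next line
"""


def parse_ldif(text: str) -> list:
    """Return a list of entries, each mapping attribute -> list of str values."""
    entries = []
    current = None

    def handle(line: str) -> None:
        nonlocal current
        if not line or line.startswith("#") or line.startswith("version:"):
            return
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: base64"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):        # "attr:< url": keep the reference, never fetch it
            value = rest[1:].strip()
        else:                             # "attr: value"
            value = rest.strip()
        if attr == "dn":
            current = {"dn": [value]}
            entries.append(current)
        elif current is not None:
            current.setdefault(attr, []).append(value)

    pending = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and pending:
            pending.append(raw[1:])       # folded line: one leading space is removed
            continue
        if pending:
            handle("".join(pending))
        pending = [raw] if raw else []
    return entries


def password_scheme(entry: dict) -> str:
    """Scheme tag of the first userPassword ("{crypt}", "{SSHA}", ...), "cleartext", or "none"."""
    values = entry.get("userPassword", [])
    if not values:
        return "none"
    v = values[0]
    if v.startswith("{") and "}" in v:
        return v[: v.index("}") + 1]
    return "cleartext"


def is_locked_crypt(entry: dict) -> bool:
    """True for a migrated {crypt} value whose shadow field was "!", "!!" or "*" (no usable password)."""
    return any(v.lower().startswith("{crypt}") and v[7:8] in ("!", "*")
               for v in entry.get("userPassword", []))


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0], password_scheme(entry), "locked" if is_locked_crypt(entry) else "")
```

Decoding shows that sue's migrated value is {crypt}!! (her shadow entry had no password, so the LDAP account cannot log in until one is set), while bob's is a traditional 13-character crypt(3) hash, a scheme weak enough that a modern setup should rehash with slappasswd on the next password change.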
Troubleshooting a Non-booting Client
With CentOS, when you have the LDAP client set up you may see the client stop at:
Starting system message bus: dbus
If this occurs, edit the /etc/ldap.conf file and set bind_policy to soft.
bind_policy soft
With the default hard policy, nss_ldap keeps retrying the LDAP server when it cannot be reached, so any boot-time daemon that looks up a user blocks until the server answers; soft makes the lookup fail quickly and fall through to the local files. It will start slowly, but it will boot.
What is LDAP
Lightweight Directory Access Protocol
Based on X.500
Directory service (RFC1777)
Stores attribute based data
Data generallly read more than written to No transactions
No rollback
Hierarchical data structure
Entries are in a tree-like structure called Directory Information Tree (DIT)
Hierarchical
Flat
Client-server model
Consistent view of data
Answers request
Refer to server with answer
Referrals
Client requests information
Server 1 returns referral to server 2
Client resends request to server 2
Server 2 returns information to client
Global View
Based on entries
Collection of attributes
Has a distinguished name (DN) - like domain name
Acronyms
LDAP - Lightweight Directory Access Protocol
DN - Distinguished Name
RDN - Relative Distinguished Name
DIT - Directory Information Tree
LDIF - LDAP Data Interchange Format
OID - Object Identifier
LDIF
LDAP Data Interchange Format
Represents LDAP entries in text
Human readable format
Allows easy modification of data
ldbmcat converts ldbm database to ldif
ldif2ldbm converts ldif back to ldbm database
Example extract
dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
uid: bmarshal
cn: Brad Marshall
objectclass: account
objectclass: posixAccount
objectclass: top
loginshell: /bin/bash
uidnumber: 500
gidnumber: 120
homedirectory: /mnt/home/bmarshal
gecos: Brad Marshall,,,,
userpassword: {crypt}KDnOoUYN7Neac
Schema
Set of rules that describes what kind of data is stored
Helps maintain consistency and quality of data
Reduces duplication of data
Object class attribute determines schema rules the entry must follow
Schema contains the following:
Required attributes
Allowed attributes
How to compare attributes
Limit what the attributes can store - ie, restrict to integer etc
Restrict what information is stored - ie, stops duplication etc
Attribute abbreviations
See RFC2256
uid - User id
cn - Common Name
sn - Surname
l - Locality
ou - Organisational Unit
o - Organisation
dc - Domain Component
st - State
c - Country
Search Filters
Criteria for attributes that must be fulfilled for entry to be returned
Base dn = base object entry search is relative to
Prefix notation
Standards
RFC 1960: LDAP String Representation of Search Filters
RFC 2254: LDAPv3 Search Filters
Operators
& = and
| = or
! = not
~= = approx equal
>= = greater than or equal
LDAP URL format (RFC 1959):

<ldapurl>       ::= "ldap://" [ <hostport> ] "/" <dn> [ "?" <attributes> [ "?" <scope> "?" <filter> ] ]
<hostport>      ::= <hostname> [ ":" <portnumber> ]
<dn>            ::= a string as defined in RFC 1485
<attributes>    ::= NULL | <attributelist>
<attributelist> ::= <attributetype> | <attributetype> [ "," <attributelist> ]
<attributetype> ::= a string as defined in RFC 1777
<scope>         ::= "base" | "one" | "sub"
<filter>        ::= a string as defined in RFC 1558
Explanations:
DN - Distinguished name
Attribute list - List of attributes you want returned
Scope - base = base object search; one = one level search; sub = subtree search
Filter - Standard LDAP search filter
Examples:
ldap://foo.bar.com/dc=bar,dc=com
ldap://argle.bargle.com/dc=bar,dc=com??sub?uid=barney
ldap://ldap.bedrock.com/dc=bar,dc=com?cn?sub?uid=barney
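The three URLs above decompose into the grammar's fields with the RFC 1959 defaults (port 389, all attributes, scope base, filter (objectClass=*)) filled in where a field is empty. The following Python is an added example, not code from the original page: it parses an ldap:// URL into those fields and maps them onto the ldapsearch command used elsewhere in this document. Two assumptions are mine: a filter written without parentheses, as the examples above do, is wrapped in them, and a fourth "?" component (the extensions field RFC 4516 added later) is rejected rather than parsed.

```python
# Added example (not from the original page): parse RFC 1959 ldap:// URLs into
# their components and map them onto ldapsearch arguments. Defaults follow the
# RFC: port 389, all attributes, scope "base", filter "(objectClass=*)".
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote


@dataclass
class LdapUrl:
    host: Optional[str]     # None means "use the client's default server"
    port: int
    dn: str
    attributes: List[str]   # empty list means all user attributes
    scope: str              # "base", "one" or "sub"
    filter: str


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, rest = url.partition("://")
    if scheme.lower() != "ldap" or not sep:
        raise ValueError("only ldap:// URLs are handled here")
    hostport, sep, path = rest.partition("/")
    if not sep:
        raise ValueError("an LDAP URL needs a '/' before the DN")
    host, port = None, 389
    if hostport:
        if ":" in hostport:                 # IPv6 literals are not handled in this example
            host, _, p = hostport.rpartition(":")
            port = int(p)
        else:
            host = hostport
    parts = path.split("?")
    if len(parts) > 4:
        # RFC 4516 later added a 4th "?extensions" field; RFC 1959 (shown above) has none.
        raise ValueError("too many '?' separated components")
    dn = unquote(parts[0])
    attributes = [a for a in unquote(parts[1]).split(",") if a] if len(parts) > 1 else []
    scope = parts[2].lower() if len(parts) > 2 and parts[2] else "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    filt = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectClass=*)"
    if not filt.startswith("("):
        filt = f"({filt})"                  # assumption: bare "uid=barney" means "(uid=barney)"
    return LdapUrl(host, port, dn, attributes, scope, filt)


def ldapsearch_args(u: LdapUrl) -> List[str]:
    """Equivalent OpenLDAP ldapsearch command line as an argv list (simple anonymous bind)."""
    args = ["ldapsearch", "-x"]
    if u.host:
        args += ["-H", f"ldap://{u.host}:{u.port}"]
    args += ["-b", u.dn, "-s", u.scope, u.filter] + u.attributes
    return args
```

Returning an argv list rather than a shell string means a DN or filter taken from a URL is never interpreted by a shell; pass it to subprocess.run() as-is.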
LDAP command line tools
ldapadd, ldapmodify
Used to add or modify ldap entries
$ ldapmodify -r -D 'cn=foo,dc=bar,dc=com' -W < /tmp/user.ldif

ldapdelete
Used to delete entries
$ ldapdelete -D 'cn=foo,dc=bar,dc=com' -W 'cn=user,dc=bar,dc=com'

ldapsearch
Used to search ldap servers
$ ldapsearch -L -D 'cn=foo,dc=bar,dc=com' -W 'objectclass=posixAccount'
Installing and Configuring LDAP
Servers
Slapd
University of Michigan
Openldap
Netscape Directory Server
Microsoft Active Directory (AD)
Novell Directory Services (NDS)
Sun Directory Services (SDS)
Lucent's Internet Directory Server (IDS)
Openldap
LDAP Server architecture
LDAP daemon called slapd
Choice of databases
LDBM - high performance disk based db
SHELL - db interface to unix commands
PASSWORD - simple password file db
SQL - mapping sql to ldap (in OpenLDAP 2.x)
Multiple database instances
Access control
Threaded
Replication
LDAP Architecture
Replication daemon called slurpd
Frees slapd from worrying about hosts being down etc
Communicates with slapd through text file
Replication Architecture
Replication
Increases:
Reliability - if one copy of the directory is down
Availability - more likely to find an available server
Performance - can use a server closer to you
Speed - can take more queries as replicas are added
Temporary inconsistencies are ok
Having replicas close to clients is important - the network going down is the same as the server going down
Removes single point of failure
Replication Options
a. All modifications go to the master LDAP server
b. Using referrals
1. Client sends modification to replica
2. Replica returns referral to master
3. Client resubmits modification to master
4. Master returns results to client
5. Master updates replica with change
c. Using chaining
1. Client sends modification to replica
2. Replica forwards request to master
3. Master returns result to replica
4. Replica forwards result to client
5. Master updates replica
Example slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/slapd.at.conf
include /etc/openldap/slapd.oc.conf
schemacheck off

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

defaultaccess read

access to attr=userpassword
    by self write
    by * read

access to *
    by self write
    by dn=".+" read
    by * read

#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
suffix "dc=pisoftware, dc=com"
rootdn "cn=Manager, dc=pisoftware, dc=com"
rootpw {crypt}lAn4J@KmNp9
replica host=cox.staff.plugged.com.au:389
    binddn="cn=Manager,dc=pisoftware,dc=com"
    bindmethod=simple credentials=secret
replogfile /var/lib/openldap/replication.log
# cleartext passwords, especially for the rootdn, should
# be avoided. See slapd.conf(5) for details.
directory /var/lib/openldap/

Two things to notice before copying this. The userpassword ACL ends with by * read, which lets every client, anonymous ones included, read everyone's password hashes; the usual form in OpenLDAP 2.x is by self write, by anonymous auth, by * none, so the attribute can be used for binding but never retrieved. The replica line also carries the manager password in cleartext (credentials=secret), exactly what the comment near the end of the file warns against, and one more reason the file must not be world readable.
slapd.conf ACLs
LDAP Applications
Application Architecture
Using Multiple Applications
System Authentication
Uses RFC2307
Migration
Uses PADL's MigrationTools
Script Migrates
migrate_fstab.pl /etc/fstab
migrate_group.pl /etc/group
migrate_hosts.pl /etc/hosts
migrate_networks.pl /etc/networks
migrate_passwd.pl /etc/passwd
migrate_protocols.pl /etc/protocols
migrate_rpc.pl /etc/rpc
migrate_services.pl /etc/services
These scripts are called on the appropriate file in /etc in the following manner:
# ./migrate_passwd.pl /etc/passwd ./passwd.ldif
The migration tools also provide scripts to automatically migrate all configuration to LDAP, using
migrate_all_{online,offline}.sh. See the README distributed with the package for more details.
Example LDIF
dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
uid: bmarshal
cn: Brad Marshall
objectclass: account
objectclass: posixAccount
objectclass: top
loginshell: /bin/bash
uidnumber: 500
gidnumber: 120
homedirectory: /mnt/home/bmarshal
gecos: Brad Marshall,,,,
userpassword: {crypt}aknbKIfeaxs

dn: cn=sysadmin,ou=Group,dc=pisoftware,dc=com
objectclass: posixGroup
objectclass: top
cn: sysadmin
gidnumber: 160
memberuid: bmarshal
memberuid: dwood
memberuid: jparker
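The LDIF shown here and in the earlier "Example extract" is what the migration scripts emit and what ldapadd consumes, so it is worth being able to read it programmatically before loading it. The Python below is an added example, not code from the original page or from PADL's tools: a small LDIF reader that handles folded lines and base64 ("::") values like the userPassword in the ldapsearch output earlier, followed by two checks a practitioner runs on migrated data, namely whether each entry carries the MUST attributes of its object classes (RFC 2307 for posixAccount and posixGroup, RFC 2256 for person) and whether any userPassword is stored without a {scheme} prefix, which means cleartext. SAMPLE_LDIF reuses the bob and sysadmin entries from this document and adds one deliberately broken entry, uid=broken, constructed for the demonstration.

```python
# Added example (not from the original page): a small LDIF reader that handles
# folded lines and base64 ("::") values, plus two checks a practitioner would run
# on the result: MUST attributes per object class and the userPassword scheme.
# SAMPLE_LDIF reuses the bob and sysadmin entries shown on this page and adds
# one deliberately broken entry (uid=broken) constructed for the demonstration.
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# MUST attributes (lower-cased): posixAccount/posixGroup from RFC 2307, person from RFC 2256.
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
    "person": {"cn", "sn"},
}


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into dicts of lower-cased attribute -> list of values."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:       # folded line: drop one space, append the rest
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:                   # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if value.startswith(":"):                 # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        elif value.startswith("<"):
            raise ValueError("attr:< URL values are not supported here")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def missing_required(entry: Entry) -> Dict[str, set]:
    """For each object class with a known schema, the MUST attributes the entry lacks."""
    problems = {}
    for oc in entry.get("objectclass", []):
        need = REQUIRED.get(oc.lower())
        if need and need - set(entry):
            problems[oc] = need - set(entry)
    return problems


def password_scheme(entry: Entry):
    """'crypt', 'ssha', ... from the {SCHEME} prefix; 'cleartext' if there is none; None if unset."""
    for pw in entry.get("userpassword", []):
        return pw[1:pw.index("}")].lower() if pw.startswith("{") and "}" in pw else "cleartext"
    return None


def audit(text: str) -> List[str]:
    """Human-readable findings for every entry in an LDIF file."""
    findings = []
    for e in parse_ldif(text):
        dn = e.get("dn", ["?"])[0]
        for oc, missing in missing_required(e).items():
            findings.append(f"{dn}: {oc} requires {sorted(missing)}")
        if password_scheme(e) == "cleartext":
            findings.append(f"{dn}: userPassword stored in cleartext")
    return findings


SAMPLE_LDIF = """\
# bob, as returned by the ldapsearch earlier (ldapsearch emits userPassword base64-encoded)
dn: uid=bob,dc=linux,dc=local
cn: Bob Green
uid: bob
uidNumber: 504
loginShell: /bin/sh
homeDirectory: /home/bob
gidNumber: 100
userPassword:: e2NyeXB0fU5EMlZYZWNlV1lEaWM=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
sn: Bob Green

dn: cn=sysadmin,ou=Group,dc=pisoftware,dc=com
objectclass: posixGroup
objectclass: top
cn: sysadmin
gidnumber: 160
memberuid: bmarshal
memberuid: dwood
memberuid: jparker

# constructed for this example: no homeDirectory, cleartext password, a folded line
dn: uid=broken,ou=People,dc=example,dc=com
objectClass: posixAccount
cn: Broken Account
uid: broken
uidNumber: 9999
gidNumber: 100
userPassword: hunter2
description: this value continues
  on the next line
"""
```

Attribute names are lower-cased on the way in because LDAP attribute types are case-insensitive; the page itself spells the same attribute uidNumber in one listing and uidnumber in another, and a check that compared them literally would report false positives.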
Installation
Install from PADL
pam_ldap
nss_ldap
/etc/ldap.conf

BASE dc=foo,dc=com
HOST ldap.server.com
pam_crypt local
/etc/nsswitch.conf
Add ldap to the passwd, shadow and group entries in /etc/nsswitch.conf. Be aware of the effects ofputting it first or last.
/etc/pam.d
You need a similar file for every application that should use LDAP.
/etc/pam.d/ssh
From RedHat 6.2
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_pwdb.so shadow nullok try_first_pass
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    sufficient   /lib/security/pam_ldap.so
session    required     /lib/security/pam_pwdb.so

Because the pam_ldap lines are marked sufficient, a successful LDAP authentication ends the auth stack immediately: pam_nologin is listed after it and is therefore never consulted for LDAP users. Put auth required pam_nologin.so first if /etc/nologin is meant to apply to them as well.
Apache user auth
Download mod_auth_ldap.tar.gz from http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
Install either as a DSO or by compiling in - see webpage for more details
Add the following to httpd.conf
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "RCS Staff only"
AuthType Basic
LDAP_Server ldap.server.com
LDAP_Port 389
Base_DN "dc=server,dc=com"
UID_Attr uid
#require valid-user
require user foo bar doe
#require roomnumber "C119 Center Building"
#require group cn=sysadmin,ou=Group,dc=server,dc=com

AuthType Basic sends the browser's password base64-encoded, not encrypted, so this block belongs on an HTTPS site; likewise LDAP_Port 389 without TLS carries the same password in cleartext from Apache to the directory.
Squid ACLs
Compile ldap_auth.c from http://www.uia.ua.ac.be/u/dbruyne/squid-ldap/
Add the following to squid.conf:
authenticate_program /usr/local/squid/bin/ldap_auth
authenticate_options ldap.yourdomain.com 389 dc=yourdomain,dc=com uid
authenticate_children 2
Restart squid
LDAP (Lightweight Directory Access Protocol) has a reputation for being complicated, but I hope to dispel that myth and explain exactly how LDAP works in this simple introduction to some of the basic concepts.
What is LDAP?
LDAP is a lightweight protocol for accessing directory servers. Okay, so what is a directory server? It'sa hierarchical object orientated database. If that makes you want to run away screaming, don't worry,it'll get worse before it gets better.
Only joking. This guide should make learning LDAP easy. Let's go through that description bit by bit, starting at the end. It's a database, which means we can store data in it. If you've used relational databases like MySQL, it won't look like anything you're used to, but like a relational database it allows you to store your data in a user-defined structure.
The second part of our description was object orientated. In LDAP our database is a collection ofobjects. Like in OO programming, objects are instances of a particular class. A class defines the set ofattributes that an object may contain. Classes can inherit from other classes to add additional attributes.
LDAP has some differences from the usual OO semantics, which will be explained in the next section.The final part of our description was hierarchical. Every object in LDAP can contain one or more sub-objects. The result is a tree with the trunk being the root of the directory and the branches and leavesbeing the objects in the directory. In this way we can build up our database into an easy to navigate,structured database.
Lightweight? Lightweight? What crack are you on?
Sometimes you wonder how anyone could describe this complicated mess as lightweight. Thelightweight is in reference to the previous leading standard for directory services, called X.500. Theproblem with X.500 was that it required the use of the OSI network stack and couldn't use TCP/IP. It
was also rather more complicated. LDAP only uses 9 of the operations that X.500 supported, and canuse the simpler TCP/IP networking stack.
Objects and Classes
As I mentioned, data stored in LDAP is stored in objects. These objects contain a number of attributes, which are basically a set of key/value pairs. Because data in LDAP is structured, objects can only contain valid keys, and which keys are valid is dependent on what class the object is. Classes in LDAP can define mandatory attributes and optional attributes and their type.

To confuse matters (and this is where LDAP deviates from most OO systems) objects can have more than one class, and there are several types of class.

The first type is the structural class. An object must have one and only one structural class. Structural classes tend to map to physical objects like a person or a network. Once an object has been created the structural class can not be changed without destroying the object and creating it again.
Auxiliary classes define additional attributes to complement structural classes. Objects may have manyauxiliary classes and can be added and removed after the object has been created.
Finally there are abstract classes, which can not be used directly by objects, but can be used by otherclasses through inheritance.
Classes are assigned to objects using the objectClass attribute. LDAP defines some basic classes, types and comparison methods by default, but you are free to define your own.
Examples
It's well and good me telling you all this, but it probably won't make sense until I show you some examples. A common use for LDAP is an address book, so you could use the person class, which is structural. It defines sn and cn as mandatory attributes and userPassword, telephoneNumber, seeAlso and description as optional fields. A couple of those attributes probably need explaining. sn is surname and cn is common name, which we can use to store the person's full name. The dashed line in the image marks the mandatory and optional attributes.
But what if we wanted to store addresses in the object too? Then we could use organizationalPerson, which inherits from the person class but adds title, street, postalAddress and postalCode, among several other attributes. Because it inherits from person we still have sn and cn. There is an even more comprehensive class called inetOrgPerson.
Another common use for LDAP is authentication of user accounts. For this, we can use the posixAccount class. This is an auxiliary class and adds cn, uid, uidNumber, gidNumber and homeDirectory as mandatory attributes and userPassword, loginShell, gecos and description as optional attributes. Because posixAccount is auxiliary, we can add it to our person object for people we want to be able to authenticate.
Distinguished Names
One very important aspect I have omitted to mention is the dn or distinguished name. This is a unique name used to refer to a particular object in the tree. It is made up of the dn of the parent object prefixed with one key/value pair of the object itself (its relative distinguished name, or RDN), which must be unique among that parent's children. For example, if you stored your address book under ou=People,dc=example,dc=com, a common location, my details would have a dn of cn=David Pashley,ou=People,dc=example,dc=com and Bill Gates would have a dn of cn=Bill Gates,ou=People,dc=example,dc=com. As you can see, each level in the hierarchy is separated by a comma. It is possible to have multi-attribute RDNs by putting a + between the attribute=value pairs. Distinguished names are not actually attributes of objects.
Database Layout
I should explain that ou is an organizational unit and dc is a domain component. In our database we store all our objects below dc=example,dc=com, which is called the base dn because it is the base of our database. While you don't need to use a unique base dn for your database, it is common practice to do so, and more important if you intend to make your database publicly available. Originally databases were based on your location (o=Catnip,l=Brighton,st=Sussex,c=uk), but it is now much more common to use a DNS domain that you own as the base dn (dc=catnip,dc=org,dc=uk).
Earlier we used ou in a dn. This is merely a class for grouping our data into sections for administrative ease. There are no rules that force you to organise your database in any particular way, but there are several common ways of laying out databases. The actual layout of the directory tends not to matter much to applications using the directory, as they can do recursive (subtree) queries for the objects they are interested in. We could have our address book in ou=People,dc=example,dc=com and a list of computers in ou=Computers,dc=example,dc=com. If we had a very simple database we could easily mix both into one location and have people and computers as sub-objects of dc=example,dc=com. Alternatively, if we had a very large authentication database, we could go the other way and split the people into several organizational units mirroring their departments, so we could have the sales department in ou=Sales,dc=example,dc=com and marketing in ou=Marketing,dc=example,dc=com. Using this scheme you could delegate control of the sales tree to the Sales Manager and of the marketing tree to the Marketing Manager, which may not be possible with other schemes.
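Both the distinguished-name section above and the delegation scheme just described depend on handling DNs correctly: splitting a DN into its RDNs without being fooled by an escaped comma, treating cn=x+uid=y as one multi-valued RDN, and deciding whether an entry really sits inside the subtree a manager has been delegated. The Python below is an added example, not code from the original page: it parses DNs with RFC 4514 escaping, derives the parent DN, and checks subtree membership RDN by RDN, alongside the plain string suffix check people often reach for first so the difference is visible. All DNs used here are constructed for the illustration (the David Pashley and Sales examples are the page's own; the rest are mine).

```python
# Added example (not from the original page): parse distinguished names into RDNs,
# honouring RFC 4514 escaping (\, and \2c) and multi-valued RDNs joined with '+', then
# use the parsed form to decide whether an entry lies inside a delegated subtree.
# All DNs in the tests are constructed for the illustration.
import re
from typing import List, Tuple

RDN = List[Tuple[str, str]]   # one RDN; more than one pair when written a=b+c=d


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, skipping separators that are preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])          # keep the escape pair intact for now
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(v: str) -> str:
    """RFC 4514 section 3: backslash + special character, or backslash + two hex digits."""
    return re.sub(r"\\([0-9a-fA-F]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1), v)


def _escape(v: str) -> str:
    """Inverse of _unescape for the characters RFC 4514 requires to be escaped."""
    out = []
    for i, ch in enumerate(v):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(v) - 1)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Leftmost RDN first; attribute types lower-cased, values unescaped."""
    if not dn.strip():
        return []
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn_text, "+"):
            attr, sep, value = ava.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"malformed RDN {ava!r}")
            avas.append((attr.strip().lower(), _unescape(value.strip())))
        rdns.append(sorted(avas))   # so cn=x+uid=y and uid=y+cn=x compare equal
    return rdns


def format_dn(rdns: List[RDN]) -> str:
    return ",".join("+".join(f"{a}={_escape(v)}" for a, v in rdn) for rdn in rdns)


def parent_dn(dn: str) -> str:
    return format_dn(parse_dn(dn)[1:])


def _norm(rdns: List[RDN]) -> List[RDN]:
    return [[(a, v.lower()) for a, v in rdn] for rdn in rdns]   # caseIgnore comparison


def is_within(dn: str, base: str) -> bool:
    """True if dn equals base or is subordinate to it, compared RDN by RDN."""
    d, b = _norm(parse_dn(dn)), _norm(parse_dn(base))
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def naive_is_within(dn: str, base: str) -> bool:
    """The string check people reach for first; shown only to contrast with is_within."""
    return dn.lower().endswith(base.lower())
```

The contrast case is an entry whose cn contains an escaped comma: cn=foo\,ou=Sales,dc=example,dc=com is a direct child of dc=example,dc=com, not of ou=Sales, yet the suffix check accepts it. An authorization decision built on the string check would let anyone who can create such an entry name their way into the Sales Manager's delegated tree.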