ldap all in one,ldap configuration

Upload: reddybathina

Post on 03-Apr-2018


7/28/2019 LDAP All in one,ldap configuration

see attributes like CN, Common Name, which takes the values Barbara Jensen and Babs Jensen. You further see attributes like SN, surname, which takes the value Jensen, and mail, which takes the value [email protected].

You also see some objectClass attribute values. The objectClass attribute tells you what other attribute types the entry can have. Object class definitions are found in the directory schema. The schema specifies all the known object classes and attribute types available for entries in the directory. You can add schema definitions to LDAP directories, making LDAP entries easily extensible.

When you want to look up something in a directory, you typically know the value of one of the attributes. By analogy, if you want to look up a phone number, you already know the name of the person or organization whose telephone number you want. If you are looking up a phone number, you also probably have some idea where the person or organization is located. The same is the case for LDAP directories. You typically need to have some idea where the entry is located.

For example, assume you want to look up Barbara Jensen's phone number in the LDAP directory holding the entry shown previously. You need to know one of the attributes. In this case, you know Barbara's name. You also need to know approximately where her entry is located. If you know that she is in the directory at Example.com, and that the root of their tree starts at dc=example,dc=com, that is enough.

There are GUI tools out there for LDAP lookups, but many systems also have a command called ldapsearch. You guessed it, ldapsearch is for searching LDAP directories. Here is an ldapsearch command that searches the entries under dc=example,dc=com for entries having common name Barbara Jensen.

    $ ldapsearch -b dc=example,dc=com "(cn=Barbara Jensen)"

The argument to the -b option is the base DN for the search. By default, the ldapsearch command searches through all the entries in the tree below the base DN. The "(cn=Barbara Jensen)" is called the filter, because it tells the server the criteria for filtering the entries found under the base DN. If you have set everything up correctly, your search returns something very much like the entry shown above, except that you almost surely will not see the userPassword attribute and its value, because a correctly configured server does not disclose it to ordinary clients. You can also narrow the search results to see only the DN of the entry and the telephone number. You do this by adding the attribute or attributes you want returned after the filter.

    $ ldapsearch -b dc=example,dc=com "(cn=Barbara Jensen)" telephoneNumber

    If everything works as expected, this search returns a partial entry.

dn: uid=bjensen,ou=People,dc=example,dc=com
telephoneNumber: +1 408 555 1862
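The filter string is parsed by the server, so a name taken from user input must be escaped before it is placed inside "(cn=...)"; otherwise a value such as "*" or "Barbara*)(uid=admin" changes the meaning of the search. The following is an added example, not code from the original lesson: a small POSIX shell function that applies the RFC 4515 escaping rules and builds the telephoneNumber lookup shown above. The -x (simple bind) and -LLL (no comments) options are assumed here; the lookup command is printed rather than run, so the example works without a directory server.

```sh
#!/bin/sh
# Added example (not from the original page): escape untrusted text before
# using it in an LDAP search filter (RFC 4515). The characters \ * ( ) and
# NUL must be written as \5c \2a \28 \29 \00; NUL cannot occur in a shell
# string, so only the other four are handled here.
ldap_filter_escape() {
    # backslash first, so the escapes added afterwards are not escaped again
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  \
                           -e 's/)/\\29/g'
}

# Build an equality filter on cn from a raw (possibly hostile) name.
cn_filter() {
    printf '(cn=%s)' "$(ldap_filter_escape "$1")"
}

# Print the ldapsearch command for the page's phone-number lookup against
# dc=example,dc=com.  The filter is single-quoted so the shell does not
# expand anything inside it; -x and -LLL are assumed options, not from the page.
phone_lookup_cmd() {
    printf "ldapsearch -x -LLL -b dc=example,dc=com '%s' telephoneNumber\n" \
        "$(cn_filter "$1")"
}

phone_lookup_cmd 'Barbara Jensen'          # the page's lookup, unchanged
phone_lookup_cmd 'Barbara*)(uid=admin'     # injection attempt, now harmless
```

Run the printed command against a real server to see that the second filter matches nobody instead of turning into two filters.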


    Basics of LDAP

    Server Training - Server Management

    Lightweight Directory Access Protocol (LDAP)

This course will help you understand the benefits of LDAP as well as the implementation of LDAP. The Open
collaborative effort to develop a robust, commercial-grade, fully featured, and open source LDAP suite of adevelopment tools. The project is managed by a worldwide community of volunteers that use the Internet to develop the OpenLDAP Suite and its related documentation.


    Course Difficulty

The course level is for an Experienced Linux Administrator. LDAP is not easy and in fact can be very frust provide several LDAP courses with increasing difficulty and options. The first course is Basic LDAP use w creation of a User Whitepages. The second LDAP course will be how to use the Open Source graphical too LDAP and the third course will be the use of LDAP with Samba. The course is designed for a CentOS syst Ubuntu Client and Ubuntu Server.

    LDAP File Locations

    LDAP Commands

    LDAP Logging

    LDAP Server Install

    tcp_wrappers with LDAP

    Add System User

    Set Up LDAP Client

    Project: LDAP White Pages

    Course Support

    The course author, among others, will be available for questions in the Forum.

Quizzes

The quizzes are there to help you focus on the key points made about each distro. Caution: You will only be time and that score will be recorded. So before you take the quiz be sure you understand all of the features on

    Community

    Be sure to check out the Community Page with information on other courses and Community Discounts on


    OIDs

    A globally unique OID helps define each element of the schema you are using. The OIDs are based upon a

    Attributes

Attribute information is described by an attributeType. The attribute name is what is specified from one piece homePhone could be an attribute name representing a person's phone number.

    Object Classes

When you group attribute data you will be using an objectClass. This means that all the data in the object c

DIT (Directory Information Tree)

The top of the tree is called the Base DN; this is what names the database. The importance of the Base DN come under this object. So when you name the object make sure this is the top most object you want. There you can organize after you establish the base. You could organize based on regional areas. So for example you would create are based on areas that your company is involved in like Japan, Europe, China, US, etc. Y situation where built containers based on function. In that situation you may end up creating users multiple functions. No matter how you describe your functions there will be the cross over that will require a lot mo companies may design containers based on business function. Here you may have a sales, research, shippi

LDIF (LDAP Data Interchange Format)

LDIF is the format for storing data in the directory system. This format creates entries for your directory th LDAP Data Interchange Format is a plain text file that describes the organization. LDIF is a file format for entri provides a method of mapping attributes to values and it may contain directives for the parser.

    Indexing

Indexes will improve the search performance of the directory. You have a number of indexes available to u

Presence - lists entries that contain a specific attribute (homePhone)
Equality - entries that contain a specific attribute and value (homePhone=442-345-7656)
Approximate - entries close to the search filter ("sounds like" matching)
Substrings - wildcard searches (homePhone=*-345-*)


In this example, the top entry is the distinguished name (DN), which looks like this in the LDIF:

dc=linux,dc=local

# LDIF listing for the entry dn: dc=beginlinux,dc=net
dn: dc=linux,dc=local
objectClas

    When you view this entry the standard is to have the attribute, a colon and then the value.

    attribute: value

    dc: linux

Understanding the distinction between the distinguished name (DN) and the relative distinguished name (RDN) is this example for Fred Smith; his entry will look like this:

    dn: cn=Fred Smith,dc=linux,dc=local

    cn: Fred Smith

    ou: People


The DN is cn=Fred Smith,dc=linux,dc=local

This takes into account the entire directory tree structure. The RDN only takes in a part of the directory tree. It is the leftmost component of the DN, and it only has to be unique among the entries directly under the same parent.

RDN is cn=Fred Smith

Attributes are designed to hold values. Each attribute type has a data type (syntax) and matching rules.

This data type specifies what type of information can be stored in the variable, along with certain other rule the variable's value to the data stored in another variable of the same type.

    LDAP File Locations

    Server Training - Server Management

The file locations for OpenLDAP are important to find and understand, as it can be confusing if you are not sure which config file is making changes to your LDAP settings. One of the major keys to having success with OpenLDAP is to verify the existence and location of the files you need to work with. The example below separates the files based on whether your machine is a server or a client for LDAP. Yes, it can be both server and client, and then it will need all of the files.


Server Configuration Files

When you install OpenLDAP, you will find a directory is created called /etc/openldap. This directory will contain the necessary files for the configuration of your LDAP server. The main file for configuring the server is slapd.conf. This applies to the slapd.conf style of setup used throughout these lessons; OpenLDAP 2.3 and later can instead keep a dynamic configuration in the /etc/openldap/slapd.d directory (the cn=config backend), and current releases treat slapd.conf as deprecated.

    /etc/openldap/slapd.conf

    This is the configuration file for the server.

    /etc/openldap/schema

Contains LDAP schema definitions, which are added to the slapd.conf file with:

include /etc/openldap/schema/some_schema

There is a specific redhat directory which is included in Red Hat or CentOS versions:

README          cosine.schema          java.schema     openldap.schema
corba.schema    dyngroup.schema        misc.schema     redhat
core.schema     inetorgperson.schema   nis.schema

The slapd.conf file configures which schemas will be used. Here is a listing of the default schemas.

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema


    /var/lib/ldap

    It is important that this directory be owned by ldap as this is where the database files will be located.

    Client Configuration Files

    /etc/ldap.conf

If the nss_ldap package is installed, which it will be, it creates this file, used by the PAM and NSS modules. This can easily be confused with /etc/openldap/ldap.conf, the client-library file of the same name.

    /etc/openldap/ldap.conf

This is the configuration file for the client applications (the libldap defaults read by ldapsearch, ldapadd and the other ldap* tools). This file will be the primary file for setting up the client to connect to your LDAP server.

LDAP Commands

Server Training - Server Management

There are several basic commands to run LDAP. The slap* tools (slapd, slapadd, slapcat, slapindex, slappasswd) are installed in the /usr/sbin directory and must be run as root; the ldap* client tools (ldapsearch, ldapadd, ldapmodify and so on) are installed in /usr/bin and can be run by any user who is allowed to bind to the directory.


Important: The slap commands work on the database files directly, so they need to be run when the directory is off; be sure to shut down LDAP before you run those commands. If you want to work with the directory while it is online, use the ldap commands, which talk to slapd over the protocol.

slapd - this is the LDAP server daemon

slurpd - the daemon that synchronizes with other LDAP servers (slurpd was removed in OpenLDAP 2.4; replication is done with syncrepl instead)

slapadd - this program is used to add LDIF files into LDAP

Example:
# slapadd -l users.ldif

slappasswd - it will create a hashed password that can be used with ldapmodify, or as the rootpw. You have to copy and paste the hash into your file.

# slappasswd
New password:
Re-enter new password:
{SSHA}6i0fOQCvnjtbPi47I+1RWcRsOoLjUDNR

slapcat - retrieves entries from the LDAP directory (dumps the database as LDIF)

slapindex - reindexes the slapd directory


ldapadd - adds entries to LDAP

Example:
ldapadd -x -D "cn=admin,dc=linux,dc=local" -W -f users.ldif

ldapdelete - deletes entries

ldapmodify - modifies LDAP entries. The "-W" option will prompt you for the bind password.

Example:
ldapmodify -D "cn=admin,dc=linux,dc=local" -W -x -v -f /etc/openldap/users.ldif

ldapsearch - searches for entries. This example will search for all entries.

Example:
# ldapsearch -x -b "dc=linux,dc=local" "(objectclass=*)"

ldapcompare - compares a given attribute value against an entry and reports TRUE or FALSE

ldapwhoami - runs the Who Am I? extended operation, showing the identity you are bound as

ldapmodrdn - renames an entry by modifying its RDN

ldap Command Options

Option                   Description
-d integer               debugging level
-D binddn                the DN to use for binding to the LDAP server
-f filename              file that holds the LDIF entries
-H URI                   the LDAP URI of the server
-I                       interactive mode for SASL
-k                       enable Kerberos 4 authentication
-K                       enable only the first step of Kerberos 4 authentication
-M                       enable the ManageDsaIT control
-n                       do not perform the operation (show what would be done)
-O security_properties   define SASL security properties
-P [2|3]                 protocol version
-Q                       suppress SASL messages
-R sasl_realm            define the SASL realm
-U username              username for SASL authentication
-v                       verbose
-w password              specify the password on the command line
-W                       prompt for the password
-x                       simple authentication
-X authzid               define the SASL authorization identity
-y passwdfile            read the password for the simple bind from a file
-Y sasl_mechanism        SASL mechanism to use
-Z                       issue a StartTLS request

Prefer -W or -y over -w: a password given with -w shows up in the process list and in the shell history.


Options Specific to ldapsearch

Option                          Description
-a [never|always|search|find]   how to handle aliases
-A                              return attribute names but not values
-b basedn                       define the base DN
-F prefix                       URL prefix for files
-l limit                        time limit (seconds) for the search
-L                              print the result in LDIF format
-LL                             print without comments
-LLL                            print without comments or version
-s [sub|base|one]               define the scope
-S attribute                    sort the results by that attribute's value
-u                              include user-friendly names
-z limit                        maximum number of entries to return

    LDAP Logging

Server Training - Server Management

Configure Logging

You certainly want to look at logging, as it is essential for troubleshooting. You will have problems, and logging makes them easier to find.


The logging options should be placed in the slapd.conf file. The loglevel directive takes a number that represents the type of information to be saved. Here are the options:

-1    all (any)
0     no logging
1     trace function calls
2     packet-handling debugging
4     heavy trace debugging
8     connection management
16    packets sent and received
32    search filter processing
64    configuration file processing
128   access control list processing
256   statistics of connections, operations and results
512   statistics of entries sent

The values are a bit mask. If you want to log several of these, add the values together and place the resulting integer after the directive. For example, 296 = 256 + 32 + 8 logs connection statistics, search filter processing and connection management:

loglevel 296

slapd sends its log messages to syslog with the local4 facility. Edit /etc/syslog.conf, add these lines for logging and restart syslog.

# LDAP Logging
local4.debug    /var/log/slapd.log


    # service syslog reload
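Because loglevel is a sum of powers of two, it is easy to write a value that does not mean what you intended or to forget what an existing value covers. The following is an added example, not code from the original lesson: two POSIX shell functions that build a loglevel from category names and decode an integer back into names, using the category values listed above (the names are the ones used in slapd.conf(5); 128 is the ACL category that the lesson's list leaves out).

```sh
#!/bin/sh
# Added example (not from the original page): compose and decode slapd
# "loglevel" values.  Each category is a power of two and the directive
# takes their sum, so "loglevel 296" is 256 + 32 + 8 (stats, filter, conns).
# -1 ("any") is handled separately.  name:value pairs per slapd.conf(5).
LOGLEVELS="trace:1 packets:2 args:4 conns:8 BER:16 filter:32 config:64 ACL:128 stats:256 stats2:512"

# loglevel_sum NAME... -> the integer to put after "loglevel"; exit 1 on a
# name that is not in the table (bit-or, so repeating a name is harmless)
loglevel_sum() {
    total=0
    for name in "$@"; do
        found=
        for pair in $LOGLEVELS; do
            if [ "${pair%%:*}" = "$name" ]; then
                total=$((total | ${pair#*:})); found=1
            fi
        done
        if [ -z "$found" ]; then
            echo "unknown log category: $name" >&2; return 1
        fi
    done
    echo "$total"
}

# loglevel_decode INTEGER -> the category names that make it up; bits that
# match nothing in the table are reported as unknown(N) instead of dropped
loglevel_decode() {
    value=$1; out=
    if [ "$value" -eq -1 ]; then echo any; return 0; fi
    for pair in $LOGLEVELS; do
        bit=${pair#*:}
        if [ $((value & bit)) -ne 0 ]; then
            out="$out ${pair%%:*}"
            value=$((value - bit))
        fi
    done
    if [ "$value" -ne 0 ]; then out="$out unknown($value)"; fi
    echo "${out# }"
}

loglevel_sum conns filter stats     # 296, the value used in this lesson
loglevel_decode 296                 # conns filter stats
```

Use loglevel_decode on the number you find in an existing slapd.conf before changing it; "stats" (256) is the level that records who bound and what they searched for, which is the one you usually want kept on a production server.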

LDAP Server Install

Server Training - Server Management

    LDAP Server Installation and Configuration

The LDAP server can be a little tricky when you set it up, so be careful to watch file locations and spelling so that you do not cause yourself more trouble than you need. Set up a basic LDAP that is working correctly before you start with a secure method of communication, like TLS.


    Install with yum

    yum install openldap-servers

The clients package is not needed on the server if all it will do is act as a server. Note: The nss_ldap package, installed by default, contains libnss_ldap and pam_ldap, both of which you will need on the client. pam_ldap provides the integration of LDAP with email, SSH, FTP, Samba, etc.

    Configuration of LDAP

Whenever you need to create passwords use the slappasswd application, which will create a hashed password for you (by default a salted SHA-1 hash, written as {SSHA}; the password is hashed, not encrypted, so it cannot be recovered from the stored value). Create your user and then add the password to the LDAP user.

Create a root password:

# slappasswd
New password:
Re-enter new password:
{SSHA}qFOeJuRxMW6PBy+xSLhkyzdYKAUFcbfj

For linuxtrained, if you needed to create a new password for the admin user, you would use slappasswd, copy the hash that was created and insert it into your /etc/openldap/slapd.conf:

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,dc=linux,dc=local"
rootpw          {SSHA}k1wLLf+cCUArjAt2BuFGe6OYdSiayIZd
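An {SSHA} value is base64 of the 20-byte SHA-1 of password||salt followed by the salt, and slappasswd picks a fresh random salt each time, so two hashes of the same password never look alike and a hash can only be checked, never compared. The following is an added example, not code from the original lesson, for the slappasswd output shown above and in the LDAP Commands section: a POSIX shell checker that tells you whether a given password produced a given {SSHA} string (useful when nobody remembers which of several old rootpw lines is current), plus a generator with a caller-supplied salt so the result is reproducible. It assumes the openssl command-line tool is installed; the password and salt used at the bottom are made up for the example.

```sh
#!/bin/sh
# Added example (not from the original page): verify and generate OpenLDAP
# {SSHA} password hashes.  Format: "{SSHA}" + base64( sha1(pw || salt) || salt ).
# Assumes the openssl CLI is available.

# ssha_make PASSWORD SALT -> prints {SSHA}...  (slappasswd uses a random
# salt; a fixed one is taken here only so the output is reproducible)
ssha_make() {
    {
        printf '%s%s' "$1" "$2" | openssl dgst -sha1 -binary
        printf '%s' "$2"
    } | openssl base64 -A | sed 's/^/{SSHA}/'
}

# ssha_verify HASH PASSWORD -> exit 0 if PASSWORD produced HASH, 1 if it
# did not, 2 if HASH is not an {SSHA} value at all
ssha_verify() {
    case $1 in '{SSHA}'*) ;; *) return 2 ;; esac
    tmp=$(mktemp -d) || return 2
    printf '%s' "$1" | sed 's/^{SSHA}//' | openssl base64 -d -A > "$tmp/raw"
    head -c 20 "$tmp/raw" > "$tmp/digest"     # stored SHA-1 digest
    tail -c +21 "$tmp/raw" > "$tmp/salt"      # everything after it is the salt
    { printf '%s' "$2"; cat "$tmp/salt"; } | openssl dgst -sha1 -binary > "$tmp/calc"
    if cmp -s "$tmp/digest" "$tmp/calc"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# constructed demonstration values, not from the page
h=$(ssha_make 'linux99' 'salt1234')
echo "$h"
if ssha_verify "$h" 'linux99'; then echo "linux99: match"; fi
if ssha_verify "$h" 'wrong'; then :; else echo "wrong: no match"; fi
```

To check a rootpw line from slapd.conf, pass the {SSHA} string and the candidate password to ssha_verify and look at the exit status; do not put real passwords on the command line on a shared machine, since they end up in the process list and shell history.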

    Preparation for Starting

Before starting LDAP you must set your database type for Database #1, the suffix for your domain, your rootdn, the rootdn password and the directory location for your files. The example uses dc=linux,dc=local as the suffix (the original lessons were written for the domain linuxtrained.net). Whatever you choose, the suffix, the rootdn and every DN in the LDIF files you load must share the same base, or slapadd will refuse the entries. Edit /etc/openldap/slapd.conf and make the necessary changes.

database        bdb
suffix          "dc=linux,dc=local"
rootdn          "cn=admin,dc=linux,dc=local"
rootpw          {SSHA}k1wLLf+cCUArjAt2BuFGe6OYdSiayIZd
directory       "/var/lib/ldap"

Before you can add your init.ldif you need to remove the old database files if you had old entries (this destroys any existing directory data):

# rm -rf /var/lib/ldap/*

Create a /var/lib/ldap/DB_CONFIG file with these settings:

set_cachesize 0 15000000 1
set_lg_regionmax 262144
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE

Configure your init.ldif

Here are the three files you will need to add to get a basic setup.

init.ldif

dn: dc=linux,dc=local
dc: linux
objectClass: dcObject
objectClass: organizationalUnit
ou: Linux Dot Local

dn: ou=People,dc=linux,dc=local
ou: People
objectClass: organizationalUnit

users.ldif

dn: uid=joe,ou=people,dc=linux,dc=local
objectClass: inetOrgPerson
cn: Joe Smith
sn: Smith
uid: joe
userPassword: linux99
telephoneNumber: 123-222-0033


homePhone: 124-131-2256
mail: [email protected]
description: This is a test of LDAP.

admin.ldif

dn: cn=admin,ou=people,dc=linux,dc=local
objectclass: person
cn: admin
sn: admin
userPassword: linux99

A userPassword written like this is stored exactly as typed, in cleartext, and slapd will hand it back to anyone allowed to read the attribute. Generate the value with slappasswd and paste the {SSHA} hash instead, as was done for rootpw. Note also that this admin entry (cn=admin,ou=people,dc=linux,dc=local) is an ordinary directory entry and is not the rootdn from slapd.conf (cn=admin,dc=linux,dc=local); the two are different identities with different passwords.

Add the LDIF files to the LDAP system:

# slapadd -l init.ldif
# slapadd -l users.ldif
# slapadd -l admin.ldif

Note that this program must be run as root; however, the server, due to security concerns, runs as the ldap user. Therefore, once you add an LDIF file you must change the ownership of the /var/lib/ldap directory.

Change Permissions

chown -R ldap:ldap /var/lib/ldap/

Now Start LDAP

service ldap start

    tcp_wrappers with LDAP

    Server Training - Server Management

    Modify tcp_wrappers

If you are using tcp_wrappers, which you should be, you will need to provide an entry so that your slapd server is available.


Edit tcp_wrappers /etc/hosts.allow:

SLAPD: ALL

Once you have tested that tcp_wrappers is working, you can add specific IP addresses and subnets to /etc/hosts.allow to increase security:

SLAPD: 127.0.0.1 12.32.34.32


You can allow an entire subnet by leaving a "dot" at the end. For example, this will allow all machines on a subnet:

    SLAPD: 127.0.0.1 192.168.3.

    Whatever you do be sure to allow the localhost which is 127.0.0.1.

    Edit /etc/hosts.deny

    ALL: ALL

    What that does is deny everything except what you allow in the /etc/hosts.allow.

    Firewall Set Up

Make sure you have allowed port 389/tcp on your firewall (and 636/tcp as well if you later serve ldaps). The lessons configure this with lokkit, the default firewall tool on CentOS.

    Start the LDAP Server

# /etc/init.d/slapd start

(The init script is called ldap on CentOS and slapd on Ubuntu.) Verify that the server started by checking port 389, which is the default port. You should see the system listening on port 389:

# netstat -aunt

Proto Recv-Q Send-Q Local Address        Foreign Address      State
tcp        0      0 0.0.0.0:389          0.0.0.0:*            LISTEN


    Add System User

    Server Training - Server Management

At times you will be adding LDAP to an existing server that has users already created. This script will help you add those users to your LDAP directory. Be sure to verify that the users were created correctly once it is complete.


    Add System User with a Script

    Note you will need to change the script for your domain and administrator.

#!/bin/bash
# Add one existing system user to LDAP.  Change the base DN and admin DN
# for your domain.
user=$1
tmp=$(mktemp -d) || exit 1
# anchor on "name:" so that "sue" does not also pick up "sueann"
grep "^${user}:" /etc/passwd > "$tmp/passwd"
/usr/share/openldap/migration/migrate_passwd.pl \
    "$tmp/passwd" "$tmp/user.ldif.tmp"
# migrate_passwd.pl emits dc=padl,dc=com by default; rewrite it to our suffix
sed 's/dc=padl,dc=com/dc=linux,dc=local/' "$tmp/user.ldif.tmp" > "$tmp/user.ldif"
ldapadd -x -D "cn=admin,dc=linux,dc=local" -W -f "$tmp/user.ldif"
rm -rf "$tmp"

You will be prompted for the admin bind password (the -W option). The user's own password is not asked for: the migration script carries the hash over from the system account.

Then to verify, you can search the database for information on the user you added:

ldapsearch -x -b "dc=linux,dc=local" "(objectclass=*)"

# sue, People, linux.local
dn: uid=sue,ou=People,dc=linux,dc=local
uid: sue
cn: sue
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 14407
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 504
gidNumber: 504
homeDirectory: /home/sue

The double colon after userPassword means the value is base64-encoded: e2NyeXB0fSEh decodes to {crypt}!!, the locked-account marker from /etc/shadow, so sue has no usable password in LDAP until one is set with ldappasswd or ldapmodify. Check for this after every migration; an account that was locked on the old system must not silently become unlocked, and one that had a password must not end up with none.
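The script above leaves the passwd-to-LDIF mapping to migrate_passwd.pl and does not look at what came back. The following is an added example, not code from the original lesson or from the PADL migration tools: a POSIX shell function that performs the same mapping for one user from a passwd line and its shadow line, producing the attribute set visible in sue's entry above, with two checks the lesson's script lacks: the user name is matched exactly rather than as a substring, and accounts whose shadow hash is empty, "!!", "!"-prefixed or "*" are rejected with a distinct exit status instead of being imported as {crypt}!!. The sample passwd and shadow lines are constructed for the example (the hashes are not real), and the base DN is the lesson's dc=linux,dc=local.

```sh
#!/bin/sh
# Added example (not from the original page): build the posixAccount/
# shadowAccount LDIF for one system user, refusing locked accounts.
BASEDN="dc=linux,dc=local"

# Constructed sample files standing in for /etc/passwd and /etc/shadow
# (made-up users and hashes, not from the page or any real system).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
sue:x:504:504::/home/sue:/bin/bash
sueann:x:505:505:Sue Ann,,,:/home/sueann:/bin/bash
bob:x:506:100:Bob Green:/home/bob:/bin/sh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
sue:!!:14407:0:99999:7:::
sueann:$1$abcdefgh$ThisIsNotARealHash0123456:14410:0:99999:7:::
bob:abJnggxhB/yWI:14423:0:99999:7:::
EOF

# passwd_to_ldif USER PASSWD_FILE SHADOW_FILE -> LDIF on stdout
# exit 1: user not present; exit 3: account has no usable password hash
passwd_to_ldif() {
    user=$1; pwfile=$2; shfile=$3
    # anchored on "name:" so that "sue" does not also match "sueann"
    pwline=$(grep "^$user:" "$pwfile") || return 1
    shline=$(grep "^$user:" "$shfile") || return 1
    set -f; old_ifs=$IFS; IFS=:            # split on ':'; -f stops '*' globbing
    set -- $pwline; uid=$3; gid=$4; gecos=$5; home=$6; shell=$7
    set -- $shline; hash=$2; lastchg=$3; max=$5; warn=$6
    IFS=$old_ifs; set +f
    case $hash in
        ''|'!'*|'*'*)
            echo "$user: no usable password hash in shadow ('$hash')" >&2
            return 3 ;;
    esac
    cn=${gecos%%,*}                        # full name is the first gecos field
    printf 'dn: uid=%s,ou=People,%s\n' "$user" "$BASEDN"
    printf 'uid: %s\ncn: %s\n' "$user" "${cn:-$user}"
    printf 'objectClass: account\nobjectClass: posixAccount\n'
    printf 'objectClass: top\nobjectClass: shadowAccount\n'
    printf 'userPassword: {crypt}%s\n' "$hash"
    printf 'shadowLastChange: %s\nshadowMax: %s\nshadowWarning: %s\n' "$lastchg" "$max" "$warn"
    printf 'loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n' \
        "$shell" "$uid" "$gid" "$home"
}

passwd_to_ldif bob "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
passwd_to_ldif sue "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" || echo "sue skipped (exit $?)"
# on a real host:  passwd_to_ldif bob /etc/passwd /etc/shadow | ldapadd -x -D "cn=admin,$BASEDN" -W
```

Reading /etc/shadow requires root, which is why the lesson runs the migration as root; the LDIF it produces contains the password hashes, so write it to a private temporary directory as shown and remove it afterwards.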

    Set Up LDAP Client

Server Training - Server Management

These client programs will need to be installed on each workstation that will access the LDAP server.


    yum install openldap-clients

    PAM

    PAM or Pluggable Authentication Modules are used to centralize authentication of programs on the

system. The pam_ldap module is used to connect LDAP with console logins, POP, IMAP and Samba. This module will allow users to have access to everything on the network to which they have rights, including a proxy server connection. PAM's advantages include a common authentication process, flexible options for authentication and a library that allows additional development.

If you want standard PAM-enabled applications to use LDAP authentication, you will need to enable LDAP support using authconfig-tui.

    Execute the authconfig-tui from the command line:

    Select the Use of LDAP and then Next.


Set up the server IP address and the Base DN.

The great thing about authconfig-tui is that it will modify /etc/pam.d/system-auth, and since the other service files include this one, you do not need to make modifications manually.

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Read the generated stack before trusting it: pam_unix is tried first, so local accounts keep working if the directory is down, and the pam_succeed_if lines keep system accounts (uid below 500) away from LDAP. The nullok option on pam_unix allows local accounts with an empty password to log in; remove it unless you need that.

Notice how in this example one line is included so it works with the system-auth file, which is set up for LDAP.

/etc/pam.d/sshd

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

You will not need to edit the nsswitch.conf file to add ldap to the sources consulted for passwords, as this will be done by authconfig-tui. Here is the default:

passwd: files
shadow: files
group:  files

Look for these lines in the /etc/nsswitch.conf file and note the ldap that is added. Here files first means the password is checked in /etc/passwd first and then in LDAP.

passwd: files ldap
shadow: files ldap
group:  files ldap

    There are several important configuration files you will need to know the location of.

/etc/openldap/ldap.conf - all client applications are configured here

# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=linux,dc=local
URI     ldap://192.168.5.102
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

A plain ldap:// URI sends simple-bind passwords and directory data across the network in cleartext. Once the basic setup works, switch to an ldaps:// URI or to StartTLS (the -Z option on the client tools), with the CA certificate named by TLS_CACERT in this file, before real credentials go into the directory.

If this is working correctly, when you use this command:

getent passwd

you should see /etc/passwd-like output:

---cut---
mike:x:1000:1000:mike,,,:/home/mike:/bin/bash
snort:x:112:124:Snort IDS:/var/log/snort:/bin/false
postfix:x:113:125::/var/spool/postfix:/bin/false

It should list the accounts in /etc/passwd first and then any posixAccount objects.

    Testing with ldapsearch

    You should be able to run an ldapsearch command and get a return from the LDAP server of the information that you request.

    # ldapsearch -x -b "dc=linux,dc=local" 'uid=bob'
    # extended LDIF
    #


    # LDAPv3
    # base with scope subtree
    # filter: uid=bob
    # requesting: ALL
    #

    # bob, linux.local
    dn: uid=bob,dc=linux,dc=local
    cn: Bob Green
    uid: bob
    uidNumber: 504
    loginShell: /bin/sh
    homeDirectory: /home/bob
    gidNumber: 100
    userPassword:: e2NyeXB0fU5EMlZYZWNlV1lEaWM=
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: person
    shadowLastChange: 14423
    gecos: Bob Green
    sn: Bob Green

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
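The ldapsearch output above is LDIF, so it can be parsed and audited offline. Here is an added example (not from the original page) that parses such output, including the base64 "userPassword::" line, and reports how each entry's password is stored; the sample text is the entry above re-typed and abridged as a constructed string.

```python
# Added example, not from the original page: parse ldapsearch/LDIF output
# (base64 "::" values, folded continuation lines, comments, blank-line entry
# separators) and report how userPassword values are stored. SAMPLE_LDIF is
# the entry returned by the ldapsearch above, re-typed and abridged.
import base64
import re

SAMPLE_LDIF = """\
# bob, linux.local
dn: uid=bob,dc=linux,dc=local
cn: Bob Green
uid: bob
uidNumber: 504
userPassword:: e2NyeXB0fU5EMlZYZWNlV1lEaWM=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
sn: Bob Green

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return a list of entries, each {attribute (lowercased): [values]}."""
    entries, current = [], {}
    unfolded = re.sub(r"\n ", "", text)          # RFC 2849 line folding
    for line in unfolded.splitlines() + [""]:    # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:                  # drop trailers such as "result: 0"
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>" (binary or non-ASCII)
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def password_schemes(entries):
    """Map DN -> [(scheme, hash)] for every userPassword value; a value without
    a {SCHEME} prefix is stored in cleartext."""
    report = {}
    for e in entries:
        for pw in e.get("userpassword", []):
            m = re.match(r"\{([^}]+)\}(.*)", pw, re.S)
            report.setdefault(e["dn"][0], []).append(
                (m.group(1).lower(), m.group(2)) if m else ("cleartext", pw))
    return report


def weak_password_entries(entries):
    """DNs whose passwords are cleartext, unsalted {MD5}/{SHA}, or 13-character
    {crypt} values (traditional DES crypt(3), as in the sample above)."""
    return sorted(dn for dn, values in password_schemes(entries).items()
                  if any(s in ("cleartext", "md5", "sha") or (s == "crypt" and len(h) == 13)
                         for s, h in values))
```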

    Troubleshooting a Non-booting Client

    With CentOS, when you have the LDAP client set up you may see the client stop at:

    Starting system message bus :dbus

    If this occurs edit the /etc/ldap.conf file and modify the bind_policy to soft.

    bind_policy soft

    It will start slowly, but it will boot.


    What is LDAP

    Lightweight Directory Access Protocol

    Based on X.500

    Directory service (RFC1777)

    Stores attribute based data

    Data generally read more than written to

    No transactions

    No rollback

    Hierarchical data structure

    Entries are in a tree-like structure called Directory Information Tree (DIT)

    Hierachial

    Flat

    Client-server model

    Consistent view of data

    Answers request

    Refer to server with answer

    Referrals

    Client requests information

    Server 1 returns referral to server 2

    Client resends request to server 2

    Server 2 returns information to client

    Global View

    Based on entries

    Collection of attributes

    Has a distinguished name (DN) - like domain name

    Acronyms

    LDAP - Lightweight Directory Access Protocol

    DN - Distinguished Name

    RDN - Relative Distinguished Name

    DIT - Directory Information Tree

    LDIF - LDAP Data Interchange Format

    OID - Object Identifier

    LDIF

    LDAP Data Interchange Format

    Represents LDAP entries in text

    Human readable format

    Allows easy modification of data

    ldbmcat converts ldbm database to ldif

    ldif2ldbm converts ldif back to ldbm database

    Example extract

    dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
    uid: bmarshal
    cn: Brad Marshall
    objectclass: account
    objectclass: posixAccount
    objectclass: top
    loginshell: /bin/bash
    uidnumber: 500
    gidnumber: 120
    homedirectory: /mnt/home/bmarshal
    gecos: Brad Marshall,,,,
    userpassword: {crypt}KDnOoUYN7Neac

    Schema

    Set of rules that describes what kind of data is stored

    Helps maintain consistency and quality of data

    Reduces duplication of data

    Object class attribute determines schema rules the entry must follow

    Schema contains the following:

    Required attributes

    Allowed attributes

    How to compare attributes

    Limit what the attributes can store - i.e., restrict to integer etc.

    Restrict what information is stored - i.e., stops duplication etc.

    Attribute abbreviations

    See RFC2256

    uid - User id

    cn - Common Name

    sn - Surname

    l - Location

    ou - Organisational Unit

    o - Organisation

    dc - Domain Component

    st - State

    c - Country

    Search Filters

    Criteria for attributes that must be fulfilled for an entry to be returned

    Base DN = base object entry the search is relative to

    Prefix notation

    Standards

    RFC 1960: LDAP String Representation of Search Filters

    RFC 2254: LDAPv3 Search Filters

    Operators

    & = and

    | = or

    ! = not

    ~= = approx equal

    >= = greater than or equal


    <hostport> ::= <hostname> [ ":" <portnumber> ]
    <dn> ::= a string as defined in RFC 1485
    <attributes> ::= NULL | <attributelist>
    <attributelist> ::= <attributetype> | <attributetype> [ "," <attributelist> ]
    <attributetype> ::= a string as defined in RFC 1777
    <scope> ::= "base" | "one" | "sub"
    <filter> ::= a string as defined in RFC 1558

    Explanations:

    DN - Distinguished name

    Attribute list - List of attributes you want returned

    Scope - base = base object search, one = one level search, sub = subtree search

    Filter - Standard LDAP search filter

    Examples:

    ldap://foo.bar.com/dc=bar,dc=com

    ldap://argle.bargle.com/dc=bar,dc=com??sub?uid=barney

    ldap://ldap.bedrock.com/dc=bar,dc=com?cn?sub?uid=barney
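The prefix-notation filters and the URL form above can be exercised with this added example (not from the original page): it splits an LDAP URL into base, attribute list, scope and filter, parses the filter with a small recursive-descent parser, and runs it over constructed entries. The entries are constructed, and the approximate-match operator, which real servers define themselves, is treated as plain equality here.

```python
# Added example, not from the original page: a parser and evaluator for search
# filters in the prefix notation of RFC 2254, driven by an LDAP URL of the form
# ldap://host/base?attrs?scope?filter and run over constructed entries.
from urllib.parse import urlsplit, unquote

ENTRIES = [  # constructed sample data; attribute names are lowercased
    {"dn": "uid=barney,ou=people,dc=bar,dc=com", "uid": ["barney"],
     "cn": ["Barney Rubble"], "uidnumber": ["501"], "objectclass": ["posixAccount"]},
    {"dn": "uid=fred,ou=people,dc=bar,dc=com", "uid": ["fred"],
     "cn": ["Fred Flintstone"], "uidnumber": ["500"], "objectclass": ["posixAccount"]},
]
SCOPES = {"base": lambda dn, b: dn == b,                         # the base entry only
          "one": lambda dn, b: dn.partition(",")[2] == b,        # its direct children
          "sub": lambda dn, b: dn == b or dn.endswith("," + b)}  # the whole subtree

def parse_filter(text):  # '(&(a=1)(!(b=2)))' -> nested tuples; bare 'uid=bob' is wrapped
    text = text.strip()
    node, rest = _parse(text if text.startswith("(") else "(" + text + ")")
    if rest:
        raise ValueError("trailing data after filter: " + rest)
    return node

def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at: " + s)
    s = s[1:]
    if s[0] in ("&", "|", "!"):             # prefix-notation boolean operators
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        return (op, kids), s[1:]            # drop this node's closing ')'
    item, s = s.split(")", 1)
    for op in ("~=", ">=", "<=", "="):      # two-character operators before '='
        if op in item:
            attr, val = item.split(op, 1)
            return (op, attr.lower(), val), s
    raise ValueError("bad filter item: " + item)

def matches(node, entry):
    op = node[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    vals = entry.get(attr, [])
    if op == "=" and val == "*":            # presence filter, e.g. (mail=*)
        return bool(vals)
    for v in vals:                          # '~=' is server-defined; treated as '=' here
        if op in ("=", "~=") and v.lower() == val.lower():
            return True
        if op in (">=", "<=") and v.isdigit() and val.isdigit():
            if (int(v) >= int(val)) if op == ">=" else (int(v) <= int(val)):
                return True
    return False

def search(url, entries=ENTRIES):  # apply the URL's base, scope, filter and attribute list
    u = urlsplit(url)
    base, attrs, scope, flt = ((unquote(u.path[1:]) + "?" + u.query).split("?") + [""] * 3)[:4]
    node = parse_filter(flt or "(objectclass=*)")
    want = [a.lower() for a in attrs.split(",") if a]
    return [{k: v for k, v in e.items() if k == "dn" or not want or k in want}
            for e in entries if SCOPES[scope or "base"](e["dn"], base.lower()) and matches(node, e)]
```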

    LDAP command line tools

    ldapadd, ldapmodify - Used to add or modify ldap entries

    $ ldapmodify -r -D 'cn=foo,dc=bar,dc=com' -W < /tmp/user.ldif

    ldapdelete - Used to delete entries

    $ ldapdelete -D 'cn=foo,dc=bar,dc=com' -W 'cn=user,dc=bar,dc=com'

    ldapsearch - Used to search ldap servers

    $ ldapsearch -L -D 'cn=foo,dc=bar,dc=com' 'objectclass=posixAccount'

    Installing and Configuring LDAP

    Servers

    Slapd

    University of Michigan


    Openldap

    Netscape Directory Server

    Microsoft Active Directory (AD)

    Novell Directory Services (NDS)

    Sun Directory Services (SDS)

    Lucent's Internet Directory Server (IDS)

    Openldap

    LDAP Server architecture

    LDAP daemon called slapd

    Choice of databases

    LDBM - high performance disk based db

    SHELL - db interface to unix commands

    PASSWORD - simple password file db

    SQL - mapping sql to ldap (in OpenLDAP 2.x)

    Multiple database instances

    Access control

    Threaded

    Replication

    LDAP Architecture

    Replication daemon called slurpd

    Frees slapd from worrying about hosts being down etc

    Communicates with slapd through text file

    Replication Architecture

    Replication

    Increases:

    Reliability - if one copy of the directory is down

    Availability - more likely to find an available server

    Performance - can use a server closer to you

    Speed - can take more queries as replicas are added

    Temporary inconsistencies are ok

    Having replicas close to clients is important - the network going down is the same as the server going down

    Removes single point of failure


    Replication Options

    a. All modifications go to the master LDAP server

    b. Using referrals

    1. Client sends modification to replica
    2. Replica returns referral to master
    3. Client resubmits modification to master
    4. Master returns results to client
    5. Master updates replica with change

    c. Using chaining

    1. Client sends modification to replica
    2. Replica forwards request to master
    3. Master returns result to replica
    4. Replica forwards result to client
    5. Master updates replica

    Example slapd.conf

    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include /etc/openldap/slapd.at.conf
    include /etc/openldap/slapd.oc.conf
    schemacheck off

    pidfile /var/run/slapd.pid
    argsfile /var/run/slapd.args

    defaultaccess read

    access to attr=userpassword
        by self write
        by * read

    access to *
        by self write
        by dn=".+" read
        by * read

    #######################################################################
    # ldbm database definitions
    #######################################################################

    database ldbm
    suffix "dc=pisoftware, dc=com"
    rootdn "cn=Manager, dc=pisoftware, dc=com"
    rootpw {crypt}lAn4J@KmNp9
    replica host=cox.staff.plugged.com.au:389
        binddn="cn=Manager,dc=pisoftware,dc=com"
        bindmethod=simple credentials=secret
    replogfile /var/lib/openldap/replication.log
    # cleartext passwords, especially for the rootdn, should
    # be avoided. See slapd.conf(5) for details.
    directory /var/lib/openldap/
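The access rules in the slapd.conf above decide who may read the userpassword attribute. This added example (not from the page, and not slapd's own matcher) evaluates them with the first-match rules from slapd.access(5) and compares them with a stricter rule set that keeps the stored password usable for binding but readable by nobody else; the stricter rules and the DNs are constructed.

```python
# Added example, not from the original page and not slapd's own matcher: a small
# evaluator for slapd.conf "access to <what> by <who> <level>" rules, following
# slapd.access(5): the first "access to" clause covering the attribute is used,
# within it the first matching "by" clause decides, and a level grants every
# level below it. The stricter rule set and the DNs are constructed.
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The rules from the slapd.conf above, as (what, [(who, level), ...]).
PAGE_ACL = [
    ("attr=userpassword", [("self", "write"), ("*", "read")]),
    ("*", [("self", "write"), ('dn=".+"', "read"), ("*", "read")]),
]
# Stricter variant: the hash can be used for a bind (auth) but not read by others.
STRICT_ACL = [
    ("attr=userpassword", [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ("*", [("self", "write"), ("users", "read"), ("*", "none")]),
]


def who_matches(who, bound_dn, target_dn):
    """Match a 'by' subject; bound_dn is None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="(.*)"', who)       # dn="<regex>" as used on the page
    if m:
        return bound_dn is not None and re.fullmatch(m.group(1), bound_dn) is not None
    raise ValueError("unsupported subject: " + who)


def granted(acl, bound_dn, target_dn, attr, level, default="read"):
    """True if a session bound as bound_dn may perform `level` on target_dn's attr."""
    for what, clauses in acl:
        if what != "*" and what != "attr=" + attr.lower():
            continue                            # clause does not cover this attribute
        for who, lvl in clauses:
            if who_matches(who, bound_dn, target_dn):
                return LEVELS.index(lvl) >= LEVELS.index(level)
        return False                            # clause matched, no 'by' did: deny
    return LEVELS.index(default) >= LEVELS.index(level)   # "defaultaccess read"
```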

    slapd.conf ACLs

    LDAP Applications

    Application Architecture

    Using Multiple Applications

    System Authentication

    Uses RFC2307

    Migration

    Uses PADL's MigrationTools

    Script                Migrates
    migrate_fstab.pl      /etc/fstab
    migrate_group.pl      /etc/group
    migrate_hosts.pl      /etc/hosts
    migrate_networks.pl   /etc/networks
    migrate_passwd.pl     /etc/passwd
    migrate_protocols.pl  /etc/protocols
    migrate_rpc.pl        /etc/rpc
    migrate_services.pl   /etc/services

    These scripts are called on the appropriate file in /etc in the following manner:

    # ./migrate_passwd.pl /etc/passwd ./passwd.ldif

    The migration tools also provide scripts to automatically migrate all configuration to LDAP, using migrate_all_{online,offline}.sh. See the README distributed with the package for more details.

    Example LDIF

    dn: uid=bmarshal,ou=People,dc=pisoftware,dc=com
    uid: bmarshal
    cn: Brad Marshall
    objectclass: account
    objectclass: posixAccount
    objectclass: top
    loginshell: /bin/bash
    uidnumber: 500
    gidnumber: 120
    homedirectory: /mnt/home/bmarshal
    gecos: Brad Marshall,,,,
    userpassword: {crypt}aknbKIfeaxs

    dn: cn=sysadmin,ou=Group,dc=pisoftware,dc=com
    objectclass: posixGroup
    objectclass: top
    cn: sysadmin
    gidnumber: 160
    memberuid: bmarshal
    memberuid: dwood
    memberuid: jparker

    Installation

    Install from PADL (http://www.padl.com/)

    pam_ldap - http://www.padl.com/pam_ldap.html

    nss_ldap - http://www.padl.com/nss_ldap.html

    /etc/ldap.conf

    BASE dc=foo,dc=com
    HOST ldap.server.com
    pam_crypt local

    /etc/nsswitch.conf

    Add ldap to the passwd, shadow and group entries in /etc/nsswitch.conf. Be aware of the effects of putting it first or last.

    /etc/pam.d

    Need similar for every app you want to use ldap

    /etc/pam.d/ssh

    From RedHat 6.2

    #%PAM-1.0
    auth sufficient /lib/security/pam_ldap.so
    auth required /lib/security/pam_pwdb.so shadow nullok try_first_pass
    auth required /lib/security/pam_nologin.so
    account sufficient /lib/security/pam_ldap.so
    account required /lib/security/pam_pwdb.so
    password required /lib/security/pam_cracklib.so
    password sufficient /lib/security/pam_ldap.so
    password required /lib/security/pam_pwdb.so shadow nullok use_authtok
    session sufficient /lib/security/pam_ldap.so
    session required /lib/security/pam_pwdb.so

    Apache user auth

    Download mod_auth_ldap.tar.gz from http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html

    Install either as a DSO or by compiling in - see webpage for more details

    Add the following to httpd.conf

    Options Indexes FollowSymLinks
    AllowOverride None
    order allow,deny
    allow from all
    AuthName "RCS Staff only"
    AuthType Basic
    LDAP_Server ldap.server.com
    LDAP_Port 389
    Base_DN "dc=server,dc=com"
    UID_Attr uid
    #require valid-user
    require user foo bar doe
    #require roomnumber "C119 Center Building"
    #require group cn=sysadmin,ou=Group,dc=server,dc=com

    Squid ACLs

    Compile ldap_auth.c from http://www.uia.ua.ac.be/u/dbruyne/squid-ldap/

    Add the following to squid.conf:

    authenticate_program /usr/local/squid/bin/ldap_auth
    authenticate_options ldap.yourdomain.com 389 dc=yourdomain,dc=com uid
    authenticate_children 2

    Restart squid


    LDAP (Lightweight Directory Access Protocol) has a reputation for being complicated, but I hope to dispel that myth and explain exactly how LDAP works in this simple introduction to some of the basic concepts.

    What is LDAP?

    LDAP is a lightweight protocol for accessing directory servers. Okay, so what is a directory server? It's a hierarchical object orientated database. If that makes you want to run away screaming, don't worry, it'll get worse before it gets better.

    Only joking. This guide should make learning LDAP easy. Let's go through that description bit by bit, starting at the end. It's a database, which means we can store data in it. If you've used relational databases, like mysql, then it won't look like anything you're used to, but like a relational database, it allows you to store your data in a user defined structural way.

    The second part of our description was object orientated. In LDAP our database is a collection of objects. Like in OO programming, objects are instances of a particular class. A class defines the set of attributes that an object may contain. Classes can inherit from other classes to add additional attributes.

    LDAP has some differences from the usual OO semantics, which will be explained in the next section. The final part of our description was hierarchical. Every object in LDAP can contain one or more sub-objects. The result is a tree with the trunk being the root of the directory and the branches and leaves being the objects in the directory. In this way we can build up our database into an easy to navigate, structured database.

    Lightweight? Lightweight? What crack are you on?

    Sometimes you wonder how anyone could describe this complicated mess as lightweight. The lightweight is in reference to the previous leading standard for directory services, called X.500. The problem with X.500 was that it required the use of the OSI network stack and couldn't use TCP/IP. It was also rather more complicated. LDAP only uses 9 of the operations that X.500 supported, and can use the simpler TCP/IP networking stack.

    Objects and Classes

    As I mentioned, data stored in LDAP is stored in objects. These objects contain a number of attributes, which are basically a set of key/value pairs. Because data in LDAP is structured, objects can only contain valid keys, and which keys are valid is dependent on what class the object is. Classes in LDAP can define mandatory attributes and optional attributes and their type.

    To confuse matters (and this is where LDAP deviates from most OO systems) objects can have more than one class and there are several types of class. The first type is the structural class. An object must have one and only one structural class. Structural classes tend to map to physical objects like a person or a network. Once an object has been created the structural class can not be changed without destroying the object and creating it again.

    Auxiliary classes define additional attributes to complement structural classes. Objects may have many auxiliary classes, and these can be added and removed after the object has been created.

    Finally there are abstract classes, which can not be used directly by objects, but can be used by other classes through inheritance.


    Classes are assigned to objects using the objectClass attribute. LDAP defines some basic classes, types and comparison methods by default, but you are free to define your own.

    Examples

    It's well and good me telling you all this, but it probably won't make sense until I show you some examples. A common use for LDAP is an address book, so you could use the person class, which is structural. It defines sn and cn as mandatory attributes and userPassword, telephoneNumber, seeAlso and description as optional fields. A couple of those attributes probably need explaining. sn is surname and cn is common name, which we can use to store the person's full name. The dashed line in the image marks the mandatory and optional attributes.

    But what if we wanted to store addresses in the object too? Well, we could use organizationalPerson, which inherits from the person class but adds title, street, postalAddress and postalCode. The class adds several more attributes too. Because it inherits from person we still have sn and cn. There is an even more comprehensive class called inetOrgPerson.

    Another common use for LDAP is authentication of user accounts. For this, we can use the posixAccount class. This is an auxiliary class and adds cn, uid, uidNumber, gidNumber and homeDirectory as mandatory attributes and userPassword, loginShell, gecos and description as optional attributes. Because posixAccount is auxiliary, we can add it to our person object for people we want to be able to authenticate.
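Putting the class rules above into code, here is an added checker (not from the original article) that validates an entry against the person, organizationalPerson, posixAccount and top definitions as the text describes them; the schema table and the sample entry are transcribed assumptions, and attributes the article leaves unnamed are omitted.

```python
# Added example, not from the original article: a schema checker applying the
# class rules described above (structural / auxiliary / abstract, inheritance,
# mandatory and optional attributes) to an entry. The definitions are transcribed
# from the text; attributes the text leaves unnamed are simply not included.
SCHEMA = {  # name: (kind, superior class, must-have attributes, may-have attributes)
    "top": ("abstract", None, {"objectclass"}, set()),
    "person": ("structural", "top", {"sn", "cn"},
               {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("structural", "person", set(),
                             {"title", "street", "postaladdress", "postalcode"}),
    "posixaccount": ("auxiliary", "top",
                     {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}),
}

BOB = {  # constructed entry: structural person plus auxiliary posixAccount
    "objectClass": ["top", "person", "posixAccount"], "cn": ["Bob Green"],
    "sn": ["Green"], "uid": ["bob"], "uidNumber": ["504"], "gidNumber": ["100"],
    "homeDirectory": ["/home/bob"], "userPassword": ["{SSHA}placeholder-hash"],
}


def ancestors(name):
    """Yield name and every superior class up the inheritance chain."""
    while name:
        yield name
        name = SCHEMA[name][1]


def validate(entry):
    """Return a list of problems; an empty list means the entry fits the schema.
    entry maps attribute names to value lists; names are case-insensitive."""
    e = {k.lower(): v for k, v in entry.items()}
    classes = [c.lower() for c in e.get("objectclass", [])]
    problems = [f"unknown class {c}" for c in classes if c not in SCHEMA]
    classes = [c for c in classes if c in SCHEMA]
    closure = {a for c in classes for a in ancestors(c)}
    derived = {a for c in closure for a in list(ancestors(c))[1:]}  # inherited-from classes
    # Exactly one structural class may remain once its own superiors are discounted.
    structural = [c for c in closure if SCHEMA[c][0] == "structural" and c not in derived]
    if len(structural) != 1:
        problems.append(f"entry needs exactly one structural class, has {sorted(structural)}")
    # Abstract classes are only reachable through inheritance.
    problems += [f"abstract class {c} used directly" for c in classes
                 if SCHEMA[c][0] == "abstract" and c not in derived]
    must = {a for c in closure for a in SCHEMA[c][2]}
    may = {a for c in closure for a in SCHEMA[c][3]}
    attrs = set(e) - {"dn"}                 # the DN is not an attribute of the object
    problems += [f"missing mandatory attribute {a}" for a in sorted(must - attrs)]
    problems += [f"attribute {a} not allowed by {sorted(classes)}"
                 for a in sorted(attrs - must - may)]
    return problems
```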

    Distinguished Names

    One very important aspect I have omitted to mention is the dn or distinguished name. This is a unique name used to refer to a particular object in the tree. It's made up from the dn of the parent object and a unique key/value pair from the sub-object. For example if you stored your address book under ou=People,dc=example,dc=com, a common location, my details would have a dn of cn=David Pashley,ou=People,dc=example,dc=com and Bill Gates would have a dn of cn=Bill Gates,ou=People,dc=example,dc=com. As you can see each level in the hierarchy is separated by commas. It is possible to have multi-attribute distinguished names by putting a + between the attributes. Distinguished names are not actually attributes of objects.
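Here is an added DN parser (not from the original article) that splits a dn into its comma-separated levels and + joined multi-attribute RDNs, derives the parent dn, and tests whether an entry sits under a base such as an ou subtree; it also handles backslash escapes, which the text does not mention but real DNs need. The sample DNs are constructed.

```python
# Added example, not from the original article: parse a distinguished name into
# its RDNs (unescaped commas), split multi-attribute RDNs on '+', derive the
# parent DN and test subtree membership. Backslash escapes follow RFC 2253.
import re


def split_unescaped(s, sep):
    """Split s on sep, ignoring any sep preceded by a backslash."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair together
            cur += s[i:i + 2]
            i += 2
        elif s[i] == sep:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += s[i]
            i += 1
    parts.append(cur)
    return parts


def unescape(value):
    """Turn '\\,' '\\+' '\\=' and similar back into the literal character."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_dn(dn):
    """'cn=Bill Gates,ou=People,dc=example,dc=com' ->
    [[('cn', 'Bill Gates')], [('ou', 'People')], [('dc', 'example')], [('dc', 'com')]]
    Attribute types are lowercased; a '+' joins several pairs into one RDN."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        pairs = []
        for ava in split_unescaped(rdn, "+"):
            attr, sep, value = ava.partition("=")
            if not sep or not attr.strip():
                raise ValueError("malformed RDN: " + rdn)
            pairs.append((attr.strip().lower(), unescape(value.strip())))
        rdns.append(pairs)
    return rdns


def parent_dn(dn):
    """The DN of the containing object: everything after the first RDN."""
    return ",".join(split_unescaped(dn, ",")[1:])


def _normalized(dn):
    # Attribute types and the usual caseIgnore values compare case-insensitively;
    # the pairs inside a multi-valued RDN are unordered.
    return [sorted((a, v.lower()) for a, v in rdn) for rdn in parse_dn(dn)]


def is_under(dn, base):
    """True if dn is base itself or lies anywhere in the subtree below base."""
    d, b = _normalized(dn), _normalized(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```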

    Database Layout

    I should explain that ou is an organizational unit and dc is domain component. In our database we are storing all our objects below dc=example,dc=com, and this is called the base dn because it is the base of our database. While you don't need to use a unique base dn for your database, it is common practice to do so and is more important if you intend to make your database publicly available. Originally databases used to be based on your location (o=Catnip,l=Brighton,st=Sussex,c=uk), but it is much more common now to use a DNS domain that you own as the base dn (dc=catnip,dc=org,dc=uk).

    Earlier we used ou in a dn. This is merely a class for grouping our data into sections for administrative ease. There are no rules that force you to organise your database in any particular way, but there are several common ways of laying out databases. The actual layout of the directory tends to not be that important to applications using the directory as they can do recursive queries for the objects they are interested in. We could have our address book in ou=People,dc=example,dc=com and a list of computers in ou=Computers,dc=example,dc=com. If we had a very simple database we could easily mix both into one location and have people and computers as sub-objects of dc=example,dc=com. Alternatively, if we had a very large authentication database, we could go the other way and split the people into several organizational units mirroring their departments, so we could have the sales department in ou=Sales,dc=example,dc=com and marketing in ou=marketing,dc=example,dc=com. Using this scheme you could delegate control for the sales tree to the Sales Manager and the marketing tree to the Marketing Manager, which may not be possible with other schemes.