Lightweight Directory Access Protocol

Academic year: 2022

(1)

Lightweight Directory Access Protocol

• Objectives

– Install and use LDAP

• Contents

– LDAP database structure

– Scenario

– Configuring the LDAP server

– Configuring the LDAP client

– LDAP administrative tasks

• Practical

– Start the LDAP server and client

– Log in and out

– Common tasks

(2)

LDAP DATABASE Structure

• Scenario

– The IT department of an organisation "my-site.com" has many Linux servers and people that must be administered properly

• Domain Component, dc=my-site, dc=com

– LDAP domain "my-site.com"

– dc=my-site, dc=com

• Organizational Unit, ou=people

– The database has only one simple organizational unit, called "People" (the LDAP default)

– ou=People

• Attributes

– Each person has attributes such as username (UID), password, Linux home directory and login shell

• The LDAP database is usually a set of files in the directory /var/lib/ldap

– The Linux server named "bigboy" will be the LDAP server and hold the database

(3)

The server & client RPMs

• OpenLDAP requirements on the "bigboy" server

– openldap

– openldap-clients

– nss_ldap

– openldap-servers

– pam-ldap

– tls

– gnu-tls

– openldap-devel

• The server "bigboy" has a special user named "ldapuser" that will be used to test LDAP logins

• OpenLDAP requirements on the client "smallfry"

– openldap-clients

– nss_ldap

– openldap

– openldap-devel

– pam-ldap

– tls

– gnu-tls

(4)

Configuring The LDAP Server

• Create the database directory

– Red Hat places the LDAP directory under /var/lib/ldap by default

– Create the directory "my-site.com" owned by the "ldap" user

• Create the "LDAP" password

– Only the LDAP root user can create, import and export data in an LDAP database

• Copy the SSHA password hash and paste it into /etc/openldap/slapd.conf as the value of the rootpw directive

# mkdir /var/lib/ldap/my-site.com
# chown ldap:ldap /var/lib/ldap/my-site.com
# chmod 700 /var/lib/ldap/my-site.com

# slappasswd
New password:
Re-enter new password:
{SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ

(5)

SLAPD the stand-alone LDAP daemon

• This is the main LDAP server configuration file:

/etc/openldap/slapd.conf

– We'll now update it with the following information:

• database: database format, here ldbm files

• suffix: the site FQDN (dnsdomainname)

• rootdn: the root container Manager

• rootpw: the LDAP root password, pasted from the "slappasswd" run

• directory: where the my-site.com LDAP tree root is found

• dc: domain component

• cn: common name

• Options like permissions, passwords, database type, database location and so on can be configured in this file

• Start the LDAP daemon and check /var/log/messages

database ldbm
suffix "dc=my-site,dc=com"
rootdn "cn=Manager,dc=my-site,dc=com"
rootpw {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
directory /var/lib/ldap/my-site.com

# /etc/init.d/ldap start

(6)

Extracting local users to become ldap users

• Create the "ldapuser" test account

– We'll now create the "ldapuser" account we'll use for testing.

• Extract the desired records from /etc/passwd

– We'll need to extract the "ldapuser" information from the /etc/passwd file using "grep"; it is possible to extract more or all users in the passwd file if you like

• The first time you also need the root account

– If this is your first time creating the LDAP database, you will also want to extract the information for the Linux "root" user

# useradd -g users ldapuser
# passwd ldapuser
Changing password for user ldapuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# grep ldapuser /etc/passwd >> /etc/openldap/passwd.ldapusers
# grep root /etc/passwd > /etc/openldap/passwd.root

(7)

Getting and setting up PADL MigrationTools

• Find the conversion script migrate_passwd.pl with locate

• The migration-to-LDAP utilities can be downloaded from www.padl.com:

– SuSE and some other Unixes are missing the MigrationTools

• For the most comfortable migration, add your mail domain and default base in /usr/share/openldap/migration/migration_common.ph

# locate migrate
/usr/share/openldap/migration/migrate_passwd.pl

# cd /usr/share/openldap/
# wget http://www.padl.com/download/MigrationTools.tgz
# tar xvfz MigrationTools.tgz ; ln -s MigrationTools-47 migration

# cd migration ; vi migration_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "my-site.com";
# Default base
$DEFAULT_BASE = "dc=my-site,dc=com";

(8)

Convert extracted users to LDIF files

• Convert the extracted users in the "passwd.ldapusers" file to LDIF

– We now convert the /etc/passwd data into an LDAP Data Interchange Format (LDIF) file for the previously extracted users:

• Convert the extracted root user "passwd.root" file to LDIF

• We now have both LDIF files

– /etc/openldap/ldapusers.ldif and /etc/openldap/root.ldif

• In /etc/openldap/root.ldif we need to make root the Manager

dn: uid=root,ou=People,dc=my-site,dc=com
uid: root
cn: Manager

# cd /usr/share/openldap/migration/
# ./migrate_passwd.pl /etc/openldap/passwd.ldapusers \
    > /etc/openldap/ldapusers.ldif
# ./migrate_passwd.pl /etc/openldap/passwd.root \
    > /etc/openldap/root.ldif
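The conversion the two slides above perform with grep and migrate_passwd.pl, as an added Python example that is not PADL's script and not from the original slides. It selects users by exact login name instead of a substring match (a plain `grep root /etc/passwd` would also catch a user such as "nonroot") and emits the posixAccount entries in the shape migrate_passwd.pl produces. The password hash is deliberately left out: the real script reads it from /etc/shadow, which this example does not touch. The passwd lines are constructed sample data, and the ou=People base is taken from the slides.

```python
from typing import Dict, Iterable

BASE_DN = "dc=my-site,dc=com"          # from the slides
PEOPLE_OU = "ou=People," + BASE_DN

# Constructed sample /etc/passwd lines (not from a real system). The
# "nonroot" and "ldapuser2" lines are decoys that a substring grep would match.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nonroot:x:1002:100:Not Root:/home/nonroot:/bin/bash
ldapuser:x:1001:100:LDAP test user:/home/ldapuser:/bin/bash
ldapuser2:x:1003:100:Second user:/home/ldapuser2:/bin/sh
"""


def parse_passwd(text: str) -> Dict[str, dict]:
    """Parse passwd(5) lines into a dict keyed by the exact login name."""
    users: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: " + line)
        name, _pw, uid, gid, gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def user_to_ldif(name: str, u: dict) -> str:
    """Render one user as the posixAccount entry migrate_passwd.pl would emit
    (minus userPassword, which would come from /etc/shadow)."""
    lines = [
        "dn: uid=%s,%s" % (name, PEOPLE_OU),
        "uid: " + name,
        "cn: " + (u["gecos"].split(",")[0] or name),   # full name from GECOS
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
        "loginShell: " + u["shell"],
        "uidNumber: %d" % u["uid"],
        "gidNumber: %d" % u["gid"],
        "homeDirectory: " + u["home"],
    ]
    if u["gecos"]:
        lines.append("gecos: " + u["gecos"])
    return "\n".join(lines) + "\n"


def passwd_to_ldif(text: str, wanted: Iterable[str]) -> str:
    """Select users by exact name and render them as one LDIF document."""
    users = parse_passwd(text)
    wanted = list(wanted)
    missing = [n for n in wanted if n not in users]
    if missing:
        raise KeyError("not in passwd: " + ", ".join(missing))
    return "\n".join(user_to_ldif(n, users[n]) for n in wanted)


if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, ["ldapuser"]))
```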

(9)

Create LDIF for the "my-site.com" domain

• The attributes of the my-site.com domain haven't yet been defined.

• You haven't defined the OU (organizational unit) called People

• Create /etc/openldap/my-site.com.ldif, which should look like this:

• If you need more OUs (organizational units), just add them below the last one.

dn: dc=my-site,dc=com
dc: my-site
description: Root LDAP entry for my-site.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=my-site,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
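A small LDIF parser and pre-flight check for files like the one above, added here as an example (not code from the slides or from OpenLDAP). It unfolds continuation lines and base64 values as RFC 2849 describes, then catches the mistakes ldapadd would otherwise reject one entry at a time: a missing dn or objectClass, an entry whose RDN value (dc=my-site, ou=People) is not among its own attributes, and a DN outside the dc=my-site,dc=com suffix. The slide's two entries are embedded as the test input.

```python
import base64
from typing import Dict, List

BASE_DN = "dc=my-site,dc=com"

# The two entries from the slide (my-site.com.ldif), embedded as test input.
MY_SITE_LDIF = """\
dn: dc=my-site,dc=com
dc: my-site
description: Root LDAP entry for my-site.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=my-site,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
"""

Entry = Dict[str, List[str]]


def unfold(text: str) -> List[str]:
    """Join RFC 2849 continuation lines (leading space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into entries; attribute names are lower-cased and each maps
    to a list of values. `attr:: value` means the value is base64."""
    entries: List[Entry] = []
    entry: Entry = {}
    for line in unfold(text) + [""]:        # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("line without attribute separator: " + line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Drop the optional spaces after commas so DNs compare as strings."""
    return ",".join(part.strip() for part in dn.split(","))


def validate_entry(entry: Entry) -> List[str]:
    """Problems ldapadd would reject: no dn, no objectClass, RDN value not
    present as an attribute, or a DN that is not under the suffix."""
    problems: List[str] = []
    if "dn" not in entry:
        return ["entry has no dn"]
    dn = normalize_dn(entry["dn"][0])
    if "objectclass" not in entry:
        problems.append(dn + ": no objectClass")
    if not (dn == BASE_DN or dn.endswith("," + BASE_DN)):
        problems.append(dn + ": not under suffix " + BASE_DN)
    rdn_attr, _, rdn_value = dn.split(",")[0].partition("=")
    if rdn_value not in entry.get(rdn_attr.lower(), []):
        problems.append("%s: RDN value %s=%s is missing from the entry's attributes"
                        % (dn, rdn_attr, rdn_value))
    return problems


def validate_ldif(text: str) -> List[str]:
    return [p for entry in parse_ldif(text) for p in validate_entry(entry)]


if __name__ == "__main__":
    print(validate_ldif(MY_SITE_LDIF) or "my-site.com.ldif: no problems found")
```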

(10)

Import the LDIF files into the database

• Import the 3 main LDIF files into our database

• First we add the domain and the organizational unit People: my-site.com.ldif

• Next we add the root user: root.ldif

• Last we add the extracted users: ldapusers.ldif

# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
    -W -f my-site.com.ldif
Enter LDAP Password:******
adding new entry "dc=my-site,dc=com"
adding new entry "ou=People, dc=my-site,dc=com"

# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
    -W -f ldapusers.ldif
Enter LDAP Password:******
adding new entry "uid=ldapuser,ou=People,dc=my-site,dc=com"

# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
    -W -f root.ldif
Enter LDAP Password:******
adding new entry "uid=root,ou=People,dc=my-site,dc=com"

(11)

Test the LDAP database

• First we check that the database files exist

• Next do a search test over all entries

– A long list will follow; you should be able to find uid: root and uid: ldapuser

# ls /var/lib/ldap/my-site.com/
. .. dn2id.dbb id2entry.dbb nextid.dbb objectClass.dbb

# ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'

(12)

Configuring The LDAP Client

• Edit the /etc/openldap/ldap.conf configuration file

– Make things easier for clients by adding the LDAP server and domain suffix:

• Edit the /etc/nsswitch.conf configuration file

• Instead of modifying nsswitch.conf manually you can run a tool

– Run yast ldap, or /usr/bin/authconfig on other Linuxes

– Select Use LDAP

– Give the LDAP server's IP address, which in this case is 192.168.0.1

– Give the base DN as dc=my-site,dc=com (no quotes).

– Do not select TLS. (TLS is usually a good idea in production)

– Automounting means mounting home directories on the client from the server

– (Use MD5 and shadow passwords.)

HOST 192.168.0.1
BASE dc=my-site,dc=com

passwd: files ldap
shadow: files ldap

(13)

Setup PAM on LDAP Client and test it

• Next is to add LDAP to the PAM logins in /etc/pam.d

– pam.d/login needs some new entries (other LDAP-aware logins might need them too)

• Restart SSH

– So it re-reads the nsswitch.conf file

• Test LDAP logins

– Using ldapsearch on the client

– Using SSH or the Linux console

• To see that the client has contact with the server

– Create the ldapuser home directory

• If you have automount it is not necessary

– Log out and log in as ldapuser at the local console of the client

• Type pwd to see where you land; if you land in "/" (root) it means automounting does not work

auth sufficient pam_ldap.so use_first_pass
account sufficient pam_ldap.so
password required pam_ldap.so

# service sshd restart

# ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'

# mkdir /home/ldapuser

# ssh -l ldapuser 192.168.0.1
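What the `sufficient` and `required` control flags on the pam_ldap lines above mean for who gets in, as an added example that is not part of the original slides. It is a small evaluator of Linux-PAM's control-flag rules, run over the slide's lines placed in front of an assumed pre-existing pam_unix line (the slide shows only what is added, so the pam_unix line and its position are an assumption). The point it makes: a `sufficient` pam_ldap line lets LDAP users in without consulting pam_unix and still falls through to pam_unix for local users, while the `required` pam_ldap line in the password stack fails the whole password change for any user whose request pam_ldap does not accept.

```python
from typing import Dict, List, Tuple

# A stack is a list of (control flag, module) pairs. Module arguments such as
# use_first_pass only change how a password is obtained, not the control flow.
Stack = List[Tuple[str, str]]

# Assumed /etc/pam.d/login auth stack: the slide's pam_ldap line placed ahead
# of the distribution's existing pam_unix line (pam_unix is an assumption).
LOGIN_AUTH: Stack = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]

# The slide's password line, again followed by an assumed pam_unix line.
PASSWORD_STACK: Stack = [("required", "pam_ldap.so"), ("required", "pam_unix.so")]


def run_stack(stack: Stack, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate a stack with Linux-PAM rules for required, requisite and
    sufficient. `results` says whether each module returns PAM_SUCCESS; a
    module not listed is treated as failing. Returns (success, trace)."""
    failed_required = False
    counted_success = False        # at least one non-ignored module succeeded
    trace: List[str] = []
    for control, module in stack:
        ok = results.get(module, False)
        trace.append("%s %s -> %s" % (control, module, "ok" if ok else "fail"))
        if control == "required":
            if ok:
                counted_success = True
            else:
                failed_required = True   # keep going: the caller must not learn which module failed
        elif control == "requisite":
            if ok:
                counted_success = True
            else:
                trace.append("requisite failed: stop")
                return False, trace
        elif control == "sufficient":
            if ok and not failed_required:
                trace.append("sufficient succeeded: stop")
                return True, trace
            # a failing sufficient module is ignored
        else:
            raise ValueError("control flag not modelled: " + control)
    return counted_success and not failed_required, trace


def login_outcomes() -> Dict[str, bool]:
    """The three interesting login cases for the auth stack above."""
    return {
        "ldap user": run_stack(LOGIN_AUTH, {"pam_ldap.so": True, "pam_unix.so": False})[0],
        "local user": run_stack(LOGIN_AUTH, {"pam_ldap.so": False, "pam_unix.so": True})[0],
        "bad password": run_stack(LOGIN_AUTH, {"pam_ldap.so": False, "pam_unix.so": False})[0],
    }


def local_password_change_ok() -> bool:
    """A local-only user changing a password: pam_ldap fails, pam_unix succeeds."""
    return run_stack(PASSWORD_STACK, {"pam_ldap.so": False, "pam_unix.so": True})[0]


if __name__ == "__main__":
    for case, result in login_outcomes().items():
        print("%-13s %s" % (case, "allowed" if result else "denied"))
    print("local password change:", "works" if local_password_change_ok() else "fails")
```

Order matters as much as the flag: put the same `sufficient pam_ldap.so` line after a `required pam_unix.so` line and an LDAP user is refused, because a sufficient success cannot override an earlier required failure.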

(14)

Common LDAP administrative tasks

• LDAP users changing their own passwords

– LDAP users can modify their LDAP passwords using the regular passwd command.

• Modifying LDAP users as user "root"

– Script usage sample: modify users as root on the LDAP server

$ passwd
Changing password for user ldapuser.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for ldapuser
passwd: all authentication tokens updated successfully.

# passwd ldapuser
Changing password for user ldapuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

[root@bigboy tmp]# modifyldapuser ldapuser
Enter LDAP Password:
modifying entry "uid=ldapuser,ou=People,dc=example,dc=com"

(15)

Common LDAP administrative tasks

• Adding new LDAP users with the addldapuser script

– Add the user to the database

– Create the Linux user kalle on the LDAP server with the useradd command

– Run the addldapuser script with the username as the only argument. The script prompts you for your LDAP "root" password.

– Create home directories for the user on all the LDAP client Linux boxes, otherwise they will have no home. Note that it is possible to let LDAP create temporary "homes" for users when they log in, by using the "skel" directory

• Deleting LDAP users

• LDAP Account Manager: http://lam.sourceforge.net/

# useradd kalle
# addldapuser kalle
Enter LDAP Password:
adding new entry "uid=ldapuser,ou=People,dc=my-site,dc=com"

ldapdelete -x -W -D "cn=Manager,dc=my-site,dc=com" \
    "uid=$1,ou=People,dc=my-site,dc=com"

(16)

Configuring the stunnel encrypted LDAP client

• Install the stunnel package for general SSL tunnel support

• Configuring the stunnel LDAP client

– Edit the ldap.conf file

– Modify the stunnel user

– Edit the /etc/stunnel/stunnel.conf configuration file

HOST localhost
BASE dc=my-site,dc=com

# usermod -G stunnel stunnel

# Configure stunnel to run as user "stunnel" placing temporary
# files in the /usr/var/run/stunnel/ directory
chroot = /var/lib/stunnel/stunnel
pid = /var/run/stunnel.pid
setuid = stunnel
setgid = nogroup

# Configure logging
debug = 7
output = /var/log/messages

# Use it for client mode
client = yes

# Service-level configuration
[ldap]
accept = 389
connect = 192.168.0.1:636

(17)

Generate certificates and start stunnel client

• Creating the stunnel x509 certificates

– See the docs at /usr/share/doc/packages/stunnel

• While creating the certificate a number of questions are asked

– The Common Name must be the FQDN

• Start stunnel

# umask 077
# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \
    /usr/share/doc/packages/stunnel/stunnel.cnf -out /etc/stunnel/stunnel.pem \
    -keyout /etc/stunnel/stunnel.pem

# /etc/init.d/stunnel start
# tail -100 /var/log/messages

# insserv stunnel

(18)

Configuring stunnel encrypted LDAP server

• Install the stunnel package for general SSL tunnel support

• Configuring the stunnel LDAP server

– Modify the stunnel user

– Edit the /etc/stunnel/stunnel.conf configuration file

# usermod -G stunnel

# Configure stunnel to run as user "stunnel" placing temporary
# files in the /usr/var/run/stunnel/ directory
chroot = /home/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel

# Some debugging stuff
debug = 7
output = /var/log/messages

# Use it for client mode
client = no

#cert = /usr/share/ssl/certs/stunnel.pem
#key = /usr/share/ssl/certs/stunnel.pem

# Service-level configuration
[ldap]
accept = 636
connect = 389
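A consistency check for the client and server stunnel.conf shown on the two stunnel slides, added here as an example (not from the slides or from stunnel itself). It parses the global options and the [ldap] section and confirms that the client side accepts 389 locally and connects to :636 while the server side does the reverse, that the daemon drops privileges, and it points out two things a practitioner would want flagged: the client configuration carries no `verify` option, so stunnel does not check the server's certificate, and `debug = 7` is debug-level logging. Both configurations from the slides are embedded as the test input with their comment lines dropped.

```python
import re
from typing import Dict, List, Optional, Tuple

# The client and server stunnel.conf from the slides, comment lines dropped.
CLIENT_CONF = """\
chroot = /var/lib/stunnel/stunnel
pid = /var/run/stunnel.pid
setuid = stunnel
setgid = nogroup
debug = 7
output = /var/log/messages
client = yes
[ldap]
accept = 389
connect = 192.168.0.1:636
"""

SERVER_CONF = """\
chroot = /home/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
debug = 7
output = /var/log/messages
client = no
[ldap]
accept = 636
connect = 389
"""

Section = Dict[str, str]


def parse_stunnel_conf(text: str) -> Tuple[Section, Dict[str, Section]]:
    """Global `key = value` options precede the first [service] header."""
    global_opts: Section = {}
    services: Dict[str, Section] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            services[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key = value line: " + line)
        target = global_opts if current is None else services[current]
        target[key.strip().lower()] = value.strip()
    return global_opts, services


def port_of(endpoint: str) -> int:
    """accept/connect take `port` or `host:port`; return the port number."""
    return int(endpoint.rsplit(":", 1)[-1])


def check_ldap_tunnel(text: str) -> List[str]:
    """Findings for the [ldap] tunnel in either the client or the server role."""
    g, services = parse_stunnel_conf(text)
    ldap = services.get("ldap")
    if ldap is None:
        return ["no [ldap] service section"]

    def opt(key: str) -> Optional[str]:
        return ldap.get(key, g.get(key))      # service-level value overrides global

    findings: List[str] = []
    accept, connect = port_of(opt("accept") or "0"), port_of(opt("connect") or "0")
    if g.get("client", "no").lower() == "yes":
        if (accept, connect) != (389, 636):
            findings.append("client must accept 389 locally and connect to port 636")
        if opt("verify") is None:
            findings.append("client mode without 'verify': the server certificate is not checked")
    else:
        if (accept, connect) != (636, 389):
            findings.append("server must accept 636 and connect to slapd on 389")
        if opt("cert") is None:
            findings.append("server mode without an explicit 'cert': relies on stunnel's default certificate path")
    if g.get("setuid", "root") == "root":
        findings.append("runs as root: set setuid and setgid")
    if g.get("debug", "").isdigit() and int(g["debug"]) >= 7:
        findings.append("debug = 7 is debug-level logging; lower it once the tunnel works")
    return findings


if __name__ == "__main__":
    for name, conf in (("client", CLIENT_CONF), ("server", SERVER_CONF)):
        print(name, check_ldap_tunnel(conf))
```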

(19)

Generate certificates and start stunnel server

• Creating the stunnel x509 server certificates

– See the docs at /usr/share/doc/packages/stunnel

• While creating the certificate a number of questions are asked

– The Common Name must be the FQDN

• Start stunnel

– Check the log files

• Start stunnel at next boot

# umask 077
# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \
    /usr/share/doc/packages/stunnel/stunnel.cnf -out /etc/stunnel/stunnel.pem \
    -keyout /etc/stunnel/stunnel.pem

# /etc/init.d/stunnel start
# tail -100 /var/log/messages

# insserv stunnel

(20)

Configuring Encrypted LDAP Communication

• Create a home directory for the user "ldapuser" at the client, or use automounting

– Check that ldapuser is not in the /etc/passwd file.

– Create the home directory for ldapuser on the client!

# grep ldapuser /etc/passwd

# mkdir /home/ldapuser
# chmod 700 /home/ldapuser/
# chown ldapuser:users /home/ldapuser/
# ll /home
total 2
drwx------ 2 ldapuser users 1024 Aug 4 08:05 ldapuser
#
# cp /etc/skel/.* /home/ldapuser/
cp: omitting directory `/etc/skel/.'
cp: omitting directory `/etc/skel/..'
cp: omitting directory `/etc/skel/.kde'
# chown ldapuser /home/ldapuser/.*

(21)

Test LDAP Logins on secure server

• Using ldapsearch on the LDAP client

• Using SSH or the Linux console on the LDAP client

– Try to log in as user ldapuser to the LDAP client Linux system.

• Use the tcpdump command to verify port 636

# ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'

# tcpdump -n tcp port ldaps
tcpdump: listening on eth0
09:20:02.281257 192.168.0.1.1345 > 192.168.9.2.ldaps: S 1665037104:1665037104(0) win 5840 <mss 1460,sackOK,timestamp 74401362 0,nop,wscale 0> (DF)
09:20:02.281356 172.16.1.200.ldaps > 172.16.1.2.1345: S 1911175072:1911175072(0) ack 1665037105 win 5792 <mss 1460,sackOK,timestamp 20737195 74401362,nop,wscale 0> (DF)
...
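The tcpdump check above only shows that something talks on port 636; the stronger test is that no LDAP leaves the client in the clear. As an added example (not from the slides), here is a parser for `tcpdump -n` summary lines of the kind shown, counting new connections per destination port and flagging plain LDAP (port 389) to any host other than loopback, which after stunnel is configured should never happen. The capture lines are constructed sample data, not the slide's own output, and use the 192.168.0.x addresses from the slides.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

PORT_NAMES = {"ldap": 389, "ldaps": 636}

# Constructed `tcpdump -n` summary lines, not the capture from the slide:
# an LDAPS handshake, a local client-to-stunnel connection, and one client
# that talks plain LDAP across the network.
SAMPLE_LINES = [
    "09:20:02.281257 192.168.0.2.1345 > 192.168.0.1.ldaps: S 1665037104:1665037104(0) win 5840 (DF)",
    "09:20:02.281356 192.168.0.1.ldaps > 192.168.0.2.1345: S 1911175072:1911175072(0) ack 1665037105 win 5792 (DF)",
    "09:20:03.100000 127.0.0.1.1346 > 127.0.0.1.ldap: S 10:10(0) win 32767 (DF)",
    "09:20:04.200000 192.168.0.5.1347 > 192.168.0.1.ldap: S 20:20(0) win 5840 (DF)",
    "09:20:04.200100 192.168.0.1.ldap > 192.168.0.5.1347: S 30:30(0) ack 21 win 5792 (DF)",
    "garbage that is not a tcpdump line",
]

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+>\s+(\S+):\s+(\S+)\s*(.*)$")


class Packet(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    rest: str


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'host.port' where the port may be numeric or a name tcpdump resolved."""
    host, _, port = endpoint.rpartition(".")
    return host, PORT_NAMES[port] if port in PORT_NAMES else int(port)


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for a summary line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, flags, rest = m.groups()
    src_host, src_port = split_endpoint(src)
    dst_host, dst_port = split_endpoint(dst)
    return Packet(ts, src_host, src_port, dst_host, dst_port, flags, rest)


def is_new_connection(p: Packet) -> bool:
    """A bare SYN (flags S, no ack) is the client side of a new connection."""
    return p.flags == "S" and " ack " not in " " + p.rest + " "


def connections_by_port(lines: List[str]) -> Dict[int, int]:
    """How many new connections went to each destination port."""
    counts: Dict[int, int] = {}
    for line in lines:
        p = parse_line(line)
        if p and is_new_connection(p):
            counts[p.dport] = counts.get(p.dport, 0) + 1
    return counts


def cleartext_ldap_on_the_wire(lines: List[str]) -> List[Packet]:
    """New connections to port 389 whose destination is not loopback: once
    clients go through stunnel, plain LDAP should only appear on localhost."""
    return [p for p in map(parse_line, lines)
            if p and is_new_connection(p) and p.dport == 389
            and not p.dst.startswith("127.")]


if __name__ == "__main__":
    print("new connections per port:", connections_by_port(SAMPLE_LINES))
    for p in cleartext_ldap_on_the_wire(SAMPLE_LINES):
        print("cleartext LDAP: %s %s -> %s" % (p.ts, p.src, p.dst))
```

Run it on `tcpdump -n tcp port ldap or tcp port ldaps` output captured on the LDAP server rather than on a single client, so that a client that was never switched to the tunnel shows up too.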

(22)

Addons for TLS

• Generate keys

• Remove the passphrase from the key

• In slapd.conf add the entries

# openssl req -newkey rsa:1024 -x509 -days 365 -keyout \
    slapd_key.pem -out slapd_cert.pem

# openssl rsa -in slapd_key.pem -out slapd_key.pem
# chown slapd-user.slapd-group sl*.pem
# chmod 600 sl*.pem

TLSCertificateFile /usr/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/ssl/certs/slapd_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLV2
