Lightweight Directory Access Protocol Objectives –This chapter will first show you how to install...

Date post: 21-Jan-2016
Upload: elisabeth-howard
Page 1: Lightweight Directory Access Protocol Objectives –This chapter will first show you how to install and use LDAP Contents –The LDAP Database Structure –Scenario.

Lightweight Directory Access Protocol

• Objectives
– This chapter will first show you how to install and use LDAP

• Contents
– The LDAP Database Structure
– Scenario
– Configuring The LDAP Server
– Configuring The LDAP Client
– Common LDAP administrative tasks

• Practical
– Start the LDAP server & client
– Log in and out
– Common tasks

Page 2: The LDAP Database Structure

• Scenario
– The I.T. department in a small organization "my-site.com" has many Linux servers and people they need to administer.

• Domain Component, dc=my-site,dc=com
– The LDAP domain "my-site.com" is the base of the LDAP database; its two domain components (DC) are "my-site" and "com".

dc=my-site,dc=com

• Organizational Unit, ou=People
– The database will have a single organizational unit called "People", the conventional container for user accounts.

ou=People

• Attributes
– Each person will have attributes such as a username (User ID or UID), password, Linux home directory and login shell.

• The LDAP database usually lives in files under /var/lib/ldap
– The Linux server named "bigboy" will act as the LDAP server holding the database.

Page 3: The server & client RPMs

• Installed on the server "bigboy"
– openldap, openldap-clients, openldap-servers, openldap-devel
– nss_ldap, pam-ldap
– tls, gnu-tls

• Server "bigboy" has a special user account named "ldapuser" that will be used to test the LDAP logins.

• It is a very good idea to have up-to-date DNS as well; the certificates created later on are issued for the server's fully qualified name, so clients must be able to resolve it.

• Installed on the client "smallfry"
– openldap, openldap-clients, openldap-devel
– nss_ldap, pam-ldap
– tls, gnu-tls

Page 4: Configuring The LDAP Server

• Create a database directory
– Red Hat defaults to putting all databases in the /var/lib/ldap directory.
– We'll create a dedicated "my-site.com" directory owned by the user "ldap" and readable by nobody else (mode 700).

• Create an LDAP "root" password
– The LDAP "root" user (the rootdn, cn=Manager on the next page) is not subject to the directory's access controls; it is the account that creates the database and imports and exports data, so its password must be strong and must not be handed out to ordinary users.

• slappasswd prints a salted SHA-1 hash of the password, {SSHA}… The whole hash needs to be copied and pasted unchanged into /etc/openldap/slapd.conf as the value of the rootpw directive, as seen on the next page; the clear-text password itself never goes into the file.

# mkdir /var/lib/ldap/my-site.com
# chown ldap:ldap /var/lib/ldap/my-site.com
# chmod 700 /var/lib/ldap/my-site.com

# slappasswd
New password:
Re-enter new password:
{SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ

Page 5: SLAPD, the stand-alone LDAP daemon

• This is the main LDAP server configuration file: /etc/openldap/slapd.conf
– We'll now update it with the following information:

database: the backend type; here ldbm, the plain file-based backend of the OpenLDAP release these slides were written for (back-ldbm was removed in OpenLDAP 2.4; current releases use mdb, and most distributions now keep the configuration in the cn=config directory instead of slapd.conf)

suffix: the DN of the naming context this database serves, built from the site's DNS domain name (dnsdomainname)

rootdn: the DN of the directory manager, the account that bypasses all access controls

rootpw: the LDAP root password hash, pasted from the slappasswd run

directory: where the my-site.com LDAP tree is stored on disk

dc: domain component

cn: common name

• Options like permissions (access directives), password storage, database type, database location and so on can be configured in this file.

• Start the LDAP daemon and check /var/log/messages

database        ldbm
suffix          "dc=my-site,dc=com"
rootdn          "cn=Manager,dc=my-site,dc=com"
rootpw          {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
directory       /var/lib/ldap/my-site.com

# /etc/init.d/ldap start

Page 6: Extracting local users to become LDAP users

• Create the "ldapuser" test account
– We'll now create the "ldapuser" account we'll use for testing.

• Extract the desired records from /etc/passwd
– We'll extract the "ldapuser" record from the /etc/passwd file using grep; it is possible to extract more, or all, of the users in the passwd file if you like.
– Anchor the pattern to the start of the line ('^ldapuser:') so that only that account matches, not every line that merely contains the string somewhere in its GECOS field or home directory path (an unanchored "grep root" would also pull in accounts such as operator, whose home directory is /root).

• The first time you also need the root account
– If this is your first time creating the LDAP database, you will also want to extract the information for the Linux "root" user.

# useradd -g users ldapuser
# passwd ldapuser
Changing password for user ldapuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# grep '^ldapuser:' /etc/passwd >> /etc/openldap/passwd.ldapusers

# grep '^root:' /etc/passwd > /etc/openldap/passwd.root

Page 7: Getting and setting up the PADL MigrationTools

• Find the conversion script migrate_passwd.pl with locate

• If it is missing (SuSE and some other Unix systems do not ship the MigrationTools), the migration utilities can be downloaded from PADL as shown below. The download is plain HTTP with no signature, and the scripts are run as root, so read through them before using them.

• For the most comfortable migration, set your mail domain and default base in /usr/share/openldap/migration/migrate_common.ph

# locate migrate
/usr/share/openldap/migration/migrate_passwd.pl

# cd /usr/share/openldap/
# wget http://www.padl.com/download/MigrationTools.tgz
# tar xvfz MigrationTools.tgz ; ln -s MigrationTools-47 migration

# cd migration ; vi migrate_common.ph

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "my-site.com";

# Default base
$DEFAULT_BASE = "dc=my-site,dc=com";

Page 8: Convert extracted users to LDIF files

• Convert the extracted users in the "passwd.ldapusers" file to LDIF
– We now convert the /etc/passwd data into LDAP Data Interchange Format (LDIF) files for the previously extracted users.
– When /etc/shadow is readable (i.e. when the script is run as root), migrate_passwd.pl also copies each user's password hash into the entry as userPassword: {crypt}…, so the resulting LDIF files are as sensitive as /etc/shadow: keep them root-only and delete them once imported.

• Convert the extracted root user "passwd.root" file to LDIF

• We now have both LDIF files: /etc/openldap/ldapusers.ldif and /etc/openldap/root.ldif

• In /etc/openldap/root.ldif we need to make root the Manager:

dn: uid=root,ou=People,dc=my-site,dc=com
uid: root
cn: Manager

# cd /usr/share/openldap/migration/
# ./migrate_passwd.pl /etc/openldap/passwd.ldapusers \
    > /etc/openldap/ldapusers.ldif

# ./migrate_passwd.pl /etc/openldap/passwd.root \
    > /etc/openldap/root.ldif

Page 9: Create the LDIF for the "my-site.com" domain

• The attributes of the my-site.com domain haven't yet been defined.

• You haven't defined the organizational unit (OU) called People.

• Create /etc/openldap/my-site.com.ldif, which should look like this:

• If you need more OUs, just add them below the last one.

dn: dc=my-site,dc=com
dc: my-site
description: Root LDAP entry for my-site.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People,dc=my-site,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit

Page 10: Import the LDIF files into the database

• Import the 3 LDIF files into our database, binding as the Manager with a simple bind (-x). The -W flag prompts for the root password so that it does not end up on the command line or in the shell history.

• First we add the domain entry and the organizational unit People: my-site.com.ldif

• Next we add the extracted users: ldapusers.ldif

• Last we add the root user: root.ldif

# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
      -W -f my-site.com.ldif
Enter LDAP Password: ******
adding new entry "dc=my-site,dc=com"
adding new entry "ou=People,dc=my-site,dc=com"

# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
      -W -f ldapusers.ldif
Enter LDAP Password: ******
adding new entry "uid=ldapuser,ou=People,dc=my-site,dc=com"

# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
      -W -f root.ldif
Enter LDAP Password: ******
adding new entry "uid=root,ou=People,dc=my-site,dc=com"

Page 11: Test the LDAP database

• First we check that the database files have been created

• Next do a search test of all entries
– A long list will follow; you should be able to find uid: root and uid: ldapuser in it.
– The search binds anonymously, and with no access directives in slapd.conf the default policy lets anyone read everything, so the listing also shows the userPassword hashes. Before the server is reachable from other machines, add an access directive that limits userPassword to "auth" for anonymous users and "write" for the entry's own owner.

# ls /var/lib/ldap/my-site.com/
. .. dn2id.dbb id2entry.dbb nextid.dbb objectClass.dbb

# ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'

Page 12: Configuring The LDAP Client

• Edit the /etc/openldap/ldap.conf configuration file
– Set the defaults for the client tools by adding the LDAP server and the base DN (domain suffix):

HOST 192.168.0.1
BASE dc=my-site,dc=com

• Edit the /etc/nsswitch.conf configuration file so that account lookups fall through from the local files to LDAP:

passwd: files ldap
shadow: files ldap

• Instead of modifying nsswitch.conf manually you can run a configuration tool:
1. Run yast ldap (SuSE) or /usr/bin/authconfig on other Linux distributions
2. Select Use LDAP
3. Give the LDAP server's IP address, which in this case is 192.168.0.1
4. Give the base DN as dc=my-site,dc=com (no quotes)
5. Do not select TLS for this first test. (TLS is usually a good idea in production: without it every user's password crosses the network in clear text on port 389 during the simple bind.)
6. Automounting means mounting the home directories on the client from the server
7. (Use MD5 and shadow passwords.)

Page 13: Set up PAM on the LDAP client and test it

• Next, add LDAP to the PAM login configuration in /etc/pam.d
– pam.d/login needs the new entries below (other services that authenticate users, such as sshd, may need them as well). Put each line after the corresponding pam_unix.so line: use_first_pass makes pam_ldap reuse the password pam_unix already collected, and "sufficient" lets a successful LDAP check satisfy the stack without asking again.

auth     sufficient  pam_ldap.so use_first_pass
account  sufficient  pam_ldap.so
password required    pam_ldap.so

• Restart SSH
– So it re-reads the nsswitch.conf file

# service sshd restart

• Test LDAP logins
– Using ldapsearch on the client, to see that the client has contact with the server; running getent passwd ldapuser on the client then confirms that NSS resolves the account through LDAP.

# ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'

– Create the ldapuser home directory. If you have automounting it is not necessary.

# mkdir /home/ldapuser

– Using SSH or the Linux console:

# ssh -l ldapuser 192.168.0.1

– Log out and log in with ldapuser at the local console of the client. Type pwd to see where you land; if you land in "/" (the root directory) it means automounting does not work.

Page 14: Common LDAP administrative tasks

• LDAP users changing their own passwords
– LDAP users can modify their LDAP passwords using the regular passwd command; pam_ldap performs the change in the directory.

$ passwd
Changing password for user ldapuser.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for ldapuser
passwd: all authentication tokens updated successfully.

• Modifying LDAP users as user "root"
– Sample usage of the modifyldapuser helper script, run as root on the LDAP server (a local wrapper script that pushes the local account's current data into the directory; it is not part of OpenLDAP). Change the password of the local account first, then run the script; it prompts for the LDAP Manager password.

# passwd ldapuser
Changing password for user ldapuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@bigboy tmp]# modifyldapuser ldapuser
Enter LDAP Password:
modifying entry "uid=ldapuser,ou=People,dc=my-site,dc=com"

Page 15: Common LDAP administrative tasks

• Adding new LDAP users with the addldapuser script
– Add the user to the database:
1. Create the Linux user kalle on the LDAP server with the useradd command
2. Run the addldapuser script (a local helper around migrate_passwd.pl and ldapadd, not part of OpenLDAP) with the username as the only argument. The script prompts you for your LDAP "root" password.
3. Create home directories for the user on all the LDAP client Linux boxes, otherwise they will have no home. Note that it is possible to let PAM create a home directory at first login from the "skel" directory (pam_mkhomedir).

# useradd kalle
# addldapuser kalle
Enter LDAP Password:
adding new entry "uid=kalle,ou=People,dc=my-site,dc=com"

• Deleting LDAP users
– The body of a deleteldapuser script; $1 is the username given as the argument:

ldapdelete -x -W -D "cn=Manager,dc=my-site,dc=com" \
    "uid=$1,ou=People,dc=my-site,dc=com"

• LDAP Account Manager: http://lam.sourceforge.net/
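The conversion on pages 8 and 9 and the add/delete helpers on this page, done by hand in POSIX shell as an added example; this is not code from the slides, from PADL's MigrationTools or from OpenLDAP. It turns one /etc/passwd line into the kind of LDIF entry migrate_passwd.pl produces, generates the domain and ou=People base entries, and wraps ldapadd/ldapdelete the way addldapuser and deleteldapuser do. The base dc=my-site,dc=com, ou=People and cn=Manager are taken from the slides; the attribute set (posixAccount/shadowAccount, as the PADL tools emit) and the validation of the login and numeric IDs are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the slides' or PADL's code): migrate_passwd.pl,
# addldapuser and deleteldapuser in plain POSIX shell.
# Assumptions taken from the slides: base dc=my-site,dc=com, users under
# ou=People, manager cn=Manager. Attribute set and validation are ours.

BASE="dc=my-site,dc=com"
PEOPLE="ou=People,$BASE"
MANAGER="cn=Manager,$BASE"

# user_dn LOGIN: print the DN an account gets under ou=People.
# The login is interpolated into a DN, so a value containing ',' '=' '+'
# or a backslash would address a different entry; refuse those instead
# of pasting $1 in blindly as the one-line deleteldapuser script does.
user_dn() {
    case "$1" in
        ''|*[,=+]*|*\\*) echo "user_dn: refusing login '$1'" >&2; return 1 ;;
    esac
    printf 'uid=%s,%s\n' "$1" "$PEOPLE"
}

# base_ldif: the domain entry plus the People OU (page 9's my-site.com.ldif).
base_ldif() {
    printf 'dn: %s\ndc: my-site\ndescription: Root LDAP entry for my-site.com\n' "$BASE"
    printf 'objectClass: dcObject\nobjectClass: organizationalUnit\nou: rootobject\n\n'
    printf 'dn: %s\nou: People\ndescription: All people in organisation\n' "$PEOPLE"
    printf 'objectClass: organizationalUnit\n'
}

# passwd_to_ldif 'login:x:uid:gid:gecos:home:shell' [crypt-hash]
# Emits one LDIF entry. The optional hash is the account's /etc/shadow
# value; without it the entry carries no userPassword and cannot bind.
# (Values that are not plain printable ASCII would need LDIF base64
# encoding, which this small converter does not do.)
passwd_to_ldif() {
    hash=$2
    IFS=: read -r login pw uid gid gecos home shell <<EOF
$1
EOF
    dn=$(user_dn "$login") || return 1
    case "$uid" in ''|*[!0-9]*) echo "passwd_to_ldif: bad uid '$uid'" >&2; return 1 ;; esac
    case "$gid" in ''|*[!0-9]*) echo "passwd_to_ldif: bad gid '$gid'" >&2; return 1 ;; esac
    printf 'dn: %s\nuid: %s\ncn: %s\n' "$dn" "$login" "${gecos:-$login}"
    printf 'objectClass: account\nobjectClass: posixAccount\n'
    printf 'objectClass: top\nobjectClass: shadowAccount\n'
    [ -n "$hash" ] && printf 'userPassword: {crypt}%s\n' "$hash"
    printf 'loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n' \
        "${shell:-/bin/sh}" "$uid" "$gid" "$home"
    [ -n "$gecos" ] && printf 'gecos: %s\n' "$gecos"
    printf '\n'
}

# add_ldap_user LOGIN [crypt-hash]: the addldapuser equivalent. Looks the
# account up by exact login (awk, so no regex surprises) and pipes the
# LDIF into ldapadd; -W prompts for the Manager password.
add_ldap_user() {
    line=$(awk -F: -v u="$1" '$1 == u' /etc/passwd)
    [ -n "$line" ] || { echo "add_ldap_user: no local account '$1'" >&2; return 1; }
    passwd_to_ldif "$line" "$2" | ldapadd -x -D "$MANAGER" -W
}

# delete_ldap_user LOGIN: the deleteldapuser equivalent with $1 validated.
delete_ldap_user() {
    dn=$(user_dn "$1") || return 1
    ldapdelete -x -W -D "$MANAGER" "$dn"
}

# Stand-alone demo on a constructed passwd line and hash (no server needed).
if [ "${1:-}" = demo ]; then
    base_ldif
    passwd_to_ldif 'ldapuser:x:1001:100:LDAP test user:/home/ldapuser:/bin/bash' '$1$salt$hashvalue'
fi
```

Run it as sh ldaptools.sh demo to see the generated LDIF; add_ldap_user and delete_ldap_user need a running slapd. Reading the hash out of /etc/shadow is deliberately left to the caller so the converter never needs root to run, and the generated text should be handled with the same care as the shadow file.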

Page 16: Configuring the stunnel encrypted LDAP client

• Install the stunnel package for general SSL tunnel support

• Configuring the stunnel LDAP client
– Edit the ldap.conf file so that the client tools talk to the local end of the tunnel instead of to the server directly:

HOST localhost
BASE dc=my-site,dc=com

– Modify the stunnel user:

# usermod -G stunnel stunnel

– Edit the /etc/stunnel/stunnel.conf configuration file. In client mode stunnel accepts plain LDAP on port 389 of the client and forwards it over SSL to port 636 of the server:

# Configure stunnel to run as user "stunnel" placing temporary
# files in the /usr/var/run/stunnel/ directory
chroot = /var/lib/stunnel/stunnel
pid = /var/run/stunnel.pid
setuid = stunnel
setgid = nogroup
# Configure logging
debug = 7
output = /var/log/messages
# Use it for client mode
client = yes
# Service-level configuration
[ldap]
accept  = 389
connect = 192.168.0.1:636

– Two things to tighten before this leaves the lab. accept = 389 with no host binds every interface of the client, so any machine on the network can use the client as a clear-text relay into the directory; accept = 127.0.0.1:389 keeps the plain end of the tunnel local. And with no verify option stunnel does not check the server's certificate at all (its default), so anything on the path can impersonate the LDAP server and collect bind passwords; add verify = 2 together with a CAfile that holds the certificate the server's was signed with (for the self-signed certificate created on the next pages, that certificate itself).

Page 17: Generate certificates and start the stunnel client

• Creating the stunnel X.509 certificates
– See the docs at /usr/share/doc/packages/stunnel
– The same file receives the certificate and the private key, which is why it is created under umask 077 (readable by root only):

# umask 077
# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \
    /usr/share/doc/packages/stunnel/stunnel.cnf -out /etc/stunnel/stunnel.pem \
    -keyout /etc/stunnel/stunnel.pem

• While creating the certificate a number of questions are asked
– The Common Name must be the FQDN

• Start stunnel

# /etc/init.d/stunnel start

– Check the log files

# tail -100 /var/log/messages

• Start stunnel at next boot

# insserv stunnel

Page 18: Configuring the stunnel encrypted LDAP server

• Install the stunnel package for general SSL tunnel support

• Configuring the stunnel LDAP server
– Modify the stunnel user:

# usermod -G stunnel stunnel

– Edit the /etc/stunnel/stunnel.conf configuration file. In server mode stunnel accepts SSL on port 636 and forwards the decrypted connection to slapd on port 389. The cert and key lines stay commented out because the certificate is created on the next page at the package's default location, /etc/stunnel/stunnel.pem:

# Configure stunnel to run as user "stunnel" placing temporary
# files in the /usr/var/run/stunnel/ directory
chroot = /home/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
# Some debugging stuff
debug = 7
output = /var/log/messages
# Server mode
client  = no
#cert = /usr/share/ssl/certs/stunnel.pem
#key =  /usr/share/ssl/certs/stunnel.pem
# Service-level configuration
[ldap]
accept  =  636
connect =  389

Page 19: Generate certificates and start the stunnel server

• Creating the stunnel X.509 server certificates
– See the docs at /usr/share/doc/packages/stunnel
– Created under umask 077 because the file also holds the server's private key:

# umask 077
# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \
    /usr/share/doc/packages/stunnel/stunnel.cnf -out /etc/stunnel/stunnel.pem \
    -keyout /etc/stunnel/stunnel.pem

• While creating the certificate a number of questions are asked
– The Common Name must be the FQDN, the name the clients connect to

• Start stunnel

# /etc/init.d/stunnel start

– Check the log files

# tail -100 /var/log/messages

• Start stunnel at next boot

# insserv stunnel

Page 20: Configuring Encrypted LDAP Communication

• Create a home directory for the user "ldapuser" at the client, or use automounting
– Check that ldapuser is not in the client's /etc/passwd file (the account should come from LDAP only):

# grep ldapuser /etc/passwd

– Create the home directory for ldapuser on the client and copy the skeleton files into it:

# mkdir /home/ldapuser
# chmod 700 /home/ldapuser/
# chown ldapuser:users /home/ldapuser/
# ll /home
total 2
drwx------    2 ldapuser users        1024 Aug  4 08:05 ldapuser
# cp -r /etc/skel/. /home/ldapuser/
# chown -R ldapuser:users /home/ldapuser/

– Do not copy or chown with the glob /home/ldapuser/.* here: the shell expands it to "." and ".." as well (cp prints "omitting directory `/etc/skel/..'" for exactly that reason), and ".." of the home directory is /home itself, so chown ldapuser /home/ldapuser/.* would hand ownership of /home to the user. Copying "/etc/skel/." recursively and running chown -R on the directory avoids this.

Page 21: Test LDAP logins on the secure server

• Using ldapsearch on the LDAP client (the query now enters the tunnel on localhost:389):

# ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'

• Using SSH or the Linux console on the LDAP client
– Try to log in as user ldapuser to the LDAP client Linux system.

• Use the tcpdump command to verify that the traffic between client and server goes over port 636 (ldaps); the complementary check, tcpdump on port 389 between the two hosts, should show nothing at all:

# tcpdump -n tcp port ldaps
tcpdump: listening on eth0
09:20:02.281257 192.168.0.1.1345 > 192.168.9.2.ldaps: S 1665037104:1665037104(0) win 5840 <mss 1460,sackOK,timestamp 74401362 0,nop,wscale 0> (DF)
09:20:02.281356 172.16.1.200.ldaps > 172.16.1.2.1345: S 1911175072:1911175072(0) ack 1665037105 win 5792 <mss 1460,sackOK,timestamp 20737195 74401362,nop,wscale 0> (DF)
......

Page 22: Add-ons for TLS

• Generate a key and a self-signed certificate for slapd itself (native TLS, no stunnel needed). rsa:1024 is what the slide used; today use at least rsa:2048.

# openssl req -newkey rsa:1024 -x509 -days 365 -keyout \
    slapd_key.pem -out slapd_cert.pem

• Remove the passphrase from the key, since slapd cannot prompt for it at start-up, and restrict both files to the slapd user:

# openssl rsa -in slapd_key.pem -out slapd_key.pem
# chown slapd-user.slapd-group sl*.pem
# chmod 600 sl*.pem

• In slapd.conf add the entries:

TLSCertificateFile /usr/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/ssl/certs/slapd_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLV2

– Drop the +SSLV2 from the cipher string: SSLv2 is broken, and current OpenSSL and slapd builds no longer support it at all; HIGH alone is a better starting point. Clients verify the server certificate by default (TLS_REQCERT demand in ldap.conf), so give them the self-signed slapd_cert.pem via TLS_CACERT, or the TLS handshake fails.

