
Lightweight Directory Access Protocol

Objectives
This chapter will first show you how to install and use LDAP

Contents
The LDAP Database Structure
Scenario
Configuring The LDAP Server
Configuring The LDAP Client
Common LDAP administrative tasks

Practical
Start LDAP server & client
Log in and out
Common tasks

The LDAP Database Structure


Scenario
The I.T. department in a small organization, "example.com", has many Linux servers to administer. They will use the LDAP domain "my-site.com" for their LDAP database, in which one domain component (DC) will be "my-site" and the other will be "com":
dc=my-site, dc=com
The database will have only one organizational unit, simply called "People", which is the LDAP default:
ou=People
Each person will have attributes such as a username (User ID or UID), password, Linux "home" directory and login shell.

The server & client RPMs


Installed on the server bigboy:
openldap
openldap-clients
openldap-devel
nss_ldap
openldap-servers

Server "bigboy" has a special user account named "ldapuser" that will be used to test the LDAP logins.

Installed on the client smallfry:
openldap
openldap-clients
openldap-devel
nss_ldap

Configuring The LDAP Server


Create a database directory
Red Hat defaults to putting all databases in the /var/lib/ldap directory. We'll create a dedicated "my-site.com" directory owned by the user "ldap":
# mkdir /var/lib/ldap/my-site.com
# chown ldap:ldap /var/lib/ldap/my-site.com

Create an LDAP "root" password


Only the LDAP "root" user can create the database and import or export its data. Generate the password hash with slappasswd:
# slappasswd
New password:
Re-enter new password:
{SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ

Edit the /etc/openldap/slapd.conf file


This is the main LDAP server configuration file. We'll now update it with the following information:
database  ldbm
suffix    "dc=my-site,dc=com"
rootdn    "cn=Manager,dc=my-site,dc=com"
rootpw    {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
directory /var/lib/ldap/my-site.com

dc - domain component
cn - common name
rootpw is pasted from the slappasswd run

Start the LDAP daemon


# service ldap start

Convert the passwd file to LDIF format


Create the "ldapuser" test account
We'll now create the "ldapuser" account we'll use for testing.
# useradd -g users ldapuser
# passwd ldapuser
Changing password for user ldapuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Extract the desired records from /etc/passwd


We'll need to extract the "ldapuser" information from the /etc/passwd file using "grep":
# grep ldapuser /etc/passwd >> /etc/openldap/passwd.ldapusers

If this is your first time creating the LDAP database, you will also want to extract the Linux "root" information from /etc/passwd:
# grep root /etc/passwd > /etc/openldap/passwd.root

Convert the passwd file to LDIF format


Find the conversion script migrate_passwd.pl with locate:
# locate migrate
. . .
/usr/share/openldap/migration/migrate_passwd.pl
. . .

Convert the ".ldapuser" file to LDIF


We now convert the /etc/passwd data into LDAP Data Interchange Format (LDIF) files.
users:
# /usr/share/openldap/migration/migrate_passwd.pl \
    /etc/openldap/passwd.ldapusers /etc/openldap/ldapusers.ldif
root:
# /usr/share/openldap/migration/migrate_passwd.pl \
    /etc/openldap/passwd.root /etc/openldap/root.ldif

Modify the LDIF files


Use vi to replace padl with my-site in both LDIF files, /etc/openldap/ldapusers.ldif and /etc/openldap/root.ldif:
# vi /etc/openldap/ldapusers.ldif
:%s/padl/my-site/g
:wq!
# vi /etc/openldap/root.ldif
:%s/padl/my-site/g
:wq!
This is also an example of using search and replace within vi (the leading % applies the substitution to every line of the file, not just the current one).

In /etc/openldap/root.ldif we need to make root the Manager


dn: uid=root,ou=People,dc=ing-steen,dc=se
uid: root
cn: Manager

Create LDIF "my-site.com" domain


Create /etc/openldap/my-site.com.ldif, which should look like this:
dn: dc=my-site,dc=com
dc: my-site
description: Root LDAP entry for my-site.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=my-site,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit

Import the LDIF files into the database


Import the LDIF files into our database:
Domain declaration in: my-site.com.ldif
Root declaration in: root.ldif
All our coming LDAP users in: ldapusers.ldif

First we add the my-site.com.ldif


# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
    -W -f my-site.com.ldif

Next we add root.ldif


# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
    -W -f root.ldif

Last we add ldapusers.ldif


# ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
    -W -f ldapusers.ldif

Test the LDAP database


First search test, all entries:
# ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'

Configuring The LDAP Client


Edit the /etc/openldap/ldap.conf configuration file
Make life easier for clients by adding the LDAP server and the domain suffix:
HOST 192.168.0.1
BASE dc=my-site,dc=com

Edit the /etc/nsswitch.conf configuration file


passwd: files ldap
shadow: files ldap

Instead of modifying nsswitch.conf manually you can run


1. Run /usr/bin/authconfig
2. Select LDAP
3. Give the LDAP server's IP address, which in this case is 192.168.0.1
4. Give the base DN as dc=my-site,dc=com (no quotes).
5. Do not select TLS. (Running without TLS is usually not a good idea; see the encrypted communication sections below.)
6. Use MD5 and shadow passwords.

Testing the LDAP Client

Restart SSH
# service sshd restart
So it re-reads the nsswitch.conf file.

Test LDAP Logins


Using ldapsearch:
# ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'
Using SSH or the Linux console:
# ssh -l ldapuser 192.168.0.1
Exit and log in with ldapuser at the local console.

Common LDAP administrative tasks


LDAP users changing their own passwords
LDAP users can modify their LDAP passwords using the regular passwd command.
$ passwd
Changing password for user ldapuser.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for ldapuser
passwd: all authentication tokens updated successfully.

Modifying LDAP users by user "root"

Script usage sample: modifying users as root on the LDAP server.
# passwd ldapuser
Changing password for user ldapuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@bigboy tmp]# modifyldapuser ldapuser
Enter LDAP Password:
modifying entry "uid=ldapuser,ou=People,dc=example,dc=com"



Adding new LDAP users with the addldapuser script
Add the user to the database:
1. Create the Linux user kalle on the LDAP server with the useradd command.
2. Run the addldapuser script with the username as the only argument. The script prompts you for your LDAP "root" password.
# useradd kalle
# addldapuser kalle
Enter LDAP Password:
adding new entry "uid=ldapuser,ou=People,dc=my-site,dc=com"
3. Create home directories for the user on all the LDAP client Linux boxes, otherwise they will have no home. Note that it is also possible to have temporary home directories created from the skel directory when users log in.
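The addldapuser script itself is not shown on these slides. Below is an added example (my own, not the course's script) of what such a wrapper can look like in POSIX sh: it pulls the user's record out of /etc/passwd, turns it into the kind of LDIF entry migrate_passwd.pl produces with the padl suffix already replaced by dc=my-site,dc=com, and hands it to ldapadd. Assumed, not taken from the page: the fixed suffix and Manager DN, and that the password hash is deliberately not copied from /etc/shadow, so it is set afterwards with passwd as on the slides.

```shell
#!/bin/sh
# addldapuser-style wrapper (added example, not the course's own script).
# Assumptions (not from the page): the suffix and Manager DN below, and
# that the entry layout mirrors migrate_passwd.pl's output
# (account/posixAccount/shadowAccount) with "padl" already replaced.
SUFFIX="dc=my-site,dc=com"
BINDDN="cn=Manager,dc=my-site,dc=com"

# passwd_to_ldif LINE
# Turn one /etc/passwd record into an LDIF entry under ou=People.
passwd_to_ldif() {
    printf '%s\n' "$1" | awk -F: -v suffix="$SUFFIX" '
    NF >= 7 {
        printf "dn: uid=%s,ou=People,%s\n", $1, suffix
        printf "uid: %s\ncn: %s\n", $1, $1
        print "objectClass: account"
        print "objectClass: posixAccount"
        print "objectClass: top"
        print "objectClass: shadowAccount"
        # No userPassword here: the hash is set later with passwd,
        # so a copy of /etc/shadow never has to be read by this script.
        printf "loginShell: %s\n", $7
        printf "uidNumber: %s\ngidNumber: %s\n", $3, $4
        printf "homeDirectory: %s\n", $6
        if ($5 != "") printf "gecos: %s\n", $5
    }'
}

# user_ldif USER [PASSWD_FILE]
# Like the slides' grep step, but matching the whole username, so that
# "root" does not also pick up every account whose name contains "root".
user_ldif() {
    _file="${2:-/etc/passwd}"
    _line=$(awk -F: -v u="$1" '$1 == u' "$_file")
    [ -n "$_line" ] || { echo "no such user: $1" >&2; return 1; }
    passwd_to_ldif "$_line"
}

# addldapuser USER: build the entry and feed it to ldapadd, which
# prompts for the Manager password just like the ldapadd calls above.
addldapuser() {
    user_ldif "$1" | ldapadd -x -W -D "$BINDDN"
}

if [ "$#" -gt 0 ]; then addldapuser "$1"; fi
```

Run as root on the LDAP server with the username as the only argument, then set the user's LDAP password with passwd as shown on the next slides.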

Deleting LDAP users


Deletion script fragment ($1 is the username passed as the script's argument):
ldapdelete -x -W -D "cn=Manager,dc=my-site,dc=com" \
    "uid=$1,ou=People,dc=my-site,dc=com"

Configuring Encrypted LDAP Communication


Configuring the stunnel LDAP client
Edit the ldap.conf file:
HOST localhost
BASE dc=my-site,dc=com

Create an stunnel user:
# useradd stunnel

Edit the /etc/stunnel/stunnel.conf configuration file


# Configure stunnel to run as user "stunnel" placing temporary
# files in the /usr/var/run/stunnel/ directory
chroot = /home/stunnel
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
# Configure logging
debug = 7
output = /var/log/messages
# Use it for client mode
client = yes
# Service-level configuration
[ldap]
accept = 389
connect = 192.168.0.1:636



Start stunnel
Check the log files:
# stunnel
# tail -100 /var/log/messages

Start stunnel at next boot


Add this snippet at the end of /etc/rc.d/rc.local:
# Run stunnel for LDAP (RedHat file location)
/usr/sbin/stunnel



Configuring the stunnel LDAP server
Create an stunnel user:
# useradd stunnel

Edit the /etc/stunnel/stunnel.conf configuration file


# Configure stunnel to run as user "stunnel" placing temporary
# files in the /usr/var/run/stunnel/ directory
chroot = /home/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
# Some debugging stuff
debug = 7
output = /var/log/messages
# Run in server mode, not client mode
client = no
cert = /usr/share/ssl/certs/stunnel.pem
key = /usr/share/ssl/certs/stunnel.pem
# Service-level configuration
[ldap]
accept = 636
connect = 389



Create the certificates
Go to the /usr/share/ssl/certs directory:
# cd /usr/share/ssl/certs
[root@bigboy certs]# make stunnel.pem
...
Common Name (eg, your name or your server's hostname) []: 192.168.0.1
...
Modify certificate file permissions. The certificate needs to be readable only by "root" and the "stunnel" user:
# chmod 640 stunnel.pem
# chgrp stunnel stunnel.pem
# ll /usr/share/ssl/certs
-rw-r----- 1 root stunnel 2004 Jul 31 21:50 stunnel.pem

Start stunnel

# stunnel



Create a home directory for the user "ldapuser" at the client
Check that ldapuser is not in the /etc/passwd file:
# grep ldapuser /etc/passwd
Create the home directory for ldapuser on the client:
# mkdir /home/ldapuser
# chmod 700 /home/ldapuser/
# chown ldapuser:users /home/ldapuser/
# ll /home
total 2
drwx------ 2 ldapuser users 1024 Aug 4 08:05 ldapuser
# cp /etc/skel/.* /home/ldapuser/
cp: omitting directory `/etc/skel/.'
cp: omitting directory `/etc/skel/..'
cp: omitting directory `/etc/skel/.kde'
# chown ldapuser /home/ldapuser/.*

Test LDAP Logins on secure server


Using ldapsearch on the LDAP client
# ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'

Using SSH or the Linux console on the LDAP client


Try to log in as user ldapuser to the LDAP client Linux system.

Use the TCPdump command to verify port 636


# tcpdump -n tcp port ldaps
tcpdump: listening on eth0
09:20:02.281257 192.168.0.1.1345 > 192.168.9.2.ldaps: S 1665037104:1665037104(0) win 5840 <mss 1460,sackOK,timestamp 74401362 0,nop,wscale 0> (DF)
09:20:02.281356 172.16.1.200.ldaps > 172.16.1.2.1345: S 1911175072:1911175072(0) ack 1665037105 win 5792 <mss 1460,sackOK,timestamp 20737195 74401362,nop,wscale 0> (DF)
...

Addons for TLS


Generate keys
# openssl req -newkey rsa:1024 -x509 -days 365 -keyout \
    slapd_key.pem -out slapd_cert.pem

Remove passphrase from keys


# openssl rsa -in slapd_key.pem -out slapd_key.pem
# chown slapd-user.slapd-group sl*.pem
# chmod 600 sl*.pem
(slapd-user and slapd-group stand for the account and group slapd runs as.)

In slapd.conf add entries


TLSCertificateFile /usr/ssl/certs/slapd_cert.pem
TLSCertificateKeyFile /usr/ssl/certs/slapd_key.pem
TLSCipherSuite HIGH:MEDIUM:+SSLV2
Note that +SSLV2 re-enables the obsolete and insecure SSLv2 protocol; on any current deployment leave it out of the cipher suite string.
