Difference between revisions of "NAD810 LDAP LAB"

From CDOT Wiki

Latest revision as of 15:24, 16 November 2016

LDAP server using OpenLDAP

The OpenLDAP software package is an Open Source and Free implementation of the Lightweight Directory Access Protocol (LDAP). It is gaining wide acceptance as the directory access method of the Internet and also with corporate intranets.

In this lab, the instructions are for setting up an LDAP server with the base context of "dc=nad810,dc=com". Replace this with your own base context. After setting up the OpenLDAP server, you need to configure the LDAP clients to use the user account information stored in the LDAP server to perform user authentication on the client machine. You can use the OpenLDAP client/server to replace your NIS client/server for network user authentication.

Note: OpenLDAP uses TCP port 389 for regular communication and port 636 for encrypted (LDAPS) transactions. You need to have these ports open on your firewall.

Part 1 - OpenLDAP server setup and configuration

Required RPMS for the OpenLDAP server

  • openldap
  • openldap-clients (for testing the server)
  • openldap-devel (optional)
  • openldap-servers
  • nss_ldap
  • migrationtools

OpenLDAP Server configuration Summary

  1. Create an OpenLDAP database
  2. Create an OpenLDAP “root” password and edit the OpenLDAP database configuration file /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
  3. Start the OpenLDAP server daemon - slapd.service
  4. Create a base LDIF file for importing to the OpenLDAP database
  5. Create a user account LDIF file for importing to the OpenLDAP database
  6. Import the LDIF files into the OpenLDAP database

OpenLDAP Server configuration details:

(1) Create/verify the directory for OpenLDAP database files

 mkdir /var/lib/ldap/
 chown ldap.ldap /var/lib/ldap
 chmod 700 /var/lib/ldap

The directory listing of /var/lib/ldap should be:

[root@localhost cn=config]# ls -ldZ /var/lib/ldap
drwx------. ldap ldap system_u:object_r:slapd_db_t:s0  /var/lib/ldap

(2) Configure the base context and the root user "olcRootDN" and "olcRootPW"

Configure the OpenLDAP “root” user and password by editing the OpenLDAP server's database configuration file “/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif”

Only the LDAP “rootdn” user can create, import, and export data in an LDAP database. You can use the slappasswd command to create the password hash and put it in the LDAP server database configuration file mentioned above:


 slappasswd
 
 New password: [secret]
 
 Re-enter new password: [secret]
 
 {SSHA}FavfvViq/edEw8x4TV6y7w1L2llXzZzz      <-- Copy this to the olcDatabase={2}hdb.ldif file

Add/Modify the olcDatabase={2}hdb.ldif file to have the following:

    olcSuffix: dc=nad810,dc=com
    olcRootDN: cn=Manager,dc=nad810,dc=com
    olcRootPW: {SSHA}FavfvViq/edEw8x4TV6y7w1L2llXzZzz

Do not change other lines. Make this edit before starting slapd.service (step 3): slapd reads the slapd.d files at startup and rewrites them whenever cn=config is changed over LDAP, so hand edits made while it is running can be lost.

(3) Start the OpenLDAP server daemon slapd.service

 systemctl start slapd.service

To verify that the OpenLDAP server daemon is running and working, try the following query command:

 ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
 

You should get something similar to the following:

 # extended LDIF
 #
 # LDAPv3
 # base <> with scope baseObject
 # filter: (objectclass=*)
 # requesting: namingContexts 
 #
 
 #
 dn:
 namingContexts: dc=nad810,dc=com
 
 # search result
 search: 2
 result: 0 Success
 
 # numResponses: 2
 # numEntries: 1

(4) Create LDIF files for importing to the OpenLDAP database

Create the base context LDIF file for the nad810.com domain

Create a file called "ldif.base" and add the following lines:

   dn: dc=nad810,dc=com
   dc: nad810
   description: root LDAP entry for nad810
   objectClass: dcObject
   objectClass: organizationalUnit
   ou: rootobject

   dn: ou=People, dc=nad810, dc=com
   ou: People
   description: All people in nad810
   objectClass: organizationalUnit
  (Make sure that you have a blank line before the 2nd "dn:" line)

a. add an user called “ldapuser”

  useradd -g users ldapuser
  passwd ldapuser

b. extract the passwd entry for ldapuser

Run the following command to extract the password entry from /etc/passwd into a file called "entry.ldapuser" in your current working directory:

   grep ldapuser /etc/passwd > entry.ldapuser

c. Convert the password entry to LDIF format

Modify the migration tools configuration file to use our base context "dc=nad810,dc=com".

  Back up the file /usr/share/migrationtools/migrate_common.ph and edit:
  Line 71: $DEFAULT_MAIL_DOMAIN = "padl.com"; to "nad810.com"
  Line 74: $DEFAULT_BASE = "dc=padl,dc=com"; to "dc=nad810,dc=com"
  Line 90: $EXTENDED_SCHEMA = 0; to 1

d. convert the entry for "ldapuser" to LDIF format (ldif.ldapuser)

  (If you split the command over two lines, a "\" at the end of a line tells the shell
  that the next line is a continuation of the current line. With the migrationtools
  package, migrate_passwd.pl is installed next to migrate_common.ph in
  /usr/share/migrationtools/; adjust the path if it is not found at the location below.)
   /usr/share/openldap/migration/migrate_passwd.pl entry.ldapuser ldif.ldapuser

e. verify the contents of ldif.ldapuser

[root@localhost ~]# cat ldif.ldapuser 
dn: uid=ldapuser,ou=People,dc=nad810,dc=com
uid: ldapuser
cn: ldapuser
sn: ldapuser
mail: ldapuser@nad810.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$3/pjdd7S$9JiLgnXtnnO5y0ZTUXYW9mQXCA/ShjaxzjPUu3MhthGPkwQlmqIimGl8YQl3kLb4a15c81uGZ4vsXoBPFJbGl.
shadowLastChange: 16769
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/ldapuser
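Steps c, d and e above are what migrate_passwd.pl does for you. The following Python is an added example (not the lab's code and not the migrationtools package) that builds the same entry layout from a passwd line and its shadow line, and checks an LDIF file for the "blank line before the next dn:" mistake before it is handed to ldapadd. The sample passwd and shadow lines are constructed; the shadow hash is a placeholder.

```python
"""Added example (not from the lab or the migrationtools package): build an LDIF
entry for a local account in the layout migrate_passwd.pl produces with
$EXTENDED_SCHEMA = 1, and check an LDIF file before it goes to ldapadd."""

# Base context and mail domain, as set in migrate_common.ph in step (4)c.
BASE_DN = "dc=nad810,dc=com"
MAIL_DOMAIN = "nad810.com"
OBJECT_CLASSES = ["person", "organizationalPerson", "inetOrgPerson",
                  "posixAccount", "top", "shadowAccount"]

# Constructed sample input for the ldapuser account from step (4)a.
# The shadow hash is a placeholder, not a real password hash.
SAMPLE_PASSWD = "ldapuser:x:1001:100::/home/ldapuser:/bin/bash"
SAMPLE_SHADOW = "ldapuser:$6$saltsalt$PLACEHOLDERHASH:16769:0:99999:7:::"


def parse_shadow(lines):
    """Map login name -> /etc/shadow fields (name, hash, lastchg, min, max, warn, ...)."""
    shadow = {}
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 6 and fields[0]:
            shadow[fields[0]] = fields
    return shadow


def passwd_to_ldif(passwd_line, shadow=None, base_dn=BASE_DN, mail_domain=MAIL_DOMAIN):
    """Return the 'attr: value' lines of one inetOrgPerson/posixAccount/shadowAccount entry."""
    name, pw, uid, gid, gecos, home, shell = passwd_line.rstrip("\n").split(":")
    cn = gecos.split(",")[0].strip() or name   # full name, or the login when gecos is empty
    sn = cn.split()[-1]                        # inetOrgPerson requires sn
    lines = [f"dn: uid={name},ou=People,{base_dn}", f"uid: {name}", f"cn: {cn}",
             f"sn: {sn}", f"mail: {name}@{mail_domain}"]
    lines += [f"objectClass: {oc}" for oc in OBJECT_CLASSES]
    sh = (shadow or {}).get(name)
    # The hash is taken from /etc/shadow when available and copied verbatim under the
    # {crypt} scheme, so the resulting LDIF file must be protected like /etc/shadow.
    lines.append("userPassword: {crypt}" + (sh[1] if sh else pw))
    if sh:
        for attr, value in zip(("shadowLastChange", "shadowMin", "shadowMax",
                                "shadowWarning"), sh[2:6]):
            if value:
                lines.append(f"{attr}: {value}")
    lines += [f"loginShell: {shell}", f"uidNumber: {uid}", f"gidNumber: {gid}",
              f"homeDirectory: {home}"]
    if gecos:
        lines.append(f"gecos: {gecos}")
    return lines


def check_ldif(text):
    """Return the dn of every entry; raise if an entry does not start with exactly one
    dn: line (a missing blank line between entries shows up as two dn: lines)."""
    dns = []
    for block in text.split("\n\n"):
        entry = [l for l in block.splitlines() if l.strip() and not l.startswith("#")]
        if not entry:
            continue
        dn_lines = [l for l in entry if l.startswith("dn:")]
        if len(dn_lines) != 1 or not entry[0].startswith("dn:"):
            raise ValueError("entry must begin with exactly one dn: line: " + entry[0])
        dns.append(dn_lines[0][3:].strip())
    return dns


if __name__ == "__main__":
    ldif = "\n".join(passwd_to_ldif(SAMPLE_PASSWD, parse_shadow([SAMPLE_SHADOW]))) + "\n"
    print(ldif)
    print("entries:", check_ldif(ldif))
```

Because the generated file carries the {crypt} password hash, give it the same protection as /etc/shadow (owner root, mode 600) and remove it after the ldapadd import.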

(5) Import LDIF files into the OpenLDAP database

 ldapadd -x -D 'cn=Manager,dc=nad810,dc=com' -W -f /etc/openldap/ldif.base
 ldapadd -x -D 'cn=Manager,dc=nad810,dc=com' -W -f /etc/openldap/ldif.ldapuser

To test the OpenLDAP database:

ldapsearch -x -b 'dc=nad810,dc=com'  '(objectclass=*)'

(6) Use the sample database configuration file

  cp /usr/share/openldap-servers/DB_CONFIG.example  /var/lib/ldap/DB_CONFIG
  systemctl restart slapd.service

Part 2 - Setup and configure OpenLDAP Client

Required RPMS for LDAP client

  • openldap
  • openldap-clients
  • openldap-devel (optional)
  • nss_ldap

OpenLDAP Client configuration

Edit the client configuration file /etc/ldap.conf

1.- Find the line that starts with the word "host" and set the IP address to the appropriate value: use 127.0.0.1 if the OpenLDAP server is running on your own machine, otherwise set it to the IP address of the OpenLDAP server.

2.- Find the line that starts with the word "base" and set the context to your base directory. For the purpose of this lab, set it to: base dc=nad810,dc=com

3.- Find the line starting with "uri ldap://". If your client is the same machine as your server, leave 127.0.0.1; otherwise set it to the IP address of the OpenLDAP server.

Note: The lines "base" and "uri ldap://" should be set in /etc/openldap/ldap.conf file as well.

Edit the name service switch configuration file /etc/nsswitch.conf

Enable LDAP for user authentication.

NesTutorial for dummies: to configure the LDAP client through the text-menu interface instead, run:

 authconfig-tui

Test your OpenLDAP client with the ldapsearch command

ldapsearch -x 'uid=ldapuser'

To Complete the Lab

Document how to replace NIS with OpenLDAP and develop an interface to add new network users to the OpenLDAP server. Due Date: March 10, 2009