Difference between revisions of "OPS335-Lab-ldap"

From CDOT Wiki
Jump to: navigation, search
(COMPLETING THE LAB)
m (INVESTIGATION 1: Connecting a Client Machine to an LDAP server)
 
(45 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
* Practice creating users in OpenLDAP.
 
* Practice creating users in OpenLDAP.
 
* Set up linux machines to authenticate against an OpenLDAP server.
 
* Set up linux machines to authenticate against an OpenLDAP server.
* Learn to update lDAP information with ldif files.
+
* Learn to update LDAP information with ldif files.
  
 
=== Online Resources===
 
=== Online Resources===
Line 24: Line 24:
 
You won't be asked to set up an OpenLDAP server from scratch, we don't have time for that. So you can start with a VM I made for you.
 
You won't be asked to set up an OpenLDAP server from scratch, we don't have time for that. So you can start with a VM I made for you.
  
Download [https://scs.senecacollege.ca/~andrew.smith/srt210/lin3.qcow2 the disk image here] and set it up the same way you've set up the midterm test review. You only need 512MB of RAM. Connect it to your lab network.
+
Download [https://scs.senecacollege.ca/~andrew.smith/ops335/vm4.qcow2.gz the disk image here], extract it into '''images''' directory and set it up by "Importing existing disk image":
 +
* You only need 512MB of RAM.
 +
* Connect it to your ops335 network.
 +
* Change its IP address, gateway, DNS server address, hostname (FQDN) and DOMAIN/SEARCH parameter to match your network configuration.
 +
* You may find it helpful to add a record for vm4 in your DNS, and set up ssh-keys login to vm4.
  
The machine doesn't have any regular users, only root. Use whatever technique works for you to reset the root password so that you can log in.
+
The '''root''' password is '''seneca99'''.
  
 
OpenLDAP has been set up on it using [https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html this itzgeek guide]. You should read that guide even though you don't need to perform all those steps yourself.
 
OpenLDAP has been set up on it using [https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html this itzgeek guide]. You should read that guide even though you don't need to perform all those steps yourself.
  
My OpenLDAP server (lin3) has been set up with:
+
This OpenLDAP server (vm4) has been set up with:
* The Domain Components dc=andrew.dc=ops.
+
* The Domain Components <code>dc=andrew,dc=ops</code>.
 
* The admin username <code>ldaproot</code> and the password <code>seneca99ldap</code>
 
* The admin username <code>ldaproot</code> and the password <code>seneca99ldap</code>
* An Organisation Unit named People, for regular users.
+
* An Organisation Unit named <code>People</code>, for regular users.
* With one regular user <code>john</code>, whose password you should change using the ldappasswd command.
+
* With one regular user <code>john</code>, whose password you should change using the '''ldappasswd''' command.
  
The rest of your tasks for this section of the lab are:
+
The rest of your tasks for this section of the lab are to set up your vm1/vm2/vm3 to authenticate using the LDAP service hosted on vm4.
* Set up all your VMs to authenticate using the LDAP service hosted on lin3.
 
  
 
== INVESTIGATION 2: Adding Users to LDAP ==
 
== INVESTIGATION 2: Adding Users to LDAP ==
 
Perform the Following steps on your LDAP server VM:
 
Perform the Following steps on your LDAP server VM:
 
*Before we start adding users, we need to tell the tool that is going to translate between normal user accounts and LDAP structure a little about our domain.
 
*Before we start adding users, we need to tell the tool that is going to translate between normal user accounts and LDAP structure a little about our domain.
*Mmake a backup of the /usr/share/migrationstools/migrate_common.ph to the /root directory.
+
*Make a backup of the '''/usr/share/migrationtools/migrate_common.ph''' to the '''/root''' directory.
Modify the following parameters in the original file to the values shown below:
+
Modify the following parameters in the '''original''' file to the values shown below:
 
<source>$DEFAULT_MAIL_DOMAIN = "andrew.ops";
 
<source>$DEFAULT_MAIL_DOMAIN = "andrew.ops";
 
$DEFAULT_BASE = "dc=andrew,dc=ops";
 
$DEFAULT_BASE = "dc=andrew,dc=ops";
 
$EXTENDED_SCHEMA = 1;</source>
 
$EXTENDED_SCHEMA = 1;</source>
#Add a new user to this machine with your username and a UID of 10000.  Set their password as well.
+
*Add/Create a new user to this machine with your senecaID and a UID of 10000.  Set their password as well.
#Migrating them into LDAP will take several steps:
+
*Migrating them into LDAP will take several steps:
*Extract the passwd entries of your new user from /etc/passwd to a file called
+
*Extract the passwd entries of your new user from /etc/passwd to a file called ldapusers.entry
"ldapusers.entry"
 
 
<source>
 
<source>
 
grep -w <your username> /etc/passwd > /root/ldapusers.entry
 
grep -w <your username> /etc/passwd > /root/ldapusers.entry
  
 
</source>
 
</source>
*Use the migrate_passwd.pl file to convert the user information you extracted earlier into an ldif file:
+
*Use the '''migrate_passwd.pl''' file to convert the user information you extracted earlier into an ldif file:
<source>/usr/share/migrationtools/migrate_passwd.pl ldapusers.entry /root/ldapusers.ldif</source>
+
<source>/usr/share/migrationtools/migrate_passwd.pl /root/ldapusers.entry /root/ldapusers.ldif</source>
 
This should generate an ldif file similar to the following:
 
This should generate an ldif file similar to the following:
 
<source>
 
<source>
Line 83: Line 85:
 
</source>
 
</source>
  
*Use the ldapadd command to enter this new information into the database.  As before use simple authentication, the distinguished name of the ldap administrator, and get prompted for a password.</li>
+
*Use the '''ldapadd''' command to enter this new information into the database (see the Itzgeek [https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html/2 tutorial] for an example)Use simple authentication, the distinguished name of the ldap administrator, and get prompted for a password.
Use ldapsearch to confirm that the new users have been added to the database.<br />
+
* Use '''ldapsearch''' to confirm that the new users have been added to the database. You should get output similar to the following:
You should get output similar to the following:
 
 
<source>
 
<source>
 
# extended LDIF
 
# extended LDIF
Line 103: Line 104:
 
dc: andrew
 
dc: andrew
  
# Manager, andrew.ops
+
# ldaproot, andrew.ops
dn: cn=Manager,dc=andrew,dc=ops
+
dn: cn=ldaproot,dc=andrew,dc=ops
 
objectClass: organizationalRole
 
objectClass: organizationalRole
cn: Manager
+
cn: ldaproot
description: Directory Manager
+
description: LDAP Manager
  
 
# People, andrew.ops
 
# People, andrew.ops
Line 146: Line 147:
 
** jane with the UID 10001 and full name Jane Greystoke
 
** jane with the UID 10001 and full name Jane Greystoke
 
** guest with the uid 10002 and full name Andrew's Guests
 
** guest with the uid 10002 and full name Andrew's Guests
* Confirm that you can log in using all three usernames on all your nested VMs (except lin3).
 
  
== INVESTIGATION 3: Using Ldif Files ==
+
== INVESTIGATION 3: Authenticating against LDAP ==
 +
* Read the [https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html/2 second] page of the '''Itzgeek guide''' for instructions on how to configure a CentOS machine to authenticate against an LDAP server.
 +
* Prior to doing anything with it, backup your current configuration
 +
* Follow those instructions for '''vm1''', '''vm2''', and '''vm3'''. Make sure that you update the IP address of your server in the arguments to the '''authconfig''' command.
 +
* Confirm that you can log in using all three usernames on all your nested VMs (except vm4).
 +
 
 +
== INVESTIGATION 4: Using Ldif Files ==
 
An important capability of ldap is the ability to update the information in the database.
 
An important capability of ldap is the ability to update the information in the database.
 
*Most updates will be run with specially formatted ldif files.  These use the same structure as the files you created to add users, but will be shorter as they will only be changing one attribute.
 
*Most updates will be run with specially formatted ldif files.  These use the same structure as the files you created to add users, but will be shorter as they will only be changing one attribute.
 
*Each entry in an ldif file identifies an object to work with, and a changetype (which is an action to take on that object).  Depending on the changetype, there might be an extra line for information to be changed or added.
 
*Each entry in an ldif file identifies an object to work with, and a changetype (which is an action to take on that object).  Depending on the changetype, there might be an extra line for information to be changed or added.
*Write an ldif file called update1.ldif that will add the attribute roomNumber to the user with your username.  Set the value of roomNumber to be the room your class takes place in.
+
*Write an ldif file called '''update1.ldif''' that will '''add''' the attribute '''roomNumber''' to the user with your username.  Set the value of roomNumber to be the room your class takes place in (or any room number if you are taking the course online).
*Use ldapmodify to apply this file to your database, then run a search to confirm the new entry has been added.
+
*Use '''ldapmodify''' to apply this file to your database, then run '''ldapsearch''' to confirm the new entry has been added.
*Write a new ldif file called update2.ldif that will replace the email address of the user with your username so that it has your actual Seneca email address.  Use ldapmodify again to apply this change to the database.
+
*Write a new ldif file called '''update2.ldif''' that will '''replace''' the '''mail''' address of the user with your username so that it has your actual Seneca email address.  Use '''ldapmodify''' again to apply this change to the database.
*Write a third ldif file called update3.ldif to delete the user john from the database, then apply that change using ldapmodify again.
+
*Write a third ldif file called '''update3.ldif''' to '''delete''' the user '''john''' from the database, then apply that change using '''ldapmodify''' again.
*Use ldapsearch to confirm that these changes have taken place.
+
*Use '''ldapsearch''' to confirm that these changes have taken place.
 
*Note that it is possible to write ldif files to make multiple changes at once, but that is beyond this course.
 
*Note that it is possible to write ldif files to make multiple changes at once, but that is beyond this course.
 +
 +
'''Record steps, commands, and your observations in all INVESTIGATIONS here in your OPS335 lab log-book'''
 +
 +
{{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump or rsync command, and you should use  the Bash shell script that you were advised to create in order to backup all of your VMs.}}
  
 
== COMPLETING THE LAB ==
 
== COMPLETING THE LAB ==
 
You have now learned how to connect a client machine to an existing LDAP server for centralized authentication, as well as how to update the information held in that server.
 
You have now learned how to connect a client machine to an existing LDAP server for centralized authentication, as well as how to update the information held in that server.
  
'''Depending on your professor you will either be asked to submit the lab in class, or online. Follow the appropriate set of instructions below'''
+
===Online Submission===
 +
 
 +
Follow the instructions for lab 8 on blackboard.
 +
<!--
 +
===Andrew's sections===
  
===Online Submission (Peter Callaghan's sections only)===
+
You may choose to:
 +
* Submit screenshots of your work on Blackboard, in which case you don't need to come to the lab.
 +
* Or come to the lab, show me your work, and talk to me about it. I want to hear what you've learned and answer any questions you have.
  
Follow the instructions for lab X on blackboard.
+
You'll get the same grade regardless of how you choose to submit your work.
  
===In-Class submission===
+
::<span style="color:green;font-size:1.5em;">&#x2713;</span>vm4 set up.
To be completed by faculty who use in-class submission
+
::<span style="color:green;font-size:1.5em;">&#x2713;</span>vm1/2/3 can authenticate against the LDAP database in vm4.
 +
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Three users created in LDAP.
 +
-->
  
 
== EXPLORATION QUESTIONS ==
 
== EXPLORATION QUESTIONS ==

Latest revision as of 09:23, 12 April 2021

OBJECTIVE & PREPARATION

  • Learn some fundamental concepts and terminology used with LDAP.
  • Practice creating users in OpenLDAP.
  • Set up linux machines to authenticate against an OpenLDAP server.
  • Learn to update LDAP information with ldif files.

Online Resources

We'll use OpenLDAP in this course.

The purpose of LDAP the way it's used most of the time is relatively intuitive, but the implementation details will take longer to understand.

LDAP is a generic directory access protocol, but we'll look at it specifically as a server containing user credentials that can be used for authorization on multiple machines.

You should read as much of the OpenLDAP Administration Guide as you can handle. You'll find that parts of it make no sense at first, but as you get more practice with the software and the concepts they become easier to understand. As a minimum, read:

  • The introduction.
  • The quick start guide.
  • The configuration layout part of "Configuring slapd".
  • There is a glossary at the end of the guide. It's not complete and it doesn't have any details, but it's a good place to look when you get confused by weird-looking shorthands like dc, dn, or cn.

INVESTIGATION 1: Connecting a Client Machine to an LDAP server

You won't be asked to set up an OpenLDAP server from scratch, we don't have time for that. So you can start with a VM I made for you.

Download the disk image here, extract it into images directory and set it up by "Importing existing disk image":

  • You only need 512MB of RAM.
  • Connect it to your ops335 network.
  • Change its IP address, gateway, DNS server address, hostname (FQDN) and DOMAIN/SEARCH parameter to match your network configuration.
  • You may find it helpful to add a record for vm4 in your DNS, and set up ssh-keys login to vm4.

The root password is seneca99.

OpenLDAP has been set up on it using this itzgeek guide. You should read that guide even though you don't need to perform all those steps yourself.

This OpenLDAP server (vm4) has been set up with:

  • The Domain Components dc=andrew,dc=ops.
  • The admin username ldaproot and the password seneca99ldap
  • An Organisation Unit named People, for regular users.
  • With one regular user john, whose password you should change using the ldappasswd command.

The rest of your tasks for this section of the lab are to set up your vm1/vm2/vm3 to authenticate using the LDAP service hosted on vm4.

INVESTIGATION 2: Adding Users to LDAP

Perform the Following steps on your LDAP server VM:

  • Before we start adding users, we need to tell the tool that is going to translate between normal user accounts and LDAP structure a little about our domain.
  • Make a backup of the /usr/share/migrationtools/migrate_common.ph to the /root directory.

Modify the following parameters in the original file to the values shown below:

$DEFAULT_MAIL_DOMAIN = "andrew.ops";
$DEFAULT_BASE = "dc=andrew,dc=ops";
$EXTENDED_SCHEMA = 1;
  • Add/Create a new user to this machine with your senecaID and a UID of 10000. Set their password as well.
  • Migrating them into LDAP will take several steps:
  • Extract the passwd entries of your new user from /etc/passwd to a file called ldapusers.entry
grep -w <your username> /etc/passwd > /root/ldapusers.entry
  • Use the migrate_passwd.pl file to convert the user information you extracted earlier into an ldif file:
/usr/share/migrationtools/migrate_passwd.pl /root/ldapusers.entry /root/ldapusers.ldif

This should generate an ldif file similar to the following:

dn: uid=<your username>,ou=People,dc=andrew,dc=ops
uid: <your username>
cn: <your username>
sn: <your username>
mail: <your username>@andrew.ops
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}
$6$PBqQXRo/ugCCjBe0.ZgvmJl8U2tVjpdR8X9bh4OZ1cl3mv4xf0Hv1HSDavkxusO8R3lI
uuJ7skrfqpTQpbZ6hbd3e3BGB.
shadowLastChange: 17120
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/<your username>
  • Use the ldapadd command to enter this new information into the database (see the Itzgeek tutorial for an example). Use simple authentication, the distinguished name of the ldap administrator, and get prompted for a password.
  • Use ldapsearch to confirm that the new users have been added to the database. You should get output similar to the following:
# extended LDIF
#
# LDAPv3
# base <dc=andrew,dc=ops> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# andrew.ops
dn: dc=andrew,dc=ops
objectClass: top
objectClass: dcObject
objectClass: organization
o: andrew ops
dc: andrew

# ldaproot, andrew.ops
dn: cn=ldaproot,dc=andrew,dc=ops
objectClass: organizationalRole
cn: ldaproot
description: LDAP Manager

# People, andrew.ops
dn: ou=People,dc=andrew,dc=ops
objectClass: organizationalUnit
ou: People

# <your username>, People, andrew.ops
dn: uid=<your username>,ou=People,dc=andrew,dc=ops
uid: <your username>
cn: <your username>
sn: <your username>
mail: <your username>@andrew.ops
objectClass: personobjectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFBCcVFYUm8vJHVnQ0NqQmUwLlpndm1KbDhVMnRWanBkUjhYOWJ
oNE9aMWNsM212NHhmMEh2MUhTRGF2a3h1c084UjNsSXV1Sjdza3JmcXBUUXBiWjZoYmQzZTNCR0Iu
shadowLastChange: 17120
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/<your username>

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 5
  • Repeat the process to create two more users:
    • jane with the UID 10001 and full name Jane Greystoke
    • guest with the uid 10002 and full name Andrew's Guests

INVESTIGATION 3: Authenticating against LDAP

  • Read the second page of the Itzgeek guide for instructions on how to configure a CentOS machine to authenticate against an LDAP server.
  • Prior to doing anything with it, backup your current configuration
  • Follow those instructions for vm1, vm2, and vm3. Make sure that you update the IP address of your server in the arguments to the authconfig command.
  • Confirm that you can log in using all three usernames on all your nested VMs (except vm4).

INVESTIGATION 4: Using Ldif Files

An important capability of ldap is the ability to update the information in the database.

  • Most updates will be run with specially formatted ldif files. These use the same structure as the files you created to add users, but will be shorter as they will only be changing one attribute.
  • Each entry in an ldif file identifies an object to work with, and a changetype (which is an action to take on that object). Depending on the changetype, there might be an extra line for information to be changed or added.
  • Write an ldif file called update1.ldif that will add the attribute roomNumber to the user with your username. Set the value of roomNumber to be the room your class takes place in (or any room number if you are taking the course online).
  • Use ldapmodify to apply this file to your database, then run ldapsearch to confirm the new entry has been added.
  • Write a new ldif file called update2.ldif that will replace the mail address of the user with your username so that it has your actual Seneca email address. Use ldapmodify again to apply this change to the database.
  • Write a third ldif file called update3.ldif to delete the user john from the database, then apply that change using ldapmodify again.
  • Use ldapsearch to confirm that these changes have taken place.
  • Note that it is possible to write ldif files to make multiple changes at once, but that is beyond this course.

Record steps, commands, and your observations in all INVESTIGATIONS here in your OPS335 lab log-book

Important.png
Backup your VMs!
You MUST perform a full backup of ALL of your VMs whenever you complete your OPS335 labs or when working on your OPS335 assignments. You should be using the dump or rsync command, and you should use the Bash shell script that you were advised to create in order to backup all of your VMs.

COMPLETING THE LAB

You have now learned how to connect a client machine to an existing LDAP server for centralized authentication, as well as how to update the information held in that server.

Online Submission

Follow the instructions for lab 8 on blackboard.

EXPLORATION QUESTIONS