
Open LDAP

Revision as of 08:54, 23 February 2016 by Msaul (talk | contribs)

LDAP RESOURCES

Online References:


OBJECTIVES

The OpenLDAP software package is an Open Source and Free implementation of the Lightweight Directory Access Protocol (LDAP). It is gaining wide acceptance as the directory access method of the Internet and also with corporate intranets.

In this lab, you set up and configure an OpenLDAP server and clients to provide a network user authentication service. You can then use the OpenLDAP client/server to replace your NIS client/server for network user authentication.


Note: OpenLDAP uses TCP port 389 for regular (unencrypted) communication and TCP port 636 for encrypted (LDAPS) transactions.

INVESTIGATION 1: OpenLDAP server setup and configuration on CentOS 7

Install the following packages required for the OpenLDAP server on centos2:

openldap openldap-clients openldap-devel openldap-servers nss_ldap migrationtools

Reference:

Text Book Chapter 17
OpenLDAP Documentation: file:///usr/share/doc/openldap-servers-2.3.27/guide.html
Sample nsswitch configuration file for LDAP: /usr/share/doc/nss_ldap-220/nsswitch_ldap

OpenLDAP Server configuration Summary overview

Create an OpenLDAP database

Create an OpenLDAP “root” password and edit the OpenLDAP main configuration file /etc/openldap/slapd.conf

Start the OpenLDAP server daemon

Create an LDIF file for importing to the OpenLDAP database

Import an LDIF file into the OpenLDAP database

OpenLDAP Server configuration details:

*** Complete this step on centos2 ***

Only the LDAP "rootdn" user can create, import, and export data in an LDAP database. Use the slappasswd command to create a password hash and put it in the LDAP configuration file:

slappasswd

New password: [enterpassword]

Re-enter new password: [enterpassword]

{SSHA}3NVLOWwqIMka3OyIYLyGrrkirD0pU0Qx <-- Copy this hash into the configuration file as outlined below. This is sample output only; copy what your own command outputs.

Modify the configuration file (/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif). Specifically the following lines need to be added/changed to show as:

olcSuffix: dc=learnid,dc=org

olcRootDN: cn=Manager,dc=learnid,dc=org

olcRootPW: {SSHA}3NVLOWwqIMka3OyIYLyGrrkirD0pU0Qx

olcDbDirectory: /var/lib/ldap (add this line only if it doesn't already exist)


Modify the configuration file (/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif). Add a password entry only using YOUR output from the slappasswd command:

olcRootPW: {SSHA}3NVLOWwqIMka3OyIYLyGrrkirD0pU0Qx
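The steps above edit the files under /etc/openldap/slapd.d by hand. The same three attributes can also be set through the running server with ldapmodify over the ldapi:/// socket, which keeps the per-file CRC checksums that slapd writes consistent and is the method the OpenLDAP admin guide prefers over editing slapd.d directly. The script below is an added example and not part of the lab; it assumes the lab's suffix and rootdn, a running slapd, and that root on the server is mapped to the cn=config manager via SASL EXTERNAL (the CentOS 7 default). The usage lines are comments because they need the server.

```shell
#!/bin/sh
# Added example (not from the lab page): build the cn=config changes for the
# {2}hdb database as an LDIF modify operation instead of editing the files under
# /etc/openldap/slapd.d by hand.  Suffix, rootdn and the hash are passed in.

# Succeed if $1 looks like a slappasswd {SSHA} hash: the tag followed by base64.
# Anything else (for example a cleartext password pasted by mistake) is rejected.
valid_ssha_hash() {
    printf '%s\n' "$1" | grep -Eq '^\{SSHA\}[A-Za-z0-9+/]{20,}={0,2}$'
}

# Print the LDIF that sets olcSuffix, olcRootDN and olcRootPW on olcDatabase={2}hdb.
# Arguments: suffix rootdn hash
build_db_ldif() {
    valid_ssha_hash "$3" || { echo "refusing: '$3' is not an {SSHA} hash" >&2; return 1; }
    printf 'dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\n'
    printf 'replace: olcSuffix\nolcSuffix: %s\n-\n' "$1"
    printf 'replace: olcRootDN\nolcRootDN: %s\n-\n' "$2"
    printf 'replace: olcRootPW\nolcRootPW: %s\n' "$3"
}

# Same for the config database ({0}config): only the root password is set there.
# Argument: hash
build_config_ldif() {
    valid_ssha_hash "$1" || { echo "refusing: '$1' is not an {SSHA} hash" >&2; return 1; }
    printf 'dn: olcDatabase={0}config,cn=config\nchangetype: modify\n'
    printf 'replace: olcRootPW\nolcRootPW: %s\n' "$1"
}

# Usage on the server, as root, with slapd already running:
#   hash=$(slappasswd)                      # prompts twice, prints {SSHA}...
#   build_db_ldif dc=learnid,dc=org cn=Manager,dc=learnid,dc=org "$hash" \
#       | ldapmodify -Y EXTERNAL -H ldapi:///
#   build_config_ldif "$hash" | ldapmodify -Y EXTERNAL -H ldapi:///
```

The "replace" form creates the attribute when it is absent and overwrites it when it is present, so the same LDIF works on a fresh install and on a server that already has a suffix configured.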

Start the OpenLDAP server daemon and enable it to start on boot:

sudo systemctl start slapd

sudo systemctl enable slapd

To verify that the service is working, try the following query command (an empty search base with -s base returns the server's root DSE, which lists the configured suffixes):

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

Create an LDIF file for importing to the OpenLDAP database

a. add a user called "ldapuser"

useradd -g users ldapuser

passwd ldapuser

b. extract the passwd entry of ldapuser from /etc/passwd to a file called "entry.ldapuser"

grep -w ldapuser /etc/passwd > /etc/openldap/entry.ldapuser

c. extract the passwd entry of root from /etc/passwd to a file called "entry.root" (the pattern is anchored with ^root: so that other entries whose home directory is /root, such as operator, are not matched)

grep '^root:' /etc/passwd > /etc/openldap/entry.root

d. Before running the migration script, edit the file “migrate_common.ph” in /usr/share/migrationtools and change the following lines to match your base domain. If you don't change these, the migration script will use the default values which are "padl.com", "dc=padl,dc=com".

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "learnid.org";

# Default base
$DEFAULT_BASE = "dc=learnid,dc=org";

e. Convert the entries for ldapuser and root to the LDIF format (ldif.ldapuser and ldif.root)

(Note that "\" is used to tell the shell that the next line is a continuation of the current line)

For ldapuser:

/usr/share/migrationtools/migrate_passwd.pl \
/etc/openldap/entry.ldapuser /etc/openldap/ldif.ldapuser

For root:

/usr/share/migrationtools/migrate_passwd.pl \
/etc/openldap/entry.root /etc/openldap/ldif.root

f. create an LDIF file (in /etc/openldap) for your domain (ldif.learnid.org)

dn: dc=learnid,dc=org
dc: learnid
description: root LDAP entry for learnid
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

g. create an LDIF file (in /etc/openldap) for the container People (ldif.people)

dn: ou=People,dc=learnid,dc=org
ou: People
description: All people in learnid
objectClass: organizationalUnit

Before importing the user LDIF files, the required schemas must be imported with the following commands (the -x selects a simple bind as cn=config using the olcRootPW you set above; without it ldapadd ignores -D and attempts a SASL bind instead):

ldapadd -x -D "cn=config" -W -H ldapi:// -f /etc/openldap/schema/cosine.ldif

ldapadd -x -D "cn=config" -W -H ldapi:// -f /etc/openldap/schema/nis.ldif

Import LDIF files into the OpenLDAP database (the order matters: the domain entry must exist before the entries beneath it)

ldapadd -x -D "cn=Manager,dc=learnid,dc=org" -W -f /etc/openldap/ldif.learnid.org

ldapadd -x -D "cn=Manager,dc=learnid,dc=org" -W -f /etc/openldap/ldif.root

ldapadd -x -D "cn=Manager,dc=learnid,dc=org" -W -f /etc/openldap/ldif.ldapuser
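Steps b through g turn /etc/passwd lines into LDIF and then import them. The shell functions below are an added example, not the lab's or migrationtools' own code: one does the same conversion for a single passwd line (the attribute set is what a posixAccount/shadowAccount entry needs), the other lints an LDIF file before ldapadd. The lint checks that every dn sits under the expected base, which catches an unchanged dc=padl,dc=com default from step d, and that no userPassword is the {crypt}x placeholder (what this converter emits when no hash is supplied, so the account can never authenticate) or a cleartext value. The passwd line and hash in the usage lines are constructed.

```shell
#!/bin/sh
# Added example, not the lab's or migrationtools' code: convert one /etc/passwd line
# into a posixAccount LDIF entry and lint an LDIF file before it is fed to ldapadd.

# passwd_to_ldif 'passwd-line' base-dn [password-hash]
# Without a hash the entry carries the {crypt}x placeholder, which no login can match.
passwd_to_ldif() {
    IFS=: read -r name pwfield uid gid gecos home shell <<EOF
$1
EOF
    [ -n "$name" ] && [ -n "$uid" ] || return 1        # not a passwd line
    printf 'dn: uid=%s,ou=People,%s\n' "$name" "$2"
    printf 'uid: %s\ncn: %s\n' "$name" "${gecos:-$name}"
    printf 'objectClass: account\nobjectClass: posixAccount\n'
    printf 'objectClass: top\nobjectClass: shadowAccount\n'
    printf 'userPassword: {crypt}%s\n' "${3:-x}"
    printf 'loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n\n' \
        "$shell" "$uid" "$gid" "$home"
}

# lint_ldif base-dn < file.ldif
# Every dn must end in base-dn (an unchanged migrate_common.ph leaves dc=padl,dc=com),
# and every userPassword must be a hashed value, not a placeholder or cleartext.
# Prints one line per problem and fails if any were found.
lint_ldif() {
    awk -v base="$1" '
        BEGIN { bad = 0 }
        /^dn: / {
            dn = substr($0, 5)
            if (substr(dn, length(dn) - length(base) + 1) != base) { print "wrong base: " dn; bad = 1 }
        }
        /^userPassword: / {
            pw = substr($0, 15)
            if (pw ~ /^[{]crypt[}][x*!]?$/)     { print "no usable password: " dn; bad = 1 }
            else if (pw !~ /^[{][A-Za-z0-9]+[}]/) { print "cleartext password: " dn; bad = 1 }
        }
        END { exit bad }'
}

# Usage (constructed passwd line and hash; run as root on the server):
#   passwd_to_ldif 'ldapuser:x:1001:100::/home/ldapuser:/bin/bash' dc=learnid,dc=org \
#       '$6$constructedsalt$constructedhash' > /etc/openldap/ldif.ldapuser
#   lint_ldif dc=learnid,dc=org < /etc/openldap/ldif.ldapuser && \
#       ldapadd -x -D "cn=Manager,dc=learnid,dc=org" -W -f /etc/openldap/ldif.ldapuser
```

Running lint_ldif over the files that migrate_passwd.pl produced (ldif.root and ldif.ldapuser) is a quick way to confirm step d took effect before anything reaches the directory.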

To test the OpenLDAP database:

ldapsearch -x -b 'dc=learnid,dc=org' '(objectclass=*)'

Part 2 - Setup and configure OpenLDAP Client

*** to be completed on centos3 ***

Required RPMS for LDAP client:

openldap openldap-clients nss_ldap nss-pam-ldapd

OpenLDAP Client configuration

If you would like to actually log into the client machines as an LDAP user, you need to reconfigure how the system authenticates logins. Use the "authconfig-tui" tool on the client machine.

*** Note: the LDAP user does not have a home directory on the client unless you provide it via NFS. ***

1. Configure the name service switch configuration file (/etc/nsswitch.conf) to use ldap for authentication:

passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap

2. Edit the LDAP client configuration file (/etc/openldap/ldap.conf) to set the search base (the syntax is "BASE <dn>" with no colon):

BASE dc=learnid,dc=org

To complete the lab, show the output of the "ldapsearch" command to your instructor or lab assistant.

ldapsearch -x -b 'dc=learnid,dc=org' -h ip-of-your-ldap-server 'uid=ldapuser'
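Both client files can be checked before the final ldapsearch. The functions below are an added example (not from the lab) that read an nsswitch.conf and an ldap.conf on standard input: the first confirms that passwd, shadow and group all list ldap, the second that BASE is set to the expected DN and reports any URI that uses plain ldap:// on port 389 rather than ldaps:// on port 636, the unencrypted and encrypted ports noted at the top of the lab. The sample file contents in the usage lines are constructed.

```shell
#!/bin/sh
# Added example, not from the lab: check the two client files before trying an
# LDAP login.  Each function reads one file on stdin so a copy can be checked first.

# Succeed when the nsswitch.conf on stdin lists "ldap" for passwd, shadow and group;
# print each database that does not and fail otherwise.
nss_has_ldap() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*#/ { next }                      # skip comment lines
        $1 ~ /^(passwd|shadow|group):$/ {
            db = substr($1, 1, length($1) - 1)         # "passwd:" -> "passwd"
            for (i = 2; i <= NF; i++) if ($i == "ldap") ok[db] = 1
        }
        END {
            n = split("passwd shadow group", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in ok)) { print "missing ldap: " want[i]; bad = 1 }
            exit bad
        }'
}

# Succeed when the ldap.conf on stdin sets BASE to $1 (syntax is "BASE <dn>", no colon,
# keyword case-insensitive).  Also report any URI that uses plain ldap:// (port 389,
# unencrypted) instead of ldaps:// (port 636).
ldap_conf_check() {
    awk -v want="$1" '
        /^[[:space:]]*#/ { next }
        toupper($1) == "BASE" { base = $2 }
        toupper($1) == "URI"  {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^ldap:\/\//) print "unencrypted URI: " $i
        }
        END {
            if (base == "")   { print "BASE not set"; exit 1 }
            if (base != want) { print "BASE is " base ", expected " want; exit 1 }
        }'
}

# Usage on the client (constructed example values):
#   nss_has_ldap < /etc/nsswitch.conf
#   ldap_conf_check dc=learnid,dc=org < /etc/openldap/ldap.conf
#   printf 'BASE: dc=learnid,dc=org\n' | ldap_conf_check dc=learnid,dc=org   # reports "BASE not set"
```

A BASE line written with a colon is silently ignored by the client library and shows up here as "BASE not set", which is the usual reason the final ldapsearch returns nothing when -b is omitted.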

COMPLETING THE LAB

Arrange proof that you can send e-mail from your VM2 machine to your Seneca College e-mail account, and that you can send and receive e-mail messages locally on your VM2 machine only. Also show your logbook notes regarding MTA information from your sent email header on your Seneca College mail account.


EXPLORATION QUESTIONS