Open main menu

CDOT Wiki β

Changes

OPS535-lab-ldap

6,825 bytes added, 14:50, 21 July 2023
m
Protected "OPS535-lab-ldap": OER transfer ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite))
==Pre-Requisites==
The pre-lab must be complete so that your virtual machines share access to a private network. Lab 1 must be complete so each machine has a well configured firewall. Make sure each machine is fully updated. ==References==* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-sssd-to-use-ldap-and-require-tls-authentication_configuring-authentication-and-authorization-in-rhel* https://www.golinuxcloud.com/configure-openldap-with-tls-certificates/* https://www.golinuxcloud.com/ldap-client-rhel-centos-8* https://kifarunix.com/configure-sssd-for-openldap-authentication-on-centos-8/
==Investigation 1: OpenLDAP Server Setup and Configuration==
{{Admon/important|Warning|Make a backup before you start this lab. It is very difficult to recover this service if you make a mistake in configuration.}}Perform the following steps on vm1:
<ol>
<li>Install yum-utils</li>
<li>Install the symas ldap repo (who now maintain a version of it available for Centos 8:
<ul><li>yum-config-manager --add-repo=https://repo.symas.com/configs/SOFL/rhel8/sofl.repo</li></ul></li>
<li>Install the following packages
*openldap
*symas-openldap-clients*symas-openldap-servers*migrationtoolsperl
</li>
<li>In older releases a package called 'migrationtools' was available that contained a number of perl scripts used to convert information from other sources (e.g. /etc/passwd) into ldif files. Since it is no longer part of standard repos in Centos 8, download the copy I have provided on blackboard and extract it to /usr/share/migrationtools.</li>
<li>Check the content of the file directory '''/etc/openldap/slapd.d/cn=config/''' for the top branch of OpenLDAP directory configuration files:
<source>
cn=schema
cn=schema.ldif
olcDatabase={0}config.ldifolcDatabaseldifolcDatabase={1}monitor.ldif
olcDatabase={-1}frontend.ldif
olcDatabase={2}hdbmdb.ldif
</source>
Examine the contents of olcDatabase={2}hbdmbd.ldif:
<source>
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfigolcMdbConfigolcDatabase: {2}hdbmdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfigolcMdbConfig
entryUUID: 5a8d299a-3f2f-1036-9244-a7abff537081
creatorsName: cn=config
<li>Start the ldap service ('''slapd'''), and ensure that it will automatically start when your machine boots.
Check the status of the service and ensure that it started without error before continuing.</li>
<li>Use the ldap add command to add the cosine, nis, and inetorgperson schemata to your server'''in that order'''.
Use the authentication type '''EXTERNAL''', and '''ldapi:///''' as the host.</li>
<li>List the schema directory again. This time you should see the core schema, along with the three schemata you just added.</li>
<source>
# customize domain name
dn: olcDatabase={2}hdbmdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ops535,dc=com
dn: olcDatabase={2}hdbmdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ops535,dc=com
dn: olcDatabase={2}hdbmdb,cn=config
changetype: modify
add: olcRootPW
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdbmdb,cn=config"
modifying entry "olcDatabase={2}hdbmdb,cn=config"
modifying entry "olcDatabase={2}hdbmdb,cn=config"
</source>
</li>
<li>Examine the contents of your '''/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdbmdb.ldif''' file again. Your ldif file should have changed three fields. Try to identify them.</li>
<li>Create an LDIF file for the base context ops535.com entry to be added to the OpenLDAP
directory. Name the file as base.ldif.
<li>
Before we start adding users, we need to provide the migration tools some information about our domain.
 
Before you change anything, make a backup of the /usr/share/migrationstools/migrate_common.ph to the /root directory.
Modify the following parameters in the original file to the values shown below:
# numEntries: 5
</source></li>
<li>MOdify Create an ldif file called group.ldif that will add an organizational unit with the distinguished name '''ou=Group, dc=ops535, dc=com'''.It will act as an organizer for group information.</li><li>Use the /etc/group file and migrate_group.pl to create an ldif file that will add the group entries for ldapuser1 and ldapuser2 to your database.</li><li>Add the group entries for ldapuser1 and ldapuser2 to your database.Use ldapsearch to confirm that they have been added.</li><li>Modify your firewall to allow incoming ldap traffic from your internal zone. Makew Make sure that this change persists past reboot.</li>
</ol>
==Investigation 2: Modifying OpenLDAP Server Configuration to use TLS=={{Admon/important|Warning|This is a good time to make another backup of VM1.}}In this investigation we will modify the OpenLDAP server we just created to use TLS to encrypt the data it provides, you should notice that many of these steps are similar to the process of modifying postfix and apache servers to use TLS. Perform these steps on vm1.<ol><li>Install the openssl package</li><li>Run the following commands to create a self-signed TLS certificate for your server (make sure you replace the values with ones from your machine):{{Admon/important|Warning|As you run these commands, read the output carefully. If you encounter any errors you must resolve them before continuing to the next command.}}<source>openssl genrsa -des3 -out ca.key 4096openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pemopenssl genrsa -out vm1.pcallagh.ops.key 4096openssl req -new -key vm1.pcallagh.ops.key -out vm1.pcallagh.ops.csropenssl x509 -req -in vm1.pcallagh.ops.csr -CA ca.cert.pem -CAkey ca.key -out vm1.pcallagh.ops.crt -CAcreateserial -days 365 -sha256</source></li><li>Copy the certificate, the private key, and the certificte authority file to an appropriate directory (make sure the directory and the files in it are owned by the ldap account and that the directory has permissions set to 0700 and the files have 0600):<source>cp ldap.pcallagh.ops.crt ldap.pcallagh.ops.key ca.cert.pem /etc/openldap/certs/</source></li><li>Write an ldif file and add the following values to '''dn: cn=config''' (again making sure to put in values from your own machine):<source>olcTLSCertificateFile: /etc/openldap/certs/vm1.pcallagh.ops.crtolcTLSCertificateKeyFile: /etc/openldap/certs/vm1.pcallagh.ops.keyolcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem</source>{{Admon/important|Warning|Read the output of the ldapmodify command carefully. If you encounter any errors you must resolve them before continuing to the next command.}}</li><li>You can use slapcat to ensure they are set correctly:<source>slapcat -b "cn=config" | egrep "Certificate(Key)?File"</source></li><li>Update /etc/openldap/ldap.conf to locate your CACERT, and to indicate that ldaps is now allowed:<ul><li>Set the URI parameter to ldaps://vm1.<yourdomain>.ops. It is suggested you also include ldapi:/// so local connections are allowed.</li><li>Set TLSCACERT to the absolute path of your certificate authority file (e.g. /etc/openldap/certs/ca.cert.pem).</li><li>Set TLSCACERTDIR to the directory your certificate authority file is in (e.g. /etc/openldap/certs).</li></ul></li><li>Update your firewall to permanently allow ldaps instead of ldap.</li><li>Double check that you can still use ldapsearch before continuing to the next investigation.</li></ol> ==Investigation 3: Setup and Configure OpenLdap ClientThrough SSSD ==
Perform the following steps on vm2:
<ol>
<li>Install yum-utils</li>
<li>Install the symas ldap repo
<li>Install the following packages
*symas-openldap-clients*openldapsssd*sssd-clientsldap*nss_ldapsssd-tools*nssopenssl-pam-ldapdperl</li><li>If you would like to actually log into the client machines as an ldap user, you need to reconfigure the way the system authentication processes your login. Use To do this, you will use the “authconfig” authselect tool on the client machine.<br />
Note: the ldap user does not have home directory on the client unless you provide it via NFS.</li>
<li>Prior to making any changes to how your machines handle login information, use Copy the server's signed certificate onto the authconfigclient:*openssl s_client -connect <hostname or ip address of your ldap server>:636 -showcerts < /dev/null | openssl x509 -savebackup command to save your current configuration into text > /etc/rootopenldap/ldapcerts/backupcacert.crt</li><li>Use Set up the authconfig command to configure your vm SSSD service to use vm1 as ldap for authentication.<ul><li>Start by adding the ldap serverfollowing settings to /etc/sssd/sssd.conf<br />Note that you will may have to enable create /etc/sssd/sssd.conf yourself. Make sure the file is owned by root:root and that the permissions are 0600.<source>[sssd]services = nss, pamconfig_file_version = 2domains = default [sudo] [nss]homedir_substring = /home [pam]offline_credentials_expiration = 60 [domain/default]ldap_id_use_start_tls = Truecache_credentials = Trueldap_search_base = <The Base DN from your ldap server>id_provider = ldapauth_provider = ldapchpass_provider = ldapaccess_provider = ldapldap_uri = ldaps://<HOSTNAME or IP ADDRESS of your ldap server>ldap_chpass_uri = ldaps://<HOSTNAME or IP ADDRESS of your ldap authentication, identify server>ldap_tls_reqcert = allowldap_tls_cacert = <The absolute path of the certificate you copied over from the server>ldap_tls_cacertdir = <The absolute path to the directory the ldap server's certificate is in>ldap_search_timeout = 50ldap_network_timeout = 60ldap_access_order = filterldap_access_filter = (objectClass=posixAccount)</source></li><li>Now direct sssd to use those changes by running 'authselect select sssd --force'. you need the --force option to make it make changes to several files.</li><li>Test your configuration with 'sssctl config-check' and fix any errors it identifies</li><li>Once your configuration passes the sssctl check, start and the base distinguished name in a single commandenable sssd.</li></ul></li><li>Check Test that your machine is connected to the name service switch configuration file ldap server by searching for the ldapuser 1 account:<source>id ldapuser1</source>You should get something similar to the following (but may not be exactly the same):<source>uid=1002(ldapuser1) gid=1002(ldapuser1) groups=1002(ldapuser1)</source></li><li>If you want to be able to use commands like ldapsearch from this machine, you will also need to configure ldap in /etc/nsswitchopenldap/ldap.conf . This configuration file should already exist, you just need to confirm that modify the parameters to identify the LDAP isserver and location of its certificate.<ul><li>BASE <base DC from your ldap server></li><li>URI ldaps://<hostname or ip address of your ldap server></li>enabled<li>TLS_CACERT <the absolute path of the certificate you downloaded from the server earlier.></li><li>TLS_CACERTDIR <the directory you saved the certificate in></li></ul></li> 
<li>Test your OpenLDAP client with the ldapsearch command.
<source>ldapsearch -x 'uid=ldapuser1'</source>
You should get something results similar to the following (but may not be exactly the same):
<source>
# extended LDIF
# numResponses: 2
# numEntries: 1
</source></li>
<li>Logout of the client machine, then log back in using the ldapuser1 account.</li>
<li>Repeat steps 1 through 6 7 on vm3.</li>
</ol>
==Investigation 34: Update LDAP Configuration==<ol><li>Add the following user accounts to your LDAP server:<br/>user name: your seneca id – password: pick your own<br/>rchan – password: ops535<br/>
seneca – password: ops535</li>
<li>Run the ldapsearch command for each user, and confirm that their information is correct</li>
<li>Consult the man page on ldapdelete to find out how to remove an LDAP user. Delete ldapuser2.</li>
</ol>
 
==Completing the Lab==