Open main menu

CDOT Wiki β

Changes

OPS535-lab-ldap

13,921 bytes added, 14:02, 11 September 2019
Moving ldap lab from pdf file to wiki
[[Category: OPS535]][[Category: OPS535-Labs]][[Category: peter.callaghan]]
=OPS535 Lab 3=
==Purpose==
The OpenLDAP software package is a Free and Open Source implementation of the Lightweight Directory Access Protocol (LDAP). It is gaining wide acceptance as the directory access method of the Internet and also with corporate intranets.
In this lab, you set up and configure an OpenLDAP server to provide directory service for LDAP Clients to authenticate network users. You can use OpenLDAP server to replace NIS to centrally store network user account information for OpenLDAP client to authenticate network users.
The basic components of an LDAP server are its Object Classes and Attribute types defined in one or more Schema. To provide the necessary attribute types (ie. Field) for storing Linux (or Unix, aka Posix) user accounts, you need to include the “cosine”, “nis”, and “inetorgperson” schemata in addition to the “core” schema.
Notes: OpenLDAP Use TCP port 389 for regular network communication between clients and servers, and use port 636 for encrypted network communication between clients and servers. If you have firewalls between your LDAP server and LDAP clients, you need to open the above TCP ports on the firewall to allow LDAP traffic to get through.

Designate vm1 as your LDAP server and use vm2 and vm3 as LDAP clients

==Pre-Requisites==
The pre-lab must be complete so that your virtual machines share access to a private network.

==Investigation 1: OpenLDAP Server Setup and Configuration==
Perform the following steps on vm1:
<ol>
<li>Install the following packages
*openldap
*openldap-clients
*openldap-servers
*migrationtools
</li>
<li>Check the content of the file directory '''/etc/openldap/slapd.d/cn=config/''' for the top branch of OpenLDAP directory configuration files:
<source>
cn=schema
cn=schema.ldif
olcDatabase={0}config.ldifolcDatabase={1}monitor.ldif
olcDatabase={-1}frontend.ldif
olcDatabase={2}hdb.ldif
</source>
Examine the contents of olcDatabase={2}hbd.ldif:
<source>
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 d9b49d55
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 5a8d299a-3f2f-1036-9244-a7abff537081
creatorsName: cn=config
createTimestamp: 20161115032843Z
entryCSN: 20161115032843.258885Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20161115032843Z
</source>
</li>
<li>Verify that the directory for storing the OpenLDAP database ('''/var/lib/ldap''') is owned by ldap:ldap. If this is not the case, fix it now.</li>
<li>Verify that the core schema file ('''/etc/openldap/slapd.d/cn=config/cn=schema''') is also owned by ldap:ldap.</li>
<li>Start the ldap service ('''slapd'''), and ensure that it will automatically start when your machine boots.
Check the status of the service and ensure that it started without error before continuing.</li>
<li>Use the ldap add command to add the cosine, nis, and inetorgperson schemata to your server.
Use the authentication type '''EXTERNAL''', and '''ldapi:///''' as the host.</li>
<li>List the schema directory again. This time you should see the core schema, along with the three schemata you just added.</li>
<li>Run an ldapsearch to check that the service is running and will respond to queries:
<source>[root@rns ~]# ldapsearch -x -b '' -s base '(objectClass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=my-domain,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
</source></li>
<li>Next, you will need a password for the ldap administrator (RootDN), so that they can run commands to modify the database.
Use the slappasswd command to create one, and record the output.</li>
<li>Insert your new password into the following ldif file, and apply it to your database with the ldapmodify command.
{{Admon/important|Warning|Do not store your ldif files (or any other files) in the ldap configuration directory. Every file in that directory is automatically read as configuration for ldap.}}
<source>
# customize domain name
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ops535,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ops535,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}1Di4Suea6ojE2bFxJhLDScjQyQ97GSef
</source>
Make note of the field that this file will modify.<br />
As before, use the authentication type '''EXTERNAL''', and '''ldapi:///''' as the host.<br />
When you run the command you should get output similar to the following:
<source>
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"
</source>
</li>
<li>Examine the contents of your '''/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif''' file again. Your ldif file should have changed three fields. Try to identify them.</li>
<li>Create an LDIF file for the base context ops535.com entry to be added to the OpenLDAP
directory. Name the file as base.ldif.
<source>
dn: dc=ops535,dc=com
dc: ops535
description: root LDAP entry for ops535
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
</source></li>
<li>Create an LDIF file for the People container to be added to the OpenLDAP directory. Name the
file as people.ldif
<source>dn: ou=People, dc=ops535, dc=com
ou: People
description: All people in ops535
objectClass: organizationalUnit
</source>
</li>
<li>Apply those two ldif files to your database.<br />
This time you will need to use simple authentication, identify yourself with a distinguished name (use the ldap administrator whose password you just set), and get prompted for a password.</li>
<li>Create two new users ('''ldapuser1''' and '''ldapuser2''') on your machine, and set their passwords.<br />
Importing those users into your ldap database will take several steps:
<ul>
<li>Extract the passwd entries of ldapuser1 and ldapuser2 from /etc/passwd to a file called
"ldapusers.entry"
<source>
grep -w ldapuser1 /etc/passwd > /root/ldapusers.entry
grep -w ldapuser2 /etc/passwd >> /root/ldapusers.entry
</source></li>
<li>
Make a backup of the /usr/share/migrationstools/migrate_common.ph to the /root directory
and modify the following parameters in the original file to the values shown below:
<source>$DEFAULT_MAIL_DOMAIN = "ops535.com";
$DEFAULT_BASE = "dc=ops535,dc=com";
$EXTENDED_SCHEMA = 1;</source>
Note that you would '''not''' need to repeat this step when adding other users.
</li>
<li>Use the migrate_passwd.pl file to convert the user information you extracted earlier into an ldif file:
<source>/usr/share/migrationtools/migrate_passwd.pl ldapusers.entry /root/ldapusers.ldif</source>
This should generate an ldif file similar to the following:
<source>
dn: uid=ldapuser1,ou=People,dc=ops535,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@ops535.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}
$6$PBqQXRo/ugCCjBe0.ZgvmJl8U2tVjpdR8X9bh4OZ1cl3mv4xf0Hv1HSDavkxusO8R3lI
uuJ7skrfqpTQpbZ6hbd3e3BGB.
shadowLastChange: 17120
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/ldapuser1

dn: uid=ldapuser2,ou=People,dc=ops535,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail: ldapuser2@ops535.com
objectClass: person
objectClass: organizationalPersonobjectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}
$6$VNkVk1TQ$Rgz4GnQlqPBcHhIinUqxFGnqHZmnHHrFyCQ1ZsekoRjHnaKvb84YtjfFRPL
/xcbryrQRL5eNZeP01A3AdC2lv1
shadowLastChange: 17120
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5002
gidNumber: 5002
homeDirectory: /home/ldapuser2
</source></li>
</ul>
</li>
<li>Use ldapadd to enter this new information into the database. As before use simple authentication, the distinguished name of the ldap administrator, and get prompted for a password.<li>
<li>Use ldapsearch to confirm that the new users have been added to the database.<br />
You should get output similar to the following:
<source>
# extended LDIF
#
# LDAPv3
# base <dc=ops535,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# ops535.com
dn: dc=ops535,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ops535 com
dc: ops535

# Manager, ops535.com
dn: cn=Manager,dc=ops535,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# People, ops535.com
dn: ou=People,dc=ops535,dc=com
objectClass: organizationalUnit
ou: People

# ldapuser1, People, ops535.com
dn: uid=ldapuser1,ou=People,dc=ops535,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@ops535.com
objectClass: personobjectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFBCcVFYUm8vJHVnQ0NqQmUwLlpndm1KbDhVMnRWanBkUjhYOWJ
oNE9aMWNsM212NHhmMEh2MUhTRGF2a3h1c084UjNsSXV1Sjdza3JmcXBUUXBiWjZoYmQzZTNCR0Iu
shadowLastChange: 17120
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/ldapuser1

# ldapuser2, People, ops535.com
dn: uid=ldapuser2,ou=People,dc=ops535,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail: ldapuser2@ops535.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFZOa1ZrMVRRJFJnejRHblFscVBCY0hoSWluVXF4RkducUhabW5
ISHJGeUNRMVpzZWtvUmpIbmFLdmI4NFl0amZGUlBML3hjYnJ5clFSTDVlTlplUDAxQTNBZEMybHYx
shadowLastChange: 17120
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5002
gidNumber: 5002
homeDirectory: /home/ldapuser2

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 5
</source></li>
<li>MOdify your firewall to allow incoming ldap traffic from your internal zone. Makew sure that this change persists past reboot.</li>
</ol>

==Investigation 2: Setup and Configure OpenLdap Client==
Perform the following steps on vm2:
<ol>
<li>Install the following packages
*openldap
*openldap-clients
*nss_ldap
*nss-pam-ldapd
If you would like to actually log into the client machines as an ldap user, you need to reconfigure the way the system authentication processes your login. Use the “authconfig” tool on the client machine.
Note: the ldap user does not have home directory on the client unless you provide it via NFS.</li>
<li>Prior to making any changes to how your machines handle login information, use the authconfig
--savebackup command to save your current configuration into /root/ldap/backup.</li>
<li>Use the authconfig command to configure your vm to use vm1 as the ldap server.
Note that you will to enable ldap authentication, identify the ldap server, and the base distinguished name in a single command.</li>
<li>Check the name service switch configuration file /etc/nsswitch.conf to confirm that LDAP is
enabled.</li>
<li>Test your OpenLDAP client with the ldapsearch command.
<source>ldapsearch -x 'uid=ldapuser1'</source>
You should get something similar to the following (but may not be exactly the same):
<source>
# extended LDIF
#
# LDAPv3
# base <dc=ops535,dc=com> (default) with scope subtree
# filter: uid=ldapuser1
# requesting: ALL
#

# ldapuser1, People, ops535.com
dn: uid=ldapuser1,ou=People,dc=ops535,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@ops535.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFBCcVFYUm8vJHVnQ0NqQmUwLlpndm1KbDhVMnRWanBkUjhYOWJ
oNE9aMWNsM212NHhmMEh2MUhTRGF2a3h1c084UjNsSXV1Sjdza3JmcXBUUXBiWjZoYmQzZTNCR0Iu
shadowLastChange: 17120
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5001
gidNumber: 5001
homeDirectory: /home/ldapuser1
# search resultsearch: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
</source>
<li>Logout of the client machine, then log back in using the ldapuser1 account.</li>
<li>Repeat steps 1 through 6 on vm3.</li>
</ol>

==Investigation 3: Update LDAP Configuration==
<ol><li>Add the following user accounts to your LDAP server:
user name: your seneca id – password: pick your own
rchan – password: ops535
seneca – password: ops535</li>
<li>Run the ldapsearch command for each user, and confirm that their information is correct</li>
<li>Consult the man page on ldappasswd to find out how to change an LDAP user's password.
Change seneca's password to seneca.</li>
<li>Consult the man page on ldapdelete to find out how to remove an LDAP user. Delete ldapuser2.</li>
</ol>


==Completing the Lab==
You should now have a server providing centralized management of your user information. A service like this will make it much easier to manage and maintain users in your network. When combined with a service like NFS, this centralizes user management and make it much easier to scale your network up.

Follow the instructions on blackboard to submit the lab.

==Exploration Questions==
# What changes would you make in NFS to provide remote access to home directories?
932
edits