
Install And Configure OpenLDAP On CentOS 5


This tutorial describes an OpenLDAP installation on a computer running Red Hat, Fedora, CentOS or any other distribution that uses the yum package installer.

If your distribution uses another package manager, install the equivalent packages with that tool (on Debian-based distributions: slapd, ldap-utils and libnss-ldap, via aptitude or apt-get).

 

1) LDAP installation (as root)

[root@kike ~]# yum install openldap-servers openldap-clients nss_ldap

openldap-servers provides the slapd daemon, openldap-clients the ldapadd/ldapsearch/ldapmodify tools, and on CentOS 5 nss_ldap provides both the NSS module and the pam_ldap module that authconfig enables later.

2) Copy the example DB_CONFIG file into the database directory

[root@kike ~]# cd /etc/openldap/

[root@kike openldap]# cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG

DB_CONFIG holds the Berkeley DB tuning parameters for the bdb backend. slapd runs as the ldap user, so that user must be able to read the file and must own /var/lib/ldap; fix the ownership with chown if you copied it as root.

 

3) Create a password for LDAP

[root@kike openldap]# slappasswd

New password:

Re-enter new password:

{SSHA}V7IS3vYe8P0/IcOvJmfEdjY1LXuWPV3U

Copy the output of this command (the {SSHA} hash) into /etc/openldap/slapd.conf.

In a first pass we modify only three directives, suffix, rootdn and rootpw (the values shown below are the ones to adapt):

database bdb

suffix "dc=ldap-kike,dc=com,dc=uy"
rootdn "cn=Manager,dc=ldap-kike,dc=com,dc=uy"

# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg

rootpw {SSHA}V7IS3vYe8P0/IcOvJmfEdjY1LXuWPV3U

Notes: The database directive selects the backend; bdb is the default storage format of OpenLDAP on CentOS 5. Other backends exist, including an SQL backend for MySQL or PostgreSQL, but the OpenLDAP Project does not recommend them for a general-purpose directory (http://www.openldap.org/doc/admin24/backends.html).

suffix is the base DN of the tree this database serves; here it is derived from the domain ldap-kike.com.uy.

rootdn is the DN of the directory administrator (Manager here, but any name can be used). It bypasses all access controls, so use it only for administration, never as the bind DN of clients.

rootpw is the hashed password of that administrator. Since slapd.conf now holds this hash, keep the file unreadable to ordinary users: on CentOS 5 it is installed as root:ldap with mode 0640, and ls -l /etc/openldap/slapd.conf should still show that after editing.

 

4) We are ready to start the server:

[root@kike openldap]# service ldap start

Checking configuration files for slapd: config file testing succeeded [ OK ]

Starting slapd: [ OK ]

 

5) All data is loaded into the directory from files in LDIF format (LDAP Data Interchange Format):

http://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format

 

6) Create a file to initialize the LDAP database

In this case I call the file ldap-init.ldif. It contains two entries, the base of the tree and the administrator; in LDIF each entry starts with its dn line and entries are separated by a blank line:

[root@kike openldap]# cat ldap-init.ldif

dn: dc=ldap-kike,dc=com,dc=uy
objectclass: dcObject
objectclass: organization
o: Servidor LDAP ldap-kike
dc: ldap-kike

dn: cn=Manager,dc=ldap-kike,dc=com,dc=uy
objectclass: organizationalRole
cn: Manager

 

7) Initialize the database with the following command

[root@kike openldap]# /usr/bin/ldapadd -a -x -D 'cn=Manager,dc=ldap-kike,dc=com,dc=uy' -W -f ldap-init.ldif

Enter LDAP Password:

adding new entry "dc=ldap-kike,dc=com,dc=uy"

adding new entry "cn=Manager,dc=ldap-kike,dc=com,dc=uy"

Here -x selects a simple bind, -D the DN to bind as (the rootdn from slapd.conf) and -W prompts for its password, the one given to slappasswd in step 3. The -a flag is implied when the tool is invoked as ldapadd.

 

8) Display the contents of the database

[root@kike openldap]# ldapsearch -h 127.0.0.1 -x -b "dc=ldap-kike,dc=com,dc=uy"

Returns something like this:

# extended LDIF
#
# LDAPv3
# base

# ldap-kike.com.uy
dn: dc=ldap-kike,dc=com,dc=uy
objectClass: dcObject
objectClass: organization
o: Servidor LDAP ldap-kike
dc: ldap-kike

# Manager, ldap-kike.com.uy
dn: cn=Manager,dc=ldap-kike,dc=com,dc=uy
objectClass: organizationalRole
cn: Manager

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

 

9) The command authconfig-tui

This curses tool configures the client side: /etc/nsswitch.conf, /etc/ldap.conf and the PAM stack. Run it as root, enable "Use LDAP" (name resolution through NSS) and "Use LDAP Authentication" (PAM), then fill in the server (the address of this machine, or 127.0.0.1 when client and server are the same host) and the base DN dc=ldap-kike,dc=com,dc=uy. Default options are marked with *. The same settings can be applied non-interactively with authconfig --enableldap --enableldapauth --ldapserver=... --ldapbasedn=... --update.

Note that everything in this tutorial uses plain ldap:// on port 389, so binds, including the passwords users type at login, travel in cleartext on the network; "Use TLS" is the option to enable once the server has a certificate.

 

10) Create a user in the LDAP directory.

Again we use an LDIF file.

[root@kike openldap]# cat user.ldif

dn: uid=usuario1,dc=ldap-kike,dc=com,dc=uy
uid: usuario1
cn: usuario1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$TEDFGNB3$m24Mo06Q06EXMop7INKrC/
shadowLastChange: 14335
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/usuario1
gecos: usuario1

In this case the userPassword hash is generated in this way:

[root@kike openldap]# openssl passwd -1 -salt TEDFGNB345RTErea

Password:

$1$TEDFGNB3$m24Mo06Q06EXMop7INKrC/

The -1 option selects MD5-crypt, and the salt should be random characters; only its first eight characters are used, which is why the hash carries TEDFGNB3 rather than the full string given. The {crypt} prefix in the LDIF tells slapd to compare the value with crypt(3). slappasswd from step 3 works equally well here and produces a salted SHA-1 ({SSHA}) hash, which is the better choice today.

 

11) Load it into the LDAP directory with ldapadd

[root@kike openldap]# ldapadd -a -x -D 'cn=Manager,dc=ldap-kike,dc=com,dc=uy' -W -f user.ldif

Verify that the user is now resolved through NSS with the id command:

[root@kike openldap]# id usuario1

uid=10000(usuario1) gid=10000 groups=10000

The group ID has no name yet because group 10000 does not exist in the directory; that is the next step.

12) To add a group we also use an LDIF file (group.ldif here)

[root@kike openldap]# cat group.ldif

dn: cn=users,dc=ldap-kike,dc=com,dc=uy
objectClass: posixGroup
gidNumber: 10000
cn: users
memberUid: usuario1
description: Grupo Users

 

13) Load it with ldapadd in the same way:

[root@kike openldap]# ldapadd -a -x -D 'cn=Manager,dc=ldap-kike,dc=com,dc=uy' -W -f group.ldif

To test that it was added successfully:

[root@kike openldap]# id usuario1

uid=10000(usuario1) gid=10000(users) groups=10000(users)

We see that the user is in the group "users".

 

14) Now create the user's home directory and copy the files from /etc/skel.

[root@kike openldap]# mkdir /home/usuario1

[root@kike openldap]# rsync -a /etc/skel/ /home/usuario1

[root@kike openldap]# chown -R usuario1:users /home/usuario1

[root@kike openldap]# chmod 700 /home/usuario1

[root@kike openldap]# ls -la /home/usuario1

total 20
drwx------ 2 usuario1 users 4096 Jan 15 15:37 .
drwxr-xr-x 4 root     root  4096 Jan 15 15:37 ..
-rw-r--r-- 1 usuario1 users   33 Dec 29  2010 .bash_logout
-rw-r--r-- 1 usuario1 users  176 Dec 29  2010 .bash_profile
-rw-r--r-- 1 usuario1 users  124 Dec 29  2010 .bashrc

chown by name works only because step 9 made NSS resolve usuario1 and users from the directory; mode 700 keeps other users out of the home directory.

 

15) Log in as the user

Once everything is in place we check that it works end to end. In the example the OpenLDAP server runs on the machine with IP address 192.168.150.24, and we connect to it from another machine with ssh (double-check that sshd is running on the server where you installed OpenLDAP).

$ ssh -l usuario1 192.168.150.24

usuario1@192.168.150.24's password:

Last login: Sat Jan 15 21:24:50 2010 from 192.168.150.207

[usuario1@kike ~]$ id

uid=10000(usuario1) gid=10000(users) groups=10000(users)

[usuario1@kike ~]$ pwd

/home/usuario1

The user is logged on to the server, authenticated by the OpenLDAP server: sshd handed the password to PAM, pam_ldap bound to slapd as uid=usuario1,dc=ldap-kike,dc=com,dc=uy with it, and the bind succeeded.

 

16) If you need to add another user, CAREFULLY edit the file user.ldif used previously: the dn, uid, cn, uidNumber, homeDirectory, gecos and the password hash all have to change. In particular, never reuse a uidNumber; two entries with the same uidNumber are the same identity on every client, whatever their names.

[root@kike openldap]# cat user.ldif

dn: uid=usuario2,dc=ldap-kike,dc=com,dc=uy
uid: usuario2
cn: usuario2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$TEDFGNB3$ogOvJKTt/CviC47q/dBon1
shadowLastChange: 14335
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/usuario2
gecos: usuario2

Add it to the LDAP database:

[root@kike openldap]# ldapadd -x -D 'cn=Manager,dc=ldap-kike,dc=com,dc=uy' -W -f user.ldif

Enter LDAP Password:

adding new entry "uid=usuario2,dc=ldap-kike,dc=com,dc=uy"

Then we create the home and will copy the files from skel, change permissions as we did with the other user.

 

17) To add the user to the group users:

# cat group.ldif

dn: cn=users,dc=ldap-kike,dc=com,dc=uy
objectClass: posixGroup
gidNumber: 10000
cn: users
memberUid: usuario1
memberUid: usuario2
description: Grupo Users

 

18) Update the LDAP database with the ldapmodify command

[root@kike openldap]# ldapmodify -x -D 'cn=Manager,dc=ldap-kike,dc=com,dc=uy' -W -f group.ldif

Enter LDAP Password:

modifying entry "cn=users,dc=ldap-kike,dc=com,dc=uy"

This works because group.ldif carries no changetype line: ldapmodify then treats every attribute in the record as a replace of that attribute on the existing entry. The consequence is that the file must always list the complete membership; a group.ldif containing only memberUid: usuario2 would silently remove usuario1 from the group. The safer form for an incremental change is a record with changetype: modify and an add: memberUid block, which appends one member and leaves the rest untouched.

OK, check the data with ldapsearch:

[root@kike openldap]# ldapsearch -h 127.0.0.1 -x -b "dc=ldap-kike,dc=com,dc=uy"

……

……

We verify that everything is working properly:

[root@kike openldap]# id usuario2

uid=10001(usuario2) gid=10000(users) groups=10000(users)
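The LDIF files of steps 10 to 13 and 16 to 18 are written by hand, and step 16 warns how easy that is to get wrong. The script below is an added example, not part of the original tutorial, that generates the same two kinds of LDIF from parameters: it rejects malformed account names and non-numeric or system-range uidNumbers, checks a requested uidNumber against a previous ldapsearch dump so two accounts never share an identity, and adds a group member with a changetype: modify record instead of resending the whole group. It assumes the tutorial's suffix dc=ldap-kike,dc=com,dc=uy and the group cn=users; the password hash is produced beforehand with slappasswd or openssl passwd -1 and passed in unchanged. The file names mkuser.sh and dump.ldif in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example for this tutorial (not part of the original page): generate the
# user and group LDIF of steps 10-13 and 16-18 from parameters instead of
# hand-editing user.ldif, and check a requested uidNumber against a dump of the
# directory first. Assumptions taken from the tutorial: the suffix
# dc=ldap-kike,dc=com,dc=uy and the group cn=users. The password hash is made
# beforehand with slappasswd or 'openssl passwd -1' and passed in unchanged.

BASE="dc=ldap-kike,dc=com,dc=uy"

# uidnumber_in_use NUMBER DUMPFILE
# DUMPFILE is the output of: ldapsearch -x -b "$BASE" uidNumber
# Succeeds (exit 0) when some entry already carries that uidNumber.
uidnumber_in_use() {
    grep -q "^uidNumber: $1\$" "$2"
}

# user_ldif NAME UIDNUMBER GIDNUMBER HASH
# Prints an add-LDIF for a posixAccount/shadowAccount shaped like user.ldif.
user_ldif() {
    name=$1; uidn=$2; gidn=$3; hash=$4
    # The name is spliced into a DN and a path: allow only a conservative alphabet.
    case $name in
        ''|*[!a-z0-9_-]*) echo "user_ldif: bad account name '$name'" >&2; return 1 ;;
    esac
    for n in "$uidn" "$gidn"; do
        case $n in
            ''|*[!0-9]*) echo "user_ldif: uidNumber/gidNumber must be numeric" >&2; return 1 ;;
        esac
    done
    # Stay out of the system range, as the tutorial does with 10000 and up.
    [ "$uidn" -ge 1000 ] || { echo "user_ldif: uidNumber $uidn is in the system range" >&2; return 1; }
    lastchg=$(( $(date +%s) / 86400 ))   # shadowLastChange is days since the epoch
    cat <<EOF
dn: uid=$name,$BASE
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $name
cn: $name
userPassword: $hash
shadowLastChange: $lastchg
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$name
gecos: $name
EOF
}

# group_add_member_ldif GROUP NAME
# Prints a modify-LDIF that appends one memberUid. Unlike resending the whole
# group.ldif (where ldapmodify replaces the attribute), this cannot drop
# members that are not listed.
group_add_member_ldif() {
    cat <<EOF
dn: cn=$1,$BASE
changetype: modify
add: memberUid
memberUid: $2
EOF
}

# Stand-alone use (the file names mkuser.sh and dump.ldif are hypothetical):
#   ldapsearch -x -b "dc=ldap-kike,dc=com,dc=uy" uidNumber > dump.ldif
#   sh mkuser.sh usuario3 10002 10000 "{crypt}$(openssl passwd -1)" dump.ldif \
#       | ldapadd -x -D "cn=Manager,dc=ldap-kike,dc=com,dc=uy" -W
#   sh mkuser.sh users usuario3 \
#       | ldapmodify -x -D "cn=Manager,dc=ldap-kike,dc=com,dc=uy" -W
case $# in
    5) uidnumber_in_use "$2" "$5" && { echo "uidNumber $2 is already in use" >&2; exit 1; }
       user_ldif "$1" "$2" "$3" "$4" ;;
    2) group_add_member_ldif "$1" "$2" ;;
esac
```

With five arguments the script refuses to print anything if the uidNumber already exists in the dump, so a stale copy of user.ldif can no longer create a second usuario with UID 10000; with two arguments it prints the incremental group change for ldapmodify.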

 

19) Basic LDAP Security

With ACLs we can add minimum access controls to the LDAP database, so that users cannot read the password hashes of other users (the same idea as /etc/shadow). Without them the CentOS 5 default lets anyone, including anonymous binds, read every attribute, so an attacker who can reach port 389 can download all hashes and crack them offline.

Add the following to /etc/openldap/slapd.conf, after the database bdb section so that it applies to this database. slapd evaluates access directives in order and the first access to clause whose target matches decides, so the userPassword rule must come before the catch-all access to *. Within it, the Manager and the entry's owner (self) may write the attribute, anonymous clients may only use it to authenticate (by anonymous auth is what lets pam_ldap bind), and nobody else can read it. Everything else stays world-readable, which nss_ldap needs for its anonymous lookups but also means anyone can enumerate accounts; tighten by * read to by users read only if /etc/ldap.conf is given a bind DN to use for lookups.

access to attrs=userPassword
by dn="cn=Manager,dc=ldap-kike,dc=com,dc=uy" write
by self write
by anonymous auth
by * none
access to dn.base="" by * read
access to *
by dn="cn=Manager,dc=ldap-kike,dc=com,dc=uy" write
by * read

Restart LDAP (the init script runs the configuration check again, so a typo in the ACL shows up here):

[root@kike openldap]# service ldap restart

Now an anonymous search:

ldapsearch -h 127.0.0.1 -x -b "dc=ldap-kike,dc=com,dc=uy"

returns the entries without any userPassword attribute. Only a user who binds with his own DN sees his own hash, and nobody else's:

ldapsearch -h 127.0.0.1 -x -b "dc=ldap-kike,dc=com,dc=uy" -D "uid=usuario2,dc=ldap-kike,dc=com,dc=uy" -W

# usuario1, ldap-kike.com.uy
dn: uid=usuario1,dc=ldap-kike,dc=com,dc=uy
uid: usuario1
cn: usuario1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 14335
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/usuario1
gecos: usuario1

# usuario2, ldap-kike.com.uy
dn: uid=usuario2,dc=ldap-kike,dc=com,dc=uy
uid: usuario2
cn: usuario2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJFRFREZHTkIzJG9nT3ZKS1R0L0N2aUM0N3EvZEJvbjE=
shadowLastChange: 14335
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/usuario2
gecos: usuario2

ldapsearch prints userPassword base64-encoded, which the double colon marks; decoded it is the {crypt}$1$TEDFGNB3$ogOvJKTt/CviC47q/dBon1 hash from user.ldif. usuario1's entry comes back without the attribute at all, because the by * none clause hides it rather than returning an error.

 

TASKS TO BE CARRIED OUT:

It would be worth adding an LDAP replica server so that users can still be served if slapd or the machine fails; with a single server, every login on every client depends on it.
