Lightweight Directory Access Protocol

Presentation transcript:

1 Lightweight Directory Access Protocol

Objectives
– This chapter will first show you how to install and use LDAP

Contents
– The LDAP Database Structure
– Scenario
– Configuring The LDAP Server
– Configuring The LDAP Client
– Common LDAP administrative tasks

Practical
– Start ldap server & client
– Login and out
– Common tasks

2 The LDAP Database Structure

Scenario
The I.T. department in a small organization "example.com" has many Linux servers they need to administer. They will use the LDAP domain "my-site.com" for their LDAP database, in which one domain component (DC) will be "my-site" and the other will be "com":

    dc=my-site, dc=com

The database will only have one organizational unit, simply called "People", which is the LDAP default:

    ou=People

Each person will have attributes such as a username (User ID or UID), password, Linux "home" directory and login shell.
The Linux server named "bigboy" will act as the LDAP server containing the database.

3 The server & client RPMs

Installed on the server "bigboy"
– openldap
– openldap-clients
– openldap-devel
– nss_ldap
– openldap-servers
Server "bigboy" has a special user account named "ldapuser" that will be used to test the LDAP logins.

Installed on the client "smallfry"
– openldap
– openldap-clients
– openldap-devel
– nss_ldap

4 Configuring The LDAP Server

Create a database directory
– Red Hat defaults to putting all databases in the /var/lib/ldap directory.
– We'll create a dedicated "my-site.com" directory owned by the user "ldap".

    # mkdir /var/lib/ldap/my-site.com
    # chown ldap:ldap /var/lib/ldap/my-site.com

Create an LDAP "root" password
– Only the LDAP "root" user can create an LDAP database and import data into or export data from it.

    # slappasswd
    New password:
    Re-enter new password:
    {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ

5 Edit the /etc/openldap/slapd.conf file

This is the main LDAP server configuration file.
– We'll now update it with the following information:
  dc – domain component
  cn – common name
  rootpw is pasted from the slappasswd run

    database ldbm
    suffix "dc=my-site,dc=com"
    rootdn "cn=Manager,dc=my-site,dc=com"
    rootpw {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
    directory /var/lib/ldap/my-site.com

Start the LDAP daemon

    # service ldap start

6 Convert the passwd file to LDIF format

Create the "ldapuser" test account
– We'll now create the "ldapuser" account we'll use for testing.

    # useradd -g users ldapuser
    # passwd ldapuser
    Changing password for user ldapuser.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.

Extract the desired records from /etc/passwd
– We'll need to extract the "ldapuser" information from the /etc/passwd file using grep.
– If this is your first time creating the LDAP database, you will also want to extract the information for the Linux "root" user.
  (The patterns are anchored to the start of the line so that only the wanted record matches, not e.g. "operator" when looking for "root".)

    # grep '^ldapuser:' /etc/passwd >> /etc/openldap/passwd.ldapusers
    # grep '^root:' /etc/passwd > /etc/openldap/passwd.root

7 Convert the passwd file to LDIF format

Find the conversion script migrate_passwd.pl with locate

    # locate migrate
    ...
    /usr/share/openldap/migration/migrate_passwd.pl
    ...

Convert the ".ldapusers" and ".root" files to LDIF
– We now convert the /etc/passwd data into LDAP Data Interchange Format (LDIF) files.
– users:

    # /usr/share/openldap/migration/migrate_passwd.pl \
        /etc/openldap/passwd.ldapusers /etc/openldap/ldapusers.ldif

– root:

    # /usr/share/openldap/migration/migrate_passwd.pl \
        /etc/openldap/passwd.root /etc/openldap/root.ldif

8 Modify the LDIF files

Use vi to replace padl with my-site in both LDIF files
– /etc/openldap/ldapusers.ldif
– /etc/openldap/root.ldif
– This is also an example of using search and replace within vi (the % range applies the substitution to every line of the file).

    # vi /etc/openldap/ldapusers.ldif
    :%s/padl/my-site/g
    :wq!
    # vi /etc/openldap/root.ldif
    :%s/padl/my-site/g
    :wq!

In /etc/openldap/root.ldif we need to make root the Manager:

    dn: uid=root,ou=People,dc=ing-steen,dc=se
    uid: root
    cn: Manager

9 Create LDIF "my-site.com" domain

Create /etc/openldap/my-site.com.ldif
– which should look like this:

    dn: dc=my-site,dc=com
    dc: my-site
    description: Root LDAP entry for my-site.com
    objectClass: dcObject
    objectClass: organizationalUnit
    ou: rootobject

    dn: ou=People,dc=my-site,dc=com
    ou: People
    description: All people in organisation
    objectClass: organizationalUnit

10 Import the LDIF files into the database

Import the LDIF files into our database
– Domain declaration in: my-site.com.ldif
– Root declaration in: root.ldif
– All our coming LDAP users in: ldapusers.ldif

First we add my-site.com.ldif:

    # ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
        -W -f my-site.com.ldif

Next we add root.ldif:

    # ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
        -W -f root.ldif

Last we add ldapusers.ldif:

    # ldapadd -x -D "cn=Manager,dc=my-site,dc=com" \
        -W -f ldapusers.ldif

11 Test the LDAP database

First search test, all entries:

    # ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'

12 Configuring The LDAP Client

Edit the /etc/openldap/ldap.conf configuration file
– Ease up for clients by adding the LDAP server and domain suffix:

    HOST 192.168.0.1
    BASE dc=my-site,dc=com

Edit the /etc/nsswitch.conf configuration file

    passwd: files ldap
    shadow: files ldap

Instead of modifying nsswitch.conf manually you can run authconfig:
1. Run /usr/bin/authconfig
2. Select LDAP
3. Give the LDAP server's IP address, which in this case is 192.168.0.1
4. Give the base DN as dc=my-site,dc=com (no quotes).
5. Do not select TLS for now. (Running without TLS is usually not a good idea; encrypted transport is added on the stunnel and TLS slides later.)
6. Use MD5 and shadow passwords.
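A small check for the client side of this slide, added here and not part of the original presentation: it verifies that ldap.conf carries HOST and BASE and that nsswitch.conf consults "files" before "ldap" for passwd and shadow, which is what authconfig should have written. The file paths are parameters so it can be run against copies; the nss_line_ok, ldap_conf_value and check_ldap_client names are this example's own.

```sh
#!/bin/sh
# Added example, not from the slides: sanity-check an LDAP client configured
# as on slide 12. Paths are arguments, so copies of the files can be tested.

# nss_line_ok FILE DATABASE: true when DATABASE (passwd or shadow) lists
# "files" first and "ldap" somewhere after it, e.g. "passwd: files ldap".
nss_line_ok() {
    awk -v db="$2" '
        $1 == db ":" {
            found = 1
            if ($2 == "files")
                for (i = 3; i <= NF; i++) if ($i == "ldap") ok = 1
        }
        END { exit (found && ok) ? 0 : 1 }' "$1"
}

# ldap_conf_value FILE KEY: print the value of KEY (HOST, BASE, ...) from
# ldap.conf; keys are matched case-insensitively, the first match wins.
ldap_conf_value() {
    awk -v key="$2" 'toupper($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_ldap_client LDAP_CONF NSSWITCH_CONF: report every problem found on
# stderr; returns 0 only when the client matches the slide's configuration.
check_ldap_client() {
    _bad=0
    [ -n "$(ldap_conf_value "$1" HOST)" ] || { echo "$1: no HOST line" >&2; _bad=1; }
    [ -n "$(ldap_conf_value "$1" BASE)" ] || { echo "$1: no BASE line" >&2; _bad=1; }
    for _db in passwd shadow; do
        nss_line_ok "$2" "$_db" ||
            { echo "$2: '$_db' does not read 'files' then 'ldap'" >&2; _bad=1; }
    done
    return "$_bad"
}

# Usage on a client: check_ldap_client /etc/openldap/ldap.conf /etc/nsswitch.conf
```

Keeping "files" first matters for recovery: if the LDAP server or the tunnel to it is down, local accounts such as root must still resolve, which is why the check rejects "ldap files" as well as a line without ldap.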

13 Testing the LDAP Client

Restart SSH
– So it re-reads the nsswitch.conf file

    # service sshd restart

Test LDAP Logins
– Using ldapsearch

    # ldapsearch -x -b 'dc=my-site,dc=com' \
        '(objectclass=*)'

– Using SSH or the Linux console

    # ssh -l ldapuser 192.168.0.1

– Exit and login with ldapuser at the local console

14 Common LDAP administrative tasks

LDAP users changing their own passwords
– LDAP users can modify their LDAP passwords using the regular passwd command.

    $ passwd
    Changing password for user ldapuser.
    Enter login(LDAP) password:
    New password:
    Retype new password:
    LDAP password information changed for ldapuser
    passwd: all authentication tokens updated successfully.

Modifying LDAP users by user "root"
– Script usage sample: modify users as root on the LDAP server

    # passwd ldapuser
    Changing password for user ldapuser.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [root@bigboy tmp]# modifyldapuser ldapuser
    Enter LDAP Password:
    modifying entry "uid=ldapuser,ou=People,dc=example,dc=com"

15 Common LDAP administrative tasks

Adding new LDAP users with the addldapuser script
– Add the user to the database
1. Create the Linux user kalle on the LDAP server with the useradd command.
2. Run the addldapuser script with the username as the only argument. The script prompts you for your LDAP "root" password.
3. Create home directories for the user on all the LDAP client Linux boxes, otherwise they will have no home. Note that it is possible to let LDAP create temporary "home" directories for users when they log in, by using the "skel" catalog.

    # useradd kalle
    # addldapuser kalle
    Enter LDAP Password:
    adding new entry "uid=ldapuser,ou=People,dc=my-site,dc=com"

Deleting LDAP users

    ldapdelete -x -W -D "cn=Manager,dc=my-site,dc=com" \
        "uid=$1,ou=People,dc=my-site,dc=com"
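The slides use migrate_passwd.pl plus a vi substitution to turn /etc/passwd records into LDIF (slides 6 to 8), and then call addldapuser and an ldapdelete one-liner that are not shown (slides 14 and 15). The following is an added example, not code from the presentation, that does both in one shell script: the suffix is derived once from a domain name and reused for the entry DN, the rootdn and the delete DN, so nothing has to be patched afterwards. It assumes the suffix in LDAP_DOMAIN (default my-site.com), users under ou=People, a cn=Manager rootdn, and ldapadd/ldapdelete from openldap-clients on PATH when the wrappers run; the function names base_dn, manager_dn, passwd_to_ldif, addldapuser and delldapuser are this example's own. The entry layout follows what migrate_passwd.pl emits.

```sh
#!/bin/sh
# Added example, not from the slides: passwd -> LDIF conversion plus the
# addldapuser/delldapuser helpers, all built from one suffix definition.

LDAP_DOMAIN="${LDAP_DOMAIN:-my-site.com}"       # assumption: suffix domain
LDAP_MANAGER_CN="${LDAP_MANAGER_CN:-Manager}"   # assumption: rootdn cn

# base_dn DOMAIN: DNS name to dc= form, "my-site.com" -> "dc=my-site,dc=com"
base_dn() {
    printf '%s\n' "$1" | awk -F'[.]' '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        printf "\n"
    }'
}

# manager_dn: the rootdn from slapd.conf, built from the same suffix
manager_dn() {
    printf 'cn=%s,%s\n' "$LDAP_MANAGER_CN" "$(base_dn "$LDAP_DOMAIN")"
}

# passwd_to_ldif PASSWD_LINE [CRYPTED_PW]: one /etc/passwd record -> one
# posixAccount entry. If a crypt(3) hash from /etc/shadow is supplied it is
# stored as a {crypt} userPassword and the entry also gets shadowAccount.
passwd_to_ldif() {
    _line="$1"; _hash="${2:-}"
    case "$_line" in
        *:*:*:*:*:*:*) ;;   # seven colon-separated fields expected
        *) echo "passwd_to_ldif: malformed passwd record: $_line" >&2; return 1 ;;
    esac
    printf '%s\n' "$_line" |
    awk -F: -v base="$(base_dn "$LDAP_DOMAIN")" -v hash="$_hash" '{
        uid = $1
        gecos = ($5 == "") ? $1 : $5
        printf "dn: uid=%s,ou=People,%s\n", uid, base
        printf "uid: %s\n", uid
        printf "cn: %s\n", gecos
        print "objectClass: account"
        print "objectClass: posixAccount"
        print "objectClass: top"
        if (hash != "") {
            print "objectClass: shadowAccount"
            printf "userPassword: {crypt}%s\n", hash
        }
        printf "loginShell: %s\n", $7
        printf "uidNumber: %s\n", $3
        printf "gidNumber: %s\n", $4
        printf "homeDirectory: %s\n", $6
        printf "gecos: %s\n", gecos
        print ""
    }'
}

# addldapuser USERNAME: take the local account created with useradd, build
# its LDIF and hand it to ldapadd, which prompts for the Manager password.
addldapuser() {
    _rec=$(grep "^$1:" /etc/passwd) || { echo "addldapuser: no local user $1" >&2; return 1; }
    _hash=$(awk -F: -v u="$1" '$1 == u { print $2 }' /etc/shadow 2>/dev/null)
    passwd_to_ldif "$_rec" "$_hash" | ldapadd -x -W -D "$(manager_dn)"
}

# delldapuser USERNAME: the ldapdelete one-liner from slide 15, with the DN
# derived from the same suffix so add and delete cannot drift apart.
delldapuser() {
    ldapdelete -x -W -D "$(manager_dn)" \
        "uid=$1,ou=People,$(base_dn "$LDAP_DOMAIN")"
}

# Command-line use: ./ldapusers.sh add kalle | del kalle | ldif 'passwd line' [hash]
case "${1:-}" in
    add)  addldapuser "$2" ;;
    del)  delldapuser "$2" ;;
    ldif) passwd_to_ldif "$2" "${3:-}" ;;
esac
```

Running it as a script with ldif and a passwd line prints the entry without touching the directory, which is a convenient way to review what will be added before handing it to ldapadd.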

16 Configuring Encrypted LDAP Communication

Configuring the stunnel LDAP client
– Edit the ldap.conf file

    HOST localhost
    BASE dc=my-site,dc=com

– Create an stunnel user

    # useradd stunnel

– Edit the /etc/stunnel/stunnel.conf configuration file

    # Configure stunnel to run as user "stunnel", chrooted to /home/stunnel
    # (the pid path is relative to the chroot directory)
    chroot = /home/stunnel
    pid = /stunnel.pid
    setuid = stunnel
    setgid = stunnel

    # Configure logging
    debug = 7
    output = /var/log/messages

    # Use it in client mode
    client = yes

    # Service-level configuration: accept plain LDAP on the local port 389
    # and forward it over TLS to the server's port 636
    [ldap]
    accept = 389
    connect = 192.168.0.1:636

17 Configuring Encrypted LDAP Communication

Start stunnel
– Check the log files

    # stunnel
    # tail -100 /var/log/messages

Start stunnel at next boot
– Add this snippet at the end of /etc/rc.d/rc.local

    # Run stunnel for LDAP (Red Hat file location)
    /usr/sbin/stunnel

18 Configuring Encrypted LDAP Communication

Configuring the stunnel LDAP server
– Create an stunnel user

    # useradd stunnel

– Edit the /etc/stunnel/stunnel.conf configuration file

    # Configure stunnel to run as user "stunnel", chrooted to /home/stunnel
    # (the pid path is relative to the chroot directory)
    chroot = /home/stunnel/
    pid = /stunnel.pid
    setuid = stunnel
    setgid = stunnel

    # Some debugging stuff
    debug = 7
    output = /var/log/messages

    # Use it in server mode
    client = no
    cert = /usr/share/ssl/certs/stunnel.pem
    key = /usr/share/ssl/certs/stunnel.pem

    # Service-level configuration: accept TLS on port 636 and hand the
    # decrypted connection to the local slapd on port 389
    [ldap]
    accept = 636
    connect = 389

19 Configuring Encrypted LDAP Communication

Create the certificates
– Go to the /usr/share/ssl/certs directory

    # cd /usr/share/ssl/certs
    [root@bigboy certs]# make stunnel.pem
    ...
    Common Name (eg, your name or your server's hostname) []: 192.168.0.1
    ...

– Modify certificate file permissions
  The certificate needs to be readable only by "root" and the "stunnel" user.

    # chmod 640 stunnel.pem
    # chgrp stunnel stunnel.pem
    # ll /usr/share/ssl/certs
    -rw-r----- 1 root stunnel 2004 Jul 31 21:50 stunnel.pem

Start stunnel

    # stunnel
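The permission step above is easy to get wrong on a later rotation of stunnel.pem, and the same requirement returns on slide 22 for the slapd key files (chmod 600). As an added example that is not part of the presentation, this POSIX shell check parses "ls -ld" output and fails if a key file is readable or writable by "other", writable by its group, or owned by the wrong group; the names check_key_perms and check_all_keys are this example's own, and GROUP is whatever group the file must belong to (stunnel in the slides).

```sh
#!/bin/sh
# Added example, not from the slides: verify the permissions on TLS key and
# certificate files the way slide 19 (mode 640, group stunnel) and slide 22
# (mode 600) require. Uses "ls -ld", so it needs no GNU-specific tools.

# check_key_perms FILE GROUP
#   returns 0 when FILE is a regular file with no permission bits for
#   "other", no group-write bit, and group owner GROUP; otherwise prints
#   the reason on stderr and returns 1. (File names must not contain spaces,
#   because the ls output is word-split.)
check_key_perms() {
    _file="$1"; _want_group="$2"
    [ -f "$_file" ] || { echo "$_file: not a regular file" >&2; return 1; }
    # ls -ld output: "-rw-r----- 1 root stunnel 2004 Jul 31 21:50 stunnel.pem"
    set -- $(ls -ld "$_file")
    _mode="$1"; _group="$4"
    case "$_mode" in
        -??????---*) ;;   # characters 8-10 ("other") are all off
        *) echo "$_file: accessible by other ($_mode)" >&2; return 1 ;;
    esac
    case "$_mode" in
        -????-????*) ;;   # character 6 (group write) is off
        *) echo "$_file: group-writable ($_mode)" >&2; return 1 ;;
    esac
    [ "$_group" = "$_want_group" ] ||
        { echo "$_file: group is $_group, expected $_want_group" >&2; return 1; }
    return 0
}

# check_all_keys GROUP FILE...: check every file, print the number that
# failed (so "0" means all key files are locked down).
check_all_keys() {
    _grp="$1"; shift
    _bad=0
    for _f in "$@"; do
        check_key_perms "$_f" "$_grp" || _bad=$((_bad + 1))
    done
    echo "$_bad"
}

# Usage on the server: check_all_keys stunnel /usr/share/ssl/certs/stunnel.pem
```

The check accepts 600 and 400 as well as 640, since those are stricter than what the slide asks for; it is the "other" bits and group write that must never be set on a private key.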

20 Configuring Encrypted LDAP Communication

Create a home directory for the user "ldapuser" at the client
– Check that ldapuser is not in the /etc/passwd file (the grep should print nothing).
– Create the home directory for ldapuser on the client!

    # grep ldapuser /etc/passwd
    # mkdir /home/ldapuser
    # chmod 700 /home/ldapuser/
    # chown ldapuser:users /home/ldapuser/
    # ll /home
    total 2
    drwx------ 2 ldapuser users 1024 Aug 4 08:05 ldapuser
    #
    # cp /etc/skel/.* /home/ldapuser/
    cp: omitting directory `/etc/skel/.'
    cp: omitting directory `/etc/skel/..'
    cp: omitting directory `/etc/skel/.kde'
    # chown ldapuser /home/ldapuser/.*

21 Test LDAP Logins on secure server

Using ldapsearch on the LDAP client

    # ldapsearch -x -b 'dc=my-site,dc=com' '(objectclass=*)'

Using SSH or the Linux console on the LDAP client
– Try to log in as user ldapuser to the LDAP client Linux system.

Use the tcpdump command to verify port 636

    # tcpdump -n tcp port ldaps
    tcpdump: listening on eth0
    09:20:02.281257 192.168.0.1.1345 > 192.168.9.2.ldaps: S 1665037104:1665037104(0) win 5840 (DF)
    09:20:02.281356 172.16.1.200.ldaps > 172.16.1.2.1345: S 1911175072:1911175072(0) ack 1665037105 win 5792 (DF)
    ...
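Watching for traffic on port 636 shows that the tunnel is used, but the stronger check is the inverse one: no LDAP traffic should leave the client on the plain port 389. With the stunnel setup above, the only cleartext LDAP is on localhost (the client's ldap.conf says HOST localhost), so any line in a capture whose destination is port ldap/389 on a remote host means a client bypassed the tunnel. The following is an added example, not part of the presentation, that filters tcpdump output for such lines; the sample capture is constructed for the example, and cleartext_ldap_lines and count_cleartext_ldap are its own names.

```sh
#!/bin/sh
# Added example, not from the slides: audit tcpdump output for LDAP that left
# the box in cleartext. Assumes tcpdump's usual "SRC.PORT > DST.PORT:" lines
# (with or without the leading "IP" word that newer versions print).

# Constructed sample capture (not real traffic): a clean ldaps connection
# and its reply, a loopback ldap connection (fine, that is the stunnel
# entry point), and one remote cleartext ldap connection (not fine).
SAMPLE_CAPTURE='09:20:02.281257 192.168.0.2.1345 > 192.168.0.1.ldaps: S 1665037104:1665037104(0) win 5840 (DF)
09:20:02.281356 192.168.0.1.ldaps > 192.168.0.2.1345: S 1911175072:1911175072(0) ack 1665037105 win 5792 (DF)
09:20:03.100000 127.0.0.1.1346 > 127.0.0.1.ldap: S 11111:11111(0) win 5840 (DF)
09:20:05.500000 192.168.0.2.1347 > 192.168.0.1.ldap: S 22222:22222(0) win 5840 (DF)'

# cleartext_ldap_lines: reads tcpdump lines on stdin and prints only those
# whose destination is port ldap/389 on a host other than loopback.
cleartext_ldap_lines() {
    awk '{
        dst = ""
        for (i = 1; i < NF; i++) if ($i == ">") { dst = $(i + 1); break }
        if (dst == "") next                     # not a "src > dst" line
        sub(/:$/, "", dst)                      # "192.168.0.1.ldap:" -> no colon
        n = split(dst, part, "[.]")
        port = part[n]                          # last dotted component is the port
        host = dst; sub(/\.[^.]*$/, "", host)   # everything before it is the host
        if ((port == "ldap" || port == "389") && host != "127.0.0.1" && host != "localhost")
            print
    }'
}

# count_cleartext_ldap: number of offending lines; 0 means every LDAP
# connection either went through the tunnel or stayed on loopback.
count_cleartext_ldap() {
    cleartext_ldap_lines | wc -l | tr -d ' '
}

# Usage: tcpdump -n -l tcp port ldap or tcp port ldaps | cleartext_ldap_lines
```

On the client the expected result is zero lines; on the server, connections arriving on port 389 from remote hosts would likewise show that someone is talking to slapd directly instead of through the stunnel listener on 636.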

22 Addons for TLS

Generate keys

    # openssl req -newkey rsa:1024 -x509 -days 365 -keyout \
        slapd_key.pem -out slapd_cert.pem

Remove passphrase from keys

    # openssl rsa -in slapd_key.pem -out slapd_key.pem
    # chown slapd-user.slapd-group sl*.pem
    # chmod 600 sl*.pem

In slapd.conf add entries

    TLSCertificateFile /usr/ssl/certs/slapd_cert.pem
    TLSCertificateKeyFile /usr/ssl/certs/slapd_key.pem
    TLSCipherSuite HIGH:MEDIUM:+SSLv2

