Difference between revisions of "NAD810 LDAP LAB"

From CDOT Wiki
Revision as of 04:01, 21 March 2009

LDAP server using OpenLDAP

The OpenLDAP software package is an Open Source and Free implementation of the Lightweight Directory Access Protocol (LDAP). It is gaining wide acceptance as the directory access method of the Internet and also with corporate intranets.

In this lab, you set up and configure an OpenLDAP server and configure LDAP clients to use the user account information stored on the LDAP server to perform user authentication. You can use the OpenLDAP client/server pair to replace your NIS client/server for network user authentication.

Notes: OpenLDAP uses TCP port 389 for regular communication and port 636 for encrypted transactions. You need to have these ports opened on your firewall.

Part 1 - OpenLDAP server setup and configuration

Required RPMS for the OpenLDAP server

  • openldap
  • openldap-clients (for testing the server)
  • openldap-devel (optional)
  • openldap-servers
  • nss_ldap
  • migrationtools (for Fedora 10)

Sample nsswitch configuration file for LDAP: /usr/share/doc/nss_ldap-220/nsswitch_ldap


OpenLDAP Server configuration Summary

  1. Create an OpenLDAP database
  2. Create an OpenLDAP “root” password and edit the OpenLDAP main configuration file /etc/openldap/slapd.conf
  3. Start the OpenLDAP server daemon
  4. Create an LDIF file for importing to the OpenLDAP database
  5. Import an LDIF file into the OpenLDAP database

OpenLDAP Server configuration details:

(1) Create an OpenLDAP database

 mkdir /var/lib/ldap/nad810.com
 chown ldap.ldap /var/lib/ldap/nad810.com
 chmod 700 /var/lib/ldap/nad810.com

(2) Create an OpenLDAP “root” password and edit the OpenLDAP server's main configuration file “/etc/openldap/slapd.conf”

Only the LDAP “rootdn” user can create, import, and export data in an LDAP database. You can use the slappasswd command to create a password hash and use it in the LDAP configuration file:


 slappasswd
 New password: [nad810]
 Re-enter new password: [nad810]
 {SSHA}3NVLOWwqIMka3OyIYLyGrrkirD0pU0Qx      <-- Copy this to the slapd.conf file

Add/Modify the slapd.conf to show the following (ldbm is supported only up to OpenLDAP 2.3; OpenLDAP 2.4 supports only bdb). Note that the quotes in the configuration file must be plain ASCII double quotes:

database bdb
suffix "dc=nad810,dc=com"
rootdn "cn=Manager,dc=nad810,dc=com"
rootpw {SSHA}3NVLOWwqIMka3OyIYLyGrrkirD0pU0Qx
directory /var/lib/ldap/nad810.com
password-hash {CRYPT}
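The following shell script is an added example for this page, not part of the lab or of the OpenLDAP distribution. It checks a slapd.conf for the mistakes that matter most before the daemon is started: a rootpw left in cleartext instead of the slappasswd hash, a rootdn that does not sit under the suffix, a database directory that is not mode 700 (step 1), and the absence of any "access to" rule for userPassword. The last check goes beyond what the lab lists: the fragment above has no access directives, and slapd's built-in default is "access to * by * read", which lets an anonymous "ldapsearch -x" read the {crypt} hashes imported in step 5. The helper name check_slapd_conf is an assumption of this example.

```shell
#!/bin/sh
# Added example for the NAD810 lab page (not the lab's own code).
# check_slapd_conf FILE: print one line per problem found; return 1 if any.

# getval KEY FILE: value of the first directive named KEY, quotes stripped.
getval() {
    awk -v k="$1" '$1==k {print $2; exit}' "$2" | tr -d "\"'"
}

check_slapd_conf() {
    conf="$1"
    rc=0
    suffix=$(getval suffix "$conf")
    rootdn=$(getval rootdn "$conf")
    rootpw=$(awk '$1=="rootpw" {print $2; exit}' "$conf")
    dbdir=$(getval directory "$conf")

    [ -n "$suffix" ] || { echo "suffix: missing"; rc=1; }
    [ -n "$rootdn" ] || { echo "rootdn: missing"; rc=1; }

    # rootpw must be slappasswd output ({SSHA}..., {CRYPT}..., ...), never cleartext.
    case "$rootpw" in
        "")     echo "rootpw: missing"; rc=1 ;;
        \{*\}*) ;;
        *)      echo "rootpw: stored in cleartext; paste the slappasswd hash"; rc=1 ;;
    esac

    # rootdn should live under the suffix, e.g. cn=Manager,dc=nad810,dc=com.
    case "$rootdn" in
        *",$suffix") ;;
        *) echo "rootdn: '$rootdn' is not under suffix '$suffix'"; rc=1 ;;
    esac

    # Database directory from step 1: must be private to the ldap user (mode 700).
    if [ -n "$dbdir" ] && [ -d "$dbdir" ]; then
        mode=$(stat -c %a "$dbdir" 2>/dev/null || stat -f %Lp "$dbdir" 2>/dev/null)
        [ "$mode" = "700" ] || { echo "directory: $dbdir is mode $mode, want 700"; rc=1; }
    fi

    # Without an access rule for userPassword, slapd's default "access to * by * read"
    # exposes every imported password hash to anonymous searches.
    grep -q '^access to .*userPassword' "$conf" || {
        echo 'no access rule for userPassword; add e.g.'
        echo '  access to attrs=userPassword by self write by anonymous auth by * none'
        rc=1
    }
    return $rc
}
```

Usage: source the file and run check_slapd_conf /etc/openldap/slapd.conf before "service ldap start"; a non-zero exit means at least one of the listed problems was found.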

(3) Start the OpenLDAP server daemon

service ldap start

To verify that the service is working, try the following query command:

 ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
 

You should get something similar to the following:


# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts 
#

#
dn:
namingContexts: dc=nad810,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


(4) Create an LDIF file for importing to the OpenLDAP database

a. add a user called “ldapuser”

  useradd -g users ldapuser
  passwd ldapuser

b. extract the passwd entry of ldapuser from /etc/passwd to a file called "entry.ldapuser"

  grep ldapuser /etc/passwd > /etc/openldap/entry.ldapuser

c. extract the passwd entry of root from /etc/passwd to a file called "entry.root"

  grep root /etc/passwd > /etc/openldap/entry.root

d. convert the entries for the "ldapuser" and "root" to LDIF format (ldif.ldapuser and ldif.root):

  (Note that "\" at the end of the line is used to tell the shell that
  the next line is a continuation of the current line)
  For ldapuser:
  /usr/share/openldap/migration/migrate_passwd.pl \
  /etc/openldap/entry.ldapuser /etc/openldap/ldif.ldapuser  
  
  For Fedora 10, replace /usr/share/openldap/migration/migrate_passwd.pl
                 with    /usr/share/migrationtools/migrate_passwd.pl
  
  For root:
  /usr/share/openldap/migration/migrate_passwd.pl \
  /etc/openldap/entry.root /etc/openldap/ldif.root
 
  For Fedora 10, replace /usr/share/openldap/migration/migrate_passwd.pl
                 with    /usr/share/migrationtools/migrate_passwd.pl

e. edit ldif.ldapuser (change dc=padl to dc=nad810)

  dn: uid=ldapuser,ou=People,dc=padl,dc=com
  uid: ldapuser
  cn: ldapuser
  objectClass: account
  objectClass: posixAccount
  objectClass: top
  objectClass: shadowAccount
  userPassword: {crypt}!!
  shadowLastChange: 12821
  shadowMax: 99999
  shadowWarning: 7
  loginShell: /bin/bash
  uidNumber: 501
  gidNumber: 100
  homeDirectory: /home/ldapuser

f. edit ldif.root (change dc=padl to dc=nad810)

  dn: uid=root,ou=People,dc=padl,dc=com
  uid: root
  cn: root
  objectClass: account
  objectClass: posixAccount
  objectClass: top
  objectClass: shadowAccount
  userPassword: {crypt}$1$3gRCMQww$8OCADPFZLjFr6DiFUi8Nn1
  shadowLastChange: 12759
  shadowMax: 99999
  shadowWarning: 7
  loginShell: /bin/bash
  uidNumber: 0
  gidNumber: 0
  homeDirectory: /root
  gecos: root
g. create an LDIF file (nad810.com.ldif) for the nad810.com domain

  dn: dc=nad810,dc=com
  dc: nad810
  description: root LDAP entry for nad810
  objectClass: dcObject
  objectClass: organizationalUnit
  ou: rootobject

  dn: ou=People, dc=nad810, dc=com
  ou: People
  description: All people in nad810
  objectClass: organizationalUnit

  (Make sure that you have a blank line before the 2nd "dn:" line)
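Steps b through g above extract passwd lines, run them through migrate_passwd.pl, and then hand-edit the base DN. The shell functions below are an added example written for this page (they are not migrate_passwd.pl and not the lab's own code): they produce the same entry layout shown in steps e, f and g directly under the nad810 base, so the dc=padl edit is never needed, and they look up the passwd line anchored on "^user:" so that "grep root /etc/passwd" cannot also pick up another account whose name merely contains "root". The helper names passwd_entry, passwd_to_ldif and base_ldif are assumptions of this example; the password hash defaults to "!!" (a locked account, as in the lab's ldif.ldapuser) unless the {crypt} hash from /etc/shadow is passed in.

```shell
#!/bin/sh
# Added example for the NAD810 lab page (not the lab's own code).

# passwd_entry USER [PASSWD_FILE]
# Anchored lookup: only the line whose first field is exactly USER.
passwd_entry() {
    grep "^$1:" "${2:-/etc/passwd}"
}

# passwd_to_ldif PASSWD_LINE BASE_DN [CRYPT_HASH]
# Emit one posixAccount/shadowAccount entry under ou=People,BASE_DN in the
# layout migrate_passwd.pl produces (steps e and f).
passwd_to_ldif() {
    base="$2"
    hash="${3:-!!}"
    set -f                          # no globbing while the line is split on ":"
    oldifs="$IFS"; IFS=:
    set -- $1
    IFS="$oldifs"; set +f
    [ $# -eq 7 ] || { echo "passwd_to_ldif: expected 7 colon-separated fields" >&2; return 1; }
    user=$1; uidnum=$3; gidnum=$4; gecos=$5; home=$6; shell=$7
    days=$(( $(date +%s) / 86400 )) # shadowLastChange counts days since the epoch
    printf 'dn: uid=%s,ou=People,%s\n' "$user" "$base"
    printf 'uid: %s\ncn: %s\n' "$user" "$user"
    printf 'objectClass: account\nobjectClass: posixAccount\n'
    printf 'objectClass: top\nobjectClass: shadowAccount\n'
    printf 'userPassword: {crypt}%s\n' "$hash"
    printf 'shadowLastChange: %s\nshadowMax: 99999\nshadowWarning: 7\n' "$days"
    printf 'loginShell: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n' \
        "$shell" "$uidnum" "$gidnum" "$home"
    [ -n "$gecos" ] && printf 'gecos: %s\n' "$gecos"
    return 0
}

# base_ldif BASE_DN DC LABEL
# Emit the suffix entry and the ou=People container (step g). The blank line
# between the two entries is required by ldapadd.
base_ldif() {
    printf 'dn: %s\ndc: %s\ndescription: root LDAP entry for %s\n' "$1" "$2" "$3"
    printf 'objectClass: dcObject\nobjectClass: organizationalUnit\nou: rootobject\n\n'
    printf 'dn: ou=People,%s\nou: People\ndescription: All people in %s\n' "$1" "$3"
    printf 'objectClass: organizationalUnit\n'
}
```

Usage, as root on the server: base_ldif dc=nad810,dc=com nad810 nad810 > /etc/openldap/nad810.com.ldif, then passwd_to_ldif "$(passwd_entry ldapuser)" dc=nad810,dc=com > /etc/openldap/ldif.ldapuser (adding the hash from /etc/shadow as the third argument if the password should migrate), and import with the ldapadd commands of step 5.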

(5) Import LDIF files into the OpenLDAP database

ldapadd -x -D "cn=Manager,dc=nad810,dc=com" -W -f /etc/openldap/nad810.com.ldif
ldapadd -x -D "cn=Manager,dc=nad810,dc=com" -W -f /etc/openldap/ldif.root
ldapadd -x -D "cn=Manager,dc=nad810,dc=com" -W -f /etc/openldap/ldif.ldapuser

To test the OpenLDAP database:

ldapsearch -x -b 'dc=nad810,dc=com'  '(objectclass=*)'

Part 2 - Setup and configure OpenLDAP Client

Required RPMS for LDAP client

  • openldap
  • openldap-clients
  • openldap-devel (optional)
  • nss_ldap

OpenLDAP Client configuration

Edit the client configuration file /etc/ldap.conf

Find the line that starts with the word "host" and set the IP address to the appropriate value: use 127.0.0.1 if the OpenLDAP server is running on your own machine; otherwise set it to the IP address of the OpenLDAP server.

Find the line that starts with the word "base" and set the context to your LDAP base. For the purpose of this lab, set it to base dc=ops535,dc=com

Edit the name service switch configuration file /etc/nsswitch.conf

Enable LDAP for user authentication.

Test your OpenLDAP client with the ldapsearch command

ldapsearch -x 'uid=ldapuser'
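The client steps above name the two files to edit but do not show the finished lines, and "ldapsearch -x" only proves that the host line is right, not that the name service switch will use LDAP for logins. The script below is an added example for this page (not the lab's own code) that checks both files: the "host" and "base" lines in /etc/ldap.conf, and that passwd, shadow and group in /etc/nsswitch.conf all list ldap, since a user who resolves for passwd but not for shadow or group still cannot log in. It assumes the base is the server suffix from Part 1, dc=nad810,dc=com; check_ldap_conf and check_nsswitch are hypothetical helper names.

```shell
#!/bin/sh
# Added example for the NAD810 lab page (not the lab's own code).

# check_ldap_conf FILE EXPECTED_BASE
# Confirms a "host" line is present and that "base" equals EXPECTED_BASE.
check_ldap_conf() {
    rc=0
    host=$(awk '$1=="host" {print $2; exit}' "$1")
    base=$(awk '$1=="base" {print $2; exit}' "$1")
    [ -n "$host" ] || { echo "ldap.conf: no host line"; rc=1; }
    [ "$base" = "$2" ] || { echo "ldap.conf: base is '$base', expected '$2'"; rc=1; }
    return $rc
}

# check_nsswitch FILE
# passwd, shadow and group must each list "ldap" (normally after "files"):
#   passwd:     files ldap
#   shadow:     files ldap
#   group:      files ldap
check_nsswitch() {
    rc=0
    for db in passwd shadow group; do
        # Drop the "passwd:" label and keep the list of sources.
        src=$(awk -v d="$db:" '$1==d { $1=""; print; exit }' "$1")
        case " $src " in
            *" ldap "*) ;;
            *) echo "nsswitch.conf: $db does not consult ldap (have:$src)"; rc=1 ;;
        esac
    done
    return $rc
}
```

Usage: check_ldap_conf /etc/ldap.conf dc=nad810,dc=com && check_nsswitch /etc/nsswitch.conf; after both pass, "getent passwd ldapuser" should return the LDAP entry and "ldapsearch -x 'uid=ldapuser'" should find it.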


To Complete the Lab

Document how to replace NIS with OpenLDAP and develop an interface to add new network users to the OpenLDAP server. Due Date: March 10, 2009