
OPS335-Lab-ldap

6,428 bytes added, 13:25, 23 November 2020
* Practice creating users in OpenLDAP.
* Set up linux machines to authenticate against an OpenLDAP server.
* Learn to update LDAP information with ldif files.
=== Online Resources ===
You won't be asked to set up an OpenLDAP server from scratch; we don't have time for that. So you can start with a VM I made for you.

Download [https://scs.senecacollege.ca/~andrew.smith/srt210ops335/lin3vm4.qcow2.gz the disk image here], extract it into your '''images''' directory and set it up the same way you set up the midterm test review, by "Importing existing disk image":
* You only need 512MB of RAM.
* Connect it to your lab ops335 network.
* Change its IP address, gateway, DNS server address, hostname (FQDN) and DOMAIN/SEARCH parameter to match your network configuration.
* You may find it helpful to add a record for vm4 in your DNS, and set up ssh-key login to vm4.
The machine doesn't have any regular users, only root. The root password is '''seneca99'''. That password is published here, so change it after your first login. If it does not work, use whatever technique works for you to reset the root password so that you can log in.

OpenLDAP has been set up on it using [https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html this itzgeek guide]. You should read that guide even though you don't need to perform all those steps yourself.

This OpenLDAP server (lin3vm4) has been set up with:
* The Domain Components <code>dc=andrew,dc=ops</code>.
* The admin username <code>ldaproot</code> (bind DN <code>cn=ldaproot,dc=andrew,dc=ops</code>) and the password <code>seneca99ldap</code>.
* An Organisation Unit named <code>People</code>, for regular users.
* One regular user, <code>john</code>, whose password you should change using the '''ldappasswd''' command.
The rest of your tasks for this section of the lab are to set up your vm1/vm2/vm3 to authenticate using the LDAP service hosted on vm4.

== INVESTIGATION 2: Adding Users to LDAP ==
Perform the following steps on your LDAP server VM (vm4):
* Before we start adding users, we need to tell the tool that is going to translate between normal user accounts and the LDAP structure a little about our domain.
* Make a backup of '''/usr/share/migrationtools/migrate_common.ph''' in the '''/root''' directory, then modify the following parameters in the '''original''' file to the values shown below:
<source>
$DEFAULT_MAIL_DOMAIN = "andrew.ops";
$DEFAULT_BASE = "dc=andrew,dc=ops";
$EXTENDED_SCHEMA = 1;
</source>
* Add/create a new local user on this machine with your senecaID as the username and a UID of 10000. Set their password as well.
* Migrating them into LDAP will take several steps:
** Extract the passwd entry of your new user from /etc/passwd to a file called ldapusers.entry:
<source>grep -w <your username> /etc/passwd > /root/ldapusers.entry</source>
** Use the '''migrate_passwd.pl''' script to convert the user information you extracted into an ldif file (it reads the password hash and the shadow* attributes from /etc/shadow, so run it as root):
<source>/usr/share/migrationtools/migrate_passwd.pl /root/ldapusers.entry /root/ldapusers.ldif</source>
This should generate an ldif file similar to the following:
<source>
dn: uid=<your username>,ou=People,dc=andrew,dc=ops
uid: <your username>
cn: <your username>
sn: <your username>
mail: <your username>@andrew.ops
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$PBqQXRo/$ugCCjBe0.ZgvmJl8U2tVjpdR8X9bh4OZ1cl3mv4xf0Hv1HSDavkxusO8R3lIuuJ7skrfqpTQpbZ6hbd3e3BGB
shadowLastChange: 17120
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/<your username>
</source>
** Use the '''ldapadd''' command to enter this new information into the database (see the Itzgeek [https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html/2 tutorial] for an example). Use simple authentication (<code>-x</code>), the distinguished name of the LDAP administrator (<code>-D</code>), and get prompted for a password (<code>-W</code>).
** Use '''ldapsearch''' to confirm that the new user has been added to the database. A search of the whole base (<code>ldapsearch -x -b "dc=andrew,dc=ops"</code>) should give output similar to the following (the entry for john is omitted here). If the userPassword hash appears in a search you ran without binding (no <code>-D</code>), anyone who can reach vm4 can read password hashes; that is something to look at in the database's olcAccess rules.
<source>
# extended LDIF
#
# LDAPv3
# base <dc=andrew,dc=ops> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# andrew.ops
dn: dc=andrew,dc=ops
objectClass: top
objectClass: dcObject
objectClass: organization
o: andrew ops
dc: andrew

# ldaproot, andrew.ops
dn: cn=ldaproot,dc=andrew,dc=ops
objectClass: organizationalRole
cn: ldaproot
description: LDAP Manager

# People, andrew.ops
dn: ou=People,dc=andrew,dc=ops
objectClass: organizationalUnit
ou: People

# <your username>, People, andrew.ops
dn: uid=<your username>,ou=People,dc=andrew,dc=ops
uid: <your username>
cn: <your username>
sn: <your username>
mail: <your username>@andrew.ops
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JFBCcVFYUm8vJHVnQ0NqQmUwLlpndm1KbDhVMnRWanBkUjhYOWJoNE9aMWNsM212NHhmMEh2MUhTRGF2a3h1c084UjNsSXV1Sjdza3JmcXBUUXBiWjZoYmQzZTNCR0I
shadowLastChange: 17120
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/<your username>

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
</source>
* Repeat the process to create two more users:
** jane with the UID 10001 and full name Jane Greystoke
** guest with the UID 10002 and full name Andrew's Guests
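The following script is an added example, not part of the lab page or of the migrationtools package. It reproduces in plain shell what migrate_passwd.pl does for one account, so every attribute in the generated LDIF can be traced back to a field of /etc/passwd or /etc/shadow, and wraps the ldapadd, ldapsearch and ldappasswd invocations used on vm4 (including the ldappasswd step from the previous section for changing john's password). The base DN, mail domain and admin DN are the ones this lab's server uses; the sample passwd and shadow lines are constructed and carry a placeholder hash, not a real credential.

```shell
#!/bin/bash
# Added example (not the lab's own code): build the LDIF that migrate_passwd.pl produces
# for one account from its /etc/passwd and /etc/shadow lines, then load and verify it.
# Base DN, mail domain and admin DN come from the lab page; sample input is constructed.

BASE_DN="dc=andrew,dc=ops"
MAIL_DOMAIN="andrew.ops"                 # $DEFAULT_MAIL_DOMAIN in migrate_common.ph
ADMIN_DN="cn=ldaproot,${BASE_DN}"        # bind DN of the ldaproot admin

# user_dn USERNAME -> DN of that user under the People OU.
user_dn() { printf 'uid=%s,ou=People,%s' "$1" "$BASE_DN"; }

# passwd_to_ldif PASSWD_LINE SHADOW_LINE -> LDIF entry on stdout, in the shape
# migrate_passwd.pl emits with $EXTENDED_SCHEMA = 1 (inetOrgPerson + posixAccount +
# shadowAccount). Fails if the shadow line belongs to a different user.
passwd_to_ldif() {
  pline="$1"; sline="$2"
  IFS=: read -r user pw uid gid gecos home shell <<EOF
$pline
EOF
  IFS=: read -r suser hash lastchg min max warn rest <<EOF
$sline
EOF
  if [ "$user" != "$suser" ]; then
    echo "shadow line is for '$suser', not '$user'" >&2
    return 1
  fi
  # cn is the GECOS full name (first comma-separated field) and sn its last word; both fall
  # back to the username when GECOS is empty, which is why the lab's sample has cn = sn = uid.
  fullname="${gecos%%,*}"
  cn="${fullname:-$user}"
  sn="${cn##* }"
  cat <<EOF
dn: $(user_dn "$user")
uid: ${user}
cn: ${cn}
sn: ${sn}
mail: ${user}@${MAIL_DOMAIN}
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}${hash}
shadowLastChange: ${lastchg}
shadowMin: ${min}
shadowMax: ${max}
shadowWarning: ${warn}
loginShell: ${shell}
uidNumber: ${uid}
gidNumber: ${gid}
homeDirectory: ${home}
EOF
}

# add_entry FILE: -x simple bind, -D the admin DN, -W prompt for the admin password.
add_entry() { ldapadd -x -D "$ADMIN_DN" -W -f "$1"; }

# confirm_user USERNAME: the anonymous search the lab asks for. If userPassword shows up
# in this output, anyone who can reach vm4 can read password hashes (check olcAccess).
confirm_user() { ldapsearch -x -b "$BASE_DN" "(uid=$1)"; }

# set_password USERNAME: change a directory user's password as the admin;
# -S prompts for the new value. This is the command to use on john.
set_password() { ldappasswd -x -D "$ADMIN_DN" -W -S "$(user_dn "$1")"; }

# Constructed sample input (placeholder hash, not a real credential): what useradd and
# passwd leave in /etc/passwd and /etc/shadow for the lab's second user.
SAMPLE_PASSWD='jane:x:10001:10001:Jane Greystoke:/home/jane:/bin/bash'
SAMPLE_SHADOW='jane:$6$saltsalt$placeholderhash:17120:0:99999:7:::'

if [ "${1:-}" = "--demo" ]; then
  passwd_to_ldif "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" > jane.ldif && add_entry jane.ldif && confirm_user jane
fi
```

Run it with <code>--demo</code> on vm4 to convert the constructed sample, load it as ldaproot and search for it; for your own users, feed it the real lines from <code>grep -w USERNAME /etc/passwd</code> and <code>grep -w USERNAME /etc/shadow</code>. Note that `ldappasswd` goes through the server's password-modify operation, so it stores the new password in the server's default hash format rather than as the {crypt} string migrated from /etc/shadow.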
== INVESTIGATION 3: Authenticating against LDAP ==
* Read the [https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html/2 second] page of the '''Itzgeek guide''' for instructions on how to configure a CentOS machine to authenticate against an LDAP server.
* Prior to doing anything with it, back up your current authentication configuration. <code>authconfig --savebackup=NAME</code> does this, and <code>authconfig --restorebackup=NAME</code> puts it back if the client ends up unable to log anyone in.
* Follow those instructions for '''vm1''', '''vm2''', and '''vm3'''. Make sure that you update the IP address of your server in the arguments to the '''authconfig''' command.
* Be aware that this configuration talks to vm4 over plain <code>ldap://</code>, so passwords cross the network unencrypted; that is acceptable on your isolated lab network, but a production deployment would use LDAPS or StartTLS.
* Confirm that you can log in using all three usernames on all your nested VMs (except vm4).
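The script below is an added example, not part of the lab page or of the Itzgeek guide. It wraps the client-side steps of this investigation: save a backup of the authentication configuration, run authconfig with the server address and base DN, warn when the server URI is unencrypted, and verify afterwards that the client can resolve an LDAP account through NSS. The server address <code>192.0.2.4</code> is a placeholder to be replaced with vm4's address; the base DN is the lab server's.

```shell
#!/bin/bash
# Added example (not part of the lab page): configure a CentOS 7 client (vm1/vm2/vm3) to
# authenticate against the lab's LDAP server, with a configuration backup first and a
# verification step afterwards. SERVER_IP is a placeholder for vm4's address. Run as root.

SERVER_IP="${SERVER_IP:-192.0.2.4}"     # placeholder, replace with vm4's real address
BASE_DN="dc=andrew,dc=ops"
BACKUP_NAME="pre-ldap"                  # name passed to --savebackup / --restorebackup
DRY_RUN="${DRY_RUN:-}"

# run CMD...: execute the command, or only echo it when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi; }

# build_authconfig_cmd URI BASEDN -> the authconfig invocation as a single string.
# --enablemkhomedir creates /home/<user> at first login, since LDAP users have no local home.
build_authconfig_cmd() {
  printf 'authconfig --enableldap --enableldapauth --ldapserver=%s --ldapbasedn=%s --enablemkhomedir --update' "$1" "$2"
}

# uri_is_plaintext URI -> success (0) when binds would cross the network unencrypted.
uri_is_plaintext() {
  case "$1" in
    ldaps://*) return 1 ;;
    *)         return 0 ;;
  esac
}

configure_client() {
  uri="ldap://${SERVER_IP}"
  # Back up first so the change can be undone with rollback_client.
  run authconfig --savebackup="$BACKUP_NAME"
  if uri_is_plaintext "$uri"; then
    echo "warning: $uri sends passwords to the server unencrypted; acceptable only on the isolated lab network" >&2
  fi
  # Word-splitting the built command line into arguments is intended here.
  run $(build_authconfig_cmd "$uri" "$BASE_DN")
}

rollback_client() { run authconfig --restorebackup="$BACKUP_NAME"; }

# verify_user USERNAME: resolution through NSS proves the client sees LDAP accounts;
# an interactive 'su - USERNAME' afterwards exercises PAM with the LDAP password.
verify_user() {
  if getent passwd "$1" >/dev/null; then
    id "$1"
  else
    echo "$1 not found via NSS; check the server IP and base DN passed to authconfig" >&2
    return 1
  fi
}

case "${1:-}" in
  --configure) configure_client ;;
  --rollback)  rollback_client ;;
  --verify)    shift; for u in "$@"; do verify_user "$u"; done ;;
esac
```

Run <code>DRY_RUN=1 ./ldap-client.sh --configure</code> first to see the exact commands, then without DRY_RUN on each of vm1, vm2 and vm3, and finish with <code>./ldap-client.sh --verify john jane guest</code> before trying an actual login.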
 
== INVESTIGATION 4: Using Ldif Files ==
An important capability of LDAP is the ability to update the information in the database.
*Most updates will be run with specially formatted ldif files. These use the same structure as the files you created to add users, but will be shorter as they will only be changing one attribute.
*Each entry in an ldif file identifies an object to work with, and a changetype (which is an action to take on that object). Depending on the changetype, there might be an extra line for information to be changed or added.
*Write an ldif file called '''update1.ldif''' that will '''add''' the attribute '''roomNumber''' to the user with your username (roomNumber is defined by the inetOrgPerson object class your entry already has). Set the value of roomNumber to be the room your class takes place in (or any room number if you are taking the course online).
*Use '''ldapmodify''' to apply this file to your database, then run '''ldapsearch''' to confirm the new attribute has been added.
*Write a new ldif file called '''update2.ldif''' that will '''replace''' the '''mail''' address of the user with your username so that it has your actual Seneca email address. Use '''ldapmodify''' again to apply this change to the database.
*Write a third ldif file called '''update3.ldif''' to '''delete''' the user '''john''' from the database, then apply that change using '''ldapmodify''' again.
*Use '''ldapsearch''' to confirm that these changes have taken place.
*Note that it is possible to write ldif files to make multiple changes at once, but that is beyond this course.
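The following is an added example, not the lab's own files: it generates the three change records this investigation asks for (add roomNumber, replace mail, delete john) in the LDIF <code>changetype</code> syntax, and wraps the ldapmodify and ldapsearch calls used to apply and confirm them. The admin DN and base DN are the lab server's; the room number and e-mail address are placeholders you would replace with your own values.

```shell
#!/bin/bash
# Added example (not the lab's own code): produce update1/update2/update3.ldif and apply
# them with ldapmodify. Room number and e-mail address below are placeholders.

BASE_DN="dc=andrew,dc=ops"
ADMIN_DN="cn=ldaproot,${BASE_DN}"

# user_dn USERNAME -> DN of that user under the People OU.
user_dn() { printf 'uid=%s,ou=People,%s' "$1" "$BASE_DN"; }

# ldif_modify DN OP ATTR [VALUE] -> one "changetype: modify" record on stdout.
# OP is add, replace or delete. The value line is omitted when no VALUE is given, which for
# "delete" removes every value of ATTR. The trailing "-" closes the modification block; more
# blocks could follow it in the same record, which is how multi-attribute changes are written.
ldif_modify() {
  printf 'dn: %s\nchangetype: modify\n%s: %s\n' "$1" "$2" "$3"
  if [ -n "${4:-}" ]; then
    printf '%s: %s\n' "$3" "$4"
  fi
  printf '%s\n' -
}

# ldif_delete DN -> record that removes the whole entry.
ldif_delete() { printf 'dn: %s\nchangetype: delete\n' "$1"; }

# write_updates USERNAME ROOM EMAIL: the three files the lab asks for.
write_updates() {
  ldif_modify "$(user_dn "$1")" add roomNumber "$2" > update1.ldif
  ldif_modify "$(user_dn "$1")" replace mail "$3"   > update2.ldif
  ldif_delete "$(user_dn john)"                      > update3.ldif
}

# apply FILE: -x simple bind, -D the admin DN, -W prompt for its password.
# ldapmodify -n -f FILE shows what would be done without changing the directory.
apply() { ldapmodify -x -D "$ADMIN_DN" -W -f "$1"; }

# confirm USERNAME: anonymous search returning only the attributes the updates touched.
confirm() { ldapsearch -x -b "$BASE_DN" "(uid=$1)" roomNumber mail; }

if [ "${1:-}" = "--demo" ]; then
  me="${2:?username}"; room="${3:-T2108}"; email="${4:-${me}@example.com}"   # placeholders
  write_updates "$me" "$room" "$email"
  for f in update1.ldif update2.ldif update3.ldif; do apply "$f"; done
  confirm "$me"
  ldapsearch -x -b "$BASE_DN" "(uid=john)" dn   # should return no entry after update3
fi
```

Run <code>./updates.sh --demo YOURUSERNAME ROOM EMAIL</code> on vm4 to write the three files, apply them one after another (you are prompted for the ldaproot password each time) and check the result. Inspect the generated files before applying them; the attribute names are case-insensitive but the DN must match the entry exactly, and a typo in the DN gives "No such object" rather than a silent no-op.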
'''Record steps, commands, and your observations in all INVESTIGATIONS in your OPS335 lab log-book.'''
{{Admon/important |Backup your VMs!|You MUST perform a '''full backup''' of ALL of your VMs whenever you complete your '''OPS335 labs''' or when working on your '''OPS335 assignments'''. You should be using the dump or rsync command, and you should use the Bash shell script that you were advised to create in order to backup all of your VMs.}}
== COMPLETING THE LAB ==
You have now learned how to connect a client machine to an existing LDAP server for centralized authentication, as well as how to update the information held in that server.
=== Online Submission ===
Follow the instructions for lab 7 on Blackboard.
<!--=== Andrew's sections ===
You may choose to:
* Submit screenshots of your work on Blackboard, in which case you don't need to come to the lab.
* Or come to the lab, show me your work, and talk to me about it. I want to hear what you've learned and answer any questions you have.
You'll get the same grade regardless of how you choose to submit your work.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>vm4 set up.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>vm1/2/3 can authenticate against the LDAP database in vm4.
::<span style="color:green;font-size:1.5em;">&#x2713;</span>Three users created in LDAP.
=== In-Class submission ===
To be completed by faculty who use in-class submission
-->
== EXPLORATION QUESTIONS ==