OpenLDAP


Install the slapd package

Run the following from the command line:

sudo apt-get install slapd db4.2-util ldap-utils migrationtools

Enter your password for the admin entry in the LDAP directory when it is prompted.

Initial Configuration

We need to reconfigure slapd, answering the prompts as follows:

dpkg-reconfigure slapd
Omit OpenLDAP server configuration? ... No
DNS domain name: ... casa.gg
Name of your organization: ... Whatever & Co
Admin Password: XXXXX
Confirm Password: XXXXX
OK
HDB
Do you want your database to be removed when slapd is purged? ... No
Move old database? ... Yes
Allow LDAPv2 Protocol? ... No 

You can check if your server is working by typing:

ldapsearch -x -b dc=casa,dc=gg

Populating the database

Using migrationtools we can quickly import all existing users and groups from the local system into LDAP.

cd /usr/share/migrationtools/

We need to edit the default migrationtools' config file migrate_common.ph and replace the following parameters with:

$DEFAULT_MAIL_DOMAIN = "casa.gg";
$DEFAULT_BASE = "dc=casa,dc=gg";

Then export the values. Run this as root so that migrate_passwd.pl can read /etc/shadow; the resulting passwd.ldif then contains every user's password hash and should be protected as carefully as /etc/shadow itself:

./migrate_group.pl /etc/group ~/group.ldif
./migrate_passwd.pl /etc/passwd ~/passwd.ldif

Unfortunately, the scripts do not create the People and Group organizational units, so we need to create them ourselves. To do this, create a file called ~/people_group.ldif with the following content:

dn: ou=People, dc=casa, dc=gg
ou: People
objectclass: organizationalUnit

dn: ou=Group, dc=casa, dc=gg
ou: Group
objectclass: organizationalUnit

Now we have our users and groups converted to LDAP's LDIF format. Let's import them into our LDAP database:

cd
ldapadd -x -W -D "cn=admin,dc=casa,dc=gg" -f ~/people_group.ldif
ldapadd -x -W -D "cn=admin,dc=casa,dc=gg" -f ~/group.ldif
ldapadd -x -W -D "cn=admin,dc=casa,dc=gg" -f ~/passwd.ldif

where:

   -x use simple authentication instead of SASL
   -W prompt for the bind password
   -D the DN to bind as (here the directory administrator)
   -f the file from which ldapadd reads the entries to add


Securing the OpenLDAP server

You can follow the steps in OpenSSL to generate a new self-signed certificate:

We need to end up with these three files:

/etc/ldap/ssl/cacert.pem     --> CA certificate
/etc/ldap/ssl/servercrt.pem  --> server certificate signed by that CA
/etc/ldap/ssl/serverkey.pem  --> server private key (readable only by root and the openldap user)

Then we need to modify /etc/ldap/slapd.conf and add the following. Note that +SSLv2 re-enables the long-broken SSLv2 cipher suites and should be dropped on any current system (HIGH alone is the safer choice), and that TLSVerifyClient never means the server never asks clients for a certificate:

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ldap/ssl/cacert.pem 
TLSCertificateFile /etc/ldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem
TLSVerifyClient never

Then, to make sure that we only accept requests from outside over SSL (plain ldap:// stays bound to the loopback address), we set the following line in /etc/default/slapd:

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"

We can check that the SSL works fine by running

openssl s_client -connect 127.0.0.1:636 -showcerts

Final Configuration

Let's first configure /etc/ldap/ldap.conf, a common configuration file for all LDAP clients. This will allow us to run ldapsearch and other commands without having to list all the basic parameters by hand each time.

Enable the following two lines in /etc/ldap/ldap.conf, creating the file if necessary (LDAPS listens on port 636; because our certificate is self-signed, also point TLS_CACERT at /etc/ldap/ssl/cacert.pem so that the clients can verify it):

BASE	dc=casa, dc=gg
URI	ldaps://localhost:636

Then in the file /etc/ldap/slapd.conf we will make sure to change the loglevel:

loglevel        256

Search for the line "index objectClass eq" and add another search index. In some configurations a search on an attribute that is not indexed returns no results at all, so this step is important:

index           objectClass eq
index           uid         eq

To build the new index we must stop slapd, run slapindex and then fix the ownership of the database files (slapindex run as root leaves root-owned files that slapd cannot open):

/etc/init.d/slapd stop
slapindex
chown openldap:openldap /var/lib/ldap/*
/etc/init.d/slapd start

Testing the server

root@ldap:~# slapcat
...
dn: uid=libuuid,ou=People,dc=casa,dc=gg
uid: libuuid
cn: libuuid
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fE=
shadowLastChange: 15376
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/sh
uidNumber: 100
gidNumber: 101
homeDirectory: /var/lib/libuuid
structuralObjectClass: account
entryUUID: 2b68baf0-6d0e-1031-979f-e10efd81048f
creatorsName: cn=admin,dc=casa,dc=gg
createTimestamp: 20120728144215Z
entryCSN: 20120728144215.907568Z#000000#000#000000
modifiersName: cn=admin,dc=casa,dc=gg
modifyTimestamp: 20120728144215Z

Query the server

Query the user:

root@ldap:~# ldapsearch -x -W -D cn=admin,dc=casa,dc=gg -h localhost -b "uid=gerard,ou=People,dc=casa,dc=gg"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <uid=gerard,ou=People,dc=casa,dc=gg> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# gerard, People, casa.gg
dn: uid=gerard,ou=People,dc=casa,dc=gg
uid: gerard
cn: gerard
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JGZuR0U1OXlJJFNHOXd5VldBZS5Cd3IvbGhJTkp0Q0VqZ1VEOHZ
 qYkx3PM0JtVUNsa3NlTERKUTZ0d09laVFYR04x
shadowLastChange: 15376
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/gerard
gecos: gerard,,,

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Query when an object has been modified:

root@ldap:~# ldapsearch -x -W -D cn=admin,dc=casa,dc=gg -h localhost -b "uid=gerard,ou=People,dc=casa,dc=gg" modifyTimestamp
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <uid=gerard,ou=People,dc=casa,dc=gg> with scope subtree
# filter: (objectclass=*)
# requesting: modifyTimestamp 
#

# gerard, People, casa.gg
dn: uid=gerard,ou=People,dc=casa,dc=gg
modifyTimestamp: 20120728144215Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Adding an account

Let's start by building an LDIF file, pepito.ldif, for user pepito (the uid and cn values must match the uid in the dn, otherwise slapd rejects the entry; the placeholder userPassword is replaced below with ldappasswd):

dn: uid=pepito,ou=People,dc=casa,dc=gg
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: pepito
uid: pepito
uidNumber: 2500
gidNumber: 2500
homeDirectory: /home/pepito
loginShell: /bin/bash
gecos: pepito
userPassword: {crypt}pepito
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Then we load this file with the command:

root@ldap:~# ldapadd -x -D "cn=admin,dc=casa,dc=gg" -W -f pepito.ldif
Enter LDAP Password: 
adding new entry "uid=pepito,ou=People,dc=casa,dc=gg"

The same applies to groups. We need to create a file like this (the cn must match the cn in the dn, and the dn must sit under our own base, dc=casa,dc=gg):

dn: cn=grupdelpepito,ou=Group,dc=casa,dc=gg
objectClass: top
objectClass: posixGroup
cn: grupdelpepito
userPassword: {crypt}x
gidNumber: 2500
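Before handing an account or group LDIF like the two above to ldapadd, it is worth checking it for the two mistakes slapd refuses: an RDN value that does not appear among the entry's attributes (dn: uid=pepito,... together with uid: pepito uid) and a missing MUST attribute such as member on a groupOfNames. The following checker is an added example, not part of the original page; the sample LDIF is constructed, and the MUST table is assumed to cover only the two object classes used here.

```python
import base64
import re

# Constructed sample, not from the page: the account repeats the page's RDN
# mismatch (dn says uid=pepito, attribute says 'pepito uid'); the group lacks member.
SAMPLE_LDIF = """\
dn: uid=pepito,ou=People,dc=casa,dc=gg
objectClass: posixAccount
cn: pepito
uid: pepito uid
uidNumber: 2500
gidNumber: 2500
homeDirectory: /home/pepito
userPassword:: e2NyeXB0fXg=

dn: cn=grupprova,ou=Group,dc=casa,dc=gg
objectClass: groupOfNames
cn: grupprova
"""
# MUST attributes of the object classes this page uses (core and nis schema).
MUST = {"posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
        "groupofnames": {"cn", "member"}}
def parse_ldif(text):
    # Returns [(dn, {attr: [values]})]; joins folded lines, decodes '::' base64.
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines, attrs = [], {}
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # folded continuation line
            elif not line.startswith("#"):     # skip LDIF comments
                lines.append(line)
        for line in lines:
            name, sep, value = re.match(r"([^:]+)(::?)\s*(.*)", line).groups()
            if sep == "::":
                value = base64.b64decode(value).decode()
            attrs.setdefault(name.lower(), []).append(value)
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def check_entry(dn, attrs):
    # Returns the reasons slapd would reject this entry on ldapadd (empty = OK).
    problems = []
    rdn_attr, rdn_val = dn.split(",", 1)[0].split("=", 1)
    if rdn_val not in attrs.get(rdn_attr.lower(), []):
        problems.append(f"RDN value '{rdn_val}' missing from attribute {rdn_attr}")
    for oc in attrs.get("objectclass", []):
        for must in sorted(MUST.get(oc.lower(), set()) - set(attrs)):
            problems.append(f"{oc} requires attribute {must}")
    return problems
```

Run check_entry over every entry returned by parse_ldif and only call ldapadd when all lists come back empty.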

Changing a password

We want to change user pepito's password to newpassword. Note that -s puts the new password into the process list and the shell history; passing -S instead makes ldappasswd prompt for it:

root@ldap:~# ldappasswd -s newpassword -D "cn=admin,dc=casa,dc=gg" -W -x uid=pepito,ou=People,dc=casa,dc=gg
Enter LDAP Password: 


Modify an account

Delete a user

root@ldap:~# ldapdelete -W -D cn=admin,dc=casa,dc=gg -h localhost  "uid=pepito,ou=People,dc=casa,dc=gg" 
Enter LDAP Password: 

Adding memberOf Overlay

Edit the file /etc/ldap/slapd.d/cn=config/olcDatabase\=\{0\}config.ldif and add the following, which gives the cn=config database an administrator so that we can load modules and overlays over ldapi:/// (a hash generated with slappasswd is preferable to a cleartext olcRootPW):

olcRootDN: cn=admin,cn=config
olcRootPW: mypassword


root@ldap:~# cat first.ldif 
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof

root@ldap:~# cat second.ldif 
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
root@ldap:~# ldapadd  -D "cn=admin,cn=config" -w mypassword -H ldapi:/// -f first.ldif 
adding new entry "cn=module,cn=config"

root@ldap:~# ldapadd  -D "cn=admin,cn=config" -w mypassword -H ldapi:/// -f second.ldif 
adding new entry "olcOverlay=memberof,olcDatabase={1}bdb,cn=config"

We create a test group; a groupOfNames must carry at least one member attribute, so we add gerard right away:

dn: cn=grupprova,ou=Group,dc=casa,dc=gg
objectclass: groupofnames
cn: grupprova
description: IT security group
# add the group members all of which are
# assumed to exist under people
member: uid=gerard,ou=People,dc=casa,dc=gg

Now the user has the memberOf attribute populated automatically. This only works when we modify the member attribute of the groupOfNames entry; adding or removing memberOf directly on the user entry has no effect:

root@ldap:~# ldapsearch -x -W -D cn=admin,dc=casa,dc=gg -h localhost -b "uid=gerard,ou=People,dc=casa,dc=gg" memberof
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <uid=gerard,ou=People,dc=casa,dc=gg> with scope subtree
# filter: (objectclass=*)
# requesting: memberof 
#

# gerard, People, casa.gg
dn: uid=gerard,ou=People,dc=casa,dc=gg
memberOf: cn=grupprova,ou=Group,dc=casa,dc=gg

# search result
search: 2
result: 0 Success

Adding memberof in a User

User pepito is not yet a memberOf grupprova:

root@ldap:~# ldapsearch -x -W -D cn=admin,dc=casa,dc=gg -h localhost -b "uid=pepito,ou=People,dc=casa,dc=gg"  memberof
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <uid=pepito,ou=People,dc=casa,dc=gg> with scope subtree
# filter: (objectclass=*)
# requesting: memberof 
#

# pepito, People, casa.gg
dn: uid=pepito,ou=People,dc=casa,dc=gg

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

We need to modify the groupOfNames entry with this LDIF (grup-pepito.ldif):

dn: cn=grupprova,ou=Group,dc=casa,dc=gg
changetype: modify
add: member
member: uid=pepito,ou=People,dc=casa,dc=gg

We apply it with ldapmodify:

root@ldap:~# ldapmodify  -x -D "cn=admin,dc=casa,dc=gg" -W -f grup-pepito.ldif 
Enter LDAP Password: 
modifying entry "cn=grupprova,ou=Group,dc=casa,dc=gg"

And now the user has the memberOf attribute:

root@ldap:~# ldapsearch -x -W -D cn=admin,dc=casa,dc=gg -h localhost -b "uid=pepito,ou=People,dc=casa,dc=gg"  memberof
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <uid=pepito,ou=People,dc=casa,dc=gg> with scope subtree
# filter: (objectclass=*)
# requesting: memberof 
#

# pepito, People, provaldap.gg
dn: uid=pepito,ou=People,dc=casa,dc=gg
memberOf: cn=grupprova,ou=Group,dc=casa,dc=gg

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Removing memberof from a User

The same operation, but the LDIF has to use delete: member instead:

dn: cn=grupprova,ou=Group,dc=casa,dc=gg
changetype: modify
delete: member
member: uid=pepito,ou=People,dc=casa,dc=gg


Credits

All this information is taken from http://www.debuntu.org/ldap-server-and-linux-ldap-clients. Thanks to chantra for sharing it.
