LDAP Server & Client : How to Setup OpenLDAP Server and Authenticate Client Workstation

How to Setup OpenLDAP Server and Authenticate Client Workstation

LDAP or lightweight directory access protocol allows anyone to locate and connect to organizations, peoples and other resources like files and devices in a network (public/private). LDAP follows X.500 standard, a standard for directory service in a network that typically uses usual client/server paradigm. LDAP is lighter because in its initial version it did not include security features. The primary use of directory services is storing users and object data in a central system and make this data available to other applications mainly for authentication or as an address book and we can accomplish this using an OpenLDAP Server. This articles covers how to Setup OpenLDAP server and authenticate client workstation using Lightweight directory access protocol in Ubuntu 16.04
This articles covers how to Setup OpenLDAP server and authenticate client workstation using Lightweight directory access protocol in Ubuntu 16.04.

Uses of LDAP

→LDAP keeps users and other network objects in a central database.
→LDAP stores information such as plain textual information, images, binary data, public key certificates in the central database.
→LDAP provide authentication and authorization services like login management.
→LDAP can also store DNS records in its database.
→LDAP can be used like yellow pages directory service for any organization.

LDAP terminology

LDAP terminologies are parts of the X.500 Directory Specification, which defines nodes in a LDAP directory.
CN             commonName
L                localityName
ST              stateOrProvinceName
O               organizationName
OU             organizationalUnitName
C               countryName
STREET     streetAddress
DC             domainComponent
UID            userid
DN             Distinguished name
The last one i.e DN (Distinguished Name) is a series of comma-separated key/value pairs used to identify entries uniquely in the directory hierarchy. The DN is actually the entry's fully qualified name. e.g The string  "CN=India,OU=Distribution Groups, DC=gp, DC=gl, DC=linoxide, DC=com" is a path from an hierarchical structure called Directory Information Tree and should be read from right (root) to left (leaf).
In this article, we will setup OpenLDAP server in Ubuntu 16 and configure an OpenLDAP client which will retrieve login credentials from the server and authenticate the users.

 IP Address
OpenLDAP Server
 10.0.0.196
OpenLDAP client
 10.0.0.33

Install OpenLDAP Server

Install OpenLDAP and its utilities using apt-get and enable it during start-up. While installing, it will ask to provide admin password.
# sudo apt-get update
# apt-get install slapd ldap-utils
# systemctl enable slapd
Using netstat, check if the slapd is running in the port no 389
# netstat -pltn
Ubuntu 16 shipped with firewall UFW by default. If UFW is enabled then open the port no 389 using following commands.
# sudo ufw allow tcp/389
# sudo ufw reload
The OpenLDAP package have been installed and now we are going to reconfigure all the defaults those are shipped with ubuntu. Execute the following command to bring up package configuration tool.
# sudo dpkg-reconfigure slapd
The package configuration tool will ask a series of question for re-configuring OpenLDAP
→Omit OpenLDAP server configuration? <No>
→DNS domain name: linoxide.com
→Organization name: linoxide
→Enter password and confirm it: password
→Database backend to use: HDB
→Do you want the database to be removed when slapd is purged? <No>
→Move old database? <Yes>
→Allow LDAPv2 protocol? <No>
Restart OpenLDAP
# systemctl restart slapd
You can change the admin password for OpenLDAP at later stage using the following command.
# ldappassword
At this stage, we have installed and reconfigured OpenLDAP server. To find the entry for admin in the OpenLDAP database, we will use ldapsearch command. ldapsearch will prompt for admin password that we have provided during reconfiguration of OpenLDAP.
# ldapsearch -x -W -D cn=admin,dc=linoxide,dc=com -b dc=linoxide,dc=com -LLL
Enter LDAP Password:
dn: dc=linoxide,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: linoxide
dc: linoxide
dn: cn=admin,dc=linoxide,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9MkdIK2p1enlxQ3hFNmtMSE56TUE5NzZzOFQxVGdxSUE=

Add organizational unit (OU)

To add OU, we will create a LDIF (LDAP Data Interchange Format)  file which is the standard text format designed to exchange information from LDAP server. Add an organizational unit by the name 'groups'.
# vi ou_group.ldif
dn: ou=groups,dc=linoxide,dc=com
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: groups
We will use ldapadd to add the above organizational unit.
# ldapadd -W -D "cn=admin,dc=linoxide,dc=com" -f ou_group.ldif

Modify organizational unit (OU)

To modify an organizational unit, create a ldif file with the following content. In this example, we are adding an entry for postal code to the existing OU.
# vi modify_ou.ldif
dn: ou=groups,dc=linoxide,dc=com
changetype: modify
add: postalCode
postalCode: 788109
-
Use ldapmodify to modify the the OU
# ldapmodify -x -W -D "cn=admin,dc=linoxide,dc=com" -f modify_ou.ldif
Enter LDAP Password:
modifying entry "ou=groups,dc=linoxide,dc=com"

Delete organizational unit (OU)

To delete an organizational unit, use ldapdelete specifying the distinguished name for the OU
# ldapdelete -W -D "cn=admin,dc=linoxide,dc=com" "ou=groups,dc=linoxide,dc=com"
Enter LDAP Password:

Add groups

To add a posix group, we will create a LDIF file for it.
# vi irc_users.ldif
dn: cn=ircusers,ou=groups,dc=linoxide,dc=com
objectClass: posixGroup
objectClass: top
cn: ircusers
gidNumber: 4000
Use ldapadd command like before to add the group
# ldapadd -x -W -D "cn=admin,dc=linoxide,dc=com" -f irc_users.ldif
Enter LDAP Password:
adding new entry "cn=ircusers,ou=groups,dc=linoxide,dc=com"

Modify groups

Define the ldif file for modifying groups, we will add 'description' for the existing ircusers group.
# vi modify_irc_users.ldif
dn: cn=ircusers,ou=groups,dc=linoxide,dc=com
changetype: modify
add: description
description: Groups under OU
Use ldapmodify to modify the the the group
# ldapmodify -x -W -D "cn=admin,dc=linoxide,dc=com" -f modify_irc_users.ldif
Enter LDAP Password:
modifying entry "cn=ircusers,ou=groups,dc=linoxide,dc=com"

Delete groups

To delete a group use ldapdelete specifying distinguished name for the group.
# ldapdelete -W -D "cn=admin,dc=linoxide,dc=com" "cn=ircusers,ou=groups,dc=linoxide,dc=com"
Enter LDAP Password:

Add user

At first generate the SSHA password for the user using slappasswd
# slappasswd -h {SSHA} -s mypass
{SSHA}d9NeiNx4RLSEtXNuMxq7+jWK/5yxwCWT
Next create a ldif file for a user
# vi mike_user.ldif
dn: uid=mike,ou=groups,dc=linoxide,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: mike
sn: smith
givenName: mike
cn: mike
uidNumber: 4000
gidNumber: 4000
userPassword: {SSHA}d9NeiNx4RLSEtXNuMxq7+jWK/5yxwCWT
loginShell: /bin/bash
homeDirectory: /home/mike
Make sure to provide correct group id number (gidNumber) which is 4000 in our case. Add the above user using ldapadd command.
# ldapadd -x -W -D "cn=admin,dc=linoxide,dc=com" -f mike_user.ldif
Enter LDAP Password:
adding new entry "uid=mike,ou=users,dc=linoxide,dc=com"

Delete user

To delete an user use ldapdelete command
# ldapdelete -W -D "cn=admin,dc=linoxide,dc=com" "uid=mike,ou=groups,dc=linoxide,dc=com"
Check if the entry has been deleted using following command.
# ldapsearch -x -b "dc=linoxide,dc=com"

Modify user

To modify an user, create a ldif file and then use ldapmodify to achieve it.
# vi modify_mike.ldif
dn: uid=mike,ou=groups,dc=linoxide,dc=com
changetype: modify
replace: smith
sn: smt
-
add: title
title: Grand Poobah
-
add: jpegPhoto
jpegPhoto: /tmp/smith.png
Now execute the ldapmodify command
# ldapmodify -x -W -D "cn=admin,dc=linoxide,dc=com" -f modify_mike.ldif
Enter LDAP Password:
modifying entry "uid=mike,ou=users,dc=linoxide,dc=com"

Search OpenLDAP database

From the server itself, you can now check to see if you can read the database. The command below will dump entire directory.
# ldapsearch -x -LLL -H ldap:/// -b dc=linoxide,dc=com
dn: dc=linoxide,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: linoxide
dc: linoxide
dn: cn=admin,dc=linoxide,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
dn: ou=groups,dc=linoxide,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
dn: ou=users,dc=linoxide,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users
dn: cn=dbagrp,ou=groups,dc=linoxide,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 678
cn: dbagrp
dn: cn=ircusers,ou=groups,dc=linoxide,dc=com
objectClass: posixGroup
objectClass: top
cn: ircusers
gidNumber: 4000
dn: uid=mike,ou=users,dc=linoxide,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: mike
sn: smith
givenName: mike
cn: mike
uidNumber: 4000
gidNumber: 4000
loginShell: /bin/bash
homeDirectory: /home/mike

Using phpMyAdmin

We have created/edited/searched OU, groups, users through command line. However you can do the same using a web interface called phpldapadmin. The phpldapadmin is shipped along with ubuntu by default. Use apt-get to install it.
# sudo apt-get install phpldapadmin
Edit the config file for phpldapadmin to reflect the directory structure that we have created earlier.
# vi /etc/phpldapadmin/config.php
$servers->setValue('server','name','My LDAP Server');
$servers->setValue('server','host','LDAP-SERVER-IP');
$servers->setValue('server','base',array('dc=linoxide,dc=com'));
$servers->setValue('login','auth_type','session');
$servers->setValue('login','bind_id','cn=admin,dc=linoxide,dc=com');
You can now access phpldapadmin through http://LDAP-SERVER-IP/phpldapadmin. Login with user as default directory structure and password as 'password'. To password protect the phpldapadmin location, create an user using apache utils htpasswd.
# sudo htpasswd -c /etc/apache2/htpasswd ldapadminuser
New password:
Re-type new password:
Adding password for user ldapadminuser
Append the following section in apache's main configuration file /etc/apache2/apache2.conf
# vi /etc/apache2/apache2.conf
<Location /phpldapadmin>
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/htpasswd
Require valid-user
</Location>
Restart Apache
# systemctl restart apache2
Refresh the phpldapadmin page, you will see the password prompt that you configured using htpasswd utils.

Install OpenLDAP client

We will install few packages in the client machine to make authentication function correctly with an OpenLDAP server.
# apt-get install ldap-auth-client nscd
You will be asked a series of questions similar to what was asked during server configuration.
→ LDAP server Uniform Resource Identifier: ldap://10.0.0.196
→ Distinguished name of the search base: dc=linoxide,dc=com
→LDAP version: 3
→Make local root Database admin: <Yes>
→Does the LDAP database require login? <No>
→LDAP account for root: cn=admin,dc=linoxide,dc=com
→LDAP root account password: password
You can always change the configuration by executing the following command in the terminal.
#  sudo dpkg-reconfigure ldap-auth-config

Configure OpenLDAP client

We need to edit the file /etc/nsswitch.conf to inform the authentication files about the presence of a OpenLDAP server. Edit /etc/nsswitch.conf file and modify the lines that starts with passwd, group, shadow to look like the below.
# vi /etc/nsswitch.conf
passwd:         ldap compat
group:            ldap compat
shadow:         ldap compat
Edit  /etc/pam.d/common-session and the following line at the end of the file.
# vi /etc/pam.d/common-session
....................
....................
session required        pam_mkhomedir.so skel=/etc/skel umask=0022
Setup nss using auth-client-config with ldap
# auth-client-config -t nss -p lac_ldap
# cd /usr/share/pam-configs/
# vi mkhomedir
Name: Create home directory on login for Linoxide
Default: yes
Priority: 0
Session-Type: Additional
Session-Interactive-Only: yes
Session:
required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
The last line of the above file will create a home directory on the client machine when an LDAP user logs in and does not have a home directory. Now update the pam authentication.
# pam-auth-update
Enable the line that says "Create home directory on login......" and select 'Ok'. Restart nscd.
# /etc/init.d/nscd restart
[ ok ] Restarting nscd (via systemctl): nscd.service.
List the entry of password file using getent. The list will include the LDAP user 'mike' which we have created earlier in the server.
# getent passwd
mike:x:4000:4000:mike:/home/mike:/bin/bash
If you have not installed SSH earlier then install it using SSH.
# apt-get install ssh
Make sure you have set the the following to yes in /etc/ssh/sshd_config
PermitRootLogin yes
UsePAM yes
Connect to the LDAP server using SSH
# ssh mike@10.0.0.33
Another way to get the shell of mike is by using sudo in the client machine.
# su - mike
mike@ip-10-0-0-33:~$
While configuring OpenLDAP server, we have created the LDAP administrator with distinguished name "cn=admin,dc=linoxide,dc=com" This value admin matched with the admin group that is there in Ubuntu by default. The LDAP users that we have created to the admin group will have access to the sudo command since there is an entry for it in the /etc/sudoers file like below-
%admin ALL=(ALL) ALL
To revoke access to sudo for the admin group, comment the above line by placing a hash in the beginning of the line. You can also grant sudo access to specific user by adding %user ALL=(ALL) ALL to /etc/sudoers file.

Conclusion

The advantages of using OpenLDAP server is that information of an entire organization can be placed in a central repository. LDAP can be used as a central directory accessible from anywhere on the network rather than managing users of each group separately. Also LDAP supports Secure Sockets Layer (SSL) and Transport Layer Security  (TLS), so the sensitive data can be protected from prying eyes. Browse OpenLDAP documentation to know more about OpenLDAP administration.

Comments

Post a Comment

Popular posts from this blog

How to Set Up IP and Port-Based Virtual Hosting (Vhosts) With Apache Web Server on CentOS 7

Image
How to Set Up IP and Port-Based Virtual Hosting (Vhosts) With Apache Web Server on CentOS 7 Table of Contents Introduction Requirements Set up multiple IP addresses on a single network interface Set up multiple instances of Apache Create the directory structure Create test web pages for each virtual host Set up ownership and permissions Create virtual host files Allow Apache through the firewall Test the virtual hosts Introduction Virtual hosting is a method for hosting multiple websites on a single machine. There are two types of virtual hosting:  Name-based virtual hosting  and  IP-based virtual hosting . IP-based virtual hosting is a technique to apply different directives based on the IP address and port a request is received on. You can assign a separate IP for each website on a single server using IP-based virtual hosting. This is mainly used to host different websites on different ports or IP addresses. In this article we will be creating: ...
Read more

Configure a Postfix Relay through Gmail on CentOS 7

Configure a Postfix Relay through Gmail on CentOS 7 Table of Contents Introduction Requirements Install Packages Configure Postfix Configure Postfix SASL Credentials Test the Relay Troubleshoot Delivery Issues Introduction Postfix is a flexible mail server that is available on most Linux distribution. Though a full feature mail server, Postfix can also be used as a simple relay host to another mail server, or smart host. This tutorial will describe how to configure Postfix as a relay through Gmail. Simple Authentication and Security Layer (SASL) is a standard authentication framework supported by many services including Postfix. Requirements CentOS 7 or Red Hat Enterprise Linux 7 Valid Gmail or Google App credentials Install Packages Make sure Postfix, the SASL authentication framework, and  mailx  are all installed. yum -y install postfix cyrus-sasl-plain mailx Postfix will need to be restarted before the SASL framework will be detected. sys...
Read more

Gateway to Gateway - Intro to Configure IPsec VPN (Gateway-to-Gateway ) using Strongswan

Image
Intro to Configure IPsec VPN (Gateway-to-Gateway ) using Strongswan Strongswan supports Gateway-to-Gateway (site-to-site) and Road warrior  types of VPN. In first type, network traffic is encrypted/decrypted on the gateway (entrance/exit) of an organization. However in Road warrior case, traffic encrypted from the end client (machine) to remote end gateway. In this article, we will explain creation of  tunnel between two sites of an organization to secure the communication. Strongswan based VPN server/gateway placement is shown in the following figure. We want to secure communication between 10.1.0.0/16 and 11.1.0.0/16 networks of organization. As shown in the above figure, we are interested to secure the communication from A to B and vice versa. It is important to make sure the routing of Strongswan based VPN Gateways in the organization network. We assume that machine from  office A can ping a machine in the network of B office . This will ensure th...
Read more