Tuesday, 24 June 2014

LDAP SERVER Introduction & Configurations


Introduction

As times change and servers become cheap, an enterprise can easily have 500+ UNIX servers. Using LDAP to synchronize Users, Groups, Hosts, Mounts, and others across an enterprise can greatly reduce the administrative overhead.
This tutorial explains how you can set up centralised LDAP authentication for a network, covering the setting of the server. Whilst based on CentOS 6.4, it may also apply to other versions.
Lightweight Directory Access Protocol (LDAP) is a network protocol for accessing and manipulating information stored in a directory.
The protocol is well-suited to serving information that must be highly available and accessible, but does not change frequently. Common applications include:
  • Centralization of user and group information as part of Single Sign On (SSO).
  • Authenticate users in a web application.
  • Create a shared address directory for mail agents.
OpenLDAP Software is a free, open source implementation of the LDAP. Developed by the OpenLDAP Project.

Prerequisites

  • It is assumed you have already installed Linux with networking enabled and, although not mandatory but advised, configured a static IP.

Disable SElinux

Be aware that by disabling SELinux you will be removing a security mechanism on your system.
SElinux takes a long time to learn and configure, and when there is another job to do – it is simply an obstruction. Disabling remains the best option until the selinux-policy maintainers and other package maintainers can actually create a working solution between them.
I haven’t tried installing with selinux enabled so I don’t know if this is really necessary but I think phpldapadmin won’t work properly otherwise.
As we need to run lots of commands on the LDAP server, it’s easier to to this as root.
  • If you’re not yet root, become so.
[user@server ~]$ su -
  • Check the status of SELinux
[root@server ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
  • Disable SELinux
[root@localhost ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing.
# disabled – No SELinux policy is loaded.
SELINUX=disabled # change enforcing to disabled
# SELINUXTYPE= can take one of these two values:
# targeted – Targeted processes are protected,
# mls – Multi Level Security protection.
SELINUXTYPE=targeted
  • Restart the server
[root@localhost ~]# reboot
  • Check SELinux status again
[root@localhost ~]# sestatus
SELinux status: disabled

Configure the Firewall

  • Add the following to your iptables configuration to allow access through firewall.
[root@server ~]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
  • Restart the iptables service.
[root@server ~]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
  • Confirm configuration
[root@server ~]# iptables -L
CHAIN INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldaps
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
...
  • If you dont need the firewall, you could just stop the service.
[root@server ~]# service iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]

[root@server ~]# service iptables status
iptables: Firewall is not running.
  • Stop Firewall on startup
[root@server ~]# chkconfig iptables off

Installation

  • Install the required packages.
[root@server ~]# yum install openldap-servers openldap-clients pam_ldap nss-pam-ldapd autofs
openldap-servers: This package contains the slapd (LDAP server), additional backends, configuration files, schema definitions required for operation, and database maintenance tools.
openldap-clients: This package contains ldap command-line (ldapsearch, ldapadd etc)
pam_ldap: is a module for Linux-PAM that authenticates PAM-enabled services to LDAP.
nss-pam-ldapd: uses a directory server to look up name service information (users, groups, etc.) on behalf of a lightweight nsswitch module.
autofs: is a daemon which automatically mounts filesystems when you use them, and unmounts them later when you are not using them. This can include network filesystems, CD-ROMs, floppies, and so forth.

Backend configuration

  • There is an all-powerful root LDAP user which will populate our directory. Rather than publishing this password in cleartext with in the configuration file, we want to encrypt it. To do so, we run the slappasswd command, which will encrypt our password and return the value. We need to copy that into {2\}bdb.ldif file
  • Copy the output of slappasswd command into a new file called ldappassword
    [root@server ~]# slappasswd | tee ldappassword
    New password: ****
    Re-enter new password: ****
    {SSHA}2Gv8HLL8SB5pMTbMB3b5AFAE4A5sDPPE
  • Open and edit the ldappassword file
    [root@server ~]# vi ldappassword
    New password: # remove this line
    Re-enter new password: # remove this line
    olcRootPW: {SSHA}2Gv8HLL8SB5pMTbMB3b5AFAE4A5sDPPE # add olcRootPW: before the password
  • Copy the content of a ldappassword to {2}bdb.ldif
    [root@server ~]# cat ldappassword >> /etc/openldap/slapd.d/cn\=config/olcDatabase={2\}bdb.ldif
  • Open and edit the bdb file
    [root@server ~]# vi /etc/openldap/slapd.d/cn\=config/olcDatabase={2\}bdb.ldif
    ...
    olcDatabase: {2}bdb
    olcSuffix: dc=my-domain,dc=com
    olcAddContentAcl: FALSE
    olcLastMod: TRUE
    olcMaxDerefDepth: 15
    olcReadOnly: FALSE
    olcRootDN: cn=Manager,dc=my-domain,dc=com
    olcRootPW: {SSHA}2Gv8HLL8SB5pMTbMB3b5AFAE4A5sDPPE # cut this line from the end of the document
    # to below olcRootDN: (yy and p commands in vi)
    olcSyncUseSubentry: FALSE
    olcMonitoring: TRUE
    ...
  • Remove the ldappassword file
    [root@server ~]# rm ldappassword
    rm: remove regular file 'ldappassword'? y

Berkeley DataBase

Previously, OpenLDAP was previously managed via a single configuration file (/etc/openldap/slapd.conf), however these days the configuration for LDAP is stored inside the LDAP server itself! As such, the configuration is done by editing LDIF files under the /etc/openldap/slapd.d/ directory.
For the purposes of this how to, our domain is company.local and our LDAP server is server.company.local – replace this with your server details instead!
  • Configure the database
[root@server ~]# vi /etc/openldap/slapd.d/cn\=config/olcDatabase={2\}bdb.ldif
In this file substitute “dc=my-domain,dc=com” with your domain, in this example I’ll use dc=company,dc=local
olcSuffix: dc=my-domain,dc=com
Would be changed to read:olcSuffix: dc=company,dc=local
Here’s a vi expression that substitutes them quickly (you can also change them manually):
:%s/dc=my-domain,dc=com/dc=company,dc=local/g
To allow users to modify their passwords, you will have to add the
following after the last olcDbIndex line, again replace the
domain name with yours.

...
olcDbIndex: loginShell pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUID pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcAccess: to attrs=userPassword by self write by anonymous auth by
dn.base="cn=Manager,dc=company,dc=local" write by * none # This is all one line
olcAccess: to * by self write by dn.base="cn=Manager,dc=company,dc=local" write by * read
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
...

Monitoring privileges

  • Configure the monitoring privileges
[root@server ~]# vi /etc/openldap/slapd.d/cn\=config/olcDatabase={1\}monitor.ldif
Substitute the default domain name. This will set the root account of your LDAP Server, I use Manager for my account name.
Once again, use Vim to replace the required entry.
:%s/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=company,dc=local/g
Or replace it yourself.

Basic LDAP configuration

Back at the terminal, copy a default DB_CONFIG file which sets cache and tuning options for the Berkley database backend (this also needs to be writeable by the ldap user).
  • Copy default config file to /var/lib/ldap.
[root@server ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  • Change the ownership of /var/lib/ldap to ldap.ldap
[root@server ~]# chown -R ldap:ldap /var/lib/ldap/

Logging

OpenLDAP supports very detailed and configurable logging with its loglevel directive.
  • Create a folder to store log files in
[root@server ~]# mkdir /var/log/slapd
[root@server ~]# chmod 755 /var/log/slapd/
[root@server ~]# chown ldap:ldap /var/log/slapd/
  • Redirect all log files through rsyslog
[root@server ~]# vi /etc/rsyslog.conf
...
# Save boot messages also to boot.log
local7.*                     /var/log/boot.log
local4.*                     /var/log/slapd/slapd.log
...
  • Restart the rsyslog service
[root@server ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]

Start the service

  • Start the LDAP service
[root@server ~]# service slapd start
Starting slapd: [ OK ]
  • Test the config file
[root@server ~]# slaptest -u
config file testing succeeded
  • Tell CentOS to start the LDAP server on bootup.
[root@server ~]# chkconfig slapd on

TLS encryption

By default, LDAP communications between client and server applications are not encrypted. This means that it would be possible to use a network monitoring device or software and view the communications traveling between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used because credentials (username and password) is passed over the network unencrypted. This could quickly lead to the compromise of credentials.
Because we are using LDAP for authentication across a network, we want to encrypt the traffic.
  • Make a directory to hold the certificates
[root@server ~]# mkdir /etc/openldap/cacerts
  • Next, we need to tell LDAP where to find the certificate and key for encryption (which we will create in a later step).
[root@server ~]# ldapmodify -Y EXTERNAL -H ldapi:/// << EOF
dn: cn=config
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key
EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
  • Enable LDAP Secure (LDAPS).
[root@server ~]# vi /etc/sysconfig/ldap
...
# Run slapd with -h "... ldap:/// ..."
# yes/no, default: yes
SLAPD_LDAP=yes

# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=yes

# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=yes # uncomment and change from no to yes
...

Generating Certificates

  • Now that we have told LDAP to run on secure port we need to generate SSL keys and configure the LDAP service to use them!
[root@server ~]# cd /etc/pki/tls/certs
[root@server ~]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aegs128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
.................................................+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase: ****
Verifying - Enter pass phrase: ****
[root@server ~]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: ****
writing RSA key
[root@server ~]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will
be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# The following is just an example. You should enter your own responses.
Country Name (2 letter code) [XX]: EE
State or Province Name (full name) []: Tartu
Locality Name (eg, city) [Default City]: Tartu
Organization Name (eg, company) [Default Company Ltd]: Company
Organizational Unit Name (eg, section) []: Section
Common Name (eg, your name or your server's hostname) []: server.company.local
Email Address []: user@company.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ****
An optional company name []: company
[root@server ~]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=EE/ST=Tartu/L=Tartu/O=Company/OU=Section/CN=server.company.local/emailAddress=user@company.local
Getting Private key
  • Give permissions to files and move them to /etc/openldap/cacerts/
[root@server ~]# chmod 400 server.*
[root@server ~]# cp /etc/pki/tls/certs/server.* /etc/openldap/cacerts/
[root@server ~]# chown ldap. /etc/openldap/cacerts/*
  • Test LDAP by performing a search
[root@server ~]# ldapsearch -x -b "dc=company,dc=local"
# extended LDIF
#
# LDAPv3
# base dc=company,dc=local with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Configure the overlays

Overlays are dynamically configurable modules that provide additional functionality to OpenLDAP.

Sudo

Sudo allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command and per-host basis.
  • Copy the sudo Schema into the LDAP schema repository
[root@server ~]# cp -f /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema
  • Restore file default SELinux security contexts.
[root@server ~]# restorecon /etc/openldap/schema/sudo.schema
  • Create a conversion folder and file for sudo schema
[root@server ~]# mkdir /etc/sudoWork
[root@server ~]# echo "include /etc/openldap/schema/sudo.schema" > /etc/sudoWork/sudoSchema.conf
  • Convert the Schema to LDIF file
[root@server ~]# slapcat -f /etc/sudoWork/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > /etc/sudoWork/sudo.ldif
  • Remove invalid data.
[root@server ~]# sed -i "s/{0}sudo/sudo/g" /etc/sudoWork/sudo.ldif
  • Remove last 8 (invalid) lines.
[root@server ~]# head -n-8 /etc/sudoWork/sudo.ldif > /etc/sudoWork/sudo2.ldif
  • Load the schema ldif into the LDAP server
[root@server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/sudoWork/sudo2.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
Adding new entry "cn=sudo,cn=schema,cn=config"
  • Add index to sudoers db
[root@server ~]# ldapadd -Y EXTERNAL -H ldapi:/// << EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sudoUser eq
EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}bdb,cn=config"

AutoFS

Autofs is used for automatically mounting directories on an as-needed basis. Auto-mounts are mounted only as they are accessed, and are unmounted after a period of inactivity. Because of this, automounting NFS/Samba shares conserves bandwidth and offers better overall performance compared to static mounts via fstab. Read more about mounting directories here.
  • Copy the autofs Schema into the LDAP schema repository
[root@server ~]# cp -f /usr/share/doc/autofs-5.0.5/autofs.schema /etc/openldap/schema/autofs.schema
  • Restore file default SELinux security contexts.
[root@server ~]# restorecon /etc/openldap/schema/autofs.schema
  • Create a conversion folder and file for autofs schema
[root@server ~]# mkdir /etc/sudoWork2/
[root@server ~]# echo "include /etc/openldap/schema/core.schema" > /etc/sudoWork2/autofsSchema.conf
[root@server ~]# rpm -ql autofs | grep -i schema | sed 's/^/include /g' >> /etc/sudoWork2/autofsSchema.conf
  • Convert the Schema to LDIF file
[root@server ~]# slapcat -f /etc/sudoWork2/autofsSchema.conf -F /tmp/ -n0 -s "cn={1}autofs,cn=schema,cn=config" > /etc/sudoWork2/autofs.ldif
  • Remove invalid data.
[root@server ~]# sed -i "s/{1}autofs/autofs/g" /etc/sudoWork2/autofs.ldif
  • Remove last 8 (invalid) lines.
[root@server ~]# head -n-8 /etc/sudoWork2/autofs.ldif > /etc/sudoWork2/autofs2.ldif
  • Load the schema ldif into the LDAP server
[root@server ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/sudoWork2/autofs2.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=autofs,cn=schema,cn=config"

Modules area

[root@server ~]# ldapadd -Y EXTERNAL -H ldapi:/// << EOF
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap/ # /usr/lib/openldap/ if 32 bit OS
EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module{0},cn=config"

Auditlog overlay

The Audit Logging overlay can be used to record all changes on a given backend database to a specified log file. Changes are logged as standard LDIF, with an additional comment header giving the timestamp of the change and the identity of the user making the change.
[root@server ~]# ldapadd -Y EXTERNAL -H ldapi:/// << EOF
dn: cn=module{0},cn=config
changetype:modify
add: olcModuleLoad
olcModuleLoad: auditlog.la

dn: olcOverlay=auditlog,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/auditlog.log
EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
adding new entry "olcOverlay=auditlog,olcDatabase={2}bdb,cn=config"

Password Policy overlay

The key abilities of the password policy overlay are as follows:
  • Enforce a minimum length for new passwords.
  • Make sure passwords are not changed too frequently.
  • Cause passwords to expire, provide warnings before they need to be changed, and allow a fixed number of 'grace' logins to allow them to be changed after they have expired.
  • Maintain a history of passwords to prevent password re-use.
  • Prevent password guessing by locking a password for a specified period of time after repeated authentication failures.
  • Force a password to be changed at the next authentication.
  • Set an administrative lock on an account.
  • Support multiple password policies on a default or a per-object basis.
[root@server ~]# ldapadd -Y EXTERNAL -H ldapi:/// << EOF
dn: cn=module{0},cn=config
changetype:modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=ppolicy,ou=ldapconf,dc=company,dc=local
EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
adding new entry "olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config"

Dynamic group overlay

Groups are a quick way of giving users common access to certain features or functionality within an LDAP directory. Groups can be configured statically (each member has to be invidually defined and subsequently maintained if their status or group membership changes) or dynamically whereby groups can be created using an LDAP search. This can be very efficient where memership of groups is extremely large or constantly changing.
[root@server ~]# ldapadd -Y EXTERNAL -H ldapi:/// << EOF
dn: cn=module{0},cn=config
changetype:modify
add: olcModuleLoad
olcModuleLoad: dynlist.la

dn: olcOverlay=dynlist,olcDatabase={2}bdb,cn=config
olcOverlay: dynlist
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcDlAttrSet: groupOfURLs memberURL
EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"

adding new entry "olcOverlay=dynlist,olcDatabase={2}bdb,cn=config"

Populating LDAP with sample users and groups

We should now have a basic LDAP server running, configured for our domain. However we do not have any users or groups configured yet. Now we need to set up our base, authentication and group files.
Data is entered into the LDAP server via plain text LDIF (LDAP Data Interchange Format) files.

Basic directory tree

We need to create a template which creates the base structure of our directory (company.local), which we will import into LDAP database first.
The following section outlines a basic directory tree that is intended to be very compatible with POSIX accounts (for use on *nix systems), address books, and classic accounts (for web applications). This configuration is a starting point; the applications of LDAP are virtually limitless.
The LDAP directory manipulation tools support a standard file format know as LDAP Directory Interchange Format (LDIF). We will use this format to create the initial directory structure.
Start by creating a file base.ldif:
[root@server ~]# vi /etc/openldap/schema/base.ldif
dn: dc=company,dc=local
objectClass: top
objectClass: organization
objectClass: dcObject
o: Mikamis Ldapserver
dc: company

# Create the ou=ldapconf container.
# This container will later be used for autofs, sudo and password policy to name a few.
dn: ou=ldapconf,dc=company,dc=local
objectClass: top
objectClass: organizationalUnit
ou: LDAPconf
Now that we have the base for our LDAP structure, we can import that information into our LDAP database (use the password you created above):
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=company,dc=local" -f /etc/openldap/schema/base.ldif
Enter LDAP Password: ******
adding new entry "dc=company,dc=local"

adding new entry "ou=ldapconf,dc=company,dc=local"
If you saw the above, then it worked! If you get an error about authentication issues stop the service and start it again.

Password Policy

Create a LDIF file with following content:
[root@server ~]# vi /etc/openldap/schema/passwordpolicy.ldif
dn: cn=ppolicy,ou=ldapconf,dc=company,dc=local
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: ppolicy
pwdAttribute: 2.5.4.35
# AllowUserChange controls whether users are allowed to change their own passwords.
pwdAllowUserChange: TRUE
# If the value of CheckQuality is 1 and the supplied password is in cleartext
# then a user supplied function if defined - will be called to check the password quality.
pwdCheckQuality: 1
# MaxAge defines the maximum time - in seconds - a password is valid
pwdMaxAge: 7776002
# ExpireWarning controls whether and when a warning message of password expiration will be returned
# on a bind attempt - in seconds
pwdExpireWarning: 1209600
# FailureCountInterval controls when the count of consecutive password failures is reset.
pwdFailureCountInterval: 30
# GraceAuthNLimit defines the number of times a user is allowed to log in using an expired password.
pwdGraceAuthNLimit: 5
# InHistory controls the number of passwords that are stored in a list of previously used passwords.
# New password is checked against the history list and rejected if present.
pwdInHistory: 4
# Lockout controls the action taken when an account has had more consecutive failed bind attempts
# with invalid passwords than is defined by pwdMaxFailure
pwdLockout: TRUE
# LockoutDuration controls how long an account remains locked.
pwdLockoutDuration: 900
# MaxFailure controls how many consecutive password failures are allowed
# before the action defined by pwdLockout is taken.
pwdMaxFailure: 5
# MinLength controls the minimum length of the password supplied. Shorter passwords will be rejected.
pwdMinLength: 6
# If MustChange the attribute value is TRUE
# then the user MUST change their password when the account is unlocked.
pwdMustChange: FALSE
# If SafeModify value is TRUE the user will be asked for a password when modifying the password value.
pwdSafeModify: FALSE
To import the policy run the following command:
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=company,dc=local" -f /etc/openldap/schema/passwordpolicy.ldif
Enter LDAP Password: ****
Adding new entry "cn=ppolicy,ou=ldapconf,dc=company,dc=local"

Sudoers configuration

Create a LDIF file with following content:
[root@server ~]# vi /etc/openldap/schema/sudoers.ldif
# Create the sudoers ou to hold our sudoers configuration.
dn: ou=sudoers,ou=ldapconf,dc=company,dc=local
objectClass: top
objectClass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,ou=ldapconf,dc=company,dc=local
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions
# sudo will run the command in a minimal environment containing the basic variables.
sudoOption: env_reset
# sudo will ignore "." or "" (both denoting current directory) in the PATH environment variable.
sudoOption: ignore_dot
# If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file.
sudoOption: !mail_no_user
# syslog is being used for logging and defaults to auth.
sudoOption: syslog=auth
# Number of minutes that can elapse before sudo will ask for a passwd again.
sudoOption: timestamp_timeout=10
# root is allowed to run sudo too. Disabling this prevents users from “chaining” sudo commands
sudoOption: !root_sudo

dn: cn=sysadmin,ou=sudoers,ou=ldapconf,dc=company,dc=local
objectClass: top
objectClass: sudoRole
cn: sysadmin
sudoCommand: ALL
sudoHost: ALL
# users must authenticate themselves before they may run commands.
sudoOption: !authenticate
sudoRunAs: root
sudoUser: %sysadmin
syslog is being used for logging and defaults to auth.
Now we can add it to our LDAP server.
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=company,dc=local" -f /etc/openldap/schema/sudoers.ldif
Enter LDAP Password: ****
Adding new entry "ou=sudoers,ou=ldapconf,dc=company,dc=local"

Adding new entry "cn=defaults,ou=sudoers,ou=ldapconf,dc=company,dc=local"

Adding new entry "cn=sysadmin,ou=sudoers,ou=ldapconf,dc=company,dc=local"

AutoFS configuration

Create a LDIF file with following content:
[root@server ~]# vi /etc/openldap/schema/autofs.ldif
# Create the container for autofs configs.
dn: ou=autofs,ou=ldapconf,dc=company,dc=local
ou: AutoFS
objectClass: top
objectClass: organizationalUnit
description: Automount maps

# Create the auto.master map container.
dn: ou=auto.master,ou=autofs,ou=ldapconf,dc=company,dc=local
ou: auto.master
objectClass: top
objectClass: automountMap

# Create the /home mountpoint.
dn: cn=/home,ou=auto.master,ou=autofs,ou=ldapconf,dc=company,dc=local
cn: /home
objectClass: top
objectClass: automount
automountInformation: ldap:ou=auto.home,ou=autofs,ou=ldapconf,dc=company,dc=local rsize=8192,wsize=8192

# Create the auto.home map container.
dn: ou=auto.home,ou=autofs,ou=ldapconf,dc=company,dc=local
ou: auto.home
objectClass: top
objectClass: automountMap

# Create the value for the auto.home map.
dn: cn=/,ou=auto.home,ou=autofs,ou=ldapconf,dc=company,dc=local
objectClass: automount
objectClass: top
cn: /
automountInformation: nfs.company.local:/home/
To import the configuration run the following command:
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=company,dc=local" -f /etc/openldap/schema/autofs.ldif
Enter LDAP Password:
Adding new entry "ou=autofs,ou=ldapconf,dc=company,dc=local"

Adding new entry "ou=auto.master,ou=autofs,ou=ldapconf,dc=company,dc=local

Adding new entry "cn=/home,ou=auto.master,ou=autofs,ou=ldapconf,dc=company,dc=local"

Adding new entry "ou=auto.home,ou=autofs,ou=ldapconf,dc=company,dc=local"

Adding new entry "cn=/,ou=auto.home,ou=autofs,ou=ldapconf,dc=comapny,dc=local"

Adding new groups

Let's now add a few groups. We will create the following groups :
  • ldapuser: static group to group all users together.
  • all: dynamic group to group all users together.
  • sysadmin: dynamic group to group all system administrators togehter.
Of course, I encourage you to change this group list to fit your organization's needs. Create another LDIF file with the following data.
If a UID is defined in the LDAP directory and also on the local system, unexpected behaviors can result. To avoid collisions between local UIDs and the UIDs of users defined in the LDAP directory, it is generally advisable to assign UIDs to LDAP users in a non-standard range such as 5000-10000 (local UIDs start at 1000 by default).
[root@server ~]# vi /etc/openldap/schema/groups.ldif
# This container will be used to store all groups in.
dn: ou=groups,dc=company,dc=local
objectClass: top
objectClass: organizationalUnit
ou: groups

# Container for static groups
dn: ou=posixgroups,ou=groups,dc=company,dc=local
objectClass: top
objectClass: organizationalUnit
ou: posixGroups

# Central group for static UNIX users
dn: cn=ldapuser,ou=posixgroups,ou=groups,dc=company,dc=local
objectClass: top
objectClass: posixGroup
cn: ldapuser
gidNumber: 10000

# Container for dynamic groups
dn: ou=accessgroups,ou=groups,dc=company,dc=local
objectClass: top
objectClass: organizationalUnit
ou: accessgroups

# Central group for dynamic UNIX users
dn: cn=all,ou=accessgroups,ou=groups,dc=company,dc=local
objectClass: groupOfURLs
cn: all
memberURL: ldap:///ou=people,dc=company,dc=local??one?(gidNumber=10000)

# Dynamic group for sysadmin users
dn: cn=sysadmin,ou=accessgroups,ou=groups,dc=company,dc=local
objectClass: groupOfURLs
cn: sysadmin
memberURL: ldap:///ou=people,dc=company,dc=local??one?(description=sysadmin)
  • Import the Groups to the LDAP server
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=company,dc=local" -f /etc/openldap/schema/groups.ldif
Enter LDAP Password: ****
Adding new entry "ou=groups,dc=company,dc=local"

Adding new entry "ou=posixgroups,ou=groups,dc=company,dc=local"

Adding new entry "cn=ldapuser,ou=posixgroups,ou=groups,dc=company,dc=local"

Adding new entry "ou=accessgroups,ou=groups,dc=company,dc=local"

Adding new entry "cn=all,ou=accessgroups,ou=groups,dc=company,dc=local"

Adding new entry "cn=sysadmin,ou=accessgroups,ou=groups,dc=company,dc=local"

Adding a new user

To add a user, simply create an ldif file with contents like so:
[root@server ~]# vi /etc/openldap/schema/people.ldif
dn: ou=people,dc=company,dc=local
objectClass: top
objectClass: organizationalUnit
ou: people

dn: uid=mihkel,ou=people,dc=company,dc=local
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
cn: Mihkel M
gidNumber: 10000
homeDirectory: /home/mihkel
sn: mihkel
uid: mihkel
uidNumber: 5000
userPassword: password
description: sysadmin
gecos: Mihkel M
loginShell: /bin/bash
shadowLastChange: 15861
shadowMax: 90
shadowWarning: 14
  • Import the user(s) to the LDAP server.
[root@server ~]# ldapadd -x -W -D "cn=Manager,dc=company,dc=local" -f /etc/openldap/schema/people.ldif
Enter LDAP Password:
adding new entry "ou=people,dc=company,dc=local"

adding new entry "uid=mihkel,ou=people,dc=company,dc=local"

LDAP server replication

LDAP services can quickly become a critical dependency of core services such as authentication, authorization, and mail. High availability is important in such scenarios. The availability of LDAP services can be greatly improved with redundant LDAP servers.
Redundancy in OpenLDAP is effected with a master-slave replication scheme. The master is the authoritative source of information about the LDAP directory. Each slave replicates the information in the master and serves it to clients on request.
(tutorial not yet ready)

OpenLDAP autoinstall script

(tutorial not yet ready)

phpLDAPadmin

phpLDAPadmin is a web-based LDAP client. It provides easy, multi-language administration for your LDAP server. Its hierarchical tree-viewer and advanced search functionality make it intuitive to browse and administer your LDAP directory. Since it is a web application, this LDAP browser works on many platforms, making your LDAP server easily manageable from any location.
  • Install wget
[root@server ~]# yum install wget
  • Add EPEL repository from Fedora project.
[root@server ~]# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

[root@server ~]# rpm -Uvh epel-release-6-8.noarch.rpm
  • Install phpldapadmin
[root@server ~]# yum install phpldapadmin
  • Disable automatic login mechanism
[root@server ~]# vi +398 /etc/phpldapadmin/config.php
# Uncomment the following (line 397)
$servers->setValue('login','attr','dn');
# Comment out the following (line 398)
//$servers->setValue('login','attr','uid');
  • Setup HTTPD service
[root@server ~]# chkconfig httpd on
[root@server ~]# service httpd restart
  • Log in to phpLDAPadmin
http://localhost/ldapadmin
un: cn=Manager,dc=company,dc=local
pw: (Password you entered in slappasswd earlier)

Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)