What is LDAP?
I am not going to define LDAP very deeply. Simply, it is a lightweight version of Directory Access Protocol (DAP), which is a part of X.500, a standard for directory service in a network.
Overview
LDAP can be used for different purposes. Some people use it for maintaining their centralized email address book, for building the domains, for authentication of users from centralized database, for querying and modifying the other directory services etc.
I am using the LDAP for building a centralized authentication database, where all remote users can authenticate.
A LDAP client connects the server by using TCP port 389. It sends the authentication request & the server sends the responses in return after authenticating the username. But all these communication is unsecured; we can secure this communication by using TLS with LDAP. The default port for the secure LDAP communication is 636. It is denoted as ldaps in URL schemes.
For more theory on LDAP you can visit LDAP wiki. Time for some practical.
OpenLDAP
I use openLDAP open source application for LDAP implementation. To download the latest versions of this application go to http://www.openldap.org/software/download/.
Installation
So many people like to use GUI & CUI tools to download & install the openLDAP package directly from the internet like yum in Fedora/Centos, apt in Debian and Add/Remove Package in Fedora or Redhat.
But I prefer to download the source package and install it manually. Manual process can be used to load the package on embedded application also but the GUI & some CUI tools can create so many problems while loading.
[root@rahul-pc~]# tar –xvf openldap-VERSION.tgz
[root@rahul-pc~]# cd openldap-VERSION
[root@rahul-pc~]#./configure
[root@rahul-pc~]# make depend
[root@rahul-pc~]# make
[root@rahul-pc~]# make test
[root@rahul-pc~]# make install
During installation of any open source package in Linux there may be some dependencies, but I didn’t find any dependency for openLDAP with my O.S. (I was using Fedora core 8).
LDAP Server Configuration
After finishing the installation of openldap package, configure the sldap.conf file in /usr/local/etc/openldap/ directory. If you used the rpm or deb package for the installation then your slapd.conf file location may be changed to /etc/openldap/ directory. But that’s not a big problem; you can give the path of your configuration file during the initialization of service.
Before starting the sldap.conf file configuration, create the LDAP “root” user password. It can be created only by root, by giving the following command.
[root@rahul-pc~]# slappasswd
New password:
Re-enter new password:
{SSHA}oph6+eOAY0S1zDzugZjQ0AGxs9FFfhrV
The above output is required to add in sldap.conf file.Edit the file sldap.conf and change the following things in the file for our scenario:
database bdb
suffix "dc=coral,dc=com"
rootdn "cn=Manager,dc=coral,dc=com"
rootpw {SSHA}oph6+eOAY0S1zDzugZjQ0AGxs9FFfhrV
Check the path of LDAP database directory in configuration file.
directory /usr/local/var/openldap-data
Now you can start the sldapd service, by giving the following command:
[root@rahul-pc~]# /usr/local/libexec/slapd –d 1
Note: “-d 1” option is used for full debugging, to test any problem in sldapd service. Debugging mode is very helpful to diagnose the problem, if any, comes on further steps.
After starting the sldapd service, you can convert the local users of server to LDAP users. In order to import all local user to LDAP or selected users to LDAP, you must convert the user info file (/etc/passwd) to the ldif (LDAP Data Interchange Files). You can do this by using migrate_passwd.pl script with openldap package. But if you are using source package to install the openldap, then you need to download this script from the given link.
http://www.padl.com/download/MigrationTools.tar.gz
To create ldif file follow the steps given below:
In first step Change the dn entry from migrate_common.ph to suite your setup. Default dn is dc=padl,dc=com & you need to change the word padl with word coral (my dn entry in sldapd.conf file)
[root@rahul-pc~]# ./migrate_passwd.pl /etc/passwd /etc/openldap/ldapuser.ldif
The ldif file looks something like this
dn: uid=root,ou=People,dc=example,dc=com
uid: root
cn: root
You also need to change the cn: root to cn:Manager in the ldif file.
Next, you have to create a *.ldif file for our domain name “coral.com”. This can be done by creating a file named “coral.com.ldif” with following entries or use some example file with the package.
dn: dc=coral,dc=com
dc: coral
description: Root LDAP entry for coral.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
dn: ou=People, dc=coral,dc=com
ou: People description: All people in organization
objectClass: organizationalUnit
NOTE: Two dn entries must be separated with one blank line, otherwise it can show some during the import process.
Now the only step left is to import the ldif file to LDAP. First you need to import the domain info (coral.com.ldif) & than user info (ldapusers.ldif). This is done as shown below, first domain info.
[root@rahul-pc~]# ldapadd -x -D "cn=Manager,dc=coral,dc=com" -W -f /etc/openldap/coral.com.ldif
Enter LDAP Password:
adding new entry "dc=coral,dc=com"
adding new entry "ou=People, dc=coral,dc=com"
and user info
[root@rahul-pc~]# ldapadd -x -D "cn=Manager,dc=coral,dc=com" -W -f /etc/openldap/ldapusers.ldif
Enter LDAP Password:
adding new entry "uid=naruto,ou=People,dc=coral,dc=com"
The LDAP is now configured & running. Now time to configure the LDAP client.
LDAP Client Configuration
To configure the client machine you can use the tools authconfig-tui (GUI type) or authconfig (Console based). To use authconfig-tui give the following command
[root@ldap-client~]# env LANG=C authconfig-tui
NOTE: “env LANG=C” parameter is used to avoid the jumbled output because of our command line shell’s language incompatibility.
After this command following screen will appear:
Select Use LDAP & then Next. It opens the next screen to enter the LDAP server name or IP address, enter the DN information & select OK.
Testing
Now you can test this by doing ssh on client machine IP with any ldapusers. You should ensure that the ldapusers, you are using for ssh, are not created on client machine. It will automatically go to LDAP server for authentication and connect to LDAP client.
Posts
0 comments:
Post a Comment