Thursday, June 2, 2016

[Quick Install - LDAP Server and Client]: LDAP Server and Client Configuration

LDAP Server and Client Configuration

LDAP stands for 'Lightweight Directory Access Protocol'. It is a directory database that can be accessed over the internet or an intranet, whether you reach it by domain name or by IP address. An LDAP database can be accessed by many servers over a network. LDAP is also a database of users, groups, services and resources, which provides a centralized authentication service.

Before starting an LDAP session, a client needs to connect to the server, known as the Directory System Agent (DSA), which by default listens on TCP port 389. Once the connection is established, the client and server exchange packets of data.



What is SSL and TLS?
SSL (Secure Sockets Layer) certificates are an integral part of website security. When you visit a website with SSL, the site's SSL certificate enables you to encrypt the data you send, such as credit card information, names or addresses, so it can't be accessed by hackers.

TLS (Transport Layer Security) is an updated, more secure version of SSL. Like SSL, it is a cryptographic protocol that provides communications security over a computer network.

OVERVIEW

LDAP SERVER CONFIGURATION:
  1. Install openldap-servers package
  2. Check IP & hostname
  3. Modify olcDatabase={1}bdb.ldif file
  4. Modify olcDatabase={2}monitor.ldif file
  5. Create Database Cache
  6. Update Database
  7. Create certificate for TLS (Transport Layer Security)
  8. Provide ownership of ldap group to your certificate & test configuration
  9. Restart ldap
  10. Copy certificate to FTP document root
  11. Make soft link from FTP document root to HTTP document root
  12. Stop IPTables and disable Firewalls
  13. Install migrationtools package to migrate users
  14. Make changes in migrate_common.ph
  15. Redirect output of ./migrate_base.pl to /root/base.ldif
  16. Create directory /home/guests
  17. Create Users
  18. Redirect these users from /etc/passwd to /root/users
  19. Redirect passwords for all these users from /etc/shadow to /root/passwords
  20. Redirect home groups for all these users from /etc/group to /root/groups
  21. Make changes in migrate_passwd.pl
  22. Run script ./migrate_passwd.pl /root/users
  23. Run script ./migrate_group.pl  /root/groups
  24. Update base.ldif, users.ldif and group.ldif files to LDAP Server
LDAP CLIENT CONFIGURATION:
  1. Check IP and hostname
  2. Access Ldap server & provide details
  3. Switch to ldapusers
ACCESS HOME DIRECTORY FROM LDAP SERVER:
  1. ACCESS LDAP SERVER and share home directory of ldap users via NFS server
  2. Restart NFS service
  3. ACCESS LDAP CLIENT and make auto-mounting
  4. Reload auto-mounting service
This tutorial describes how to install and configure an OpenLDAP server and an OpenLDAP client.

OPENLDAP SERVER:
Step1: Install openldap-servers package.
# yum install openldap* -y
This will install four packages:
1.      openldap-devel
2.      openldap-servers
3.      openldap-clients
4.      cyrus-sasl-devel
# service slapd start

Step2: Check IP of PC on which you want to install OpenLDAP. For example we can take 192.168.10.130

Step3: Check the hostname. Here we are using "ldap.example.com"; make an entry for it in /etc/hosts:
# vi /etc/hosts
192.168.10.130  ldap.example.com  ldap

We are done with the installation. Now we will configure the LDAP server using the ldif files under the /etc/openldap/slapd.d directory.

Step4: Modify the olcDatabase={1}bdb.ldif file:
# vi /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
<< Go to line number 5 and provide your domain >>
olcSuffix: dc=example,dc=com
<< Go to line number 10 and provide your domain >>
olcRootDN: cn=Manager,dc=example,dc=com

NOTE: Do not set the cn of your root user to "root" (cn=root,dc=acme,dc=com)

<<We must make an entry for the LDAP root password. For this, open another tab and run the command "slappasswd" to create the LDAP password. It prints a hashed string; copy that string and append it at the end of this file. Also provide the certificate and certificate key file paths.>>

olcRootPW: {SSHA}uZLLxBTnVabGZCzBDulyvOJw/GauoADg
olcTLSCertificateFile: /etc/pki/tls/certs/example.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/examplekey.pem
:wq

Step5: Now we will provide monitoring privileges:
# vi /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}monitor.ldif
In line number 4, change the DN to cn=Manager,dc=example,dc=com
:wq
Step6: Now it's time for the database cache:
First copy DB_CONFIG.example file to /var/lib/ldap
# cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap/

Step7: Update Database:
# updatedb

Step8: Now we will setup a certificate for TLS. For this first edit /etc/sysconfig/ldap:
# vi /etc/sysconfig/ldap
<<Go to Line Number 20 and change SLAPD_LDAPS from no to yes.>>
SLAPD_LDAPS=yes

Now create the certificate using the openssl command and make it valid for 365 days:
# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/example.pem -keyout /etc/pki/tls/certs/examplekey.pem -days 365

<< openssl: cryptographic toolkit for the SSL and TLS network protocols >>
<< req: activates the part of openssl that deals with certificate requests >>
<< -new: generate a new request >>
<< -x509: output a self-signed certificate instead of a certificate request >>
<< -nodes: store the private key without protecting it with a passphrase >>
<< -out *.pem: store the resulting (self-signed) certificate in the file *.pem >>
<< -keyout *key.pem: store the private key in the file *key.pem >>
<< -days: number of days the certificate is valid >>

This will ask for the details below to create your certificate:
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:Mumbai.inc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ldap.example.com
Email Address []:root@ldap.example.com

You can verify both files:
# ll /etc/pki/tls/certs/example*
-rw-r--r--. 1 root root 1704 May 26 16:34 /etc/pki/tls/certs/examplekey.pem
-rw-r--r--. 1 root root 1448 May 26 16:34 /etc/pki/tls/certs/example.pem

Step9: Provide ownership of ldap group:
# chown -R root:ldap /etc/pki/tls/certs/example*

Verify:
# ll /etc/pki/tls/certs/example*
-rw-r--r--. 1 root ldap 1704 May 26 16:34 /etc/pki/tls/certs/examplekey.pem
-rw-r--r--. 1 root ldap 1448 May 26 16:34 /etc/pki/tls/certs/example.pem

Step10: Test your configuration:
# slaptest -u
config file testing succeeded
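Before restarting slapd it is worth checking the files the configuration points at. The listing in Step9 shows examplekey.pem with mode -rw-r--r--, so every local account on the server can read the private key; slapd runs as the ldap user and only needs group read, so 0640 is sufficient. The script below is an added example, not part of the tutorial: it reads the olcTLSCertificateFile and olcTLSCertificateKeyFile values from the ldif file given as its first argument (the tutorial places them in olcDatabase={1}bdb.ldif) and flags a missing file or a world-readable key. The expected group name defaults to ldap and can be overridden as the second argument.

```shell
#!/bin/bash
# Added example (not from the tutorial): audit the TLS files slapd was pointed at.
# Assumes the olcTLS* lines live in the ldif file passed as $1.

# usage: ldif_attr FILE ATTRIBUTE  -> prints the attribute's first value
ldif_attr() {
    awk -v attr="$2" -F': ' '$1 == attr { print $2; exit }' "$1"
}

# usage: key_is_private FILE  -> true when "other" has no read bit (0640, 0600, ...)
key_is_private() {
    mode=$(stat -c %a "$1") || return 2
    other=$(( mode % 10 ))           # last octal digit: permissions for "other"
    [ $(( other & 4 )) -eq 0 ]
}

# usage: audit_tls_files CONFIG_LDIF [EXPECTED_GROUP]
# returns 0 when both files exist and the key is not world-readable
audit_tls_files() {
    cfg="$1"; group="${2:-ldap}"; rc=0
    cert=$(ldif_attr "$cfg" olcTLSCertificateFile)
    key=$(ldif_attr "$cfg" olcTLSCertificateKeyFile)
    for f in "$cert" "$key"; do
        if [ -z "$f" ] || [ ! -f "$f" ]; then
            echo "missing file: '${f:-<attribute not set>}'"; rc=1
        fi
    done
    if [ -n "$key" ] && [ -f "$key" ]; then
        if ! key_is_private "$key"; then
            echo "$key is readable by everyone; fix with: chmod 640 $key"; rc=1
        fi
        # slapd reads the key as user ldap, so group ownership matters too
        if [ "$(stat -c %G "$key")" != "$group" ]; then
            echo "warning: $key is not group-owned by '$group'; slapd may fail to read it"
        fi
    fi
    [ "$rc" -eq 0 ] && echo "TLS files look sane"
    return "$rc"
}

# Run against the tutorial's config when invoked with a path, e.g.
#   ./audit_tls.sh "/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif"
if [ -n "${1:-}" ]; then
    audit_tls_files "$1"
fi
```

The mode check looks only at the "other" read bit, so a key owned root:ldap with mode 0640 passes while the tutorial's 0644 fails; the group check is a warning rather than an error because a key that only root can read will simply make slapd fail to start with TLS, which is noisy rather than dangerous.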

Step11: Restart the LDAP service and enable it at boot:
# service slapd restart
# chkconfig slapd on

Step12: Now copy example.pem certificate to FTP default document root:
# cp -rvf /etc/pki/tls/certs/example.pem /var/ftp/pub/
`/etc/pki/tls/certs/example.pem' -> `/var/ftp/pub/example.pem'

# service vsftpd restart
# chkconfig vsftpd on

Step13: Create a soft link to it in the default document root of HTTP:
# ln -s /var/ftp/pub/ /var/www/html/

Verify:
# ll /var/www/html/
total 0
lrwxrwxrwx. 1 root root 13 May 26 16:50 pub -> /var/ftp/pub/

# service httpd restart
# chkconfig httpd on

Step14: Stop iptables and disable Firewalls:
# service iptables stop
# chkconfig iptables off

# system-config-firewall   <<to disable Firewall>>

Step15: Organizations will often migrate to or from LDAP engines, as they grow and acquire new companies and need to migrate users into the same LDAP engine. So, now we will migrate the users:
# yum install migrationtools -y

Step16: Edit migrate_common.ph in the migrationtools directory:
# cd /usr/share/migrationtools
# vi migrate_common.ph

<<Change cn=Group to cn=Groups at line number 61>>
$NAMINGCONTEXT{'group'}             = "cn=Groups";

<<Change your default mail domain at line number 71>>
$DEFAULT_MAIL_DOMAIN = "example.com";

<<Change Default Base at line number 74>>
$DEFAULT_BASE = "dc=example,dc=com";

<<Change Extended Schema from 0 to 1 at line number 90>>
$EXTENDED_SCHEMA = 1;
:wq

Step17: Redirect the output of migrate_base.pl to /root/base.ldif:
# ./migrate_base.pl > /root/base.ldif

Step18: Now create a directory /home/guests for ldap users:
# mkdir /home/guests

Step19: Now create users; here I am creating 5 users for LDAP:
# useradd -d /home/guests/ldapuser1 ldapuser1
# useradd -d /home/guests/ldapuser2 ldapuser2
# useradd -d /home/guests/ldapuser3 ldapuser3
# useradd -d /home/guests/ldapuser4 ldapuser4
# useradd -d /home/guests/ldapuser5 ldapuser5

# passwd ldapuser1
# passwd ldapuser2
# passwd ldapuser3
# passwd ldapuser4
# passwd ldapuser5

Step20: Redirect all these users from /etc/passwd to /root/users
# getent passwd | tail -n 5 > /root/users

Step21: Redirect passwords for all these users from /etc/shadow to /root/passwords
# getent shadow | tail -n 5 > /root/passwords

Step22: Redirect home groups for all these users from /etc/group to /root/groups
# getent group | tail -n 5 > /root/groups

Step23: Now make this change in the file "migrate_passwd.pl":
# vi migrate_passwd.pl
At line number 188, replace /etc/shadow with /root/passwords

Step24: Run the script command:
# ./migrate_passwd.pl /root/users
<<Here, you can check the details of your users like uid, domain and cn etc>>

Redirect this output to an ldif file, because ldapadd only reads files in LDIF format (*.ldif):
# ./migrate_passwd.pl /root/users > /root/users.ldif

Step25: Run the script command:
# ./migrate_group.pl /root/groups
<<Here, you can check group details>>

Redirect this output to an ldif file, because ldapadd only reads files in LDIF format (*.ldif):
# ./migrate_group.pl /root/groups > /root/groups.ldif

Now we have three ldif files in /root location
# ll /root/*.ldif

-rw-r--r--. 1 root root 2061 May 26 17:20 /root/base.ldif
-rw-r--r--. 1 root root  690 May 26 17:48 /root/groups.ldif
-rw-r--r--. 1 root root 2750 May 26 17:45 /root/users.ldif
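The "getent passwd | tail -n 5" extraction in Steps 20 to 22 works only because the five LDAP users happen to be the last five accounts on the box; any account created later (a service user pulled in by a package, for instance) would be exported in their place, together with its password hash. The script below is an added example, not part of the tutorial or of migrationtools: filter_by_name selects /etc/passwd, /etc/shadow or /etc/group lines by user name instead, and users_to_ldif turns the users and passwords extracts into the same posixAccount/shadowAccount entries migrate_passwd.pl produces, carrying the shadow hash as {crypt}. The base DN and the ou=People container are assumptions taken from the tutorial's dc=example,dc=com layout.

```shell
#!/bin/bash
# Added example (not from the tutorial or migrationtools): build users.ldif
# from extracts selected by name rather than by "tail -n 5".

# usage: filter_by_name FILE NAME...  -> lines of FILE whose first field is one of NAME
filter_by_name() {
    file="$1"; shift
    awk -F: -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 in want' "$file"
}

# usage: users_to_ldif USERS_FILE PASSWORDS_FILE BASE_DN  -> LDIF on stdout
users_to_ldif() {
    awk -F: -v base="$3" '
        # first input (shadow extract): remember the hash per user
        FILENAME == ARGV[1] { hash[$1] = $2; next }
        # second input (passwd extract): one entry per line
        {
            name = $1; uid = $3; gid = $4; gecos = $5; home = $6; shell = $7
            if (gecos == "") gecos = name
            printf "dn: uid=%s,ou=People,%s\n", name, base
            printf "uid: %s\ncn: %s\n", name, gecos
            printf "objectClass: account\nobjectClass: posixAccount\n"
            printf "objectClass: top\nobjectClass: shadowAccount\n"
            # locked ("!", "!!") or passwordless ("*") accounts get no userPassword
            if ((name in hash) && hash[name] != "" && hash[name] !~ /^[!*]/)
                printf "userPassword: {crypt}%s\n", hash[name]
            printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\n", shell, uid, gid
            printf "homeDirectory: %s\n\n", home
        }' "$2" "$1"
}

# Direct use on the tutorial's files:
#   filter_by_name /etc/passwd ldapuser1 ldapuser2 ldapuser3 ldapuser4 ldapuser5 > /root/users
#   filter_by_name /etc/shadow ldapuser1 ldapuser2 ldapuser3 ldapuser4 ldapuser5 > /root/passwords
#   users_to_ldif /root/users /root/passwords dc=example,dc=com > /root/users.ldif
if [ "$#" -eq 3 ]; then
    users_to_ldif "$1" "$2" "$3"
fi
```

Two details are worth noticing in the output: the userPassword attribute is the raw crypt hash from /etc/shadow, so /root/passwords and users.ldif deserve the same protection as /etc/shadow itself, and a locked account is exported without any password rather than with a "!!" string that could never match.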

Step26: Finally, we will update these files to LDAP Server:
Upload base.ldif:
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/base.ldif

Upload users.ldif:
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif

Now upload groups.ldif:
# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif

<<You can check your LDAP directory>>
# ldapsearch -x -b "dc=example,dc=com"

<<LDAP SERVER IS CONFIGURED NOW>>

OPENLDAP CLIENT:

Go to a client machine in your network to use the LDAP server and its users.

Step1: Check IP of PC from which you want to access ldap server. For example we can take 192.168.10.133

Step2: The hostname must be different from the hostname of the server, for example:
# hostname
redhat.panacia.com

Step3: Verify that the user does not exist locally yet:
# su - ldapuser1
su: user ldapuser1 does not exist

Step4: Finally, access the LDAP server using one of the commands below:
# system-config-authentication
OR
# authconfig -gtk

This will open a window. In the Identity & Authentication tab:
1.      User Account Database: LDAP
2.      LDAP Search Base DN: dc=example,dc=com
3.      LDAP Server: ldap://ldap.example.com
4.      Tick the "Use TLS to encrypt connections" check box
5.      Click on Download CA Certificate and provide the certificate URL: http://ldap.example.com/pub/example.pem
<<you can check the certificate by opening the same URL in a browser>>
6.      Authentication Method: LDAP Password
7.      Finally hit Apply, which will show the output:
Starting sssd:                                             [  OK  ]
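The CA certificate in step 5 is fetched over plain HTTP, so nothing on the client proves that the file it received is the one created on the server in Step8; anything between the two machines could have substituted its own certificate, and the client would then happily send passwords to whoever holds the matching key. The check below is an added example, not part of the tutorial: it computes the SHA-256 fingerprint of the downloaded PEM file and compares it with the value read on the server console with "openssl x509 -in /etc/pki/tls/certs/example.pem -noout -fingerprint -sha256". A certificate fingerprint is the hash of the DER bytes, which are just the base64-decoded PEM body, so only base64 and sha256sum are needed on the client. The /etc/openldap/cacerts/ path is an assumption based on where authconfig stores downloaded certificates; adjust it if your client keeps them elsewhere.

```shell
#!/bin/bash
# Added example (not from the tutorial): verify a downloaded CA certificate
# against a fingerprint obtained out of band from the server console.

# usage: pem_sha256_fingerprint FILE  -> lowercase hex digest of the first PEM object
pem_sha256_fingerprint() {
    # keep only the base64 lines between the BEGIN and END markers
    awk '/^-----BEGIN /{inside=1; next} /^-----END /{exit} inside' "$1" \
        | base64 -d | sha256sum | awk '{print $1}'
}

# usage: normalize_fingerprint "2C:F2:..."  -> "2cf2..." (openssl prints colons and uppercase)
normalize_fingerprint() {
    printf '%s' "$1" | tr -d ':' | tr 'A-Z' 'a-z'
}

# usage: verify_ca_fingerprint FILE EXPECTED  -> 0 when the digests match
verify_ca_fingerprint() {
    actual=$(pem_sha256_fingerprint "$1")
    expected=$(normalize_fingerprint "$2")
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "fingerprint matches: $actual"
        return 0
    fi
    echo "FINGERPRINT MISMATCH for $1: got '$actual', expected '$expected'" >&2
    return 1
}

# Typical use on the client, with the value copied from the server console:
#   verify_ca_fingerprint /etc/openldap/cacerts/example.pem "2C:F2:4D:..."
if [ "$#" -eq 2 ]; then
    verify_ca_fingerprint "$1" "$2"
fi
```

If the fingerprints differ, do not apply the authconfig settings until the certificate has been re-copied by a trusted path (the server's /etc/pki/tls/certs/example.pem via scp, for example); a mismatch after the file was already installed means the client's sssd has been trusting the wrong issuer since that moment.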

Step5: You can check all five users with:
# getent passwd ldapuser1
ldapuser1:*:502:502::/home/guests/ldapuser1:/bin/bash
# getent passwd ldapuser2
ldapuser2:*:503:503::/home/guests/ldapuser2:/bin/bash
# getent passwd ldapuser3
ldapuser3:*:504:504::/home/guests/ldapuser3:/bin/bash
# getent passwd ldapuser4
ldapuser4:*:505:505::/home/guests/ldapuser4:/bin/bash
# getent passwd ldapuser5
ldapuser5:*:506:506::/home/guests/ldapuser5:/bin/bash

Step6: Now switch to your LDAP user:
# su - ldapuser1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
-bash-4.1$

Here you can see that ldapuser1 can log in but does not have a home directory yet. So, if you want the home directory to come from the LDAP server, AGAIN GO BACK TO THE LDAP SERVER and share the home directories via an NFS server:

Step7: Install the NFS server:
# yum install nfs* -y
# service nfs start

Step8: Share home directory and restart NFS service:
# vi /etc/exports
/home/guests    192.168.10.0/255.255.255.0(rw,sync)

# service nfs restart
# chkconfig nfs on

<<Verify the export list>>
# showmount -e ldap.example.com
Export list for ldap.example.com:
/home/guests    192.168.10.0/255.255.255.0

Step9: GO BACK TO THE LDAP CLIENT and set up auto-mounting:
<<Go to auto.master file and make entry>>
# vi /etc/auto.master
/home/guests    /etc/auto.guests

<<Go to auto.guests file and make entry>>
# vi /etc/auto.guests
*       -rw     ldap.example.com:/home/guests/&

Step10: Reload autofs service:
# service autofs reload

Step11: Now log in again as the LDAP users; this time the home directories are mounted automatically:
# su - ldapuser1
[ldapuser1@redhat ~]$
# su - ldapuser2
[ldapuser2@redhat ~]$
# su - ldapuser3
[ldapuser3@redhat ~]$
# su - ldapuser4
[ldapuser4@redhat ~]$
# su - ldapuser5
[ldapuser5@redhat ~]$
