OpenLDAP Installation, Configuration & User Authentication


--> Introduction:
OpenLDAP Software is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License. LDAP is a platform-independent protocol. Several common Linux distributions include OpenLDAP Software for LDAP support.
Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.
A client starts an LDAP session by connecting to an LDAP server (in OpenLDAP this is slapd, the Stand-alone LDAP Daemon), also called a Directory System Agent (DSA), by default on TCP port 389 (LDAP wrapped in TLS from the first byte, "ldaps", conventionally uses port 636). The client then sends operation requests to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order.
The client may request the following operations:
  • StartTLS — use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
  • Bind — authenticate and specify LDAP protocol version
  • Search — search for and/or retrieve directory entries
  • Compare — test if a named entry contains a given attribute value
  • Add a new entry
  • Delete an entry
  • Modify an entry
  • Modify Distinguished Name (DN) — move or rename an entry
  • Abandon — abort a previous request
  • Extended Operation — generic operation used to define other operations
  • Unbind — close the connection (not the inverse of Bind)

Installation:
I am working from a client system, so I used ssh to reach the machine that will host the OpenLDAP server. All the server-side steps below run on that machine.
Installing prerequisites:
  1. Berkeley Database: in the default Ubuntu configuration, OpenLDAP stores the directory in a BDB database.
  2. OpenSSL libraries: these provide SSL and TLS security.
  3. Cyrus SASL library: this provides support for SASL authentication mechanisms.
  4. Perl programming language: this can provide custom back-end scripting.
  5. iODBC database connectivity layer: OpenLDAP can also store the directory in a relational database (RDBMS); the iODBC library is used to connect to it.
Install these prerequisites with the command-line package manager (the Synaptic graphical installer works too). The package names below are those of Ubuntu 12.04:
  1. Berkeley Database:
      $ sudo apt-get install libdb5.1-dev lib-dev
  2. OpenSSL Libraries:
      $ sudo apt-get install libssl1.0.0 libssl-dev zlib1g-dev libssl-doc
  3. Cyrus SASL Library:
      $ sudo apt-get install libsasl2-2 libsasl2-modules
  4. iODBC database connectivity layer:
      $ sudo apt-get install iodbc2 libiodbc2 libiodbc2-dev
Installing OpenLDAP from source:
Download the OpenLDAP source tarball (2.4.32 was the latest release when this was written) from the OpenLDAP project's download page, and check its published checksum or signature before building anything from it.
Extract the downloaded .tgz file in your preferred location (such as /home/user/); no root privileges are needed for this:
$ tar xvf openldap-2.4.32.tgz
Change into the extracted directory, build as your own user and install as root:
$ cd openldap-2.4.32
$ ./configure --prefix=/usr/local/openldap
$ make depend
$ make
$ make test
$ sudo make install
*make test is optional (it runs the test suite and takes a while)
After installation finishes, the files are under the directory given to --prefix during ./configure.
Before configuring the server, create the SSL/TLS certificate and key used to protect connections. If you do not want encryption you can skip this, but then bind passwords and directory contents cross the network in clear text, including the admin password the clients configured later will use.
Creating a Certificate:
1. Run CA.pl as the root user.
$ sudo /usr/lib/ssl/misc/CA.pl -newcert
Generating a 1024 bit RSA private key
..........................++++++
........................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Andhra Pradesh
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Raman Research Institute
Organizational Unit Name (eg, section) []:Computer
Common Name (e.g. server FQDN or YOUR name) []:example.local.net
Email Address []:example@example.local.net
Certificate is in newcert.pem, private key is in newkey.pem
Note: CA.pl generated a 1024-bit key on this Ubuntu 12.04 system; current practice is at least 2048 bits (pass -newkey rsa:2048 to openssl req, or raise default_bits in openssl.cnf). The certificate is self-signed, so clients have to be told to trust it explicitly (TLS_CACERT in ldap.conf); turning off certificate checking on the clients instead defeats the purpose of TLS. The Common Name must be the hostname the clients put in their URI.
2. The new private key is passphrase-protected, which means you would have to enter the passphrase every time slapd starts. That breaks starting OpenLDAP automatically at boot (and is one more password to remember). Strip the passphrase with the openssl command-line tool:
# /usr/bin/openssl rsa -in newkey.pem -out newkey1.pem
Because the key is now unencrypted on disk, make it readable only by the account slapd runs as (chmod 600, owned by that user, or by root if slapd runs as root).
3. Move the certificate and key to the locations that TLSCertificateFile and TLSCertificateKeyFile in slapd.conf (edited next) will point to:
# mv newcert.pem /usr/local/openldap/var/openldap-data/servercrt.pem
# mv newkey1.pem /usr/local/openldap/var/openldap-data/serverkey.pem
  • Note: /usr/local/openldap is the install prefix; it contains these directories:
  • bin etc include lib libexec sbin share var
Configuring slapd, the Stand-alone LDAP Daemon:
1. Open slapd.conf, which lives in /usr/local/openldap/etc/openldap/:
$ sudo vi /usr/local/openldap/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable: it holds rootpw. Keep it mode 640,
# owned by root and the group slapd runs as.
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
# SSL/TLS certificate and key (the files created above)
# HIGH only: the MEDIUM group admits ciphers such as RC4 that should not be offered.
TLSCipherSuite HIGH:!aNULL:!MD5
TLSCertificateFile /usr/local/openldap/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/local/openldap/var/openldap-data/serverkey.pem
# Hash passwords that arrive through the password-modify extended operation (ldappasswd)
password-hash {SSHA}
# ACL - Access Control List: the first matching "access to" wins, then the first matching "by"
access to attrs=userPassword
by self write
by dn="cn=admin,dc=example,dc=local,dc=net" write
by anonymous auth
by * none
# "by * read" makes every other attribute readable without binding; that is what lets the
# clients below search anonymously. Use "by users read" followed by "by * none" if the
# directory must not be world-readable, and give the clients a read-only bind DN.
access to *
by dn="cn=admin,dc=example,dc=local,dc=net" write
by self write
by * read
#######################################################################
# BDB database definitions
#######################################################################
database monitor
database bdb
suffix "dc=example,dc=local,dc=net"
rootdn "cn=admin,dc=example,dc=local,dc=net"
# Paste the hash printed by slappasswd (see below); never store the password in clear.
rootpw {SSHA}<output of slappasswd>
directory /usr/local/openldap/var/openldap-data
index objectClass eq
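To see what the two access directives above actually grant, here is a small evaluator, added as an example for this page (it is not OpenLDAP code), that applies slapd's rule: the first "access to" clause whose target matches is selected, and within it the first "by" clause whose requester matches decides the level. It models only the syntax used above (attrs= and * targets; self, anonymous, users, dn="..." and * requesters) and the privilege order none < auth < compare < search < read < write; the user and admin DNs are the ones from this page. Two things it makes visible: anonymous connections can read every attribute except userPassword, on which they get only auth (enough to bind, not to read the hash), and a stricter variant with "by users read" / "by * none" closes anonymous reads but then requires the PAM/NSS clients to bind with a read-only DN. Note that cn=admin is the rootdn, which slapd exempts from ACLs entirely, so the by dn="cn=admin,..." lines only matter if a normal admin entry is used instead.

```python
"""Model of how slapd evaluates 'access to ... by ...' directives.
Added example: this is not OpenLDAP code. It covers only the subset of
slapd.access(5) syntax used in the slapd.conf above."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Privilege order from slapd.access(5); 'disclose' and 'manage' are omitted.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class ByClause:
    who: str      # "*", "anonymous", "users", "self", or the exact DN from dn="..."
    level: str


@dataclass
class AccessDirective:
    attrs: Optional[Set[str]]                 # None stands for 'access to *'
    by: List[ByClause] = field(default_factory=list)


def parse_acl(text: str) -> List[AccessDirective]:
    """Parse 'access to <what>' / 'by <who> <level>' lines (comments and blanks ignored)."""
    directives: List[AccessDirective] = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[:2] == ["access", "to"]:
            what = parts[2]
            attrs = None if what == "*" else {a.lower() for a in what[len("attrs="):].split(",")}
            directives.append(AccessDirective(attrs))
        elif parts[0] == "by" and directives:
            who, level = parts[1], parts[2]
            if who.startswith("dn="):
                who = who[3:].strip('"').lower()
            if level not in LEVELS:
                raise ValueError("unsupported access level: " + level)
            directives[-1].by.append(ByClause(who, level))
        else:
            raise ValueError("unsupported line: " + raw)
    return directives


def _matches(clause: ByClause, requester: Optional[str], target: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if clause.who == "*":
        return True
    if clause.who == "anonymous":
        return requester is None
    if clause.who == "users":
        return requester is not None
    if clause.who == "self":
        return requester is not None and requester.lower() == target.lower()
    return requester is not None and requester.lower() == clause.who   # exact dn="..."


def granted(acl: List[AccessDirective], requester: Optional[str], target: str, attr: str) -> str:
    """First directive whose target matches wins; within it the first matching 'by' decides.
    A directive with no matching 'by' clause grants nothing (slapd's implicit 'by * none')."""
    for directive in acl:
        if directive.attrs is not None and attr.lower() not in directive.attrs:
            continue
        for clause in directive.by:
            if _matches(clause, requester, target):
                return clause.level
        return "none"
    return "none"


def allows(acl, requester, target, attr, wanted: str) -> bool:
    return LEVELS.index(granted(acl, requester, target, attr)) >= LEVELS.index(wanted)


# The two directives from the slapd.conf above, verbatim.
PAGE_ACL = parse_acl("""
access to attrs=userPassword
by self write
by dn="cn=admin,dc=example,dc=local,dc=net" write
by anonymous auth
by * none
access to *
by dn="cn=admin,dc=example,dc=local,dc=net" write
by self write
by * read
""")

# Assumed tighter variant: only authenticated users may read the directory.
STRICT_ACL = parse_acl("""
access to attrs=userPassword
by self write
by dn="cn=admin,dc=example,dc=local,dc=net" write
by anonymous auth
by * none
access to *
by dn="cn=admin,dc=example,dc=local,dc=net" write
by self write
by users read
by * none
""")

TUSHAR = "cn=Tushar Kant,ou=people,dc=example,dc=local,dc=net"
ARUN = "cn=Arun Rajan,ou=people,dc=example,dc=local,dc=net"

if __name__ == "__main__":
    for label, acl in (("page", PAGE_ACL), ("strict", STRICT_ACL)):
        print(label, "anonymous on mail:", granted(acl, None, TUSHAR, "mail"))
        print(label, "anonymous on userPassword:", granted(acl, None, TUSHAR, "userPassword"))
        print(label, "Arun on Tushar's userPassword:", granted(acl, ARUN, TUSHAR, "userPassword"))
        print(label, "Tushar on own userPassword:", granted(acl, TUSHAR, TUSHAR, "userPassword"))
```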
2. Now edit the client-side ldap.conf used by the ldap* tools (ldapsearch, ldapadd) on this machine:
$ sudo vi /usr/local/openldap/etc/openldap/ldap.conf
BASE dc=example,dc=local,dc=net
URI ldap://ldapserver
# The server's IP address works too, but with TLS the name must match the
# certificate's Common Name. This lets the tools verify the self-signed
# certificate made above instead of skipping verification:
TLS_CACERT /usr/local/openldap/var/openldap-data/servercrt.pem
3. Rename DB_CONFIG.example to DB_CONFIG inside /usr/local/openldap/var/openldap-data/ (it holds the BDB tuning parameters; slapd warns at startup if it is missing):
$ sudo mv /usr/local/openldap/var/openldap-data/DB_CONFIG.example /usr/local/openldap/var/openldap-data/DB_CONFIG
Adding the directory structure and users with an LDIF (LDAP Data Interchange Format) file. Entries in LDIF must be separated by blank lines; comment lines alone do not separate them. Choose uidNumber and gidNumber values that cannot collide with local accounts on the clients: Ubuntu gives the first local user uid 1000, which is exactly what the first person entry below uses, so adjust the numbering to your site.
$ vi direcStrucNUser.ldif
# Root node
dn: dc=example,dc=local,dc=net
dc: example
o: example
objectclass: top
objectclass: dcObject
objectclass: organization

# Sub-tree: group
dn: ou=group,dc=example,dc=local,dc=net
objectclass: organizationalUnit
objectclass: top
ou: group

# Group node, child 1: vsp
dn: cn=vsp,ou=group,dc=example,dc=local,dc=net
cn: vsp
gidnumber: 500
objectclass: posixGroup
objectclass: top

# Group node, child 2: computer
dn: cn=computer,ou=group,dc=example,dc=local,dc=net
cn: computer
gidnumber: 501
objectclass: posixGroup
objectclass: top

# Sub-tree: people
dn: ou=people,dc=example,dc=local,dc=net
objectclass: organizationalUnit
objectclass: top
ou: people

# People node, child 1: Tushar Kant
dn: cn=Tushar Kant,ou=people,dc=example,dc=local,dc=net
cn: Tushar Kant
gidnumber: 500
givenname: Tushar
homedirectory: /home/users/tushar
loginshell: /bin/sh
mail: tushark@example.com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Kant
uid: tushar
uidnumber: 1000
# {crypt} with a $1$ prefix is md5-crypt; prefer a {SSHA} value from slappasswd (see below)
userpassword: {crypt}$1$9uIEwT.1$WAm4YMlhoweT3nOvjvIBa.

# People node, child 2: Arun Rajan
dn: cn=Arun Rajan,ou=people,dc=example,dc=local,dc=net
cn: Arun Rajan
gidnumber: 501
givenname: Arun
homedirectory: /home/users/exm1
loginshell: /bin/sh
mail: exm1@example.com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Rajan
uid: exm1
uidnumber: 1001
# {MD5} is an unsalted digest of the password; prefer {SSHA}
userpassword: {MD5}ICy5YqxZB1uWSwcVLSNLcA==
Loading the LDIF into the directory:
$ sudo /usr/local/openldap/sbin/slapadd -v -f /usr/local/openldap/etc/openldap/slapd.conf -l /tmp/basics.ldif
Note: slapadd writes the database files directly, so slapd must not be running. The file given to -l is the LDIF written above (here saved as /tmp/basics.ldif); run slaptest -f with the same slapd.conf first to check that the configuration parses. slapadd runs as root here, so if slapd is later started as an unprivileged user, chown the database directory to that user.
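The LDIF above is the kind of file slapadd rejects for a formatting slip before it ever reaches the schema checks. As an added example (not an OpenLDAP tool), the following checker parses LDIF the way slapadd does for the purposes that matter here (blank lines are the only entry separator; comment lines do not separate) and then applies the checks a practitioner would want before loading: MUST attributes of the object classes used on this page, gidNumber values that name no posixGroup, duplicate or locally colliding uidNumber values, malformed mail addresses, and password values stored with unsalted or legacy schemes. The sample LDIF at the bottom is constructed for the demonstration; the MUST lists are those of the schema files included in slapd.conf.

```python
"""Pre-flight checks for an LDIF file before it is given to slapadd. Added example, not
OpenLDAP code: it encodes the MUST attributes of the object classes used above plus a
few operational checks, and runs over a constructed sample LDIF."""
import base64
import re
from typing import Dict, List, Tuple

MUST = {  # from the core, cosine, nis and inetorgperson schemas (lower-cased)
    "dcobject": {"dc"}, "organization": {"o"}, "organizationalunit": {"ou"},
    "posixgroup": {"cn", "gidnumber"}, "inetorgperson": {"cn", "sn"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
}
WEAK_SCHEMES = ("{MD5}", "{SHA}", "{CRYPT}")   # unsalted digests or legacy crypt(3)
_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")
_MAIL = re.compile(r"[^@\s]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def parse_ldif(text: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """'#' comments, leading-space continuation lines, '::' base64 values, and blank
    lines as the only separator between entries (comment lines do not separate)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:               # sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        name, value = m.group(1).lower(), m.group(3)
        if m.group(2) == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name == "dn" and dn is not None:     # the slip slapadd rejects
            raise ValueError("dn: %s follows %s without a blank separator line" % (value, dn))
        if name == "dn":
            dn = value
        elif dn is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def validate(entries, local_uids=frozenset()) -> List[str]:
    """Problems found (empty = all checks passed). local_uids: uid numbers already
    taken on the clients; in practice read them from /etc/passwd."""
    problems: List[str] = []
    groups = {g for _, a in entries for g in a.get("gidnumber", [])
              if "posixgroup" in {c.lower() for c in a.get("objectclass", [])}}
    seen_uids: Dict[str, str] = {}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        for cls in sorted(classes):
            for must in sorted(MUST.get(cls, set()) - set(attrs)):
                problems.append("%s: objectClass %s requires %s" % (dn, cls, must))
        if "posixaccount" in classes:
            for gid in attrs.get("gidnumber", []):
                if gid not in groups:
                    problems.append("%s: gidNumber %s matches no posixGroup" % (dn, gid))
            for uid in attrs.get("uidnumber", []):
                if uid in seen_uids:
                    problems.append("%s: uidNumber %s already used by %s" % (dn, uid, seen_uids[uid]))
                seen_uids.setdefault(uid, dn)
                if int(uid) in local_uids:
                    problems.append("%s: uidNumber %s collides with a local account" % (dn, uid))
        for mail in attrs.get("mail", []):
            if not _MAIL.fullmatch(mail):
                problems.append("%s: malformed mail %s" % (dn, mail))
        for pw in attrs.get("userpassword", []):
            if pw.upper().startswith(WEAK_SCHEMES):
                problems.append("%s: userPassword uses weak scheme %s}" % (dn, pw.split("}")[0]))
            elif not pw.startswith("{"):
                problems.append("%s: userPassword stored in cleartext" % dn)
    return problems


# Constructed sample: a group, and an account with a malformed mail address, a gidNumber
# that names no group, a uidNumber colliding with the first local Ubuntu user, and {MD5}.
SAMPLE_LDIF = """\
dn: cn=vsp,ou=group,dc=example,dc=local,dc=net
cn: vsp
gidnumber: 500
objectclass: posixGroup

dn: cn=Arun Rajan,ou=people,dc=example,dc=local,dc=net
cn: Arun Rajan
uid: exm1
uidnumber: 1000
gidnumber: 501
homedirectory: /home/users/exm1
mail: exm1@example..com
objectclass: posixAccount
userpassword: {MD5}ICy5YqxZB1uWSwcVLSNLcA==
"""
```

Running validate(parse_ldif(SAMPLE_LDIF), local_uids={0, 1000}) reports four problems; feeding it the page's original LDIF, which has no blank lines between entries, raises the "without a blank separator line" error that slapadd would also stop on.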
Starting and stopping the slapd daemon:
To start (slapd detaches into the background; add -d 256 to stay in the foreground and log to the terminal while testing):
$ sudo /usr/local/openldap/libexec/slapd
slapd runs as root unless told otherwise; once things work, create an unprivileged account, give it the database directory and the key file, and start slapd with -u <user> -g <group>.
To stop, signal the process id recorded in the pidfile named in slapd.conf:
$ sudo kill $(cat /usr/local/openldap/var/run/slapd.pid)
Search the added users:
$ /usr/local/openldap/bin/ldapsearch -x -W -D 'cn=admin,dc=example,dc=local,dc=net' -b 'ou=people,dc=example,dc=local,dc=net'
*The LDAP password asked for here is the rootpw defined in slapd.conf.
*If everything is working, this command returns all entries under ou=people.
*-x is a simple bind: without TLS the admin password crosses the network in clear text. If you configured the certificate above, add -ZZ (require StartTLS and fail if it cannot be negotiated) and -H ldap://<hostname from the certificate CN>; this works once ldap.conf trusts the certificate via TLS_CACERT.
Making a backup of the entire database (dumping it to an LDIF file):
$ sudo su -
# kill $(cat /usr/local/openldap/var/run/slapd.pid)
# /usr/local/openldap/sbin/slapcat -l /home/user/backup.ldif
The dump contains every userPassword hash, so keep it mode 600 and do not leave it in a world-readable home directory.
Generating the hashed password for the rootpw variable in slapd.conf:
# /usr/local/openldap/sbin/slappasswd -h {SSHA}
slappasswd prompts for the password and prints the {SSHA} value to paste into rootpw. Avoid the -s option (as in "slappasswd -h {md5} -s testPassword"): the cleartext ends up in your shell history and is visible in ps while the command runs, and {md5} is an unsalted digest, whereas {SSHA} adds a per-password salt.
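slappasswd supports several schemes, and the difference between them is worth seeing in code. The following is an added example, not slappasswd itself: it produces and verifies values in the storage formats OpenLDAP uses ({SSHA} is base64 of SHA-1(password || salt) followed by the salt; {MD5} and {SHA} are uns salted digests), and shows why the unsalted form is a liability: one precomputed table maps every {MD5} value back to its password, which the value given for exm1 in the LDIF above demonstrates. {CRYPT} values are deliberately not handled (they need crypt(3)); the wordlist is constructed for the demonstration.

```python
"""Generate and verify userPassword values in OpenLDAP's storage formats.
Added example, not slappasswd itself; it shows why {SSHA} is preferred over the
unsalted {MD5} that 'slappasswd -h {md5}' (and the LDIF above) produce."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64( SHA1(password || salt) || salt ), the format slappasswd -h {SSHA} emits."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password: str) -> str:
    """{MD5}: base64(MD5(password)), no salt; identical passwords give identical values."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


def verify_password(stored: str, password: str) -> bool:
    """Check a cleartext password against a stored {SSHA}/{SHA}/{MD5} value.
    {CRYPT} values need crypt(3) and are deliberately not handled here."""
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.upper() + "}"
    raw = base64.b64decode(b64)
    pw = password.encode("utf-8")
    if scheme == "{SSHA}":
        digest, salt = raw[:20], raw[20:]       # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "{SHA}":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "{MD5}":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    raise ValueError("unsupported scheme " + scheme)


def precompute_md5_table(words: Iterable[str]) -> Dict[str, str]:
    """Because {MD5} is unsalted, one table built once maps any stored value back to
    its password; a salted scheme forces a fresh pass per stored value instead."""
    return {md5_hash(w): w for w in words}


def lookup(stored: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(stored)


# Constructed wordlist for the demonstration (not a real dictionary).
WORDLIST = ["password", "123456", "123", "letmein", "testPassword"]
# The {MD5} value given for exm1 in the LDIF above.
EXM1_HASH = "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="

if __name__ == "__main__":
    print("exm1's password is:", lookup(EXM1_HASH, precompute_md5_table(WORDLIST)))
    a, b = ssha_hash("testPassword"), ssha_hash("testPassword")
    print("same password, two different {SSHA} values:", a != b)
    print("both verify:", verify_password(a, "testPassword") and verify_password(b, "testPassword"))
```

Anyone who can read userPassword values (the admin, or whoever gets hold of a slapcat dump) recovers an unsalted {MD5} password with a single table lookup; with {SSHA} every value has to be attacked separately, which is the whole point of the salt.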
Adding entries to the running directory (no need to stop slapd):
# /usr/local/openldap/bin/ldapadd -x -W -D 'cn=admin,dc=example,dc=local,dc=net'
  • ldapadd lives in bin (it is a client tool), not sbin. As given it reads LDIF from standard input: type the entries exactly as in the LDIF file, with a blank line between entries, and finish with Ctrl-D; or pass a file with -f.

Configuring Clients for Authentication:
Our master server is up and working well. Now it is time to configure the client (called the slave server here, although it is an authentication client, not a replica of the directory).
Installing prerequisites:
$ sudo apt-get install libpam-ldap
  • A series of debconf questions follows. Answer them in this order:
  • LDAP server URI: ldap://<IP of master server> (use the hostname from the certificate's Common Name instead if you set up TLS)
  • Distinguished name of the search base: in our case dc=example,dc=local,dc=net
  • LDAP version to use: 3
  • Make local root database admin? Yes
  • Does the LDAP database require login? No (the server ACL allows anonymous search)
  • LDAP account for root: in our case cn=admin,dc=example,dc=local,dc=net
  • LDAP root account password: the rootpw value; it is stored in /etc/ldap.secret, which must stay mode 600 and owned by root
The answers are written to /etc/ldap.conf, the file read by pam_ldap and nss_ldap (not /etc/ldap/ldap.conf, which holds the libldap client defaults), and it will look like this:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=local,dc=net
URI ldap://<IP of master server>
ldap_version 3
rootbinddn cn=admin,dc=example,dc=local,dc=net
pam_password md5
Two settings to revisit: "pam_password md5" makes pam_ldap hash a new password itself with unsalted MD5 when a user runs passwd; "pam_password exop" sends it through the password-modify extended operation instead, so the server hashes it according to its password-hash setting ({SSHA}). And ldap:// without TLS means every login sends the user's password to the server in clear text; if the server has a certificate, add "ssl start_tls" together with "tls_cacertfile" pointing at a copy of the server certificate.
To change these answers later, re-run the configuration dialog:
$ sudo dpkg-reconfigure ldap-auth-config
Also install nscd, the Name Service Cache Daemon, which caches lookups so that not every process opens its own LDAP connection:
$ sudo apt-get install nscd
Configuring our pam module:
First add the LDAP server's IP address and hostname to /etc/hosts so the URI in ldap.conf resolves even without DNS:
$ sudo vi /etc/hosts
Then edit /etc/nsswitch.conf so that user, group and shadow lookups consult LDAP after the local files (local accounts keep working if the server is down):
$ sudo su -
# vi /etc/nsswitch.conf
# pre_auth-client-config # passwd: ldap compat
passwd: files ldap
# pre_auth-client-config # group: ldap compat
group: files ldap
# pre_auth-client-config # shadow: ldap compat
shadow: files ldap
# vi /etc/pam.d/common-auth
auth sufficient pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
# vi /etc/pam.d/common-account
account sufficient pam_unix.so
account required pam_ldap.so
# vi /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
# vi /etc/pam.d/common-password
password sufficient pam_unix.so obscure sha512
password sufficient pam_ldap.so try_first_pass
password requisite pam_deny.so
password required pam_permit.so
Notes on these stacks: pam_unix comes first and is "sufficient", so local accounts (root included) keep working when the LDAP server is unreachable. In common-password pam_ldap must be "sufficient", not "required": with "required" the stack would continue into "requisite pam_deny.so", which returns failure immediately, so no LDAP user could ever change a password. sha512 replaces MD5 for the local shadow hashes. On Ubuntu these four files are generated by pam-auth-update and hand edits are overwritten the next time it runs; selecting the LDAP profile shipped by libpam-ldap in pam-auth-update produces an equivalent stack.
# service nscd restart
or
# /etc/init.d/nscd restart
The "+::::::" line in /etc/passwd and "+::::::::" in /etc/shadow are NIS-compat syntax: they are honoured only when nsswitch.conf uses the compat source (passwd: compat, with ldap as the compat target) and do nothing with the "files ldap" lines above. Add them only if you use compat:
# vi /etc/passwd
# append this line (6 colons)
+::::::
# vi /etc/shadow
# append this line (8 colons)
+::::::::
# /etc/init.d/nscd restart
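PAM control flags decide which of the stacks above lets a user in and in which order the backends are consulted. The following is an added example, not Linux-PAM code: a simulator for the four classic control flags (required, requisite, sufficient, optional), run over the common-auth stack above and over two common-password variants, one in which pam_ldap is "required" and followed by "requisite pam_deny.so", and one in which pam_ldap is "sufficient". Assumptions: pam_unix succeeds only for local accounts, pam_ldap only for LDAP accounts while the server is reachable, and module options such as use_first_pass are not modelled.

```python
"""Simulate Linux-PAM's evaluation of a module stack with the classic control flags.
Added example, not Linux-PAM code. Assumed module behaviour: pam_unix succeeds only
for local accounts, pam_ldap only for LDAP accounts while the server is reachable;
module options (use_first_pass, try_first_pass, ...) are not modelled."""
from typing import Callable, Dict, List, Tuple

SUCCESS, FAIL = "success", "fail"
Stack = List[Tuple[str, str]]        # (control flag, module) in file order


def run_stack(stack: Stack, modules: Dict[str, Callable[[], str]]) -> bool:
    """required: failure is remembered, stack continues.  requisite: failure returns at once.
    sufficient: success ends the stack with success unless a required module already failed,
    and its own failure is ignored.  optional: result ignored (unless it is the only module,
    a case not modelled here)."""
    failed = False
    for control, name in stack:
        ok = modules[name]() == SUCCESS
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control != "optional":
            raise ValueError("unknown control flag " + control)
    return not failed


def modules_for(user: str, ldap_up: bool = True) -> Dict[str, Callable[[], str]]:
    """user is 'local', 'ldap' or 'nobody' (exists in neither backend)."""
    return {
        "pam_unix": lambda: SUCCESS if user == "local" else FAIL,
        "pam_ldap": lambda: SUCCESS if (user == "ldap" and ldap_up) else FAIL,
        "pam_permit": lambda: SUCCESS,
        "pam_deny": lambda: FAIL,
    }


# common-auth from /etc/pam.d above, reduced to (control, module).
COMMON_AUTH: Stack = [("sufficient", "pam_unix"), ("required", "pam_ldap"), ("required", "pam_permit")]
# A common mistake: pam_ldap 'required', followed by an unconditional 'requisite pam_deny'.
PASSWORD_REQUIRED_THEN_DENY: Stack = [("sufficient", "pam_unix"), ("required", "pam_ldap"),
                                      ("requisite", "pam_deny"), ("required", "pam_permit")]
# Both backends 'sufficient'; pam_deny only catches whoever neither backend accepted.
PASSWORD_FIXED: Stack = [("sufficient", "pam_unix"), ("sufficient", "pam_ldap"),
                         ("requisite", "pam_deny"), ("required", "pam_permit")]


def auth(user: str, ldap_up: bool = True) -> bool:
    return run_stack(COMMON_AUTH, modules_for(user, ldap_up))


def change_password(stack: Stack, user: str, ldap_up: bool = True) -> bool:
    return run_stack(stack, modules_for(user, ldap_up))


if __name__ == "__main__":
    print("local login with LDAP down:", auth("local", ldap_up=False))
    print("ldap login with LDAP down:", auth("ldap", ldap_up=False))
    print("ldap user passwd, required then deny:", change_password(PASSWORD_REQUIRED_THEN_DENY, "ldap"))
    print("ldap user passwd, fixed stack:", change_password(PASSWORD_FIXED, "ldap"))
```

Two results worth noting: with pam_unix first and "sufficient", local users (root included) keep logging in while the LDAP server is down; and with pam_ldap "required" followed by "requisite pam_deny.so", LDAP users can never change their password, because pam_deny returns failure immediately even though pam_ldap just succeeded.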
Now test your client:
$ id tushar
uid=1000(tushar) gid=500(vsp) groups=500(vsp)
$ id exm1
uid=1001(exm1) gid=501(computer) groups=501(computer)
$ ssh tushar@ldapclient
tushar@ldapclient's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)
* Documentation: https://help.ubuntu.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Sep 21 15:40:56 2012 from localhost
$
Using phpLDAPadmin for directory management through a browser:
Installation on the master server:
$ ssh serveruser@MasterServer
$ sudo apt-get install phpldapadmin
Then point a browser at the IP address of the master server with /phpldapadmin appended (or http://localhost/phpldapadmin on the server itself) and log in with the rootdn and its password to edit or create users and groups. Because that login carries the directory administrator's password, serve phpLDAPadmin over HTTPS only and restrict access to the hosts that need it (web server access control or a firewall rule); the server address and base DN it connects to are set in /etc/phpldapadmin/config.php.