Using LDAP now... and no, it is not a drug. I started to set up LDAP on my home network to get a better understanding of this service. I'm getting there, but it takes time. Using: Fedora 6, OpenLDAP, and the Thunderbird email client to look up my email addresses.
Install and configure LDAP

# yum install openldap openldap-clients openldap-servers
# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# slappasswd
New password:
Re-enter new password:
{SSHA}5WcnZ/3lXJXf72pyS5Nv2z3sjNVrpm2m
# vi /etc/openldap/slapd.conf
database bdb
suffix "dc=r71,dc=nl"
rootdn "cn=Manager,dc=r71,dc=nl"
rootpw {SSHA}5WcnZ/3lXJXf72pyS5Nv2z3sjNVrpm2m

Paste the {SSHA} value that slappasswd prints as rootpw; never put the cleartext password there. slapd.conf now holds the Manager password hash, so leave it with the ownership and mode the package installs it with (root:ldap, 640).
# service ldap start
# chkconfig --level 3 ldap on
# grep root:x: /etc/passwd > /etc/openldap/passwd.root
# grep roderick /etc/passwd > /etc/openldap/passwd.ldapusers
# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.root /etc/openldap/root.ldif
# cat /etc/openldap/root.ldif
dn: uid=root,ou=People,dc=r71,dc=nl
uid: root
cn: Manager

Before running the migration scripts, set $DEFAULT_BASE in /usr/share/openldap/migration/migrate_common.ph to dc=r71,dc=nl (and $DEFAULT_MAIL_DOMAIN to r71.nl); otherwise the entries come out under the PADL default base. The scripts copy each account's password hash from /etc/shadow when they can read it, so keep the generated .ldif and passwd.* files at mode 600 and remove them once they are loaded. Migrating root (uid 0) into the directory also means that a root login on every client consults the LDAP server; keeping root a local-only account is the safer choice.
# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.ldapusers /etc/openldap/ldapusers.ldif
# vi /etc/openldap/r71.nl.ldif
dn: dc=r71,dc=nl
objectClass: dcObject
objectClass: organization
o: R71
dc: r71

dn: ou=People,dc=r71,dc=nl
objectClass: organizationalUnit
ou: People

dn: ou=contacts,ou=People,dc=r71,dc=nl
objectClass: organizationalUnit
objectClass: domainRelatedObject
ou: contacts
ou: people
associatedDomain: r71.nl
# ldapadd -x -D "cn=Manager,dc=r71,dc=nl" -W -f /etc/openldap/r71.nl.ldif
# ldapsearch -x -b 'dc=r71,dc=nl'
# ldapadd -x -D "cn=Manager,dc=r71,dc=nl" -W -f /etc/openldap/root.ldif
# ldapadd -x -D "cn=Manager,dc=r71,dc=nl" -W -f /etc/openldap/ldapusers.ldif

Read the output of the anonymous ldapsearch (-x without -D) carefully: with no access directives in slapd.conf, OpenLDAP's default is read access for everyone, so that search returns the userPassword hashes you just loaded. Add an access rule for attrs=userPassword (by self write, by anonymous auth, by * none) ahead of the catch-all read rule before exposing the server to the network.

Backup the LDAP database
# slapcat -l <filename> -f <slapdconfigfile>
The dump contains every password hash; store it with mode 600.

Open port 389 in the firewall (iptables).

Setting up slapd (SSL connection for LDAP)
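The LDIF that the migration step and the hand-written r71.nl.ldif above produce, generated here by a stand-alone Python script as an added example (it is not migrate_passwd.pl or any code from this page). The base DN and organization name are the ones used on the page; the passwd lines are constructed for the example, and the min_uid cut-off is this example's way of keeping system accounts such as root out of the directory:

```python
"""Generate the LDIF for the People tree from /etc/passwd-style lines.

Added example, stand-alone Python (not migrate_passwd.pl).  BASE_DN and
ORG_NAME come from the page; SAMPLE_PASSWD is constructed for the example.
"""
import base64

BASE_DN = "dc=r71,dc=nl"      # the suffix from slapd.conf on this page
ORG_NAME = "R71"

# Constructed sample in /etc/passwd format (not a real passwd file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
roderick:x:500:500:Roderick,room 1,+31 0,:/home/roderick:/bin/bash
"""


def ldif_attr(name, value):
    """Format one 'name: value' line.  RFC 2849 forbids a leading space,
    ':' or '<' and any control or non-ASCII character in a plain value;
    such values (and ones with a trailing space, which tools strip) go
    out base64-encoded behind a double colon."""
    needs_b64 = (
        value[:1] in (" ", ":", "<")
        or value.endswith(" ")
        or any(ord(c) < 32 or ord(c) > 126 for c in value)
    )
    if needs_b64:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return "%s:: %s" % (name, encoded)
    return "%s: %s" % (name, value)


def base_entries(base_dn, org_name):
    """The root dcObject and the ou=People container added by hand above."""
    dc = base_dn.split(",", 1)[0].split("=", 1)[1]     # "r71" from "dc=r71,dc=nl"
    root = "\n".join([
        "dn: %s" % base_dn,
        "objectClass: dcObject",
        "objectClass: organization",
        ldif_attr("o", org_name),
        ldif_attr("dc", dc),
    ])
    people = "\n".join([
        "dn: ou=People,%s" % base_dn,
        "objectClass: organizationalUnit",
        "ou: People",
    ])
    return [root, people]


def passwd_to_entries(passwd_text, base_dn, min_uid=500):
    """One posixAccount entry per passwd line with uid >= min_uid.

    System accounts stay out of the directory on purpose: once uid 0
    lives in LDAP, a root login depends on slapd being reachable."""
    entries = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            continue
        full_name = gecos.split(",")[0] or name   # GECOS may carry office/phone too
        lines = [
            "dn: uid=%s,ou=People,%s" % (name, base_dn),
            ldif_attr("uid", name),
            ldif_attr("cn", full_name),
            "objectClass: top",
            "objectClass: account",
            "objectClass: posixAccount",
            ldif_attr("loginShell", shell),
            ldif_attr("uidNumber", uid),
            ldif_attr("gidNumber", gid),
            ldif_attr("homeDirectory", home),
        ]
        if gecos:
            lines.append(ldif_attr("gecos", gecos))
        entries.append("\n".join(lines))
    return entries


def build_ldif(passwd_text=SAMPLE_PASSWD, base_dn=BASE_DN, org_name=ORG_NAME):
    """Complete LDIF: base entries first, then the accounts, separated by
    the blank line ldapadd needs between entries."""
    entries = base_entries(base_dn, org_name) + passwd_to_entries(passwd_text, base_dn)
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(build_ldif())
```

No password attribute is written, so the accounts get one only when you add a userPassword line yourself (a hashed value, as for rootpw). The output feeds straight into ldapadd with the same -D/-W options used above.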
You can create a self-signed certificate for the server as follows (open port 636 in the firewall too):
# cd /etc/pki/tls/certs
# rm slapd.pem
(if there's one there, it probably has localhost.localdomain as the CN and is therefore practically useless)
# make ldap.r71.nl.pem
(fill in the fields; use the server's DNS name, ldap.r71.nl, as the Common Name, because clients compare it with the host they connect to)
# chown root:ldap ldap.r71.nl.pem
# chmod 640 ldap.r71.nl.pem
# vi /etc/openldap/slapd.conf
TLSCertificateFile /etc/pki/tls/certs/ldap.r71.nl.pem
TLSCertificateKeyFile /etc/pki/tls/certs/ldap.r71.nl.pem

The pem file made this way holds the private key as well as the certificate, which is why both directives point at the same file and why its mode is restrictive. On FC6 slapd only listens on 636 when SLAPD_LDAPS=yes is set in /etc/sysconfig/ldap. Restart slapd (service ldap restart) and then check the handshake from another machine:
# openssl s_client -connect your.ldap.server:636 | tee logfile
Setup secure authentication from an LDAP client (another FC6 server)

Scenario: log in on another Linux server and authenticate against the LDAP server you configured. Log in on the Linux server you want to configure as a client and use the following steps:
- Install the package
# yum install nss_ldap
- Copy the server certificate from your LDAP server to the client
# scp root@ldapserver:/etc/pki/tls/certs/ldap.r71.nl.pem /etc/openldap/cacerts/ldap.r71.nl.pem
Note that the pem file generated with make on the server also contains the server's private key, which must not leave the server. Write out just the certificate there first (openssl x509 -in ldap.r71.nl.pem -out ldap.r71.nl.crt) and copy that file instead; the client only needs the certificate to verify the server.
- Set the correct rights, otherwise the login procedure will hang
# chmod 644 /etc/openldap/cacerts/ldap.r71.nl.pem
(world-readable is fine for a file that holds only the certificate)
- Start configuring the client's authentication procedure
# authconfig-tui
Select 'Use LDAP'. Leave 'Use MD5 Passwords' and 'Use Shadow Passwords' as they are. Select 'Use LDAP Authentication'.
- Select the 'Next' button
- Select TLS
Server: ldap://ldap.r71.nl
Base DN: dc=r71,dc=nl
When you have finished the setup:
- log out as root
- log in as a different user; to be sure you are using LDAP, use an account that doesn't exist on the local machine
- You get the error message "/home/username does not exist". That is correct. Create the directory yourself, owned by that user and with mode 700 (not 777, which would let every user on the machine read and write it), add pam_mkhomedir.so to the session stack so it is created at first login, or mount home directories from an NFS server.
- When using TLS I got this message: "id: cannot find name for user ID 500"
If you have run authconfig, edit /etc/pam.d/system-auth and change
account required /lib/security/$ISA/pam_unix.so
to:
account sufficient /lib/security/$ISA/pam_unix.so
With sufficient, an account that pam_unix accepts (a local one) ends the account stack right there and skips the pam_ldap check that follows; an account pam_unix does not know is passed on to pam_ldap as before.
When you configure a machine to authenticate via LDAP (the LDAP server itself included), you may run into a problem at boot time. The boot hangs at "Starting system message bus": at that point the system already looks up names through LDAP, but slapd (and, on a client, the network) is not up yet, and it takes a while for the lookup to time out. On FC6 this takes about 5 minutes; on other distributions it can take up to 40 minutes, according to some forums. To keep the delay short, set bind_policy soft and a small bind_timelimit in the client's /etc/ldap.conf so nss_ldap gives up quickly when the server is unreachable. If the machine is already stuck, switch back to authenticating with files using authconfig-tui, or edit /etc/nsswitch.conf and remove the ldap entries (from a rescue disk).
Thunderbird configuration

Go to Tools > Options > Composition > Addressing and create a new LDAP directory entry (Base DN: dc=r71,dc=nl). In the directory's properties, tick 'Use secure connection (SSL)' and use port 636 so the lookups go over the TLS listener set up above rather than in the clear. Restart Thunderbird. The LDAP server is configured properly when you can see entries from the address book (you do not see any entry initially, but when you use the search function, entries are shown). I encountered a problem in Thunderbird v1.5 that email addresses were not automatically completed when I started typing in the To: field. I ended up going into Tools > Account Settings > Composition and Addressing and changed my Addressing option to "Use a different LDAP server" instead of the global LDAP server preferences. The "different LDAP server" is the one I defined in Tools > Options > Composition > Addressing > Directory Server.... Restart Thunderbird.

Setting up Cyrus Imapd to authenticate using LDAP

Work in progress....
http://www.openldap.org/faq/data/cache/428.html
# vi /etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
#MECH=pam
MECH=ldap

# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
#FLAGS=
FLAGS="-O /etc/saslauthd.conf"

# vi /etc/saslauthd.conf
ldap_servers: ldap://ldap.r71.nl/
ldap_search_base: ou=people,dc=r71,dc=nl
ldap_filter: (uid=%u)

With this configuration saslauthd searches for the user with the filter and then binds as the entry it found, using the password it was handed, so with a plain ldap:// URL that password crosses the network in the clear. Add ldap_start_tls: yes (with ldap_tls_cacert_file pointing at the server certificate) or use an ldaps:// URL, and keep /etc/saslauthd.conf readable by root only.
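The (uid=%u) filter above is expanded by saslauthd itself, as the AuthLDAPURL one further down is by Apache. The example below is added here and is not code from either tool: it shows what must happen to a login name in any script or web application of your own that builds such a filter from user input, side by side with the naive substitution, and includes a toy matcher (not an LDAP server) so the effect of a name like * is visible. The sample entries are constructed.

```python
"""Escaping a login name before it is substituted into an LDAP filter.

Added example (not saslauthd or mod_authnz_ldap code).  SAMPLE_ENTRIES are
constructed stand-ins for the ou=People entries on the page.
"""
import re

SAMPLE_ENTRIES = [
    {"uid": "root", "cn": "Manager"},
    {"uid": "roderick", "cn": "Roderick"},
    {"uid": "test", "cn": "test"},
]


def escape_filter_value(value):
    """RFC 4515 escaping: backslash, '*', '(', ')' and NUL must become \\XX
    hex escapes so the value can neither extend nor close the filter;
    control and non-ASCII characters are escaped byte by byte as well."""
    out = []
    for ch in value:
        if ch in "\\*()\0" or ord(ch) < 32 or ord(ch) > 126:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def naive_uid_filter(username):
    """Straight string substitution: the insecure form."""
    return "(uid=%s)" % username


def uid_filter(username):
    """The hardened form: same filter, value escaped."""
    return "(uid=%s)" % escape_filter_value(username)


def match_filter(filter_str, entries):
    """Toy evaluator for a single (attr=pattern) filter over dicts.  An
    unescaped '*' is a wildcard, \\XX sequences are literal bytes, and a
    stray parenthesis inside the value is rejected the way a server
    rejects a malformed filter.  Enough to compare the two builders above."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str, re.S)
    if not m or "(" in m.group(2) or ")" in m.group(2):
        raise ValueError("malformed or unsupported filter: %r" % filter_str)
    attr, pattern = m.group(1), m.group(2)

    def unescape(piece):
        raw = re.sub(rb"\\([0-9a-fA-F]{2})",
                     lambda h: bytes([int(h.group(1), 16)]),
                     piece.encode("utf-8"))
        return raw.decode("utf-8")

    pieces = [unescape(p) for p in pattern.split("*")]
    rx = re.compile("^" + ".*".join(re.escape(p) for p in pieces) + "$", re.S)
    return [e for e in entries if attr in e and rx.match(e[attr])]


def filter_is_well_formed(filter_str):
    """True when match_filter accepts the filter's syntax."""
    try:
        match_filter(filter_str, [])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("roderick", "*", "*)(uid=*"):
        print(repr(name), naive_uid_filter(name), "->", uid_filter(name))
    print(len(match_filter(naive_uid_filter("*"), SAMPLE_ENTRIES)), "entries match the naive filter for '*'")
    print(len(match_filter(uid_filter("*"), SAMPLE_ENTRIES)), "entries match the escaped one")
```

The naive filter for a login name of * matches every entry, which in a bind-after-search setup means the search no longer identifies one account; the escaped filter looks for a user literally called * and finds none.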
# testsaslauthd -u root -p password
(This one works)
# testsaslauthd -u roderick -p password
(This one is NOT working right now, don't know why)

Apache and LDAP authentication for a web URL (Apache and FC6)
Work in progress....
# vi /etc/httpd/conf/httpd.conf
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

Alias /tmp "/tmp"
<Directory "/tmp">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Location "/tmp">
    AuthName "R71 Staff Only"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.r71.nl:389/ou=people,dc=r71,dc=nl
    AuthzLDAPAuthoritative Off
    require valid-user
</Location>

FC6 ships httpd 2.2, where the 2.0 module mod_auth_ldap no longer exists: the directives used here (AuthBasicProvider ldap, AuthzLDAPAuthoritative) belong to mod_authnz_ldap, which needs mod_ldap for its connection pool and cache, so those are the two modules to load. Two things to change before using this for real: Basic authentication sends the password with every request, so serve the location over HTTPS only (SSLRequireSSL inside the Location), and use an ldaps:// URL or append TLS to the AuthLDAPURL line so Apache's bind to the directory is encrypted as well. Publishing the system's /tmp with Indexes on is fine for a quick test but exposes every user's temporary files; point the Alias at a directory of its own.
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html (the 2.0 module; on 2.2 look up mod_authnz_ldap instead)

Links
Logging in from Linux or Windows using LDAP: http://www.erikberg.com/notes/auth.html
Example LDIF files: http://www.linuxjournal.com/node/8119/print
Setup:
http://fedoranews.org/mediawiki/index.php/How_to_setup_and_maintain_OpenLDAP_server_for_your_network
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html
http://www.howtoforge.com/linux_ldap_authentication
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS#Adding_new_LDAP_users

Example LDIF (work in progress....)

dn: dc=example,dc=com
dc: example
o: Organization
objectClass: dcObject
objectClass: organization
description: My Organization

dn: ou=people,dc=example,dc=com
ou: people
description: All employees of the Organization
objectClass: organizationalUnit

dn: uid=test,ou=people,dc=example,dc=com
uid: test
cn: test
sn: test
userPassword: secret
objectClass: inetOrgPerson

Entries in LDIF are separated by a blank line, not by a line of dashes. A cleartext userPassword like the one in the last entry is stored exactly as written and handed to anyone the ACLs let read it; run slappasswd and use the {SSHA} value it prints instead, as was done for rootpw above.