
**Introduction:**
OpenLDAP Software is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License. LDAP is a platform-independent protocol. Several common Linux distributions include OpenLDAP Software for LDAP support.
Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.
A client starts an LDAP session by connecting to an LDAP server (slapd, the Stand-alone LDAP Daemon), called a Directory System Agent (DSA), by default on TCP port 389. The client then sends an operation request to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order.
The client may request the following operations:
- StartTLS — use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
- Bind — authenticate and specify LDAP protocol version
- Search — search for and/or retrieve directory entries
- Compare — test if a named entry contains a given attribute value
- Add a new entry
- Delete an entry
- Modify an entry
- Modify Distinguished Name (DN) — move or rename an entry
- Abandon — abort a previous request
- Extended Operation — generic operation used to define other operations
- Unbind — close the connection (not the inverse of Bind)
**Installation:**
I am working on a client system now, so I used **ssh** to remotely access the system on which we have to deploy the OpenLDAP server.
**Installing Prerequisites:**
1. Berkeley Database: in the Ubuntu default configuration, OpenLDAP stores the directory inside a BDB database.
2. OpenSSL Libraries: these provide SSL and TLS security.
3. Cyrus SASL Library: this provides support for secure SASL authentication.
4. Perl programming language: this can provide custom back-end scripting.
5. iODBC database connectivity layer: OpenLDAP can store the directory in a relational database (RDBMS). The iODBC library is used to connect to the RDBMS.
**Install all these prerequisites through the command-line package management utilities (you can use the Synaptic graphical installer too):**
1. Berkeley Database:
**$ sudo apt-get install libdb5.1-dev lib-dev**
2. OpenSSL Libraries:
**$ sudo apt-get install libssl1.0.0 libssl-dev zlib1g-dev libssl-doc**
3. Cyrus SASL Library:
**$ sudo apt-get install libsasl2-2 libsasl2-modules**
4. iODBC database connectivity layer:
**$ sudo apt-get install iodbc2 libiodbc2 libiodbc2-dev**
**Installing OpenLDAP from source:**
Download the latest version (OpenLDAP-2.4.32) of OpenLDAP from:
[http://www.openldap.org/software/download/](http://www.openldap.org/software/download/)
Extract the downloaded .tgz file to your preferred location (like /home/user/):
**$ sudo tar xvf openldap-2.4.32.tgz**
Change directory to the extracted location, then build and install as root:
**$ sudo su -**
**\# ./configure --prefix=/usr/local/openldap**
**\# make depend**
**\# make**
**\# make test**
**\# make install**
\*make test is optional
After the installation finishes, the installed files are under the location we gave with “--prefix=” during ./configure.
Before getting started with configuring the OpenLDAP server, let's make the SSL/TLS certificate that is used for connection security. If you don't want any encryption you can skip this task.
**Creating a Certificate:**
**1.** Run CA.pl as the root user.
**$ sudo /usr/lib/ssl/misc/CA.pl -newcert**
Generating a 1024 bit RSA private key
..........................++++++
........................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: ****
Verifying - Enter PEM pass phrase: ****
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) \[AU\]:**IN**
State or Province Name (full name) \[Some-State\]:**Andhra Pradesh**
Locality Name (eg, city) \[\]:**Bangalore**
Organization Name (eg, company) \[Internet Widgits Pty Ltd\]:**Raman Research Institute**
Organizational Unit Name (eg, section) \[\]:**Computer**
Common Name (e.g. server FQDN or YOUR name) \[\]:**example.local.net**
Email Address \[\]:**[email protected]**
Certificate is in newcert.pem, private key is in newkey.pem
**2.** The new private key is password protected, which means you have to re-enter the pass phrase every time you start OpenLDAP. That’s going to cause problems if you want OpenLDAP to start automatically when the system boots (or if you don’t want to remember yet another password). Strip out the password using the openssl command-line tool:
**\# /usr/bin/openssl rsa -in newkey.pem -out newkey1.pem**
**3.** Move the public certificate and private key files to the locations given by TLSCertificateFile and TLSCertificateKeyFile in slapd.conf (which we will edit shortly):
**\# mv newcert.pem /usr/local/openldap/var/openldap-data/servercrt.pem**
**\# mv newkey1.pem /usr/local/openldap/var/openldap-data/serverkey.pem**
Note: /usr/local/openldap is the installed location, which contains these directories:
**bin etc include lib libexec sbin share var**
**Configuring slapd – Stand-alone LDAP daemon**
**1. Open the slapd.conf file, which is inside /usr/local/openldap/etc/openldap/**
**$ sudo vi /usr/local/openldap/etc/openldap/slapd.conf**
\#
\# See slapd.conf(5) for details on configuration options.
\# This file should NOT be world readable.
\#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
\# SSL/TLS certificates and keys location
TLSCipherSuite HIGH:MEDIUM
TLSCertificateFile /usr/local/openldap/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/local/openldap/var/openldap-data/serverkey.pem
\# ACL - Access Control List
\# (the "by" clauses must start with whitespace: they continue the "access" line)
access to attrs=userPassword
  by self write
  by dn="cn=admin,dc=example,dc=local,dc=net" write
  by anonymous auth
  by \* none
access to \*
  by dn="cn=admin,dc=example,dc=local,dc=net" write
  by self write
  by \* read
\#######################################################################
\# BDB database definitions
\#######################################################################
database monitor
database bdb
suffix "dc=example,dc=local,dc=net"
rootdn "cn=admin,dc=example,dc=local,dc=net"
\# rootpw: you can use any password; paste the hash generated with slappasswd (see below)
rootpw {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
directory /usr/local/openldap/var/openldap-data
index objectClass eq
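The ACL and rootpw lines are where this file most often goes wrong: slapd uses the first `access` clause that matches a request, so a catch-all `access to *` placed before the userPassword rule silently exposes password hashes to every reader, and a cleartext `rootpw` is readable by anyone who can read the file. The checker below is an added example, not code from this post or from the OpenLDAP project; it parses the directive/continuation-line syntax of slapd.conf(5) and reports those problems on a constructed sample modelled on the file above (the `SAMPLE_CONF` text and the message strings are the example's own).

```python
"""Lint the security-relevant parts of a slapd.conf-style file (added example)."""
import re

# Constructed sample modelled on the post's slapd.conf; deliberately keeps a
# cleartext rootpw so the checker has something to report.
SAMPLE_CONF = """\
# See slapd.conf(5) for details on configuration options.
include /usr/local/openldap/etc/openldap/schema/core.schema
TLSCipherSuite HIGH:MEDIUM
TLSCertificateFile /usr/local/openldap/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/local/openldap/var/openldap-data/serverkey.pem
access to attrs=userPassword
    by self write
    by dn="cn=admin,dc=example,dc=local,dc=net" write
    by anonymous auth
    by * none
access to *
    by dn="cn=admin,dc=example,dc=local,dc=net" write
    by self write
    by * read
database bdb
suffix "dc=example,dc=local,dc=net"
rootdn "cn=admin,dc=example,dc=local,dc=net"
rootpw secret
"""


def parse_directives(text):
    """Return (keyword, arguments) pairs; a line starting with whitespace
    continues the previous directive, '#' starts a comment."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            kw, rest = directives[-1]
            directives[-1] = (kw, rest + " " + raw.strip())
            continue
        parts = raw.strip().split(None, 1)
        directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return directives


def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    directives = parse_directives(text)
    keywords = [kw.lower() for kw, _ in directives]

    # 1. rootpw must be a {SCHEME}... hash, never the cleartext password
    for kw, rest in directives:
        if kw.lower() == "rootpw" and not re.match(r"\{[A-Za-z0-9]+\}", rest):
            findings.append("rootpw is stored in cleartext; use a slappasswd hash")

    # 2. both halves of the TLS configuration must be present
    for needed in ("tlscertificatefile", "tlscertificatekeyfile"):
        if needed not in keywords:
            findings.append(f"{needed} not set; TLS (StartTLS/ldaps) will not work")

    # 3. ACL order matters: slapd applies the first matching 'access' clause,
    #    so the userPassword rule must precede 'access to *' and deny everyone else
    access = [rest for kw, rest in directives if kw.lower() == "access"]
    pw_idx = next((i for i, r in enumerate(access) if "userpassword" in r.lower()), None)
    all_idx = next((i for i, r in enumerate(access) if r.lower().startswith("to *")), None)
    if pw_idx is None:
        findings.append("no ACL restricts userPassword")
    else:
        rule = access[pw_idx].lower()
        if all_idx is not None and all_idx < pw_idx:
            findings.append("'access to *' precedes the userPassword ACL, so the userPassword rule never matches")
        if "by * none" not in rule and "by * auth" not in rule:
            findings.append("userPassword ACL does not end with 'by * none' or 'by * auth'")
        if "by anonymous auth" not in rule and "by * auth" not in rule:
            findings.append("userPassword ACL grants no 'auth' access; simple binds cannot authenticate")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run it against your real file with `lint(open("/usr/local/openldap/etc/openldap/slapd.conf").read())`; the sample above reports only the cleartext rootpw, and swapping the two `access` blocks makes it report the ordering problem as well.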
**2.** Now open the LDAP client configuration file:
**$ sudo vi /usr/local/openldap/etc/openldap/ldap.conf**
BASE dc=example,dc=local,dc=net
\# you can specify the IP of the server instead of a hostname
URI ldap://ldapserver
**3. Rename DB\_CONFIG.example to DB\_CONFIG, inside /usr/local/openldap/var/openldap-data/**
**$ sudo mv /usr/local/openldap/var/openldap-data/DB\_CONFIG.example /usr/local/openldap/var/openldap-data/DB\_CONFIG**
**Adding the directory structure and users using an LDIF (LDAP Data Interchange Format) file:**
**$ sudo vi direcStrucNUser.ldif**
\# Root Node (entries must be separated by a blank line)
dn: dc=example,dc=local,dc=net
dc: example
o: example
objectclass: top
objectclass: dcObject
objectclass: organization

\# Sub-Tree: Group
dn: ou=group,dc=example,dc=local,dc=net
objectclass: organizationalUnit
objectclass: top
ou: group

\# Group Node: Child 1: vsp
dn: cn=vsp,ou=group,dc=example,dc=local,dc=net
cn: vsp
gidnumber: 500
objectclass: posixGroup
objectclass: top

\# Group Node: Child 2: computer
dn: cn=computer,ou=group,dc=example,dc=local,dc=net
cn: computer
gidnumber: 501
objectclass: posixGroup
objectclass: top

\# Sub-Tree: people
dn: ou=people,dc=example,dc=local,dc=net
objectclass: organizationalUnit
objectclass: top
ou: people

\# people node: child 1: Tushar Kant
dn: cn=Tushar Kant,ou=people,dc=example,dc=local,dc=net
cn: Tushar Kant
gidnumber: 500
givenname: Tushar
homedirectory: /home/users/tushar
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Kant
uid: tushar
uidnumber: 1000
userpassword: {crypt}$1$9uIEwT.1$WAm4YMlhoweT3nOvjvIBa.

\# people node: child 2: Arun Rajan
dn: cn=Arun Rajan,ou=people,dc=example,dc=local,dc=net
cn: Arun Rajan
gidnumber: 501
givenname: Arun
homedirectory: /home/users/exm1
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Rajan
uid: exm1
uidnumber: 1001
userpassword: {MD5}ICy5YqxZB1uWSwcVLSNLcA==
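slapadd rejects an LDIF file for reasons that are easy to miss by eye: entries run together without a blank separator, a child added before its parent, a DN outside the configured suffix, a posixAccount missing one of its mandatory attributes, or a userpassword typed in cleartext. The parser and validator below are an added example, not code from this post or from OpenLDAP; they implement the LDIF record rules the file above relies on (blank-line separators, `#` comments, `attr:: base64` values, folded lines) and check those conditions. The `SAMPLE_LDIF` text is constructed from the tree above with a placeholder password written in the base64 form so that decoding path is exercised.

```python
"""Parse and sanity-check an LDIF file before handing it to slapadd (added example)."""
import base64
import re

# Constructed sample: the post's tree, trimmed, with a placeholder {SSHA}x
# password given as 'userpassword:: <base64>' to exercise base64 decoding.
SAMPLE_LDIF = """\
# Root Node
dn: dc=example,dc=local,dc=net
dc: example
o: example
objectclass: top
objectclass: dcObject
objectclass: organization

# Sub-Tree: people
dn: ou=people,dc=example,dc=local,dc=net
objectclass: organizationalUnit
objectclass: top
ou: people

dn: cn=Tushar Kant,ou=people,dc=example,dc=local,dc=net
cn: Tushar Kant
gidnumber: 500
homedirectory: /home/users/tushar
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Kant
uid: tushar
uidnumber: 1000
userpassword:: e1NTSEF9eA==
"""

# RFC 2307 MUST attributes for posixAccount (lower-cased, attribute names are case-insensitive)
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidnumber", "gidnumber", "homedirectory")


def parse_ldif(text):
    """Return a list of {'dn', 'attrs', 'errors'} dicts, one per blank-line-separated record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:                   # sentinel blank line flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            current.append(line)
    entries = []
    for rec in records:
        entry = {"dn": None, "attrs": {}, "errors": []}
        for line in rec:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            if value.startswith(":"):            # 'attr:: base64' form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name == "dn":
                if entry["dn"] is not None:
                    entry["errors"].append("second 'dn:' inside one record; entries must be separated by a blank line")
                else:
                    entry["dn"] = value
            else:
                entry["attrs"].setdefault(name, []).append(value)
        entries.append(entry)
    return entries


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def validate(entries, suffix):
    """Return the problems slapadd would trip over; an empty list means the file looks sane."""
    problems, seen = [], set()
    for n, entry in enumerate(entries, 1):
        problems.extend(f"record {n}: {err}" for err in entry["errors"])
        dn = entry["dn"]
        if dn is None:
            problems.append(f"record {n}: missing dn")
            continue
        dn_l = dn.lower()
        if not dn_l.endswith(suffix.lower()):
            problems.append(f"{dn}: not under suffix {suffix}")
        parent = ",".join(split_rdns(dn)[1:]).lower()
        if dn_l != suffix.lower() and parent not in seen:   # slapadd needs parents first
            problems.append(f"{dn}: parent entry '{parent}' not defined earlier")
        seen.add(dn_l)
        attrs = entry["attrs"]
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if not classes:
            problems.append(f"{dn}: no objectclass")
        if "posixaccount" in classes:
            for must in POSIX_ACCOUNT_MUST:
                if must not in attrs:
                    problems.append(f"{dn}: posixAccount requires {must}")
        for pw in attrs.get("userpassword", []):
            if not pw.startswith("{"):
                problems.append(f"{dn}: userpassword is not a {{scheme}} hash")
    return problems


if __name__ == "__main__":
    for problem in validate(parse_ldif(SAMPLE_LDIF), "dc=example,dc=local,dc=net") or ["no problems"]:
        print(problem)
```

Run `validate(parse_ldif(open("direcStrucNUser.ldif").read()), "dc=example,dc=local,dc=net")` before slapadd; removing the blank lines from the sample collapses it into one record and the validator reports the duplicated `dn:` lines instead of letting slapadd fail later.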
**Adding the LDIF information into the directory:**
**$ sudo slapadd -v -f /usr/local/openldap/etc/openldap/slapd.conf -l direcStrucNUser.ldif**
Note: slapadd requires the directory to be taken off-line (stop slapd first).
**Starting and stopping the slapd daemon:**
**To Start:**
**$ cd /usr/local/openldap/libexec/**
**$ sudo ./slapd**
**To Stop:**
**$ sudo kill `pgrep slapd`**
**Search the added users:**
**$ sudo su -**
**\# cd /usr/local/openldap/bin**
**\# ./ldapsearch -x -W -D 'cn=admin,dc=example,dc=local,dc=net' -b 'ou=people,dc=example,dc=local,dc=net'**
\* The LDAP password is asked for at this point; enter the rootpw as defined in slapd.conf.
\* If everything is working fine, this command returns all the users under ou=people.
**Making a backup of the entire database, i.e. dumping the whole database into an LDIF file:**
**$ sudo su -**
**\# kill `pgrep slapd`**
**\# cd /usr/local/openldap/sbin**
**\# ./slapcat -l /home/user/backup.ldif**
**Generating the hashed password to be used for the rootpw variable in slapd.conf:**
**\# cd /usr/local/openldap/sbin**
**\# ./slappasswd -h {MD5} -s testPassword**
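slappasswd prints the value in the RFC 2307 style slapd expects: a `{SCHEME}` prefix followed by base64 of the digest, with a random salt appended to the digest for the salted schemes. The functions below are an added example, not code from this post or from OpenLDAP; they produce and verify `{MD5}`, `{SMD5}`, `{SHA}` and `{SSHA}` values in that format so you can see why `{SSHA}` is the better choice for rootpw and userPassword: two accounts with the same password get identical `{MD5}` strings but different `{SSHA}` strings. The `{crypt}` scheme used for one user in the LDIF above is not covered here, and `verify_password` returns False for it.

```python
"""Generate and verify {MD5}/{SMD5}/{SHA}/{SSHA} userPassword values (added example)."""
import base64
import hashlib
import hmac
import os

DIGEST = {"MD5": hashlib.md5, "SMD5": hashlib.md5, "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
SALTED = {"SMD5", "SSHA"}


def hash_password(password, scheme="SSHA", salt=None):
    """Return '{SCHEME}' + base64(digest [+ salt]). Salted schemes hash
    password||salt and append the salt so the verifier can recover it;
    a 4-byte random salt is used unless one is supplied (for tests)."""
    scheme = scheme.upper()
    if scheme not in DIGEST:
        raise ValueError(f"unsupported scheme {scheme}")
    data = password.encode("utf-8")
    if scheme in SALTED:
        salt = os.urandom(4) if salt is None else salt
        raw = DIGEST[scheme](data + salt).digest() + salt
    else:
        raw = DIGEST[scheme](data).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def verify_password(password, stored):
    """Check a candidate password against a stored '{SCHEME}base64' value.
    Unknown or malformed schemes (including {crypt}) return False."""
    scheme, sep, b64 = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    if not sep or scheme not in DIGEST:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    dlen = DIGEST[scheme]().digest_size
    if scheme in SALTED:
        digest, salt = raw[:dlen], raw[dlen:]
    else:
        digest, salt = raw, b""
    expected = DIGEST[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)   # constant-time comparison


if __name__ == "__main__":
    # Same password, two users: unsalted output repeats, salted output does not.
    print(hash_password("testPassword", "MD5"), hash_password("testPassword", "MD5"))
    print(hash_password("testPassword", "SSHA"), hash_password("testPassword", "SSHA"))
```

Paste the `{SSHA}...` string into `rootpw` (or into `userpassword:` in the LDIF); slapd recognises the scheme prefix and verifies simple binds against it the same way `verify_password` does.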
**Adding entries into the directory without taking it off-line:**
**\# cd /usr/local/openldap/bin**
**\# ./ldapadd -x -W -D 'cn=admin,dc=example,dc=local,dc=net'**
Type the entries exactly as written in the LDIF file; don't break the formatting rules.
**Configuring Clients for Authentication:**
Our master server has started and is working quite well. Now it's time to configure the client (or slave server).
**Installing Prerequisite:**
$ sudo apt-get install libpam-ldap
After this a series of questions will be asked. Enter the following values in sequence:
- LDAP server location: **ldap://<IP of Master server>**
- Root DN: in our case it's “**dc=example,dc=local,dc=net**”
- LDAP version: **3**
- Make local root database admin?: **Yes**
- Does LDAP require login?: **No**
- LDAP root account: in our case it's “**cn=admin,dc=example,dc=local,dc=net**”
- LDAP root password: ****
All these changes are written to the /etc/ldap/ldap.conf file, which will look like this:
\#
\# LDAP Defaults
\#
\# See ldap.conf(5) for details
\# This file should be world readable but not world writable.
BASE dc=example,dc=local,dc=net
URI ldap://<IP of Master server>
ldap\_version 3
rootbinddn cn=admin,dc=example,dc=local,dc=net
pam\_password md5
To run through the same configuration dialogue again later, use:
**$ sudo dpkg-reconfigure ldap-auth-config**
Also install nscd, the Name Service Cache Daemon:
**$ sudo apt-get install nscd**
**Configuring our pam module:**
First add the master server's IP and name in /etc/hosts:
**$ sudo vi /etc/hosts**
Then make the changes below as I did:
**$ sudo su -**
**\# vi /etc/nsswitch.conf**
\# pre\_auth-client-config # passwd: ldap compat
passwd: files ldap
\# pre\_auth-client-config # group: ldap compat
group: files ldap
\# pre\_auth-client-config # shadow: ldap compat
shadow: files ldap
**\# vi /etc/pam.d/common-auth**
auth sufficient pam\_unix.so nullok\_secure
auth required pam\_ldap.so use\_first\_pass
auth required pam\_permit.so
**\# vi /etc/pam.d/common-account**
account sufficient pam\_unix.so
account required pam\_ldap.so
**\# vi /etc/pam.d/common-session**
session required pam\_unix.so
session required pam\_mkhomedir.so skel=/etc/skel/ umask=0022
**\# vi /etc/pam.d/common-password**
password sufficient pam\_unix.so obscure MD5
password required pam\_ldap.so try\_first\_pass
password requisite pam\_deny.so
password required pam\_permit.so
**\# service nscd restart**
**or**
**\# /etc/init.d/nscd restart**
**\# vi /etc/passwd**
Append this line (6 colons):
+::::::
**\# vi /etc/shadow**
Append this line (8 colons):
+::::::::
**\# /etc/init.d/nscd restart**
**Now test your client:**
**$ id tushar**
**uid=1000(tushar) gid=500(vsp) groups=500(vsp)**
**$ id exm1**
**uid=1001(exm1) gid=501(computer) groups=501(computer)**
**$ ssh tushar@ldapclient**
**tushar@ldapclient's password:**
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)
\* Documentation: https://help.ubuntu.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/\*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Sep 21 15:40:56 2012 from localhost
**$**
**Using PhpLdapAdmin for easy directory management:**
**Installation over master server:**
**$ ssh -X serveruser@MasterServer**
**$ sudo apt-get install phpldapadmin**
After installation, point your browser at the IP address of the master server with **/phpldapadmin** appended,
**or**, if you are on the server itself, open **localhost/phpldapadmin**.
**It will look like this; now log in with your root DN and have fun editing or creating users and groups.**
[![](http://4.bp.blogspot.com/-83i2WmWysVw/UYzoU1BZMGI/AAAAAAAAAGQ/-nXQ_daRZJw/s400/Screenshot+from+2012-09-21+15:52:40.png)](http://4.bp.blogspot.com/-83i2WmWysVw/UYzoU1BZMGI/AAAAAAAAAGQ/-nXQ_daRZJw/s1600/Screenshot+from+2012-09-21+15:52:40.png)
[![](http://1.bp.blogspot.com/-JcAL_P5daVs/UYzoUgAhzNI/AAAAAAAAAGM/EAAugrI02uQ/s400/Screenshot+from+2012-09-21+15:58:20.png)](http://1.bp.blogspot.com/-JcAL_P5daVs/UYzoUgAhzNI/AAAAAAAAAGM/EAAugrI02uQ/s1600/Screenshot+from+2012-09-21+15:58:20.png)
