The Lightweight Directory Access Protocol, or LDAP, is a protocol for querying and modifying an X.500-based directory service running over TCP/IP. The current LDAP version is LDAPv3, as
defined in RFC 4510, and the LDAP implementation used in Ubuntu is OpenLDAP, currently at version 2.4.25 (Oneiric).
In other words, LDAP is the protocol through which clients access LDAP directories.
Here are some key concepts and terms:
• An LDAP directory is a tree of data entries that is hierarchical in nature and is called the Directory
Information Tree (DIT).
• An entry consists of a set of attributes.
• An attribute has a type (a name/description) and one or more values.
• Every attribute must be defined in at least one objectClass.
• Attributes and objectClasses are defined in schemas (an objectClass is actually considered a
special kind of attribute).
• Each entry has a unique identifier: its Distinguished Name (DN or dn). This consists of its Relative
Distinguished Name (RDN) followed by the parent entry's DN.
• The entry's DN is not an attribute. It is not considered part of the entry itself.
For example, below we have a single entry consisting of 11 attributes.
Its DN is "cn=John Doe,dc=example,dc=com";
its RDN is "cn=John Doe";
and its parent DN is "dc=example,dc=com".
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Larry Smith,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
The above entry is in LDIF format (LDAP Data Interchange Format). Any information that you feed into your DIT must also be in this format. It is defined in RFC 2849.
Although this guide will describe how to use it for central authentication, LDAP is good for anything that involves a large number of access requests to a mostly-read, attribute-based (name:value) backend. Examples include an address book, a list of email addresses, and a mail server's configuration.
Install the OpenLDAP server daemon and the traditional LDAP management utilities. These are found in packages slapd and ldap-utils respectively.
The installation of slapd will create a working configuration. In particular, it will create a database instance that you can use to store your data.
Domain Suffix
However, the suffix (or base DN) of this instance is derived from the domain name of the local host.
If you want something different, edit /etc/hosts and replace the domain name with one that will give you the suffix you desire.
For instance, if you want a suffix of dc=example,dc=com then your file would have a line similar to this:
127.0.1.1 hostname.example.com hostname
You can revert the change after package installation.
Proceed with the install:
sudo apt-get install slapd ldap-utils
LDAP root user
During the install you were prompted to define administrative credentials.
These are LDAP-based credentials for the rootDN of your database instance. By default, this user's DN is
cn=admin,dc=example,dc=com.
Included Schemas
Some classical schemas (cosine, nis, inetorgperson) come built in with slapd nowadays. There is also an included "core" schema, a prerequisite for any schema to work.
Using Webmin we will create:
• an organizational unit named Groups to contain the groups
• an organizational unit named Users to contain the user accounts
• a sample group with groupid=5000
• a sample user with userid=10000 with a base group of 5000
Find the LDAP under the Servers Menu
OpenLDAP Configuration
Here you can change the settings, including the admin password.
Manage Schema
In this section you will find the list of installed schemas. You can view and change the existing schemas, but you should be careful when modifying a schema.
Explore the content of the core schema by clicking View and see the object attributes included in this schema.
Go to the Browse Database section.
Under the section Child Objects -> Add new sub-object
Create an OrganizationalUnit named Groups
Create an OrganizationalUnit named Users
Create a sample users group
Enter the OrganizationalUnit Groups and choose Add a new sub-object.
Managing LDAP Users and Groups using Webmin LDAP Users and Groups Module
This module is installed by default but must be configured in order to be able to connect to the LDAP server and manage the users and groups in an LDAP directory.
To configure the Webmin LDAP Users and Groups module:
On the module's main page, click on the Module Config link.
In the LDAP server host field, enter the hostname of your LDAP server. If it is running on the same machine, enter localhost.
If the LDAP server is using encryption, change the LDAP server uses TLS? option to Yes.
In the Bind to LDAP server as field, enter the full DN of the administrative user for your LDAP server. This might be something like cn=admin,dc=my-domain,dc=com.
In the Credentials for bind name above field, enter the password for the above administrative DN.
In the Base for users field, enter the DN under which all users can be found and under which new users should be created. This is typically something like ou=Users,dc=my-domain,dc=com.
Similarly, in the Base for groups field, enter the DN under which groups are found and under which new groups should be created. This is typically something like ou=Groups,dc=my-domain,dc=com.
Click the Save button.
Assuming that all your settings are correct, the module should now display a list of existing users and groups, with links to add new ones.
After the configuration the module will show a list of users and groups that are already in the ldap directory. We can add or modify users and groups from here.
Try to add a new user named student1 with a password of student1:
Configuring the LDAP client on LINUX
This module allows you to configure a Linux system as a client of an existing LDAP server. For this to work, your system must first have the packages required to act as a client installed, specifically the NSS LDAP client library and the PAM client library. The actual package names differ depending on your distribution, but on Debian and Ubuntu they are libnss-ldap and libpam-ldap respectively. On Red Hat and Fedora systems, they are both in the nss_ldap package.
Installing the ldap client
student@ubuntu:~$ sudo apt-get install libnss-ldap
[sudo] password for student:
student@ubuntu:~$ sudo apt-get install libpam-ldap
After the installation of the LDAP client you must configure the module.
LDAP Server Configuration
Here you enter the IP address or the hostname of the LDAP server and how the LDAP client should connect to it.
Under protocol choose Standard
LDAP Search Bases
In this section you define where the client should search for objects once connected to the server.
Services using LDAP
You must set LDAP as a second data source for each of the following services:
• Unix Users
• Unix Groups
• Unix shadow passwords
LDAP Browser
Under the LDAP browser you will be able to browse the content of the LDAP directory.
Authenticating against the LDAP database using SSH
student@ubuntu:~$ ssh alban@localhost
alban@localhost's password:
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-25-generic i686)
* Documentation: https://help.ubuntu.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
$ ls
examples.desktop MyDesktop MyDocuments
$
Connecting to the LDAP Server from another system
Connecting to the LDAP server with an LDAP browser such as JXplorer ( http://www.jxplorer.org/ ), an LDAP browser compatible with Windows, Linux, Mac etc., since it is based on the JVM.
To check which services are running on Ubuntu we can use the command service --status-all. The command will display all the running services that are located in /etc/init.d/.
service --status-all
Uninstalling the ldap-utils utilities package
root@ubuntu:/# apt-get remove --purge ldap-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
linux-headers-3.5.0-23 linux-headers-3.5.0-23-generic
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
ldap-utils*
0 upgraded, 0 newly installed, 1 to remove and 88 not upgraded.
After this operation, 671 kB disk space will be freed.
Do you want to continue [Y/n]? Y
(Reading database ... 200889 files and directories currently installed.)
Removing ldap-utils ...
Processing triggers for man-db ...
root@ubuntu:/#
Uninstalling slapd
root@ubuntu:/# apt-get remove --purge slapd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
linux-headers-3.5.0-23 libodbc1 linux-headers-3.5.0-23-generic
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
slapd*
0 upgraded, 0 newly installed, 1 to remove and 88 not upgraded.
After this operation, 4,162 kB disk space will be freed.
Do you want to continue [Y/n]? Y
(Reading database ... 200864 files and directories currently installed.)
Removing slapd ...
* Stopping OpenLDAP slapd [ OK ]
Purging configuration files for slapd ...
Removing slapd configuration... done.
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Processing triggers for ufw ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@ubuntu:/#
Checks after uninstallation
The slapd service
service --status-all
The slapd file in /etc/init.d/
root@ubuntu:/etc/init.d# ls -l sl*
ls: cannot access sl*: No such file or directory
root@ubuntu:/etc/init.d#
Delete the configuration and database files in /etc/
root@ubuntu:/etc# rm -r ld*
root@ubuntu:/etc# ls -l ld*
ls: cannot access ld*: No such file or directory
root@ubuntu:/etc#
If you are installing on a system from which a copy of LDAP has been uninstalled, first make sure that the LDAP configuration and database files have been deleted before you start the installation process. If the configuration files have not been deleted, the new installation will end up with the same configuration. If the files have been only partially deleted, there may be problems with the installation process or with the proper functioning of the server.
If the uninstallation was done using the --purge option, the configuration files have been deleted and a clean copy of OpenLDAP is installed.
Domain Suffix
The domain name will be taken from the fully qualified name of the server on which the LDAP server is being installed.
To obtain a correct domain name it is necessary to put two versions of the server name in /etc/hosts, the first the long version with the domain suffix and the second without the domain suffix. For example, if we want the domain to be called
dc=shembull,dc=local then we must modify the name of our server (ubuntu) as below
127.0.1.1 ubuntu.shembull.local ubuntu
This configuration can be modified later.
Caution:
We cannot put a domain suffix on the name localhost
Install the packages
sudo apt-get install slapd ldap-utils
The LDAP administrator
During the installation you will be asked to set the password of the LDAP administrator
By default this user has the DN:
cn=admin,dc=shembull,dc=local
After installation
The slapd service
After the installation a service named slapd is created.
service --status-all
A file with the service name slapd is also created in /etc/init.d/
root@ubuntu:/etc/init.d# ls sl* -l
-rwxr-xr-x 1 root root 5173 Oct 17 21:45 slapd
root@ubuntu:/etc/init.d#
The configuration database
The installation process creates two DITs, in LDIF format (LDAP Data Interchange Format):
• one for slapd-config
• and the other for the domain-specific data, for example (dc=example,dc=com)
Below we present a schematic view of the contents of the slapd-config database (DIT).
This database is in LDIF format and is located in /etc/ldap/slapd.d:
/etc/ldap/slapd.d/
├── cn=config
│   ├── cn=module{0}.ldif
│   ├── cn=schema
│   │   ├── cn={0}core.ldif
│   │   ├── cn={1}cosine.ldif
│   │   ├── cn={2}nis.ldif
│   │   └── cn={3}inetorgperson.ldif
│   ├── cn=schema.ldif
│   ├── olcBackend={0}hdb.ldif
│   ├── olcDatabase={0}config.ldif
│   ├── olcDatabase={-1}frontend.ldif
│   └── olcDatabase={1}hdb.ldif
└── cn=config.ldif
The slapd-config database must not be modified manually. Changes to the configuration database must be made through the LDAP protocol utilities.
To view the contents of the database using the LDAP utilities:
root@ubuntu:/etc# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config
root@ubuntu:/etc#
Explanation of the command
root@ubuntu:/etc# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
The ldapsearch command connects to the LDAP server and searches for objects in it.
Command options:
-Q , quiet mode (SASL), does not display any prompt
-L , results are displayed in LDAP Data Interchange Format, ldif(5); a single -L forces output in LDIFv1, a second L suppresses comments in the output, and a third L suppresses printing of the LDIF version
-Y , EXTERNAL specifies the SASL authentication mechanism
-H , specifies the URI of the server
-b , specifies the base where the search will start (cn=config)
dn, specifies that only the distinguished name will be displayed
Explanation of the database contents
cn=config: global settings
cn=module{0},cn=config: a dynamically loaded module
cn=schema,cn=config: contains the system schemas
cn={0}core,cn=schema,cn=config: the core schema
cn={1}cosine,cn=schema,cn=config: the cosine schema
cn={2}nis,cn=schema,cn=config: the nis schema
cn={3}inetorgperson,cn=schema,cn=config: the inetorgperson schema
olcBackend={0}hdb,cn=config: 'hdb' backend storage type
olcDatabase={-1}frontend,cn=config: frontend database, default settings for other databases
olcDatabase={0}config,cn=config: slapd configuration database (cn=config)
olcDatabase={1}hdb,cn=config: your database instance (dc=example,dc=com)
Whereas if we look at the database created for the domain endri.local
root@ubuntu:/etc# ldapsearch -x -LLL -H ldap:/// -b dc=endri,dc=local dn
dn: dc=endri,dc=local
dn: cn=admin,dc=endri,dc=local
root@ubuntu:/etc#
-x , use simple authentication
The last test, in which we searched the contents of our domain's database and noticed that there is an object for admin, shows that LDAP is installed correctly and we are ready to populate the database.
Populating the LDAP database
We will add a few objects to our database:
• an organizational unit called Users, to hold the users
• an organizational unit called Groups, to hold the groups
• a group named ictstudents
• a user named john
For this we will create an LDIF file named add_content.ldif
dn: ou=Users,dc=endri,dc=local
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=endri,dc=local
objectClass: organizationalUnit
ou: Groups

dn: cn=ictstudents,ou=Groups,dc=endri,dc=local
objectClass: posixGroup
cn: ictstudents
gidNumber: 5000

dn: uid=john,ou=Users,dc=endri,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
Import this file into the LDAP database
root@ubuntu:/home/student# ldapadd -x -D cn=admin,dc=endri,dc=local -W -f add_content.ldif
Enter LDAP Password:
adding new entry "ou=Users,dc=endri,dc=local"
adding new entry "ou=Groups,dc=endri,dc=local"
adding new entry "cn=ictstudents,ou=Groups,dc=endri,dc=local"
adding new entry "uid=john,ou=Users,dc=endri,dc=local"
root@ubuntu:/home/student#
Now we can verify that the objects have been added to the database by means of the ldapsearch command
root@ubuntu:/home/student# ldapsearch -x -LLL -b dc=endri,dc=local 'uid=john' cn gidNumber
dn: uid=john,ou=Users,dc=endri,dc=local
cn: John Doe
gidNumber: 5000
root@ubuntu:/home/student#
The ldapadd command takes the name of an LDIF file as an argument and imports the objects into the database.
If the objects already exist, it modifies them.
Command options:
-x , simple authentication (current credentials)
-D, bindDN: use this Distinguished Name to bind to LDAP
-f, file: read the data from an LDIF file
-W, prompt for the simple authentication password
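As an added example (not code from the page or from OpenLDAP), here is a small Python LDIF parser that applies the DN/RDN/parent DN terms from the introduction and runs the checks worth doing on a file like add_content.ldif before handing it to ldapadd: every entry's parent must already exist or appear earlier in the file (ldapadd rejects an entry whose parent is missing), posixAccount/posixGroup entries must carry their required attributes, and userPassword values without a {SCHEME} prefix are stored exactly as written, so the cleartext johnldap above would end up in the directory as is. The sample input is constructed from the page's entries, with the user deliberately placed before its ou=Users parent.

```python
import base64

# Attributes required by the nis-schema object classes the page's entries use.
REQUIRED = {"posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
            "posixGroup": {"cn", "gidNumber"}}
# Constructed sample: the page's user entry (shortened), placed BEFORE its
# ou=Users parent so the ordering check has something to report.
SAMPLE_LDIF = """\
dn: uid=john,ou=Users,dc=endri,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
uid: john
cn: John Doe
sn: Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
homeDirectory: /home/john

dn: ou=Users,dc=endri,dc=local
objectClass: organizationalUnit
ou: Users
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]; a blank line ends an entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append((cur.pop("dn")[0], cur))
            cur = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        cur.setdefault(name, []).append(value.strip())
    return entries

def check_ldif(text, base_dn):
    """Problems that would make ldapadd fail or leave a weak entry; [] means clean."""
    problems, known = [], {base_dn}
    for dn, attrs in parse_ldif(text):
        _, _, parent = dn.partition(",")  # DN = RDN followed by the parent's DN
        if parent not in known:  # ldapadd needs the parent entry to exist first
            problems.append(f"{dn}: parent {parent} not added yet")
        known.add(dn)
        for oc in REQUIRED.keys() & set(attrs.get("objectClass", [])):
            for miss in sorted(REQUIRED[oc] - set(attrs)):
                problems.append(f"{dn}: {oc} requires {miss}")
        for pw in attrs.get("userPassword", []):
            if not pw.startswith("{"):  # no {SSHA}/{CRYPT} scheme: stored as given
                problems.append(f"{dn}: userPassword is cleartext, hash it with slappasswd")
    return problems
```

Run check_ldif(SAMPLE_LDIF, "dc=endri,dc=local") to see the ordering and cleartext findings; swapping the two entries and replacing the password with a slappasswd hash makes the list empty.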