LDAP
This page contains information on LDAP, a database system commonly used for enterprise user management. LDAP is no longer covered in CSE330, but you may find the content here to be of interest.
Contents
What is LDAP?
LDAP is a Lightweight Directory Access Protocol. It is commonly used for getting personal and authentication information from a central server. More information for LDAP is available on the OpenLDAP website.
Your initial LDAP database
Before you start installing LDAP, lets look at what kind of information we are going to use. You can write this information to a text file to populate your LDAP database later. The structure you decide upon is also important as you have to let the LDAP server know what that structure is.
Lets assume we are creating an LDAP service for the Babylon 5 space station using files as initial entries. At the top, we need to define an organization and then we need to describe the organizational units. Our organizational unit will be Interstellar Alliance (ISA) and our subunits will be the planets belonging to this organization (Earth and Minbar for the sake of briefness). Then we will have information about people who are citizens of these planets.
We describe ISA with
dn: o=ISA objectclass: top objectClass: organization o: ISA description: Interstellar Alliance
The organization name (o) is ISA, and this entry has a distinct name (dn) of o=ISA. It is also an instance of classes top and organization. Under this organization, we need to have entries for Earth and Minbar.
dn: ou=Earth,o=ISA ou: Earth objectClass: top objectClass: organizationalUnit description: Human
dn: ou=Minbar,o=ISA ou: Minbar objectClass: top objectClass: organizationalUnit description: Minbari
Note that, dns for child nodes contain the path to reach them.
We also need an administrator for LDAP so that we can access and modify the entries later.
dn: cn=isaadmin,o=ISA objectClass: organizationalRole cn: isaadmin description: LDAP directory administrator
Then we will have the information about people.
dn: cn=John Sheridan,ou=Earth,o=ISA ou: Earth o: ISA cn: John Sheridan objectClass: top objectClass: person
objectClass: organizationalPerson objectClass: inetOrgPerson givenname: John sn: Sheridan postalAddress: Human Sector l: Babylon 5 homeDirectory: /tmp st: Babylon 5 telephoneNumber: (800)555-1212 homePhone: 800-555-1313 facsimileTelephoneNumber: 800-555-1414 userPassword: sheridan title: Commander of Babylon 5
This entry is an instance of a class derived from person, organizationalPerson,inetOrgPerson, hence its attributes are from those classes. There are several optional attributes these classes contain that are not included in the description of this particular person. If you want to use LDAP only to provide the information about the people, this description would be sufficient. But if you need to provide authentication to other systems, you need other information too. First of all, you need to inform LDAP that this entry also contains user information by adding object classes posixAccount and shadowAccount. Furthermore, you need to the give other information such as account name, user id, the groups this person belongs to, the home directory, etc.
So, a more general entry for this person could be:
dn: cn=John Sheridan,ou=Earth,o=ISA ou: Earth o: ISA cn: John Sheridan objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount objectClass: organizationalPerson objectClass: inetOrgPerson givenname: John sn: Sheridan uid: starkiller postalAddress: Human Sector l: Babylon 5 uidNumber: 1025 gidNumber: 9000 homeDirectory: /tmp st: Babylon 5 telephoneNumber: (800)555-1212 homePhone: 800-555-1313 facsimileTelephoneNumber: 800-555-1414 userPassword: * title: Commander of Babylon 5
So John Sheridan has account name starkiller with UID 1025 and home directory /tmp. Notice that, we set this person's group number to 9000. But how does a client machine know a group? LDAP also serves information about groups, so you can create a group entry.
dn: cn=chargroup,o=ISA
objectClass: posixGroup
objectClass: top
cn: chargroup
userPassword: {crypt}x
gidNumber: 9000
Finally, you can repeat this for other personal.
Setting up the server
In order to use LDAP, we need slapd, ldap-utils, libldap2, libldap2-dev packages.
apt-get install slapd ldap-utils libldap2 libldap2-dev
If the installation program asks for an admin password, type a password but don't worry about it much since we will create our own admin later.
slapd is an LDAP server. It has configuration files under /etc/ldap. For now, we are interested in slapd.conf. This files include some default schema that describes object classes you can use in your entities. It also describes a default LDAP directory database.
database bdb
describes a Berkley database that is going to be used (you can select other alternatives). It also has a default suffix. If you want, you modify the lines for the default database description or you can set up your own database. Basically,you need to select a suffix for your database (usually the organization's dn) and give the dn of the LDAP administrator and its password. Finally, you need to specify the permissions.
If we continue with Babylon 5 example, remember our organization had dn: o=ISA, so that will be our suffix
suffix "o=ISA"
We would also need to inform LDAP about the administrator account so that we can access LDAP and modify it.
rootdn "cn=isaadmin,o=ISA" rootpw jms_rulez
In this example, the password was left in plain text, but you can also use encrypted passwords. We need to give the administrator the full access to modify the database:
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=isaadmin,o=ISA" write
by * read
and the others can modify their own passwords:
access to attrs=userPassword,shadowLastChange
by dn="cn=isaadmin,o=ISA" write
by anonymous auth
by self write
by * none
Actually, the last bit needs to come before the administrator access since otherwise, it will overwrite the administrator's write access.
So we are now ready to use ldap. Since we have updated slapd.conf, we need to restart slapd.
/etc/init.d/slapd restart
and we need to populate the initial database:
ldapadd -f ~/babylon5.ldif -xv -D "cn=isaadmin,o=ISA" -h 127.0.0.1 -w jms_rulez
The format is
ldapadd -f LDIF_FILE_TO_BE_USED -xv -D "admin's dn' -h HOSTNAME_FOR_LDAP_SERVER -wADMIN_PASSWORD
The -x option tells LDAP to use plain authentication and -v says verbose output.
If you have problems, you can stop slapd and use
slapadd -u -l babylon5.ldif -b o=ISA -cv
to see detailed error messages. slapadd accesses your database directory directly without going through the server. If you want to remove the LDAP directory, you can directly remove everything under /var/lib/ldap/ (the path specified in slapd.conf) and the next time you start slapd, it will create initial files (but you need to repopulate).
You can verify if your LDAP is working with
ldapsearch -x -b 'o=ISA'
ldapsearch takes other parameters to let you search for specific information. In the example, we look at all the entries that have o=ISA.
Setting up the client
First you need to install the client side packages:
apt-get install ldap-utils libpam-ldap libnss-ldap nscd
Now we need to inform Linux to look at LDAP for authentication. We do that by modifying /etc/nsswitch.conf:
passwd: ldap compat group: ldap compat shadow: ldap compat
PAM is the Linux module that handles authentications which allows you to have different authentication protocols for different programs. We need to update the authentication methods to use LDAP for account information. This is done by editing files:
/etc/pam.d/common-account
account sufficient pam_ldap.so account required pam_unix.so try_first_pass
/etc/pam.d/common-auth
auth sufficient pam_ldap.so auth required pam_unix.so nullok_secure try_first_pass
/etc/pam.d/common-password
password sufficient pam_ldap.so password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass
We also need to update /etc/ldap/ldap.conf (with your partner's information)
BASE yourbase URI ldap://yourhost rootbinddn Your admin's dn
In our example case, it will be
BASE o=ISA URI ldap://128.252.160.XXX #replace XXX with the final IP number rootbinddn cn=isaadmin,o=ISA
and then similar changes go in /etc/libnss-ldap.conf (with your partner's information)
base o=ISA host 128.252.160.xxx #replace xxx with your server's IP rootbinddn cn=isaadmin,o=ISA
Both libnss and pam_ldap get the rootbindn's password from text files so add your administrator's password there and make sure those files have 500 permissions.
/etc/libnss-ldap.secret and /etc/pam_ldap.secret
Finally you need to restart nscd
/etc/init.d/nscd restart
nscd somtimes uses a local cache which may not be updated after LDAP configuration. You could install install nscd after LDAP has been configured or disable the cache for the password file in ncsd configuration file /etc/nscd.conf
enable-cache passwd no
Now you can change the password of a user in LDAP with
password username
You can get the password file with
getent passwd
Your LDAP entries should be there.
Alternatively, you can type
getent passwd nameofauser
If you don't see anything after these commands, something is missing in your configuration. Make sure your admin password is right and URIs, bases are correct. Try to access the LDAP server by using ldapsearch:
ldapsearch -x -D 'cn=isaadmin,o=ISA' -w jms_rulez #make sure you have your parameters for -w (password) and -D (admin entity)
