LDAP

From CSE330 Wiki
Jump to: navigation, search

This page contains information on LDAP, a database system commonly used for enterprise user management. LDAP is no longer covered in CSE330, but you may find the content here to be of interest.

What is LDAP?

LDAP is a Lightweight Directory Access Protocol. It is commonly used for getting personal and authentication information from a central server. More information for LDAP is available on the OpenLDAP website.

Your initial LDAP database

Before you start installing LDAP, lets look at what kind of information we are going to use. You can write this information to a text file to populate your LDAP database later. The structure you decide upon is also important as you have to let the LDAP server know what that structure is.

Lets assume we are creating an LDAP service for the Babylon 5 space station using files as initial entries. At the top, we need to define an organization and then we need to describe the organizational units. Our organizational unit will be Interstellar Alliance (ISA) and our subunits will be the planets belonging to this organization (Earth and Minbar for the sake of briefness). Then we will have information about people who are citizens of these planets.

We describe ISA with

dn: o=ISA
objectclass: top
objectClass: organization
o: ISA
description: Interstellar Alliance

The organization name (o) is ISA, and this entry has a distinct name (dn) of o=ISA. It is also an instance of classes top and organization. Under this organization, we need to have entries for Earth and Minbar.

dn: ou=Earth,o=ISA
ou: Earth
objectClass: top
objectClass: organizationalUnit
description: Human
dn: ou=Minbar,o=ISA
ou: Minbar
objectClass: top
objectClass: organizationalUnit
description: Minbari

Note that, dns for child nodes contain the path to reach them.

We also need an administrator for LDAP so that we can access and modify the entries later.

dn: cn=isaadmin,o=ISA
objectClass: organizationalRole
cn: isaadmin
description: LDAP directory administrator

Then we will have the information about people.

dn: cn=John Sheridan,ou=Earth,o=ISA
ou: Earth
o: ISA
cn: John Sheridan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenname: John
sn: Sheridan
postalAddress: Human Sector
l: Babylon 5
homeDirectory: /tmp
st: Babylon 5
telephoneNumber: (800)555-1212
homePhone: 800-555-1313
facsimileTelephoneNumber: 800-555-1414
userPassword: sheridan
title: Commander of Babylon 5 

This entry is an instance of a class derived from person, organizationalPerson,inetOrgPerson, hence its attributes are from those classes. There are several optional attributes these classes contain that are not included in the description of this particular person. If you want to use LDAP only to provide the information about the people, this description would be sufficient. But if you need to provide authentication to other systems, you need other information too. First of all, you need to inform LDAP that this entry also contains user information by adding object classes posixAccount and shadowAccount. Furthermore, you need to the give other information such as account name, user id, the groups this person belongs to, the home directory, etc.

So, a more general entry for this person could be:

dn: cn=John Sheridan,ou=Earth,o=ISA
ou: Earth
o: ISA
cn: John Sheridan
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenname: John
sn: Sheridan
uid: starkiller
postalAddress: Human Sector
l: Babylon 5
uidNumber: 1025
gidNumber: 9000
homeDirectory: /tmp
st: Babylon 5
telephoneNumber: (800)555-1212
homePhone: 800-555-1313
facsimileTelephoneNumber: 800-555-1414
userPassword: *
title: Commander of Babylon 5

So John Sheridan has account name starkiller with UID 1025 and home directory /tmp. Notice that, we set this person's group number to 9000. But how does a client machine know a group? LDAP also serves information about groups, so you can create a group entry.

dn: cn=chargroup,o=ISA
objectClass: posixGroup
objectClass: top
cn: chargroup
userPassword: {crypt}x
gidNumber: 9000

Finally, you can repeat this for other personal.

Setting up the server

In order to use LDAP, we need slapd, ldap-utils, libldap2, libldap2-dev packages.

apt-get install slapd  ldap-utils  libldap2 libldap2-dev

If the installation program asks for an admin password, type a password but don't worry about it much since we will create our own admin later.

slapd is an LDAP server. It has configuration files under /etc/ldap. For now, we are interested in slapd.conf. This files include some default schema that describes object classes you can use in your entities. It also describes a default LDAP directory database.

database bdb

describes a Berkley database that is going to be used (you can select other alternatives). It also has a default suffix. If you want, you modify the lines for the default database description or you can set up your own database. Basically,you need to select a suffix for your database (usually the organization's dn) and give the dn of the LDAP administrator and its password. Finally, you need to specify the permissions.

If we continue with Babylon 5 example, remember our organization had dn: o=ISA, so that will be our suffix

suffix "o=ISA"

We would also need to inform LDAP about the administrator account so that we can access LDAP and modify it.

rootdn          "cn=isaadmin,o=ISA"
rootpw          jms_rulez

In this example, the password was left in plain text, but you can also use encrypted passwords. We need to give the administrator the full access to modify the database:

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=isaadmin,o=ISA" write
        by * read

and the others can modify their own passwords:

access to attrs=userPassword,shadowLastChange
       by dn="cn=isaadmin,o=ISA" write
       by anonymous auth
       by self write
       by * none

Actually, the last bit needs to come before the administrator access since otherwise, it will overwrite the administrator's write access.

So we are now ready to use ldap. Since we have updated slapd.conf, we need to restart slapd.

/etc/init.d/slapd restart

and we need to populate the initial database:

ldapadd -f ~/babylon5.ldif -xv  -D "cn=isaadmin,o=ISA"  -h 127.0.0.1  -w jms_rulez

The format is

ldapadd -f LDIF_FILE_TO_BE_USED -xv -D "admin's dn' -h HOSTNAME_FOR_LDAP_SERVER -wADMIN_PASSWORD

The -x option tells LDAP to use plain authentication and -v says verbose output.

If you have problems, you can stop slapd and use

slapadd  -u -l babylon5.ldif -b o=ISA -cv

to see detailed error messages. slapadd accesses your database directory directly without going through the server. If you want to remove the LDAP directory, you can directly remove everything under /var/lib/ldap/ (the path specified in slapd.conf) and the next time you start slapd, it will create initial files (but you need to repopulate).

You can verify if your LDAP is working with

ldapsearch -x -b 'o=ISA'

ldapsearch takes other parameters to let you search for specific information. In the example, we look at all the entries that have o=ISA.

Setting up the client

First you need to install the client side packages:

apt-get install ldap-utils libpam-ldap libnss-ldap nscd

Now we need to inform Linux to look at LDAP for authentication. We do that by modifying /etc/nsswitch.conf:

passwd:     ldap compat
group:      ldap compat
shadow:     ldap compat

PAM is the Linux module that handles authentications which allows you to have different authentication protocols for different programs. We need to update the authentication methods to use LDAP for account information. This is done by editing files:

/etc/pam.d/common-account

account sufficient    pam_ldap.so
account required    pam_unix.so try_first_pass

/etc/pam.d/common-auth

auth sufficient        pam_ldap.so
auth required        pam_unix.so nullok_secure try_first_pass

/etc/pam.d/common-password

password sufficient    pam_ldap.so
password required    pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass

We also need to update /etc/ldap/ldap.conf (with your partner's information)

BASE  yourbase
URI   ldap://yourhost
rootbinddn  Your admin's dn

In our example case, it will be

BASE  o=ISA
URI   ldap://128.252.160.XXX  #replace XXX with the final IP number
rootbinddn  cn=isaadmin,o=ISA

and then similar changes go in /etc/libnss-ldap.conf (with your partner's information)

base o=ISA
host 128.252.160.xxx #replace xxx with your server's IP
rootbinddn  cn=isaadmin,o=ISA

Both libnss and pam_ldap get the rootbindn's password from text files so add your administrator's password there and make sure those files have 500 permissions.

/etc/libnss-ldap.secret and /etc/pam_ldap.secret

Finally you need to restart nscd

/etc/init.d/nscd restart

nscd somtimes uses a local cache which may not be updated after LDAP configuration. You could install install nscd after LDAP has been configured or disable the cache for the password file in ncsd configuration file /etc/nscd.conf

enable-cache passwd no

Now you can change the password of a user in LDAP with

password username 

You can get the password file with

getent passwd

Your LDAP entries should be there.

Alternatively, you can type

 getent passwd nameofauser

If you don't see anything after these commands, something is missing in your configuration. Make sure your admin password is right and URIs, bases are correct. Try to access the LDAP server by using ldapsearch:

ldapsearch -x -D 'cn=isaadmin,o=ISA' -w jms_rulez #make sure you have your parameters for -w (password) and -D (admin entity)