Author Photo

Being a Linux Enthusiast and a Fan of Open Source Software, I created Ahmer’s SysAdmin Recipes blog to share my experiences with other System Administrators. The curiosity doesn’t let me stop; therefore, I am constantly trying to learn new software tools and techniques. Whereas I also have the passion and the patience to teach the others.

I am always ready to accept new challenges and wish to explore the areas, that I haven’t worked on. Please give me your feedback and help me improve this blog.

Tuesday, 29 May 2018

Configure Remote Authentication Server using OpenLDAP 2.4

configure-remote-authentication-serverOpenLDAP is a free and open-source implementation of the Light Directory Access Protocol (LDAP). The LDAP is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an IP network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.

In this post, I will demonstrate you how to configure a Central Remote Authentication Server using OpenLDAP v2.4 on platform RHEL 7.

 

System Specification:

For this demonstration, I have provisioned a VM with following specification. Please do not confuse these specification with the minimum system requirements for OpenLDAP.

CPU 2.4 Ghz (1 core)
Memory 1 GB
Storage 20 GB
Swap 2 GB
Operating System RHEL 7.0

I have done some initial configurations in VM, that includes setting up hostname, IP address and Yum Repository.

Hostname ldapserver.itlab.com
IP Address 192.168.116.3/24

 

Configure LDAP Server:

Login to VM with root user, and install openldap packages.

[root@ldapserver ~]# yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-devel

Create database from template.

[root@ldapserver ldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@ldapserver ldap]# slaptest -u config file testing succeeded [root@ldapserver ldap]# chown ldap:ldap /var/lib/ldap/*

Start and Enable the slapd service.

[root@ldapserver ~]# systemctl enable slapd && systemctl start slapd ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'

Allow ldaps port in Firewall.

[root@ldapserver ~]# firewall-cmd --permanent --add-service=ldaps success [root@ldapserver ~]# firewall-cmd --reload success

Configure OpenLDAP syslog.

[root@ldapserver ~]# cat >> /etc/rsyslog.conf << EOF > #LDAP Logging > local4.* /var/log/openldap.log > EOF [root@ldapserver ~]# systemctl restart rsyslog

Add required schemas to our OpenLDAP Directory.

[root@ldapserver ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/cosine.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config" [root@ldapserver ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f /etc/openldap/schema/nis.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config"

Generate Password hash 123 for Directory Manager.

[root@ldapserver ~]# slappasswd New password: Re-enter new password: {SSHA}mNOljCtwWbG0P88Hu+jqsrkUOzjfqvak

Copy the Password hash, we will need it in later configurations. Add initial database configurations.

[root@ldapserver ldap]# mkdir ~/ldap [root@ldapserver ldap]# cd ~/ldap
[root@ldapserver ldap]# cat > db.ldif << EOF > dn: olcDatabase={2}hdb,cn=config > changetype: modify > replace: olcSuffix > olcSuffix: dc=itlab,dc=com > > dn: olcDatabase={2}hdb,cn=config > changetype: modify > replace: olcRootDN > olcRootDN: cn=ldapadm,dc=itlab,dc=com > > dn: olcDatabase={2}hdb,cn=config > changetype: modify > replace: olcRootPW > olcRootPW: {SSHA}mNOljCtwWbG0P88Hu+jqsrkUOzjfqvak > EOF [root@ldapserver ldap]# ldapmodify -Y EXTERNAL  -H ldapi:/// -f db.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config"

Since, we are planning to run this service in TLS mode, therefore, must required to create security certificates for this purpose. For simplicity, I am using Self-Signed certificates, However, you can use a Signed Certificate, if you have a Certification Authority (CA) configured for your network.

[root@ldapserver ~]# openssl req -new -x509 -nodes -out /etc/openldap/certs/ldapserver.pem -keyout /etc/openldap/certs/ldapserver.key -days 365 Generating a 2048 bit RSA private key .........................+++ ..................................................................+++ writing new private key to '/etc/openldap/certs/ldapserver.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:PK State or Province Name (full name) []:Sindh Locality Name (eg, city) [Default City]:Karachi Organization Name (eg, company) [Default Company Ltd]:XYZ Organizational Unit Name (eg, section) []:IT Lab Common Name (eg, your name or your server's hostname) []:ldapserver.itlab.com Email Address []:root@ldapserver.itlab.com [root@ldapserver ~]# cd /etc/openldap/certs [root@ldapserver certs]# chown ldap:ldap * [root@ldapserver certs]# chmod 600 ldapserver.key

Edit the following directive in /etc/sysconfig/slapd to enable service to run in TLS mode.

SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

Now, add security certificate and private key to LDAP configurations.

[root@ldapserver ~]# cd ~/ldap [root@ldapserver ldap]# cat > cert.ldif << EOF > dn: cn=config > changetype: modify > replace: olcTLSCertificateFile > olcTLSCertificateFile: /etc/openldap/certs/ldapserver.pem > > dn: cn=config > changetype: modify > replace: olcTLSCertificateKeyFile > olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserver.key > > dn: cn=config > changetype: modify > replace: olcLogLevel > olcLogLevel: -1 > EOF [root@ldapserver ldap]# ldapmodify -Y EXTERNAL  -H ldapi:/// -f cert.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" modifying entry "cn=config" modifying entry "cn=config"

Create directory, LDAP Manager user, and two Organisational units for holding users and groups entries.

[root@ldapserver ldap]# cd ~/ldap [root@ldapserver ldap]# cat > base.ldif << EOF > dn: dc=itlab,dc=com > dc: itlab > objectClass: top > objectClass: domain > > dn: cn=ldapadm ,dc=itlab,dc=com > objectClass: organizationalRole > cn: ldapadm > description: LDAP Manager > > dn: ou=People,dc=itlab,dc=com > objectClass: organizationalUnit > ou: People > > dn: ou=Groups,dc=itlab,dc=com > objectClass: organizationalUnit > ou: Groups > EOF [root@ldapserver ldap]# ldapadd -x -W -D "cn=ldapadm,dc=itlab,dc=com" -f base.ldif Enter LDAP Password: adding new entry "dc=itlab,dc=com" adding new entry "cn=ldapadm ,dc=itlab,dc=com" adding new entry "ou=People,dc=itlab,dc=com" adding new entry "ou=Groups,dc=itlab,dc=com"

Define access levels for the directory.

[root@ldapserver ldap]# cd ~/ldap [root@ldapserver ldap]# cat > access.ldif << EOF > dn: olcDatabase={1}monitor,cn=config > changetype: modify > replace: olcAccess > olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=itlab,dc=com" read by * none > > changetype: modify > replace: olcAccess > olcAccess: {0}to dn.subtree="dc=itlab,dc=com" by dn.base="cn=ldapadm,dc=itlab,dc=com" manage by * read > EOF [root@ldapserver ldap]# ldapmodify -Y EXTERNAL  -H ldapi:/// -f access.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}monitor,cn=config"

Let’s create three groups. Groups ahmer & mansoor here are defined to be utilized as the Primary groups for the Users ahmer & mansoor. While group dba will be used as a suplementary group for both users.

[root@ldapserver ldap]# cd ~/ldap [root@ldapserver ldap]# cat > groups.ldif << EOF > dn: cn=ahmer,ou=Groups,dc=itlab,dc=com > cn: ahmer > objectClass: posixGroup > objectClass: top > gidNumber: 10001 > memberuid: ahmer > > dn: cn=mansoor,ou=Groups,dc=itlab,dc=com > cn: mansoor > objectClass: posixGroup > objectClass: top > gidNumber: 10002 > memberuid: mansoor > > dn: cn=dba,ou=Groups,dc=itlab,dc=com > cn: dba > objectClass: posixGroup > objectClass: top > gidNumber: 10003 > memberuid: ahmer > memberuid: mansoor > EOF [root@ldapserver ldap]# ldapadd -x -W -D "cn=ldapadm,dc=itlab,dc=com" -f groups.ldif Enter LDAP Password: adding new entry "cn=ahmer,ou=Groups,dc=itlab,dc=com" adding new entry "cn=mansoor,ou=Groups,dc=itlab,dc=com" adding new entry "cn=dba,ou=Groups,dc=itlab,dc=com"

Now create users.

[root@ldapserver ldap]# cd ~/ldap [root@ldapserver ldap]# cat > users.ldif << EOF > dn: uid=ahmer,ou=People,dc=itlab,dc=com > uid: ahmer > cn: ahmer > objectClass: account > objectClass: posixAccount > objectClass: top > objectClass: shadowAccount > userPassword: {crypt}a > shadowLastChange: 17665 > shadowMin: 0 > shadowMax: 99999 > shadowWarning: 7 > loginShell: /bin/bash > uidNumber: 10001 > gidNumber: 10001 > homeDirectory: /home/ahmer > > dn: uid=mansoor,ou=People,dc=itlab,dc=com > uid: mansoor > cn: mansoor > objectClass: account > objectClass: posixAccount > objectClass: top > objectClass: shadowAccount > userPassword: {crypt}a > shadowLastChange: 17665 > shadowMin: 0 > shadowMax: 99999 > shadowWarning: 7 > loginShell: /bin/bash > uidNumber: 10002 > gidNumber: 10002 > homeDirectory: /home/mansoor > EOF [root@ldapserver ldap]# ldapadd -x -W -D "cn=ldapadm,dc=itlab,dc=com" -f users.ldif Enter LDAP Password: adding new entry "uid=ahmer,ou=People,dc=itlab,dc=com" adding new entry "uid=mansoor,ou=People,dc=itlab,dc=com"

Set passwords for the users.

[root@ldapserver ldap]# ldappasswd -S -x -D "cn=ldapadm,dc=itlab,dc=com" -W "uid=ahmer,ou=People,dc=itlab,dc=com" New password: Re-enter new password: Enter LDAP Password: [root@ldapserver ldap]# ldappasswd -S -x -D "cn=ldapadm,dc=itlab,dc=com" -W "uid=mansoor,ou=People,dc=itlab,dc=com" New password: Re-enter new password: Enter LDAP Password:

We can also use an LDAP browser utility to manage our directory. Following is a screenshot of our directory at this time.

image

There are various commercial and free LDAP Directory Browsers and Admins tools are available. I used LDAPAdmin for this job.

 

Configure LDAP Client:

Now, I am going to configure a Linux client to use our LDAP directory for Remote Authentication. I have a client machine here with hostname=Desktop1, that I use for this purpose. First of all, make sure that hostname of our LDAP Directory Server must be resolvable, because we are using Hostname ldapserver.itlab.com for the Common Name in the Security Certificate.

[root@desktop1 ~]# echo 192.168.116.3 ldapserver.itlab.com ldapserver >> /etc/hosts

Now install required packages.

[root@desktop1 ~]# yum -y install openldap sssd Loaded plugins: langpacks, product-id, subscription-manager This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast localyum                                                                                           | 4.1 kB  00:00:00 Package openldap-2.4.39-3.el7.x86_64 already installed and latest version Package sssd-1.11.2-65.el7.x86_64 already installed and latest version Nothing to do [root@desktop1 home]# systemctl start sssd && systemctl enable sssd ln -s '/usr/lib/systemd/system/sssd.service' '/etc/systemd/system/multi-user.target.wants/sssd.service'

Since, we are using LDAPS, therefore, we have to copy the Self-Signed Certificate to our client machine.

[root@desktop1 ~]# scp root@ldapserver.itlab.com:/etc/openldap/certs/ldapserver.pem /etc/openldap/cacerts/ldapserver.pem The authenticity of host 'ldapserver.itlab.com (192.168.116.3)' can't be established. ECDSA key fingerprint is 4c:7f:83:39:d1:bc:ef:4c:fd:58:82:7b:36:ff:9e:f2. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'ldapserver.itlab.com,192.168.116.3' (ECDSA) to the list of known hosts. root@ldapserver.itlab.com's password: ldapserver.pem                                                                          100% 1452     1.4KB/s   00:00

Now configure Remote Authentication with LDAP on client machine.

[root@desktop1 ~]# authconfig --update --enableldap --enableldapauth --enableldaptls --ldapserver=ldaps://ldapserver.itlab.com --ldapbasedn="dc=itlab,dc=com" --enablemkhomedir

Now connect using an LDAP User.

[root@desktop1 home]# su - ahmer
Creating directory '/home/ahmer'. Last login: Mon May 28 11:28:17 PDT 2018 on pts/0 [ahmer@desktop1 ~]$ id uid=10001(ahmer) gid=10001(ahmer) groups=10001(ahmer),10003(dba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Our client machine is now configured to authenticate to the OpenLDAP remote authentication server.

Configure Remote Authentication Server using OpenLDAP 2.4


YOU MIGHT ALSO LIKE:

No comments:

Post a Comment