Using LDAP now… and no, it is not a drug. I started to set up LDAP on my home network to get a better understanding of this service. I'm getting there but it takes time.
Using: Fedora Core 6 with openldap, and the Thunderbird email client to look up my email addresses.
Install and configure ldap
# yum install openldap openldap-clients openldap-servers
# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# slappasswd
New password:
Re-enter new password:
{SSHA}5WcnZ/3lXJXf72pyS5Nv2z3sjNVrpm2m
# vi /etc/openldap/slapd.conf
database        bdb
suffix          "dc=r71,dc=nl"
rootdn          "cn=Manager,dc=r71,dc=nl"
rootpw          {SSHA}5WcnZ/3lXJXf72pyS5Nv2z3sjNVrpm2m
(rootpw takes the hash that slappasswd printed, never the cleartext password; leave slapd.conf readable only by root and the ldap group, as it is installed)
# service ldap start
# chkconfig --level 3 ldap on
# grep root:x: /etc/passwd > /etc/openldap/passwd.root
# grep roderick /etc/passwd > /etc/openldap/passwd.ldapusers
# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.root /etc/openldap/root.ldif
# cat /etc/openldap/root.ldif
dn: uid=root,ou=People,dc=r71,dc=nl
uid: root
cn: Manager
(the script also copies the password hash from /etc/shadow into the entry as userPassword: {crypt}..., so treat these LDIF files and the passwd.* extracts like /etc/shadow and delete them after the import. Putting root into the directory is done here only to try it out; keep root and the other system accounts local, so the machine stays usable when the directory is unreachable and root's hash is not handed to every client.)
# /usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.ldapusers /etc/openldap/ldapusers.ldif
# vi /etc/openldap/r71.nl.ldif
dn: dc=r71,dc=nl
dc: r71
o: r71.nl
objectClass: dcObject
objectClass: organization

dn: ou=People,dc=r71,dc=nl
ou: People
objectClass: organizationalUnit

dn: ou=contacts,ou=People,dc=r71,dc=nl
ou: contacts
objectClass: organizationalUnit
(each entry needs its objectClass lines and the attributes they require, such as dc and o for the root entry, otherwise ldapadd rejects it; entries are separated by a blank line)
# ldapadd -x -D "cn=Manager,dc=r71,dc=nl" -W -f /etc/openldap/r71.nl.ldif
# ldapsearch -x -b 'dc=r71,dc=nl'
# ldapadd -x -D "cn=Manager,dc=r71,dc=nl" -W -f /etc/openldap/root.ldif
# ldapadd -x -D "cn=Manager,dc=r71,dc=nl" -W -f /etc/openldap/ldapusers.ldif
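To show what the migrate_passwd.pl step above actually produces, here is an added example that is not part of the original post and not the OpenLDAP migration tools themselves: a small shell re-implementation that turns passwd and shadow lines into the same kind of LDIF entries, skipping system accounts and locked accounts. The passwd and shadow contents, the crypt hashes and the user names other than roderick are constructed for the demo; the base DN dc=r71,dc=nl and ou=People are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal stand-in for
# migrate_passwd.pl that shows the LDIF it emits. Input files are constructed.

# passwd_to_ldif PASSWD_LINE CRYPT_HASH BASE_DN -> one LDIF entry on stdout
passwd_to_ldif() {
  _line=$1; _hash=$2; _base=$3
  IFS=: read -r _user _pw _uid _gid _gecos _home _shell <<EOF
$_line
EOF
  _cn=${_gecos%%,*}                # full name is the first gecos field
  [ -n "$_cn" ] || _cn=$_user
  cat <<EOF
dn: uid=$_user,ou=People,$_base
uid: $_user
cn: $_cn
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$_hash
loginShell: $_shell
uidNumber: $_uid
gidNumber: $_gid
homeDirectory: $_home

EOF
}

# migrate_users PASSWD_FILE SHADOW_FILE BASE_DN [MIN_UID]
# Emits entries for every account with uid >= MIN_UID (500 on FC6) that has a
# usable hash; root, system accounts and locked accounts ("!"/"*") stay local.
migrate_users() {
  _pfile=$1; _sfile=$2; _base=$3; _min=${4:-500}
  while IFS= read -r _l; do
    _u=${_l%%:*}
    _id=$(printf '%s\n' "$_l" | cut -d: -f3)
    [ "$_id" -ge "$_min" ] || continue
    _h=$(awk -F: -v u="$_u" '$1 == u { print $2; exit }' "$_sfile")
    case $_h in ''|'!'*|'*'*) continue ;; esac
    passwd_to_ldif "$_l" "$_h" "$_base"
  done < "$_pfile"
}

# --- demo with constructed input (the hashes are placeholders, not real) ---
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
roderick:x:500:500:Roderick,,,:/home/roderick:/bin/bash
guest:x:501:501:Guest:/home/guest:/bin/bash
EOF
cat > "$demo/shadow" <<'EOF'
root:$1$salt0000$placeholderhashforroot:13500:0:99999:7:::
roderick:$1$salt1111$placeholderhashforuser:13500:0:99999:7:::
guest:!!:13500:0:99999:7:::
EOF
migrate_users "$demo/passwd" "$demo/shadow" "dc=r71,dc=nl"   # only roderick appears
rm -rf "$demo"
```

Feed the output to ldapadd exactly as with the Perl script; because the entries carry the {crypt} hashes, the generated file deserves the same protection as /etc/shadow.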
Backup ldap database
# slapcat -l <filename> -f <slapdconfigfile>
(stop slapd first for a consistent dump; the dump holds the password hashes of every user, so keep it readable by root only)
Open port 389 in iptables (the FC6 firewall; ipconfig is a Windows command). Port 389 carries simple binds in the clear unless the client uses STARTTLS, so open it only to the local network.
Setting up slapd (ssl connection for ldap)
You can create a self-signed cert for the server as follows:
Open port 636 in iptables.
# cd /etc/pki/tls/certs
# rm slapd.pem
(if there's one there, it'll probably have localhost.localdomain as the cn and therefore be practically useless)
# make ldap.r71.nl.pem
(fill in the stuff; for the Common Name use the host name clients will connect to, like ldap.r71.nl, because the client checks that name against the certificate. The Makefile writes the private key and the certificate into this one file.)
# chown root:ldap ldap.r71.nl.pem
# chmod 640 ldap.r71.nl.pem
# vi /etc/openldap/slapd.conf
TLSCertificateFile /etc/pki/tls/certs/ldap.r71.nl.pem
TLSCertificateKeyFile /etc/pki/tls/certs/ldap.r71.nl.pem
To make slapd listen on ldaps (port 636) as well as on ldap (389), set SLAPD_LDAPS=yes in /etc/sysconfig/ldap, then restart:
# service ldap restart
Now check the handshake from another machine (the certificate and its subject are printed; a self-signed certificate shows a verify error until the client is given a copy of it):
# openssl s_client -connect your.ldap.server:636 | tee logfile
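The Makefile step above leaves the private key and the certificate in one file, and that whole file is what tends to get copied to clients. The following added example (not from the original post) reproduces the combined file with openssl, then exports only the certificate for clients and checks the copy before it leaves the server. It assumes openssl on the path and works in a temporary directory; the CN ldap.r71.nl and the file names are the post's.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the layout the
# /etc/pki/tls/certs Makefile produces (key + self-signed cert in one PEM),
# then exports the certificate alone for clients and checks the export.

# make_server_pem OUT_PEM CN -> private key and self-signed certificate in one file
make_server_pem() {
  _out=$1; _cn=$2
  _tmp=$(mktemp -d)
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
      -subj "/CN=$_cn" -keyout "$_tmp/key.pem" -out "$_tmp/cert.pem" 2>/dev/null
  cat "$_tmp/key.pem" "$_tmp/cert.pem" > "$_out"   # same layout as slapd.pem
  rm -rf "$_tmp"
  chmod 640 "$_out"                                  # key inside: root:ldap only
}

# export_client_cert SERVER_PEM OUT_CRT -> the certificate only; this is the
# file to scp to /etc/openldap/cacerts on the clients
export_client_cert() {
  openssl x509 -in "$1" -out "$2"        # x509 skips the key block, copies the cert
  chmod 644 "$2"                         # public material, world-readable is fine
}

# contains_private_key FILE -> 0 if a private key block is present
contains_private_key() {
  grep -q 'PRIVATE KEY' "$1"
}

# cert_cn FILE -> the Common Name; clients compare it with the server name
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# verify_against_ca CERT CA -> 0 if CERT chains to CA (self-signed: CA is itself)
verify_against_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# --- demo in a temp dir ---
work=$(mktemp -d)
make_server_pem "$work/ldap.r71.nl.pem" ldap.r71.nl
export_client_cert "$work/ldap.r71.nl.pem" "$work/ldap.r71.nl.crt"
if contains_private_key "$work/ldap.r71.nl.crt"; then
  echo "refusing to ship: private key in client copy" >&2
  exit 1
fi
echo "client copy carries CN=$(cert_cn "$work/ldap.r71.nl.crt") and no private key"
verify_against_ca "$work/ldap.r71.nl.crt" "$work/ldap.r71.nl.crt" && echo "self-signed chain verifies"
rm -rf "$work"
```

The same two checks apply to the real file: grep the client copy for PRIVATE KEY before it is copied, and compare the CN with the host name configured on the client, since a mismatch is the usual reason a TLS bind fails after the copy.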
Set up secure authentication from an LDAP client (another FC6 server)
Scenario: log in on another Linux server and authenticate against the LDAP server you configured.
Log in on the Linux server you want to configure as a client and use the following steps:
- Install the package
# yum install nss_ldap
- Copy the server certificate to the client. ldap.r71.nl.pem on the server holds the private key as well as the certificate, so do not copy that file; on the server export the certificate part alone and copy only that:
# openssl x509 -in /etc/pki/tls/certs/ldap.r71.nl.pem -out /etc/pki/tls/certs/ldap.r71.nl.crt   (on the server)
# scp root@ldapserver:/etc/pki/tls/certs/ldap.r71.nl.crt /etc/openldap/cacerts/ldap.r71.nl.pem
- Set the correct rights, otherwise the login procedure will hang
# chmod 644 /etc/openldap/cacerts/ldap.r71.nl.pem
(if /etc/ldap.conf points at the directory with tls_cacertdir rather than at the file with tls_cacertfile, OpenSSL looks the certificate up by hash-named link, so also run c_rehash /etc/openldap/cacerts)
- Start configuring the client's authentication procedure
# authconfig-tui
Select 'Use LDAP'
Leave 'Use MD5 Passwords' and 'Use Shadow Passwords' as they are
Select 'Use LDAP Authentication', then select the 'Next' button
- Select TLS
Server: ldap://ldap.r71.nl (the same name as the CN in the certificate; ldap:// with TLS selected means STARTTLS on port 389)
Base DN: dc=r71,dc=nl
When you have finished the setup:
- log out as root
- log in as a different user; to be sure you are really using LDAP, use an account that doesn't exist on the local machine
- You get the error message /home/username does not exist. That is correct. Create the directory owned by the user and not world-writable (a mode 777 home directory lets any local user plant files such as .bashrc or .ssh/authorized_keys for that account), let pam_mkhomedir.so create it at first login, or serve home directories over NFS:
# mkdir /home/username; chown username: /home/username; chmod 700 /home/username
- When using TLS I got this message: "id: cannot find name for user ID 500"
If you have run authconfig, edit /etc/pam.d/system-auth and change:
account required /lib/security/$ISA/pam_unix.so
to:
account sufficient /lib/security/$ISA/pam_unix.so
When you have configured your server to authenticate using LDAP, you may run into a problem at boot time: the boot hangs at "starting system message bus". At that point in the boot procedure the LDAP server is looked up (the name service switch consults it for every user and group lookup) and it takes a while to time out. On FC6 this takes about 5 minutes, but according to some forums it can take up to 40 minutes on other distributions. You can switch back to authenticating against the local files with # authconfig-tui, or edit /etc/nsswitch.conf and remove the ldap entries (from a rescue disk if the machine no longer boots). To keep an unreachable server from blocking lookups for that long, set bind_policy soft and a short bind_timelimit in /etc/ldap.conf (the nss_ldap configuration), and keep root and the system accounts local so the machine remains usable without the directory.
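The rescue step above, removing ldap from /etc/nsswitch.conf, as an added example that is not part of the original post: two shell functions, one that lists which databases still consult ldap and one that strips ldap from every active line while leaving comments and unrelated lines alone. The nsswitch.conf content below is constructed; on a real system pass /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example, not from the original post: list and remove the "ldap"
# sources in an nsswitch.conf so a hung boot can be fixed from a rescue disk.

# nsswitch_ldap_dbs FILE -> prints each database (passwd, shadow, group, ...)
# whose active line names ldap as a source; commented lines are ignored
nsswitch_ldap_dbs() {
  awk '!/^[[:space:]]*#/ && $1 ~ /:$/ {
         for (i = 2; i <= NF; i++)
           if ($i == "ldap") { sub(/:$/, "", $1); print $1; break }
       }' "$1"
}

# nsswitch_drop_ldap IN OUT -> OUT is IN with the ldap source removed from
# every non-comment line (other sources such as files, dns, nis are kept)
nsswitch_drop_ldap() {
  sed -e '/^[[:space:]]*#/b' \
      -e 's/[[:space:]]ldap[[:space:]]/ /g' \
      -e 's/[[:space:]]ldap$//' "$1" > "$2"
}

# nsswitch_drop_ldap_inplace FILE -> rewrites FILE, keeping FILE.bak
nsswitch_drop_ldap_inplace() {
  cp -p "$1" "$1.bak"
  nsswitch_drop_ldap "$1.bak" "$1"
}

# --- demo on a constructed file ---
demo=$(mktemp -d)
cat > "$demo/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
automount:  files ldap nis
#netgroup:  ldap
EOF
echo "databases using ldap: $(nsswitch_ldap_dbs "$demo/nsswitch.conf" | tr '\n' ' ')"
nsswitch_drop_ldap_inplace "$demo/nsswitch.conf"
echo "after removal: $(nsswitch_ldap_dbs "$demo/nsswitch.conf" | wc -l | tr -d ' ') databases still use ldap"
cat "$demo/nsswitch.conf"
rm -rf "$demo"
```

Run nsswitch_ldap_dbs first on the real file to see exactly which lookups will stop going to the directory; after the machine boots again, the .bak copy restores the original configuration.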
Thunderbird configuration
Go to Tools > Options > Composition > Addressing and create a new LDAP directory entry (Base DN: dc=r71,dc=nl).
Restart Thunderbird. The LDAP server is configured properly when you can see entries from the address book (initially no entries are shown, but when you use the search function they appear).
I encountered a problem in Thunderbird v1.5 that email addresses were not automatically completed when I started typing in the To: field. I ended up going into Tools > Account Settings > Composition and Addressing, and changed my Addressing option to "Use a different LDAP server", instead of the global LDAP server preferences. The "different LDAP server" is the one I defined in Tools > Options > Composition > Addressing > Directory Server…. Restart Thunderbird.
Setting up Cyrus Imapd to authenticate using ldap
Work in progress….
http://www.openldap.org/faq/data/cache/428.html
# vi /etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
MECH=ldap
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# vi /etc/saslauthd.conf
ldap_servers: ldap://ldap.r71.nl/
ldap_search_base: ou=people,dc=r71,dc=nl
ldap_filter: (uid=%u)
# testsaslauthd -u root -p password (This one works)
# testsaslauthd -u roderick -p password (This one is NOT working right now, don't know why)
(testsaslauthd takes the password on the command line, so it ends up in the shell history and is visible in the process list; use a throwaway test account for this)
Apache and LDAP authentication for a web url (Apache and FC6)
Work in progress….
# vi /etc/httpd/conf/httpd.conf
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Alias /tmp "/tmp"
<Directory "/tmp">
    AuthType Basic
    AuthName "r71.nl LDAP login"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://ldap.r71.nl/ou=People,dc=r71,dc=nl?uid?sub?(objectClass=posixAccount)"
    Require valid-user
</Directory>
FC6 ships Apache 2.2, where mod_auth_ldap no longer exists; its successor mod_authnz_ldap (together with mod_ldap, which it needs) provides the directives above. Basic authentication sends the password with every request, so put this behind HTTPS, and use an ldaps:// URL (with LDAPTrustedGlobalCert CA_BASE64 pointing at the server certificate) so the bind to the directory is not in the clear either. Exporting /tmp over the web is only a test target.
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html (the Apache 2.0 module these notes started from)
Links
Logging in from Linux or Windows using LDAP
http://www.erikberg.com/notes/auth.html
Examples LDIF files
http://www.linuxjournal.com/node/8119/print
Setup:
http://fedoranews.org/mediawiki/index.php/How_to_setup_and_maintain_OpenLDAP_server_for_your_network
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html
http://www.howtoforge.com/linux_ldap_authentication
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS#Adding_new_LDAP_users
Work in progress….
dn: dc=example,dc=com
dc: example
o: Organization
objectClass: dcObject
objectClass: organization
description: My Organization

dn: ou=people,dc=example,dc=com
ou: people
description: All employees of the Organization
objectClass: organizationalUnit

dn: uid=test,ou=people,dc=example,dc=com
uid: test
cn: test
sn: test
# cleartext for the example only; in a real entry put the {SSHA} value
# printed by slappasswd here, so the directory never stores the password itself
userPassword: secret
objectClass: inetOrgPerson
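The rootpw in slapd.conf earlier and the userPassword in the example entry above are where {SSHA} values belong. As an added example that is not part of the original post, here is what the {SSHA} value printed by slappasswd actually is, built with openssl so it can be produced and checked without slapd: base64 of SHA-1(password || salt) followed by the salt. It assumes openssl on the path and, for the demo, a 4-character printable salt; slappasswd uses random binary salt bytes, which the verify function here does not try to handle.

```shell
#!/bin/sh
# Added example, not from the original post: build and check {SSHA} password
# values the way slappasswd does.  {SSHA} = base64( SHA1(pw || salt) || salt ).
# Assumption: a 4-byte printable salt (real slappasswd salts are binary).

# ssha_hash PASSWORD [SALT] -> {SSHA}...; a random salt is drawn when none given
ssha_hash() {
  _pw=$1
  _salt=${2:-$(openssl rand -hex 2)}                          # 4 printable chars
  printf '{SSHA}'
  {
    printf '%s%s' "$_pw" "$_salt" | openssl dgst -sha1 -binary   # 20 raw bytes
    printf '%s' "$_salt"                                          # salt appended
  } | openssl base64 | tr -d '\n'
  echo
}

# ssha_verify HASH PASSWORD -> 0 if PASSWORD matches HASH, 1 otherwise
ssha_verify() {
  _h=$1; _pw=$2
  _b64=${_h#"{SSHA}"}
  [ "$_b64" != "$_h" ] || return 1                                   # not {SSHA}
  _salt=$(printf '%s\n' "$_b64" | openssl base64 -d | tail -c 4)    # salt is the tail
  [ "$(ssha_hash "$_pw" "$_salt")" = "$_h" ]
}

# --- demo ---
hash=$(ssha_hash 'secret')
echo "userPassword: $hash"                       # what to put in the LDIF instead of the cleartext
ssha_verify "$hash" 'secret' && echo "secret verifies"
ssha_verify "$hash" 'wrong'  || echo "wrong password rejected"
```

Because the salt is random, two hashes of the same password differ, which is why the verify step has to take the salt from the stored value rather than recompute it; the same mechanism is what lets slapd check a simple bind against the stored {SSHA} attribute.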