Difference between revisions of "Quick LDAP setup for authentication"
From Notes_Wiki
Latest revision as of 15:05, 13 March 2022
It is recommended that administrators make themselves aware of the various details of LDAP configuration. However, if a simple test setup is urgently required for authentication testing, the following steps can be used to set up an OpenLDAP server very quickly:
- yum -y install openldap-servers openldap-clients openldap
- Create the /etc/openldap/slapd.conf file with the following contents:
<pre>
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#Assume base to be basedn unless specified otherwise
defaultsearchbase "dc=sbarjatiya,dc=com"
#Disconnect idle users after 30 seconds
idleTimeout 30
#Maximum number of entries to return in a search query
sizelimit 100
#Maximum amount of real time to be spent for answering a single query in seconds
timelimit 10

##ACL configuration
#Ensure that only the same dn can see its own password
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
#Allow users to update their telephone number
access to attrs=telephoneNumber
        by self write
        by * read
#Allow users to update their address. Another field, postalAddress, is still read-only.
access to attrs=gecos
        by self write
        by * read
#Allow users to update their shadowLastChange when they change their password.
access to attrs=shadowLastChange
        by self write
        by anonymous auth
        by * read
#Allow all other attributes to be read by everyone anonymously.
#Apart from userPassword, telephoneNumber, gecos and shadowLastChange, a user cannot modify any other attribute of his own entry.
#We definitely do not want users modifying uidNumber, gidNumber, loginShell or homeDirectory etc.
access to *
        by * read

#Database configuration
database bdb
suffix "dc=sbarjatiya,dc=com"
rootdn "cn=root,dc=sbarjatiya,dc=com"
#Ideally this should be generated using slappasswd
rootpw ldaprootpasswd
directory /var/lib/ldap
#By default for all attributes index for equality, presence
index default eq,pres
#For uid index for equality
index uid eq
#For names, email index for equal, sub-string, and approximate matches
index cn,gn,sn,mail eq,sub,approx
#For ou index for equality
index ou eq
#For telephone number index for equality
index telephonenumber eq
#Checkpoint after every MB of data or every 5 minutes
checkpoint 1024 5
</pre>
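To check what an ACL set like the one above actually grants, here is an added Python example (it is not from the wiki page and not OpenLDAP tooling) that models slapd's first-match evaluation for the subset of slapd.access(5) syntax used in this config ("access to *", "access to attrs=a,b", and "by self|anonymous|users|* level") and reports who can read or write each attribute. The sample config is constructed from the page's ACL stanzas; names such as parse_acls and effective_access are this example's own.

```python
"""Audit the ACL section of a slapd.conf-style config.

Added example for this page, not OpenLDAP's own tooling. Handles only the
syntax subset used above: 'access to *', 'access to attrs=a,b' and
'by self|anonymous|users|* <level>'. Function names are hypothetical.
"""

# slapd privilege levels, weakest to strongest; a higher level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed sample: the ACL stanzas from the page's slapd.conf.
SAMPLE_ACLS = """
#Ensure that only the same dn can see its own password
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=telephoneNumber
        by self write
        by * read
access to attrs=gecos
        by self write
        by * read
access to attrs=shadowLastChange
        by self write
        by anonymous auth
        by * read
access to *
        by * read
"""


def parse_acls(conf_text):
    """Return [(what, [(who, level), ...]), ...] in file order (order matters)."""
    acls = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("access to"):
            acls.append((line[len("access to"):].strip(), []))
        elif line.startswith("by ") and acls:
            _, who, level = line.split()[:3]
            if level not in LEVELS:
                raise ValueError("unsupported access level: " + level)
            acls[-1][1].append((who, level))
        # any other directive (include, suffix, index, ...) is not part of the audit
    return acls


def _what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[len("attrs="):].split(",")]
    return False  # dn-based <what> clauses are outside this example's scope


def _who_matches(who_clause, who):
    """who is 'self' (the entry's owner), 'anonymous', or 'users' (some other bound user)."""
    if who_clause == "*":
        return True
    if who_clause == "users":
        return who != "anonymous"
    return who_clause == who


def effective_access(acls, attr, who):
    """slapd stops at the first 'access to' clause whose <what> matches the attribute,
    then grants the level of the first matching 'by' clause. No matching 'by'
    clause means access is denied; this audit treats 'no matching access to' the same way."""
    for what, by_clauses in acls:
        if not _what_matches(what, attr):
            continue
        for who_clause, level in by_clauses:
            if _who_matches(who_clause, who):
                return level
        return "none"
    return "none"


def allows(acls, attr, who, needed):
    """True if 'who' gets at least privilege 'needed' on 'attr'."""
    return LEVELS.index(effective_access(acls, attr, who)) >= LEVELS.index(needed)


def self_writable(acls, attrs):
    """Attributes a user may change on their own entry (the page wants exactly four)."""
    return [a for a in attrs if allows(acls, a, "self", "write")]


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    for attr in ["userPassword", "telephoneNumber", "uidNumber", "loginShell"]:
        print(attr, {w: effective_access(acls, attr, w) for w in ("self", "users", "anonymous")})
    print("self-writable:", self_writable(acls, ["userPassword", "telephoneNumber", "gecos",
                                                 "shadowLastChange", "uidNumber", "gidNumber",
                                                 "loginShell", "homeDirectory"]))
```

Running it against the page's ACLs shows anonymous gets only "auth" on userPassword (enough to bind, not enough to read the hash), other users get "none", and uidNumber, gidNumber, loginShell and homeDirectory fall through to the final "access to * by * read", so they are readable but not self-writable, which is what the comments in the config ask for.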
- Replace defaultsearchbase, suffix, rootdn and rootpw in /etc/openldap/slapd.conf appropriately.
- Use the following commands (only on a new test server; these commands remove all old data):
<pre>
rm /var/lib/ldap -rf
mkdir /var/lib/ldap
chown -R ldap:ldap /var/lib/ldap
service slapd stop
rm /etc/openldap/slapd.d -rf
mkdir /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
slapd -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -h 'ldap://' -u ldap
service slapd restart
</pre>
- Create an LDIF file for the organization with the following contents (Example: <Dn> is dc=sbarjatiya,dc=com, <dc> is sbarjatiya, <o> is Barjatiya Softwares and <description> is Awesome software company):
<pre>
#Main ldap base entry
dn: <Dn>
objectClass: dcObject
objectClass: organization
#dc is must for dcObject
dc: <dc>
#o is must for organization
o: <o>
description: <description>
</pre>
- To add an LDIF file to the LDAP database use "ldapadd -x -D '<root_dn>' -f <ldif_file> -W" and then enter the root password.
- Add organization units using an LDIF file (Example: <dn> is ou=people,dc=sbarjatiya,dc=com, <ou> is people and <description> is All people in company):
<pre>
dn: <dn>
objectClass: organizationalUnit
ou: <ou>
description: <description>
</pre>
- Add organization units for people, groups and hosts.
- Add users using an LDIF file (Example: <dn> uid=saurabh,ou=people,dc=sbarjatiya,dc=com, <given_name> Saurabh, <surname> Barjatiya, <common_name> Saurabh Barjatiya, <email_address> saurabh@example.com, <display_name> Saurabh Barjatiya, <telephone_number> 99999 88888, <postal_address> Hyderabad, India, <uid> saurabh, <uid_number> 1001, <gid_number> 1001, <home_dir> /home/saurabh, <login_shell> /bin/bash, <gecos> Hyderabad, India, <secret> is secret:)
<pre>
dn: <dn>
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
gn: <given_name>
sn: <surname>
cn: <common_name>
mail: <email_address>
displayName: <display_name>
telephoneNumber: <telephone_number>
postalAddress: <postal_address>
uid: <uid>
uidNumber: <uid_number>
gidNumber: <gid_number>
homeDirectory: <home_dir>
loginShell: <login_shell>
gecos: <gecos>
userPassword: <secret>
shadowLastChange: 0
shadowMax: -1
shadowWarning: 99999
</pre>
- Add a group using an LDIF file (Example: <dn> cn=admin,ou=groups,dc=sbarjatiya,dc=com, <cn> admin, <secret> is secret and <gidnumber> is 1001):
<pre>
dn: <dn>
objectClass: top
objectClass: posixGroup
cn: <cn>
userPassword: <secret>
gidNumber: <gidnumber>
</pre>
- Add a member to a group using (Example: <dn> cn=admin,ou=groups,dc=sbarjatiya,dc=com, <memberuid> saurabh):
<pre>
dn: <dn>
changetype: modify
add: memberuid
memberuid: <memberuid>
</pre>
- For adding a member use ldapmodify (instead of ldapadd): ldapmodify -x -D '<root_dn>' -f <ldif_file> -W
- Add hosts using (Example: <dn> cn=ldap,ou=hosts,dc=sbarjatiya,dc=com, <ip1> 192.168.1.1, <ip2> 10.1.1.1, <cn1> ldap, <cn2> ldap.sbarjatiya.com):
<pre>
dn: <dn>
objectClass: ipHost
objectClass: device
ipHostNumber: <ip1>
ipHostNumber: <ip2>
cn: <cn1>
cn: <cn2>
</pre>
Converting quick-server to LDAPS for security
To convert the quick-server setup created with the above steps to LDAPS, use:
- Create a CA certificate, server certificate and client certificate using easy-rsa
- cp ca.crt ldap.sbarjatiya.com.crt ldap.sbarjatiya.com.key /etc/openldap/certs
- chown -R ldap:ldap /etc/openldap/certs
- chmod 755 /etc/openldap/certs/ca.crt
- rm -rf /etc/openldap/slapd.d/*
- Add the following to /etc/openldap/slapd.conf before the database entry:
<pre>
security tls=1
security ssf=1 update_ssf=112 simple_bind=64
TLSVerifyClient allow
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/ldap.sbarjatiya.com.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.sbarjatiya.com.key
</pre>
- Edit /etc/sysconfig/ldap and change the values to:
<pre>
SLAPD_LDAP=no
SLAPD_LDAPI=no
SLAPD_LDAPS=yes
</pre>
- Edit /etc/openldap/ldap.conf and update it to:
<pre>
BASE dc=rekall,dc=com
URI ldaps://ldap.sbarjatiya.com/
#HOST ldap2.rekall.com
TLS_CACERT /etc/openldap/certs/ca.crt
</pre>
- Edit /etc/hosts and add a server-IP to server-FQDN entry. This is an absolute must if the LDAP FQDN cannot be resolved to an IP using DNS.
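The three fragments above have to agree with each other and with the slapd.conf database section for LDAPS to work: the ldaps:// listener must be enabled, the client must use an ldaps:// URI and trust the CA that issued the server certificate, and the client BASE must be the server suffix (with the values shown on this page the client BASE is dc=rekall,dc=com while the server suffix is dc=sbarjatiya,dc=com, so searches would return nothing). The following added Python example (not the wiki's script) parses copies of those fragments, embedded below as constructed sample text, and lists such mismatches along with two security observations: a zero or missing simple_bind SSF would let cleartext simple binds through, and TLSVerifyClient allow requests but does not require a client certificate. Function names such as check_ldaps are this example's own.

```python
"""Consistency check for the LDAPS conversion: server TLS directives, the
listener switches in /etc/sysconfig/ldap, and the client ldap.conf.

Added example for this page, not the wiki's own script. The three sample
texts are constructed from the fragments shown on the page; helper names
are hypothetical.
"""

SLAPD_CONF = """
security tls=1
security ssf=1 update_ssf=112 simple_bind=64
TLSVerifyClient allow
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/ldap.sbarjatiya.com.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.sbarjatiya.com.key
database bdb
suffix "dc=sbarjatiya,dc=com"
"""

SYSCONFIG_LDAP = """
SLAPD_LDAP=no
SLAPD_LDAPI=no
SLAPD_LDAPS=yes
"""

CLIENT_LDAP_CONF = """
BASE dc=rekall,dc=com
URI ldaps://ldap.sbarjatiya.com/
#HOST ldap2.rekall.com
TLS_CACERT /etc/openldap/certs/ca.crt
"""


def parse_directives(text):
    """'key value' lines into {key.lower(): value}; comments dropped, quotes stripped,
    a later duplicate overwrites an earlier one (the 'security' directive is handled separately)."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        out[key.lower()] = value.strip().strip('"')
    return out


def parse_security(slapd_text):
    """Merge every 'security' directive into {option: int}, e.g. {'tls': 1, 'simple_bind': 64}."""
    opts = {}
    for raw in slapd_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("security "):
            for token in line.split()[1:]:
                name, _, val = token.partition("=")
                opts[name] = int(val)
    return opts


def parse_sysconfig(text):
    """KEY=value assignments as used by /etc/sysconfig/ldap."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip().strip('"')
    return out


def check_ldaps(slapd_text, sysconfig_text, client_text):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    server = parse_directives(slapd_text)
    security = parse_security(slapd_text)
    listeners = parse_sysconfig(sysconfig_text)
    client = parse_directives(client_text)

    if listeners.get("SLAPD_LDAPS") != "yes":
        findings.append("SLAPD_LDAPS is not 'yes': no ldaps:// listener will be started")
    if listeners.get("SLAPD_LDAP") == "yes":
        findings.append("SLAPD_LDAP=yes leaves the plain ldap:// listener on port 389 enabled")
    if not client.get("uri", "").lower().startswith("ldaps://"):
        findings.append("client URI does not use ldaps://")
    if client.get("base") != server.get("suffix"):
        findings.append("client BASE %r differs from server suffix %r"
                        % (client.get("base"), server.get("suffix")))
    if client.get("tls_cacert") != server.get("tlscacertificatefile"):
        findings.append("client TLS_CACERT and server TLSCACertificateFile are different files; "
                        "the client must trust the CA that issued the server certificate")
    for key in ("tlscacertificatefile", "tlscertificatefile", "tlscertificatekeyfile"):
        if key not in server:
            findings.append("slapd.conf lacks %s" % key)
    if security.get("simple_bind", 0) == 0:
        findings.append("security simple_bind is unset: cleartext simple binds would be accepted")
    if server.get("tlsverifyclient", "never").lower() == "allow":
        findings.append("TLSVerifyClient allow: client certificates are requested but not required (informational)")
    return findings


if __name__ == "__main__":
    for finding in check_ldaps(SLAPD_CONF, SYSCONFIG_LDAP, CLIENT_LDAP_CONF):
        print("-", finding)
```

Run as-is it reports the BASE/suffix mismatch from the page's ldap.conf and the informational note about TLSVerifyClient; after changing BASE to dc=sbarjatiya,dc=com only the informational note remains. The check reads text only, so it can be run on copies of the files before slapd is restarted.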