Topic 7

Date: 3/1/2017
Lightweight Directory Access Protocol (LDAP)
Linux System Administration


Practical exercises: LDAP for centralized user authentication.

Configuring both the server and the client for LDAP user authentication.
  • On both master and n01 configure the NSS libraries to read users accounts from the LDAP server by editing and modifying the content of /etc/nsswitch.conf to look as follows:
    passwd:         compat ldap
    group:          compat ldap
    shadow:         compat ldap
    gshadow:        files
    
    hosts:          files dns
    networks:       files
    
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis
    


  • On the both VMs, edit file /etc/ldap.conf, clear all the entries and put the following:
    HOST master 
    base dc=dom02,dc=linux,dc=class
    ldap_version 3
    

  • On both the server and the client, edit file /etc/pam.d/common-session and add the following line to the bottom:
    session     optional      pam_mkhomedir.so
    


    Setting user account scripts on the server.
  • On the server, master, install the LDAP user account scripts as follows:
    apt-get install ldapscripts
    apt-get install pwgen
    
  • Download configuration files ldapscripts.conf, ldapscripts.passwd, and copy them into directory /etc/ldapscripts on the server:
    wget http://linuxcourse.rutgers.edu/lessons/LDAP/ldapscripts.conf
    wget http://linuxcourse.rutgers.edu/lessons/LDAP/ldapscripts.passwd
    cp ldapscripts.conf /etc/ldapscripts
    cp ldapscripts.passwd /etc/ldapscripts
    
  • On the server, there should be home directory for the NFS users, /NFS/home, if the NFS execises have been completed.

    Creating LDAP user accounts on the server
  • Create a new group, ldapusers:
    ldapaddgroup ldapusers 20000
    

  • Create a new LDAP user, mike, with group ldapusers:
    ldapadduser mike ldapusers
    ldapsetpasswd mike
    

  • Check if the client, n01, recognizes user mike:
    id mike 
    
    If so, ssh to the client from your desktop as user mike. Note, you can figure out the IP address of n01 by looking at the content of file /var/lib/libvirt/dnsmasq/default.leases. For example,
    cat /var/lib/libvirt/dnsmasq/default.leases
    
    shows the lease time, mac address, IP address, and the VM name:
    1363897168 52:54:00:69:71:72 192.168.122.99 n01 *
    1363897396 52:54:00:e3:b2:33 192.168.122.42 master *
    
    In this case, the IP address of n01 is 192.168.122.99
    ssh mike@192.168.122.99
    
    User mike should be able to login to n01. If you have done NFS exercises, the user's home directory should get mounted automatically.

    Securing LDAP server
    A. Restricting user access to the password hashes.
  • Browse the user's LDAP entries:
    ldapsearch -x -LL -b  'dc=dom02,dc=linux,dc=class' 'cn=mike'
    
    You should be able to see the password field entries since there was no any access restriction set for the LDAP entries on the server.

  • Secure access to LDAP directory by adding the following access rules to the end of /etc/ldap/slapd.conf on the server:
    #Access control
    access to attr=userPassword
         by self write
         by anonymous auth
         by dn="cn=Manager,dc=dom02,dc=linux,dc=class"  write
         by *   compare
    
    access to *
         by self write
         by dn="cn=Manager,dc=dom02,dc=linux,dc=class"  write
         by *   read
    

    Restart slapd:
    systemctl restart slapd
    

    Make sure the passwords no longer show up on the client when you run
    ldapsearch -x -LL -b  'dc=dom02,dc=linux,dc=class' 'cn=mike'    
    


    B. Restricting client access to LDAP server.
  • Create an entry in /etc/hosts.deny on the LDAP server, master:
    slapd: ALL
    
  • On both, the server, master, and the client, n01, run ldapsearch command to check if you can access LDAP:
    ldapsearch -x -LL -b  'dc=dom02,dc=linux,dc=class' 
    
    It should give you the following error since ldapsearch is unable to access slapd daemon:
    ldap_result: Can't contact LDAP server (-1)
    

  • On the LDAP server, master, add the following line in file /etc/hosts.allow:
    slapd: 192.168.122.0/24   127.0.0.1 
    
    This allows connection to slapd on master VM from the local host, 127.0.0.1, and the VM subnet 192.168.122.0/24 only. Run ldapsearch on the client and the server again:
    ldapsearch -x -LL -b  'dc=dom02,dc=linux,dc=class' 
    
    It should show you the LDAP data now.


  • Take me to the Course Website