Practical exercises
Before starting the exercises, please update your apt settings.
Download sources.list into your /etc/apt/sources.list file, then run apt-get update
If you have completed the NIS exercises, disable NIS on both the desktop and
the node:
/etc/init.d/nis stop
update-rc.d -f nis remove
1. Install OpenLDAP packages
On the server (the node):
slapd
ldap-utils
libldap-2.4-2
On the client (the desktop):
ldap-utils
libldap-2.4-2
libnss-ldap
libpam-ldap
You can accept the default entries in the configuration stage since you will configure LDAP
manually. On the node, remove the databases created during LDAP setup:
/etc/init.d/slapd stop
rm -rf /var/lib/ldap/*
2. Set up the LDAP server.
On the node, remove the original content of /etc/ldap/slapd.conf
and put there the configuration shown below.
Choose a unique dc (Domain Component) name, for example,
dc=dom02, dc=linux, dc=class if you are using
node02 and desktop02.
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Include Schemas
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
# bdb database definitions
database bdb
# Define Domain components and Root distinguished name (Manager)
suffix "dc=dom02, dc=linux, dc=class"
rootdn "cn=Manager,dc=dom02,dc=linux,dc=class"
# Where the database files are physically stored for database #1
directory "/var/lib/ldap"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# Root password can be created with:
# perl -e 'print crypt("thisp", "ac")' > pass.txt
# rootpw thisp
rootpw {crypt}acunRNwFPEdHQ
# slapd process ID file
pidfile /var/run/slapd/slapd.pid
3. Start LDAP:
/etc/init.d/slapd start
To make sure LDAP is running, execute ldapsearch:
ldapsearch -x -h localhost -LL -b '' -s base '(objectclass=*)' namingContexts
You should see:
namingContexts: dc=dom02,dc=linux,dc=class
4. Bind the client, desktop02, to the server by editing file /etc/ldap/ldap.conf
and leaving uncommented only two entries:
HOST node02
BASE dc=dom02,dc=linux,dc=class
Check if you can query the server:
ldapsearch -x -h node02 -LL -b '' -s base '(objectclass=*)' namingContexts
Similarly, bind the server, node02, to itself by creating the same file,
/etc/ldap/ldap.conf
5. On the server, create a new directory, LDAP_dev, where you will have ldif files.
Compose a new LDIF file, init.ldif, so far, including only the following part of the Directory:
# Root node
dn: dc=dom02,dc=linux,dc=class
objectclass: organization
objectclass: dcObject
o: dom02.linux.com
dc: dom02

# The list branch node
dn: ou=Consulting, dc=dom02,dc=linux,dc=class
objectclass: organizationalUnit
ou: Consulting

# The Super-User's node
dn: cn=Manager, dc=dom02, dc=linux, dc=class
objectclass: organizationalRole
cn: Manager

# A leaf node
dn: cn=Dennis Ritchie, ou=Consulting, dc=dom02,dc=linux,dc=class
objectclass: person
cn: Dennis Ritchie
sn: Ritchie

# Another leaf node
dn: cn=Ken Thompson , ou=Consulting, dc=dom02,dc=linux,dc=class
objectclass: person
cn: Ken Thompson
sn: Thompson
6. ldapadd -x -D 'cn=Manager,dc=dom02,dc=linux,dc=class' -W -f init.ldif
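A check worth running over an LDIF file before the ldapadd in step 6, added here as an example that is not part of the exercise sheet: slapd rejects an entry whose parent does not exist yet, so the order of the dn: blocks matters. The suffix dc=dom02,dc=linux,dc=class is the one from the sheet; the sample LDIF is a constructed copy of init.ldif.

```python
# Added example (not from the exercise sheet): check that an LDIF file lists
# every entry after its parent, since slapd rejects an add whose parent entry
# does not exist yet ("no such object"). Only the suffix has no parent in the
# database. DNs are compared case-insensitively with whitespace around commas
# dropped, which is why "cn=Ken Thompson , ou=Consulting, ..." is accepted.

SUFFIX = "dc=dom02,dc=linux,dc=class"

# Constructed copy of part of the init.ldif from step 5 (Manager entry omitted).
INIT_LDIF = """\
# Root node
dn: dc=dom02,dc=linux,dc=class
objectclass: organization
objectclass: dcObject
o: dom02.linux.com
dc: dom02

dn: ou=Consulting, dc=dom02,dc=linux,dc=class
objectclass: organizationalUnit
ou: Consulting

dn: cn=Dennis Ritchie, ou=Consulting, dc=dom02,dc=linux,dc=class
objectclass: person
cn: Dennis Ritchie
sn: Ritchie

dn: cn=Ken Thompson , ou=Consulting, dc=dom02,dc=linux,dc=class
objectclass: person
cn: Ken Thompson
sn: Thompson
"""

def normalize_dn(dn):
    """Lower-case each RDN and drop whitespace around commas (escaped commas in RDNs not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def entry_dns(ldif_text):
    """Normalized DNs of the entries in ldif_text, in file order; comments and attributes are skipped."""
    return [normalize_dn(line[3:]) for line in ldif_text.splitlines() if line.startswith("dn:")]

def entries_without_parent(ldif_text, suffix=SUFFIX):
    """DNs whose parent is neither absent by design (the suffix) nor an entry listed earlier."""
    suffix = normalize_dn(suffix)
    seen, problems = set(), []
    for dn in entry_dns(ldif_text):
        parent = dn.split(",", 1)[1] if "," in dn else ""   # strip the first RDN
        if dn != suffix and parent not in seen:
            problems.append(dn)
        seen.add(dn)
    return problems
```

An empty result means ldapadd can process the file top to bottom; any DN returned names an entry that would be refused because its parent comes later or is missing.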
7. On the client, desktop02, run
ldapsearch -x -L -b 'dc=dom02,dc=linux,dc=class' '(objectclass=*)'
ldapsearch -x -LL -b 'dc=dom02,dc=linux,dc=class' '(cn=*)'
ldapsearch -x -LL -b 'dc=dom02,dc=linux,dc=class' '(cn=Ken Thompson)'
8. Create a new LDIF file, people.ldif:
dn: ou=passwords, dc=dom02, dc=linux, dc=class
ou: passwords
objectclass: organizationalUnit

dn: ou=group, dc=dom02, dc=linux, dc=class
ou: group
objectclass: organizationalUnit
9. Add it to the LDAP database:
ldapadd -x -D 'cn=Manager,dc=dom02,dc=linux,dc=class' -W -f people.ldif
Check if the "ou" entries are in the database. On the client, run
ldapsearch -x -LL -b 'dc=dom02,dc=linux,dc=class'
10. Delete Organizational Units "passwords" and "group":
create a file, delp.txt:
ou=passwords, dc=dom02, dc=linux, dc=class
ou=group, dc=dom02, dc=linux, dc=class
Run
ldapdelete -x -D 'cn=Manager,dc=dom02,dc=linux,dc=class' -W -f delp.txt
11. Modify people.ldif:
dn: ou=People, dc=dom02, dc=linux, dc=class
ou: People
objectclass: organizationalUnit

dn: ou=group, dc=dom02, dc=linux, dc=class
ou: group
objectclass: organizationalUnit
Run
ldapadd -x -D 'cn=Manager,dc=dom02,dc=linux,dc=class' -W -f people.ldif
Now the LDAP directory should contain the root node, the Manager entry, the Consulting unit with its two person entries, and the still empty People and group units.
12. On the server, enable shadow passwords by running command
pwconv
Install the migrationtools package on the server:
apt-get install migrationtools
Copy common, password, and group migration Perl scripts from
/usr/share/migrationtools into your current directory, LDAP_dev.
cp /usr/share/migrationtools/migrate_passwd.pl .
cp /usr/share/migrationtools/migrate_group.pl .
Modify file /usr/share/perl5/migrate_common.ph:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "node02.linux.com";
# Default base
$DEFAULT_BASE = "dc=dom02,dc=linux,dc=class";
# turn this on to support more general object classes
# such as person.
$EXTENDED_SCHEMA = 1;
# Uncomment these to exclude Ubuntu-managed system users and groups
$IGNORE_UID_BELOW = 5000;
$IGNORE_GID_BELOW = 5000;
# And here's the opposite for completeness
$IGNORE_UID_ABOVE = 9999;
$IGNORE_GID_ABOVE = 9999;
Comment out the DEFAULT_REALM setting in the EXTENDED schema settings.
# $DEFAULT_REALM = $DEFAULT_MAIL_DOMAIN;
# $DEFAULT_REALM =~ tr/a-z/A-Z/;
By using the migration script, migrate user accounts into LDIF file passwd.ldif:
./migrate_passwd.pl /etc/passwd > passwd.ldif
File passwd.ldif should contain entries only for user jack.
Add the new user entry to the database:
ldapadd -x -D 'cn=Manager,dc=dom02,dc=linux,dc=class' -W -f passwd.ldif
13. Create a group LDIF file using migrate_group.pl script:
./migrate_group.pl /etc/group > group.ldif
File group.ldif should contain only entries for group ldap.
Add the group entries to LDAP database:
ldapadd -x -D 'cn=Manager,dc=dom02,dc=linux,dc=class' -W -f group.ldif
On the client, desktop02, run ldapsearch on user jack to make sure the user
entries are in the database:
ldapsearch -x -LL -b 'dc=dom02,dc=linux,dc=class' 'cn=jack'
14. Set the client, desktop02, to authenticate users against the LDAP server.
Modify /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
#
hosts: files dns ldap
networks: files ldap
#
protocols: db files
services: db files
ethers: db files
rpc: db files
#
netgroup: nis
Edit file /etc/ldap.conf and have only the following entries:
HOST node02
base dc=dom02,dc=linux,dc=class
ldap_version 3
rootbinddn cn=Manager,dc=dom02,dc=linux,dc=class
Check if the client recognizes user jack:
id jack
If so, ssh to the client from the server as user jack:
ssh jack@desktop02
--------------------------------------------------------------
If id jack gives error
id: jack: No such user,
check if the configuration in the following files is correct:
/etc/nsswitch.conf, /etc/libnss-ldap.conf, /etc/pam_ldap.conf,
then stop the name caching daemon:
/etc/init.d/nscd stop
--------------------------------------------------------------
Become root by running command su
Browse the user's LDAP entries:
ldapsearch -x -LL -b 'dc=dom02,dc=linux,dc=class' 'cn=jack'
You should be able to see the password hash, since no access restrictions
have been set for the LDAP entries on the server.
15. Secure access to LDAP directory adding the following access rules to
the end of slapd.conf:
#Access control
access to attr=userPassword
by self write
by anonymous auth
by dn="cn=Manager,dc=dom02,dc=linux,dc=class" write
by * compare
access to *
by self write
by dn="cn=Manager,dc=dom02,dc=linux,dc=class" write
by * read
Restart slapd:
/etc/init.d/slapd stop
/etc/init.d/slapd start
Make sure the passwords no longer show up on the client when you run
ldapsearch -x -LL -b 'dc=dom02,dc=linux,dc=class' 'cn=jack'
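The rules in step 15 work because slapd evaluates them first-match, which is what hides the hash from the client's anonymous ldapsearch while still letting the client bind with it. The model below is an added example (not from the exercise sheet or from OpenLDAP) of that evaluation as slapd.access(5) describes it; the DN uid=jack,ou=People,dc=dom02,dc=linux,dc=class is an assumption about what migrate_passwd.pl produced in step 12.

```python
# Added example (not from the exercise sheet or OpenLDAP): a model of how slapd
# evaluates the step 15 access rules, following slapd.access(5): the first
# 'access to' clause whose target matches is the only one consulted, within it
# the first matching 'by' clause decides, and each level implies all lower ones.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

MANAGER = "cn=Manager,dc=dom02,dc=linux,dc=class"
# DN that migrate_passwd.pl would give user jack under ou=People (assumed, not on the page).
JACK = "uid=jack,ou=People,dc=dom02,dc=linux,dc=class"

# The step 15 rules as (target, [(who, level), ...]), in the order they appear in slapd.conf.
ACL = [
    ("attr=userPassword", [("self", "write"), ("anonymous", "auth"),
                           ('dn="%s"' % MANAGER, "write"), ("*", "compare")]),
    ("*", [("self", "write"), ('dn="%s"' % MANAGER, "write"), ("*", "read")]),
]

def target_matches(target, attr):
    return target == "*" or target.lower() == "attr=" + attr.lower()

def who_matches(who, requester_dn, entry_dn):
    """'who' is one of *, anonymous, users, self or dn="<exact dn>"; requester_dn "" = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == entry_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return requester_dn.lower() == who[4:-1].lower()
    raise ValueError("unsupported <who> form: " + who)

def granted_level(acl, attr, entry_dn, requester_dn):
    """Level the first matching clause grants; a matching target with no matching 'by' denies."""
    for target, by_clauses in acl:
        if target_matches(target, attr):
            for who, level in by_clauses:
                if who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"
    return "none"

def allowed(acl, attr, entry_dn, requester_dn, wanted):
    """True if the granted level is at least 'wanted' (e.g. 'read' for ldapsearch output)."""
    have = LEVELS.index(granted_level(acl, attr, entry_dn, requester_dn))
    return have >= LEVELS.index(wanted)
```

Evaluating the same rules with the two access clauses swapped shows why the order matters: the catch-all then grants anonymous read on userPassword and the hash is visible again.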
16. Create an entry in /etc/hosts.deny on the LDAP server:
slapd: ALL
Check if you can run ldapsearch on the client.
Override the denial of access to slapd in /etc/hosts.allow:
slapd: 192.168.5.2 127.0.0.1
Run ldapsearch again on the client.