student
We will be working entirely on the VM. In order to setup and manage LDAP on our server, we will be using 389-ds. This tools offers a more user-friendly way of managing LDAP, rather than using cumbersome CLI commands.
Add in the /etc/hosts
file an entry for our future hostname. This will be necessary for ldap to work. We will be using the scgc.ro
domain in this laboratory and the server will be identified by server.scgc.ro
.
10.9.x.y server.scgc.ro
In order for 389-ds to function properly, some default Linux limitations have to be changed. Add the following lines in /etc/sysctl.conf
net.ipv4.tcp_keepalive_time = 300 net.ipv4.ip_local_port_range = 1024 65000 fs.file-max = 64000
These are needed to allow more connections to the LDAP server. To reload these settings run the following command:
sysctl -p
Also add the following lines in the /etc/security/limits.conf
file:
* soft nofile 8192 * hard nofile 8192
This will allow 389-ds to open up to 8192 processes, if needed. You will need to relogin for these change to take place.
Finally, add the following line to the /etc/pam.d/login
file.
session required /lib/security/pam_limits.so
We will also need a user account for LDAP. Create a new account and set a password for it.
[root@server ~]# useradd ldapadmin [root@server ~]# passwd ldapadmin
Before we install the 389-ds, we need to add the Extra Packages for Enterprise Linux(EPEL), as the 389-ds available in the default packages is too basic for our needs. Too install EPEL, run the following command:
[root@server ~]# yum install epel-release
After this we are ready to install 389-ds using the command:
[root@server ~]# yum install 389-ds
Now it’s time to configure LDAP server. Run the following command to configure 389 directory server.
[root@server ~]# setup-ds-admin.pl
Please read the instructions carefully before entering the information required.
============================================================================== This program will set up the 389 Directory and Administration Servers. It is recommended that you have "root" privilege to set up the software. Tips for using this program: - Press "Enter" to choose the default and go to the next screen - Type "Control-B" then "Enter" to go back to the previous screen - Type "Control-C" to cancel the setup program Would you like to continue with set up? [yes]: #press Enter ============================================================================== Your system has been scanned for potential problems, missing patches, etc. The following output is a report of the items found that need to be addressed before running this software in a production environment. 389 Directory Server system tuning analysis version 14-JULY-2016. NOTICE : System is x86_64-unknown-linux3.10.0-123.9.3.el7.x86_64 (1 processor). Would you like to continue? [yes]: #press Enter ============================================================================== Choose a setup type: 1. Express Allows you to quickly set up the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products. 2. Typical Allows you to specify common defaults and options. 3. Custom Allows you to specify more advanced options. This is recommended for experienced server administrators only. To accept the default shown in brackets, press the Enter key. Choose a setup type [2]: #press Enter ============================================================================== Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: eros.example.com. To accept the default shown in brackets, press the Enter key. Warning: This step may take a few minutes if your DNS servers can not be reached or if DNS is not configured correctly. If you would rather not wait, hit Ctrl-C and run this program again with the following command line option to specify the hostname: General.FullMachineName=your.hostname.domain.name Computer name [server]: server.scgc.ro ============================================================================== The servers must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user). The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations. If you have not yet created a user and group for the servers, create this user and group using your native operating system utilities. System User [dirsrv]: ldapadmin System Group [dirsrv]: ldapadmin ============================================================================== Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers. If you have already set up a configuration directory server, you should register any servers you set up or create with the configuration server. To do so, the following information about the configuration server is required: the fully qualified host name of the form <hostname>.<domainname>(e.g. hostname.example.com), the port number (default 389), the suffix, the DN and password of a user having permission to write the configuration information, usually the configuration directory administrator, and if you are using security (TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port number (default 636) instead of the regular LDAP port number, and provide the CA certificate (in PEM/ASCII format). If you do not yet have a configuration directory server, enter 'No' to be prompted to set up one. Do you want to register this software with an existing configuration directory server? [no]: #press Enter ============================================================================== Please enter the administrator ID for the configuration directory server. This is the ID typically used to log in to the console. You will also be prompted for the password. Configuration directory server administrator ID [admin]: #press Enter Password: Password (confirm): ============================================================================== The information stored in the configuration directory server can be separated into different Administration Domains. If you are managing multiple software releases at the same time, or managing information about multiple domains, you may use the Administration Domain to keep them separate. If you are not using administrative domains, press Enter to select the default. Otherwise, enter some descriptive, unique name for the administration domain, such as the name of the organization responsible for managing the domain. Administration Domain [scgc.ro]: #press Enter ============================================================================== The standard directory server network port number is 389. However, if you are not logged as the superuser, or port 389 is in use, the default value will be a random unused port number greater than 1024. If you want to use port 389, make sure that you are logged in as the superuser, that port 389 is not in use. Directory server network port [389]: #press Enter ============================================================================== Each instance of a directory server requires a unique identifier. This identifier is used to name the various instance specific files and directories in the file system, as well as for other uses as a server instance identifier. Directory server identifier [server]: #press Enter ============================================================================== The suffix is the root of your directory tree. The suffix must be a valid DN. It is recommended that you use the dc=domaincomponent suffix convention. For example, if your domain is example.com, you should use dc=example,dc=com for your suffix. Setup will create this initial suffix for you, but you may have more than one suffix. Use the directory server utilities to create additional suffixes. Suffix [dc=scgc, dc=ro]: #press Enter ============================================================================== Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and typically has a bind Distinguished Name (DN) of cn=Directory Manager. You will also be prompted for the password for this user. The password must be at least 8 characters long, and contain no spaces. Press Control-B or type the word "back", then Enter to back up and start over. Directory Manager DN [cn=Directory Manager]: #press Enter Password: Password (confirm): ============================================================================== The Administration Server is separate from any of your web or application servers since it listens to a different port and access to it is restricted. Pick a port number between 1024 and 65535 to run your Administration Server on. You should NOT use a port number which you plan to run a web or application server on, rather, select a number which you will remember and which will not be used for anything else. Administration port [9830]: #press Enter ============================================================================== The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something. Are you ready to set up your servers? [yes]: Creating directory server . . . Your new DS instance 'server' was successfully created. Creating the configuration directory server . . . Beginning Admin Server creation . . . Creating Admin Server files and directories . . . Updating adm.conf . . . Updating admpw . . . Registering admin server with the configuration directory server . . . Updating adm.conf with information from configuration directory server . . . Updating the configuration for the httpd engine . . . Starting admin server . . . The admin server was successfully started. Admin server was successfully created, configured, and started. Exiting . . . Log file is '/tmp/setupGq9QqD.log'
To start 389-ds on reboot, run the following commands:
[root@server ~]# systemctl enable dirsrv.target Created symlink from /etc/systemd/system/multi-user.target.wants/dirsrv.target to /usr/lib/systemd/system/dirsrv.target. [root@server ~]# systemctl enable dirsrv-admin Created symlink from /etc/systemd/system/multi-user.target.wants/dirsrv-admin.service to /usr/lib/systemd/system/dirsrv-admin.service.
To check that LDAP is working we can use either CLI commands or the 389-ds GUI.
To check from CLI, run the following command:
[root@server ~]# ldapsearch -x -b "dc=scgc,dc=ro" # extended LDIF # # LDAPv3 # base <dc=scgc,dc=ro> with scope subtree # filter: (objectclass=*) # requesting: ALL # # scgc.ro dn: dc=scgc,dc=ro objectClass: top objectClass: domain dc: scgc # Directory Administrators, scgc.ro dn: cn=Directory Administrators,dc=scgc,dc=ro objectClass: top objectClass: groupofuniquenames cn: Directory Administrators uniqueMember: cn=Directory Manager # Groups, scgc.ro dn: ou=Groups,dc=scgc,dc=ro objectClass: top objectClass: organizationalunit ou: Groups # People, scgc.ro dn: ou=People,dc=scgc,dc=ro objectClass: top objectClass: organizationalunit ou: People # Special Users, scgc.ro dn: ou=Special Users,dc=scgc,dc=ro objectClass: top objectClass: organizationalUnit ou: Special Users description: Special Administrative Accounts # Accounting Managers, Groups, scgc.ro dn: cn=Accounting Managers,ou=Groups,dc=scgc,dc=ro objectClass: top objectClass: groupOfUniqueNames cn: Accounting Managers ou: groups description: People who can manage accounting entries uniqueMember: cn=Directory Manager # HR Managers, Groups, scgc.ro dn: cn=HR Managers,ou=Groups,dc=scgc,dc=ro objectClass: top objectClass: groupOfUniqueNames cn: HR Managers ou: groups description: People who can manage HR entries uniqueMember: cn=Directory Manager # QA Managers, Groups, scgc.ro dn: cn=QA Managers,ou=Groups,dc=scgc,dc=ro objectClass: top objectClass: groupOfUniqueNames cn: QA Managers ou: groups description: People who can manage QA entries uniqueMember: cn=Directory Manager # PD Managers, Groups, scgc.ro dn: cn=PD Managers,ou=Groups,dc=scgc,dc=ro objectClass: top objectClass: groupOfUniqueNames cn: PD Managers ou: groups description: People who can manage engineer entries uniqueMember: cn=Directory Manager # search result search: 2 result: 0 Success # numResponses: 10 # numEntries: 9
The -x
parameter uses simple authentication. In this case the connection is anonymous. The -b
parameter specifies the node in the LDAP tree/directory to traverse.
To start the 389-ds GUI run the following command (from student
user):
[student@server ~]$ 389-console -a http://server.scgc.ro:9830
If everything is configured correctly, the following GUI should pop up:
Login as admin with password used at setup. To see the LDAP entries, go to Users and Groups
tab and press Search
.
Using the GUI from the previous subtask, add a User to LDAP to the People
Organizational Unit. Use your name for the User data. Hint: User and Groups
, Create
Use ldapsearch
to verify that the User is added.
We want to use LDAP for different Linux tasks, such as user administration or hostnames. In order, to achieve this we will need the nss-pam-ldapd
package(yum install nss-pam-ldapd). The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information. The file contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups.
We have to specify the LDAP server and base DN for the authentication system to know where to get the data. We can use the following command for this:
authconfig --enableldap --enableldapauth --ldapserver=ldap://server.scgc.ro:389/ --ldapbasedn="dc=scgc,dc=ro" --update
Let us now add a new user from LDAP. To do this we will use the GUI interface. Create a new user and enable the Posix User Attributes from the Posix User section. For UID and GID use unused values.
After adding the user we can now check that we can login.
[root@server ~]# getent passwd han han:*:1500:1500:Han Solo:/home/han:/bin/bash [root@server ~]# su han bash-4.2$ id uid=1500(han) gid=1500 groups=1500 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Edit the User created at 1.4 to also be a Linux user.
When authenticating as a new user through LDAP, the home directory will not automatically be created. This can be problematic. In order to solve this issue, we can configure pam to create the home directory on the first login. For this you need to add the following line in the /etc/pam.d/login
file.
session required pam_mkhomdir.so skel=/etc/skel umask=0027
We will need to enable this functionality by running the command:
[root@server ~]# authconfig --enablemkhomedir --update
Now when logging in for the first time, the home directories should be created.
Add a group from LDAP in which you will include the user created previously. Create a Group
in the Groups
organizational unit. Don't forget to add Posix attributes.
Name resolving can be done using different resources (e.g. DNS, files such as /etc/hosts). The way in which name resolving is performed is specified in the /etc/nsswitch.conf
file, in particular the hosts
component. We can also use LDAP for name resolving. In order to this we first need to add ldap to the /etc/nsswitch.conf
file.
hosts: files dns ldap
We will follow the schema used to add hostnames from CLI through LDAP. This is presented in detail here.
Firstly, we will create a new Organizational Unit for the hosts from the GUI. Select the Base DN as the Organizational Unit. The name of our new OU will be Hosts
.
After creating our OU for our hosts, we will need more advanced functionality, so we will use the Directory Server
from the Servers and Applications
tabs.
In the Directory Server
, in the Directory
tab, we will select the Hosts
from scgc
. Right clicking will bring up a menu from which we will select New…
and Other
. From the list we will select iphost
. We will add a new host for the server IP.
After this the new host should be configured.
[root@server ~]# getent hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 127.0.0.1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.9.109.77 server.scgc.ro server 10.9.109.77 ldaphost [root@server ~]# ping ldaphost -c 1 PING ldaphost (10.9.109.77) 56(84) bytes of data. 64 bytes from server.scgc.ro (10.9.109.77): icmp_seq=1 ttl=64 time=0.046 ms --- ldaphost ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.046/0.046/0.046/0.000 ms
Using the same methods from task 2, add entries for the following entities (all entities will be Posix):