Lab #7: LDAP
Date: February 18, 2008

In this lab, we'll install and configure an LDAP server. We'll also configure the virtual machine to be an LDAP client. The LDAP HOWTO is a useful reference.

  1. Setup the LDAP Server
    1. Install OpenLDAP server and authentication configuration. This may take a while, so read the rest of the lab while you're waiting.
      yum install openldap-servers openldap-clients
      
    2. Check the contents of the LDAP directory. There shouldn't be anything here yet.
      ls /var/lib/ldap
      
    3. Investigate the OpenLDAP configuration directory. What configuration files are stored here? What schemas are supported by default?
      cd /etc/openldap
      ls -l
      
    4. Back up the LDAP server configuration file, slapd.conf, before modifying it. The ldap.conf file in the same directory is the LDAP client configuration file.
      cp -p slapd.conf slapd.conf.dist
      
    5. Edit the LDAP server configuration file. Disable LDAPv2. Configure a suffix and rootdn corresponding to the DNS name cit470.nku.edu. Be sure to break each component of the DNS name into its own dc. Set a salted SHA hashed root password for LDAP. While normally you would use a different password for the LDAP root than for the UNIX root, in this case you should use your UNIX root password so that everyone has the same LDAP password. You'll need to use the slappasswd command to generate the hashed password. See the man page for slapd.conf for details on how to set configuration options.
      vim slapd.conf
      
    6. Start the LDAP server to verify that your configuration file is valid. It won't start if there's a problem with slapd.conf, as the first task performed by the LDAP server initialization script is to check the configuration files.
      service ldap start
      
    7. Check that the LDAP server has started correctly. If the status isn't running and you cannot find a slapd process, there is a problem with your configuration file that you need to fix.
      service ldap status
      ps auxw | grep ldap
      
    8. Back up the LDAP client configuration file.
      cd /etc/openldap
      cp -p ldap.conf ldap.conf.dist
      
    9. Edit the LDAP client configuration file. Set BASE to have the root DN of your LDAP directory.
      vim /etc/openldap/ldap.conf
      
    10. Once your server is up, log in as student (if you aren't already running as student) and do a simple LDAP query to verify that it is functioning correctly. You can look up the arguments to this command with man ldapsearch.
      ldapsearch -x -LL -b '' -s base '(objectclass=*)'
      
      The output of the command should look like this, since we haven't added any data to our server.
      version: 1
      
      dn:
      objectClass: top
      objectClass: OpenLDAProotDSE
      
    11. While there's no data (because we haven't added any yet), we can verify that you set the naming context correctly.
      ldapsearch -x -LL -b '' -s base '(objectclass=*)' namingContexts
      
      The output of the command should look like this:
      version: 1
      
      dn:
      namingContexts: dc=cit470,dc=nku,dc=edu
      
    12. Use chkconfig to configure LDAP to start at boot.
      
      
    13. Reboot the system.
      reboot
      
    14. Verify that the LDAP server is running after reboot.
      service ldap status
      
  2. Populate the LDAP directory
    1. An LDAP directory organizes its data in a hierarchical fashion, as nodes in a tree. This tree is normally stored in a binary database format, like the one we saw in /var/lib/ldap above, but when we want to exchange LDAP data with other people, we use the LDAP Data Interchange Format (LDIF). That's the format we'll use to describe our example LDAP directory. Each LDIF file needs to have four components to describe the tree: a root node, branch nodes, an LDAP superuser leaf node, and leaf nodes to describe the actual data.

      The root node describes the organization as a whole. The distinguished name (DN) of the root node must be identical to the root DN you specified in /etc/openldap/slapd.conf above.

      # Root node
      dn: dc=cit470,dc=nku,dc=edu
      objectclass: organization
      objectclass: dcObject
      o: cit470.nku.edu
      dc: cit470
      
      The branch nodes describe departments within the organization. In our case, there is only one level of branch nodes, but there can be as many levels as you would like to have. Each branch and leaf node is uniquely identified by a DN consisting of a relative DN (ou=AcademicComputing in the node immediately below) followed by the directory's root DN. The DN serves the same purpose as a pathname or URL. Note that the objectclass of the branch nodes is organizationalUnit. The leaf nodes will be of a different objectclass.
      # AcademicComputing branch node
      dn: ou=AcademicComputing, dc=cit470,dc=nku,dc=edu
      objectclass: organizationalUnit
      ou: AcademicComputing
      
      # Informatics branch node
      dn: ou=Informatics, dc=cit470,dc=nku,dc=edu
      objectclass: organizationalUnit
      ou: Informatics
      
      There is a special leaf node for the LDAP directory's superuser. This node belongs to the special objectclass called organizationalRole, as it describes a role, not a person in the organization.
      # LDAP Superuser node
      dn: cn=Manager, dc=cit470,dc=nku,dc=edu
      objectclass: organizationalRole
      cn: Manager
      
      The majority of nodes are leaf nodes that describe individual data objects, which here belong to objectclass person. LDAP directories don't have to store information only about persons. Leaf nodes could as easily be used to describe computers and other hardware devices in your inventory.
      # AcademicComputing leaf nodes
      dn: cn=To Fu, ou=AcademicComputing, dc=cit470,dc=nku,dc=edu
      objectclass: person
      cn: To Fu
      sn: Fu
      
      dn: cn=Fu Bar, ou=AcademicComputing, dc=cit470,dc=nku,dc=edu
      objectclass: person
      cn: Fu Bar
      sn: Bar
      
      # Informatics leaf nodes
      dn: cn=Peter Python, ou=Informatics, dc=cit470,dc=nku,dc=edu
      objectclass: person
      cn: Peter Python
      sn: Python
      
      dn: cn=Ann Anaconda, ou=Informatics, dc=cit470,dc=nku,dc=edu
      objectclass: person
      cn: Ann Anaconda
      sn: Anaconda
      
      dn: cn=Valerie Viper, ou=Informatics, dc=cit470,dc=nku,dc=edu
      objectclass: person
      cn: Valerie Viper
      cn: Val Viper
      sn: Viper
      
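Added example (not part of the lab): a small Python parser for LDIF in the form shown above that checks the two structural rules the tree description implies, that the root node's DN equals the configured suffix and that every other entry's parent exists before the entry is added. The shortened LDIF is a constructed copy of entries from the listing above; parse_ldif, normalize_dn and check_tree are hypothetical helpers, not OpenLDAP code.

```python
# Constructed, shortened copy of the lab's example.ldif (full version above).
EXAMPLE_LDIF = """\
dn: dc=cit470,dc=nku,dc=edu
objectclass: organization
objectclass: dcObject
dc: cit470

dn: ou=Informatics, dc=cit470,dc=nku,dc=edu
objectclass: organizationalUnit
ou: Informatics

dn: cn=Peter Python, ou=Informatics, dc=cit470,dc=nku,dc=edu
objectclass: person
cn: Peter Python
sn: Python
"""

def normalize_dn(dn):
    """Canonical form: whitespace around RDNs removed, attribute types lower-cased."""
    rdns = [rdn.strip().partition("=") for rdn in dn.split(",")]
    return ",".join(a.strip().lower() + "=" + v.strip() for a, _, v in rdns)

def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no line folding) into entry dicts."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.startswith("#"):             # comment line
            continue
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_tree(entries, suffix):
    """Report what ldapadd would reject: a root DN that is not the configured
    suffix, or an entry whose parent has not been added earlier in the file."""
    problems, seen = [], set()
    for entry in entries:
        dn = normalize_dn(entry["dn"][0])
        if not seen and dn != normalize_dn(suffix):
            problems.append("root %s does not match suffix %s" % (dn, suffix))
        elif seen and dn.split(",", 1)[1] not in seen:
            problems.append("%s: parent not added yet" % dn)
        seen.add(dn)
    return problems
```

Running check_tree over the parsed file before ldapadd catches a mistyped suffix or a leaf listed ahead of its branch, the two errors that otherwise surface only as "no such object" from the server.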
    2. While logged in as student, populate your LDAP database with the LDIF data described above. You can download the data as example.ldif. You will be prompted for the root password you added to the /etc/openldap/slapd.conf file above. The command should output one line for each new entry you added to the LDAP directory.
      ldapadd -x -D "cn=Manager,dc=cit470,dc=nku,dc=edu" -W -f example.ldif
      
    3. Test the LDAP directory to verify that it worked by listing every entry with a common name. This command should list all leaf nodes.
      ldapsearch -x -LL -b 'dc=cit470,dc=nku,dc=edu' '(cn=*)'
      
    4. You can refine your ldapsearch command by specifying a pattern that matches all common names that contain the string Python.
      ldapsearch -x -LL -b 'dc=cit470,dc=nku,dc=edu' '(cn=*Python)'
      
    5. You could do the same search by using the surname (sn) field without needing the * wildcard.
      ldapsearch -x -LL -b 'dc=cit470,dc=nku,dc=edu' '(sn=Python)'
      
    6. You could also search for all objects belonging to a particular objectclass.
      ldapsearch -x -LL -b 'dc=cit470,dc=nku,dc=edu' '(objectclass=person)'
      
    7. Construct an ldapsearch command to find the branch nodes. Include the command in your lab file. Also in your lab file, explain the meaning of the -x and -LL options that we've used in our LDAP search commands.
      
      
  3. Configure Firewall on LDAP Server
    1. Identify the LDAP TCP server ports by looking them up in /etc/services.
      grep ldap /etc/services
      
    2. Modify the firewall configuration to permit incoming packets to those two ports.
      vim /etc/sysconfig/iptables
      
      Each line that you add to the configuration file should look like the following line with the appropriate port number used in place of the word LDAP_PORT. Be sure to add the lines to the appropriate part of the configuration file.
      -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport LDAP_PORT -j ACCEPT
      
    3. Restart the firewall. If there are any error messages, go back to the previous step and fix your firewall configuration.
      service iptables restart
      
  4. Setup Virtual Machine as an LDAP Client
    1. Start your CentOS virtual machine, log in as root, then configure it to be an LDAP client pointed at your new LDAP server. First, install the LDAP client tools.
      yum install openldap-clients
      
    2. Back up the LDAP client configuration file.
      cd /etc/openldap
      cp -p ldap.conf ldap.conf.dist
      
    3. Edit the LDAP client configuration file. Set HOST to have the IP address of your LDAP server, and set BASE to have the root DN of your LDAP directory.
      vim /etc/openldap/ldap.conf
      
    4. Try some LDAP searches from the virtual machine to verify that you're reaching the server.
      ldapsearch -x -LL -b 'dc=cit470,dc=nku,dc=edu' '(objectclass=person)'
      
    5. If the LDAP searches fail, enable debug logging in syslog by adding the following line to /etc/syslog.conf:
      *.=debug                            /var/log/debug
      
      then restart the syslog service. Once syslog has restarted, you can watch the debug log while attempting the query again.
      tail -f /var/log/debug
      
    6. Start Wireshark on the LDAP server and configure it to capture packets sent to or from your virtual machine. How many packets does an LDAP query require?
      ldapsearch -x -LL -b 'dc=cit470,dc=nku,dc=edu' '(objectclass=person)'
      
 

©2008 James Walden, Ph.D.