Lab #8: LDAP Authentication
Date: February 25, 2008
Due Date: March 3, 2008
Points: 10

In this lab, we'll migrate the existing user accounts and groups on our system to the LDAP directory, then configure PAM to use the LDAP server on the virtual machine for authentication. This task is a common procedure in environments that are migrating from file-based to network-based authentication systems.

This lab assumes that you have completed the previous LDAP lab, where you set up an LDAP server on the physical machine and configured your virtual machine as an LDAP client. Since you are obtaining your IP addresses via DHCP, your IP addresses may have changed since the previous lab, requiring you to modify the LDAP client configuration to point to the correct server. Use the ifconfig command to check the IP address of your physical machine (the LDAP server) and compare it against /etc/openldap/ldap.conf on the virtual machine before doing any of the steps of the lab. Use the service command on the physical machine to verify that the LDAP server is running before starting the lab too.

  1. LDAP client configuration

    Edit the LDAP client configuration file on both physical and virtual machines.

    1. Back up the LDAP client configuration file that you modified last time.
      cd /etc/openldap
      cp -p ldap.conf ldap.conf.bak
      
    2. Edit the LDAP client configuration file. Set BASE to have the root DN of your LDAP directory. Set HOST to be the IP address of the physical machine.
      vim /etc/openldap/ldap.conf
      
  2. Configure client PAM to use LDAP server
    1. Identify the password hash format currently used by PAM.
      grep password /etc/pam.d/system-auth
      
    2. Back up the PAM LDAP configuration file: /etc/ldap.conf. Note that this file has the same name as the LDAP client configuration file, but is located under /etc instead of /etc/openldap.
      cd /etc
      cp -p ldap.conf ldap.conf.dist
      
    3. Configure the base and nss_base_{shadow,passwd,group} items to point to the root DN of your LDAP server. Be sure that the password hash type specified matches the one specified by PAM.
      vim ldap.conf
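The step above says the hash type in /etc/ldap.conf must agree with the one PAM uses. The following is an added check script, not part of the lab handout: it pulls the hash option from the pam_unix.so "password" line in system-auth and the pam_password value from ldap.conf and reports whether they agree. The two sample files it writes are constructed excerpts for demonstration (the function names pam_hash_type, ldap_pam_password and hashes_match are mine); point the functions at /etc/pam.d/system-auth and /etc/ldap.conf to check a real machine.

```shell
# Added example: compare the pam_unix.so hash option with pam_password.
WORK=$(mktemp -d)

# Constructed excerpt of /etc/pam.d/system-auth (md5 hashes, shadow passwords)
cat >"$WORK/system-auth" <<'EOF'
auth        required      pam_unix.so nullok try_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF

# Constructed /etc/ldap.conf excerpt whose pam_password does NOT match PAM
cat >"$WORK/ldap.conf.bad" <<'EOF'
base dc=cit470,dc=nku,dc=edu
nss_base_passwd ou=People,dc=cit470,dc=nku,dc=edu?one
pam_password crypt
EOF

# The same excerpt after correcting pam_password to agree with PAM
cat >"$WORK/ldap.conf.good" <<'EOF'
base dc=cit470,dc=nku,dc=edu
nss_base_passwd ou=People,dc=cit470,dc=nku,dc=edu?one
pam_password md5
EOF

# Print the hash option on the pam_unix.so "password" line
# (md5, sha256, sha512, ...), or "crypt" when no option is listed.
pam_hash_type() {   # $1 = system-auth file
    awk '$1 == "password" && $3 == "pam_unix.so" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^(md5|sha256|sha512|bigcrypt|blowfish)$/) { print $i; exit }
            print "crypt"; exit
         }' "$1"
}

# Print the pam_password value from an nss_ldap/pam_ldap style ldap.conf
ldap_pam_password() {   # $1 = ldap.conf file
    awk '$1 == "pam_password" { print $2; exit }' "$1"
}

# Return 0 when both files use the same hash type, 1 otherwise
hashes_match() {   # $1 = system-auth file, $2 = ldap.conf file
    pam=$(pam_hash_type "$1")
    ldap=$(ldap_pam_password "$2")
    if [ -n "$pam" ] && [ "$pam" = "$ldap" ]; then
        echo "OK: PAM and ldap.conf both use $pam"
        return 0
    fi
    echo "MISMATCH: PAM hashes with '$pam' but ldap.conf says pam_password '$ldap'" >&2
    return 1
}

hashes_match "$WORK/system-auth" "$WORK/ldap.conf.good"
hashes_match "$WORK/system-auth" "$WORK/ldap.conf.bad" || true
```

Run it on the real files with `hashes_match /etc/pam.d/system-auth /etc/ldap.conf`; a mismatch here is the usual reason password changes made through pam_ldap stop working after the migration.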
      
  3. Delete your old LDAP database
    1. Shut down the LDAP server.
      service ldap stop
      
    2. Delete all database files. Do not restart the LDAP server until the migration is complete.
      rm /var/lib/ldap/*
      
  4. Migrate Account/Group Data to LDAP Server
    1. Migrate the authentication information from /etc/{passwd,shadow,group} to the LDAP directory. Start by going to the migration directory and reading the README file there.
      cd /usr/share/openldap/migration
      less README
      
    2. Configure the DEFAULT_BASE and DEFAULT_MAIL_DOMAIN with your basedn and associated domain in migrate_common.ph before running the migration tools.
      vim migrate_common.ph
      
    3. Create a base.ldif file containing the basedn and organization units, then add it to the directory using slapadd, the offline directory add tool.
      cat >base.ldif <<EOF
      dn: dc=cit470,dc=nku,dc=edu
      dc: cit470
      objectClass: top
      objectClass: domain
      
      dn: ou=People,dc=cit470,dc=nku,dc=edu
      ou: People
      objectClass: top
      objectClass: organizationalUnit
      
      dn: ou=Group,dc=cit470,dc=nku,dc=edu
      ou: Group
      objectClass: top
      objectClass: organizationalUnit
      EOF
      slapadd -v -l base.ldif
      
    4. Migrate the passwd database. How does the size of the LDIF file compare with /etc/passwd? Is everything needed for users to login stored in the LDIF file?
      ./migrate_passwd.pl /etc/passwd >passwd.ldif
      ls -l /etc/passwd passwd.ldif
      less passwd.ldif
      slapadd -v -l passwd.ldif
      
    5. List the LDAP database to verify that all passwd entries are present.
      slapcat | less
      
    6. Migrate the group database. How does the size of the LDIF file compare with /etc/group? Is everything needed for groups to function stored in the LDIF file?
      ./migrate_group.pl /etc/group >group.ldif
      ls -l /etc/group group.ldif
      less group.ldif
      slapadd -v -l group.ldif
      
    7. List the LDAP database to verify that all group entries are present.
      slapcat | less
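Steps 4 through 7 above generate LDIF with the migration scripts and then check by eye that every passwd and group entry made it into the directory. The following added example (my own shell/awk code, not the lab's and not the openldap migration tools themselves) reconstructs in simplified form what migrate_passwd.pl and migrate_group.pl emit, and replaces the eyeball check with an entry count. The passwd, shadow and group lines are constructed sample data with placeholder hashes; the base DN is the lab's; the function names and the exact attribute set are my approximation of the tools' output, so compare against the real passwd.ldif before relying on it.

```shell
# Added example: passwd/shadow/group -> LDIF, plus an entry-count check.
BASE="dc=cit470,dc=nku,dc=edu"
WORK=$(mktemp -d)

# Constructed excerpts of /etc/passwd, /etc/shadow and /etc/group
cat >"$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
student:x:500:500:Lab Student:/home/student:/bin/bash
EOF
cat >"$WORK/shadow" <<'EOF'
root:$1$Xyz/CONSTRUCTED$placeholderhash............:13900:0:99999:7:::
student:$1$Abc/CONSTRUCTED$placeholderhash............:13900:0:99999:7:::
EOF
cat >"$WORK/group" <<'EOF'
root:x:0:
wheel:x:10:root,student
student:x:500:
EOF

# One posixAccount/shadowAccount entry per passwd line. The password hash
# and last-change day come from the shadow file: that is what the LDIF
# carries beyond the contents of /etc/passwd itself.
passwd_to_ldif() {   # $1 = passwd file, $2 = shadow file
    awk -F: -v base="$BASE" '
        NR == FNR { hash[$1] = $2; last[$1] = $3; next }   # first file: shadow
        {
            cn = ($5 == "") ? $1 : $5
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            printf "uid: %s\ncn: %s\n", $1, cn
            print "objectClass: account\nobjectClass: posixAccount"
            print "objectClass: top\nobjectClass: shadowAccount"
            if ($1 in hash) printf "userPassword: {crypt}%s\n", hash[$1]
            if ($1 in last) printf "shadowLastChange: %s\n", last[$1]
            printf "loginShell: %s\nuidNumber: %s\ngidNumber: %s\n", $7, $3, $4
            printf "homeDirectory: %s\n\n", $6
        }' "$2" "$1"
}

# One posixGroup entry per group line, with a memberUid per listed member
group_to_ldif() {   # $1 = group file
    awk -F: -v base="$BASE" '{
        printf "dn: cn=%s,ou=Group,%s\n", $1, base
        printf "objectClass: posixGroup\nobjectClass: top\ncn: %s\n", $1
        printf "userPassword: {crypt}%s\ngidNumber: %s\n", $2, $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") printf "memberUid: %s\n", m[i]
        print ""
    }' "$1"
}

# Entries in an LDIF file (one "dn:" line each) and lines in a source file
ldif_entries()   { grep -c '^dn:' "$1"; }
source_entries() { grep -c -v '^#' "$1"; }

# Generate both LDIF files; return 0 only if every source line became an entry
migrate_all() {
    passwd_to_ldif "$WORK/passwd" "$WORK/shadow" >"$WORK/passwd.ldif"
    group_to_ldif  "$WORK/group" >"$WORK/group.ldif"
    [ "$(ldif_entries "$WORK/passwd.ldif")" -eq "$(source_entries "$WORK/passwd")" ] &&
    [ "$(ldif_entries "$WORK/group.ldif")"  -eq "$(source_entries "$WORK/group")" ]
}

migrate_all && echo "entry counts match" && cat "$WORK/passwd.ldif" "$WORK/group.ldif"
```

On a real system the same count check applies to the tools' own output: compare `grep -c '^dn:' passwd.ldif` with the number of lines in /etc/passwd, and after `slapadd`, compare it again with `slapcat | grep -c '^dn: uid='`.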
      
    8. Change ownership of all files in /var/lib/ldap to ldap and note the additional files you created. (Running slapadd as root created new files under /var/lib/ldap owned by root.)
      ls -l /var/lib/ldap
      chown -R ldap.ldap /var/lib/ldap
      
    9. Start the server
      service ldap start
      
    10. Verify that the LDAP server is serving the directory entries you added.
      ldapsearch -x -b dc=cit470,dc=nku,dc=edu | less
      
    11. From the virtual machine, look up individual user and group names in the directory. Continue on to the next step only if all of these commands succeed. How many fields are stored in a person entry?
      ldapsearch -x -b uid=root,ou=People,dc=cit470,dc=nku,dc=edu
      ldapsearch -x -b cn=wheel,ou=Group,dc=cit470,dc=nku,dc=edu
      
  5. Configure VM to use LDAP authentication
    1. Verify that you can look up information on user student before making any changes. If you have problems, you probably haven't created this user on your LDAP client.
      id student
      
    2. On the LDAP client, edit /etc/nsswitch.conf to use LDAP authentication and groups. The comments at the top of this file explain the format briefly, while man nsswitch.conf will provide more detail.
      cd /etc
      cp -p nsswitch.conf nsswitch.conf.dist
      vim nsswitch.conf
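As an added example (not part of the lab handout), the following shell check shows the nsswitch.conf setting this step is after and verifies it: passwd, shadow and group must list ldap, and files should come first so that root and other local accounts still resolve when the LDAP server is unreachable. Both nsswitch.conf samples are constructed, and the function names nss_sources and nss_uses_ldap are mine.

```shell
# Added example: verify that nsswitch.conf consults files, then ldap,
# for the three account databases.
WORK=$(mktemp -d)

# Constructed nsswitch.conf as shipped: local files only
cat >"$WORK/nsswitch.conf.dist" <<'EOF'
# /etc/nsswitch.conf
passwd:     files
shadow:     files
group:      files
hosts:      files dns
EOF

# Constructed nsswitch.conf after editing: files first, then ldap
cat >"$WORK/nsswitch.conf" <<'EOF'
# /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF

# Print the source list for one database (e.g. "files ldap"), skipping comments
nss_sources() {   # $1 = nsswitch.conf, $2 = database name
    awk -v db="$2:" '!/^#/ && $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 only if passwd, shadow and group each read "files ldap"
nss_uses_ldap() {   # $1 = nsswitch.conf
    for db in passwd shadow group; do
        case "$(nss_sources "$1" "$db")" in
            "files ldap"|"files ldap "*) ;;
            *) echo "$db: expected 'files ldap' in $1" >&2; return 1 ;;
        esac
    done
    echo "OK: $1 uses files then ldap for passwd, shadow and group"
    return 0
}

nss_uses_ldap "$WORK/nsswitch.conf.dist" || true
nss_uses_ldap "$WORK/nsswitch.conf"
```

Run `nss_uses_ldap /etc/nsswitch.conf` on the client after editing; if it reports a database, that is the line to fix before removing student from /etc/passwd in the next step.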
      
    3. Remove your student account from /etc/passwd so that it's only present in the LDAP directory. Note that vipw creates its own backup files so we don't need to manually create backup files like we did for the LDAP configuration files.
      vipw
      
    4. Verify that you can still look up information about user student. If you cannot, check /var/log for any LDAP error messages.
      id student
      
    5. Verify that you can still login with your student account. If you cannot, check /var/log for any LDAP error messages. You should also be sure that the firewall on the virtual machine is not blocking incoming ssh connections. If it is, fix it using the techniques you used to fix the firewall on the LDAP server in the last lab.
      ssh student@localhost
      
    6. Check who is logged in via ssh as student.
      w
      
  6. Reboot the VM.
    reboot
    
  7. Start Wireshark on the LDAP server to capture the LDAP login session in the next step.
    wireshark &
    
  8. Verify that you can login to the VM with your student account. You'll probably get an error about not having a home directory. That's a problem we'll solve later with the Network File System (NFS).

©2008 James Walden, Ph.D.