Open LDAP Provider Installation on Debian Squeeze.
Using SSH from a terminal, login as root to the virtual machine you have created for use as the LDAP provider, using the root password set at creation.
:~$ ssh root@vm36.student.lab
root@vm36.student.lab's password: NaNaKiNg
Preliminary configuration adaptation.
At the virtual machine prompt use pico to edit the /etc/hosts file to match:
127.0.0.1 localhost
10.80.3.36 vm36.student.lab vm36

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
And save the file with <Ctrl>+<X>.
Package Installation.
- Now, at the prompt, install the ssh and nmap packages using the command:
root@vm36:~#apt-get install ssh nmap
- Enter 'Y' when prompted and press <Enter>.
- Next install the slapd and ldap-utils packages using the command:
root@vm36:~#apt-get install slapd ldap-utils
- Again, enter 'Y' and press <Enter> when prompted.
- When prompted, enter an administrator password for slapd (CaK30RD3aTH) and press <Enter>.
- Reenter the password to confirm and press <Enter>.
Confirm that slapd is running using the command:
~# nmap -p 389 localhost
The response received should look like:
Starting Nmap 5.00 ( http://nmap.org ) at 2010-10-27 15:05 CEST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
PORT    STATE SERVICE
389/tcp open  ldap

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
Configuring LDAP
- Use pico to edit the file /etc/ldap/ldap.conf
- Change the line “#BASE dc=example, dc=com” to read “BASE dc=student, dc=lab”
- Change the line “#URI ldap://ldaps1.example.com” to read “URI ldap://vm36.student.lab ldap://vm36.student.lab:666”
- Save the file using the <Ctrl>+<x> command.
- Create and edit a file for the configuration changes using the command 'pico ~/olc-mod1.ldif', entering the following content:
# 1.
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

# 2.1.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq
-
# 2.2.
add: olcDbIndex
olcDbIndex: cn eq
-
# 2.3.
add: olcDbIndex
olcDbIndex: ou eq
-
# 2.4.
add: olcDbIndex
olcDbIndex: dc eq
- Use the <Ctrl>+<x> command to save and exit from pico.
- Implement the changes with the following command:
~# ldapmodify -QY EXTERNAL -H ldapi:/// -f ~/olc-mod1.ldif
If the changes are implemented the screen should display:
modifying entry "cn=config"
modifying entry "olcDatabase={1}hdb,cn=config"
~#
Create a Basic Tree
- Create and edit a file using 'pico ~/tree.ldif' so it contains the following:
dn: ou=people,dc=student,dc=lab
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=student,dc=lab
ou: groups
objectClass: organizationalUnit
- Save and exit using the <Ctrl>+<x> command.
- Implement the changes using the following command:
~# ldapadd -cxWD cn=admin,dc=student,dc=lab -f ~/tree.ldif
Enter LDAP Password: CaK30RD3aTH
The screen should display:
adding new entry "ou=people,dc=student,dc=lab"
adding new entry "ou=groups,dc=student,dc=lab"
~#
Perform a test. Run an ldapsearch with an anonymous bind (no DN specified) to check that the new organizational units have indeed been added to the database, using the command:
~#ldapsearch -xLLL
Check that the output looks like the following and does not contain any obvious errors:
~# ldapsearch -xLLL
dn: dc=student,dc=lab
objectClass: top
objectClass: dcObject
objectClass: organization
o: student.lab
dc: student

dn: cn=admin,dc=student,dc=lab
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: ou=people,dc=student,dc=lab
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=student,dc=lab
ou: groups
objectClass: organizationalUnit

~#
Create a User Account
- Create a new user account, called genUsr. First create and edit a file:
- Use the command 'pico ~/genUsr.ldif'
- Enter the following contents:
dn: cn=genUsr,ou=groups,dc=student,dc=lab
cn: genUsr
gidNumber: 20000
objectClass: top
objectClass: posixGroup

dn: uid=genUsr,ou=people,dc=student,dc=lab
uid: genUsr
uidNumber: 20000
gidNumber: 20000
cn: Generic
sn: User
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/genUsr
userPassword: Guest1
- Implement the account using the command:
ldapadd -cxWD cn=admin,dc=student,dc=lab -f ~/genUsr.ldif
- Run a search for the new genUsr entry using the command:
ldapsearch -xLLL uid=genUsr
- The resulting output should look like:
dn: uid=genUsr,ou=people,dc=student,dc=lab
uid: genUsr
uidNumber: 20000
gidNumber: 20000
cn: General
sn: User
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/genUsr
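Before feeding tree.ldif or genUsr.ldif to ldapadd, it is worth checking them for the mistakes slapd will reject (an RDN value that is not also an attribute of the entry, a MUST attribute missing for an object class) and for a userPassword that has no {scheme} prefix, which slapd stores exactly as written, i.e. in cleartext. The linter below is an added example, not part of the original lab; parse_ldif, lint, REQUIRED, SCHEME_RE and GENUSR_LDIF are names chosen here, and the sample input is the genUsr.ldif content from this lab.

```python
# Added example (not part of the original lab): lint the LDIF content files written
# above before ldapadd. Content records only (no changetype); no base64 '::' values.
import re
# Attributes the OpenLDAP core/nis schemas list as MUST for these classes.
REQUIRED = {"organizationalUnit": {"ou"}, "person": {"cn", "sn"},
            "posixGroup": {"cn", "gidNumber"},
            "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}}
# slapd stores a userPassword value with no {scheme} prefix as cleartext.
SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")

def parse_ldif(text):
    """Split LDIF into entries; each entry maps attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():             # a blank line ends the current entry
            if cur: entries.append(cur)
            cur = {}
        elif not line.startswith("#"):   # '#' lines are LDIF comments
            name, _, value = line.partition(":")
            cur.setdefault(name.strip(), []).append(value.strip())
    if cur: entries.append(cur)
    return entries

def lint(text):
    """Return findings as strings; an empty list means the file looks sane."""
    findings = []
    for e in parse_ldif(text):
        dn = e.get("dn", ["<missing dn>"])[0]
        attr, _, val = dn.split(",")[0].partition("=")
        if val not in e.get(attr, []):   # the RDN must also be an attribute value
            findings.append(f"{dn}: RDN {attr}={val} not in entry attributes")
        for oc in e.get("objectClass", []):
            missing = REQUIRED.get(oc, set()) - set(e)
            if missing:
                findings.append(f"{dn}: {oc} requires {sorted(missing)}")
        for pw in e.get("userPassword", []):
            if not SCHEME_RE.match(pw):
                findings.append(f"{dn}: userPassword is cleartext; use slappasswd output")
    return findings

# Constructed sample: the genUsr.ldif written in this lab, as a single string.
GENUSR_LDIF = (
    "dn: cn=genUsr,ou=groups,dc=student,dc=lab\ncn: genUsr\ngidNumber: 20000\n"
    "objectClass: top\nobjectClass: posixGroup\n\n"
    "dn: uid=genUsr,ou=people,dc=student,dc=lab\nuid: genUsr\nuidNumber: 20000\n"
    "gidNumber: 20000\ncn: Generic\nsn: User\nobjectClass: top\nobjectClass: person\n"
    "objectClass: posixAccount\nobjectClass: shadowAccount\nloginShell: /bin/bash\n"
    "homeDirectory: /home/genUsr\nuserPassword: Guest1\n"
)
```

Running lint(GENUSR_LDIF) reports only the cleartext userPassword; replacing the value with the {SSHA} hash that slappasswd prints clears the finding.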
It is possible to test authentication for an LDAP account by using the ldapwhoami command:
- Use the -w option followed by the assigned password to specify the password on the command line.
ldapwhoami -xD uid=genUsr,ou=people,dc=student,dc=lab -w Guest1
- The same password option is required for ldapsearch.
- In all such cases the principle is the same: authentication and authorization must take place before any such single command is processed.