- Use the network and virtual machines from the previous exercises.
- Place the LDAP server on the first virtual machine.
- Set up the web interface for managing the LDAP server.
- Add two users to the LDAP server via the web interface.
- Use the command line to query the LDAP server and list both users.
- Through the web interface, enable users to make the settings necessary for logging into the operating system.
- On the second virtual machine, use both users to log into the operating system.
Lightweight Directory Access Protocol (LDAP) is a protocol for accessing and managing distributed directory data over a network. It enables distributed storage of objects with multiple properties defined by schemas. It also defines the LDAP Data Interchange Format (LDIF) and the language for querying stored data.
LDAP Data Interchange Format (LDIF) is a standard text format for exchanging and managing data stored in LDAP directories.
Portable Operating System Interface (POSIX) represents a family of standards that ensure compatibility between operating systems. They define user and system programming interfaces and tools for ensuring compatibility, for example common presentation of users between several operating systems.
Pluggable Authentication Module - PAM is a mechanism that combines several low-level authentication processes into a high-level programming interface (API).
Name Service Switch - NSS connects computers with various sources of jointly configured databases and mechanisms for resolving names or users.
NSLCD - LDAP Connection Daemon local service for resolving LDAP names or users.
NSCD - Name Service Cache Daemon a local service for caching the resolution of LDAP names or users.
ldapsearch is a tool that allows us to query the LDAP database.
getent command lists records from NSS libraries.
On the first virtual computer, we install the slapd LDAP server implementation and the ldap-utils tool for working with the LDAP server through the package manager of our operating system.
apt install slapd ldap-utils
During the installation, choose an administrator password and press the OK button. Then enter the password again and press the OK button again.
We can test the operation of the server with the command ldapsearch, which allows you to query the LDAP database. For example, we use simplified authentication with the -x flag, we choose anything as the starting base with the -b flag, we specify the database-level query method with the -s flag, and we want to print the namingContexts data field for all object classes.
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=nodomain
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
We find that we don't currently have any LDAP database created, so we create one by running the whole LDAP server setup process again.
dpkg-reconfigure slapd
In the first step, we start the procedure for setting up the LDAP database by selecting the No button.
In the second step, we choose the domain of our LDAP database, for example kpov.fri.uni-lj.si and press the OK button.
In the third step, we choose the name of our organization, for example KPOV and press the OK button.
In the next step, choose a new administrator password and press the OK button. Then enter the password again and press the OK button again.
Next, confirm that when removing the slapd LDAP server, the LDAP database is also deleted by pressing the Yes button.
In the last step, we confirm the movement or deleting the settings of the previous LDAP databases by pressing the Yes button so that we can successfully set up a new LDAP database.
Now run the command ldapsearch again and check if there is now an LDAP database with our domain.
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=kpov,dc=fri,dc=uni-lj,dc=si
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Install any web interface for managing the LDAP server. For example FusionDirectory which can be installed through our operating system's package manager. We also install the apache2 web server, the fusiondirectory-schema data schema, and the user management plugin fusiondirectory-plugin-posix.
apt install apache2 fusiondirectory fusiondirectory-schema fusiondirectory-plugin-posix
After successful installation, we continue the installation on the web address http://localhost/fusiondirectory. To start setting up the FusionDirectory program, we must run the echo command in the command line, which is displayed on the web page, and then press the Next button.
echo -n gihvljjoonp3l1u8ti740jtbai > /var/cache/fusiondirectory/fusiondirectory.auth
We choose the language we want to use during the setup, for example, we can leave it on the Automatic option and press the Next button.
Then check whether all plugins and environment variables are installed and correctly set, and press the Next button.
Now we enter the address of our LDAP server and enter the administrator password that we created during the installation. The correctness of the data for accessing the LDAP server can be checked by pressing the Repeat button. If the link check process returns us warnings and errors, then we need to add the schemas that FusionDirectory needs. After successfully establishing a connection with the LDAP server, press the Next button.
fusiondirectory-insert-schema
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
executing 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/fusiondirectory/core-fd.ldif'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core-fd,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
executing 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/fusiondirectory/core-fd-conf.ldif'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core-fd-conf,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
executing 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/fusiondirectory/ldapns.ldif'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ldapns,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
executing 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/fusiondirectory/template-fd.ldif'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=template-fd,cn=schema,cn=config"
On the next page, check the settings of the FusionDirectory program. We leave all settings at their default values, but we can correct, for example, the time zone, and then press the Next button.
Now let's set up PHP modules and plugins. The verification of the object classes and the root object failed, so we create them by pressing the Migrate button.
The window for creating new classes of objects and the root object and the proposed changes, which we implement by clicking the Migrate button.
We see that we do not have an admin user created, so we create it by pressing the Create button. Enter any password for the administrator user twice in the Password and Password (repeat) fields and create the user by pressing the Apply button.
Also, we don't have any roles set and rolls for managing access. We add them by clicking the Migrate button. We have now eliminated all the missing requirements and run the entire test again by clicking the Check again button. When we have successfully finished setting up the PHP modules and plugins, click the Next button.
In the next step, we transfer the created configuration file via the browser to the local disk by clicking on the Download configuration button. We move the downloaded configuration file to the /etc/fusiondirectory folder and set the fusiondirectory program to start using it. To complete the setting, press the Next button.
mv /home/aleks/Prejemi/fusiondirectory.conf /etc/fusiondirectory
fusiondirectory-setup --check-config
/etc/fusiondirectory/fusiondirectory.conf exists…
/etc/fusiondirectory/fusiondirectory.conf is not set properly, do you want to fix it ?: [Yes/No]?
Yes
With the successful installation and setup of FusionDirectory, we can now access the application registration form at http://localhost/fusiondirectory. We log in with the default administrator fd-admin and the password we chose during installation.
Now that we have successfully logged into the FusionDirectory application, we can create two new users in it. To add users, click on the Users icon or select Users from the side menu. Now, by clicking on the pull-down menu Action and then Create and User, we get to the form for creating users.
In order to create a user, we select First name, Surname, Username and Password, which we confirm by re-entering it. By clicking on the OK button, the user is created. Using this procedure we create two users.
Locally, the LDAP database can be queried using the ldapsearch tool via the command line.
ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=kpov,dc=fri,dc=uni-lj,dc=si "givenName=Janez"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=kpov,dc=fri,dc=uni-lj,dc=si> with scope subtree
# filter: givenName=Janez
# requesting: ALL
#
# janezg, people, kpov.fri.uni-lj.si
dn: uid=janezg,ou=people,dc=kpov,dc=fri,dc=uni-lj,dc=si
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: Janez Godec
sn: Godec
givenName: Janez
uid: janezg
# janezn, people, kpov.fri.uni-lj.si
dn: uid=janezn,ou=people,dc=kpov,dc=fri,dc=uni-lj,dc=si
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: Janez Novak
sn: Novak
givenName: Janez
uid: janezn
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=kpov,dc=fri,dc=uni-lj,dc=si "givenName=Ja*"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=kpov,dc=fri,dc=uni-lj,dc=si> with scope subtree
# filter: givenName=Janez
# requesting: ALL
#
# janezg, people, kpov.fri.uni-lj.si
dn: uid=janezg,ou=people,dc=kpov,dc=fri,dc=uni-lj,dc=si
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: Janez Godec
sn: Godec
givenName: Janez
uid: janezg
# janezn, people, kpov.fri.uni-lj.si
dn: uid=janezn,ou=people,dc=kpov,dc=fri,dc=uni-lj,dc=si
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: Janez Novak
sn: Novak
givenName: Janez
uid: janezn
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=kpov,dc=fri,dc=uni-lj,dc=si "(&(givenName=Ja*)(uid=janezn))"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=kpov,dc=fri,dc=uni-lj,dc=si> with scope subtree
# filter: (&(givenName=Ja*)(uid=janezn))
# requesting: ALL
#
# janezn, people, kpov.fri.uni-lj.si
dn: uid=janezn,ou=people,dc=kpov,dc=fri,dc=uni-lj,dc=si
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: Janez Novak
sn: Novak
givenName: Janez
uid: janezn
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
We can also query the LDAP database from another virtual computer with the ldapsearch tool, which is installed with the ldap-utils package via the package manager of our operating system.
ldapsearch -H ldap://SERVER_IP:389/ -D cn=admin,dc=kpov,dc=fri,dc=uni-lj,dc=si -b dc=kpov,dc=fri,dc=uni-lj,dc=si "(&(givenName=Ja*)(uid=janezn))" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=kpov,dc=fri,dc=uni-lj,dc=si> with scope subtree
# filter: (&(givenName=Ja*)(uid=janezn))
# requesting: ALL
#
# janezn, people, kpov.fri.uni-lj.si
dn: uid=janezn,ou=people,dc=kpov,dc=fri,dc=uni-lj,dc=si
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: Janez Novak
sn: Novak
givenName: Janez
uid: janezn
userPassword:: e1NTSEF9NEg0K2p6L3V2OVhlTVdkYVphOS9tNjNEdUNqdVIvLzQ=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
In the FusionDirectory on the Users page, click on an individual user and select the Unix tab, where we enable log into Unix operating systems by clicking on the Add Unix settings button.
In the tab, specify the Home Folder and change the Executing Shell to /bin/bash. To confirm the changes, click on the Confirm button.
We do the same for the other user. On the Users page, there is now a penguin (Tux) icon next to users who are enabled to log into Unix operating systems.
On another virtual computer, we install the libpam-ldapd package, which takes care of user authentication (Pluggable Authentication Module - PAM) and libnss-ldapd, which takes care of the mapping between LDAP and operating system users (Name Service Switch - NSS).
apt install libpam-ldapd libnss-ldapd
During the installation, we must specify the IP address of our first virtual computer on which the LDAP server is running and press the OK button.
Then we enter the domain of our LDAP database, which is located on our LDAP server, and press the OK button.
We select the passwd base of users, the group base of groups and the shadow base of passwords, which we will map to LDAP users.
Let's check if the LDAP users are already reachable as local users of the operating system with the command getent.
getent passwd aleks
aleks:x:1000:1000:Aleks,,,:/home/aleks:/bin/bash
getent passwd janezn
getent passwd janezg
We can see that LDAP users are not yet reachable as local users of the operating system, so we reconfigure the nslcd package (NSLCD - LDAP Connection Daemon), which is a local service for resolving LDAP names or users. Where we again enter the IP address of our first virtual computer on which the LDAP server is running and press the OK button.
dpkg-reconfigure nslcd
Then we enter the domains of our LDAP database, which is located on our LDAP server, and press the OK button.
Now we choose not to use any LDAP authentication none and press the OK button.
We also choose not to encrypt the connection to our LDAP server by pressing the No button.
We run the package settings again, where we have to select the user base passwd, the group base group and the password base shadow.
dpkg-reconfigure libnss-ldapd
Now we restart nslcd and nscd (NSCD - Name Service Cache Daemon), which performs caching for nslcd, and run the getent command again to check if our LDAP users are already reachable as local operating system users.
service nslcd restart
service nscd restart
getent passwd janezg
janezg:x:1101:1101:Janez Godec:/home/janezg:/bin/bash
getent passwd janezn
janezn:x:1102:1102:Janez Novak:/home/janezn:/bin/bash
Now enable authentication by running the pam-auth-update command and choosing to enable Unix authentication, LDAP authentication, Register user sessions in the systemd control group..., Create home directory on login and GNOME Keyring Deamon - Login keyring management and press the OK button.
pam-auth-update
Now let's login with the LDAP user to our local operating system to test the operation, for example with ls and su commands.
ls /home
aleks
su - janezg
Creating directory '/home/janezg'.
ls /home
aleks janezg
su - janezn
Creating directory '/home/janezn'.
ls /home
aleks janezg janezn