LDAP


OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP) for Linux systems. It provides a centralized directory service for managing user accounts, authentication, and authorization. OpenLDAP is highly configurable and can be used in a variety of applications, including email, file sharing, and authentication for web applications. It is a valuable tool for system administrators and developers who need to manage large numbers of users and resources.

SERVER SIDE

sudo apt-get install slapd ldap-utils

The OpenLDAP server daemon is called slapd.

To see what the default installation created, dump the database with sudo slapcat:

touk@ubuntu-server:~$ sudo slapcat
[sudo] password for touk:
dn: dc=nodomain
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: nodomain
structuralObjectClass: organization
entryUUID: 44312602-dd15-103d-93df-0f42276075fb
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20230901131446Z
entryCSN: 20230901131446.247307Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20230901131446Z

Objects (entries) are containers of attributes. The abbreviations you will see in distinguished names are:

  • CN: commonName

  • O: organizationName

  • OU: organizationalUnitName

  • DC: domainComponent

  • UID: userid

I need to change some of the default settings, at least the domain name.

The first place to look is the config file /etc/ldap/ldap.conf (this file holds the defaults for the LDAP client tools; see ldap.conf(5)):

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-provider.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

As you can see, everything is commented out and the file itself is not documented, so we can use the guided configuration instead:

sudo dpkg-reconfigure slapd

After going through the guided configuration (it asks for the DNS domain name, the organization name and the admin password), dump the database again:

touk@ubuntu-server:/etc/ldap$ sudo slapcat
dn: dc=homelab,dc=lan
objectClass: top
objectClass: dcObject
objectClass: organization
o: homelab
dc: homelab
structuralObjectClass: organization
entryUUID: e1f494de-dd18-103d-9993-5f91ec357370
creatorsName: cn=admin,dc=homelab,dc=lan
createTimestamp: 20230901134039Z
entryCSN: 20230901134039.420575Z#000000#000#000000
modifiersName: cn=admin,dc=homelab,dc=lan
modifyTimestamp: 20230901134039Z

Configuring LDAP from the terminal alone is tedious, so I'll use a web front-end called phpLDAPadmin:

sudo apt install phpldapadmin

Installing it pulls in Apache, and the phpLDAPadmin site will conflict with Apache's default site (resolved below). First, set the basic values in its config file:

sudo vim /etc/phpldapadmin/config.php

Search for the word 'name'. These are the basic changes to make:

$servers->setValue('server','name','Homalab LDAP');

$servers->setValue('server','host','192.168.1.5');

/* The port your LDAP server listens on (no quotes). 389 is standard. */
// $servers->setValue('server','port',389);

/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
   auto-detect it for you. */
$servers->setValue('server','base',array('dc=homelab,dc=lan'));
$servers->setValue('auto_number','min',array('uidNumber'=>10000,'gidNumber'=>10000));
$servers->setValue('login','bind_id','cn=admin,dc=homelab,dc=lan');

Now resolve the conflict between the phpLDAPadmin page and Apache's default site by disabling the default site:

sudo a2dissite 000-default.conf

Access it via: http://192.168.1.5/phpldapadmin

Managing objects in LDAP:

LDIF Files

  • LDAP Data Interchange Format (LDIF)

  • Text files that contain changes to the LDAP database

    • Create/Add

    • Modify

    • Delete

  • Follow a fixed text format: one attribute: value pair per line, entries separated by blank lines

Create OUs using LDIF files

  1. Create an LDIF file and populate it with the OU attributes: nano ou.ldif

dn: ou=users,dc=homelab,dc=lan
objectClass: organizationalUnit
ou: users

dn: ou=sysadmins, dc=homelab,dc=lan
objectClass: organizationalUnit
ou: sysadmins

dn: ou=groups, dc=homelab,dc=lan
objectClass: organizationalUnit
ou: groups

Here we have created the organizational units; the users will sit under ou=users, and we will create them later.

Now let's add the file to the LDAP server:

sudo ldapadd -x -D cn=admin,dc=homelab,dc=lan -W -f ou.ldif

  • -x: use simple authentication (bind DN and password) instead of SASL

  • -D: the distinguished name to bind as (here the admin account)

  • -W: prompt for the bind password

  • -f: read the entries from this LDIF file

touk@ubuntu-server:~$ sudo ldapadd -x -D cn=admin,dc=homelab,dc=lan -W -f ou.ldif
Enter LDAP Password:
adding new entry "ou=users,dc=homelab,dc=lan"

adding new entry "ou=sysadmins, dc=homelab,dc=lan"

adding new entry "ou=groups, dc=homelab,dc=lan"

NOTE: trailing spaces at the end of a line can make the LDAP server reject the entry when loading the file.

Now it is time to add a user and its group:

  • Create another file, user.ldif:

touk@ubuntu-server:~$ cat user.ldif
dn: uid=taki,ou=users,dc=homelab,dc=lan
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: taki
sn: touk
userPassword: {SSHA}bQkOjT2DovMF42uIftbWSidOIvk4Q/Qg
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/taki

dn: cn=taki,ou=groups,dc=homelab,dc=lan
objectClass: posixGroup
cn: taki
gidNumber: 10001
memberUid: taki

The password can also be given in plain text, or generated as a hash with slappasswd and pasted into this entry file.

Now it is time to add this LDIF file:

sudo ldapadd -x -D cn=admin,dc=homelab,dc=lan -W -f user.ldif

touk@ubuntu-server:~$ sudo ldapadd -x -D cn=admin,dc=homelab,dc=lan -W -f user.ldif
Enter LDAP Password:
adding new entry "uid=taki,ou=users,dc=homelab,dc=lan"

adding new entry "cn=taki,ou=groups,dc=homelab,dc=lan"
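Before running ldapadd, a small pre-flight check catches the mistakes mentioned above (the trailing-space problem from the NOTE after ou.ldif, a cleartext userPassword) and a few others that only show up after a failed add. This is an added example, my own code rather than anything from the walkthrough or from OpenLDAP: it parses LDIF, checks each entry against the MUST attributes of the objectClasses used here (RFC 2307 posixAccount/posixGroup, RFC 2798 inetOrgPerson, RFC 4519 organizationalUnit), flags userPassword values with no {scheme} prefix, and reports a uidNumber used twice. The sample LDIF is constructed from the two files above plus a deliberately broken third entry; the function names are mine.

```python
import base64
import re

# MUST attributes of the objectClasses used in this walkthrough (RFC 2307 for
# posixAccount/posixGroup, RFC 2798 for inetOrgPerson with its person
# superclass folded in, RFC 4519 for organizationalUnit).
REQUIRED = {
    "organizationalunit": {"ou"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
    "inetorgperson": {"cn", "sn"},
}

# Constructed sample: the two LDIF files from above plus a deliberately broken
# third entry (trailing space on its dn line, written as \x20 so editors keep it;
# cleartext password; missing homeDirectory; reused uidNumber).
SAMPLE_LDIF = """\
dn: ou=users,dc=homelab,dc=lan
objectClass: organizationalUnit
ou: users

dn: uid=taki,ou=users,dc=homelab,dc=lan
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: taki
sn: touk
userPassword: {SSHA}bQkOjT2DovMF42uIftbWSidOIvk4Q/Qg
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/taki

dn: uid=demo,ou=users,dc=homelab,dc=lan\x20
objectClass: inetOrgPerson
objectClass: posixAccount
cn: demo
sn: demo
userPassword: hunter2
uidNumber: 10001
gidNumber: 10002
"""


def _fold(raw_lines):
    """Turn the lines of one entry into {attr_lowercase: [values]}."""
    attrs = {}
    for line in raw_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                      # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def parse_ldif(text):
    """Parse LDIF text into a list of (first_line_number, attrs) entries.

    Entries are separated by blank lines; a line starting with a space continues
    the previous line; lines starting with '#' are comments.
    """
    entries, current, start = [], [], None
    for num, line in enumerate(text.split("\n"), start=1):
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                entries.append((start, _fold(current)))
                current = []
            continue
        if line.startswith(" ") and current:
            current[-1] += line[1:]
        else:
            if not current:
                start = num
            current.append(line)
    if current:
        entries.append((start, _fold(current)))
    return entries


def check_ldif(text):
    """Return a list of findings; an empty list means the file looks safe to ldapadd."""
    findings = []
    for num, line in enumerate(text.split("\n"), start=1):
        if line.strip() and line != line.rstrip():
            findings.append(f"line {num}: trailing whitespace (slapd may reject the entry)")
    seen_uidnumber = {}
    for start, attrs in parse_ldif(text):
        dns = attrs.get("dn")
        if not dns:
            findings.append(f"entry at line {start}: missing dn")
            continue
        dn = dns[0]
        label = f"entry at line {start} ({dn})"
        # The RDN attribute counts as present: the uid=taki entry above was
        # accepted by slapd without an explicit "uid:" line.
        present = set(attrs) | {dn.split("=", 1)[0].strip().lower()}
        for oc in (v.lower() for v in attrs.get("objectclass", [])):
            for required in sorted(REQUIRED.get(oc, ())):
                if required not in present:
                    findings.append(f"{label}: objectClass {oc} requires {required}")
        for pw in attrs.get("userpassword", []):
            if not re.match(r"\{[A-Za-z0-9-]+\}", pw):
                findings.append(f"{label}: userPassword is cleartext; hash it with slappasswd")
        for n in attrs.get("uidnumber", []):
            if n in seen_uidnumber:
                findings.append(f"{label}: uidNumber {n} already used by {seen_uidnumber[n]}")
            else:
                seen_uidnumber[n] = dn
    return findings


if __name__ == "__main__":
    for finding in check_ldif(SAMPLE_LDIF):
        print(finding)
```

Run against a real file with check_ldif(open("user.ldif").read()); the first two entries of the sample produce no findings, the third produces four.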

CLIENT SIDE

Some theory is needed first.

On the client machine I will install the packages needed so that I can log in with an account that does not exist locally, only in LDAP.

To get clients to authenticate against the server we need two pieces: PAM and nslcd.

Fortunately, the first piece is installed by default on Linux clients: PAM, the Pluggable Authentication Modules, a framework that lets us plug in different methods of authentication.

We attach the LDAP module to PAM, and then the Linux server or client, when we go to log in, knows to consult the directory.

When we set up OpenLDAP it is easy to focus on the OpenLDAP piece, as we have been doing, but there is another piece that comes with it: nslcd, the Name Service LDAP Connection Daemon. Once we add the LDAP module to PAM and NSS, this service runs in the background to do the name lookups, find the directory server, hold the connection and let us log in.

sudo apt install libnss-ldapd libpam-ldapd ldap-utils

You will be prompted for the following:

  • ldap://192.168.1.5/ #In my case this is the LDAP server's IP address

  • dc=homelab,dc=lan

  • Select passwd, group, and shadow

Now everything is set up except home directories.

So if you try to log in you won't have your home directory.

To fix that, enable automatic home directory creation in PAM:

sudoedit /etc/pam.d/common-session
session optional pam_mkhomedir.so skel=/etc/skel umask=077

Now reboot the client machine, then try to log in:

ssh taki@192.168.1.9

taki@k8snode:~$ ls /home
taki  touk

One more thing!

Our connection is not secure by default, so let's use TLS for that!

Every time we start working with TLS we need 3 things: a certificate authority, a public key (carried in a certificate) and a private key.

  1. Let's create the private key

    openssl genrsa -aes128 -out openldap.key 2848

    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:

Actually we need to strip that passphrase, otherwise the service can't use the private key unattended:

openssl rsa -in openldap.key -out openldap.key

It asks for the passphrase once, to decrypt the key, then writes the key back without one.

  2. Generate a certificate

    The private key needs to be digitally signed so that a certificate (carrying the public key) can be issued for it, so I need to generate a certificate signing request:

    openssl req -new -days 7300 -key openldap.key -out openldap.csr

    touk@ubuntu-server:~$ ls *.csr
    openldap.csr

  3. Normally I would take this to Let's Encrypt or another signing authority, but I'll sign it myself since it is only used locally:

    openssl x509 -in openldap.csr -out openldap.crt -req -signkey openldap.key -days 7300

    touk@ubuntu-server:~$ ls *.crt
    openldap.crt

  4. Move the certificates into position

    sudo cp ./openldap.key /etc/ldap/sasl2/
    sudo cp ./openldap.crt /etc/ldap/sasl2/
    sudo cp /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/
    sudo chown openldap /etc/ldap/sasl2/*

    The private key should be readable only by the openldap user; check its file mode after copying, since cp keeps whatever mode the file had in your home directory.
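What the certificate is for, seen from the client side: every client that talks to slapd should verify the server's certificate against a trust anchor (for a self-signed certificate like this one, openldap.crt itself, distributed to each client) instead of switching verification off. As an added example (my own code, not from this walkthrough or from OpenLDAP), the following Python builds the LDAP StartTLS extended request by hand, parses the server's resultCode, and then upgrades the socket with a verifying TLS context from the standard library. The hostname ldap.homelab.lan, the CA file path and the assumption that slapd has StartTLS enabled are mine; the page does not show the server-side TLS configuration, and the name you connect to must match the name in the certificate.

```python
import socket
import ssl

# OID of the StartTLS extended operation (RFC 4511 section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """Encode a BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(buf, pos):
    """Decode a BER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    request_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] requestName
    ext_req = b"\x77" + ber_len(len(request_name)) + request_name        # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + ext_req                    # INTEGER messageID
    return b"\x30" + ber_len(len(body)) + body                            # SEQUENCE


def extended_response(message_id, result_code):
    """Constructed server reply (used by the test): ExtendedResponse with a resultCode."""
    inner = (b"\x0a\x01" + bytes([result_code])                          # ENUMERATED resultCode
             + b"\x04\x00"                                               # matchedDN (empty)
             + b"\x04\x00"                                               # diagnosticMessage (empty)
             + b"\x8a" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID)      # [10] responseName
    ext_resp = b"\x78" + ber_len(len(inner)) + inner                     # [APPLICATION 24]
    body = b"\x02\x01" + bytes([message_id]) + ext_resp
    return b"\x30" + ber_len(len(body)) + body


def parse_result_code(message):
    """Return the resultCode from an LDAPMessage carrying an ExtendedResponse."""
    pos = 0
    for expected_tag in (0x30, 0x02):             # SEQUENCE, then INTEGER messageID
        if message[pos] != expected_tag:
            raise ValueError(f"unexpected tag {message[pos]:#x} at offset {pos}")
        length, pos = _read_len(message, pos + 1)
        if expected_tag == 0x02:
            pos += length                         # skip the messageID value
    if message[pos] != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, pos = _read_len(message, pos + 1)
    if message[pos] != 0x0A:
        raise ValueError("resultCode missing")
    length, pos = _read_len(message, pos + 1)
    return int.from_bytes(message[pos:pos + length], "big")


def secure_ldap_connection(host, cafile, port=389, timeout=5):
    """Open a plain LDAP socket, request StartTLS, and return a verified TLS socket.

    The context requires a certificate chaining to cafile and matching host;
    with a self-signed server certificate, cafile is that certificate itself.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(starttls_request())
    reply = sock.recv(4096)   # the reply is one small message; a full client would
                              # read the outer BER length first and loop until complete
    code = parse_result_code(reply)
    if code != 0:
        sock.close()
        raise RuntimeError(f"StartTLS refused with resultCode {code}")
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    # Assumed hostname and CA path; the walkthrough only refers to the server by IP.
    tls_sock = secure_ldap_connection("ldap.homelab.lan", "/etc/ldap/sasl2/openldap.crt")
    print("negotiated", tls_sock.version(), "with", tls_sock.getpeercert()["subject"])
    tls_sock.close()
```

If the handshake fails with a certificate verification error, that is the check doing its job: either the client does not have openldap.crt as its trust anchor or the name in the certificate does not match the host you connected to. Fix one of those rather than loosening verification.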

sudo vim /etc/nslcd.conf
