Gentoo's Bugzilla – Attachment 27080 Details for Bug 44110: [id] ldap-howto.xml
ldap-howto.xml (text/xml), 12.09 KB, created by Siauw Nam Khong on 2004-03-09 03:17:18 UTC
<?xml version='1.0' encoding='UTF-8'?>
<!-- English doc rev. 1.10 -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/ldap-howto.xml">
<title>Gentoo Guide to OpenLDAP Authentication</title>

<author title="Author">
  <mail link="sj7trunks@gentoo.org">Benjamin Coles</mail>
</author>

<author title="Editor">
  <mail link="swift@gentoo.org">Sven Vermeulen</mail>
</author>

<author title="Editor">
  <mail link="tseng@gentoo.org">Brandon Hale</mail>
</author>

<author title="Editor">
  <mail link="bennyc@gentoo.org">Benny Chuang</mail>
</author>

<abstract>
This guide introduces the basics of LDAP and shows you how to set up
OpenLDAP for authentication purposes between a group of Gentoo boxes.
</abstract>

<license/>

<version>0.5</version>
<date>January 29, 2004</date>

<chapter>
<title>Getting Started with OpenLDAP</title>
<section>
<title>What is LDAP?</title>
<body>

<p>
LDAP stands for <e>Lightweight Directory Access Protocol</e>. Based on
X.500, it encompasses most of its primary functions, but lacks the more
esoteric functions that X.500 has. Now what is this X.500 and why is there an
LDAP?
</p>

<p>
X.500 is a model for Directory Services in the OSI concept. It contains
namespace definitions and the protocols for querying and updating the
directory. However, X.500 has been found to be overkill in many situations.
Enter LDAP. Like X.500 it provides a data/namespace model for the
directory and a protocol too. However, LDAP is designed to run directly
over the TCP/IP stack. See LDAP as a slimmed-down version of X.500.
</p>

</body>
</section>

<section>
<title>I don't get it. What is a directory?</title>
<body>

<p>
A directory is a specialized database designed for frequent queries but
infrequent updates. Unlike general databases they don't contain
transaction support or roll-back functionality. Directories are easily
replicated to increase availability and reliability. When directories
are replicated, temporary inconsistencies are allowed as long as they
get synchronised eventually.
</p>

</body>
</section>

<section>
<title>How is information structured?</title>
<body>

<p>
All information inside a directory is structured hierarchically. Even
more, if you want to enter data inside a directory, the directory must
know how to store this data inside a tree. Let's take a look at a
fictional company and an Internet-like tree:
</p>

<pre caption="Organisational structure for GenFic, a Fictional Gentoo company">
dc:        com
            |
dc:       genfic              <comment>(Organisation)</comment>
          /    \
ou:   people  servers         <comment>(Organisational Units)</comment>
       /  \      ..
uid:  ..  john                <comment>(OU-specific data)</comment>
</pre>

<p>
Since you don't feed data to the database in this ASCII-art like manner,
every node of such a tree must be defined. To name such nodes, LDAP uses
a naming scheme. Most LDAP distributions (including OpenLDAP) already
contain quite a number of predefined (and generally approved) schemes,
such as inetorgperson, a frequently used scheme to define users.
</p>

<p>
Interested users are encouraged to read the <uri
link="http://www.openldap.org/doc/admin21/">OpenLDAP Admin Guide</uri>.
</p>

</body>
</section>

</chapter>


<chapter>
<title>Configuring OpenLDAP</title>
<section>
<title>Initial Configuration</title>
<body>

<note>
In this document we use the genfic.com address as an example. You will
of course have to change this. However, make sure that the top node is an
official top level domain (net, com, cc, be, ...).
</note>

<p>
Let's first emerge all necessary components on our server:
</p>

<pre caption="Install OpenLDAP">
# <i>emerge openldap pam_ldap nss_ldap migrationtools</i>
# <i>chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp</i>
</pre>

<p>
Edit <path>/etc/openldap/slapd.conf</path> and add the following right after
<c>core.schema</c>:
</p>

<pre caption="/etc/openldap/slapd.conf">
<comment># Include the needed data schemes</comment>
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

<comment># Use crypt to hash the passwords</comment>
password-hash {crypt}

<comment># Define SSL and TLS properties (optional)</comment>
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem

<codenote>Further down...</codenote>

database ldbm
suffix "dc=genfic,dc=com"
rootdn "cn=Manager,dc=genfic,dc=com"
rootpw <i>{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==</i>
directory /var/lib/openldap-ldbm
index objectClass eq

<codenote>You can get a hashed password like the above with slappasswd -h {MD5}</codenote>
</pre>

<p>
Next we edit the LDAP configuration file:
</p>

<pre caption="/etc/openldap/ldap.conf">
# <i>nano -w /etc/openldap/ldap.conf</i>
<codenote>Add the following...</codenote>

BASE dc=genfic, dc=com
URI ldaps://auth.genfic.com:636/
TLS_REQCERT allow
</pre>

<p>
Now you will generate an SSL certificate to secure your directory.
Answer the questions you receive as well as possible. When asked for your
<e>Common Name</e>, enter the name the clients will use when contacting
the server. This is usually the full domain name (e.g.
<path>auth.genfic.com</path>).
</p>

<pre caption="Generating SSL Certificate">
# <i>cd /etc/ssl</i>
# <i>openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out \
ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999</i>
</pre>

<p>
Now edit <path>/etc/conf.d/slapd</path> and add the following, commenting out
the existing line:
</p>

<pre caption="/etc/conf.d/slapd">
OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
</pre>

<p>
Start slapd:
</p>

<pre caption="Starting SLAPd">
# <i>/etc/init.d/slapd start</i>
</pre>

<p>
You can test with the following command:
</p>

<pre caption="Test the SLAPd daemon">
# <i>ldapsearch -D "cn=Manager,dc=genfic,dc=com" -W</i>
</pre>

<p>
If you receive an error, try adding <c>-d 255</c> to increase the
verbosity and solve the issue you have.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Migrate Existing Data</title>
<section>
<title>Migrate User Accounts</title>
<body>

<p>
Next, we migrate the user accounts. Open
<path>/usr/share/migrationtools/migrate_common.ph</path> and edit the
following:
</p>

<pre caption="/usr/share/migrationtools/migrate_common.ph">
$DEFAULT_BASE = "dc=genfic,dc=com";
$EXTENDED_SCHEMA = 1;
<comment># Comment these lines out unless you have a mail schema loaded</comment>
<comment>#$DEFAULT_MAIL_DOMAIN = "genfic.com";</comment>
<comment>#$DEFAULT_MAIL_HOST = "mail.genfic.com";</comment>
</pre>

<p>
Now run the migration scripts:
</p>

<pre caption="Running the migration scripts">
# <i>export ETC_SHADOW=/etc/shadow</i>
# <i>cd /usr/share/migrationtools</i>
# <i>./migrate_base.pl > /tmp/base.ldif</i>
# <i>./migrate_group.pl /etc/group /tmp/group.ldif</i>
# <i>./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif</i>
# <i>./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif</i>
</pre>

<p>
This last step migrated the files above to LDIF files read by LDAP.
Now let's add the files to our directory:
</p>

<pre caption="Importing the data to our directory">
# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif</i>
# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif</i>
# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif</i>
# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/hosts.ldif</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>Authentication Configuration</title>
<section>
<title>Configuring PAM</title>
<body>

<p>
Next, we will configure PAM to allow LDAP authorization. Add the
following lines to <path>/etc/pam.d/system-auth</path>:
</p>

<pre caption="/etc/pam.d/system-auth">
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
password   sufficient   /lib/security/pam_ldap.so use_authtok
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session    optional     /lib/security/pam_ldap.so
</pre>

<p>
Now change <path>/etc/ldap.conf</path> to read:
</p>

<pre caption="/etc/ldap.conf">
<comment>#host 127.0.0.1</comment>
<comment>#base dc=padl,dc=com</comment>

ssl start_tls
ssl on
suffix "dc=genfic,dc=com"
<comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>

uri ldaps://auth.genfic.com/
pam_password exop

ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=genfic,dc=com
nss_base_shadow ou=People,dc=genfic,dc=com
nss_base_group ou=Group,dc=genfic,dc=com
nss_base_hosts ou=Hosts,dc=genfic,dc=com

scope one
</pre>

<p>
Finally, configure your clients so that they check the LDAP for system
accounts:
</p>

<pre caption="/etc/nsswitch.conf">
passwd: files ldap
group: files ldap
shadow: files ldap
</pre>

<p>
To test the changes, type:
</p>

<pre caption="Testing LDAP Auth">
# <i>getent passwd|grep 0:0</i>

<codenote>You should get two entries back:</codenote>
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
</pre>

<p>
If you noticed, one of the lines you pasted into your <path>/etc/ldap.conf</path>
was commented out (the <c>rootbinddn</c> line): you don't need it unless you
want to change a user's password as superuser. In this case you need to echo
the root password to <path>/etc/ldap.secret</path> in plaintext. This is
<brite>DANGEROUS</brite> and the file should be chmoded to 600. What I do is keep that
file blank and when I need to change someone's password that's both in the LDAP
and <path>/etc/passwd</path> I put the pass in there for 10 seconds while I
change it and remove it when I'm done.
</p>

</body>
</section>

<section>
<title>OpenLDAP permissions</title>
<body>

<p>
If we take a look at <path>/etc/openldap/slapd.conf</path> you'll see
that you can specify the ACLs (permissions if you like) of what data
users can read and/or write:
</p>

<pre caption="/etc/openldap/slapd.conf">
access to *
  by dn="uid=root,ou=people,dc=genfic,dc=com" write
  by users read
  by anonymous auth
access to attrs=userPassword,gecos,description,loginShell
  by self write
</pre>

<p>
This gives you access to everything a user should be able to change. If it's
your information, then you have write access to it; if it's another user's
information then you can read it; anonymous people can send a login/pass to get
logged in. There are four levels, ranking them from lowest to greatest: <c>auth
search read write</c>.
</p>

<p>
The next ACL is a bit more secure as it blocks normal users from reading
other people's shadowed passwords:
</p>

<pre caption="/etc/openldap/slapd.conf">
access to dn=".*,dc=genfic,dc=com" attr="userPassword"
  by dn="uid=root,ou=people,dc=genfic,dc=com" write
  by dn="uid=John, ou=People,dc=genfic,dc=com" write
  by anonymous auth
  by self write
  by * search

access to *
  by dn="uid=root,ou=People,dc=genfic,dc=com" write
  by * read
</pre>

<p>
This example gives root and John access to read/write/search
for everything in the tree below <path>dc=genfic,dc=com</path>. This also
lets users change their own <path>userPassword</path>s. As for the ending
statement, everyone else just has search ability, meaning they can fill in a
search filter, but can't read the search results. Now you can have multiple
ACLs, but the rule of thumb is it processes from bottom up, so your
top-level should be the most restrictive ones.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Working with OpenLDAP</title>
<section>
<title>Maintaining the directory</title>
<body>

<p>
You can start using the directory to authenticate users in
apache/proftpd/qmail/samba. You can manage it with Webmin, which provides a
really easy management interface. You can also use gq or
directory_administrator.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Acknowledgements</title>
<section>
<body>

<p>
We would like to thank Matt Heler for lending us his box for the purpose of
this guide. Thanks also go to the cool guys in #ldap @ irc.freenode.net.
</p>

</body>
</section>

</chapter>
</guide>