Ldap Documentation 2021.8


LDAP Authentication

Hardware and System Section

Prepared by:
Aala Omer Taha Ali

August 16, 2021


The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard
application protocol for accessing and maintaining distributed directory information services
over an Internet Protocol (IP) network. Directory services play an important role in developing
intranet and Internet applications by allowing the sharing of information about users, systems,
networks, services, and applications throughout the network.
A common use of LDAP is to provide a central place to store usernames and passwords. This allows
many different applications and services to connect to the LDAP server to validate users.
In this guide, we will configure an LDAP server and LDAP clients to use LDAP as the authentication
mechanism for login access.

Configuration of LDAP server:


1. Install the required Openldap Package
# yum -y install openldap* migrationtools

2. Create an LDAP root password for administration purposes


# slappasswd
New password:
Re-enter new password:
{SSHA}bHSiwuPJEypHS6zHSE2Uy7M69sQjmkPL

(Copy the hashed password for later use in the configuration file)


3. Edit the OpenLDAP server configuration
- Go to the cn=config directory under /etc/openldap/slapd.d and edit the olcDatabase={2}hdb.ldif
file
# cd /etc/openldap/slapd.d/cn=config
# vim olcDatabase={2}hdb.ldif

- Change the values of olcSuffix and olcRootDN according to your domain


olcSuffix: dc=ldap,dc=com
olcRootDN: cn=Manager,dc=ldap,dc=com

- Add the olcRootPW attribute with the hashed password copied in step 2
olcRootPW: {SSHA}bHSiwuPJEypHS6zHSE2Uy7M69sQjmkPL

- Add the paths of the TLS certificate file and key file (the files themselves are generated in step 7, so either comment these two lines out with # until then or add them afterwards)
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/ldapkey.pem

4. Provide the monitor privilege


- Go to the cn=config directory under /etc/openldap/slapd.d and edit the
olcDatabase={1}monitor.ldif file
# cd /etc/openldap/slapd.d/cn=config
# vim olcDatabase={1}monitor.ldif

- Change the dn.base value in the olcAccess attribute, in particular its dc components, to match your domain


dn.base="cn=Manager,dc=ldap,dc=com"

- Verify the configuration


# slaptest -u

5. Enable and Start slapd service


# systemctl start slapd
# systemctl enable slapd
# netstat -lt | grep ldap
tcp 0 0 0.0.0.0:ldap 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ldap [::]:* LISTEN

6. Configure the LDAP database


- Copy the sample database configuration file and change the file ownership
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap/

- Add the following LDAP schemas


# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

7. Create the self-signed certificate


# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/ldap.pem -keyout /etc/pki/tls/certs/ldapkey.pem -days 365

- Provide the information needed to generate the certificate


Country Name (2 letter code) [XX]: Sudan
State or Province Name (full name) []: Khartoum
Locality Name (eg, city) [Default City]: Khartoum
Organization Name (eg, company) [Default Company Ltd]: ebs
Organizational Unit Name (eg, section) []: infra
Common Name (eg, your name or your server's hostname) []: server.ldap.com
Email Address []: a.taha@ebs-sd.com

- Verify the created certificate and key under /etc/pki/tls/certs


# ll /etc/pki/tls/certs/*.pem
-rw-r--r--. 1 root root 1704 Jan 8 14:52 /etc/pki/tls/certs/ldapkey.pem
-rw-r--r--. 1 root root 1497 Jan 8 14:52 /etc/pki/tls/certs/ldap.pem
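The listing above shows ldapkey.pem as -rw-r--r-- owned by root, which means every local account on the server can read the private key. slapd runs as the ldap user and must be able to read it, so the usual fix is chown root:ldap and chmod 640 on the key file (the certificate ldap.pem is public and can stay world-readable). The following Python check is an added example, not part of the guide: it parses ls -l output of this kind, reconstructed inline from the listing, and reports private keys that are readable by others.

```python
"""Flag private keys that ls -l shows as world-readable (added example)."""
from typing import List

# Constructed listing that reproduces the output shown after step 7 of the guide.
LISTING = """\
-rw-r--r--. 1 root root 1704 Jan 8 14:52 /etc/pki/tls/certs/ldapkey.pem
-rw-r--r--. 1 root root 1497 Jan 8 14:52 /etc/pki/tls/certs/ldap.pem
"""


def parse_mode(field: str) -> int:
    """Turn the ls -l mode column ('-rw-r--r--.') into an octal permission value."""
    perms = field[1:10]            # skip the file-type char, ignore the SELinux '.'
    bits = 0
    for ch in perms:
        # 's' and 't' still grant the underlying bit; 'S'/'T' and '-' do not.
        bits = (bits << 1) | (ch not in "-ST")
    return bits


def world_readable_keys(listing: str, key_hint: str = "key") -> List[str]:
    """Return paths whose file name contains key_hint and whose mode has the other-read bit."""
    exposed = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9:        # not an ls -l row
            continue
        mode, path = parse_mode(fields[0]), fields[-1]
        if key_hint in path.rsplit("/", 1)[-1] and mode & 0o004:
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    for path in world_readable_keys(LISTING):
        print(f"{path} is readable by every local user; chown root:ldap and chmod 640 it")
```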

8. Create the base object in OpenLDAP


To create the base object we will use migrationtools; its files and scripts are under
/usr/share/migrationtools/. Change the predefined values in migrate_common.ph according to our
domain name
# cd /usr/share/migrationtools/
# vim migrate_common.ph

- Change your domain name in


$DEFAULT_MAIL_DOMAIN = "ldap.com";

- Change your base name in


$DEFAULT_BASE = "dc=ldap,dc=com";

- Change the extended schema setting from 0 to 1


$EXTENDED_SCHEMA = 1;

9. Generate a base.ldif file for your domain


# vim /root/base.ldif

- Copy the lines below into the file /root/base.ldif
dn: dc=ldap,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: ldap com
dc: ldap

dn: cn=Manager,dc=ldap,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=ldap,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ldap,dc=com
objectClass: organizationalUnit
ou: Group

10. Create local users


- Create local users and groups, then migrate them to LDAP
# useradd ldapuser1
# useradd ldapuser2
# echo "redhat" | passwd --stdin ldapuser1
# echo "redhat" | passwd --stdin ldapuser2

- Then filter these users out of /etc/passwd into another file


# grep ":10[0-9][0-9]" /etc/passwd > /root/passwd

- Filter the users' groups out of /etc/group into another file


# grep ":10[0-9][0-9]" /etc/group > /root/group

- Generate the LDIF file for users


# ./migrate_passwd.pl /root/passwd /root/users.ldif

- Generate the LDIF file for groups


# ./migrate_group.pl /root/group /root/groups.ldif
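What the two migrate_*.pl scripts do above is mechanical: each filtered passwd or group line becomes one LDIF entry under ou=People or ou=Group. The following Python example is added here and is modelled on that mapping; it is not the migrationtools code. It runs on constructed passwd, shadow and group lines (the hashes are placeholders, not real crypt output), applies the same UID range that the grep ":10[0-9][0-9]" keeps, and pulls the {crypt} hash from shadow as migrate_passwd.pl does from the real /etc/shadow. That last point is why /root/users.ldif deserves the same protection as /etc/shadow and should be deleted once imported.

```python
"""Turn filtered passwd/shadow/group lines into LDIF (added example)."""
from typing import Dict, List, Tuple

BASE = "dc=ldap,dc=com"          # $DEFAULT_BASE from migrate_common.ph
UID_RANGE = range(1000, 1100)    # what the guide's grep ":10[0-9][0-9]" matches

# Constructed sample input; the system account shows the range filter at work.
PASSWD = """\
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ldapuser1:x:1000:1000::/home/ldapuser1:/bin/bash
ldapuser2:x:1001:1001:Second User:/home/ldapuser2:/bin/bash
"""
SHADOW = """\
ldapuser1:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18855:0:99999:7:::
ldapuser2:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18855:0:99999:7:::
"""
GROUP = """\
wheel:x:10:ldapuser1
ldapuser1:x:1000:
ldapuser2:x:1001:
developers:x:1002:ldapuser1,ldapuser2
"""


def _ldif(attrs: List[Tuple[str, str]]) -> str:
    """Render one entry: 'attr: value' lines followed by a blank separator line."""
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n\n"


def passwd_to_ldif(passwd: str, shadow: str, base: str = BASE) -> str:
    """One posixAccount/inetOrgPerson entry per passwd line inside UID_RANGE."""
    shadow_fields: Dict[str, List[str]] = {
        line.split(":")[0]: line.split(":") for line in shadow.splitlines() if line
    }
    out = []
    for line in passwd.splitlines():
        if not line:
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":")
        if int(uid) not in UID_RANGE:        # skip system accounts
            continue
        attrs = [
            ("dn", f"uid={name},ou=People,{base}"),
            ("objectClass", "top"),
            ("objectClass", "inetOrgPerson"),  # what $EXTENDED_SCHEMA = 1 adds
            ("objectClass", "posixAccount"),
            ("objectClass", "shadowAccount"),
            ("uid", name),
            ("cn", gecos.split(",")[0] or name),
            ("sn", name),
            ("uidNumber", uid),
            ("gidNumber", gid),
            ("homeDirectory", home),
            ("loginShell", shell),
        ]
        sh = shadow_fields.get(name)
        if sh:
            # The crypt(3) hash moves over verbatim, tagged {crypt} so slapd
            # knows which scheme to use when comparing a bind password.
            attrs.append(("userPassword", "{crypt}" + sh[1]))
            attrs.append(("shadowLastChange", sh[2]))
            attrs.append(("shadowMax", sh[4]))
        out.append(_ldif(attrs))
    return "".join(out)


def group_to_ldif(group: str, base: str = BASE) -> str:
    """One posixGroup entry per group line inside UID_RANGE, members as memberUid."""
    out = []
    for line in group.splitlines():
        if not line:
            continue
        name, _, gid, members = line.split(":")
        if int(gid) not in UID_RANGE:
            continue
        attrs = [
            ("dn", f"cn={name},ou=Group,{base}"),
            ("objectClass", "top"),
            ("objectClass", "posixGroup"),
            ("cn", name),
            ("gidNumber", gid),
        ]
        attrs += [("memberUid", m) for m in members.split(",") if m]
        out.append(_ldif(attrs))
    return "".join(out)


if __name__ == "__main__":
    print(passwd_to_ldif(PASSWD, SHADOW), end="")
    print(group_to_ldif(GROUP), end="")
```

Reviewing the generated LDIF before running ldapadd is the moment to catch an account that should not leave the box, for instance one with a blank or locked password field, since anything imported becomes a login on every client that joins the directory.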

- Import users and groups into the LDAP database


# ldapadd -x -W -D "cn=Manager,dc=ldap,dc=com" -f /root/base.ldif
# ldapadd -x -W -D "cn=Manager,dc=ldap,dc=com" -f /root/users.ldif
# ldapadd -x -W -D "cn=Manager,dc=ldap,dc=com" -f /root/groups.ldif

- Test the configuration by searching for user "ldapuser1" in LDAP as below


# ldapsearch -x cn=ldapuser1 -b dc=ldap,dc=com
# ldapsearch -x -b 'dc=ldap,dc=com' '(objectclass=*)'
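The filters above are typed by hand, but the applications that, as the introduction says, connect to the server to validate users build theirs from input they receive. RFC 4515 requires the characters \ * ( ) and NUL inside a filter value to be hex-escaped; a value pasted in raw can change what the filter matches. The following Python example is added here and is not part of the guide: it places the unescaped construction next to the escaped one so the difference is visible on the same input.

```python
"""Build LDAP search filters from untrusted input with RFC 4515 escaping (added example)."""

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value; every other character passes through unchanged."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(uid: str) -> str:
    """The mistake: raw concatenation lets metacharacters in uid alter the filter."""
    return f"(&(objectClass=posixAccount)(uid={uid}))"


def build_user_filter(uid: str) -> str:
    """The fix: the value is escaped, so it can only ever match a literal uid."""
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(uid)}))"


if __name__ == "__main__":
    for candidate in ("ldapuser1", "*", ")(uid=*"):
        print(f"{candidate!r:12} unsafe: {build_user_filter_unsafe(candidate)}")
        print(f"{'':12} safe:   {build_user_filter(candidate)}")
```

With the escaped form, a lookup for "*" searches for an account literally named "*" and returns nothing, which is the behaviour a login path must have.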

- Stop the firewall to allow the connection


# systemctl stop firewalld

The LDAP configuration is done. Now we need to share the LDAP users' home directories via NFS, so that
users who log in on the client server can also save their data remotely on the LDAP server.
NFS configuration
1. On the server, edit the file /etc/exports and add an entry as below to export the home directory.
# vi /etc/exports
/home *(rw,sync)

2. Enable and start the rpcbind and nfs services


# yum -y install rpcbind nfs-utils
# systemctl start rpcbind
# systemctl start nfs
# systemctl enable rpcbind
# systemctl enable nfs

3. Test the NFS configuration


# showmount -e
Export list for linux1.learnitguide.net:
/home *

4. On the client server, mount the LDAP users' home directory by adding this line to /etc/fstab as below
# vim /etc/fstab
server.ldap.com:/home /home auto defaults 0 0

LDAP client configuration


1. Install the required packages
# yum install -y openldap-clients nss-pam-ldapd
# authconfig-tui

2. Steps to follow for LDAP Authentication


- Put a "*" mark on "Use LDAP"
- Put a "*" mark on "Use LDAP Authentication"
- Select "Next" and press Enter
- Enter the server field as "ldap://<server ip>/"
- Enter the Base DN field as "dc=ldap,dc=com"
- Select "OK" and press Enter

3. Test the client configuration


# getent passwd ldapuser1
ldapuser1:x:1000:1000:ldapuser1:/home/ldapuser1:/bin/bash
phpLDAPadmin
1. Install php-ldap and a few other PHP packages needed to run phpLDAPadmin
# yum install php-ldap php-mbstring php-pear php-xml

2. The Extra Packages for Enterprise Linux (EPEL) repository has to be installed because
phpLDAPadmin is not available in the main repository.
# yum install epel-release
# yum -y install phpldapadmin

3. Configure the phpLDAPadmin Virtual Host


- In the configuration file /etc/httpd/conf.d/phpldapadmin.conf, add the IPs from which you want
to access your LDAP
Allow from 127.0.0.1 10.130.22.0/24

4. Configure the phpLDAPadmin


- Open the configuration file with your favourite editor.
# vim /etc/phpldapadmin/config.php

- The following changes are to be made in the PHP code. Line 332 defines your domain
details; change it appropriately.
$servers->setValue('login','bind_id','cn=Manager,dc=ldap,dc=com');

- Line 397 should be uncommented to ensure the login credentials used are the DN
and not the user identifier (so comment out line 398)
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');

Save your changes and exit the editor.


Finally, open your browser and enter your server address
http://10.130.22.90/phpldapadmin
