Central login management with OpenLDAP

Over the weekend I spent some time learning how to configure OpenLDAP to provide a central login server at home. This is pretty useful since I was tired of either syncing UID/GID's across servers or setting directories to 777 on my NFSv4 server. I chose Fedora 12 as my OS for the server, and will show how easy it is to configure authentication on both Fedora and OpenSolaris.

Some information about the network

I'll give you a quick overview of how the network looks from home.

  • DNS: ns1.crazy.lan (172.16.1.3)
  • LDAP: ldap1.crazy.lan (10.10.1.1)
  • Client 1: test.crazy.lan (10.10.2.1)
  • Client 2: virt.crazy.lan (192.168.1.8)

I'm not going to go over the importance of DNS (both forward and reverse lookups should work!) right now, but you will save yourself plenty of headaches by making sure DNS is setup properly on your network.

Basic configurations

Install the needed software!

For Fedora 12, installing OpenLDAP is easy:

# yum install -y openldap*

This will get you everything you need to get started.

There are a few things you need to change in order to really start using OpenLDAP. Everything is all in one file slapd.conf. Prior to editing the file, you'll want to generate a password to use in this configuration.

# slappasswd
New password: 
Re-enter new password: 
{SSHA}fFVfwsztHn+xuQPjN/q/urdNC+V0G+dW

Copy the new hash as you will need to paste it into the configuration file. Add or modify the following in /etc/openldap/ldap.conf:

suffix      "dc=crazy,dc=lan"
rootdn      "cn=Manager,dc=crazy,dc=lan"
rootpw      {SSHA}fFVfwsztHn+xuQPjN/q/urdNC+V0G+dW

# ACL's to use
loglevel acl stats
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by * read
        by anonymous auth

That's all you need there for a basic configuration. This will not be using TLS/SSL, I will cover that in a later post. It's always good to start with the basics so that you can spend more time learning the protocol. Once you've gotten that down hardening a service is easy.

Now we just need to finish up and start the service. Since slapd.conf is deprecated in favor of the slapd.d/ directory, we can use the configuration file to generate the appropriate directory structure. The huge advantage of this style is dynamic backend configuration changes. Yes, that means persistent dynamic changes. No more restarting your directory server to make changes to things such as your logging level.

# cd /etc/openldap
# rm -rf slapd.d
# mkdir slapd.d
# slaptest -f slapd.conf -F slapd.d
# chown -R ldap:ldap slapd.d
# chkconfig slapd on
# service slapd start

You can test for functionality by running the following:

ldapsearch -x -h localhost

If all went well you will see some output and no errors.

Configure rsyslog for logging

If you're not using Fedora, or rsyslog, you'll want to lookup the specifics for your logging daemon's configuration. OpenLDAP sends it's logging output to the local4 log facility. For rsyslog, just add the following line to /etc/rsyslog.conf:

local4.*                                                -/var/log/ldap

Then restart your logging service.

service rsyslog restart

Importing some data to LDAP

The LDIF formatted file is where things start to get a little bit tricky. Don't worry about it so much as there are plenty of good GUI clients for LDAP, but we do need to get a few things imported.

# crazy.lan
dn: dc=crazy,dc=lan
objectClass: dcObject  
objectClass: organization
o: Crazy Organization  
dc: crazy

# Manager, crazy.lan   
dn: cn=Manager,dc=crazy,dc=lan
objectClass: organizationalRole
cn: manager

# People, crazy.lan
dn: ou=People,dc=crazy,dc=lan
objectClass: organizationalUnit
ou: People

# Group, crazy.lan
dn: ou=Group,dc=crazy,dc=lan
objectClass: organizationalUnit
ou: Group

# users, Group, crazy.lan
dn: cn=users,ou=Group,dc=crazy,dc=lan
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 2000

# myaccount, People, crazy.lan
dn: uid=myaccount,ou=People,dc=crazy,dc=lan
uid: myaccount
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
gidNumber: 2000
uidNumber: 3000
homeDirectory: /home/myaccount
loginShell: /bin/bash
userPassword: {SSHA}cc696ZrGCPmgx0/CD2zGJrMqR3tb8iMk
cn: Allan Feid

I saved the above as import.ldif. You will probably want to generate a new password with slappaswd to use with the userPassword section above. Now to import, it all I have to do is this:

ldapadd -f import.ldif -D "cn=Manager,dc=crazy,dc=lan" -W

This will prompt you for your rootdn password that you created earlier using slappasswd. Now you have the following basic hierarchy configured:

  • Base Domain: crazy.lan
    • Organizational Unit: People
      • User: myaccount
    • Organizational Unit: Group
      • Group: users

User accounts will go into the People OU, and group accounts will be assigned the Group OU. This is a pretty standard configuration as the pam_ldap plugin will look in these OU's later for user/group information.

Client configuration

Fedora 12

Redhat has really made this easier than it used to be. Their authconfig command is pretty straight forward, the following commands will get you the nss_ldap, pam_ldap and ldap utility commands on your client:

# yum install -y openldap-clients
# authconfig --enableldap \
    --enableldapauth \
    --disablenis \
    --enablecache \
    --ldapserver=ldap1.crazy.lan \
    --ldapbasedn=dc=crazy,dc=lan \
    --updateall

That's it. You will now see the myaccount user if you run getent.

# getent passwd |grep myaccount
myaccount:x:3000:2000:Allan Feid:/home/myaccount:/bin/bash

OpenSolaris

This should also work for plain Solaris, but I prefer OpenSolaris and haven't tested on Solaris 10. This, just like Redhat, is very easy to configure, but does require one extra step. The ldapclient command by default copies /etc/nsswitch.ldap to /etc/nsswitch.conf. Which is fine, but the ldap nsswich configuration by, by default, uses ldap for hostname lookups. This is probably not desirable in most cases as that's what we use DNS for. So just change the following lines in /etc/nsswitch.ldap:

hosts:      files dns
ipnodes:    files dns

Then just a simple command will get you up and running:

# ldapclient -v manual -a defaultSearchBase=dc=crazy,dc=lan \
    -a domainName=crazy.lan \
    -a defaultServerList=ldap1.crazy.lan
# getent passwd |grep myaccount
myaccount:x:3000:2000::/home/myaccount:/bin/bas

General Configuration for client's using pam_ldap/nss_ldap

If you aren't using Fedora or OpenSolaris, anything that uses pam_ldap/nss_ldap can be configured pretty easily. The main configuration file for these two is /etc/ldap.conf. All you need is to make sure you have the following lines:

base dc=crazy,dc=lan
uri ldap://ldap1.crazy.lan/

Then you will have to configure nss by changing the following in /etc/nsswitch.conf:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

You will also need to modify your PAM configuration. Generally you will want to edit /etc/pam.d/system-auth but this may very from OS to OS. Always check with the documentation!

auth        sufficient    pam_ldap.so use_first_pass

Use ADS, make your life easier!

I highly recommend Apache Directory Studio as a great LDAP client. It is cross platform (java based) and having a GUI for ldap sometimes just makes more sense as you get to visualize your hierarchy easily. Setup a new connection and login as cn=Manager,dc=crazy,dc=lan using your rootdn password. You can now easily create a template user to be copied for new users, add new groups, add OU's, etc all from a comfortable GUI.

In upcoming posts, I plan on covering enabling TLS encryption, and eventually working on Kerberos integration with LDAP for a true Single SIgn-On (SSO) environment. If all goes well I'll share how I got it all working.

Tags: