
Lab exercise

Installing and configuring OpenLDAP - PAM


In this lab you use two Linux virtual machines and the physical Windows host, connected according to the diagram below.

Network diagram (all hosts on the NAT network 192.168.1.0/24):

    LDAP-SVR      eth0   192.168.1.1
    LDAP-CLIENT   eth0   192.168.1.2
    MS Windows           192.168.1.100

This lab covers the following:
- Install and configure the LDAP service on LDAP-SVR using OpenLDAP.
- Create an LDAP domain named ipmac.lab and create the objects to be managed (users, groups) in this domain.
- Install the LDAP Admin management tool on the Windows host and explore its features.
- Configure LDAP-CLIENT to authenticate users through the LDAP service.

I. Installing and initializing the LDAP service on the LDAP Server


Step 1. [On LDAP Server] Configure the network interface according to the diagram above.

[root@LDAP-SVR]# ifconfig eth0 192.168.1.1/24 up
[root@LDAP-SVR]# service iptables stop

Step 2. [On LDAP Server] Check whether the openldap-servers and openldap-clients packages are installed. If not, install them with yum or rpm.

[root@LDAP-SVR]# rpm -qa | grep openldap
openldap-devel-2.3.43-12.el5
openldap-2.3.43-12.el5
[root@LDAP-SVR]# yum install openldap-servers openldap-clients
[root@LDAP-SVR]# rpm -qa | grep openldap
openldap-devel-2.3.43-12.el5
openldap-clients-2.3.43-12.el5
openldap-2.3.43-12.el5
openldap-servers-2.3.43-12.el5

Step 3. [On LDAP Server] Open the main OpenLDAP server configuration file (/etc/openldap/slapd.conf) and review the key settings.

[root@LDAP-SVR]# less /etc/openldap/slapd.conf
# Schema files included by default
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
# Base suffix, rootdn and manager password
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

Step 4. [On LDAP Server] Run slappasswd to generate a hashed password for the OpenLDAP administrator (the rootdn). Copy the resulting hash.

[root@LDAP-SVR]# slappasswd
New password:
Re-enter new password:
{SSHA}ffhPJKASQXjwhRb0ANi9z7V0WTH+9xYA

Step 5. [On LDAP Server] Edit the following lines in /etc/openldap/slapd.conf and add the administrator password hash generated in Step 4.

[root@LDAP-SVR]# vi /etc/openldap/slapd.conf
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=ipmac,dc=lab"
rootdn "cn=Manager,dc=ipmac,dc=lab"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}ffhPJKASQXjwhRb0ANi9z7V0WTH+9xYA
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

Step 6. [On LDAP Server] Start the LDAP service.

[root@LDAP-SVR]# service ldap start
Checking configuration files for slapd: config file testing succeeded [ OK ]
Starting slapd: [ OK ]
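Before starting slapd it is worth checking the two points the comments in slapd.conf insist on: the rootpw line must carry a slappasswd hash rather than a cleartext value, and the database directory must be mode 700. The script below is an added example, not part of the lab; the configuration it inspects is a constructed copy of the edited file from Step 5, and the directory check takes an optional root prefix so it can be run against a scratch tree instead of the live /var/lib/ldap.

```shell
#!/bin/sh
# Added example: sanity checks on a slapd.conf before starting slapd.
# Not part of the lab; the sample file written by make_sample is constructed.

# Return 0 if the active 'rootpw' line in $1 carries a {SCHEME} hash,
# 1 if it is cleartext or missing. Commented-out lines are ignored.
rootpw_is_hashed() {
    awk '
        /^[[:space:]]*#/ { next }                     # skip comments
        $1 == "rootpw"   { found = 1; value = $2 }
        END {
            if (!found) exit 1
            exit (value ~ /^[{][A-Za-z0-9]+[}]/) ? 0 : 1
        }' "$1"
}

# Print the scheme tag (e.g. "{SSHA}") of the active rootpw line.
rootpw_scheme() {
    awk '!/^[[:space:]]*#/ && $1 == "rootpw" { sub(/[}].*/, "}", $2); print $2 }' "$1"
}

# Return 0 if the 'directory' named in $1 exists with mode 0700, else 1.
# $2 is a root prefix ("" for the real filesystem) so the check can run on
# a scratch tree. stat -c is GNU coreutils; POSIX has no portable mode query.
db_dir_is_private() {
    dir=$(awk '!/^[[:space:]]*#/ && $1 == "directory" { print $2 }' "$1")
    [ -n "$dir" ] && [ -d "$2$dir" ] || return 1
    [ "$(stat -c %a "$2$dir")" = "700" ]
}

# Constructed sample mirroring the lab's edited configuration (Step 5).
make_sample() {
    cat > "$1" <<'EOF'
database        bdb
suffix          "dc=ipmac,dc=lab"
rootdn          "cn=Manager,dc=ipmac,dc=lab"
# rootpw        secret
# rootpw        {crypt}ijFYNcSNctBYg
rootpw          {SSHA}ffhPJKASQXjwhRb0ANi9z7V0WTH+9xYA
directory       /var/lib/ldap
EOF
}

# Run all checks against a config file and optional root prefix; exit status
# is 0 only when every check passes, so it can gate 'service ldap start'.
check_slapd_conf() {
    rc=0
    rootpw_is_hashed "$1" || { echo "rootpw is cleartext or missing"; rc=1; }
    db_dir_is_private "$1" "$2" || { echo "database directory is not mode 700"; rc=1; }
    return $rc
}
```

Usage on the real server would be `check_slapd_conf /etc/openldap/slapd.conf ""`; a non-zero exit means the file should be fixed before slapd is started.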

II. Writing an LDIF file by hand to build the LDAP Server's directory tree

Step 7. [On LDAP Server] Create the file /tmp/ipmac.lab.ldif with the contents below.

[root@LDAP-SVR]# vi /tmp/ipmac.lab.ldif
dn: dc=ipmac,dc=lab
dc: ipmac
o: IPMac Lab
description: Root LDAP entry for ipmac.lab
objectClass: dcObject
objectClass: organization

dn: ou=People, dc=ipmac, dc=lab
ou: People
description: All the people in our domain
objectClass: organizationalUnit

dn: cn=testuser, ou=People, dc=ipmac, dc=lab
cn: testuser
objectClass: organizationalRole

Step 8. [On LDAP Server] Load the contents of ipmac.lab.ldif into the LDAP server's directory tree with ldapadd.

[root@LDAP-SVR]# ldapadd -x -D "cn=Manager,dc=ipmac,dc=lab" \
    -W -f /tmp/ipmac.lab.ldif
Enter LDAP Password:
adding new entry "dc=ipmac,dc=lab"
adding new entry "ou=People, dc=ipmac, dc=lab"
adding new entry "cn=testuser, ou=People, dc=ipmac, dc=lab"

Step 9. [On LDAP Server] View and search the entries just imported with ldapsearch.

[root@LDAP-SVR]# ldapsearch -x -b "dc=ipmac,dc=lab" "(objectclass=*)"
Enter LDAP Password:
# ipmac.lab
dn: dc=ipmac,dc=lab
dc: ipmac
o: IPMac Lab
description: Root LDAP entry for ipmac.lab
objectClass: dcObject
objectClass: organization

# People, ipmac.lab
dn: ou=People,dc=ipmac,dc=lab
ou: People
description: All the people in our domain
objectClass: organizationalUnit

# testuser, People, ipmac.lab
dn: cn=testuser,ou=People,dc=ipmac,dc=lab
cn: testuser
objectClass: organizationalRole

[root@LDAP-SVR]# ldapsearch -x -LLL -b "dc=ipmac,dc=lab" "(cn=testuser)"
dn: cn=testuser,ou=People,dc=ipmac,dc=lab
cn: testuser
objectClass: organizationalRole

Step 10. [On LDAP Server] Delete the user testuser with ldapdelete and confirm that the search now returns nothing.

[root@LDAP-SVR]# ldapdelete -x -W -D "cn=Manager,dc=ipmac,dc=lab" \
    "cn=testuser,ou=People,dc=ipmac,dc=lab"
Enter LDAP Password:
[root@LDAP-SVR]# ldapsearch -x -LLL -b "dc=ipmac,dc=lab" "(cn=testuser)"

III. Building the LDAP Server's directory tree from existing system data with the migration scripts

Step 11. [On LDAP Server] Change to the directory holding the migration scripts (/usr/share/openldap/migration) and edit the shared configuration file migrate_common.ph.

[root@LDAP-SVR]# cd /usr/share/openldap/migration
[root@LDAP-SVR]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "ipmac.lab";
# Default base
$DEFAULT_BASE = "dc=ipmac,dc=lab";

Step 12. [On LDAP Server] Run the migrate_base.pl script to generate an LDIF file describing the new base, then view the file.

[root@LDAP-SVR]# ./migrate_base.pl > /tmp/base.ldif
[root@LDAP-SVR]# less /tmp/base.ldif

Step 13. [On LDAP Server] Load base.ldif into the LDAP directory with ldapadd and check the result with ldapsearch. The -c flag makes ldapadd continue past the entries that already exist from Step 8.

[root@LDAP-SVR]# ldapadd -c -x -D "cn=Manager,dc=ipmac,dc=lab" \
    -W -f /tmp/base.ldif
Enter LDAP Password:
adding new entry "dc=ipmac,dc=lab"
ldapadd: Already exists (68)
adding new entry "ou=Hosts,dc=ipmac,dc=lab"
adding new entry "ou=Rpc,dc=ipmac,dc=lab"
adding new entry "ou=Services,dc=ipmac,dc=lab"
adding new entry "nisMapName=netgroup.byuser,dc=ipmac,dc=lab"
adding new entry "ou=Mounts,dc=ipmac,dc=lab"
adding new entry "ou=Networks,dc=ipmac,dc=lab"
adding new entry "ou=People,dc=ipmac,dc=lab"
ldapadd: Already exists (68)
adding new entry "ou=Group,dc=ipmac,dc=lab"
adding new entry "ou=Netgroup,dc=ipmac,dc=lab"
adding new entry "ou=Protocols,dc=ipmac,dc=lab"
adding new entry "ou=Aliases,dc=ipmac,dc=lab"
adding new entry "nisMapName=netgroup.byhost,dc=ipmac,dc=lab"
[root@LDAP-SVR]# ldapsearch -x -LLL -b "dc=ipmac,dc=lab" "(objectclass=*)"
dn: dc=ipmac,dc=lab
dc: ipmac
o: IPMac Lab
description: Root LDAP entry for ipmac.lab
objectClass: dcObject
objectClass: organization

dn: ou=People,dc=ipmac,dc=lab
ou: People
description: All the people in our domain
objectClass: organizationalUnit

dn: ou=Hosts,dc=ipmac,dc=lab
ou: Hosts
objectClass: top
objectClass: organizationalUnit

Step 14. [On LDAP Server] Run the migrate_passwd.pl script to generate an LDIF file listing users for LDAP, based on the users currently defined on the system (in /etc/passwd). View the resulting LDIF file.

[root@LDAP-SVR]# pwd
/usr/share/openldap/migration
[root@LDAP-SVR]# ./migrate_passwd.pl /etc/passwd > /tmp/allusers.ldif
[root@LDAP-SVR]# less /tmp/allusers.ldif

Step 15. [On LDAP Server] Load allusers.ldif into the LDAP directory with ldapadd and check the result with ldapsearch.

[root@LDAP-SVR]# ldapadd -c -x -D "cn=Manager,dc=ipmac,dc=lab" \
    -W -f /tmp/allusers.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=ipmac,dc=lab"
adding new entry "uid=bin,ou=People,dc=ipmac,dc=lab"
adding new entry "uid=daemon,ou=People,dc=ipmac,dc=lab"
adding new entry "uid=user,ou=People,dc=ipmac,dc=lab"
adding new entry "uid=named,ou=People,dc=ipmac,dc=lab"
adding new entry "uid=squid,ou=People,dc=ipmac,dc=lab"
adding new entry "uid=ipmac,ou=People,dc=ipmac,dc=lab"
[root@LDAP-SVR]# ldapsearch -x -LLL -b "dc=ipmac,dc=lab" "(uid=root)"
dn: uid=root,ou=People,dc=ipmac,dc=lab
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJG1Qem1jbHFoJDFxL25UMWpzRnpkYWxQYmtxdWxvNC8=
shadowLastChange: 15020
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
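Notice what the ldapsearch in Step 15 returned. It ran with -x and no -D, so it was an anonymous simple bind, yet the entry came back with its userPassword attribute: the base64 value decodes to a {crypt} hash that migrate_passwd.pl copied from /etc/shadow. With no access directives in slapd.conf the directory lets anyone read those hashes, which is far weaker than the root-only /etc/shadow they came from. The script below, an added example that is not part of the lab, walks an LDIF dump (a constructed sample that reuses the root entry above) and lists every entry whose password is exposed together with its hash scheme, so the output of an anonymous ldapsearch can be audited. The usual fix is an access directive in slapd.conf such as `access to attrs=userPassword by self write by anonymous auth by * none`, placed before any broader rule.

```shell
#!/bin/sh
# Added example: audit an LDIF / ldapsearch dump for exposed userPassword
# values. Not part of the lab; the sample dump is constructed, except the
# uid=root entry which is copied from the lab's Step 15 output.

# Print "<dn><TAB><scheme>" for every entry in file $1 that carries a
# userPassword. Handles both 'userPassword: value' and the base64 form
# 'userPassword:: value' that ldapsearch emits for this attribute.
exposed_password_hashes() {
    awk '
        /^dn: /            { dn = substr($0, 5) }
        /^userPassword:: / { print dn "\t" substr($0, 16) "\tb64" }
        /^userPassword: /  { print dn "\t" substr($0, 15) "\tplain" }
    ' "$1" |
    while IFS="$(printf '\t')" read -r dn value enc; do
        if [ "$enc" = "b64" ]; then
            value=$(printf '%s' "$value" | base64 -d)   # GNU coreutils base64
        fi
        # The scheme is the leading {SCHEME} tag; no tag means cleartext.
        scheme=$(printf '%s' "$value" | sed -n 's/^\({[^}]*}\).*/\1/p')
        [ -n "$scheme" ] || scheme="(cleartext)"
        printf '%s\t%s\n' "$dn" "$scheme"
    done
}

# Number of entries that expose a password value.
count_exposed() {
    exposed_password_hashes "$1" | wc -l | tr -d ' '
}

# Constructed sample dump: one ou, the lab's root entry, an SSHA entry and a
# cleartext one (the last two are made up for the example).
make_sample_dump() {
    cat > "$1" <<'EOF'
dn: ou=People,dc=ipmac,dc=lab
ou: People
objectClass: organizationalUnit

dn: uid=root,ou=People,dc=ipmac,dc=lab
uid: root
objectClass: posixAccount
userPassword:: e2NyeXB0fSQxJG1Qem1jbHFoJDFxL25UMWpzRnpkYWxQYmtxdWxvNC8=

dn: uid=demo,ou=People,dc=ipmac,dc=lab
uid: demo
objectClass: posixAccount
userPassword: {SSHA}ffhPJKASQXjwhRb0ANi9z7V0WTH+9xYA

dn: uid=legacy,ou=People,dc=ipmac,dc=lab
uid: legacy
objectClass: posixAccount
userPassword: example-cleartext
EOF
}
```

On the real server the input would be produced by `ldapsearch -x -LLL -b "dc=ipmac,dc=lab" "(objectclass=*)" > /tmp/anon.ldif`; any line in the audit output means the anonymous bind can read that account's password material, and after the access directive is added the same audit should print nothing.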

Step 16. [On LDAP Server] Create a new account named ldapuser on the system and add it to LDAP.

# Create a user named ldapuser in the group users and set its password
[root@LDAP-SVR]# useradd -g users ldapuser
[root@LDAP-SVR]# passwd ldapuser
Changing password for user ldapuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
# Extract the "ldapuser" record from /etc/passwd and write it to /tmp/ldapuser.info
[root@LDAP-SVR]# grep "ldapuser" /etc/passwd | tee /tmp/ldapuser.info
ldapuser:x:502:100::/home/ldapuser:/bin/bash
# Check the current directory to make sure we are in /usr/share/openldap/migration
[root@LDAP-SVR]# pwd
/usr/share/openldap/migration
# Use migrate_passwd.pl to build an LDIF file from /tmp/ldapuser.info
[root@LDAP-SVR]# ./migrate_passwd.pl /tmp/ldapuser.info > /tmp/ldapuser.ldif
[root@LDAP-SVR]# less /tmp/ldapuser.ldif
# Load the ldapuser entry from the LDIF file into the LDAP directory
[root@LDAP-SVR]# ldapadd -c -x -D "cn=Manager,dc=ipmac,dc=lab" \
    -W -f /tmp/ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser,ou=People,dc=ipmac,dc=lab"
# Check the ldapuser entry in the LDAP directory
[root@LDAP-SVR]# ldapsearch -x -LLL -b "dc=ipmac,dc=lab" "(uid=ldapuser)"
dn: uid=ldapuser,ou=People,dc=ipmac,dc=lab
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEN5RHY5ajQvJG1Ya0RWbzlIRFZwSURnbjZteTJhdC4=
shadowLastChange: 15058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 100
homeDirectory: /home/ldapuser

IV. Managing the LDAP Server with the LDAP Admin tool

Step 17. [On the physical Windows host] Download the LDAP Admin tool from http://nchc.dl.sourceforge.net/project/ldapadmin/ldapadmin/1.1/LdapAdminExe-1.1.zip

Step 18. [On the physical Windows host] Run LDAP Admin. Go to Start > Connect... > New Connection and fill in the connection details for the LDAP Server. Click OK to finish. Note: after entering the host's IP address you can click Fetch DNs so the tool retrieves the Base information automatically.

Step 19. [On the physical Windows host] Double-click the connection just created and enter the password (if prompted) to connect to the LDAP Server. Once connected, explore the interface and the features LDAP Admin provides.

V. Configuring the Client to authenticate against the LDAP Server

Step 20. [On LDAP Client] Configure the client's IP address according to the diagram above and check connectivity between the LDAP Client and the LDAP Server.

[root@LDAP-CLIENT]# ifconfig eth0 192.168.1.2/24 up
[root@LDAP-CLIENT]# service iptables stop
[root@LDAP-CLIENT]# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.370 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.179 ms

Step 21. [On LDAP Client] Look up the ldapuser account on the client to confirm that this user does not exist there yet.

[root@LDAP-CLIENT]# finger ldapuser
finger: ldapuser: no such user.

Step 22. [On LDAP Client] Inspect /etc/nsswitch.conf and the files in /etc/pam.d/ to see that neither user lookup (User Information) nor user authentication (Authentication) is configured to use LDAP yet.

[root@LDAP-CLIENT]# cat /etc/nsswitch.conf
passwd: files
shadow: files
group: files
[root@LDAP-CLIENT]# grep "ldap" /etc/pam.d/*

Step 23. [On LDAP Client] Run authconfig-tui to open the Authentication Configuration program. Select Use LDAP under User Information and Use LDAP Authentication under Authentication, as shown in the figure below, then choose Next.

Enter the LDAP Server address and the Base DN, then choose OK.

Step 24. [On LDAP Client] Re-check /etc/nsswitch.conf and /etc/pam.d/system-auth to see that user lookup (User Information) and user authentication (Authentication) are now configured to use LDAP.

[root@LDAP-CLIENT]# grep "ldap" /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
[root@LDAP-CLIENT]# grep "ldap" /etc/pam.d/system-auth
auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so

Step 25. [On LDAP Client] Look up the ldapuser account again. Note that ldapuser's $HOME directory (/home/ldapuser) has not been created yet.

[root@LDAP-CLIENT]# finger ldapuser
Login: ldapuser                         Name: ldapuser
Directory: /home/ldapuser               Shell: /bin/bash
Never logged in.
No mail.
No Plan.
[root@LDAP-CLIENT]# cd /home/ldapuser
-bash: cd: /home/ldapuser: No such file or directory

Step 26. [On LDAP Client] Configure PAM to create the $HOME directory automatically when a user logs in to the system for the first time.

[root@LDAP-CLIENT]# ls /lib/security | grep pam_mkhomedir
pam_mkhomedir.so
[root@LDAP-CLIENT]# vi /etc/pam.d/system-auth
# Append at the very end of the file
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
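Steps 22 to 26 change two files by hand or through authconfig-tui, and a mistake in either fails quietly: a database missing the ldap source in nsswitch.conf simply makes LDAP users invisible, and a misspelt control word in system-auth makes PAM reject the line while other modules keep working. The script below, an added example that is not part of the lab, checks a copy of each file for the state Steps 24 and 26 expect: ldap listed for passwd, shadow and group, pam_ldap.so present in the auth stack, every control word one PAM actually accepts, and pam_mkhomedir.so registered as a session module. The sample files it writes are constructed for the example.

```shell
#!/bin/sh
# Added example: verify the client-side nsswitch.conf and PAM configuration
# from Steps 22-26. Not part of the lab; sample files are constructed.

# Return 0 if the passwd, shadow and group databases in nsswitch.conf $1
# all list the ldap source, else 1.
nss_uses_ldap() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "passwd:" || $1 == "shadow:" || $1 == "group:" {
            for (i = 2; i <= NF; i++) if ($i == "ldap") ok[$1] = 1
        }
        END { exit (ok["passwd:"] && ok["shadow:"] && ok["group:"]) ? 0 : 1 }
    ' "$1"
}

# Print one diagnostic per problem in PAM file $1; print nothing when the
# file is healthy. Accepts the four stack types, the plain control words
# PAM knows, and the bracketed form used by the pam_ldap account line.
pam_problems() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            type = $1; ctrl = $2; m = 3
            # A bracketed control ("[default=bad success=ok ...]") spans fields.
            if (substr(ctrl, 1, 1) == "[")
                while (m <= NF && substr(ctrl, length(ctrl), 1) != "]") {
                    ctrl = ctrl " " $m; m++
                }
            module = $m
            if (type !~ /^(auth|account|password|session)$/)
                print "unknown stack type in: " $0
            else if (substr(ctrl, 1, 1) != "[" &&
                     ctrl !~ /^(required|requisite|sufficient|optional|include)$/)
                print "bad control word \"" ctrl "\" in: " $0
            if (type == "auth"    && module == "pam_ldap.so")      ldap_auth = 1
            if (type == "session" && module == "pam_mkhomedir.so") mkhome = 1
        }
        END {
            if (!ldap_auth) print "no pam_ldap.so in the auth stack"
            if (!mkhome)    print "no pam_mkhomedir.so in the session stack"
        }
    ' "$1"
}

# Constructed samples in directory $1: a good and a files-only nsswitch.conf,
# a healthy system-auth, and one with a typo and no mkhomedir line.
make_client_samples() {
    printf 'passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n' \
        > "$1/nsswitch.conf"
    printf 'passwd: files\nshadow: files\ngroup: files\n' > "$1/nsswitch.files-only"
    cat > "$1/system-auth.good" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF
    cat > "$1/system-auth.bad" <<'EOF'
auth        sufficent     pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
session     optional      pam_ldap.so
EOF
}
```

On the client itself the calls are `nss_uses_ldap /etc/nsswitch.conf` and `pam_problems /etc/pam.d/system-auth`; an empty result from the second and a zero exit from the first are the state Step 27's login test depends on.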

Step 27. [On LDAP Client] Switch to another terminal (Ctrl+Alt+F3) and try logging in with the ldapuser account. Verify that this account's $HOME directory is created automatically on the system.

LDAP-CLIENT release 5.5 (Final)
Kernel 2.6.18-194.el5 on an i686

LDAP-CLIENT login: ldapuser
Password:
Creating directory /home/ldapuser
Creating directory /home/ldapuser/.mozilla
Creating directory /home/ldapuser/.mozilla/plugins
Creating directory /home/ldapuser/.mozilla/extensions
[ldapuser@LDAP-CLIENT ~]$ pwd
/home/ldapuser