For this exercise, we’ll set up an OpenLDAP server (and at least one LDAP client VM running Ubuntu desktop) using VirtualBox.
Resources:
* Turnkey OpenLDAP VM = https://www.turnkeylinux.org/openldap
* Ubuntu desktop ISO = http://www.ubuntu.com/download/desktop
Sometimes it is important to configure an OpenLDAP server (and some number of clients). If you are just learning, or looking to get one set up quickly, then using the Turnkey VM might be the way to go.
Once you download the Turnkey OpenLDAP VM’s OVA file, double-click it to import it into VirtualBox. Once you have imported and started the VM, you will be asked to enter the following:
- Provide a new ROOT password
- Provide a password for the OpenLDAP ADMIN account
- Create a new domain (I’ll use example.com for this)
- APPLY to start using services immediately
- Local system notifications (optional)
- Install system updates automatically (usually recommended)
- Networking (DHCP by default, but you can switch to a static IP via the networking menu)
Typically one would also install tcpdump here, so you can examine the packets when doing LDAP(S) authentication. However, this depends on whether your VM’s networking is configured with internet access.
Note: this configuration will work out of the gate using plaintext LDAP (port 389); with simple binds, that means the bind password crosses the wire in the clear, so keep it lab-only. Do it this way first, to ensure everything is working BEFORE swapping over to LDAPS.
LDAP Client Installation
Ubuntu 14.04 LDAP Client Installation
Once the base system is installed, do the following:
- sudo apt-get update && sudo apt-get upgrade
- edit the /etc/hosts file and add an entry for the IP address and FQDN of the OpenLDAP server (example: 192.168.5.95 example.com)
- sudo apt-get install ldap-utils nscd tcpdump ldap-auth-config openssh-server (refer to the ldap-auth-config section below for the settings it asks for)
- edit /etc/pam.d/common-session and add this entry:
  session required pam_mkhomedir.so skel=/etc/skel umask=0022
NOTE: I recommend taking a “save snapshot” of the client VM here before doing the next step, just in case the nss bug comes into play.
Next, edit /etc/nsswitch.conf and update these 3 lines like so:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
(You should just be adding ldap to those 3 lines. Ensure the word ldap is appended after compat; if you prepend it, the nss bug will most likely come into play and the next reboot will be affected.)
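The three file edits above (hosts entry, pam_mkhomedir line, nsswitch.conf) are easy to get subtly wrong, in particular the append-not-prepend rule for nsswitch.conf. The script below is an added example, not part of the original post: idempotent POSIX sh helpers that make each edit at most once and a check that refuses a file where ldap ends up ahead of compat. Each function takes the file to edit as its last argument so the logic can be dry-run on copies; the defaults are the real paths and need root. 192.168.5.95 and example.com are the post’s example server address and domain.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotent helpers for the three
# file edits in the Ubuntu 14.04 client steps. Every function takes the file to
# edit as its last argument so it can be dry-run on a copy; the defaults are the
# real paths and need root.

# /etc/hosts: add "IP FQDN" exactly once (fixed-string match, so a pre-existing
# tab-separated entry would not be recognised and the line would be added again).
add_hosts_entry() {
    ip="$1"; fqdn="$2"; file="${3:-/etc/hosts}"
    grep -Fq "$ip $fqdn" "$file" && return 0
    printf '%s %s\n' "$ip" "$fqdn" >> "$file"
}

# /etc/pam.d/common-session: create home directories on first LDAP login.
add_mkhomedir() {
    file="${1:-/etc/pam.d/common-session}"
    grep -Fq 'pam_mkhomedir.so' "$file" && return 0
    printf '%s\n' 'session required pam_mkhomedir.so skel=/etc/skel umask=0022' >> "$file"
}

# /etc/nsswitch.conf: append " ldap" to the passwd/group/shadow lines that do not
# already list it. Appending keeps compat first, which is what avoids the nss bug
# the post warns about when ldap is prepended.
enable_ldap_nss() {
    file="${1:-/etc/nsswitch.conf}"
    tmp="$(mktemp)"
    sed -E '/^(passwd|group|shadow):/{/[[:space:]]ldap([[:space:]]|$)/!s/[[:space:]]*$/ ldap/;}' "$file" > "$tmp"
    cat "$tmp" > "$file"   # cat, not mv: keeps the original file's owner and mode
    rm -f "$tmp"
}

# Returns 0 only if all three databases read "compat ... ldap" in that order.
check_ldap_nss() {
    file="${1:-/etc/nsswitch.conf}"
    for db in passwd group shadow; do
        grep -Eq "^$db:[[:space:]]+compat([[:space:]]+[^[:space:]]+)*[[:space:]]+ldap([[:space:]]|$)" "$file" || return 1
    done
    return 0
}

# Usage (as root, on the client): sh ldap-client-files.sh --apply
if [ "${1:-}" = "--apply" ]; then
    add_hosts_entry 192.168.5.95 example.com
    add_mkhomedir
    enable_ldap_nss && check_ldap_nss && echo "nsswitch.conf ok"
fi
```

Running check_ldap_nss before and after the edit (or against a copy of the file) is the cheap way to catch the prepended-ldap mistake before the reboot that would otherwise expose it.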
ldap-auth-config
After installing ldap-auth-config, you will be asked some questions. Here are the answers for the “example.com” domain:
- LDAP server = ldap://example.com # will change to ldaps later
- DN of the search base = dc=example,dc=com
- LDAP version to use = 3
- Make local root database admin = yes
- Does the LDAP database require login = no
- LDAP account for root: cn=admin,dc=example,dc=com
- LDAP root account password = the password set for the admin LDAP account when the Turnkey OpenLDAP server above was installed
Once this is done, restart nscd with: sudo service nscd restart. Next, confirm connectivity with:
ldapsearch -x -b 'dc=example,dc=com' -D'cn=admin,dc=example,dc=com' -H ldap://example.com -W
LDAP Configuration:
Connect to the web interface over HTTPS, or via http://example.com if not using SSL.
Log in with your LDAP admin account, and do the following to create a “sample test user”:
- expand users and create a child object as a generic POSIX user, filling out the required sections (we’ll give it a uid of smithj)
- modify the newly created user and change its numeric UID (uidNumber) to a higher number, so it doesn’t collide with existing local users on a system; 5000, for example, would be fine.
Test it out:
From another box, attempt to ssh into the Ubuntu 14.04 LDAP client’s IP you just configured. For this example, let’s assume this IP = 192.168.5.50
If everything works, you should be logged into the Ubuntu LDAP client machine as user smithj.
Now that you’ve confirmed that LDAP works, you can reconfigure it to use LDAPS with the following steps:
* sudo dpkg-reconfigure ldap-auth-config and change the LDAP server entry to: ldaps://example.com (take the defaults for everything else)
* Next, edit /etc/ldap/ldap.conf and set the following (do this on clients and the server):
BASE dc=example,dc=com
URI ldaps://example.com
port 636
ssl on
ssl start_tls
TLS_REQCERT allow
TLS_REQCERT allow tells the client to accept a server certificate it cannot verify (convenient for the lab’s self-signed cert). That encrypts the session but does not authenticate the server; for anything beyond the lab, set TLS_REQCERT demand and point TLS_CACERT at the CA that signed the server certificate.
Now attempt another ssh connection to the Ubuntu LDAP client machine 192.168.5.50; it should connect. To confirm the traffic is encrypted, run the following on your OpenLDAP Turnkey box while logging in:
tcpdump -i eth0 -nvvXSs 1514 port 636
Substitute eth0 with the proper Ethernet interface if it isn’t eth0. In the hex dump you should see TLS records rather than readable bind DNs and passwords, which is what you would see on port 389.
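tcpdump shows that the bytes on the wire are encrypted, but not whether the client would notice a substituted server. The following is an added example, not part of the original post: a small POSIX sh checker that reads an ldap.conf-style file and reports whether the settings give you plaintext, encryption without server verification (the TLS_REQCERT allow configuration above), or encryption with verification (TLS_REQCERT demand, libldap’s default when the directive is absent). The hardened file in the usage notes, including the CA path /etc/ssl/certs/lab-ca.pem, is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: read an ldap.conf-style file and
# report what its TLS settings actually buy you. URI ldaps:// encrypts the
# session, but TLS_REQCERT allow (like never/try) lets the handshake complete on
# a certificate the client cannot verify, so the server is not authenticated.
# demand/hard (libldap's default when TLS_REQCERT is absent) reject such a cert,
# which also means the lab cert must chain to a CA given in TLS_CACERT.

# Print the value of a directive (key compared case-insensitively, last one wins).
ldapconf_get() {
    key="$(printf '%s' "$1" | tr 'a-z' 'A-Z')"; file="$2"
    awk -v k="$key" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && toupper($1) == k { v = $2 }
        END { print v }' "$file"
}

# Print one of: plaintext, encrypted-unverified, encrypted-verified
ldapconf_posture() {
    file="${1:-/etc/ldap/ldap.conf}"
    uri="$(ldapconf_get URI "$file")"
    reqcert="$(ldapconf_get TLS_REQCERT "$file" | tr 'A-Z' 'a-z')"
    case "$uri" in
        ldaps://*) ;;
        *) echo plaintext; return 0 ;;   # ldap:// stays clear unless the app negotiates STARTTLS
    esac
    case "${reqcert:-demand}" in
        never|allow|try) echo encrypted-unverified ;;
        *)               echo encrypted-verified ;;
    esac
}

# Usage: sh ldapconf-posture.sh [/etc/ldap/ldap.conf]
if [ "$#" -gt 0 ]; then
    ldapconf_posture "$1"
fi
```

Run against the file as written in this post it prints encrypted-unverified; replacing TLS_REQCERT allow with TLS_REQCERT demand plus a TLS_CACERT line naming the CA that issued the Turnkey box’s certificate moves it to encrypted-verified, at which point ldapsearch over ldaps:// will fail loudly if the certificate does not chain to that CA, which is the behaviour you want outside the lab.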