Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature
Advanced Linux LDAP authentication
Share
Print
CommentsIf client machines are to authenticate through LDAP, administrators must make sure user changes are reflected within the LDAP server. Most user management utilities on a client system expect to find information in files like /etc/passwd and /etc/group. If such information is only available through LDAP, utilities may complain about unknown users. To make changes in these cases, an administrator must modify the corresponding LDAP entries. While utilities such as phpLDAPadmin can help with this task, you must know what you're doing if you're to use them effectively.
Changing user information in LDAP
Just as creating users and groups with LDAP is often a process of populating and adding Lightweight Directory Interchange Format (LDIF) files, so is the process of making LDAP changes. Suppose you had used the following LDIF file to add a user called "myuser" to LDAP:
dn: cn=Myuser,ou=People,dc=example,dc=org cn: Myuser objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson sn: User uid: myuser uidNumber: 1025 gidNumber: 9000 homeDirectory: /tmp
Later you decide you would like a directory other than /tmp as myuser's home. Make a file with a name like myuser_change.ldif and add the following:
dn: cn=Myuser,ou=People,dc=example,dc=org homeDirectory: /home/myuser
Notice all that is needed here is the DN (Distinguished Name) and the information we wish to change. Though we only changed the home directory, we could also have changed attributes like the uidNumber or uid. Add your changes with the ldapmodify command:
ldapmodify -x -D "cn=admin,dc=example,dc=org" -W -f myuser_change.ldif
Because the DN is a unique identifier, deleting a DN with the ldapdelete command will remove everything about a user or group:
ldapdelete -x -D "cn=admin,dc=example,dc=org" -W "cn=Myuser,ou=People,dc=example,dc=org"
Encrypting communication between the clients and server
Our LDAP authentication system works well but has a major drawback: nothing is encrypted. Anyone with a packet analyzer and access to the network can read all communication between the client and server, so it's vital to enable LDAP encryption.
OpenLDAP offers two major methods of encrypting communication: LDAP with Transport Layer Security (TLS), and LDAP over Secure Sockets Layer (SSL). LDAP with TLS describes a normal LDAP session where a client requests SSL communication. This type of encryption would occur over the normal LDAP port (389). LDAP over SSL is LDAP being transmitted through an SSL tunnel over port 636. This communication is also called "ldaps://". Both approaches offer the same amount of security. Our example will use the latter approach, LDAP over SSL.
On your machine running OpenLDAP, ensure you have OpenSSL installed. If not, issuing a simple apt-get install openssl will do the trick for Debian systems. If you're using a different Linux distribution, you should be able to find packages for OpenSSL.
Our example will create our own CA (certificate authority), but you can have a third party act as a certificate authority as well. The following commands create our CA:
mkdir /etc/myca cd /etc/myca sh /usr/lib/ssl/misc/CA.sh -newca
After running the CA.sh script, you will be prompted to enter a certificate filename or press Enter for a new certificate. In this case, you'll want to press Enter. Then you'll be prompted for a pass phrase; use "cacert," and enter it twice. Then you'll be prompted for the following information:
Country Name (2 letter code) [AU]: US State or Province Name (full name) [Some-State]: Yourstate Locality Name (eg, city) []: Your City Organization Name (eg, company) [Internet Widgits Pty Ltd]: Exampleorg Organizational Unit Name (eg, section) []: Exampleunit Common Name (eg, YOUR name) []: example.org Email Address []: ldapadmin@example.org
Enter the correct information for your company or organization.
The Common Name, or "CN" for short, must be a fully qualified domain name pointing to your server. Incorrect CN values will completely break encryption, and there exist countless examples of this error on mailing lists and forums throughout the Internet.
Next we will create a certificate request and private key. Perform the following:
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
You will then be prompted for the following information:
Country Name (2 letter code) [AU]: US State or Province Name (full name) [Some-State]: Yourstate Locality Name (eg, city) []: Your City Organization Name (eg, company) [Internet Widgits Pty Ltd]: Exampleorg Organizational Unit Name (eg, section) []: Exampleunit Common Name (eg, YOUR name) []: example.org Email Address []: ldapadmin@example.org
Enter the appropriate information for your certificate. You will also be prompted for a challenge password and optional company name, which you can leave blank. OpenLDAP does not support password-protected private keys.
Notice the questions are roughly the same as the ones we saw before, and be aware that the same domain name warnings apply to the CN value here. The CA we created earlier will now sign our certificate request, and we will move the resulting files into place:
sh /usr/lib/ssl/misc/CA.sh -sign
Enter your CA password and answer "y" to the two questions, then copy the certificates to /etc/ldap:
cp demoCA/cacert.pem /etc/ldap/cacert.pem
cp newcert.pem /etc/ldap/servercrt.pem
cp newreq.pem /etc/ldap/serverkey.pem
chmod 600 /etc/ldap/serverkey.pem
We now have all the files we need to enable LDAP encryption. Edit the LDAP daemon's configuration file, /etc/ldap/slapd.conf, and add the following values:
TLSCACertificateFile /etc/ldap/cacert.pem TLSCertificateFile /etc/ldap/servercrt.pem TLSCertificateKeyFile /etc/ldap/serverkey.pem loglevel 256
This tells slapd where to find our certificates and key, and we added an option to enable more verbose logging. Next we need to start an LDAP daemon that listens on port 636. To test your setup and get immediate feedback, start a debugging slapd. Ensure no other instances of slapd are running and issue the following command as root:
slapd -h 'ldap:// ldaps://' -d1
This command starts a normal slapd running on port 389 and an SSL-only slapd running on port 636. If you messed up any of the above steps, slapd will refuse to start with a sometimes less-than-helpful error message.
Client encryption configuration
Once the server is running smoothly and listening on port 636, we can configure a client. While on the client machine, open /etc/ldap/ldap.conf and make the following changes:
BASE dc=example,dc=org URI ldaps://example.org TLS_REQCERT allow
We changed the URI stanza to consult ldaps:// instead of the unencrypted ldap://. The TLS_REQCERT stanza allows the client to request the server's certificate, alleviating the need to place a copy of the certificate on each client machine.
Next we need to configure the client's authentication files to use our newly minted secure connection. First up is /etc/libnss-ldap.conf. Comment out any "host" lines and ensure only the following exists:
base dc=example,dc=org uri ldaps://example.org ldap_version 3
Notice the change to "ldaps://" in the above lines. Next we will edit /etc/pam_ldap.conf and change it to use SSL. Open /etc/pam_ldap.conf and ensure the following exists:
base dc=example,dc=org uri ldaps://example.org/ ldap_version 3 rootbinddn cn=admin,dc=example,dc=org pam_password exop
Note the mention here of ldaps://. Again, any "host" stanzas or any lines referring to an IP address rather than the CN of the server certificate will break your setup. SSL is extremely picky in this regard.
Since we have made some serious changes, we now need to restart the name service cache daemon (nscd). Issue the command:
/etc/init.d/nscd restart
Because we made the server run a slapd that listens to both insecure and secure connections, we can test normal and encrypted LDAP. First, test a normal LDAP connection:
ldapsearch -x -b dc=example,dc=org -H 'ldap://example.org'
And to test LDAP over SSL:
ldapsearch -x -b dc=example,dc=org -H 'ldaps://example.org'
If the second ldapsearch command worked, client logins will be encrypted. You can verify this by looking at the output on the server terminal you started slapd with. Log in as an LDAP user on your client machine. Congratulations, you've securely authenticated over LDAP.
To make LDAP over SSL the only option on your network, open /etc/default/slapd on the OpenLDAP server and change the SLAPD_SERVICES line to the following:
SLAPD_SERVICES="ldaps:///"
Linux and LDAP play together nicely, and now we know how to make LDAP more flexible and secure. Making LDAP work with SSL is a sometimes tedious process that grinds to a halt if LDAP is not configured correctly. But the alternative of exchanging unencrypted user information is not an option. With what you now know, you should be able to make the connections work.
Comments
on Advanced Linux LDAP authenticationNote: Comments are owned by the poster. We are not responsible for their content.
I guess with all the support from big ones that LDAP is getting, we will need to adapt to it, but it's ugly and bulky nonetheless.
You can make all your modifications to the original entry and it will generate a file to give to ldapmodify.
No commercial directory requires its users to use LDIF files to add or edit a single user. They all offer very nice GUI administration tools such as <a href="http://www.microsoft.com/windows2000/images/ud_fig02.gif" title="microsoft.com">Microsoft's</a microsoft.com> and <a href="http://www.novell.com/documentation//consol13/c1_enu/graphics/console1.gif" title="novell.com">Novell's</a novell.com> or even the awful <a href="http://common.ziffdavisinternet.com/util_get_image/5/0,1425,sz=1&i=59468,00.gif" title="ziffdavisinternet.com">web based</a ziffdavisinternet.com> interfaces to the directory. When pressed for a GUI to OpenLDAP most people will offer up <a href="http://confluence.atlassian.com/download/attachments/4761/gq1.png" title="atlassian.com">GQ</a atlassian.com>. But, even an apologist would admit that GQ is very crude compared to the commercial offerings. GQ has been unmaintained since 2003! That means that there is no further development being done on GQ so it won't get better! Other's offer this <a href="http://www-unix.mcs.anl.gov/~gawor/ldap/images/Browser28.jpg" title="anl.gov">Java monstrosity</a anl.gov> despite the fcat that it is slow, resource hungry and buggy as hell.
LDIF import/export is still a part of most directories, especially for very large bulk operations but, come on, going through all these gyrations just to add a user when everyone else just clicks add user and enters the details in a form is ridiculous in this day and age. Even worse, and so frequently not mentioned as to seem like intentional concealment, how about moving an OpenLDAP object from one OU to another? You can't! You have to delete and recreate the object via LDIF files!?!? Using commercial directories, Moves are a simple matter of clicking the object, selecting move, and then choosing a destination!
How about an article about GOOD GUI admin tool for OpenLDAP? How about an article admonishing the community for such a woefully inadequate toolset? How about we get with the times, instead of yet another MP3 player, how about some decent LDAP tools?
Theres a lack of admin tools on the command line and gui to make task simple.
At least there should be a set of tools included in openssl for managing user and group accounts like useradd, usermod,.. for<nobr> <wbr></nobr>/etc/passwd.
Compare:
excute: usermod -d<nobr> <wbr></nobr>/home/myuser Myuser
VS
create myuser_change.ldif:
dn: cn=Myuser,ou=People,dc=example,dc=org
homeDirectory:<nobr> <wbr></nobr>/home/myuser
execute:
ldapmodify -x -D "cn=admin,dc=example,dc=org" -W -f myuser_change.ldif
Conversely, any decent package comes repleat with the necessary management tools - if not, they are abandoned for superior packages. Good sysadmins don't waste time with poor quality packages, they use the best tool for the job.
eDirectory
Active Directory
Red Hat/Fedora Directory
Sun One Directory
It's a great big cumbersome mess and it means yet another group of packages and processes, possibly even another computer, to manage. I feel that there should be a desktop application, a non-Java one, that is ported to multiple platforms. Think MMC or NWAdmin or even ConsoleOne without Java.
Greetings,
Chessy
It's been around for quite some time and is in constant active development. It has a templating system for common objects (such as managing users / groups.) There are also plugins for webmin (which suck IMHO.)
Use google. There are NUMEROUS LDAP admin tools out there. Some are great - others suck.
I'm working on a web-based admin tool for LDAP in perl (don't really care for PHP. And yes, it uses TLS to connect to the LDAP server.) It should be ready soon (I'll create a SF project for it.) There is really nothing wrong with web-based tools if they are written correctly. With a good web tool, I can manage everything I need to via a simple web browser wherever I am.
Some people go all out and try to do everything in LDAP. Services? Hosts? screw that! There is no reason to put those in LDAP. Use it for what it is really good at - user, group, and contact management.
I've got cetralized auth for all applications across all machines - web (modauthldap, tiki, webdav, etc), email (exim, courier, squirrel), logins (ssh, ftp, etc.), and more all via LDAP. Quite nice. Blows the old system away where many things had independant password files, and you had to rdist stuff around all the time. Addnig a new user was an hour long process and is now a 2 min process.
As another comment to a different thread - WTF would you store salary info in LDAP??? Ldap is NOT a generic DB for all info despite what it appears to be. Some things just don't belong in ldap.
I will point out that these two articles were written to enable users to centralize user information. How to do it, why to do certain tasks, and what the process looks like. Certainly I could have reviewed frontends and tools but I wanted to show people how to make something, and make that something work. Yes, tools can make the job easier, but I want people knowing firstly how to do it themselves.
As for your last paragraph, there are good tools to manage LDAP/OpenLDAP. It would be great if someone were to review them. As for "admonishing the community for such a woefully inadequate toolset"... well, let me only say that I disagree with that approach.
If I were to teach how to change a car's oil, I wouldn't start my lesson at Jiffy Lube. Know how to get things done, then take shortcuts if you wish.
I am conceptionally missing one piece of the pie, multiple linux hosts. I have some 60 linux servers I would like to authenticate against LDAP. I don’t see how the LDAP user entry relates to the linux server other then search base in the ldap.conf file. I realize I could make multiple user entries, one per linux server, but that makes little sense. So my question is, how would you give an LDAP user entry access to multiple linux servers?
One serious issue I see: the password for LDAP stored in<nobr> <wbr></nobr>/etc/pam_ldap.conf is unencrypted. Bad. Is there a way to avoid doing that? Can I create a bind-only user that has no other power than to authenticate against LDAP?
Thanks for a great couple of articles, I was just beginning to look into doing this. You've saved me a bit of research.<nobr> <wbr></nobr>:) If you wanna write an article on using LDAP as an address book, I wouldn't complain.
I think most of your questions were answered by other posts but I can shed a little more light.
LDAP SSL Only? Yes. Our example will default to SSL only if you change Debian/[your distro] to listen only on port 636.
Mix LDAP and normal accounts? Yes. By default the articles will steer you toward creating LDAP-only users but will drop back to trying local accounts as well. What that means is if you created "jobu" in LDAP as well as locally, your setup will first try LDAP and then local files. Since Jobu exists locally, you will log in.
That said, if LDAP is down and the user only exists in LDAP, you will not be able to log in. That is why myself and others advise not putting root in LDAP. Also, a commentor to my last article mentioned a solution that caches LDAP information.
Is this setup standard? Well, that is not really answerable. Linux LDAP documentation isn't documented well. My hope with these articles was to change that.
LDAP password stored locally. Big issue that many of us complain about. I certainly would hope that could be avoided. Maybe enough light has been shed for someone to volunteer to fix it?
Thanks again for the kind words. As per the LDAP address book, there is a pretty decent article located at: <a href="http://applications.linux.com/applications/05/05/18/1248224.shtml?tid=37" title="linux.com">http://applications.linux.com/applications/05/05/<nobr>1<wbr></nobr> 8/1248224.shtml?tid=37</a linux.com>
Secondary Linux LDAP authentication slow
Posted by: Anonymous [ip: 139.85.237.78] on February 26, 2008 04:59 PMCould someone tell me what is the problem with my redundant LDAP server? My Ldap servers are on CentOS. But whenever the communication to the primary LDAP server lost my linux clients are experiencing a very slow login via the secondary LDAP server, even though my Solaris clients are still ok.
Your help is very much appreciated!
Re:Questions, questions, questions...
Posted by: Anonymous Coward on October 27, 2005 11:22 PMSSL only: Yes.
Fallback: No, posible by configuration.
Mixture: Yes.
(Unavailability: No, don't want to DOS myself. Set it up in PAM (and nsswitch.conf))
Standard user: Yes, this is a standard UNIX user, you can set it up for samba as well.
pam_ldap.conf: Yes. pam_ldap.conf is not necessary, you need it for "passwd myuser" as root. I don't know if you can encrypt it.
Bind only: Yes, "anonymous" can only authenticate (if you set it up)
#