January 27, 2010

OpenLDAP with ppolicy overlay for user authentication

Installation of an OpenLDAP server for user authentication, and setting up password policies for users.

This document is a step-by-step setup guide for OpenLDAP with password policies. It has been tested on RHEL5; on other versions the paths may vary.

1) Installation of the OpenLDAP server.

1.1) Install the OpenLDAP server and client RPMs plus the overlays package, which provides the ppolicy overlay used for password policies.

yum install openldap-servers.x86_64
yum install openldap-clients*
yum install openldap-servers-overlays.x86_64

These are the RPMs installed on the server:

openldap-servers-2.3.43-3.el5
openldap-2.3.43-3.el5
openldap-clients-2.3.43-3.el5
openldap-devel-2.3.43-3.el5
mozldap-6.0.5-1.el5
nss_ldap-253-17.el5
openldap-servers-overlays-2.3.43-3.el5

1.2) Modify /etc/openldap/slapd.conf as follows.

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath /usr/lib64/openldap
moduleload lastmod.la
moduleload ppolicy.la

access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * none

access to attrs=shadowLastChange
    by self write
    by * read

access to *
    by self write
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * read

database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# This password hash can be generated with the slappasswd command.
rootpw {SSHA}
# This directory has to be created beforehand and will hold the LDAP database.
directory /var/lib/ldap/example.com/

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Enable the ppolicy overlay; the default policy below applies to all users.
overlay ppolicy
# The entry that holds the password policy attributes; see the ppolicy.ldif file for the policies.
ppolicy_default "cn=config,dc=example,dc=com"
# With ppolicy_use_lockout a bind to a locked account returns the AccountLocked error instead of plain
# invalidCredentials; without it the client is not told that the account is locked, which discloses less.
ppolicy_use_lockout

Note: Make sure there is no space at the beginning of the modulepath and moduleload lines in slapd.conf. If you get the error "ppolicy not found" it is because of a space left in slapd.conf when the hash was removed (in my case). Also, the hashed password can be generated with the command slappasswd.
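The rootpw value that slappasswd produces is an {SSHA} string: the SHA-1 digest of the password concatenated with a random salt, followed by the salt, base64-encoded. The Python below is an added illustration, not part of the original guide, that builds and verifies that format the same way slappasswd does; the sample password and the fixed salt used in the tests are constructed values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password; slappasswd would prompt for it interactively.
SAMPLE_PASSWORD = "correct horse battery staple"

SHA1_LEN = 20  # byte length of a SHA-1 digest; the salt is whatever follows it


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt).

    This is the scheme slappasswd uses by default, so the result is suitable for
    the rootpw directive or a userPassword attribute. A 4-byte random salt is
    drawn when none is supplied.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def _decode(stored: str) -> bytes:
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    return base64.b64decode(stored[len("{SSHA}"):])


def ssha_salt(stored: str) -> bytes:
    """Recover the salt from an {SSHA} value (everything after the 20-byte digest)."""
    return _decode(stored)[SHA1_LEN:]


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    The salt is taken from the stored value, so any salt length slappasswd
    produced works; the digests are compared in constant time.
    """
    blob = _decode(stored)
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    value = ssha_hash(SAMPLE_PASSWORD)
    print("rootpw", value)
    print("verify:", ssha_verify(value, SAMPLE_PASSWORD))
```

Because the salt is stored in clear inside the value, two hashes of the same password differ, which is the point of the scheme; verification always recovers the salt from the stored value rather than generating a new one.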
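The three access directives in the slapd.conf above are evaluated in file order: the first "access to" whose target matches is the only one consulted, and within it the first "by" clause that matches the requester decides the level. The Python below is an added example, not from the original guide, that models that evaluation for the page's own ACLs so the effect of ordering can be checked offline; the user DNs and the misordered variant are constructed, and only the self, anonymous, users, dn.base and * forms of the who-clause are covered.

```python
# Access levels in increasing order of privilege, as slapd ranks them: a clause
# granting level X also satisfies a request for any lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ROOTDN = "cn=Manager,dc=example,dc=com"  # the rootdn from slapd.conf above

# Constructed transcription of the three access directives above, in file order.
# <what> is ("attrs", {lower-cased names}) or ("*",); each <by> clause is
# (who, level) or ("dn.base", dn, level).
ACLS = [
    (("attrs", {"userpassword"}), [("self", "write"),
                                   ("anonymous", "auth"),
                                   ("dn.base", ROOTDN, "write"),
                                   ("*", "none")]),
    (("attrs", {"shadowlastchange"}), [("self", "write"),
                                       ("*", "read")]),
    (("*",), [("self", "write"),
              ("dn.base", ROOTDN, "write"),
              ("*", "read")]),
]

# Constructed variant with 'access to *' moved first: it matches every attribute,
# so the userPassword directive is never consulted any more.
ACLS_MISORDERED = [ACLS[2], ACLS[0], ACLS[1]]


def _norm(dn):
    """Comparison key for DNs: case- and whitespace-insensitive."""
    return "".join(dn.lower().split())


def who_matches(clause, requester_dn, target_dn):
    """Does a <by> clause apply to requester_dn (None = anonymous) acting on target_dn?"""
    kind = clause[0]
    if kind == "*":
        return True
    if kind == "anonymous":
        return requester_dn is None
    if kind == "users":
        return requester_dn is not None
    if kind == "self":
        return requester_dn is not None and _norm(requester_dn) == _norm(target_dn)
    if kind == "dn.base":
        return requester_dn is not None and _norm(requester_dn) == _norm(clause[1])
    raise ValueError("unsupported <who> form: " + kind)


def granted_level(acls, requester_dn, target_dn, attr=None):
    """Level slapd grants on `attr` of target_dn (attr=None means the entry itself).

    Modelled rules: the rootdn bypasses ACLs entirely; only the FIRST directive
    whose <what> matches is consulted; inside it the FIRST matching <by> clause
    wins; a directive that matches <what> but no <by> clause denies access.
    """
    if requester_dn is not None and _norm(requester_dn) == _norm(ROOTDN):
        return "manage"
    for what, by_clauses in acls:
        if what[0] == "attrs" and (attr is None or attr.lower() not in what[1]):
            continue
        for clause in by_clauses:
            if who_matches(clause, requester_dn, target_dn):
                return clause[-1]
        return "none"
    return "none"  # no directive matched; unreachable with the catch-all above


def allowed(acls, requester_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed`."""
    return LEVELS.index(granted_level(acls, requester_dn, target_dn, attr)) >= LEVELS.index(needed)
```

With the directives in the page's order an anonymous client gets exactly "auth" on userPassword (enough to bind, not enough to read the hash) and another user gets "none"; with the catch-all moved to the top the same anonymous client would be granted "read" on userPassword, which is why attribute-specific directives must precede "access to *".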

1.3) Make the directory that will hold the LDAP database:

mkdir /var/lib/ldap/example.com

1.4) Start the OpenLDAP server:

/etc/init.d/ldap start

1.5) Edit /etc/openldap/ldap.conf and make the following entries (this configuration is the same for any LDAP client):

URI ldap://127.0.0.1/
BASE dc=example,dc=com
pam_password exop

1.6) Add the base DN and the containers for our groups and users.

This is done by creating LDIF files and loading them with the ldapadd command.

Sample LDIF for the base DN, in a file named domain.ldif:

dn: dc=example,dc=com
objectClass: domain
dc: example

Add it to the directory using the command:

ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f domain.ldif

Sample LDIF for the users container, in a file named people.ldif:

dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit
objectClass: top

Add it to the directory using the command:

ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f people.ldif

Sample LDIF for the groups container, in a file named group.ldif:

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: organizationalUnit
objectClass: top

Add it to the directory using the command:

ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f group.ldif

Note: Do not leave stray spaces in the LDIF files; a leading space continues the previous line and a trailing space becomes part of the value.

1.7) Configure the ppolicy overlay for password policies.

Create a password policy configuration LDIF file, ppolicy.ldif:

dn: cn=config,dc=example,dc=com
cn: config
objectClass: pwdPolicy
objectClass: person
objectClass: top
sn: Password Policy
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 2592000
pwdMaxFailure: 3
pwdMinAge: 1
pwdMinLength: 5
pwdMustChange: TRUE
pwdSafeModify: FALSE
pwdInHistory: 3

Add it to the directory using the command:

ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ppolicy.ldif

Note: With these values an account is locked out after 3 failed attempts (pwdMaxFailure), the password expires after 30 days (pwdMaxAge 2592000 seconds), and so on.
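How these attributes interact is easier to see in a small model than in the attribute list. The Python below is an added illustration, not part of the original guide: it parses the pwdPolicy attributes from the ppolicy.ldif above, converts them into the rules they impose, and simulates the lockout and expiry behaviour for one account. It is a simplified model of the pwdFailureTime, pwdAccountLockedTime and pwdChangedTime operational attributes that slapo-ppolicy maintains; the reference time and all offsets are constructed, as is the variant policy with a finite lockout duration used in the tests.

```python
from datetime import datetime, timedelta

# Constructed copy of the policy attributes from ppolicy.ldif above.
PPOLICY_LDIF = """\
dn: cn=config,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdExpireWarning: 604800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 2592000
pwdMaxFailure: 3
pwdMinLength: 5
pwdInHistory: 3
"""

T0 = datetime(2010, 1, 27, 12, 0, 0)  # constructed reference time for the simulation


def at(seconds=0, days=0):
    """Timestamp `days`/`seconds` after T0."""
    return T0 + timedelta(days=days, seconds=seconds)


def parse_ldif_entry(text):
    """Parse one plain LDIF entry into {attribute: [values]} (no base64 or folded lines)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def policy_summary(entry):
    """Express the pwdPolicy attributes as the rules they impose, in human units."""
    num = lambda a: int(entry[a][0])
    flag = lambda a: entry[a][0].upper() == "TRUE"
    return {
        "max_failures": num("pwdMaxFailure"),
        "lockout": flag("pwdLockout"),
        "lockout_duration_s": num("pwdLockoutDuration"),    # 0: locked until an admin resets the password
        "failure_window_s": num("pwdFailureCountInterval"),  # 0: old failures never age out
        "password_max_age_days": num("pwdMaxAge") / 86400,
        "expire_warning_days": num("pwdExpireWarning") / 86400,
        "grace_logins": num("pwdGraceAuthNLimit"),
        "min_length": num("pwdMinLength"),
        "history": num("pwdInHistory"),
    }


POLICY = policy_summary(parse_ldif_entry(PPOLICY_LDIF))


class AccountState:
    """The operational attributes ppolicy keeps on an entry, reduced to this model."""

    def __init__(self, pwd_changed_time):
        self.pwd_changed_time = pwd_changed_time  # pwdChangedTime
        self.failure_times = []                   # pwdFailureTime values
        self.locked_at = None                     # pwdAccountLockedTime


def is_locked(state, policy, now):
    if state.locked_at is None:
        return False
    duration = policy["lockout_duration_s"]
    if duration == 0:
        return True  # pwdLockoutDuration 0: stays locked until the password is reset
    return now - state.locked_at < timedelta(seconds=duration)


def record_bind_failure(state, policy, now):
    """Apply one failed bind; returns 'already_locked', 'locked' or 'failed'."""
    if is_locked(state, policy, now):
        return "already_locked"
    window = policy["failure_window_s"]
    if window:  # only failures inside pwdFailureCountInterval count towards the limit
        state.failure_times = [t for t in state.failure_times
                               if now - t < timedelta(seconds=window)]
    state.failure_times.append(now)
    if policy["lockout"] and len(state.failure_times) >= policy["max_failures"]:
        state.locked_at = now
        return "locked"
    return "failed"


def password_status(state, policy, now):
    """'ok', 'warning' (within pwdExpireWarning of expiry) or 'expired' (past pwdMaxAge)."""
    age = now - state.pwd_changed_time
    max_age = timedelta(days=policy["password_max_age_days"])
    if age >= max_age:
        return "expired"
    if age >= max_age - timedelta(days=policy["expire_warning_days"]):
        return "warning"
    return "ok"


def simulate(policy, failure_offsets, probe_offsets):
    """Replay failed binds at the given offsets (seconds after T0) on a fresh account,
    then report whether the account is locked at each probe offset."""
    state = AccountState(T0)
    outcomes = [record_bind_failure(state, policy, at(seconds=o)) for o in failure_offsets]
    locked = [is_locked(state, policy, at(seconds=o)) for o in probe_offsets]
    return {"outcomes": outcomes, "locked": locked}
```

The two zeros in the page's policy matter: pwdFailureCountInterval 0 means a failure from a year ago still counts towards pwdMaxFailure, and pwdLockoutDuration 0 means the lock never expires on its own, so an administrator has to reset the password to clear it.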

After these steps the LDAP server is ready to use with password policies.

2) The next step is to configure users and groups. This can be done in two ways: through LDIF files or through the phpLDAPadmin web interface.

2.1) Option 1:

Group addition through the LDIF file group.ldif:

dn: cn=ldapusers,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapusers
gidNumber: 9000

Add it to the directory using the command:

ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f group.ldif

User addition through the LDIF file user.ldif:

dn: cn=Benn,ou=People,dc=example,dc=com
cn: Benn
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: User
uid: benn
uidNumber: 1025
gidNumber: 9000
homeDirectory: /home/benn

Add it to the directory using the command:

ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f user.ldif

These steps create a user benn whose primary group is ldapusers. Initially no password is set for benn; set one with the command:

ldappasswd -x -D "cn=Manager,dc=example,dc=com" "cn=Benn,ou=People,dc=example,dc=com" -W -S

2.2) Option 2:

Install a web interface such as phpLDAPadmin and use it to create users.

Steps:

2.2.1) Install httpd (Apache) and the PHP modules.

# yum install httpd
# yum install php.x86_64
# yum install php-ldap.x86_64

The following RPMs get installed as a result:

httpd-2.2.3-31.0.1.el5_4.2
php-ldap-5.1.6-23.2.el5_3
php-cli-5.1.6-23.2.el5_3
php-5.1.6-23.2.el5_3
php-common-5.1.6-23.2.el5_3

2.2.2) Download the phpLDAPadmin software from the URL

http://sourceforge.net/projects/phpldapadmin/files/

2.2.3) Copy the ZIP file to the server and unzip it in /var/www/html. This creates a new folder named phpldapadmin-1.2.0.4 (depending on the version downloaded).

2.2.4) Edit /etc/httpd/conf/httpd.conf and add the following entries:

Alias /ldap/ /var/www/html/phpldapadmin-1.2.0.4/htdocs/
DirectoryIndex index.php
LoadModule php5_module modules/libphp5.so
AddHandler php5-script .php
AddType text/html .php

2.2.5) Rename /var/www/html/phpldapadmin-1.2.0.4/config/config.php.example to /var/www/html/phpldapadmin-1.2.0.4/config/config.php.

2.2.6) Edit /var/www/html/phpldapadmin-1.2.0.4/config/config.php and set the appropriate hostname and port:

$servers->setValue('server','name','ldap://host.example.com/');
$servers->setValue('server','port',389);

At this point we have a working LDAP server that can be used to authenticate users.

 

3) Client configuration.

3.1) The two main configuration files used by LDAP clients are /etc/ldap.conf (for nss_ldap and pam_ldap) and /etc/openldap/ldap.conf (for the LDAP utilities such as ldapsearch and ldapadd).

Sample:

/etc/ldap.conf
base dc=example,dc=com
uri ldap://127.0.0.1/
timeout 5

/etc/openldap/ldap.conf
URI ldap://127.0.0.1/
BASE dc=example,dc=com
pam_password exop

3.2) pam_ldap client configuration:

pam_ldap has to be configured for the password policies to work. The file to modify is /etc/pam.d/system-auth:

auth required pam_env.so debug
auth sufficient pam_unix.so nullok try_first_pass debug
auth sufficient pam_ldap.so debug
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account sufficient pam_unix.so nullok try_first_pass
account sufficient pam_ldap.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

#password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_ldap.so debug
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

3.3) /etc/nsswitch.conf also has to be changed so that user, shadow and group lookups are resolved against the LDAP server.

Modify the file as follows:

passwd: files ldap
shadow: files ldap
group: files ldap

3.4) Additional PAM configuration.

3.5) Create home directories for LDAP users.

Modify the session stack in /etc/pam.d/system-auth on the client as follows:

session optional pam_keyinit.so revoke
session optional pam_mkhomedir.so skel=/etc/skel umask=0002
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

3.6) Restricting password length, complexity etc.

We prefer to configure PAM to handle the password complexity and length. (ppolicy might be able to do the same, not quite sure how to do it.)

Modify /etc/pam.d/system-auth and make the following changes:

password requisite pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=5
password sufficient pam_unix.so md5 shadow use_authtok remember=10
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

This ensures that a new password is at least 8 characters long and contains at least 1 upper-case letter, 1 digit, 1 non-alphanumeric character and 1 lower-case letter (a credit of -1 means the class is required and earns no length credit, so the effective minimum length does not decrease).

 

4) Optional: SSL/TLS

SSL/TLS for the LDAP server needs the following steps:

1. Create a CA certificate.
2. Create and sign the server certificate.
3. Update the server and client configuration files.

4.1) Create the CA certificate.

Make sure these RPMs are installed:

openssl-0.9.8e-12.el5
openssl-perl-0.9.8e-12.el5

# /etc/pki/tls/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
.......................................................................................++++++
writing new private key to '../../CA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:AU
State or Province Name (full name) [Berkshire]:Victoria
Locality Name (eg, city) [Newbury]:Melbourne
Organization Name (eg, company) [My Company Ltd]:example
Organizational Unit Name (eg, section) []:ldap
Common Name (eg, your name or your server's hostname) []:www.hostname.com
# make sure you give your server's proper hostname here
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c1:f0:c1:d8:cb:51:60:ee
Validity
Not Before: Jan 27 01:25:42 2010 GMT
Not After : Jan 26 01:25:42 2013 GMT
Subject:
countryName = AU
stateOrProvinceName = Victoria
organizationName = example
organizationalUnitName = ldap
commonName = orkxdevwamg01.espdev.aurdev.national.com.au
emailAddress =
X509v3 extensions:
X509v3 Subject Key Identifier:
6E:81:DE:26:38:C0:66:71:4D:31:0E:D5:14:50:EA:61:99:89:B2:36
X509v3 Authority Key Identifier:
keyid:6E:81:DE:26:38:C0:66:71:4D:31:0E:D5:14:50:EA:61:99:89:B2:36
DirName:/C=AU/ST=Victoria/O=example/OU=ldap/CN=orkxdevwamg01.espdev.aurdev.national.com.au/emailAddress=
serial:C1:F0:C1:D8:CB:51:60:EE
X509v3 Basic Constraints:
CA:TRUE
/etc/pki/CA/cacert.pem
Certificate is to be certified until Jan 26 01:25:42 2013 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated

This creates the CA private key in /etc/pki/CA/private/cakey.pem and the CA certificate in /etc/pki/CA/cacert.pem.

4.2) Create a certificate request for our server.

# cd /etc/openldap/cacerts
# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.......++++++
......................................................................................................................
................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:AU
State or Province Name (full name) [Berkshire]:Victoria
Locality Name (eg, city) [Newbury]:melbourne
Organization Name (eg, company) [My Company Ltd]:example.com
Organizational Unit Name (eg, section) []:ldap
Common Name (eg, your name or your server's hostname) []:orkxdevwamg01.espdev.aurdev.national.com.au
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This creates a new CSR, newreq.pem, in /etc/openldap/cacerts. Because -keyout and -out name the same file, newreq.pem also holds the unencrypted private key, which is why it is used as TLSCertificateKeyFile later.

Once the CSR is created, sign it with the CA:

# cp /etc/openldap/cacerts/newreq.pem /etc/pki/tls/misc
# ./CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c1:f0:c1:d8:cb:51:60:ef
Validity
Not Before: Jan 27 02:09:51 2010 GMT
Not After : Jan 27 02:09:51 2011 GMT
Subject:
countryName = AU
stateOrProvinceName = Victoria
localityName = melbourne
organizationName = example.com
organizationalUnitName = ldap
commonName = orkxdevwamg01.espdev.aurdev.national.com.au
emailAddress =
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2E:FE:CA:FC:9D:BA:C9:9D:1B:2A:53:3F:F9:22:D6:BA:47:55:7A:24
X509v3 Authority Key Identifier:
keyid:6E:81:DE:26:38:C0:66:71:4D:31:0E:D5:14:50:EA:61:99:89:B2:36
Certificate is to be certified until Jan 27 02:09:51 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

This creates the new server certificate in the current directory. Copy it to /etc/openldap/cacerts:

# cp newcert.pem /etc/openldap/cacerts/

Also copy the CA certificate to the same location:

# cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/

4.3) Change the owner of all certificates to ldap:ldap:

# chown ldap:ldap /etc/openldap/cacerts/*

4.4) Make the following changes in slapd.conf on the server.

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/newcert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/newreq.pem

Once the configuration is complete the LDAP server has to be started with the ldaps listener enabled. Edit /etc/sysconfig/ldap (create it if not present) and add the following line:

export OPTIONS="-l local7 -h 'ldaps:/// ldap:///'"

Then restart the LDAP server:

/etc/init.d/ldap restart

5) Client configuration for SSL/TLS

5.1) Copy the CA certificate cacert.pem to the client machine, into /etc/openldap/cacerts.

5.2) Edit /etc/ldap.conf and /etc/openldap/ldap.conf and add the lines:

TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
uri ldaps:///

Make sure the hostname in the uri is the same as the Common Name in the certificate and is resolvable.

6) Backup/restoration of important containers.

6.1) Back up the users container:

# slapcat -a "(entryDN:dnSubtreeMatch:=ou=People,dc=example,dc=com)" -l users.ldif

6.2) Restore the users container:

Stop the LDAP server, then:

# slapadd -l users.ldif

This can also be used to migrate from one LDAP server to another.

6.3) For the entire database

6.3.1) Backup.

#

6.3.2) Restoration.

Follow the steps up to 1.7 and then restore the backed-up database:

# slapadd -l ldap.ldif

Troubleshooting.

Most of the debugging on the server side can be done by starting the LDAP server in the foreground in debug mode with a level of -1 (all debug output):

slapd -d -1 -h "ldap:///" -u ldap

nss_ldap on the client side:

Add the following lines to /etc/ldap.conf. This creates a log file named ldap.<pid> in /var/log that helps in troubleshooting many client-side issues.

logdir /var/log
debug 9

 

References.

http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0

http://www.zytrax.com/books/ldap/ch6/ppolicy.html
