Installation of an OpenLDAP server for user authentication and setting up password policies for users.
This document is a step-by-step setup guide for OpenLDAP with password policies (the ppolicy overlay). It has been tested on RHEL5; on other versions the paths may vary.
1) Installation of the OpenLDAP server.
1.1) Install the openldap server and client RPMs and the overlay package that provides ppolicy for password policies.
yum install openldap-servers.x86_64
yum install openldap-clients*
yum install openldap-servers-overlays.x86_64
These are the RPMs installed on the server:
openldap-servers-2.3.43-3.el5
openldap-2.3.43-3.el5
openldap-clients-2.3.43-3.el5
openldap-devel-2.3.43-3.el5
mozldap-6.0.5-1.el5
nss_ldap-253-17.el5
openldap-servers-overlays-2.3.43-3.el5
1.2) Edit /etc/openldap/slapd.conf so that it contains the following. slapd reads the directives in order: the global access rules come before the database section and the overlay comes after it.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload lastmod.la
moduleload ppolicy.la
access to attrs=userPassword
 by self write
 by anonymous auth
 by dn.base="cn=Manager,dc=example,dc=com" write
 by * none
access to attrs=shadowLastChange
 by self write
 by * read
# Caution: "by self write" on all attributes lets a user change their own uidNumber,
# gidNumber, homeDirectory and loginShell. On a client that trusts the directory for
# NSS that is a route to uid 0. On a production server limit self write to the
# attributes users legitimately change (for example loginShell or mail).
access to *
 by self write
 by dn.base="cn=Manager,dc=example,dc=com" write
 by * read
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# Put the hash printed by the slappasswd command here, never a cleartext password.
rootpw {SSHA}
# This directory has to be created (see 1.3) and will hold the ldap database.
directory /var/lib/ldap/example.com/
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# This enables the ppolicy overlay for our password policies; it applies to every entry in this database.
overlay ppolicy
# The entry that holds the password policy; see the ppolicy.ldif file in 1.7 for its attributes.
# The name cn=config is this guide's choice. It is an ordinary entry under the suffix and has
# nothing to do with the cn=config configuration backend of OpenLDAP 2.4.
ppolicy_default "cn=config,dc=example,dc=com"
# ppolicy_use_lockout would make slapd tell a client that a bind failed because the account is
# locked (the AccountLocked error in the ppolicy response control). Leave it off, which is the
# default, so that a locked account is indistinguishable from a wrong password.
#ppolicy_use_lockout
Note: Make sure there is no whitespace at the beginning of the modulepath and moduleload lines. In slapd.conf a line that starts with whitespace continues the previous line, so a stray space left behind when a leading hash was removed (which is what happened in my case) produces the error "ppolicy not found". The hashed rootpw is generated with the slappasswd command, and slaptest -f /etc/openldap/slapd.conf checks the file for such mistakes before the server is started.
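As an added example (shell, not from the original page), here is a small lint that catches the continuation-line mistake described in the note above together with three other slapd.conf problems a reviewer would look for. The two configurations it runs on are constructed for the example; the {SSHA} value in the good one is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added lint for slapd.conf (example code, not from the page). It catches the
# mistake the note above describes plus three others a reviewer looks for:
#  1. a line starting with whitespace is a CONTINUATION of the previous line in
#     slapd.conf(5), so " moduleload ppolicy.la" is glued onto the line before
#     it and the module is never loaded ("ppolicy not found");
#  2. rootpw stored in cleartext instead of a slappasswd hash;
#  3. "access to *" written before "access to attrs=userPassword": slapd uses
#     the first matching access directive, so the userPassword rule is dead;
#  4. "overlay ppolicy" before any "database" directive (an overlay belongs to
#     the database that precedes it).
# Prints one finding per line, then the number of findings on the last line.

lint_slapd_conf() {
    awk '
        function finding(msg) { n++; print "line " NR ": " msg }
        /^[ \t]+(modulepath|moduleload|overlay|database|suffix|rootdn|rootpw)[ \t]/ {
            finding("leading whitespace turns this into a continuation of the previous line: " $0)
        }
        /^rootpw[ \t]/ && $2 !~ /^[{][A-Za-z0-9-]+[}]/ {
            finding("rootpw is cleartext; use the {SSHA} hash printed by slappasswd")
        }
        /^access to \*/ { seen_star = 1 }
        /^access to attrs=.*userPassword/ && seen_star {
            finding("userPassword ACL comes after \"access to *\" and can never match")
        }
        /^database[ \t]/ { in_db = 1 }
        /^overlay[ \t]+ppolicy/ && !in_db {
            finding("overlay ppolicy must follow the database directive it applies to")
        }
        END { print n + 0 }
    ' "$1"
}

lint_slapd_conf_count() {  # just the number of findings
    lint_slapd_conf "$1" | tail -n 1
}

# Constructed sample with all four mistakes (the ACL "by" lines are meant to
# be continuation lines and are not flagged).
BAD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
include /etc/openldap/schema/ppolicy.schema
modulepath /usr/lib64/openldap
 moduleload ppolicy.la
overlay ppolicy
access to *
 by * read
access to attrs=userPassword
 by self write
 by anonymous auth
 by * none
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
EOF

# The same configuration written correctly: no findings. The rootpw value is
# a placeholder standing in for real slappasswd output.
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
include /etc/openldap/schema/ppolicy.schema
modulepath /usr/lib64/openldap
moduleload ppolicy.la
access to attrs=userPassword
 by self write
 by anonymous auth
 by * none
access to *
 by * read
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}hash-from-slappasswd-goes-here
overlay ppolicy
EOF

lint_slapd_conf "$BAD_CONF"
```

The lint is a pre-check only; slaptest -f slapd.conf remains the authoritative parse, but it does not warn about a cleartext rootpw or a dead ACL.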
1.3) Make the directory that holds the ldap database, and make it owned by the ldap user (ldap:ldap), which the init script runs slapd as.
mkdir /var/lib/ldap/example.com
1.4) Start the openldap server using
/etc/init.d/ldap start
1.5) Edit /etc/openldap/ldap.conf, which the OpenLDAP command-line tools (ldapsearch, ldapadd, ...) read, and make the following entries. (The same settings are used on any client.)
URI ldap://127.0.0.1/
BASE dc=example,dc=com
Note: pam_password exop is a pam_ldap option and belongs in /etc/ldap.conf (see 3.1), not in this file. It makes password changes go through the LDAP Password Modify extended operation, so that the server hashes the new password and applies the password policy to it.
1.6) Add the base DN and the containers for our groups and users.
This is done by creating LDIF files and loading them with the ldapadd command.
Sample LDIF for the base DN, saved as domain.ldif:
dn: dc=example,dc=com
objectClass: domain
dc: example
Add it to the directory using the command:
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f domain.ldif
Sample LDIF for the users container, saved as people.ldif:
dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit
objectClass: top
Add it to the directory using the command:
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f people.ldif
Sample LDIF for the groups container, saved as group.ldif:
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: organizationalUnit
objectClass: top
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f group.ldif
Note: LDIF is whitespace-sensitive. Do not put spaces in front of attribute names or after values: a line that starts with a space is treated as the continuation of the previous line.
1.7) Configure the ppolicy overlay for password policies.
Create the password policy entry in an LDIF file, ppolicy.ldif:
dn: cn=config,dc=example,dc=com
cn: config
objectClass: pwdPolicy
objectClass: person
objectClass: top
sn: Password Policy
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 2592000
pwdMaxFailure: 3
pwdMinAge: 1
pwdMinLength: 5
pwdMustChange: TRUE
pwdSafeModify: FALSE
pwdInHistory: 3
Add it to the directory using the command:
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ppolicy.ldif
Note: With this policy an account is locked after 3 failed binds (pwdMaxFailure) and stays locked until an administrator clears it (pwdLockoutDuration 0); passwords, not accounts, expire after 30 days (pwdMaxAge 2592000 seconds) with a warning from 7 days before (pwdExpireWarning 604800); the last 3 passwords cannot be reused (pwdInHistory); and the server does no quality checking of its own (pwdCheckQuality 0, see 3.6).
Once these steps are complete the directory is ready to use with password policies.
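Added example, not part of the original page: a shell audit of a ppolicy LDIF. It reads the policy entry from section 1.7 (copied into a temporary file for the example) and flags the settings that weaken it, then runs the same audit on a tightened variant; the tightened values are suggestions, not something the page prescribes. On pwdCheckQuality: value 1 makes the server check quality where it can, value 2 additionally rejects a password it cannot check (for instance one sent already hashed).

```shell
#!/bin/sh
# Added audit of a ppolicy LDIF (example code, not from the page). It reads the
# pwd* attributes, prints the time-based ones in days and flags settings a
# reviewer would question before the policy goes live:
#  - pwdCheckQuality 0: the server never checks passwords itself, so anything
#    set with ldappasswd, phpLDAPadmin or another non-PAM client is accepted
#    (pam_cracklib in 3.6 only covers passwd run on a PAM client);
#  - pwdMinLength below 8: weaker than the cracklib minlen used later;
#  - pwdLockout TRUE with pwdLockoutDuration 0: the lock never expires, so
#    three bad binds by anyone who knows a DN lock that account until an admin
#    removes pwdAccountLockedTime (a denial-of-service lever);
#  - pwdFailureCountInterval 0: failed-bind counters never age out;
#  - pwdGraceAuthNLimit above 0: an expired password still binds N more times.

ppolicy_attr() {  # ppolicy_attr FILE ATTR -> first value (attribute names are case-insensitive)
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == (want ":") { print $2; exit }' "$1"
}

audit_ppolicy_ldif() {  # audit_ppolicy_ldif FILE -> WARN lines, then findings=<n>
    f=$1; n=0
    maxage=$(ppolicy_attr "$f" pwdMaxAge)
    warn=$(ppolicy_attr "$f" pwdExpireWarning)
    quality=$(ppolicy_attr "$f" pwdCheckQuality)
    minlen=$(ppolicy_attr "$f" pwdMinLength)
    lockout=$(ppolicy_attr "$f" pwdLockout | tr 'a-z' 'A-Z')
    lockdur=$(ppolicy_attr "$f" pwdLockoutDuration)
    interval=$(ppolicy_attr "$f" pwdFailureCountInterval)
    grace=$(ppolicy_attr "$f" pwdGraceAuthNLimit)
    maxfail=$(ppolicy_attr "$f" pwdMaxFailure)
    echo "password lifetime: $(( ${maxage:-0} / 86400 )) days, warning $(( ${warn:-0} / 86400 )) days before expiry, lockout after ${maxfail:-unset} failures"
    if [ "${quality:-0}" -eq 0 ]; then
        echo "WARN pwdCheckQuality=0: server does no password quality checks"; n=$((n + 1)); fi
    if [ "${minlen:-0}" -lt 8 ]; then
        echo "WARN pwdMinLength=${minlen:-unset}: shorter than 8"; n=$((n + 1)); fi
    if [ "$lockout" = "TRUE" ] && [ "${lockdur:-0}" -eq 0 ]; then
        echo "WARN pwdLockoutDuration=0: lockout is permanent until an admin clears it"; n=$((n + 1)); fi
    if [ "${interval:-0}" -eq 0 ]; then
        echo "WARN pwdFailureCountInterval=0: failure counter never resets by itself"; n=$((n + 1)); fi
    if [ "${grace:-0}" -gt 0 ]; then
        echo "WARN pwdGraceAuthNLimit=$grace: expired passwords still bind $grace more times"; n=$((n + 1)); fi
    echo "findings=$n"
}

audit_ppolicy_count() { audit_ppolicy_ldif "$1" | sed -n 's/^findings=//p'; }

# Constructed copy of the policy from section 1.7, as written on the page.
PAGE_POLICY=$(mktemp)
cat >"$PAGE_POLICY" <<'EOF'
dn: cn=config,dc=example,dc=com
cn: config
objectClass: pwdPolicy
objectClass: person
objectClass: top
sn: Password Policy
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 2592000
pwdMaxFailure: 3
pwdMinAge: 1
pwdMinLength: 5
pwdMustChange: TRUE
pwdSafeModify: FALSE
pwdInHistory: 3
EOF

# A tightened variant (values are suggestions): temporary lockout, counters
# that age out, server-side quality checks, no grace binds.
HARDENED_POLICY=$(mktemp)
sed -e 's/^pwdCheckQuality: .*/pwdCheckQuality: 2/' \
    -e 's/^pwdMinLength: .*/pwdMinLength: 12/' \
    -e 's/^pwdLockoutDuration: .*/pwdLockoutDuration: 900/' \
    -e 's/^pwdFailureCountInterval: .*/pwdFailureCountInterval: 900/' \
    -e 's/^pwdGraceAuthNLimit: .*/pwdGraceAuthNLimit: 0/' \
    "$PAGE_POLICY" >"$HARDENED_POLICY"

audit_ppolicy_ldif "$PAGE_POLICY"
```

pwdLockoutDuration 0 deserves a second look: anyone who can reach port 389 and knows a user's DN can lock that user out with three bad binds, and only an administrator removing pwdAccountLockedTime unlocks the account. A lockout of a few minutes slows down guessing just as well without handing outsiders a way to lock staff out.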
2) The next step is to configure users and groups. This can be done in two ways, either through LDIF files or through the phpLDAPadmin web interface.
2.1) Option 1: LDIF files
Group addition through an LDIF file, here named ldapusers.ldif so that it does not overwrite the group.ldif that created the container in 1.6:
dn: cn=ldapusers,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapusers
gidNumber: 9000
Add it to the directory using the command:
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ldapusers.ldif
User addition through an LDIF file, user.ldif:
dn: cn=Benn,ou=People,dc=example,dc=com
cn: Benn
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: User
uid: benn
uidNumber: 1025
gidNumber: 9000
homeDirectory: /home/benn
Add it to the directory using the command:
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f user.ldif
These steps create the user benn whose primary group is ldapusers. No password is set yet; set one with the command below. ldappasswd -S uses the LDAP Password Modify extended operation, so the server hashes the password itself and applies the password policy to it:
ldappasswd -x -D "cn=Manager,dc=example,dc=com" -W -S "cn=Benn,ou=People,dc=example,dc=com"
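Added example (shell with openssl, not from the page) showing what slappasswd produces for rootpw and what ends up in userPassword: an {SSHA} value is the base64 encoding of SHA-1(password || salt) followed by the salt. ssha_hash builds one and ssha_verify checks a password against a stored value, deriving the salt from the value itself, so it also verifies hashes made by slappasswd. The passwords and salts in the block are constructed for the example. Keep using ldappasswd -S (or pam_password exop) for real users: a value hashed by the client and written straight into userPassword is accepted by slapd, but the ppolicy overlay cannot apply its quality checks to it.

```shell
#!/bin/sh
# Added example (not from the page): produce and verify {SSHA} values with
# openssl, the format slappasswd prints for rootpw and that slapd stores in
# userPassword. Layout: "{SSHA}" + base64( SHA1(password || salt) || salt ).
# The salt here is 8 ASCII characters from openssl rand; slapd and slappasswd
# accept any salt length, and ssha_verify takes the salt from the stored value
# (everything after the 20-byte digest), so it also checks slappasswd output,
# which uses a 4-byte binary salt.

ssha_hash() {  # ssha_hash PASSWORD [SALT] -> {SSHA}...
    pw=$1; salt=${2:-$(openssl rand -hex 4)}
    b64=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary
             printf '%s' "$salt"; } | openssl enc -base64 -A )
    printf '{SSHA}%s\n' "$b64"
}

ssha_verify() {  # ssha_verify STORED PASSWORD -> exit 0 when they match
    stored=$1; pw=$2
    case $stored in '{SSHA}'*) ;; *) return 2 ;; esac   # only the SHA-1 SSHA scheme
    blob=$(mktemp)
    b64=$(printf '%s' "$stored" | cut -c7-)              # strip the "{SSHA}" prefix
    printf '%s' "$b64" | openssl enc -base64 -d -A >"$blob"
    have=$(head -c 20 "$blob" | od -An -tx1 | tr -d ' \n')          # stored digest
    want=$( { printf '%s' "$pw"; tail -c +21 "$blob"; } \
            | openssl dgst -sha1 -binary | od -An -tx1 | tr -d ' \n')  # recomputed
    rm -f "$blob"
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Usage: a value for rootpw in slapd.conf or for userPassword in an LDIF.
if command -v openssl >/dev/null 2>&1; then
    h=$(ssha_hash 'correct horse battery staple')      # constructed test password
    printf 'userPassword: %s\n' "$h"
    ssha_verify "$h" 'correct horse battery staple' && echo "verify: ok"
    ssha_verify "$h" 'wrong password' || echo "verify: rejected"
fi
```

ssha_verify is what lets you confirm that a dump or a slapd.conf really carries the value you think it does without knowing the salt; it does not cover the {SSHA512} or {CRYPT} schemes.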
2.2) Option 2: a web interface
Install a web interface such as phpLDAPadmin and use it to create users.
Steps:
2.2.1) Install httpd (Apache) and the PHP modules.
# yum install httpd
# yum install php.x86_64
# yum install php-ldap.x86_64
The following RPMs get installed as a result:
httpd-2.2.3-31.0.1.el5_4.2
php-ldap-5.1.6-23.2.el5_3
php-cli-5.1.6-23.2.el5_3
php-5.1.6-23.2.el5_3
php-common-5.1.6-23.2.el5_3
2.2.2) Download phpLDAPadmin from
http://sourceforge.net/projects/phpldapadmin/files/
2.2.3) Copy the ZIP file to the server and unzip it in /var/www/html. This creates a folder named phpldapadmin-1.2.0.4 (depending on the version downloaded).
2.2.4) Add the following entries to /etc/httpd/conf/httpd.conf. (On RHEL5 the php package already ships /etc/httpd/conf.d/php.conf with the LoadModule and AddHandler lines, so usually only the Alias and DirectoryIndex are needed.) phpLDAPadmin handles the Manager credentials, so serve it over HTTPS and restrict /ldap/ to administrator addresses with Apache access controls before exposing it.
Alias /ldap/ /var/www/html/phpldapadmin-1.2.0.4/htdocs/
DirectoryIndex index.php
LoadModule php5_module modules/libphp5.so
AddHandler php5-script .php
AddType text/html .php
2.2.5) Rename the file /var/www/html/phpldapadmin-1.2.0.4/config/config.php.example to /var/www/html/phpldapadmin-1.2.0.4/config/config.php.
2.2.6) Modify /var/www/html/phpldapadmin-1.2.0.4/config/config.php with the appropriate host and port. The 'name' value is only the label shown on the login page; the server to connect to is given by 'host':
$servers->setValue('server','name','example.com LDAP');
$servers->setValue('server','host','host.example.com');
$servers->setValue('server','port',389);
At this point we have a working LDAP server that can be used to authenticate users.
3) Client configuration.
3.1) Two configuration files are used by LDAP clients: /etc/ldap.conf (read by nss_ldap and pam_ldap) and /etc/openldap/ldap.conf (read by the OpenLDAP tools such as ldapsearch and ldapadd).
Sample:
/etc/ldap.conf
base dc=example,dc=com
uri ldap://127.0.0.1/
timeout 5
pam_password exop
/etc/openldap/ldap.conf
URI ldap://127.0.0.1/
BASE dc=example,dc=com
pam_password exop makes pam_ldap change passwords with the Password Modify extended operation, so the server hashes the new password and the ppolicy overlay checks it.
3.2) pam_ldap client configuration:
pam_ldap has to be configured for the password policies to take effect on the client: it is pam_ldap that reads the ppolicy response control and reports expiry, grace logins and lockout to the user. The file to modify is /etc/pam.d/system-auth. The debug options write verbose messages to syslog and should be removed once things work; nullok lets an account with an empty password log in and should be dropped on a hardened client.
auth required pam_env.so debug
auth sufficient pam_unix.so nullok try_first_pass debug
auth sufficient pam_ldap.so debug
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account sufficient pam_unix.so nullok try_first_pass
account sufficient pam_ldap.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
#password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_ldap.so debug
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
3.3) /etc/nsswitch.conf also has to be changed so that user, shadow and group lookups that are not satisfied by the local files are resolved from the LDAP server.
Modify the file as follows:
passwd: files ldap
shadow: files ldap
group: files ldap
3.4) Additional PAM configuration (3.5 and 3.6 below).
3.5) Create home directories for LDAP users.
Modify /etc/pam.d/system-auth on the client and make the following change in the session stack. pam_mkhomedir creates the home directory at first login; umask=0002 makes it group-writable, so use umask=0077 where home directories should be private:
session optional pam_keyinit.so revoke
session optional pam_mkhomedir.so skel=/etc/skel umask=0002
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
3.6) Restricting password length, complexity etc.
We configure PAM (pam_cracklib) to enforce password complexity and length. The ppolicy overlay can enforce a minimum length (pwdMinLength, with pwdCheckQuality set to 1 or 2) but has no built-in character-class rules; those need an external pwdCheckModule, which this guide does not cover. Note that the PAM rules only apply to passwords changed through PAM, i.e. passwd on a client: ldappasswd, phpLDAPadmin or any other LDAP client bypass them, and with pwdCheckQuality 0 the server accepts whatever they send.
Modify /etc/pam.d/system-auth and make the following changes:
password requisite pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 diffok=5
password sufficient pam_unix.so md5 shadow use_authtok remember=10
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
This ensures that a new password is at least 8 characters long with at least one upper-case letter, one lower-case letter, one digit and one non-alphanumeric character (a credit of -1 makes each class mandatory instead of shortening the required length), and that at least 5 characters differ from the old password (diffok=5). remember=10 on pam_unix only affects local accounts; for LDAP users the history is pwdInHistory in the policy.
4) Optional: SSL/TLS
Enabling SSL/TLS for the LDAP server needs the following steps:
1.Create a CA certificate
2.Create and sign the server certificate.
3.update the server and client configuration files.
4.1) Create the CA certificate.
Make sure these RPMs are installed:
openssl-0.9.8e-12.el5
openssl-perl-0.9.8e-12.el5
CA.pl uses the default key size from /etc/pki/tls/openssl.cnf (default_bits, 1024 here); raise it there if you want a stronger CA key.
# /etc/pki/tls/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
.....................................................++++++
writing new private key to '../../CA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:AU
State or Province Name (full name) [Berkshire]:Victoria
Locality Name (eg, city) [Newbury]:Melbourne
Organization Name (eg, company) [My Company Ltd]:example
Organizational Unit Name (eg, section) []:ldap
Common Name (eg, your name or your server's hostname) []:www.hostname.com
# For the CA certificate the Common Name is only a label; it is the server certificate in 4.2 whose Common Name must be the hostname clients connect to.
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c1:f0:c1:d8:cb:51:60:ee
Validity
Not Before: Jan 27 01:25:42 2010 GMT
Not After : Jan 26 01:25:42 2013 GMT
Subject:
countryName = AU
stateOrProvinceName = Victoria
organizationName = example
organizationalUnitName = ldap
commonName = orkxdevwamg01.espdev.aurdev.national.com.au
emailAddress =
X509v3 extensions:
X509v3 Subject Key Identifier:
6E:81:DE:26:38:C0:66:71:4D:31:0E:D5:14:50:EA:61:99:89:B2:36
X509v3 Authority Key Identifier:
keyid:6E:81:DE:26:38:C0:66:71:4D:31:0E:D5:14:50:EA:61:99:89:B2:36
DirName:/C=AU/ST=Victoria/O=example/OU=ldap/CN=orkxdevwamg01.espdev.aurdev.national.com.au/emailAddress=
serial:C1:F0:C1:D8:CB:51:60:EE
X509v3 Basic Constraints:
CA:TRUE
/etc/pki/CA/cacert.pem
Certificate is to be certified until Jan 26 01:25:42 2013 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
This creates the CA private key in /etc/pki/CA/private/cakey.pem (protected by the pass phrase) and the CA certificate in /etc/pki/CA/cacert.pem.
4.2) Create a certificate request for our server.
# cd /etc/openldap/cacerts
# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
-nodes leaves the private key unencrypted so that slapd can start unattended. Because the key file and the output file are the same, openssl appends the CSR after the key, so newreq.pem holds both and must be protected like a private key.
Generating a 1024 bit RSA private key
.......++++++
..............................................................................
...............................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:AU
State or Province Name (full name) [Berkshire]:Victoria
Locality Name (eg, city) [Newbury]:melbourne
Organization Name (eg, company) [My Company Ltd]:example.com
Organizational Unit Name (eg, section) []:ldap
Common Name (eg, your name or your server’s hostname) []:orkxdevwamg01.espdev.aurdev.national.com.au
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
This creates a new CSR, together with its private key, in /etc/openldap/cacerts/newreq.pem.
Once the CSR is created let us sign it. CA.pl -sign reads newreq.pem from the current directory, so copy it next to CA.pl first:
# cp /etc/openldap/cacerts/newreq.pem /etc/pki/tls/misc
# cd /etc/pki/tls/misc
# ./CA.pl -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c1:f0:c1:d8:cb:51:60:ef
Validity
Not Before: Jan 27 02:09:51 2010 GMT
Not After : Jan 27 02:09:51 2011 GMT
Subject:
countryName = AU
stateOrProvinceName = Victoria
localityName = melbourne
organizationName = example.com
organizationalUnitName = ldap
commonName = orkxdevwamg01.espdev.aurdev.national.com.au
emailAddress =
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2E:FE:CA:FC:9D:BA:C9:9D:1B:2A:53:3F:F9:22:D6:BA:47:55:7A:24
X509v3 Authority Key Identifier:
keyid:6E:81:DE:26:38:C0:66:71:4D:31:0E:D5:14:50:EA:61:99:89:B2:36
Certificate is to be certified until Jan 27 02:09:51 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
This creates the new server certificate newcert.pem in the current directory. Copy it to /etc/openldap/cacerts:
# cp newcert.pem /etc/openldap/cacerts/
Copy the CA certificate to the same location:
# cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/
Then delete the copy of newreq.pem left behind in /etc/pki/tls/misc, since it contains the server's private key.
4.3) Change the owner of all certificates to ldap:ldap, and make the key file (newreq.pem) readable by ldap only (mode 0600); cacert.pem and newcert.pem are public and may stay world-readable:
# chown ldap:ldap /etc/openldap/cacerts/*
4.4) Make the following changes in slapd.conf on the server.
# Exclude SSLv2 and anonymous suites. A string such as HIGH:MEDIUM:+SSLv2 only moves
# the SSLv2 suites to the end of the list and still allows them.
TLSCipherSuite HIGH:!SSLv2:!aNULL
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/newcert.pem
# newreq.pem holds the private key together with the CSR, which is why it serves as the key file.
TLSCertificateKeyFile /etc/openldap/cacerts/newreq.pem
Once the configuration is complete the server has to listen on ldaps:// as well. On RHEL5 the init script builds the -h argument itself from /etc/sysconfig/ldap, so edit that file (create it if it is not present) and add:
SLAPD_LDAPS=yes
Extra slapd options such as the syslog facility go into SLAPD_OPTIONS, for example SLAPD_OPTIONS="-l local7". If your init script does not know SLAPD_LDAPS, check how /etc/init.d/ldap assembles the -h argument before adding one of your own, because two -h options conflict.
Then restart the ldap server:
/etc/init.d/ldap restart
5) Client configuration for SSL/TLS
5.1) Copy the CA certificate cacert.pem to the client, into /etc/openldap/cacerts. Only the CA certificate goes to clients; the server key stays on the server.
5.2) Edit /etc/openldap/ldap.conf (OpenLDAP tools) and add:
URI ldaps://host.example.com/
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
and edit /etc/ldap.conf (nss_ldap and pam_ldap) and add:
uri ldaps://host.example.com/
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_checkpeer yes
The hostname in the URI must be the one in the server certificate's Common Name and must resolve. With TLS_REQCERT demand (and tls_checkpeer yes) the client refuses to talk to a server whose certificate does not verify against the CA, which is what protects the passwords sent during bind from an impostor server.
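The CA.pl session in section 4 and the client checks in section 5 can be expressed as one non-interactive script; this is an added example (shell with openssl) and not the page's own procedure. It creates the CA and the server certificate, then runs the two checks a client configured with TLS_REQCERT demand effectively makes (the chain verifies against cacert.pem and the name in the certificate matches the host in the ldaps:// URI), plus a check that the key file is not readable by other users. The directory, the organisation fields and the hostname ldap.example.com are assumptions for the example, and it deliberately differs from the page in using 2048-bit keys with SHA-256, keeping key and certificate in separate files, and adding a subjectAltName.

```shell
#!/bin/sh
# Added example (not the page's CA.pl transcript): CA + server certificate
# created non-interactively with openssl, then the checks a client with
# TLS_REQCERT demand performs. The directory, organisation fields and the
# hostname ldap.example.com are assumptions for the example.

make_ldap_certs() {  # make_ldap_certs DIR HOSTNAME
    dir=$1; host=$2
    mkdir -p "$dir"
    # CA request config: the CN is only a label, the extensions make it a CA.
    cat >"$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = example
OU = ldap
CN = example LDAP CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Server request config: the CN is the hostname clients put in ldaps://.
    cat >"$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = example
OU = ldap
CN = $host
EOF
    # Extensions added at signing time; the SAN is what modern clients match on.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" >"$dir/server.ext"
    (
        umask 077   # private keys come out readable by the owner only
        # 1. CA key and self-signed CA certificate (3 years)
        openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 1095 \
            -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
        # 2. server key and CSR; -nodes because slapd must read the key unattended
        openssl req -new -config "$dir/server.cnf" -newkey rsa:2048 -nodes -sha256 \
            -keyout "$dir/ldapkey.pem" -out "$dir/ldap.csr" 2>/dev/null
        # 3. sign the CSR with the CA (1 year), adding the server extensions
        openssl x509 -req -days 365 -sha256 -in "$dir/ldap.csr" \
            -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
            -extfile "$dir/server.ext" -out "$dir/ldapcert.pem" 2>/dev/null
    )
}

verify_ldap_certs() {  # verify_ldap_certs DIR HOSTNAME -> 0 when a demanding client would accept it
    dir=$1; host=$2
    # chain check, as TLS_REQCERT demand / tls_checkpeer yes do
    openssl verify -CAfile "$dir/cacert.pem" "$dir/ldapcert.pem" >/dev/null 2>&1 || return 1
    # name check: the host in the ldaps:// URI must appear in the certificate
    openssl x509 -in "$dir/ldapcert.pem" -noout -text | grep -qE "DNS:$host(,|\$)" || return 1
    # the key must not be readable by other users
    [ "$(ls -l "$dir/ldapkey.pem" | cut -c1-10)" = "-rw-------" ]
}

if command -v openssl >/dev/null 2>&1; then
    CERT_DIR=$(mktemp -d)
    make_ldap_certs "$CERT_DIR" ldap.example.com
    openssl x509 -in "$CERT_DIR/ldapcert.pem" -noout -subject -dates
    verify_ldap_certs "$CERT_DIR" ldap.example.com && echo "ldap.example.com: accepted"
    verify_ldap_certs "$CERT_DIR" other.example.com || echo "other.example.com: rejected"
fi
```

With these files, TLSCertificateFile points at ldapcert.pem and TLSCertificateKeyFile at ldapkey.pem; only cacert.pem is copied to clients. The second verify call shows what a client sees when the URI names a host other than the one in the certificate: the same failure that TLS_REQCERT demand turns into a refused connection.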
6) Backup/restoration of important containers.
slapcat dumps every attribute, including the userPassword hashes, so protect the resulting LDIF files like /etc/shadow.
6.1) Backup the users container:
# slapcat -a "(entryDN:dnSubtreeMatch:=ou=People,dc=example,dc=com)" -l users.ldif
6.2) Restoration of the users container. Stop the ldap server first, because slapadd writes to the database files directly:
# /etc/init.d/ldap stop
# slapadd -l users.ldif
(slapadd's -f option names the config file; the LDIF is given with -l.) If slapadd was run as root, make sure the files under /var/lib/ldap/example.com are owned by ldap:ldap again before starting the server.
This can also be used to migrate from one ldap server to another.
6.3) For the entire database
6.3.1) Backup:
# slapcat -l ldap.ldif
6.3.2) Restoration: follow the steps up to 1.7 on the new server, stop slapd, and restore the backed-up database:
# slapadd -l ldap.ldif
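Added example (shell, not from the page) for handling the LDIF files these steps produce. ldif_subtree carves one container out of a full slapcat dump offline, the counterpart of the -a filter in 6.1 for the case where only ou=People has to be put back with slapadd -l; ldif_count and ldif_has_secrets show what a dump contains before it is copied anywhere. The dump it runs on is constructed in the layout built in sections 1.6 and 2.1, with a placeholder in place of a real password hash.

```shell
#!/bin/sh
# Added helper (not from the page) for working with slapcat dumps offline:
# carve one subtree out of a full dump, count the entries, and tell whether
# the dump carries password hashes. LDIF records are separated by blank
# lines; only each record's "dn:" line is inspected, so folded lines (leading
# space) and base64 values pass through unchanged.

ldif_subtree() {  # ldif_subtree FILE BASE_DN -> records at or below BASE_DN
    awk -v base="$2" '
        BEGIN { RS = ""; ORS = "\n\n" }
        {
            dn = ""
            n = split($0, line, "\n")
            for (i = 1; i <= n; i++)
                if (line[i] ~ /^dn: /) { dn = substr(line[i], 5); break }
            suffix = substr(dn, length(dn) - length(base))
            if (dn == base || suffix == "," base) print
        }' "$1"
}

ldif_count() {  # number of entries in an LDIF file (plain or base64 DNs)
    awk '/^dn::? / { n++ } END { print n + 0 }' "$1"
}

ldif_has_secrets() {  # exit 0 when any entry carries a userPassword value
    grep -qi '^userPassword:' "$1"
}

# Constructed dump in the layout built in sections 1.6 and 2.1 (the password
# value is a placeholder, not a real hash; "description" shows a folded line).
DUMP=$(mktemp)
cat >"$DUMP" <<'EOF'
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit

dn: cn=Benn,ou=People,dc=example,dc=com
cn: Benn
sn: User
uid: benn
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 1025
gidNumber: 9000
homeDirectory: /home/benn
userPassword: {SSHA}placeholder
description: a long value that slapcat folded onto
 a second line

dn: cn=Anna,ou=People,dc=example,dc=com
cn: Anna
sn: User
uid: anna
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 1026
gidNumber: 9000
homeDirectory: /home/anna

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: organizationalUnit

dn: cn=ldapusers,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: ldapusers
gidNumber: 9000
EOF

PEOPLE=$(mktemp)
ldif_subtree "$DUMP" "ou=People,dc=example,dc=com" >"$PEOPLE"
echo "whole dump: $(ldif_count "$DUMP") entries; ou=People: $(ldif_count "$PEOPLE") entries"
ldif_has_secrets "$PEOPLE" && echo "contains userPassword values: chmod 600 before copying it anywhere"
```

The extracted file is valid slapadd input, but a subtree restore still needs its parent entries (here dc=example,dc=com) to exist in the target database, which is why 6.3.2 says to complete the steps up to 1.7 first.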
Troubleshooting
Most server-side debugging can be done by starting slapd in the foreground with debug level -1 (everything):
slapd -d -1 -h "ldap:///" -u ldap
nss_ldap on the client side:
Add the following lines to /etc/ldap.conf; nss_ldap then writes a file named ldap.<pid> in /var/log that helps with most client-side problems. Remove them again afterwards, as the log grows quickly and records the details of every lookup.
logdir /var/log
debug 9