CSE 311: Lab 4: LDAP Server

Due on Friday, May 9, 2014, 11:59 PM
Note: You may use your remaining late hours on this lab.

Introduction

In this lab, you will configure your VM to also run an LDAP server, and configure your VM and wiki server to use LDAP to obtain user account information. As with the previous lab, you will need to read, understand, and search the manuals for some configuration options.

This lab will be graded on a scale of 10 points.

Picking your partner

You may do the lab alone, or with one partner. If you work with a partner, only one student will hand in the assignment for you. Be sure to list both partners' names on the handed-in assignment.

Getting started

You will use your VM from lab 3 to complete this assignment.

Hand-In Procedure

When you are ready to hand in your lab code and write-up, upload the following to blackboard under Lab 4:

Note: Within a few days, the system administration staff will clone your VM, which will temporarily take it offline.

Because cloning the VM is a somewhat involved procedure, please do not submit multiple times unless the change in your grade will be substantial.

In this and all other labs, you may complete challenge problems for extra credit. If you do this, please include in your handin text a short (e.g., one or two paragraph) description of what you did to solve your chosen challenge problem and how to test it. If you implement more than one challenge problem, you must describe each one.

LDAP Overview

You may find it helpful to begin with a review of the slides on LDAP from 3/4.

NB: Ubuntu also provides an excellent quick-start guide and explanation of LDAP which you may find helpful.

Lightweight Directory Access Protocol, or LDAP, is a network service for storing directory information. One of the most common uses of LDAP is to store user account information, which is what you will do in this lab.

For this lab, we will use OpenLDAP, an open-source implementation of the LDAP protocol client and server. You can consult the manual for OpenLDAP here. Please read Chapter 1 of the manual before proceeding. The manual also explains how to build OpenLDAP; we will skip these steps by using apt-get. Chapters 2, 5, 6, and 7 will be useful and you would benefit from skimming these now.

The OpenLDAP server software is called slapd and, by default, listens for connections on TCP port 389. That port carries plain LDAP: traffic is unencrypted unless the client negotiates StartTLS (LDAP over TLS from the start conventionally uses port 636), which matters as soon as the server is reached over a network rather than from localhost. A client connects to the server to search for entries (does this user exist, what is her uid number) and to bind as a user, i.e., to present a password that the server checks against the stored userPassword hash. The server stores its records in a database backend, a Berkeley DB-based one (bdb or hdb) by default in the Ubuntu packages of this period.

Similar to DNS, LDAP stores records in a hierarchical, tree-like format; each entry in the database has a distinguished name (DN) that uniquely and globally identifies it. A DN is a comma-separated list of relative distinguished names, starting with the entry's own name and followed by those of its ancestors, nearest parent first, up to the root (the opposite reading direction from a file system path). For instance, "cn=porter,dc=oscar,dc=cs,dc=stonybrook,dc=edu" is the DN of an entry named cn=porter that has 4 ancestors, the nearest being dc=oscar. The administrator can make whatever hierarchy she likes, but DNS-like top-level hierarchies are common by convention. Globally unique names allow a client to aggregate records from different LDAP servers.

A record (entry) can store an arbitrary number of attributes. Each entry belongs to one or more object classes, which define the attributes it must and may carry. For this assignment, you will define users as instances of the classes inetOrgPerson, posixAccount, and shadowAccount, which together provide the attributes (uid, uidNumber, gidNumber, homeDirectory, loginShell, userPassword, and so on) that a Unix client needs to build passwd and shadow entries for the user.

LDAP installation

First, select a "domain" for which you want to serve an LDAP directory information tree (DIT). Before you install, configure this in /etc/hosts: the slapd package's setup dialog derives its suggested domain from the machine's fully qualified domain name, and turns that domain into the base DN (oscar.cs.stonybrook.edu becomes dc=oscar,dc=cs,dc=stonybrook,dc=edu). If I want my domain to be oscar.cs.stonybrook.edu, my hosts file should look like this:

127.0.0.1	localhost
127.0.1.1	ubuntu.oscar.cs.stonybrook.edu	ubuntu

#The following lines are for IPv6 capable hosts
::1  	       ip6-localhost ip6-loopback
fe00::0	       ip6-localnet
ff00::0	       ip6-mcastprefix
ff02::1	       ip6-allnodes
ff02::2	       ip6-allrouters

Note that it is possible, but substantially harder, to change the base DN for a server after installation.

Use apt to install the slapd server (the package is slapd; the ldap-utils package provides the ldapsearch, ldapadd and ldapmodify client tools used below); do not download and compile source.

To start slapd, use service slapd start. If the service fails to start, raise the log level and look for slapd entries in /var/log/syslog. Note that current packages have no slapd.conf: the log level is the olcLogLevel attribute of the cn=config entry, which you change with ldapmodify as described in the next section (for a one-off diagnosis you can also run slapd in the foreground with the -d option). If the setup questions were answered wrongly, dpkg-reconfigure slapd lets you answer them again.

LDAP Configuration and Browsing

The configuration of slapd used to be in a single file (slapd.conf), similar to many Unix utilities. Now, slapd stores its own configuration as entries in a directory tree of its own, rooted at cn=config; in my opinion, this makes initial setup and bootstrapping a little more difficult. You can see the raw configuration database files under /etc/ldap/slapd.d, but you should not edit these files by hand---the format is fairly fragile and even a small error may be impossible to recover from. Instead, use tools like ldapsearch and ldapmodify to read and modify configuration entries (as well as to create and edit user-facing records).

For instance, you can read the current state of your configuration tree with this command:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

Similarly, you can dump the current record for your domain (substituting your base dn for dc=oscar,dc=cs,dc=stonybrook,dc=edu) with this command:

sudo ldapsearch -x -LLL -H ldap:/// -b dc=oscar,dc=cs,dc=stonybrook,dc=edu dn

Currently, you will only have a top-level directory, and an administrator user.
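The installation and first configuration steps above, collected into an added shell example (this is not part of the original handout and not OpenLDAP's own tooling). It preseeds the slapd package's setup questions so the install runs unattended, derives the base DN the package will choose from the domain you give it, changes the log level as an olcLogLevel modification of cn=config rather than a slapd.conf directive, and asks the running server for its naming context so you can confirm the base DN is the one you intended. The domain, organization name and password are placeholders; it assumes Debian/Ubuntu slapd packaging and that it runs as root.

```shell
#!/bin/sh
# slapd-bootstrap.sh: install slapd without the interactive dialog, derive the
# base DN the package will use, and change the log level in cn=config.
# Added example for this page, not code from the lab handout or OpenLDAP.
# Assumes Debian/Ubuntu slapd packaging (the debconf question names below), that
# the script runs as root, and that root's SASL EXTERNAL identity over ldapi:///
# may modify cn=config (the package default). Domain, organization and password
# values are placeholders.
set -eu

# domain_to_base_dn FQDN -> dc=...,dc=...
# The slapd setup dialog proposes exactly this DN for the domain you type, and
# the domain it proposes comes from the host's FQDN in /etc/hosts.
domain_to_base_dn() {
  printf '%s\n' "$1" | tr '.' '\n' | sed 's/^/dc=/' | paste -sd, -
}

# slapd_preseed DOMAIN ORGANIZATION ADMIN_PASSWORD -> debconf answers (stdout)
slapd_preseed() {
  cat <<EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string $1
slapd shared/organization string $2
slapd slapd/password1 password $3
slapd slapd/password2 password $3
EOF
}

# slapd_install DOMAIN ORGANIZATION ADMIN_PASSWORD: preseed, then install the
# server and the ldapsearch/ldapadd/ldapmodify client tools.
slapd_install() {
  slapd_preseed "$1" "$2" "$3" | debconf-set-selections
  DEBIAN_FRONTEND=noninteractive apt-get install -y slapd ldap-utils
}

# loglevel_ldif LEVEL -> LDIF replacing olcLogLevel on cn=config. This is the
# cn=config equivalent of the old slapd.conf "loglevel" directive; "stats" logs
# connections and operations, "none" is the quietest setting.
loglevel_ldif() {
  printf 'dn: cn=config\nchangetype: modify\nreplace: olcLogLevel\nolcLogLevel: %s\n' "$1"
}

# set_loglevel LEVEL: apply over the local ldapi socket as root (-Y EXTERNAL).
set_loglevel() {
  loglevel_ldif "$1" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# check_base_dn EXPECTED: ask the running server for its naming contexts (the
# suffix of every database it serves) and compare with what you intended.
check_base_dn() {
  actual=$(ldapsearch -x -LLL -H ldap:/// -b '' -s base namingContexts \
           | sed -n 's/^namingContexts: //p')
  [ "$actual" = "$1" ]
}
```

Run slapd_install oscar.cs.stonybrook.edu "CSE 311" 'chosen-password' as root, then check_base_dn "$(domain_to_base_dn oscar.cs.stonybrook.edu)" && set_loglevel stats. If the check fails, the package derived the base DN from a different FQDN than you expected; fix /etc/hosts and rerun dpkg-reconfigure slapd.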

NB: A useful, graphical tool for working with an LDAP server is jxplorer. Jxplorer lets you visually walk the directory tree. You will need to install and run jxplorer on your own desktop machine, which may require you to create an ssh tunnel to connect to port 389 on your VM from outside the department or off campus. You can modify entries in the tree with either command-line tools or jxplorer. My recommendation is to start with jxplorer until you have a better intuition about the tree-structure of your data, and then get some practice with the command-line utilities.

Exercise 1. (2 points) Install and configure slapd. You may need to refer to the manual for the configuration parameters.

Use jxplorer to verify that you can connect to the server and see a nearly-empty directory tree.

In jxplorer, create two organizationalUnit objects (i.e., directories) under your base DN called users and group. These will hold your user and group objects. Use exactly these names from here on: the sample ldif below, your client configuration and the wiki's group DN all spell out the full DN, and an entry created under ou=groups will not be found by a search under ou=group.

Create a directory hierarchy for users and groups on Linux

Your next task will be to create an organizational hierarchy, similar to dc=oscar,dc=cs,dc=stonybrook,dc=edu. We recommend replacing oscar as your "organization" with something like your netid. Within your organization, you will need to create directories for groups and users, as well as an ldapadmin entry of object classes simpleSecurityObject and organizationalRole.

Initially, create a test user and group in the appropriate folders using jxplorer. Set up the group first. A group record should be of class posixGroup. The group record should include the following fields:

  1. cn is the group's name, or identifier, such as porter. This is equivalent to the first entry in a record in /etc/group.
  2. gidNumber sets the group ID number, such as 4009. Be sure to select a group number that is substantially higher than the system will use for local groups (e.g., starting at 4000 or 10000).
  3. One or more memberUid entries should be added to the group to indicate membership. These are userid names, like porter.

As described above, your user should be in the users folder and should instantiate the objectClasses top, inetOrgPerson, posixAccount, and shadowAccount. Not every attribute these classes allow needs a value, but be sure to set the following fields:

  1. cn and displayName should be set to the user's name
  2. gidNumber should set the default group number (e.g., 4009), and should match a group record.
  3. homeDirectory should be the user's home directory, like /home/porter.
  4. uid is the human-readable, user id, like porter
  5. uidNumber is a unique integer representing the uid, like 4010. As with groups, select unique numbers that are not likely to be allocated by any clients (say starting at 4,000 or 10,000).
  6. loginShell sets the default shell, such as /bin/bash
  7. userPassword stores a hash of the user's password. You may set this in jxplorer, which offers a selection of hash algorithms; select md5. Be aware that this MD5 option is an unsalted digest: two users with the same password get the same stored value, and the hash can be attacked with precomputed tables. slapd also accepts the salted SSHA scheme (slappasswd generates it), which is the stronger choice outside this exercise. Whatever the scheme, the stored value carries a prefix such as {MD5} or {SSHA} that tells slapd how to compare a password presented at bind time.

Bulk and scripted creation of users

Creating entries by hand in jxplorer is cumbersome and error prone. You can also write LDAP Data Interchange Format files (.ldif) by hand, or write scripts that generate them for new users, and then add them in bulk. Model your ldif file on the one below (adapted from the Ubuntu tutorial):

# posixGroup entry; memberUid lists the members by login name
dn: cn=john,ou=group,dc=oscar,dc=cs,dc=stonybrook,dc=edu
objectClass: posixGroup
cn: john
gidNumber: 5000
memberUid: john

# user entry; exactly one dn line per entry, and the RDN is uid=, not cn=
dn: uid=john,ou=users,dc=oscar,dc=cs,dc=stonybrook,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
# a bare value is stored as cleartext; prefer the output of slappasswd -s johnldap
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john

Such an ldif file can contain any number of entries, separated by blank lines. Once you have created this file, called test-info.ldif, you can add it to the tree using this command (-W prompts for the admin password you chose when installing slapd):

ldapadd -x -D cn=admin,dc=oscar,dc=cs,dc=stonybrook,dc=edu -W -f test-info.ldif

You can then use ldapsearch (or jxplorer) to confirm that the entries were created properly.
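The scripted path just described, as an added shell example (not code from the handout or from OpenLDAP): it generates the posixGroup and inetOrgPerson/posixAccount/shadowAccount entries for a whole list of users, allocates uid and gid numbers from a high starting point so they cannot collide with local accounts, and stores userPassword as a salted SHA-1 ({SSHA}) hash instead of the cleartext the sample file above would store. It also includes the verification slapd performs on bind, so you can check a hash offline. Assumptions: ou=users and ou=group directly under BASE_DN (the handout's base DN is the default), plain-ASCII names, and either slappasswd (from the slapd package) or the openssl command-line tool on the machine.

```shell
#!/bin/sh
# gen-users.sh: turn a list of users into group + account LDIF, with userPassword
# pre-hashed as {SSHA}. Added example for this page, not code from the lab
# handout or OpenLDAP. Assumes ou=users and ou=group under BASE_DN, ASCII names
# (no LDIF base64 encoding is attempted) and slappasswd or openssl being present.
set -eu

BASE_DN="${BASE_DN:-dc=oscar,dc=cs,dc=stonybrook,dc=edu}"

# ssha_hash PASSWORD [SALT] -> {SSHA}base64( sha1(password || salt) || salt )
# slapd recognises the prefix and recomputes the digest on bind. slappasswd is
# used when installed (it picks its own 4-byte salt); otherwise openssl, with an
# 8-character hex salt unless SALT is given (useful for reproducible tests).
ssha_hash() {
  pw=$1
  if [ $# -lt 2 ] && command -v slappasswd >/dev/null 2>&1; then
    slappasswd -h '{SSHA}' -s "$pw"
    return
  fi
  salt=${2:-$(openssl rand -hex 4)}
  b64=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } \
         | openssl base64 -A )
  printf '{SSHA}%s\n' "$b64"
}

# ssha_verify HASH PASSWORD: succeed iff PASSWORD matches HASH, as slapd does on
# bind. The salt is whatever follows the first 20 digest bytes, so binary salts
# from slappasswd and the ASCII salts generated above are both handled.
ssha_verify() {
  case $1 in '{SSHA}'*) ;; *) return 1 ;; esac
  b64=$(printf '%s' "$1" | cut -c7-)
  tmp=$(mktemp)
  printf '%s\n' "$b64" | openssl base64 -d -A > "$tmp"
  stored=$(head -c 20 "$tmp" | od -An -v -tx1 | tr -d ' \n')
  recomputed=$( { printf '%s' "$2"; tail -c +21 "$tmp"; } \
                | openssl dgst -sha1 -binary | od -An -v -tx1 | tr -d ' \n')
  rm -f "$tmp"
  [ -n "$stored" ] && [ "$stored" = "$recomputed" ]
}

# group_ldif NAME GIDNUMBER [MEMBER_UID...] -> one posixGroup entry
group_ldif() {
  name=$1; gid=$2; shift 2
  printf 'dn: cn=%s,ou=group,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' \
         "$name" "$BASE_DN" "$name" "$gid"
  for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
  printf '\n'
}

# user_ldif UID UIDNUMBER GIDNUMBER GIVENNAME SURNAME PASSWORD_HASH -> one account entry
user_ldif() {
  printf 'dn: uid=%s,ou=users,%s\n' "$1" "$BASE_DN"
  printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\n'
  printf 'uid: %s\nsn: %s\ngivenName: %s\ncn: %s %s\ndisplayName: %s %s\n' \
         "$1" "$5" "$4" "$4" "$5" "$4" "$5"
  printf 'uidNumber: %s\ngidNumber: %s\nuserPassword: %s\n' "$2" "$3" "$6"
  printf 'gecos: %s %s\nloginShell: /bin/bash\nhomeDirectory: /home/%s\n\n' "$4" "$5" "$1"
}

# gen_ldif [FIRST_ID] < users.txt
# Input lines (constructed format for this example): uid:givenName:sn:password
# (the password may contain ':', it is read as the rest of the line). Each user
# gets a private group with gidNumber == uidNumber, allocated upward from
# FIRST_ID (default 10000, well above anything the local system hands out).
gen_ldif() {
  next=${1:-10000}
  while IFS=: read -r u given sn pw; do
    case $u in ''|'#'*) continue ;; esac
    group_ldif "$u" "$next" "$u"
    user_ldif "$u" "$next" "$next" "$given" "$sn" "$(ssha_hash "$pw")"
    next=$((next + 1))
  done
}

# Usage: gen_ldif 10000 < users.txt > users.ldif
#        ldapadd -x -D "cn=admin,$BASE_DN" -W -f users.ldif
```

Because the hash is computed before the entry leaves your machine, the admin password typed at the ldapadd -W prompt is the only secret that crosses the connection; the user passwords themselves never do, and a dump of the directory yields salted hashes rather than cleartext.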

Exercise 2. (3 points) Create a directory hierarchy for your "organization", and create at least 3 test accounts and groups. Be sure to list these accounts and their passwords as part of your handin.

Also, for your own edification, try adding users both through jxplorer and on the command line, via an ldif file.

Configuring an LDAP client

As we discussed in class, on Linux the Name Service Switch (NSS) decides where user and group records come from, and Pluggable Authentication Modules (PAM) decide how a login is authenticated; both can be configured to consult LDAP alongside the local database.

Begin by installing libnss-ldap, and make sure libpam-ldap is installed as well (apt installs it alongside libnss-ldap by default); the PAM entries below need it. Note that the apt setup dialog asks most of the questions you need to answer. Nonetheless, you may need to edit the following files:

  1. /etc/ldap.conf --- This is the configuration file of nss_ldap and pam_ldap (not to be confused with /etc/ldap/ldap.conf, which configures the ldapsearch/ldapadd command-line tools). Set the search base (e.g., dc=oscar,dc=cs,dc=stonybrook,dc=edu) and the server URI (use ldap://localhost). The defaults for other options should be sufficient.
  2. /etc/pam.d/common-[account,auth,password,session] all require entries for both ldap and unix. On Ubuntu these files are generated by pam-auth-update from the profiles in /usr/share/pam-configs (libpam-ldap ships an ldap profile), so prefer it over hand edits. Be sure to check out try_first_pass for common-password and use_first_pass for common-auth, so that a user is not prompted for the same password twice.
  3. /etc/nsswitch.conf --- this file configures where to get password, group, and shadow information. This is where you can select files as well as ldap.

Troubleshooting: If you have problems, start with the logs /var/log/syslog and /var/log/auth.log for messages about what might be going wrong.

Exercise 3. (2 points) Configure your system to get users and groups from both the local database and LDAP. Once this is successfully configured, the output of getent passwd should include both local and LDAP user accounts. Similarly, confirm that you can log in to the system as these users, and change their passwords.
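The client-side setup and the Exercise 3 verification, as an added shell example (not code from the handout or from the nss_ldap/pam_ldap packages). It emits the /etc/ldap.conf lines the client needs, adds ldap to the passwd/group/shadow sources of an nsswitch.conf without touching anything else (and without duplicating it on a second run), and then compares the combined view that getent passwd produces with the local file to list the users that actually come from LDAP and to spot uid numbers shared between a local and an LDAP account. Assumptions: the nss_ldap/pam_ldap ldap.conf syntax and a glibc-style nsswitch.conf; the sample files in the test are constructed.

```shell
#!/bin/sh
# ldap-client-check.sh: configuration helpers and checks for libnss-ldap/libpam-ldap.
# Added example for this page, not code from the lab handout or those packages.
# Assumes the nss_ldap/pam_ldap /etc/ldap.conf syntax and a glibc nsswitch.conf.
set -eu

# ldap_conf BASE_DN URI -> the /etc/ldap.conf lines the client needs. pam_password
# exop makes password changes use the LDAP Password Modify extended operation,
# so slapd hashes the new password itself instead of the client writing a hash.
ldap_conf() {
  printf 'base %s\nuri %s\nldap_version 3\npam_password exop\n' "$1" "$2"
}

# nsswitch_enable_ldap FILE: append "ldap" to the passwd, group and shadow lines
# of FILE (normally /etc/nsswitch.conf) after the sources already listed.
# Idempotent: a second run changes nothing. Other lines are left alone.
nsswitch_enable_ldap() {
  f=$1
  tmp=$(mktemp)
  awk '
    $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
      has = 0
      for (i = 2; i <= NF; i++) if ($i == "ldap") has = 1
      if (!has) $0 = $0 " ldap"
    }
    { print }' "$f" > "$tmp"
  cat "$tmp" > "$f"          # write in place to keep the file's owner and mode
  rm -f "$tmp"
}

# ldap_only_users LOCAL_PASSWD NSS_PASSWD: names present in the combined NSS view
# (the output of getent passwd) but absent from the local file, i.e. LDAP users.
ldap_only_users() {
  awk -F: 'NR == FNR { local[$1] = 1; next } !($1 in local) { print $1 }' "$1" "$2"
}

# uid_collisions NSS_PASSWD: uid numbers that map to more than one name in the
# combined view. A local and an LDAP account sharing a uid are the same user to
# the kernel, which is why the handout starts LDAP ids at 4000 or 10000.
uid_collisions() {
  awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
           END { for (u in n) if (n[u] > 1) print u ":" names[u] }' "$1" | sort
}

# report: run both checks against the live system (Exercise 3 verification).
report() {
  nss=$(mktemp)
  getent passwd > "$nss"
  echo "LDAP-only users:"; ldap_only_users /etc/passwd "$nss"
  echo "uid collisions:";  uid_collisions "$nss"
  rm -f "$nss"
}
```

An empty "LDAP-only users" list after the setup means NSS is not consulting LDAP at all (check nsswitch.conf and the base and uri lines), while a non-empty "uid collisions" list means the numbers chosen in Exercise 2 overlap local accounts and should be moved.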

MediaWiki and LDAP

Part of what makes LDAP so useful is that a single directory can hold the accounts for many services, so a user has one password everywhere. In the final exercise, you will also configure your MediaWiki server to use LDAP for user accounts. Specifically, you will create a group called ldapwiki; any system user added to it gains wiki access with the same password, and users outside it are refused.

You will need to install and configure the MediaWiki LDAP Authentication extension (LdapAuthentication). Its manual lists several example configurations for LocalSettings.php.

One particularly useful directive is:

$wgLDAPRequiredGroups = array( ""=>array("cn=ldapwiki,ou=groups,dc=LDAP,dc=example,dc=com") );

where the DN must be that of the ldapwiki group entry in your own tree: the manual's example uses ou=groups, while this handout's hierarchy uses ou=group, so spell it the way you actually created it, and make the dc= components match your base DN.

Exercise 4. (3 points) Configure your wiki to allow ldap users in group ldapwiki. Add one of your test users to this group, and keep one out of the group. Verify that one user can log in and the other cannot.
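The group management and the two checks Exercise 4 asks for, as an added shell example (not code from the handout or from the LdapAuthentication extension). It builds the group DN that $wgLDAPRequiredGroups expects, emits the ldapmodify LDIF that adds a user to or removes a user from the group's memberUid list, and performs the membership test the wiki performs against the live directory. Names that go into a search filter are escaped per RFC 4515, so a login name containing *, ( or ) cannot change the shape of the filter. Assumptions: ou=group under BASE_DN (the handout's base DN is the default), the cn=admin entry the slapd package creates, and that the extension's array key is the LDAP domain name you configured for it.

```shell
#!/bin/sh
# wiki-group.sh: manage the ldapwiki posixGroup and test membership the way the
# $wgLDAPRequiredGroups check does, by group DN. Added example for this page,
# not code from the lab handout or the LdapAuthentication extension. Assumes
# ou=group under BASE_DN and the cn=admin,<BASE_DN> entry created at install.
set -eu

BASE_DN="${BASE_DN:-dc=oscar,dc=cs,dc=stonybrook,dc=edu}"

# filter_escape VALUE: escape LDAP search-filter metacharacters (RFC 4515) so a
# user-supplied name is matched literally and cannot alter the filter structure.
filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# group_dn NAME -> the DN of the posixGroup, as $wgLDAPRequiredGroups wants it
group_dn() {
  printf 'cn=%s,ou=group,%s' "$1" "$BASE_DN"
}

# member_filter GROUP UID -> filter that matches the group only if UID is a member
member_filter() {
  printf '(&(objectClass=posixGroup)(cn=%s)(memberUid=%s))' \
         "$(filter_escape "$1")" "$(filter_escape "$2")"
}

# membership_ldif add|delete GROUP UID -> LDIF for ldapmodify
membership_ldif() {
  case $1 in add|delete) ;; *) echo "usage: membership_ldif add|delete GROUP UID" >&2; return 2 ;; esac
  printf 'dn: %s\nchangetype: modify\n%s: memberUid\nmemberUid: %s\n' "$(group_dn "$2")" "$1" "$3"
}

# set_membership add|delete GROUP UID: apply the change as the admin DN
# (ldapmodify -W prompts for the admin password chosen at install time).
set_membership() {
  membership_ldif "$1" "$2" "$3" | ldapmodify -x -D "cn=admin,$BASE_DN" -W
}

# is_member GROUP UID: succeed iff the live directory lists UID in GROUP. An
# anonymous search suffices with the package's default access rules.
is_member() {
  [ -n "$(ldapsearch -x -LLL -H ldap:/// -b "ou=group,$BASE_DN" "$(member_filter "$1" "$2")" dn)" ]
}

# wiki_required_groups DOMAIN GROUP -> the LocalSettings.php line for this group;
# DOMAIN is the LDAP domain name configured for the extension ("" in the manual's example).
wiki_required_groups() {
  printf '$wgLDAPRequiredGroups = array( "%s"=>array("%s") );\n' "$1" "$(group_dn "$2")"
}
```

For the exercise: set_membership add ldapwiki john, leave a second test user out, then is_member ldapwiki john && echo in; is_member ldapwiki jane || echo out. The same two answers are what the wiki login page should give you, and wiki_required_groups "" ldapwiki prints the exact DN to paste into LocalSettings.php so the ou= and dc= parts cannot drift from your tree.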

This completes the lab. Hand in the assignment as explained above. The system staff will clone your VM a few days after you hand in the assignment via blackboard, which temporarily takes the VM offline.


Last updated: 2014-05-09 22:40:26 -0400