LDAP
Contents
- Install prerequisites
- Update slapd.conf
- Add authorizedService schema
- Setup DB_CONFIG
- Disable slap.d config files
- Start service
- Import base schema
- Import Linux accounts details in schema
- Setup LDAP client on the HDA
- Change a LDAP user to use authorizedService
- Allow a user SSH access
- Control a web-application access using LDAP
Install prerequisites
yum -y install openldap openldap-servers openldap-clients migrationtools
Update slapd.conf
DOMAIN=`mysql -u amahihda -pAmahiHDARulez -e "select value from settings where name = 'domain'" hda_production | grep -v value`
SUFFIX=`echo '<?php $domain = explode(".", $argv[1]); echo "dc=". implode(",dc=", $domain); ?>' | php -- $DOMAIN`
cd /etc/openldap
mv slapd.conf.bak slapd.conf
POS=`grep -n "# allow onl. rootdn to read the monitor" slapd.conf | awk -F':' '{print $1}'`
head -n `echo $POS-1|bc` slapd.conf > slapd.conf.new && mv -f slapd.conf.new slapd.conf
sed --in-place -e "s/suffix.*.dc=my-domain,dc=com./suffix \"$SUFFIX\"/" slapd.conf
sed --in-place -e "s/rootdn.*.cn=Manager,dc=my-domain,dc=com./rootdn \"cn=root,$SUFFIX\"/" slapd.conf
sed --in-place -e "s/# rootpw.*crypt.*/rootpw {MD5}ISMvKXpXpadDiUoOSoAfww==\npassword-hash {crypt}\npassword-crypt-salt-format \"\$1\$%.8s\"/" slapd.conf
cat >> slapd.conf <<'EOF'
access to dn.regex=".*,$SUFFIX" attrs=userPassword by dn="cn=root,$SUFFIX" write by self write by * auth access to dn.regex=".*,$SUFFIX" attrs=mail by dn="cn=root,$SUFFIX" write by self write by * read access to dn.regex=".*,ou=People,$SUFFIX" by * read access to dn.regex=".*,$SUFFIX" by self write by * read
EOF
sed --in-place -e "s/\$SUFFIX/$SUFFIX/" slapd.conf
Add authorizedService schema
cat > /etc/openldap/schema/ldapns.schema <<'EOF'
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' DESC 'Auxiliary object class for adding authorizedService attribute' SUP top AUXILIARY MAY authorizedService )
EOF
echo "include /etc/openldap/schema/ldapns.schema" >> slapd.conf
Setup DB_CONFIG
cp /usr/share/doc/openldap-servers-*/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/
Disable slap.d config files
mv slapd.d slapd.d.orig
Start service
chown -R ldap:ldap .
service slapd start
chkconfig slapd on
Import base schema
/usr/share/migrationtools/migrate_base.pl > base.ldif
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/" base.ldif
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f base.ldif
If you only want to use LDAP as an address book, you're done.
Just find a way to insert entries in your LDAP server, and you'll be able to use it in your email clients as your address book.
If you want to use LDAP to control who can use SSH, web-applications, etc. continue below.
Import Linux accounts details in schema
/usr/share/migrationtools/migrate_hosts.pl /etc/hosts hosts.ldif
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/" hosts.ldif
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f hosts.ldif
Error is fine. Duplicate names for IPv6 probably...
/usr/share/migrationtools/migrate_group.pl /etc/group group.ldif
vi group.ldif # Remove all system groups; keep 'users' etc.
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/" group.ldif
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f group.ldif
ETC_SHADOW=/etc/shadow /usr/share/migrationtools/migrate_passwd.pl /etc/passwd passwd.ldif
vi passwd.ldif # Remove all system users; keep only 'real' users
sed --in-place -e "s/dc=padl,dc=com/$SUFFIX/" passwd.ldif
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f passwd.ldif
Setup LDAP client on the HDA
sed --in-place -e "s/#host 127.0.0.1/host hda.home.com/" /etc/ldap.conf
sed --in-place -e "s/base dc=example,dc=com/base $SUFFIX/" /etc/ldap.conf
sed --in-place -e "s/#rootbinddn cn=manager,dc=example,dc=com/rootbinddn cn=root,$SUFFIX/" /etc/ldap.conf
sed --in-place -e "s/#scope one/scope one/" /etc/ldap.conf
sed --in-place -e "s/#pam_filter objectclass=account/pam_filter objectclass=posixaccount/" /etc/ldap.conf
sed --in-place -e "s/#pam_login_attribute uid/pam_login_attribute uid/" /etc/ldap.conf
sed --in-place -e "s/#pam_member_attribute uniquemember/pam_member_attribute gid/" /etc/ldap.conf
sed --in-place -e "s/#nss_base_passwd.*ou=People,dc=example,dc=com.*/nss_base_passwd ou=People,$SUFFIX?one/" /etc/ldap.conf
sed --in-place -e "s/#nss_base_shadow.*ou=People,dc=example,dc=com.*/nss_base_shadow ou=People,$SUFFIX?one/" /etc/ldap.conf
sed --in-place -e "s/#nss_base_group.*ou=Group,dc=example,dc=com.*/nss_base_group ou=Group,$SUFFIX?one/" /etc/ldap.conf
sed --in-place -e "s/#nss_base_hosts.*ou=Hosts,dc=example,dc=com.*/nss_base_hosts ou=Hosts,$SUFFIX?one/" /etc/ldap.conf
sed --in-place -e "s/#pam_check_service_attr yes/pam_check_service_attr yes/" /etc/ldap.conf
echo admin > /etc/ldap.secret
chown root:root /etc/ldap.secret
chmod 600 /etc/ldap.secret
sed --in-place -e "s/^passwd:.*/passwd: files ldap/" /etc/nsswitch.conf
sed --in-place -e "s/^shadow:.*/shadow: files ldap/" /etc/nsswitch.conf
sed --in-place -e "s/^hosts:.*/hosts: files ldap dns mdns/" /etc/nsswitch.conf
Change a LDAP user to use authorizedService
For a specific user to be authorized or not on specific services, you need to add an objectClass to it's LDAP object, like this:
cat > authorizedService.ldif <<'EOF'
dn: uid=some_user,ou=People,dc=home,dc=com changetype: modify add: objectclass objectclass: authorizedServiceObject
EOF
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f authorizedService.ldif
Replace uid=some_user with the Linux username you want to modify.
Allow a user SSH access
cat > give_ssh_access.ldif <<'EOF'
dn: uid=some_user,ou=People,dc=home,dc=com changetype: modify add: authorizedService authorizedService: sshd
EOF
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f give_ssh_access.ldif
Replace uid=some_user with the Linux username you want to modify.
TODO: Need to document how to tell the SSH daemon (server) to use LDAP authorizedService property to control who can login...
Control a web-application access using LDAP
The procedure below will allow you to use Linux user accounts to allow or deny access to specific web-applications.
Note that this level of authentication will not replace the web-app login, if any (there are exceptions). It will prevent or allow specific users to reach the web-app homepage.
cat > give_webapp_access.ldif <<'EOF'
dn: uid=some_user,ou=People,dc=home,dc=com changetype: modify add: authorizedService authorizedService: webapp-some_name
EOF
ldapadd -h localhost -D "cn=root,$SUFFIX" -w admin -x -f give_webapp_access.ldif
Replace uid=some_user with the Linux username you want to modify, and some_name with the name of the web-app you want to protect (for example, authorizedService: webapp-bookmarks).
You'll also need to modify the httpd conf for the web-app you want to protect.
You'll find it in /etc/httpd/conf.d/xxxx-web_app_name.conf
In this file, remove the following two lines:
Order allow,deny
Allow from all
And replace them with those lines:
Deny from all
Order deny,allow
AllowOverride None
AuthType Basic
AuthName LDAP
AuthBasicAuthoritative off
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://127.0.0.1/dc=home,dc=com?uid?sub?(authorizedService=webapp-some_name)
require valid-user
satisfy any
AuthLDAPBindDN "cn=root,dc=home,dc=com"
AuthLDAPBindPassword "admin"
Replace some_name with the name of the web-app you want to protect (for example, authorizedService: webapp-bookmarks). Make sure to use the same string as you used in give_webapp_access.ldif above.