path: root/xml/htdocs/doc/en/ldap-howto.xml

<?xml version='1.0' encoding='UTF-8'?>
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/ldap-howto.xml,v 1.9 2004/01/29 12:58:22 swift Exp $ -->
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">

<guide link="/doc/en/ldap-howto.xml">
<title>Gentoo Guide to OpenLDAP Authentication</title>

<author title="Author">
  <mail link="sj7trunks@gentoo.org">Benjamin Coles</mail>
</author>

<author title="Editor">
  <mail link="swift@gentoo.org">Sven Vermeulen</mail>
</author>

<author title="Editor">
  <mail link="tseng@gentoo.org">Brandon Hale</mail>
</author>
<author title="Editor">
  <mail link="bennyc@gentoo.org">Benny Chuang</mail>
</author>

<license/>

<abstract>
This guide introduces the basics of LDAP and shows you how to setup
OpenLDAP for authentication purposes between a group of Gentoo boxes.
</abstract>

<version>0.5</version>
<date>January 29, 2004</date>

<chapter>
<title>Getting Started with OpenLDAP</title>
<section>
<title>What is LDAP?</title>
<body>

<p>
LDAP stands for <e>Lightweight Directory Access Protocol</e>. Based on
X.500 it encompasses most of its primary functions, but lacks the more
esoteric functions that X.500 has. Now what is this X.500 and why is there an
LDAP?
</p>

<p>
X.500 is a model for Directory Services in the OSI concept. It contains
namespace definitions and the protocols for querying and updating the
directory. However, X.500 has been found to be overkill in many situations.
Enter LDAP. Like X.500 it provides a data/namespace model for the
directory and a protocol too. However, LDAP is designed to run directly
over the TCP/IP stack. See LDAP as a slim-down version of X.500.
</p>

</body>
</section>

<section>
<title>I don't get it. What is a directory?</title>
<body>

<p>
A directory is a specialized database designed for frequent queries but
infrequent updates. Unlike general databases they don't contain
transaction support or roll-back functionality. Directories are easily
replicated to increase availability and reliability. When directories
are replicated, temporary inconsistencies are allowed as long as they
get synchronised eventually. 
</p>

</body>
</section>

<section>
<title>How is information structured?</title>
<body>

<p>
All information inside a directory is structured hierarchically. Even
more, if you want to enter data inside a directory, the directory must
know how to store this data inside a tree. Lets take a look at a
fictional company and an Internet-like tree:
</p>

<pre caption = "Organisational structure for GenFic, a Fictional Gentoo company">
dc:         com
             |
dc:        genfic         <comment>(Organisation)</comment>
          /      \
ou:   people   servers    <comment>(Organisational Units)</comment>
      /    \     ..     
uid: ..   jhon            <comment>(OU-specific data)</comment>
</pre>

<p>
Since you don't feed data to the database in this ascii-art like manner,
every node of such a tree must be defined. To name such nodes, LDAP uses
a naming scheme. Most LDAP distributions (including OpenLDAP) already
contain quite a number of predefined (and general approved) schemes,
such as the inetorgperson, a frequently used scheme to define users.
</p>

<p>
Interested users are encouraged to read the <uri
link="http://www.openldap.org/doc/admin21/">OpenLDAP Admin Guide</uri>.
</p>

</body>
</section>

</chapter>


<chapter>
<title>Configuring OpenLDAP</title>
<section>
<title>Initial Configuration</title>
<body>

<note>
In this document we use the genfic.com address as an example. You will
ofcourse have to change this. However, make sure that the top node is an
official top level domain (net, com, cc, be, ...).
</note>

<p>
Lets first emerge all necessary components on our server:
</p>

<pre caption="Install OpenLDAP">
# <i>emerge openldap pam_ldap nss_ldap migrationtools</i>
# <i>chown ldap:ldap /var/lib/openldap-ldbm /var/lib/openldap-data /var/lib/openldap-slurp</i>
</pre>

<p>
Edit <path>/etc/openldap/slapd.conf</path> and add the following right after 
<c>core.schema</c>:
</p>

<pre caption="/etc/openldap/slapd.conf">
<comment># Include the needed data schemes</comment>
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

<comment># Use crypt to hash the passwords</comment>
password-hash {crypt}

<comment># Define SSL and TLS properties (optional)</comment>
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem

<codenote>Further down...</codenote>

database        ldbm
suffix          "dc=genfic,dc=com"
rootdn          "cn=Manager,dc=genfic,dc=com"
rootpw          <i>{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==</i>
directory       /var/lib/openldap-ldbm
index           objectClass     eq

<codenote>You can get an encrypted password like above with slappasswd -h {Md5}</codenote>
</pre>

<p>
Next we edit the LDAP configuration file:
</p>

<pre caption="/etc/openldap/ldap.conf">
# <i>nano -w /etc/openldap/ldap.conf</i>
<codenote>Add the following...</codenote>

BASE         dc=genfic, dc=com
URI          ldaps://auth.genfic.com:636/
TLS_REQCERT  allow
</pre>

<p>
Now you will generate an SSL certificate to secure your directory.
Answer the question you receive as good as possible. When asked for your
<e>Common Name</e>, enter the name the clients will use when contacting
the server. This is usually the full domainname (e.g. 
<path>auth.genfic.com</path>).
</p>

<pre caption="Generating SSL Certificate">
# <i>cd /etc/ssl</i>
# <i>openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out \
ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999</i>
</pre>

<p>
Now edit <path>/etc/conf.d/slapd</path> and add the following, commenting out 
the existing line:
</p>

<pre caption="/etc/conf.d/slapd">
OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
</pre>

<p>
Start slapd:
</p>

<pre caption = "Starting SLAPd">
# <i>/etc/init.d/slapd start</i>
</pre>

<p>
You can test with the following command:
</p>

<pre caption = "Test the SLAPd daemon">
# <i>ldapsearch -D "cn=Manager,dc=genfic,dc=com" -W</i>
</pre>

<p>
If you receive an error, try adding <c>-d 255</c> to increase the
verbosity and solve the issue you have.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Migrate Existing Data</title>
<section>
<title>Migrate User Accounts</title>
<body>

<p>
Next, we migrate the user accounts. Open 
<path>/usr/share/migrationtools/migrate_common.ph</path> and edit the 
following:
</p>

<pre caption="/usr/share/migrationtools/migrate_common.ph">
$DEFAULT_BASE = "dc=genfic,dc=com";
$EXTENDED_SCHEMA = 1;
<comment># Comment these lines out unless you have a mail schema loaded</comment>
<comment>#$DEFAULT_MAIL_DOMAIN = "genfic.com";</comment>
<comment>#$DEFAULT_MAIL_HOST = "mail.genfic.com";</comment>
</pre>

<p>
Now run the migration scripts:
</p>

<pre caption="Running the migration scripts">
# <i>export ETC_SHADOW=/etc/shadow</i>
# <i>cd /usr/share/migrationtools</i>
# <i>./migrate_base.pl > /tmp/base.ldif</i>
# <i>./migrate_group.pl /etc/group /tmp/group.ldif</i>
# <i>./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif</i>
# <i>./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif</i>
</pre>

<p>
This last step migrated the files above to ldif files read by LDAP. Now lets add the files to our directory:
</p>

<pre caption="Importing the data to our directory">
# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif</i>
# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif</i>
# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif</i>
# <i>ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/hosts.ldif</i>
</pre>

</body>
</section>
</chapter>

<chapter>
<title>Authentication Configuration</title>
<section>
<title>Configuring PAM</title>
<body>

<p>
Next, we will configure PAM to allow LDAP authorization. Add the
following lines to <path>/etc/pam.d/system-auth</path>:
</p>

<pre caption="/etc/pam.d/system-auth">
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
account     sufficient    /lib/security/pam_ldap.so
password    sufficient    /lib/security/pam_ldap.so use_authtok
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session     optional      /lib/security/pam_ldap.so
</pre>

<p>
Now change <path>/etc/ldap.conf</path> to read:
</p>

<pre caption="/etc/ldap.conf">
<comment>#host 127.0.0.1</comment>
<comment>#base dc=padl,dc=com</comment>

ssl start_tls
ssl on
suffix          "dc=genfic,dc=com"
<comment>#rootbinddn uid=root,ou=People,dc=genfic,dc=com</comment>

uri ldaps://auth.genfic.com/
pam_password exop

ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=genfic,dc=com
nss_base_shadow ou=People,dc=genfic,dc=com
nss_base_group  ou=Group,dc=genfic,dc=com
nss_base_hosts  ou=Hosts,dc=genfic,dc=com

scope one
</pre>

<p>
Finally, configure your clients so that they check the LDAP for system
accounts:
</p>

<pre caption="/etc/nsswitch.conf">
passwd:         files ldap
group:          files ldap
shadow:         files ldap
</pre>

<p>
To test the changes, type:
</p>

<pre caption="Testing LDAP Auth">
# <i>getent passwd|grep 0:0</i>

<codenote>You should get two entries back:</codenote>
root:x:0:0:root:/root:/bin/bash 
root:x:0:0:root:/root:/bin/bash
</pre>

<p>
If you noticed one of the lines you pasted into your <path>/etc/ldap.conf</path>
was commented out (the <c>rootbinddn</c> line): you don't need it unless you 
want to change a user's password as superuser. In this case you need to echo 
the root password to <path>/etc/ldap.secret</path> in plaintext. This is 
<brite>DANGEROUS</brite> and should be chmoded to 600. What I do is keep that 
file blank and when I need to change someones password thats both in the ldap 
and <path>/etc/passwd</path> I put the pass in there for 10 seconds while I 
change it and remove it when I'm done.
</p>

</body>
</section>

<section>
<title>OpenLDAP permissions</title>
<body>

<p>
If we take a look at <path>/etc/openldap/slapd.conf</path> you'll see
that you can specify the ACLs (permissions if you like) of what data
users can read and/or write:
</p>

<pre caption="/etc/openldap/slapd.conf">
access to *
  by dn="uid=root,ou=people,dc=genfic,dc=com" write
  by users read
  by anonymous auth
access to attrs=userPassword,gecos,description,loginShell
  by self write
</pre>

<p>
This gives you access to everything a user should be able to change. If it's 
your information, then you got write access to it; if it's another user his 
information then you can read it; anonymous people can send a login/pass to get 
logged in. There are four levels, ranking them from lowest to greatest: <c>auth 
search read write</c>.
</p>

<p>
The next ACL is a bit more secure as it blocks normal users to read
other people their shadowed password:
</p>

<pre caption="/etc/openldap/slapd.conf">
access to dn=".*,dc=genfic,dc=com" attr="userPassword"
  by dn="uid=root,ou=people,dc=genfic,dc=com" write
  by dn="uid=John, ou=People,dc=genfic,dc=com" write
  by anonymous auth
  by self write
  by * search
  
access to *
  by dn="uid=root,ou=People,dc=genfic,dc=com" write
  by * read
</pre>

<p>
This example gives root and John access to read/write/search
for everything in the the tree below <path>dc=genfic,dc=com</path>. This also 
lets users change their own <path>userPassword</path>'s. As for the ending 
statement everyone else just has a search ability meaning they can fill in a 
search filter, but can't read the search results. Now you can have multiple 
acls but the rule of the thumb is it processes from bottom up, so your 
toplevel should be the most restrictive ones.
</p>

</body>
</section>
</chapter>

<chapter>
<title>Working with OpenLDAP</title>
<section>
<title>Maintaining the directory</title>
<body>

<p>
You can start using the directory to authenticate users in 
apache/proftpd/qmail/samba. You can manage it with Webmin, which provides a 
really easy management interface. You can also use gq or 
directory_administrator. 
</p>

</body>
</section>
</chapter>

<chapter>
<title>Acknowledgements</title>
<section>
<body>

<p>
We would like to thank Matt Heler for lending us his box for the purpose of 
this guide. Thanks also go to the cool guys in #ldap @ irc.freenode.net
</p>

</body>
</section>

</chapter>
</guide>