Install And Configure OpenLDAP On CentOS 5 - Page 2
12) To add a group, also use an LDIF-formatted file (in this case group.ldif):
# cat group.ldif
dn: cn=users,dc=ldap-kike,dc=com,dc=uy
objectClass: posixGroup
gidNumber: 10000
cn: users
memberUid: usuario1
description: Grupo Users
13) We add it to LDAP with ldapadd as follows:
# ldapadd -a -x -D 'cn=Manager,dc=ldap-kike,dc=com,dc=uy' -W -f group.ldif
To test whether it was added successfully:
# id usuario1
uid=10000(usuario1) gid=10000(users) groups=10000(users)
We see that the user is in the group "users".
14) Now create the user's home directory and copy the files from /etc/skel.
# mkdir /home/usuario1
# rsync -a /etc/skel/ /home/usuario1
# chown -R usuario1.users /home/usuario1
# chmod 700 /home/usuario1
# ls -la /home/usuario1
total 20
drwx------ 2 usuario1 users 4096 Jan 15 15:37 .
drwxr-xr-x 4 root root 4096 Jan 15 15:37 ..
-rw-r--r-- 1 usuario1 users 33 Dec 29 2010 .bash_logout
-rw-r--r-- 1 usuario1 users 176 Dec 29 2010 .bash_profile
-rw-r--r-- 1 usuario1 users 124 Dec 29 2010 .bashrc
15) Log in as the user
Once this is done, check that everything works. In the example the OpenLDAP server runs on the machine with IP address 192.168.150.24, and we connect to it from another machine with the ssh command (double-check that the sshd daemon is running on the server where you installed OpenLDAP).
$ ssh -l usuario1 192.168.150.24
usuario1@192.168.150.24's password:
Last login: Sat Jan 15 21:24:50 2010 from 192.168.150.207
$ id
uid=10000(usuario1) gid=10000(users) grupos=10000(users)
$ pwd
/home/usuario1
The user is logged in on the server, authenticated against the OpenLDAP server.
16) If you need to add another user, CAREFULLY edit the file user.ldif used previously (new uid, uidNumber and homeDirectory; the uidNumber must not be reused).
# cat user.ldif
dn: uid=usuario2,dc=ldap-kike,dc=com,dc=uy
uid: usuario2
cn: usuario2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$TEDFGNB3$ogOvJKTt/CviC47q/dBon1
shadowLastChange: 14335
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/usuario2
gecos: usuario2
Add it to the LDAP database:
# ldapadd -x -D 'cn=Manager,dc=ldap-kike,dc=com,dc=uy' -W -f user.ldif
Enter LDAP Password:
adding new entry "uid=usuario2,dc=ldap-kike,dc=com,dc=uy"
Then create the home directory, copy the files from /etc/skel, and set ownership and permissions as we did for the first user.
17) To add the user to the group users, add a second memberUid line to group.ldif:
# cat group.ldif
dn: cn=users,dc=ldap-kike,dc=com,dc=uy
objectClass: posixGroup
gidNumber: 10000
cn: users
memberUid: usuario1
memberUid: usuario2
description: Grupo Users
18) Update the LDAP database with the command ldapmodify:
# ldapmodify -x -D 'cn=Manager,dc=ldap-kike,dc=com,dc=uy' -W -f group.ldif
Enter LDAP Password:
modifying entry "cn=users,dc=ldap-kike,dc=com,dc=uy"
Now check the data with ldapsearch:
# ldapsearch -h 127.0.0.1 -x -b "dc=ldap-kike,dc=com,dc=uy"
...
We verify that everything is working properly:
# id usuario2
uid=10001(usuario2) gid=10000(users) groups=10000(users)
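Steps 16 to 18 are one procedure: pick an unused uidNumber, write the account's LDIF, add it, and then append the login to the group. The following script is an added example, not code from the article; it wraps that procedure in shell functions so the LDIF is generated rather than hand-edited, computes the next free uidNumber from an ldapsearch listing (two accounts sharing a uidNumber would share file ownership), and adds the group member with an explicit "changetype: modify" record instead of resubmitting the whole group entry. The base DN, Manager DN, group name and gidNumber are the article's; the server address 127.0.0.1 and the use of slappasswd to produce the hash are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate the LDIF the article
# writes by hand and apply it with the OpenLDAP client tools.
set -eu

BASE_DN='dc=ldap-kike,dc=com,dc=uy'
MANAGER_DN="cn=Manager,$BASE_DN"
LDAP_HOST='127.0.0.1'       # assumption: run on the LDAP server itself
USERS_GID=10000             # gidNumber of the "users" group from the article

# Read "uidNumber: N" lines on stdin (e.g. ldapsearch output) and print the
# next free number, never below 10000, so no two accounts share a uidNumber.
next_uidnumber() {
    awk 'BEGIN { max = 9999 }
         /^uidNumber: / { if ($2 + 0 > max) max = $2 + 0 }
         END { print max + 1 }'
}

# Print a posixAccount entry in the same shape as the article's user.ldif.
# $1 = login name, $2 = uidNumber, $3 = password hash as produced by
# "slappasswd -s <password>" (e.g. {SSHA}...), never the clear-text password.
make_user_ldif() {
    login=$1; uidnum=$2; hash=$3
    days=$(( $(date +%s) / 86400 ))   # shadowLastChange is days since the epoch
    cat <<EOF
dn: uid=$login,$BASE_DN
uid: $login
cn: $login
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: $hash
shadowLastChange: $days
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: $uidnum
gidNumber: $USERS_GID
homeDirectory: /home/$login
gecos: $login
EOF
}

# Print a modify record that appends one memberUid to the "users" group.
# $1 = login name.
make_group_add_ldif() {
    cat <<EOF
dn: cn=users,$BASE_DN
changetype: modify
add: memberUid
memberUid: $1
EOF
}

# Create the home directory from /etc/skel, as in step 14 of the article.
# $1 = login name.
make_home() {
    mkdir -p "/home/$1"
    cp -a /etc/skel/. "/home/$1"
    chown -R "$1:users" "/home/$1"
    chmod 700 "/home/$1"
}

# Usage: sh add_ldap_user.sh --apply <login> <hash>
# Talks to the server and prompts for the Manager password (once per tool).
if [ "${1:-}" = "--apply" ]; then
    login=$2; hash=$3
    uidnum=$(ldapsearch -h "$LDAP_HOST" -x -b "$BASE_DN" '(objectClass=posixAccount)' uidNumber | next_uidnumber)
    make_user_ldif "$login" "$uidnum" "$hash" | ldapadd -x -D "$MANAGER_DN" -W
    make_group_add_ldif "$login" | ldapmodify -x -D "$MANAGER_DN" -W
    make_home "$login"
    id "$login"
fi
```

Without --apply the script only defines the functions, so the generators can be inspected (for example `sh add_ldap_user.sh; make_group_add_ldif usuario2` after sourcing it) before anything is sent to slapd.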
19) Basic LDAP Security
With ACLs we can add minimum security controls restricting access to the LDAP database, so that users cannot see other users' password hashes (shadow-style).
Add to the file slapd.conf:
access to attrs=userPassword
    by dn="cn=Manager,dc=ldap-kike,dc=com,dc=uy" write
    by self write
    by anonymous auth
    by * none
access to dn.base=""
    by * read
access to *
    by dn="cn=Manager,dc=ldap-kike,dc=com,dc=uy" write
    by * read
The first rule lets the Manager and the account itself change the password, lets unauthenticated clients use it only to authenticate (bind), and hides it from everyone else; the remaining rules keep the root DSE and all other attributes readable.
Restart LDAP:
# service ldap restart
Now, if we run:
ldapsearch -h 127.0.0.1 -x -b "dc=ldap-kike,dc=com,dc=uy"
we can no longer see any user's password hash. A user who authenticates (binds) to LDAP sees only their own:
ldapsearch -h 127.0.0.1 -x -b "dc=ldap-kike,dc=com,dc=uy" -D "uid=usuario2,dc=ldap-kike,dc=com,dc=uy" -W
# usuario1, ldap-kike.com.uy
dn: uid=usuario1,dc=ldap-kike,dc=com,dc=uy
uid: usuario1
cn: usuario1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 14335
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/usuario1
gecos: usuario1
# usuario2, ldap-kike.com.uy
dn: uid=usuario2,dc=ldap-kike,dc=com,dc=uy
uid: usuario2
cn: usuario2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJFRFREZHTkIzJG9nT3ZKS1R0L0N2aUM0N3EvZEJvbjE=
shadowLastChange: 14335
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/usuario2
gecos: usuario2
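The search above is the manual way to confirm the ACL. The script below is an added example, not code from the article, that turns it into a repeatable check: it parses ldapsearch's LDIF output and lists every entry that still carries a userPassword attribute, so an anonymous search must list nothing and a search bound as usuario2 must list only usuario2's own DN. Host and base DN are the article's; the sample LDIF embedded for offline use is constructed, not captured from the article's server.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the slapd ACL
# from step 19 really hides userPassword from anyone but the entry's owner.
set -eu

LDAP_HOST='127.0.0.1'
BASE_DN='dc=ldap-kike,dc=com,dc=uy'

# Read LDIF on stdin and print, once per entry, the DN of each entry that
# contains a userPassword attribute ("userPassword:" or base64 "userPassword::").
exposed_password_dns() {
    awk '
        /^dn: /          { dn = substr($0, 5); seen = 0 }
        /^userPassword:/ { if (!seen) { print dn; seen = 1 } }
    '
}

# Exit status 0 if the LDIF on stdin exposes no password at all, 1 otherwise.
assert_no_passwords() {
    found=$(exposed_password_dns)
    [ -z "$found" ]
}

# Anonymous bind (-x with no -D): after the ACL, nothing may leak.
check_anonymous() {
    if ldapsearch -h "$LDAP_HOST" -x -b "$BASE_DN" | assert_no_passwords; then
        echo "OK: anonymous search returns no userPassword"
    else
        echo "FAIL: anonymous search still exposes userPassword" >&2
        return 1
    fi
}

# Bound as a normal user: only that user's own entry may show the hash.
# $1 = login name; ldapsearch prompts for that user's password.
check_self_only() {
    dns=$(ldapsearch -h "$LDAP_HOST" -x -b "$BASE_DN" -D "uid=$1,$BASE_DN" -W | exposed_password_dns)
    if [ "$dns" = "uid=$1,$BASE_DN" ]; then
        echo "OK: $1 sees only their own userPassword"
    else
        echo "FAIL: expected only own DN, got: ${dns:-nothing (bind failed?)}" >&2
        return 1
    fi
}

# Constructed sample of what a search bound as usuario2 should return after
# the ACL: only usuario2's entry carries a hash. Used to exercise the parser
# without a server; the base64 value is a placeholder, not a real hash.
SAMPLE_LDIF='# usuario1, ldap-kike.com.uy
dn: uid=usuario1,dc=ldap-kike,dc=com,dc=uy
uid: usuario1
objectClass: posixAccount

# usuario2, ldap-kike.com.uy
dn: uid=usuario2,dc=ldap-kike,dc=com,dc=uy
uid: usuario2
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
objectClass: posixAccount
'

# Usage: sh check_ldap_acl.sh --live [login]   (runs against the real server)
if [ "${1:-}" = "--live" ]; then
    check_anonymous
    check_self_only "${2:-usuario2}"
fi
```

Run it with --live on the server after every change to slapd.conf; a FAIL from check_anonymous means the "by * none" clause is not in effect (the directive was added to the wrong file, or slapd was not restarted).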
TASKS TO BE CARRIED OUT:
It would be worthwhile to set up an LDAP replica server so that users can still be served if the slapd daemon or the machine fails.