LDAP Is a popular, standard way to access information and includes excellent security and fine-grained access control. It is usually used to provide fast search and lookup of “directories” (a type of “database”), including DNS data, calendar data, and data about people. It is often used as a central data store to support single sign-on, replacing other stores such as the traditional Unix account files.
LDAP organizes data as “objects” (or other terms such as entries, records, etc.). Each object is a collection of named attributes, each with zero, one, or more values. Attributes may be optional or required; it depends on the type of the object. (An object can have multiple types; it must contain all the attributes required of any of them, and can contain any optional attributes defined by any of the types.) The types are defined in one or more schema files.
The objects in a directory or organized in a hierarchy.
There is a “root” object at the top, which is a
container type (that is, it can contain other objects).
Originally the top-most objects represented a geographical
location: a country object at the top, then (possibly) a
state object, then an organization object.
The lower part of the tree consists of organizational units
(“ou”) which contain the actual (useful) data objects.
For example it is common (and the default with OpenLDAP)
to keep objects about users in an
A problem of this organization is the difficulty of having globally
unique names for an organization's records.
The modern trend is to name the top-most branches after an
organization's DNS name, using domainComponent
dc”) for each part of the DNS
Every object has a unique name based on the names of each object
from the root to the object, analogous to the absolute pathname
of a file in a file system.
This is called the object's distinguished name, which is
of the form “
type” is the object's type and
name” is the (common) name of that object,
and a comma is used as a separator.
For an organization with the DNS name of
gcaw.org, you should name the top objects
in the hierarchy “
OpenLDAP server is configured by editing the file
The file starts with directives that apply to all directories
served by this daemon.
This is followed by one or more database definitions, each
starting with a “
The client tools that ship with OpenLDAP have default
settings (so you don't have to enter them on the command line every
time) in the file
This file should not be confused with the
which are used for PAM and the name service switch.
LDAP supports powerful security but by default
uses plain-text passwords (not safe to send across a
network, but safe enough for localhost use).
To use these with the OpenLDAP client tools,
you must include the option “
-x” on the command
In addition, a special user name with “
in the base of the directory (in our case,
dc=gcaw,dc=org”) is the only user with write
access to the directory.
This user is called the “rootdn”.
All other users have read-only access.
To make changes to the directory, you must connect as the rootdn (or
some other user to whom you have granted access) using the option
You will also need to supply “
-W” so the command
will prompt you to enter the matching password.
You can change the defaults by adding access directives of the form:
access to what by who list-of-rights ...
Each access directive ends with an implicit
by * none”, so if you don't
explicitly allow access to someone to something it will
In addition, there is a “first match” rule, so you must list
the more specific access directives before the more general ones.
Once you add any “
access” directives, the default
read-only acces by all users (except the rootdn) doesn't apply.
Instead, there is an implicit rule that denies all access.
So if you want to add back the read access, you must add this directive
at the end:
access to * by * read
In this project you will setup the OpenLDAP server, use it to serve as a single sign-on directory for your server. Then you will run some experiments and fix the access permissions.
Perform the following tasks and answer the following questions:
yum: openldap-clients, openldap-servers, openldap, nss_ldap, migrationtools, and gq.
/var/lib/ldap/gcaw.org” to hold the data files. This directory must be mode “
0700” (that is, accessible by owner only), with owner “
ldap” and group “
DB_CONFIG” in that directory with mode “
0600” (that is, read-write by owner only), with owner “
ldap” and group “
ldap.log”. LDAP messages are sent to “
local4” facility. Reload or restart the system log daemon and check the system log; if any errors result, fix and repeat. What changes did you make to
/etc/rsyslog.conf(the syslog version used by Fedora)?
/etc/logrotate.dto rotate your new log file. What is the name and contents of your new
slapd.conffile. The newer versions use a folder hierarchy containing many
.ldiffiles. You can edit those files, or use the sample
slapd.conffile I provide. (See the hints section below for the link). Note if both the directory and the file are present,
slapdwill use the directory! You should rename the “
slapd.d” directory. Then the server will fall back on using the
It is easy to convert the old-style file to the new-style directories, if you wish (not required):
mv slapd.d/ slapd.d-ORIG mkdir slapd.d chown ldap.ldap slapd.d slaptest -f slapd.conf -F slapd.d/ chown -R ldap.ldap slapd.d/
If this works, you can remove the
/etc/openldap/slapd.conf and make the following
loglevel conns filter config
rootdn(the privileged LDAP administrator) to:
slappasswdcommand. DO NOT provide your new password on the command line. What exact command did you use? Use the resulting password hash as the value for
directoryto the pathname of the directory created earlier.
slaptest -uv. If any errors, fix and repeat.
/etc/openldap/ldap.conf” and change the
BASEto the correct value for our organization. What changes did you make to this file?
ldapsearch -xW -D 'cn=Manager,dc=gcaw,dc=org' -b cn=monitor ldapsearch -x
Were the results what you expected?
If this doesn't work, what security service(s) might be blocking access? Verify they all allow access. Remember to check log files if you encounter unknown problems.
useradd -c "LDAP User" -m luser
luser. (You can use a virtual terminal for this, or try “
/usr/share/doc/migrationtools*/migration-tools.txt. Change your directory to where the scripts were installed,
/usr/share/migrationtools/. These tools all have pointless defaults that must be changed. You can over-ride the defaults (set in the file “
migrate_common.ph”) by exporting the following environment variables, then run as root the following commands:
export LDAP_EXTENDED_SCHEMA="1" export LDAP_DEFAULT_MAIL_DOMAIN="gcaw.org" export LDAP_BASEDN="dc=gcaw,dc=org" ./migrate_base.pl > ~/base.ldif ./migrate_group.pl /etc/group ~/group.ldif ./migrate_passwd.pl /etc/passwd ~/passwd.ldif
ldapaddto import the
ldiffiles. The order you add them matters. You can't add an object to some container, if that container object hasn't been created yet! Check the man page for this command to see what options you might need to use. What are the exact commands you used to add the three files? (Hint: You don't have
SASLconfigured, so you will need to use the “
-x” option. Since only the “rootdn” user has “write” privileges initially, you must connect to (called “binding with”) the server using that distinguished name. Since that user has a password set, you will need the option to have the command prompt you for a password.)
ldapsearch -x uid=luser ldapsearch -x uid=luser mail
Explain the results of each command.
luserfrom the password files, with the command “
userdel luser”. Note this doesn't affect the LDAP data, and leaves the user's home directory.
/etc/nsswitch.conf, and all of
Next run the GUI tool
Make sure to configure both for “User Information” and
“Authentication” to use LDAP.
You will also need to configure LDAP to use the
correct organization name (“
For security reasons, this tool won't let you authenticate using
plain-text passwords over a network.
Rather than do this correctly and security, pretend to use
LDAPS in the tool, and aftwards, edit each file modified
by this tool by replacing “
The screen for Fedora 15 looks like this:
Note: make sure you also set the password crypt mechanism to
sha512” (it may default to
This change should be seen in all the
What files were changed by this tool?
What was changed (if anything) in the files
What was changed (if anything) in the PAM configuration files?
Which files (if any) did you have to edit, to change the scheme from
With modern Fedora, the name service switch
nsswitch.conf) file no longer directly needs to use
Instead it uses “
sss”, for System
Security Services, for both PAM and nsswitch.
This in turn uses a daemon “
Make sure this daemon is running!
If you make any changes to your configuration, or add new users, or
even simply update a password, daemons such as
nscd must be restarted, to flush their caches.
For testing purposes, I recommend you don't run
luser. If that works, you are using single sign-on! Assuming this works, what security changes would you need to make to allow other hosts to use your new LDAP server? (Just in general; you don't need to list specific file changes.)
luser. Now on the second host, confirm you can log in as
luser. (In reality, you would also use NFS to remotely mount users' home directories, but we will skip that for this project.)
luser, try to change your password using the
passwdcommand. I bet this didn't work! Now try this search:
ldapsearch -x uid=root userPassword
You have now read the hashed password for root!
groupfiles can be read by anyone, root can read or write attributes from the
shadowfile, and all other users can only authenticate using the userPassword attribute, or change their own password.
In addition to these access controls, you can define others. also you can define other security parameters so that passwords are never sent from an LDAP client to the server. A complete security setup is beyond the scope of this assignment.
slapd.conffile, in either the general area or in the directory-specific area of the file:
# Restrict access to shadow attributes: access to dn.children="ou=People,dc=gcaw,dc=org" attrs=userPassword,shadowLastChange,shadowMax,shadowWarning by self write by dn.exact="uid=root,ou=People,dc=gcaw,dc=org" write by * auth # Root has write access to everything else too (others have read): access to * by dn.exact="uid=root,ou=People,dc=gcaw,dc=org" write by * read
slaptest -vcommand and make sure there are no errors. Then restart the LDAP daemon.
luseragain, and change the password using the
passwdcommand. If this works, log out and become
luser's password using the command
passwd luser. What happened?
root, to change someone's password. However the simple access rules we are using means that
rootis being “mapped” to the user with
cn=Manager,dc=gcaw,dc=org. and that user requires a password. Try changing the
rootagain, and this time supply the correct password.
View sample configuration and LDIF data files. For each configuration file I have provided the before version (file-ORIG), the result after changes (file), and a diff listing (file.diff).
A copy of your relevant system journal entries, and the answers to the questions asked above. You can send as email to (preferred). If email is a problem for some reason, you may turn in a hard-copy. In this case the pages should be readable, dated, and stapled together. Your name should appear on the first page.
Please see your syllabus for more information about submitting projects.