RHCSA Series: Setting Up LDAP-based Authentication in RHEL 7 – Part 14

[‘

n

We will begin this article by outlining some LDAP basics (what it is, where it is used and why) and show how to set up a LDAP server and configure a client to authenticate against it using Red Hat Enterprise Linux 7 systems.

n

Setup LDAP Server and Client Authentication
RHCSA Series: Setup LDAP Server and Client Authentication – Part 14

n

As we will see, there are several other possible application scenarios, but in this guide we will focus entirely on LDAP-based authentication. In addition, please keep in mind that due to the vastness of the subject, we will only cover its basics here, but you can refer to the documentation outlined in the summary for more in-depth details.

n

For the same reason, you will note that I have decided to leave out several references to man pages of LDAP tools for the sake of brevity, but the corresponding explanations are at a fingertip’s distance (man ldapadd, for example).

n

That said, let’s get started.

n

Our Testing Environment

n

Our test environment consists of two RHEL 7 boxes:

n

Server: 192.168.0.18. FQDN: rhel7.mydomain.comrnClient: 192.168.0.20. FQDN: ldapclient.mydomain.comrn

n

If you want, you can use the machine installed in Part 12: Automate RHEL 7 installations using Kickstart as client.

n

What is LDAP?

n

LDAP stands for Lightweight Directory Access Protocol and consists in a set of protocols that allows a client to access, over a network, centrally stored information (such as a directory of login shells, absolute paths to home directories, and other typical system user information, for example) that should be accessible from different places or available to a large number of end users (another example would be a directory of home addresses and phone numbers of all employees in a company).

n

Keeping such (and more) information centrally means it can be more easily maintained and accessed by everyone who has been granted permissions to use it.

n

The following diagram offers a simplified diagram of LDAP, and is described below in greater detail:

n

LDAP Diagram
LDAP Diagram

n

Explanation of above diagram in detail.

n

    n

  1. An entry in a LDAP directory represents a single unit or information and is uniquely identified by what is called a Distinguished Name.
  2. n

  3. An attribute is a piece of information associated with an entry (for example, addresses, available contact phone numbers, and email addresses).
  4. n

  5. Each attribute is assigned one or more values consisting in a space-separated list. A value that is unique per entry is called a Relative Distinguished Name.
  6. n

n

That being said, let’s proceed with the server and client installations.

n

Installing and Configuring a LDAP Server and Client

n

In RHEL 7, LDAP is implemented by OpenLDAP. To install the server and client, use the following commands, respectively:

n

# yum update && yum install openldap openldap-clients openldap-serversrn# yum update && yum install openldap openldap-clients nss-pam-ldapdrn

n

Once the installation is complete, there are some things we look at. The following steps should be performed on the server alone, unless explicitly noted:

n

1. Make sure SELinux does not get in the way by enabling the following booleans persistently, both on the server and the client:

n

# setsebool -P allow_ypbind=0 authlogin_nsswitch_use_ldap=0rn

n

Where allow_ypbind is required for LDAP-based authentication, and authlogin_nsswitch_use_ldap may be needed by some applications.

n

2. Enable and start the service:

n

# systemctl enable slapd.servicern# systemctl start slapd.servicern

n

Keep in mind that you can also disable, restart, or stop the service with systemctl as well:

n

# systemctl disable slapd.servicern# systemctl restart slapd.servicern# systemctl stop slapd.servicern

n

3. Since the slapd service runs as the ldap user (which you can verify with ps -e -o pid,uname,comm | grep slapd), such user should own the /var/lib/ldap directory in order for the server to be able to modify entries created by administrative tools that can only be run as root (more on this in a minute).

n

Before changing the ownership of this directory recursively, copy the sample database configuration file for slapd into it:

n

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIGrn# chown -R ldap:ldap /var/lib/ldaprn

n

4. Set up an OpenLDAP administrative user and assign a password:

n

# slappasswdrn

n

as shown in the next image:

n

Set LDAP Admin Password
Set LDAP Admin Password

n

and create an LDIF file (ldaprootpasswd.ldif) with the following contents:

n

dn: olcDatabase={0}config,cn=configrnchangetype: modifyrnadd: olcRootPWrnolcRootPW: {SSHA}PASSWORDrn

n

where:

n

    n

  1. PASSWORD is the hashed string obtained earlier.
  2. n

  3. cn=config indicates global config options.
  4. n

  5. olcDatabase indicates a specific database instance name and can be typically found inside /etc/openldap/slapd.d/cn=config.
  6. n

n

Referring to the theoretical background provided earlier, the ldaprootpasswd.ldif file will add an entry to the LDAP directory. In that entry, each line represents an attribute: value pair (where dn, changetype, add, and olcRootPW are the attributes and the strings to the right of each colon are their corresponding values).

n

You may want to keep this in mind as we proceed further, and please note that we are using the same Common Names (cn=) throughout the rest of this article, where each step depends on the previous one.

n

5. Now, add the corresponding LDAP entry by specifying the URI referring to the ldap server, where only the protocol/host/port fields are allowed.

n

# ldapadd -H ldapi:/// -f ldaprootpasswd.ldif rn

n

The output should be similar to:

n

LDAP Configuration
LDAP Configuration

n

and import some basic LDAP definitions from the /etc/openldap/schema directory:

n

# for def in cosine.ldif nis.ldif inetorgperson.ldif; do ldapadd -H ldapi:/// -f /etc/openldap/schema/$def; donern

n

LDAP Definitions
LDAP Definitions

n

6. Have LDAP use your domain in its database.

n

Create another LDIF file, which we will call ldapdomain.ldif, with the following contents, replacing your domain (in the Domain Component dc=) and password as appropriate:

n

dn: olcDatabase={1}monitor,cn=configrnchangetype: modifyrnreplace: olcAccessrnolcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"rn  read by dn.base="cn=Manager,dc=mydomain,dc=com" read by * nonernrndn: olcDatabase={2}hdb,cn=configrnchangetype: modifyrnreplace: olcSuffixrnolcSuffix: dc=mydomain,dc=comrnrndn: olcDatabase={2}hdb,cn=configrnchangetype: modifyrnreplace: olcRootDNrnolcRootDN: cn=Manager,dc=mydomain,dc=comrnrndn: olcDatabase={2}hdb,cn=configrnchangetype: modifyrnadd: olcRootPWrnolcRootPW: {SSHA}PASSWORDrnrndn: olcDatabase={2}hdb,cn=configrnchangetype: modifyrnadd: olcAccessrnolcAccess: {0}to attrs=userPassword,shadowLastChange byrn  dn="cn=Manager,dc=mydomain,dc=com" write by anonymous auth by self write by * nonernolcAccess: {1}to dn.base="" by * readrnolcAccess: {2}to * by dn="cn=Manager,dc=mydomain,dc=com" write by * readrn

n

Then load it as follows:

n

# ldapmodify -H ldapi:/// -f ldapdomain.ldifrn

n

LDAP Domain Configuration
LDAP Domain Configuration

n

7. Now it’s time to add some entries to our LDAP directory. Attributes and values are separated by a colon (:) in the following file, which we’ll name baseldapdomain.ldif:

n

dn: dc=mydomain,dc=comrnobjectClass: toprnobjectClass: dcObjectrnobjectclass: organizationrno: mydomain comrndc: mydomainrnrndn: cn=Manager,dc=mydomain,dc=comrnobjectClass: organizationalRolerncn: Managerrndescription: Directory Managerrnrndn: ou=People,dc=mydomain,dc=comrnobjectClass: organizationalUnitrnou: Peoplernrndn: ou=Group,dc=mydomain,dc=comrnobjectClass: organizationalUnitrnou: Grouprn

n

Add the entries to the LDAP directory:

n

# ldapadd -x -D cn=Manager,dc=mydomain,dc=com -W -f baseldapdomain.ldifrn

n

Add LDAP Domain Attributes and Values
Add LDAP Domain Attributes and Values

n

8. Create a LDAP user called ldapuser (adduser ldapuser), then create the definitions for a LDAP group in ldapgroup.ldif.

n

# adduser ldapuserrn# vi ldapgroup.ldifrn

n

Add following content.

n

dn: cn=Manager,ou=Group,dc=mydomain,dc=comrnobjectClass: toprnobjectClass: posixGrouprngidNumber: 1004rn

n

where gidNumber is the GID in /etc/group for ldapuser) and load it:

n

# ldapadd -x -W -D "cn=Manager,dc=mydomain,dc=com" -f ldapgroup.ldifrn

n

9. Add a LDIF file with the definitions for user ldapuser (ldapuser.ldif):

n

dn: uid=ldapuser,ou=People,dc=mydomain,dc=comrnobjectClass: toprnobjectClass: accountrnobjectClass: posixAccountrnobjectClass: shadowAccountrncn: ldapuserrnuid: ldapuserrnuidNumber: 1004rngidNumber: 1004rnhomeDirectory: /home/ldapuserrnuserPassword: {SSHA}fiN0YqzbDuDI0Fpqq9UudWmjZQY28S3MrnloginShell: /bin/bashrngecos: ldapuserrnshadowLastChange: 0rnshadowMax: 0rnshadowWarning: 0rn

n

and load it:

n

# ldapadd -x -D cn=Manager,dc=mydomain,dc=com -W -f ldapuser.ldifrn

n

LDAP User Configuration
LDAP User Configuration

n

Likewise, you can delete the user entry you just created:

n

# ldapdelete -x -W -D cn=Manager,dc=mydomain,dc=com "uid=ldapuser,ou=People,dc=mydomain,dc=com"rn

n

10. Allow communication through the firewall:

n

# firewall-cmd --add-service=ldaprn

n

11. Last, but not least, enable the client to authenticate using LDAP.

n

To help us in this final step, we will use the authconfig utility (an interface for configuring system authentication resources).

n

Using the following command, the home directory for the requested user is created if it doesn’t exist after the authentication against the LDAP server succeeds:

n

# authconfig --enableldap --enableldapauth --ldapserver=rhel7.mydomain.com --ldapbasedn="dc=mydomain,dc=com" --enablemkhomedir --updatern

n

LDAP Client Configuration
LDAP Client Configuration

n

Summary

n

In this article we have explained how to set up basic authentication against a LDAP server. To further configure the setup described in the present guide, please refer to Chapter 13 – LDAP Configuration in the RHEL 7 System administrator’s guide, paying special attention to the security settings using TLS.

n

Feel free to leave any questions you may have using the comment form below.

n

‘]