Set Up OpenLDAP Server on Centos


7/31/2019 Set Up OpenLDAP Server on Centos

1/15

Set up OpenLDAP server

Install OpenLDAP Server

su - root
yum install gcc
yum install openldap*

Setup OpenLDAP Server via Webmin

Point browser to Webmin -> Unused Modules -> LDAP Server -> Module Config and change values to match the attached screenshot.

Point browser to Webmin -> Unused Modules -> LDAP Server -> OpenLDAP Server configuration and change values to match the attached screenshot.


Point browser to Webmin -> Unused Modules -> LDAP Server -> Manage Schema and change values to match the attached screenshot.

Edit slapd.conf

su - root
gedit /etc/openldap/slapd.conf

Paste the following lines into slapd.conf (Add Access Control Rules):

access to attrs=userPassword,shadowLastChange
    by dn="cn=manager,dc=saioc,dc=in" write
    by anonymous auth
    by self write
    by * none

access to *
    by dn="cn=manager,dc=saioc,dc=in" write
    by dn="cn=nss,dc=saioc,dc=in" read
    by * auth
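To see what these two directives actually grant before the server is started, here is an added example (not from the page) that models slapd's default ACL evaluation for exactly the rules above: first matching "access to" directive wins, first matching "by" clause inside it decides, and no match means no access. It ignores the stop/break/continue controls and anything the Webmin screenshots may add.

```python
# Added example (not from the page): models slapd's default evaluation of the two
# "access to" directives from the slapd.conf above. First matching "access to" wins,
# the first matching "by" clause inside it decides, no match means no access;
# stop/break/continue controls are ignored.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # each includes the earlier ones
MANAGER = "cn=manager,dc=saioc,dc=in"
NSS = "cn=nss,dc=saioc,dc=in"
LDAPADMIN = "cn=ldapadmin,dc=saioc,dc=in"  # defined in saioc.ldif but absent from the ACL

# (attributes covered, or None for "access to *"; list of (who, dn, level)) as in slapd.conf
ACL = [
    ({"userpassword", "shadowlastchange"},
     [("dn", MANAGER, "write"), ("anonymous", None, "auth"),
      ("self", None, "write"), ("*", None, "none")]),
    (None,
     [("dn", MANAGER, "write"), ("dn", NSS, "read"), ("*", None, "auth")]),
]

def granted_level(bind_dn, target_dn, attr):
    """Level bind_dn gets on attr of entry target_dn; bind_dn=None means anonymous."""
    for attrs, by_clauses in ACL:
        if attrs is not None and attr.lower() not in attrs:
            continue                     # directive does not cover this attribute
        for who, dn, level in by_clauses:
            if ((who == "dn" and bind_dn == dn)
                    or (who == "anonymous" and bind_dn is None)
                    or (who == "self" and bind_dn is not None and bind_dn == target_dn)
                    or who == "*"):
                return level             # first matching "by" clause decides
        return "none"                    # directive matched, but no "by" clause did
    return "none"                        # nothing matched: slapd denies by default

def permits(bind_dn, target_dn, attr, needed):
    """True if the granted level covers the operation ("auth", "read", "write", ...)."""
    return LEVELS.index(granted_level(bind_dn, target_dn, attr)) >= LEVELS.index(needed)

def summary(target_dn):
    """Effective rights on a user entry for the identities the page's design talks about."""
    return {
        "anon_can_bind": permits(None, target_dn, "userPassword", "auth"),
        "anon_can_read_pw": permits(None, target_dn, "userPassword", "read"),
        "nss_can_read_pw": permits(NSS, target_dn, "userPassword", "read"),
        "nss_can_read_uidnumber": permits(NSS, target_dn, "uidNumber", "read"),
        "self_can_change_pw": permits(target_dn, target_dn, "userPassword", "write"),
        "self_can_read_own_cn": permits(target_dn, target_dn, "cn", "read"),
        "ldapadmin_can_change_pw": permits(LDAPADMIN, target_dn, "userPassword", "write"),
    }
```

Two things the model makes visible: a user bound as themselves gets only "auth" on their own non-password attributes (lookups are meant to go through cn=nss), and cn=ldapadmin is not named in either directive, so with these two rules alone it has no access to userPassword; whatever grants that role its password-changing right is not on this page.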


After the above step, point browser to Webmin -> Unused Modules -> LDAP Server -> LDAP Access control and match with the attached screenshot.


Start LDAP server

Point browser to Webmin -> Servers -> LDAP Server and click on Start server.

LDAP Directory Structure - design and implementation

Design considerations and explanation for LDAP Directory Structure

SAIoC LDAP Directory structure as a tree:

dc=in
 |
 dc=saioc
  |-- cn=nss
  |-- cn=ldapadmin
  |-- ou=People
  |     |-- cn=adminuser, pcuser1, labteacher1, labstudent1
  |-- ou=Group
  |     |-- cn=ldapusers, labadmin, students, myfuse
  |-- ou=Hosts
  |-- ou=policies
  |-- ou=machines

Design comments and notes

1. The base DN or root of the LDAP directory tree was derived from the domain name in use in the SAIoC LAN, i.e. saioc.in.

2. organizationalUnit is a standard ObjectClass in LDAP. It is used to define entries that represent a relatively static grouping in an organization. We have chosen to create 5 top-level organizationalUnits:
   - People - all user accounts representing people in SAIoC will belong to this organizationalUnit.
   - Group - the concept of groups is used to logically organize resources for managing them. This seems similar to the concept of organizationalUnit, but one thumb-rule to differentiate between them is that a resource can belong to only one organizationalUnit at a time while it can belong to multiple groups.
   - Hosts - this is for future use.
   - Machines - this is for future use.
   - Policies - this is for future use.
   Notes: http://www.zytrax.com/books/ldap/ape/#organizationalunit, http://weusefoss.sriaurobindoinstitute.org/tiki-editpage.php?page=ObjectClass

3. organizationalRole is a standard ObjectClass in LDAP. It is used to define entries that represent roles held by people within an organization. simpleSecurityObject is a standard ObjectClass in LDAP. It is used to allow an entry to contain the userPassword attribute. We have chosen to create two roles:
   - nss represents a role which is allowed to perform read-only operations on LDAP and will be used by LDAP clients, especially nss.
     Notes: What is nss or name switch service? http://www.wlug.org.nz/NSS
   - ldapadmin represents a role which is allowed to change passwords for user accounts created in the LDAP server.
   Notes: http://www.zytrax.com/books/ldap/ape/#organizationalrole, http://www.zytrax.com/books/ldap/ape/core-schema.html#simplesecurityobject, http://weusefoss.sriaurobindoinstitute.org/tiki-editpage.php?page=ObjectClass

4. posixGroup is a standard ObjectClass in LDAP. It is an abstraction of a group of accounts. It corresponds to Unix groups. We have chosen to create 4 groups:
   - ldapusers - this is the primary group to which all user accounts created in LDAP belong. The groupId is 10000.
   - labadmin - this is the group which represents the computer lab administrators, typically the lab teachers. The groupId is 10001. This group will typically be used to provide its members with extra privileges like read/write/execute access to the home directories of all students etc.
   - students - this group represents students who use the computer lab. The groupId is 10002.
   - myfuse - this corresponds to an inbuilt group in Ubuntu 8, named fuse with groupId 107. The groupId is 107. All users who need to have USB drives auto-mounted need to be made members of this group.
   Special note for administrators: it has been decided to reserve the range 10000 to 10199 to be used as groupId for groups created in LDAP.
   Notes: http://www.zytrax.com/books/ldap/ape/nis.html, http://weusefoss.sriaurobindoinstitute.org/tiki-editpage.php?page=ObjectClass

Explanation for LDIF

The LDIF for saioc.ldif is listed in full under "Create LDAP directory structure" below. Design comments for its entries: TBD.

Create LDAP directory structure (Create LDAP objects using saioc.ldif)

Create a file named saioc.ldif first (contents below), then load it:

ldapadd -W -x -D "cn=manager,dc=saioc,dc=in" -f saioc.ldif

saioc.ldif:

dn: dc=saioc,dc=in
objectClass: domain
dc: saioc

dn: cn=nss,dc=saioc,dc=in
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: nss
description: LDAP NSS user
userPassword: testpwd

dn: cn=ldapadmin,dc=saioc,dc=in
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldapadmin
description: LDAP Password Admin user
userPassword: testpwd

dn: ou=Hosts,dc=saioc,dc=in
ou: Hosts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: saioc.in

dn: ou=People,dc=saioc,dc=in
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
ou: People
associatedDomain: saioc.in

dn: ou=Group,dc=saioc,dc=in
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: saioc.in

dn: cn=ldapusers,ou=Group,dc=saioc,dc=in
cn: ldapusers
objectClass: posixGroup
gidNumber: 10000

dn: cn=labadmin,ou=Group,dc=saioc,dc=in
cn: labadmin
objectClass: posixGroup
gidNumber: 10001

dn: cn=myfuse,ou=Group,dc=saioc,dc=in
cn: myfuse
objectClass: posixGroup
gidNumber: 107

dn: cn=students,ou=Group,dc=saioc,dc=in
cn: students
objectClass: posixGroup
gidNumber: 10002

dn: ou=machines,dc=saioc,dc=in
objectClass: organizationalUnit
ou: machines

dn: ou=policies,dc=saioc,dc=in
ou: policies
objectClass: top
objectClass: organizationalUnit

After the above step, point browser to Webmin -> Servers -> LDAP Server -> Browse Database and match with the attached screenshot.


Restart LDAP server

Point browser to Webmin -> Servers -> LDAP Server and restart the server.

Setup ldap client on Gratitude

Point browser to Webmin -> System -> LDAP client -> Module config and change values to match the attached screenshot.


Point browser to Webmin -> System -> LDAP client -> LDAP Server Config and change values to match the attached screenshot.

Point browser to Webmin -> System -> LDAP client -> LDAP Search Bases and change values to match the attached screenshot.


Point browser to Webmin -> System -> LDAP client -> Authentication options and change values to match the attached screenshot.

Point browser to Webmin -> System -> LDAP client -> Services using LDAP. Edit options to match the attached screenshot.


Screenshot of editing service options

Create users in LDAP

Create admin user in LDAP (via Webmin using screen)

Point browser to Webmin -> System -> LDAP user and groups -> Add LDAP user. Create adminuser by following the attached screenshots.


users.txt:

create:pcuser1:testpwd:10202:10000:PC user1:/home/pcuser1:/bin/bash:::::
create:pcuser2:testpwd:10203:10000:PC user1:/home/pcuser2:/bin/bash:::::
create:labteacher1:testpwd:10204:10000:Lab teacher1:/home/labteacher1:/bin/bash:::::
create:labteacher2:testpwd:10205:10000:Lab teacher2:/home/labteacher2:/bin/bash:::::
create:labstudent1:testpwd:10206:10000:Lab student1:/home/labstudent1:/bin/bash:::::
create:labstudent2:testpwd:10207:10000:Lab student2:/home/labstudent2:/bin/bash:::::
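The users.txt records above are in Webmin's batch user-creation format. As an added example (not from the page), the script below parses that format, checks the records against the design above (unique uidNumber, primary group ldapusers = 10000) and produces posixAccount LDIF for ou=People with the password stored as an {SSHA} hash rather than the clear text the batch file carries. The 13-column layout (action:user:password:uid:gid:realname:home:shell:min:max:warn:inactive:expire) is my assumption.

```python
# Added example (not from the page): parse users.txt (Webmin batch format), check it against
# the page's design (unique uidNumber, primary gid ldapusers) and emit hashed-password LDIF.
import base64, hashlib, os

USERS_TXT = """\
create:pcuser1:testpwd:10202:10000:PC user1:/home/pcuser1:/bin/bash:::::
create:labteacher1:testpwd:10204:10000:Lab teacher1:/home/labteacher1:/bin/bash:::::
"""  # constructed subset of the page's users.txt
FIELDS = "action user password uid gid realname home shell min max warn inactive expire".split()  # assumed layout
PEOPLE_BASE = "ou=People,dc=saioc,dc=in"   # from the page's directory tree
LDAPUSERS_GID = 10000                      # cn=ldapusers, primary group of every user

def parse_batch(text):
    """Split users.txt into dicts, rejecting malformed lines and non-create actions."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS) or parts[0] != "create":
            raise ValueError(f"users.txt line {lineno}: malformed record")
        records.append(dict(zip(FIELDS, parts)))
    return records

def check_records(records):
    """Problems found: duplicate uidNumber, or a primary gid other than ldapusers."""
    problems, seen = [], {}
    for r in records:
        uid = int(r["uid"])
        if uid in seen:
            problems.append(f"{r['user']}: uidNumber {uid} already used by {seen[uid]}")
        seen[uid] = r["user"]
        if int(r["gid"]) != LDAPUSERS_GID:
            problems.append(f"{r['user']}: primary gid {r['gid']} is not ldapusers")
    return problems

def ssha(password, salt=None):
    """OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])   # 20-byte digest, then the salt
    return ssha(password, raw[20:]) == stored

def to_ldif(rec):
    """posixAccount entry under ou=People; the LDIF never carries the clear password."""
    lines = [f"dn: uid={rec['user']},{PEOPLE_BASE}", "objectClass: account",
             "objectClass: posixAccount", f"uid: {rec['user']}", f"cn: {rec['realname']}",
             f"uidNumber: {rec['uid']}", f"gidNumber: {rec['gid']}",
             f"homeDirectory: {rec['home']}", f"loginShell: {rec['shell']}",
             f"userPassword: {ssha(rec['password'])}"]
    return "\n".join(lines) + "\n"
```

The same {SSHA} form is what slappasswd produces, so the resulting LDIF can be loaded with the ldapadd command used for saioc.ldif, and the cn=nss role can still resolve the accounts without ever seeing a clear-text password.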

Associate all users with secondary group myfuse

This will allow users to automount USB drives in Ubuntu.

Point browser to Webmin -> System -> LDAP user and groups -> Groups
Click on myfuse

Associate lab teachers with secondary group labadmin

This will allow lab teachers to access the home directories of lab students.

Point browser to Webmin -> System -> LDAP user and groups -> Groups
Click on labadmin

Enable SSL in OpenLDAP server

Point browser to Webmin -> Servers -> LDAP Server -> OpenLDAP Server configuration and click on Generate SSL certificate.
