Install Guide OpenLDAP for Enterprise Identity Management & SSO v1.1


Upload: kefa-rabah

Post on 16-Nov-2014


DESCRIPTION

LDAP is an acronym for Lightweight Directory Access Protocol; it is a simplified version of the X.500 protocol. It is lean, mean and powerful, with the capacity to support today's exponentially increasing internet traffic, electronic commerce and time-critical content on the web. The LDAP directory set up in this training manual will be used for authentication, a shared directory (for mail clients), an address book, and so on. Today, LDAP directories and LDAP authentication have become one of the cornerstones of enterprise user infrastructure. As the enterprise has digitized and opened itself up to customer, business partner, vendor and wide-spread employee access to pieces of most enterprise applications, the need to know who the user is has significantly increased from a security perspective. Who is the user trying to access an application? What is the strength of the authentication by which the application can trust the user trying to access it? What are the user's authorization privileges? That is, an enterprise-wide LDAP implementation can enable almost any application, running on almost any computer platform, to obtain information from your LDAP directory. And that directory can be used to store a broad range of data: email addresses and mail routing information, HR data, public security keys, contact lists, and much more. By making an LDAP directory a focal point in your systems integration, you provide one-stop shopping whenever people go looking for information within your company, even if the primary source of the data lives elsewhere; i.e., they sign in once, via Single Sign-On (SSO), and thereafter they have access to all LDAP-linked services. In this hands-on training manual we go step by step through how to successfully plan, design, implement and deploy an OpenLDAP server and an OpenLDAP client on separate Linux CentOS5 machines.

It is assumed in this lab session that you have a good understanding of Linux and also know how to set up DNS servers and mail messaging servers. If not, the four articles listed under the related links will give you a quick start and get you going.

TRANSCRIPT


Global Open Versity, ICT Labs Install Guide OpenLDAP for Enterprise Identity Management & SSO v1.1

© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada www.globalopenversity.org CIS401 - Linux for Engineering and IT Applications


Global Open Versity

Systems Integration Hands-on Labs Training Manual

Install Guide OpenLDAP for Enterprise Identity Management & SSO

Kefa Rabah Global Open Versity, Vancouver Canada

[email protected] www.globalopenversity.org

Table of Contents (page numbers refer to the original manual)

INSTALL GUIDE OPENLDAP FOR ENTERPRISE IDENTITY MANAGEMENT & SSO 1
1.0 Introduction 1
    Topics Covered 2
1.1 Linux/Unix Authentication and Naming services 2
1.2 Introduction to LDAP 2
    1.2.1 What is LDAP 2
    1.2.2 LDAP Advantages 2
    1.2.3 LDAP Disadvantages 3
1.3 LDAP Hierarchy 3
    1.3.1 Components of LDAP directory for a small enterprise 3
    1.3.2 Distinguished Names (dn) 4
2.0 LDAP Schema 4
2.1 Access to an LDAP Server 5
2.2 LDAP vendors 5
3.0 OpenLDAP installation and configuration 5
    Step 1: Install OpenLDAP on CentOS5/RHEL5 6
    Step 2: OpenLDAP Setup & Configure on Linux CentOS5 6
    Step 3: Test Populate our LDAP server 8
    Step 4: More on OpenLDAP Commands 10
4.0 Deploying LDAP Directory Infrastructure 11
    Step 1: Create an LDIF file for importing to the OpenLDAP database 12
5.0 Linux OpenLDAP Client Machine Configuration 14
    Step 1: Download & Install OpenLDAP Client's Required Packages 14
    Step 2: Verify DNS Health Check 14
    Step 3: Configuring OpenLDAP Client on Linux CentOS5 15
    Step 4: Check & verify the client configuration file /etc/openldap/ldap.conf 17
    Step 5: Check & verify the client configuration file /etc/ldap.conf 17
    Step 6: Test OpenLDAP connectivity with Client 18
6.0 Deploying LDAP Directory for Infrastructure SSO 20
    4.1 Data tree with dn, objectClass, cn, and sn attributes 23
    Step 1: Populate the LDAP Tree 23
7.0 Summary 27
8.0 References 27
9.0 Hands-on Lab Assignments 28
Linux Administration Training 28

Install Guide OpenLDAP for Enterprise Identity Management & SSO
By Kefa Rabah, [email protected]
Nov 8, 2009, GTS Institute

1.0 Introduction

LDAP is an acronym for Lightweight Directory Access Protocol; it is a simplified version of the X.500 protocol. It is lean, mean and powerful, with the capacity to support today's exponentially increasing internet traffic, electronic commerce and time-critical content on the web. The LDAP directory set up in this training manual will be used for authentication, a shared directory (for mail clients), contacts and address books, and so on. Today, LDAP directories and LDAP authentication have become one of the cornerstones of enterprise user infrastructure. As the enterprise has digitized and opened itself up to customer, business partner, vendor and wide-spread employee access to pieces of most enterprise applications, the need to know who the user is has significantly increased from a security perspective. Who is the user trying to access an application? What is the strength of the authentication by which the application can trust the user trying to access it? What are the user's authorization privileges?

That is, an enterprise-wide LDAP implementation can enable almost any application, running on almost any computer platform, to obtain information from your LDAP directory. And that directory can be used to store a broad range of data: email addresses and mail routing information, HR data, public security keys, contact lists, and much more. By making an LDAP directory a focal point in your systems integration, you provide one-stop shopping whenever people go looking for information within your company, even if the primary source of the data lives elsewhere; i.e., they sign in once, via Single Sign-On (SSO) Identity Management, and thereafter they have access to all LDAP-linked services and resources they have permission to use.

OpenLDAP Software is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License.
LDAP is a platform-independent protocol. Historically the OpenLDAP server (slapd, the Standalone LDAP Daemon) architecture was split between a frontend (LDAP client) which handles network access and protocol processing, and a backend (LDAP server) which deals strictly with data storage. The architecture is modular and many different backends are available for interfacing to other technologies, not just traditional databases.

Proper design, implementation and deployment of enterprise LDAP authentication from the very beginning is crucial to the eventual success of centralized identity management and therefore of SSO. Failure to do so can be very detrimental in terms of security. For example, it is very important that before LDAP authentication is implemented the enterprise first determines which system or application will be authoritative for the identity data, which users will fall into the super-user category, and what kind of privileges are allocated to them. Not implementing things correctly could in the end mean cleaning up the associated business processes dealing with identity creation, role changes and terminations. Often the authoritative identity source will have many identities in its data stores listed as active that are no longer active. This can create undetected and sometimes hidden security holes in any large enterprise LDAP authentication deployment.

In this hands-on training manual we go step by step through how to successfully plan, design, implement and deploy an OpenLDAP server and an OpenLDAP client on separate Linux CentOS5 machines. It is assumed in this lab session that you have a good understanding of Linux and also know how to set up DNS servers and mail messaging servers. If not, the following four articles will give you a quick start and get you going.

1. Install Configure and Upgrade Linux CentOS5 Server v1.1
2. Using Webmin and Bind9 to Setup DNS Server on Linux
3. Deploy Secure Messaging Solution using Sendmail & Dovecot Servers with ClamAV on Linux
4. Step-by-Step Install Guide for Evolution Mail Client with Addressbook using LDAP on Linux v1.2

Topics Covered

1. Overview of Unix Authentication and Naming services
2. Introduction to LDAP
3. LDAP installation and configuration
4. LDAP applications
5. Practical Exercises

1.1 Linux/Unix Authentication and Naming services

Some of the UNIX authentication and naming services are: NIS, NIS+, LDAP and Kerberos.

1.2 Introduction to LDAP

1.2.1 What is LDAP

• A directory publishing service
• Lightweight Directory Access Protocol to X.500 directories
• The latest: Protocol v3 (RFC2253)
• Stores attribute-based data (a kind of database)
• Data generally read more than written to (enhanced search, optimized for reads)
• Client/Server implementation
• Possesses an extensible schema for Objectclasses

1.2.2 LDAP Advantages

• Provides a standard means of accessing data over a network
• Fast searches and retrieval of data
• Good security mechanisms

1.2.3 LDAP Disadvantages

• X.500 heritage
• Flexibility (relies on namespace and schema)
• Entries are in non-ASCII format (updating them needs special tools)
• Application vendors use directories in their own way
• Lack of standardization in some areas

1.3 LDAP Hierarchy

Figure 1 shows a schematic LDAP hierarchical structure.

Fig. 1: A data tree with root, branch and leaf nodes

1.3.1 Components of LDAP directory for a small enterprise

Figure 2 shows a more realistic schematic LDAP hierarchical structure: a data tree with root, branch and leaf nodes.

[Figure: example.com at the root as the Organization (o) or Domain component (dc) node; IT and Sales beneath it as Organizational Unit (ou) nodes; Rick Doug, Joe Johns, Will Smith, Sarah Smith and Kate Jude as Person (cn) leaf nodes.]

Fig. 1.2: A data tree with root, branch and leaf nodes

• Directory Levels
• Domain component (dc) or organization (o)
• Organizational Unit (ou)
• Common names (cn)

1.3.2 Distinguished Names (dn)

Figure 3 shows an LDAP hierarchical structure: an organizational data tree with root, branch and leaf nodes.

Fig. 3: An organizational data tree with root, branch and leaf nodes

A distinguished name (dn) is a unique name in the Directory tree:

    dn: dc=example,dc=com
    dn: ou=IT,dc=example,dc=com
    dn: cn=Joe Johns,ou=IT,dc=example,dc=com
    dn: cn=Rick Doug,ou=IT,dc=example,dc=com

2.0 LDAP Schema

An LDAP schema:

• Is a set of rules that describes what kind of data is stored
• Helps maintain consistency and quality of data
• Reduces duplication of data
• The object class attribute determines the schema rules the entry must follow
• The schema contains the following:
    - Required attributes
    - Allowed attributes
    - How to compare attributes
    - Limits on what the attributes can store (i.e., restrict to integer, etc.)
    - Restrictions on what information is stored (i.e., stops duplication, etc.)
• There are schemas available for various kinds of directories.
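As an added example (not from the manual) of the schema rules just listed, the Python below reads LDIF records of the kind this guide loads with ldapadd and applies the checks slapd makes before it will add an entry: an objectClass must be present, the RDN attribute value must appear in the entry, and every required (MUST) attribute of each object class must be present. The MUST table is a hand-picked subset of OpenLDAP's core.schema for the object classes used in this manual, and the sample records are constructed.

```python
import re
# Added example, not part of the manual: a minimal LDIF reader and the
# checks slapd applies when ldapadd loads an entry. MUST is a hand-picked
# subset of core.schema covering only the object classes this manual uses.
MUST = {"dcobject": ["dc"], "organization": ["o"],
        "organizationalunit": ["ou"], "person": ["cn", "sn"]}
# Constructed sample: the manual's base.ldif record plus one IT-branch person.
SAMPLE_LDIF = """\
# File: base.ldif
dn: dc=beemtech,dc=edu
objectclass: organization
objectclass: dcObject
o: beemtech.edu
dc: beemtech

dn: cn=Joe Johns,ou=IT,dc=beemtech,dc=edu
objectclass: person
cn: Joe Johns
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; attribute names are lowercased."""
    records, dn, attrs = [], None, {}
    unfolded = re.sub(r"\n ", "", text)  # a leading space continues a line
    for line in unfolded.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line:  # a blank line terminates the record
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return records

def check_entry(dn, attrs):
    """List the schema violations slapd would report for one entry."""
    problems = []
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    if not classes:
        problems.append("no objectClass attribute")
    # The RDN value must be present in the entry, otherwise namingViolation.
    rdn_attr, rdn_value = (p.strip() for p in dn.split(",", 1)[0].split("=", 1))
    if rdn_value.lower() not in [v.lower() for v in attrs.get(rdn_attr.lower(), [])]:
        problems.append(f"naming attribute '{rdn_attr}' value not present in entry")
    # Every MUST attribute of every object class has to be present.
    for cls in classes:
        for required in MUST.get(cls, []):
            if required not in attrs:
                problems.append(f"object class '{cls}' requires attribute '{required}'")
    return problems

def check_ldif(text):
    """Map each dn to its problems; an empty list means the entry would load."""
    return {dn: check_entry(dn, attrs) for dn, attrs in parse_ldif(text)}
```

Running check_ldif(SAMPLE_LDIF) reports nothing for the root entry and flags the person entry for its missing sn, which is the same objection slapd would raise at ldapadd time.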

2.1 Access to an LDAP Server

Figure 5 shows how LDAP clients can query and modify data in the LDAP Directory using commands.

[Figure: a Client sends a Query to the LDAP Server (slapd, TCP/389), which answers from the Directory.]

Fig. 5: Clients can query and modify data in the Directory using commands.

2.2 LDAP vendors

Some of the currently existing LDAP vendors, open source and proprietary:

• OpenLDAP (OpenLDAP public license) http://www.openldap.org
• Commercial offerings:
    - SunOne (iPlanet) Directory Server
    - Novell's eDirectory
    - IBM Directory Server
    - Microsoft Active Directory
    - Innosoft
    - Lotus Domino
    - Nexor
    - Critical Path
    - Sun OpenDS
    - Fedora Directory Server

3.0 OpenLDAP installation and configuration

1. OpenLDAP can be downloaded from http://www.openldap.org, compiled and installed on major Unix systems.
2. Red Hat RPMs:

• On a Linux Server: openldap, openldap-servers, openldap-clients, nss_ldap
• On a Linux Client: openldap, openldap-clients, nss_ldap

Step 1: Install OpenLDAP on CentOS5/RHEL5

The command line equivalent of the steps below is yum install "openldap-servers" and "openldap-clients".

1. First and foremost, check whether OpenLDAP is installed:

    ]# rpm -qa | grep openldap*    \\ the trailing * lists every installed openldap package

    [root@server04 ~]# rpm -qa | grep openldap*
    openldap-servers-2.3.43-3.el5
    openldap-servers-sql-2.3.43-3.el5
    openldap-2.3.27-8.el5_2.4
    openldap-2.3.43-3.el5
    openldap-devel-2.3.43-3.el5
    openldap-servers-overlays-2.3.43-3.el5
    openldap-clients-2.3.43-3.el5
    [root@server04 ~]#

2. If you get a blank result, OpenLDAP is not installed. The best way to get OpenLDAP is to compile it from source. However, I have found that the RPM files obtained via Yum on CentOS5/RHEL5 contain all the required files. To install all OpenLDAP files on CentOS5, do the following:

    [root@server04 ~]# yum install openldap* -y

To start the "slapd" daemon and enable it at boot, issue the following commands:

    [root@server04 ~]# service ldap start
    [root@server04 ~]# chkconfig --level 35 ldap on

Step 2: OpenLDAP Setup & Configure on Linux CentOS5

In this section you will be shown how to set up an LDAP address book using OpenLDAP, an open source implementation of the Lightweight Directory Access Protocol. The example below uses "beemtech.edu" as the base domain.

1. Edit the file /etc/openldap/slapd.conf and set the following directives:

    suffix    "dc=beemtech,dc=edu"
    rootdn    "cn=Manager,dc=beemtech,dc=edu"
    rootpw    password
    directory /var/lib/ldap

• Note: To avoid storing the password in plain text, convert the password to a hash with the command "slappasswd -s password" and paste the resulting hash into the file in place of the clear-text value.

3. Copy the file "/etc/openldap/DB_CONFIG.example" into "/var/lib/ldap" as DB_CONFIG.

    ]# cd /etc/openldap/
    ]# cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG

4. Start the ldap service

    ]# service ldap start
    ]# chkconfig --level 35 ldap on

5. Create a file named base.ldif containing the lines below and save it into your home directory.

    # File: base.ldif
    ## Root node
    dn: dc=beemtech,dc=edu
    objectclass: organization
    objectclass: dcObject
    o: beemtech.edu
    dc: beemtech

6. Import base.ldif into your directory using the command below.

    [root@server04 ~]# ldapadd -x -D "cn=Manager,dc=beemtech,dc=edu" -w password -f ~/base.ldif
    adding new entry "dc=beemtech,dc=edu"
    [root@server04 ~]#

• Replace password with the root password you specified in slapd.conf.

7. To verify that the service is working, try the following query command:

    [root@server04 ~]# ldapsearch -x -b '' -s base '(objectClass=*)' namingContexts
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope baseObject
    # filter: (objectClass=*)
    # requesting: namingContexts
    #

    #
    dn:
    namingContexts: dc=beemtech,dc=edu

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
    [root@server04 ~]#

Step 3: Test Populate our LDAP server

8. To test our LDAP directory we need to populate it. To do this, create an LDIF file. The LDAP Data Interchange Format (LDIF) is a standard plain-text data interchange format for representing LDAP (Lightweight Directory Access Protocol) directory content and update requests. LDIF conveys directory content as a set of records, one record for each object (or entry). It represents update requests, such as Add, Modify, Delete, and Rename, as a set of records, one record for each update request.

9. To help you manage your LDAP directory, you can install some of the GUI tools available out there, like:

• Kldap
• KDirAdm
• Directory Administrator
• GQ
• LDAP Browser/Editor
• JXplorer

10. Follow the link below to access the document. The full document has moved to Docstoc.com. You may download it from here: http://www.docstoc.com/docs/46024785/Install-Guide-OpenLDAP-for-Enterprise-Identity-Management-and-SSO

-----------------------------------------------

Kefa Rabah is the Founder and CIO of Serengeti Systems Group Inc. Kefa is knowledgeable in several fields of Science & Technology, IT Security Compliance and Project Management, and Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance your education and career goals using the latest innovations and technologies.