Installing LDAP client
The Lightweight Directory Access Protocol (LDAP; /ˈɛldæp/) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.[1] Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.[2] As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number. https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
LDAP Client side
- Install the command line tools from the package `ldap-utils`.
- Download our `ldapCA.pem` certificate from https://scoring.sa.cs.ut.ee/files/ldapCA.pem and save it into `/etc/ssl/certs` under the name `ldapCA.pem`. Make sure it is readable for all (everybody).
- Modify `/etc/ldap/ldap.conf` and set:

```
BASE dc=est
URI ldap://ldap.est/
TLS_CACERT /etc/ssl/certs/ldapCA.pem
```
- Test the LDAP client: fetch all distinguished names (DN).
  - Use plain channel, no authentication: `ldapsearch -LLL -x dn`
  - What are the options -LLL and -x responsible for? Refer to `man ldapsearch`.
  - Force TLS channel, no authentication: `ldapsearch -ZZ -LLL -x dn`
  - What is the option -ZZ responsible for?
  - Force SSL channel, no authentication: `ldapsearch -H ldaps://ldap.est -LLL -x dn`
All previous queries should print the list of distinguished names (DN) defined in our directory; the first one is our directory tree root (dc=est):

```
dn: dc=est
dn: cn=ldapadm,dc=est
dn: ou=People,dc=est
dn: ou=Group,dc=est
...
```
The directory tree has 2 organizational units (OU): groups and people. You can narrow the LDAP query to specific entries by providing an attribute filter (attribute=value); additionally, you can restrict the output to specific attributes by appending their names after the filter. Examples:
- Fetching all organizational units, printing all attributes: `ldapsearch -LLL -x ou=*`
- Fetching all organizational units, printing only the (ou) attribute: `ldapsearch -LLL -x ou=* ou`
- Alternate search BASE (-b), fetching all distinguished names (dn) in the groups unit (ou=groups,dc=sa18,dc=est): `ldapsearch -LLL -x -b 'ou=Group,dc=est' dn`
Figure out the ldapsearch command to query only the distinguished names inside the People organizational unit.
- Fetch only dn
- How many records are there?
- What are the attributes of the records?
- Fetch only the displayName attribute
- Can you see your name in the list?
- Fetch the information regarding your LDAP account, print all attributes
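The questions above (how many records, which attributes, is my displayName there) are easiest to answer by piping `ldapsearch -LLL` output into a small script. The following is an added example written for this page, not part of the course material: a parser for the LDIF that ldapsearch prints, exercised on a constructed sample that imitates `ou=People,dc=est`. The uids, names and values in `SAMPLE_LDIF` are made up; the sample deliberately includes the two LDIF details that break naive line-splitting, a folded line and a base64-encoded (`attr::`) value, which ldapsearch emits for non-ASCII names.

```python
"""Parse the LDIF printed by `ldapsearch -LLL` and answer: how many records,
which attributes, and what values a given attribute has.

Added example for this page; not part of the course material.  SAMPLE_LDIF is
constructed to resemble the directory described on the page; all names and
values are made up."""
import base64
from collections import Counter

# Constructed sample, modelled on `ldapsearch -LLL -x -b 'ou=People,dc=est'`.
# Includes a folded line (continuation starts with one space, RFC 2849) and
# a base64 value ("attr:: ..."), which ldapsearch uses for non-ASCII values.
SAMPLE_LDIF = """\
dn: uid=A12345,ou=People,dc=est
objectClass: top
objectClass: account
objectClass: posixAccount
cn: A12345
uid: A12345
displayName:: SsO8cmdlbiBUYW1t
description: constructed test account with a description long enough
  to be folded onto a second line by ldapsearch
mail: unset

dn: uid=B67890,ou=People,dc=est
objectClass: top
objectClass: account
objectClass: posixAccount
cn: B67890
uid: B67890
displayName: Mari Maasikas
mail: unset

"""


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute -> list of values.

    Handles blank-line record separators, '#' comments, folded lines (a line
    starting with a single space continues the previous one) and base64
    values written as 'attr:: b64'.
    """
    # Unfold first: join continuation lines onto the line they belong to.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines:
        if not line.strip():          # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):     # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):   # 'attr:< url' form; URL kept, not fetched
            value = value[1:].strip()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def record_count(text):
    """How many records are there?"""
    return len(parse_ldif(text))


def attribute_names(text):
    """Which attributes do the records carry (sorted, 'dn' excluded)?"""
    names = Counter()
    for entry in parse_ldif(text):
        names.update(a for a in entry if a != "dn")
    return sorted(names)


def values_of(text, attr):
    """Collect every value of one attribute (e.g. displayName) across records."""
    return [v for e in parse_ldif(text) for v in e.get(attr, [])]


if __name__ == "__main__":
    print("records:", record_count(SAMPLE_LDIF))
    print("attributes:", ", ".join(attribute_names(SAMPLE_LDIF)))
    print("displayName:", values_of(SAMPLE_LDIF, "displayName"))
```

On a real client you would replace `SAMPLE_LDIF` with the output of the ldapsearch command you worked out above (for example by reading `sys.stdin`); the parser does not care where the LDIF came from.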
So far we accessed the directory without authentication, therefore LDAP restricted our queries to read-only access and hid the protected account attributes such as password hashes. Next let's authenticate and perform LDAP queries. To authenticate, we need to give the LDAP client the distinguished name to bind as (-D option) and force it to prompt for the password (-W option). Otherwise the password has to be provided on STDIN, in plain text through the -w argument, or through the -y argument (password file). Examples:
- Tester figuring out his distinguished name in the LDAP directory using an attribute filter: `ldapsearch -LLL -x cn=<study-number> dn`
- Tester asking for all information regarding his LDAP account (non-authenticated): `ldapsearch -LLL -x uid=<study-number>`
- The same query using authentication: `ldapsearch -LLL -ZZ -WD 'uid=<study-number>,ou=People,dc=est' uid=<study-number>`
- For credentials, see the next box. (Replace the whole `<study-number>` part.)
Please notice that in the previous example the tester asked LDAP for a TLS channel (-ZZ) when authenticating. We advise that all authenticated access to LDAP be done over secure channels like TLS.
- Using a TLS channel, authenticate using your LDAP distinguished name and fetch all the attributes of your LDAP account.
  - Your username is your number of a study book (aka Matrikli number).
  - Password is `sysadm2019!`
  - Notice that in case of successful authentication, you should be able to see the password hash of your account (attribute userPassword).
In case you can authenticate and see your account data, you can actually change it, since LDAP provides read-write access to authenticated clients. Be aware that you can only modify the attributes of your bound DN (-D option), since these are the bounds of your authorization. Examples:
```
# Changing the password
ldappasswd -ZZ -WASD 'uid=<study-number>,ou=People,dc=est'
```
Here (-ZZ) enforces TLS channel, (-D) specifies the DN to bind to for authentication, (-W) forces password prompt for authentication, (-A) double-checks the old password, (-S) double-checks the new password.
Change the default password of your LDAP account. Refer to the example above. Please be aware that the ldappasswd utility will:
- first ask for your old password twice
- then ask for your new password twice
- submit the changes to LDAP
- NB! ask for the old password once more!
Verify that you can use your new password:
- `ldapsearch -LLL -ZZ -WD <your DN> uid=<your uid>`
Important: Refer to the ldapmodify utility and the LDAP data interchange file format (*.ldif):
- Try to modify the mail attribute of your LDAP account (use the email you set up during the course, for example user@<vm-name>.est).
- Modify the host attribute of your LDAP account. Set it to the format `<vm-name>.est`.
This will be checked manually by teachers!
To make it easier, here is the .ldif file your user was made with:
```
dn: uid={uid},ou=People,dc=est
objectClass: top
objectClass: account
objectClass: extensibleObject
objectClass: posixAccount
objectClass: shadowAccount
cn: {uid}
uid: {uid}
uidNumber: {uidnum}
gidNumber: {uidnum}
homeDirectory: /home/{uid}
loginShell: /bin/bash
description: {gecos}
userPassword: {SSHA}CSCjtJuZc6qYoRZxyMOEzfuw6dW3hiYL
shadowLastChange: 17058
mail: unset
host: unset
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
```
You can verify whether you have completed the necessary modifications using the ldapsearch command (the host and mail attributes can only be read when binding with authentication).
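The mail and host changes requested above are a `changetype: modify` record fed to ldapmodify. The following is an added example written for this page, not part of the course material: it generates that LDIF record, using `replace` because both attributes already hold the value `unset` in the template above, and switches to the base64 (`attr::`) form whenever a value would be unsafe as plain LDIF text. The study number `A12345`, the VM name `myvm` and the choice of the uid as the local part of the mail address are placeholders and assumptions of this example.

```python
"""Build the LDIF change record that `ldapmodify` needs to set the mail and
host attributes on your own account entry.

Added example for this page, not part of the course material.  Write the
output to a file and submit it bound as your own DN over TLS, e.g.:
    ldapmodify -ZZ -W -D 'uid=<study-number>,ou=People,dc=est' -f change.ldif
"""
import base64


def ldif_value(attr, value):
    """Render one 'attr: value' line, switching to the 'attr:: base64' form
    when RFC 2849 says the plain form is unsafe: a leading space, colon or
    '<', any non-ASCII character, or a control character such as a newline."""
    unsafe_first = value[:1] in (" ", ":", "<")
    unsafe_chars = any(ord(c) > 126 or ord(c) < 32 for c in value)
    if value and not unsafe_first and not unsafe_chars:
        return "%s: %s" % (attr, value)
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return "%s:: %s" % (attr, encoded)


def modify_record(dn, changes):
    """Return an LDIF 'changetype: modify' record.

    `changes` is a list of (operation, attribute, values) where operation is
    one of add/replace/delete; ldapmodify expects each operation to be
    terminated by a line containing only '-'.
    """
    lines = [ldif_value("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        if op not in ("add", "replace", "delete"):
            raise ValueError("unknown modify operation: %r" % op)
        lines.append("%s: %s" % (op, attr))
        lines.extend(ldif_value(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def account_update(uid, vm_name, mail_user=None):
    """The change this page asks for: set mail to <user>@<vm-name>.est and
    host to <vm-name>.est on the entry uid=<uid>,ou=People,dc=est.

    Assumption of this example: the local part of the address defaults to
    the uid; pass mail_user to use the account name you created in the course.
    """
    dn = "uid=%s,ou=People,dc=est" % uid
    local = mail_user or uid
    return modify_record(dn, [
        ("replace", "mail", ["%s@%s.est" % (local, vm_name)]),
        ("replace", "host", ["%s.est" % vm_name]),
    ])


if __name__ == "__main__":
    # Placeholder values; replace with your own study number and VM name.
    print(account_update("A12345", "myvm"), end="")
```

After the change, the verification step above (`ldapsearch -LLL -ZZ -WD <your DN> uid=<your uid>`) should show the new mail and host values; an anonymous search will still not show them.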
Configuring Apache to authenticate against the LDAP
The routine is quite similar to the one for the Apache .htpasswd file and Unix PAM back-ends of HTTP authentication. Naturally we should declare a <Location ...> or <Directory ...> to limit access to. This time we are not going to create an additional virtual host or a specific document root for LDAP auth. Instead we are going to use the LDAP status module (provided by Apache's mod_ldap) as our <Location ...> target.
- In your Apache virtual host test.<yourdomain>.est SSL site definition add the following `Location` directive:

```
<Location "/ldap-status">
    SetHandler ldap-status
    AuthType Basic
    AuthName "LDAP Protected"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.est/ou=People,dc=est?uid?one TLS
    Require valid-user
</Location>
```
As you can see, here we enforce a TLS channel, therefore we also want Apache to use our LDAP CA certificate to verify the LDAP server.
- Make sure you downloaded the LDAP CA in PEM format from https://scoring.sa.cs.ut.ee/files/ldapCA.pem, stored it in `/etc/ssl/certs` under the name `ldapCA.pem` and made it readable for all.
- Download the LDAP CA in DER format from https://scoring.sa.cs.ut.ee/files/ldapCA.der, store it in `/etc/ssl/certs` under the name `ldapCA.der` and make it readable for all.
- In `/etc/apache2/conf-available/` create a configuration file `ldap-certs.conf` and add the following lines:

```
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ldapCA.pem
LDAPTrustedGlobalCert CA_DER /etc/ssl/certs/ldapCA.der
```
- Enable the apache2 modules `ldap` and `authnz_ldap`.
- Enable the newly created configuration `ldap-certs.conf` (using a2enconf). Check the syntax and restart Apache.
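Before restarting Apache it is worth confirming that the two trust-anchor files are what the `LDAPTrustedGlobalCert` directives claim: both exist, both are readable by everyone (the Apache workers run unprivileged), the PEM file really contains a certificate, the DER file really is DER, and both encode the same CA. The following is an added example written for this page, not part of the course material. The default paths are the ones from the page; `build_constructed_pair` writes a fake certificate body (a bare ASN.1 SEQUENCE header plus filler, not a real certificate) so the checker can be exercised without the real CA, and `self_check` runs it on a matching and a mismatched pair.

```python
"""Sanity-check the PEM and DER copies of the LDAP CA that Apache is told to
trust via LDAPTrustedGlobalCert CA_BASE64 / CA_DER.

Added example for this page, not part of the course material.  Default paths
are the ones used on the page."""
import base64
import os
import re
import stat
import tempfile

PEM_PATH = "/etc/ssl/certs/ldapCA.pem"
DER_PATH = "/etc/ssl/certs/ldapCA.der"
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def world_readable(path):
    """True if the mode grants read to 'other' (the unprivileged worker needs it)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def pem_to_der(pem_bytes):
    """Extract the first CERTIFICATE block from PEM and return its DER bytes."""
    m = _PEM_RE.search(pem_bytes.decode("ascii", "replace"))
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM file")
    return base64.b64decode("".join(m.group(1).split()))


def looks_like_der(der_bytes):
    """A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30."""
    return len(der_bytes) > 2 and der_bytes[0] == 0x30


def check_ca_files(pem_path=PEM_PATH, der_path=DER_PATH):
    """Return a dict of check name -> bool; all True means Apache can use both."""
    results = {}
    for name, path in (("pem_readable", pem_path), ("der_readable", der_path)):
        results[name] = os.path.exists(path) and world_readable(path)
    try:
        with open(pem_path, "rb") as f:
            pem_der = pem_to_der(f.read())
        with open(der_path, "rb") as f:
            der = f.read()
    except (OSError, ValueError):
        results.update(pem_is_pem=False, der_is_der=False, same_cert=False)
        return results
    results["pem_is_pem"] = looks_like_der(pem_der)
    results["der_is_der"] = looks_like_der(der)
    results["same_cert"] = pem_der == der   # both directives must name one CA
    return results


def build_constructed_pair(directory, der_bytes=None):
    """Write a matching, world-readable PEM/DER pair into `directory`.
    The body is constructed filler, not a real certificate."""
    if der_bytes is None:
        der_bytes = b"\x30\x82\x01\x00" + bytes(range(256))  # fake SEQUENCE
    der_path = os.path.join(directory, "ldapCA.der")
    pem_path = os.path.join(directory, "ldapCA.pem")
    b64 = base64.b64encode(der_bytes).decode("ascii")
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
           + "\n-----END CERTIFICATE-----\n")
    with open(der_path, "wb") as f:
        f.write(der_bytes)
    with open(pem_path, "w") as f:
        f.write(pem)
    for p in (der_path, pem_path):
        os.chmod(p, 0o644)
    return pem_path, der_path


def self_check():
    """Run the checker on a matching pair, then on a mismatched DER.
    Returns (all checks pass for match, same_cert for mismatch, der_is_der)."""
    with tempfile.TemporaryDirectory() as d:
        pem, der = build_constructed_pair(d)
        good = check_ca_files(pem, der)
        with open(der, "wb") as f:             # different constructed body
            f.write(b"\x30\x82\x00\x10" + bytes(16))
        bad = check_ca_files(pem, der)
    return all(good.values()), bad["same_cert"], bad["der_is_der"]


if __name__ == "__main__":
    for check, ok in sorted(check_ca_files().items()):
        print("%-13s %s" % (check, "ok" if ok else "FAIL"))
```

Run without arguments on the VM it inspects the real `/etc/ssl/certs/ldapCA.*` files; a `same_cert FAIL` means the PEM and DER downloads differ and Apache would be trusting two different CAs.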
Test LDAP by accessing from your local browser: https://test.<yourdomain>.est/ldap-status
- It should ask for authentication against the LDAP server, where the username is the CN and the password is either `sysadm2019!` or the one you set with ldappasswd.