
Assignment

SNA
2021

Install and Configure OpenLDAP server


Your Assignment Should Cover the Following Tasks

• Update and upgrade your system packages.

• Configure OpenLDAP server

• Set the OpenLDAP administrator password.

(This can be done using the slappasswd command, which prompts for the password
and prints a salted password hash; it is this hash, not the cleartext password,
that goes into the configuration)

{SSHA}MI/malE7t763EWw7YiRzXsojGETmqMJq

You can also set the password in a one-line command: slappasswd -h {SHA} -s password
Replace 'password' with your password.

• Configure OpenLDAP database

• Import OpenLDAP basic schemas

Navigate to the OpenLDAP schemas directory and import the cosine, nis and
inetorgperson schemas.

cd /etc/openldap/schema

for schema in cosine.ldif nis.ldif inetorgperson.ldif; do ldapadd -Y EXTERNAL -H ldapi:/// -f $schema; done

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"


Update the OpenLDAP database configuration by modifying the values of the
following attributes:

• olcSuffix – set the value to your base domain
• olcRootDN – set the value to your LDAP domain administrative entry
• olcRootPW – set this to the LDAP admin password hash generated above.

Also, configure the access control list for the LDAP monitor backend
(olcDatabase={1}monitor.ldif) and the primary database backend
(olcDatabase={2}mdb.ldif).

All these modifications can be implemented using a single ldif file as shown
below:

vim mod_domain.ldif

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}MI/malE7t763EWw7YiRzXsojGETmqMJq

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
These modifications can be implemented using the ldapmodify command.

ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_domain.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"


You can use the ldapsearch command to verify this.

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={2}mdb -LLL

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: {SSHA}MI/malE7t763EWw7YiRzXsojGETmqMJq
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}monitor -LLL

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
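The ldapsearch output above is the place to confirm that the two security-relevant settings actually landed: olcRootPW must hold the slappasswd hash rather than a cleartext value, and the olcAccess rule scoped to userPassword must sit before the catch-all "to *" rule and give anonymous no more than auth, otherwise every password hash in the directory is readable without binding. The script below is an added example written for this page, not part of the assignment or of OpenLDAP; it unfolds LDIF continuation lines (the way ldapsearch -LLL wraps long values onto a following line that starts with a space) and runs those checks over a constructed copy of the mdb entry shown above and over a deliberately weak counter-example. The sample text, the WEAK_MDB_LDIF entry and the ranking of access levels in ACCESS_LEVELS are assumptions made here.

```python
"""Audit an OpenLDAP database entry dumped with `ldapsearch ... -LLL`.

Unfolds LDIF continuation lines (a line starting with one space continues
the previous value) and then checks what this configuration guide cares about:
  * olcRootPW holds a {SCHEME} hash from slappasswd, never a cleartext value
  * an olcAccess rule scoped to userPassword exists and precedes the catch-all
  * that rule never gives anonymous or `*` more than `auth` on userPassword
"""
import base64
import re
import shlex

# OpenLDAP access levels, weakest to strongest (assumed ranking for this audit).
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed sample: the mdb entry from the guide, with one value folded the
# way ldapsearch prints long lines.
SAMPLE_MDB_LDIF = """\
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: {SSHA}MI/malE7t763EWw7YiRzXsojGETmqMJq
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=exam
 ple,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
"""

# Constructed counter-example: cleartext root password and a rule that lets
# anyone read password hashes.
WEAK_MDB_LDIF = """\
dn: olcDatabase={2}mdb,cn=config
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: secret
olcAccess: {0}to attrs=userPassword by * read
olcAccess: {1}to * by * read
"""


def unfold_ldif(text):
    """Join LDIF continuation lines back onto the line they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_entry(text):
    """Parse one LDIF record into {attribute-in-lowercase: [values]}."""
    entry = {}
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def parse_acl(value):
    """Turn one olcAccess value into (what, [(who, access), ...])."""
    value = re.sub(r"^\{\d+\}", "", value).strip()
    if not value.startswith("to "):
        raise ValueError(f"not an access rule: {value!r}")
    what, *by_clauses = value[3:].split(" by ")
    clauses = []
    for clause in by_clauses:
        tokens = shlex.split(clause)       # handles the quotes around DNs
        # "by <who> [<access>]": access defaults to read when omitted
        clauses.append((tokens[0], tokens[1] if len(tokens) > 1 else "read"))
    return what.strip(), clauses


def access_rank(access):
    """Rank an access level; unknown forms (e.g. '=rscw' privileges) rank as write."""
    return ACCESS_LEVELS.index(access) if access in ACCESS_LEVELS else ACCESS_LEVELS.index("write")


def audit_mdb_config(entry):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    rootpw = entry.get("olcrootpw", [""])[0]
    if not re.match(r"^\{[A-Za-z0-9-]+\}", rootpw) or rootpw.upper().startswith("{CLEARTEXT}"):
        findings.append("olcRootPW is not a password hash; store the slappasswd output instead")

    acls = [parse_acl(v) for v in entry.get("olcaccess", [])]
    pw_rules = [i for i, (what, _) in enumerate(acls)
                if what.startswith("attrs=") and "userpassword" in what.lower()]
    catch_all = [i for i, (what, _) in enumerate(acls) if what == "*"]
    if not pw_rules:
        findings.append("no olcAccess rule is scoped to userPassword; the catch-all rule governs it")
        return findings
    if catch_all and catch_all[0] < pw_rules[0]:
        findings.append("the userPassword rule comes after 'to *', so slapd never reaches it")
    for who, access in acls[pw_rules[0]][1]:
        if who in ("*", "anonymous", "users") and access_rank(access) > access_rank("auth"):
            findings.append(f"userPassword rule grants '{access}' to '{who}'; 'auth' is the most it should get")
    return findings


if __name__ == "__main__":
    for name, text in (("guide", SAMPLE_MDB_LDIF), ("weak", WEAK_MDB_LDIF)):
        print(name, audit_mdb_config(parse_ldif_entry(text)) or ["ok"])
```

To run it against a live server, replace SAMPLE_MDB_LDIF with the output of the ldapsearch command above (read from stdin or a file); the parser copes with the folded lines as printed, so there is no need to reflow them first.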
Create the base domain and add it to LDAP to create your directory. Replace the
domain entries appropriately.

vim basedn.ldif

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Com
dc: Example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Directory Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
To add the base domain entry, run the command below:

ldapadd -x -D cn=Manager,dc=example,dc=com -W -f basedn.ldif

Enter LDAP Password: (the LDAP manager's password set above)
adding new entry "dc=example,dc=com"
adding new entry "cn=Manager,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"

The OpenLDAP server configuration is about done.

Create OpenLDAP server User Accounts


Generate a password for the user using the slappasswd command:

slappasswd

New password:
Re-enter new password:
{SSHA}QLXFlVsiNY7bLgcwx8yurJqMZVaErD9b
Create an ldif file for specifying user attributes.

vim add_user.ldif

dn: uid=amosm,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Amos
sn: Mibey
userPassword: {SSHA}QLXFlVsiNY7bLgcwx8yurJqMZVaErD9b
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/amosm

dn: cn=amosm,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: Amos
gidNumber: 10000
memberUid: amosm

ldapadd -x -D cn=Manager,dc=example,dc=com -W -f add_user.ldif

Enter LDAP Password:
adding new entry "uid=amosm,ou=People,dc=example,dc=com"
adding new entry "cn=amosm,ou=Group,dc=example,dc=com"

To verify that the user is created, you can use the ldapsearch command to query
its details.

ldapsearch -x uid=amosm -b dc=example,dc=com -LLL

dn: uid=amosm,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Amos
sn: Mibey
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/amosm
uid: amosm
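Two things on this page are worth seeing in code: what the {SSHA} value that slappasswd prints actually contains (both for the admin password at the start and for the user password above), and how the add_user.ldif records fit together. The script below is an added example written for this page, not part of the assignment or of OpenLDAP. It reproduces the {SSHA} scheme (base64 of a SHA-1 digest over password plus a random 4-byte salt, followed by the salt), verifies a password against a stored value by recovering that salt, and builds the People and Group records for a batch of users with sequential uidNumbers. Computing hashes this way avoids putting the cleartext on a command line with slappasswd -s, where it would end up in shell history; note also that the -h {SHA} variant mentioned earlier produces an unsalted hash, which is why the default {SSHA} is preferable. The user list, the private-group convention (gidNumber equal to uidNumber, as in the example above), the uid pattern and the base DN are assumptions.

```python
"""Generate {SSHA} password hashes the way slappasswd does and build the
add_user.ldif records for a batch of accounts.

{SSHA} is base64(sha1(password + salt) + salt) with a random 4-byte salt, so
the same password hashed twice gives two different strings, and verifying
means re-hashing with the salt recovered from the stored value.
"""
import base64
import hashlib
import hmac
import os
import re

# Assumed login-name policy: lowercase, starts with a letter or underscore.
UID_PATTERN = re.compile(r"^[a-z_][a-z0-9_-]*$")


def ssha_hash(password, salt=None):
    """Return an OpenLDAP {SSHA} value for `password` (random 4-byte salt by default)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check `password` against a stored {SSHA} value with a constant-time compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_ldif(uid, cn, sn, password_hash, uid_number, base_dn="dc=example,dc=com"):
    """Build the posixAccount and posixGroup records for one user (same layout as add_user.ldif)."""
    if not UID_PATTERN.match(uid):
        raise ValueError(f"invalid uid {uid!r}")
    person = [
        f"dn: uid={uid},ou=People,{base_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {uid}",
        f"cn: {cn}",
        f"sn: {sn}",
        f"userPassword: {password_hash}",
        "loginShell: /bin/bash",
        f"uidNumber: {uid_number}",
        f"gidNumber: {uid_number}",      # user private group: gid == uid (assumed convention)
        f"homeDirectory: /home/{uid}",
    ]
    group = [
        f"dn: cn={uid},ou=Group,{base_dn}",
        "objectClass: posixGroup",
        f"cn: {uid}",                     # naming attribute matches the RDN
        f"gidNumber: {uid_number}",
        f"memberUid: {uid}",
    ]
    return "\n".join(person) + "\n\n" + "\n".join(group) + "\n"


def build_batch(users, start_uid_number=10000, base_dn="dc=example,dc=com"):
    """users: iterable of (uid, cn, sn, cleartext_password). Returns one LDIF text.

    uidNumbers are assigned sequentially; a repeated uid is rejected because
    ldapadd would otherwise fail half-way through the file.
    """
    seen = set()
    records = []
    for offset, (uid, cn, sn, password) in enumerate(users):
        if uid in seen:
            raise ValueError(f"duplicate uid {uid!r}")
        seen.add(uid)
        records.append(user_ldif(uid, cn, sn, ssha_hash(password),
                                 start_uid_number + offset, base_dn))
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed sample users; pipe the result into `ldapadd -x -D ... -W`
    ldif = build_batch([("amosm", "Amos", "Mibey", "example-pass-1"),
                        ("jdoe", "Jane", "Doe", "example-pass-2")])
    print(ldif)
```

Because the salt is random, running the script twice yields different userPassword values for the same password; that is expected, and ssha_verify shows how slapd still matches a bind password against either of them.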
Well, that is all it takes to install and configure an OpenLDAP server on Fedora 29. It
all seems good. Feel free to add more users and explore the full functionality of
OpenLDAP. Before we wrap up, open the OpenLDAP server service on the
firewall to allow external access.

firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload


Your tasks are as follows:
1. Do the above configuration, using your virtual PC
2. Configure the LDAP client to authenticate via the OpenLDAP server
3. Create documentation
4. Prepare a presentation

Due Date : 17th April 2021

Submission Links available on Courseweb (SNA page )
