Lab #6 - OpenLDAP; phpLDAPAdmin; PAM Integration

Lab Steps:
I.

Stanislav

OpenLDAP & phpLDAPAdmin Installation A. Install openldap-clients, openldap-servers, and php-ldap using yum B. Start the ldap service and set it to automatically start on reboot. C. Download phpLDAPAdmin using wget http://bit.ly/d9IhR2 D. Unpackage the source by running tar xf phpldapadmin-1.2.0.5.tgz E. Execute mv phpldapadmin-1.2.0.5 /var/www/html/phpldapadmin F. Run cd /var/www/html/phpldapadmin/config && cp config.php.example config.php G. Execute sed -i “s/16M/32M/g” /etc/php.ini and restart the httpd service. H. Edit /etc/openldap/slapd.conf and make the following changes: 1. suffix to be dc=testing 2. rootdn to be cn=Admin,dc=testing 3. Add a line for rootpw to be linuxlab I. Execute cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG J. Execute chown ldap:ldap /var/lib/ldap/DB_CONFIG K. Restart the ldap service. OpenLDAP Initial Setup A. Edit /usr/share/openldap/migration/migrate_common.ph and change $DEFAULT_MAIL_DOMAIN to testing and $DEFAULT_BASE to dc=testing B. Execute /usr/share/openldap/migration/migrate_all_online.sh and configure the settings as below. You will likely receive an error at the end; ignore any: 1. dc=testing 2. localhost 3. cn=Admin,dc=testing 4. linuxlab (No output will be shown when you type this) 5. no (You will receive an error for the last entry, thatʼs okay) C. Execute chcon -t httpd_sys_content_t -R /var/www/html to fix SELinux permissions. D. Using your host machineʼs web browser, go to https://<your VM IP>/phpldapadmin/ E. Log into the web site with cn=Admin,dc=testing and linuxlab F. Go through the hierarchy of the dc=testing base and observe how the directory structure exists. Interacting with OpenLDAP A. Become your regular system user before proceeding. B. Execute an ldapsearch -x -b “dc=testing” to receive a full LDAP directory listing. C. To narrow your search to users, execute ldapsearch -x -b “ou=People,dc=testing” D. To find your user specifically, execute ldapsearch -x -b “uid=bjones,ou=People,dc=testing” E. To dump a file with all records, execute sudo /usr/sbin/slapcat > /home/bjones/slapd.db F. Create a file called addgroup.ldif to create a new group in the directory with the following: " dn: cn=testing_group,ou=Group,dc=testing " objectClass: posixGroup " objectClass: top " cn: testing_group " gidNumber: 4242 G. Execute ldapadd -D “cn=Admin,dc=testing” -W -x -f addgroup.ldif to add the new record. H. To see the new record, run ldapsearch -x -b “cn=testing_group,ou=Group,dc=testing”

II.

III.

" " " " "

IV.

" "

" " " " " " " " " " " " " " " " ! " " "

OpenLDAP System Integration A. Become the root user once again. B. Edit /etc/openldap/ldap.conf and make it contain the following lines: " BASE" " dc=testing " URI" " ldap://127.0.0.1 C. Edit /etc/ldap.conf and make it contain only the following lines: 1. Note: Using the ʻddʼ command in vim you could delete lines very quickly " host 127.0.0.1 " base dc=testing " binddn cn=Admin,dc=testing " bindpw linuxlab " rootbinddn cn=Admin,dc=testing " scope sub " bind_policy soft " pam_login_attribute uid " pam_member_attribute memberuid " pam_password exop " nss_base_passwd ou=People,dc=testing?one " nss_base_shadow ou=People,dc=testing?one " nss_base_group ou=Group,dc=testing?one D. Edit /etc/nsswitch.conf and update the following lines: " passwd: files ldap " shadow: files ldap " group: files ldap E. Edit /etc/pam.d/system-auth and update these sections: ! auth! sufficient! pam_ldap.so! use_first_pass (after pam_unix.so line) " account" sufficient" pam_ldap.so" (after pam_unix.so line) " password sufficient" pam_ldap.so" use_first_pass" (after pam_unix.so line) " session required" pam_ldap.so" (after pam_unix.so line) F. Execute a getent group | grep testing_group and verify you receive a result. G. Create a file called /etc/ldap.secret and make the contents simply contain linuxlab H. Open a different virtual terminal and make sure that you can login as your regular user still. I. Save a snapshot of your VM and call it “Lab #6 Completed”

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.