Practical exercises:
LDAP for centralized user authentication.
Configuring both the server and the client for LDAP user authentication.
On both master and n01, configure the NSS libraries to read user accounts from the LDAP server by
editing /etc/nsswitch.conf so that its content looks as follows:
passwd: files ldap
group: files ldap
shadow: files ldap
#
hosts: files dns ldap
networks: files ldap
#
protocols: db files
services: db files
ethers: db files
rpc: db files
#
netgroup: nis
These settings, however, cause a problem at system boot because of a known bug in nss_ldap on Ubuntu 14.04. For that reason the system should see a generic nsswitch.conf file during boot. Create the file /etc/nsswitch.conf.local with the following content:
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
On both VMs, edit the file /etc/ldap.conf (the nss_ldap and pam_ldap client configuration; not /etc/ldap/ldap.conf, which configures the OpenLDAP command-line tools), clear all existing entries and put in the following:
HOST master
base dc=dom02,dc=linux,dc=class
ldap_version 3
Note that this configuration talks to the server over plain ldap:// on TCP port 389 with no TLS, so the credentials the client sends when users log in cross the network in clear text; that is tolerable only on the isolated VM subnet used in these exercises.
Setting up user account scripts on the server.
On the server, master, install the LDAP user account scripts (ldapscripts) as follows:
Download the configuration files
ldapscripts.conf and
ldapscripts.passwd, and copy them into the directory /etc/ldapscripts
on the server:
ldapscripts.passwd holds the password that ldapscripts binds to the directory with, in clear text: it must be owned by root with mode 0600 so that no other user on master can read it, and it must not end in a newline, because the password is handed to the ldap* tools straight from the file, newline included.
On the server there should be a home directory for the NFS users,
/NFS/home, if the NFS exercises have been completed.
Creating LDAP user accounts on the server
Create a new group, ldapusers:
Create a new LDAP user, mike, with group ldapusers:
Check if the client, n01, recognizes user mike:
If so, ssh to the client from your desktop as user mike. Note that you can find the IP address of n01 by
looking at the content of the file /var/lib/libvirt/dnsmasq/default.leases.
For example,
shows the lease expiry time, MAC address, IP address, and the VM name:
In this case, the IP address of n01 is 192.168.122.99
User mike should be able to log in to n01. If you have done the
NFS exercises, the user's home directory should be mounted automatically.
Securing LDAP server
A. Restricting user access to the password hashes.
Browse the user's LDAP entries:
You should be able to see the userPassword attribute, since no access restrictions have been
set on the LDAP entries on the server. In this state any client that can reach slapd can pull every user's password hash with an anonymous search and attack it offline.
Secure access to the LDAP directory by adding the following access rules to
the end of /etc/ldap/slapd.conf on the server:
#Access control
access to attr=userPassword
by self write
by anonymous auth
by dn="cn=Manager,dc=dom02,dc=linux,dc=class" write
by * compare
access to *
by self write
by dn="cn=Manager,dc=dom02,dc=linux,dc=class" write
by * read
slapd evaluates these in order: the first access to directive whose target matches is used, and within it the first by clause whose requester matches decides. An anonymous client therefore gets only auth on userPassword (enough to bind as the user, not enough to read or search the hash), a user can change their own password, cn=Manager can write anything, and everything else stays readable by everyone. Two things to check: attr= is the old spelling of attrs=, which slapd still accepts; and slapd on Ubuntu 14.04 reads its configuration from the cn=config directory /etc/ldap/slapd.d by default, so these directives only take effect if your slapd is actually started from /etc/ldap/slapd.conf. The last clause, by * compare, grants every authenticated user compare access to other users' userPassword, which nothing in these exercises needs; by * none is the stricter choice.
Restart slapd:
Make sure the passwords no longer show up on the client when you run
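As an added example (not part of the exercise, and not OpenLDAP's own code), the following Python script models how slapd evaluates access directives and runs the rules above against a few requesters. The manager DN is taken from the exercise; the user DNs uid=mike,ou=People,... and uid=jane,ou=People,... are assumed, since the exercise does not show where ldapscripts places users, and jane is a constructed second user. It makes concrete why the hashes disappear from an anonymous search (anonymous gets only auth on userPassword) while a bind as the user still works, and what by * compare still lets an authenticated user do.

```python
"""Added example: a small model of slapd's access-directive evaluation
(default 'stop' control), run against the rules from this exercise.
Not part of the exercise and not OpenLDAP code."""
import shlex

# OpenLDAP access levels, lowest to highest; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The rules exactly as the exercise adds them to /etc/ldap/slapd.conf.
ACL_TEXT = """
#Access control
access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=Manager,dc=dom02,dc=linux,dc=class" write
        by * compare
access to *
        by self write
        by dn="cn=Manager,dc=dom02,dc=linux,dc=class" write
        by * read
"""

# Manager DN from the exercise; the user DNs assume an ou=People container
# (the exercise does not show its layout) and jane is a constructed second user.
MANAGER = "cn=Manager,dc=dom02,dc=linux,dc=class"
MIKE = "uid=mike,ou=People,dc=dom02,dc=linux,dc=class"
JANE = "uid=jane,ou=People,dc=dom02,dc=linux,dc=class"


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)                    # handles dn="..." quoting
        if tokens[:2] == ["access", "to"] and len(tokens) == 3:
            rules.append((tokens[2], []))
        elif tokens[0] == "by" and len(tokens) == 3 and rules:
            who, level = tokens[1], tokens[2]
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            rules[-1][1].append((who, level))
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return rules


def _norm_dn(dn):
    # DN comparison is case-insensitive; ignore whitespace around RDN separators.
    return ",".join(part.strip() for part in dn.lower().split(","))


def what_matches(what, attribute):
    """<what>: '*' matches entries and attributes; attr(s)=a,b matches those attributes."""
    if what == "*":
        return True
    if what.startswith(("attrs=", "attr=")):          # attr= is the older spelling
        names = [n.strip().lower() for n in what.split("=", 1)[1].split(",")]
        return attribute is not None and attribute.lower() in names
    raise ValueError(f"unsupported <what> selector {what!r}")


def who_matches(who, bind_dn, entry_dn):
    """<who>; bind_dn is None for an anonymous (unauthenticated) requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and _norm_dn(bind_dn) == _norm_dn(entry_dn)
    if who.startswith("dn="):                         # plain dn= is an exact match
        return bind_dn is not None and _norm_dn(bind_dn) == _norm_dn(who[3:])
    raise ValueError(f"unsupported <who> selector {who!r}")


def access_level(rules, bind_dn, entry_dn, attribute=None):
    """Level the requester gets on entry_dn (attribute=None means the entry itself)."""
    for what, clauses in rules:
        if not what_matches(what, attribute):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"          # directive matched, no 'by' clause did: denied
    return "none"              # unreachable with the exercise's trailing 'access to *'


def allowed(rules, bind_dn, entry_dn, wanted, attribute=None):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(access_level(rules, bind_dn, entry_dn, attribute)) >= LEVELS.index(wanted)


RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    checks = [
        ("anonymous search reads mike's userPassword", None, MIKE, "read", "userPassword"),
        ("anonymous search reads mike's uid", None, MIKE, "read", "uid"),
        ("bind as mike (needs auth on userPassword)", None, MIKE, "auth", "userPassword"),
        ("mike changes his own password", MIKE, MIKE, "write", "userPassword"),
        ("mike reads jane's userPassword", MIKE, JANE, "read", "userPassword"),
        ("mike compares against jane's userPassword", MIKE, JANE, "compare", "userPassword"),
        ("cn=Manager rewrites jane's entry", MANAGER, JANE, "write", None),
    ]
    for label, who, entry, op, attr in checks:
        verdict = "ALLOW" if allowed(RULES, who, entry, op, attr) else "DENY "
        print(f"{verdict}  {label}  (granted: {access_level(RULES, who, entry, attr)})")
```

Run it with python3; each line prints ALLOW or DENY together with the level the rules grant. A directive whose target matches but none of whose by clauses match the requester denies access, which is why ordering the clauses matters.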
B. Restricting client access to LDAP server.
Create an entry in /etc/hosts.deny on the LDAP server, master:
On both the server, master, and the client, n01, run the
ldapsearch command to check whether you can still access LDAP:
It should give you the following error, since ldapsearch is unable to connect to the slapd daemon:
On the LDAP server, master, add the following line in file /etc/hosts.allow:
slapd: 192.168.122.0/24 127.0.0.1
This allows connections to slapd on the master VM only from the local host, 127.0.0.1, and from the VM subnet 192.168.122.0/24. TCP wrappers consult /etc/hosts.allow first and /etc/hosts.deny second, stopping at the first match, so this entry takes precedence over the deny entry created above, and a connection that matches neither file is accepted. The check works only because the Ubuntu slapd binary is linked against libwrap, it looks at the client's source address alone, and it does not protect the LDAP traffic itself; it narrows who can reach the port, nothing more.
Run ldapsearch on the client and the server again:
It should show you the LDAP data now.
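As an added example (not part of the exercise, and not tcp_wrappers code), this Python script models the hosts_access decision that libwrap makes inside slapd and runs it against the hosts.allow line above. The content of the hosts.deny entry is assumed to be slapd: ALL, since the exercise does not show the entry it has you create; client addresses other than n01's 192.168.122.99 are constructed. It shows the allow, then deny, then accept-by-default order, that the deny entry alone is what blocked n01 before hosts.allow was edited, and that a daemon the deny file does not name is still accepted.

```python
"""Added example: a model of tcp_wrappers' hosts_access() decision for slapd,
run against the hosts.allow line from this exercise. Not part of the exercise
and not libwrap code. Only IPv4 client patterns are handled: ALL, an exact
address, net/mask or net/prefixlen, and a dotted prefix such as 192.168.122."""
import ipaddress

HOSTS_ALLOW = "slapd: 192.168.122.0/24 127.0.0.1\n"   # the line from the exercise
HOSTS_DENY = "slapd: ALL\n"                            # assumed content of the deny entry


def parse_rules(text):
    """[(daemon_list, client_list), ...] from 'daemons : clients [: options]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """One client pattern against a dotted-quad source address."""
    addr = ipaddress.IPv4Address(ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:            # net/mask, or net/prefixlen as the exercise writes it
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    if pattern.endswith("."):     # 'n.n.n.' prefix form
        return ip.startswith(pattern)
    return addr == ipaddress.IPv4Address(pattern)


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return ("ALL" in daemons or daemon in daemons) and any(client_matches(p, ip) for p in clients)


def hosts_access(daemon, ip, allow_rules, deny_rules):
    """(accepted, which file decided), in tcp_wrappers order:
    hosts.allow match -> accept; else hosts.deny match -> refuse; else accept."""
    if any(rule_matches(r, daemon, ip) for r in allow_rules):
        return True, "hosts.allow"
    if any(rule_matches(r, daemon, ip) for r in deny_rules):
        return False, "hosts.deny"
    return True, "default"        # named in neither file: tcp_wrappers lets it through


ALLOW = parse_rules(HOSTS_ALLOW)
DENY = parse_rules(HOSTS_DENY)

if __name__ == "__main__":
    # n01 is 192.168.122.99 in the exercise; the other addresses are constructed.
    cases = [
        ("slapd", "192.168.122.99", ALLOW),
        ("slapd", "127.0.0.1", ALLOW),
        ("slapd", "10.0.0.5", ALLOW),
        ("slapd", "192.168.122.99", []),      # before hosts.allow was edited
        ("sshd", "10.0.0.5", ALLOW),          # a daemon hosts.deny does not name
    ]
    for daemon, ip, allow in cases:
        ok, why = hosts_access(daemon, ip, allow, DENY)
        print(f"{daemon:5} from {ip:15} -> {'accept' if ok else 'refuse'} ({why})")
```

The fourth case reproduces the error the exercise has you observe: with only the deny entry in place, even n01 on the VM subnet is refused until the hosts.allow line is added.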