Arief Yudhawarman

Still learning how to blog

LDAP Tutorial (1)



LDAP

LDAP is an acronym for Lightweight Directory Access Protocol; it is a simplified version of the X.500 protocol. The directory set up in this section will be used for authentication. Nevertheless, LDAP can be used in numerous ways: authentication, a shared directory (for mail clients), an address book, etc.

To describe LDAP quickly: all information is stored in a tree structure. With OpenLDAP you are free to design the directory tree (the Directory Information Tree, or DIT) yourself. We will begin with a basic tree containing two nodes below the root:

  • a People node, where your users will be stored
  • a Groups node, where your groups will be stored

Before beginning, you should decide what the root of your LDAP directory will be. By default, your tree is derived from your Fully Qualified Domain Name (FQDN). If your domain is example.com (which we will use in this example), your root node will be dc=example,dc=com.

Entries are in a tree-like structure called Directory Information Tree (DIT)


Installation & Configuration On Debian Wheezy

This tutorial uses Debian Wheezy. First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing the LDAP management utilities.

apt-get install slapd ldap-utils

OpenLDAP Installation

The default OpenLDAP installation uses on-line configuration (OLC, also called cn=config). Here we switch to a textual configuration file (/etc/ldap/slapd.conf) instead. To make slapd read the textual configuration file, edit /etc/default/slapd.conf as follows.

SLAPD_CONF=/etc/ldap/slapd.conf
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLAPD_SERVICES="ldap:/// ldapi:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
SLAPD_OPTIONS=""

Then edit /etc/ldap/slapd.conf (source: http://www.zytrax.com/books/ldap/ch5/step1-slapd.txt, with some modifications):

#
###### SAMPLE 1 - SIMPLE DIRECTORY ############
#
# NB: Ubuntu schemas in /etc/ldap/schema
#
include		/etc/ldap/schema/core.schema
include		/etc/ldap/schema/cosine.schema
include		/etc/ldap/schema/inetorgperson.schema

# NO SECURITY - no access clause
# defaults to anonymous access for read
# only rootdn can write

# NO REFERRALS

# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/slapd/slapd.pid

# enable a lot of logging - we might need it
# but generates huge logs
loglevel 	-1 

# MODULELOAD definitions
# not required (comment out) before version 2.3
moduleload back_bdb.la

# NO TLS-enabled connections

# backend definition not required

#
# bdb database definitions
# 
database bdb
suffix "dc=example, dc=com"

# root or superuser
rootdn "cn=jimbob, dc=example, dc=com"
rootpw dirtysecret
# The database directory MUST exist prior to running slapd AND 
# change path as necessary
directory	/var/lib/ldap

# Indices to maintain for this directory
# unique id so equality match only
index	uid	eq
# allows general searching on commonname, givenname and email
index	cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subinitial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber

# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15

Rather than keeping rootpw in clear text, generate a hashed password with slappasswd; enter the password dirtysecret when prompted:

$ slappasswd
New password: 
Re-enter new password: 
{SSHA}UiFULWX3tsrlT3nNbojAglsChDKPBBIJ

Then replace the rootpw entry in slapd.conf with the hash:

rootpw          {SSHA}UiFULWX3tsrlT3nNbojAglsChDKPBBIJ
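
Since that hash is what now protects the rootdn account, it is worth seeing how the {SSHA} value printed by slappasswd is built and checked. The Python below is an added example, not code from the post; the names ssha_hash, ssha_verify, ssha_split and ssha_salt_length are my own. SSHA is a single salted SHA-1, not a deliberately slow password-hashing function, so the protection it gives rootpw depends almost entirely on the length and randomness of the password you choose.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the original post): how the {SSHA} value that
# slappasswd prints is built and checked. The base64 payload is
# SHA-1(password + salt) followed by the salt itself, so anyone holding the
# string can recover the salt and recompute the digest for a candidate password.
SHA1_LEN = 20
SCHEME = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string for password; a random 4-byte salt is used unless one is supplied."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Optional[tuple]:
    """Split a stored {SSHA} value into (digest, salt); None if it is malformed."""
    if not stored.startswith(SCHEME):
        return None
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= SHA1_LEN:
        return None  # no salt bytes after the digest
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Check password against a stored {SSHA} value (constant-time digest compare)."""
    parts = ssha_split(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ssha_salt_length(stored: str) -> int:
    """Length in bytes of the salt inside a stored {SSHA} value (0 if malformed)."""
    parts = ssha_split(stored)
    return len(parts[1]) if parts else 0


if __name__ == "__main__":
    # constructed demonstration: hash the tutorial's password, then verify it
    h = ssha_hash("dirtysecret")
    print(h, ssha_verify("dirtysecret", h), ssha_verify("wrong", h))
```

Running the block hashes dirtysecret with a fresh random salt, so its output differs from the value shown above on every run. Because the salt is appended in clear after the digest, ssha_salt_length can read it back from the tutorial's own hash (4 bytes), which is exactly what a verifier needs and also what an offline guessing attack gets for free.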

Then we do consecutively:

  • Change permission of the file /etc/ldap/slapd.conf
  • Stop slapd
  • Move the original ldap database directory
  • Create the new ldap database and change ownership
  • Copy file DB_CONFIG from the original ldap database
  • Start slapd

chmod 640 /etc/ldap/slapd.conf
chown openldap. /etc/ldap/slapd.conf
/etc/init.d/slapd stop
cd /var/lib
mv ldap ldap_orig
mkdir ldap
chown openldap. ldap
cp -a /var/lib/ldap_orig/DB_CONFIG /var/lib/ldap/
/etc/init.d/slapd start


Populate Database

Get the simple sample database files (sample-1-people.txt.ldif, sample-2-people.txt.ldif and sample-3-people.txt.ldif).

Edit sample-3-people.txt.ldif so that the jpegphoto line reads:

jpegphoto:< file:///tmp/robert.smith.jpg

Note that there is no space between the characters : and < (source: RFC 2849, http://www.rfc-base.org/txt/rfc-2849.txt).

Download image robert.smith.jpg and save at /tmp directory.

Populate the LDAP database, binding as the rootdn:

$ ldapadd -H ldap://localhost -x -D "cn=jimbob,dc=example,dc=com" -f sample-1-people.txt.ldif -w dirtysecret
adding new entry "dc=example,dc=com"
adding new entry "ou=people, dc=example,dc=com"
adding new entry "cn=Robert Smith,ou=people,dc=example,dc=com"

$ ldapadd -H ldap://localhost -x -D "cn=jimbob,dc=example,dc=com" -f sample-2-people.txt.ldif -w dirtysecret
adding new entry "cn=John Smith,ou=people,dc=example,dc=com"
adding new entry "cn=Sheri Smith,ou=people,dc=example,dc=com"

$ ldapadd -H ldap://localhost -x -D "cn=jimbob,dc=example,dc=com" -f sample-3-people.txt.ldif -w dirtysecret
modifying entry "cn=Robert Smith,ou=people,dc=example,dc=com"



Browsing the directory anonymously

You can use the command

ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com '(cn=John Smith)'


or

ldapsearch -x -LLL -h localhost -b dc=example,dc=com '(cn=John Smith)'

$ ldapsearch -x -LLL -h localhost -b dc=example,dc=com '(cn=John Smith)'
dn: cn=John Smith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Smith
cn: John J Smith
sn: Smith
uid: jsmith
userPassword:: alNtaXRI
carLicense: HISCAR 124
homePhone: 555-111-2223
mail: j.smith@example.com
mail: jsmith@example.com
mail: john.smith@example.com
ou: Sales

$ ldapsearch -x -LLL -h localhost -b dc=example,dc=com '(cn=John Smith)' cn sn uid mail
dn: cn=John Smith,ou=people,dc=example,dc=com
cn: John Smith
cn: John J Smith
sn: Smith
uid: jsmith
mail: j.smith@example.com
mail: jsmith@example.com
mail: john.smith@example.com

$ ldapsearch -x -LLL -h localhost -b dc=example,dc=com '(cn=Robert Smith)'
dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob  smith
sn: smith
userPassword:: ckpzbWl0SA==
carLicense: HISCAR 123
homePhone: 555-111-2222
ou: Human Resources
telephoneNumber: 555-555-1212
telephoneNumber: 212
uid: rjosmith
mail: robert.smith@example.com
mail: bob.smith@example.com
jpegPhoto:: /9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAkGBxQTEhUUExQVFRUXFxsaGBcYFxgYGh
 gZHRgXGBgXFxcaHCggGxwlHBgYITEhJSkrLi4uGB8zODMsNygtLisBCgoKDg0OGhAQGywkICQsLCw
 sLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLP/AABEIAPkAygMB
 ...<truncated>...
 VAf1iDiFHJnGYZreFPm8FcdfzhjG/2U/W8O1c3ezwP0uGOycvhEOTjylHPeOzONLUAmyRcmjxAV7v
 ifnCk+6esYqorH9RzpOKkQu0ONUvIkswchudKwGibxb+54CII1gn2J9SWT3TdsWhLvUCj1+XWGCYf
 kX8DDCrxRR//Z

$ ldapsearch -x -LLL -h localhost -b dc=example,dc=com '(dc=example)'
dn: dc=example,dc=com
dc: example
description: My wonderful company as much text as you want to place in this li
 ne up to 32K continuation data for the line above must have <CR> or <CR
 ><LF> i.e. ENTER works on both Windows and *nix system - new line MUST beg
 in with ONE SPACE
objectClass: dcObject
objectClass: organization
o: Example, Inc.
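
The double colon in userPassword:: alNtaXRI, the folded description lines in the last result, and the :< file reference used earlier for jpegphoto are all RFC 2849 LDIF conventions. The Python reader below, added here and not part of the original post, implements those three rules over a sample built from the ldapsearch output above; the function names (unfold, decode_value, parse_ldif, parse_sample) are my own. Decoding the userPassword value also makes the point of this section concrete: with no access clause in slapd.conf, the password is stored in clear text and handed to an anonymous bind, something to keep in mind before the next part on securing the directory.

```python
import base64
from typing import Dict, List, Union
from urllib.parse import urlparse
from urllib.request import url2pathname

# Added example (not from the original post): a small reader for the LDIF
# conventions seen in the ldapsearch output above and in the edit made to
# sample-3-people.txt.ldif, following RFC 2849:
#   - a line starting with one space continues the previous line
#   - "attr:: value" carries a base64-encoded value
#   - "attr:< file:///path" takes the value from a file (no space between : and <)
Value = Union[str, bytes]
Entry = Dict[str, List[Value]]


def unfold(text: str) -> List[str]:
    """Join folded lines: a leading single space means 'continue the line above'."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def decode_value(rest: str, load_files: bool) -> Value:
    """Turn the text after 'attr:' into a value according to its prefix."""
    if rest.startswith(":"):                       # attr:: base64 value
        raw = base64.b64decode(rest[1:].strip())
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError:
            return raw                             # binary data such as jpegPhoto
    if rest.startswith("<"):                       # attr:< URL
        url = rest[1:].strip()
        if not load_files:
            return url                             # keep the reference unresolved
        parsed = urlparse(url)
        if parsed.scheme != "file":
            raise ValueError("only file:// URLs are supported: " + url)
        with open(url2pathname(parsed.path), "rb") as fh:
            return fh.read()
    return rest.lstrip(" ")                        # plain value


def parse_ldif(text: str, load_files: bool = False) -> List[Entry]:
    """Parse LDIF text into a list of entries, each a dict of attribute -> values."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text) + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or not name:
            raise ValueError("malformed LDIF line: " + repr(line))
        current.setdefault(name, []).append(decode_value(rest, load_files))
    return entries


# Constructed sample, copied from the ldapsearch output in the tutorial plus the
# jpegphoto line from the sample-3-people.txt.ldif edit.
SAMPLE_LDIF = """\
dn: cn=John Smith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Smith
cn: John J Smith
sn: Smith
uid: jsmith
userPassword:: alNtaXRI
mail: j.smith@example.com
mail: jsmith@example.com

dn: dc=example,dc=com
dc: example
description: My wonderful company as much text as you want to place in this li
 ne up to 32K
objectClass: dcObject
objectClass: organization
o: Example, Inc.

dn: cn=Robert Smith,ou=people,dc=example,dc=com
cn: Robert Smith
jpegphoto:< file:///tmp/robert.smith.jpg
"""


def parse_sample() -> List[Entry]:
    """Parse the constructed sample above (file references are left unresolved)."""
    return parse_ldif(SAMPLE_LDIF)


if __name__ == "__main__":
    for entry in parse_sample():
        print(entry["dn"][0])
        for attr, values in entry.items():
            if attr != "dn":
                print("  %s: %r" % (attr, values))
```

parse_ldif keeps attribute names exactly as written; LDAP itself treats them case-insensitively, so compare with .lower() when matching on names. Pass load_files=True only for LDIF you trust, because the reader will open whatever local path the file:// reference names.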


Instead of using the LDAP tools on the console, we can use JXplorer.

Login as anonymous


Directory tree of dc=example,dc=com


Showing ‘(cn=Robert Smith)’


Image jpeg of Robert Smith



Perl LDAP

A Perl script to browse directories on an LDAP server:

#!/usr/bin/perl
#
# This program is written by Arief Yudhawarman.
# It uses the Perl Net::LDAP module, which is available from CPAN.
#

use warnings;
use strict;
use Net::LDAP;
use Getopt::Std;

my ($host, $basedn, $filter, $manager, $password);
my ($ldap, $mesg, $entry);

init();

# Net::LDAP->new reports a connection failure in $@, not $!
$ldap = Net::LDAP->new($host) or die "Can't connect to ldap: $@\n";

if (!$password) {
  $mesg = $ldap->bind;                  # an anonymous bind
} else {
  if ($manager) {
    $mesg = $ldap->bind( dn       => $manager,
                         password => $password );   # simple bind with a DN
  } else {
    print "dn can't be empty.\n";
    exit 1;
  }
}

if ($mesg->code) {
  print "Invalid credentials.\n";
  exit 1;
}

$mesg = $ldap->search( base   => $basedn,
                       filter => $filter );

$mesg->code && die $mesg->error;

# print every matching entry in LDIF-like form
foreach $entry ($mesg->all_entries) {
  $entry->dump;
}

$ldap->unbind;

#
# Subroutines
#

# parse the command line into the globals above
sub init {
  my $opt_string = 'd:p:h:b:f:';
  my %opt;
  getopts( $opt_string, \%opt ) or usage();
  if (!$opt{h} || !$opt{b} || !$opt{f}) {
    usage();
  }
  $host     = $opt{h};
  $basedn   = $opt{b};
  $filter   = $opt{f};
  $manager  = $opt{d} || '';
  $password = $opt{p} || '';
}

sub usage {
  print STDERR << "EOF";
Usage: $0 [-d dn -p password ] -h host -b basedn -f filter
   eg: $0 -h 192.168.1.1 -b 'dc=abc,dc=com' -f '(cn=John Smith)'
       $0 -d 'cn=root,dc=abc,dc=com' -p password -h 192.168.1.1 -b 'dc=abc,dc=com' -f '(cn=John Smith)'

EOF
  exit 1;
}

$ ./ldapbrowser.pl -h 192.168.63.31 -b 'dc=example,dc=com' -f '(cn=John Smith)'
------------------------------------------------------------------------
dn:cn=John Smith,ou=people,dc=example,dc=com

objectClass: inetOrgPerson
cn: John Smith
John J Smith
sn: Smith
uid: jsmith
userPassword: jSmitH
carLicense: HISCAR 124
homePhone: 555-111-2223
mail: j.smith@example.com
jsmith@example.com
john.smith@example.com
ou: Sales


LDAP Browser (Web Application)


You can download the Perl CGI script ldapbrowser.cgi to browse LDAP directories, including jpegPhoto attributes. Put the script into the cgi-bin directory (by default /var/www/cgi-bin), then create an images directory under the HTML document root, e.g. /var/www/html/images, and give the Apache user write permission to it. Make sure the CGI and LDAP Perl modules are installed before running the script.

Browsing the directory with base DN dc=example,dc=com and the filter (cn=Robert Smith), anonymously.

Showing (cn=Robert Smith)

Showing (cn=Robert Smith)


Browsing a Zimbra LDAP directory with the filter (objectClass=zimbraAlias). In this case you must authenticate as the zimbra user, whose DN is uid=zimbra,cn=admins,cn=zimbra. If you want to know more about Zimbra, please read this article.

Showing (objectClass=zimbraAlias)

Showing (objectClass=zimbraAlias)


Before going on to the next part, back up the LDAP database with slapcat:

[ ! -e /usr/local/src/backup/ldap ] && mkdir -p /usr/local/src/backup/ldap
cd /usr/local/src/backup/ldap
cp /etc/ldap/slapd.conf ldap-tut-1-slapd.conf
/usr/sbin/slapcat -f /etc/ldap/slapd.conf > ldap-tut-1.ldif


In case you skipped this step, you can download the backup in LDIF format here.

Next part: Securing the Directory and Adding Groups.

References:

  1. LDAP Concepts & Overview
  2. LDAP Schemas, objectClasses and Attributes
  3. OpenLDAP Samples


Written by awarmanf

October 27, 2017 at 6:42 am

Posted in LDAP, Linux, perl

