Monday, 19 March 2018

OpenLDAP Server Software Setup


Server Side setup
#######################

Check DNS with Public IP
#####################################
root@ip-172-31-3-85:~# nslookup 13.127.170.246
Server:       172.31.0.2
Address:    172.31.0.2#53

Non-authoritative answer:
246.170.127.13.in-addr.arpa    name = ec2-13-127-170-246.ap-south-1.compute.amazonaws.com.

(Copy the above DNS name; it is pasted into the configuration step below.)


Install updates if any
##############################################
root@ip-172-31-3-85:~# sudo apt-get update


Install ldap software package
##############################################
root@ip-172-31-3-85:~# sudo apt-get install slapd ldap-utils -y

(During the above installation, the installer prompts you to set a
password for the LDAP administrator. Enter a password of your choice.)


Reconfigure ldap configuration if required
#######################################
root@ip-172-31-3-85:~# sudo dpkg-reconfigure slapd

Omit OpenLDAP server configuration? No (selecting Yes simply cancels
the configuration)


DNS domain name: this constructs the base DN of the LDAP directory.
Enter the domain name obtained from the nslookup command in the first step:
ec2-13-127-170-246.ap-south-1.compute.amazonaws.com

Organization name: You can just name your organization - Crevise



Enter the administrator password for the LDAP admin account; by default,
admin is the name of the administrator user.
Confirm the administrator password.



Choose the database backend for LDAP: MDB (the BDB/HDB/MDB options
depend on your setup and requirements).
Choose whether you want the database removed when slapd is purged: select No.


If you have old data in LDAP, you can choose to move the old database
aside before creating a new one.
Option to allow or disable the LDAPv2 protocol: select No.


Once the reconfiguration is complete, you would get an output like below.

 Moving old database directory to /var/backups:
 - directory unknown... done.
 Creating initial configuration... done.
 Creating LDAP directory... done.

(The above output confirms that your LDAP setup has been configured.)


Verify LDAP by port number
######################
root@ip-172-31-3-85:~# sudo netstat -tnlp | grep slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      27798/slapd   
tcp6       0      0 :::389                  :::*                    LISTEN      27798/slapd   




Add the ldap service to the firewall rules
##############################################
root@ip-172-31-3-85:~# sudo ufw allow ldap


Check the LDAP base with the ldapsearch command
##########################################
root@ip-172-31-3-85:~# ldapsearch -x -LLL -H ldap:/// -b dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com dn
(The output is shown below)

dn: dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
dn: cn=admin,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
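As an added example (not code from the original post), the script below derives the base DN and the admin DN from the hostname returned by nslookup and reuses them for the ldapsearch check above; the ldapwhoami bind check is an addition, and ldap:/// is assumed to be the local server as in the post.

```shell
#!/bin/sh
# Derive the DNs that dpkg-reconfigure slapd builds from the DNS domain
# name, then reuse them for the checks. Added example, not from the post.

# "a.b.c" -> "dc=a,dc=b,dc=c": each DNS label becomes one dc= RDN; hyphens
# in a label (ec2-13-127-170-246) need no escaping in a DN. A trailing dot,
# as printed by nslookup, is dropped first.
base_dn_from_fqdn() {
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed -e 's/\.$//' -e 's/\./,dc=/g')"
}

# slapd's default administrator entry is cn=admin directly under the base.
admin_dn_for() {
    printf 'cn=admin,%s\n' "$(base_dn_from_fqdn "$1")"
}

# The post's check: anonymous simple bind (-x) listing every entry DN under
# the base; -LLL prints plain LDIF. ldap:/// is the local server.
list_dns() {
    ldapsearch -x -LLL -H ldap:/// -b "$(base_dn_from_fqdn "$1")" dn
}

# Extra check: confirm the admin password chosen at install time binds.
# A simple bind sends the password as-is, which is fine on ldap:/// locally
# but not across the network; use ldaps:// or StartTLS (-ZZ) there.
check_admin_bind() {
    ldapwhoami -x -H ldap:/// -D "$(admin_dn_for "$1")" -W
}

# Usage: sh ldap-check.sh ec2-13-127-170-246.ap-south-1.compute.amazonaws.com
if [ -n "$1" ]; then
    list_dns "$1"
    check_admin_bind "$1"
fi
```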


Now install phpLDAPadmin
######################################
root@ip-172-31-3-85:~# sudo apt-get install phpldapadmin


(Now we need to configure phpLDAPadmin to use our domain and not to
autofill the LDAP login information.)

Configure PhpLDAPAdmin in the main configuration file
#################################################
root@ip-172-31-3-85:~# vim /etc/phpldapadmin/config.php


(Line 161 is a setting that controls the visibility of some phpLDAPadmin
warning messages. By default the application shows quite a few warning
messages about template files. These have no impact on our current use of
the software, so we hide them as below:)

Uncomment the line and change false to true
#########################################################
/* Hide the warnings for invalid objectClasses/attributes in templates. */
$config->custom->appearance['hide_template_warning'] = true;



(Line 286 sets the display name for your LDAP server, which the web interface
uses in headers and messages about the server.)

Change the name of your LDAP server as below:
########################################################
/* A convenient name that will appear in the tree viewer and throughout
  phpLDAPadmin to identify this LDAP server to users. */
$servers->setValue('server','name','test Server');


(Line 300 tells phpLDAPadmin what the root of the LDAP hierarchy is.
This is based on the value we typed in when reconfiguring the slapd package.)

Change the server base array as below:
##############################################################
/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
  auto-detect it for you. */
$servers->setValue('server','base',array('dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com'));


(Line 326 pre-populates the admin login details in the web interface.
This is information we should not share if our phpLDAPadmin page is publicly accessible.)

Comment it out with a # at the beginning of the line, as below:
###################################################################
/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
  'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
  BLANK. If you specify a login_attr in conjunction with a cookie or session
  auth_type, then you can also specify the bind_id/bind_pass here for searching
  the directory for users (ie, if your LDAP server does not allow anonymous
  binds. */
#$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');


After configuration, restart the apache2 service
###########################################
root@ip-172-31-3-85:~# systemctl restart apache2
root@ip-172-31-3-85:~# systemctl enable apache2

Open http://13.127.170.246/phpldapadmin in your browser to build the user database.


(The Login DN is the username: it contains the account name as a cn=
section and the domain name you selected for the server broken into
dc= sections. The default admin account set up during install is
called admin, so in our case the Login DN is:

cn=admin,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com

After entering the appropriate string for your domain, type in the admin
password you created during configuration, then click the Authenticate button.)



At this point, you are logged into the phpLDAPadmin interface. 
You have the ability to add users, organizational units, groups, and relationships.


Click on dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com,
then click on Create new entry here.


Select Generic: Organisational Unit, create an organisational unit named
groups, and commit it.

Add another organisational unit named users in the same way.
The two organisational units, groups and users, now appear on the left side.


Now create POSIX groups in the groups organisational unit.
Click on ou=groups (on the left), click on Create a child entry,
then click on Generic: Posix Group.
Create two groups, named admin and user, and commit the changes.

You will see the two POSIX groups, admin and user, added on the left side
in the groups organisational unit.


Now create users in the users organisational unit.
Click on ou=users (on the left), click on Create a child entry,
then click on Generic: User Account.


Fill in the entries as required, click on Create Object, and commit on
the next step. You can see that ldapuser has been added to the
ou=users organisational unit.


Repeat the same steps to add the other users.
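As an added example, not part of the original post, the same organisational units, POSIX groups and user account can be written as LDIF and loaded with ldapadd instead of clicking through phpLDAPadmin; the uidNumber/gidNumber values and the sn field are constructed sample values, and BASE is the post's base DN.

```shell
#!/bin/sh
# The directory structure built through phpLDAPadmin above, as LDIF that
# ldapadd can load. Added example, not from the post. BASE is the post's
# base DN; uid/gid numbers and the sn values are constructed samples.

BASE='dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com'

# The two organisational units, groups and users (parents must exist before
# their children, so these come first).
ou_ldif() {
    for ou in groups users; do
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' \
            "$ou" "$BASE" "$ou"
    done
}

# Generic: Posix Group. gidNumber must be unique; user entries refer to it.
group_ldif() {  # $1 = group name, $2 = gidNumber
    printf 'dn: cn=%s,ou=groups,%s\nobjectClass: posixGroup\n' "$1" "$BASE"
    printf 'cn: %s\ngidNumber: %s\n\n' "$1" "$2"
}

# Generic: User Account: inetOrgPerson + posixAccount, with cn as the RDN as
# in the post's ldapsearch output. sn, uid, uidNumber, gidNumber and
# homeDirectory are mandatory for these classes. No userPassword here; set
# it afterwards (prompted, so it never lands in shell history) with
#   ldappasswd -x -H ldap:/// -D "cn=admin,$BASE" -W -S "cn=<name>,ou=users,$BASE"
user_ldif() {  # $1 = cn/uid, $2 = uidNumber, $3 = gidNumber, $4 = sn
    printf 'dn: cn=%s,ou=users,%s\n' "$1" "$BASE"
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\n'
    printf 'cn: %s\nsn: %s\nuid: %s\nuidNumber: %s\ngidNumber: %s\n' \
        "$1" "$4" "$1" "$2" "$3"
    printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\n\n' "$1"
}

# Everything the post creates: ou=groups, ou=users, the groups admin and
# user, and the account ldapuser placed in the user group.
skeleton_ldif() {
    ou_ldif
    group_ldif admin 10001
    group_ldif user 10002
    user_ldif ldapuser 10001 10002 'LDAP User'
}

# Load it as the administrator set up during installation:
#   skeleton_ldif | ldapadd -x -H ldap:/// -D "cn=admin,$BASE" -W
skeleton_ldif
```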


Check the groups and users with ldapsearch
#######################################################
root@ip-172-31-3-85:~# ldapsearch -x -LLL -H ldap:/// -b dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com dn
(The groups and users that were added are listed below)

dn: dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com

dn: cn=admin,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com

dn: ou=groups,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com

dn: ou=users,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com

dn: cn=user,ou=groups,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com

dn: cn=admin,ou=groups,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com

dn: cn=ldapuser,ou=users,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com

dn: cn=shashank,ou=users,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com
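Added example (not from the original post): a script that checks ldapsearch output for the expected DNs, unfolding the continuation lines that ldapsearch emits for DNs as long as this one; the sample LDIF embedded in it is constructed.

```shell
#!/bin/sh
# Check that the expected entries exist in real ldapsearch output. Added
# example, not from the post. ldapsearch folds output lines at 76 columns
# and marks continuations with a leading space (RFC 2849), so a long DN
# never matches a grep unless it is unfolded first (or ldapsearch is run
# with -o ldif-wrap=no).

# Join RFC 2849 continuation lines (those starting with a single space).
unfold_ldif() {
    awk '/^ / { sub(/^ /, ""); buf = buf $0; next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# Read LDIF on stdin; succeed only if every DN given as an argument is
# present, otherwise report the missing ones on stderr and return 1.
expect_dns() {
    dns="$(unfold_ldif | sed -n 's/^dn: //p')"
    missing=0
    for want in "$@"; do
        if ! printf '%s\n' "$dns" | grep -Fqx -- "$want"; then
            echo "missing: $want" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample, folded the way ldapsearch -LLL emits it for the
# post's base DN.
SAMPLE='dn: ou=groups,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,d
 c=com

dn: cn=ldapuser,ou=users,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amaz
 onaws,dc=com
'

# On the server the same check runs against live output:
#   ldapsearch -x -LLL -H ldap:/// -b "$BASE" dn | expect_dns "ou=groups,$BASE" ...
check_sample() {
    printf '%s' "$SAMPLE" | expect_dns \
        'ou=groups,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com' \
        'cn=ldapuser,ou=users,dc=ec2-13-127-170-246,dc=ap-south-1,dc=compute,dc=amazonaws,dc=com'
}
```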
