Introduction

Managing system information even in network with small number of computers can be quite difficult. If you want to add new user you have to add it on all machines or use some scripts to distribute this task.
Password management is even bigger problem. Users have to change their passwords on one of the machines and you need some distribution system to transfer it. These tasks can be simplified using LDAP. All the information needed by the machines is stored in LDAP server and they access it on-line.
Document describes how to setup LDAP based network information system for your network and how it can co-exist with plain files. Configuration has been tested on Linux and Solaris servers and workstations however it should be possible tu use it on other types of UNIX.

Why LDAP ?

well documented standard (RFC2307)
OpenLDAP - free LDAP server available for many platforms
free client software available for many operating systems (http://www.padl.com/)
fast read access
Lightweight protocol
other possible choices were NIS and NIS+
NIS does not hide user password and using it would have impact on security similar to resigning from shadow file. NIS+ is fully supported only on Solaris but even there administration is complicated.

Server instalation

Short description of OpenLDAP instalation:

download source package with the latest stable version of OpenLDAP from http://www.openldap.org/
unzip/untar it
run configure
you might need to add -tls option to use SSL (see security section).
compile and install (make, make depend, make install)
you can read more on OpenLDAP instalation from OpenLDAP 2.0 Administrator's Guide

When you have OpenLDAP installed you have to configure it. Edit <LDAP_DIR>/etc/openldap/slapd.conf. Important entries are:

suffix
set suffix based on your domain for example dc=mat,dc=uni,dc=torun,dc=pl
rootdn
dn of LDAP server manager
rootpw
Initially it is set to secret. Remember to change it ! You can get password hash from Unix crypt and set this option to: {crypt}<crypted_password>

schema files:

include         <LDAP_DIR>/etc/openldap/schema/core.schema
include         <LDAP_DIR>/etc/openldap/schema/cosine.schema
include         <LDAP_DIR>/etc/openldap/schema/nis.schema

ACL entries:

access to attr=userPassword
       by self write         # for user password change
       by anonymous auth     # for authentication bind
       by * none             # no anonymous access to password

indices:

index   default                 pres,eq
index   objectClass             pres,eq
index   cn,uid                  pres,eq,sub
index   uidnumber,gidnumber     pres,eq

PAM and NSS

Base LDAP client software for UNIX system includes pam-ldap and nss-ldap. The first is responsible for authorization and the second reads information about users, groups, hosts etc. from LDAP server and provides it to the rest of the system.

Instalation:

install OpenLDAP client libraries even if you have others ldap libraries. It may save some troubles later. Name Switch Service is used very early after system boot and it is very important part of the system so installing ldap libraries on root partition might be a good idea.
download the latest pam-ldap and nss-ldap from http://www.padl.com/.
Operating systems like Solaris and some Linux distributions come with own LDAP support in pam and nss but in heterogenous environment it would be better to use the same software for each platform. Another advantages of using modules from Padl Software is that they are free software and source is available.
untar packages, configure, compile and install it.
You may add option --with-ldap-dir to specify location of OpenLDAP libraries.
On Solaris patches may replace mod_ldap and nss_ldap with standard Solaris modules. I have not resolved the problem yet.

Both modules use common configuration file /etc/ldap.conf. You can take default configuration from pam-ldap package and make some modifications:

host <IP_of_your_LDAP_server>
base <same as suffix in slapd.conf>
ldap_version 3
OpenLDAP 2 supports third version of ldap protocol
pam_password crypt
Password will be hashed localy during password change. This option was required for OpenLDAP. There is new option designed specialy for OpenLDAP password change pam_password exop but I have not tested it yet :-(.
leave all the bind ... options commented so nss_ldap will bind anonymously.
pam_ldap binds with user dn and password. If bind is successfull access is allowed.

You also have to edit /etc/nsswitch.conf to enable LDAP support for NSS. Depending on type of your system you must edit /etc/pam.conf or /etc/pam.d/*. Example files are included in modules packages.

Migration

There are two ways you can switch to LDAP:

move information about users, groups, hosts etc. from your files to LDAP so it will be the only source of information. It is the best way but pay attention on reliability of your service (see section about replication). You can use Migration Tools from http://www.padl.com/ to transfer information from files to LDAP.
leave existing setup (for example plain files) on some of the machines and start to use LDAP only on group of hosts. This may seems a little strange but imagine following situation: you have few UNIX servers and your files distribution system works fine. Suppose you have PCs and you want to install Linux and allow users to log in locally. It is not a good idea to transfer passwords to PCs because of security reasons. That was my motivation to use LDAP. Here is how I have cope with migration:
- passwd, shadow, group and hosts files are transfered to the ldap host after every change (with some delay)
- ldap server listens not only on TCP but also on UNIX socket - you can specify it on slapd startup using -h option for example:
  <LDAP_DIR>/libexec/slapd -h ldap:/// ldapi:///
- full access is set for user connected by UNIX socket
```
access to attr=userPassword
          by self write
          by sockurl="^ldapi://.*$" * write
          by anonymous auth
          by * none

access to *
          by sockurl="^ldapi://.*$" * write
          by * read
```
- base DNs must be added to LDAP database, for example:
```
dn: dc=uni,dc=torun,dc=pl
objectClass: top

dn: dc=mat,dc=uni,dc=torun,dc=pl
objectClass: top

dn: ou=People,dc=mat,dc=uni,dc=torun,dc=pl
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Hosts,dc=mat,dc=uni,dc=torun,dc=pl
ou: Hosts
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=mat,dc=uni,dc=torun,dc=pl
ou: Group
objectClass: top
objectClass: organizationalUnit
```
- you can download synchronization script I have written in perl, modify configuration and run it. Script requiers Net::LDAP module with modifications that allow to access server by UNIX socket - replace _connect function in file <PATH TO PERL>/site_perl/<PERL VERSION>/Net/LDAP.pm with that one:
```
sub _connect {
  my ($ldap, $host, $arg) = @_;

 if (defined $arg->{unix_socket}) {
  $ldap->{net_ldap_socket} = IO::Socket::UNIX->new($host)
 } else {
  $ldap->{net_ldap_socket} = IO::Socket::INET->new(
    PeerAddr => $host,
    PeerPort => $arg->{port} || '389',
    Proto    => 'tcp',
    Timeout  => defined $arg->{timeout}
                 ? $arg->{timeout}
                 : 120
  );
 }

}
```

Replication

Using central source of information has many advantages but also has big disadvantage. If for some reasons server host will be inaccessible from client your system will be practically useless for users. To solve this problem you can use mechanism implemented in LDAP servers called replication. One of the servers is used as master and others work as slaves (replicas). Every change in content of master LDAP is propagated to replicas. When client can not access master server it will connect to replica.
How to add replication to existing system:

client
Just add IP of the replica to /etc/ldap.conf
host <IP_of_your_LDAP_server> <IP_of_your_replica>
replica
install OpenLDAP server on replica host and copy content of <LDAP_DIR>/var/. You can even copy whole directory tree <LDAP_DIR> if replica uses the same operating system as master. You must stop master before copying.
Add DN that will be used by master for replication, for example:
```
dn: cn=Replicator,dc=mat,dc=uni,dc=torun,dc=pl
objectClass: top
objectClass: person
userPassword: {crypt}<CRYPTED PASSWORD>
cn: Replicator
sn: Replicator
```
Add the following lines to <LDAP_DIR>/etc/openldap/slapd.conf.
```
access to *
          by dn="cn=Replicator,dc=mat,dc=uni,dc=torun,dc=pl" write
          by * read

updatedn "cn=Replicator,dc=mat,dc=uni,dc=torun,dc=pl"
```
master
existing server will become master. Add following lines to <LDAP_DIR>/etc/openldap/slapd.conf.
```
replica host=<IP OF REPLICA>
        binddn="cn=Replicator,dc=mat,dc=uni,dc=torun,dc=pl"
        bindmethod=simple
        credentials=secret
```
After making changes you should start slapd and also slurpd - replication daemon.

Security

During user authentication pam_ldap tries to bind to server with user's password. In standard transmision clear password is sent. To protect password use of encryption is needed.

Configuration:

OpenLDAP has to be configured with option --with-tls (Transport Layer Security)
you have to create own CA and server certificate or get cerfiticate from existing CA. Description how to create own CA and how to issue certificates you can find at http://www.modssl.org/docs/2.8/ssl_faq.html

in OpenLDAP configuration (slapd.conf) you have to set options concerning certificates:

TLSCertificateFile      /path/to/certificates/ldap_cert.pem
TLSCertificateKeyFile   /path/to/certificates/ldap_key.pem
TLSCACertificateFile    /path/to/certificates/cacert.pem

on client side in /etc/ldap.conf file you have to set ssl start_tls option.

Sendmail

One of the most interesting application of LDAP used in Mail Transfer Agents is possibility to store mail aliases definitions. There are two main advantages of such solution:

aliases can be stored in one place - it is important in case many mail servers accepts mail for domain
it is possible to delegate some privileges (to create and modify aliases) to different users

Configuration:

include definitions of objects from sendmail.schema in OpenLDAP server configuration:
```
include         /opt/ldap/etc/openldap/schema/sendmail.schema
```

add branch to store mail aliases, for example:

dn: ou=mail-aliases, dc=mat, dc=uni, dc=torun, dc=pl
objectClass: top
objectClass: organizationalUnit
ou: sendmail-maps

and some alias, for example:

dn: sendmailMTAKey=mailtest, ou=mail-aliases, dc=mat, dc=uni, dc=torun, dc=pl
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTACluster: mat-servers
sendmailMTAKey: mailtest
sendmailMTAAliasValue: rafmet

create devtools/Site/site.config.m4 file with content:

APPENDDEF(`confLIBS', `-lldap -llber')
APPENDDEF(`confINCDIRS', `-I/path/to/ldap/include')
APPENDDEF(`confLIBDIRS', `-L/path/to/ldap/lib -R/path/to/ldap/lib')

and recompile sendmail. If LDAP libraries are in standard locations last two lines are not needed.

change Sendmail configuration file by adding lines similar to:

dnl LDAP support
define(`confLDAP_DEFAULT_SPEC', `-h "jowita.mat.uni.torun.pl ldap2.studmat.uni.torun.pl" -b ou=mail-aliases,dc=mat,dc=uni,dc=torun,dc=pl')
define(`confLDAP_CLUSTER', `mat-servers')
define(`ALIAS_FILE', `/etc/mail/aliases,ldap:')

Other

Automounter

Configuration:

include definitions of objects from autofs.schema in OpenLDAP server
```
include         /opt/ldap/etc/openldap/schema/autofs.schema
```

add a branch that will be master automounter map

dn: ou=auto.master,dc=mat,dc=uni,dc=torun,dc=pl
objectClass: automountMap
ou: auto.master

dn: cn=/home,ou=auto.master,dc=mat,dc=uni,dc=torun,dc=pl
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=mat,dc=uni,dc=torun,dc=pl --timeout 360
cn: /home

add a branches that will be other automounter maps

dn: ou=auto.home,dc=mat,dc=uni,dc=torun,dc=pl
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=login,ou=auto.home,dc=mat,dc=uni,dc=torun,dc=pl
objectClass: top
objectClass: automount
cn: login
automountInformation: fileserver:/export/home/login

on client side in /etc/nsswitch.conf add automount: files ldap





 © 2002-2003 Rafal Metkowski

LDAP as Network Information Service

Introduction

Why LDAP ?

Server instalation

PAM and NSS

Migration

Replication

Security

Sendmail

Other

Automounter