Lab 10 - Authenticating to LDAP

Fuch's Warning:
        If you actually look like your passport photo, you aren't well
        enough to travel.

Overview

You will be playing with LDAP in two phases. First, you will install and configure an LDAP server on your machine, and then configure your machine to authenticate users against your LDAP server. Second, you will enable authentication over transport layer security (TLS) using your SSL certificate from the Apache lab.

All of the information in this lab was built from the following websites:

OpenLdap 2.4 Administrator's Guide
http://www.openldap.org/doc/admin24/
How to answer install questions when installing using 'apt-get'
http://mcwhirter.com.au/node/25

Tasks and Grading

This lab is due at 9:30am, Tuesday May 6th, 2007.

Each part is worth 1/2 of a lab for extra credit. Do not do anything in part 2 without getting part 1 completely functional.

Part 1 - Installing and Configuring OpenLDAP with a User

  1. Follow the instructions from lecture 26 and install and configure LDAP as per the following instructions.
  2. Create a top-level dcObject that is the name of your particular machine for the domain. I use 'dc=coolname,dc=cs,dc=colorado,dc=edu' in the examples in the slides. Use your particular machine name.
  3. Create two organizational units (ou) that sit underneath your top-level domain, one called 'people' and one called 'groups'.
  4. Create a group in your 'groups' organizational unit with the following attributes:
    • Group name: remoteusers
    • Group id: 26354
  5. Create a user in your 'people' organizational unit with the following attributes:
    • Username: jonesbm
    • Unix id: 15243
    • Home dir: /home/jonesbm
    • Shell: /bin/bash
    • Group id: 26354
    • cn: Bob Marley Jones
    • sn: Jones
    • gecos: Bob Marley Jones
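
The entries required by steps 2 through 5, written out as a single LDIF file. This is an added example, not part of the original lab handout; it keeps the 'coolname' placeholder from the slides and assumes slapd.conf includes the core, cosine and nis schemas (posixAccount and posixGroup are defined in nis.schema).

```ldif
# Top-level dcObject for the machine's domain ('coolname' is the slide
# placeholder; substitute your machine name throughout)
dn: dc=coolname,dc=cs,dc=colorado,dc=edu
objectClass: top
objectClass: dcObject
objectClass: organization
dc: coolname
o: coolname

# Organizational units under the top-level domain
dn: ou=people,dc=coolname,dc=cs,dc=colorado,dc=edu
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=coolname,dc=cs,dc=colorado,dc=edu
objectClass: top
objectClass: organizationalUnit
ou: groups

# Group 'remoteusers' with gid 26354 (posixGroup comes from nis.schema)
dn: cn=remoteusers,ou=groups,dc=coolname,dc=cs,dc=colorado,dc=edu
objectClass: top
objectClass: posixGroup
cn: remoteusers
gidNumber: 26354
memberUid: jonesbm

# User 'jonesbm'; no userPassword here, it is set later with 'sudo passwd'
dn: uid=jonesbm,ou=people,dc=coolname,dc=cs,dc=colorado,dc=edu
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: jonesbm
cn: Bob Marley Jones
sn: Jones
uidNumber: 15243
gidNumber: 26354
homeDirectory: /home/jonesbm
loginShell: /bin/bash
gecos: Bob Marley Jones
```

Load it with ldapadd bound as the administrator DN chosen when slapd was installed (for example 'ldapadd -x -D cn=admin,dc=coolname,dc=cs,dc=colorado,dc=edu -W -f lab10.ldif', where the cn=admin name is an assumption), then confirm the entry is visible with 'ldapsearch -x uid=jonesbm'.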

Part 2 - Enabling and Enforcing SSL connections with LDAP Authentication

This part is self-guided and you will call upon your googling skills to figure out how to do this specific task.

  1. Turn on SSL encryption and configure your SSL certificates from the Apache lab in your /etc/ldap/slapd.conf file.
  2. Configure your /etc/pam_ldap.conf and /etc/libnss_ldap.conf files to enable TLS communication to perform authentication.

How to test your configuration

I will be performing the following tests on your ldap server for part 1:

  1. Perform an 'ldapsearch -x' on the command line searching for user 'jonesbm'; I will expect an answer back.
  2. Run the commands 'id jonesbm' and 'getent passwd jonesbm' and get all of user jonesbm's information back.
  3. Set a password for user 'jonesbm' by running 'sudo passwd jonesbm' and you should NOT be prompted for the existing password.
  4. Login with user 'jonesbm' via the console and via ssh with the newly set password.

I will be performing the following tests on your ldap server for part 2:

  1. Perform an 'ldapsearch -x' on the command line searching for user 'jonesbm'; I will NOT expect an answer back, as this standard query does not use TLS.
  2. Perform an 'ldapsearch' on the command line searching for user 'jonesbm' with the command line option '-ZZ'; I will expect an answer back, as '-ZZ' enables TLS.
  3. Run all of the same tests for part 1 (excluding part 1.1) and have ALL of them still work.