Due on Friday, May 9, 2014, 11:59 PM
Note: You may use your remaining late hours on this lab.
In this lab, you will configure your VM to also run an LDAP server, and configure your VM and wiki server to use LDAP to obtain user account information. As with the previous lab, you will need to read, understand, and search the manuals for some configuration options.
This lab will be graded on a scale of 10 points.
You may do the lab alone, or with one partner. If you work with a partner, only one student will hand in the assignment for you. Be sure to list both partners' names on the handed-in assignment.
You will use your VM from lab 3 to complete this assignment.
When you are ready to hand in your lab code and write-up, upload the following to blackboard under Lab 4:
Note: Within a few days, the system administration staff will clone your VM, which will temporarily take it offline.
Because cloning the VM is a somewhat involved procedure, please do not submit multiple times unless the change in your grade will be substantial.
In this and all other labs, you may complete challenge problems for extra credit. If you do this, please include in your handin text a short (e.g., one or two paragraph) description of what you did to solve your chosen challenge problem and how to test it. If you implement more than one challenge problem, you must describe each one.
You may find it helpful to begin with a review of the slides on LDAP from 3/4.
NB: Ubuntu also provides an excellent quick-start guide and explanation of LDAP which you may find helpful.
Lightweight Directory Access Protocol, or LDAP, is a network service for storing directory information. One of the most common uses of LDAP is to store user account information, which is what you will do in this lab.
For this lab, we will use OpenLDAP, an open-source implementation of the LDAP protocol client and server. You can consult the manual for OpenLDAP here. Please read Chapter 1 of the manual before proceeding. The manual also explains how to build OpenLDAP; we will skip these steps by using apt-get. Chapters 2, 5, 6, and 7 will be useful and you would benefit from skimming these now.
The OpenLDAP server software is called slapd, and, by default, listens for connections on port 389. A client connects to the server to query whether a user exists, a given password hash matches the database, etc. The server generally stores its records in a database, BDB by default.
Similar to DNS, LDAP stores records in a hierarchical, tree-like format; each entry in the database has a distinguished name (DN) that uniquely and globally identifies the record. Each DN is a comma-separated list of both the ancestors, followed by the name of the entry. For instance, "cn=porter,dc=oscar,dc=cs,dc=stonybrook,dc=edu" is a DN for a record (cn=porter), that has 4 ancestors. The administrator can make whatever hierarchy she likes, but DNS-like top-level hierarchies are common by convention. Globally unique identifiers allow a client to aggregate records from different LDAP servers.
A record can store an abritrary number of fields. A record can instantiate object types, which basically define a set of expected records. For this assignment, you will need to define users as classes inetOrgPerson, posixAccount, and shadowAccount, which creates relevant record entries for a user.
First, select a "domain" for which you want serve an LDAP directory information tree (DIT). Before you install, configure this in /etc/hosts. If I want my domain to be oscar.cs.stonybrook.edu, my hosts file should look like this:
127.0.0.1 localhsot 127.0.1.1 ubuntu.oscar.cs.stonybrook.edu ubuntu #The following lines are for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00:0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters
Note that it is possible, but substantially harder, to change the base DN for a server after installation.
Use apt to install the slapd server; do not download and compile source.
To start slapd, use service slapd start. If the service fails to start, you can set the loglevel directive in the slapd.conf file, and look for entries in /var/log/syslog.
The configuration of sladp used to be in a single file, similar to many Unix utilities. Now, slapd actually stores its own configuration in its own directory tree; in my opinion, this makes initial setup and bootstrapping a little more difficult. You can see the raw configuration database files under /etc/ldap/slapd.d, but you should not edit these files by hand---the format is fairly fragile and even a small error may be impossible to recover from. Instead, you should use tools like ldapsearch and ldapmodify to read and modify configuration entries (as well as to create and edit user-facing records).
For instance, you can read the current state of your configuration tree with this command:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
Similarly, you can dump the current record for your domain (substituting your base dn for dc=oscar,dc=cs,dc=stonybrook,dc=edu) with this command:
sudo ldapsearch -x -LLL -H ldap:/// -b dc=oscar,dc=cs,dc=stonybrook,dc=edu dn
Currently, you will only have a top-level directory, and an administrator user.
NB: A useful, graphical tool for working with an LDAP server is jxplorer. Jxplorer lets you visually walk the directory tree. You will need to install and run jxplorer on your own desktop machine, which may require you to create an ssh tunnel to connect to port 389 on your VM from outside the department or off campus. You can modify entries in the tree with either command-line tools or jxplorer. My recommendation is to start with jxplorer until you have a better intuition about the tree-structure of your data, and then get some practice with the command-line utilities.
Exercise 1. (2 points) Install and configure slapd. You may need to refer to the manual for the configuration parameters.
Use jxplorer to verify that you can connect to the server and see a nearly-empty directory tree.
In jxplorer, create two organizationalUnit objects (i.e., directories) under your base DN called users and group. This will store your user and group objects.
Your next task will be to create an organizational hierarchy, similar to dc=oscar,dc=cs,dc=stonybrook,dc=edu. We recommend replacing oscar as your "organization", with something like your netid. Within your organization, you will need to create directories for groups, users, as well as an ldapadmin account record of classes simpleSecurityObject and organizationalRole types.
Initially, create a test user and group in the appropriate folders using jxplorer. Set up the group first. A group record should be of class posixGroup. The group record should include the following fields:
As described above, your user should be in the users folder, and should instantiate objectClasses top, inetOrgPerson, posixAccount, and shadowAccount. Although some fields will not be instantiated, you should be sure to set up the follwing fields:
Creating entries by hand in jxplorer is cumbersome and error prone. You can also create LDAP Directory Information Format files (.ldif) by hand, or write scripts that generate them for new users, and then add them in bulk. You can pattern match an ldif file (adapted from the Ubuntu tutorial), like the one below:
dn: cn=john,ou=group,dc=oscar,dc=cs,dc=stonybrook,dc=edu objectClass: posixGroup cn: john gidNumber: 5000 dn: cn=john,ou=users,dc=oscar,dc=cs,dc=stonybrook,dc=edu dn: uid=john,ou=users,dc=oscar,dc=cs,dc=stonybrook,dc=edu objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: john sn: Doe givenName: John cn: John Doe displayName: John Doe uidNumber: 10000 gidNumber: 5000 userPassword: johnldap gecos: John Doe loginShell: /bin/bash homeDirectory: /home/john
Such an ldif file can have an arbitrary number of records. Once you have created this file, called test-info.ldif, you can add it to the tree using this command:
ldapadd -x -D cn=admin,dc=oscar,dc=cs,dc=stonybrook,dc=edu -W -f test-info.ldif
You can then use ldapsearch (or jxplorer) to confirm that the entries were created properly.
Exercise 2. (3 points) Create a directory hierarchy for your "organization", and create at least 3 test accounts and groups. Be sure to list these accounts and their passwords as part of your handin.
Also, for your own edification, try adding users both through jxplorer and on the command line, via an ldif file.
As we discussed in class, Linux systems with Pluggable Authentication Modules, or PAM, can be configured to get user and group information from LDAP and the local database.
Begin by installing libnss-ldap. Note that the apt setup dialog asks most of the questions you need to answer. Nonetheless, you may need to edit the following files:
Troubleshooting: If you have problems, start with the logs /var/log/syslog and /var/log/auth.log for messages about what might be going wrong.
Exercise 3. (2 points) Configure your system to get users and groups from both the local database and LDAP. Once this is successfully configured, the output of getent passwd should include both local and LDAP user accounts. Similarly, confirm that you can log in to the system as these users, and change their passwords.
Part of what makes LDAP so useful is that a given server can manage multiple users of multiple services. In the final exercise, we will also configure your MediaWiki server to use LDAP for user accounts. Specifically, we will create a group, called ldapwiki, which we can add system users to and automatically grant them wiki access with the same password.
You will need to install and configure the mediawiki ldap plugin. The manual lists several examples of the configuration necessary.
One particularly useful directive is:
$wgLDAPRequiredGroups = array( ""=>array("cn=ldapwiki,ou=groups,dc=LDAP,dc=example,dc=com") );
where, the prefix should match your organization.
Exercise 4. (3 points) Configure your wiki to allow ldap users in group ldapwiki. Add one of your test users to this group, and keep one out of the group. Verify that one user can log in and the other cannot.
This completes the lab. Hand in the assignment as explained above. The system staff will clone your VM a few days after you hand in the assignment via blackboard, which temporarily takes the VM offline.
Last updated: 2014-05-09 22:40:26 -0400 [validate xhtml]