posted Nov 1, 2015, 5:51 AM by Joshua S [ updated Nov 10, 2015, 1:36 PM ]
This tutorial configures a Raspberry Pi as a client of an LDAP server running OpenLDAP. This allows for centralized authentication and authorization.
LDAP (Lightweight Directory Access Protocol) allows for central authentication (UserIDs and Passwords) and authorization (Security Groups), along with a number of other centralized management functions such as distribution lists.
With any of the Dabbles on this site, if you have questions, suggestions, or thoughts, please feel free to send me an eMail (I'm still working to figure out how to enable comments on Google Sites -- suggestions would be appreciated)!
- RaspberryPi – The actual RaspberryPi hardware this will all be built around. In this tutorial, a Raspberry Pi 2 is used and has a memory card with the Raspbian operating system pre-installed.
- PuTTY SSH Client – PuTTY is a free and open-source terminal emulator, serial console and network file transfer application. It supports several network protocols, including SCP, SSH, Telnet, rlogin, and raw socket connection. Other SSH tools can be used, but this tutorial will leverage PuTTY.
Prerequisites:
- Install Raspbian on a memory card for the Raspberry Pi. For a tutorial to do this, try:
- Configure Raspbian so the basic setup is complete. For a tutorial to do this, try:
- Shrink the Raspbian operating system to remove unused components, increasing efficiency and decreasing the attack surface. For a tutorial to do this, try:
- Configure a DNS server to allow for centrally managed name-based addressing. For a tutorial to do this, try:
- Configure an LDAP server to allow for centrally managed authentication and authorization. For a tutorial to do this, try:
- Update Raspbian to the latest software versions. This should be done periodically and prior to making any changes to the RaspberryPi. For a tutorial to do this, try:
Project:
- I know I said this guide was going to be comprehensive and not skip any steps, so what better way to start this off than by skipping steps. I am not writing out instructions for the following (and illustrating from XKCD):
- Buying a MicroSD Card
- Buying a RaspberryPi
- Finding the IP Address of your Pi
- This can be done in many ways, including on your router or using an IP scanner (such as Angry IP Scanner or Nmap). If there are requests from the "Contact Me" form, I'll look to create a tutorial for this.
- Obtaining and installing PuTTY
- Using PuTTY (or the SSH client of your choice) enter the IP Address or DNS Name of the RaspberryPi.
- If this is the first time you connect, you will get a warning that the RaspberryPi's host key is unknown. Click "Accept" or "Connect Once" to proceed with the connection.
- Once connected, log onto the Pi using the credentials you created. If you have not defined your own credentials, you should, but these are the default credentials:
- UserID: pi
- Password: raspberry

- OK, good! Now that everything is updated, let's install our LDAP client. Use the following command:
sudo apt-get -y install libpam-ldapd libnss-ldapd
- libpam-ldapd – Integrates LDAP authentication with the Pluggable Authentication Modules (PAM) framework in Linux.
- libnss-ldapd – Integrates LDAP user and group lookups with the Name Service Switch (NSS) functionality in Linux.
- During the install, you will be prompted to enter the server location as an LDAP URI. This can be given with an IP address or a host name, but it is recommended to use the IP address to prevent authentication failures if the DNS server is down. In our case, we'll use a host-name URI with an IP-address fallback. By using both, the name can be reassigned during a migration from one server to another while the IP address remains pointed at the existing server. Accept the search base distinguished name on the next screen, and then select every option on the services screen by pressing space and the down arrow.
- To allow a user to log onto the Pi using LDAP, we need to edit the /etc/pam.d/common-session file using nano and add the following line to the bottom of the file. It creates home directories for LDAP users if they do not already exist. A full example of this file is attached at the bottom of this lesson for reference.
sudo nano /etc/pam.d/common-session
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
- Issue the following commands to check that the configuration is working. The first should list users, with LDAP users at the end, while the second should list groups, with LDAP groups at the end. Look for users and groups you know you created in the LDAP directory to ensure the connection works.
- Congratulations! Your Client is now configured to authenticate against the central LDAP server!
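The following script is an added check for the pieces configured above and is not part of the original tutorial. It counts the URIs in nslcd.conf (host name plus IP fallback), checks whether the bind to the server is protected by TLS, confirms the nsswitch entries and the pam_mkhomedir line, and prints the accounts that NSS resolves but /etc/passwd does not know, i.e. the LDAP users. The file paths, the --check flag and the sample values in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity checks for the
# LDAP client pieces the tutorial configures (nslcd, NSS, PAM). Each function
# takes file paths as arguments so it can be run against the live files or
# against copies; the paths, the --check flag and sample values are assumptions.

# Number of "uri" lines in nslcd.conf. The tutorial wants a host-name URI plus
# an IP-address fallback, so a correctly configured client has at least two.
nslcd_uri_count() {
    grep -cE '^[[:space:]]*uri[[:space:]]+ldaps?://' "$1" 2>/dev/null
}

# Succeeds if the bind is protected: an ldaps:// URI or "ssl start_tls".
# With a plain ldap:// URI every login sends the user's password in clear text.
nslcd_uses_tls() {
    grep -qE '^[[:space:]]*(uri[[:space:]]+ldaps://|ssl[[:space:]]+start_tls)' "$1" 2>/dev/null
}

# Succeeds if nsswitch.conf consults ldap for passwd, group and shadow, which
# is what selecting every option on the services screen sets up.
nsswitch_has_ldap() {
    for db in passwd group shadow; do
        grep -qE "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" 2>/dev/null || return 1
    done
}

# Succeeds if common-session carries the pam_mkhomedir line from the tutorial.
pam_has_mkhomedir() {
    grep -qE '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so' "$1" 2>/dev/null
}

# Print the account names that NSS resolves but the local passwd file lacks,
# i.e. the users supplied by LDAP. $1 = saved `getent passwd` output, $2 = /etc/passwd.
ldap_only_users() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Run every check against the live system and report one line per item.
check_client() {
    n=$(nslcd_uri_count /etc/nslcd.conf)
    [ "${n:-0}" -ge 2 ] && echo "PASS: $n uri lines" || echo "FAIL: need host-name uri plus IP fallback"
    nslcd_uses_tls /etc/nslcd.conf && echo "PASS: bind uses TLS" || echo "FAIL: bind is unencrypted"
    nsswitch_has_ldap /etc/nsswitch.conf && echo "PASS: nsswitch" || echo "FAIL: nsswitch lacks ldap"
    pam_has_mkhomedir /etc/pam.d/common-session && echo "PASS: mkhomedir" || echo "FAIL: no pam_mkhomedir line"
    getent passwd > "/tmp/getent.$$" && echo "LDAP users:" && ldap_only_users "/tmp/getent.$$" /etc/passwd
    rm -f "/tmp/getent.$$"
}

if [ "${1:-}" = "--check" ]; then check_client; fi
```

Run it on the Pi as `sh check_ldap_client.sh --check` after the install to get one PASS/FAIL line per item and the list of LDAP-supplied accounts.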