posted Oct 24, 2015, 3:02 PM by Joshua S [updated Nov 10, 2015, 1:38 PM]
This tutorial will implement an LDAP server using OpenLDAP. Ultimately, this server will be the "authorization and authentication" server.
LDAP (Lightweight Directory Access Protocol) allows for central authentication (UserIDs and Passwords) and authorization (Security Groups), along with a number of other centralized management functions such as distribution lists.
With any of the Dabbles on this site, if you have questions, suggestions, or thoughts, please feel free to send me an eMail (I'm still working to figure out how to enable comments on Google Sites -- suggestions would be appreciated)!
- RaspberryPi – The actual RaspberryPi hardware this will all be built around. In this tutorial, a Raspberry Pi 2 is used and has a memory card with the Raspbian operating system pre-installed.
- PuTTY SSH Client – PuTTY is a free and open-source terminal emulator, serial console and network file transfer application. It supports several network protocols, including SCP, SSH, Telnet, rlogin, and raw socket connection. Other SSH tools can be used, but this tutorial will leverage PuTTY.
- LDAP Admin – LDAP Admin is a free Windows LDAP client and administration tool for LDAP directory management. I have not yet found a Linux administration tool that I like, and this tool does not play nicely in WINE, but there are Linux tools for anyone who does not have access to Windows.
Prerequisites:
- Install Raspbian on a memory card for the Raspberry Pi – for a tutorial to do this, try:
- Configure Raspbian so the basic setup is complete. For a tutorial to do this, try:
- Shrink the Raspbian operating system to remove unused components thus increasing efficiency and decreasing the attack surface. For a tutorial to do this, try:
- Configure a DNS server to allow for name based addressing which is managed centrally. For a tutorial to do this, try:
- Update Raspbian to the latest software versions. This should be done periodically and prior to making any changes to the RaspberryPi. For a tutorial to do this, try:
Project:
- I know I said this guide was going to be comprehensive and not skip any steps, so what better way to start this off than by skipping steps. I am not writing out instructions for the following (and illustrating from XKCD):
- Buying a MicroSD Card
- Buying a RaspberryPi
- Finding the IP Address of your Pi
- This can be done in many ways, including on your router or using an IP scanner such as AngryIP Scanner or Nmap -- if there are requests from the "Contact Me" form, I'll look to create a tutorial for this.
- Obtaining and installing PuTTY
- Using PuTTY (or the SSH client of your choice) enter the IP Address or DNS Name of the RaspberryPi.
- If this is the first time you connect, you will get a warning that the RaspberryPi's host key is unknown. Click "Accept" or "Connect Once" to proceed with the connection.
- Once connected, log onto the Pi using the credentials you created. If you have not defined your own credentials, you should, but these are the default credentials:
- UserID: pi
- Password: raspberry

- OK, good! Now that we are connected, let's install OpenLDAP:
sudo apt-get -y install slapd ldap-utils
- slapd – OpenLDAP, this is the base package to allow for authentication and authorization.
- ldap-utils – These are the LDAP utilities used to interact and manage the LDAP installation.
- During the installation process, configuration screens will appear and solicit input. The first screen prompts us for an Administrator Password. We are going to have to reset this password later when we perform a detailed configuration, so enter something here, but it doesn't matter what you choose -- you'll change it later and don't need to remember it now. You will be prompted to re-enter the password -- type the same password in that prompt and press enter.
- Let's restart, then we can start working on configuration.



- In order to set up the LDAP Server, we need to reconfigure the slapd package. In essence, it has you set up a basic configuration when it installs, but we need to edit more settings than it initially presented. To do this, we'll issue the following command:
sudo dpkg-reconfigure slapd

- The first step asks if we want to reconfigure the OpenLDAP server. We should select No.
- Next, choose your domain name. This does not have to be a real domain, and is often something with a .lan or .home address. In this case, I'll use the same domain used in the previous lesson when configuring the DNS server.

- Now, enter your organization name. This is a business name or something similar that is meaningful to a person who would read it.
- We must now enter the Administrator password. Do not forget this, and choose a strong complex password as this will be the most powerful account in your LDAP installation. You will then be prompted to re-enter the same password.


- We are now prompted to choose a database format. Note, the prompt points out that while both formats support the same configuration and use similar storage options, MDB supports subtree renames. We will choose MDB as it is the more flexible option.
- We will then be prompted to determine if the database should be removed when slapd is purged -- select no.
- The configuration process now wants to know if we should move the default database created when we first installed slapd. We won't use this database, so let's say yes.
- Next, we need to decide if we want to enable LDAPv2. This is outdated and insecure -- unless there is a reason to enable it, we should accept the option to disable LDAPv2.
- Our setup of slapd should be complete. We need to validate this by opening LDAP Admin and selecting the connection button.
- Now select New connection in order to configure our connection to the RaspberryPi.
- In the configuration, provide the name at the top -- this can be anything descriptive, but I'll use AcademicDabbling. The connection section needs to be updated with the host IP of 192.168.84.158, and the Base can be populated by clicking the Fetch DNs button (after the IP is populated). Note, in your environment ensure the host IP matches the RaspberryPi we've been working on. Finally, in the account section, enter the admin account in the format shown in the image and the password you selected. Check that everything worked by clicking "Test connection", and if everything works, click OK.
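The same validation can be done from the Pi's own shell with the ldap-utils package installed above, which is useful if you have no Windows machine for LDAP Admin or want to confirm the server works before pointing a GUI at it. The script below is an added example and is not part of the original tutorial; the domain name academicdabbling.lan and the host 192.168.84.158 are placeholders for whatever you entered during dpkg-reconfigure. The base DN and the admin DN it derives follow the Debian slapd packaging convention (a domain of example.lan becomes dc=example,dc=lan, and the administrator is cn=admin under that base), which is also the DN format LDAP Admin expects in its account section.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify a freshly
# reconfigured slapd from the Pi itself using ldap-utils.
# Assumptions (placeholders, not from the page): domain academicdabbling.lan,
# host 192.168.84.158. Substitute the values you used in dpkg-reconfigure.

# Turn the domain given to dpkg-reconfigure into the base DN slapd created:
#   "example.lan" -> "dc=example,dc=lan"
domain_to_base_dn() {
    printf '%s\n' "$1" | awk -F. '{
        s = ""
        for (i = 1; i <= NF; i++) s = s (i > 1 ? "," : "") "dc=" $i
        print s
    }'
}

# The Debian package names the administrator entry "cn=admin" under the base DN.
admin_dn() {
    printf 'cn=admin,%s' "$(domain_to_base_dn "$1")"
}

# Check 1: an anonymous read of the root DSE lists the naming contexts the
# server holds and the protocol versions it offers (after disabling LDAPv2
# during reconfigure, only version 3 should be listed).
check_rootdse() {
    ldapsearch -x -H "ldap://$1" -s base -b '' namingContexts supportedLDAPVersion
}

# Check 2: a simple bind as the administrator, listing the entries directly
# under the base DN. -W prompts for the password so it never lands in shell
# history or the process list.
check_admin_bind() {
    host=$1
    domain=$2
    ldapsearch -x -H "ldap://$host" -W -D "$(admin_dn "$domain")" \
        -b "$(domain_to_base_dn "$domain")" -s one dn
}

# Only touch the network when run directly with <host> <domain>, so the
# functions above can also be sourced and reused without a live server.
if [ "$#" -eq 2 ]; then
    check_rootdse "$1" && check_admin_bind "$1" "$2"
fi
```

Run it as `sh verify_slapd.sh 192.168.84.158 academicdabbling.lan` (a file name I chose for this example). The first search succeeds without credentials because the root DSE is readable anonymously by default; the second only succeeds if the administrator password you set during reconfigure is accepted, which is exactly what LDAP Admin's "Test connection" button exercises.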
- Congratulations! Your OpenLDAP Authentication Server is now installed and ready to go!