
Global Open Versity, ICT Labs Install Guide OpenLDAP for Enterprise Identity Management & SSO v1.

Global Open Versity


Systems Integration Hands-on Labs Training Manual

Install Guide OpenLDAP for Enterprise Identity Management & SSO

Kefa Rabah
Global Open Versity, Vancouver Canada
krabah@globalopenversity.org
www.globalopenversity.org

Table of Contents Page No.

INSTALL GUIDE OPENLDAP FOR ENTERPRISE IDENTITY MANAGEMENT & SSO 1

1.0 Introduction 1
Topics Covered 2

1.1 Linux/Unix Authentication and Naming services 2

1.2 Introduction to LDAP 2


1.2.1 What is LDAP 2
1.2.2 LDAP Advantages 2
1.2.3 LDAP Disadvantages 3

1.3 LDAP Hierarchy 3


1.3.1 Components of LDAP directory for a small enterprise 3
1.3.2 Distinguished Names (dn) 4

2.0 LDAP Schema 4


2.1 Access to an LDAP Server 5
2.2 LDAP vendors 5

3.0 OpenLDAP installation and configuration 5


Step 1: Install OpenLDAP on CentOS5/RHE5 6
Step 2: OpenLDAP Setup & Configure on Linux CentOS5 6
Step 3: Test Populate our LDAP server 8
Step 4: More on OpenLDAP Commands 10

4.0 Deploying LDAP Directory Infrastructure 11


Step 1: Create an LDIF file for importing to the OpenLDAP database 12

5.0 Linux OpenLDAP Client Machine Configuration 14


Step 1: Download & Install OpenLDAP Client’s Required Packages 14
Step 2: Verify DNS Health Check 14
Step 3: Configuring OpenLDAP Client on Linux CentOS5 15
Step 4: Check & verify the client configuration file /etc/openldap/ldap.conf 17
Step 5: Check & verify the client configuration file /etc/ldap.conf 17
Step 6: Test OpenLDAP connectivity with Client 18

1
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada

www.globalopenversity.org CIS401 - Linux for Engineering and IT Applications


6.0 Deploying LDAP Directory for Infrastructure SSO 20


4.1 Data tree with dn, objectClass, cn, and sn attributes 23
Step 1: Populate the LDAP Tree 23

7.0 Summary 27

8.0 References: 27

9.0 Hands-on Lab Assignments 28

Linux Administration Training 28

A GOV Open Knowledge Access Technical Academic Publications




By Kefa Rabah, krabah@globalopenversity.org Nov 8, 2009 GTS Institute

1.0 Introduction
LDAP is an acronym for Lightweight Directory Access Protocol. It is a simplified derivative of the X.500
directory access protocol that runs directly over TCP/IP. It is lean and fast, and scales to the read-heavy
lookup traffic generated by today's internet services, electronic commerce and time-critical web content.
The LDAP directory set up in this training manual will be used for authentication, as a shared directory
for mail clients, for contacts and address books, and so on.

Today, LDAP directories and LDAP authentication have become one of the enterprise user infrastructure
cornerstones. As the enterprise has digitized and opened itself up to customer, business partner, vendor
and wide-spread employee access to pieces of most enterprise applications, the need to know who the
user is has significantly increased from a security perspective. Who is the user trying to access an
application? What is the strength of authentication by which the application can trust the user trying to
access the application? What are the user's authorization privileges?

In practice, an enterprise-wide LDAP implementation lets almost any application, running on almost any
computer platform, obtain information from your LDAP directory. That directory can store a broad range
of data: email addresses and mail routing information, HR data, public keys and certificates, contact
lists, and much more. By making the LDAP directory the focal point of your systems integration you
provide one-stop shopping whenever people go looking for information within your company, even if the
primary source of the data lives elsewhere. Users sign in once, via Single Sign-On (SSO) backed by this
identity management directory, and thereafter have access to all LDAP-linked services and resources
they have permission to use.

OpenLDAP Software is a free, open source implementation of the Lightweight Directory Access Protocol
(LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the
OpenLDAP Public License. LDAP is a platform-independent protocol.

Historically the OpenLDAP server (slapd, the Standalone LDAP Daemon) has been split into a frontend,
which handles network access and LDAP protocol processing, and one or more backends, which deal
strictly with data storage. The architecture is modular and many different backends are available for
interfacing to other technologies, not just traditional databases.

Proper design, implementation and deployment of enterprise LDAP authentication right from the beginning
is crucial to the eventual success of centralized identity management, and therefore of SSO. Getting it
wrong can be very detrimental to security. For example, before LDAP authentication is implemented the
enterprise should first determine which system or application will be authoritative for the identity data,
which users fall into the super-user categories and what privileges are allocated to them. Not
implementing things correctly could in the end mean cleaning up the
associated business processes dealing with identity creation, role changes and terminations. Often the
authoritative identity source will have many identities in its data store listed as active that are no longer
active. Such stale accounts create undetected, and sometimes hidden, security holes in any large
enterprise LDAP authentication deployment, because a stale account still authenticates.

In this hands-on training manual we go step by step through how to successfully plan, design, implement
and deploy an OpenLDAP server and an OpenLDAP client on separate Linux CentOS 5 machines. It is
assumed in this lab session that you have a good understanding of Linux and also know how to set up
DNS servers and mail servers. If not, the following four articles will give you a quick start and get you
going.

1. Install Configure and Upgrade Linux CentOS5 Server v1.1
2. Using Webmin and Bind9 to Setup DNS Server on Linux
3. Deploy Secure Messaging Solution using Sendmail & Dovecot Servers with ClamAV on Linux
4. Step-by-Step Install Guide for Evolution Mail Client with Addressbook using LDAP on Linux v1.2

Topics Covered

1. Overview of Unix Authentication and Naming services
2. Introduction to LDAP
3. LDAP installation and configuration
4. LDAP applications
5. Practical Exercises

1.1 Linux/Unix Authentication and Naming services


Some of the UNIX authentication and naming services are: NIS, NIS+, LDAP and Kerberos.

1.2 Introduction to LDAP

1.2.1 What is LDAP

• A directory publishing service
• The Lightweight Directory Access Protocol: a lightweight way of accessing X.500-style directories
• The current version is LDAPv3 (RFC 4511, originally RFC 2251); RFC 2253 (now RFC 4514) defines the
string representation of distinguished names used throughout this guide
• Stores attribute-based data (a kind of database)
• Data is generally read far more often than written, so servers are optimized for search and read
• Client/server implementation
• Possesses an extensible schema of object classes

1.2.2 LDAP Advantages

• Provides a standard means of accessing data over a network
• Fast searches and retrieval of data
• Good security mechanisms: authenticated binds (simple or SASL), per-entry and per-attribute access
control, and TLS for protecting the connection

1.2.3 LDAP Disadvantages

• X.500 heritage: the hierarchical data model and naming feel foreign to people used to relational databases
• Limited flexibility: the design relies on the namespace (tree layout) and the schema, both of which are
hard to change once data is in place
• Entries are not kept in a plain-text file but in a binary database under /var/lib/ldap, so updates need
LDAP tools (ldapadd, ldapmodify) or LDIF files rather than an editor
• Application vendors use directories in their own way
• Lack of standardization in some areas, for example access control and replication, which are
implementation specific

1.3 LDAP Hierarchy


Figure 1 shows a schematic LDAP hierarchical structure.

Fig. 1: A data tree with root, branch and leaf nodes

1.3.1 Components of LDAP directory for a small enterprise

Figure 2 shows a more realistic schematic LDAP data tree for a small enterprise, with root, branch and leaf
nodes.

Fig. 2: A data tree for example.com. Root node: the organization (o) or domain component (dc) entry
dc=example,dc=com. Branch nodes: the organizational units (ou) IT and Sales. Leaf nodes: the person (cn)
entries Joe Johns, Rick Doug, Sarah Smith, Kate Jude and Will Smith.


• Directory Levels
• Domain component (dc) or organization (o)
• Organizational Unit (ou)
• Common names (cn)

1.3.2 Distinguished Names (dn)

Figure 3 shows an LDAP hierarchical structure: an organizational data tree with root, branch and leaf
nodes.

Fig. 3: An organizational data tree with root, branch and leaf nodes

A distinguished name (dn) is the unique name of an entry in the directory tree. It is read from the entry's
own relative distinguished name (RDN, e.g. cn=Joe Johns) on the left up to the root on the right, so the
DN of an entry is its RDN followed by the DN of its parent:

dn: dc=example,dc=com
dn: ou=IT,dc=example,dc=com
dn: cn=Joe Johns,ou=IT,dc=example,dc=com
dn: cn=Rick Doug,ou=IT,dc=example,dc=com

2.0 LDAP Schema


An LDAP schema:
• is a set of rules that describes what kind of data is stored
• helps maintain consistency and quality of data
• reduces duplication of data
• is selected per entry by the objectClass attribute, which determines the schema rules the entry must follow
• specifies, for each object class:
  • required (MUST) attributes
  • allowed (MAY) attributes
  • how attribute values are compared (matching rules, e.g. case-insensitive for cn and ou)
  • what the attributes can store (syntax), e.g. restricted to an integer
  • what information may be stored, e.g. single-valued attributes that stop duplication

• There are Schemas available for various kinds of Directories.

2.1 Access to an LDAP Server

Figure 5 shows how LDAP clients query and modify data in the LDAP directory using commands.

Fig. 5: Clients can query and modify data in the directory using commands. (Diagram: the LDAP client
sends a query to slapd on the LDAP server, which listens on TCP port 389 and answers from the directory
database.)

Note that a simple bind over plain TCP/389 sends the bind password in clear text across the network; in
production protect it with STARTTLS on port 389 or LDAPS on TCP port 636.

2.2 LDAP vendors

Some of the currently existing LDAP servers, open source and proprietary:

• Open source:
• OpenLDAP (OpenLDAP Public License) http://www.openldap.org
• Fedora Directory Server (now 389 Directory Server)
• Sun OpenDS

• Commercial offerings:
• Sun ONE (iPlanet) Directory Server
• Novell eDirectory
• IBM Directory Server
• Microsoft Active Directory
• Innosoft
• Lotus Domino
• Nexor
• Critical Path

3.0 OpenLDAP installation and configuration


1. OpenLDAP can be downloaded from http://www.openldap.org, compiled and installed on major Unix
systems.

2. Red Hat/CentOS RPMs:
• On a Linux server:
openldap
openldap-servers
openldap-clients
nss_ldap

• On a Linux Client:
openldap
openldap-clients
nss_ldap

Step 1: Install OpenLDAP on CentOS5/RHE5


The command-line equivalent of the steps below is yum install openldap-servers openldap-clients.

1. First and foremost, check whether OpenLDAP is already installed:

[root@server04 ~]# rpm -qa | grep openldap
openldap-servers-2.3.43-3.el5
openldap-servers-sql-2.3.43-3.el5
openldap-2.3.27-8.el5_2.4
openldap-2.3.43-3.el5
openldap-devel-2.3.43-3.el5
openldap-servers-overlays-2.3.43-3.el5
openldap-clients-2.3.43-3.el5
[root@server04 ~]#

   The pattern openldap matches every installed package whose name contains that string. An unquoted
   openldap* here would first be expanded by the shell against file names in the current directory, and as
   a regular expression it means "openlda" followed by zero or more p, so it does not do what the star
   suggests.

2. If you get a blank result, OpenLDAP is not installed. You can compile it from source, but the RPMs
obtained via yum on CentOS 5/RHEL 5 contain all the required files. To install all OpenLDAP packages on
CentOS 5, run:

[root@server04 ~]# yum install -y 'openldap*'

   The quotes keep the shell from expanding the glob against the current directory; yum itself matches the
   pattern against package names.

To start the slapd daemon, and have it start at boot in runlevels 3 and 5, issue the following commands
(the init script on CentOS 5 is called ldap, and the argument order is service <name> <action>):

[root@server04 ~]# service ldap start
[root@server04 ~]# chkconfig --level 35 ldap on

Step 2: OpenLDAP Setup & Configure on Linux CentOS5


In this section you will be shown how to set up an LDAP directory, initially used as an address book, with
OpenLDAP, an open source implementation of the Lightweight Directory Access Protocol.

The example below uses "beemtech.edu" as the base domain:

1. Edit the file /etc/openldap/slapd.conf and set the suffix, the root DN, the root password and the
database directory:

suffix "dc=beemtech,dc=edu"
rootdn "cn=Manager,dc=beemtech,dc=edu"
rootpw password
directory /var/lib/ldap

• Note: Do not store the root password in plain text. Run slappasswd (with no arguments it prompts for
the password twice and prints a salted {SSHA} hash) and paste the printed hash in place of the clear-text
rootpw value. Avoid slappasswd -s password, which leaves the password in your shell history and visible
to other local users in ps output while it runs. The file still holds this secret, so keep slapd.conf owned
by root:ldap with mode 640 so that only root and the slapd process can read it.

3. Copy the file /etc/openldap/DB_CONFIG.example into /var/lib/ldap as DB_CONFIG (it holds the
Berkeley DB cache and log settings for the database directory named above):

]# cd /etc/openldap/
]# cp DB_CONFIG.example /var/lib/ldap/DB_CONFIG

• Note: everything under /var/lib/ldap, including this file, should be owned by the ldap user that slapd
runs as; the CentOS 5 init script checks the ownership and warns if it is wrong.

4. Start the ldap service and enable it at boot:

]# service ldap start
]# chkconfig --level 35 ldap on

5. Create a file named base.ldif containing the lines below and save it into your home directory.

# File: base.ldif

## Root node
dn: dc=beemtech,dc=edu
objectclass: organization
objectclass: dcObject
o: beemtech.edu
dc: beemtech

6. Import base.ldif into your directory using the command below, binding as the root DN from slapd.conf:

ldapadd -x -D "cn=Manager,dc=beemtech,dc=edu" -w password -f ~/base.ldif
adding new entry "dc=beemtech,dc=edu"
[root@server04 ~]#

• Replace password with the root password you specified in slapd.conf. Note that -w password puts the
password into your shell history and makes it visible to every local user in ps output while the command
runs; outside a lab use -W instead, which prompts for the password.

7. To verify that the service is working, try the following query, which asks the server's root DSE for the
naming contexts it serves:

[root@server04 ~]# ldapsearch -x -b '' -s base '(objectClass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=beemtech,dc=edu

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@server04 ~]#
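The steps above leave two things to the reader: turning a domain name into the suffix, root DN and base entry, and replacing the clear-text rootpw with the {SSHA} hash that slappasswd prints. The script below is an added example, not code from the original guide or from the OpenLDAP project; it generates the slapd.conf fragment and base.ldif for any domain and produces and verifies an {SSHA} value using the same construction slappasswd uses by default (base64 of SHA-1(password + salt) followed by the 4-byte random salt). The domain beemtech.edu and cn=Manager are taken from the guide; the salt length and the tab layout of the config lines are this example's assumptions.

```python
"""Added example, not from the original guide: produce the Step 2 slapd.conf
settings and base.ldif for a DNS domain, and hash the rootpw the way
slappasswd does by default ({SSHA} = base64(SHA-1(password + salt) + salt),
4-byte random salt). The domain beemtech.edu and cn=Manager come from the
guide; everything else here is this example's own code and assumptions."""
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SALT_LEN = 4      # slappasswd's default salt length (assumption, see lead-in)
SHA1_LEN = 20     # a SHA-1 digest is always 20 bytes


def ssha_hash(password, salt=None):
    """Return a {SSHA} value that slapd accepts for rootpw or userPassword.

    A fresh random salt is used unless one is supplied, so two calls with
    the same password give different (equally valid) strings."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, candidate):
    """Check a candidate password against a stored {SSHA} value.

    The salt is recovered from the stored value (it follows the 20-byte
    digest); the digests are compared in constant time."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    cand = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, cand)


def domain_to_dn(domain):
    """Map a DNS domain to its dc-style suffix: beemtech.edu -> dc=beemtech,dc=edu"""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + label for label in labels)


def slapd_conf_fragment(domain, rootpw_hash, manager_cn="Manager",
                        directory="/var/lib/ldap"):
    """The four slapd.conf lines from Step 2, with a hashed rootpw only."""
    if not rootpw_hash.startswith("{"):
        raise ValueError("refusing to emit a clear-text rootpw")
    suffix = domain_to_dn(domain)
    return "\n".join([
        'suffix\t\t"%s"' % suffix,
        'rootdn\t\t"cn=%s,%s"' % (manager_cn, suffix),
        "rootpw\t\t%s" % rootpw_hash,
        "directory\t%s" % directory,
    ]) + "\n"


def base_ldif(domain):
    """The root entry of Step 5: an organization that is also a dcObject."""
    suffix = domain_to_dn(domain)
    first_label = suffix.split(",", 1)[0][len("dc="):]
    return "\n".join([
        "dn: " + suffix,
        "objectClass: organization",
        "objectClass: dcObject",
        "o: " + domain.strip().lower(),
        "dc: " + first_label,
    ]) + "\n"


if __name__ == "__main__":
    # "password" is the guide's placeholder; use a strong secret in practice.
    rootpw = ssha_hash("password")
    print(slapd_conf_fragment("beemtech.edu", rootpw))
    print(base_ldif("beemtech.edu"))
    print("verifies:", ssha_verify(rootpw, "password"))
```

Because the salt is random, the printed rootpw line differs on every run; any of them is accepted by slapd, and slappasswd output can be fed to ssha_verify in the same way. slapd_conf_fragment deliberately refuses a value that does not start with a scheme prefix, which is the mistake the note on slappasswd warns about.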

Step 3: Test Populate our LDAP server

8. To test our LDAP directory we need to populate it. To do this, create an LDIF file. The LDAP Data
Interchange Format (LDIF, RFC 2849) is a standard plain-text data interchange format for representing LDAP
directory content and update requests. LDIF conveys directory content as a set of records, one record
for each object (or entry), separated by blank lines. It represents update requests, such as Add, Modify,
Delete and Rename, as a set of records, one record for each update request. When adding entries, list
parents before children: ldapadd rejects an entry with "No such object" if its parent does not exist yet.

9. To help you manage your LDAP directory, you can install one of the GUI tools available, like:

• Kldap
• KDirAdm
• Directory Administrator
• GQ
• LDAP Browser/Editor
• JXplorer
10. Follow the link below to access the doc.

The full document has moved to Docstoc.com. You may download it from here:

http://www.docstoc.com/docs/46024785/Install-Guide-OpenLDAP-for-Enterprise-Identity-Management-
and-SSO
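Section 2.0 lists what a schema enforces (required attributes, matching rules) and Step 3 describes the LDIF file that populates the tree of Figure 2. The following script, an added example that is not part of the original guide or of OpenLDAP, ties the two together: a small LDIF reader that checks an import file for the errors slapd would return (parent entry missing, required attribute missing, naming attribute absent, duplicate entry) before the file is handed to ldapadd. The REQUIRED table is a hand-picked subset of the MUST attributes in the core, cosine and inetorgperson schemas for the object classes this guide uses, the DN normalization is simplified (escaped commas inside values are not handled), and SAMPLE_LDIF is constructed for the example.com tree of Figure 2 with two deliberate faults in the last entry.

```python
"""Added example, not part of the original guide: a minimal LDIF (RFC 2849)
reader that checks an import file for the mistakes ldapadd would reject.
REQUIRED is a hand-picked subset of OpenLDAP's core/cosine/inetorgperson
schemas; SAMPLE_LDIF is a constructed example.com tree with two faults."""
import base64

# MUST attributes of the object classes used in this guide (lower-cased).
REQUIRED = {
    "dcobject": {"dc"},
    "organization": {"o"},
    "organizationalunit": {"ou"},
    "person": {"sn", "cn"},
    "organizationalperson": {"sn", "cn"},
    "inetorgperson": {"sn", "cn"},
}

SAMPLE_LDIF = """\
# constructed sample: example.com tree from Figure 2, last entry is faulty
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corp

dn: ou=IT, dc=example, dc=com
objectClass: organizationalUnit
ou: IT
description: Information technology
  department

dn: cn=Joe Johns,ou=IT,dc=example,dc=com
objectClass: inetOrgPerson
cn: Joe Johns
sn: Johns
description:: SVQgc3RhZmY=

dn: cn=Sarah Smith,ou=Sales,dc=example,dc=com
objectClass: inetOrgPerson
cn: Sarah Smith
mail: sarah.smith@example.com
"""


def normalize_dn(dn):
    """Canonical form for comparison: strip spaces around RDNs and lower-case
    (cn, ou and dc all match case-insensitively). Escaped commas not handled."""
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError("bad RDN %r in %r" % (rdn, dn))
        attr, value = rdn.split("=", 1)
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def parse_ldif(text):
    """Return [(normalized_dn, {attr_lower: [values]})] in file order."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                        # comment line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded line: drop one leading space
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
            current = None
            continue
        if ":" not in line:
            raise ValueError("malformed line %r" % line)
        name, rest = line.split(":", 1)
        name = name.strip().lower()
        if name == "version":
            continue
        if rest.startswith(":"):            # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            raise ValueError("URL values (attr:< file://...) not supported here")
        else:
            value = rest.strip()
        if name == "dn":
            if current is not None:
                entries.append(current)
            current = (normalize_dn(value), {})
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current[1].setdefault(name, []).append(value)
    return entries


def check_ldif(text, suffix):
    """Return a list of problems (empty means ldapadd should accept the file)."""
    suffix = normalize_dn(suffix)
    known, problems = set(), []
    for dn, attrs in parse_ldif(text):
        parent = dn.split(",", 1)[1] if "," in dn else ""
        if dn != suffix and not dn.endswith("," + suffix):
            problems.append("%s: outside suffix %s" % (dn, suffix))
        elif dn != suffix and parent not in known:
            problems.append("%s: parent %s not added yet (ldapadd: No such object)" % (dn, parent))
        if dn in known:
            problems.append("%s: duplicate entry (ldapadd: Already exists)" % dn)
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if not classes:
            problems.append("%s: no objectClass" % dn)
        for cls in classes:
            for must in sorted(REQUIRED.get(cls, ())):
                if must not in attrs:
                    problems.append("%s: objectClass %s requires %s" % (dn, cls, must))
        rdn_attr, rdn_value = dn.split(",", 1)[0].split("=", 1)
        if rdn_value not in [v.lower() for v in attrs.get(rdn_attr, [])]:
            problems.append("%s: naming attribute %s is not present in entry" % (dn, rdn_attr))
        known.add(dn)
    return problems


if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF, "dc=example,dc=com") or ["no problems found"]:
        print(problem)
```

Run as is, the script reports that cn=Sarah Smith has no parent entry yet (ou=Sales is never added, the error ldapadd would give after the first three entries went in) and that inetOrgPerson requires sn; remove her entry and it reports nothing. Real files are larger than this, so the check is cheap insurance against a half-imported tree that then has to be cleaned up entry by entry.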

-----------------------------------------------
Kefa Rabah is the Founder and CIO, of Serengeti Systems Group Inc. Kefa is knowledgeable in
several fields of Science & Technology, IT Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance
your educating and career goals using the latest innovations and technologies.
