Description of exercise:
In this exercise you will learn the basics of the Lightweight Directory Access Protocol (LDAP), how to set up and populate an LDAP database, and how it can be used for authentication.
Material:
www.openldap.org
1. Preparation
Add static addresses for the virtual machines, and assign names to the VMs in the /etc/hosts file: lab1 as ldap.dcslabs.fi, lab2 as lab2.dcslabs.fi, lab3 as lab3.dcslabs.fi. Add routes if needed.
Test that you can ping lab2 and lab3 from host ldap. Lab2 doesn't need to be able to ping lab3 and vice versa.
If you still have firewall rules from the firewall assignment, flush the rules and set the default policy to accept.
Install the OpenLDAP server on lab1. You can find the right package with the command apt-cache search.
Question set 1
1.1 | Describe your network configuration. What IPs did you assign to the interfaces (4 interfaces in all) of each of the three hosts? What do your /etc/hosts file and routing table look like? | 1 p |
1.2 | What is LDAP and how is data stored in it? (PS: when writing the answer, keep its scope in proportion to the points given.) | 1 p |
2. Implementing LDAP server
Configuring the LDAP daemon
Create a simple configuration for the LDAP daemon by editing the /etc/ldap/slapd.conf file. You can test the configuration file with the slaptest tool.
Use this as a skeleton for the configuration:
include /etc/ldap/schema/core.schema
# Set cn=manager to be your rootdn (you have to extend this!)
Creating database
Next you have to create the database and add some data to it. That is done by creating an LDIF file and then adding the data from that file to the database with the ldapadd command. Use simple authentication. (PS: the LDAP server daemon has to be running.)
Note: the database directory that you defined earlier must exist and be writable by the openldap user (if you are using the default installation directory /var/lib/ldap, the directory permissions should be okay by default).
Skeleton of the LDIF file:
# This is the start of the tree.
dn: # fill in this part, use the "domain" as DN.
objectClass: dcObject
objectClass: Organization
objectClass: top
dc: dcslabs
o: dcslabs

dn: # fill in this part
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: top
cn: manager
userPassword: # fill in this part

dn: ou=users,dc=dcslabs,dc=fi
objectClass: organizationalUnit
ou: users

dn: # fill in this part
uid: ldapusr1
cn: LDAP testuser 1
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
userPassword: # fill in this part
loginShell: /bin/bash
uidNumber: 2001
gidNumber: 1000
homeDirectory: /home/ldapusr1
gecos: LDAP testuser 1,,,,
shadowLastChange: 15300
shadowExpire: 16000
shadowMin: 0
shadowWarning: 0
shadowMax: 1000
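As an added example (not part of the lab material), the following Python script parses an LDIF file of the shape above and flags two things worth checking before running ldapadd: duplicate DNs and userPassword values given in cleartext (slapd stores userPassword exactly as you add it). The ssha_hash function produces a {SSHA} value in the same form as slappasswd -h {SSHA}, which you can paste into the userPassword lines; the sample LDIF inside the script is constructed, not the lab's file.

```python
import base64, hashlib, os

SAMPLE_LDIF = """\
# constructed sample in the shape of the lab's LDIF skeleton (not the lab's own file)
dn: dc=dcslabs,dc=fi
objectClass: dcObject
dc: dcslabs

dn: uid=ldapusr1,ou=users,dc=dcslabs,dc=fi
objectClass: posixAccount
uid: ldapusr1
userPassword: secret123
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {attr: [values]} dicts (one per entry)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if line.startswith("#"):          # LDIF comment line
            continue
        if not line.strip():              # blank line separates entries
            if cur:
                entries.append(cur)
            cur = {}
        else:
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def lint_ldif(text):
    """Problems to fix before ldapadd: duplicate DNs and cleartext userPassword values."""
    problems, seen = [], set()
    for e in parse_ldif(text):
        dn = e.get("dn", [""])[0]
        if dn.lower() in seen:            # DNs must be unique in the tree
            problems.append("duplicate dn: " + dn)
        seen.add(dn.lower())
        if any(not p.startswith("{") for p in e.get("userPassword", [])):
            problems.append("cleartext userPassword: " + dn)
    return problems

def ssha_hash(password, salt=None):
    """{SSHA} value as slappasswd -h {SSHA} produces: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()
```

Running lint_ldif on the sample reports the cleartext password; replacing it with the output of ssha_hash clears the report.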
Question set 2
2.1 | How did you modify slapd.conf file? | 2 p |
2.2 | What is the meaning of the index lines in the slapd.conf file? And what are schema files? | 1 p |
2.3 | The slapd.conf configuration isn't very good from a security point of view. How would you improve it? (name at least two things to improve) | 1 p |
2.4 | What do DN and CN stand for in an LDIF file? Can there be multiple entries with the same DN or CN in the database? | 1 p |
2.5 | What modifications did you make to the LDIF file and what command line options and arguments did you use to create the database? | 2 p |
3. Setting up LDAP client
Modify /etc/ldap/ldap.conf on every VM if needed so that you don't have to specify the host every time you use the LDAP tools.
Test your configuration from lab2 with ldapsearch by showing only the uid=ldapusr1 entry and its attributes. Also test modifying entries with the ldapvi tool.
Adding new entry to database
Add a new user named "ldapusr2" from the command line on lab2 with the ldapadd command. Do not use an LDIF file for this. Use 2002 as the uidNumber and 1000 as the gidNumber. Fill in all the needed details.
Question set 3
3.1 | How did you modify /etc/ldap/ldap.conf file? Justify your answer. | 1 p |
3.2 | Show the working ldapsearch commands from lab2 and lab3, and the output of the commands. ldapsearch doesn't show all the information in the database. Why? Could you somehow see all the information? If yes, how? | 3 p |
3.3 | How did you add the new user with ldapadd command? Demo the process. | 2 p |
3.4 | Change ldapusr2's password with ldappasswd, and change ldapusr2's CN to "testuser2 for LDAP" with the ldapmodify command. Demo the process. | 2 p |
4. Activating PAM module for LDAP authentication
On the lab3 machine, activate the PAM module so that accounts from the LDAP directory can be used to log in to the virtual machine. For that to be possible, install the libnss-ldap, libpam-ldap and ldap-auth-config packages if they are not installed already, and configure them to use the LDAP server. You also need to modify the /etc/nsswitch.conf file and restart the service afterwards.
Remember also to create the home directories and set their permissions according to the LDAP entries. Modify lab3's /etc/ssh/sshd_config file so that ldapusr1 cannot log in to the VM but ldapusr2 can. Test your configurations.
Question set 4
4.1 | What directories did you create and how did you change their permissions? | 1 p |
4.2 | How did you configure the packages? Which services did you activate to use LDAP? | 1 p |
4.3 | Demonstrate a successful ssh login from lab1 to lab3 with the ldapusr2 account. How did you block ldapusr1's access? How could you restrict login to only specified users? | 1 p |
4.4 | The normal user administration tools should now use the LDAP server. But, for example, users from the LDAP directory can't change their password. Why is that? How would you allow them to do that? | 1 p |