OpenDJ Installation

OpenDJ

Introduction

OpenDJ is an open source directory service written in Java that implements the Lightweight Directory Access Protocol (LDAPv3) and the Directory Service Markup Language (DSMLv2).
OpenDJ is built on the Java AWT framework and therefore also provides a GUI-based management console.

LDAP is an application protocol for accessing and maintaining distributed directory information services.
An example makes LDAP easier to understand.
Say I want to set up a small LAN in which one central system holds the records of all users (username, password, home directory and the other details you would expect in any telephone directory), and the remaining systems on the LAN grant access using the credentials registered on that central system.
LDAP authentication is mostly used for SSO (Single Sign-On). SSO means a user logs in once and can then access every system on the network without logging in again.
The central system that holds all the user records is the LDAP server. The other systems, which grant access to users registered on the LDAP server, are LDAP clients. An LDAP server usually listens on port 389, but binding port 389 through OpenDJ requires sudo access; without it, the LDAP listener starts on port 1389 instead.

I have set up OpenDJ in console mode and have added, modified and deleted users using console commands. I will give the details for console mode.


Things to know


Before setting up the LDAP server, I want to share a few things about OpenDJ. There is one directory manager account that is responsible for add, modify and delete operations on the LDAP server. LDAP clients connect to the LDAP server and look up user details using the directory manager's credentials, so whoever creates the directory manager has to remember its password.

There are many LDAP servers available, such as OpenDS and OpenLDAP. OpenDJ uses different commands for its operations than the others.

OpenDJ Setup


OpenDJ is very easy to set up. Make sure Java is installed and JAVA_HOME is set before you install. I tried this on a basic Linux machine that supports the yum command, so you may try the same on a similar machine; on Debian-based machines you may try the equivalent, and I hope it works.

Note: there may be some library dependencies (*.so file requirements) that vary from machine to machine; you can install them from the internet.

$ wget http://download.forgerock.org/downloads/opendj/2.5.0-Xpress1/OpenDJ-2.5.0-Xpress1.zip
$ unzip OpenDJ-2.5.0-Xpress1.zip
$ cd OpenDJ-2.5.0-Xpress1
$ ./setup --cli

Follow the prompts to provide the required installation information.
Prompts for ./setup --cli
OpenDJ 2.5.0
Please wait while the setup program initializes...
What would you like to use as the initial root user DN for the Directory Server? [cn=Directory Manager]:cn=Manager
Please provide the password to use for the initial root user:
Please re-enter the password for confirmation:

Provide the fully-qualified directory server host name that will be used when
generating self-signed certificates for LDAP SSL/StartTLS, the administration
connector, and replication [opendj.example.com]:

On which port would you like the Directory Server to accept connections from LDAP clients? [1389]:

On which port would you like the Administration Connector to accept
connections? [4444]:

Do you want to create base DNs in the server? (yes / no) [yes]:

Provide the base DN for the directory data: dc=example,dc=com
Options for populating the database:

1) Only create the base entry
2) Leave the database empty
3) Import data from an LDIF file
4) Load automatically-generated sample data

Enter choice [1]:


Do you want to enable SSL? (yes / no) [no]:

Do you want to enable Start TLS? (yes / no) [no]:

Do you want to start the server when the configuration is completed? (yes / no) [yes]:


Setup Summary
=============
LDAP Listener Port: 1389
Administration Connector Port: 4444
LDAP Secure Access: disabled
Root User DN: cn=Directory Manager
Directory Data: Create New Base DN dc=example,dc=com.

Start Server when the configuration is completed


What would you like to do?

1) Set up the server with the parameters above
2) Provide the setup parameters again
3) Print equivalent non-interactive command-line
4) Cancel and exit

Enter choice [1]:

See /var/.../opendj-setup...log for a detailed log of this operation.

Configuring Directory Server ..... Done.
Starting Directory Server ........... Done.

To see basic server status and configuration you can launch OpenDJ-2.5.0/bin/status.

Store User Details


Create a file, say add-user.ldif, and add the lines below:
$ vi add-user.ldif

dn: uid=user1,ou=People,dc=example,dc=com
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: user1
uid: user1
givenName: User1
sn: XYZ
uidNumber: 1
gidNumber: 1
homeDirectory: /home/user1
loginShell: /bin/bash
userPassword: password
mail: newuser@example.com

Command to add the user:
$ ./ldapmodify -D "cn=Manager" -w <password> -p 1389 -a -f add-user.ldif

Verify whether the user was added:
$ ./ldapsearch -h localhost -p 1389 -D "cn=Manager" -w <password> -b "ou=people,dc=example,dc=com" "uid=user1"
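The add-user.ldif above is hand-written. When entries are generated from a user database, the LDIF encoding rules matter: RFC 2849 requires a value that is non-ASCII, starts with a space, colon or '<', or ends with a space to be written in the `name:: base64` form, otherwise ldapmodify rejects or silently mangles it. The following Python script is an added example (not OpenDJ tooling, not from the original page) that builds the same posixAccount/inetOrgPerson entry from plain fields, applies those rules, and can optionally pre-hash the password in the {SSHA} scheme. BASE_DN mirrors the page's layout; the function and attribute names are the example's own.

```python
import base64
import hashlib
import os
import re

# Added illustration (not OpenDJ tooling): build the add-user.ldif entry shown
# above from plain fields, applying the LDIF encoding rules of RFC 2849 and
# optionally pre-hashing the password. BASE_DN matches the page's layout.
BASE_DN = "ou=People,dc=example,dc=com"

# Body of a SAFE-STRING per RFC 2849: no NUL, LF, CR and no byte above 0x7F.
_SAFE_BODY = r"[\x01-\x09\x0b\x0c\x0e-\x7f]*"


def ldif_attr(name, value):
    """Format one 'name: value' line; switch to 'name:: base64' when the value
    is not safe to write verbatim (non-ASCII, leading space/':'/'<', trailing space)."""
    if isinstance(value, bytes):
        return f"{name}:: {base64.b64encode(value).decode()}"
    safe = (re.fullmatch(_SAFE_BODY, value) is not None
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode()}"


def ssha_password(password, salt=None):
    """{SSHA} = base64(sha1(password + salt) + salt). OpenDJ hashes cleartext
    userPassword values itself on store; it only accepts a pre-encoded value
    like this if the password policy's allow-pre-encoded-passwords is enabled."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored, password):
    """Check a cleartext password against an {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def user_entry(uid, given_name, sn, uid_number, gid_number, password, mail,
               shell="/bin/bash", prehash=False):
    """Return the LDIF text for one posixAccount/inetOrgPerson user."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", uid):
        raise ValueError(f"uid {uid!r} is not a plain POSIX login name")
    if uid_number < 0 or gid_number < 0:
        raise ValueError("uidNumber/gidNumber must be non-negative")
    pw = ssha_password(password) if prehash else password
    lines = [
        f"dn: uid={uid},{BASE_DN}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        ldif_attr("cn", uid),
        ldif_attr("uid", uid),
        ldif_attr("givenName", given_name),
        ldif_attr("sn", sn),
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        f"loginShell: {shell}",
        ldif_attr("userPassword", pw),
        ldif_attr("mail", mail),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Same values as the page's add-user.ldif, with a non-ASCII surname to show the :: form.
    print(user_entry("user1", "User1", "Müller", 1, 1, "password", "newuser@example.com"))
```

Pipe the output into `./ldapmodify -D "cn=Manager" -w <password> -p 1389 -a -f -` style usage, or write it to add-user.ldif as in the page. Leave `prehash=False` unless the OpenDJ password policy has been changed to accept pre-encoded values; with the default policy OpenDJ stores the cleartext value hashed anyway.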


Add SSH-key attributes to OpenDJ LDAP server

This way we can provide a public/private key pair for login. We store the SSH public key in the LDAP server and keep the private key with us, then log in to machines by presenting the private key.

1. Create a file add-objectClass.ldif.
$ vi add-objectClass.ldif
Write the following content to the file:
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY DESC 'MANDATORY: OpenSSH LPK objectclass' MAY ( sshPublicKey $ uid ))

Now add this object class to OpenDJ with the following command:
$ ./ldapmodify -D "cn=Manager" -w <password> -p 1389 -f add-objectClass.ldif

2. Create a file add-attribute.ldif.
$ vi add-attribute.ldif
Write the following content to the file:
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

Now add this attribute to OpenDJ with the following command:
$ ./ldapmodify -D "cn=Manager" -w <password> -p 1389 -f add-attribute.ldif

Store SSH Public Key

1. Add the object class ldapPublicKey to the user.
$ vi modify-user.ldif
Write the following content to the file (the attribute named after add: must match the attribute on the next line, so it is objectClass, not objectClasses):
dn: uid=user1,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey

$ ./ldapmodify -D "cn=Manager" -w <password> -p 1389 -a -f modify-user.ldif

2. Create a public/private key pair.
$ ssh-keygen
Follow the prompts to provide the required key information.
Prompts:
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/api-dev-123/.ssh/id_rsa): /home/user/demo.pem
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/demo.pem.
Your public key has been saved in /home/user/demo.pem.pub.
Note: copy the key from demo.pem.pub for sshPublicKey. Make sure you copy the private key file demo.pem and keep it secure with you.

3. Store the public key.
$ vi modify-user2.ldif
Write the following content to the file. The attribute is sshPublicKey, the name defined in the schema above and allowed by ldapPublicKey:
dn: uid=user1,ou=People,dc=example,dc=com
changetype: modify
add: sshPublicKey
sshPublicKey: <publicKey>

$ ./ldapmodify -D "cn=Manager" -w <password> -p 1389 -a -f modify-user2.ldif

Confirm your changes with the following command:
$ ./ldapsearch -h localhost -p 1389 -D "cn=Manager" -w <password> -b "ou=people,dc=example,dc=com" "uid=user1"
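The "copy the key from demo.pem.pub" step is where mistakes creep in: a truncated paste or an edited key type still looks like a key but will never match at login. The script below is an added example (not from the page, not OpenSSH or OpenDJ code) that parses an authorized_keys-style line, checks that the key type embedded in the base64 blob matches the text prefix, prints the SHA256 fingerprint for comparison with `ssh-keygen -l`, and emits the modify-user2.ldif content with the sshPublicKey attribute. It assumes the sshPublicKey attribute and ldapPublicKey object class from the previous section are loaded; the sample key line is constructed (counter bytes, not real key material) and the function names are the example's own.

```python
import base64
import hashlib
import struct

# Added illustration (not page or OpenSSH code): validate a demo.pem.pub line and
# emit the modify-user2.ldif shown above with the sshPublicKey attribute. Assumes
# the schema changes from the previous section (sshPublicKey attribute,
# ldapPublicKey object class) are already loaded on the server.


def _read_ssh_string(blob, offset):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    if len(blob) < offset + 4:
        raise ValueError("key blob truncated")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if len(blob) < end:
        raise ValueError("key blob truncated")
    return blob[start:end], end


def parse_openssh_pubkey(line):
    """Split '<type> <base64> [comment]' and check the type name embedded in the
    blob matches the text prefix, which catches hand-edited or mangled keys."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    embedded, _ = _read_ssh_string(blob, 0)
    if embedded != key_type.encode("ascii", "replace"):
        raise ValueError(f"blob type {embedded!r} does not match prefix {key_type!r}")
    return key_type, blob, comment


def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def ssh_key_modify_ldif(dn, key_line):
    """LDIF 'modify' adding the key, re-serialised from the parsed parts so only
    a validated, single-line value reaches the directory."""
    key_type, blob, comment = parse_openssh_pubkey(key_line)
    value = f"{key_type} {base64.b64encode(blob).decode()}"
    if comment:
        value += f" {comment}"
    # A comment with non-ASCII text is not an LDIF SAFE-STRING; use the :: form then.
    if value.isascii():
        attr = f"sshPublicKey: {value}"
    else:
        attr = f"sshPublicKey:: {base64.b64encode(value.encode('utf-8')).decode()}"
    return f"dn: {dn}\nchangetype: modify\nadd: sshPublicKey\n{attr}\n"


def constructed_key_line():
    """Constructed sample: a syntactically valid ssh-ed25519 line whose 32-byte
    key material is a counter, not a real key."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " user1@example.com"


if __name__ == "__main__":
    line = constructed_key_line()
    print(fingerprint(parse_openssh_pubkey(line)[1]))
    print(ssh_key_modify_ldif("uid=user1,ou=People,dc=example,dc=com", line))
```

In practice read the line from demo.pem.pub instead of `constructed_key_line()`, compare the printed fingerprint with `ssh-keygen -lf demo.pem.pub`, and feed the LDIF to the same ldapmodify command as above.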


SSH access using LDAP Authentication

After the successful installation of OpenDJ and the addition of the user, it is time to set up the LDAP client machine to provide SSH access through LDAP authentication.
First of all we install all the dependencies required by the LDAP client.

Install Dependencies
$ sudo yum install openldap-servers openldap-clients openldap-devel
$ sudo yum install nss-pam-ldapd
$ sudo yum install openssh-ldap
$ sudo yum -y install gcc openldap-devel pam-devel zlib-devel openssl-devel
$ wget -qO - http://ftp.jaist.ac.jp/pub/OpenBSD/OpenSSH/portable/openssh-5.4p1.tar.gz | tar zxf -
$ cd openssh-5.4p1
$ wget -q http://openssh-lpk.googlecode.com/svn/trunk/patch/contrib/contrib-openssh-lpk-5.4p1-0.3.13.patch
$ sudo yum install make
$ sudo yum install gcc
$ sudo yum install patch
$ sudo yum install pam-devel

Things to Know
PAM (Pluggable Authentication Modules) is required for LDAP authentication. PAM lets applications authenticate through mechanisms other than the basic local password check: it supports authentication through LDAP, fingerprint, retina scan and so on.

Make configuration changes to the following files

Suppose the LDAP server is set up on the machine with IP 192.168.1.11.
1. /etc/openldap/ldap.conf
Provide the BASE and URI details:
URI ldap://192.168.1.11:1389/
BASE dc=example,dc=com

2. /etc/pam_ldap.conf
Provide the following details:
base dc=example,dc=com
port 1389
uri ldap://192.168.1.11:1389/
ssl no
pam_password md5
UseLPK yes

3. /etc/ssh/sshd_config
Provide the following details:
UseLPK yes
LpkServers ldap://192.168.1.11:1389/
LpkForceTLS no

4. /etc/pam.d/sshd
Provide the following details:
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_ldap.so no_warn
auth include password-auth no_warn try_first_pass
account required pam_nologin.so
account required pam_access.so
account sufficient pam_ldap.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
#session include password-auth
session required pam_permit.so
session required pam_mkhomedir.so
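The control flags in the auth lines above decide who gets in: `sufficient pam_ldap.so` means a successful LDAP bind ends the stack with success and the local password is never consulted, while a failed LDAP bind falls through to the included password-auth stack. The following Python script is an added example (not PAM code and not from the page) that parses those lines and walks the stack with simulated module outcomes under the classic required/requisite/sufficient/optional rules, so the four cases an administrator cares about can be checked before touching a real system. It simplifies real PAM: `include` is modelled as a single result supplied by the caller, and the `[value=action]` syntax and substacks are not handled.

```python
# Added illustration (not PAM code): a simplified evaluator of the 'auth' lines
# of the /etc/pam.d/sshd file above, showing what the control flags mean at run
# time. Real PAM also has '[value=action]' controls, substacks and per-module
# return codes; 'include' is modelled here as one result supplied by the caller.

PAM_SSHD_AUTH = """\
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_ldap.so no_warn
auth include password-auth no_warn try_first_pass
account required pam_nologin.so
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        rules.append((parts[1], parts[2], parts[3:]))
    return rules


def evaluate(rules, results):
    """Walk the stack with simulated module outcomes.

    results maps a module file name (or 'include:<file>') to True/False.
    required   - a failure is remembered but the rest of the stack still runs
    requisite  - a failure ends the stack immediately
    sufficient - a success ends the stack with success, unless a required
                 module already failed; a failure is ignored
    optional   - ignored unless it is the only rule
    include    - treated like required, with the included file's net result
    """
    required_failed = False
    for control, module, _args in rules:
        name = f"include:{module}" if control == "include" else module
        ok = results.get(name, False)  # an unknown/missing module counts as failure
        if control in ("required", "include"):
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return "failure"
        elif control == "sufficient":
            if ok and not required_failed:
                return "success"
        elif control == "optional":
            if len(rules) == 1 and not ok:
                return "failure"
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return "failure" if required_failed else "success"


def scenarios():
    """The four cases an admin usually wants to reason about for this stack."""
    rules = parse_stack(PAM_SSHD_AUTH)
    cases = {
        "ldap ok, local password wrong": {"pam_sepermit.so": True, "pam_ldap.so": True, "include:password-auth": False},
        "ldap wrong, local password ok": {"pam_sepermit.so": True, "pam_ldap.so": False, "include:password-auth": True},
        "both wrong": {"pam_sepermit.so": True, "pam_ldap.so": False, "include:password-auth": False},
        "sepermit denies, ldap ok": {"pam_sepermit.so": False, "pam_ldap.so": True, "include:password-auth": True},
    }
    return {label: evaluate(rules, r) for label, r in cases.items()}


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:32} -> {outcome}")
```

The last scenario is the one worth remembering when reading a stack: a `required` failure earlier in the stack (pam_sepermit.so here) is not overridden by a later `sufficient` success, so the LDAP bind alone is never enough.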
Setup and Initialize Configuration

$ sudo ./configure --with-ldap --sysconfdir=/etc/ssh --prefix=/usr --with-pam
$ sudo make install
$ sudo authconfig-tui
$ sudo /etc/init.d/sshd restart


Verify LDAP users are available
Run the following from the same terminal to ensure the user is available on the machine:
$ getent passwd | grep user1
If it returns a line containing user1, try logging in from the same terminal:
$ ssh user1@localhost
It should ask for a password. Enter your password.
After a successful login, try logging in with the private key from some other machine:
$ ssh -i demo.pem user1@<client-ip>

It has worked for me on Amazon EC2 basic Linux. I hope it works fine for others too.