
Installing LDAP on Debian Linux
// Using our basic Debian Netinst instructions found at http://www.hilands.com/os-linux-netinst.html we will continue by making our Linux server an NFS server.

*These are my rough notes; be warned, this document is not ready for public consumption*

We will start by adding the LDAP server:
# apt-get install slapd
You will be prompted to enter a password.

A quick check with netstat
# netstat -anutp
will show
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      8032/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      8032/slapd


You should also notice a new folder
/etc/ldap


# apt-get install ldap-utils
# nano /etc/ldap/ldap.conf
add your Base and URI
BASE	dc=hilands,dc=com
URI	ldap://192.168.1.3



# ldapsearch
at this point should give us an error (it tries SASL first):
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
so use a simple bind (-x) and give the base:
# ldapsearch -b 'dc=hilands,dc=com' -x



# nano /etc/ldap/slapd.conf
loglevel can be 0 (or "none") up to 256. Find
index objectClass eq
and below it add
index uid eq


# /etc/init.d/slapd stop
# find / -name slapindex
/usr/sbin/slapindex
# slapindex
# /etc/init.d/slapd start
# ldapsearch -x


OK, let's try adding some of the other pieces.
# apt-get install libpam-ldap
Debconf answers (default -> what we entered):
  LDAP server URI: ldapi:/// -> ldapi://192.168.1.3/
  Search base: dc=example,dc=net -> dc=hilands,dc=com
  LDAP version: 3
  Make local root database admin: yes
  Database requires login: no
  LDAP account for root (management account): dc=manager,dc=example,dc=net -> dc=manager,dc=hilands,dc=com
  LDAP root account password: ldapmin
# apt-get install libnss-ldap
  LDAP account for root: cn=manager,dc=example,dc=net -> cn=manager,dc=hilands,dc=com
  LDAP root account password: ldapmin
It says we need to modify /etc/nsswitch.conf; there is an example in
/usr/share/doc/libnss-ldap/examples/nsswitch.ldap
# apt-get install nscd
# slapcat
// the slap* tools read the database files directly, for local or offline queries
# nano /etc/ldap/slapd.conf
The default configuration has
suffix	"dc=nodomain"
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=nodomain" write
        by anonymous auth
        by self write
        by * none
which we changed to
suffix	"dc=hilands"
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=hilands" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=admin,dc=hilands" write
        by * read
I will assume at this point that I just don't have any information built into LDAP, as I am getting a return error of 32.

Reverted all the changes to slapd.conf.

# /etc/init.d/slapd restart
# nano hilands.ldif
dn: dc=hilands,dc=com
dc: hilands
objectClass: dcObject
objectClass: organization
o: hilands

dn: ou=users,dc=hilands,dc=com
ou: users
objectClass: organizationalUnit
// it can also be written as
objectClass: organizationalUnit
ou: hilands


# ldapsearch -x -b 'dc=nodomain'
# /etc/init.d/slapd stop
# slapadd -v -l hilands.ldif
slapadd: line 1: database (dc=nodomain) not configured to hold "dc=hilands,dc=com"
slapadd: line 1: database (dc=nodomain) not configured to hold "dc=hilands,dc=com"
I think this means that it's trying to add to the dc=nodomain database, which won't take the input,
so we should add it in slapd.conf
# nano /etc/ldap/slapd.conf
at the bottom add
suffix "dc=hilands,dc=com"
# /etc/init.d/slapd start
This gave an error; check /var/log/syslog:
only one suffix is allowed.
Ooh, we'd have to make an alternative database.

So we went back and changed everything in slapd.conf... no, we re-add it.

# dpkg-reconfigure slapd
No
DNS Name : hilands.com
Name of Organization : hilands
Admin Password : ldapmin
Confirm Password : ldapmin
ok
hdb
no
yes
no
/var/lib/ldap
should contain the databases
changed domain to hilands, o to hilands, password etc.
# slapcat
now shows nicely. Time to try adding the LDIF again; slapcat shows:

dn: dc=hilands,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: hilands
dc: hilands
structuralObjectClass: organization
entryUUID: 1ebc157c-0ad2-102f-9a24-5f2907b981e9
creatorsName:
createTimestamp: 20100613005535Z
entryCSN: 20100613005535.545214Z#000000#000#000000
modifiersName:
modifyTimestamp: 20100613005535Z

dn: cn=admin,dc=hilands,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fTBMcFJ3OUpJcHF6QVk=
structuralObjectClass: organizationalRole
entryUUID: 1ebdcbba-0ad2-102f-9a25-5f2907b981e9
creatorsName:
createTimestamp: 20100613005535Z
entryCSN: 20100613005535.556543Z#000000#000#000000
modifiersName:
modifyTimestamp: 20100613005535Z
# nano hilands-users.ldif
dn: ou=users,dc=hilands,dc=com
ou: users
objectClass: organizationalUnit
# slapadd -v -l hilands-users.ldif
added: "ou=users,dc=hilands,dc=com" (00000005)

Now we should have a users OU.
Yay, everything is working, hoorah.

check permissions
# ls -l /var/lib/ |grep ldap
drwxr-xr-x 2 openldap openldap 4096 Jun 12 13:08 ldap

get nfs to work with it with portmap?

# dpkg-reconfigure portmap
no

Hmm, we can also do "# slappasswd" to change passwords.

# ps -ef |grep slap
openldap  8962     1  0 13:08 ?        00:00:00 /usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf
# cp pam_ldap.conf pam_ldap.conf.orig
# nano pam_ldap.conf

LDIF user example:
dn: cn=John Doe, ou=Rochester, o=IBM, c=US
objectclass: person
objectclass: inetOrgPerson
objectclass: top
objectclass: organizationalPerson
objectclass: ePerson
cn: John Doe
sn: Doe
uid: jdoe
userpassword: secretpass

dn: cn=Phil Allen, ou=users, o=hilands, c=US
objectclass: person
objectclass: inetOrgPerson
objectclass: top
objectclass: organizationalPerson
objectclass: ePerson
cn: Phil Allen
sn: Allen
uid: phil
userpassword: 4ff67ae8875477e97c0ee063e984adc3
# echo | md5sum
# echo mypassword | md5sum

Clear the databases:
remove the /var/lib/ldap folder,
create a new one and change its ownership to the openldap user and group.


# slapadd -v -l hilands.ldif
added: "dc=hilands,dc=com" (00000001)
added: "ou=users,dc=hilands,dc=com" (00000002)

str2entry: invalid value for attributeType objectClass #4 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=11)
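What slapd is saying here: in the entry that starts at line 11 of hilands.ldif, objectClass value #4 (counting from zero) is ePerson, an IBM schema class that a default Debian slapd does not load, so the value fails the OID/objectClass syntax check. That entry's dn (ou=users, o=hilands, c=US) also sits outside the dc=hilands,dc=com database, the same "not configured to hold" problem seen earlier. The checker below is an added example, not code from the page; it is a deliberately small LDIF parser that flags both conditions before slapadd is run, using a constructed copy of the page's LDIF as input (KNOWN_CLASSES is hand-picked, not read from the schema files).

```python
# objectClasses defined by the schemas a stock Debian slapd.conf loads (core, cosine,
# inetorgperson), trimmed to what this page's LDIF uses; lower-case, as LDAP ignores case.
KNOWN_CLASSES = {"top", "dcobject", "organization", "organizationalunit", "organizationalrole",
                 "simplesecurityobject", "person", "organizationalperson", "inetorgperson"}

def parse_ldif(text):
    """Return [(first_line_no, [(attr, value), ...])]; a blank line ends an entry."""
    entries, attrs, start = [], [], 0
    for no, line in enumerate(text.splitlines() + [""], 1):  # trailing "" flushes the last entry
        if not line.strip():
            if attrs: entries.append((start, attrs))
            attrs = []
        elif line[0] in " \t" and attrs:  # a leading space or tab folds onto the previous value
            attrs[-1] = (attrs[-1][0], attrs[-1][1] + line[1:])
        else:
            attr, _, value = line.partition(":")
            if not attrs: start = no
            attrs.append((attr.strip().lower(), value.strip()))
    return entries

def check_ldif(text, suffix):
    """List what slapadd rejects: a dn outside the suffix, or an objectClass no loaded schema defines."""
    problems = []
    for start, attrs in parse_ldif(text):
        dn = dict(attrs).get("dn", "").replace(", ", ",")
        if dn != suffix and not dn.endswith("," + suffix):
            problems.append(f"line {start}: dn {dn!r} is not under suffix {suffix}")
        for i, oc in enumerate(v for a, v in attrs if a == "objectclass"):  # slapd's #n is 0-based
            if oc.lower() not in KNOWN_CLASSES:
                problems.append(f"line {start}: objectClass #{i} {oc!r} is not in the loaded schema")
    return problems
# Constructed copy of the page's hilands.ldif; the third entry starts at line 11, as in the error.
SAMPLE_LDIF = """\
dn: dc=hilands,dc=com
dc: hilands
objectClass: dcObject
objectClass: organization
o: hilands

dn: ou=users,dc=hilands,dc=com
ou: users
objectClass: organizationalUnit

dn: cn=Phil Allen, ou=users, o=hilands, c=US
objectclass: person
objectclass: inetOrgPerson
objectclass: top
objectclass: organizationalPerson
objectclass: ePerson
"""
```

Running `check_ldif(SAMPLE_LDIF, "dc=hilands,dc=com")` reports two problems, both at line 11: the dn outside the suffix and objectClass #4 'ePerson'.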

Trying to figure this out; let's get phpldapadmin installed on this.
Do it the easy way: no compiling, just apt it.

# apt-get update
# apt-get install apache2
# apt-get install phpldapadmin
http://192.168.1.3/phpldapadmin/
*this appears to be an older exploitable version*

Log in, then:
Create a child entry
Organisational Unit
users
creates
dn: ou=users,dc=hilands,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users
structuralObjectClass: organizationalUnit
entryUUID: 7eeec6c4-0ad2-102f-8d90-51ff5bf5ef15
creatorsName: cn=admin,dc=hilands,dc=com
createTimestamp: 20100613005816Z
entryCSN: 20100613005816.938827Z#000000#000#000000
modifiersName: cn=admin,dc=hilands,dc=com
modifyTimestamp: 20100613005816Z
go into ou=users
	Create a child entry
	User Account
	first name : Philip
	last name : Allen
	common name : Philip Allen
	password : ***** MD5
	UID :1000 (default)
	GID : empty
	home directory /home/users/pallen
	shell : /bin/sh
deb package installed 1.1.0.5
Download from sourceforge
http://sourceforge.net/projects/phpldapadmin/files/

phpldapadmin
http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
http://www.zytrax.com/books/ldap/ch8/

yay
dn: cn=phil,ou=users,dc=hilands,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: phil
description: LDAP User
userpassword: {MD5}password?
structuralObjectClass: organizationalRole
4ff67ae8875477e97c0ee063e984adc3
The password I think needs {MD5} in front of it.
Nope, that doesn't match.
Worked; must have been a transfer / copy-and-paste error.
# apt-get install ncurses-hexedit
I have no idea how to input the password.
Oh well, we'll use admin if we must.
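Two things explain why the md5sum output above never matched what phpldapadmin or slapd stored: `echo` appends a newline to whatever it hashes, and OpenLDAP's {MD5} scheme holds the base64 of the raw 16-byte digest, not the 32 hex characters md5sum prints. `slappasswd` (mentioned earlier) emits the salted {SSHA} form by default. The following is an added example, not code from the page; it builds and verifies both formats with the Python standard library only.

```python
import base64
import hashlib
import os

def ldap_md5(password: str) -> str:
    """OpenLDAP {MD5}: base64 of the raw 16-byte digest (md5sum prints that digest as hex)."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def ldap_ssha(password: str, salt=None) -> str:
    """OpenLDAP {SSHA}, slappasswd's default: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(stored: str, password: str) -> bool:
    """Check a candidate password against a {MD5} or {SSHA} userPassword value."""
    if stored.startswith("{MD5}"):
        return stored == ldap_md5(password)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])  # 20 digest bytes, then the salt
        return stored == ldap_ssha(password, salt=raw[20:])
    return False  # other schemes ({CRYPT}, cleartext) are out of scope here

def md5sum_variants(password: str) -> dict:
    """Reproduce the page's attempts: what `echo pw | md5sum` and `printf pw | md5sum` print."""
    return {
        "echo | md5sum": hashlib.md5((password + "\n").encode()).hexdigest(),  # echo adds "\n"
        "printf | md5sum": hashlib.md5(password.encode()).hexdigest(),
        "slapd {MD5}": ldap_md5(password),
    }
```

Pasting the hex from md5sum after {MD5} can never verify, because slapd base64-decodes the value and compares raw digest bytes.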
# apt-get install bind
# apt-get install host
# apt-get install dnsutils
# nano /etc/bind/db.local
add
crossroads.hilands.com IN A 192.168.1.3
# /etc/init.d/bind9 restart
Zone file for hilands.com (the file named.conf points at, /etc/bind/db.hilands.com):
$TTL    604800
@       IN      SOA     hilands.com.    phil.hilands.com. (
                        2       ; serial
                        604800  ; refresh
                        86400   ; retry
                        2419200 ; expire
                        604800 )        ; negative cache ttl
;
@       IN      NS      hilands.com.
@       IN      A       69.89.31.93
*       IN      A       69.89.31.93
crossroads      IN      A       192.168.1.3
; names without a trailing dot are relative to the zone, so a bare "hilands.com" would
; become hilands.com.hilands.com; the SOA contact is written phil.hilands.com., not phil@hilands.com
In named.conf add the zone:
zone "hilands.com" {
        type master;
        file "/etc/bind/db.hilands.com";
};


Last Modified: 2010-06-17