NITA 412 - Linux Security Administration - Lab #6


Uploaded by mstanislav on 06-Apr-2018


8/3/2019  http://slidepdf.com/reader/full/nita-412-linux-security-administration-lab-6

Lab #6 - OpenLDAP; phpLDAPAdmin; PAM Integration
Stanislav

Lab Steps:

I. OpenLDAP & phpLDAPAdmin Installation

A. Install openldap-clients, openldap-servers, and php-ldap using yum
B. Start the ldap service and set it to automatically start on reboot.
C. Download phpLDAPAdmin using wget http://bit.ly/d9IhR2
D. Unpackage the source by running tar xf phpldapadmin-1.2.0.5.tgz
E. Execute mv phpldapadmin-1.2.0.5 /var/www/html/phpldapadmin
F. Run cd /var/www/html/phpldapadmin/config && cp config.php.example config.php
G. Execute sed -i "s/16M/32M/g" /etc/php.ini and restart the httpd service.
H. Edit /etc/openldap/slapd.conf and make the following changes:
   1. suffix to be dc=testing
   2. rootdn to be cn=Admin,dc=testing
   3. Add a line for rootpw to be linuxlab
I. Execute cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
J. Execute chown ldap:ldap /var/lib/ldap/DB_CONFIG
K. Restart the ldap service.

II. OpenLDAP Initial Setup

A. Edit /usr/share/openldap/migration/migrate_common.ph and change $DEFAULT_MAIL_DOMAIN to testing and $DEFAULT_BASE to dc=testing

B. Execute /usr/share/openldap/migration/migrate_all_online.sh and configure the settings as below. You will likely receive an error at the end; ignore any:
   1. dc=testing
   2. localhost
   3. cn=Admin,dc=testing
   4. linuxlab (No output will be shown when you type this)
   5. no (You will receive an error for the last entry, that's okay)

C. Execute chcon -t httpd_sys_content_t -R /var/www/html to fix SELinux permissions.

D. Using your host machine's web browser, go to https://<your VM IP>/phpldapadmin/
E. Log into the web site with cn=Admin,dc=testing and linuxlab
F. Go through the hierarchy of the dc=testing base and observe how the directory is structured.

III. Interacting with OpenLDAP

A. Become your regular system user before proceeding.

B. Execute ldapsearch -x -b "dc=testing" to receive a full LDAP directory listing.
C. To narrow your search to users, execute ldapsearch -x -b "ou=People,dc=testing"
D. To find your user specifically, execute ldapsearch -x -b "uid=bjones,ou=People,dc=testing"
E. To dump a file with all records, execute sudo /usr/sbin/slapcat > /home/bjones/slapd.db
F. Create a file called addgroup.ldif to create a new group in the directory with the following:
   dn: cn=testing_group,ou=Group,dc=testing
   objectClass: posixGroup
   objectClass: top
   cn: testing_group
   gidNumber: 4242
G. Execute ldapadd -D "cn=Admin,dc=testing" -W -x -f addgroup.ldif to add the new record.
H. To see the new record, run ldapsearch -x -b "cn=testing_group,ou=Group,dc=testing"
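A check worth running on addgroup.ldif before step G, added here as an example and not part of the lab: it parses the LDIF entry, confirms it is a posixGroup directly under ou=Group,dc=testing, and verifies that gidNumber 4242 is not already taken by a local group (with "group: files ldap" in nsswitch.conf the local file wins). The /etc/group content is a constructed sample.

```python
# Constructed input: the lab's addgroup.ldif text.
ADDGROUP_LDIF = """\
dn: cn=testing_group,ou=Group,dc=testing
objectClass: posixGroup
objectClass: top
cn: testing_group
gidNumber: 4242
"""
# Constructed sample /etc/group; with "group: files ldap" in nsswitch.conf the
# local file is consulted first, so a duplicate GID here would shadow the LDAP group.
SAMPLE_ETC_GROUP = "root:x:0:\nwheel:x:10:bjones\nbjones:x:500:\n"

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}. A line starting with a
    space continues the previous value; '#' lines and blank lines are skipped."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            attrs[last][-1] += raw[1:]
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % raw)
        last = name.lower()
        attrs.setdefault(last, []).append(value.strip())
    return attrs

def local_gids(etc_group_text):
    """Return the set of GIDs defined in /etc/group-style text."""
    fields = (line.split(":") for line in etc_group_text.splitlines())
    return {int(f[2]) for f in fields if len(f) >= 3 and f[2].isdigit()}

def check_posix_group(ldif_text, etc_group_text):
    """Return a list of problems; an empty list means the entry is safe to add."""
    e = parse_ldif_entry(ldif_text)
    problems = []
    dn = e.get("dn", [""])[0].lower()
    cn = e.get("cn", [""])[0].lower()
    if dn != "cn=%s,ou=group,dc=testing" % cn:
        problems.append("dn does not match cn=<cn>,ou=Group,dc=testing: %s" % dn)
    if "posixgroup" not in [c.lower() for c in e.get("objectclass", [])]:
        problems.append("objectClass posixGroup missing")
    gid = e.get("gidnumber", [""])[0]
    if not gid.isdigit():
        problems.append("gidNumber missing or not numeric")
    elif int(gid) in local_gids(etc_group_text):
        problems.append("gidNumber %s is already used by a local group" % gid)
    return problems
```

On the VM, pass the real file contents instead: check_posix_group(open("addgroup.ldif").read(), open("/etc/group").read()).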


IV. OpenLDAP System Integration

A. Become the root user once again.
B. Edit /etc/openldap/ldap.conf and make it contain the following lines:
   BASE dc=testing
   URI ldap://127.0.0.1

C. Edit /etc/ldap.conf and make it contain only the following lines:

   1. Note: Using the 'dd' command in vim you can delete lines very quickly.
   host 127.0.0.1
   base dc=testing
   binddn cn=Admin,dc=testing
   bindpw linuxlab
   rootbinddn cn=Admin,dc=testing
   scope sub
   bind_policy soft
   pam_login_attribute uid
   pam_member_attribute memberuid
   pam_password exop
   nss_base_passwd ou=People,dc=testing?one
   nss_base_shadow ou=People,dc=testing?one
   nss_base_group ou=Group,dc=testing?one
D. Edit /etc/nsswitch.conf and update the following lines:
   passwd: files ldap
   shadow: files ldap
   group: files ldap

E. Edit /etc/pam.d/system-auth and update these sections:
   auth      sufficient  pam_ldap.so  use_first_pass   (after pam_unix.so line)
   account   sufficient  pam_ldap.so                   (after pam_unix.so line)
   password  sufficient  pam_ldap.so  use_first_pass   (after pam_unix.so line)
   session   required    pam_ldap.so                   (after pam_unix.so line)

F. Execute getent group | grep testing_group and verify you receive a result.
G. Create a file called /etc/ldap.secret and make the contents simply contain linuxlab

H. Open a different virtual terminal and make sure that you can still log in as your regular user.
I. Save a snapshot of your VM and call it "Lab #6 Completed"
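To verify step IV.E before testing a login in step H, here is an added example (not from the lab) that parses /etc/pam.d/system-auth and reports any section where the pam_ldap.so line is missing, comes before pam_unix.so, carries a different control flag, or lacks use_first_pass; the system-auth text is a constructed sample reduced to the lines the check looks at.

```python
# From step IV.E: (control flag, required options) of each section's pam_ldap.so line.
EXPECTED = {
    "auth": ("sufficient", {"use_first_pass"}),
    "account": ("sufficient", set()),
    "password": ("sufficient", {"use_first_pass"}),
    "session": ("required", set()),
}

# Constructed sample of system-auth after the lab edit, cut to the lines checked here.
SYSTEM_AUTH_OK = """\
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
account     required      pam_unix.so
account     sufficient    pam_ldap.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_first_pass
session     required      pam_unix.so
session     required      pam_ldap.so
"""

def parse_pam(text):
    """Return [(section, control, module, options)]; bracketed controls stay one token."""
    rows = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 3:
            continue
        if tokens[1].startswith("["):  # e.g. [success=1 default=ignore]
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            tokens = [tokens[0], " ".join(tokens[1:end + 1])] + tokens[end + 1:]
        rows.append((tokens[0], tokens[1], tokens[2], set(tokens[3:])))
    return rows

def check_system_auth(text):
    """Return a list of problems with the pam_ldap.so lines; [] means it matches the lab."""
    rows, problems = parse_pam(text), []
    for section, (want_ctl, want_opts) in EXPECTED.items():
        where = lambda mod: [i for i, r in enumerate(rows) if r[0] == section and r[2] == mod]
        unix, ldap = where("pam_unix.so"), where("pam_ldap.so")
        if not ldap:
            problems.append("%s: no pam_ldap.so line" % section)
            continue
        ctl, opts = rows[ldap[0]][1], rows[ldap[0]][3]
        if not unix or ldap[0] < unix[0]:
            problems.append("%s: pam_ldap.so must come after pam_unix.so" % section)
        if ctl != want_ctl:
            problems.append("%s: control is %s, expected %s" % (section, ctl, want_ctl))
        if want_opts - opts:
            problems.append("%s: missing %s" % (section, " ".join(sorted(want_opts - opts))))
    return problems
```

Run it on the VM as root with check_system_auth(open("/etc/pam.d/system-auth").read()); an empty list means the file matches the lab's four edits.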