Open LDAP and SSH Public key in CentOS6.2

Author: Kevin Zhang
Thanks to the guide for CentOS 6.2: http://blog.johnalvero.com/2012/03/ldap-server-installation-for-openssh.html (Centralize the administration of Linux accounts / Centralize the administration of sudo access)
Thanks to everyone in the open source community.


#edit CentOS network
vi /etc/resolv.conf //DNS
vi /etc/sysconfig/network-scripts/ifcfg-eth0 //NIC IP
vi /etc/networks //Route
#restart network service
/etc/init.d/network restart
#put SELinux into permissive mode and stop the firewall
setenforce permissive
getenforce
service iptables stop


#Update software repository.
yum -y update


#Install LDAP packages
yum install openldap-servers openldap-clients -y


#Generate the LDAP admin password hash
slappasswd -s mysecret
{SSHA}cFJqdWOeG4b1p3bJFGSds5QKGw8faPd7       //copy this string; it is used as the password hash in the following steps
Note: mysecret is now your Manager password; you will use it to execute administrative commands. The string displayed is the corresponding hash; use that hash in the following steps.


#TLS settings
sed -i 's/dc=my-domain,dc=com/dc=netbrain,dc=com/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
# Also, add the password hash and the TLS settings to the file
cat <<EOF >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcRootPW: {SSHA}cFJqdWOeG4b1p3bJFGSds5QKGw8faPd7
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
EOF


#Also add a password for the "cn=admin,cn=config" user
cat <<EOF >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif
olcRootPW: {SSHA}cFJqdWOeG4b1p3bJFGSds5QKGw8faPd7
EOF


#Monitor configuration
sed -i 's/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=netbrain,dc=com/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif


#DB config
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/


#Generate SSL keys
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
chown -Rf root.ldap /etc/pki/tls/certs/slapdcert.pem
chown -Rf root.ldap /etc/pki/tls/certs/slapdkey.pem


#Schemas: add the openssh-lpk schema (lines starting with a space are LDIF continuation lines)
cat <<'EOF' > /etc/openldap/slapd.d/cn\=config/cn\=schema/cn\=\{21\}openssh-lpk.ldif
dn: cn={21}openssh-lpk
objectClass: olcSchemaConfig
cn: {21}openssh-lpk
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MAY ( sshPublicKey $
  uid ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 135574f4-bda0-102f-9362-0b01757f31d8
creatorsName: cn=config
createTimestamp: 20110126135819Z
entryCSN: 20110126135819.712350Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110126135819Z
EOF


Create the initial base.ldif (e.g. with vi base.ldif) containing:
dn: dc=netbrain,dc=com
dc: netbrain
objectClass: top
objectClass: domain


#We can now start the service and add the entries:
chkconfig slapd on
service slapd start
ldapadd -x -W -D "cn=Manager,dc=netbrain,dc=com" -f base.ldif
ldapadd -x -W -D "cn=Manager,dc=netbrain,dc=com" -f newsudoers.ldif


#Try searching to verify
ldapsearch -x -b "dc=netbrain,dc=com"
ldapsearch -H "ldap://127.0.0.1" -x -b "dc=netbrain,dc=com"


#Configuring ssh-lpk Clients
yum install openssh-ldap nss-pam-ldapd


#Set up the LDAP client config. This modifies various LDAP-related files, including PAM's
authconfig --disablenis --enablemkhomedir --enableshadow --enablelocauthorize --enableldap --ldapserver=ldap://127.0.0.1 --enablemd5 --ldapbasedn=dc=netbrain,dc=com --updateall
# Or use the curses-based tool and enable the same options as in the command above; note that --enablemkhomedir is not available in authconfig-tui
authconfig-tui


#Allow SSH public-key login
cat <<EOF > /etc/ssh/ldap.conf
uri ldap://127.0.0.1/
base dc=netbrain,dc=com
ssl no
EOF
cat <<EOF >> /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs nobody
EOF
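The wrapper configured above asks the directory for sshPublicKey at every login, and with `ssl no` both the query and the returned keys cross the network unprotected (the slapd certificate generated earlier and `ssl start_tls` in this file are what closes that). The following is an added shell example, not from the original post and not part of openssh-ldap, for auditing what a user's entry actually returns: it runs an ldapsearch with a filter modelled on the wrapper's (an assumption, not copied from its source), unfolds the LDIF that ldapsearch prints, decodes `::` base64 values, keeps only well-formed key lines, and escapes the uid per RFC 4515 so a value such as `*` cannot widen the search. The URI and base are the ones from the post's /etc/ssh/ldap.conf; the sample LDIF in the test is constructed.

```shell
#!/bin/bash
# Added example (not from the original post or openssh-ldap): list the SSH
# public keys stored in LDAP for one user, the way the AuthorizedKeysCommand
# wrapper would see them.  LDAP_URI/LDAP_BASE come from the post's ldap.conf;
# the search filter is an assumption modelled on the wrapper's behaviour.

LDAP_URI='ldap://127.0.0.1/'
LDAP_BASE='dc=netbrain,dc=com'
# A key line is "<type> <base64> [comment]"; anything else is not a key.
KEY_RE='^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'

# ldap_filter_escape STRING -- RFC 4515 escaping of *, (, ) and backslash, so
# the uid cannot rewrite the search filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldif_values ATTR < ldif
# One line per value of ATTR: "raw:<value>" or "b64:<base64>".  ldapsearch
# folds long values onto continuation lines (leading space); join them first.
ldif_values() {
    awk -v attr="$1" '
        function flush(   n, name, val, tag) {
            if (cur == "") return
            n = index(cur, ":")
            name = substr(cur, 1, n - 1)
            val = substr(cur, n + 1)
            if (name == attr) {
                tag = "raw"
                if (substr(val, 1, 1) == ":") { val = substr(val, 2); tag = "b64" }
                sub(/^ +/, "", val)
                print tag ":" val
            }
            cur = ""
        }
        /^ / { cur = cur substr($0, 2); next }   # folded continuation line
        { flush(); if ($0 ~ /^[A-Za-z][A-Za-z0-9.;-]*::? /) cur = $0 }
        END { flush() }'
}

# valid_ssh_keys < ldif
# Prints only the sshPublicKey values that parse as OpenSSH key lines.
valid_ssh_keys() {
    local tag val
    ldif_values sshPublicKey | while IFS=: read -r tag val; do
        if [ "$tag" = b64 ]; then
            # ldapsearch base64-encodes values with non-ASCII or leading/trailing specials
            val=$(printf '%s' "$val" | base64 -d 2>/dev/null) || continue
        fi
        printf '%s\n' "$val"
    done | grep -aE "$KEY_RE" || true
}

# ldap_ssh_keys UID -- the live query; needs a reachable slapd (not run by the test)
ldap_ssh_keys() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$LDAP_BASE" \
        "(&(objectClass=ldapPublicKey)(uid=$(ldap_filter_escape "$1")))" sshPublicKey \
        | valid_ssh_keys
}

if [ $# -ge 1 ]; then ldap_ssh_keys "$1"; fi
```

Comparing this list against the user's known keys is the check worth running after every LAM edit: a key that appears here but was never issued is a key sshd will accept.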


#Tell the system to look up sudoers info from LDAP first, then from files
echo 'sudoers: ldap files' >> /etc/nsswitch.conf
cat <<EOF >> /etc/nslcd.conf
ou=sudoers,dc=netbrain,dc=com
sudoers_base ou=sudoers,dc=netbrain,dc=com
EOF


#Restart sshd
service sshd restart


#Install phpldapadmin or LAM (LDAP Account Manager, an excellent web-based LDAP management tool): add the EPEL repo and let yum install it
//If the wget of the release RPM fails, look for a newer epel-release version
rpm -ivh epel-release-6-5.noarch.rpm
#start Apache
service httpd restart


Install http://www.ldap-account-manager.org/ as an alternative to phpldapadmin: download the RPM for CentOS/Fedora and install it. LAM instructions follow.
  • The address of ldap-account-manager is http://yourip/lam/ ; you can manage your LDAP accounts there now.
  • Edit the server profile for the LAM-to-LDAP connection
  • Enter the LAM default password: lam , and click 'Ok'
  • Modify the server address, tree suffix and list of valid users
  • Modify the LDAP suffix of Users and Groups
  • Remove the Hosts and Samba domain options with the red 'x'
  • Remove the 'Samba 3' items from Users and Groups
  • Add 'SSH Public Key' to Users from the available modules to extend LAM so it can manage SSH public keys
  • After you click 'Save' you return to the login page; log in with the LDAP root password: mysecret
  • Create groups first
  • Create users
  • Set the public key in the user
Notice: PuTTYGen generates keys in this format:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20121022"
AAAAB3NzaC1yc2EAAAABJQAAAIEAhGF6GIuMY8FJ1+CNApnSY1N2YSlkYz72Yvwu
a6N1nFpBklz1+dsIMg4rcTLcF34M/tW5Yz+NUDAw2AEbxQ32FPgw7sAOIXktkYOH
tr7mmimiTjkoSCrJh1kqalPSpi8rglT/Bp67Ql2SZwvUFfMzHISryR0EZC4rXP/u
vObrJe8=
---- END SSH2 PUBLIC KEY ----


But change the text to:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAhGF6GIuMY8FJ1+CNApnSY1N2YSlkYz72Yvwua6N1nFpBklz1+dsIMg4rcTLcF34M/tW5Yz+NUDAw2AEbxQ32FPgw7sAOIXktkYOHtr7mmimiTjkoSCrJh1kqalPSpi8rglT/Bp67Ql2SZwvUFfMzHISryR0EZC4rXP/uvObrJe8=
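The conversion the post does by hand above, as an added shell example (it is not from the original post; it assumes GNU base64 and awk and, for the LDIF part, that user entries sit under ou=People,dc=netbrain,dc=com, which the post never states): it parses the RFC 4716 envelope PuTTYgen writes, joins the base64 body, reads the key type out of the decoded blob instead of assuming ssh-rsa, and emits an ldapmodify change for the sshPublicKey attribute that the openssh-lpk schema added earlier. The key in the test is the one shown on this page.

```shell
#!/bin/bash
# Added example (not from the original post): convert a PuTTYgen / RFC 4716
# public key into the one-line OpenSSH form that sshPublicKey stores, and
# emit the LDIF change that attaches it to a user entry.  Assumptions: user
# entries live under ou=People,dc=netbrain,dc=com; base64(1) and awk(1) exist.

# Key types we are willing to publish; an unknown type means the blob is
# damaged or is not an SSH public key at all, and is rejected.
KEY_TYPES='ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)'

# rfc4716_to_openssh FILE
# Prints "<type> <base64> [comment]"; returns 1 on malformed input.
rfc4716_to_openssh() {
    local file=$1 line b64 comment blobtype
    line=$(awk '
        { sub(/\r$/, "") }                               # tolerate CRLF from Windows
        /^---- BEGIN SSH2 PUBLIC KEY ----$/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----$/   { inkey = 0; next }
        !inkey { next }
        cont { cont = sub(/\\$/, ""); next }             # rest of a folded header
        /^[A-Za-z][A-Za-z0-9-]*:/ {                      # header: Comment:, Subject:, x-*
            cont = sub(/\\$/, "")
            if ($0 ~ /^Comment:/) {
                comment = $0
                sub(/^Comment:[ \t]*/, "", comment)
                gsub(/^"|"$/, "", comment)
            }
            next
        }
        { gsub(/[ \t]/, ""); b64 = b64 $0 }              # body: join the base64 lines
        END {
            if (b64 == "") exit 1
            printf "%s", b64
            if (comment != "") printf " %s", comment
            printf "\n"
        }' "$file") || return 1
    b64=${line%% *}
    comment=${line#* }
    if [ "$comment" = "$line" ]; then comment=""; fi
    # SSH wire format: the blob starts with a length-prefixed key-type string.
    # Decode it and require that string to be one of the known types.
    printf '%s' "$b64" | base64 -d >/dev/null 2>&1 || return 1
    blobtype=$(printf '%s' "$b64" | base64 -d 2>/dev/null | head -c 64 \
               | LC_ALL=C tr -c 'a-z0-9.@-' '\n' | grep -m1 -aE "^($KEY_TYPES)\$" || true)
    [ -n "$blobtype" ] || return 1
    printf '%s %s%s\n' "$blobtype" "$b64" "${comment:+ $comment}"
}

# sshkey_ldif UID KEYFILE
# LDIF for ldapmodify that adds the ldapPublicKey auxiliary class and the
# converted key to the user's entry (ou=People is an assumption).
sshkey_ldif() {
    local key
    key=$(rfc4716_to_openssh "$2") || return 1
    printf 'dn: uid=%s,ou=People,dc=netbrain,dc=com\n' "$1"
    printf 'changetype: modify\nadd: objectClass\nobjectClass: ldapPublicKey\n-\n'
    printf 'add: sshPublicKey\nsshPublicKey: %s\n-\n' "$key"
}

# Usage: sshkey_ldif kevin putty-key.pub | ldapmodify -x -D "cn=Manager,dc=netbrain,dc=com" -W
if [ $# -ge 2 ]; then sshkey_ldif "$1" "$2"; fi
```

If the entry already carries objectClass ldapPublicKey, drop the first modification, since `add` of a value that exists is rejected and the whole change then fails. Where OpenSSH is installed, `ssh-keygen -i -m RFC4716 -f key.pub` performs the same format conversion.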


----------------------------------------------------------------------
#Debug LDAP in CentOS:
more /var/log/secure
find . -name slapd
path/slapd -V -d debuglevel


Ubuntu check authentication log:
more /var/log/auth.log


#Actions after you boot up:
setenforce permissive
getenforce
service iptables stop
/etc/init.d/slapd start
authconfig --disablenis --enablemkhomedir --enableshadow --enablelocauthorize --enableldap --ldapserver=ldap://127.0.0.1 --enablemd5 --ldapbasedn=dc=netbrain,dc=com --updateall
service httpd start


----------------------------------------------------------------------
Thanks to the guide for Ubuntu:
I failed to run LDAP with openssh-lpk on it because I couldn't download the OpenSSH source code to enable the AuthorizedKeysCommand option in sshd_config.
First of all, when you start the LDAP installation under Ubuntu, configure /etc/hosts and change the 127.0.0.1 entry to FQDN format:
127.0.0.1 ldap.netbrain.com ldap
openldap derives the dc components from this entry automatically.


If you get this error message:
$ sudo slapindex

   WARNING!
   Running as root!
   There's a fair chance slapd will fail to start.
   Check file permissions!
try: sudo -u openldap slapindex
