4. Tutorial 5:
Information Security
Session 6: Authentication Lab
Session 6 Outline:
• Install Apache and use LDAP authentication and hashed password files (Windows with administrative rights)
• Install OpenLDAP
• Apache with LDAP authentication
5. Tutorial 5:
Session 6: Authentication LAB
This session will contribute to the following
ILOs:
• C: Professional and Practical Skills:
• c4: Configure user authentication and authorization services using
LDAP certificates.
• D: General and Transferable Skills
• d1: Communication and team work.
• d2: Systems configurations.
• d3: Analysis and identification skills.
6. OpenLDAP Server
• In this lab, we will explain how to setup OpenLDAP and
use it for authentication.
• We will use Ubuntu 11.10 in setting up OpenLDAP server,
currently at version 2.4.
• With OpenLDAP, all information is stored in a tree
structure, Directory Information Tree (DIT).
• The tree is often determined by a Fully Qualified Domain
Name (FQDN). If the domain name is example.com, the
root node will be dc=example,dc=com.
• An entry in an LDAP directory consists of a set of attributes.
• An attribute has a type (a name/description) and one or more values.
7. OpenLDAP Server
• Every attribute must be defined in at least one objectClass.
• Attributes and objectclasses are defined in schemas.
• Each entry has a unique identifier: its Distinguished Name (DN or dn). For example:
    dn: uid=galjabari,dc=example,dc=com
    uid: galjabari
    cn: Ghannam Aljabari
    givenName: Ghannam
    sn: Aljabari
    mail: galjabari@example.com
    objectClass: inetOrgPerson
• The above entry is in LDIF format (LDAP Data Interchange Format).
8. Installing OpenLDAP
• To install OpenLDAP server and LDAP management utilities
from the command-line run the following command:
• sudo apt-get install slapd ldap-utils
• By default slapd is installed with only the minimal configuration needed to run the slapd daemon; additional configuration is needed before the directory can be populated.
• OpenLDAP uses a separate directory which contains the
cn=config Directory Information Tree (DIT). The cn=config
DIT is used to dynamically configure the slapd daemon.
• During the install you will be prompted for LDAP admin
password.
e-Government Lifelong 8
9. Installing OpenLDAP
• To view slapd-config DIT:
• sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
• To setup initial configuration for (dc=example,dc=com)
database/DIT:
• sudo dpkg-reconfigure slapd
• You will be prompted to enter the domain name, organization
name, and password for the rootDN. By default, this user's DN
is cn=admin,dc=example,dc=com.
• To view dc=example,dc=com DIT:
• ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
10. Populating LDAP
• Create a frontend.ldif with the following contents (LDIF entries are separated by a blank line; the ou value must match the base DN used later in the Apache configuration):
    dn: ou=users,dc=example,dc=com
    ou: users
    objectClass: organizationalUnit

    dn: uid=galjabari,ou=users,dc=example,dc=com
    objectClass: inetOrgPerson
    uid: galjabari
    sn: Aljabari
    givenName: Ghannam
    cn: Ghannam Aljabari
    mail: galjabari@example.com
    userPassword: test
11. Populating LDAP
• Add the entries to the LDAP directory:
• sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.ldif
• To check that the content has been correctly added,
execute a search of the LDAP directory:
• ldapsearch -x -LLL -b "dc=example,dc=com" uid=galjabari sn givenName cn
12. LDAP Authentication in Apache
• An LDAP directory can be used to authenticate users for a website.
• Edit /etc/hosts and add LDAP hostname:
• 127.0.0.1 ldap.example.com
• To configure Apache for LDAP authentication, edit default
configuration file in /etc/apache2/sites-available as follows:
    <Directory /var/www/example.com/secret>
        AuthType Basic
        AuthName "Restricted Files"
        AuthLDAPURL "ldap://ldap.example.com/ou=users,dc=example,dc=com?uid?"
        AuthBasicProvider ldap
        Require valid-user
    </Directory>
• Note that the AuthName and AuthLDAPURL values must be closed with a double quote, otherwise Apache refuses to start. The URL's base DN (ou=users,dc=example,dc=com) and attribute (uid) must match the entries added to the directory.
13.
• Next, enable the LDAP authentication module in Apache:
• sudo a2enmod authnz_ldap
• With Apache now configured for LDAP authentication, restart the service to enable the new settings:
• sudo /etc/init.d/apache2 restart
• The last step is to check access to the directory by opening a web browser and entering http://example.com/secret in the address bar. The browser should ask for a username and password before loading the page.
14. Summary
• In this session we discussed the
following:
– introduced user authentication
– LDAP LAB