Your own lightning fast LDAP server (and your first client) in 20 minutes, or your money back!
Preliminaries (these don't count toward the 20 minutes)
openssl
openldap
1. Create the root CA:
notes: Give a password (passphrase) for this certificate; it protects the CA key that signs every server certificate. It is the server certificate (step 2) whose Common Name MUST match the fqdn that clients connect to. In my case it's opensuse3.hh3.site. The CA's own name does not have to match, and it is better to keep it different so that the issuer and subject of the server certificate are not the same name. Also note that CA.pl uses the default_bits setting from /etc/ssl/openssl.cnf, which here is 1024-bit RSA; that size is no longer considered adequate, so set default_bits = 2048 (or larger) before running these steps.
In a root shell out of harm's way (e.g. under /tmp, but remember that the CA key and the demoCA/ index created there are needed again to sign or renew certificates, and /tmp may be cleared on reboot; move the directory somewhere persistent and root-only when you are done):
opensuse3:~ # mkdir myCA
opensuse3:~ # cd myCA
opensuse3:~/myCA # /usr/share/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
....................................................++++++
........................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:alc
Locality Name (eg, city) []:localidad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lcb
Organizational Unit Name (eg, section) []:it
Common Name (eg, YOUR name) []:opensuse3.hh3.site
Email Address []:lynn@steve-ss.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc123
An optional company name []:lcb
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
af:fc:2e:28:3d:67:85:17
Validity
Not Before: Mar 21 11:49:20 2012 GMT
Not After : Mar 21 11:49:20 2015 GMT
Subject:
countryName = ES
stateOrProvinceName = alc
organizationName = lcb
organizationalUnitName = it
commonName = opensuse3.hh3.site
emailAddress = lynn@steve-ss.com
X509v3 extensions:
X509v3 Subject Key Identifier:
39:A1:33:0B:F5:5A:27:4A:5F:96:11:62:1A:51:C7:46:C6:9B:91:95
X509v3 Authority Key Identifier:
keyid:39:A1:33:0B:F5:5A:27:4A:5F:96:11:62:1A:51:C7:46:C6:9B:91:95
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Mar 21 11:49:20 2015 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
2. Create the server certificate. DO NOT give a password: -nodes leaves the private key unencrypted, so slapd can start without a passphrase prompt. Give the server's fqdn as the Common Name. Note that both the key and the request are written to the same file, newreq.pem, which is what CA.pl -sign expects in step 3.
opensuse3:~/myCA # openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.....................................................++++++
....................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:alc
Locality Name (eg, city) []:localidad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lcb
Organizational Unit Name (eg, section) []:it
Common Name (eg, YOUR name) []:opensuse3.hh3.site
Email Address []:lynn@steve-ss.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Sign the server certificate with the root CA
opensuse3:~/myCA # /usr/share/ssl/misc/CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
af:fc:2e:28:3d:67:85:18
Validity
Not Before: Mar 21 11:51:52 2012 GMT
Not After : Mar 21 11:51:52 2013 GMT
Subject:
countryName = ES
stateOrProvinceName = alc
localityName = localidad
organizationName = lcb
organizationalUnitName = it
commonName = opensuse3.hh3.site
emailAddress = lynn@steve-ss.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2C:7E:C5:27:65:25:32:E8:DA:BE:88:1F:12:17:2F:7D:C8:22:74:60
X509v3 Authority Key Identifier:
keyid:39:A1:33:0B:F5:5A:27:4A:5F:96:11:62:1A:51:C7:46:C6:9B:91:95
Certificate is to be certified until Mar 21 11:51:52 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
4. Finally, install the certificates in the ldap configuration directory and lock down the key. The private key is the only secret here: cacert.pem and servercrt.pem are public and may stay readable. Because newreq.pem holds both the key and the request, serverkey.pem will also contain the CERTIFICATE REQUEST block; slapd ignores it, but you can strip it with openssl rsa -in newreq.pem -out serverkey.pem if you prefer a clean key file. The files must be readable by the user slapd runs as (ldap on openSUSE):
opensuse3:~/myCA # cp demoCA/cacert.pem /etc/openldap/
opensuse3:~/myCA # cp newcert.pem /etc/openldap/servercrt.pem
opensuse3:~/myCA # cp newreq.pem /etc/openldap/serverkey.pem
opensuse3:~/myCA # chown ldap.ldap /etc/openldap/*.pem
opensuse3:~/myCA # chmod 640 /etc/openldap/cacert.pem
opensuse3:~/myCA # chmod 600 /etc/openldap/serverkey.pem
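The same four steps, as an added example that is not part of the original page and does not use CA.pl: it is non-interactive, uses 4096/2048-bit keys instead of the 1024-bit default, gives the CA a name distinct from the server's, puts the fqdn in a subjectAltName (which modern clients check instead of the Common Name), and then verifies the chain, the hostname, the key/certificate match and the file mode before anything is installed. The target directory and the fqdn are arguments; the organisation name "Example LDAP" and the ldap user are assumptions, and openssl 1.1.0 or newer is required.

```shell
#!/bin/sh
# Added example (not from the original page): steps 1-4 without CA.pl.
# Assumptions: target directory and FQDN are given as $1 and $2;
# openssl 1.1.0+ is installed; slapd runs as user "ldap".
set -eu

# Step 1: root CA. Its CN is deliberately NOT the server's FQDN; only the
# server certificate has to carry the name clients connect to.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/cakey.pem" 4096 2>/dev/null
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example LDAP
CN = Example LDAP Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/cakey.pem" \
        -config "$dir/ca.cnf" -out "$dir/cacert.pem"
    chmod 600 "$dir/cakey.pem"
}

# Steps 2 and 3: unencrypted server key (slapd must start unattended), a
# CSR, and a leaf certificate limited to serverAuth with a SAN for the FQDN.
make_server_cert() {
    dir=$1
    fqdn=$2
    openssl genrsa -out "$dir/serverkey.pem" 2048 2>/dev/null
    cat > "$dir/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
O = Example LDAP
CN = $fqdn
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
    openssl req -new -sha256 -key "$dir/serverkey.pem" \
        -config "$dir/server.cnf" -out "$dir/server.csr"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.cnf" -extensions v3_server \
        -out "$dir/servercrt.pem" 2>/dev/null
    # Step 4: the private key is the only secret; certificates are public.
    chmod 600 "$dir/serverkey.pem"
    chmod 644 "$dir/servercrt.pem" "$dir/cacert.pem"
}

# Chain and hostname check, the way a TLS client does it. Returns 0 if OK.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/servercrt.pem" >/dev/null 2>&1
}

# The key file and the certificate must carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1/serverkey.pem" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$1/servercrt.pem" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Octal permission bits of a file (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: sh mkldapcerts.sh /etc/openldap opensuse3.hh3.site
if [ "$#" -ge 2 ]; then
    make_ca "$1"
    make_server_cert "$1" "$2"
    verify_chain "$1" "$2"
    key_matches_cert "$1"
    # Hand the files to slapd's user when run as root (ldap on openSUSE).
    if [ "$(id -u)" -eq 0 ] && id ldap >/dev/null 2>&1; then
        chown ldap:ldap "$1"/cacert.pem "$1"/servercrt.pem "$1"/serverkey.pem
    fi
    echo "certificates written to $1 for $2"
fi
```

The verification step is the part worth keeping even if you stay with CA.pl: openssl verify -verify_hostname fails for a certificate whose name does not match the fqdn, and the public-key comparison catches the classic mistake of installing a key that belongs to an older request.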
Yast LDAP Server
Stand-alone Server
Selecting the CA and Server Certificates
Or just copy and paste from your shell
admin is easier to type than Administrator
All OK?
Yast LDAP Client settings
This is the Administration tab. Leave the Client tab as it is. Then click Configure User options.
Change the values to match your LAN to avoid collisions with local users |
Now the fun bit. Here we create an LDAP-ified group. Don't forget to choose the LDAP filter. |
Adding an LDAP-ified user. |
Putting the user and group together. |
Using the Yast Ldap Browser |
Now to add personal details to keep tabs on your users |
Log in and read /var/log/messages (e.g. with less). Here you can see that TLS succeeded at login.
Just as good: here is a full LDAP search for lynn2
ldapsearch -H ldap://localhost -D cn=admin,dc=hh3,dc=site 'uid=lynn2' -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=hh3,dc=site> (default) with scope subtree
# filter: uid=lynn2
# requesting: ALL
#
# lynn2, people, hh3.site
dn: uid=lynn2,ou=people,dc=hh3,dc=site
cn: l
gidNumber: 1000
homeDirectory: /home/lynn2
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: l
uid: lynn2
uidNumber: 1002
userPassword:: e3NzaGF9YzIyUVQ3SXNSZDlNSTlBTDkxOEtZZ040OWZSQlJFdEtWZz09
homePhone: 123 456 789
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
joe lynnpolop.ldif
dn: uid=lynnpolop,ou=people,dc=hh3,dc=site
cn: lp
gidNumber: 1000
homeDirectory: /home/lynnpolop
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: lp
uid: lynnpolop
uidNumber: 1003
userPassword:: e3NzaGF9YzIyUVQ3SXNSZDlNSTlBTDkxOEtZZ040OWZSQlJFdEtWZz09
homePhone: 968 765 432
Note the userPassword value was copied from the first user, so lynnpolop starts out with exactly that user's password (the :: means the LDIF value is base64-encoded; it decodes to a {ssha} salted SHA-1 hash). Better to generate a fresh hash with slappasswd -h '{SSHA}' -s, or at least get the user to change the password on first login. Also, when adding over the network rather than on localhost, use -ZZ (require StartTLS) or an ldaps:// URL so the admin password is not sent in the clear.
ldapadd -H ldap://opensuse3.hh3.site -x -D "cn=admin,dc=hh3,dc=site" -W -f lynnpolop.ldif
Enter LDAP Password:
adding new entry "uid=lynnpolop,ou=people,dc=hh3,dc=site"
lynnpolop:*:1003:1000:l-p:/home/lynnpolop:/bin/bash
opensuse3:/home/lynn # mkdir /home/lynnpolop
opensuse3:/home/lynn # chown lynnpolop:ldapusers /home/lynnpolop
opensuse3:/home/lynn # exit
exit
lynn@opensuse3:~> su lynnpolop
Password:
lynnpolop@opensuse3:/home/lynn> cd ~
lynnpolop@opensuse3:~> id
uid=1003(lynnpolop) gid=1000(ldapusers) groups=1000(ldapusers)
lynnpolop@opensuse3:~> passwd
Changing password for lynnpolop.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for lynnpolop
lynnpolop@opensuse3:~> getent passwd lynnpolop
lynnpolop:*:1003:1000:lp:/home/lynnpolop:/bin/bash
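A way to build the LDIF for a new user with its own freshly salted {SSHA} hash instead of copying another entry's userPassword, as an added example that is not from the original page. OpenLDAP's own tool for this is slappasswd; the example constructs the hash with openssl so that the format (base64 of SHA-1(password || salt) followed by the salt) is visible and checkable by hand, and it decodes the userPassword:: value shown above only far enough to report its scheme and salt length, not the password. The uid, numbers and base DN come from the page; the password, the salt length and the use of openssl instead of slappasswd are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): provision a POSIX user with
# a fresh {SSHA} hash rather than a copied one. Assumptions: openssl is
# installed; password and salt are chosen here, not taken from the page.
set -eu

# {SSHA} as OpenLDAP stores it: base64( SHA1(password || salt) || salt ).
# slappasswd -h '{SSHA}' -s PASSWORD yields the same format.
ssha_hash() {
    pw=$1
    salt=${2:-$(openssl rand -base64 6)}   # 8 printable salt bytes by default
    b64=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary
             printf '%s' "$salt"; } | openssl base64 -A)
    printf '{SSHA}%s\n' "$b64"
}

# Check a password against a stored {SSHA} value; returns 0 on a match.
# The salt may be binary, so it stays in a temp file, never in a variable.
ssha_verify() {
    pw=$1
    stored=$2
    case $stored in
        '{SSHA}'*|'{ssha}'*) ;;
        *) return 2 ;;               # not a scheme this function handles
    esac
    tmp=$(mktemp)
    printf '%s' "${stored#*\}}" | openssl base64 -d -A > "$tmp"
    want=$(head -c 20 "$tmp" | openssl base64 -A)          # stored digest
    got=$( { printf '%s' "$pw"; tail -c +21 "$tmp"; } \
           | openssl dgst -sha1 -binary | openssl base64 -A) # recomputed
    rm -f "$tmp"
    [ "$want" = "$got" ]
}

# Decode a "userPassword:: <base64>" LDIF value and report scheme and salt
# length (SHA-1 digests are always 20 bytes; whatever follows is the salt).
ldif_password_info() {
    decoded=$(printf '%s' "$1" | openssl base64 -d -A)     # e.g. {ssha}c22Q...
    scheme=${decoded%%\}*}\}
    total=$(printf '%s' "${decoded#*\}}" | openssl base64 -d -A | wc -c | tr -d ' ')
    printf '%s digest=20 salt=%s\n' "$scheme" "$((total - 20))"
}

# LDIF for a posixAccount/inetOrgPerson entry with its own new hash.
# Usage: user_ldif BASE_DN UID UIDNUMBER GIDNUMBER CN SN PASSWORD
user_ldif() {
    base=$1; uid=$2; uidn=$3; gidn=$4; cn=$5; sn=$6; pw=$7
    hash=$(ssha_hash "$pw")
    cat <<EOF
dn: uid=$uid,ou=people,$base
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
uid: $uid
cn: $cn
sn: $sn
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$uid
loginShell: /bin/bash
userPassword: $hash
EOF
}

# Example run (password is an assumption): write the LDIF, then load it
# over StartTLS so the admin bind password is not sent in the clear.
if [ "$#" -ge 1 ]; then
    user_ldif dc=hh3,dc=site lynnpolop 1003 1000 lp lp "$1" > lynnpolop.ldif
    echo "ldapadd -ZZ -H ldap://opensuse3.hh3.site -x -D cn=admin,dc=hh3,dc=site -W -f lynnpolop.ldif"
fi
```

The userPassword line is written plain rather than base64 ({SSHA}... is safe LDIF text); slapd accepts either. A hash checked with ssha_verify before the ldapadd catches the usual typo in a hand-edited LDIF.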