07 - Linux ITNSA - LDAP

The document discusses LDAP, an open protocol used to access directories and manage authentication. It describes OpenLDAP, an open source LDAP implementation, and provides configuration steps for setting up an LDAP server on Debian using slapd and adding users through ldapscripts. Nslcd is also configured to enable Linux systems to authenticate against the LDAP server.

Uploaded by SiskaAmalia

LDAP
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate data
about organizations, individuals and other resources such as files and devices in a network -- whether on the
public Internet or on a corporate Intranet.

The most common use of LDAP is to provide a central place for authentication, meaning it stores usernames and
passwords. For example, LDAP can be used to validate usernames and passwords for email, OpenVPN and
Linux Samba servers.
OpenLDAP
OpenLDAP is an Open Source implementation of the Lightweight Directory Access Protocol.

The suite includes:

● lloadd - stand-alone LDAP Load Balancer Daemon (server or slapd module)
● slapd - stand-alone LDAP daemon (server)
● libraries implementing the LDAP protocol, and
● utilities, tools, and sample clients.
Lab ITNSA
Configure LDAP in MAIL to provide users available for VPN Authentication.

● Configure using domain dc=itnsa,dc=id.
● Create user ‘vpn’ with password ‘Skills39’ for VPN testing.
● Disable Anonymous Login

LDAP Users

User    Password
vpn     Skills39
admin   Skills39
ops     Skills39
dev     Skills39
SLAPD on Debian
● Install SLAPD
○ # apt install slapd ldap-utils
○ Enter admin password
○ Confirm admin password
● Reconfigure SLAPD
○ # dpkg-reconfigure slapd
○ Answer the prompts: DNS domain name itnsa.id (this yields the base DN dc=itnsa,dc=id), organization name, and the admin password
● Configure ldap.conf
○ # vim /etc/ldap/ldap.conf

BASE dc=itnsa,dc=id
URI ldap://ldap.itnsa.id

○ # systemctl restart slapd


● Verify slapd configuration
○ # slapcat
○ # ldapsearch -x -H ldap://ldap.itnsa.id -D "cn=admin,dc=itnsa,dc=id" -W
● Disable Anonymous Bind
○ Verify first (at this point an anonymous search still succeeds):
■ # ldapsearch -x -H ldap://ldap.itnsa.id
○ Create an LDIF that disallows anonymous bind and requires authentication on the frontend database
■ # mkdir -p /etc/ldap/schema/itnsa
■ # vim /etc/ldap/schema/itnsa/disable_anon.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
○ Import / Modify Config
■ # ldapmodify -Y EXTERNAL -H ldapi:// -f /etc/ldap/schema/itnsa/disable_anon.ldif
○ Verify (the anonymous search now fails; the authenticated search still works)
■ # ldapsearch -x -H ldap://ldap.itnsa.id
■ # ldapsearch -x -H ldap://ldap.itnsa.id -D "cn=admin,dc=itnsa,dc=id" -W
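To confirm that both changes from disable_anon.ldif actually landed in cn=config, here is an added shell script (not part of the original slides) that audits a config dump for `olcDisallows: bind_anon` on `cn=config` and `olcRequires: authc` on the frontend database. On a real server you would pipe in the output of `slapcat -n 0` or `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config`; the two LDIF samples embedded below are constructed stand-ins for that output.

```shell
#!/bin/sh
# Added example (not from the original slides): audit a slapd cn=config dump for the
# two settings that disable_anon.ldif applies. Real input comes from
#   slapcat -n 0                                         (offline, as root) or
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
# The two LDIF strings below are constructed samples standing in for that output.

# Constructed sample: a freshly installed slapd (anonymous bind still allowed).
DEFAULT_CONFIG='dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
'

# Constructed sample: the same server after disable_anon.ldif was applied.
HARDENED_CONFIG='dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcDisallows: bind_anon

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcRequires: authc
'

# Print the attribute lines of the LDIF entry on stdin whose dn matches $1.
# LDIF entries are blank-line separated, so awk's paragraph mode (RS="") splits them.
entry_attrs() {
    awk -v dn="$1" 'BEGIN { RS = ""; FS = "\n" }
        $1 == ("dn: " dn) { for (i = 2; i <= NF; i++) print $i }'
}

# Read a config dump from stdin; return 0 only if both hardening attributes are present.
# Each missing setting is named so the operator knows which change to re-apply.
audit_anon_bind() {
    config="$(cat)"
    ok=0
    if ! printf '%s\n' "$config" | entry_attrs "cn=config" | grep -qx 'olcDisallows: bind_anon'; then
        echo "MISSING: olcDisallows: bind_anon on cn=config"
        ok=1
    fi
    if ! printf '%s\n' "$config" | entry_attrs "olcDatabase={-1}frontend,cn=config" | grep -qx 'olcRequires: authc'; then
        echo "MISSING: olcRequires: authc on olcDatabase={-1}frontend,cn=config"
        ok=1
    fi
    return "$ok"
}

echo "default install:"
printf '%s' "$DEFAULT_CONFIG" | audit_anon_bind || echo "-> anonymous bind still possible"
echo "hardened:"
printf '%s' "$HARDENED_CONFIG" | audit_anon_bind && echo "-> anonymous bind disabled"
```

Checking the stored configuration complements the two ldapsearch probes above: the probes show the current behaviour, the audit shows that the setting is persisted in cn=config and will survive a restart.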
● Add OU
○ # vim /etc/ldap/schema/itnsa/ou_people.ldif

dn: ou=People,dc=itnsa,dc=id
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: People

○ # ldapadd -x -W -D "cn=admin,dc=itnsa,dc=id" -f /etc/ldap/schema/itnsa/ou_people.ldif
● Install ldapscripts to make adding users easier
○ # apt install ldapscripts
● Configure ldapscripts
○ # vim /etc/ldapscripts/ldapscripts.conf

SERVER="ldap://ldap.itnsa.id"
SUFFIX="dc=itnsa,dc=id"
# ldapscripts uses separate containers for groups (GSUFFIX) and users (USUFFIX);
# both point at the ou=People created above, since its default ou=Users does not exist here.
GSUFFIX="ou=People"
USUFFIX="ou=People"

BINDDN="cn=admin,dc=itnsa,dc=id"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
● Store the bind password for ldapscripts (the cn=admin password set at install time; echo -n keeps a trailing newline out of the file)
○ # rm /etc/ldapscripts/ldapscripts.passwd
○ # echo -n "admin" > /etc/ldapscripts/ldapscripts.passwd
○ # chmod 400 /etc/ldapscripts/ldapscripts.passwd
● ldapscripts: add a group
○ # ldapaddgroup my_group
● ldapscripts: add users
○ # ldapadduser vpn my_group
○ # ldapadduser admin my_group
○ # ldapadduser ops my_group
○ # ldapadduser dev my_group
● ldapscripts: set user passwords
○ # ldapsetpasswd vpn
○ # ldapsetpasswd admin
○ # ldapsetpasswd ops
○ # ldapsetpasswd dev
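The ldapscripts commands above hide what is actually written to the directory. As an added example (not from the slides or from the ldapscripts project), the following script generates the equivalent LDIF for ou=People, a posixGroup my_group and the four lab accounts, so the entries can be reviewed before they are loaded with ldapadd. The uidNumber/gidNumber range, home directories and login shell are assumptions; userPassword is deliberately left out so that passwords are set afterwards with ldapsetpasswd or ldappasswd and hashed by the server instead of being written into a file.

```shell
#!/bin/sh
# Added example (not from the original slides): build the LDIF that ldapadd needs to
# create the ou=People container, the group my_group and the four lab accounts.
# Assumed values: the uidNumber/gidNumber range, /home/<user> and /bin/bash.
SUFFIX="dc=itnsa,dc=id"
OU="People"
GROUP="my_group"
GID=10000          # assumed gidNumber for my_group
FIRST_UID=10001    # assumed first uidNumber

# Constructed input: the logins from the lab user table, one per line.
USERS="vpn
admin
ops
dev"

# LDIF for the organizationalUnit (same entry as ou_people.ldif above).
gen_ou_ldif() {
    printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nobjectClass: top\nou: %s\n\n' "$OU" "$SUFFIX" "$OU"
}

# LDIF for a posixGroup listing every lab user as memberUid.
gen_group_ldif() {
    printf 'dn: cn=%s,ou=%s,%s\nobjectClass: posixGroup\nobjectClass: top\ncn: %s\ngidNumber: %s\n' \
        "$GROUP" "$OU" "$SUFFIX" "$GROUP" "$GID"
    for u in $USERS; do printf 'memberUid: %s\n' "$u"; done
    printf '\n'
}

# LDIF for one account: $1 = login, $2 = uidNumber.
# No userPassword on purpose: set it afterwards with ldapsetpasswd/ldappasswd so the
# server stores a hash and the clear-text value never sits in a file.
gen_user_ldif() {
    printf 'dn: uid=%s,ou=%s,%s\n' "$1" "$OU" "$SUFFIX"
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\n'
    printf 'uid: %s\ncn: %s\nsn: %s\n' "$1" "$1" "$1"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$2" "$GID"
    printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\n\n' "$1"
}

# Whole batch: OU, group, then every user with consecutive uidNumbers.
gen_all_ldif() {
    gen_ou_ldif
    gen_group_ldif
    n=$FIRST_UID
    for u in $USERS; do
        gen_user_ldif "$u" "$n"
        n=$((n + 1))
    done
}

# Number of entries (dn: lines) in the LDIF on stdin; a sanity check before loading with
#   ldapadd -x -W -D "cn=admin,dc=itnsa,dc=id" -f people.ldif
count_entries() {
    grep -c '^dn: '
}

gen_all_ldif
echo "# entries: $(gen_all_ldif | count_entries)"
```

Reviewing the generated file makes the directory layout explicit: one organizationalUnit, one posixGroup and four posixAccount entries under ou=People, with no credential material in the LDIF itself.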
NSLCD on Debian
● Install nslcd; the service lets the local system load users and groups from an LDAP directory
○ # apt install libnss-ldapd
○ # pam-auth-update --enable mkhomedir
○ # vim /etc/nslcd.conf (uri and base are already filled in from the debconf prompts during installation)

binddn cn=admin,dc=itnsa,dc=id
bindpw admin

○ # systemctl stop nslcd && systemctl start nslcd
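Both /etc/ldapscripts/ldapscripts.passwd and /etc/nslcd.conf now hold the cn=admin password in clear text, so file permissions are all that keep it from local users. This added check script (not part of the slides) verifies that a file grants no permission bits beyond a given octal mode. The 400 for ldapscripts.passwd comes from the chmod step above; the 640 for /etc/nslcd.conf (owned root:nslcd, so the nslcd daemon can read it) is Debian's packaged default; GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original slides): verify that the files holding the
# cn=admin bind password are not readable beyond the intended mode.
#   /etc/ldapscripts/ldapscripts.passwd  expected 400 (from the chmod step above)
#   /etc/nslcd.conf                      expected 640, root:nslcd (Debian default)
# Assumes GNU stat (stat -c %a prints the numeric mode).

# $1 = file, $2 = highest acceptable octal mode (e.g. 400 or 640).
# Returns 0 when the file exists and sets no permission bit outside $2, 1 otherwise.
check_secret_mode() {
    file="$1"; max="$2"
    [ -f "$file" ] || { echo "MISSING: $file"; return 1; }
    mode="$(stat -c %a "$file")"
    # Bits present in the file mode but not allowed by max; the leading 0 makes the
    # shell read both values as octal, like chmod does.
    extra=$(( 0$mode & ~0$max ))
    if [ "$extra" -ne 0 ]; then
        printf 'WEAK: %s is mode %s (want at most %s)\n' "$file" "$mode" "$max"
        return 1
    fi
    return 0
}

# Check the two credential files from the lab; return 1 if either is too open.
check_lab_secrets() {
    rc=0
    check_secret_mode /etc/ldapscripts/ldapscripts.passwd 400 || rc=1
    check_secret_mode /etc/nslcd.conf 640 || rc=1
    return $rc
}

check_lab_secrets && echo "bind password files are protected" \
    || echo "tighten permissions before relying on this server for authentication"
```

Run it after the nslcd step (and again after any package upgrade that may rewrite /etc/nslcd.conf); a WEAK line names the file whose mode must be corrected with chmod.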