Professional Documents
Culture Documents
V25766-01(1).zip is the zip file containg the odsee software.The install path of
the odsee directory server is /ldap
[root@odsee ~]# ls
[root@odsee ~]#
Unzip the V25766-01(1).zip file in tmp directory and then unzip the sun-
dsee7.zip in /ldap directory
creating: ODSEE_Identity_Synchronization_for_Windows/jdk/
inflating: ODSEE_Identity_Synchronization_for_Windows/jdk/jdk-1.5.0_29-
fcs.i586.rpm
creating: ODSEE_Identity_Synchronization_for_Windows/144591-01/
inflating: ODSEE_Identity_Synchronization_for_Windows/144591-
01/README.144591-01
inflating: ODSEE_Identity_Synchronization_for_Windows/144591-
01/LEGAL_LICENSE.TXT
extracting: ODSEE_Identity_Synchronization_for_Windows/144591-
01/isw.6.0.sp1.linux.zip
creating: ODSEE_ZIP_Distribution/
inflating: ODSEE_ZIP_Distribution/idsktune
extracting: ODSEE_ZIP_Distribution/sun-dsee7.zip
inflating: README.txt
inflating: THIRDPARTYLICENSEREADME-ODSEE.txt
[root@odsee tmp]#
[root@odsee tmp]# ls
COPYRIGHT.txt ODSEE_ZIP_Distribution
THIRDPARTYLICENSEREADME-ODSEE.txt
ODSEE_Identity_Synchronization_for_Windows README.txt
[root@odsee ODSEE_ZIP_Distribution]# ls
idsktune sun-dsee7.zip
----------------------------------OUTPUT
TRUNCATED------------------------------------------------
[root@odsee ODSEE_ZIP_Distribution]#
[root@odsee dsee7]# ls
[dsadm]
Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
[slapd 32-bit]
Oracle Corporation.
[root@odsee bin]#
For basic configuration of the odsee server we need to create a new instance
listening on port 3891/6361 of the odsee server and a suffix with data on the
server. Please follow the steps given below for the instance creation and
suffix creation
[root@odsee bin]#
[root@odsee bin]#
Owner: root(root)
State: Running
DSCC url: -
[root@odsee bin]#
[root@odsee bin]#
compressed-entries : overflow
compression-mode : none
db-name : ldaphome
db-path : /ldap/instances/masterA/db/ldaphome
enabled : on
entry-cache-count : unlimited
entry-cache-size : 10M
entry-count : 1
entry-crc-enabled : of
index-filter-analyzer-enabled : of
index-filter-analyzer-max-entries : 2000
parent-suffix-dn : undefined
referral-mode : disabled
referral-url : undefined
repl-accept-client-update-enabled : N/A
repl-cl-max-age : N/A
repl-cl-max-entry-count : N/A
repl-id : N/A
repl-manager-bind-dn : N/A
repl-purge-delay : N/A
repl-rewrite-referrals-enabled : N/A
repl-role : not-replicated
require-index-enabled : of
[root@odsee bin]#
Your suffix is ready now load the data into the suffix. Here we add only two
entries into the suffix
-w test123test -a
dn: ou=people,dc=ldaphome,dc=com
objectclass: organizationalunit
ou: people
dn: uid=user.0,ou=people,dc=ldaphome,dc=com
cn: user.0
sn: user.0
userpassword: test123test
objectclass: inetorgperson
[root@odsee bin]#
==============================================
=================================
In this internet world the servers are open to the internet/intranet due to
which any one can connect to the server and perform the add/del/mod
operation on the server. If the server is opened to the network without the
proper access control then it is very risky and any one can steal or damage
your data. There are lots of application which are authenticating by the ldap
server with username and password. So if the ldap server is compromised
then your application may also be compromised.
ODSEE directory server have a very smart ACI facility to secure the server.
With Aci we can permit the user/group/role based access on the suffixes. If
the odsee ldap server does not configured with proper aci rules then
configured it properly
To give the anonymous access on the odsee ldap server allow the read,
search, compare access on the suffix to anyone. Try to search with
anonymous user
# extended LDIF
# LDAPv3
# requesting: ALL
# search result
search: 2
result: 0 Success
# numResponses: 1
[root@odsee bin]#
dn: dc=ldaphome,dc=com
changetype: modify
add: aci
userdn="ldap:///anyone";)
^C
[root@odsee bin]#
# ldaphome.com
dn: dc=ldaphome,dc=com
# people, ldaphome.com
dn: ou=people,dc=ldaphome,dc=com
dn: uid=user.0,ou=people,dc=ldaphome,dc=com
[root@odsee bin]#
dn: dc=ldaphome,dc=com
changetype: modify
add: aci
ou=people,dc=ldaphome,dc=com";)
modifying entry "dc=ldaphome,dc=com"
^C
[root@odsee bin]#
==============================================
====================================
There are two types of network data transfers, clear-text and SSL/TLS. In
clear-text from the communication between the client and server are in plain
text, any snifer can read the data packets on the network and easily know
what is flowing on the network. To overcome this plaintext risk, we can use
the ssl/tls transmission. SSL/TLS are cryptographic schemes used to encrypt
the transmission of data between the server and client or between the server
to server. The encryption is based on the public/private keys.
In SSL/TLS the server can use two types of certificates self sign certificate
and CA sign certifiactes. The later is more robust and trusted by the clients.
Requirements
Certifying Authority
Note:- We configure here our own CA with Openssl, which sign the server
certificates.
[ ca ]
##############################################
######################
[ CA_default ]
umask 77 ; \
...............................................+++
...........................+++
e is 65537 (0x10001)
/usr/bin/openssl req -utf8 -new -key ca.key -x509 -days 365 -out ca.crt
-set_serial 0
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
-----
[root@odsee certs]#
Move the CA private key (ca.key) file to /etc/pki/CA/private and set the
permission 0700. Move the CA certificate file ca.crt to /etc/pki/CA
[root@odsee CA]#
Request a CSR
Request a certificate signing request from the directory server by using the
dsadm request-cert Give the full dns (fqdn)hostname of the server in csr
request command
Operand is missing
odsee.ldaphome.com
[root@odsee bin]#
[root@odsee bin]# ./dsadm request-cert --name odsee.ldaphome.com --org
"LDAPHOME Company Ltd." --org-unit "Directory Services" --city "Noida"
--state "Uttar Pradesh" --country "IN" --phone "9891290666" --email
"support@ldaphome.com" --dns "ldaphome.com" --keysize 1024 -F ascii -o
odsee.csr /ldap/instances/masterA/
[root@odsee bin]#
Run the below command on the CA server, In my case both server are same
odsee.ldaphome.com
[root@odsee bin]# openssl x509 -req -in odsee.csr -out odsee.crt -days
365 -CA /etc/pki/CA/certs/ca.crt -CAkey /etc/pki/CA/private/ca.key
-CAserial /etc/pki/CA/serial
Signature ok
subject=/C=IN/ST=Uttar Pradesh/L=Noida/OU=Directory
Services/O=LDAPHOME Company Ltd./CN=odsee.ldaphome.com
[root@odsee bin]#
The Directory Server will need to be restarted before being able to use the
new certificate.
[root@odsee bin]#
[root@odsee bin]#
[root@odsee bin]#
[root@odsee bin]#
Your server is now configured with CA signed certificate. Check the certificate
with openssl command
CONNECTED(00000003)
verify return:1
verify return:1
---
Certificate chain
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDKDCCAhACAQIwDQYJKoZIhvcNAQEFBQAwgacxCzAJBgNVBAYTAklOMQ4wD
AYD
BgNVBAMMCUV4YW1wbGVDQTEiMCAGCSqGSIb3DQEJARYTc3VwcG9ydEBleGF
tcGxl
igC67+9H0HAkQKLfQ9Un5cgtrydCGHF4l2J7GfaV3ovKxumXdAJb5BfY4yuf58o5
CeelQil6opKFyRvEJbcVrFiEQGWTzNjv7fjXA1SYvyGm86AShePMr39WFvs=
-----END CERTIFICATE-----
subject=/C=IN/ST=Uttar Pradesh/L=Noida/OU=Directory
Services/O=LDAPHOME Company Ltd./CN=odsee.ldaphome.com
issuer=/C=IN/ST=Delhi/L=New Delhi/O=Example CA
Authority/OU=Certificates
Section/CN=ExampleCA/emailAddress=support@example.com
---
/O=Sun Microsystems/CN=Directory
Server/CN=6361/CN=odsee.ldaphome.com
---
SSL handshake has read 1083 bytes and written 323 bytes
---
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : CAMELLIA256-SHA
Session-ID:
0F62D9B2C94155A49AE76C88A0E5BD2D6DE19F90C722DDDA9DC8ADACA7
2F3C6B
Session-ID-ctx:
Master-Key:
95F0075D78DCB251A9B97D0201748DB2D6D49D4E449B632E2660B8C2EEE
D863433D15DF6B76D3DD9E61566B567C87977
Key-Arg : None
---
[root@odsee cacerts]# ls
5053cf66.0 ca.crt
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://odsee.ldaphome.com:3891/
BASE dc=ldaphome,dc=com
# extended LDIF
# LDAPv3
# filter: cn=praveen
# requesting: ALL
dn: cn=praveen,ou=people,dc=ldaphome,dc=com
userPassword::
e1NTSEF9Q1hZMlJKdFhYeW45ODQrUUthR3pKaXFBcmFjUWRwNEMweTlITnc9P
Q=
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: kumar
cn: praveen
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@odsee openldap]#
# extended LDIF
# LDAPv3
# filter: cn=praveen
# requesting: ALL
dn: cn=praveen,ou=people,dc=ldaphome,dc=com
userPassword::
e1NTSEF9Q1hZMlJKdFhYeW45ODQrUUthR3pKaXFBcmFjUWRwNEMweTlITnc9P
Q=
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: kumar
cn: praveen
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@odsee openldap]#
Re-enter password:
[root@odsee ~]#
[root@odsee ~]#
version: 1
dn: cn=praveen,ou=people,dc=ldaphome,dc=com
userPassword: {SSHA}CXY2RJtXXyn984+QKaGzJiqAracQdp4C0y9HNw==
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: kumar
cn: praveen
[root@odsee ~]#
version: 1
dn: cn=praveen,ou=people,dc=ldaphome,dc=com
userPassword: {SSHA}CXY2RJtXXyn984+QKaGzJiqAracQdp4C0y9HNw==
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
sn: kumar
cn: praveen
[root@odsee ~]#
==============================================
====================================
Logs are very important in the life of I.T person. As the full game of the
troubleshooting of any server or application is based on the logs provided by
the application/server. The odsee directory server has three types of logs
Acceslogs/Errorlogs/Auditlogs. Each log is giving its specific type of
information related to the server.
Access Logs
Accesslogs are the logs which gives the information related to the clients,
users and operations performed on the server
bufering-enabled : on
enabled : on
level : default
max-age : 1M
max-disk-space-size : 500M
max-file-count : 10
max-size : 100M
min-free-disk-space-size : 5M
path : /ldap/instances/masterA/logs/access
perm : 600
rotation-interval : 1d
rotation-min-file-size : unlimited
rotation-time : undefined
verbose-enabled : N/A
[root@odsee bin]#
[root@odsee bin]#
to 127.0.0.1
dn="cn=directory manager"
attrs="nsslapd-config-magic"
Error Logs
Error logs are logs which gives information about the plugins, fatal, warning
messages about the server
bufering-enabled : N/A
enabled : on
level : default
max-age : 1M
max-disk-space-size : 100M
max-file-count : 2
max-size : 100M
min-free-disk-space-size : 5M
path : /ldap/instances/masterA/logs/errors
perm : 600
rotation-interval : 1w
rotation-min-file-size : unlimited
rotation-time : undefined
verbose-enabled : of
[root@odsee bin]#
You can get the diferent levels of error logs which you can set on the error
logs for getting the diferent types of the logs information about the server.
Run the below command with level having some arbitary value xx
err-search-filter|err-config-file|err-acl|err-ldbm|err-entry-parsing|err-
housekeeping|err-replication|
err-entry-cache|err-plugins|err-dsml|err-dsml-advanced.
[root@odsee bin]
[root@odsee bin]#
Taking backup is a very important task in the directory servers. If your server
is crashed and you did not have a backup to restore it.Then you are in
trouble. We have to take the backup at regular intervals and the interval is
should be less than repl-purge-delay and repl-cl-max-age time period. If the
time period between the two backups are more that the repl-purge-delay and
repl-cl-max-age period then your recent changes are lost.
Binary backup is faster to take and restore as compare to ldif backup. For
taking backup with dsadm the instance should be in stopped state
ldaphome_givenName.db3)
[root@odsee bin]#
[root@odsee bin]#
[16/Oct/2014:22:06:
[root@odsee bin]#
In a ldif backup the backup is taken in ldif text format and you can modify the
backup also.
## Export finished.
version: 1
# entry-id: 1
dn: dc=ldaphome,dc=com
dc: ldaphome
objectClass: top
objectClass: domain
createTimestamp: 20141016115144Z
aci: (targetattr="*")(version 3.0; acl "Anonymous Access"; allow (read, search
, compare) userdn="ldap:///anyone";)
p:///uid=user.1,ou=people,dc=ldaphome,dc=com";)
modifyTimestamp: 20141016143051Z
nsUniqueId: b0bb26a3-552a11e4-8052f89c-f7902c4
## Indexing complete.
## Closing files...
[root@odsee bin]#
Run the ldapsearch command to check the entries are avialable or not
Comments.
==============================================
=====================================
Its a human nature that they do not want to do difficult things and wants easy
things. Changing the password frequently is a headache because we confuse
in remembering the password. But due to this nature of not changing the
passwords frequently makes the password compromise. We apply the
password polices which enforces the users to change the password after a
specific time period, with diferent characters in the password.
Password quality check 2 only two quality checks are enforced like, lower,
upper characters etc.
dn: cn=DefaultPolicy,dc=ldaphome,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: sunPwdPolicy
objectClass: LDAPsubentry
cn: DefaultPolicy
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxFailure: 3
pwdMustChange: TRUE
pwdMinLength: 8
[root@odsee bin]#
# extended LDIF
# LDAPv3
# filter: (&(objectclass=ldapsubentry)(cn=Defaultpolicy))
# requesting: ALL
# DefaultPolicy, ldaphome.com
dn: cn=DefaultPolicy,dc=ldaphome,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: sunPwdPolicy
objectClass: LDAPsubentry
objectClass: passwordPolicy
cn: DefaultPolicy
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxFailure: 3
pwdMustChange: TRUE
passwordCheckSyntax: on
passwordLockout: on
passwordUnlock: on
passwordLockoutDuration: 300
passwordMaxFailure: 3
passwordMustChange: on
pwdMinLength: 8
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@odsee bin]#
dn: cn=sunil,ou=people,dc=ldaphome,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=DefaultPolicy,dc=ldaphome,dc=com
[root@odsee bin]#
[root@odsee bin]#
dn: cn=sunil,ou=people,dc=ldaphome,dc=com
pwdpolicysubentry: cn=DefaultPolicy,dc=ldaphome,dc=com
[root@odsee bin]#
dn: oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.11.1
[root@odsee bin]#
Reset the cn=sunil user password by directory manager and then try to
search the directory with cn=sunil user
dn: cn=sunil,ou=people,dc=ldaphome,dc=com
changetype: modify
replace: userpassword
userpassword: test123test
^C
# extended LDIF
# LDAPv3
# filter: (cn=sunil)
# requesting: pwdpolicysubentry
# search result
search: 2
# numResponses: 1
[root@odsee bin]#
The ldap server is giving warning that before connecting to the server by user
cn=sunil the password must be changed by the user
Change the password with only less than 8 characters, the server will give
warning
Now change the password having more than 8 characters, the password of
the user will changed
[root@odsee bin]#
==============================================
=======================================
pwd-supported-storage-scheme : CRYPT
pwd-supported-storage-scheme : SHA256
pwd-supported-storage-scheme : SHA512
pwd-supported-storage-scheme : SHA
pwd-supported-storage-scheme : SSHA
pwd-supported-storage-scheme : SSHA256
pwd-supported-storage-scheme : SSHA512
pwd-supported-storage-scheme : CLEAR
==============================================
======
As the main task of the odsee server is to store the username and password
centrally at one locations. All the applications and windows/linux connects to
the odsee server for the authentications
Here we configure the linux to fetch the username and password information
from the odsee server. The users are not present locally on the linux server,
they are stored cetrally on odsee ldap server
Add the entry to directory with proper attributes required for linux
authentication
Configure the Linux server to fetch the user information from ldap directory
Add user entry with proper attributes.There are posix attributes like
loginshell, uidNumber, gidNumber homedirectory, userPassword, which are
required by the linux os to login the user
dn: uid=ldapuser,ou=people,dc=ldaphome,dc=com
uidNumber: 1000
cn: ldapuser
sn: user
gidNumber: 1000
loginshell: /bin/bash
homeDirectory: /home/ldapuser
uid: ldapuser
userPassword: test123test
objectclass: inetorgperson
objectclass: posixAccount
^C
[root@odsee schema]#
Configure the linux server to get the username, password information from
ldap server
Run authconfig-tui on linux and select ldap to get user and password
information. Then give ldap server hostname, port and suffix information
from which the username, password information is fetched
Authconfig
Click on next
Authconfig
[root@station20 ~]#
[ldapuser@station20 ~]$
Create the group also in ldap then this error disapperas. In place of creating
the home directories manually, you can also use the pam module
pam_mkdir.so to create the home directories whenever a user first login to
the system
==============================================
=======================================
Note: For kerberos authentication two things are mandatory DNS name
resolution and Time should be same on all kerberos enabled hosts. For DNS
resolution you can also use /etc/hosts file for name resolution but this is only
for limited not of hosts
kadmin.local:
kadmin.local:
Configure /etc/krb5.conf on odsee.ldaphome.com server to connect to
kerberos server
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LDAPHOME.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
LDAPHOME.COM = {
kdc = kerberos.ldaphome.com
admin_server = kerberos.ldaphome.com
[domain_realm]
.ldaphome.com = LDAPHOME.COM
ldaphome.com = LDAPHOME.COM
:wq
[root@odsee ~]#
Login with kadmin command to kadmin interface of kerberos to get the ldap
keytab file. Save the ldap service principal in /ldap/dsee7/ldap.keytab file
kadmin:
WRFILE:/ldap/dsee7/ldap.keytab.
to keytab WRFILE:/ldap/dsee7/ldap.keytab.
WRFILE:/ldap/dsee7/ldap.keytab.
WRFILE:/ldap/dsee7/ldap.keytab.
WRFILE:/ldap/dsee7/ldap.keytab.
WRFILE:/ldap/dsee7/ldap.keytab.
kadmin:
Read the keytab file
ktutil: l
1 3 ldap/odsee.ldaphome.com@LDAPHOME.COM
2 3 ldap/odsee.ldaphome.com@LDAPHOME.COM
3 3 ldap/odsee.ldaphome.com@LDAPHOME.COM
4 3 ldap/odsee.ldaphome.com@LDAPHOME.COM
5 3 ldap/odsee.ldaphome.com@LDAPHOME.COM
6 3 ldap/odsee.ldaphome.com@LDAPHOME.COM
ktutil:
export KRB5_KTNAME=/ldap/dsee7/ldap.keytab
==============================================
===========================================