

LDAP Configuration

——— Server side ———:

Install the required packages using yum:

openldap*, nfs*, portmap*

Generate the LDAP admin password hash:

# slappasswd -s [password] -h {MD5}

{MD5}*****************

Copy the resulting hash. The hash type can be changed to {SHA}, {SSHA} or {SMD5} (the curly braces are required). {SSHA} and {SMD5} are salted and should be preferred over the unsalted {MD5} and {SHA}.
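The following is an added example (not from the original post) that builds and verifies userPassword values in the four formats slappasswd -h can emit, so you can see what the {MD5}... string above actually contains and why the salted schemes are preferred. The 4-byte salt length mirrors slappasswd but is an assumption; verification works for any salt length because the salt is recovered from the stored value.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not part of the original post: builds and verifies userPassword
# values in the {MD5}, {SHA}, {SMD5} and {SSHA} formats that slappasswd -h emits.
# For the salted schemes the base64 payload is digest(password + salt) followed
# by the salt itself, which is how a verifier recovers the salt.

SALT_LEN = 4  # slappasswd uses a 4-byte random salt (assumption; any length verifies)

_ALGO = {"MD5": "md5", "SMD5": "md5", "SHA": "sha1", "SSHA": "sha1"}
_DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}


def make_hash(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Return a '{SCHEME}base64' string as stored in the userPassword attribute."""
    scheme = scheme.strip("{}").upper()
    if scheme not in _ALGO:
        raise ValueError("unsupported scheme: " + scheme)
    pw = password.encode("utf-8")
    if scheme in ("SMD5", "SSHA"):
        salt = os.urandom(SALT_LEN) if salt is None else salt
        payload = hashlib.new(_ALGO[scheme], pw + salt).digest() + salt
    else:
        payload = hashlib.new(_ALGO[scheme], pw).digest()  # unsalted: same input, same hash
    return "{%s}%s" % (scheme, base64.b64encode(payload).decode("ascii"))


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored hash using a constant-time digest comparison."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in _ALGO:
        return False
    try:
        payload = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    dlen = _DIGEST_LEN[scheme]
    digest, salt = payload[:dlen], payload[dlen:]
    if scheme in ("MD5", "SHA") and salt:
        return False  # trailing bytes are not valid for an unsalted scheme
    expected = hashlib.new(_ALGO[scheme], password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def is_salted(stored: str) -> bool:
    """True for {SMD5}/{SSHA}: equal passwords give different hashes, defeating precomputed tables."""
    return stored.upper().startswith(("{SMD5}", "{SSHA}"))


if __name__ == "__main__":
    for scheme in ("MD5", "SHA", "SMD5", "SSHA"):
        h = make_hash("secret", scheme)
        print(scheme, h, verify("secret", h), verify("wrong", h))
```

Run it twice and compare: the {MD5} and {SHA} lines are identical between runs, the {SMD5} and {SSHA} lines differ, which is exactly the property that makes a leaked slapd.conf or directory dump harder to attack offline.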

Edit slapd.conf:

# vi /etc/openldap/slapd.conf

At about line 87:

suffix      "dc=abc,dc=com"

At about line 88:

rootdn      "cn=Manager,dc=abc,dc=com"

At about line 94:

rootpw      {MD5}****************

Add the following lines at the bottom (the "by" continuation lines must be indented, otherwise slapd reads them as separate directives):

access to attrs=userPassword
        by self write
        by dn="cn=Manager,dc=abc,dc=com" write
        by anonymous auth
        by * none

access to *
        by self write
        by dn="cn=Manager,dc=abc,dc=com" write
        by * read

The first rule lets a user change only their own password, lets anonymous clients use the attribute solely to authenticate (auth), and hides the hash from everyone else; the second lets any client, anonymous included, read the rest of the directory.

Save and exit.

# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

# service ldap start

# chkconfig ldap on

Adding the initial directory structure with base.ldif:

# cd /usr/share/openldap/migration

# vi migrate_common.ph

At about line 71:

$DEFAULT_MAIL_DOMAIN = "abc.com";

At about line 74:

$DEFAULT_BASE = "dc=abc,dc=com";

Save and exit.

# ./migrate_base.pl > base.ldif

# vi base.ldif (edit the entries to match your environment)

dn: dc=abc,dc=com
dc: abc
objectClass: top
objectClass: domain

dn: ou=Hosts,dc=abc,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit

dn: ou=Services,dc=abc,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit

dn: ou=Networks,dc=abc,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit

dn: ou=People,dc=abc,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=abc,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# ldapadd -x -W -D "cn=Manager,dc=abc,dc=com" -f base.ldif

Enter LDAP Password: [provide ldap admin password]

Adding existing local users and groups to the LDAP server:

# grep "x:[5-9][0-9][0-9]" /etc/passwd > passwd

# grep "x:[5-9][0-9][0-9]" /etc/group > group

This pattern selects entries whose UID or GID starts with three digits in the range 500-999 (so it also matches 5000-9999); adjust it to the ID ranges your ordinary users actually use.

# ./migrate_passwd.pl passwd > passwd.ldif

# ./migrate_group.pl group > group.ldif

Now add the users and groups to the LDAP server:

# ldapadd -x -W -D "cn=Manager,dc=abc,dc=com" -f passwd.ldif

# ldapadd -x -W -D "cn=Manager,dc=abc,dc=com" -f group.ldif
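As an added example (not the migration tools' own code), the script below re-implements the passwd and group conversion that migrate_passwd.pl and migrate_group.pl perform, but with a numeric UID/GID range check instead of the grep pattern, so that an account such as uid 5000 is not swept in by accident. The passwd and group records are constructed samples, and the entries use the same ou=People and ou=Group containers as base.ldif above; userPassword is left out because this example does not read /etc/shadow.

```python
import re

# Added example, not part of the original post: a small re-implementation of what
# migrate_passwd.pl / migrate_group.pl do, with a numeric UID/GID range check in
# place of the grep pattern. Sample records below are constructed, not real accounts.

BASE = "dc=abc,dc=com"  # matches $DEFAULT_BASE in migrate_common.ph

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice Example:/home/alice:/bin/bash
bob:x:501:501:Bob Example:/home/bob:/bin/bash
svc:x:5000:5000:Service Account:/var/lib/svc:/sbin/nologin
"""

SAMPLE_GROUP = """root:x:0:
alice:x:500:
bob:x:501:
developers:x:600:alice,bob
"""

GREP_PATTERN = r"x:[5-9][0-9][0-9]"  # the pattern used in the post


def grep_matches(text, pattern=GREP_PATTERN):
    """Lines the post's grep would keep; note that it also keeps uid 5000 above."""
    return [ln for ln in text.splitlines() if re.search(pattern, ln)]


def select_range(text, lo=500, hi=999):
    """Records (split into fields) whose numeric id (third field) lies in [lo, hi]."""
    picked = []
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        fields = ln.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue
        if lo <= int(fields[2]) <= hi:
            picked.append(fields)
    return picked


def passwd_to_ldif(fields):
    """One posixAccount entry under ou=People. userPassword is omitted: the
    migration script copies the {crypt} hash from /etc/shadow, which this
    example does not read."""
    name, _, uid, gid, gecos, home, shell = fields[:7]
    cn = gecos.split(",")[0] or name
    lines = [
        f"dn: uid={name},ou=People,{BASE}",
        f"uid: {name}",
        f"cn: {cn}",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        f"loginShell: {shell}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home}",
    ]
    if gecos:
        lines.append(f"gecos: {gecos}")
    return "\n".join(lines) + "\n"


def group_to_ldif(fields):
    """One posixGroup entry under ou=Group, with a memberUid per listed member."""
    name, _, gid, members = fields[:4]
    lines = [
        f"dn: cn={name},ou=Group,{BASE}",
        f"cn: {name}",
        "objectClass: posixGroup",
        "objectClass: top",
        f"gidNumber: {gid}",
    ]
    lines += [f"memberUid: {m}" for m in members.split(",") if m]
    return "\n".join(lines) + "\n"


def migrate(passwd_text, group_text, lo=500, hi=999):
    """Return (passwd.ldif, group.ldif) contents; LDIF entries are separated by blank lines."""
    users = "\n".join(passwd_to_ldif(f) for f in select_range(passwd_text, lo, hi))
    groups = "\n".join(group_to_ldif(f) for f in select_range(group_text, lo, hi))
    return users, groups


if __name__ == "__main__":
    users_ldif, groups_ldif = migrate(SAMPLE_PASSWD, SAMPLE_GROUP)
    print(users_ldif)
    print(groups_ldif)
```

Compare grep_matches() with select_range() on the sample: the grep keeps three passwd lines (including svc, uid 5000), the range check keeps two. Feed the generated files to ldapadd exactly as in the post.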

Sharing the home directories via NFS:

# vi /etc/exports

/home *(rw,sync)

Keep the options attached to the host field. With a space in between ("/home * (rw,sync)"), exportfs warns and treats "(rw,sync)" as a separate entry with no host, which applies to every host; the export ends up world-writable by accident rather than by decision. Prefer the address of your client network over "*" in the host field.

Save and exit.

# service nfs start

# service portmap start

# chkconfig nfs on

# chkconfig portmap on

Export the NFS share:

# exportfs -av
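The following added example (not from the original post) parses an /etc/exports file the way exportfs reads it and reports the settings a reviewer would question: options detached from their host, read-write exports to every host, and no_root_squash. The sample file is constructed; its first line reproduces the "* (rw,sync)" spacing mistake.

```python
import re

# Added example, not part of the original post: parses /etc/exports the way
# exportfs reads it and flags the settings a reviewer would question. The sample
# file is constructed; the first line reproduces the "* (rw,sync)" mistake.

SAMPLE_EXPORTS = """# constructed sample
/home * (rw,sync)
/home2 *(rw,sync)
/srv/data 192.168.7.0/24(rw,sync)
/srv/backup backup1.abc.com(rw,no_root_squash)
/srv/pub *(ro,sync)
"""

# host part (anything but whitespace or "("), then an optional "(opt,opt)" group
_CLIENT_RE = re.compile(r"^([^(\s]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [(path, [(host, [options], detached)])]. A client token with no host
    in front of the parentheses ("(rw,sync)") applies to every host, which is how
    exportfs interprets the space in "* (rw,sync)"."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        path, clients = tokens[0], tokens[1:]
        entries = []
        for tok in clients:
            m = _CLIENT_RE.match(tok)
            if not m:
                continue
            host, opts = m.group(1), m.group(2)
            detached = host == ""
            entries.append(("*" if detached else host,
                            opts.split(",") if opts else [],
                            detached))
        exports.append((path, entries))
    return exports


def audit(text):
    """Findings a defender cares about: options detached from their host,
    read-write exports to every host, and no_root_squash (remote root is root here)."""
    findings = []
    for path, entries in parse_exports(text):
        for host, opts, detached in entries:
            if detached:
                findings.append(f"{path}: options {','.join(opts)} have no host and apply to all hosts")
            if host == "*" and "rw" in opts:
                findings.append(f"{path}: read-write for every host")
            if "no_root_squash" in opts:
                findings.append(f"{path}: no_root_squash for {host}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(finding)
```

The sample yields four findings: two for the /home line (the detached option group and the resulting world-writable export), one for /home2, and one for the no_root_squash on /srv/backup; the read-only /srv/pub export and the subnet-restricted /srv/data export are silent.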

——— Client side (Linux) ———:

Mount the server's home directory on the client:

# mount [IP of server]:/home /home

To make the mount permanent, add it to fstab:

# vi /etc/fstab

[IP of server]:/home    /home    nfs    defaults    0 0

Install openldap-clients*

# system-config-authentication

Under "User Information", enable LDAP support and specify the LDAP suffix (dc=abc,dc=com) and the server's IP address.

Then, under "Authentication", enable LDAP support and provide the same suffix and server IP address.

Note that a simple bind over plain ldap:// (port 389) sends each user's password to the server in clear text; enable TLS on the server and in this dialog before using the setup on a real network.

——— Client side (Windows) ———:

Download pGina and the ldapauth plugin for pGina.

Install pGina and copy the ldapauth plugin into its plugins folder.

Start the pGina configuration tool, and under the plugin section provide the path to ldapauth_plus.dll and click Configure.

Use Map Mode

LDAP Server: [IP of LDAP Server]

Port: 389

Admin User: "cn=Manager,dc=abc,dc=com"

Admin Password: [ldap admin password]

PrePend: uid=

Append: ou=People,dc=abc,dc=com

The plugin stores these admin credentials on every Windows client, so use a dedicated bind account with read-only access for this rather than the directory's rootdn.

Squid configuration

# vi /etc/squid/squid.conf

Look for the ACCESS_CONTROL section.

Look for the lines at about line 635 (the line number may differ), which look like this:

http_access allow localhost

http_access deny all

Define your own rules between these two lines.

To allow or deny a particular IP range, define an acl and use one of the two http_access lines:

acl xyz src 192.168.7.0/24 192.168.6.0/24

http_access allow xyz

http_access deny xyz

To deny access to URLs containing particular words:

acl blockurl url_regex -i [word1] [word2] [word3] [….]

http_access deny blockurl

# service squid start (the named service must be running; squid needs working DNS resolution to start)

To block files by extension using a squid content-filtering acl, add the following line to your squid ACL section:

acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"

To display a custom error message when a file is blocked:

# Deny all blocked extensions
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles

Create the custom error page, an HTML file called ERR_BLOCKED_FILES, in the /etc/squid/error/ directory or the /usr/share/squid/errors/English directory.

# vi ERR_BLOCKED_FILES

<HTML>
<HEAD>
<TITLE>ERROR: Blocked file content</TITLE>
</HEAD>
<BODY>
<H1>File is blocked due to new IT policy</H1>
<p>Please contact the help desk for more information:</p>
Phone: 123456789 (ext 44)

Email: helpdesk@yourcorp.com

:wq

Note: do not include the closing </BODY> and </HTML> tags; squid appends them itself.

Now create the /etc/squid/blocks.files.acl file:

# vi /etc/squid/blocks.files.acl

\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$

:wq

# service squid reload
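Before reloading on a production proxy it is worth checking what the pattern file actually matches. The added example below (not from the original post) loads the blocks.files.acl patterns and evaluates them against constructed request paths the way urlpath_regex does: an unanchored search over the URL path, query string included. It also shows a tighter single pattern that still matches when a query string follows the file name and relies on squid's -i option for case-insensitivity; both the path list and the tighter pattern are this example's own.

```python
import re

# Added example, not part of the original post: loads the blocks.files.acl patterns
# and shows which request paths they match. The pattern list repeats the file from
# the post; the URL paths and TIGHTER_PATTERN are constructed for this example.

BLOCKS_FILES_ACL = r"""
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
"""

# Same extensions, but tolerant of a query string after the file name, written as
# one case-insensitive expression (squid accepts -i on urlpath_regex).
TIGHTER_PATTERN = r"\.(exe|avi|mpg|mpeg|mp3)(\?.*)?$"


def load_patterns(text, ignore_case=False):
    """Compile one regex per non-empty, non-comment line, as squid reads the file."""
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(ln.strip(), flags)
            for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def is_blocked(urlpath, patterns):
    """urlpath_regex is unanchored: a match anywhere in the path (query included) blocks."""
    return any(p.search(urlpath) for p in patterns)


def evaluate(urlpaths, patterns):
    """Map each request path to whether the acl would match it."""
    return {u: is_blocked(u, patterns) for u in urlpaths}


SAMPLE_PATHS = [
    "/downloads/setup.exe",
    "/downloads/SETUP.EXE",
    "/media/clip.avi",
    "/index.html",
    "/downloads/setup.exe?mirror=2",   # a query string follows the extension
    "/files/exe",                      # no dot before "exe"
]

if __name__ == "__main__":
    original = load_patterns(BLOCKS_FILES_ACL)
    tighter = load_patterns(TIGHTER_PATTERN, ignore_case=True)
    for path in SAMPLE_PATHS:
        print(f"{path:32} original={is_blocked(path, original)!s:5} "
              f"tighter={is_blocked(path, tighter)}")
```

The run shows the one gap in the original file: because every line ends in $, a request whose path carries a query string after the extension is not matched, while the tighter pattern covers it. Whichever list you settle on, keep a test like this next to the acl file and rerun it after each edit.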

To limit the number of simultaneous web connections from a client, append the following in the ACCESS CONTROL section:

acl department src 192.168.4.0/24

acl limitusercon maxconn 3 (matches when a client already has more than 3 open connections, so each client gets at most 3)

http_access deny department limitusercon

# service squid reload


——— Squid - LDAP Authentication ———:

Configure the LDAP server.

Test whether squid can contact the LDAP server by running the helper by hand:

# /usr/lib/squid/squid_ldap_auth -b "dc=abc,dc=com" -f "uid=%s" -h [IP of LDAP server]

Type the username, a single space, and the password, then press Enter.

The helper prints OK when it finds the user under the base DN and the password binds successfully, otherwise ERR.
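To make the exchange above concrete, here is an added example (not squid_ldap_auth's own code) that models the two things the helper does for every line squid hands it: it builds the LDAP search filter from the -f template with RFC 4515 escaping, so a username can never change the filter's structure, and it answers OK or ERR on the helper protocol. The credential store is a constructed stand-in for the directory, not an LDAP client; the URL-decoding of the username and password is assumed to match what squid sends to basic helpers.

```python
import hmac
import sys
from urllib.parse import unquote

# Added example, not part of the original post: models what squid_ldap_auth does
# for each line squid hands it, namely building the LDAP search filter from the
# -f template and answering OK/ERR. The credential store is a constructed
# stand-in for the directory, not an LDAP client.

FILTER_TEMPLATE = "uid=%s"   # the -f argument from the post
CREDENTIALS = {"alice": "correct horse", "bob": "hunter2"}  # constructed sample users


def escape_filter_value(value):
    """RFC 4515 escaping: *, (, ), backslash and NUL become \\xx so a username can
    only ever be a value inside the filter, never alter its structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(username, template=FILTER_TEMPLATE):
    """The search filter the helper would send for this username."""
    return template.replace("%s", escape_filter_value(username))


def helper_reply(line, credentials=CREDENTIALS):
    """One basic-auth helper round: 'user password' in (URL-encoded, assumed to be
    how squid sends it), 'OK' or 'ERR' out. Unknown users and wrong passwords
    both yield ERR, so squid cannot tell them apart."""
    line = line.rstrip("\r\n")
    if " " not in line:
        return "ERR"
    user, password = (unquote(part) for part in line.split(" ", 1))
    expected = credentials.get(user)
    if expected is None:
        return "ERR"
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return "ERR"
    return "OK"


if __name__ == "__main__":
    # Same loop as the real helper: read a line, print the verdict, flush, repeat.
    for request_line in sys.stdin:
        sys.stdout.write(helper_reply(request_line) + "\n")
        sys.stdout.flush()
```

Run it and type "alice correct%20horse" to see OK, then any other combination to see ERR; build_filter("a*b(c)") shows the escaped filter "uid=a\2ab\28c\29" that keeps user-supplied text from turning into filter syntax.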

If it prints OK, edit squid.conf:

# vi /etc/squid/squid.conf

At about line 273 edit the following:

auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=abc,dc=com" -f "uid=%s" -h [IP of LDAP server]

Apply the ACL:

At about line 635, you will find:

http_access allow localhost

http_access deny all

Above these two lines add the following:

acl [acl name] proxy_auth REQUIRED

http_access allow [acl name]

Save and exit.

# service squid start