
Upload: mustafa-jarrar

Post on 11-May-2015


Page 1: E gov security_tut_session_6_lab

PalGov © 2011

أكاديمية الحكومة الإلكترونية الفلسطينية

The Palestinian eGovernment Academy

www.egovacademy.ps

Security Tutorial

Session 6

LAB

Page 2

About

This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps

Project Consortium:

University of Trento, Italy

University of Namur, Belgium

Vrije Universiteit Brussel, Belgium

TrueTrust, UK

Birzeit University, Palestine (Coordinator)

Palestine Polytechnic University, Palestine

Palestine Technical University, Palestine

Université de Savoie, France

Ministry of Local Government, Palestine

Ministry of Telecom and IT, Palestine

Ministry of Interior, Palestine

Coordinator:

Dr. Mustafa Jarrar

Birzeit University, P.O. Box 14, Birzeit, Palestine

Telfax: +972 2 2982935, [email protected]

Page 3

© Copyright Notes

Everyone is encouraged to use this material, or part of it, but should properly cite the project (logo and website), and the author of that part.

No part of this tutorial may be reproduced or modified in any form or by any means, without prior written permission from the project, who have the full copyrights on the material.

Attribution-NonCommercial-ShareAlike

CC-BY-NC-SA

This license lets others remix, tweak, and build upon your work non-commercially, as long as they credit you and license their new creations under the identical terms.

Page 4

Tutorial 5:

Information Security

Session 6: Authentication Lab

Session 6 Outline:

• Install Apache and use LDAP authentication and hashed password files (Windows with administrative rights).

• Install OpenLDAP

• Apache with LDAP authentication

Page 5

Tutorial 5:

Session 6: Authentication LAB

This session will contribute to the following ILOs:

• C: Professional and Practical Skills:

  • c4: Configure user authentication and authorization services using LDAP certificates.

• D: General and Transferable Skills:

  • d1: Communication and team work.

  • d2: Systems configurations.

  • d3: Analysis and identification skills.

Page 6

OpenLDAP Server

• In this lab, we will explain how to set up OpenLDAP and use it for authentication.

• We will use Ubuntu 11.10 to set up the OpenLDAP server, currently at version 2.4.

• With OpenLDAP, all information is stored in a tree structure, the Directory Information Tree (DIT).

• The tree is often determined by a Fully Qualified Domain Name (FQDN). If the domain name is example.com, the root node will be dc=example,dc=com.

• An entry in an LDAP directory consists of a set of attributes.

• An attribute has a type (a name/description) and one or more values.

Page 7

OpenLDAP Server

• Every attribute must be defined in at least one objectClass.

• Attributes and objectClasses are defined in schemas.

• Each entry has a unique identifier: its Distinguished Name (DN or dn). For example:

    dn: uid=galjabari,dc=example,dc=com
    uid: galjabari
    cn: Ghannam Aljabari
    givenName: Ghannam
    sn: Aljabari
    mail: [email protected]
    objectClass: inetOrgPerson

• The above entry is in LDIF format (LDAP Data Interchange Format).

Page 8

Installing OpenLDAP

• To install the OpenLDAP server and the LDAP management utilities, run the following command from the command line:

    sudo apt-get install slapd ldap-utils

• By default slapd is installed with only the minimal configuration options needed to run the slapd daemon; additional configuration is needed before the directory can be populated.

• OpenLDAP uses a separate directory which contains the cn=config Directory Information Tree (DIT). The cn=config DIT is used to dynamically configure the slapd daemon.

• During the install you will be prompted for the LDAP admin password.

e-Government Lifelong Learning

Page 9

Installing OpenLDAP

• To view the slapd-config DIT:

    sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

• To set up the initial configuration for the (dc=example,dc=com) database/DIT:

    sudo dpkg-reconfigure slapd

• You will be prompted to enter the domain name, organization name, and password for the rootDN. By default, this user's DN is cn=admin,dc=example,dc=com.

• To view the dc=example,dc=com DIT:

    ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn

Page 10

Populating LDAP

• Create a file frontend.ldif with the following contents (in LDIF, entries are separated by a blank line):

    dn: ou=users,dc=example,dc=com
    ou: users
    objectClass: organizationalUnit

    dn: uid=galjabari,ou=users,dc=example,dc=com
    objectClass: inetOrgPerson
    uid: galjabari
    sn: Aljabari
    givenName: Ghannam
    cn: Ghannam Aljabari
    mail: [email protected]
    userPassword: test

Page 11

Populating LDAP

• Add the entries to the LDAP directory:

    sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.ldif

• To check that the content has been correctly added, execute a search of the LDAP directory:

    ldapsearch -xLLL -b "dc=example,dc=com" uid=galjabari sn givenName cn

Page 12

LDAP Authentication in Apache

• An LDAP directory can be used to authenticate users for a website.

• Edit /etc/hosts and add the LDAP hostname:

    127.0.0.1 ldap.example.com

• To configure Apache for LDAP authentication, edit the default configuration file in /etc/apache2/sites-available as follows:

    <Directory /var/www/example.com/secret>
        AuthType Basic
        AuthName "Restricted Files"
        AuthLDAPURL "ldap://ldap.example.com/ou=users,dc=example,dc=com?uid?"
        AuthBasicProvider ldap
        Require valid-user
    </Directory>

Page 13

• Next, enable the LDAP authentication module in Apache:

    sudo a2enmod authnz_ldap

• With Apache now configured for LDAP authentication, restart the service to enable the new settings:

    sudo /etc/init.d/apache2 restart

• The last step is to check access to the directory: open a web browser and enter http://example.com/secret in the address bar. The browser should ask for a username and password before loading the page.
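As configured above, the browser sends the Basic credentials over plain HTTP and Apache binds to slapd over plain ldap://, so the password crosses the network in clear text twice; the slide's snippet as extracted also lacks the closing quotes on AuthName and AuthLDAPURL, which makes Apache refuse to start. The following added example (not part of the lab) is a small checker for exactly these points: it parses the lab's block (a constructed copy, quotes left unbalanced as on the slide) and a hardened variant that adds SSLRequireSSL and the STARTTLS connection-type argument of AuthLDAPURL, and reports finding codes for each.

```python
from typing import Dict, List

# The lab's <Directory> block as the slide shows it (constructed copy; the
# closing quotes the slide lost are left out so the checker has work to do).
LAB_CONFIG = """\
<Directory /var/www/example.com/secret>
    AuthType Basic
    AuthName "Restricted Files
    AuthLDAPURL "ldap://ldap.example.com/ou=users,dc=example,dc=com?uid?
    AuthBasicProvider ldap
    Require valid-user
</Directory>
"""

# The same block hardened (constructed): balanced quotes, STARTTLS to slapd so the
# bind and password are not sent in clear, and Basic credentials only over HTTPS.
HARDENED_CONFIG = """\
<Directory /var/www/example.com/secret>
    SSLRequireSSL
    AuthType Basic
    AuthName "Restricted Files"
    AuthLDAPURL "ldap://ldap.example.com/ou=users,dc=example,dc=com?uid?" STARTTLS
    AuthBasicProvider ldap
    Require valid-user
</Directory>
"""

def parse_directives(config: str) -> Dict[str, str]:
    """Map directive name -> argument string; container tags and comments are skipped."""
    directives: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("<", "#")):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives

def check_ldap_auth_block(config: str) -> List[str]:
    """Return finding codes for an Apache LDAP Basic-auth block."""
    d = parse_directives(config)
    findings = [f"UNBALANCED_QUOTE:{n}" for n, v in d.items() if v.count('"') % 2]
    url = d.get("AuthLDAPURL", "")
    last = url.rsplit(" ", 1)[-1].upper() if " " in url else ""
    if url.lstrip('"').startswith("ldap://") and last not in ("TLS", "STARTTLS", "SSL"):
        findings.append("LDAP_NO_TLS")  # credentials reach slapd in clear text
    if d.get("AuthType", "").lower() == "basic" and "SSLRequireSSL" not in d:
        findings.append("BASIC_NO_TLS")  # Basic auth only base64-encodes user:password
    return findings
```

check_ldap_auth_block(LAB_CONFIG) reports the two unbalanced quotes plus LDAP_NO_TLS and BASIC_NO_TLS, while the hardened block produces no findings.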

Page 14

Summary

• In this session we discussed the following:

  – introduced user authentication

  – LDAP LAB

Page 15

Thanks

Eng. Ghannam Aljabary