PalGov © 2011
The Palestinian eGovernment Academy
www.egovacademy.ps
Security Tutorial
Session 6
LAB
About
This tutorial is part of the PalGov project, funded by the TEMPUS IV program of the Commission of the European Communities, grant agreement 511159-TEMPUS-1-2010-1-PS-TEMPUS-JPHES. The project website: www.egovacademy.ps
Project Consortium:
University of Trento, Italy
University of Namur, Belgium
Vrije Universiteit Brussel, Belgium
TrueTrust, UK
Birzeit University, Palestine (Coordinator)
Palestine Polytechnic University, Palestine
Palestine Technical University, Palestine
Université de Savoie, France
Ministry of Local Government, Palestine
Ministry of Telecom and IT, Palestine
Ministry of Interior, Palestine
Coordinator:
Dr. Mustafa Jarrar
Birzeit University, P.O.Box 14- Birzeit, Palestine
Telfax: +972 2 2982935 [email protected]
© Copyright Notes
Everyone is encouraged to use this material, or part of it, but should properly
cite the project (logo and website), and the author of that part.
No part of this tutorial may be reproduced or modified in any form or by any
means without prior written permission from the project, which holds the full
copyright on the material.
Attribution-NonCommercial-ShareAlike
CC-BY-NC-SA
This license lets others remix, tweak, and build upon your work non-
commercially, as long as they credit you and license their new creations
under the identical terms.
Tutorial 5:
Information Security
Session 6: Authentication Lab
Session 6 Outline:
• Install Apache and use LDAP authentication and hashed password files (a host with administrative rights is required; this lab uses Ubuntu).
• Install OpenLDAP.
• Apache with LDAP authentication.
Tutorial 5:
Session 6: Authentication LAB
This session will contribute to the following ILOs:
• C: Professional and Practical Skills:
  • c4: Configure user authentication and authorization services using LDAP certificates.
• D: General and Transferable Skills:
  • d1: Communication and team work.
  • d2: Systems configurations.
  • d3: Analysis and identification skills.
OpenLDAP Server
• In this lab, we explain how to set up OpenLDAP and use it for authentication.
• We use Ubuntu 11.10 to set up the OpenLDAP server; the packaged OpenLDAP is version 2.4.
• In OpenLDAP, all information is stored in a tree structure, the Directory Information Tree (DIT).
• The root of the tree is usually derived from a Fully Qualified Domain Name (FQDN). If the domain name is example.com, the root entry is dc=example,dc=com.
• An entry in the LDAP directory consists of a set of attributes.
• An attribute has a type (a name/description) and one or more values.
OpenLDAP Server
• Every attribute an entry carries must be allowed (as a MUST or MAY attribute) by at least one of the entry's objectClasses.
• Attributes and objectClasses are defined in schemas.
• Each entry has a unique identifier, its Distinguished Name (DN or dn). For example:
dn: uid=galjabari,dc=example,dc=com
uid: galjabari
cn: Ghannam Aljabari
givenName: Ghannam
sn: Aljabari
mail: [email protected]
objectClass: inetOrgPerson
• The above entry is in LDIF format (LDAP Data Interchange Format).
Installing OpenLDAP
• To install the OpenLDAP server and the LDAP management utilities, run the following from the command line:
sudo apt-get install slapd ldap-utils
• By default slapd is installed with only the minimal configuration needed to run the daemon; additional configuration is required before the directory can be populated.
• slapd keeps its own configuration in a separate DIT, cn=config. The cn=config DIT (slapd-config) is used to configure the running slapd daemon dynamically, in place of a static slapd.conf file.
• During the install you will be prompted for the LDAP admin password.
e-Government Lifelong Learning
Installing OpenLDAP
• To view the slapd-config DIT (the local root user is granted access to cn=config over the ldapi:/// socket with SASL EXTERNAL authentication):
sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
• To set up the initial configuration for the dc=example,dc=com database/DIT:
sudo dpkg-reconfigure slapd
• You will be prompted for the domain name, the organization name, and the password for the rootDN. By default this user's DN is cn=admin,dc=example,dc=com.
• To view the dc=example,dc=com DIT:
ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
Populating LDAP
• Create a file frontend.ldif with the following contents (LDIF separates entries with a blank line):
dn: ou=users,dc=example,dc=com
ou: users
objectClass: organizationalUnit

dn: uid=galjabari,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: galjabari
sn: Aljabari
givenName: Ghannam
cn: Ghannam Aljabari
mail: [email protected]
userPassword: test
• The userPassword value is given in clear text here for the lab only. In practice, generate a hashed value with slappasswd (for example slappasswd -h {SSHA}) and paste that value in place of the clear-text password, so the directory never stores the password itself.
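As an added example (not part of the original tutorial), the following Python script reproduces the salted-SHA1 {SSHA} scheme that slappasswd emits, so the frontend.ldif entry above can carry a hashed userPassword instead of the clear-text value. It assumes the lab's user and base DN, a 4-byte random salt as slappasswd uses by default, and constant-time comparison on verification; the SAMPLE_USER data is constructed from the LDIF on this page.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample input: the user the lab adds in frontend.ldif.
SAMPLE_USER: Dict[str, str] = {
    "uid": "galjabari",
    "sn": "Aljabari",
    "givenName": "Ghannam",
    "cn": "Ghannam Aljabari",
}
BASE_DN = "ou=users,dc=example,dc=com"
SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; everything after it is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} userPassword value: "{SSHA}" + base64(sha1(password||salt) || salt).

    This is the salted SHA-1 scheme that `slappasswd -h {SSHA}` emits. The salt is
    stored in clear after the digest so slapd can recompute the digest at bind time.
    """
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value, as slapd does on simple bind."""
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)  # constant-time comparison


def user_ldif(user: Dict[str, str], password: str, base_dn: str = BASE_DN) -> str:
    """Render the lab's inetOrgPerson entry, but with a hashed userPassword."""
    lines = [
        f"dn: uid={user['uid']},{base_dn}",
        "objectClass: inetOrgPerson",
        f"uid: {user['uid']}",
        f"sn: {user['sn']}",
        f"givenName: {user['givenName']}",
        f"cn: {user['cn']}",
        f"userPassword: {ssha_hash(password)}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Emit an entry suitable for ldapadd; the hashed value is printable ASCII,
    # so it does not need LDIF's base64 ("::") form.
    print(user_ldif(SAMPLE_USER, "test"), end="")
```

Once such an entry is loaded, a plain ldapsearch -x will not return userPassword at all: the default Debian/Ubuntu access rules let only the entry itself write it and let anonymous clients use it only for authentication, which is the behaviour you want to see before opening the directory to Apache.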
Populating LDAP
• Add the entries to the LDAP directory (-W prompts for the admin password set earlier):
sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.ldif
• To check that the content has been added correctly, search the LDAP directory:
ldapsearch -x -LLL -b "dc=example,dc=com" uid=galjabari sn givenName cn
LDAP Authentication in Apache
• An LDAP directory can be used to authenticate users for a website.
• Edit /etc/hosts and add the LDAP hostname, so that the name used in the Apache configuration resolves to the local slapd:
127.0.0.1 ldap.example.com
• To configure Apache for LDAP authentication, edit the default site configuration file in /etc/apache2/sites-available and add the following:
<Directory /var/www/example.com/secret>
    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=users,dc=example,dc=com?uid?"
    Require valid-user
</Directory>
• The URL names the search base (ou=users,dc=example,dc=com) and the attribute that holds the login name (uid); Apache searches for the user's DN and then binds to the directory with the supplied password. Note that Basic authentication over plain http:// and a plain ldap:// connection both carry the password in clear text; outside the lab, serve the site over HTTPS and use ldaps:// or StartTLS (the TLS option of AuthLDAPURL) towards the directory.
• Next, enable the LDAP modules in Apache:
sudo a2enmod ldap authnz_ldap
• With Apache now configured for LDAP authentication,
restart the service to enable the new settings:
• sudo /etc/init.d/apache2 restart
• The last step is to check access to the directory: open a web browser and enter http://example.com/secret in the address bar. The browser should ask for a username and password before loading the page.
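To make the AuthLDAPURL line above concrete, here is an added example (written for this page, not code from the tutorial or from Apache) that parses the URL into the parts Apache uses and builds the search filter Apache issues to find a user's DN. Defaults follow the mod_authnz_ldap documentation (attribute uid, scope sub, filter (objectClass=*)); the filter-building is a simplified model of Apache's behaviour and the sample URLs are constructed. The escape=False switch shows why the username must be escaped per RFC 4515 before it goes into a filter: without it, a crafted login name rewrites the query (LDAP filter injection), which matters for anyone writing their own LDAP authenticator instead of using the Apache module.

```python
from typing import Dict
from urllib.parse import unquote, urlsplit

# RFC 4515: these characters must be escaped inside a filter assertion value.
# mod_authnz_ldap applies this escaping to the username before searching.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> Dict[str, object]:
    """Split an AuthLDAPURL, ldap://host[:port]/basedn?attribute?scope?filter, into parts.

    Defaults follow the mod_authnz_ldap documentation: attribute uid, scope sub
    (base is not supported by the module and is treated as sub), filter (objectClass=*).
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))  # pad missing ?attribute?scope?filter parts
    attribute, scope, search_filter = fields[:3]
    if scope not in ("", "base", "one", "sub"):
        raise ValueError(f"bad scope: {scope!r}")
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "basedn": unquote(parts.path.lstrip("/")),  # basedn may be %-encoded
        "attribute": attribute or "uid",
        "scope": "sub" if scope in ("", "base") else scope,
        "filter": search_filter or "(objectClass=*)",
    }


def user_search_filter(cfg: Dict[str, object], username: str, escape: bool = True) -> str:
    """Build the filter used to find the DN of the user who supplied `username`.

    escape=False shows what happens without RFC 4515 escaping: a crafted
    username such as "*)(uid=*" turns a one-user lookup into a match-all.
    """
    value = escape_filter_value(username) if escape else username
    return f"(&{cfg['filter']}({cfg['attribute']}={value}))"


if __name__ == "__main__":
    lab_cfg = parse_auth_ldap_url("ldap://ldap.example.com/ou=users,dc=example,dc=com?uid?")
    print(lab_cfg)
    print(user_search_filter(lab_cfg, "galjabari"))
    print(user_search_filter(lab_cfg, "*)(uid=*"))               # escaped: harmless
    print(user_search_filter(lab_cfg, "*)(uid=*", escape=False))  # injected: matches everyone
```

The found DN is then used for a simple bind with the password the browser sent; a filter that matches more than one entry makes that step ambiguous, which is why both the module and any hand-written replacement must escape the login name.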
Summary
• In this session we discussed the
following:
– introduced user authentication
– LDAP LAB
Thanks
Eng. Ghannam Aljabary