[Network Administration]: LDAP Directory Service – Frontend and Scripts

I’ve got my authentication service and directory set up and running. Now it needs to be populated. Besides user and group records, I’m going to use this directory for a couple of other services, such as automount maps and the information for a mail server (currently in a MySQL database), as well as more traditional directory information. I’ve made the directory deeper rather than wider, putting daemon information under its own organizational unit. There are also some Perl packages to manage the entries.

I’ve broken the top level into these groups:

  • users
  • groups
  • daemon
  • config

I’ve got organizationalUnits for the users and the groups, which are needed for managing logins and users. There is also an OU for information needed by daemons such as the automounter, and a separate OU for configuration information; this will be used later, particularly for OS X. Before it is populated, a top-level organizational LDIF looks like:

# Create top-level object in domain
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: EXAMPLE
dc: example
description: EXAMPLE LDAP

# Create top level organizational units

# Container for posix groups
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
description: Container for posix groups

# Container for posix users
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users
description: Container for posix users

# Container for daemon objects
dn: ou=daemon,dc=example,dc=com
objectClass: organizationalUnit
ou: daemon
description: Container for daemon processes

# Container for configuration objects
dn: ou=config,dc=example,dc=com
objectClass: organizationalUnit
ou: config
description: Container for configuration objects

Scripting
I can interact with the Kerberos database through Perl using the Authen::Krb5 and Authen::Krb5::Admin packages. The Authen::Krb5::Admin package allows interaction with the Kerberos Administration Server, but only for the MIT distribution. First a Kerberos context has to be initialized, and then the connection to the admin server:

  use Carp; use FindBin;
  use Authen::Krb5; use Authen::Krb5::Admin;

  # Initialise the Kerberos context and the error tables
  my $krb5Context = Authen::Krb5::init_context( );
  Authen::Krb5::init_ets( );

  # Connect as the admin principal; $adminPassword is assumed to be set already
  my $kadmin = Authen::Krb5::Admin->init_with_password(
                                                    "admin/admin",
                                                    $adminPassword,
                                                    )
    or confess "[$FindBin::Script] : ERROR : Cannot init connection to admin server ".Authen::Krb5::Admin::error;

Once the connection is established, all of the admin operations can be performed such as listing principals:

  # $self->{'kadmin'} holds the Authen::Krb5::Admin connection opened above
  my $admin = $self->{'kadmin'};
  my @princs = $admin->get_principals( );
  foreach my $n (@princs) { print "$n\n"; }

Or adding a principal if it doesn’t exist:

  # Inside a method of the class: $name is the new principal, $password its initial password
  my $admin = $self->{'kadmin'};
  my @princs = $self->get_principal(   # the class's own lookup around get_principals
                                    'name' => $name,
                                   );
  if (scalar(@princs)) {
    carp "[$FindBin::Script] : WARNING : principal $name already exists in the KRB5 database, skipping creation...";
    return 1;
  } else {
    print "[$FindBin::Script] : INFO : Creating user $name\n";
    my $princ = Authen::Krb5::parse_name($name) or
      confess "[$FindBin::Script] : ERROR : Could not create principal ; ".Authen::Krb5::error;
    my $adminPrinc = Authen::Krb5::Admin::Principal->new or
      confess "[$FindBin::Script] : ERROR : Could not create Admin principal ; ".Authen::Krb5::error;
    $adminPrinc->principal($princ) or
      confess "[$FindBin::Script] : ERROR : Could not set principal ; ".Authen::Krb5::error;
    $admin->create_principal($adminPrinc,$password)
      or confess "[$FindBin::Script] : ERROR : Failed to create user $name in Kerberos database";
  }

To manage the entries in my LDAP directory, I’ve been using the Net::LDAP Perl package. It provides useful functions for interacting with the directory itself and with LDIF files. Mainly, I use the package to read in LDIF files and compare them to the directory, and to modify entries in the directory. I bind to my directory (running on Linux) using the EXTERNAL SASL mechanism as the root user (we set up connecting over SASL and the root account in the previous post):

use Net::LDAP;
use Authen::SASL;
use Carp;
use FindBin;

print "Binding to local ldap connection\n";
# Open a connection over the local ldapi:// socket and bind to it with SASL EXTERNAL;
# the peer credentials of the socket (uid 0 / gid 0) identify the root user to slapd
my $msg;
my $ldap = Net::LDAP->new('ldapi://%2fsrv%2frun%2fldapi')
  or confess "[$FindBin::Script] : ERROR : Cannot create new LDAP instance: $! $@";
my $sasl;
$sasl = Authen::SASL->new(
                          'mechanism' => 'EXTERNAL',
                          );
$msg = $ldap->bind('gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth',
                   'sasl' => $sasl,
                   );
$msg->code && confess "[$FindBin::Script] : ERROR : Failed to bind : ",$msg->error;

The rest of using the package to interact with the directory and with LDIF entries is described pretty well in the package documentation.
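The LDIF-to-directory comparison mentioned above, as an added example that is not part of the original post: it binds the same way, reads an LDIF file with Net::LDAP::LDIF, adds any entry whose DN is absent, and reports attribute differences for entries that already exist. The socket path is the one used above; the LDIF file name is taken from the command line and is an assumption.

```perl
use strict;
use warnings;
use Carp;
use FindBin;
use Net::LDAP;
use Net::LDAP::LDIF;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_NO_SUCH_OBJECT);
use Authen::SASL;
# Assumed: the ldapi socket from above and an LDIF file given on the command line
my $file = $ARGV[0] or die "usage: $FindBin::Script <file.ldif>\n";
my $ldap = Net::LDAP->new('ldapi://%2fsrv%2frun%2fldapi')
  or confess "[$FindBin::Script] : ERROR : Cannot create LDAP instance: $@";
my $msg = $ldap->bind('gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth',
                      'sasl' => Authen::SASL->new('mechanism' => 'EXTERNAL'));
$msg->code && confess "[$FindBin::Script] : ERROR : Failed to bind : ", $msg->error;

# onerror => 'undef' makes read_entry() return undef on a malformed record instead of dying
my $ldif = Net::LDAP::LDIF->new($file, 'r', 'onerror' => 'undef')
  or confess "[$FindBin::Script] : ERROR : Cannot open $file";
while (not $ldif->eof()) {
  my $want = $ldif->read_entry();
  unless (defined $want) {
    carp "[$FindBin::Script] : WARNING : skipping malformed entry: ", $ldif->error;
    next;
  }
  my $dn = $want->dn;
  # A base-scope search on the exact DN shows whether it exists (LDAP_NO_SUCH_OBJECT if not)
  my $res = $ldap->search('base' => $dn, 'scope' => 'base', 'filter' => '(objectClass=*)');
  if ($res->code == LDAP_NO_SUCH_OBJECT) {
    print "[$FindBin::Script] : INFO : adding $dn\n";
    my $add = $ldap->add($want);   # add() takes a Net::LDAP::Entry directly
    $add->code && carp "[$FindBin::Script] : WARNING : add $dn failed: ", $add->error;
    next;
  }
  if ($res->code != LDAP_SUCCESS) {
    carp "[$FindBin::Script] : WARNING : search $dn failed: ", $res->error;
    next;
  }
  # The entry exists: report attributes whose values differ (exact string compare), change nothing
  my $have = $res->entry(0);
  for my $attr ($want->attributes) {
    my $w = join "\0", sort { $a cmp $b } $want->get_value($attr);
    my $h = join "\0", sort { $a cmp $b } $have->get_value($attr);
    print "[$FindBin::Script] : INFO : $dn differs in $attr\n" if $w ne $h;
  }
}
$ldif->done();
$ldap->unbind;
```

Differences are only reported, not applied, so the script can be run first against the LDIF above to see what a later modify pass would touch.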
