1. Overview
This document describes a basic configuration of the cnMaestro Authentication Server Type "LDAP", using an OpenLDAP server installed on Ubuntu.
2. Introduction
LDAP, or Lightweight Directory Access Protocol, is a protocol for reading and maintaining directory information that is kept in a centralized, hierarchical tree of entries.
It resembles a database in some respects and can store any kind of structured information, but it is optimized for lookups rather than frequent updates. LDAP is commonly used for centralized authentication and authorization.
3. Installation
Server Requirements:
Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)
Assume that our LDAP server will be hosted on a machine with the FQDN of myldap.test.com
Step-1: sudo hostnamectl set-hostname myldap
Step-2: sudo nano /etc/hosts and make sure it contains the following two entries
127.0.0.1 localhost
127.0.1.1 myldap.test.com myldap
Note: localhost maps to 127.0.0.1, not 127.0.1.1, and the FQDN must come before the short name so that hostname -f returns myldap.test.com, which is the name the TLS certificate below is issued for.
Step-3: sudo apt-get update
Step-4: sudo apt-get install slapd ldap-utils
The package installation only prompts for the administrator password. To set the domain and the remaining options, run
sudo dpkg-reconfigure slapd
and answer the configuration questions as follows:
- Omit OpenLDAP server configuration? No
- DNS domain name? test.com
- Organization name? MYCOMPANY
- Administrator password? Use the password you entered during installation, or choose a new one
- Database backend to use? HDB (MDB is the default and the recommended backend on this release; either works for this guide)
- Remove the database when slapd is purged? No
- Move old database? Yes
- Allow LDAPv2 protocol? No
Step-5:
sudo apt-get install phpldapadmin
Step-6: sudo nano /etc/phpldapadmin/config.php
Search for the following sections and modify them accordingly
- $servers->setValue('server','host','domain_name_or_IP_address');
- $servers->setValue('server','base',array('dc=test,dc=com'));
- $servers->setValue('login','bind_id','cn=admin,dc=test,dc=com');
Save and close the file
Step-7: sudo apt-get install gnutls-bin ssl-cert
Step-8: Create the CA Template
sudo mkdir /etc/ssl/templates
sudo nano /etc/ssl/templates/ca_server.conf
cn = LDAP Server CA
ca
cert_signing_key
expiration_days = 3652
Note: without expiration_days, certtool issues the CA certificate for only 365 days, so it would expire long before the 3652-day service certificate it signs and every client would start failing verification after a year.
Step-9: Create the LDAP Service Template
sudo nano /etc/ssl/templates/ldap_server.conf
organization = "MyCOMPANY"
cn = myldap.test.com
tls_www_server
encryption_key
signing_key
expiration_days = 3652
Step-10: Create CA Key and Certificate
- sudo certtool -p --outfile /etc/ssl/private/ca_server.key
- sudo certtool -s --load-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ca_server.conf --outfile /etc/ssl/certs/ca_server.pem
Step-11: Create Service Key and Certificate
- sudo certtool -p --sec-param high --outfile /etc/ssl/private/ldap_server.key
- sudo certtool -c --load-privkey /etc/ssl/private/ldap_server.key --load-ca-certificate /etc/ssl/certs/ca_server.pem --load-ca-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ldap_server.conf --outfile /etc/ssl/certs/ldap_server.pem
Step-12: sudo usermod -aG ssl-cert openldap
Step-13: sudo chown :ssl-cert /etc/ssl/private/ldap_server.key
Step-14: sudo chmod 640 /etc/ssl/private/ldap_server.key
Step-15: Configure slapd to use the CA and the service key and certificate. Create the following LDIF file:
nano addcerts.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca_server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_server.key
Step-16: sudo ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif
Step-17: sudo service slapd force-reload
Step-18: sudo cp /etc/ssl/certs/ca_server.pem /etc/ldap/ca_certs.pem (makes the CA certificate available to the LDAP client tools)
Step-19: sudo nano /etc/ldap/ldap.conf
. . .
TLS_CACERT /etc/ldap/ca_certs.pem
. . .
Save and close the File
Step-20: ldapwhoami -H ldap:// -x -ZZ
-ZZ forces STARTTLS and aborts if the TLS session cannot be established; a working setup prints "anonymous".
Step-21: Lastly, check /etc/default/slapd and make sure SLAPD_SERVICES includes ldaps:///:
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Then restart slapd: sudo service slapd restart
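The usual reason Step-16 and Step-17 do not produce a working TLS listener is a path in addcerts.ldif that does not exist, or a key that slapd (running as the openldap user, which Step-12 adds to the ssl-cert group) cannot read, while a key that is readable by everyone defeats Steps 13 and 14. The following pre-flight script is an added example, not part of the original procedure; it reads the olcTLS*File paths from the LDIF used in Step-15 and checks them against the ownership and mode set in Steps 12 to 14 before running the ldapmodify of Step-16.

```sh
#!/bin/sh
# Added example (not from the original procedure): pre-flight checks for
# addcerts.ldif. File paths come from the LDIF itself; the ssl-cert group,
# the openldap user and the 640 mode are the values set in Steps 12-14.

# Print the path of every olcTLS...File attribute in an LDIF file.
tls_paths() {
  sed -n 's/^olcTLS[A-Za-z]*File:[ ]*//p' "$1"
}

# Print the path of the private key (olcTLSCertificateKeyFile) only.
key_path() {
  sed -n 's/^olcTLSCertificateKeyFile:[ ]*//p' "$1"
}

# Return 0 when every file referenced by the LDIF exists as a regular file.
check_tls_files() {
  rc=0
  for f in $(tls_paths "$1"); do
    if [ ! -f "$f" ]; then
      echo "missing: $f" >&2
      rc=1
    fi
  done
  return $rc
}

# Return 0 when the key grants nothing to "other" (mode 640 or 600).
check_key_mode() {
  mode=$(stat -c '%a' "$1") || return 1
  case "$mode" in
    *0) return 0 ;;
    *)  echo "$1 is mode $mode; expected 640 (Step-14)" >&2; return 1 ;;
  esac
}

# Return 0 when the key belongs to the ssl-cert group and the given service
# user (openldap by default) is a member of that group.
check_key_group() {
  user="${2:-openldap}"
  grp=$(stat -c '%G' "$1") || return 1
  [ "$grp" = "ssl-cert" ] \
    || { echo "$1 is owned by group $grp, not ssl-cert (Step-13)" >&2; return 1; }
  id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx ssl-cert \
    || { echo "$user is not in the ssl-cert group (Step-12)" >&2; return 1; }
}

# Run every check against one LDIF; stop at the first failure.
preflight() {
  ldif="$1"
  check_tls_files "$ldif" || return 1
  key=$(key_path "$ldif")
  [ -n "$key" ] || { echo "no olcTLSCertificateKeyFile in $ldif" >&2; return 1; }
  check_key_mode "$key" || return 1
  check_key_group "$key" || return 1
  echo "preflight ok: $ldif"
}

# Usage: sh tls_preflight.sh apply addcerts.ldif
# Runs the checks and, only if they pass, applies the LDIF as in Step-16.
if [ "${1:-}" = "apply" ]; then
  ldif="${2:-addcerts.ldif}"
  preflight "$ldif" && sudo ldapmodify -H ldapi:// -Y EXTERNAL -f "$ldif"
fi
```

The group check is deliberately separate from the mode check: a key with mode 640 but group root is just as unreadable to slapd as one with mode 600, and slapd reports neither case clearly at force-reload time.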
4. Log Into the Web Interface
Step-1: Open the web interface in a browser:
- http://domain_name_or_IP_address/phpldapadmin
Step-2: Click Login and enter the Login DN (cn=admin,dc=test,dc=com) and the administrator password chosen while configuring slapd.
Step-3: After logging in, create the OU, the groups and the users as follows.
Step-4: Create Organizational Units
Select the base entry where the users will be created (dc=test,dc=com) and click “Create a child entry”, then select Generic: Organisational Unit
Step-5: Create Groups
Select the OU and click “Create a child entry”, then select Generic: Posix Group
Step-6: Create Users
Select the group created in Step-5 and click “Create a child entry”, then select Generic: User Account
Click “Create Object” and then “Commit” to save the entry.
Step-7: Add the attribute that carries the cnMaestro role for each user, as defined under “Roles” in cnMaestro
Click “Add new attribute”, select employeeType and enter the role name that matches the Role Mapping configured in cnMaestro.
Note:
The value of employeeType must match one of the Role Mapping values in cnMaestro exactly. Users in an existing LDAP directory can be handled the same way: add the employeeType attribute (available on inetOrgPerson entries) and set it to the matching cnMaestro role value.
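The same OU, group and user entries from Steps 4 to 7 can be created from the command line instead of clicking through phpLDAPadmin, which is what you want once more than a handful of users need the employeeType attribute. The script below is an added example, not part of the original document: it generates the LDIF, loads it with ldapadd over STARTTLS, and then reads back the uid and employeeType attributes and binds as the new user, which checks the two things cnMaestro will depend on (the role value and the password). The base DN dc=test,dc=com comes from the installation above; the OU name "people", the group "cnmaestro-users", the uid/gid numbers and the role value "Administrator" are illustrative and must be replaced by your own values and Role Mappings.

```sh
#!/bin/sh
# Added example (not from the original document): section 4 as LDIF.
# Assumed values: BASE_DN from the install above; OU, group, numeric ids
# and the role name are placeholders to adapt to your cnMaestro Role Mappings.
BASE_DN="dc=test,dc=com"
BIND_DN="cn=admin,${BASE_DN}"
LDAP_URI="ldap://myldap.test.com"
OU="people"
GROUP="cnmaestro-users"
GID=5000

# Emit LDIF for the OU and the POSIX group that will hold cnMaestro users
# (parents must be added before children, so these come first).
gen_container_ldif() {
  cat <<EOF
dn: ou=${OU},${BASE_DN}
objectClass: organizationalUnit
ou: ${OU}

dn: cn=${GROUP},ou=${OU},${BASE_DN}
objectClass: posixGroup
cn: ${GROUP}
gidNumber: ${GID}

EOF
}

# Emit LDIF for one user. employeeType carries the cnMaestro role name.
# $1 = uid, $2 = uidNumber, $3 = role, $4 = password hash from "slappasswd -s"
gen_user_ldif() {
  cat <<EOF
dn: uid=$1,ou=${OU},${BASE_DN}
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $1
cn: $1
sn: $1
uidNumber: $2
gidNumber: ${GID}
homeDirectory: /home/$1
loginShell: /bin/bash
employeeType: $3
userPassword: $4

EOF
}

# Print the role(s) contained in LDIF text read from stdin; this is the value
# cnMaestro compares against its Role Mappings.
role_from_ldif() {
  sed -n 's/^employeeType: //p'
}

# Load the entries, read back what cnMaestro will see, and prove the user
# can bind with the password. -ZZ uses the CA configured in /etc/ldap/ldap.conf.
apply() {
  { gen_container_ldif; gen_user_ldif "$@"; } \
    | ldapadd -H "$LDAP_URI" -ZZ -x -D "$BIND_DN" -W
  ldapsearch -H "$LDAP_URI" -ZZ -x -D "$BIND_DN" -W -b "ou=${OU},${BASE_DN}" \
    "(&(objectClass=inetOrgPerson)(uid=$1))" uid employeeType
  echo "bind test as $1 (enter the user's password):"
  ldapwhoami -H "$LDAP_URI" -ZZ -x -D "uid=$1,ou=${OU},${BASE_DN}" -W
}

# Usage: sh ldap_users.sh apply alice 10001 Administrator "$(slappasswd -s 'Secret1')"
if [ "${1:-}" = "apply" ]; then
  shift
  apply "$@"
fi
```

The final ldapwhoami is the cheapest way to find out whether a cnMaestro login failure is a password problem or a role-mapping problem: if the bind succeeds but cnMaestro still rejects the user, the employeeType value is what to compare against the Role Mappings.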
5. Configure cnMaestro
Navigate to Application > Users > Authentication Servers in the cnMaestro On-Premises UI to add the LDAP Server details.
- Make sure the IP Address/Hostname field contains the FQDN of the LDAP server (myldap.test.com), not its IP address: the service certificate was issued for that name, and hostname verification fails against a bare IP.
- Suffix is the base distinguished name of the directory, written as comma-separated components without spaces: dc=xyz,dc=xyz
Example: dc=camnwk,dc=com (for the server built above: dc=test,dc=com)
- Base DN is the login (bind) DN, in the form cn=admin,dc=xyz,dc=xyz
Example: cn=admin,dc=camnwk,dc=com (for the server built above: cn=admin,dc=test,dc=com)
- LDAP Password is the administrator password set while configuring slapd.
- Enable SSL/TLS and upload the root certificate, that is, the CA certificate created in Step-10 (/etc/ssl/certs/ca_server.pem).
- The employeeType values stored in LDAP and the Role Mappings on the cnMaestro authentication configuration page must agree with each other exactly.
- Navigate to Application > Users > Authentication and set the Primary Authentication to be the LDAP server just created.
- Secondary Authentication is automatically set to Local Users, so if the LDAP server is unreachable the UI can still be accessed with the local user database (which is why the default local password must be changed).
- If you are unable to log into the UI, you can create a One-Time password in the CLI in order to resolve the issue. (See the User Guide for details on Application Account Recovery).
Here is the link to download the user guide:
https://support.cambiumnetworks.com/files/cnmaestro/
6. Log into cnMaestro
Open a new browser session and log into cnMaestro with the username and password of the user created in LDAP.
The login should succeed, and the user receives the role mapped from its employeeType value.