Centralized Account Management using LDAP

Why

At work, I found it frustrating that I needed to remember different passwords for different services. In the cases where I was allowed to use the same password, I have found it annoying that I needed to synchronize the passwords myself. Therefore, at home, I wanted to be able to use the same account for all services.

What

While it is likely that I could have used any one of several backends, I chose LDAP, because I wanted to learn LDAP. For GNU/Linux in general and CentOS in particular, the LDAP server of choice is OpenLDAP. Therefore, that is what I chose.

A GUI-based LDAP client makes it much easier to view and manipulate the LDAP directory. I use both GQ and phpLDAPadmin. ATrpms contains the GQ package. EPEL contains the phpLDAPadmin package.

OpenLDAP

Configuration

Our configuration files (/etc/openldap/ldap.conf and /etc/openldap/slapd.conf) and my directory hierarchy (bendercasa.net.ldif (removed for security reasons)) have some things that benefit from explanation.

For security reasons, I restrict access to LDAP information. All communication with the LDAP server must be strongly encrypted (TLS), and directory data are only available after an authenticated bind.

In order to access the information needed to provide its service, a service binds using the appropriate account in the ou=users,ou=ldap,dc=bendercasa,dc=net subtree. What a service account can read or write is controlled by the groups in the ou=groups,ou=ldap,dc=bendercasa,dc=net subtree.

In order to access their account and group information, a user must bind using their account in the ou=users,dc=bendercasa,dc=net subtree. Once bound, they have read access to the information in groups of which they are members, write access to their account's password and read access to the rest of their account information. They are granted write access to their password so that they can change it themselves.
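The policy of the last three paragraphs, written out as a slapd.conf fragment. This is an added example, not the slapd.conf from this page (which is not reproduced here). The subtrees named above are the page's; everything else is an assumption: a user-facing ou=groups,dc=bendercasa,dc=net subtree, groups of objectClass groupOfNames (so membership is a DN-valued member attribute), and two service groups, cn=ldap-readers and cn=ldap-writers, under ou=groups,ou=ldap.

```conf
#
# /etc/openldap/slapd.conf fragment -- added example, not the page's own file.
# Assumed names: ou=groups,dc=bendercasa,dc=net for user-facing groups,
# groupOfNames groups (DN-valued "member"), and the service groups
# cn=ldap-readers / cn=ldap-writers under ou=groups,ou=ldap.
#

# Transport and bind policy: every operation, the bind included, needs at
# least 128 bits of TLS protection; anonymous binds are refused and nothing
# is answered before a successful bind.
security ssf=128 tls=128 simple_bind=128
disallow bind_anon
require authc

# Passwords set through the Password Modify extended operation are stored
# as {SSHA}.
password-hash {SSHA}

# ACLs: slapd uses the first "access to" clause whose target matches, and
# within it the first "by" clause whose subject matches, so order matters.

# userPassword: the owner may change it, a bind may compare against it,
# nobody may read it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Service accounts see only their own entry.
access to dn.subtree="ou=users,ou=ldap,dc=bendercasa,dc=net"
    by self read
    by * none

# User accounts: the owner reads the rest of the entry; service accounts get
# whatever level the service group that lists them implies.
access to dn.subtree="ou=users,dc=bendercasa,dc=net"
    by self read
    by group.exact="cn=ldap-writers,ou=groups,ou=ldap,dc=bendercasa,dc=net" write
    by group.exact="cn=ldap-readers,ou=groups,ou=ldap,dc=bendercasa,dc=net" read
    by * none

# User groups: readable by the accounts listed in the group's member
# attribute, and by reader service accounts.
access to dn.subtree="ou=groups,dc=bendercasa,dc=net"
    by dnattr=member read
    by group.exact="cn=ldap-readers,ou=groups,ou=ldap,dc=bendercasa,dc=net" read
    by * none

# Anything not matched above is closed.
access to *
    by * none
```

Two checks are worth running after editing the file: slaptest -f /etc/openldap/slapd.conf catches syntax errors before a restart, and slapacl evaluates a single decision offline, for example slapacl -f /etc/openldap/slapd.conf -D "uid=alice,ou=users,dc=bendercasa,dc=net" -b "uid=alice,ou=users,dc=bendercasa,dc=net" userPassword/write (uid=alice is a made-up account) should report the access as allowed, and the same query for another user's DN should report it denied. Keep in mind that the rootdn bypasses every ACL, so it must never be used as a service account.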

For security reasons, I only store hashed passwords in the LDAP directory. To ensure that userPassword updates are stored as hashes, I added the line "password-hash {SSHA}" to /etc/openldap/slapd.conf and the line "pam_password exop" to /etc/ldap.conf. The line in /etc/ldap.conf causes pam_ldap to change passwords with the LDAP Password Modify extended operation instead of writing the userPassword attribute directly. The line in /etc/openldap/slapd.conf causes OpenLDAP to hash passwords received through that extended operation in SSHA format before storing them. Note that password-hash only applies to the extended operation: a plain Modify of userPassword stores whatever value the client sends, so a client that does not use the extended operation can still write a cleartext password. At this time "pam_password exop" has been removed as it is not working correctly.
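The SSHA format itself, as an added example (Python; not code from this page or from OpenLDAP): it produces and verifies values of the form that slappasswd -h {SSHA} emits, and audits an LDIF dump for entries whose userPassword ended up cleartext or in another scheme, which is exactly what slips through when a client bypasses the extended operation. The three LDIF entries at the bottom are constructed for the example.

```python
"""Working with {SSHA} userPassword values as OpenLDAP stores them.

Added example for this page, not code from it or from OpenLDAP.  The sample
LDIF at the bottom (uid=alice/bob/carol) is constructed for illustration.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes; whatever follows the digest in the decoded value is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a value in the form "slappasswd -h {SSHA}" emits:
    "{SSHA}" + base64( SHA1(password || salt) || salt ).
    slappasswd uses a 4-byte random salt, which is the default here."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.
    Any other scheme, or malformed base64, is rejected rather than guessed at."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def _ldif_value(line: str) -> str:
    """Value of one "attr: value" or "attr:: base64value" LDIF line."""
    rest = line.split(":", 1)[1]
    if rest.startswith(":"):  # "::" marks a base64-encoded value
        return base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return rest.strip()


def audit_ldif_passwords(ldif_text: str) -> List[Tuple[str, str]]:
    """Report every entry in an LDIF dump whose userPassword is not an {SSHA} hash.

    Returns (dn, scheme) pairs, where scheme is the "{...}" prefix found or
    "cleartext".  ldapsearch normally emits userPassword in the base64 form
    ("userPassword:: ..."), which _ldif_value decodes.  Simplification: LDIF
    line continuations (lines starting with a space) are not folded; password
    values are short enough that this does not matter in practice.
    """
    findings: List[Tuple[str, str]] = []
    dn = ""
    for line in ldif_text.splitlines():
        if line.startswith("dn:"):
            dn = _ldif_value(line)
        elif line.lower().startswith("userpassword:"):
            value = _ldif_value(line)
            if not value.startswith(SSHA_PREFIX):
                if value.startswith("{") and "}" in value:
                    scheme = value[: value.find("}") + 1]
                else:
                    scheme = "cleartext"
                findings.append((dn, scheme))
    return findings


# Constructed sample: alice is hashed correctly (base64 LDIF form), bob uses a
# different scheme, carol is cleartext.  The {CRYPT} string is a placeholder.
ALICE_VALUE = ssha_hash("alice-pass", salt=b"\xde\xad\xbe\xef")
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=users,dc=bendercasa,dc=net
objectClass: inetOrgPerson
uid: alice
userPassword:: {base64.b64encode(ALICE_VALUE.encode()).decode()}

dn: uid=bob,ou=users,dc=bendercasa,dc=net
objectClass: inetOrgPerson
uid: bob
userPassword: {{CRYPT}}abJnggxhB/yWI

dn: uid=carol,ou=users,dc=bendercasa,dc=net
objectClass: inetOrgPerson
uid: carol
userPassword: hunter2
"""

if __name__ == "__main__":
    print(ALICE_VALUE, ssha_verify(ALICE_VALUE, "alice-pass"))
    for entry_dn, scheme in audit_ldif_passwords(SAMPLE_LDIF):
        print(f"{entry_dn}: {scheme}")
```

Two caveats. {SSHA} is a single SHA-1 over password and salt: the salt defeats precomputed tables, but a dumped directory can still be brute-forced offline at full SHA-1 speed, so keeping userPassword unreadable to everyone but its owner matters more than the scheme. Newer OpenLDAP releases can hand hashing to the system crypt(3) instead, with "password-hash {CRYPT}" plus "password-crypt-salt-format "$6$%.16s"" for SHA-512 crypt, which is a considerably slower target.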