
Fire from a Can of Coke and a Chocolate Bar
A Wildwood Survival exclusive - featured on Mythbusters (they got the idea here)
and in many other places on the Internet. Wildwood Survival is the original source
of this concept.
Page and photos by Walter Muma, with
some input from others.
Copyright by Walter Muma
This article and photographs may not be reproduced without permission
Yes, you CAN make a fire from a can of coke and a chocolate bar!
It really does work -- there are
This idea was originally proposed by Andre Bourbeau to
years ago. I don't know if he is the one that came up with it in the first
place. But thank you to Rob for bringing this method to my attention. The original
concept was to investigate unique and unusual ways of making fire using
everyday objects that one might be carrying around, should one be
unexpectedly stranded
in the wilderness. Of course, prudent hikers will probably be carrying a
lighter or matches! :)
To make fire from a can of coke and a chocolate bar is actually
quite easy, and you don't need any tools.
However, you do need some sunlight and some
when you're actually ready to start a fire!
For the doubters reading this page,
are comments from people
who have actually done it. In addition,
, who passed
this concept on to me, has done it. It's his hands you see in the demo
farther down the page. Please also see his article.
Ok, let's get to it...
The can....
The key to this is the bottom of the coke can (by the
way, any pop can will do), which is
ideal for reflecting and concentrating the sun's light and energy.
Here is a photo of a coke can bottom. Note that it has a
slightly dull finish. In its present condition it is not shiny enough
to concentrate the sun's rays enough to ignite tinder.
That's where the chocolate bar comes in ....
The chocolate bar....
The can bottom is not shiny enough to function as a good reflector
and concentrator of sunlight. It needs polishing. The chocolate does an excellent
job of this. So, simply break off a piece of chocolate and use it to
polish up the can bottom!
P.S. Any type of chocolate will do. Probably the purer it
is, the better. In that case, maybe a Toblerone bar isn't so great, as
it has nuts and honey in it.
This is a close-up of the surface of an un-polished can's
bottom. Note the fine straight lines in the aluminum.
These fine lines on the unpolished can
are actually the grain of the aluminum roll stock from which the can
is made. They indicate a small degree of surface
roughness that limits the can's reflectivity: they scatter
the sun's rays and prevent them from being focused together into a
single bright point.
This is why the can needs polishing.
Compare this to the picture below of a polished can
Here is a close-up of a polished can bottom.
Compare this to the picture above of an un-polished can
bottom. There's a big difference.
How can you tell when it's polished enough? What you
are looking for is a "mirror" finish. An object placed near the
bottom of the can should produce a clear (although distorted) image.
A note from A. Robinson, via email:
"DO NOT eat the chocolate after you have used it to polish the
can! It will pick up aluminum from the can, which is toxic. I've done
metalwork with aluminum, and you're actually supposed to handle it with
gloves, since it leaves a black toxic residue on your skin. Once it has
been exposed to air for a few hours, aluminum is safe to handle because
it forms an oxide layer on the surface which is non-toxic. But polishing
it will remove the oxide layer and expose bare metal, and the chocolate
will definitely pick up some aluminum. Not a mortal danger, but not the
best thing in the world to eat!"
Polishing the bottom of the can.
Note: "For polishing the can, one needs to
use the wrapper (or something else) in the process. Just rubbing chocolate on the bottom
of the can won't do too much. The process is to smear some chocolate
on the bottom, then use the wrapper (or whatever) as a 'cloth' to do the
polishing. Every now and then, one needs to add a bit more of the
'abrasive.' As a reference point, it will probably take
hour or more to finish the process."
"Toothpaste also works as a
good polish. Using the chocolate bar holds to
the initial challenge - but using fine steel wool, some sort of
cleanser or other polishing compound gives much more rapid results."
"Jeweller's rouge will get the bottom of the can
to a mirror finish in a few minutes." Chocolate at best would take
All polished and shiny.
Note that other polishing agents will work as well, such as toothpaste,
powder cleansers, etc.
How to actually make fire...
On a sunny day (yes, you do need sunlight!), hold a piece of suitable tinder, such as a fragment of tinder fungus, at the focal point of the can bottom -- about 1 -
1.25" away from the center of the "bowl".
One doesn't need to use tinder fungus. To
keep to the core of the challenge, one can use pieces of the chocolate
wrapper to get a coal. If the chocolate bar has a black paper insert,
this is of course the best due to the dark colour. It takes a bit
longer with the wrapper - but, as with a magnifying glass, many things
can be used.
It is important to orient the bottom of the can towards the sun. If the
bottom of the can is "off-axis" from the sun, the light gathering will be
less than optimal. To make
sure that you are finding the optimal focal point, try using some black
newspaper. Take a small strip, and move it towards the focal point. As you
move the paper in and out, you should be able to see the light converge to a
small point. At this time, the newspaper should start to smoke. Wearing
sunglasses is suggested.
They protect the eyes and also reduce the intensity of the light so that it
is easier to identify the sharpest focus.
Holding the small piece of tinder fungus
is easier with a long thin stick with a small split in the
end, such as is shown in this photo.
Other materials can be used as
Eye safety tip:
Stand facing away from the sun (facing your shadow) and hold the
can above your head so that you are looking at the bottom of the
tinder and the side of the can instead of the top of the tinder and
the mirror. Move the tinder to find the brightest spot.
(Thanks to Thomas for this tip)
After a very short time (only a few seconds
in the bright sun), the tinder fungus
will be smouldering. Then transfer it to a tinder bundle and
blow it into flame (if you're using a large enough piece of tinder fungus). If you're using a very small piece, then transfer the
ember to a larger piece by holding the two pieces together and blowing.
Alternatively, you could use a small bundle of very volatile
... And that's all there is to it!
Videos on YouTube
Some people have made videos of their attempts to make fire using this
method. There were three of these on YouTube - only one left now, and
unfortunately it is fake (can you figure out what's
wrong with it?). Wildwood Survival is the
original source of this concept, however.
P.S. Can you see what's wrong with the
above video?
Watch it carefully!
You may have thought of using the polished can bottom as a
reflector to signal passing aircraft, vehicles, people, whatever, if you are
in a waiting-to-be-rescued survival situation. However, this probably won't
be very effective.
"What we have created is more or less a parabolic reflector. This means that
it focuses (more or less) parallel rays of light from the sun to (more or
less) a point. If the focused light is not stopped by tinder - the light
beyond the focal point continues outward and becomes unfocused very rapidly.
Have a look at the "focusing" pictures in the article. As we move the "test strip" upwards,
the "circle" of light gets smaller. It goes to a "point" and then gets
bigger again.
A parabolic reflector is not a good signal mirror. In theory, a very very
very slightly parabolic mirror would be fine. In practice, a "plane" mirror
is probably the best solution. The reflected light does diverge somewhat
(since the sun's rays are not parallel.) But this is OK since if we are
trying to signal something that is miles away, we don't want the light to be
focused to a point - it would be much too hard to aim.
If we "invert the problem" and put a "point" light source at the focal point
of our mirror, then we will produce a beam that has (more or less) parallel
rays of light. This would be a good thing for signalling. This is also what
we call a "flashlight!""
--, May 2005
For something slightly different to do with a pop can, yet still related to
fire, go to
, where the author describes how to make an alcohol
backpacking stove from a Pepsi can.
Emails from people who have done it
Here is an email exchange with "Billy", who tried this method with
success. At first, he had trouble figuring out how to do it, but with a
little help, he then went out and actually got fire!
February-March 2003. Email received February 25, 2003:
That's pretty neat. Ok guys, I've tried for two days to figure the coke can
fire thing out. You have stumped me to never ending on this one. It's worn
me to the bone now. Has anyone figured it out yet? This would be neat to
know and show youngsters and scouts. It appears that there is an oval shaped
glass in the indention in the bottom of the can. Or a liquid of some kind. I
just can't tell from the picture. Of all the fire making techniques I've
done and learned in the military I've gotta say this one is the neatest
sounding and one I've never heard of. Could you please let me in on it? I'd
like to test it and see if it works before I have to deploy again. Thank you
very much for your time. Billy.
Reply back to &Billy&:
The key question to ask here is ... how did the bottom of the coke can get
shiny? Well, the bottom of the coke can happens to be an excellent
reflector. That is once it is shined up. It's not shiny enough as it comes.
That's the job of the chocolate bar. Apparently chocolate can act as a
polish. :) So, once you've shined it up....you hold a small piece of tinder
at the focal point of the parabolic reflector, in the sun, and you'll get a
Email received on February 26, 2003:
Ohhhhhhhh MAN!!! That "was" my first guess because I know that the
bottom of a can is not shiny like you are mentioning (I didn't think of
using a chocolate bar, I just thought the bottom needed shining up somehow
first). It appears that there are trees reflecting off of it in the picture.
But I "never" thought of using a chocolate bar to do such a thing.
That is wild. Who would've ever guessed such a thing? That's neater than
sliced bread. I made it harder than it should have been apparently. I'm
going to polish one up to see how it does right now. I'll use some Hershey's
Kisses, they're chocolate, extremely chocolaty at that. I'll have to wait
for the clouds to leave this week to try it though. This will be most
interesting. Wonder if the cold weather will affect the outcome even if one
has a bright sunny day. I've never used a reflector method in the winter
months. I'll let you know eventually how it turns out. You did well :-)
Good stumper bro. That is a good one. Thanks friend for your time and info.
What a deal :-)
A subsequent email received March 2, 2003:
Soda can & Chocolate bar fire "Does Work" :-)
The coke can (any soda can) and chocolate bar fire "DOES WORK". I
just now did it. Finally got some sun around here. It's like 45 degrees
outside, partly to mostly sunny today and I just made a nice coal and fire
with red cedar bark over the soda can about 1" to 1 1/4" over the
center of the dish of the can (to concentrate the focal point). I rolled the
small amount of bark up like a thick cigarette a couple inches in length.
Folded it over on itself (like you would see twist tobacco done). Tested
focal point with finger, Ouch! that burned, dang it! Pointed can toward the
sun and brought the bark in from the side (as not to block the sun's rays
with my fingers in the way), rolled the bark around a bit to find a good
surface area for the focal point of the light to hit flat and good. Bam! In no
time flat that sucker was a small coal. Worked quite well actually. Put in
other tinder ball, made fire. So there ya go, it does work. BBB.
The following email was received from "Bob" in March 2004:
We've been teaching "fire without matches" to new Boy
Scouts in our troop (T513, Austin, TX) for several years now. As you might
expect with 11-year-old boys, the kids love it. This year someone brought me
a printout from your website with instructions on the coke can and chocolate
bar method of starting a fire. Looked interesting, so we added it to our
instruction mix and gave it a try...[Later ...]
Worked like a charm. Since we needed to prep a number of cans for our
classes, we cheated a bit and started our polishing with Comet cleanser,
then moved up to a &whitening& toothpaste before finishing off with
chocolate. On a bright Texas winter day, about 60 degrees with no clouds,
the cans gave us flames (not just embers) on pieces of shredded inner bark
from Texas cedar in just 1-2 minutes. Very consistent, if a bit fattening!
A humorous take on this process, from "John", Apr 2005:
This is
a joke, right? I tried this several times and found it impossible to complete
this task without eating all of the chocolate. I even tried some cheap
chocolate, like Palmers, that didn't taste very good. I still failed. Any
suggestions? My wife thinks I should put duct tape over my mouth. I think that's
a bit drastic.
Another success story, from "Sarah", July 2005:
Dude. This is
awesome. I lit my cigarette off of the flame. God bless the Florida sunlight, and
my OCD which allowed me to polish the damn can for 2 hours.
From "Ed" in San Diego, California, July 31/05:
Hello,
Your pages on the Coke can fire starter are great... very interesting. Anything
to do with mirrors and sunlight fascinates me. Our hiking group used to do a lot
of long distance mirror signalling between mountains.
I rough polished my Coke can with 1500 grit wet/dry paper (wet), then finished
polished with Turtle Wax car wax and a piece of terry cloth. I placed the can on
a table so I could really bear down on it. After about 15 minutes it was very
shiny and I managed to light a couple of dead leaves. Neat site... thanks.
From Linux Home Networking
Many centralized database programs have been developed to allow users to log in on multiple computers using a single password. NIS was one of the first, but it doesn't encrypt the password transaction. It also uses the portmapper daemon, which uses an unpredictable range of TCP ports that are difficult for firewalls to track. LDAP (Lightweight Directory Access Protocol) provides an alternative based on the X.500 standard.
The X.500 standard defines how globally referenced directories of people should be structured. X.500 directories are organized under a common root directory in a tree hierarchy with different levels for each category of information, such as country, state, city, organization, organizational unit, and person. LDAP was designed to provide a simpler yet robust way of accessing X.500-style directories, and it is the access protocol used by Microsoft's Active Directory and Novell's Novell Directory Services (NDS). LDAP can also interact with other login programs, such as Remote Authentication Dial-in User Service (RADIUS), which the network equipment of many ISPs uses to manage dialup Internet access.
It was later recognized that LDAP had features that could make it a desirable replacement for NIS in some scenarios. For example, it uses a single, predictable TCP port (389) for regular communication, which a firewall can filter, and another port (636) for connections that are encrypted with TLS from the start (ldaps); TLS can also be negotiated on port 389 with the StartTLS extension. LDAP also can interact with many login authentication, authorization, and accounting programs external to Linux and UNIX.
This chapter will first show you how to install and use LDAP on Fedora Linux systems, then go on to explain how LDAP interacts with RADIUS.
Like X.500, LDAP directory entries are arranged in a tree structure. Under the root, there are branches that represent countries, organizations, organizational units, and people.
In complicated LDAP deployments, in which you have to exchange information with the LDAP databases of other companies, you may want to get a formal organization number from the Internet Assigned Numbers Authority (IANA) to reduce any data conflicts. In the chapter's example this won't be necessary. Because there will be no data sharing, I'll just make up one.
These concepts are easier to explain when working from an example, so imagine the IT department in a small organization
has many Linux servers it needs to administer.
The company wants a simple, secure, centralized login scheme for all of the servers.
It has decided to use the LDAP domain example.com
for its LDAP database, in which one domain component (DC) will be example, and the other will be com.
The database will have only one organizational unit simply called People, which is the LDAP default.
Each person will have such attributes as a username (User ID or UID), password, Linux home directory, and login shell.
The Fedora Linux server named bigboy with the IP address 192.168.1.100 will act as the LDAP server containing the database.
The Fedora Linux server named smallfry will be used to test the system as the LDAP client and has the IP address 192.168.1.102.
Server bigboy has a special user account named ldapuser that will be used to test the LDAP logins.
Here is how all that is accomplished.
Most RedHat and Fedora Linux software products are available in the RPM format. When searching for the file, remember that the OpenLDAP RPM's filename usually starts with openldap followed by a version number, as in openldap-servers-2.1.22-8.i386.rpm. (For more detail on downloading and installing, see Chapter 6.)
You will have to make sure the following packages are installed on your LDAP server.
openldap-clients
openldap-devel
openldap-servers
You will have to make sure the following packages are installed on your LDAP client.
openldap-clients
openldap-devel
The first stage of the project is to correctly configure the LDAP server. To do so, you must create an LDAP database and import the /etc/passwd file into it. Take a closer look at the steps:
Fedora LDAP defaults to putting all databases in the /var/lib/ldap directory. For the example, create a
directory for this database owned by the user ldap. (The ldap user is always created during the RPM installation process.)
[root@bigboy tmp]# mkdir /var/lib/
[root@bigboy tmp]# chown ldap:ldap /var/lib/
Only the LDAP root user (the rootdn) can create the database and import or export its data, and it bypasses whatever access controls slapd.conf defines, so its password deserves the same care as the Linux root password. The password is stored in the configuration file only as a salted hash: generate it with the slappasswd command and paste the result into slapd.conf.
[root@bigboy tmp]# slappasswd
New password:
Re-enter new password:
{SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
[root@bigboy tmp]#
To create the ldapuser account you'll use for testing, type the commands.
[root@bigboy tmp]# useradd -g users ldapuser
[root@bigboy tmp]# passwd ldapuser
Changing password for user ldapuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@bigboy tmp]#
The LDAP server's daemon is named slapd and its configuration file is named /etc/openldap/slapd.conf. Update it with:
A database of the default type bdb whose suffix is the domain
made up of domain components (DCs) example and com.
The root user with a common name (CN), or nickname, of Manager who, as expected, is part of the example and com DCs.
The hashed LDAP root password (never the cleartext password) as well as the location of the LDAP database, which goes in a directory line pointing at the directory created above.
The configuration file syntax for these (apart from the directory line) is:
database  bdb
suffix    "dc=example,dc=com"
rootdn    "cn=Manager,dc=example,dc=com"
rootpw    {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
This process involves migrating your system’s authentication files to the LDAP database you will need to create. Here’s what you need to do:
1. The MigrationTools, which convert /etc/passwd and related files into LDIF for import into LDAP, are maintained by PADL Software (not by the OpenLDAP project). Visit their site at , search for "migration tools" and download the TAR file listed on the relevant page. In this example we do the download using wget and move the files to the /usr/share/openldap/migration/ directory.
[root@bigboy tmp]# wget
-- 10:59:19--
Resolving ... 216.154.215.154
Connecting to |216.154.215.154|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21284 (21K) [application/x-gzip]
Saving to: `MigrationTools.tgz'
100%[=======================================>] 21,284
10:59:19 (106 KB/s) - `MigrationTools.tgz' saved []
[root@bigboy tmp]# tar -xvzf MigrationTools.tgz
MigrationTools-47/
MigrationTools-47/ads/
[root@bigboy tmp]# mkdir -p /usr/share/openldap/migration/
[root@bigboy tmp]# cd MigrationTools*
[root@bigboy MigrationTools-47]# cp -rv * /usr/share/openldap/migration/
`ads' -> `/usr/share/openldap/migration/ads'
[root@bigboy MigrationTools-47]# cd /tmp
[root@bigboy tmp]#
2. The settings shared by all the migration scripts live in migrate_common.ph. Edit the file and replace all instances of the string "padl" with the string "example". padl is PADL Software's own domain, used in the file as the default mail domain and base DN. We need our domain to be "example" instead so it matches our /etc/openldap/slapd.conf file. The migrate_common.ph file will be used later by the migration script.
[root@bigboy tmp]#
vi /usr/share/openldap/migration/migrate_common.ph
For example, at the vi editor’s : prompt, use the command:
%s/padl/example/g
3. Copy the DB_CONFIG.example starter file to your LDAP database directory of /var/lib/, naming it DB_CONFIG. Use the locate command to find it, remembering to run updatedb first so that the locate database is current.
[root@bigboy tmp]# updatedb
[root@bigboy tmp]# locate DB_CONFIG
/usr/share/doc/openldap-servers-2.4.16/DB_CONFIG.example
[root@bigboy tmp]# cp /usr/share/doc/openldap-servers-2.4.16/DB_CONFIG.example \
    /var/lib//DB_CONFIG
4. Migrate your system authentication files using the migrate_all_offline.sh script that should reside in the same directory as the migrate_common.ph file.
[root@bigboy tmp]# /usr/share/openldap/migration/migrate_all_offline.sh
Creating naming context entries...
Migrating groups...
Migrating hosts...
Preparing LDAP database...
=> bdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair already exists (-30996)
=> bdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry dn="cn=raid-am,ou=Services,dc=example,dc=com"
(line=16432): txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
Migration failed: saving failed LDIF to /tmp/nis.ldif.E14499
[root@bigboy tmp]#
You may get a key/data pair error for the raid-am service, as shown, but it doesn't appear to affect functionality. Note that the LDIF saved in /tmp contains the password hashes migrated from /etc/shadow, so remove it once the import is sorted out.
5. LDAP won’t start unless the files in the database directory are owned by the ldap user.
Use the chown command to do this.
[root@bigboy tmp]# chown -R ldap:ldap /var/lib/
6. Start LDAP and make sure it starts on reboot.
[root@bigboy tmp]# service ldap start
Starting slapd:                                            [  OK  ]
[root@bigboy tmp]# chkconfig ldap on
You should be ready to go! The database has been created.
You can view all the LDAP database entries at once with the ldapsearch command; this is a good test to make sure you have all the correct functionality. Note that the -x option with no -D bind DN makes this an anonymous search, so everything it returns is visible to anyone who can reach port 389. If the output includes userPassword attributes, which the migration scripts import from /etc/shadow, add an access directive to slapd.conf restricting that attribute before putting the server into service.
[root@bigboy tmp]# ldapsearch -x -b 'dc=example,dc=com' \
'(objectclass=*)'
[root@bigboy tmp]#
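The DB_KEYEXIST failure in step 4 is slapadd refusing to add a DN that already exists in the database, and the saved LDIF is the place to look for the duplicate. The shell functions below are an added example, not part of the original chapter: they unfold an LDIF file and report any DN that appears more than once, so the file can be checked before slapadd is run. They use only sed, awk and sort; any file names used with them are assumptions.

```shell
# Added example: find duplicate DNs in an LDIF file before running slapadd.
# Not part of the Linux Home Networking chapter; uses only sed, awk and sort.

# ldif_dup_dns FILE
# Prints "<count> <dn>" for every DN that occurs more than once in FILE,
# sorted; prints nothing when the LDIF is free of duplicates.
ldif_dup_dns() {
    # LDIF folds long lines by continuing them on a line that starts with
    # a single space; join those continuations back onto the "dn:" line
    # first, otherwise a folded DN would never be seen whole.
    sed -e :a -e '$!N; s/\n //; ta' -e 'P; D' "$1" |
        awk '
            # Only "dn: <value>" lines start a new entry. Base64 DNs
            # ("dn:: ...") are not decoded here and are simply skipped.
            /^dn: / {
                dn = substr($0, 5)
                # LDAP DN matching is case-insensitive for attribute names
                # and most values, and ignores optional spaces after the
                # separating commas, so normalize both before counting.
                dn = tolower(dn)
                gsub(/, */, ",", dn)
                count[dn]++
            }
            END {
                for (d in count)
                    if (count[d] > 1)
                        printf "%d %s\n", count[d], d
            }' | sort
}

# ldif_is_clean FILE
# Exit status 0 when no DN repeats, 1 otherwise; handy as a guard before
# "slapadd -l FILE".
ldif_is_clean() {
    [ -z "$(ldif_dup_dns "$1")" ]
}
```

Run `ldif_dup_dns /tmp/nis.ldif.E14499` on the saved file to see which entry collided, remove or rename one of the duplicates, and re-import the cleaned LDIF with `slapadd -l FILE` (as root, with slapd stopped) or add the remaining entries with ldapadd against the running server.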
Now that the LDAP server is configured properly, you can turn your attention to configuring and testing the clients.
LDAP clients are configured using the /etc/openldap/ldap.conf file. You need to make sure that the file's HOST line refers to the LDAP server's IP address and that BASE gives the search base. The file should look like this:
HOST 192.168.1.100
BASE dc=example,dc=com
The /etc/nsswitch.conf file defines the order in which the Linux operating system searches login databases for login information.
You want to configure it to first search its /etc/passwd file. If it doesn't find the user information there, it goes to the LDAP server. Keeping files first means local accounts, root included, keep working when the LDAP server is unreachable. The easiest way to set this up is to use the /usr/bin/authconfig-tui command:
Run /usr/bin/authconfig-tui. The output of this command may be jumbled because your command line shell's language setting may not be compatible. You can usually avoid this problem by placing the string LANG=C in front of the command as shown here.
[root@smallfry tmp]# env LANG=C authconfig-tui
Select LDAP.
Give the LDAP server's IP address, which is 192.168.1.100 in this case.
Give the base DN as dc=example,dc=com
Do not select TLS for now (the TLS section later in this chapter covers enabling it; until then, LDAP traffic, including the password binds made at login, crosses the network unencrypted).
Use MD5 and shadow passwords.
The screen should look like this:
[*] Use Shadow Passwords
[*] Use MD5 Passwords
[*] Use LDAP
[ ] Use TLS
Server: 192.168.1.100
Base DN: dc=example,dc=com
When finished, look at the /etc/nsswitch.conf file and make sure it has references to LDAP.
Note: In some Linux versions, the authconfig-tui command is replaced with the authconfig command.
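A quick way to confirm what authconfig wrote is to parse /etc/nsswitch.conf directly. The functions below are an added example, not part of the original chapter: they read the source list for the passwd, shadow and group databases and check that files comes before ldap, which is the order the text above calls for. The file contents in the usage are constructed samples.

```shell
# Added example: verify the lookup order in /etc/nsswitch.conf after
# authconfig has run. Not part of the Linux Home Networking chapter.

# nsswitch_source_order FILE DATABASE
# Prints the sources configured for DATABASE in FILE, e.g. "files ldap",
# with comments and [STATUS=action] tokens such as [NOTFOUND=return]
# stripped. Prints nothing if the database has no line.
nsswitch_source_order() {
    awk -v db="$2" '
        { sub(/#.*/, "") }               # drop comments
        $1 == (db ":") {
            out = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue  # skip action tokens
                out = out (out == "" ? "" : " ") $i
            }
            print out
            exit
        }' "$1"
}

# nsswitch_check FILE
# For passwd, shadow and group: require that "ldap" is listed and that
# "files" is consulted before it. Prints one line per failing database
# and returns 1 if any fails, 0 when all three are as expected.
nsswitch_check() {
    rc=0
    for db in passwd shadow group; do
        order=$(nsswitch_source_order "$1" "$db")
        files_seen=no ldap_seen=no ldap_after_files=no
        for src in $order; do
            case $src in
                files) files_seen=yes ;;
                ldap)
                    ldap_seen=yes
                    [ "$files_seen" = yes ] && ldap_after_files=yes
                    ;;
            esac
        done
        if [ "$ldap_seen" = no ]; then
            echo "$db: ldap is not consulted at all ($order)"
            rc=1
        elif [ "$ldap_after_files" = no ]; then
            echo "$db: ldap is consulted before files ($order)"
            rc=1
        fi
    done
    return $rc
}
```

On the client, `nsswitch_check /etc/nsswitch.conf` should print nothing and exit 0; if it complains about shadow, authconfig did not add ldap to that database and password checks for LDAP users will fail even though `getent passwd ldapuser` works.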
You previously created a user named ldapuser in the group users on server bigboy. You now need to make sure that this user has a home directory on the LDAP client smallfry. The example in this section creates the directory and makes ldapuser the owner. As you can see, server smallfry correctly gets its user information from the LDAP server:
the chown command doesn't complain about ldapuser not existing in smallfry's /etc/passwd file.
You can look for ldapuser by searching the /etc/passwd file with the grep command. There should be no response.
[root@smallfry tmp]# grep ldapuser /etc/passwd
[root@smallfry tmp]#
In this phase, you create the home directory, copy a BASH login profile file into it, and modify the ownership of the directory and all the files to user ldapuser.
Note: If the chown command fails, it is probably because of an incorrect LDAP configuration in which the LDAP client cannot read the user information from the LDAP server.
In some cases, you may want to use NFS mounts to provide home directories for your users, which will significantly reduce the need to do this step. The benefits and disadvantages of NFS are covered in Chapter 29, and Chapter 30 covers using NFS for home directories.
[root@smallfry tmp]# mkdir /home/ldapuser
[root@smallfry tmp]# chmod 700 /home/ldapuser/
[root@smallfry tmp]# ll /home
drwx------  2 ldapuser users  4 08:05 ldapuser
[root@smallfry tmp]# cp /etc/skel/.* /home/ldapuser/
cp: omitting directory `/etc/skel/.'
cp: omitting directory `/etc/skel/..'
cp: omitting directory `/etc/skel/.kde'
[root@smallfry tmp]# chown -R ldapuser:users /home/ldapuser
[root@smallfry tmp]#
You next need to do basic testing, which is covered in the "Troubleshooting LDAP Logins" section.
There are two commonly mentioned methods of encrypting Linux LDAP communications between clients and servers. One method is through the use of the external stunnel utility that protects the data using SSL. The other method also uses SSL, but it is natively supported in LDAP by using its Transport Layer Security (TLS) option and is therefore easier to implement. This section describes both methods.
TLS is the successor to the Secure Socket Layer (SSL) protocol that web browsers use to protect shopping cart checkouts. Like other certificate-based schemes, it lets a client authenticate the server and set up an encrypted channel without a shared password; all the client needs in advance is a trusted copy of the certificate authority's certificate, which is what the LDAP clients will be given below.
TLS will require you to create a certificate authority (CA) for your organization. A CA is a server that will manage the issuance and authentication of new server certificates used by the LDAP server for TLS. In the example that follows, the CA and LDAP servers are the same device, but guidelines are also provided on how the functions can be assigned to separate servers.
Note: Unlike the stunnel encryption method described later, TLS needs no separate wrapper process. OpenLDAP can run it in two ways: as ldaps on its own TCP port 636, which is what the configuration below enables, or negotiated with StartTLS on the regular LDAP port 389.
Before we begin configuration it is important to understand how TLS works. This will be discussed next.
There is a sequence of events that occurs before an LDAP session over TLS carries any LDAP traffic. These include the following steps:
Both the LDAP server and client need to be configured beforehand with a copy of the CA certificate that signed the server's certificate (in this chapter's example the server certificate is itself the CA certificate).
When the TLS connection is made, the client and server negotiate the protocol version and cipher suite they will use.
The LDAP server then sends its server certificate, which contains its public key.
The LDAP client checks that the certificate hasn't expired, that the name in it matches the host it meant to connect to, and takes note of the issuer name and key ID of the CA that signed it. It then looks for that CA among the CA certificates it trusts to decide whether the server certificate should be accepted. A client that skips any of these checks will happily talk to an impostor presenting any certificate at all.
If everything is valid, the LDAP client creates a random "premaster" secret, encrypts it with the LDAP server's public key and sends the result to the server.
A public key is created together with a private key, and anything encrypted with one can only be decrypted with the other. The server uses its private key to recover the premaster secret. Anyone who later obtains that private key can decrypt recorded sessions the same way, which is one reason the server.pem file created below must be kept private.
The client and server then derive the same master secret from the premaster secret and the random values they exchanged earlier; the master secret itself is never transmitted, so a third party cannot intercept it.
The master secret is used to derive the session keys that encrypt all further communication between client and server for the duration of the TLS session.
This is the RSA key exchange of SSL 3.0 and TLS 1.0 through 1.2. TLS 1.3, and most current TLS 1.2 configurations, use an ephemeral Diffie-Hellman exchange instead, so that a server key compromised later does not expose past sessions.
Now that you understand the TLS process its time to start configuring secure LDAP.
We are about to create our own CA server to create and sign server certificates. This process is known as creating a self-signed SSL certificate as opposed to having a trusted third party organization, such as Verisign, doing it on your behalf. The latter method is most commonly used by public websites in which the CA certificates of many well known and trusted CA companies already come installed on your PC as part of your Web browser installation.
Configuration of the server isn't hard, but there are many steps. Let's go!
1. First you need to edit your /etc/sysconfig/ldap file to make slapd listen on its secure TCP port 636 (ldaps). Here we turn off SLAPD_LDAP, the listener on the unencrypted port 389, and activate SLAPD_LDAPS. Once this is done the clients must be configured to use ldaps:// (port 636) as well; a plain HOST entry like the one used earlier in /etc/openldap/ldap.conf will no longer reach the server.
# File: /etc/sysconfig/ldap
# Run slapd with -h "... ldap:/// ..."
#   yes/no, default: yes
SLAPD_LDAP=no
# Run slapd with -h "... ldapi:/// ..."
#   yes/no, default: no
SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..."
#   yes/no, default: no
SLAPD_LDAPS=yes
2. The certificates are sensitive to the hostname of the LDAP server, so check what it is; here it is bigboy.
[root@bigboy tmp]# hostname
bigboy
[root@bigboy tmp]#
3. Enter the /etc/openldap/cacerts/ directory and generate a private key and a self-signed certificate with the openssl command. Let's define the filename as server.pem and give the certificate a lifetime of 10 years, 3650 days. In a business environment, answer as many of the questions as you can. The -nodes option leaves the private key unencrypted so that slapd can read it without a passphrase; the 1024-bit RSA key shown here dates the example, and today you should use at least rsa:2048.
Note: In all cases the host name must be accurately provided. Make sure the hostname is defined in DNS, or listed in all the clients’ /etc/hosts file.
[root@bigboy tmp]# cd /etc/openldap/cacerts/
[root@bigboy cacerts]# openssl req -newkey rsa:1024 \
-x509 -nodes -out server.pem -keyout server.pem -days 3650
Generating a 1024 bit RSA private key
.............++++++
......................++++++
writing new private key to 'server.pem'
You are about to be asked to enter information that will
be incorporated into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:bigboy
Email Address []:
[root@bigboy cacerts]#
4. Verify that the server.pem file has been created; it holds both the private key and the certificate and should look like this.
[root@bigboy cacerts]# cat server.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDj64XGJe1uA1Ybr/1kWTsQcxktU7W9i29OkbmFwI1hc8qYXuO5
qAAGCFHHupInzy9uoXJVvGW3yEw0gasLR6hzyC2+1b8vfG3Eb0yN+Yt4mGp03iiX
c0pzQrEw+HxYcsA0KAUCQDKCo5OTBB0FLpH+ZgTqkeBabt3lNYFphAqEqLyC6q10
+WMlWY/jvLyQYldbvP3ENgahGKlv99SKytSb9MFQlnc=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIC+DCCAmGgAwIBAgIJAKhuyXeddEVVMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
BAYTAkdCMRIwEAYDVQQIEwlCZXJrc2hpcmUxEDAOBgNVBAcTB05ld2J1cnkxFzAV
5/ncthk9QyZwLrz1/WEC/9qbST/aYGEz4lOMc8tPu9vKh9CAYI42J6zu51Y=
-----END CERTIFICATE-----
[root@bigboy cacerts]#
5. Each LDAP client will need a copy of the CERTIFICATE part of the file. The grep command can easily extract this information and place it into a file named client.pem.
[root@bigboy cacerts]# grep -A 100 CERTIFICATE \
server.pem > client.pem
6. Next we need to edit the /etc/openldap/slapd.conf file to activate TLS encryption of all incoming connections to the server. In the TLS section make reference to your server.pem file.
# File: /etc/openldap/slapd.conf
TLSCipherSuite        HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile  /etc/openldap/cacerts/server.pem
TLSCertificateFile    /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
TLSVerifyClient
7. Copy the client.pem file to your LDAP client’s /etc/openldap/cacerts/ directory.
[root@bigboy openldap]# scp cacerts/client.pem \
root@smallfry:/etc/openldap/cacerts/
root@smallfry's password:
client.pem
[root@bigboy openldap]#
8. The LDAP daemon won’t start properly unless the files in the /etc/openldap/cacerts directory are owned by the ldap user. We need to change this.
[root@bigboy openldap]# chown ldap:ldap cacerts/*
9. Restart the ldap daemon to make these changes take effect.
[root@bigboy openldap]# service ldap restart
Stopping slapd: [  OK  ]
Starting slapd: [  OK  ]
[root@bigboy openldap]#
10. Make sure LDAP is listening on the TCP port reserved for secure ldaps. This can be done with the netstat command; you should get a response showing ldaps listening for new connections, like this.
[root@bigboy openldap]# netstat -a | grep ldap
[root@bigboy openldap]#
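The grep -A 100 of step 5 works for the short file shown above, but it copies whatever follows the CERTIFICATE marker, so a file with the key after the certificate, or a longer chain, would hand the private key to every client in step 7. The following is an added example, not code from the original page: extract_cert, has_no_private_key and make_client_pem are names chosen here, and the function takes the file paths as arguments rather than assuming /etc/openldap/cacerts/.

```shell
#!/bin/bash
# Added example: build client.pem from the combined server.pem of step 3
# so that it holds only the CERTIFICATE block, and refuse to produce a
# file that still contains key material.

# Print only the certificate block(s) of a PEM file. Unlike
# "grep -A 100 CERTIFICATE", this does not depend on line counts or on
# the order of key and certificate inside the file.
extract_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Return 0 if the file contains no private-key block, 1 otherwise.
has_no_private_key() {
    ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Write the certificate part of $1 to $2. Returns 0 on success; on any
# problem the partial output is removed and 1 is returned.
make_client_pem() {
    local server="$1" client="$2"
    extract_cert "$server" > "$client" || return 1
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$client"; then
        echo "no certificate block found in $server" >&2
        rm -f "$client"
        return 1
    fi
    if ! has_no_private_key "$client"; then
        echo "refusing: $client still contains a private key" >&2
        rm -f "$client"
        return 1
    fi
    # The certificate is public; the key stays readable only by ldap on the server.
    chmod 644 "$client"
    return 0
}
```

Run it as make_client_pem /etc/openldap/cacerts/server.pem /etc/openldap/cacerts/client.pem before the scp of step 7.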
It’s now time to take a look at what needs to be done on the client side.
Configuration of the client is much quicker as you will soon see. Here are the steps:
1. Run authconfig-tui and make sure your options match these screens.
------------------- Authentication Configuration -------------------
User Information                Authentication
[ ] Cache Information           [*] Use MD5 Passwords
[ ] Use Hesiod                  [*] Use Shadow Passwords
[*] Use LDAP                    [*] Use LDAP Authentication
[ ] Use NIS                     [ ] Use Kerberos
[ ] Use Winbind                 [ ] Use SMB Authentication
                                [ ] Use Winbind Authentication
                                [ ] Local authorization is sufficient
                      ----------
                      | Cancel |
                      ----------
--------------------------------------------------------------------

------------------- LDAP Settings -------------------
[*] Use TLS
Server:  bigboy.my-web-site.org
Base DN: dc=example,dc=com
-----------------------------------------------------
2. Review the contents of /etc/ldap.conf and make sure it has the following entries. The host must match the hostname of the certificate.
# File: /etc/ldap.conf
uri ldaps://bigboy/
#ssl start_tls
tls_cacertdir /etc/openldap/cacerts
Note: Comment out the ssl statement as it can cause conflicts which will make remote logins fail while passing all other LDAP tests.
3. Review the contents of /etc/openldap/ldap.conf and make sure it has the following entries. The ldaps:// host must match the hostname of the certificate.
# File: /etc/openldap/ldap.conf
URI ldaps://bigboy/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
4. Test to make sure you can access the LDAP server with the ldapsearch command using the -x flag.
[root@smallfry tmp]# ldapsearch -x
dn: uid=ldapuser,ou=People,dc=example,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJDRGL2huRzdjZrV2w5cDA=
shadowLastChange: 13942
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 504
gidNumber: 100
homeDirectory: /home/ldapuser
[root@smallfry tmp]#
5. A further test is to see whether you can get the LDAP server to send you a copy of its certificate using the openssl command like this.
[root@smallfry tmp]# openssl s_client -connect bigboy:636 \
-showcerts
CONNECTED()
depth=0 /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=bigboy
verify error:num=18:self signed certificate
verify return:1
Certificate chain
0 s:/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=bigboy
i:/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=bigboy
-----BEGIN CERTIFICATE-----
MIIC+DCCAmGgAwIBAgIJAKhuyXeddEVVMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
BAYTAkdCMRIwEAYDVQQIEwlCZXJrc2hpcmUxEDAOBgNVBAcTB05ld2J1cnkxFzAV
5/ncthk9QyZwLrz1/WEC/9qbST/aYGEz4lOMc8tPu9vKh9CAYI42J6zu51Y=
-----END CERTIFICATE-----
Server certificate
subject=/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=bigboy
issuer=/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=bigboy
Acceptable client certificate CA names
/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=bigboy
SSL handshake has read 1031 bytes and written 343 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Key-Arg   : None
    Krb5 Principal: None
Verify return code: 18 (self signed certificate)
[root@smallfry tmp]#
6. Test logging into your LDAP client using the ldapuser we created earlier when testing insecure LDAP.
[root@smallfry tmp]# ssh -l ldapuser localhost
ldapuser@localhost's password:
Last login: Sat Mar  8 11:01:01 2008 from bigboy-fc8
[ldapuser@smallfry ~]$ exit
[root@smallfry tmp]#
LDAP is now configured for you and your home office to use.
You can never be certain about the functioning of any application unless you test it. LDAP is fairly complicated to install and should be as thoroughly tested as possible before you deploy it. Here are some steps you can take to help you sleep better at night.
The first step is to see what type of error messages you are getting on both the LDAP server and client. A lot of valuable information can be obtained this way; it is covered in much more detail in Chapter 5, "". Here are some messages that refer to common mistakes:
You have an unnecessary “ssl start_tls” statement in your client’s /etc/ldap.conf file.
8 10:58:50 bigboy slapd[14842]: conn=6 op=0 RESULT oid= err=1 text=TLS already started
The very first step is to use TELNET to determine whether your LDAP server is accessible on TCP port 389 (LDAP) or 636 (LDAPS).
Lack of connectivity could be caused by a firewall in the path between the LDAP server and client or there could be firewall software running on the servers themselves.
Other sources of failure include LDAP not being started at all, the server could be down, or there could be a network related failure.
Troubleshooting with Telnet is covered in Chapter 4, "", on network troubleshooting.
Always run the ldapsearch command on both the LDAP client and server to test your LDAP configuration.
[root@smallfry tmp]# ldapsearch -x -b 'dc=example,dc=com' \
'(objectclass=*)'
When LDAP is configured correctly, the command sends a full database listing to your screen.
Try to log in as user ldapuser to the LDAP client Linux system as an alternative test. If it fails, try restarting SSH on the LDAP client so that the /etc/nsswitch.conf file can be reread with the new LDAP information. This step is not required in all versions of Linux.
If the LDAP configuration files appear correct and LDAP still doesn't work, then you should try using the tcpdump command, outlined in Chapter 4, "", to see whether your systems can correctly communicate with one another. A failure to communicate could be due to poor routing, misconfigured firewalls along the way, or possibly LDAP being turned off on the server.
On the LDAP server, use the tcpdump command to listen for traffic on the regular LDAP port 389 or ldap. Run the ldapsearch command on the LDAP client.
[root@bigboy tmp]# tcpdump -n tcp port ldap
If everything is configured correctly, you should see bidirectional LDAP packet flows between the LDAP client and server.
Note: The insecurity of unencrypted LDAP client communication can also be demonstrated with a network packet capture. In this example, the tethereal command is used with the -x flag to view the hex and ASCII contents of LDAP traffic between client and server. The username, password (the userPassword attribute), UID (503), GID (100), shell (/bin/bash) and home directory (/home/ldapuser) of the ldapuser user can all be clearly seen in clear text. It is always good practice to add an additional layer of security with LDAP TLS encryption, which eliminates this visibility.
If you are using the stunnel method you would set the tethereal TCP port to ldaps.
[root@bigboy ~]# tethereal -n -x -i eth0 tcp port ldap
3d 6c 64 61 70 75 73 65 72 2c 6f 75 3d 50           id=ldapuser,ou=P
f 70 6c 65 2c 64 63 3d 65 78 61 6d 70 6c 65         eople,dc=example
63 3d 63 6f 6d 30 82 01 04 30 11 04 03 75           ,dc=com0...0...u
31 0a 04 08 6c 64 61 70 75 73 65 72 30 10           id1...ldapuser0.
63 6e 31 0a 04 08 6c 64 61 70 75 73 65 72           ..cn1...ldapuser
75 73 65 72 50 61 73 73 77 6f 72 64 31 2b 04 29     userPassword1+.)
7b 63 72 79 70 74 7d 24 31 24 47 53 77 48 53 54     {crypt}$1$GSwHST
24 71 59 4d 65 66 47 32 4f 35 77 6a 7a 70           JI$qYMefG2O5wjzp
2e 32 4b 70 58 48 31 30 19 04 0a 6c 6f 67           wB.2KpXH10...log
e 53 68 65 6c 6c 31 0b 04 09 2f 62 69 6e 2f         inShell1.../bin/
73 68 30 12 04 09 75 69 64 4e 75 6d 62 65           bash0...uidNumbe
05 04 03 35 30 33 30 12 04 09 67 69 64 4e           r1...5030...gidN
d 62 65 72 31 05 04 03 31 30 30 30 21 04 0d         umber1...1000!..
f 6d 65 44 69 72 65 63 74 6f 72 79 31 10 04         homeDirectory1..
f 68 6f 6d 65 2f 6c 64 61 70 75 73 65 72            ./home/ldapuser
[root@bigboy ~]#
On the LDAP server, when using stunnel, use the tcpdump command to listen for traffic on the secure LDAP port 636 or ldaps. With TLS you would use the regular LDAP port 389 or ldap with the command. Run the ldapsearch command on the LDAP client and if everything is configured correctly, you should see packet flows such as this one.
[root@bigboy tmp]# tcpdump -n tcp port ldaps
tcpdump: listening on eth0
09:20:02.… 192.168.1.102.1345 > 192.168.1.100.ldaps: S …:…(0) win 5840 <mss 1460,sackOK,timestamp …,nop,wscale 0> (DF)
09:20:02.… 192.168.1.100.ldaps > 192.168.1.102.1345: S …:…(0) ack … win 5792 <mss 1460,sackOK,timestamp 01362,nop,wscale 0> (DF)
[root@bigboy tmp]#
Note: You can also verify the lack of ASCII strings being sent with LDAP encryption using the tethereal example used previously. Remember to use ldap for TLS encryption and ldaps when using stunnel.
[root@bigboy ~]# tethereal -n -x -i eth0 tcp port ldaps
[root@bigboy ~]#
An stunnel LDAPS configuration will default to using regular LDAP if there is an error with the SSL keys. This could be due to:
Incorrect permissions and ownerships on the key file and/or certificates.
Incorrectly configured ldap.conf and slapd.conf configuration files.
With TLS there could be other causes:
The server names in the certificates may not match the host parameters in both of the client's ldap.conf files. A typical symptom of this is the ldapsearch command working when logged in as the root user, but LDAP based logins fail.
Incorrectly configured ldap.conf and slapd.conf configuration files.
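The two TLS causes above, and the "TLS already started" message from an uncommented ssl start_tls line, can all be caught by inspecting the client's /etc/ldap.conf and /etc/openldap/ldap.conf from steps 2 and 3 before attempting a login. The following checker is an added example, not from the original page: uri_host, has_active_start_tls and check_ldap_conf are names chosen here, and the expected certificate CN is passed in by the caller (for instance read from client.pem with openssl x509) so the check also runs where openssl is not installed.

```shell
#!/bin/bash
# Added example: pre-flight check of a client LDAP config file for the
# ldaps:// setup described on this page. It reports a URI that is not
# ldaps://, a URI host that differs from the certificate CN, and an
# active "ssl start_tls" line (which conflicts with ldaps://).

# Print the host part of the first uri/URI line in a config file
# (both /etc/ldap.conf and /etc/openldap/ldap.conf spellings).
uri_host() {
    awk 'tolower($1) == "uri" { print $2; exit }' "$1" \
        | sed -E 's#^[a-z]+://##; s#[/:].*$##'
}

# Return 0 if the file has an uncommented "ssl start_tls" line.
has_active_start_tls() {
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$1"
}

# Check one client config file ($1) against the expected certificate
# CN ($2). Prints one problem per line; returns the number of problems
# found, so 0 means the file is clean.
check_ldap_conf() {
    local file="$1" expected_cn="$2" problems=0 uri host
    uri=$(awk 'tolower($1) == "uri" { print $2; exit }' "$file")
    host=$(uri_host "$file")
    if [ -z "$uri" ]; then
        echo "$file: no uri line"
        problems=$((problems + 1))
    elif [ "${uri#ldaps://}" = "$uri" ]; then
        echo "$file: uri is not ldaps:// ($uri)"
        problems=$((problems + 1))
    fi
    if [ -n "$host" ] && [ "$host" != "$expected_cn" ]; then
        echo "$file: uri host '$host' does not match certificate CN '$expected_cn'"
        problems=$((problems + 1))
    fi
    if has_active_start_tls "$file"; then
        echo "$file: 'ssl start_tls' must be commented out when using ldaps://"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

For the page's setup the call is check_ldap_conf /etc/ldap.conf bigboy, followed by the same for /etc/openldap/ldap.conf.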
The LDAP bind utility is used for each login and can give failure errors that are usually not very descriptive. Two of the main ones that usually occur when running the ldapadd command are:
Can't contact LDAP server (81): This is usually caused by not configuring the correct IP address in the LDAP client's ldap.conf file.
Invalid credentials (49): This is usually caused by incorrect dc= statements in the configuration files or in the commands used.
Here are some explanations of how to do many common LDAP tasks. They are all based on our sample organization with a base DN of dc=example,dc=com.
Note: You need to always make sure that there are no entries for regular users in the /etc/passwd files of the LDAP clients. These should only reside on the LDAP server.
You can use the chkconfig command to get ldap configured to start at boot:
[root@bigboy tmp]# chkconfig ldap on
To start, stop, or restart ldap after booting, use
[root@bigboy tmp]# service ldap start
[root@bigboy tmp]# service ldap stop
[root@bigboy tmp]# service ldap restart
Remember to restart the ldap process every time you make a change to the LDAP database file for the changes to take effect on the running process.
LDAP users can modify their LDAP passwords using the regular passwd command.
[ldapuser@smallfry ldapuser]$ passwd
Changing password for user ldapuser.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for ldapuser
passwd: all authentication tokens updated successfully.
[ldapuser@smallfry ldapuser]$
The following three commands will reset the password for ldapuser's account. The ldappasswd command automatically generates and sets the password unless run with the -S (prompt for new password) or -s (specify new password) command line options. When prompted for the LDAP password, use the unencrypted version of the root password you created and placed in your slapd.conf file.
[root@smallfry tmp]# ldappasswd -x -W -D "cn=Manager,dc=example,dc=com" "uid=ldapuser,ou=People,dc=example,dc=com"
Enter LDAP password:
New password: c06Nb/MA
Result: Success (0)
[root@smallfry tmp]#
[root@smallfry tmp]# ldappasswd -S -x -W -D "cn=Manager,dc=example,dc=com" "uid=ldapuser,ou=People,dc=example,dc=com"
New password:
Re-enter new password:
Enter LDAP password:
Result: Success (0)
[root@smallfry tmp]#
[root@smallfry tmp]# ldappasswd -s NewpasS -x -W -D "cn=Manager,dc=example,dc=com" "uid=ldapuser,ou=People,dc=example,dc=com"
Enter LDAP password:
Result: Success (0)
[root@smallfry tmp]#
One easy way for the system administrator to manage LDAP users is to modify the regular Linux users' characteristics on the LDAP server in the regular way and then run a script to automatically modify the LDAP database.
You can use the very simple sample script /usr/local/bin/modifyldapuser to extract a particular user's information from /etc/passwd and import it into your LDAP database.
The script works by using the grep command to extract the /etc/passwd user record to a temporary file. It then runs the migrate_passwd script on this data and outputs the result to a temporary LDIF file. Next, the script replaces the default padl DC with the example DC and exports this to the final LDIF file. Finally, the ldapmodify command does the update, and then the temporary files are deleted.
#!/bin/bash
# Extract the user's /etc/passwd record, anchored on the username so that
# "bob" does not also match "bobby", convert it to LDIF with the migration
# tools, swap the default padl suffix for our example suffix, and apply
# the result to the directory with ldapmodify.
grep "^${1}:" /etc/passwd > /tmp/modifyldapuser.tmp
/usr/share/openldap/migration/migrate_passwd.pl \
    /tmp/modifyldapuser.tmp /tmp/modifyldapuser.ldif.tmp
sed 's/padl/example/' /tmp/modifyldapuser.ldif.tmp \
    > /tmp/modifyldapuser.ldif
ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f \
    /tmp/modifyldapuser.ldif
rm -f /tmp/modifyldapuser.*
Remember to make the script executable and usable only by user root with the chmod command.
[root@bigboy tmp]# chmod 700 /usr/local/bin/modifyldapuser
[root@bigboy tmp]#
To use the script, modify the Linux user. In this case, modify the password for user ldapuser by running the modifyldapuser script using ldapuser as the argument. You will be prompted for the LDAP root password.
[root@bigboy tmp]# passwd ldapuser
Changing password for user ldapuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@bigboy tmp]# modifyldapuser ldapuser
Enter LDAP Password:
modifying entry "uid=ldapuser,ou=People,dc=example,dc=com"
[root@bigboy tmp]#
You can use the short script in this section to add LDAP users to your database. I'll also provide an example of how to use it.
You can create a /usr/local/bin/addldapuser script based on the modifyldapuser script you created earlier. For example:
#!/bin/bash
# Same flow as modifyldapuser, but the final step is ldapadd, which
# creates a new entry rather than modifying an existing one.
grep "^${1}:" /etc/passwd > /tmp/changeldappasswd.tmp
/usr/share/openldap/migration/migrate_passwd.pl \
    /tmp/changeldappasswd.tmp /tmp/changeldappasswd.ldif.tmp
sed 's/padl/example/' /tmp/changeldappasswd.ldif.tmp \
    > /tmp/changeldappasswd.ldif
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f \
    /tmp/changeldappasswd.ldif
rm -f /tmp/changeldappasswd.*
Adding the user to database takes three steps:
1. Create the Linux user on the LDAP server.
2. Run the addldapuser script with the username as the only argument. This example imports a previously created Linux user named ldapuser. The script prompts you for your LDAP root password.
[root@bigboy tmp]# addldapuser ldapuser
Enter LDAP Password:
adding new entry "uid=ldapuser,ou=People,dc=example,dc=com"
[root@bigboy tmp]#
3. Create home directories for the user on all the LDAP client Linux boxes.
Remember that this script adds existing Linux users to the LDAP database. The creation of Linux users still requires the use of the adduser command.
Sometimes you want to get rid of users instead of adding them. You can create a /usr/local/bin/deleteldapuser script to delete LDAP users from your database. For example:
#!/bin/bash
ldapdelete -x -W -D "cn=Manager,dc=example,dc=com" \
"uid=$1,ou=People,dc=example,dc=com"
To delete the user from the database, run the deleteldapuser script with the username as the only argument. This example below deletes a previously created Linux user named ldapuser. The script prompts you for your LDAP root password.
[root@bigboy tmp]# deleteldapuser ldapuser
Enter LDAP Password:
[root@bigboy tmp]#
Once you understand the principles behind LDAP management, you may want to use a graphical tool to help with further administration. If the tool misbehaves, at least you'll now know how to try to fix it behind the scenes from the command line.
The LDAP Account Manager (LAM), which is available at , is a well-known, easy-to-use product. After you feel comfortable enough with the background tasks and concepts outlined in this chapter, you should give it a try.
Many network equipment manufacturers use an authorization scheme called RADIUS to filter the types of activities a user can do. The Linux FreeRADIUS server can be configured to talk to a Linux LDAP server to handle login authentication services. In other words, the user logs into the equipment, which then sends a username/password combination to the RADIUS server, the RADIUS server queries the LDAP server to see if the user is a valid one, and then replies to the network equipment with the desired login privileges if the LDAP query is successful.
You'll have to refer to your manufacturer's manuals on how to configure RADIUS, but fortunately researching how the FreeRADIUS server interacts with the Linux LDAP server is much simpler. Here are the steps.
Most RedHat and Fedora Linux software products are available in the RPM format. When searching for the file, remember that the FreeRADIUS RPM's filename usually starts with freeradius followed by a version number, as in freeradius-0.9.1-1.i386.rpm.
You can use the chkconfig command to get the FreeRADIUS daemon, radiusd, configured to start at boot:
[root@bigboy tmp]# chkconfig radiusd on
To start, stop, and restart radiusd after booting, use
[root@bigboy tmp]# service radiusd start
[root@bigboy tmp]# service radiusd stop
[root@bigboy tmp]# service radiusd restart
Remember to restart the radiusd process every time you make a change to the configuration files for the changes to take effect on the running process.
The /etc/raddb/radiusd.conf file stores the main RADIUS configuration parameters. You'll have to update some of the settings to allow LDAP queries from RADIUS.
1. Activate the use of the LDAP module in the authorize section of the file by uncommenting the word ldap.
authorize {
    ...
    # The ldap module will set Auth-Type to LDAP if it has not
    # already been set
    ldap
    ...
}
2. Activate the use of the LDAP module in the authenticate section by uncommenting the Auth-Type block for LDAP:
authenticate {
    ...
    Auth-Type LDAP {
        ldap
    }
    ...
}
3. Define the LDAP domain, LDAP server, and password methods to be used in the ldap block. In the example, the LDAP and RADIUS server is the same machine, so you set the LDAP server IP address to localhost.
ldap {
    # Define the LDAP server and the base domain name
    server = "localhost"
    basedn = "dc=example,dc=com"
    # Define which attribute from an LDAP "ldapsearch" query
    # is the password. Create a filter to extract the password
    # from the "ldapsearch" output
    password_attribute = "userPassword"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    # The following are RADIUS defaults
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}
These configuration steps only cover how to configure RADIUS to interact with LDAP. You'll have to define the login attributes and privileges each user will receive and the IP addresses of the various RADIUS clients. We'll cover these topics next.
The /etc/raddb/users file defines the types of attributes a user receives upon login. In the case of a router, this may include allowing some user groups to log in to a device in privileged mode, while allowing others only basic access.
One of the first entries in this file is to check the local server's /etc/passwd file. The very next entry should be one referring to your LDAP server with a fall through statement that will allow additional authorizations to be granted to the LDAP user further down the file based on other sets of criteria.
# First setup all accounts to be checked against the UNIX /etc/passwd.
DEFAULT Auth-Type = System
        Fall-Through = 1

# Defaults for LDAP
DEFAULT Auth-Type := LDAP
        Fall-Through = 1
You can define a shared secret password key to be used by the RADIUS server and its clients in the /etc/raddb/clients.conf file.
Passwords can be allocated for ranges of IP addresses in each network block using the secret keyword. The next example defines the password testing123 for all queries from localhost, but s3astar for the 192.168.1.0/24 network and shrtp3nc1l for the 172.16.1.0/24 network. All RADIUS clients have to peer with the RADIUS server from these networks using the correct password before logins are correctly accepted.
client 127.0.0.1 {
    secret    = testing123
    shortname = localhost
}
client 192.168.1.0/24 {
    secret    = s3astar
    shortname = home-network
}
client 172.16.1.0/24 {
    secret    = shrtp3nc1l
    shortname = office-network
}
You can now test the various elements of the RADIUS setup:
To test the server, run radiusd in debug mode to see verbose messages about the status of the RADIUS queries. These messages are much more informative than those provided in the /var/log/messages and /var/log/radius/radius.log files.
[root@bigboy tmp]# /usr/sbin/radiusd -X -A
After testing is complete, you must start the radiusd daemon in the normal manner using the command service radiusd start.
For Linux clients, you can perform RADIUS queries with the radtest command. The arguments are the LDAP username, the LDAP user's password, the LDAP server IP address, a NAS port value (any value between 1 and 100 will work here), and the RADIUS client-server shared secret password key. Successful queries will show an Access-Accept message.
A successful test from the RADIUS server looks like this.
[root@bigboy tmp]# radtest ldapuser "ldapuser-password" \
localhost 2 testing123
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=99, length=20
[root@bigboy tmp]#
A successful test from a Linux RADIUS client looks like this:
[root@smallfry bin]# radtest ldapuser "ldapuser-password" 192.168.1.100 2 s3astar
rad_recv: Access-Accept packet from host 192.168.1.100:1812, id=51, length=20
[root@smallfry bin]#
In this case, freeradius was installed solely for the purposes of testing the shared secret password key from another network. This is a good troubleshooting tip to verify remote client access before deploying network equipment.
Here is a sample snippet of how to set up a Cisco device to use a RADIUS server. You can find full coverage of Cisco authentication, authorization, and accounting (AAA) setup using RADIUS on Cisco's corporate Web site at .
aaa new-model
aaa authentication login default radius enable
aaa authentication ppp default radius
aaa authorization network radius
radius-server host 192.168.1.100
radius-server timeout 10
radius-server key shrtp3nc1l
The important thing to note in relation to our setup is that the radius-server statements define the RADIUS server's IP address and the shared secret password key.
The interaction between LDAP and RADIUS on Fedora Core 2 seems to be plagued with a segmentation fault error that you can see on the RADIUS server when running in debug mode. The error looks like this:
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
Segmentation fault
The only solution I have found is to install the Fedora Core 1 versions of the RADIUS and LDAP RPMs and to edit the /etc/yum.conf file to prevent them from being automatically updated to newer versions.
LDAP is rapidly becoming a de facto standard for remote authentication and authorization of users, not only in the realm of Linux, but also in that of Windows, where it is a key component of Active Directory. Usage of LDAP is also becoming increasingly widespread in wireless networking systems. For example, in hot spots, ISPs will sacrifice data security for the sake of convenience by not using encryption, but will use LDAP to restrict access to the Internet to people who have purchased pre-paid access codes with a predefined lifetime.
Chapter 32, "", covers the use of the Linux Squid application to cache Web content and restrict Web access by the time of day and via password prompts. Although it is beyond the scope of this book, you should know that you can use LDAP to complement the functionality of Squid in larger implementations.
This page was last modified on 17 November 2010, at 06:32.