Phase 01 - Setting up Linux Virtual Machines for Institutional IDP and IRS
You are going to create and run two Linux (Ubuntu) VMs, for the institutional LDAP server (IDP) and the RADIUS server (IRS), on Oracle VirtualBox
Installation of VirtualBox and Downloading Ubuntu CD image
-
Download and install VirtualBox 5.0.x
Download the Ubuntu CD image from the LEARN mirror
http://ftp.learn.ac.lk/ubuntu/releases/16.04/ubuntu-16.04-server-amd64.iso
Note down the location of the downloaded ISO file
Creating Two Ubuntu VMs
-
Start VirtualBox and click on the New button (at top-right) to create a new virtual machine
Enter name of the VM as: idp."your domain prefix".ac.lk
- eg: idp.rjt.ac.lk
Select OS Type: Linux
Select Version: Ubuntu (64-bit)
Then click on Continue button
Set VM's memory size to 1GB and click on Continue button
Set VM's hard disk option to
- Create a virtual hard disk now
and then click on Continue
Select disk type to VDI
Select storage type to Fixed size
Make sure the virtual hard disk file name is in the following format
idp."institution domain prefix".ac.lk
Adjust the disk size to 10.0GB
and click on Create to create the VM
This might take a couple of minutes
(Note down the location of vdi image file when VirtualBox flashes it on the screen)
Setting up boot device
-
Select the VM from the left panel of VirtualBox, right-click and open Settings
Click on the Storage title and select the CD ROM icon under Controller: IDE
Click on the CD ROM icon under Attributes on the left side to select
Choose Virtual Optical Disk File
Locate the Ubuntu CD image file you downloaded from the LEARN FTP mirror
Setting up Network Interface
-
Click on the Network title
With Enable Network Adapter selected,
choose Attached to: Bridged Adapter
Turn on VM for your IDP
-
Right-click on the VM and choose Normal Start
You should now see a separate window with the Ubuntu installation screen
Installation of Ubuntu Linux
Initial Installation options
-
1. Select English as language for the installation wizard
2. Select Ubuntu Server
3. Select English for VM's OS language
4. Select location by
Others->Asia->Sri Lanka
5. Keep locales as default United States
6. Press No for configure Keyboard
7. Select English (US) for country of origin for the keyboard
Now it might take some time to detect the hardware and load the necessary Linux modules
Note that it configures the network with DHCP
8. Type the host name as: idp."your domain prefix".ac.lk
9. When asked, add a user by entering your name, your username and password
10. You may select No so that the home directory is not encrypted
11. Select Yes to confirm the time-zone
Disk Configuration
-
You have an 8GB hard drive previously configured for your VM
12. Select Manual
13. Select the Disk "SCSI3(0,0,0) (sda) - 10.0 GB ATA VBOX HARDDISK" and Select Yes to create new partition table
14. Select Free Space to create following partitions and mount them as follows. Use EXT4 for all partitions except for SWAP partition
-
i. a primary partition for /boot 512MB - turn on Bootable flag
ii. a primary partition for Linux SWAP (two times the RAM) SWAP 2GB
iii. a primary partition for Linux Logical Volume for remaining disk space
Then use the Logical Volume Manager to create a Volume Group named "idp" and logical volumes for the following.
iv. a logical volume root for / 2GB
v. a logical volume usr for /usr 3GB
vi. a logical volume var for /var rest of the free space
Mount the above logical volumes as /, /usr and /var with the EXT4 file system selected.
Then finish the partitioning and confirm writing the changes to the disk
Now it might take some time to install the OS base.
Final Configuration
-
15. At the package manager, click Continue not to use any proxy settings
Again it might take some time to install the rest of the packages.
16. Select No automatic updates
17. Select only
- a. standard system utilities
b. OpenSSH server
Wait until the software installation finishes
18. Finally install/setup the GRUB boot loader by selecting Yes
19. Finish the installation of Ubuntu by selecting Continue
The VM should now restart with the newly installed OS.
You may now log in using your credentials
Playing with Linux
-
You may try some of the Linux commands below to look around
df -h to see the disk configuration
ifconfig to see the network configuration
ls / to see the directory structure
nano -w "filename" to edit a text/configuration file
vi "filename" to edit a file if you are familiar with vi
reboot to restart the VM
halt to turn off the VM
Create the Second VM for your IRS
-
You will now easily create the second VM using VM cloning. This VM is for your institutional RADIUS server, which will be used in tomorrow's hands-on session.
First Power off/shutdown your IDP VM
Right click on the VM to select Clone option
Assign new name as irs."your institute domain prefix".ac.lk
Check "Reinitialize the MAC address for all network cards"
And then click on Continue
Select Full clone
This might take some time to create the new virtual disk image (vdi) file. Note that your new VM is identical to the previous one, so you have to change the host name, IP addresses, etc. accordingly.
When the cloning has finished, start your new VM and do the following to change the host name
Edit the /etc/hostname file and change the host name to irs. You may use the vi or nano editor.
Also edit the /etc/hosts file to change 127.0.0.1 idp.inst.ac.lk idp to 127.0.0.1 irs.inst.ac.lk irs
Setting Up IP Addresses
Please use the following IPs for your IDP and IRS
Institute | Domain prefix under ac.lk | IDP IP | IRS IP
---|---|---|---
Industrial Technology Institute | iti | 192.248.4.101 | 192.248.4.102
National Engineering Research & Development Center | nerdc | 192.248.4.103 | 192.248.1.104
Wayamba University of Sri Lanka | wyb | 192.248.4.105 | 192.248.4.106
University Grant Commission | ugc | 192.248.4.107 | 192.248.4.108
University of Vocational Technology | univotec | 192.248.4.109 | 192.248.4.110
National Institute of Social Development | nisd | 192.248.4.111 | 192.248.4.112
University of Peradeniya | pdn | 192.248.4.113 | 192.248.4.114
General Sir John Kotelawala Defence University | kdu | 192.248.4.115 | 192.248.4.116
Sri Palee Campus, University of Colombo | spc | 192.248.4.117 | 192.248.4.118
Rajarata University of Sri Lanka | rjt | 192.248.4.119 | 192.248.4.120
Uva Wellassa University of Sri Lanka | uwu | 192.248.4.121 | 192.248.4.122
University College of Kuliyapitiya | uck | 192.248.4.123 | 192.248.4.124
Buddhist & Pali University of Sri Lanka | bpu | 192.248.4.125 | 192.248.4.126
University of Jaffna | jfn | 192.248.4.127 | 192.248.4.128
Open University of Sri Lanka | ou | 192.248.4.129 | 192.248.4.130
Bhiksu University of Sri Lanka | busl | 192.248.4.131 | 192.248.4.132
National Center for Advanced Studies | ncas | 192.248.4.133 | 192.248.4.134
Informatics Institute of Technology | iit | 192.248.4.135 | 192.248.4.136
Sabaragamuwa University of Sri Lanka | sab | 192.248.4.137 | 192.248.4.138
Eastern University | esn | 192.248.4.139 | 192.248.4.140
University of Ruhuna | ruh | 192.248.4.141 | 192.248.4.142
University of Sri Jayawardenepura | sjp | 192.248.4.143 | 192.248.4.144
University of Colombo UCSC | ucsc | 192.248.4.145 | 192.248.4.146
South Eastern University of Sri Lanka | seu | 192.248.4.147 | 192.248.4.148
University of Kelaniya | kln | 192.248.4.149 | 192.248.4.150
University of Visual & Performing Arts | vpa | 192.248.4.151 | 192.248.4.152
University of Moratuwa | mrt | 192.248.4.153 | 192.248.4.154
Sri Lanka Institute of Advanced Technological Education | sliate | 192.248.4.155 | 192.248.4.156
Arthur C Clark Center | accmt | 192.248.4.157 | 192.248.4.158
University of Colombo | cmb | 192.248.4.165 | 192.248.4.166
Edit the /etc/network/interfaces file on both your IDP and IRS to include their IP addresses
iface eth0 inet static
address 192.248.4.<last octet of your IDP/IRS IP from the table>
netmask 255.255.255.0
network 192.248.4.0
broadcast 192.248.4.255
gateway 192.248.4.254
dns-nameservers 192.248.1.161
dns-search yourdomain
When you have completed the IP settings of both VMs, restart them and then log in to confirm the IP settings are correct.
Also confirm that you can reach your IDP and IRS by their DNS names. For example you may ping
-
ping idp.rjt.ac.lk
ping irs.rjt.ac.lk
If LEARN does not manage your DNS, you may add the relevant entries to your primary DNS server.
Getting your Ubuntu OS up to date
-
At this time we are not going to set up new repositories but use the Ubuntu defaults for updating the system
sudo apt-get update && sudo apt-get dist-upgrade
Phase 02 - Setting up OpenLDAP and Encrypt OpenLDAP connections using STARTTLS
OpenLDAP provides an LDAP directory service that is flexible and well-supported. In this lab, we will demonstrate how to encrypt connections to OpenLDAP using STARTTLS.
Setting the Hostname and FQDN
Before you get started, make sure your server is set up so that it correctly resolves its hostname and fully qualified domain name (FQDN). This is necessary for your certificates to be validated by clients.
-
Check the FQDN with:
hostname -f
Install the OpenLDAP Server
-
If you do not already have OpenLDAP installed, now is the time to fix that. Update your server's local package index and install the software by typing:
sudo apt-get update
sudo apt-get install slapd ldap-utils
Note: if apt-get tries to use IPv6 and cannot connect, you may add the following flag at the end of the apt-get command
- -o Acquire::ForceIPv4=true
You will be asked to provide an LDAP administrative password. Feel free to skip the prompt, as we will be reconfiguring immediately after.
In order to access some additional prompts that we need, we'll reconfigure the package after installation. To do so, type:
sudo dpkg-reconfigure slapd
Answer the prompts appropriately, using the information below as a starting point:
- Omit OpenLDAP server configuration? No (we want an initial database and configuration)
- DNS domain name: inst.ac.lk (use the server's domain name, minus the hostname. This will be used to create the base entry for the information tree)
- Organization name: Example Inc (This will simply be added to the base entry as the name of your institute)
- Administrator password: [whatever you'd like]
- Confirm password: [must match the above]
- Database backend to use: HDB (out of the two choices, this has the most functionality)
- Do you want the database to be removed when slapd is purged? (your choice. Choose "Yes" to allow a completely clean removal, choose "No" to save your data even when the software is removed)
- Move old database? Yes
- Allow LDAPv2 protocol? No
Install the SSL Components
-
Once your OpenLDAP server is configured, we can go ahead and install the packages we'll use to encrypt our connection. The Ubuntu OpenLDAP package is compiled against the GnuTLS SSL libraries, so we will use GnuTLS to generate our SSL credentials:
sudo apt-get install gnutls-bin ssl-cert
With all of our tools installed, we can begin creating the certificates and keys needed to encrypt our connections.
Create the Certificate Templates
To encrypt our connections, we'll need to configure a certificate authority and use it to sign the keys for the LDAP server(s) in our infrastructure. So for our single server setup, we will need two sets of key/certificate pairs: one for the certificate authority itself and one that is associated with the LDAP service.
To create the certificates needed to represent these entities, we'll create some template files. These will contain the information that the certtool utility needs in order to create certificates with the appropriate properties.
Start by making a directory to store the template files:
sudo mkdir /etc/ssl/templates
Create the CA Template
Create the template for the certificate authority first. We'll call the file ca_server.conf. Create and open the file in your text editor:
sudo nano /etc/ssl/templates/ca_server.conf
We only need to provide a few pieces of information in order to successfully create a certificate authority. We need to specify that the certificate will be for a CA (certificate authority) by adding the ca option. We also need the cert_signing_key option to give the generated certificate the ability to sign additional certificates. We can set the cn to whatever descriptive name we'd like for our certificate authority:
cn = LDAP Server CA
ca
cert_signing_key
Save and close the file.
Create the LDAP Service Template
Next, we can create a template for our LDAP server certificate called ldap_server.conf. Create and open the file in your text editor with sudo privileges:
sudo nano /etc/ssl/templates/ldap_server.conf
Here, we'll provide a few different pieces of information. We'll provide the name of our organization and set the tls_www_server, encryption_key, and signing_key options so that our cert has the basic functionality it needs.
The cn in this template must match the FQDN of the LDAP server. If this value does not match, the client will reject the server's certificate. We will also set the expiration date for the certificate. We'll create a 10 year certificate to avoid having to manage frequent renewals:
ldap_server.conf
organization = "Name of your institution"
cn = idp.inst.ac.lk
tls_www_server
encryption_key
signing_key
expiration_days = 3652
Save and close the file when you're finished.
Create CA Key and Certificate
Now that we have our templates, we can create our two key/certificate pairs. We need to create the certificate authority's set first.
Use the certtool utility to generate a private key. The /etc/ssl/private directory is protected from non-root users and is the appropriate location to place the private keys we will be generating. We can generate a private key and write it to a file called ca_server.key within this directory by typing:
sudo certtool -p --outfile /etc/ssl/private/ca_server.key
Now, we can use the private key that we just generated and the template file we created in the last section to create the certificate authority certificate. We will write this to a file in the /etc/ssl/certs directory called ca_server.pem:
sudo certtool -s --load-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ca_server.conf --outfile /etc/ssl/certs/ca_server.pem
We now have the private key and certificate pair for our certificate authority. We can use this to sign the key that will be used to actually encrypt the LDAP session.
Create LDAP Service Key and Certificate
Next, we need to generate a private key for our LDAP server. We will again put the generated key in the /etc/ssl/private directory for security purposes and will call the file ldap_server.key for clarity.
We can generate the appropriate key by typing:
sudo certtool -p --sec-param high --outfile /etc/ssl/private/ldap_server.key
Once we have the private key for the LDAP server, we have everything we need to generate a certificate for the server. We will need to pull in almost all of the components we've created thus far (the CA certificate and key, the LDAP server key, and the LDAP server template).
We will put the certificate in the /etc/ssl/certs directory and name it ldap_server.pem. The command we need is:
sudo certtool -c --load-privkey /etc/ssl/private/ldap_server.key --load-ca-certificate /etc/ssl/certs/ca_server.pem --load-ca-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ldap_server.conf --outfile /etc/ssl/certs/ldap_server.pem
Give OpenLDAP Access to the LDAP Server Key
We now have all of the certificates and keys we need. However, currently, our OpenLDAP process will be unable to access its own key.
A group called ssl-cert already exists as the group-owner of the /etc/ssl/private directory. We can add the user our OpenLDAP process runs under (openldap) to this group:
sudo usermod -aG ssl-cert openldap
Now, our OpenLDAP user has access to the directory. We still need to give that group ownership of the ldap_server.key file though so that we can allow read access. Give the ssl-cert group ownership over that file by typing:
sudo chown :ssl-cert /etc/ssl/private/ldap_server.key
Now, give the ssl-cert group read access to the file:
sudo chmod 640 /etc/ssl/private/ldap_server.key
Our OpenLDAP process can now access the key file properly.
Configure OpenLDAP to Use the Certificate and Keys
We have our files and have configured access to the components correctly. Now, we need to modify our OpenLDAP configuration to use the files we've made. We will do this by creating an LDIF file with our configuration changes and loading it into our LDAP instance.
Move to your home directory and open a file called addcerts.ldif. We will put our configuration changes in this file:
cd ~
nano addcerts.ldif
To make configuration changes, we need to target the cn=config entry of the configuration DIT. We need to specify that we want to modify the attributes of the entry. Afterwards we need to add the olcTLSCACertificateFile, olcTLSCertificateFile, and olcTLSCertificateKeyFile attributes and set them to the correct file locations.
The end result will look like this:
addcerts.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca_server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_server.key
Save and close the file when you are finished. Apply the changes to your OpenLDAP system using the ldapmodify command:
sudo ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif
We can reload OpenLDAP to apply the changes:
sudo service slapd force-reload
Our clients can now be configured to encrypt their connections to the server over the conventional ldap:// port by using STARTTLS.
Setting up the Client Machines
In order to connect to the LDAP server and initiate a STARTTLS upgrade, the clients must have access to the certificate authority certificate and must request the upgrade.
On the OpenLDAP Server
If you are interacting with the OpenLDAP server from the server itself, you can set up the client utilities by copying the CA certificate and adjusting the client configuration file.
First, copy the CA certificate from the /etc/ssl/certs directory to a file within the /etc/ldap directory. We will call this file ca_certs.pem. This file can be used to store all of the CA certificates that clients on this machine may wish to access. For our purposes, this will only contain a single certificate:
sudo cp /etc/ssl/certs/ca_server.pem /etc/ldap/ca_certs.pem
Now, we can adjust the system-wide configuration file for the OpenLDAP utilities. Open up the configuration file in your text editor with sudo privileges:
sudo nano /etc/ldap/ldap.conf
Adjust the value of the TLS_CACERT option to point to the file we just created:
/etc/ldap/ldap.conf
TLS_CACERT /etc/ldap/ca_certs.pem
# allow: the server certificate is checked against TLS_CACERT, but the session
# still proceeds if it cannot be verified; demand (the default) aborts instead
TLS_REQCERT allow
Save and close the file.
You should now be able to upgrade your connections to use STARTTLS by passing the -Z option when using the OpenLDAP utilities. You can force STARTTLS upgrade by passing it twice. Test this by typing:
ldapwhoami -H ldap:// -x -ZZ
This forces a STARTTLS upgrade. If this is successful, you should see:
STARTTLS success
anonymous
If you mis-configured something, you will likely see an error like this:
STARTTLS failure
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
Configuring Remote Clients
-
If you are connecting to your OpenLDAP server from remote servers, you will need to complete a similar process. First, you must copy the CA certificate to the client machine. You can do this easily with the scp utility, as follows, to copy the file /etc/ldap/ca_certs.pem from IDP to IRS.
Log in to IRS and install the LDAP client
sudo apt-get install ldap-utils
sudo apt-get install gnutls-bin ssl-cert
Use the following command on IDP to copy the CA certificate from IDP to IRS
sudo scp /etc/ldap/ca_certs.pem your_username@irs.inst.ac.lk:/home/your_username
Then on IRS, copy the file to /etc/ldap
sudo cp /home/your_username/ca_certs.pem /etc/ldap
Then modify /etc/ldap/ldap.conf as done above
Test the STARTTLS upgrade by typing this:
ldapwhoami -H ldap://idp.inst.ac.lk -x -ZZ
Force Connections to Use TLS
We've successfully configured our OpenLDAP server so that it can seamlessly upgrade normal LDAP connections to TLS through the STARTTLS process. However, this still allows unencrypted sessions, which may not be what you want.
We will use an LDIF file to make the changes. Create the LDIF file in your home directory of IDP. We will call it forcetls.ldif:
nano forcetls.ldif
Inside, target the DN you want to force TLS on. In our case, this will be dn: olcDatabase={1}hdb,cn=config. We will set the changetype to "modify" and add the olcSecurity attribute. Set the value of the attribute to "tls=1" to force TLS for this DIT:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
Save and close the file when you are finished.
To apply the change, type:
sudo ldapmodify -H ldapi:// -Y EXTERNAL -f forcetls.ldif
Reload the OpenLDAP service by typing:
sudo service slapd force-reload
Now, if you search the dc=inst,dc=ac,dc=lk DIT, you will be refused if you do not use the -Z option to initiate a STARTTLS upgrade:
ldapsearch -H ldap:// -x -b "dc=inst,dc=ac,dc=lk" -LLL dn
TLS required failure
Confidentiality required (13)
Additional information: TLS confidentiality required
We can demonstrate that STARTTLS connections still function correctly:
ldapsearch -H ldap:// -x -b "dc=inst,dc=ac,dc=lk" -LLL -Z dn
TLS required success
dn: dc=inst,dc=ac,dc=lk
dn: cn=admin,dc=inst,dc=ac,dc=lk
Adding Initial Identity to your LDAP Directory Service
-
Having set up the LDAP server and the client connection using STARTTLS, it is time to add initial identities to your directory service. This includes adding user credentials and attributes, group information, etc.
The LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for representing LDAP directory content and update requests. LDIF conveys directory content as a set of records, one record for each object (or entry). It also represents update requests, such as Add, Modify, Delete, and Rename, as a set of records, one record for each update request.
Creating initial LDIF
Open a new file named initial.ldif using the nano or vi editor. Then copy the following LDIF content and make the necessary adjustments to match your institute.
-
# group, inst.ac.lk
dn: ou=group,dc=inst,dc=ac,dc=lk
description: learn groups
objectClass: top
objectClass: organizationalUnit
ou: group

# admin staff, group, inst.ac.lk
dn: cn=adm,ou=group,dc=inst,dc=ac,dc=lk
cn: adm
description: System Admin Staff
gidNumber: 1000
objectClass: posixGroup
objectClass: top

# academic staff, group, inst.ac.lk
dn: cn=acd,ou=group,dc=inst,dc=ac,dc=lk
cn: acd
description: Academic Staff
gidNumber: 2000
objectClass: posixGroup
objectClass: top

# students, group, inst.ac.lk
# (the cn attribute must carry the RDN value "std", otherwise ldapadd rejects the entry)
dn: cn=std,ou=group,dc=inst,dc=ac,dc=lk
cn: std
description: Students
gidNumber: 5000
objectClass: posixGroup
objectClass: top

# servers, inst.ac.lk
dn: ou=servers,dc=inst,dc=ac,dc=lk
description: inst servers that are LDAP clients
objectClass: top
objectClass: organizationalUnit
ou: servers

# idp, servers, inst.ac.lk
# (userPassword is stored in clear text; a {crypt} prefix would make slapd treat
#  the value as a crypt(3) hash and a bind with the password "idpldap" would fail)
dn: cn=idp,ou=servers,dc=inst,dc=ac,dc=lk
cn: idp
description: Identity Server
ipHostNumber: 192.248.4.72
objectClass: top
objectClass: device
objectClass: ipHost
objectClass: simpleSecurityObject
userPassword: idpldap

# irs, servers, inst.ac.lk
dn: cn=irs,ou=servers,dc=inst,dc=ac,dc=lk
cn: irs
description: IRS Server
ipHostNumber: 192.248.4.73
objectClass: top
objectClass: device
objectClass: ipHost
objectClass: simpleSecurityObject
userPassword: irsldap

# people, inst.ac.lk
dn: ou=people,dc=inst,dc=ac,dc=lk
description: inst users
objectClass: top
objectClass: organizationalUnit
ou: people

# testme, people, inst.ac.lk
dn: uid=testme,ou=people,dc=inst,dc=ac,dc=lk
cn: Test Me
departmentNumber: LEARN
employeeNumber: 02
employeeType: Test Account
facsimileTelephoneNumber: 081 2003032
gecos: Test Me
gidNumber: 1000
givenName: Test Me
homeDirectory: /home/testme
homePhone: none
homePostalAddress: none
initials: T M
jpegPhoto: none
labeledURI: none
loginShell: /usr/local/bin/bash
mobile: none
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowExpire: 14940
shadowFlag: 134538484
shadowInactive: 0
shadowLastChange: 14483
shadowMax: 13100
shadowMin: 0
shadowWarning: 7
sn: Test
telephoneNumber: 3032
uid: testme
uidNumber: 1001
userPassword: testme
Note that user passwords are not encrypted (in clear text format).
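Before handing the file to ldapadd it helps to lint it for the mistakes slapd will reject. The checker below is an added example written for this edit, not part of the lab material; its sample LDIF is constructed to mirror initial.ldif (with a deliberate cn mismatch in the group entry and a clear-text password), and its MUST-attribute table covers only the object classes used on this page.

```python
# Added example, not part of the lab material: a small LDIF checker to run over
# initial.ldif before ldapadd.  It reports what slapd would reject (missing naming
# attribute, entries not separated by a blank line, missing MUST attributes) and
# what it would accept silently: userPassword values without a {SCHEME} prefix.
import base64
import re

# MUST attributes of the object classes used in initial.ldif (RFC 2307/2798/4519)
REQUIRED = {
    "organizationalunit": {"ou"},
    "posixgroup": {"cn", "gidnumber"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "shadowaccount": {"uid"},
    "person": {"cn", "sn"},
    "inetorgperson": {"cn", "sn"},              # inherits person's MUST list
    "simplesecurityobject": {"userpassword"},
    "iphost": {"cn", "iphostnumber"},
}

def parse_ldif(text):
    """Return ([(dn, {attr: [values]}), ...], findings) for a file of LDIF add
    records.  Attribute names are lower-cased; 'attr:: value' is base64."""
    findings, unfolded = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:        # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], None
    for line in unfolded + [""]:                  # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current is not None:
                records.append(current)
                current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            findings.append("malformed line: %r" % line)
            continue
        name, value = name.strip().lower(), value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        if name == "dn":
            if current is not None:               # ldapadd needs a blank line here
                findings.append("%s: not separated from the previous entry by a blank line" % value)
                records.append(current)
            current = (value, {})
        elif current is None:
            findings.append("attribute %s appears before any dn" % name)
        else:
            current[1].setdefault(name, []).append(value)
    return records, findings

def lint_ldif(text):
    """Return a list of findings; an empty list means the file is clean."""
    records, findings = parse_ldif(text)
    for dn, attrs in records:
        # The RDN's attribute=value must be present in the entry itself, or slapd
        # answers "naming attribute '...' is not present in entry".
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        rdn_attr, rdn_val = rdn_attr.strip().lower(), rdn_val.strip()
        if rdn_val.lower() not in [v.lower() for v in attrs.get(rdn_attr, [])]:
            findings.append("%s: naming attribute %s=%s missing from entry" % (dn, rdn_attr, rdn_val))
        for cls in [c.lower() for c in attrs.get("objectclass", [])]:
            for req in sorted(REQUIRED.get(cls, ())):
                if req not in attrs:
                    findings.append("%s: objectClass %s requires %s" % (dn, cls, req))
        for pw in attrs.get("userpassword", []):
            if not re.match(r"\{[A-Za-z0-9-]+\}", pw):   # no {SSHA}, {CRYPT}, ... prefix
                findings.append("%s: userPassword stored in clear text" % dn)
    return findings

# Constructed sample modelled on the lab's initial.ldif: the group entry carries
# the "cn: bod" slip and the user entry a clear-text password.
SAMPLE = """\
dn: cn=std,ou=group,dc=inst,dc=ac,dc=lk
cn: bod
description: Students
gidNumber: 5000
objectClass: posixGroup
objectClass: top

dn: uid=testme,ou=people,dc=inst,dc=ac,dc=lk
cn: Test Me
sn: Test
uid: testme
uidNumber: 1001
gidNumber: 1000
homeDirectory: /home/testme
objectClass: person
objectClass: posixAccount
userPassword: testme
"""

if __name__ == "__main__":
    for finding in lint_ldif(SAMPLE):
        print(finding)
```

Run it over your own initial.ldif by passing the file contents to lint_ldif; a clean file returns an empty list.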
Adding LDIF to LDAP
Use ldapadd command to add new entries to your LDAP server. You may need to enter LDAP admin password.
ldapadd -H ldap:// -x -D "cn=admin,dc=inst,dc=ac,dc=lk" -W -Z -f initial.ldif
LDAP Bind
ldapsearch -H ldap:// -x -D "cn=admin,dc=inst,dc=ac,dc=lk" -W -Z -b "dc=inst,dc=ac,dc=lk"
Note that the clear-text userPassword is shown base64-encoded in the ldapsearch output
Deleting an LDAP entry
ldapdelete -H ldap:// "uid=user,ou=people,dc=inst,dc=ac,dc=lk" -D "cn=admin,dc=inst,dc=ac,dc=lk" -Z -W
Setting LDAP Access Control
You can view the existing ACLs with
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={1}hdb'
Create a new file named acc1.ldif with the following modification to the ACLs. This will allow your IRS (any entry under ou=servers) to read users' passwords.
-
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.children="ou=servers,dc=inst,dc=ac,dc=lk" read by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
Use the following command to apply the ACL modification
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acc1.ldif
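To see exactly what those three olcAccess values grant to each kind of requester before applying them, the evaluator below is an added example written for this edit (not the lab's or OpenLDAP's code); it assumes a simplified DN comparison by lower-cased string and handles only the "to attrs=" / "to *" and by-clause forms used above.

```python
# Added example (not from the lab): parse the three olcAccess values from
# acc1.ldif and evaluate them the way slapd does, so you can check what a given
# bind DN may do to userPassword before applying the ACL.  DN matching is a
# simplified lower-cased string comparison, an assumption made for brevity.
import re

# slapd access levels, weakest to strongest; a granted level implies all lower ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_olc_access(value):
    """Turn '{0}to attrs=userPassword by self write by * none' into
    {'attrs': {'userpassword'}, 'by': [('self', 'write'), ('*', 'none')]};
    'attrs' is None for a 'to *' clause."""
    value = re.sub(r"^\{\d+\}", "", value.strip())      # drop the {n} ordering prefix
    head, *by_parts = re.split(r"\s+by\s+", value)
    if not head.startswith("to "):
        raise ValueError("olcAccess value must start with 'to': %r" % value)
    target = head[3:].strip()
    if target == "*":
        attrs = None
    elif target.startswith("attrs="):
        attrs = {a.strip().lower() for a in target[len("attrs="):].split(",")}
    else:
        raise ValueError("unsupported 'to' clause: %r" % target)
    by = []
    for part in by_parts:
        who, level = part.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError("unknown access level %r" % level)
        by.append((who.strip().replace('"', ""), level))
    return {"attrs": attrs, "by": by}

def who_matches(who, requester, target_dn):
    """Does a 'by <who>' clause apply?  requester is the bound DN, or None
    for an anonymous session; target_dn is the entry being accessed."""
    r = requester.lower() if requester else None
    if who == "*":
        return True
    if who == "anonymous":
        return r is None
    if who == "users":
        return r is not None
    if who == "self":
        return r is not None and r == target_dn.lower()
    kind, sep, base = who.partition("=")
    base = base.lower()
    if sep and r is not None:
        if kind in ("dn", "dn.exact"):
            return r == base
        if kind == "dn.subtree":
            return r == base or r.endswith("," + base)
        if kind == "dn.children":                  # anything below base, not base itself
            return r != base and r.endswith("," + base)
        if kind == "dn.onelevel":                  # direct children only
            return r.endswith("," + base) and "," not in r[:-len(base) - 1]
    return False

def access(rules, requester, target_dn, attr=None):
    """Access level slapd grants: the first 'to' clause whose target matches is
    the only one consulted, and within it the first matching 'by' clause wins.
    A 'to' clause that matches but has no matching 'by' denies (none)."""
    for rule in rules:
        if rule["attrs"] is not None and (attr is None or attr.lower() not in rule["attrs"]):
            continue
        for who, level in rule["by"]:
            if who_matches(who, requester, target_dn):
                return level
        return "none"
    return "none"

def allowed(rules, requester, target_dn, attr, needed):
    """True if the granted level is at least `needed` (e.g. 'read' covers 'auth')."""
    return LEVELS.index(access(rules, requester, target_dn, attr)) >= LEVELS.index(needed)

# The three olcAccess values from the lab's acc1.ldif, parsed in order.
LAB_ACLS = [parse_olc_access(v) for v in (
    '{0}to attrs=userPassword by self write by anonymous auth '
    'by dn.children="ou=servers,dc=inst,dc=ac,dc=lk" read by * none',
    '{1}to attrs=shadowLastChange by self write by * read',
    '{2}to * by * read',
)]

IRS = "cn=irs,ou=servers,dc=inst,dc=ac,dc=lk"
TESTME = "uid=testme,ou=people,dc=inst,dc=ac,dc=lk"

if __name__ == "__main__":
    for who in (None, TESTME, IRS, "uid=bob,ou=people,dc=inst,dc=ac,dc=lk"):
        print(who or "anonymous", "->", access(LAB_ACLS, who, TESTME, "userPassword"))
```

The ordering matters as much as the clauses: moving the {2} rule to the front would let anonymous searches read every userPassword, because "to *" matches first.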
Optional
If you have finished the above LDAP configuration, you may optionally try to install phpLDAPadmin
Install phpLDAPadmin to Manage LDAP with a Web Interface
Although it is very possible to administer LDAP through the command line, most users will find it easier to use a web interface. We're going to install phpLDAPadmin, which provides this functionality, to help remove some of the friction of learning the LDAP tools.
The Ubuntu repositories contain the phpLDAPadmin package. You can install it by first logging in to your IDP and then typing:
sudo apt-get install phpldapadmin apache2-utils
Edit configuration file to make following adjustments
sudo nano /etc/phpldapadmin/config.php
$servers->setValue('server','host','localhost');
$servers->setValue('server','base',array('dc=inst,dc=ac,dc=lk'));
$servers->setValue('login','bind_id','cn=admin,dc=inst,dc=ac,dc=lk');
$config->custom->appearance['hide_template_warning'] = true;
$servers->setValue('server','tls',true);
Create an SSL certificate for your Apache web server
sudo mkdir /etc/apache2/ssl
Next, we can create the key and certificate in one movement by typing:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Create a Password Authentication File
We also want to password protect our phpLDAPadmin location. Even though phpLDAPadmin has password authentication, this will provide an extra level of protection.
sudo htpasswd -c /etc/apache2/htpasswd testme
Then enter your password.
Secure Apache
The first thing we should do is enable the SSL module in Apache. We can do this by typing:
sudo a2enmod ssl
This will enable the module, allowing us to use it. We still need to configure Apache to take advantage of this though.
Currently, Apache is reading a file called 000-default.conf for regular, unencrypted HTTP connections. We need to tell it to redirect requests for our phpLDAPadmin interface to our HTTPS interface so that the connection is encrypted.
When we redirect traffic to use our SSL certificates, we'll also implement the password file to authenticate users. While we're modifying things, we'll also change the location of the phpLDAPadmin interface itself to minimize targeted attacks.
Configure the HTTP Virtual Host
Next, we need to modify our current Virtual Hosts file. Open it with root privileges in your editor:
sudo nano /etc/apache2/sites-enabled/000-default.conf
The changes we discussed will end up looking like this. Replace the domain values with your own:
<VirtualHost *:80>
ServerAdmin webmaster@inst.ac.lk
DocumentRoot /var/www/html
ServerName idp.inst.ac.lk
Redirect permanent /phpldapadmin https://idp.inst.ac.lk/phpldapadmin
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Configure the HTTPS Virtual Host File
Apache includes a default SSL Virtual Host file. However, it is not enabled by default.
We can enable it by typing:
sudo a2ensite default-ssl.conf
This will link the file from the sites-available directory into the sites-enabled directory. We can edit this file now by typing:
sudo nano /etc/apache2/sites-enabled/default-ssl.conf
This file is a bit more involved than the last one, so we will only discuss the changes that we have to make. All of the changes below should go within the Virtual Host block in the file.
First of all, set the ServerName value to your server's domain name or IP address again and change the ServerAdmin directive as well:
ServerAdmin webmaster@inst.ac.lk
ServerName idp.inst.ac.lk
Next, we need to set the SSL certificate directives to point to the key and certificate that we created. The directives should already exist in your file, so just modify the files they point to:
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
The last thing we need to do is set up the location block that will implement our password protection for the entire phpLDAPadmin installation.
We do this by referencing the location where we are serving the phpLDAPadmin and setting up authentication using the file we generated. We will require anyone attempting to access this content to authenticate as a valid user:
<Location /phpldapadmin>
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/htpasswd
Require valid-user
</Location>
Save and close the file when you are finished.
Restart Apache to implement all of the changes that we have made:
sudo service apache2 restart
We can now move on to the actual interface.
https://idp.inst.ac.lk/phpldapadmin/
Enter your Apache password first and then the LDAP admin password
Phase 03 - Linking Your IRS with IDP
Before you continue with the rest of the lab exercise below, you need a working Radius server in your IRS. It is going to be installed and configured tomorrow at the eduroam session. So wait till tomorrow afternoon.
Then you need to install freeradius ldap modules by
sudo service freeradius stop
sudo apt-get install freeradius-ldap
sudo service freeradius start
Configure your FreeRadius to use LDAP authentication
Edit /etc/freeradius/mods-available/ldap to add following lines needed for IRS to connect with your IDP (LDAP). Add them in where appropriate.
server = 'idp.inst.ac.lk'
identity = 'cn=irs,ou=servers,dc=inst,dc=ac,dc=lk'
password = irsldap
base_dn = 'ou=people,dc=inst,dc=ac,dc=lk'
Find the tls block further down in the same file and uncomment
start_tls=yes
Locate edir_autz = no and change it to edir_autz = yes
Create a symbolic link as
sudo ln -s /etc/freeradius/mods-available/ldap /etc/freeradius/mods-enabled/ldap
Edit mods-available/eap to change the ttls default_eap_type to mschapv2:
locate the ttls { block further down in the file and modify it as follows
default_eap_type = mschapv2
Edit sites-available/eduroam-inner-tunnel to locate the ldap directive in the Authorize section and then uncomment it.
Then restart your freeradius service
If nothing went wrong, you should be able to run a RADIUS EAP test to verify authentication by your IDP.
./rad_eap_test -H 127.0.0.1 -S testing123 -P 1812 -u testme@learn.ac.lk -p Ask_LEARN -e PEAP -m WPA-EAP -c
Setting up Wireless APs
First you need to add your WAP as a client to the FreeRADIUS server. Add the following to the end of the /etc/freeradius/clients.conf file
client waps {
ipaddr = 192.248.4.0/24
secret = labpass
}
It is now time to quickly set up your WAPs to use 802.1X RADIUS authentication through your IRS. One AP is going to be shared by four people. Each can create an eduroam SSID attached to their own IRS.
SSIDs should be as follows
AP - 01 - 192.248.4.181
-
eduroam102
eduroam104
eduroam106
eduroam108
AP - 02 - 192.248.4.182
-
eduroam110
eduroam112
eduroam114
eduroam116
AP - 03 - 192.248.4.183
...
...
AP - 10 - 192.248.4.190
Login to Your WAP
Log in to your AP by entering the IP address of the AP as the URL in your web browser
Then login using following credentials
User name: admin
Password: admin
Creating SSID for Aruba WAPs
Locate the Network tab on the left of your web GUI and click on New to add a new SSID.
At the New WLAN dialog box
Enter Name (SSID): eduroam1XX and click on Next
Click on Next again to accept the default setting for VLAN
At the Security tab, move the slider on the left to Enterprise
then set
-
Key Management : WPA-2 Enterprise
At Authentication server select New in the drop down list
Now enter your IRS IP address and the Secret (labpass)
(Note that at this point you have to add your WAP as client to your clients configuration file of your freeRadius)
then click Next and then Finish
Now try connecting your laptop or mobile device to your SSID
Congratulations! You are done.