OpenLDAP

From wiki.techunit.org

Introduction

  • Done on Debian 8 (Jessie).
  • slapd version: 2.4.40

The aim of this page is to provide a simple guide to configuring and managing an LDAP directory.

Basic configuration

Install packages

aptitude install slapd ldap-utils -y

Configure server

LDAP configuration

To configure the server, run this command.

dpkg-reconfigure slapd

Answer the prompted questions:

  • Omit OpenLDAP server configuration? No
  • DNS domain name? example.com
  • Organization name? example
  • Administrator password?
  • Database backend? HDB
  • Remove the database when slapd is purged? No
  • Move old database? Yes
  • Allow LDAPv2 protocol? Yes

Indexes

For better performance, add more indexes than the default set.

  • Add the following to /etc/ldap/slapd.conf (if your slapd reads /etc/ldap/slapd.d instead, the same lines go into the olcDbIndex attributes of the database entry)
index   objectClass             eq
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   uid                     pres,sub,eq
index   displayName             pres,sub,eq
index   default                 sub
index   uidNumber               eq
index   gidNumber               eq
index   mail,givenName          eq,subinitial
index   dc                      eq
  • Recreate the indexes
service slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
service slapd start

Object Creation

OU creation

  • OU = Organizational Unit
  • Create a file named ou.ldif and define your OUs in it:
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=computers,dc=example,dc=com
objectClass: organizationalUnit
ou: computers

Once the file is created, import your objects with the following command:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f ou.ldif
  • -x use simple authentication instead of SASL
  • -D Use the Distinguished Name to bind to the LDAP directory
  • -W Prompt for simple authentication. This is used instead of specifying the password on the command line
  • -f Read the entry modification information from file

Groups creation

  • Create a file named groups.ldif. The group below sits under ou=technical, which ou.ldif did not create, so that OU is added first (alternatively, drop it from the group DN):
dn: ou=technical,ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: technical

dn: cn=sysadmin,ou=technical,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: sysadmin
gidNumber: 10000

Import it with ldapadd, as for ou.ldif.

Create Users

  • Create a hashed password (slappasswd prints a salted SHA-1 value)
[samba] /etc/ldap # slappasswd 
New password: 
Re-enter new password: 
{SSHA}nHphlVd6HXv7CPSCPVl2RcKFCK0rBt8x
  • Create a file named johndoe.ldif:
dn: uid=john,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
# Paste the {SSHA} value printed by slappasswd on the next line. Do not append a
# "#" comment after the value: in LDIF that text would be stored as part of the password.
userPassword: {SSHA}nHphlVd6HXv7CPSCPVl2RcKFCK0rBt8x
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
# postalAddress: either give it a value or leave the attribute out; an empty value fails syntax validation
initials: JD

Once the file is created, import your objects with the following command:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f johndoe.ldif
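As an added example (not part of the wiki page), the following Python script reproduces the {SSHA} value that slappasswd prints, verifies a password against it, and writes a johndoe.ldif-style entry with the LDIF encoding rules applied. The function names and the sample password are this example's own; the base DN is the page's dc=example,dc=com. It also shows why a trailing "#Copy your password here" on the userPassword line breaks the account: LDIF only treats whole lines starting with # as comments.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the wiki page): {SSHA} as produced by slappasswd,
# plus an LDIF writer/reader. All function names are this example's own.

SSHA_PREFIX = "{SSHA}"
SALT_LEN = 4  # slappasswd default; the hash on the page decodes to 20 digest + 4 salt bytes


def ssha_hash(password, salt=b""):
    """Return {SSHA}base64(sha1(password + salt) + salt), the userPassword form."""
    if not salt:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a candidate password against a {SSHA} value (constant-time compare)."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError: garbage after the hash
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_line(attr, value):
    """One 'attr: value' line; base64 ('attr:: ...') when value is not an RFC 2849 SAFE-STRING."""
    data = value.encode("utf-8")
    safe = (
        data.isascii()
        and data[:1] not in (b" ", b":", b"<")
        and b"\n" not in data
        and b"\r" not in data
        and b"\x00" not in data
        and not data.endswith(b" ")
    )
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(data).decode("ascii"))


def user_entry(uid, given_name, sn, uid_number, gid_number, password_hash, **extra):
    """Build an inetOrgPerson/posixAccount entry like johndoe.ldif.
    Empty values are dropped: slapd rejects them for syntaxes such as postalAddress."""
    attrs = [
        ("dn", "uid=%s,ou=users,dc=example,dc=com" % uid),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("sn", sn),
        ("givenName", given_name),
        ("cn", "%s %s" % (given_name, sn)),
        ("displayName", "%s %s" % (given_name, sn)),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("userPassword", password_hash),
        ("homeDirectory", "/home/%s" % uid),
        ("loginShell", "/bin/bash"),
    ] + list(extra.items())
    return "\n".join(ldif_line(a, v) for a, v in attrs if v) + "\n"


def parse_ldif_entry(text):
    """Minimal single-entry LDIF reader: whole '#' lines are comments,
    but a '#' after a value is plain data (the pitfall in the hand-written file)."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if ":: " in line:
            attr, b64 = line.split(":: ", 1)
            value = base64.b64decode(b64).decode("utf-8")
        else:
            attr, value = line.split(": ", 1)
        entry.setdefault(attr, []).append(value)
    return entry
```

Feed the output of user_entry() to ldapadd as in the command above; the parser is only there to show that an inline comment ends up inside the stored hash, which ssha_verify() then rejects.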

Client configuration

  • Now choose your client connector:
    • libnss-ldapd
    • sssd (I prefer this one)

libnss-ldapd

Install the libnss-ldapd package

aptitude install libnss-ldapd

Configuration

  • Edit /etc/libnss-ldap.conf
# The distinguished name of the search base.
base dc=example,dc=com

# The LDAP server to use, given as a URI (host form: scheme://host/).
uri ldap://10.0.0.1/
# Unix domain sockets can be used to connect to a local LDAP server:
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# Please do not put double quotes around it as they
# would be included literally.
binddn cn=admin,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.
# The password is stored in clear text: keep this file readable by root only.
bindpw password
  • Restart nslcd
  • Edit /etc/nsswitch.conf
passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat
gshadow:        files

hosts:          files dns ldap
networks:       files ldap

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
  • Users and groups from LDAP should now be listed:
getent passwd
getent group

sssd

Install the sssd package

aptitude install sssd

sssd configuration

  • Create /etc/sssd/sssd.conf and adapt this configuration
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_default_bind_dn = cn=admin,dc=example,dc=com
ldap_default_authtok = YourPassphraseHere
ldap_default_authtok_type = password
# Clear-text LDAP with no certificate validation: once the server has a certificate
# (see "Secure LDAP with SSL/TLS" below), use ldaps:// and ldap_tls_reqcert = demand
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
ldap_search_base = dc=example,dc=com
cache_credentials = True
cache_sensitive = False
enumerate = True

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[sudo]

[autofs]

[ssh]

[pac]
  • Restrict permissions, since the file holds the bind password: chmod 600 /etc/sssd/sssd.conf
  • Restart sssd
  • Edit /etc/nsswitch.conf so that passwd, group and shadow use the sss source
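The configuration above talks to the server over plain ldap:// with certificate checking switched off. As an added example (not code from the page or from the sssd project), this Python script parses an sssd.conf, reports those settings together with the clear-text bind password, produces a hardened copy pointing at the page's CA file, and checks the chmod 600 permission; the function names and the sample configuration are this example's own.

```python
import configparser
import os
import stat
import tempfile

# Added example (not from the wiki page): audit/harden sssd.conf transport settings.
# Function names are this example's own; /etc/ldap/ssl/cacert.pem is the CA path used on the page.

# Constructed sample: the [domain/default] section from the page, trimmed.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_default_bind_dn = cn=admin,dc=example,dc=com
ldap_default_authtok = YourPassphraseHere
ldap_default_authtok_type = password
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
ldap_search_base = dc=example,dc=com
"""


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_sssd_config(text):
    """Return a list of findings for every [domain/...] section."""
    findings = []
    cp = _load(text)
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        d = cp[name]
        uri = d.get("ldap_uri", "")
        starttls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        if uri.startswith("ldap://") and not starttls:
            findings.append("%s: %s without StartTLS; the bind password and all lookups "
                            "cross the network in clear text" % (name, uri))
        reqcert = d.get("ldap_tls_reqcert", "demand").lower()
        if reqcert in ("never", "allow"):
            findings.append("%s: ldap_tls_reqcert = %s accepts any server certificate "
                            "(no protection against a spoofed server)" % (name, reqcert))
        if d.get("ldap_default_bind_dn", "").lower().startswith("cn=admin,"):
            findings.append("%s: lookups bind as the directory administrator; a dedicated "
                            "read-only DN limits what a leaked ldap_default_authtok can do" % name)
    return findings


def harden_sssd_config(text):
    """Switch every ldap:// domain to LDAPS with certificate checking against the page's CA file."""
    cp = _load(text)
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        d = cp[name]
        uri = d.get("ldap_uri", "")
        if uri.startswith("ldap://"):
            d["ldap_uri"] = "ldaps://" + uri[len("ldap://"):]
        d["ldap_tls_reqcert"] = "demand"
        d["ldap_tls_cacert"] = "/etc/ldap/ssl/cacert.pem"
        cp.remove_option(name, "ldap_id_use_start_tls")  # irrelevant once the URI is ldaps://
    out = []
    for name in cp.sections():
        out.append("[%s]" % name)
        out.extend("%s = %s" % (k, v) for k, v in cp[name].items())
        out.append("")
    return "\n".join(out)


def check_private_file(path, expected_uid=0):
    """Findings for sssd.conf permissions: must be 0600 and owned by the expected user."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & 0o077:
        findings.append("%s: mode %04o is readable by group/other; expected 0600" % (path, mode))
    if st.st_uid != expected_uid:
        findings.append("%s: owned by uid %d, expected %d" % (path, st.st_uid, expected_uid))
    return findings


def demo_file_modes():
    """Write the sample twice in a temp dir (0644, then 0600) and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        loose = os.path.join(tmp, "sssd-loose.conf")
        tight = os.path.join(tmp, "sssd-tight.conf")
        for path, mode in ((loose, 0o644), (tight, 0o600)):
            with open(path, "w") as fh:
                fh.write(SAMPLE_SSSD_CONF)
            os.chmod(path, mode)
        me = os.getuid()
        return check_private_file(loose, me), check_private_file(tight, me)
```

The hardened copy still reports one finding, the administrator bind DN: a bind password is unavoidable for lookups, so the remaining lever is to give sssd its own read-only account instead of cn=admin.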

Backup/Restore

Backup

DST_DIR="/path/to/backup/dir"
# -n 0 dumps the cn=config database, -n 1 the first data database (dc=example,dc=com);
# the LDIF files contain the userPassword hashes, so keep $DST_DIR readable by root only
/usr/sbin/slapcat -n 0 -l $DST_DIR/config-$(date +%Y-%m-%d).ldif
/usr/sbin/slapcat -n 1 -l $DST_DIR/data-$(date +%Y-%m-%d).ldif
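The two slapcat calls above produce LDIF files containing every userPassword hash. As an added example (not the page's script), this Python wrapper creates each dump with mode 0600 via a temporary file, renames it into place once slapcat has finished, and deletes dumps older than a retention period. Function names are this example's own and the file names follow the page's config-DATE.ldif / data-DATE.ldif convention; demo_prune() works on constructed empty files so it runs on a machine without slapd.

```python
import datetime
import os
import re
import subprocess
import tempfile

# Added example (not from the wiki page): slapcat wrapper with 0600 dumps,
# atomic rename and retention. Function names are this example's own.

SLAPCAT = "/usr/sbin/slapcat"
DATABASES = {"config": 0, "data": 1}  # -n 0 is cn=config, -n 1 the first data database
NAME_RE = re.compile(r"^(config|data)-(\d{4}-\d{2}-\d{2})\.ldif$")


def dump_path(dst_dir, kind, day):
    return os.path.join(dst_dir, "%s-%s.ldif" % (kind, day.strftime("%Y-%m-%d")))


def dump_database(kind, dst_dir, day=None, slapcat=SLAPCAT):
    """Run slapcat for one database into a 0600 temp file, then rename it into place."""
    day = day or datetime.date.today()
    target = dump_path(dst_dir, kind, day)
    fd, tmp = tempfile.mkstemp(prefix=".%s-" % kind, suffix=".part", dir=dst_dir)  # mkstemp: 0600
    os.close(fd)
    try:
        subprocess.run([slapcat, "-n", str(DATABASES[kind]), "-l", tmp], check=True)
        os.replace(tmp, target)  # readers never see a half-written dump
    except Exception:
        os.unlink(tmp)
        raise
    return target


def prune_dumps(dst_dir, keep_days, today=None):
    """Delete dumps older than keep_days; returns the removed file names (sorted)."""
    today = today or datetime.date.today()
    removed = []
    for name in os.listdir(dst_dir):
        m = NAME_RE.match(name)
        if not m:
            continue  # only files following the config-/data-DATE.ldif pattern are touched
        stamp = datetime.datetime.strptime(m.group(2), "%Y-%m-%d").date()
        if (today - stamp).days > keep_days:
            os.unlink(os.path.join(dst_dir, name))
            removed.append(name)
    return sorted(removed)


def backup(dst_dir, keep_days=30):
    """Dump both databases and apply retention; the directory itself is created 0700."""
    os.makedirs(dst_dir, mode=0o700, exist_ok=True)
    written = [dump_database(kind, dst_dir) for kind in DATABASES]
    return written, prune_dumps(dst_dir, keep_days)


def demo_prune():
    """Constructed directory of empty dumps to show retention (no slapcat needed)."""
    today = datetime.date(2015, 3, 8)
    with tempfile.TemporaryDirectory() as tmp:
        for days_ago in (0, 10, 31, 45):
            day = today - datetime.timedelta(days=days_ago)
            for kind in DATABASES:
                open(dump_path(tmp, kind, day), "w").close()
        open(os.path.join(tmp, "notes.txt"), "w").close()  # unrelated file must survive
        removed = prune_dumps(tmp, keep_days=30, today=today)
        return removed, sorted(os.listdir(tmp))
```

Call backup("/path/to/backup/dir") from cron as root; restore with the slapadd commands below exactly as for the hand-made dumps.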

Restore

service slapd stop
rm -rf /var/lib/ldap/*
rm -rf /etc/ldap/slapd.d/*
#Restore config
slapadd -F /etc/ldap/slapd.d -n 0 -l /path/to/config-$(date +%Y-%m-%d).ldif
#Restore data
slapadd -l /path/to/data-$(date +%Y-%m-%d).ldif
chown -R openldap: /var/lib/ldap/
chown -R openldap: /etc/ldap/slapd.d/
service slapd start

Migration

For a migration, use the same Restore procedure as above to load the config and data on the new server, but you may run into the error messages described below.


Errors

hostname mismatch

  • Error
#/var/log/syslog
Mar  8 10:26:35 samba slapd[1520]: read_config: no serverID / URL match found. Check slapd -h arguments.
Mar  8 10:26:35 samba slapd[1520]: slapd stopped.
Mar  8 10:26:35 samba slapd[1520]: connections_destroy: nothing to destroy.
Mar  8 10:26:35 samba slapd[1516]: Starting OpenLDAP: slapd failed!
  • Fix
#hotfix: the serverID URL in the migrated cn=config still carries the old host name, so give this host that name
echo "oldhostname.example.com" > /proc/sys/kernel/hostname
#permanent
echo "oldhostname.example.com" > /etc/hostname

TLS error

  • Error
#/var/log/syslog
mars 08 10:28:02 oldhostname.example.com slapd[1533]: main: TLS init def ctx failed: -1
mars 08 10:28:02 oldhostname.example.com slapd[1533]: DIGEST-MD5 common mech free
mars 08 10:28:02 oldhostname.example.com slapd[1533]: slapd stopped.
mars 08 10:28:02 oldhostname.example.com slapd[1533]: connections_destroy: nothing to destroy.
mars 08 10:28:02 oldhostname.example.com slapd[1529]: Starting OpenLDAP: slapd failed!
  • Fix

Restore the certificate files to the same paths as on the original server: the paths are those referenced by /etc/ldap/ldap.conf and by the olcTLS* attributes in cn=config.

Secure LDAP with SSL/TLS

  • Create a server certificate (refer to OpenSSL or easy-rsa)
  • Required
    • Server private key
    • Server certificate
    • CA certificate
mkdir /etc/ldap/ssl
cp /etc/ssl/CA/cacert.pem /etc/ldap/ssl
cp /etc/ssl/CA/private/wildcard_example_com.key.pem /etc/ldap/ssl
cp /etc/ssl/CA/certs/wildcard_example_com.crt.pem /etc/ldap/ssl
chown -R openldap: /etc/ldap/ssl
chmod 770 /etc/ldap/ssl
chmod 640 /etc/ldap/ssl/*

Enable LDAPS

  • Edit /etc/default/slapd (keep a single SLAPD_SERVICES line; with both present the last one wins)
#LDAP + LDAPS
#SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
#LDAPS ONLY
SLAPD_SERVICES="ldaps:/// ldapi:///"
  • Create olcSSL.ldif (a modify against cn=config; key and certificate are set in one operation so slapd can validate them together; use replace: instead of add: if the attributes are already set)
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/cacert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/wildcard_example_com.key.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/wildcard_example_com.crt.pem
  • and import the settings with ldapmodify:
ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcSSL.ldif
  • Restart server
service slapd restart
  • Add the path to CA cert in /etc/ldap/ldap.conf
TLS_CACERT      /etc/ldap/ssl/cacert.pem
  • Check ldaps
ldapsearch -x -H ldaps://ldap.example.com -s base -b dc=example,dc=com

#---

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Client config

  • Add the path to CA cert in /etc/ldap/ldap.conf
TLS_CACERT      /etc/ldap/ssl/cacert.pem
  • Update certificates
cp cacert.pem /usr/local/share/ca-certificates/example.crt
update-ca-certificates
  • Modify /etc/libnss-ldap.conf so that uri points to ldaps://ldap.example.com/ (the URI checked with ldapsearch above)

TODO

  • phpldapadmin
  • Replication

Sources

Elliot
techUnit's cofounder