Difference between revisions of "LDAP server"

(Created page with "LDAP server =Installation= ==Packages== <syntaxhighlight lang="bash"> apt-get install slapd ldap-utils </syntaxhighlight> You'll have to choose a LDAP admin password. C...")
 
 
(29 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
[[Category:Linux]]
 +
 
LDAP server
 
LDAP server
  
Line 10: Line 12:
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
apt-get install slapd ldap-utils
 
apt-get install slapd ldap-utils
 +
 +
# For SSL - TLS access
 +
apt-get install gnutls-bin
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Line 39: Line 44:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
* Select NO to the first question = it will create a new database
+
* Select NO to the first question = it will '''create a new database'''
* Put the same domain as before: "'''dev.daxiongmao.eu'''". This must match your (DC=...,DC=....,DC=....)
+
* Current LDAP server: "'''dev.daxiongmao.eu'''". This must match your (DC=...,DC=....,DC=....)
* Put your administrator password - the same as earlier
+
* Name of your organization: '''daxiongmao.eu'''
* Select HDB (Berkley database)
+
* Root LDAP server: put your root or the same value as before.
* Do NOT remove database on package removal
+
* Put your '''administrator password - the same as earlier'''
* Move old database
+
* Select '''HDB''' (Berkley database)
* Do NOT allow LDAP v2
+
* '''Do NOT remove database''' on package removal
 +
* '''Move''' old database
 +
* '''Do NOT allow''' LDAP v2
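Review bot: the backend chosen at the "Select HDB" step is load-bearing for the rest of this revision: the overlay entries added further down are addressed to olcDatabase={1}hdb,cn=config, so a reader who picks another backend here (mdb, for instance) will get a "no such object" error from ldapadd when applying memberof.ldif and referential_integrity.ldif; the list item should say that the database name must match. Also, "Berkley" should read "Berkeley".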
  
  
Line 57: Line 64:
 
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 636 -j ACCEPT # LDAP over SSL
 
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 636 -j ACCEPT # LDAP over SSL
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
 +
 +
 +
 +
=Add overlays=
 +
 +
By default OpenLDAP does NOT support all the LDAP features.
 +
 +
You should enable:
 +
* the group membership: an user has some group membership (''memberOf'') ; each group has a set of members (''member'' attribute).
 +
* the Referential Integrity: to apply all changes on Cascade
 +
 +
 +
 +
==MemberOf overlay==
 +
 +
This will enable the group memberships attribute "memberOf" for each user
 +
 +
=> This attribute "memberOf" will have the complete DN of all user's groups
 +
 +
 +
===Module setup===
 +
 +
Create the module configuration's file:
 +
 +
<syntaxhighlight lang="bash">
 +
cd /etc/ldap
 +
vim memberof.ldif
 +
</syntaxhighlight>
 +
 +
 +
Put the following content:
 +
 +
<syntaxhighlight lang="scheme">
 +
dn: cn=module{1},cn=config
 +
cn: module{1}
 +
objectClass: olcModuleList
 +
objectClass: top
 +
olcModuleLoad: memberof.la
 +
olcModulePath: /usr/lib/ldap
 +
 +
 +
dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
 +
objectClass: olcConfig
 +
objectClass: olcOverlayConfig
 +
objectClass: olcMemberOf
 +
objectClass: top
 +
olcOverlay: memberof
 +
olcMemberOfDangling: ignore
 +
olcMemberOfRefInt: TRUE
 +
olcMemberOfGroupOC: groupOfNames
 +
olcMemberOfMemberAD: member
 +
olcMemberOfMemberOfAD: memberOf
 +
 +
</syntaxhighlight>
 +
 +
 +
[!] The overlay must be apply on "cn=module{1}" for declaration + automatic appliance.
 +
 +
    otherwise, if "cn=module{0}", the attribute will be supported but not automaticaly used.
 +
 +
 +
[!] Don't forget the empty line at the end
 +
 +
 +
===Apply configuration===
 +
 +
<syntaxhighlight lang="bash">
 +
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof.ldif
 +
service slapd restart
 +
</syntaxhighlight>
 +
 +
 +
===Check results===
 +
 +
<syntaxhighlight lang="bash">
 +
cat /etc/ldap/slapd.d/cn=config/cn=module{1}.ldif
 +
</syntaxhighlight>
 +
 +
 +
 +
 +
=="Referential integrity" overlay==
 +
 +
When enabled, Referential integrity plug-in performs integrity updates on specified attributes immediately after a delete, rename, or move operation.
 +
 +
=> It will apply the "memberOf" on user + "member" on group automaticaly
 +
 +
 +
 +
===Module setup===
 +
 +
Create the module configuration's file:
 +
 +
<syntaxhighlight lang="bash">
 +
cd /etc/ldap
 +
vim referential_integrity.ldif
 +
</syntaxhighlight>
 +
 +
 +
Put the following content:
 +
 +
<syntaxhighlight lang="scheme">
 +
dn: cn=module,cn=config
 +
cn: module
 +
objectClass: olcModuleList
 +
objectClass: top
 +
olcModuleLoad: refint.la
 +
olcModulePath: /usr/lib/ldap
 +
 +
dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
 +
objectClass: olcConfig
 +
objectClass: olcOverlayConfig
 +
objectClass: olcRefintConfig
 +
objectClass: top
 +
olcOverlay: {1}refint
 +
olcRefintAttribute: memberof member manager owner
 +
 +
</syntaxhighlight>
 +
 +
 +
[!] Don't forget the empty line at the end
 +
 +
 +
[!] Unlike "memberOf" you don't need to specify the "cn=module{x}" you can let OpenLDAP decides it for you (== it should be module{2} then !)
 +
 +
 +
 +
===Apply configuration===
 +
 +
<syntaxhighlight lang="bash">
 +
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f referential_integrity.ldif
 +
service slapd restart
 +
</syntaxhighlight>
 +
 +
 +
 +
===Check results===
 +
 +
<syntaxhighlight lang="bash">
 +
cat /etc/ldap/slapd.d/cn=config/cn=module{2}.ldif
 +
</syntaxhighlight>
 +
  
  
  
 
=Maintenance operations=
 
=Maintenance operations=
 +
 +
==Know your configuration==
 +
 +
Display LDAP configuration's structure
 +
 +
<syntaxhighlight lang="bash">
 +
find /etc/ldap/slapd.d/ | sed 's/[^/]*\//|  /g;s/| *\([^| ]\)/+--- \1/'
 +
</syntaxhighlight>
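Review bot: the "[!]" explanation of cn=module{1} versus cn=module{0} conflates two different things: cn=module{N} only indexes the olcModuleList entry that loads memberof.la, whereas the overlay is activated by the olcOverlay={0}memberof entry under olcDatabase={1}hdb that follows it in the same file. If a cn=module{0} entry already exists in cn=config, adding a second entry with that RDN fails with "Already exists", which is the real reason an unused index such as {1} is needed; the same reasoning is why the refint file omits the index and lets slapd assign it. The two "Check results" steps would also be more robust as a query than as a cat on a guessed file name, e.g. `ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcModuleList)' olcModuleLoad`, which lists every loaded module whatever index it received.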
  
  
Line 81: Line 239:
 
==Test==
 
==Test==
  
Install a LDAP client and test to access the server. It should be OK
+
Install a LDAP client and test to access the server. It should be OK ! ^-^
 +
 
 +
See the following page to get more information: [[LDAP client]]
 +
 
  
  
Line 93: Line 254:
 
==Generate server certificates==
 
==Generate server certificates==
  
See SSL documentation to generate a certificate for the current server.
+
See [[SSL server]] documentation to generate a certificate for the current server.
Hints
+
 
Do not encrypt your private key
+
 
You cannot generate 2 certificates with the same server name.
+
-- Hints --
 +
 
 +
* Do not encrypt your private key
 +
* You cannot generate 2 certificates with the same server name.
 +
 
 +
 
 
If you already have a server certificate for the current FQDN, please use it!
 
If you already have a server certificate for the current FQDN, please use it!
Make files accessible for OpenLDAP
+
 
You have to copy / symlink your server private key + server certificate and CA certificate.
+
 
# mkdir /etc/ldap/ssl
+
==Make files accessible for OpenLDAP==
# cd /etc/ldap/ssl
+
 
# ln -s /srv/ssl/private/ldapServer.nopass.key /etc/ldap/ssl/
+
You have to copy your server private key + server certificate and CA certificate.  
# ln -s /srv/ssl/certs/ldapServer.cert.pem /etc/ldap/ssl/
+
 
# ln -s /srv/ssl/cacerts.pem /etc/ldap/ssl/
+
<syntaxhighlight lang="bash">
# chown -R root:openldap /etc/ldap/ssl
+
mkdir /etc/ldap/ssl
Update SLAPD configuration
+
cd /etc/ldap/ssl
TO BE FINISHED
+
cp /srv/ssl/private/ldapServer.nopass.key ldapServer.key
Edit slapd.conf
+
cp /srv/ssl/certs/ldapServer.cert.pem ldapServer.pem
>> Where is it ?!?
+
cp /srv/ssl/cacerts.pem .
Add / update following values:
+
chown -R root:openldap /etc/ldap/ssl
TLSCACertificateFile /etc/ldap/ssl/cacerts.pem
+
</syntaxhighlight>
TLSCertificateFile /etc/ldap/ssl/ldapServer.cert.pem
+
 
TLSCertificateKeyFile /etc/ldap/ssl/ldapServer.nopass.key
+
 
TLSCipherSuite HIGH:MEDIUM:+SSLv2
+
... Symlink might work but you can have some rights issues. It's just simpler - in my case - to copy the data.
Enable SSL
+
 
Edit SLAP service to start in SSL mode
+
 
# vim /etc/default/slapd
+
 
Adjust
+
==Register certificates==
# SLAPD_SERVICES="ldap:/// ldapi:///"
+
 
SLAPD_SERVICES="ldaps:///"
+
 
Restart service
+
===SLAPD service===
# service slapd restart
+
 
Connect to the server on port 686Apache 2
+
Since OpenLDAP 2.4 there is no more "slapd.conf" file.  
Modules
+
 
You have to enable to the following modules:
+
All the configuration is now dynamic and set in database.
# a2enmod authnz_ldap
+
 
Virtual host / service configuration
+
 
List of apache 2.2.x modules with roles and recommended values:
+
 
+
'''Create the .ldif file'''
AuthType
+
 
Role
+
<syntaxhighlight lang="bash">
Value
+
vim /etc/ldap/slapd.d/tls.ldif
Mandatory
+
</syntaxhighlight>
+
 
AuthName
+
Add the following params:
Role
+
 
Value
+
<syntaxhighlight lang="bash">
Mandatory
+
dn: cn=config
+
add: olcTLSCACertificateFile
Value
+
olcTLSCACertificateFile: /etc/ldap/ssl/cacerts.pem
Mandatory
+
-
Value
+
add: olcTLSCertificateFile
Mandatory
+
olcTLSCertificateFile: /etc/ldap/ssl/ldapServer.pem
The distinguished name (DN) of service account.
+
-
This user will be used to scan the LDAP and perform real user authentication
+
add: olcTLSCertificateKeyFile
UID=myUser,OU=myGroup,DC=myServer
+
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldapServer.key
uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu
+
</syntaxhighlight>
No
+
 
AuthLDAPBindPassword
+
 
Role
+
 
Value
+
'''Adjust rights'''
Mandatory
+
 
+
<syntaxhighlight lang="bash">
Tells Apache whether or not a failed authentication request can be passed to other
+
chown openldap:openldap /etc/ldap/slapd.d/tls.ldif
Apache modules
+
</syntaxhighlight>
off
+
 
Yes
+
 
AuthLDAPBindDN
+
 
Role
+
'''Apply the configuration'''
+
 
This tells Apache which authentication module you want to use for
+
<syntaxhighlight lang="bash">
ldap
+
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/tls.ldif
Yes
+
</syntaxhighlight>
AuthzLDAPAuthoritative
+
 
Role
+
 
+
 
Authentication window name
+
'''Allow TLS protocol'''
“Authentication to my service”
+
 
Yes
+
<syntaxhighlight lang="bash">
AuthBasicProvider
+
vim /etc/default/slapd
Role
+
</syntaxhighlight>
Value
+
 
Mandatory
+
 
+
Add the "ldaps" protocol (line 24):
This tells Apache which authentication module you want to use
+
 
basic
+
<syntaxhighlight lang="bash">
Yes
+
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
The password for the user account configured via the AuthLDAPBindDN directive
+
 
No
+
# For more security you can now restrict the LDAP to localhost
AuthLDAPURL
+
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
Role
+
</syntaxhighlight>
Value
+
 
Mandatory
+
 
URL that tells:
+
 
- Where the directory server is,
+
'''Restart the service'''
- Where to look for users at,
+
 
- What user attribute is used to identify a user
+
<syntaxhighlight lang="bash">
ldap://myServer:389/OU=group&,OU=group2,DC=myServer?attribute
+
/etc/init.d/slapd restart
ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com
+
</syntaxhighlight>
ldap://localhost:389/ou=people,dc=vehco,dc=com?uid
+
 
Yes
+
 
See Apache 2 documentation to get more infoInstallation # Graphical interface [server side]
+
 
Packages
+
===OpenLDAP configuration===
# apt-get install phpldapadmin
+
 
# apt-get install php-fpdf
+
'''Edit the LDAP configuration'''
Source: http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
+
 
Edit configuration
+
<syntaxhighlight lang="bash">
# vim /etc/phpldapadmin/config.php
+
vim /etc/ldap/ldap.conf
Edit / adjust following lines:
+
</syntaxhighlight>
278
+
 
282
+
 
286
+
Adjust the TLS certificate path
293
+
 
296
+
<syntaxhighlight lang="bash">
300
+
TLS_CACERT      /etc/ldap/ssl/cacerts.pem
318
+
</syntaxhighlight>
326
+
 
$servers = new Datastore();
+
You have to use the same as before in the "slapd" configuration.
$servers->newServer('ldap_pla');
+
 
$servers->setValue('server','name','DEV daxiongmao.eu LDAP');
+
 
$servers->setValue('server','host','dev.daxiongmao.eu');
+
'''Restart service'''
// $servers->setValue('server','port',389);
+
 
$servers->setValue('server','base',array('dc=dev,dc=daxiongmao,dc=eu'));
+
<syntaxhighlight lang="bash">
$servers->setValue('login','auth_type','session');
+
service slapd restart
$servers->setValue('login','bind_id','cn=admin,dc=dev,dc=daxiongmao,dc=eu');
+
</syntaxhighlight>
Reload apache2 configuration
+
 
# service apache2 reload
+
 
Access service
+
Now you can connect to the server on port 686 and test your LDAP server over TLS!
Then you can access Ldap Account Manager on: http://myServer/phpldapadmin
+
 
Improve security
+
 
For better security you should not use /phpldapadmin but something else.
+
'''Bonus'''
Edit configuration file:
+
 
# vim /etc/phpldapadmin/apache.conf
+
Now you can edit your firewall and close the port 389
Adjust
+
 
# Define /phpldapadmin alias, this is the default
+
 
<IfModule mod_alias.c>
+
 
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
+
=Populate the LDAP db (manual)=
</IfModule>
+
 
Replace phpldapadmin by your own value. For instance: ldapmanager
+
==Create root schema==
Login using Admin password
+
 
Login:
+
<syntaxhighlight lang="bash">
Login user:
+
cd /etc/ldap
cn=admin,{ldap DN}Basic configuration
+
vim daxiongmao.eu_core.ldif
Create Organizational Units
+
</syntaxhighlight>
Create a child entry
+
 
Generic organizational unit [ou=]
+
 
Create:
+
Put the following and adjust:
 people
+
* Domain name (here it's ''daxiongmao.eu'')
 groups
+
* Admin password (here it's ''PASSWORD_ADMIN'')
Create Groups
+
 
Then, create 2 groups called “administrators” & “users”
+
 
Click on ou=groups
+
<syntaxhighlight lang="scheme">
Create a child entry
+
##### LDAP domain declaration
Create a generic posix group [cn=]
+
dn: dc=daxiongmao,dc=eu
Create:
+
objectClass: top
 administrators
+
objectClass: dcObject
 users
+
objectclass: organization
Create Users
+
o: Server Organization
Create some users
+
dc: Daxiongmao
Click on ou=people
+
description: Daxiongmao.eu root LDAP
Create a child entry
+
Create a generic User Account [ua=]Installation # Graphical interface [client side]
+
#### Admin user
On the local machine you can download a LDAP browser to manage it remotely.
+
dn: cn=admin,dc=daxiongmao,dc=eu
I’ll use “LDAP Admin” http://www.ldapadmin.org/
+
objectClass: simpleSecurityObject
Installation
+
objectClass: organizationalRole
 Download the latest version
+
cn: admin
o Choose the EXE version
+
description: LDAP administrator
 Unzip it to the target directory
+
userPassword: PASSWORD_ADMIN
Create new connection
+
 Just run “LdapAdmin.exe”
+
#### People
 Start  Connect
+
# List of LDAP users. An user can be a human or a service account
 Create a new connection
+
dn: ou=people,dc=daxiongmao,dc=eu
o Double click on “new connection”
+
objectClass: organizationalUnit
Fill up the form like this:
+
ou: people
LDAP Dn
+
Then you can connect to the remote server
+
#### Groups
Admin accountConfiguration
+
dn: ou=groups,dc=daxiongmao,dc=eu
Create new Organizational Units
+
objectClass: organizationalUnit
Right click to the root  New  Organizational Unit...
+
ou: groups
Create:
+
+
#### Locations
+
dn: ou=locations,dc=daxiongmao,dc=eu
+
objectClass: organizationalUnit
+
ou: locations
people
+
groups
+
#### hosts
locations
+
dn: ou=hosts,dc=daxiongmao,dc=eu
applications
+
objectClass: organizationalUnit
for users
+
ou: hosts
for users groups
+
 
specific area
+
</syntaxhighlight>
Create new groups
+
 
 Right click on “ou=groups”  New  Group...
+
 
Create:
+
[!] Don't forget the empty line at the end of the file
 administrators
+
 
 users
+
 
 services
+
 
Domain administrators
+
Apply schema
Domain users
+
 
System and services accounts
+
<syntaxhighlight lang="bash">
Create locations structure
+
ldapadd -x -D cn=admin,dc=daxiongmao,dc=eu -W -f daxiongmao.eu_core.ldif
 Right click on “ou=locations”  New  Location...
+
</syntaxhighlight>
You can create a location tree to sort your users.
+
 
Example:
+
 
Create users
+
 
 Right click on “ou=users”  New  User...
+
==Create users==
 You can organized your users by sub organizational units as wellFill up the form
+
 
Mandatory
+
<syntaxhighlight lang="bash">
Home directory must
+
cd /etc/ldap
match username
+
vim daxiongmao.eu_users.ldif
Depending on your local policy, the username might be:
+
</syntaxhighlight>
 FirstName.LastName
+
 
 [1 st letter first name][last name]
+
 
 It doesn’t matter as long as this is the same pattern for all users!
+
Put and adjust the following:
Register the user to some group
+
* user name
Don’t forget to set the
+
* User password
primary group!Edit user
+
* UID number (it must be unique)
To update the user using the same wizard:
+
* UID must match the beginning of the dn (uid=)
 Right click on user  Properties
+
 
The Edit Entry... is a technical link.
+
<syntaxhighlight lang="scheme">
You can add email + address data.
+
#### Users list
 +
dn: uid=guillaume.diaz,ou=people,dc=daxiongmao,dc=eu
 +
objectClass: inetOrgPerson
 +
objectClass: posixAccount
 +
objectClass: shadowAccount
 +
uid: guillaume.diaz
 +
sn: Diaz
 +
givenName: Guillaume
 +
cn: Guillaume Diaz
 +
displayName: Guillaume Diaz
 +
initials: GD
 +
mail: guillaume@qin-diaz.com
 +
title: System Administrator
 +
uidNumber: 1000
 +
gidNumber: 10000
 +
userPassword: PASSWORD_GUILLAUME
 +
loginShell: /bin/bash
 +
homeDirectory: /home/guillaume.diaz
 +
shadowExpire: -1
 +
shadowFlag: 0
 +
 
 +
 
 +
dn: uid=jenkins,ou=people,dc=daxiongmao,dc=eu
 +
objectClass: inetOrgPerson
 +
objectClass: posixAccount
 +
objectClass: shadowAccount
 +
uid: jenkins
 +
sn: Jenkins
 +
cn: Jenkins
 +
displayName: Jenkins
 +
initials: CI
 +
uidNumber: 1001
 +
gidNumber: 10000
 +
userPassword: PASSWORD_JENKINS
 +
shadowExpire: -1
 +
shadowFlag: 0
 +
shadowWarning: 7
 +
 
 +
</syntaxhighlight>
 +
 
 +
 
 +
[!] Note that the GID 10000 is not important. This group doesn't even exists !! You can adjust it later on.  
 +
 
 +
 
 +
 
 +
Apply changes
 +
 
 +
<syntaxhighlight lang="bash">
 +
ldapadd -x -D cn=admin,dc=daxiongmao,dc=eu -W -f daxiongmao.eu_users.ldif
 +
</syntaxhighlight>
 +
 
 +
 
 +
 
 +
==Create a group==
 +
 
 +
By default OpenLDAP will create ''posixGroup'' (~ Unix like).
 +
 
 +
Those are nice but they do NOT support the membership relations. That's a very big limitation !! :(
 +
 
 +
 
 +
 
 +
You should always create '''groupOfNames''' instead of ''posixGroup'' !!
 +
 
 +
 
 +
<syntaxhighlight lang="bash">
 +
cd /etc/ldap
 +
vim daxiongmao.eu_groups.ldif
 +
</syntaxhighlight>
 +
 
 +
 
 +
Put and adjust the following:
 +
* group name
 +
 
 +
<syntaxhighlight lang="scheme">
 +
dn: cn=users,ou=groups,dc=vehco,dc=com
 +
objectClass: groupofnames
 +
cn: users
 +
description: Domain users (humans). This is the list of all the users that are allowed on the domain
 +
member: uid=guillaume.diaz,ou=people,dc=vehco,dc=com
 +
 
 +
 
 +
dn: cn=services,ou=groups,dc=vehco,dc=com
 +
objectClass: groupofnames
 +
cn: services
 +
description: Group for application's users
 +
member: uid=jenkins,ou=people,dc=daxiongmao,dc=eu
 +
 
 +
 
 +
dn: cn=ssh-users,ou=groups,dc=vehco,dc=com
 +
objectClass: groupofnames
 +
cn: ssh-users
 +
description: SSH users
 +
member: uid=guillaume.diaz,ou=people,dc=vehco,dc=com
 +
 
 +
</syntaxhighlight>
 +
 
 +
 
 +
Apply changes
 +
 
 +
<syntaxhighlight lang="bash">
 +
ldapadd -x -D cn=admin,dc=daxiongmao,dc=eu -W -f daxiongmao.eu_groups.ldif
 +
</syntaxhighlight>
 +
 
 +
 
 +
 
 +
 
 +
 
 +
=Populate LDAP db (graphical)=
 +
 
 +
Use your favorite LDAP client (see [[LDAP client]]) to populate the LDAP registry.
 +
 
 +
 
 +
==Create Organizational Units==
 +
 
 +
I advised you to create the following OU=
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Organization !! Description
 +
|-
 +
| OU=people|| for users
 +
|-
 +
| OU=groups|| for groups such as: application | IT | company | project groups
 +
|-
 +
| OU=locations|| specific area
 +
|-
 +
| OU=applications|| for applications' virtual users
 +
|}
 +
 
 +
 
 +
 
 +
==Create Groups==
 +
 
 +
In the "OU=groups" create:
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Group !! Description
 +
|-
 +
| CN=users|| domain users
 +
|-
 +
| CN=administrators|| for system administrators
 +
|-
 +
| CN=services|| System and services accounts
 +
|}
 +
 
 +
 
 +
 
 +
==Create locations==
 +
 
 +
Under 'locations' create a location for each office | home | place that you'll have in your registry.
 +
 
 +
 
 +
In the "OU=location" create:
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Location !! Description
 +
|-
 +
| l=France|| French users
 +
|-
 +
| l=Sweden|| Swedish users
 +
|}
 +
 
 +
 
 +
 
 +
==Create Users==
 +
 
 +
* Inside '''ou=people''' create a new '''UID''' for each user + make that user a member of ''OU=groups,CN=users''
 +
 
 +
 
 +
 
 +
* Inside '''ou=applications''' create a new UID for each application or service that will use the LDAP + make that a member of ''OU=groups,CN=services''
 +
 
 +
 
 +
 
 +
Example of minimal structure:
 +
[[File:LDAP_min_structure.png|none|LDAP minimal structure]]
 +
 
 +
 
 +
 
 +
=Apache 2=
 +
 
 +
See Apache 2 documentation to get more info: [[Apache 2 - LDAP access]]
 +
 
 +
 
 +
 
 +
=References=
 +
 
 +
LDAP explanations (French):
 +
* http://www-sop.inria.fr/members/Laurent.Mirtain/ldap-livre.html
 +
* http://www-sop.inria.fr/members/Laurent.Mirtain/ldap-slide.pdf
 +
 
 +
 
 +
Overlays "memberOf" + "refint" :
 +
* http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overlay-ubuntu-12-04/
 +
* http://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/
 +
 
 +
 
 +
LDAP howTo (french)
 +
* http://www.jouvinio.net/wiki/index.php/OpenLDAP_Installation
 +
* http://www.jouvinio.net/wiki/index.php/Accueil
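Review bot: daxiongmao.eu_groups.ldif mixes suffixes: the three group DNs and two of the member DNs are under dc=vehco,dc=com while the database, the admin bind DN and the users file use dc=daxiongmao,dc=eu, so `ldapadd -x -D cn=admin,dc=daxiongmao,dc=eu` will reject those entries (they are not in this database) and the page's own memberOf overlay, configured on olcDatabase={1}hdb, would never see them; replace dc=vehco,dc=com with dc=daxiongmao,dc=eu throughout. Two smaller points in the same hunk: "connect to the server on port 686" should be 636, the port used by the firewall rule and by ldaps:///; and after copying ldapServer.key into /etc/ldap/ssl, `chown -R root:openldap` should be paired with a chmod that removes world access from the private key (e.g. `chmod 640 ldapServer.key`), since cp leaves the file with the umask's default mode. The clear-text values (userPassword: PASSWORD_ADMIN and friends) would also be better replaced with slappasswd output before the files are applied, so no clear-text password is left on disk in /etc/ldap.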

Latest revision as of 13:49, 28 August 2014


LDAP server


Installation

Packages

apt-get install slapd ldap-utils

# For SSL - TLS access
apt-get install gnutls-bin

You'll have to choose an LDAP admin password. Choose a strong password!!


Set domain

Edit configuration file:

vim /etc/ldap/ldap.conf


Uncomment and adjust:

BASE dc=dev,dc=daxiongmao,dc=eu
URI ldap://dev.daxiongmao.eu


Launch LDAP configuration

Launch configuration:

dpkg-reconfigure slapd
  • Select NO to the first question = it will create a new database
  • Current LDAP server: "dev.daxiongmao.eu". This must match your (DC=...,DC=....,DC=....)
  • Name of your organization: daxiongmao.eu
  • Root LDAP server: put your root or the same value as before.
  • Put your administrator password - the same as earlier
  • Select HDB (Berkeley database)
  • Do NOT remove database on package removal
  • Move old database
  • Do NOT allow LDAP v2


Open firewall

Add the following rules to your firewall

# LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 389 -j ACCEPT # LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 636 -j ACCEPT # LDAP over SSL



Add overlays

By default OpenLDAP does NOT enable all the LDAP features: the overlays below have to be loaded explicitly.

You should enable:

  • the group membership: a user has some group memberships (memberOf); each group has a set of members (member attribute).
  • the Referential Integrity: to apply all changes in cascade


MemberOf overlay

This will enable the group membership attribute "memberOf" on each user

=> This attribute "memberOf" will hold the complete DN of all the user's groups


Module setup

Create the module configuration's file:

cd /etc/ldap
vim memberof.ldif


Put the following content:

dn: cn=module{1},cn=config
cn: module{1}
objectClass: olcModuleList
objectClass: top
olcModuleLoad: memberof.la
olcModulePath: /usr/lib/ldap


dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf


[!] The overlay must be applied on "cn=module{1}" for declaration + automatic application.

   otherwise, if "cn=module{0}", the attribute will be supported but not automatically used.


[!] Don't forget the empty line at the end


Apply configuration

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof.ldif
service slapd restart


Check results

cat /etc/ldap/slapd.d/cn=config/cn=module{1}.ldif



"Referential integrity" overlay

When enabled, the Referential Integrity plug-in performs integrity updates on the specified attributes immediately after a delete, rename, or move operation.

=> It will apply the "memberOf" on the user + "member" on the group automatically


Module setup

Create the module configuration's file:

cd /etc/ldap
vim referential_integrity.ldif


Put the following content:

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
objectClass: top
olcModuleLoad: refint.la
olcModulePath: /usr/lib/ldap

dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner


[!] Don't forget the empty line at the end


[!] Unlike "memberOf" you don't need to specify the "cn=module{x}": you can let OpenLDAP decide it for you (== it should be module{2} then!)


Apply configuration

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f referential_integrity.ldif
service slapd restart


Check results

cat /etc/ldap/slapd.d/cn=config/cn=module{2}.ldif
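To make the behaviour of the two overlays concrete, here is an added example (not code from the wiki page or from OpenLDAP): a small in-memory model of what memberOf and refint do, run on entries that mirror the page's users and groups. The object-class and attribute names are the ones set in memberof.ldif and referential_integrity.ldif above; the sample directory and the `cn=errors` placeholder used for refint_nothing are constructed assumptions for the example.

```python
# Added example, not code from the wiki page or from OpenLDAP: a small in-memory
# model of the two overlays configured above. Entries are dicts keyed by DN with
# list-valued attributes; the attribute and object-class names are the ones set
# in memberof.ldif and referential_integrity.ldif on this page.

GROUP_OC = "groupOfNames"       # olcMemberOfGroupOC
MEMBER_AD = "member"            # olcMemberOfMemberAD
MEMBEROF_AD = "memberOf"        # olcMemberOfMemberOfAD
REFINT_ATTRS = {"memberof", "member", "manager", "owner"}   # olcRefintAttribute, lower-cased

BASE = "dc=daxiongmao,dc=eu"

# Constructed sample mirroring the page's users and groups. One member DN is written
# with different case and spacing, one points at a user that does not exist, and one
# group is a posixGroup to show that the memberOf overlay does not track it.
SAMPLE = {
    f"uid=guillaume.diaz,ou=people,{BASE}": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["guillaume.diaz"]},
    f"uid=jenkins,ou=people,{BASE}": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["jenkins"]},
    f"cn=users,ou=groups,{BASE}": {
        "objectClass": ["groupOfNames"], "cn": ["users"],
        "member": [f"uid=guillaume.diaz,ou=people,{BASE}"]},
    f"cn=services,ou=groups,{BASE}": {
        "objectClass": ["groupOfNames"], "cn": ["services"],
        "member": [f"uid=jenkins,ou=people,{BASE}"]},
    f"cn=ssh-users,ou=groups,{BASE}": {
        "objectClass": ["groupOfNames"], "cn": ["ssh-users"],
        "member": [f"UID=Guillaume.Diaz, ou=people,{BASE}",      # same user, different spelling
                   f"uid=nobody,ou=people,{BASE}"]},              # dangling reference
    f"cn=legacy,ou=groups,{BASE}": {
        "objectClass": ["posixGroup"], "cn": ["legacy"],
        "gidNumber": ["10000"], "memberUid": ["guillaume.diaz"]},
}


def norm_dn(dn):
    """Normalise a DN for comparison: DN matching ignores case and the
    whitespace around the commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def compute_memberof(entries):
    """Return a copy of the entries with memberOf rebuilt from the member lists
    of every groupOfNames, which is the relation the memberOf overlay keeps
    up to date on each group write."""
    result = {dn: {a: list(v) for a, v in attrs.items() if a.lower() != MEMBEROF_AD.lower()}
              for dn, attrs in entries.items()}
    by_norm = {norm_dn(dn): dn for dn in result}
    for gdn, attrs in result.items():
        classes = {oc.lower() for oc in attrs.get("objectClass", [])}
        if GROUP_OC.lower() not in classes:
            continue   # posixGroup and others are ignored: only olcMemberOfGroupOC is tracked
        for member in attrs.get(MEMBER_AD, []):
            target = by_norm.get(norm_dn(member))
            if target is None:
                continue   # olcMemberOfDangling: ignore -> a member DN with no entry is tolerated
            result[target].setdefault(MEMBEROF_AD, []).append(gdn)
    return result


def delete_entry(entries, dn, nothing_dn="cn=errors"):
    """Delete an entry and, as the refint overlay does, drop every reference to it
    from the attributes listed in olcRefintAttribute on all remaining entries.
    `nothing_dn` plays the role of refint_nothing (an assumed value here): it
    replaces the last value of an attribute that would otherwise become empty,
    because groupOfNames requires at least one member."""
    target = norm_dn(dn)
    remaining = {}
    for edn, attrs in entries.items():
        if norm_dn(edn) == target:
            continue
        cleaned = {}
        for attr, values in attrs.items():
            if attr.lower() in REFINT_ATTRS:
                kept = [v for v in values if norm_dn(v) != target]
                if values and not kept:
                    kept = [nothing_dn]
                cleaned[attr] = kept
            else:
                cleaned[attr] = list(values)
        remaining[edn] = cleaned
    return remaining


def groups_of(entries, dn):
    """memberOf values of `dn` after recomputation, sorted for easy comparison."""
    return sorted(compute_memberof(entries).get(dn, {}).get(MEMBEROF_AD, []))


if __name__ == "__main__":
    print("guillaume.diaz is memberOf:", groups_of(SAMPLE, f"uid=guillaume.diaz,ou=people,{BASE}"))
    after = delete_entry(compute_memberof(SAMPLE), f"uid=guillaume.diaz,ou=people,{BASE}")
    print("cn=users members after the delete:", after[f"cn=users,ou=groups,{BASE}"]["member"])
```

Running it shows the two effects the text describes: memberOf on a user is derived from the groupOfNames entries that list him (the posixGroup contributes nothing, and the differently spelled DN still matches), and deleting the user strips him from every group, with the placeholder standing in where a group would otherwise lose its last mandatory member.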



Maintenance operations

Know your configuration

Display LDAP configuration's structure

find /etc/ldap/slapd.d/ | sed 's/[^/]*\//|   /g;s/| *\([^| ]\)/+--- \1/'


Export database

The whole database may be exported as ldif file using this command:

slapcat


Get current configuration:

slapcat -b cn=config


Test

Install an LDAP client and test access to the server. It should be OK ! ^-^

See the following page to get more information: LDAP client



Installation # Encryption – SSL

By default OpenLDAP communication is not encrypted. Therefore, if users authenticate with clear-text passwords, anyone who can observe the traffic can read and reuse them.


Generate server certificates

See SSL server documentation to generate a certificate for the current server.


-- Hints --

  • Do not encrypt your private key
  • You cannot generate 2 certificates with the same server name.


If you already have a server certificate for the current FQDN, please use it!


Make files accessible for OpenLDAP

You have to copy your server private key + server certificate and CA certificate.

mkdir /etc/ldap/ssl
cd /etc/ldap/ssl
cp /srv/ssl/private/ldapServer.nopass.key ldapServer.key
cp /srv/ssl/certs/ldapServer.cert.pem ldapServer.pem
cp /srv/ssl/cacerts.pem .
chown -R root:openldap /etc/ldap/ssl


... Symlinks might work but you can run into permission issues. It's just simpler - in my case - to copy the data.


Register certificates

SLAPD service

Since OpenLDAP 2.4 the "slapd.conf" file is no longer used.

All the configuration is now dynamic and stored in the cn=config database.


Create the .ldif file

vim /etc/ldap/slapd.d/tls.ldif

Add the following params:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/cacerts.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldapServer.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldapServer.key


Adjust rights

chown openldap:openldap /etc/ldap/slapd.d/tls.ldif


Apply the configuration

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/tls.ldif


Allow TLS protocol

vim /etc/default/slapd


Add the "ldaps" protocol (line 24):

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

# For more security you can now restrict the LDAP to localhost
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"


Restart the service

/etc/init.d/slapd restart


OpenLDAP configuration

Edit the LDAP configuration

vim /etc/ldap/ldap.conf


Adjust the TLS certificate path

TLS_CACERT      /etc/ldap/ssl/cacerts.pem

This must be the same CA file as the one registered in the "slapd" configuration (olcTLSCACertificateFile).


Restart service

service slapd restart


Now you can connect to the server on port 636 and test your LDAP server over TLS!


Bonus

Now you can edit your firewall and close the port 389


Populate the LDAP db (manual)

Create root schema

cd /etc/ldap
vim daxiongmao.eu_core.ldif


Put the following and adjust:

  • Domain name (here it's daxiongmao.eu)
  • Admin password (here it's PASSWORD_ADMIN)


##### LDAP domain declaration
dn: dc=daxiongmao,dc=eu
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server Organization
dc: Daxiongmao
description: Daxiongmao.eu root LDAP
 
#### Admin user
dn: cn=admin,dc=daxiongmao,dc=eu
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: PASSWORD_ADMIN
 
#### People 
# List of LDAP users. A user can be a human or a service account
dn: ou=people,dc=daxiongmao,dc=eu
objectClass: organizationalUnit
ou: people
 
#### Groups
dn: ou=groups,dc=daxiongmao,dc=eu
objectClass: organizationalUnit
ou: groups
 
#### Locations
dn: ou=locations,dc=daxiongmao,dc=eu
objectClass: organizationalUnit
ou: locations
 
#### hosts
dn: ou=hosts,dc=daxiongmao,dc=eu
objectClass: organizationalUnit
ou: hosts


[!] Don't forget the empty line at the end of the file


Apply schema

ldapadd -x -D cn=admin,dc=daxiongmao,dc=eu -W -f daxiongmao.eu_core.ldif


Create users

cd /etc/ldap
vim daxiongmao.eu_users.ldif


Put and adjust the following:

  • user name
  • User password
  • UID number (it must be unique)
  • UID must match the beginning of the dn (uid=)

#### Users list
dn: uid=guillaume.diaz,ou=people,dc=daxiongmao,dc=eu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: guillaume.diaz
sn: Diaz
givenName: Guillaume
cn: Guillaume Diaz
displayName: Guillaume Diaz
initials: GD
mail: guillaume@qin-diaz.com
title: System Administrator
uidNumber: 1000
gidNumber: 10000
userPassword: PASSWORD_GUILLAUME
loginShell: /bin/bash
homeDirectory: /home/guillaume.diaz
shadowExpire: -1
shadowFlag: 0


dn: uid=jenkins,ou=people,dc=daxiongmao,dc=eu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jenkins
sn: Jenkins
cn: Jenkins
displayName: Jenkins
initials: CI
uidNumber: 1001
gidNumber: 10000
userPassword: PASSWORD_JENKINS
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7


[!] Note that the GID 10000 is not important. This group doesn't even exist !! You can adjust it later on.


Apply changes

ldapadd -x -D cn=admin,dc=daxiongmao,dc=eu -W -f daxiongmao.eu_users.ldif
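The core and users files above store every userPassword in clear text (PASSWORD_ADMIN, PASSWORD_GUILLAUME, ...). OpenLDAP accepts hashed values in the same attribute, and slappasswd produces them; the following added example (not code from the wiki page or from OpenLDAP) shows what the default {SSHA} scheme actually is and rewrites the clear-text lines of an LDIF text before it is handed to ldapadd. The `hash_ldif_passwords` helper and the sample LDIF are constructed for the example.

```python
# Added example, not code from the wiki page or from OpenLDAP: how to store the
# userPassword values of the LDIF files above as salted SHA-1 ({SSHA}) hashes,
# the scheme slappasswd produces by default, instead of clear text. The LDIF
# rewriting helper and the sample text are constructed for this example.
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes


def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt), the storage
    format OpenLDAP understands for userPassword. A random 4-byte salt is
    drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value: the salt is
    whatever follows the 20-byte digest, so any salt length round-trips."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def hash_ldif_passwords(ldif_text):
    """Rewrite every clear-text 'userPassword:' line of an LDIF text with its
    {SSHA} hash. Values that already carry a {scheme} prefix, and base64
    ('userPassword::') values, are left untouched."""
    out = []
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "userpassword" and not value.startswith(":"):
            value = value.strip()
            if not value.startswith("{"):
                line = f"{name}: {ssha_hash(value)}"
        out.append(line)
    return "\n".join(out) + ("\n" if ldif_text.endswith("\n") else "")


# Constructed sample mirroring the admin entry of daxiongmao.eu_core.ldif
SAMPLE_LDIF = """dn: cn=admin,dc=daxiongmao,dc=eu
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: PASSWORD_ADMIN
"""

if __name__ == "__main__":
    print(hash_ldif_passwords(SAMPLE_LDIF))
```

On a real server the stock tool does the same job (`slappasswd -s 'the password'` prints an {SSHA} value to paste into the LDIF); the point of the example is that the clear-text files in /etc/ldap never need to contain the password itself. {SSHA} is salted SHA-1, which resists rainbow tables but not fast offline guessing; stronger schemes such as {SSHA512} from the pw-sha2 module exist and are stored the same way, with a different prefix.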


Create a group

By default OpenLDAP will create posixGroup entries (~ Unix-like groups).

Those are nice but they do NOT support the membership relations: the memberOf overlay configured above only tracks groupOfNames (olcMemberOfGroupOC), so members of a posixGroup never get a memberOf attribute. That's a very big limitation !! :(


You should always create groupOfNames instead of posixGroup !!


cd /etc/ldap
vim daxiongmao.eu_groups.ldif


Put and adjust the following:

  • group name

dn: cn=users,ou=groups,dc=daxiongmao,dc=eu
objectClass: groupOfNames
cn: users
description: Domain users (humans). This is the list of all the users that are allowed on the domain
member: uid=guillaume.diaz,ou=people,dc=daxiongmao,dc=eu


dn: cn=services,ou=groups,dc=daxiongmao,dc=eu
objectClass: groupOfNames
cn: services
description: Group for application's users
member: uid=jenkins,ou=people,dc=daxiongmao,dc=eu


dn: cn=ssh-users,ou=groups,dc=daxiongmao,dc=eu
objectClass: groupOfNames
cn: ssh-users
description: SSH users
member: uid=guillaume.diaz,ou=people,dc=daxiongmao,dc=eu


Apply changes

ldapadd -x -D cn=admin,dc=daxiongmao,dc=eu -W -f daxiongmao.eu_groups.ldif
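Several of the remarks in this section (the empty line at the end of the file, the uid matching the DN, unique uidNumber values, member DNs that must point at real entries) are only discovered when ldapadd rejects the file. The following added example (not code from the wiki page or from OpenLDAP) checks them offline: a minimal LDIF parser plus a checker run over two constructed files, one of which reproduces the mixed dc=vehco,dc=com / dc=daxiongmao,dc=eu suffix that appeared in the group example and lacks the final empty line. The checker also flags userPassword values without a {scheme} prefix, i.e. clear-text passwords.

```python
# Added example, not part of the wiki page: an offline sanity check for the
# LDIF files built in this section before they are handed to ldapadd. It parses
# each file, then checks the points the text insists on (trailing empty line,
# uid matching the DN, unique uidNumber) plus two things ldapadd only reports
# at apply time: entries outside the database suffix and member DNs that do not
# exist. The sample files below are constructed for the example.
import base64

BASE = "dc=daxiongmao,dc=eu"


def norm_dn(dn):
    """DN comparison ignores case and whitespace around the commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF reader: returns [(dn, {attr: [values]})]. Supports '#'
    comments, folded continuation lines (leading space) and '::' base64 values."""
    entries, logical = [], []

    def flush():
        dn, attrs = None, {}
        for raw in logical:
            name, sep, value = raw.partition(":")
            if not sep:
                continue
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
        logical.clear()

    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            flush()                      # an empty line ends the current entry
        elif line.startswith(" ") and logical:
            logical[-1] += line[1:]      # folded continuation line
        else:
            logical.append(line)
    flush()
    return entries


def check_ldif_files(files, base=BASE):
    """files: {filename: text}. Returns a list of human-readable problems."""
    problems = []
    parsed = {name: parse_ldif(text) for name, text in files.items()}
    known = {norm_dn(dn) for entries in parsed.values() for dn, _ in entries}
    seen_uidnumber = {}
    nb = norm_dn(base)
    for name, text in files.items():
        if not text.endswith("\n"):
            problems.append(f"{name}: file does not end with an empty line")
        for dn, attrs in parsed[name]:
            nd = norm_dn(dn)
            if nd != nb and not nd.endswith("," + nb):
                problems.append(f"{name}: {dn} is outside the suffix {base}")
            rdn_type, _, rdn_value = dn.split(",", 1)[0].partition("=")
            if rdn_type.strip().lower() == "uid" and rdn_value.strip() not in attrs.get("uid", []):
                problems.append(f"{name}: {dn} has no matching 'uid:' attribute")
            for n in attrs.get("uidNumber", []):
                if n in seen_uidnumber:
                    problems.append(f"{name}: uidNumber {n} of {dn} already used by {seen_uidnumber[n]}")
                seen_uidnumber.setdefault(n, dn)
            for pw in attrs.get("userPassword", []):
                if not pw.startswith("{"):
                    problems.append(f"{name}: {dn} stores userPassword in clear text")
            for member in attrs.get("member", []):
                if norm_dn(member) not in known:
                    problems.append(f"{name}: member {member} of {dn} matches no entry")
    return problems


# Constructed sample: the users file is fine except for one clear-text password;
# the groups file has one group under the wrong suffix and lacks the final empty line.
SAMPLE_FILES = {
    "daxiongmao.eu_users.ldif": (
        "dn: uid=guillaume.diaz,ou=people,dc=daxiongmao,dc=eu\n"
        "objectClass: inetOrgPerson\nobjectClass: posixAccount\n"
        "uid: guillaume.diaz\nuidNumber: 1000\ngidNumber: 10000\n"
        "userPassword: {SSHA}constructed-hash-value\n"
        "\n"
        "dn: uid=jenkins,ou=people,dc=daxiongmao,dc=eu\n"
        "objectClass: inetOrgPerson\nobjectClass: posixAccount\n"
        "uid: jenkins\nuidNumber: 1001\ngidNumber: 10000\n"
        "userPassword: PASSWORD_JENKINS\n"
    ),
    "daxiongmao.eu_groups.ldif": (
        "dn: cn=users,ou=groups,dc=vehco,dc=com\n"
        "objectClass: groupOfNames\ncn: users\n"
        "member: uid=guillaume.diaz,ou=people,dc=vehco,dc=com\n"
        "\n"
        "dn: cn=services,ou=groups,dc=daxiongmao,dc=eu\n"
        "objectClass: groupOfNames\ncn: services\n"
        "member: uid=jenkins,ou=people,dc=daxiongmao,dc=eu"
    ),
}

if __name__ == "__main__":
    for problem in check_ldif_files(SAMPLE_FILES):
        print(problem)
```

Run against real files, `check_ldif_files({p: open(p).read() for p in paths})` reports the four problems of the sample (clear-text password, missing final empty line, group outside the suffix, member pointing at an entry that does not exist) before anything touches the server; entries that already live in the directory can be added to `known` by passing their DNs in an extra file.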



Populate LDAP db (graphical)

Use your favorite LDAP client (see LDAP client) to populate the LDAP registry.


Create Organizational Units

I advise you to create the following OUs:

Organization     Description
OU=people        for users
OU=groups        for groups such as: application | IT | company | project groups
OU=locations     specific area
OU=applications  for applications' virtual users


Create Groups

In the "OU=groups" create:

Group              Description
CN=users           domain users
CN=administrators  for system administrators
CN=services        System and services accounts


Create locations

Under 'locations' create a location for each office | home | place that you'll have in your registry.


In the "OU=locations" create:

Location  Description
l=France  French users
l=Sweden  Swedish users


Create Users

  • Inside ou=people create a new UID for each user + make that user a member of the cn=users group under ou=groups
  • Inside ou=applications create a new UID for each application or service that will use the LDAP + make it a member of the cn=services group under ou=groups


Example of minimal structure:

[Image: LDAP minimal structure]


Apache 2

See Apache 2 documentation to get more info: Apache 2 - LDAP access


References

LDAP explanations (French):
  • http://www-sop.inria.fr/members/Laurent.Mirtain/ldap-livre.html
  • http://www-sop.inria.fr/members/Laurent.Mirtain/ldap-slide.pdf


Overlays "memberOf" + "refint":
  • http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overlay-ubuntu-12-04/
  • http://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/


LDAP howTo (French):
  • http://www.jouvinio.net/wiki/index.php/OpenLDAP_Installation
  • http://www.jouvinio.net/wiki/index.php/Accueil