Difference between revisions of "OpenLDAP"
Latest revision as of 15:15, 24 November 2018
What is OpenLDAP?
OpenLdap is an open source implementation of the Lightweight Directory Access Protocol, a lightweight alternative to the X.500 Directory Access Protocol. In our installation we use it as an address book and authentication server. To keep it safe, LDAP access is restricted to localhost (the slapd daemon listens only on localhost, and the ldap and ldaps ports are closed at firewall level). The reference document to read is the OpenLDAP Admin Guide, but it is lengthy; Wikipedia has a nice summary page that helps to get the big picture.
Installing OpenLDAP
There is a chicken-and-egg problem between OpenLdap and Cyrus-SASL, as each references the other. So first install OpenLdap without --enable-spasswd --with-cyrus-sasl; then, after installing Cyrus-SASL (next chapter), reinstall OpenLdap with --enable-spasswd --with-cyrus-sasl (the next chapter reminds you of this). Download OpenLDAP, untar it into /usr/local, then compile and install as described below:
# tar -tvf openldap-x.y.z.tgz
# tar -C /usr/local -xvf openldap-x.y.z.tgz
# cd /usr/local
# chown -R root:root openldap-x.y.z
# cd openldap-x.y.z
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 --mandir=/usr/local/man \
    --disable-ipv6 --with-tls
# make depend
# make
# make test
# make install
# make clean
To prepare for running slapd as an unprivileged user, execute the commands below. Note: it is also a good idea to review the individual file permissions under the openldap directories and to restrict access to the ldap user:
# groupadd ldap
# mkdir /var/run/ldap
# useradd -s /bin/false -d /var/run/ldap -g ldap ldap
# chown -R ldap:ldap /etc/openldap /usr/local/etc/openldap /usr/local/var/openldap-data /var/run/ldap
Configuring OpenLDAP
OpenLdap is made of two daemons but we will use only one: slapd is the stand-alone LDAP daemon, and slurpd is the stand-alone LDAP update replication daemon, which we will not use (it is obsolete; OpenLDAP 2.4 replaced it with syncrepl). Below is a working example of a /usr/local/etc/openldap/slapd.conf configuration file that you can use, replacing only the domain and the rootpw value. The password-hash {CLEARTEXT} option is mandatory for SASL to use LDAP: the DIGEST-MD5 mechanism needs the cleartext password at verification time, so the storage format is enforced when the password is used, and the access rules on userPassword below are what keep those cleartext values from being read by other users. The authz-regexp maps a SASL authentication identity to a real entry in the directory; this mapping is useful because a client can authenticate without knowing anything about the underlying directory structure. Note that slapd uses the first access directive whose target matches, so the attribute-specific rules are placed before the catch-all one. See man slapd.conf for more configuration details.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
# referral ldap://root.openldap.org

pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
# Access directives are evaluated in order and the first one whose
# target matches is the only one used, so the rules for userPassword
# (stored in cleartext here) and authzTo must come BEFORE the catch-all
# "access to *", otherwise its "by users read" would expose them.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
    by self =dxw
    by users none
    by anonymous auth
access to attrs=authzTo
    by self none
    by users none
    by anonymous none
access to *
    by self write
    by users read
    by anonymous auth
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# proxy user definitions - SASL requires CLEARTEXT
# (the matching access rule for attrs=authzTo is in the block above)
#######################################################################
password-hash {CLEARTEXT}
authz-regexp uid=([^,]*),cn=digest-md5,cn=auth cn=$1,dc=domain,dc=com
authz-policy to

#######################################################################
# Berkeley Data Base front end definitions
#######################################################################
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# To generate an {SSHA} secret: slappasswd -s secret
rootpw {SSHA}16U2kC8+yDaWDtaKWsyvKSRHMWCUmcKg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indexing options for database #1
index objectClass eq
index cn,sn eq

#######################################################################
# TLS Certificates
#######################################################################
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCACertificatePath /etc/ssl/certs
TLSCertificateFile /etc/ssl/certs/mtacert.pem
TLSCertificateKeyFile /etc/ssl/private/ldap.mtakey.pem.unsecure
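An added audit script, written for this page and not part of the wiki or of OpenLDAP: slapd consults only the first access directive whose target matches, so an attrs=userPassword or attrs=authzTo rule placed after the catch-all "access to *" is never reached and "by users read" then applies to the cleartext passwords. The script checks that ordering in a slapd.conf and, as the page's chmod go-rx intends, that a file holding cleartext secrets is closed to group and others; the two sample configs are constructed inline, and the ls -l based mode check is an assumption that holds on GNU and BSD userlands.

```shell
#!/bin/sh
# Added example, not from the wiki page. Models one slapd.access(5) rule:
# "access to" directives are tried in order and the first whose target
# matches the attribute is the only one used, so rules after "access to *"
# are dead.

# acl_order_ok FILE ATTR: succeeds when "access to attrs=ATTR" appears before
# the first "access to *" (no catch-all is fine, no attribute rule is not).
acl_order_ok() {
    catchall=$(grep -n -E '^[[:space:]]*access[[:space:]]+to[[:space:]]+\*([[:space:]]|$)' "$1" \
        | head -n 1 | cut -d: -f1)
    specific=$(grep -n -E "^[[:space:]]*access[[:space:]]+to[[:space:]]+attrs=$2([[:space:],]|$)" "$1" \
        | head -n 1 | cut -d: -f1)
    [ -n "$specific" ] || return 1
    [ -n "$catchall" ] || return 0
    [ "$specific" -lt "$catchall" ]
}

# private_file FILE: succeeds when group and others have no permission bits,
# the state "chmod go-rx" leaves a freshly written 644 file in (mode 600).
# Assumes the classic ls -l layout: columns 5-10 are the group/other bits.
private_file() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed samples: the rule order as printed in the page's slapd.conf
# (catch-all first) and the same rules with the attribute rules moved ahead.
tmp=$(mktemp -d)
cat > "$tmp/shadowed.conf" <<'EOF'
access to * by self write by users read by anonymous auth
access to attrs=userPassword by self =dxw by users none by anonymous auth
access to attrs=authzTo by self none by users none by anonymous none
EOF
cat > "$tmp/fixed.conf" <<'EOF'
access to attrs=userPassword by self =dxw by users none by anonymous auth
access to attrs=authzTo by self none by users none by anonymous none
access to * by self write by users read by anonymous auth
EOF
chmod 644 "$tmp/shadowed.conf"
chmod 600 "$tmp/fixed.conf"

for f in shadowed fixed; do
    for a in userPassword authzTo; do
        acl_order_ok "$tmp/$f.conf" "$a" && echo "$f.conf: $a rule reachable" \
            || echo "$f.conf: $a rule shadowed by 'access to *'"
    done
    private_file "$tmp/$f.conf" && echo "$f.conf: mode ok" || echo "$f.conf: open to group/others"
done
```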
When using LDAP clients on the same host, the file /usr/local/etc/openldap/ldap.conf must include a TLS_CACERT directive specifying the same certificate as in TLSCACertificateFile above. BASE and URI in the stock file are the distribution's example values; set them to the suffix and the ldap://localhost/ URI actually used here:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com
URI ldap://ldap.example.com
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_CACERTDIR /etc/ssl/certs
After that slapd can also listen on the ldaps port (add an ldaps:/// URL to its -h option) and TLS will encapsulate the communications.
Running OpenLDAP
Start the stand-alone LDAP server slapd, then check that the server is running with ps -ef | grep slapd; if it is not, use the -d296 switch to troubleshoot from slapd's output (see man slapd for details). When OK, try an ldapsearch.
# /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
# ps -ef | grep slapd
# /usr/local/bin/ldapsearch -x -H ldap://localhost/ -b "" -s base "(objectclass=*)" namingContexts
Slapd runs as a daemon, so it must be launched at startup and stopped at shutdown. Update /etc/rc.d/rc.local and /etc/rc.d/rc.local_shutdown accordingly:
# vi /etc/rc.d/rc.local
. . .
# start slapd
if [ -x /usr/local/libexec/slapd ]; then
  echo "Starting slapd daemon: /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/"
  /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
fi
<esc> :x
# vi /etc/rc.d/rc.local_shutdown
. . .
# stop slapd
if [ -r /var/run/ldap/slapd.pid ]; then
  echo "Stopping slapd: kill -INT `cat /var/run/ldap/slapd.pid`"
  kill -INT `cat /var/run/ldap/slapd.pid`
fi
<esc> :x
Creating Directory Entries
To add entries to the directory, create an LDIF file (entries are separated by blank lines). Run ldapadd to add the entries, then run ldapsearch to make sure it worked. The file holds cleartext passwords, hence the chmod go-rx. A delete.ldif listing the DNs with children before their parent lets ldapdelete remove everything again.
# cd /usr/local/etc/openldap
# vi create.ldif
i
dn: dc=studioware,dc=com
objectClass: dcObject
objectClass: organization
o: organization
dc: studioware

dn: cn=Manager,dc=studioware,dc=com
objectclass: organizationalRole
cn: Manager

dn: cn=proxyUser,dc=studioware,dc=com
objectclass: person
cn: proxyUser
sn: proxyUser
userPassword: proxyPassword
authzTo: ldap:///dc=studioware,dc=com??sub?(objectclass=person)

dn: cn=postmaster,dc=studioware,dc=com
objectclass: person
cn: postmaster
sn: postmaster
userPassword: postmasterPassword

dn: cn=myUser,dc=studioware,dc=com
objectclass: person
cn: myUser
sn: myUser
userPassword: myUserPassword

dn: cn=news,dc=studioware,dc=com
objectclass: person
cn: news
sn: news
userPassword: newsPassword

dn: cn=xen,dc=studioware,dc=com
objectclass: person
cn: xen
sn: xen
userPassword: xenPassword
<esc>
# chmod go-rx create.ldif
# vi delete.ldif
i
cn=xen,dc=studioware,dc=com
cn=news,dc=studioware,dc=com
cn=myUser,dc=studioware,dc=com
cn=postmaster,dc=studioware,dc=com
cn=proxyUser,dc=studioware,dc=com
cn=Manager,dc=studioware,dc=com
dc=studioware,dc=com
<esc>
# ldapadd -x -H ldap://localhost/ -D "cn=Manager,dc=studioware,dc=com" -W -f create.ldif
# ldapsearch -x -H ldap://localhost/ -D "cn=Manager,dc=studioware,dc=com" -W -b "dc=studioware,dc=com" "(objectclass=*)"
# ldapdelete -x -H ldap://localhost/ -D "cn=Manager,dc=studioware,dc=com" -W -f delete.ldif
The authzTo: attribute above defines an OpenLdap proxy user. Once authenticated, the proxy user can impersonate the users matched by that URL (here every person entry under dc=studioware,dc=com). This allows, e.g., checking passwords (needed by SASL) or updating data on behalf of other users, which is why the slapd.conf rule on attrs=authzTo lets nobody but the rootdn read or change it.