Difference between pages "OpenSSL" and "OpenLDAP"

From Wikislax
{{RightTOC}}

== What is OpenSSL ? ==

[http://www.openssl.org/ OpenSSL] is an open source implementation of the TLS and SSL protocols. It is used as the base for securing the communications (authentication, encryption, signing) of the rest of the open source server software. However, following a record of security issues, the security and quality of the software appears more uncertain. In 2013, WikiLeaks published documents obtained by Edward Snowden, which revealed that since 2010, the NSA had effectively broken/bypassed SSL/TLS by possibly exploiting vulnerabilities such as HeartBleed.

Since OpenSSL 1.0.1g, members of the [http://www.openbsd.org/ OpenBSD] project forked OpenSSL to create a project named [http://www.libressl.org/ LibreSSL] that can be used as a drop-in replacement for OpenSSL.

To make things a bit less worrying, OpenSSL is part of the base Slackware distribution and so benefits from the [http://www.slackware.com/security/ Slackware security advisories]. The official documentation can be found on the official site [http://www.openssl.org openssl.org] but is somewhat cryptic. '''man openssl''' is a better option.

From a historical point of view, the SSL suite of protocols was created by Netscape to secure communications made over TCP/IP. SSL affords encrypting the data and authenticating the parties on the wire using various methods and algorithms. SSL was the base layer to ensure confidentiality of essential TCP protocols such as '''smtp http pop3 nntp imap ldap'''. SSL encapsulates these services (and others…) using alternate protocol names and port numbers. '''BUT''' the SSL protocols were superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and are now deprecated due to security weaknesses. SSL should not be used any longer. Instead, use TLS. Current version is TLS v1.2.

{| {{thead}}
|-
! {{chead}} | Protocol
! {{chead}} | Port #
! {{chead}} | Secure Protocol
! {{chead}} | Secure Port #
! {{chead}} | Service
|-
|SMTP||25||SMTPS||465||Mail exchange
|-
|HTTP||80||HTTPS||443||Web browsing
|-
|POP3||110||POP3S||995||Mail retrieval
|-
|NNTP||119||NNTPS||563||News exchange
|-
|IMAP||143||IMAPS||993||Mail retrieval
|-
|LDAP||389||LDAPS||636||LDAP directory
|}

<br clear=all>

== Use only TLS ==

<u>Please note</u> : the SSL protocols were superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and are now deprecated due to security weaknesses. SSL should not be used any longer. Instead, use TLS. Current version is v1.2.

== Compiling OpenSSL ==

OpenSSL is part of the base Slackware distribution and so benefits from the [http://www.slackware.com/security/ Slackware security advisories], which makes it very easy to upgrade to the most secure version at any time. If for some reason you'd nevertheless like to compile it from source, here's how to do it :

<font color=red>Beware : to avoid breaking other software in the distribution, openssl-x.y.z can be replaced only by a minor fix update. Be sure to check the current version number using '''ls /usr/lib/*ssl*''' first.</font>

Installing OpenSSL is otherwise quite straightforward :

 # tar -C /usr/local -xvf openssl-x.y.z.tar.gz
 # cd /usr/local
 # chown -R root openssl-x.y.z
 # chgrp -R root openssl-x.y.z
 # cd openssl-x.y.z
 # vi README
 # vi INSTALL
 # make clean
 # ./config --prefix=/usr/local --openssldir=/etc/ssl shared
 # make
 # make test
 # cd /var/log/packages
 # removepkg openssl-x.y.z-X86_64-2
 # removepkg openssl-solibs-x.y.z-X86_64-2
 # cd /usr/local/openssl-x.y.z
 # make install
 # make clean
 # cd ../lib
 # mv libssl* ../lib64
 # mv libcrypto* ../lib64
 # cd pkgconfig
 # mv *ssl.pc ../../lib64/pkgconfig
 # mv *crypto.pc ../../lib64/pkgconfig
 # cd /usr/lib64
 # ln -sf /usr/local/lib64/libssl.so.1.0.0 libssl.so.1
 # ln -sf /usr/local/lib64/libcrypto.so.1.0.0 libcrypto.so.1
 # ldconfig
 # cd /etc/ssl
 # cp -r man /usr/local
 # rm -r man
 # reboot

'''reboot''' affords making sure that nothing was missed by the install and that the system is able to boot normally. If anything went wrong, be ready to fix your system manually, for example by reinstalling the default Slackware OpenSSL package using '''installpkg'''.

== Using OpenSSL ==

Except for managing certificates (see the next section), OpenSSL is not used directly but through libraries that encapsulate other protocols such as '''smtp http pop3 nntp imap ldap'''.

== Using Certificates ==

Using a server certificate allows remote '''smtp http pop3 nntp imap ldap''' clients to make sure that they are connected to the right site. The server certificate contains the full domain name and other information, signed by a Certificate Authority.

For the check to actually take place, the clients need copies of the server and Certificate Authority certificates. The server certificate is delivered as part of the TLS protocol. The Certificate Authority certificate, however, must already be present on the client.

This is the case for most commercial Certificate Authority certificates, which are preinstalled. Being your own Certificate Authority will save the cost of purchasing a server certificate and renewing it yearly, but it will be necessary to install the Certificate Authority certificate on every client using your services.

The home of the '''OpenSSL''' configuration is '''/etc/ssl'''. It initially includes the directories '''certs misc private''' that store the certificates, and the configuration file '''openssl.cnf''', which must be edited first. You might want to set dir and certificate to these values :

 dir = /etc/ssl # Where everything is kept
 certificate = $dir/certs/cacert.pem # The CA certificate

<big><u>To create a self-signed certification authority certificate :</u></big>

<font color=red>Beware : for the certification to work, it is not possible to create a certification authority certificate and a server certificate with the same DN (X500 Directory Name).</font>

 # '''cd /etc/ssl'''
 # '''openssl req -new -x509 -days 3650 -keyout private/cakey.pem -out certs/cacert.pem -config openssl.cnf'''
 Generating a 1024 bit RSA private key
 .........++++++
 .............++++++
 writing new private key to 'private/cakey.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:'''FR'''
 State or Province Name (full name) [Some-State]:'''.'''
 Locality Name (eg, city) []:'''Rennes'''
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Studioware'''
 Organizational Unit Name (eg, section) []:'''CA'''
 Common Name (eg, YOUR name) []:'''Studioware.com'''
 Email Address []:'''nospam@studioware.com'''

<big><u>To create a server certificate request :</u></big>

<font color=red>Beware : for a server certificate, the common name must be the fully qualified domain name. A reverse DNS entry should also exist.</font>

 # '''cd /etc/ssl'''
 # '''mkdir newcerts'''
 # '''openssl req -new -keyout newcerts/mtakey.pem -out newcerts/mtareq.pem -days 365 -config openssl.cnf'''
 Generating a 1024 bit RSA private key
 ................................++++++
 ..................++++++
 writing new private key to 'newkey.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:'''FR'''
 State or Province Name (full name) [Some-State]:'''.'''
 Locality Name (eg, city) []:'''Rennes'''
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Studioware'''
 Organizational Unit Name (eg, section) []:'''MTA'''
 Common Name (eg, YOUR name) []:'''inner.studioware.com'''
 Email Address []:'''nospam@studioware.com'''
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

<big><u>To sign the server certificate request :</u></big>

 # '''cd /etc/ssl'''
 # '''cat </dev/null >index.txt'''
 # '''cat >serial'''
 '''01'''
 '''<ctrl>d'''
 # '''cat newcerts/mtareq.pem newcerts/mtakey.pem > newcerts/mta.pem'''
 # '''openssl ca -policy policy_anything -out newcerts/mtacert.pem -config openssl.cnf -infiles newcerts/mta.pem'''
 Using configuration from openssl.cnf
 Enter pass phrase for /etc/ssl/private/cakey.pem:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 1 (0x1)
         Validity
             Not Before: Jan  2 13:40:43 2007 GMT
             Not After : Jan  2 13:40:43 2008 GMT
         Subject:
             countryName               = FR
             localityName              = Rennes
             organizationName          = Studioware
             organizationalUnitName    = MTA
             commonName                = Jean-Pierre Menicucci
             emailAddress              = nospam@studioware.com
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 06:08:16:E7:C0:A3:D3:9A:D1:92:4A:6F:B8:6E:E8:28:47:79:BD:12
             X509v3 Authority Key Identifier:
                 keyid:92:59:DF:C2:26:D6:54:46:46:A8:10:4E:56:CB:09:A2:E9:B4:86:93
 
 Certificate is to be certified until Jan 2 13:40:43 2008 GMT (365 days)
 Sign the certificate? [y/n]:'''y'''
 
 1 out of 1 certificate requests certified, commit? [y/n]'''y'''
 Write out database with 1 new entries
 Data Base Updated

<big><u>To remove the pass phrase from the server private key :</u></big>

<font color=red>Beware : it is necessary to remove this pass phrase so that sendmail can start without any human intervention.</font>

 # '''openssl rsa -in newcerts/mtakey.pem -out newcerts/mtakey.pem.unsecure'''
 Enter pass phrase for newcerts/mtakey.pem:
 writing RSA key

<big><u>To move the files to the right directories with the right rights and clean up :</u></big>

 # '''cd newcerts'''
 # '''ls'''
 01.pem  mta.pem  mtacert.pem  mtakey.pem  mtakey.pem.unsecure  mtareq.pem
 # '''mv mtacert.pem ../certs'''
 # '''mv mtakey* ../private'''
 # '''rm 01.pem mta.pem mtareq.pem'''
 # '''cd ../certs'''
 # '''chmod go+r *'''
 # '''cd ../private'''
 # '''chmod go-r *'''

When renewing an existing certificate mtakey.pem, the following commands make the required copies :

 # '''cp mtakey.pem.unsecure apache.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure asterisk.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure ldap.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure news.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure smmsp.mtakey.pem.unsecure'''
 # '''chown apache:apache apache.mtakey.pem.unsecure'''
 # '''chown asterisk:asterisk asterisk.mtakey.pem.unsecure'''
 # '''chown ldap:ldap ldap.mtakey.pem.unsecure'''
 # '''chown smmsp:smmsp smmsp.mtakey.pem.unsecure'''
 # '''chown news:news news.mtakey.pem.unsecure'''
 # '''cd ../certs'''
 # '''vi mtacert.pem'''
 d59d
 :$
 :r ../private/mtakey.pem.unsecure
 :w server.pem
 :x
 # '''chown cyrus:mail server.pem'''
 # '''chmod 600 server.pem'''

<big><u>To check an external certificate</u></big>

For OpenSSL to use an external certification authority certificate, you need to place a copy of it in your '''/etc/ssl/certs''' directory together with a symbolic link to this copy. The name of this link must be based on the certificate hash code (see http://www.sendmail.org/~ca/email/starttls.html). This can be done in this way :

 # C=CertificateFileName
 # ln -s $C `openssl x509 -noout -hash < $C`.0

<br>
<br>

{{pFoot|[[Creating VMs]]|[[Main Page]]|[[OpenLDAP]]|}}

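The certificate workflow of the OpenSSL page (own certification authority, server request signed by it, pass phrase stripped from the server key so a daemon can start unattended, CA certificate installed on the client) carried through end to end, as an added example that is not part of the Wikislax page. It drives the same openssl command line from Python in a temporary directory, then performs a real TLS exchange on 127.0.0.1: a client that trusts cacert.pem and insists on TLS 1.2 or later succeeds, while a client that only has the system trust store fails with a certificate verification error, which is exactly the situation the page describes for clients lacking the CA certificate. The pass phrases, the DNs and the localhost common name are constructed stand-ins (on a real server the common name must be the FQDN); the `openssl` binary is assumed to be in PATH.

```python
"""Private CA + server certificate, then a TLS exchange that checks the chain and hostname."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

CA_PASS = "pass:ca-demo-phrase"         # constructed; the page types the CA pass phrase interactively
SRV_PASS = "pass:server-demo-phrase"    # constructed; removed from the key below, as the page does
BANNER = b"220 ready\r\n"               # constructed greeting standing in for a real smtp/imap/ldap daemon


def openssl(*args):
    """Run one openssl command (the CLI the page uses) and fail loudly on error."""
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def build_pki(workdir, fqdn):
    """Mirror the page's /etc/ssl steps inside workdir and return the resulting file paths."""
    p = lambda name: os.path.join(workdir, name)
    # 1. Self-signed CA. Its DN deliberately differs from the server DN (OU=CA vs OU=MTA).
    openssl("req", "-new", "-x509", "-days", "3650", "-newkey", "rsa:2048",
            "-keyout", p("cakey.pem"), "-out", p("cacert.pem"), "-passout", CA_PASS,
            "-subj", "/C=FR/L=Rennes/O=Example/OU=CA/CN=Example CA")
    # 2. Server key + request. The common name is the host name clients will verify.
    openssl("req", "-new", "-newkey", "rsa:2048", "-keyout", p("mtakey.pem"),
            "-out", p("mtareq.pem"), "-passout", SRV_PASS,
            "-subj", "/C=FR/L=Rennes/O=Example/OU=MTA/CN=" + fqdn)
    # 3. Strip the pass phrase (openssl rsa) so the daemon loads the key unattended, then
    #    lock the file down the way the page's "chmod go-r" on private/ does.
    openssl("rsa", "-in", p("mtakey.pem"), "-passin", SRV_PASS, "-out", p("mtakey.pem.unsecure"))
    os.chmod(p("mtakey.pem.unsecure"), 0o600)
    # 4. Sign the request with the CA. A subjectAltName is added because current clients
    #    match the host name against SAN entries rather than the CN.
    with open(p("server.ext"), "w") as f:
        f.write("subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n" % fqdn)
    openssl("x509", "-req", "-days", "365", "-in", p("mtareq.pem"),
            "-CA", p("cacert.pem"), "-CAkey", p("cakey.pem"), "-passin", CA_PASS,
            "-CAcreateserial", "-extfile", p("server.ext"), "-out", p("mtacert.pem"))
    return {"ca": p("cacert.pem"), "cert": p("mtacert.pem"), "key": p("mtakey.pem.unsecure")}


def serve(ctx, lsock, n):
    """Accept n connections; a client that distrusts our CA aborts the handshake, which is fine."""
    for _ in range(n):
        conn, _ = lsock.accept()
        tls = None
        try:
            tls = ctx.wrap_socket(conn, server_side=True)
            tls.sendall(BANNER)
        except (ssl.SSLError, OSError):
            pass
        finally:
            (tls or conn).close()


def fetch_banner(port, fqdn, cafile):
    """Client side: trust only cafile (None = system store), require TLS 1.2+, verify hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # "Use only TLS": no SSLv3, TLS 1.0 or 1.1
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return tls.recv(64)


def demo():
    """Return (banner seen by a trusting client, error class hit by a non-trusting one, key mode)."""
    fqdn = "localhost"    # constructed; on a real host this must be the FQDN, as the page says
    with tempfile.TemporaryDirectory() as d:
        pki = build_pki(d, fqdn)
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.minimum_version = ssl.TLSVersion.TLSv1_2
        srv.load_cert_chain(pki["cert"], pki["key"])
        lsock = socket.socket()
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(2)
        port = lsock.getsockname()[1]
        t = threading.Thread(target=serve, args=(srv, lsock, 2), daemon=True)
        t.start()
        banner = fetch_banner(port, fqdn, pki["ca"])   # trusts cacert.pem: succeeds
        try:
            fetch_banner(port, fqdn, None)             # system store only: must fail
            failure = None
        except ssl.SSLCertVerificationError as exc:
            failure = type(exc).__name__
        t.join(5)
        lsock.close()
        key_mode = os.stat(pki["key"]).st_mode & 0o777
    return banner, failure, key_mode


if __name__ == "__main__":
    print(demo())   # (b'220 ready\r\n', 'SSLCertVerificationError', 0o600 i.e. 384)
```

The page's `openssl ca` invocation with index.txt and serial is replaced here by `openssl x509 -req -CA ... -CAcreateserial`, which signs one request without a CA database; the resulting chain is the same shape (CA certificate, leaf with CA:FALSE). The second client fails because the CA certificate is not in its trust store, not because anything is wrong with the server; installing cacert.pem on the client, as the page says, is what turns that failure into the successful first exchange.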
Revision as of 22:29, 6 December 2017

What is OpenLDAP ?

OpenLdap is an open source implementation of the Lightweight Directory Access Protocol, a lightweight alternative to the X500 Directory Address Protocol. In our installation, we use it as an address book and authentication server. To keep it safe, ldap access is restricted to localhost (slapd daemon listening only on localhost, ldap and ldaps ports closed at firewall level). The reference document to read is the Open Ldap Admin Guide, but it is lengthy. Wikipedia has a nice summary page that helps to get the big picture.

Installing OpenLDAP

There is a chicken-and-egg problem with OpenLdap and CyrusSasl as they reference each other. So first install OpenLdap without --enable-spasswd --with-cyrus-sasl, then after installing Cyrus-sasl (next chapter), reinstall OpenLdap with --enable-spasswd --with-cyrus-sasl (the next chapter repeats this reminder). Download OpenLDAP, untar to /usr/local then compile and install as described below :

# tar -tvf openldap-x.y.z.tgz
# tar -C /usr/local -xvf openldap-x.y.z.tgz
# cd /usr/local
# chown -R root:root openldap-x.y.z
# cd openldap-x.y.z
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 --mandir=/usr/local/man \
--disable-ipv6 --with-tls
# make depend
# make
# make test
# make install
# make clean

To prepare running ldap as an unprivileged user, execute the commands below. Note : it is also a good idea to review the individual file permissions under the openldap directories and to restrict access to the ldap user :

# groupadd ldap
# mkdir /var/run/ldap
# useradd -s /bin/false -d /var/run/ldap -g ldap ldap
# chown -R ldap:ldap /etc/openldap /usr/local/etc/openldap /usr/local/var/openldap-data /var/run/ldap

Configuring OpenLDAP

OpenLdap is made of two daemons but we will use only one. slapd is the stand-alone LDAP daemon and slurpd is the stand-alone LDAP update replication daemon, which we will not use. Below is a working example of a /usr/local/etc/openldap/slapd.conf configuration file that you can use, just replacing the domain and the rootpw value. The password-hash {CLEARTEXT} option is mandatory for SASL to use LDAP (the format is enforced when using the password). The authz-regexp maps an authentication request to a real entry in the directory. This mapping is useful because a client can then authenticate without knowing anything about the underlying directory structure. See man slapd.conf for more configuration details.

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
# referral       ldap://root.openldap.org

pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

access to *
        by self write
        by users read
        by anonymous auth

access to attrs=userPassword
        by self =dxw
        by users none
        by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# proxy user definitions - SASL requires CLEARTEXT
#######################################################################

password-hash   {CLEARTEXT}

authz-regexp
                uid=([^,]*),cn=digest-md5,cn=auth
                cn=$1,dc=domain,dc=com

authz-policy    to

access to attrs=authzTo
        by self none
        by users none
        by anonymous none

#######################################################################
# Berkeley Data Base front end definitions
#######################################################################

database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=Manager,dc=domain,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# To generate {SSHA} secret : slappasswd -s secret
rootpw          {SSHA}16U2kC8+yDaWDtaKWsyvKSRHMWCUmcKg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data

# Indexing options for database #1
index           objectClass     eq
index           cn,sn           eq

#######################################################################
# TLS Certificates
#######################################################################

TLSCACertificateFile    /etc/ssl/certs/cacert.pem
TLSCACertificatePath    /etc/ssl/certs
TLSCertificateFile      /etc/ssl/certs/mtacert.pem
TLSCertificateKeyFile   /etc/ssl/private/ldap.mtakey.pem.unsecure
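The slapd.conf above keeps rootpw as an {SSHA} value generated with slappasswd, yet sets password-hash {CLEARTEXT} for the SASL proxy setup. The following Python is added here and is not taken from the Wikislax page or from OpenLDAP: it reproduces the {SSHA} format (base64 of the SHA-1 digest of secret||salt, followed by the salt) and the simpler {SHA} and {CLEARTEXT} forms, so the two choices can be compared. A one-way {SSHA} or {SHA} value can be verified against a candidate password, but only a cleartext value can serve a challenge-response mechanism such as DIGEST-MD5, which is why the page needs {CLEARTEXT} for SASL. Secrets and salts used below are constructed; nothing here reads the page's actual rootpw secret.

```python
"""OpenLDAP userPassword / rootpw schemes: {SSHA}, {SHA} and {CLEARTEXT}."""
import base64
import hashlib
import hmac
import os

SSHA_DIGEST_LEN = 20     # SHA-1 output length; the salt is whatever follows it


def ssha_hash(secret, salt=None):
    """Produce the value 'slappasswd -s <secret>' prints: {SSHA}base64(sha1(secret||salt)||salt)."""
    if salt is None:
        salt = os.urandom(4)            # slappasswd uses a short random salt
    digest = hashlib.sha1(secret.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(secret):
    """Unsalted {SHA}: identical passwords hash identically, so {SSHA} is preferable."""
    digest = hashlib.sha1(secret.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def split_scheme(stored):
    """Return (SCHEME, payload); a value without a {...} prefix is cleartext for slapd."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return "CLEARTEXT", stored


def check_password(stored, candidate):
    """True when candidate matches the stored value, using constant-time comparison."""
    scheme, payload = split_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(payload), hashlib.sha1(cand).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:SSHA_DIGEST_LEN], raw[SSHA_DIGEST_LEN:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    raise ValueError("unsupported password scheme {%s}" % scheme)


def usable_for_digest_md5(stored):
    """DIGEST-MD5 needs the plaintext secret on the server to compute the expected
    response; a one-way hash cannot provide it, hence the page's password-hash {CLEARTEXT}."""
    return split_scheme(stored)[0] == "CLEARTEXT"


if __name__ == "__main__":
    h = ssha_hash("secret")                      # constructed secret, random salt
    print(h, check_password(h, "secret"), usable_for_digest_md5(h))
    print(check_password("proxyPassword", "proxyPassword"), usable_for_digest_md5("proxyPassword"))
```

Because `password-hash {CLEARTEXT}` stores recoverable secrets, the page's surrounding access rules matter: the `access to attrs=userPassword` block grants `by users none`, so only the entry itself (and rootdn) can read the value, and the `by self =dxw` rights keep even the owner from reading it back over LDAP.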

When using LDAP clients on the same host, the file /usr/local/etc/openldap/ldap.conf must include a TLS_CACERT directive specifying the same certificate as in TLSCACertificateFile above :

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE   dc=example,dc=com
URI    ldap://ldap.example.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERT      /etc/ssl/certs/cacert.pem
TLS_CACERTDIR   /etc/ssl/certs

After that, slapd can listen on the ldaps port and use TLS to encapsulate the communications.

Running OpenLDAP

Start the stand-alone LDAP server slapd, then check that the server is running with ps -ef | grep slapd; if it is not, start it again with the -d296 switch and troubleshoot from the slapd output (see man slapd for details). When it runs, try an ldapsearch.

# /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
# ps -ef | grep slapd
# /usr/local/bin/ldapsearch -x -H ldap://localhost/ -b "" -s base "(objectclass=*)" namingContexts

Slapd runs as a daemon, so it must be launched at startup and stopped at shutdown. Update /etc/rc.d/rc.local and /etc/rc.d/rc.local_shutdown accordingly :

# vi /etc/rc.d/rc.local
. . .
# start slapd
if [ -x /usr/local/libexec/slapd ]; then
        echo "Starting slapd daemon: /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/"
        /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
fi
 <esc>
:x
# vi /etc/rc.d/rc.local_shutdown
. . .
# stop slapd
if [ -r /var/run/ldap/slapd.pid ]; then
        echo "Stopping slapd: kill -INT `cat /var/run/ldap/slapd.pid`"
        kill -INT `cat /var/run/ldap/slapd.pid`
fi
<esc>
:x

Creating Directory Entries

To add entries to the directory, create an ldif file, run ldapadd to add the entries, then run ldapsearch to make sure it worked.

# cd /usr/local/etc/openldap
# vi create.ldif
i
dn: dc=domain,dc=com
objectClass: dcObject
objectClass: organization
o: organization
dc: domain

dn: cn=Manager,dc=domain,dc=com
objectclass: organizationalRole
cn: Manager

dn: cn=proxyUser,dc=domain,dc=com
objectclass: person
cn: proxyUser
sn: proxyUser
userPassword: proxyPassword
authzTo: ldap:///dc=domain,dc=com??sub?(objectclass=person)

dn: cn=postmaster,dc=domain,dc=com
objectclass: person
cn: postmaster
sn: postmaster
userPassword: postmasterPassword

dn: cn=myUser,dc=domain,dc=com
objectclass: person
cn: myUser
sn: myUser
userPassword: myUserPassword

dn: cn=news,dc=domain,dc=com
objectclass: person
cn: news
sn: news
userPassword: newsPassword

dn: cn=xen,dc=domain,dc=com
objectclass: person
cn: xen
sn: xen
userPassword: xenPassword
<esc>
#vi delete.ldif
i
cn=xen,dc=domain,dc=com
cn=news,dc=domain,dc=com
cn=myUser,dc=domain,dc=com
cn=postmaster,dc=domain,dc=com
cn=proxyUser,dc=domain,dc=com
cn=Manager,dc=domain,dc=com
dc=domain,dc=com
<esc>

# ldapadd -x -H ldap://localhost/ -D "cn=Manager,dc=domain,dc=com" -W -f create.ldif
# ldapsearch -x -H ldap://localhost/ -D "cn=Manager,dc=domain,dc=com" -W -b "dc=domain,dc=com" "(objectclass=*)"
# ldapdelete -x -H ldap://localhost/ -D "cn=Manager,dc=domain,dc=com" -W -f delete.ldif

The authzTo: item above defines an OpenLdap proxy user. Once authenticated, a proxy user can impersonate other OpenLdap users. This allows e.g. checking passwords (needed by SASL) or updating data for other users.
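The two mechanisms that tie the configuration and the directory entries together, the authz-regexp rule from the slapd.conf section and the authzTo attribute of the proxy user just described, worked through in Python as an added example that is not part of the Wikislax page or of OpenLDAP. The regexp line is the page's own; the LDIF text is a constructed excerpt of the page's create.ldif; the LDIF reader is deliberately minimal, and treating DNs as case-insensitive strings is a simplification of how slapd normalises them.

```python
"""Map a SASL identity to a directory entry the way slapd's authz-regexp does, then
look the entry up in the LDIF the page loads with ldapadd."""
import re

# The authz-regexp rule exactly as written in the page's slapd.conf.
AUTHZ_REGEXP_LINES = [
    ("uid=([^,]*),cn=digest-md5,cn=auth", "cn=$1,dc=domain,dc=com"),
]

# Constructed excerpt of the page's create.ldif (three of its entries).
CREATE_LDIF = """\
dn: dc=domain,dc=com
objectClass: dcObject
objectClass: organization
o: organization
dc: domain

dn: cn=proxyUser,dc=domain,dc=com
objectclass: person
cn: proxyUser
sn: proxyUser
userPassword: proxyPassword
authzTo: ldap:///dc=domain,dc=com??sub?(objectclass=person)

dn: cn=myUser,dc=domain,dc=com
objectclass: person
cn: myUser
sn: myUser
userPassword: myUserPassword
"""


def compile_authz_regexp(match, replace):
    """One slapd authz-regexp -> (anchored pattern, Python template): slapd's $1 becomes \\1."""
    return re.compile("^" + match + "$"), re.sub(r"\$(\d+)", r"\\\1", replace)


RULES = [compile_authz_regexp(m, r) for m, r in AUTHZ_REGEXP_LINES]


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, attribute names lower-cased,
    keyed by lower-cased DN (assumption: DNs compared as case-insensitive strings)."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries[current["dn"][0].lower()] = current
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def sasl_authcid_to_dn(mechanism, authcid):
    """The DN slapd derives from a SASL bind before any mapping is applied."""
    return "uid=%s,cn=%s,cn=auth" % (authcid, mechanism.lower())


def map_sasl_identity(sasl_dn):
    """First matching authz-regexp wins; with no match the SASL DN is used as is,
    and then names no real entry in the directory."""
    for pattern, template in RULES:
        m = pattern.match(sasl_dn)
        if m:
            return m.expand(template)
    return sasl_dn


def resolve_bind(mechanism, authcid, ldif_text=CREATE_LDIF):
    """Return (mapped DN, whether an entry exists for it, whether that entry may proxy via authzTo)."""
    entries = parse_ldif(ldif_text)
    dn = map_sasl_identity(sasl_authcid_to_dn(mechanism, authcid))
    entry = entries.get(dn.lower())
    return dn, entry is not None, bool(entry and entry.get("authzto"))


if __name__ == "__main__":
    for mech, who in [("DIGEST-MD5", "proxyUser"), ("DIGEST-MD5", "myUser"),
                      ("DIGEST-MD5", "nobody"), ("PLAIN", "myUser")]:
        print(mech, who, "->", resolve_bind(mech, who))
```

Two things the run makes visible: the rule only fires for the digest-md5 mechanism, so a PLAIN bind is left with a cn=auth pseudo-DN that matches nothing, and the `[^,]*` group stops at the first comma, so an authentication id containing a comma cannot steer the mapping to a different DN. Only the entry carrying authzTo comes back as allowed to proxy, which is what `authz-policy to` enforces on the server side.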

