Difference between pages "IPTables" and "OpenLDAP"

From Wikislax

IPTables

{{RightTOC}}

Packet filtering affords opening access only to those services you have decided to expose. TCP and UDP packets carry a piece of information called the port number, which identifies the type of service. Secure ports were defined as SSL counterparts of the native ports, but SSL was superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and is now deprecated due to security weaknesses in the SSL protocol. SSL should not be used any longer; use TLS instead. Current version is v1.2.

{| {{thead}}
|-
! {{chead}} width="100" | Protocol
! {{chead}} | Port #
! {{chead}} | Secure Protocol
! {{chead}} | Secure Port #
! {{chead}} | Service
|-
|SMTP||25||SMTPS||465||Mail exchange
|-
|HTTP||80||HTTPS||443||Web browsing
|-
|POP3||110||POP3S||995||Mail retrieval
|-
|NNTP||119||NNTPS||563||News exchange
|-
|IMAP||143||IMAPS||993||Mail retrieval
|-
|LDAP||389||LDAPS||636||LDAP directory
|}

<br clear=all>

On the server side, the services are provided by applications that may have vulnerabilities and be attacked. Examples are buffer overflow and format string attacks, which afford getting full access to the target machine by sending it specially crafted strings. An attacker could then read any information present there, or modify or destroy the system.

To reduce the number of possible attacks, the number of authorized services, or who can access them, must be restricted. This is known as packet filtering. It is only one aspect of security (obviously, the applications on the server side must also be secured ...), but it is an important one. <u>Never *** ever *** connect to the network a computer not protected by a packet filter !</u>

To illustrate, let's configure our two-interface computer to be its own firewall. '''eth0''' is the Internet interface; it uses network 192.168.0.x, and the gateway is an ADSL router/switch at 192.168.0.254. '''eth1''' is the (Intranet) interface to the internal network 192.168.1.x.

== Iptables Filtering ==

Since Linux 2.4, packet filtering is performed inside the kernel and configured with the '''iptables''' user-space program. In addition to rules for incoming and outgoing packets, iptables affords defining rules for packets routed between the interfaces. The '''iptables''' command enters the rules '''one by one'''; a script affords entering all the rules at once. '''iptables -L -v''' affords viewing the current rules.

For more information, see the [http://www.netfilter.org/ netfilter] official site. It links to various documents, including a simple introduction to packet filtering in this [http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html HOWTO].

In Slackware, the script used is <tt>'''/etc/rc.d/rc.firewall'''</tt>. It is called automatically when the system starts or stops, using the commands <tt>'''./rc.firewall start'''</tt> or <tt>'''./rc.firewall stop'''</tt>.

#! /bin/sh
#
# startup script for local packet filter
#
fw_start () {
echo "Loading packet filter rules"

The flush command affords deleting all the active nat and filtering rules:

# flush old rules
iptables -t nat --flush
iptables --flush

The -P option affords defining the default policy of a chain. A good practice is to forbid by default everything that is not explicitly authorized. This is done here for incoming and outgoing packets, and for packets routed between the interfaces:

# drop by default
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Connections already established are authorized to continue:

# accept packets that are part of previously OK'ed sessions
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED

The -A option affords appending a rule to a chain. Here all the packets on the loopback interface are accepted:

# INBOUND POLICY

# pass all traffic for network 127.0.0.0/8 on loopback interface
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

On both interfaces, we forbid communications where the remote address is a private network address as specified by RFC 1918 (except 192.168.x.x, which we use internally). On the Internet, RFC 1918 private addresses are not routable, so packets carrying such addresses are not expected on the internal network either. They are logged, then dropped:

# anti-spoofing rules
iptables -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "INPUT spoofed IP "
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "INPUT spoofed IP "
iptables -A INPUT -s 172.16.0.0/12 -j DROP

The protocols corresponding to services offered or used externally are accepted:

# services SMTP HTTP IMAP HTTPS
iptables -A INPUT -p tcp -j ACCEPT --dport 25 -m state --state NEW
iptables -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
iptables -A INPUT -p tcp -j ACCEPT --dport 143 -m state --state NEW
iptables -A INPUT -p tcp -j ACCEPT --dport 443 -m state --state NEW

We accept VOIP traffic from freephonie.net:

# services to freephonie network SIP RTP
iptables -A INPUT -p udp -j ACCEPT --dport 5060:5061 -m state --state NEW -s 212.27.52.0/24
# iptables -A INPUT -p udp -j ACCEPT --dport 1024:65535 -m state --state RELATED -s 212.27.52.0/24

The protocols corresponding to services offered on the local network are accepted:

# services on local network FTP DNS BOOTP NNTP SUBMIT VNC SIP RTP
iptables -A INPUT -p tcp -j ACCEPT --dport 20 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 53 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 53 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 69 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 119 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 587 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 5088 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 5900:5910 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 5060:5061 -m state --state NEW -s 192.168.0.0/16
# iptables -A INPUT -p udp -j ACCEPT --dport 1024:65535 -m state --state RELATED -s 192.168.0.0/16

We accept X-Window traffic on the local network:

# SSH-tunnelled X-Window output appears as input on interface lo
iptables -A INPUT -p udp -j ACCEPT --dport 177 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 6000:6063 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -i lo -p tcp -j ACCEPT --dport 6000:6063 -m state --state NEW -s 192.168.0.0/16

We accept NFS on the local network and fix the NFS ports:

# NFS ports
iptables -A INPUT -p udp -j ACCEPT --dport 111 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 111 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 2049 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 2049 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32764 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32764 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32765 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32765 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32766 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32766 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32767 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32767 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32768 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32768 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p udp -j ACCEPT --dport 32769 -m state --state NEW -s 192.168.0.0/24
iptables -A INPUT -p tcp -j ACCEPT --dport 32769 -m state --state NEW -s 192.168.0.0/24

We accept samba traffic on the local network:

# samba ports
iptables -A INPUT -p tcp -j ACCEPT --dport 135 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 135 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 137 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 137 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 138 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 139 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p tcp -j ACCEPT --dport 445 -m state --state NEW -s 192.168.0.0/16
iptables -A INPUT -p udp -j ACCEPT --dport 445 -m state --state NEW -s 192.168.0.0/16

Broadcast traffic is also OK:

# pass all broadcast traffic
iptables -A INPUT -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT -m state --state NEW

We accept pings on the local network:

# accept echo-request icmp packets
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m state --state NEW -s 192.168.0.0/16

We accept antispam dcc answers:

# accept dcc answers (dcc antispam service)
iptables -A INPUT -p udp -j ACCEPT --dport 1024:65535 --sport 6277 -m state --state NEW

We log anything not accepted above (the rule is commented out here; uncomment it to enable logging):

# log anything not accepted above
# iptables -A INPUT -j LOG --log-prefix "INPUT bad traffic "

We accept all outbound packets, which affords for example using a network scanner. In a production environment, there would be a stricter policy:

# OUTBOUND POLICY

# accept all outbound packets
iptables -A OUTPUT -j ACCEPT

For routing between the interfaces, everything is accepted. In a production environment, there might be a stricter policy:

# FORWARD POLICY

# forward all outbound packets
iptables -A FORWARD -j ACCEPT

The Network Address Translation rule below affords replacing the source address of the packets coming from the internal interface with the address of the external interface. The packets going out to the Internet then all seem to come from the external interface, whatever their real origin (this translation affords hiding from the outside the addresses used internally):

# POSTROUTING POLICY

# nat traffic going to internet with our local network address
iptables -t nat -A POSTROUTING -o br0 -j SNAT --to 192.168.0.1
}

After the fw_start() function ends, the fw_stop() function is defined to authorize everything:

fw_stop () {
echo "Unloading all packet filter rules"
iptables -t nat --flush
iptables --flush

# accept by default
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}

Finally, the script dispatches on its first argument:

case "$1" in
'start')
fw_start
;;
'stop')
fw_stop
;;
'restart')
fw_start
;;
*)
echo "usage $0 start | stop | restart"
;;
esac

== Testing the firewall ==

Use '''nmap -sU hostname''' (UDP) and '''nmap -sT hostname''' (TCP) to check which ports are visible locally, then do the same from the outside.
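
As a complement to the nmap checks above, here is an added example (not the page's own script) that extracts the TCP ports rc.firewall accepts from any source and compares them with the ports an external '''nmap -sT''' scan reports open, so that anything reachable beyond the intended SMTP/HTTP/IMAP/HTTPS set stands out. The rule excerpt and the grepable nmap output it reads are constructed samples.

```shell
# Added example (not from the Wikislax page): list TCP ports that an external
# nmap -sT scan reports open but that no unrestricted INPUT ACCEPT rule in
# rc.firewall explains. Both input files below are constructed samples.

# TCP ports accepted from anywhere: INPUT ACCEPT rules with --dport and no -s
# restriction. Prints "80" or a range such as "5060:5061", one per line.
expected_ports() {
    # $1: path to the rule file
    awk '
        /^[[:space:]]*#/ { next }      # skip commented-out rules
        /iptables -A INPUT/ && /-p tcp/ && /-j ACCEPT/ && /--dport/ && !/-s / {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport") print $(i + 1)
        }' "$1" | sort -u
}

# TCP ports nmap found open, from grepable output (nmap -sT -oG -):
# "Host: a.b.c.d ()  Ports: 25/open/tcp//smtp///, 80/open/tcp//http///"
open_ports() {
    # $1: path to the nmap -oG file
    sed -n 's/^Host:.*Ports: //p' "$1" | tr ',' '\n' |
        awk -F/ '$2 == "open" { gsub(/ /, "", $1); print $1 }' | sort -un
}

# Succeeds when port $1 is covered by the port spec $2 ("80" or "5060:5061").
in_spec() {
    case "$2" in
        *:*) lo=${2%%:*}; hi=${2##*:}
             [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}

# Prints each open port that no unrestricted ACCEPT rule explains.
unexplained_ports() {
    # $1: rule file, $2: nmap -oG file
    specs=$(expected_ports "$1")
    for p in $(open_ports "$2"); do
        ok=0
        for s in $specs; do
            if in_spec "$p" "$s"; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then echo "$p"; fi
    done
}

RULES=$(mktemp); SCAN=$(mktemp)
trap 'rm -f "$RULES" "$SCAN"' EXIT

# Constructed excerpt of the page's rc.firewall: four ports open to the world,
# VNC restricted to the local network.
cat > "$RULES" <<'EOF'
# services SMTP HTTP IMAP HTTPS
iptables -A INPUT -p tcp -j ACCEPT --dport 25 -m state --state NEW
iptables -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
iptables -A INPUT -p tcp -j ACCEPT --dport 143 -m state --state NEW
iptables -A INPUT -p tcp -j ACCEPT --dport 443 -m state --state NEW
# services on local network VNC
iptables -A INPUT -p tcp -j ACCEPT --dport 5900:5910 -m state --state NEW -s 192.168.0.0/16
EOF

# Constructed grepable output of a scan run from outside the firewall.
cat > "$SCAN" <<'EOF'
# Nmap scan initiated as: nmap -sT -oG - firewall.example.net
Host: 203.0.113.10 ()   Status: Up
Host: 203.0.113.10 ()   Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///, 5901/open/tcp//vnc-1///   Ignored State: closed (995)
EOF

# Ports 22 and 5901 are reachable although rc.firewall does not open them
# to the outside: worth investigating.
unexplained_ports "$RULES" "$SCAN"
```

Run it against the real rc.firewall and a scan file saved with '''nmap -sT -oG scan.txt''' from a host outside the firewall; only the TCP side is covered, since -sT is a TCP scan.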
 
 
 
== Download example ==

[{{SERVER}}/wikislax/download/rc.firewall Download file rc.firewall]

<br/>

{{pFoot|[[Configuration files]]|[[Main Page]]|[[X11 configuration]]}}

OpenLDAP

Latest revision as of 15:15, 24 November 2018

== What is OpenLDAP ? ==

[http://www.openldap.org OpenLDAP] is an open source implementation of the '''Lightweight Directory Access Protocol''', a lightweight alternative to the '''X.500 Directory Access Protocol'''. In our installation, we use it as an address book and authentication server. To keep it safe, LDAP access is restricted to localhost (the slapd daemon listens only on localhost, and the ldap and ldaps ports are closed at firewall level). The reference document to read is the [http://www.openldap.org/doc/admin24/index.html OpenLDAP Admin Guide], but it is lengthy. [http://en.wikipedia.org/wiki/OpenLDAP Wikipedia] has a nice summary page that can help to get the big picture.

== Installing OpenLDAP ==

There is a chicken-and-egg problem with OpenLDAP and Cyrus SASL, as they reference each other. So first install OpenLDAP without '''--enable-spasswd --with-cyrus-sasl''', then, after installing Cyrus-SASL (next chapter), reinstall OpenLDAP with '''--enable-spasswd --with-cyrus-sasl''' (the next chapter will remind you of this). [http://www.openldap.org/software/download Download OpenLDAP], untar it to /usr/local, then compile and install as described below:

# tar -tvf openldap-x.y.z.tgz
# tar -C /usr/local -xvf openldap-x.y.z.tgz
# cd /usr/local
# chown -R root:root openldap-x.y.z
# cd openldap-x.y.z
# ./configure --help | less
# ./configure --libdir=/usr/local/lib64 --mandir=/usr/local/man \
--disable-ipv6 --with-tls
# make depend
# make
# make test
# make install
# make clean

To prepare running LDAP as an unprivileged user, execute the commands below. <u>Note</u>: it is also a good idea to review the individual file permissions under the openldap directories and to restrict access to the ldap user:

# groupadd ldap
# mkdir /var/run/ldap
# useradd -s /bin/false -d /var/run/ldap -g ldap ldap
# chown -R ldap:ldap /etc/openldap /usr/local/etc/openldap /usr/local/var/openldap-data /var/run/ldap

== Configuring OpenLDAP ==

OpenLDAP is made of two daemons, but we will use only one. '''slapd''' is the stand-alone LDAP daemon, and '''slurpd''' is the stand-alone LDAP update replication daemon, which we will not use. Below is a working example of a '''/usr/local/etc/openldap/slapd.conf''' configuration file that you can use, replacing only the '''domain''' and the '''rootpw''' value. The '''password-hash {CLEARTEXT}''' option is mandatory for SASL to use LDAP (the format is enforced when the password is used); because userPassword values are then stored in clear, the access controls on that attribute matter. Note that slapd applies the first '''access to''' directive whose target matches, so in the file below, where the catch-all '''access to *''' precedes the '''attrs=userPassword''' and '''attrs=authzTo''' directives, those two directives are never consulted and '''by users read''' applies to both attributes; if you move them ahead of the catch-all, re-check that every user keeps the access the SASL setup of the next chapter needs. The '''authz-regexp''' maps an authentication request to a real entry in the directory; this mapping is useful because the client needs to know nothing about the underlying directory structure to authenticate. See [http://www.openldap.org/software/man.cgi?query=slapd.conf&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html man slapd.conf] for more configuration details.

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
# referral       ldap://root.openldap.org

pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

access to *
        by self write
        by users read
        by anonymous auth

access to attrs=userPassword
        by self =dxw
        by users none
        by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# proxy user definitions - SASL requires CLEARTEXT
#######################################################################

password-hash   {CLEARTEXT}

authz-regexp
                uid=([^,]*),cn=digest-md5,cn=auth
                cn=$1,dc=domain,dc=com

authz-policy    to

access to attrs=authzTo
        by self none
        by users none
        by anonymous none

#######################################################################
# Berkeley Data Base front end definitions
#######################################################################

database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=Manager,dc=domain,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# To generate {SSHA} secret : slappasswd -s secret
rootpw          {SSHA}16U2kC8+yDaWDtaKWsyvKSRHMWCUmcKg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data

# Indexing options for database #1
index           objectClass     eq
index           cn,sn           eq

#######################################################################
# TLS Certificates
#######################################################################

TLSCACertificateFile    /etc/ssl/certs/cacert.pem
TLSCACertificatePath    /etc/ssl/certs
TLSCertificateFile      /etc/ssl/certs/mtacert.pem
TLSCertificateKeyFile   /etc/ssl/private/ldap.mtakey.pem.unsecure
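
slapd stops at the first '''access to''' directive whose target matches, so directives placed after the catch-all '''access to *''' are dead configuration. The check below is an added example, not part of the page or of OpenLDAP: it scans a slapd.conf for directives shadowed this way, first on a constructed excerpt in the order the file above uses, then on the same excerpt with the attribute directives moved ahead of the catch-all.

```shell
# Added example (not from the Wikislax page): find "access to" directives in
# a slapd.conf that are shadowed by an earlier catch-all "access to *".
# slapd stops at the first directive whose <what> matches, so everything
# after "access to *" is dead configuration. Only the literal "*" form is
# recognised here; a dn.subtree or dn.regex <what> that also covers the
# target is not analysed (a limitation of this check).
shadowed_acls() {
    # $1: path to a slapd.conf file; prints "<line>: access to <what> (shadowed)"
    awk '
        /^[[:space:]]*#/ { next }                           # comment lines
        /^[[:space:]]*access[[:space:]]+to[[:space:]]/ {    # access to <what> ...
            what = $3
            if (seen_star) print NR ": access to " what " (shadowed)"
            if (what == "*") seen_star = 1
        }' "$1"
}

BAD=$(mktemp); GOOD=$(mktemp)
trap 'rm -f "$BAD" "$GOOD"' EXIT

# Constructed excerpt in the page's order: the catch-all comes first, so the
# userPassword and authzTo directives are never consulted and
# "by users read" applies to both attributes.
cat > "$BAD" <<'EOF'
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth
access to attrs=userPassword
        by self =dxw
        by users none
        by anonymous auth
access to attrs=authzTo
        by self none
        by users none
        by anonymous none
EOF

# Same directives with the attribute-specific ones moved ahead of the
# catch-all; the access levels themselves are left as the page has them and
# must still be checked against what the SASL proxy setup needs.
cat > "$GOOD" <<'EOF'
access to attrs=userPassword
        by self =dxw
        by users none
        by anonymous auth
access to attrs=authzTo
        by self none
        by users none
        by anonymous none
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth
EOF

shadowed_acls "$BAD"    # reports lines 7 and 11
shadowed_acls "$GOOD"   # reports nothing
```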

When using LDAP clients on the same host, the file '''/usr/local/etc/openldap/ldap.conf''' must include a TLS_CACERT directive specifying the same certificate as in TLSCACertificateFile above:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE   dc=example,dc=com
URI    ldap://ldap.example.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERT      /etc/ssl/certs/cacert.pem
TLS_CACERTDIR   /etc/ssl/certs

After that, it is possible to listen on the ldaps port and to use TLS to encapsulate the communications.

== Running OpenLDAP ==

Start the stand-alone LDAP server '''slapd''', then check whether the server is running with '''ps -ef | grep slapd'''; if it is not, use the switch '''-d296''' to troubleshoot from the '''slapd''' output (see [http://www.openldap.org/software/man.cgi?query=slapd&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html man slapd] for details). When it is OK, try an '''ldapsearch''':

# /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
# ps -ef | grep slapd
# /usr/local/bin/ldapsearch -x -H ldap://localhost/ -b "" -s base "(objectclass=*)" namingContexts

Slapd runs as a daemon, so it must be launched at startup and stopped at shutdown. Update /etc/rc.d/rc.local and /etc/rc.d/rc.local_shutdown accordingly:

# vi /etc/rc.d/rc.local
. . .
# start slapd
if [ -x /usr/local/libexec/slapd ]; then
        echo "Starting slapd daemon: /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/"
        /usr/local/libexec/slapd -u ldap -g ldap -h ldap://localhost/
fi
<esc>
:x
# vi /etc/rc.d/rc.local_shutdown
. . .
# stop slapd
if [ -r /var/run/ldap/slapd.pid ]; then
        echo "Stopping slapd: kill -INT `cat /var/run/ldap/slapd.pid`"
        kill -INT `cat /var/run/ldap/slapd.pid`
fi
<esc>
:x

== Creating Directory Entries ==

To add entries to the directory, create an '''ldif''' file. Run '''ldapadd''' to add the entries, then run '''ldapsearch''' to make sure it worked. A second file listing the DNs, children before their parent, lets '''ldapdelete''' remove them again:

# cd /usr/local/etc/openldap
# vi create.ldif
i
dn: dc=studioware,dc=com
objectClass: dcObject
objectClass: organization
o: organization
dc: studioware

dn: cn=Manager,dc=studioware,dc=com
objectclass: organizationalRole
cn: Manager

dn: cn=proxyUser,dc=studioware,dc=com
objectclass: person
cn: proxyUser
sn: proxyUser
userPassword: proxyPassword
authzTo: ldap:///dc=studioware,dc=com??sub?(objectclass=person)

dn: cn=postmaster,dc=studioware,dc=com
objectclass: person
cn: postmaster
sn: postmaster
userPassword: postmasterPassword

dn: cn=myUser,dc=studioware,dc=com
objectclass: person
cn: myUser
sn: myUser
userPassword: myUserPassword

dn: cn=news,dc=studioware,dc=com
objectclass: person
cn: news
sn: news
userPassword: newsPassword

dn: cn=xen,dc=studioware,dc=com
objectclass: person
cn: xen
sn: xen
userPassword: xenPassword
<esc>
# chmod go-rx create.ldif
# vi delete.ldif
i
cn=xen,dc=studioware,dc=com
cn=news,dc=studioware,dc=com
cn=myUser,dc=studioware,dc=com
cn=postmaster,dc=studioware,dc=com
cn=proxyUser,dc=studioware,dc=com
cn=Manager,dc=studioware,dc=com
dc=studioware,dc=com
<esc>

# ldapadd -x -H ldap://localhost/ -D "cn=Manager,dc=studioware,dc=com" -W -f create.ldif
# ldapsearch -x -H ldap://localhost/ -D "cn=Manager,dc=studioware,dc=com" -W -b "dc=studioware,dc=com" "(objectclass=*)"
# ldapdelete -x -H ldap://localhost/ -D "cn=Manager,dc=studioware,dc=com" -W -f delete.ldif

The '''authzTo:''' item above defines an OpenLDAP proxy user. Once authenticated, an OpenLDAP proxy user can impersonate other OpenLDAP users. This affords e.g. checking passwords (needed by SASL) or updating data for other users.


{{pFoot|[[OpenSSL]]|[[Main Page]]|[[Cyrus-SASL]]}}