OpenLDAP w/TLS Installation and Configuration

OpenLDAP is a mature, reliable Open Source package that implements an LDAPv3 directory service (RFC 2251, since superseded by RFC 4510 and its companions). This gives an organization a single source of data for users, groups, computers and other items in its operating domain. Many other Open Source packages can be configured to use LDAP for authentication and account information, including Apache, Samba, Pure-ftpd, Postfix, Courier and many others. This document describes how to install and perform the baseline configuration necessary for a TLS-enabled OpenLDAP server on Gentoo.

Install OpenLDAP and Extras

The openldap package must be built with the ssl USE flag; without it slapd has no TLS support and the security tls=1 directive used below cannot be satisfied.

emerge openldap pam_ldap nss_ldap

Create Necessary X.509 Certificates

The Directory will contain data that must remain confidential, so all communication is required to happen over TLS, negotiated with StartTLS on the standard LDAP port. This configuration does not use the non-standard ldaps:// port. We need a certificate and key for the slapd server and a client certificate and key for every client that connects, all issued by a CA that the other side trusts; the server certificate must be issued for the FQDN that clients put in their URI. The slapd.conf fragment below shows where the files are stored; creating and signing them is not covered here.
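The certificate material itself, as an added example that is not part of the original document: a private CA, a server certificate for the URI host and one client certificate, generated with openssl into a directory of your choice and named after the files referenced in slapd.conf and ~/.ldaprc (ca.pem, slapd.pem/slapd.key, ldap-client.pem/ldap-client.key). The CA name, the 365-day lifetime, the client CN "user" and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: build a private CA, a slapd
# server certificate and one client certificate with openssl. File names follow
# the slapd.conf / ~/.ldaprc paths on this page; CA name, lifetime and the
# client CN "user" are assumptions.
set -eu

make_ldap_certs() {
    out=$1                               # output directory; copy to /etc/ssl/private and ~/.ssl afterwards
    fqdn=${2:-ldap.edoceo.com}           # must equal the host in the clients' URI
    days=${3:-365}
    mkdir -p "$out"
    umask 077                            # every key is created mode 0600

    # 1. Self-signed CA: TLSCACertificateFile on the server, TLS_CACERT on clients.
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$out/ca.key" -out "$out/ca.pem" \
        -subj "/O=Edoceo/CN=Edoceo LDAP CA" 2>/dev/null

    # 2. Server key and CSR, signed by the CA. The FQDN goes into both the CN
    #    (what older libldap compares with the URI host) and a DNS SAN.
    openssl req -newkey rsa:2048 -nodes -keyout "$out/slapd.key" \
        -out "$out/slapd.csr" -subj "/CN=$fqdn" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$out/server.ext"
    openssl x509 -req -in "$out/slapd.csr" -CA "$out/ca.pem" -CAkey "$out/ca.key" \
        -CAcreateserial -days "$days" -extfile "$out/server.ext" \
        -out "$out/slapd.pem" 2>/dev/null

    # 3. Client certificate, required by TLSVerifyClient demand; slapd only
    #    checks that it chains to the CA, so the CN is informational here.
    openssl req -newkey rsa:2048 -nodes -keyout "$out/ldap-client.key" \
        -out "$out/ldap-client.csr" -subj "/CN=user" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$out/client.ext"
    openssl x509 -req -in "$out/ldap-client.csr" -CA "$out/ca.pem" -CAkey "$out/ca.key" \
        -CAcreateserial -days "$days" -extfile "$out/client.ext" \
        -out "$out/ldap-client.pem" 2>/dev/null

    rm -f "$out"/*.csr "$out"/*.ext
    chmod 0644 "$out/ca.pem" "$out/slapd.pem" "$out/ldap-client.pem"   # certificates are public
}

# Returns 0 when CERT chains to the CA file and its subject CN is NAME.
check_ldap_cert() {
    ca=$1; cert=$2; name=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$name"
}

if [ "${1:-}" ]; then
    make_ldap_certs "$1" "${2:-ldap.edoceo.com}"
    if check_ldap_cert "$1/ca.pem" "$1/slapd.pem" "${2:-ldap.edoceo.com}"; then
        echo "server certificate verifies against $1/ca.pem"
    else
        echo "server certificate check failed" >&2
        exit 1
    fi
fi
```

Run it as `sh make-certs.sh /root/ldap-pki ldap.edoceo.com`, then move ca.pem, slapd.pem and slapd.key into /etc/ssl/private and make slapd.key readable by the ldap user (chown ldap:ldap, mode 0640); ca.key stays offline, since it can issue client certificates that the server will accept. The client pair goes to ~/.ssl/ldap-client.{pem,key} of each user, key mode 0600.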

Configure slapd

Update /etc/openldap/slapd.conf to contain the following, substituting your own domain where necessary. The key entry is security tls=1: it makes slapd refuse every operation except StartTLS on a connection that is not yet protected by TLS (the client sees "Confidentiality required"). There are more security strength factors available; see the slapd.conf man page. TLSVerifyClient demand additionally rejects any client that does not present a certificate signed by the CA in TLSCACertificateFile, which is why every client below gets its own certificate. Note that {SHA} is unsalted SHA-1; {SSHA}, the slappasswd default, adds a salt and is the better choice for new deployments.

password-hash {SHA}
security tls=1

TLSCACertificateFile /etc/ssl/private/ca.pem
TLSCertificateFile /etc/ssl/private/slapd.pem
TLSCertificateKeyFile /etc/ssl/private/slapd.key
TLSVerifyClient demand

suffix	"dc=edoceo,dc=com"
rootdn	"cn=root,dc=edoceo,dc=com"
rootpw	"{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M="

The value for rootpw is produced by slappasswd. The sample hash above is the {SHA} hash of the throwaway password "test"; generate your own and never keep the sample value.

slappasswd -h {SHA}
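To make concrete what slappasswd computes, here is an added example (not from the original page) that reproduces the {SHA} scheme with openssl, produces the salted {SSHA} form slapd stores by default, and verifies a password against a stored {SSHA} value. The formats are base64(sha1(password)) and base64(sha1(password + salt) + salt); the password "test" and the fixed salts used for illustration are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: what slappasswd -h {SHA} computes, the
# salted {SSHA} variant, and a checker for stored {SSHA} values. Needs only
# openssl. Format: {SHA}  = base64(sha1(password))
#                  {SSHA} = base64(sha1(password . salt) . salt)
set -eu

ldap_sha() {                     # ldap_sha PASSWORD
    printf '{SHA}%s\n' "$(printf '%s' "$1" | openssl dgst -sha1 -binary | openssl base64)"
}

ldap_ssha() {                    # ldap_ssha PASSWORD [SALT]; default salt: 4 random bytes, as slapd uses
    pw=$1
    work=$(mktemp)
    if [ -n "${2:-}" ]; then
        printf '%s' "$2" > "$work.salt"
    else
        openssl rand 4 > "$work.salt"
    fi
    { printf '%s' "$pw"; cat "$work.salt"; } | openssl dgst -sha1 -binary > "$work.dig"
    printf '{SSHA}%s\n' "$(cat "$work.dig" "$work.salt" | openssl base64)"
    rm -f "$work" "$work.salt" "$work.dig"
}

ldap_check_ssha() {              # ldap_check_ssha '{SSHA}...' PASSWORD; returns 0 on a match
    stored=$1; pw=$2
    work=$(mktemp)
    printf '%s\n' "$stored" | sed 's/^{SSHA}//' | openssl base64 -d > "$work"
    dd if="$work" bs=1 count=20 2>/dev/null > "$work.dig"   # first 20 bytes: SHA-1 digest
    tail -c +21 "$work" > "$work.salt"                       # the rest: salt
    if { printf '%s' "$pw"; cat "$work.salt"; } | openssl dgst -sha1 -binary | cmp -s - "$work.dig"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$work" "$work.salt" "$work.dig"
    return $rc
}

if [ "${1:-}" ]; then
    ldap_sha "$1"
    ldap_ssha "$1"
    ldap_ssha "$1"               # differs from the line above: a fresh salt every time
fi
```

Running `sh ldap-hash.sh test` prints the same {SHA} value that appears in the rootpw line above, which is exactly the weakness of an unsalted scheme: anyone who has seen one hash of "test" recognises every other one. The two {SSHA} lines differ from each other even though the password is the same.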

Configure OpenLDAP Tools

Configure the system-wide LDAP tools in /etc/openldap/ldap.conf. The FQDN used in the URI value must match the CN (or a subjectAltName DNS entry) of the server's certificate, and TLS_REQCERT demand makes the tools abort the connection if the server certificate does not validate against TLS_CACERT.

/etc/openldap/ldap.conf
BASE    dc=edoceo, dc=com
URI     ldap://ldap.edoceo.com/

TLS_CACERT /etc/ssl/private/ca.pem
TLS_REQCERT demand

Create a ~/.ldaprc file in each user's home directory. Generate the client certificate and key, place them in ~/.ssl/ldap-client.{key,pem} with the key readable only by that user, and add the following to ~/.ldaprc. The paths must be absolute; the library does not expand ~.

TLS_CERT /home/user/.ssl/ldap-client.pem
TLS_KEY /home/user/.ssl/ldap-client.key

Configure PAM and NSS

Update the PAM configuration to consult LDAP by merging the lines below into the existing /etc/pam.d/system-auth. pam_ldap must come before pam_deny, and use_first_pass means it reuses the password already collected by an earlier module (pam_unix in the stock file) instead of prompting a second time.

cat /etc/pam.d/system-auth
auth       required     pam_env.so
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    required     pam_unix.so
account    required     pam_ldap.so

password   sufficient   pam_ldap.so use_authtok use_first_pass
password   required     pam_deny.so

session    optional     pam_ldap.so

With newer versions of nss_ldap be sure to set bind_policy to soft: with the default hard policy every lookup retries indefinitely while slapd is unreachable, so boot and slapd restarts become very slow. Use ssl start_tls only; ssl on selects ldaps:// on port 636, which conflicts with the ldap:// URI and with the StartTLS-only design of this server. rootbinddn lets lookups run by root (shadow data) bind as the root DN; its password is read from /etc/ldap.secret, which must be owned by root with mode 0600. Because the server demands client certificates, nss_ldap needs a certificate and key as well, and since NSS lookups happen inside every user's processes that key has to be readable by all of them; keep that trade-off in mind.

/etc/ldap.conf
base	dc=edoceo,dc=com
bind_policy	soft
ldap_version	3
rootbinddn	cn=root,dc=edoceo,dc=com
scope	one
uri	ldap://ldap.edoceo.com/

# StartTLS on the ldap:// port; do not also set "ssl on" (that means ldaps://)
ssl	start_tls
tls_checkpeer	yes
tls_cacertfile	/etc/ssl/private/ca.pem
# client certificate for TLSVerifyClient demand; paths are an assumption,
# the key must be readable by every process that resolves users
tls_cert	/etc/ssl/private/nss-client.pem
tls_key	/etc/ssl/private/nss-client.key

pam_password	exop
pam_filter	objectclass=posixAccount
pam_login_attribute	uid
pam_member_attribute	memberuid

nss_base_passwd	ou=People,dc=edoceo,dc=com
nss_base_shadow	ou=People,dc=edoceo,dc=com
nss_base_group	ou=Group,dc=edoceo,dc=com
nss_base_hosts	ou=Hosts,dc=edoceo,dc=com

/etc/nsswitch.conf
passwd:	files ldap
group:	files ldap
shadow:	files ldap

Test

First check slapd.conf for syntax errors with slaptest -f /etc/openldap/slapd.conf, then execute the command below to run slapd in the foreground with debug output. If the configuration is OK the final line should read slapd starting.

/usr/lib/openldap/slapd -u ldap -g ldap -d3

If that test is successful, stop the foreground instance with Ctrl-C and start the slapd service.

/etc/init.d/slapd start

Now query the Directory with ldapsearch. Because of security tls=1, a cleartext search must be refused with "Confidentiality required" (result code 13):

ldapsearch -x

A search that makes StartTLS mandatory must succeed; this also exercises the client certificate from ~/.ldaprc, without which the server (TLSVerifyClient demand) drops the handshake:

ldapsearch -x -ZZ

A single -Z only attempts StartTLS and carries on in cleartext if it fails, so it proves nothing about enforcement; always test with -ZZ.

Backup LDAP Directory

If slapd is not running, use slapcat to dump the entire directory. For a hot backup of a running server, configure a dedicated backup user and use ldapsearch.

Configure a user that can run unlimited queries; without the limits directive below the server's size and time limits silently truncate the dump. The user also needs ACL read access to every attribute you want in the dump: if your access directives restrict userPassword, the dump will not contain it and cannot be used to restore credentials.

# This is my backup/archive user
limits dn.exact="cn=cella,dc=edoceo,dc=com"
    time.soft=unlimited
    time.hard=unlimited
    size.soft=unlimited
    size.hard=unlimited

Dump the entire directory, while slapd is running, using ldapsearch. -x -ZZ gives a simple bind over mandatory StartTLS, -W prompts for the password, -LLL writes plain LDIF without comments, and '*' '+' requests user and operational attributes (entryUUID, timestamps) so the dump can be reloaded with slapadd. The base comes from BASE in ldap.conf. The output contains password hashes, so restrict the file's permissions.

umask 077
ldapsearch -x -ZZ -LLL -D 'cn=cella,dc=edoceo,dc=com' -W '(objectClass=*)' '*' '+' > /var/cella/ldap-dump.ldif
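The same hot backup as a script you can run from cron, as an added example that is not part of the original page: it binds as the backup DN over mandatory StartTLS, refuses to keep an empty dump (the symptom of a missing limits entry or a bad ACL), writes the file with mode 0600 under an atomic rename, and prunes old copies. The password file /etc/openldap/cella.secret, the LDAP_BACKUP_* variables and the retention count are assumptions.

```shell
#!/bin/sh
# Added example, not part of the page: hot backup of a running slapd over
# StartTLS as the dedicated backup DN. Assumptions: the bind password is in
# /etc/openldap/cella.secret (root-owned, mode 0600) and the backup DN has the
# unlimited limits entry and read access to the attributes you want dumped.
set -eu

# ldap_hot_backup DIR [KEEP]: write DIR/ldap-<timestamp>.ldif (mode 0600),
# keep only the newest KEEP dumps (default 7), print the file name.
# Returns 1 if the search failed or produced no entries.
ldap_hot_backup() {
    dest=$1
    keep=${2:-7}
    bind_dn=${LDAP_BACKUP_DN:-cn=cella,dc=edoceo,dc=com}
    secret=${LDAP_BACKUP_SECRET:-/etc/openldap/cella.secret}
    base=${LDAP_BACKUP_BASE:-dc=edoceo,dc=com}
    mkdir -p "$dest"
    umask 077                                   # the dump holds userPassword hashes
    tmp=$(mktemp "$dest/.ldap-XXXXXX")
    # -ZZ: abort unless StartTLS succeeds; -LLL: plain LDIF without comments;
    # '*' '+': user plus operational attributes (entryUUID, timestamps), so the
    # dump can be reloaded with slapadd as well as ldapadd.
    if ! ldapsearch -x -ZZ -LLL -D "$bind_dn" -y "$secret" -b "$base" \
            '(objectClass=*)' '*' '+' > "$tmp"; then
        rm -f "$tmp"
        echo "ldap_hot_backup: ldapsearch failed" >&2
        return 1
    fi
    if ! grep -q '^dn: ' "$tmp"; then           # a size limit or bad ACL leaves this empty
        rm -f "$tmp"
        echo "ldap_hot_backup: empty dump, nothing written" >&2
        return 1
    fi
    final="$dest/ldap-$(date +%Y%m%d%H%M%S).ldif"
    mv "$tmp" "$final"                          # atomic rename: readers never see a partial file
    ls -1t "$dest"/ldap-*.ldif | tail -n +"$((keep + 1))" | while read -r old; do
        rm -f "$old"
    done
    printf '%s\n' "$final"
}

if [ "${1:-}" ]; then
    ldap_hot_backup "$1" "${2:-7}"
fi
```

Invoke it as `sh ldap-backup.sh /var/cella 14` from root's crontab; a non-zero exit means no new dump was written, which is what you want a monitoring job to alert on rather than silently rotating away the last good copy.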
