OpenLDAP w/TLS Installation and Configuration
OpenLDAP is a mature reliable Open Source software package that implement an RFC 2251 service. This allows an organization to have a single point of data for User, Group, Computers and other items in their operating domain. Many other Open Source software packages can be configured to use LDAP for authentication and account information including Apache, Samba, Pure-ftpd, Postfix, Courier and many others. This document describes how to install and perform the baseline configurations necessary for a TLS enabled OpenLDAP server on Gentoo
Install OpenLDAP and Extras
emerge openldap pam_ldap nss_ldap
Create Necessary X.509 Certificates
The Directory will contain data that must remain secure and we will require all communications happen over a TLS connection.
This configuration will not use the non-standard LDAPS options.
We will need certificates and keys for the slapd
server and for any clients that connect to this server.
This list below demonstrates where we are storing keys, it does not cover creating or signing the keys.
- slapd - /etc/ssl/private/slapd.{pem,key}
- ldap tools - ~/.ssl/ldap-client.{pem,key}
- nss_ldap - /etc/ssl/private/nss_ldap.{pem,key}
- pam_ldap - /etc/ssl/private/pam_ldap.{pem,key}
- smbldap-tools - /etc/ssl/private/smbldap-tools.{pem,key}
Configure slapd
Update /etc/openldap/slapd.conf
to contain the following.
Substitute the proper domain information where necessary.
A very key entry here is security tls=1
, this is what forces TLS mode, there are more options here, see the man page.
password-hash {SHA} security tls=1 TLSCACertificateFile /etc/ssl/private/ca.pem TLSCertificateFile /etc/ssl/private/slapd.pem TLSCertificateKeyFile /etc/ssl/private/slapd.key TLSVerifyClient demand suffix "dc=edoceo,dc=com" rootdn "cn=root,dc=edoceo,dc=com" rootpw "{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M="
The value for rootpw
is obtained as below.
slappasswd -h {sha}
Configure OpenLDAP Tools
Configure the system wide LDAP tools. The FQDN used in the URI value must match the CN value of the servers certificate.
/etc/openldap/ldap.conf BASE dc=edoceo, dc=com URI ldap://ldap.edoceo.com/ TLS_CACERT /etc/ssl/private/ca.pem TLS_REQCERT demand
Create a ~/.ldaprc
file in the users home directory.
Create the Client certificate and keys and move them into ~/.ssl/ldap-client.{key,pem}
.
Update ~/.ldaprc
with the following, the paths must be hard coded.
TLS_CERT /home/user/.ssl/ldap-client.pem TLS_KEY /home/user/.ssl/ldap-client.key
Configure PAM and NSS
Update the PAM auth files to look to ldap, merge what's below into the existing PAM file. Ensure to put pam_ldap above pam_deny.
cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so account required pam_ldap.so password sufficient pam_ldap.so use_authtok use_first_pass password required pam_deny.so session optional pam_ldap.so
With newer version of the nss_ldap package be sure to set bind_policy correctly or else boot and slapd restart will be very slow.
/etc/ldap.conf base dc=edoceo,dc=com bind_policy soft ldap_version 3 rootbinddn cn=root,dc=edoceo,dc=com ssl start_tls ssl on scope one suffix "dc=edoceo,dc=com" uri ldap://ldap.edoceo.com/ pam_password exop pam_filter objectclass=posixAccount pam_login_attribute uid pam_member_attribute memberuid nss_base_passwd ou=People,dc=genfic,dc=com nss_base_shadow ou=People,dc=genfic,dc=com nss_base_group ou=Group,dc=genfic,dc=com nss_base_hosts ou=Hosts,dc=genfic,dc=com
/etc/nsswitch.conf passwd: files ldap group: files ldap shadow: files ldap
Test
Execute this command to run slapd in the foreground.
If the configuration is OK the final line should read slapd starting
.
/usr/lib/openldap/slapd -u ldap -g ldap -d3
If that test is successfult then start the slapd service.
/etc/init.d/slapd start
Now perform queries into the Directory using ldapsearch
.
ldapsearch
This should fail with ldapsearch -Z ldapsearch -ZZ
Backup LDAP Directory
If slapd
is not running use slapcat
to dump the entire directory.
To perform hot-backup of the LDAP system configure a special user and use ldapsearch
Configure a user that can run unlimited queries.
# This is my backup/archive user limits dn.exact="cn=cella,dc=edoceo,dc=lan" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
Dump the entire directory, while running, using ldapsearch
ldapsearch -D 'cn=cella,dc=edoceo,dc=lan' > /var/cella/ldap-dump.ldif
See Also
- Creating and Maintaing an OpenLDAP Directory - Add and Modify users from the command line.
- Gentoo Guide - OpenLDAP
- OpenLDAP with TLS
- NSS_LDAP and the bind_policy
ChangeLog
- 20 Feb 2007 - Created /djb