Difference between revisions of "LDAP"
From Stadm
Jump to navigationJump to search (→TLS) |
(→Server) |
||
| (11 intermediate revisions by the same user not shown) | |||
| Line 4: | Line 4: | ||
==Firewall== | ==Firewall== | ||
*firewall settings | *firewall settings | ||
| + | |||
==Install== | ==Install== | ||
yum install openldap-servers openldap-clients | yum install openldap-servers openldap-clients | ||
| Line 70: | Line 71: | ||
**LDAPS is directed at port 636 | **LDAPS is directed at port 636 | ||
**ldap + start_tls is directed at port 389 | **ldap + start_tls is directed at port 389 | ||
| + | |||
| + | *create .db files | ||
| + | mkdir /etc/openldap/certs | ||
| + | modutil -create -dbdir /etc/openldap/certs | ||
| + | |||
| + | echo "password" > /etc/openldap/certs/password | ||
| + | echo falkdjfdajkhfaksj >> noise.txt | ||
| + | |||
| + | certutil -N -d . -f /etc/openldap/certs/password | ||
| + | certutil -G -d . -z noise.txt -f /etc/openldap/certs/password | ||
| + | certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password | ||
| + | pk12util -d . -o cacert.p12 -n "CA certificate" | ||
| + | pk12util -d . -o servercert.p12 -n "OpenLDAP Server" | ||
| + | certutil -L -d . -n "CA certificate" -a > /etc/openldap/certs/cacert.pem | ||
| + | chmod 644 * | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
*make sure openssl is insatlled and navigate to /etc/pki/tls/misc | *make sure openssl is insatlled and navigate to /etc/pki/tls/misc | ||
cd /etc/pki/tls/misc | cd /etc/pki/tls/misc | ||
| Line 89: | Line 112: | ||
chmod 400 /etc/pki/tls/misc/slapd-* | chmod 400 /etc/pki/tls/misc/slapd-* | ||
| − | *now navigate to /etc/openldap/ and open | + | *now navigate to /etc/openldap/slapd.d and open cn=config.ldif |
| − | vim /etc/openldap/ | + | vim /etc/openldap/slapd.conn |
| − | + | *change or add the following attributes | |
| − | + | olcTLSCipherSuite HIGH | |
| − | + | olcTLSCACertificatePath /etc/openldap/cacerts/ | |
| − | + | olcTLSCertificateFile /etc/openldap/slapdcert.pem | |
| − | + | olcTLSCertificateKeyFile /etc/openldap/slapdkey.pem | |
| − | TLS_CACERTDIR /etc/openldap/cacerts | + | olcTLSVerifyClient: True |
| − | TLS_REQCERT | + | *add the following to /etc/openldap/ldap.conf |
| − | ssl start_tls | + | TLS_CACERTDIR /etc/openldap/cacerts |
| − | tls_checkpeer yes | + | TLS_REQCERT demand |
| − | tls_cacertfile /etc/openldap/cacerts/cacert.pem | + | ssl start_tls |
| − | + | tls_checkpeer yes | |
| − | + | tls_cacertfile /etc/openldap/cacerts/cacert.pem | |
| − | # rootdn can always read and write EVERYTHING! | + | *and access settings to ldap.conf |
| − | # enable on-the-fly configuration (cn=config) | + | # rootdn can always read and write EVERYTHING! |
| − | database config | + | # enable on-the-fly configuration (cn=config) |
| − | access to * | + | database config |
| − | + | access to * | |
| − | + | by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage | |
| − | # enable server status monitoring (cn=monitor) | + | by * none |
| − | database monitor | + | #enable server status monitoring (cn=monitor) |
| − | access to * | + | database monitor |
| − | + | access to * | |
| − | + | by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read | |
| − | + | by dn.exact="cn=Manager,dc=domain,dc=name,dc=com" read | |
| − | access to attrs=shadowLastChange,userPassword | + | by * none |
| − | + | access to attrs=shadowLastChange,userPassword | |
| − | + | by self write | |
| − | access to * | + | by * auth |
| − | + | access to * | |
| + | by * read | ||
==Server== | ==Server== | ||
| Line 131: | Line 155: | ||
vim slapd.conf | vim slapd.conf | ||
*make sure samba schema is included | *make sure samba schema is included | ||
| − | + | cd ~/samba-master/example/ldap | |
| + | cp ~/samba-master/example/ldap/samba.schema /etc/openldap/schema | ||
| + | cp ~/samba-master/example/ldap/samba.ldif /etc/openldap/schema | ||
| + | |||
*in slapd.conf, proper access settings!!!!! | *in slapd.conf, proper access settings!!!!! | ||
*must copy over schema and configure properly in cn=config | *must copy over schema and configure properly in cn=config | ||
| Line 185: | Line 212: | ||
*http://www.6tech.org/2013/01/ldap-server-and-centos-6-3/ | *http://www.6tech.org/2013/01/ldap-server-and-centos-6-3/ | ||
*http://www.overclockers.com/forums/showthread.php?t=726947 | *http://www.overclockers.com/forums/showthread.php?t=726947 | ||
| + | *LDAP | ||
| + | *http://www.refamco.ca/14-centos-6-4-ldap-authentication | ||
| + | *http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html. | ||
| + | *http://spectlog.com/content/Create_Certificate_Authority_(CA)_instead_of_using_self-signed_Certificates | ||
==ldap commands== | ==ldap commands== | ||
Latest revision as of 13:21, 12 November 2013
OpenLDAP
Firewall
- firewall settings
Install
yum install openldap-servers openldap-clients
- ldap needs a parameter(DB_CONFIG.example) file to start new database, located /usr/share/openldap-servers/
- copy parameter file to the ldap directory /var/lib/ldap
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- change owner of ldap directory or just ldap user
chown -R ldap:ldap /var/lib/ldap
- create password hash using slappasswd to set Administrator Password
slappasswd
- after typing in password twice save the output hash to set it as your administrator password
- change to config directory of slapd
cd /etc/openldap/slapd.d/cn\=config
- edit the bdb.ldif
vim olcDatabase\=\{2\}bdb.ldif
- substitute dc=my-domain,dc=com to dc=domain,dc=name,dc=edu
:%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
- create the attribute olcRootPW if not in the file already and paste the password hash rite next to it
olcRootPW; {SSHA}4MOp5CcslBEaMQLVRSfloqwvF/QIV5K1
- do not use hash above, just a hash for "text" to show example
- save the file
- modify olcDatabase={1}monitor.ldif so that the root iser matches the changes you made to bdb.ldif
vim olcDatabase\=\{1\}monitor.ldif
:%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
- your new root user for ldap is the user you created (Manager) under your domain and the password is set with the hash under olcRootPW
- Now edit bdb.ldif again so that you can hide password hashes from users in the ldap
vim olcDatabase\=\{2\}bdb.ldif
- add these two lines at the bottom of the file
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by self write by * read
- now it is time to manually create the head of the ldap tree, navigate to /etc/openldap and create a directory called setup
mkdir /etc/openldap/setup cd /etc/openldap/setup
- in this directory create an ldif file with filename base.ldif in setup directory
vim base.ldif
- in this file include the following lines, replacing dc=domain,dc=name,dc=edu with the name of your domain
dn: dc=domain,dc=name,dc=edu dc: domainname objectClass: top objectClass: domain dn: ou=People,dc=domain,dc=name,dc=edu ou: People objectClass: top objectClass: organizationalUnit dn: ou=Groups,dc=domain,dc=name,dc=edu ou: Groups objectClass: top objectClass: organizationalUnit dn: ou=Computers,dc=domain,dc=name,dc=edu ou: Computers objectClass: top objectClass: organizationalUnit
- add the base ou to the ldap using the administrator account created in the steps above
ldapadd -D "cn=Manager,dc=domain,dc=name,dc=edu" -W -f base.ldif
- if you get an error "ldapadd: command not found", you need to install openldap-clients to get the ldapadd and search commnads
- verify that the ou got added by performing an ldap search
ldapsearch -x -b dc=domain,dc=name,dc=edu
- return results should be the ou's you added with base.ldif
TLS
- the following shows how to enable start_tls with your ldap server
- important things to remember:
- LDAPS is directed at port 636
- ldap + start_tls is directed at port 389
- create .db files
mkdir /etc/openldap/certs modutil -create -dbdir /etc/openldap/certs echo "password" > /etc/openldap/certs/password echo falkdjfdajkhfaksj >> noise.txt certutil -N -d . -f /etc/openldap/certs/password certutil -G -d . -z noise.txt -f /etc/openldap/certs/password certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password pk12util -d . -o cacert.p12 -n "CA certificate" pk12util -d . -o servercert.p12 -n "OpenLDAP Server" certutil -L -d . -n "CA certificate" -a > /etc/openldap/certs/cacert.pem chmod 644 *
- make sure openssl is insatlled and navigate to /etc/pki/tls/misc
cd /etc/pki/tls/misc ./CA -newca openssl req -new -nodes -subj '/CN=ldap.domain.name.edu/O=University of California Santa Barbara/C=US/ST=California/L=Santa Barbara' -keyout slapd-key.pem -out slapd-req.pem -days 3650 openssl ca -out slapd-cert.pem -infiles slapd-req.pem
- copy over certs to appropriate directories, enforce strict permissions onto who can read these files
cp -p slapd-key.pem /etc/openldap/slapdkey.pem cp -p slapd-cert.pem /etc/openldap/slapdcert.pem chown ldap:ldap /etc/openldap/slapdcert.pem chmod 644 /etc/openldap/slapdcert.pem chown ldap:ldap /etc/openldap/slapdkey.pem chmod 400 /etc/openldap/slapdkey.pem mkdir /etc/openldap/cacerts/ cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/cacert.pem chown ldap:ldap /etc/openldap/cacerts/cacert.pem chmod 644 /etc/openldap/cacerts/cacert.pem chmod 400 /etc/pki/tls/misc/slapd-*
- now navigate to /etc/openldap/slapd.d and open cn=config.ldif
vim /etc/openldap/slapd.conn
- change or add the following attributes
olcTLSCipherSuite HIGH olcTLSCACertificatePath /etc/openldap/cacerts/ olcTLSCertificateFile /etc/openldap/slapdcert.pem olcTLSCertificateKeyFile /etc/openldap/slapdkey.pem olcTLSVerifyClient: True
- add the following to /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts TLS_REQCERT demand ssl start_tls tls_checkpeer yes tls_cacertfile /etc/openldap/cacerts/cacert.pem
- and access settings to ldap.conf
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
#enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=domain,dc=name,dc=com" read
by * none
access to attrs=shadowLastChange,userPassword
by self write
by * auth
access to *
by * read
Server
cd /etc/opendlap
- configuration ldap.conf
URI ldap://servername.domainl.name.edu/ BASE dc=domain,dc=name,dc=edu TLS_CACERTDIR /etc/openldap/certs TLS_REQCERT allow
- CA certs generated and stored in certs folder
vim slapd.conf
- make sure samba schema is included
cd ~/samba-master/example/ldap cp ~/samba-master/example/ldap/samba.schema /etc/openldap/schema cp ~/samba-master/example/ldap/samba.ldif /etc/openldap/schema
- in slapd.conf, proper access settings!!!!!
- must copy over schema and configure properly in cn=config
vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}bdb.ldif
- change olcSuffix, olcRootDN, olcRootPW
- add samba schema ldif to appropitae location
cd /etc/openldap/slapd.d/cn=config/cn=schema
- samba.schema ldif should be named cn={##}samba.ldif //## is line number in ldap.conf
Client
vim /etc/ldap.conf
TLS_REQCERT allow TLS_CACERTDIR /etc/openldap/cacerts URI ldap://servername.domain.name.edu BASE dc=domain,dc=name,dc=edu
vim pam_ldap.conf
tls_checkpeer yes tls_cacertdir /etc/openldap/cacerts uri ldap://servename.domain.name.edu base dc=domain,dc=name,dc=edu host 128.***.***.*** ssl start_tls pam_password exop nss_base_passwd ou=People,dc=domain,dc=name,dc=edu nss_base_shadow ou=People,dc=domain,dc=name,dc=edu nss_base_group ou=Groups,dc=domain,dc=name,dc=edu
- vim /etc/smbldap-tools/smbldap.conf
- vim /etc/smbldap-tools/smbldap_bind.conf
- yum install sssd
authconfig --enablesssd --enablesssdauth --enablecachecreds --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://servername.domain.name.edu --ldapbasedn=dc=domain,dc=name,dc=edu --disablenis --disablekrb5 --enableshadow --enablemkhomedir --enablelocauthorize --passalgo=sha512 --updateall
- add the following to sssd.conf in /etc/sssd/
ldap_tls_reqcert = allow ldap_schema = rfc2307bis ldap_user_fullname = displayName ldap_user_search_base = ou=People,dc=domain,dc=name,dc=edu ldap_group_search_base = ou=Group,dc=domain,dc=name,dc=edu ldap_group_member = member ldap_group_nesting_level = 4 ldap_default_bind_dn = cn=Manager,dc=domain,dc=name,dc=edu ldap_default_authtok_type = password ldap_default_authtok = secret debug_level = 8
- test an ldap user using id command to verify working
Links
- http://wiki.bluelightav.org/display/BLUE/How+to+integrate+Samba+with+LDAP
- http://wiki.openiam.com/pages/viewpage.action?pageId=7635198
- http://www.unixmen.com/setup-directory-serverldap-in-centos-6-4-rhel-6-4/
- http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1-setup/installSetup/settingUpOpenLDAPOnCentos6.htm
- http://www.6tech.org/2013/01/ldap-server-and-centos-6-3/
- http://www.overclockers.com/forums/showthread.php?t=726947
- LDAP
- http://www.refamco.ca/14-centos-6-4-ldap-authentication
- http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html.
- http://spectlog.com/content/Create_Certificate_Authority_(CA)_instead_of_using_self-signed_Certificates
ldap commands
- useful:
- delete by dn, enter every dn you want to delete
ldapdelete -v -c -D "cn=Manager,dc=domain,dc=name,dc=edu" -W
- populate ldap with Windows accounts
smbldap-populate
