Difference between revisions of "LDAP"

From Stadm
Jump to navigationJump to search
 
(43 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
[[Category:Projects]]
 +
 
==OpenLDAP==
 
==OpenLDAP==
===Server===
+
==Firewall==
 +
*firewall settings
 +
 
 +
==Install==
 +
yum install openldap-servers openldap-clients
 +
*ldap needs a parameter(DB_CONFIG.example) file to start new database, located /usr/share/openldap-servers/
 +
*copy parameter file to the ldap directory /var/lib/ldap
 +
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
 +
*change owner of ldap directory or just ldap user
 +
chown -R ldap:ldap /var/lib/ldap
 +
*create password hash using slappasswd to set Administrator Password
 +
slappasswd
 +
*after typing in password twice save the output hash to set it as your administrator password
 +
*change to config directory of slapd
 +
cd /etc/openldap/slapd.d/cn\=config
 +
*edit the bdb.ldif
 +
vim olcDatabase\=\{2\}bdb.ldif
 +
*substitute dc=my-domain,dc=com to dc=domain,dc=name,dc=edu
 +
:%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
 +
*create the attribute olcRootPW if not in the file already and paste the password hash rite next to it
 +
olcRootPW; {SSHA}4MOp5CcslBEaMQLVRSfloqwvF/QIV5K1
 +
*do not use hash above, just a hash for "text" to show example
 +
*save the file
 +
*modify olcDatabase={1}monitor.ldif so that the root iser matches the changes you made to bdb.ldif
 +
vim olcDatabase\=\{1\}monitor.ldif
 +
:%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
 +
*your new root user for ldap is the user you created (Manager) under your domain and the password is set with the hash under olcRootPW
 +
*Now edit bdb.ldif again so that you can hide password hashes from users in the ldap
 +
  vim olcDatabase\=\{2\}bdb.ldif
 +
*add these two lines at the bottom of the file
 +
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by anonymous auth by * none
 +
olcAccess: {1}to * by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by self write by * read
 +
*now it is time to manually create the head of the ldap tree, navigate to /etc/openldap and create a directory called setup
 +
mkdir /etc/openldap/setup
 +
cd /etc/openldap/setup
 +
*in this directory create an ldif file with filename base.ldif in setup directory
 +
vim base.ldif
 +
*in this file include the following lines, replacing dc=domain,dc=name,dc=edu with the name of your domain
 +
dn: dc=domain,dc=name,dc=edu
 +
dc: domainname
 +
objectClass: top
 +
objectClass: domain
 +
 +
dn: ou=People,dc=domain,dc=name,dc=edu
 +
ou: People
 +
objectClass: top
 +
objectClass: organizationalUnit
 +
 +
dn: ou=Groups,dc=domain,dc=name,dc=edu
 +
ou: Groups
 +
objectClass: top
 +
objectClass: organizationalUnit
 +
 +
dn: ou=Computers,dc=domain,dc=name,dc=edu
 +
ou: Computers
 +
objectClass: top
 +
objectClass: organizationalUnit
 +
*add the base ou to the ldap using the administrator account created in the steps above
 +
ldapadd -D "cn=Manager,dc=domain,dc=name,dc=edu" -W -f base.ldif
 +
*if you get an error "ldapadd: command not found", you need to install openldap-clients to get the ldapadd and search commnads
 +
*verify that the ou got added by performing an ldap search
 +
ldapsearch -x -b dc=domain,dc=name,dc=edu
 +
*return results should be the ou's you added with base.ldif
 +
 
 +
==TLS==
 +
*the following shows how to enable start_tls with your ldap server
 +
*important things to remember:
 +
**LDAPS is directed at port 636
 +
**ldap + start_tls is directed at port 389
 +
 
 +
*create .db files
 +
mkdir /etc/openldap/certs
 +
modutil -create -dbdir /etc/openldap/certs
 +
 +
echo "password" > /etc/openldap/certs/password
 +
echo falkdjfdajkhfaksj >> noise.txt
 +
 +
certutil -N -d . -f /etc/openldap/certs/password
 +
certutil -G -d . -z noise.txt -f /etc/openldap/certs/password
 +
certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password
 +
pk12util -d . -o cacert.p12 -n "CA certificate"
 +
pk12util -d . -o servercert.p12 -n "OpenLDAP Server"
 +
certutil -L -d . -n "CA certificate" -a > /etc/openldap/certs/cacert.pem
 +
chmod 644 *
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
 
 +
*make sure openssl is insatlled and navigate to /etc/pki/tls/misc
 +
cd /etc/pki/tls/misc
 +
./CA -newca
 +
openssl req -new -nodes -subj '/CN=ldap.domain.name.edu/O=University of California Santa Barbara/C=US/ST=California/L=Santa Barbara' -keyout slapd-key.pem -out slapd-req.pem -days 3650
 +
openssl ca -out slapd-cert.pem -infiles slapd-req.pem
 +
*copy over certs to appropriate directories, enforce strict permissions onto who can read these files
 +
 
 +
cp -p slapd-key.pem /etc/openldap/slapdkey.pem
 +
cp -p slapd-cert.pem /etc/openldap/slapdcert.pem
 +
chown ldap:ldap /etc/openldap/slapdcert.pem
 +
chmod 644 /etc/openldap/slapdcert.pem
 +
chown ldap:ldap /etc/openldap/slapdkey.pem
 +
chmod 400 /etc/openldap/slapdkey.pem
 +
mkdir /etc/openldap/cacerts/
 +
cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/cacert.pem
 +
chown ldap:ldap /etc/openldap/cacerts/cacert.pem
 +
chmod 644 /etc/openldap/cacerts/cacert.pem
 +
chmod 400 /etc/pki/tls/misc/slapd-*
 +
 
 +
*now navigate to /etc/openldap/slapd.d and open cn=config.ldif
 +
vim /etc/openldap/slapd.conn
 +
*change or add the following attributes
 +
olcTLSCipherSuite HIGH
 +
olcTLSCACertificatePath /etc/openldap/cacerts/
 +
olcTLSCertificateFile /etc/openldap/slapdcert.pem
 +
olcTLSCertificateKeyFile /etc/openldap/slapdkey.pem
 +
olcTLSVerifyClient: True
 +
*add the following to /etc/openldap/ldap.conf
 +
TLS_CACERTDIR /etc/openldap/cacerts
 +
TLS_REQCERT demand
 +
ssl start_tls
 +
tls_checkpeer yes
 +
tls_cacertfile /etc/openldap/cacerts/cacert.pem
 +
*and access settings to ldap.conf
 +
# rootdn can always read and write EVERYTHING!
 +
# enable on-the-fly configuration (cn=config)
 +
database config
 +
access to *
 +
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 +
        by * none
 +
#enable server status monitoring (cn=monitor)
 +
database monitor
 +
access to *
 +
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
 +
        by dn.exact="cn=Manager,dc=domain,dc=name,dc=com" read
 +
        by * none
 +
access to attrs=shadowLastChange,userPassword
 +
    by self write
 +
    by * auth
 +
access to *
 +
    by * read
 +
 
 +
==Server==
 
  cd /etc/opendlap
 
  cd /etc/opendlap
 
*configuration ldap.conf
 
*configuration ldap.conf
Line 10: Line 155:
 
  vim slapd.conf
 
  vim slapd.conf
 
*make sure samba schema is included
 
*make sure samba schema is included
  include /etc/openldap/schema/samba.schema
+
  cd ~/samba-master/example/ldap
 +
cp ~/samba-master/example/ldap/samba.schema    /etc/openldap/schema
 +
cp ~/samba-master/example/ldap/samba.ldif    /etc/openldap/schema
 +
 
 
*in slapd.conf, proper access settings!!!!!
 
*in slapd.conf, proper access settings!!!!!
 
*must copy over schema and configure properly in cn=config
 
*must copy over schema and configure properly in cn=config
Line 19: Line 167:
 
*samba.schema ldif should be named cn={##}samba.ldif      //## is line number in ldap.conf
 
*samba.schema ldif should be named cn={##}samba.ldif      //## is line number in ldap.conf
  
===Client===
+
==Client==
 
vim /etc/ldap.conf
 
vim /etc/ldap.conf
 
  TLS_REQCERT allow
 
  TLS_REQCERT allow
Line 56: Line 204:
 
  debug_level = 8
 
  debug_level = 8
 
*test an ldap user using id command to verify working
 
*test an ldap user using id command to verify working
 +
 +
==Links==
 +
*http://wiki.bluelightav.org/display/BLUE/How+to+integrate+Samba+with+LDAP
 +
*http://wiki.openiam.com/pages/viewpage.action?pageId=7635198
 +
*http://www.unixmen.com/setup-directory-serverldap-in-centos-6-4-rhel-6-4/
 +
*http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1-setup/installSetup/settingUpOpenLDAPOnCentos6.htm
 +
*http://www.6tech.org/2013/01/ldap-server-and-centos-6-3/
 +
*http://www.overclockers.com/forums/showthread.php?t=726947
 +
*LDAP
 +
*http://www.refamco.ca/14-centos-6-4-ldap-authentication
 +
*http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html.
 +
*http://spectlog.com/content/Create_Certificate_Authority_(CA)_instead_of_using_self-signed_Certificates
 +
 
==ldap commands==
 
==ldap commands==
 
*useful:
 
*useful:
 
*delete by dn, enter every dn you want to delete
 
*delete by dn, enter every dn you want to delete
 
  ldapdelete -v -c -D "cn=Manager,dc=domain,dc=name,dc=edu" -W
 
  ldapdelete -v -c -D "cn=Manager,dc=domain,dc=name,dc=edu" -W
 +
*populate ldap with Windows accounts
 +
smbldap-populate

Latest revision as of 13:21, 12 November 2013


OpenLDAP

Firewall

  • firewall settings

Install

yum install openldap-servers openldap-clients
  • ldap needs a parameter(DB_CONFIG.example) file to start new database, located /usr/share/openldap-servers/
  • copy parameter file to the ldap directory /var/lib/ldap
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  • change owner of ldap directory or just ldap user
chown -R ldap:ldap /var/lib/ldap
  • create password hash using slappasswd to set Administrator Password
slappasswd
  • after typing in password twice save the output hash to set it as your administrator password
  • change to config directory of slapd
cd /etc/openldap/slapd.d/cn\=config
  • edit the bdb.ldif
vim olcDatabase\=\{2\}bdb.ldif
  • substitute dc=my-domain,dc=com to dc=domain,dc=name,dc=edu
:%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
  • create the attribute olcRootPW if not in the file already and paste the password hash rite next to it
olcRootPW; {SSHA}4MOp5CcslBEaMQLVRSfloqwvF/QIV5K1
  • do not use hash above, just a hash for "text" to show example
  • save the file
  • modify olcDatabase={1}monitor.ldif so that the root iser matches the changes you made to bdb.ldif
vim olcDatabase\=\{1\}monitor.ldif
:%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
  • your new root user for ldap is the user you created (Manager) under your domain and the password is set with the hash under olcRootPW
  • Now edit bdb.ldif again so that you can hide password hashes from users in the ldap
 vim olcDatabase\=\{2\}bdb.ldif
  • add these two lines at the bottom of the file
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by self write by * read
  • now it is time to manually create the head of the ldap tree, navigate to /etc/openldap and create a directory called setup
mkdir /etc/openldap/setup 
cd /etc/openldap/setup
  • in this directory create an ldif file with filename base.ldif in setup directory
vim base.ldif
  • in this file include the following lines, replacing dc=domain,dc=name,dc=edu with the name of your domain
dn: dc=domain,dc=name,dc=edu
dc: domainname
objectClass: top
objectClass: domain

dn: ou=People,dc=domain,dc=name,dc=edu
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=domain,dc=name,dc=edu
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Computers,dc=domain,dc=name,dc=edu
ou: Computers
objectClass: top
objectClass: organizationalUnit
  • add the base ou to the ldap using the administrator account created in the steps above
ldapadd -D "cn=Manager,dc=domain,dc=name,dc=edu" -W -f base.ldif
  • if you get an error "ldapadd: command not found", you need to install openldap-clients to get the ldapadd and search commnads
  • verify that the ou got added by performing an ldap search
ldapsearch -x -b dc=domain,dc=name,dc=edu
  • return results should be the ou's you added with base.ldif

TLS

  • the following shows how to enable start_tls with your ldap server
  • important things to remember:
    • LDAPS is directed at port 636
    • ldap + start_tls is directed at port 389
  • create .db files
mkdir /etc/openldap/certs
modutil -create -dbdir /etc/openldap/certs

echo "password" > /etc/openldap/certs/password
echo falkdjfdajkhfaksj >> noise.txt

certutil -N -d . -f /etc/openldap/certs/password
certutil -G -d . -z noise.txt -f /etc/openldap/certs/password
certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password
pk12util -d . -o cacert.p12 -n "CA certificate"
pk12util -d . -o servercert.p12 -n "OpenLDAP Server"
certutil -L -d . -n "CA certificate" -a > /etc/openldap/certs/cacert.pem
chmod 644 *




  • make sure openssl is insatlled and navigate to /etc/pki/tls/misc
cd /etc/pki/tls/misc
./CA -newca
openssl req -new -nodes -subj '/CN=ldap.domain.name.edu/O=University of California Santa Barbara/C=US/ST=California/L=Santa Barbara' -keyout slapd-key.pem -out slapd-req.pem -days 3650
openssl ca -out slapd-cert.pem -infiles slapd-req.pem
  • copy over certs to appropriate directories, enforce strict permissions onto who can read these files
cp -p slapd-key.pem /etc/openldap/slapdkey.pem
cp -p slapd-cert.pem /etc/openldap/slapdcert.pem
chown ldap:ldap /etc/openldap/slapdcert.pem
chmod 644 /etc/openldap/slapdcert.pem
chown ldap:ldap /etc/openldap/slapdkey.pem
chmod 400 /etc/openldap/slapdkey.pem
mkdir /etc/openldap/cacerts/
cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/cacert.pem
chown ldap:ldap /etc/openldap/cacerts/cacert.pem
chmod 644 /etc/openldap/cacerts/cacert.pem
chmod 400 /etc/pki/tls/misc/slapd-*
  • now navigate to /etc/openldap/slapd.d and open cn=config.ldif
vim /etc/openldap/slapd.conn
  • change or add the following attributes
olcTLSCipherSuite HIGH
olcTLSCACertificatePath /etc/openldap/cacerts/
olcTLSCertificateFile /etc/openldap/slapdcert.pem
olcTLSCertificateKeyFile /etc/openldap/slapdkey.pem
olcTLSVerifyClient: True
  • add the following to /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
  • and access settings to ldap.conf
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
#enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=domain,dc=name,dc=com" read
        by * none
access to attrs=shadowLastChange,userPassword
   by self write
   by * auth
access to *
   by * read

Server

cd /etc/opendlap
  • configuration ldap.conf
URI     ldap://servername.domainl.name.edu/
BASE    dc=domain,dc=name,dc=edu
TLS_CACERTDIR   /etc/openldap/certs
TLS_REQCERT     allow
  • CA certs generated and stored in certs folder
vim slapd.conf
  • make sure samba schema is included
cd ~/samba-master/example/ldap
cp ~/samba-master/example/ldap/samba.schema     /etc/openldap/schema
cp ~/samba-master/example/ldap/samba.ldif     /etc/openldap/schema
  • in slapd.conf, proper access settings!!!!!
  • must copy over schema and configure properly in cn=config
vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}bdb.ldif
  • change olcSuffix, olcRootDN, olcRootPW
  • add samba schema ldif to appropitae location
cd /etc/openldap/slapd.d/cn=config/cn=schema
  • samba.schema ldif should be named cn={##}samba.ldif //## is line number in ldap.conf

Client

vim /etc/ldap.conf 

TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://servername.domain.name.edu
BASE dc=domain,dc=name,dc=edu

vim pam_ldap.conf 

tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
uri ldap://servename.domain.name.edu
base dc=domain,dc=name,dc=edu
host 128.***.***.***
ssl start_tls
pam_password exop
nss_base_passwd ou=People,dc=domain,dc=name,dc=edu
nss_base_shadow ou=People,dc=domain,dc=name,dc=edu
nss_base_group  ou=Groups,dc=domain,dc=name,dc=edu
  • vim /etc/smbldap-tools/smbldap.conf
  • vim /etc/smbldap-tools/smbldap_bind.conf
  • yum install sssd

authconfig --enablesssd --enablesssdauth --enablecachecreds --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://servername.domain.name.edu --ldapbasedn=dc=domain,dc=name,dc=edu --disablenis --disablekrb5 --enableshadow --enablemkhomedir --enablelocauthorize --passalgo=sha512 --updateall

  • add the following to sssd.conf in /etc/sssd/
ldap_tls_reqcert = allow
ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = ou=People,dc=domain,dc=name,dc=edu
ldap_group_search_base = ou=Group,dc=domain,dc=name,dc=edu
ldap_group_member = member
ldap_group_nesting_level = 4
ldap_default_bind_dn = cn=Manager,dc=domain,dc=name,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = secret
debug_level = 8
  • test an ldap user using id command to verify working

Links

ldap commands

  • useful:
  • delete by dn, enter every dn you want to delete
ldapdelete -v -c -D "cn=Manager,dc=domain,dc=name,dc=edu" -W
  • populate ldap with Windows accounts

smbldap-populate

Retrieved from "http://wiki-stadm.eri.ucsb.edu/index.php?title=LDAP&oldid=2331"