Difference between revisions of "LDAP"
From Stadm
Jump to navigationJump to search (→Server) |
|||
(25 intermediate revisions by the same user not shown) | |||
Line 4: | Line 4: | ||
==Firewall== | ==Firewall== | ||
*firewall settings | *firewall settings | ||
+ | |||
==Install== | ==Install== | ||
yum install openldap-servers openldap-clients | yum install openldap-servers openldap-clients | ||
Line 22: | Line 23: | ||
*create the attribute olcRootPW if not in the file already and paste the password hash rite next to it | *create the attribute olcRootPW if not in the file already and paste the password hash rite next to it | ||
olcRootPW; {SSHA}4MOp5CcslBEaMQLVRSfloqwvF/QIV5K1 | olcRootPW; {SSHA}4MOp5CcslBEaMQLVRSfloqwvF/QIV5K1 | ||
− | *do not use hash above, just a hash for " | + | *do not use hash above, just a hash for "text" to show example |
*save the file | *save the file | ||
*modify olcDatabase={1}monitor.ldif so that the root iser matches the changes you made to bdb.ldif | *modify olcDatabase={1}monitor.ldif so that the root iser matches the changes you made to bdb.ldif | ||
Line 64: | Line 65: | ||
ldapsearch -x -b dc=domain,dc=name,dc=edu | ldapsearch -x -b dc=domain,dc=name,dc=edu | ||
*return results should be the ou's you added with base.ldif | *return results should be the ou's you added with base.ldif | ||
+ | |||
+ | ==TLS== | ||
+ | *the following shows how to enable start_tls with your ldap server | ||
+ | *important things to remember: | ||
+ | **LDAPS is directed at port 636 | ||
+ | **ldap + start_tls is directed at port 389 | ||
+ | |||
+ | *create .db files | ||
+ | mkdir /etc/openldap/certs | ||
+ | modutil -create -dbdir /etc/openldap/certs | ||
− | ===Server | + | echo "password" > /etc/openldap/certs/password |
+ | echo falkdjfdajkhfaksj >> noise.txt | ||
+ | |||
+ | certutil -N -d . -f /etc/openldap/certs/password | ||
+ | certutil -G -d . -z noise.txt -f /etc/openldap/certs/password | ||
+ | certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password | ||
+ | pk12util -d . -o cacert.p12 -n "CA certificate" | ||
+ | pk12util -d . -o servercert.p12 -n "OpenLDAP Server" | ||
+ | certutil -L -d . -n "CA certificate" -a > /etc/openldap/certs/cacert.pem | ||
+ | chmod 644 * | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | *make sure openssl is insatlled and navigate to /etc/pki/tls/misc | ||
+ | cd /etc/pki/tls/misc | ||
+ | ./CA -newca | ||
+ | openssl req -new -nodes -subj '/CN=ldap.domain.name.edu/O=University of California Santa Barbara/C=US/ST=California/L=Santa Barbara' -keyout slapd-key.pem -out slapd-req.pem -days 3650 | ||
+ | openssl ca -out slapd-cert.pem -infiles slapd-req.pem | ||
+ | *copy over certs to appropriate directories, enforce strict permissions onto who can read these files | ||
+ | |||
+ | cp -p slapd-key.pem /etc/openldap/slapdkey.pem | ||
+ | cp -p slapd-cert.pem /etc/openldap/slapdcert.pem | ||
+ | chown ldap:ldap /etc/openldap/slapdcert.pem | ||
+ | chmod 644 /etc/openldap/slapdcert.pem | ||
+ | chown ldap:ldap /etc/openldap/slapdkey.pem | ||
+ | chmod 400 /etc/openldap/slapdkey.pem | ||
+ | mkdir /etc/openldap/cacerts/ | ||
+ | cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/cacert.pem | ||
+ | chown ldap:ldap /etc/openldap/cacerts/cacert.pem | ||
+ | chmod 644 /etc/openldap/cacerts/cacert.pem | ||
+ | chmod 400 /etc/pki/tls/misc/slapd-* | ||
+ | |||
+ | *now navigate to /etc/openldap/slapd.d and open cn=config.ldif | ||
+ | vim /etc/openldap/slapd.conn | ||
+ | *change or add the following attributes | ||
+ | olcTLSCipherSuite HIGH | ||
+ | olcTLSCACertificatePath /etc/openldap/cacerts/ | ||
+ | olcTLSCertificateFile /etc/openldap/slapdcert.pem | ||
+ | olcTLSCertificateKeyFile /etc/openldap/slapdkey.pem | ||
+ | olcTLSVerifyClient: True | ||
+ | *add the following to /etc/openldap/ldap.conf | ||
+ | TLS_CACERTDIR /etc/openldap/cacerts | ||
+ | TLS_REQCERT demand | ||
+ | ssl start_tls | ||
+ | tls_checkpeer yes | ||
+ | tls_cacertfile /etc/openldap/cacerts/cacert.pem | ||
+ | *and access settings to ldap.conf | ||
+ | # rootdn can always read and write EVERYTHING! | ||
+ | # enable on-the-fly configuration (cn=config) | ||
+ | database config | ||
+ | access to * | ||
+ | by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage | ||
+ | by * none | ||
+ | #enable server status monitoring (cn=monitor) | ||
+ | database monitor | ||
+ | access to * | ||
+ | by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read | ||
+ | by dn.exact="cn=Manager,dc=domain,dc=name,dc=com" read | ||
+ | by * none | ||
+ | access to attrs=shadowLastChange,userPassword | ||
+ | by self write | ||
+ | by * auth | ||
+ | access to * | ||
+ | by * read | ||
+ | |||
+ | ==Server== | ||
cd /etc/opendlap | cd /etc/opendlap | ||
*configuration ldap.conf | *configuration ldap.conf | ||
Line 75: | Line 155: | ||
vim slapd.conf | vim slapd.conf | ||
*make sure samba schema is included | *make sure samba schema is included | ||
− | + | cd ~/samba-master/example/ldap | |
+ | cp ~/samba-master/example/ldap/samba.schema /etc/openldap/schema | ||
+ | cp ~/samba-master/example/ldap/samba.ldif /etc/openldap/schema | ||
+ | |||
*in slapd.conf, proper access settings!!!!! | *in slapd.conf, proper access settings!!!!! | ||
*must copy over schema and configure properly in cn=config | *must copy over schema and configure properly in cn=config | ||
Line 84: | Line 167: | ||
*samba.schema ldif should be named cn={##}samba.ldif //## is line number in ldap.conf | *samba.schema ldif should be named cn={##}samba.ldif //## is line number in ldap.conf | ||
− | + | ==Client== | |
vim /etc/ldap.conf | vim /etc/ldap.conf | ||
TLS_REQCERT allow | TLS_REQCERT allow | ||
Line 122: | Line 205: | ||
*test an ldap user using id command to verify working | *test an ldap user using id command to verify working | ||
− | + | ==Links== | |
*http://wiki.bluelightav.org/display/BLUE/How+to+integrate+Samba+with+LDAP | *http://wiki.bluelightav.org/display/BLUE/How+to+integrate+Samba+with+LDAP | ||
*http://wiki.openiam.com/pages/viewpage.action?pageId=7635198 | *http://wiki.openiam.com/pages/viewpage.action?pageId=7635198 | ||
Line 129: | Line 212: | ||
*http://www.6tech.org/2013/01/ldap-server-and-centos-6-3/ | *http://www.6tech.org/2013/01/ldap-server-and-centos-6-3/ | ||
*http://www.overclockers.com/forums/showthread.php?t=726947 | *http://www.overclockers.com/forums/showthread.php?t=726947 | ||
+ | *LDAP | ||
+ | *http://www.refamco.ca/14-centos-6-4-ldap-authentication | ||
+ | *http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html. | ||
+ | *http://spectlog.com/content/Create_Certificate_Authority_(CA)_instead_of_using_self-signed_Certificates | ||
==ldap commands== | ==ldap commands== |
Latest revision as of 13:21, 12 November 2013
OpenLDAP
Firewall
- firewall settings
Install
yum install openldap-servers openldap-clients
- ldap needs a parameter(DB_CONFIG.example) file to start new database, located /usr/share/openldap-servers/
- copy parameter file to the ldap directory /var/lib/ldap
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- change owner of ldap directory or just ldap user
chown -R ldap:ldap /var/lib/ldap
- create password hash using slappasswd to set Administrator Password
slappasswd
- after typing in password twice save the output hash to set it as your administrator password
- change to config directory of slapd
cd /etc/openldap/slapd.d/cn\=config
- edit the bdb.ldif
vim olcDatabase\=\{2\}bdb.ldif
- substitute dc=my-domain,dc=com to dc=domain,dc=name,dc=edu
:%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
- create the attribute olcRootPW if not in the file already and paste the password hash rite next to it
olcRootPW; {SSHA}4MOp5CcslBEaMQLVRSfloqwvF/QIV5K1
- do not use hash above, just a hash for "text" to show example
- save the file
- modify olcDatabase={1}monitor.ldif so that the root iser matches the changes you made to bdb.ldif
vim olcDatabase\=\{1\}monitor.ldif :%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
- your new root user for ldap is the user you created (Manager) under your domain and the password is set with the hash under olcRootPW
- Now edit bdb.ldif again so that you can hide password hashes from users in the ldap
vim olcDatabase\=\{2\}bdb.ldif
- add these two lines at the bottom of the file
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by anonymous auth by * none olcAccess: {1}to * by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by self write by * read
- now it is time to manually create the head of the ldap tree, navigate to /etc/openldap and create a directory called setup
mkdir /etc/openldap/setup cd /etc/openldap/setup
- in this directory create an ldif file with filename base.ldif in setup directory
vim base.ldif
- in this file include the following lines, replacing dc=domain,dc=name,dc=edu with the name of your domain
dn: dc=domain,dc=name,dc=edu dc: domainname objectClass: top objectClass: domain dn: ou=People,dc=domain,dc=name,dc=edu ou: People objectClass: top objectClass: organizationalUnit dn: ou=Groups,dc=domain,dc=name,dc=edu ou: Groups objectClass: top objectClass: organizationalUnit dn: ou=Computers,dc=domain,dc=name,dc=edu ou: Computers objectClass: top objectClass: organizationalUnit
- add the base ou to the ldap using the administrator account created in the steps above
ldapadd -D "cn=Manager,dc=domain,dc=name,dc=edu" -W -f base.ldif
- if you get an error "ldapadd: command not found", you need to install openldap-clients to get the ldapadd and search commnads
- verify that the ou got added by performing an ldap search
ldapsearch -x -b dc=domain,dc=name,dc=edu
- return results should be the ou's you added with base.ldif
TLS
- the following shows how to enable start_tls with your ldap server
- important things to remember:
- LDAPS is directed at port 636
- ldap + start_tls is directed at port 389
- create .db files
mkdir /etc/openldap/certs modutil -create -dbdir /etc/openldap/certs echo "password" > /etc/openldap/certs/password echo falkdjfdajkhfaksj >> noise.txt certutil -N -d . -f /etc/openldap/certs/password certutil -G -d . -z noise.txt -f /etc/openldap/certs/password certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /etc/openldap/certs/noise.txt -f /etc/openldap/certs/password pk12util -d . -o cacert.p12 -n "CA certificate" pk12util -d . -o servercert.p12 -n "OpenLDAP Server" certutil -L -d . -n "CA certificate" -a > /etc/openldap/certs/cacert.pem chmod 644 *
- make sure openssl is insatlled and navigate to /etc/pki/tls/misc
cd /etc/pki/tls/misc ./CA -newca openssl req -new -nodes -subj '/CN=ldap.domain.name.edu/O=University of California Santa Barbara/C=US/ST=California/L=Santa Barbara' -keyout slapd-key.pem -out slapd-req.pem -days 3650 openssl ca -out slapd-cert.pem -infiles slapd-req.pem
- copy over certs to appropriate directories, enforce strict permissions onto who can read these files
cp -p slapd-key.pem /etc/openldap/slapdkey.pem cp -p slapd-cert.pem /etc/openldap/slapdcert.pem chown ldap:ldap /etc/openldap/slapdcert.pem chmod 644 /etc/openldap/slapdcert.pem chown ldap:ldap /etc/openldap/slapdkey.pem chmod 400 /etc/openldap/slapdkey.pem mkdir /etc/openldap/cacerts/ cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/cacert.pem chown ldap:ldap /etc/openldap/cacerts/cacert.pem chmod 644 /etc/openldap/cacerts/cacert.pem chmod 400 /etc/pki/tls/misc/slapd-*
- now navigate to /etc/openldap/slapd.d and open cn=config.ldif
vim /etc/openldap/slapd.conn
- change or add the following attributes
olcTLSCipherSuite HIGH olcTLSCACertificatePath /etc/openldap/cacerts/ olcTLSCertificateFile /etc/openldap/slapdcert.pem olcTLSCertificateKeyFile /etc/openldap/slapdkey.pem olcTLSVerifyClient: True
- add the following to /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts TLS_REQCERT demand ssl start_tls tls_checkpeer yes tls_cacertfile /etc/openldap/cacerts/cacert.pem
- and access settings to ldap.conf
# rootdn can always read and write EVERYTHING! # enable on-the-fly configuration (cn=config) database config access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none #enable server status monitoring (cn=monitor) database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=Manager,dc=domain,dc=name,dc=com" read by * none access to attrs=shadowLastChange,userPassword by self write by * auth access to * by * read
Server
cd /etc/opendlap
- configuration ldap.conf
URI ldap://servername.domainl.name.edu/ BASE dc=domain,dc=name,dc=edu TLS_CACERTDIR /etc/openldap/certs TLS_REQCERT allow
- CA certs generated and stored in certs folder
vim slapd.conf
- make sure samba schema is included
cd ~/samba-master/example/ldap cp ~/samba-master/example/ldap/samba.schema /etc/openldap/schema cp ~/samba-master/example/ldap/samba.ldif /etc/openldap/schema
- in slapd.conf, proper access settings!!!!!
- must copy over schema and configure properly in cn=config
vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}bdb.ldif
- change olcSuffix, olcRootDN, olcRootPW
- add samba schema ldif to appropitae location
cd /etc/openldap/slapd.d/cn=config/cn=schema
- samba.schema ldif should be named cn={##}samba.ldif //## is line number in ldap.conf
Client
vim /etc/ldap.conf
TLS_REQCERT allow TLS_CACERTDIR /etc/openldap/cacerts URI ldap://servername.domain.name.edu BASE dc=domain,dc=name,dc=edu
vim pam_ldap.conf
tls_checkpeer yes tls_cacertdir /etc/openldap/cacerts uri ldap://servename.domain.name.edu base dc=domain,dc=name,dc=edu host 128.***.***.*** ssl start_tls pam_password exop nss_base_passwd ou=People,dc=domain,dc=name,dc=edu nss_base_shadow ou=People,dc=domain,dc=name,dc=edu nss_base_group ou=Groups,dc=domain,dc=name,dc=edu
- vim /etc/smbldap-tools/smbldap.conf
- vim /etc/smbldap-tools/smbldap_bind.conf
- yum install sssd
authconfig --enablesssd --enablesssdauth --enablecachecreds --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://servername.domain.name.edu --ldapbasedn=dc=domain,dc=name,dc=edu --disablenis --disablekrb5 --enableshadow --enablemkhomedir --enablelocauthorize --passalgo=sha512 --updateall
- add the following to sssd.conf in /etc/sssd/
ldap_tls_reqcert = allow ldap_schema = rfc2307bis ldap_user_fullname = displayName ldap_user_search_base = ou=People,dc=domain,dc=name,dc=edu ldap_group_search_base = ou=Group,dc=domain,dc=name,dc=edu ldap_group_member = member ldap_group_nesting_level = 4 ldap_default_bind_dn = cn=Manager,dc=domain,dc=name,dc=edu ldap_default_authtok_type = password ldap_default_authtok = secret debug_level = 8
- test an ldap user using id command to verify working
Links
- http://wiki.bluelightav.org/display/BLUE/How+to+integrate+Samba+with+LDAP
- http://wiki.openiam.com/pages/viewpage.action?pageId=7635198
- http://www.unixmen.com/setup-directory-serverldap-in-centos-6-4-rhel-6-4/
- http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1-setup/installSetup/settingUpOpenLDAPOnCentos6.htm
- http://www.6tech.org/2013/01/ldap-server-and-centos-6-3/
- http://www.overclockers.com/forums/showthread.php?t=726947
- LDAP
- http://www.refamco.ca/14-centos-6-4-ldap-authentication
- http://www.couyon.net/1/post/2012/04/enabling-ldap-usergroup-support-and-authentication-in-centos-6.html.
- http://spectlog.com/content/Create_Certificate_Authority_(CA)_instead_of_using_self-signed_Certificates
ldap commands
- useful:
- delete by dn, enter every dn you want to delete
ldapdelete -v -c -D "cn=Manager,dc=domain,dc=name,dc=edu" -W
- populate ldap with Windows accounts
smbldap-populate