Difference between revisions of "LDAP"
From Stadm
Jump to navigationJump to search (→TLS) |
(→TLS) |
||
Line 104: | Line 104: | ||
tls_cacertfile /etc/openldap/cacerts/cacert.pem | tls_cacertfile /etc/openldap/cacerts/cacert.pem | ||
*and access settings to ldap.conf | *and access settings to ldap.conf | ||
− | + | # rootdn can always read and write EVERYTHING! | |
− | # rootdn can always read and write EVERYTHING! | + | # enable on-the-fly configuration (cn=config) |
− | # enable on-the-fly configuration (cn=config) | + | database config |
− | database config | + | access to * |
− | access to * | + | by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage |
− | + | by * none | |
− | |||
# enable server status monitoring (cn=monitor) | # enable server status monitoring (cn=monitor) | ||
− | database monitor | + | database monitor |
− | access to * | + | access to * |
− | + | by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read | |
− | + | by dn.exact="cn=Manager,dc=openiam,dc=com" read | |
− | + | by * none | |
− | access to attrs=shadowLastChange,userPassword | + | access to attrs=shadowLastChange,userPassword |
− | + | by self write | |
− | + | by * auth | |
− | access to * | + | access to * |
− | + | by * read | |
==Server== | ==Server== |
Revision as of 13:57, 21 October 2013
OpenLDAP
Firewall
- firewall settings
Install
yum install openldap-servers openldap-clients
- ldap needs a parameter(DB_CONFIG.example) file to start new database, located /usr/share/openldap-servers/
- copy parameter file to the ldap directory /var/lib/ldap
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- change owner of ldap directory or just ldap user
chown -R ldap:ldap /var/lib/ldap
- create password hash using slappasswd to set Administrator Password
slappasswd
- after typing in password twice save the output hash to set it as your administrator password
- change to config directory of slapd
cd /etc/openldap/slapd.d/cn\=config
- edit the bdb.ldif
vim olcDatabase\=\{2\}bdb.ldif
- substitute dc=my-domain,dc=com to dc=domain,dc=name,dc=edu
:%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
- create the attribute olcRootPW if not in the file already and paste the password hash rite next to it
olcRootPW; {SSHA}4MOp5CcslBEaMQLVRSfloqwvF/QIV5K1
- do not use hash above, just a hash for "text" to show example
- save the file
- modify olcDatabase={1}monitor.ldif so that the root iser matches the changes you made to bdb.ldif
vim olcDatabase\=\{1\}monitor.ldif :%s/dc=my-domain,dc=com/dc=domain,dc=name,dc=edu
- your new root user for ldap is the user you created (Manager) under your domain and the password is set with the hash under olcRootPW
- Now edit bdb.ldif again so that you can hide password hashes from users in the ldap
vim olcDatabase\=\{2\}bdb.ldif
- add these two lines at the bottom of the file
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by anonymous auth by * none olcAccess: {1}to * by dn.base="cn=Manager,dc=domain,dc=name,dc=edu" write by self write by * read
- now it is time to manually create the head of the ldap tree, navigate to /etc/openldap and create a directory called setup
mkdir /etc/openldap/setup cd /etc/openldap/setup
- in this directory create an ldif file with filename base.ldif in setup directory
vim base.ldif
- in this file include the following lines, replacing dc=domain,dc=name,dc=edu with the name of your domain
dn: dc=domain,dc=name,dc=edu dc: domainname objectClass: top objectClass: domain dn: ou=People,dc=domain,dc=name,dc=edu ou: People objectClass: top objectClass: organizationalUnit dn: ou=Groups,dc=domain,dc=name,dc=edu ou: Groups objectClass: top objectClass: organizationalUnit dn: ou=Computers,dc=domain,dc=name,dc=edu ou: Computers objectClass: top objectClass: organizationalUnit
- add the base ou to the ldap using the administrator account created in the steps above
ldapadd -D "cn=Manager,dc=domain,dc=name,dc=edu" -W -f base.ldif
- if you get an error "ldapadd: command not found", you need to install openldap-clients to get the ldapadd and search commnads
- verify that the ou got added by performing an ldap search
ldapsearch -x -b dc=domain,dc=name,dc=edu
- return results should be the ou's you added with base.ldif
TLS
- the following shows how to enable start_tls with your ldap server
- important things to remember:
- LDAPS is directed at port 636
- ldap + start_tls is directed at port 389
- make sure openssl is insatlled and navigate to /etc/pki/tls/misc
cd /etc/pki/tls/misc ./CA -newca openssl req -new -nodes -subj '/CN=ldap.domain.name.edu/O=University of California Santa Barbara/C=US/ST=California/L=Santa Barbara' -keyout slapd-key.pem -out slapd-req.pem -days 3650 openssl ca -out slapd-cert.pem -infiles slapd-req.pem
- copy over certs to appropriate directories, enforce strict permissions onto who can read these files
cp -p slapd-key.pem /etc/openldap/slapdkey.pem cp -p slapd-cert.pem /etc/openldap/slapdcert.pem chown ldap:ldap /etc/openldap/slapdcert.pem chmod 644 /etc/openldap/slapdcert.pem chown ldap:ldap /etc/openldap/slapdkey.pem chmod 400 /etc/openldap/slapdkey.pem mkdir /etc/openldap/cacerts/ cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/cacert.pem chown ldap:ldap /etc/openldap/cacerts/cacert.pem chmod 644 /etc/openldap/cacerts/cacert.pem chmod 400 /etc/pki/tls/misc/slapd-*
- now navigate to /etc/openldap/slapd.d and open cn=config.ldif
vim /etc/openldap/slapd.conn
- change or add the following attributes
olcTLSCipherSuite HIGH olcTLSCACertificatePath /etc/openldap/cacerts/ olcTLSCertificateFile /etc/openldap/slapdcert.pem olcTLSCertificateKeyFile /etc/openldap/slapdkey.pem olcTLSVerifyClient: True
- add the following to /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts TLS_REQCERT demand ssl start_tls tls_checkpeer yes tls_cacertfile /etc/openldap/cacerts/cacert.pem
- and access settings to ldap.conf
# rootdn can always read and write EVERYTHING! # enable on-the-fly configuration (cn=config) database config access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
- enable server status monitoring (cn=monitor)
database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=Manager,dc=openiam,dc=com" read by * none access to attrs=shadowLastChange,userPassword by self write by * auth access to * by * read
Server
cd /etc/opendlap
- configuration ldap.conf
URI ldap://servername.domainl.name.edu/ BASE dc=domain,dc=name,dc=edu TLS_CACERTDIR /etc/openldap/certs TLS_REQCERT allow
- CA certs generated and stored in certs folder
vim slapd.conf
- make sure samba schema is included
include /etc/openldap/schema/samba.schema
- in slapd.conf, proper access settings!!!!!
- must copy over schema and configure properly in cn=config
vim /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}bdb.ldif
- change olcSuffix, olcRootDN, olcRootPW
- add samba schema ldif to appropitae location
cd /etc/openldap/slapd.d/cn=config/cn=schema
- samba.schema ldif should be named cn={##}samba.ldif //## is line number in ldap.conf
Client
vim /etc/ldap.conf
TLS_REQCERT allow TLS_CACERTDIR /etc/openldap/cacerts URI ldap://servername.domain.name.edu BASE dc=domain,dc=name,dc=edu
vim pam_ldap.conf
tls_checkpeer yes tls_cacertdir /etc/openldap/cacerts uri ldap://servename.domain.name.edu base dc=domain,dc=name,dc=edu host 128.***.***.*** ssl start_tls pam_password exop nss_base_passwd ou=People,dc=domain,dc=name,dc=edu nss_base_shadow ou=People,dc=domain,dc=name,dc=edu nss_base_group ou=Groups,dc=domain,dc=name,dc=edu
- vim /etc/smbldap-tools/smbldap.conf
- vim /etc/smbldap-tools/smbldap_bind.conf
- yum install sssd
authconfig --enablesssd --enablesssdauth --enablecachecreds --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://servername.domain.name.edu --ldapbasedn=dc=domain,dc=name,dc=edu --disablenis --disablekrb5 --enableshadow --enablemkhomedir --enablelocauthorize --passalgo=sha512 --updateall
- add the following to sssd.conf in /etc/sssd/
ldap_tls_reqcert = allow ldap_schema = rfc2307bis ldap_user_fullname = displayName ldap_user_search_base = ou=People,dc=domain,dc=name,dc=edu ldap_group_search_base = ou=Group,dc=domain,dc=name,dc=edu ldap_group_member = member ldap_group_nesting_level = 4 ldap_default_bind_dn = cn=Manager,dc=domain,dc=name,dc=edu ldap_default_authtok_type = password ldap_default_authtok = secret debug_level = 8
- test an ldap user using id command to verify working
Links
- http://wiki.bluelightav.org/display/BLUE/How+to+integrate+Samba+with+LDAP
- http://wiki.openiam.com/pages/viewpage.action?pageId=7635198
- http://www.unixmen.com/setup-directory-serverldap-in-centos-6-4-rhel-6-4/
- http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1-setup/installSetup/settingUpOpenLDAPOnCentos6.htm
- http://www.6tech.org/2013/01/ldap-server-and-centos-6-3/
- http://www.overclockers.com/forums/showthread.php?t=726947
ldap commands
- useful:
- delete by dn, enter every dn you want to delete
ldapdelete -v -c -D "cn=Manager,dc=domain,dc=name,dc=edu" -W
- populate ldap with Windows accounts
smbldap-populate