{{tag>[centos7 linux ldap openldap consumer replication security]}}
=====CentOS 7 - OpenLDAP 2.4 consumer (slave)=====
====Install SSSd client====
* [[ldap:centos7client|First, configure this consumer as client.]]
====TLS Certificate====
* Create a certificate and sign it with the CA, valid for 3 years (36 months). **You probably need to perform this step on the LDAP provider or CA system**:
<code>
# certutil -S -n 'OpenLDAP Consumer' -t ",," \
-c LDAP-CA \
-f /etc/openldap/certs/password \
-d /etc/openldap/certs \
-z /tmp/noise.txt \
-s "CN=OpenLDAP Consumer,OU=IT,O=Company,L=City,ST=State,C=NL" \
-8 "ldap.domain.tld,ldap.mgmt.domain.tld-example!" \
-v 36 \
-Z SHA256 \
-g 4096
</code>
* Export the signed certificate and private key to a PKCS#12 file:
<code>
# pk12util -d /etc/openldap/certs -o /root/consumer.p12 -n "OpenLDAP Consumer" -k /etc/openldap/certs/password
Enter password for PKCS12 file: ...
Re-enter password: ...
pk12util: PKCS12 EXPORT SUCCESSFUL
</code>
* Export the CA certificate:
<code>
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
</code>
* **On the consumer,** create the certificate database directory, if it does not already exist:
<code>
# mkdir /etc/openldap/certs
</code>
* Generate a secure password for the NSS database:
<code>
# pwgen -sy 32 1 > /etc/openldap/certs/password
</code>
* Create a new empty database, if it does not already exist:
<code>
# certutil -d /etc/openldap/certs -N -f /etc/openldap/certs/password
</code>
* Copy the PKCS#12 file to the consumer and import it into the NSS database:
<code>
# pk12util -d /etc/openldap/certs -i /tmp/consumer.p12 -k /etc/openldap/certs/password
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
</code>
* Import the CA certificate and mark it as trusted:
<code>
# certutil -A -n "LDAP-CA" -t "TCu,Cu,Cu" -i /tmp/ca.crt -d /etc/openldap/certs
</code>
* Modify the permissions so that slapd (user ldap) can read the NSS database and the password file, and nobody else can:
<code>
# chmod 440 /etc/openldap/certs/password
# chown ldap. /etc/openldap/certs/*
</code>
===Verify===
* List all certificates:
<code>
# certutil -L -d /etc/openldap/certs/
</code>
* List all private keys in the database:
<code>
# certutil -K -d /etc/openldap/certs/ -f /etc/openldap/certs/password
</code>
* View the certificate:
<code>
# certutil -L -d /etc/openldap/certs/ -n "OpenLDAP Consumer"
</code>
* Verify the certificate against the CA (usage C = SSL client):
<code>
# certutil -V -d /etc/openldap/certs -n "OpenLDAP Consumer" -u C
certutil: certificate is valid
</code>
* You now have an encrypted private key and signed certificate for the consumer server.
====Install and configure OpenLDAP====
* Install the required packages:
<code>
# yum install openldap-clients openldap-servers openldap pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-devel
</code>
* Activate LDAPS (TLS): change ldap to ldap**s** so that only LDAPS and LDAPI (the IPC socket) are started, never plain LDAP on port 389:
<code>
# vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldaps:///"
# Any custom options
SLAPD_OPTIONS="-g ldap"
</code>
* Modify /etc/openldap/ldap.conf so that clients on this host use LDAPS and demand a valid server certificate:
<code>
# vi /etc/openldap/ldap.conf
BASE dc=,dc=
URI ldaps://
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
</code>
* Use the DB_CONFIG example. You can set the DB_LOG_AUTOREMOVE directive in DB_CONFIG, but //if the log files are removed automatically, recovery after a catastrophic failure is likely to be impossible//:
<code>
# install -m 644 -o ldap -g ldap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
</code>
* Check the configuration, then start and enable OpenLDAP:
<code>
# slaptest -u
# systemctl start slapd
# systemctl enable slapd
</code>
* Add the required schemas (core.schema is already loaded by the default cn=config on CentOS 7, so only the other three are added here):
<code>
core.schema           OpenLDAP core (required)
cosine.schema         Cosine and Internet X.500 (useful)
inetorgperson.schema  InetOrgPerson (useful)
nis.schema            Network Information Services (FYI)
</code>
<code>
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
</code>
* Generate an LDAP root password; you need the resulting hash in the next steps:
<code>
# slappasswd
New password:
Re-enter new password:
{SSHA}
</code>
* Export the variables used in the next steps:
<code>
# export MYHASH="{SSHA}your-hash"
# export MYDOMAIN=your-domain
# export MYTLD=your-tld
</code>
* **olcDatabase={0}config**: add a root password and modify olcAccess so that (at least) a password is required for simple authentication:
<code>
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <
</code>
* **olcDatabase={1}monitor**: change the monitor ACL:
<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
</code>
* **olcDatabase={2}hdb**: change the default DN suffix and the root password:
<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
</code>
* **olcDatabase={2}hdb**: configure indexing:
<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
</code>
* Modify the TLS configuration. Note that //...the current implementation doesn't support encrypted keys so the key must not be encrypted and the file itself must be protected carefully.//
<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
</code>
* **olcDatabase={-1}frontend:** Due to a [[http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8150;page=10|bug]] I was not able to perform this step... I had to manually edit the olcDatabase={-1}frontend.ldif file and set olcDatabase to "olcDatabase: {-1}frontend". Then restart slapd!
* Set global options: //Some backend types, such as frontend and monitor use a hard-coded suffix which may not be overridden in the configuration. Access controls defined in the frontend are appended to all other databases' controls.// Configure the password and require LDAPv3:
<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
</code>
* Accept only TLS connections, so that binds over an unencrypted connection are rejected:
<code>
# ldapmodify -H ldaps:// -x -D "cn=config" -W <
</code>
====Open firewall port====
* Open port 636:
<code>
# firewall-cmd --permanent --zone public --add-service=ldaps
success
# firewall-cmd --reload
success
</code>
====Test and verify====
* Test the server configuration, restart slapd and test connectivity; the plain ldap:// bind must fail because TLS is required:
<code>
# slaptest -u
# systemctl restart slapd
# openssl s_client -connect localhost:636 -showcerts -CAfile /etc/openldap/cacerts/ca.crt
...
Verify return code: 0 (ok)
# ldapwhoami -H ldaps:// -x -D "cn=Manager,dc=,dc=" -W
# ldapsearch -H ldaps:// -x -D "cn=Manager,dc=,dc=" -W
# ldapsearch -H ldap:// -x -D "cn=Manager,dc=,dc=" -W
ldap_bind: Confidentiality required (13)
additional info: TLS confidentiality required
</code>
or:
<code>
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
</code>
====Configure replication====
* **On the provider (master):** create a replicator user:
<code>
# ldapadd -H ldaps:// -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <
EOF
</code>
* **On the provider (master):** create an ACL for the replicator user:
<code>
# ldapadd -H ldaps:// -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <
</code>
* **On all servers (provider and consumers)** install the syncprov module:
<code>
# ldapadd -H ldaps:// -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <
</code>
* **On the provider** configure the sync overlay:
<code>
# ldapadd -H ldaps:// -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <
</code>
* Configure the **slave** (consumer):
<code>
# ldapadd -H ldaps://ldapconsumer.yourdomain.tld -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <
</code>
====Monitor replication state====
* The contextCSN needs to be the same on the provider and the consumer; if the consumer's value lags behind, replication is stalled or broken:
<code>
# ldapsearch -H ldaps://provider -x -D "cn=Manager,dc=" -W -s base contextcsn | grep contextCSN
# ldapsearch -H ldaps://consumer -x -D "cn=Manager,dc=" -W -s base contextcsn | grep contextCSN
</code>
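The comparison above can be automated. The script below is an added example (not from the original page): it parses the contextCSN values out of ldapsearch output, compares the provider and consumer sets and reports the lag. The host names, the password file path and the sample output are assumptions; without arguments it runs against constructed sample data.

```bash
#!/bin/bash
# Added example, not part of the original page: compare the contextCSN of a
# provider and a consumer and report whether the consumer has caught up.
# Host names, the bind DN and the password file path are assumptions.
set -u

# Keep only the contextCSN values from ldapsearch LDIF output, sorted. A
# provider with several serverIDs exposes one CSN per server, so the whole
# set is compared rather than just the first line.
extract_csn() {
    printf '%s\n' "$1" | sed -n 's/^contextCSN: //p' | sort
}

# Succeeds when both outputs carry an identical CSN set (consumer in sync).
csn_in_sync() {
    [ "$(extract_csn "$1")" = "$(extract_csn "$2")" ]
}

# Generalized-time part (YYYYmmddHHMMSS, UTC) of the newest CSN in the output.
newest_csn_time() {
    extract_csn "$1" | tail -n 1 | cut -c1-14
}

# Live query over LDAPS with the same bind DN as above; the password is read
# from a root-only file (assumed path) so the check can run from cron.
fetch_csn() {
    ldapsearch -H "ldaps://$1" -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" \
        -y /root/.ldap-manager-pw -LLL -s base contextCSN
}

report() {
    if csn_in_sync "$1" "$2"; then
        echo "in sync at $(newest_csn_time "$1")"
    else
        echo "LAG: provider $(newest_csn_time "$1"), consumer $(newest_csn_time "$2")"
    fi
}

# Constructed sample output (not captured from a real server) for offline use;
# pass two host names to query live servers instead.
PROVIDER_OUT='dn: dc=example,dc=com
contextCSN: 20190305101500.123456Z#000000#000#000000'
CONSUMER_OUT='dn: dc=example,dc=com
contextCSN: 20190305101400.654321Z#000000#000#000000'

if [ $# -eq 2 ]; then
    report "$(fetch_csn "$1")" "$(fetch_csn "$2")"
else
    report "$PROVIDER_OUT" "$CONSUMER_OUT"
fi
```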