openldap_consumer
Table of Contents
CentOS 7 - OpenLDAP 2.4 consumer (slave)
Install SSSd client
TLS Certificate
- Create a certificate and sign with CA, valid for 3 years. You probably need to perform this step on the LDAP provider or CA system:
# certutil -S -n 'OpenLDAP Consumer' -t ",," \ -c LDAP-CA \ -f /etc/openldap/certs/password \ -d /etc/openldap/certs \ -z /tmp/noise.txt \ -s "CN=OpenLDAP Consumer,OU=IT,O=Company,L=City,ST=State,C=NL" \ -8 "ldap.domain.tld,ldap.mgmt.domain.tld-example!" \ -v 36 \ -Z SHA256 \ -g 4096
- Export the signed certificate and key:
# pk12util -d /etc/openldap/certs -o /root/consumer.p12 -n "OpenLDAP Consumer" -k /etc/openldap/certs/password Enter password for PKCS12 file: ... Re-enter password: ... pk12util: PKCS12 EXPORT SUCCESSFUL
- Export the CA certificate:
# certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt
- On the consumer, create the certificate database directory, if it does not already exisist:
# mkdir /etc/openldap/certs
- Generate a secure password:
# pwgen -sy 32 1 > /etc/openldap/certs/password
- Create a new empty database, if it does not already exists:
# certutil -d /etc/openldap/certs -N -f /etc/openldap/certs/password
- Copy the file to the consumer and import it to the NSS database:
# pk12util -d /etc/openldap/certs -i /tmp/consumer.p12 -k /etc/openldap/certs/password Enter password for PKCS12 file: pk12util: PKCS12 IMPORT SUCCESSFUL
- Import the CA certificate:
# certutil -A -n "LDAP-CA" -t "TCu,Cu,Cu" -i /tmp/ca.crt -d /etc/openldap/certs
- Modify rights so that LDAP can read the NSS database:
# chmod 440 /etc/openldap/certs/password # chown ldap. /etc/openldap/certs/*
Verify
- List all certificates:
# certutil -L -d /etc/openldap/certs/
- List all private keys in the database:
# certutil -K -d /etc/openldap/certs/ -f /etc/openldap/certs/password
- View certificate:
# certutil -L -d /etc/openldap/certs/ -n "OpenLDAP Consumer"
- Verify certificate:
# certutil -V -d /etc/openldap/certs -n "OpenLDAP Consumer" -u C certutil: certificate is valid
- You now have an encrypted private key and signed certificate for the consumer server.
Install and configure OpenLDAP
- Install required packages:
# yum install openldap-clients openldap-servers openldap pam_ldap nss-pam-ldapd pam_krb5 sssd migrationtools openldap-devel
- Activate LDAPS (TLS), change ldap to ldaps, only start LDAPS and LDAPI (IPC socket):
# vi /etc/sysconfig/slapd SLAPD_URLS="ldapi:/// ldaps:///" # Any custom options SLAPD_OPTIONS="-g ldap"
- Modify /etc/openldap/ldap.conf:
# vi /etc/openldap/ldap.conf BASE dc=<domain>,dc=<tld> URI ldaps://<FQDN> TLS_CACERTDIR /etc/openldap/certs TLS_REQCERT demand
- Use the DB config example. You can configure the DB_LOG_AUTOREMOVE directive in DB_CONFIG, but If the log files are removed automatically, recovery after a catastrophic failure is likely to be impossible.:
# install -m 644 -o ldap -g ldap /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- Start OpenLDAP:
slaptest -u systemctl start slapd systemctl enable slapd
- Add required schema's:
core.schema OpenLDAP core (required) cosine.schema Cosine and Internet X.500 (useful) inetorgperson.schema InetOrgPerson (useful) nis.schema Network Information Services (FYI) # ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif # ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif # ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
- Generate an LDAP root password, you need this hash in the next steps:
# slappasswd New password: <password> Re-enter new password: <password> {SSHA}<hash> - Export variables used in next steps:
# export MYHASH="{SSHA}your-hash" # export MYDOMAIN=your-domain # export MYTLD=your-tld
- olcDatabase={0}config: Add a root password, and modify the olcAccess in order to (at least) require a password using simple authentication
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: ${MYHASH} - replace: olcAccess olcAccess: {0}to * by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" manage by * none EOF
- olcDatabase={1}monitor: Change the monitor ACL:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read by * none EOF - olcDatabase={2}hdb: Change the standard DN suffix and root password
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=${MYDOMAIN},dc=${MYTLD} - replace: olcRootDN olcRootDN: cn=Manager,dc=${MYDOMAIN},dc=${MYTLD} - add: olcRootPW olcRootPW: ${MYHASH} EOF - olcDatabase={2}hdb: configure indexing:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcDbIndex olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub olcDbIndex: uid,memberUid,gidNumber eq - EOF - Modify the TLS configuration. …the current implementation doesn't support encrypted keys so the key must not be encrypted and the file itself must be protected carefully.
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF dn: cn=config changetype: modify replace: olcTLSCertificateFile olcTLSCertificateFile: "OpenLDAP Consumer" - replace: olcTLSCipherSuite olcTLSCipherSuite: HIGH - replace: olcTLSProtocolMin olcTLSProtocolMin: 3.1 - replace: olcDisallows olcDisallows: bind_anon - replace: olcIdleTimeout olcIdleTimeout: 120 EOF
- olcDatabase={-1}frontend: Due to a bug i was not able to perform this step… I had to manually edit the olcDatabase={-1}frontend.ldif file and set olcDatabase to “olcDatabase: {-1}frontend”. Then restart slapd!
- Set global options: Some backend types, such as frontend and monitor use a hard-coded suffix which may not be overridden in the configuration. Access controls defined in the frontend are appended to all other databases' controls. Configure password and require LDAPv3:
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF dn: olcDatabase={-1}frontend,cn=config changetype: modify add: olcPasswordHash olcPasswordHash: ${MYHASH} - add: olcRequires olcRequires: LDAPv3 authc EOF - Accept only TLS:
# ldapmodify -H ldaps://<FQDN> -x -D "cn=config" -W <<EOF dn: cn=config changetype: modify add: olcSecurity olcSecurity: tls=1 EOF
Open firewall port
- Open port 636:
# firewall-cmd --permanent --zone public --add-service=ldaps success # firewall-cmd --reload success
Test and verify
- Test server config, restart and test connectivity:
# slaptest -u # systemctl restart slapd # openssl s_client -connect localhost:636 -showcerts -CAfile /etc/openldap/cacerts/ca.crt ... Verify return code: 0 (ok) # ldapwhoami -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W # ldapsearch -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W # ldapsearch -H ldap://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W ldap_bind: Confidentiality required (13) additional info: TLS confidentiality required or: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Configure replication
- On the provider (master): create a replicator user:
# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF dn: cn=replicator,dc=${MYDOMAIN},dc=${MYTLD} objectClass: simpleSecurityObject objectClass: organizationalRole cn: replicator userPassword: <your replicator password SSHA hash> EOF - On the provider (master): create an ACL for the replicator user:
# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF dn: olcDatabase={2}bdb,cn=config changetype: modify replace: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write by dn.exact="cn=replicator,dc=polaire,dc=nl" read by self =xw by anonymous auth by * none olcAccess: {1}to * by dn.exact="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" write by dn.exact="cn=replicator,dc=polaire,dc=nl" read by self read by users read by * none EOF - On all servers (provider and consumers) install the syncprov module:
# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/lib64/openldap olcModuleLoad: syncprov.la EOF - On the provider configure the sync overlay:
# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov EOF - Configure slave:
ldapadd -H ldaps://ldapconsumer.yourdomain.tld -x -D "cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" -W <<EOF dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcSyncrepl olcsyncrepl: {0}rid=014 provider=ldaps://ldap.yourdomain.tld type=refreshAndPersist retry="5 5 300 +" searchbase="dc=domain,dc=tld" attrs="*,+" bindmethod=simple binddn="cn=replicator,dc=domain,dc=tld" credentials=yourpassword EOF
Monitor replication state
- contextCSN needs to be the same on provider and consumer:
# ldapsearch -H ldaps://provider -x -D "cn=Manager,dc=<basedn>" -w <passwd> -s base contextcsn | grep contextCSN # ldapsearch -H ldaps://consumer -x -D "cn=Manager,dc=<basedn>" -w <passwd> -s base contextcsn | grep contextCSN
openldap_consumer.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1