(SimpleBind + SSL/TLS/start_tls + without-sasl + automount + netgroup + sudo + apache)
(See also related documents at http://web.singnet.com.sg/~garyttt/)
http://www.openldap.org/project/
Purpose:
This document describes the steps involved in installing and configuring an OpenLDAP Directory Server on RedHat EL3, to be accessed by RedHat or Solaris 8/9 LDAP clients. Many useful productivity UNIX shell scripts are also provided in this document.
To use LDAP centralized authentication with nss_ldap and pam_ldap, i.e. to use the LDAP "uid" and "userPassword" attributes for UNIX account id and password lookup, you must also complete the setup documented in “Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3” and/or “Installing and configuring OpenSSH with pam_ldap for Solaris9”.
Another related document, "Deploying Solaris Native LDAP Client by using automated scripts", describes the steps involved in building an infrastructure for rapid deployment of the Solaris Native LDAP Client.
Useful URLs:
· QuickStart to OpenLDAP: http://www.openldap.org/doc/admin23/quickstart.html
· Replication with slurpd: http://www.openldap.org/doc/admin23/replication.html
· How to install and configure Solaris 9 for Authentication with OpenLDAP 2.1 http://netmojo.ca/howto/solaris-openldap.html
· OpenLDAP SSL/TLS How-To: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
· Replacing NIS with Kerberos and LDAP: http://ofb.net/~jheiss/krbldap/
· Replacing NIS with Kerberos and LDAP: http://www.ofb.net/~jheiss/krbldap/kerberos_and_ldap.html
· SUN Solaris9's “System Administration Guide: Naming and Directory Services - May 2002”: http://docs.sun.com/app/docs/doc/816-4856
· SUN Solaris10's “System Administration Guide: Naming and Directory Services”: http://docs.sun.com/app/docs/doc/816-4556
· Using TLS (from OpenLDAP Admin. Guide): http://www.openldap.org/doc/admin23/tls.html
· Chinese version of OpenLDAP HOW-TO: http://www.ringkee.com/note/opensource/openldap.htm
· Highly Available LDAP: http://linuxjournal.com/article/5505
· OpenSSH LDAP Public Key Patch: http://www.opendarwin.org/projects/openssh-lpk/
· BIND9.NET LDAP Page
· LDAP Error and Status Codes: http://www.directory-info.com/LDAP/LDAPErrorCodes.html
· LDAP Client Login Authentication: http://yolinux.com/TUTORIALS/LDAP_Authentication.html
· Integrating AIX into Heterogenous LDAP Environments: http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf
· Integrating UNIX/Linux LDAP Clients into Active Directory - ad4unix: http://sourceforge.net/projects/ad4unix/
· Integrating Windows Clients into UNIX/Linux LDAP Server - pGina: http://sourceforge.net/projects/pgina/
Public Mail Lists:
http://lists.fini.net/mailman/listinfo/ldap-interop
http://www.openldap.org/lists/openldap-software (please search FAQ/MailList archives before posting)
http://www.dbforums.com (comp.unix.solaris)
http://bbs.chinaunix.net/ (Chinese web site)
Freeware tools used:
· Berkeley DB 4.2.52 or later - http://www.sleepycat.com
· NSS_LDAP 2.2.X and PAM_LDAP 1.6.X or later – http://www.padl.com
· OpenSSL 0.9.7e or later – http://www.openssl.org
· OpenLDAP 2.3.XX or later - http://www.openldap.org
· BIND9.NET LDAP Tools: http://www.bind9.net/ldap-tools
· LDAP Browser/Editor: http://www-unix.mcs.anl.gov/~gawor/ldap/
· JXplorer Java LDAP Browser/Editor: http://pegacat.com/jxplorer/ (can do SSL connection)
· PHP-LDAP-ADMIN: http://freshmeat.net/projects/phpldapadmin/
· Other Graphical LDAP Tools: http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html
· Novell LDAP CoolTools http://www.novell.com/coolsolutions/tools/bycategory/168.html
Example used:
· MASTER OpenLDAP Server: ldap1.example.com, 192.168.1.168
· SLAVE OpenLDAP Server: ldap2.example.com, 192.168.1.178
· RedHat EL3 LDAP Client: client1.example.com, 192.168.1.188
· Solaris8 LDAP Client: client2.example.com, 192.168.1.198
· Solaris9 LDAP Client: client3.example.com, 192.168.1.208
It is highly recommended that OS level Security Hardening be applied to all LDAP Servers. Note that MASTER and SLAVE OpenLDAP Server can be based on RedHat Linux or Solaris operating system.
Preparation Steps:
This step is for BOTH OpenLDAP Server(s) as well as Clients
Please ensure that IP addresses of LDAP Servers are defined in DNS and/or /etc/hosts
It is important that the Fully Qualified Domain Name (eg: ldap1.example.com) be listed as the first entry right after the IP address, as shown below:
192.168.1.168 ldap1.example.com ldap1
Please ensure that LDAP domain example.com is defined in /etc/resolv.conf
Run the following command to set LDAP domainname
# domainname example.com
# rpm -qa | grep openldap
openldap-devel-2.X.XX-X
openldap-servers-2.X.XX-X
openldap-2.X.XX-X
openldap-clients-2.X.XX-X
# mv /etc/init.d/ldap /etc/init.d/ldap.saved
# rpm -e --nodeps openldap-servers-2.0.27-1X
# rpm -e --nodeps openldap-clients-2.0.27-1X
# mv /etc/init.d/ldap.saved /etc/init.d/ldap
Add two lines to the “start” function in /etc/init.d/ldap; this fixes the slapd start-up failure that complains about the file permissions of slapd.pid and slapd.args.
function start() {
# gtay, 23-Jan-2006, added 2 lines to fix OpenLDAP 2.3.XX startup issue
touch /var/run/slapd.pid; chown ldap:ldap /var/run/slapd.pid
touch /var/run/slapd.args; chown ldap:ldap /var/run/slapd.args
# Start daemons.
prog=`basename ${slapd}`
echo -n $"Starting $prog: "
…
}
Optional steps, as "rpm -e" of the openldap-servers rpm renamed the existing files with .rpmsave extensions:
# cd /etc/openldap
# mv slapd.conf.rpmsave slapd.conf
# cd schema/redhat
# mv autofs.schema.rpmsave autofs.schema
# chown -R ldap:ldap /etc/openldap
Note 1: RHEL3 has OpenLDAP 2.0.27-XX rpm and RHEL4 has OpenLDAP 2.2.13-XX rpm.
Note 2: In case “rpm -e” invokes a post-removal script that removes the useful /etc/init.d/ldap script, the two “mv” commands are used to retain it.
===For those who do not want to build from source:
Buchan has done a great job building RHEL/Mandriva OpenLDAP 2.3.XX RPMs for us; see his mailing-list post quoted here:
For the future, either:
a) Upgrade to 2.3 which doesn't/shouldn't need the operations listed below (hint: http://anorien.csc.warwick.ac.uk/mirrors/buchan/openldap/ has packages which are parallel installable with the original RH packages and affect no other aspects of the OS or any packages provided by it)
b) Do some things RH missed out which are necessary on 2.2:
- ensure database recover is run any time that it is likely that slapd has been shut down uncleanly. The strategy I prefer is doing database recovery in the start() function of the initscript (not restart though).
- ensure the database is checkpointed (run db_checkpoint with appropriate options from and as the appropriate user from cron)
Regards,
Buchan
===
This step is for OpenLDAP Server(s) ONLY, not for LDAP Clients. A recent RedHat client such as RHFC3 or later will most likely already have workable, supported OpenLDAP client, PADL, BDB and OpenSSL library RPMs; for a Solaris LDAP Client, I recommend using its native LDAP library.
IMPORTANT: It is highly recommended that these configuration steps be carried out at the LOCAL SYSTEM CONSOLE while logged in as root, and that, ON TOP OF THIS, MULTIPLE REMOTE root sessions be kept open, so that any incorrect configuration that messes up your system can still be repaired.
Installing these packages is OPTIONAL, as RedHat EL3 comes bundled with them; you may also OPTIONALLY compile/install OpenSSL 0.9.7e from source and overwrite the OpenSSL 0.9.7a that comes with RedHat EL3.
Log in as root at ldap1.example.com
If you are using 4.2.52, please apply these four patches:
# cd /var/tmp
# wget http://downloads.sleepycat.com/db-4.2.52.tar.gz
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.1
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.2
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.3
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.4
# gzip -d db-4.2.52.tar.gz
# tar xvf db-4.2.52.tar
# chmod u+w db-4.2.52/mp/mp_fget.c
# chmod u+w db-4.2.52/lock/lock.c
# cd db-4.2.52
# patch -p0 -i ../patch.4.2.52.1
# patch -p0 -i ../patch.4.2.52.2
# patch -p0 -i ../patch.4.2.52.3
# patch -p0 -i ../patch.4.2.52.4
Otherwise,
# cd db-4.X.XX/build_unix
# ../dist/configure --prefix=/usr
# make clean
# make
# make install
# cd openssl-0.9.7e
# ./config shared --prefix=/usr # Build shared library
# make clean
# make
# make install
Note 1: --prefix=/usr is required so as to overwrite RedHat EL3 built-in rpm.
Note 2: db-4.X.XX in the above case overwrites the db-4.X.XX-XX built-into RedHat EL3
Note 3: openssl-0.9.7e in the above case overwrites the openssl-0.9.7a built-into RedHat EL3
Additional steps shown below are required to rename and hide the original openssl-0.9.7a files (because RedHat stores the libssl and libcrypto shared objects in an unusual location, /lib), and to edit /etc/man.config to include /usr/ssl/man:
# cd /lib
# mv -f libssl.so.4 libssl.so.4.orig
# ln -s /usr/lib/libssl.so.0.9.7 libssl.so.4
# mv -f libcrypto.so.4 libcrypto.so.4.orig
# ln -s /usr/lib/libcrypto.so.0.9.7 libcrypto.so.4
Note: if OpenSSL is installed under a different prefix, make sure its libraries can be found by adding the library directory to /etc/ld.so.conf and running "ldconfig" to apply the change.
# vi /etc/ld.so.conf
# ldconfig
Optionally setting up MANPATH for OpenSSL:
# vi /etc/man.config
Add /usr/ssl/man in front of other MANPATHs
Verify the version of OpenSSL:
# /usr/bin/openssl version
OpenSSL 0.9.7X DD Mmm YYYY
This step is for OpenLDAP Server(s) ONLY, not for LDAP Clients. A recent RedHat client such as RHFC3 or later will most likely already have workable, supported OpenLDAP client, PADL, BDB and OpenSSL library RPMs; for a Solaris LDAP Client, I recommend using its native LDAP library.
If you have done the Preparation Steps above, you may skip this step; otherwise you may want to try out the following steps to gain experience compiling and installing OpenLDAP from source.
Log in as root at ldap1.example.com
# cd openldap-2.3.XX
# ./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/sbin --mandir=/usr/share/man --enable-bdb --enable-crypt --with-tls --without-cyrus-sasl --enable-ldbm
(Note: enable-ldbm if you need older DB backend)
# make depend
# make clean
Optionally, apply “result.c” patch (See Appendix)
# make
# make install
This installs the OpenLDAP server and client binaries/libraries, using the default configuration directory /etc/openldap, default schema directory /etc/openldap/schema, and default data directory /usr/var/openldap-data. You may change the data directory to the RedHat default, /var/lib/ldap, by editing the "directory" directive in /etc/openldap/slapd.conf.
IMPORTANT NOTE: Whenever RedHat “up2date” is run and overwrites the version you built from source, restore your intended version by running “make install” from the build directory again. Alternatively, remove the “openldap*.rpm” packages with “rpm -e --nodeps --force” prior to building OpenLDAP from source.
This step is for OpenLDAP Server(s).
If you did not install the RedHat OpenLDAP RPMs and chose to compile/install the package from source, first create a user to own the OpenLDAP data/binary files. User id 55 and group id 55 are intentionally chosen to match the ldap:ldap user created when installing from the RedHat RPMs.
# groupadd -g 55 ldap
# useradd -u 55 -g 55 -d /var/lib/ldap -s /bin/false ldap
Create a blank default OpenLDAP data directory and protect it:
# mkdir -p /var/lib/ldap # directory already exists if RedHat rpms are installed
# chmod 700 /var/lib/ldap
# chown -R ldap:ldap /var/lib/ldap # user ldap:ldap already exists if RH rpms are installed
# chown -R ldap:ldap /etc/openldap
Create a blank /home/ldap directory; it will hold the .ldif files generated by the productivity scripts db2ldif_group.sh and db2ldif_People.sh, which are used by my script-based LDAP replication scripts openldap_repl_group.sh and openldap_repl_People.sh. Alternatively, you may use the OpenLDAP built-in replication feature.
# mkdir -p /home/ldap; chown ldap:ldap /home/ldap
Create self-signed SSL certificates for the local LDAP Server if you intend to use SSL or TLS.
This can be achieved by running the productivity script cr_ssl_certs_openldap.sh at the MASTER LDAP Server; it generates a self-signed CA Cert and a Server Cert for the MASTER LDAP Server signed by that CA. Later on, use the SAME CA Cert to sign the Server Cert created at the SLAVE LDAP Server.
# ./cr_ssl_certs_openldap.sh
Content of cr_ssl_certs_openldap.sh:
#! /bin/sh
#
# cr_ssl_certs_openldap.sh - Create self-signed SSL Certs for OpenLDAP server
#
# Gary Tay, 6-Mar-2004
#
mkdir demoCA >/dev/null 2>&1
cd demoCA
mkdir certs crl newcerts private >/dev/null 2>&1
echo "01" > serial
cp /dev/null index.txt
# Un-comment next two lines for RedHat
cp /usr/share/ssl/openssl.cnf openssl.cnf
ETC_OPENLDAP=/etc/openldap
# Un-comment next two lines for Others
#cp /usr/local/ssl/openssl.cnf openssl.cnf
#ETC_OPENLDAP=/usr/local/etc/openldap
sed -e 's/GB/SG/' \
-e 's/Berkshire/Singapore/' \
-e 's/Newbury/Singapore/' \
-e 's/My Company Ltd/Example Company Ltd/' \
-e '/default_days/s/365/3652/' \
openssl.cnf > openssl.cnf.new
mv openssl.cnf.new openssl.cnf
echo "" >>openssl.cnf
# Append a [ usr_cert ] section so the signed server cert carries the load-balancer aliases as subjectAltName
echo "[ usr_cert ] " >>openssl.cnf
echo "subjectAltName=DNS:ldap.`domainname`,DNS:loadbalancer.`domainname`" >>openssl.cnf
echo "" >>openssl.cnf
echo "Creating CA cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem \
-days 3652 -config openssl.cnf
echo "Creating server cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl req -new -x509 -nodes -keyout newreq.pem -out newreq.pem \
-days 3652 -config openssl.cnf
echo "Self signing server cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
cd ..
openssl ca -config demoCA/openssl.cnf -policy policy_anything \
-out demoCA/newcert.pem -infiles demoCA/tmp.pem
rm -f demoCA/tmp.pem
echo "Please copy CA Cert, New Cert and Key to OpenLDAP config dir..."
echo "using the following commands:"
echo "cp demoCA/cacert.pem $ETC_OPENLDAP"
echo "cp demoCA/newcert.pem $ETC_OPENLDAP/slapd-cert-ldap1.pem"
echo "cp demoCA/newreq.pem $ETC_OPENLDAP/slapd-key-ldap1.pem"
echo "chmod 640 $ETC_OPENLDAP/slapd-key-ldap1.pem"
# Uncomment for RedHat
echo "chown ldap:ldap $ETC_OPENLDAP/*.pem"
# Uncomment for Others
#echo "chown ldap:daemon $ETC_OPENLDAP/*.pem"
echo ""
The following is the output of running cr_ssl_certs_openldap.sh
# ./cr_ssl_certs_openldap.sh
Creating CA cert...
Please enter server's FQDN when prompted for Common Name:
Generating a 1024 bit RSA private key
.....................................................++++++
....++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: secret
Verifying - Enter PEM pass phrase: secret
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [Singapore]:
Locality Name (eg, city) [Singapore]:
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ldap1.example.com
Email Address []: first_last@example.com
Creating server cert...
Please enter server's FQDN when prompted for Common Name:
Generating a 1024 bit RSA private key
....................++++++
..................................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [Singapore]:
Locality Name (eg, city) [Singapore]:
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ldap1.example.com
Email Address []: first_last@example.com
Self signing server cert...
Please enter server's FQDN when prompted for Common Name:
Getting request Private Key
Generating certificate request
Using configuration from demoCA/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: secret
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 15 05:50:15 2004 GMT
Not After : Mar 15 05:50:15 2005 GMT
Subject:
countryName = SG
stateOrProvinceName = Singapore
localityName = Singapore
organizationName = Example Ltd
commonName = ldap1.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
51:F4:FB:11:07:35:79:56:B8:11:DA:5F:54:16:2C:3A:95:1C:03:2C
X509v3 Authority Key Identifier:
keyid:CC:95:06:D3:EF:09:13:57:1F:A2:75:B4:28:AC:E2:B7:5C:1B:5D:66
DirName:/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/CN=ldap1.example.com
serial:00
Certificate is to be certified until Mar 15 05:50:15 2015 GMT (3652 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Please copy CA Cert, New Cert and Key to OpenLDAP config dir...
using the following commands:
cp demoCA/cacert.pem /etc/openldap
cp demoCA/newcert.pem /etc/openldap/slapd-cert-ldap1.pem
cp demoCA/newreq.pem /etc/openldap/slapd-key-ldap1.pem
chmod 640 /etc/openldap/slapd-key-ldap1.pem
chown ldap:ldap /etc/openldap/*.pem
Copy cacert.pem, slapd-cert-ldap1.pem and slapd-key-ldap1.pem created by the above script to /etc/openldap and set up the file permission protection.
Also copy cacert.pem to all the LDAP clients that use SSL/TLS to authenticate with this LDAP Server.
IMPORTANT NOTE: Make sure the CommonName (CN) of the SSL Server Certificate is in Fully Qualified Domain Name (FQDN) format, eg: ldap1.example.com, and this FQDN must be defined in DNS AND /etc/hosts file.
ADDITIONAL STEPS if a SLAVE LDAP Server is built:
At the SLAVE LDAP Server, log in as root and run:
# ./cr_unsigned_ssl_cert.sh
Go back to the MASTER LDAP Server, log in as root and run:
# ./sign_ssl_cert_from_slave.sh
Both scripts can be found in the Appendix.
The following shows the expected outputs:
# ./cr_unsigned_ssl_cert.sh
Please enter an unique number as Certificate Serial Number
Examples: if 01 is reserved for MASTER LDAP Server
02 can be used for 1st SLAVE LDAP Server
03 can be used for 2nd SLAVE LDAP Server
02
Creating un-signed SLAVE LDAP Server cert...
Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:
Generating a 1024 bit RSA private key
.................++++++
...............................................++++++
writing new private key to 'newreq_slave.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: SG
State or Province Name (full name) [New York]: Singapore
Locality Name (eg, city) []: Singapore
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:ldap2.example.com
Email Address []:first_last@example.com
# ./sign_ssl_cert_from_slave.sh
Please enter an unique number as Certificate Serial Number
Examples: if 01 is reserved for MASTER LDAP Server
02 can be used for 1st SLAVE LDAP Server
03 can be used for 2nd SLAVE LDAP Server
02
We must copy the unsigned SSL Server Cert from SLAVE LDAP Server
Enter HOSTNAME/IP of SLAVE LDAP Server: \c
ldap2
Enter directory to locate un-signed server cert/key: \c
/home/gtay/demoCA
Copying un-signed server cert/key from SLAVE LDAP Server...
newreq_slave.pem newreq_slave.pem 100% 2319 627.1KB/s 00:00
Self signing server cert for SLAVE LDAP Server...
Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:
Getting request Private Key
Generating certificate request
Using configuration from demoCA/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: secret
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 22 16:05:32 2004 GMT
Not After : Oct 22 16:05:32 2005 GMT
Subject:
countryName = SG
stateOrProvinceName = Singapore
localityName = Singapore
organizationName = Example Ltd
organizationalUnitName =
commonName = ldap2.example.com
emailAddress = first_last@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F7:C2:5F:54:C1:3F:E3:16:F2:1D:F7:5E:B0:CA:C8:95:35:45:DA:A9
X509v3 Authority Key Identifier:
keyid:25:BC:A0:B3:45:F1:E5:25:7B:46:E5:E7:30:0F:45:EB:98:B8:36:37
DirName:/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/OU=/CN=ldap1.example.com/emailAddress=first_last@example.com
serial:00
X509v3 Subject Alternative Name:
DNS:ldap.example.com, DNS:loadbalancer.example.com
Certificate is to be certified until Oct 22 16:05:32 2015 GMT (3652 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Please copy, New Cert and Key to SLAVE OpenLDAP Server config dir...
Example: assuming ldap2:/etc/openldap is the target directory on SLAVE:
scp demoCA/cacert.pem ldap2:/etc/openldap
scp demoCA/newcert_slave.pem ldap2:/etc/openldap/slapd-cert-ldap2.pem
scp demoCA/newreq_slave.pem ldap2:/etc/openldap/slapd-key-ldap2.pem
ssh ldap2 chmod 640 /etc/openldap/slapd-key-ldap2.pem
ssh ldap2 chown ldap:ldap /etc/openldap/*.pem
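The same CA and server certificate work flow as cr_ssl_certs_openldap.sh (CA plus master cert) and cr_unsigned_ssl_cert.sh / sign_ssl_cert_from_slave.sh (CSR on the slave, signed by the master's CA), written here as an added, non-interactive example; it is not one of the document's scripts. It uses "openssl req/x509" instead of "openssl ca" so no demoCA index.txt/serial bookkeeping is needed, gives the CA its own Common Name, and ends with the chain-and-hostname check the IMPORTANT NOTE above asks for. CERTDIR (scratch directory), CA_PASS (placeholder passphrase) and the CA name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original document: non-interactive CA and
# server certificates for the master (ldap1) and slave (ldap2) OpenLDAP servers.
# Assumptions: POSIX sh, openssl in PATH; CERTDIR and CA_PASS may be overridden.
set -eu

CERTDIR=${CERTDIR:-$(mktemp -d)}
CA_PASS=${CA_PASS:-CHANGE-ME-ca-passphrase}   # placeholder, not a real secret
DAYS=3652                                     # the lifetime the document uses
SUBJ_PREFIX="/C=SG/ST=Singapore/L=Singapore/O=Example Ltd"

# make_ca <dir>: self-signed CA certificate; the CA private key is encrypted with CA_PASS.
make_ca() {
    dir=$1
    openssl req -new -x509 -newkey rsa:2048 -days "$DAYS" \
        -subj "$SUBJ_PREFIX/CN=Example LDAP CA" \
        -keyout "$dir/cakey.pem" -passout pass:"$CA_PASS" \
        -out "$dir/cacert.pem" 2>/dev/null
    chmod 600 "$dir/cakey.pem"
}

# issue_server_cert <dir> <fqdn> [extra SAN list]: unencrypted key + CSR for the
# server (what the slave does locally), then a CA-signed certificate carrying
# the subjectAltName entries the document adds through its [ usr_cert ] section.
issue_server_cert() {
    dir=$1; fqdn=$2; extra_san=${3:-}
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "$SUBJ_PREFIX/CN=$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    chmod 600 "$dir/$fqdn.key"
    san="DNS:$fqdn"
    if [ -n "$extra_san" ]; then san="$san,$extra_san"; fi
    # extension file: a server certificate, never a CA, with the SANs above
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$san" >"$dir/$fqdn.ext"
    openssl x509 -req -in "$dir/$fqdn.csr" -days "$DAYS" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -passin pass:"$CA_PASS" \
        -CAcreateserial -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.crt" 2>/dev/null
}

# verify_ldap_cert <dir> <cert> <fqdn>: the certificate must chain to cacert.pem
# AND match the name clients will put in "host"/"uri".  Exit status 0 = OK.
verify_ldap_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# cert_cn <cert>: print the Common Name from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Master and slave share one CA and the same load-balancer aliases.
ALIASES="DNS:ldap.example.com,DNS:loadbalancer.example.com"
make_ca "$CERTDIR"
issue_server_cert "$CERTDIR" ldap1.example.com "$ALIASES"
issue_server_cert "$CERTDIR" ldap2.example.com "$ALIASES"
for host in ldap1.example.com ldap2.example.com; do
    if verify_ldap_cert "$CERTDIR" "$CERTDIR/$host.crt" "$host"; then
        echo "$host: CN=$(cert_cn "$CERTDIR/$host.crt"), chains to CA, name matches"
    else
        echo "$host: verification FAILED" >&2
    fi
done
echo "files are in $CERTDIR: cacert.pem goes to every client, <fqdn>.crt/.key to that server"
```

A certificate that passes verify_ldap_cert for a name is the one to list under that name in /etc/ldap.conf and ldap.conf; a failure there is the "unable to verify"/hostname mismatch a client will later report.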
Now add the following TLS lines to /etc/openldap/slapd.conf (the cipher string below dates from 2006 and still permits SSLv2 and SSLv3; both protocols are now deprecated, so on a current OpenSSL prefer a string that allows only TLS).
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /etc/openldap/slapd-key-ldap1.pem
Next start slapd so that it listens on BOTH ports 389 and 636; note the double quotes enclosing BOTH ldap:/// and ldaps:///.
/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:///"
Use the following command to show the details of the CA/Chain/Server Certificate(s):
# openssl s_client -connect localhost:636 -showcerts
---
<Ctrl-C or Ctrl-Break to exit>
In the above output, ignore these non-critical errors, which appear because we self-sign the certs:
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
verify return code: 21 (unable to verify the first certificate)
IMPORTANT NOTE: ensure that the FQDN (Fully Qualified Domain Name) shown as CN=<FQDN> matches the “host” entry (or entries) in /etc/ldap.conf (nss_ldap) and $ETC_OPENLDAP/ldap.conf (LDAP Client), and that its IP address is defined in the /etc/hosts file.
Also copy cacert.pem to all the LDAP clients that use TLS to authenticate with this LDAP Server.
Edit /etc/openldap/ldap.conf and add the following lines; this is for the local LDAP commands:
# vi /etc/openldap/ldap.conf
HOST ldap1.example.com
BASE dc=example,dc=com
# Un-comment for RedHat
TLS_CACERT /etc/openldap/cacert.pem
# Un-comment for others
#TLS_CACERT /usr/local/etc/openldap/cacert.pem
IMPORTANT NOTE:
Some options such as TLS_CACERT are missing from the ldap.conf man pages for some versions of OpenLDAP, see:
http://www.openldap.org/lists/openldap-bugs/200206/msg00092.html
Useful information on START_TLS options is described in:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
Now we are ready to create the configuration file for the OpenLDAP server daemon, slapd.
Make a copy of /etc/openldap/slapd.conf.default as /etc/openldap/slapd.conf and modify it to include the following lines. You should also copy DUAConfigProfile.schema and solaris.schema, which are attached in the Appendix and needed for the Solaris LDAP client/server, to the schema directory.
# cp /etc/openldap/slapd.conf.default /etc/openldap/slapd.conf
# chmod 600 /etc/openldap/slapd.conf
# vi /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/DUAConfigProfile.schema
## solaris.schema provides nisDomainObject, which is absent from nis.schema
include /etc/openldap/schema/solaris.schema
# example will NOT work:
# allow bind_v2
# allow bind_anon_dn
# The second entry (bind_anon_dn) overrides the first
# one (bind_v2) since they are in separate lines.
# The line below WILL work.
allow bind_v2 bind_anon_dn
# ACL directives
access to attrs=userPassword
    by self write
    by * auth
access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read
# Change "anonymous auth" to "anonymous read" or "anonymous none" depending on
# your need
access to dn.subtree="ou=People,dc=example,dc=com"
    by self write
    by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
    by users read
    by anonymous auth
access to *
    by self write
    by * read
# DB directives
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
#rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,ou eq
index cn,mail,surname,givenname eq,subinitial
index memberUid eq
index nisDomain eq
index uniqueMember pres
# Performance tuning directives
sizelimit 5000
threads 8
idletimeout 14400
cachesize 10000
checkpoint 256 15
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /etc/openldap/slapd-key-ldap1.pem
# Use the following if client authentication is required
#TLSVerifyClient demand
# ... or not desired at all
#TLSVerifyClient never
password-hash {CRYPT}
Note: you may use “slaptest” (OpenLDAP 2.3.XX) to test the syntax of slapd.conf.
Copy/create my productivity UNIX scripts (provided in the Appendix section) in /home/gtay, or any directory you prefer, e.g. /home/ldap, and use them to create and rebuild a fully populated MASTER OpenLDAP Server.
Note: before running the scripts, create a sample People.ldif and group.ldif.
It helps if you take some time to browse and study all the productivity scripts, especially the two main scripts, cr_example_com_ldif.sh and rebuild_example_com.sh.
# cp cr_ssl_certs_openldap.sh /home/gtay
# cp cr_unsigned_ssl_cert.sh /home/gtay
# cp sign_ssl_cert_from_slave.sh /home/gtay
# cp cr_People_ldif.sh /home/gtay
# cp cr_group_ldif.sh /home/gtay
# cp cr_example_com_ldif.sh /home/gtay
# cp openldap_add.sh /home/gtay
# cp openldap_delete_Peoples.sh /home/gtay
# cp openldap_delete_groups.sh /home/gtay
# cp openldap_repl_People.sh /home/gtay
# cp openldap_repl_group.sh /home/gtay
# cp openldap_search.sh /home/gtay
# cp rebuild_example_com.sh /home/gtay
Copy/create the following scripts in /home/ldap, as they are meant for LDAP backup and replication:
# cp db2ldif_backup.sh /home/ldap
# cp db2ldif_People.sh /home/ldap
# cp db2ldif_group.sh /home/ldap
# cp openldap_add.sh /home/ldap
# cp openldap_delete_groups.sh /home/ldap
# cp openldap_delete_Peoples.sh /home/ldap
# cp openldap_repl_group.sh /home/ldap
# cp openldap_repl_People.sh /home/ldap
Some of these scripts are optional or specific to a particular environment; for instance, cr_People_ldif.sh is used when People.ldif is an ldif file exported from an existing iPlanet Directory Server, and so is cr_group_ldif.sh.
Create and protect the LDAP rootdn password file for OpenLDAP's “Manager” in the script directories (/home/gtay and /home/ldap in these cases):
# cd /home/gtay
# echo "secret" >mgr.pwd
# chmod 600 mgr.pwd
# cd /home/ldap
# echo "secret" >mgr.pwd
# chmod 600 mgr.pwd
Prepare People.ldif and group.ldif in /home/gtay (or your preferred script directory).
Tip: use the /usr/local/sbin/slappasswd command to generate the hashed form of an LDAP userPassword.
A sample People.ldif with only two entries is shown here
dn: uid=gtay, ou=People, dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Gary Tay
userPassword: {CRYPT}U8bo2twhJ9Kkg

dn: uid=tuser, ou=People, dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Test User
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
A sample group.ldif with only one entry is shown here
dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
IMPORTANT NOTE ABOUT LDIF IMPORT FILES:
When you copy and paste the content of People.ldif and group.ldif, or any other .ldif file from this document, to prepare LDAP data for import with the ldapadd command, make sure that ALL TRAILING SPACES on every line of the .ldif files are removed; otherwise “openldap_add.sh”, which calls the “ldapadd” command, will throw errors.
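A pre-import check for hand-pasted LDIF, added here as an example and not one of the document's scripts: it reports the trailing whitespace the note above warns about and a "dn:" line that follows the previous entry without a blank separator line, and strips the trailing blanks. It assumes POSIX sh and awk; the LDIF content embedded below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original document: lint pasted LDIF before
# handing it to ldapadd.  Assumptions: POSIX sh and awk; sample data constructed.
set -eu

# ldif_lint <file>...: one diagnostic per defect; exit 0 = clean, 1 = defects found
ldif_lint() {
    awk '
        BEGIN { bad = 0; entries = 0 }
        FNR == 1 { last = "" }              # restart entry tracking for each file
        /[ \t]+$/ {
            printf("%s:%d: trailing whitespace\n", FILENAME, FNR); bad = 1
        }
        /^dn:/ {
            entries++
            if (last != "") {               # previous non-comment line was not blank
                printf("%s:%d: entry not separated from the previous one by a blank line\n", FILENAME, FNR)
                bad = 1
            }
        }
        /^[ \t]*$/ { last = ""; next }      # a blank line ends the current entry
        /^#/ { next }                       # comment lines neither join nor separate entries
        { last = $0 }
        END { printf("%d entries checked\n", entries); exit bad }
    ' "$@"
}

# ldif_strip_trailing <in> <out>: the fix the note asks for, trailing blanks removed
ldif_strip_trailing() {
    sed 's/[[:blank:]]*$//' "$1" >"$2"
}

# Constructed sample: a People.ldif-style entry pasted with a trailing space on
# the uid line, immediately followed by a group entry with no blank line between.
TMP=$(mktemp -d)
printf 'dn: uid=tuser,ou=People,dc=example,dc=com\nobjectClass: posixAccount\nuid: tuser \ncn: Test User\ndn: cn=Users,ou=group,dc=example,dc=com\nobjectClass: posixGroup\ncn: Users\n' >"$TMP/pasted.ldif"

echo "--- pasted.ldif"
ldif_lint "$TMP/pasted.ldif" || echo "defects found, exit status $?"
ldif_strip_trailing "$TMP/pasted.ldif" "$TMP/fixed.ldif"
echo "--- fixed.ldif (trailing blanks stripped; the missing blank line still needs a hand edit)"
ldif_lint "$TMP/fixed.ldif" || echo "defects found, exit status $?"
```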
Create the OpenLDAP server start/stop script /etc/init.d/openldap.server. This step is OPTIONAL; you may prefer to use the original RedHat EL3 OpenLDAP start/stop script, /etc/init.d/ldap, instead.
If you prefer the RedHat original start/stop script /etc/init.d/ldap, customize it by editing /etc/sysconfig/ldap.
Tip: add this line to /etc/sysconfig/ldap ONLY while you are debugging /etc/init.d/ldap:
SLAPD_OPTIONS="-d 10"
Otherwise, create your own OpenLDAP start/stop script:
# touch /etc/init.d/openldap.server
# chmod 744 /etc/init.d/openldap.server
# vi /etc/init.d/openldap.server
#! /bin/sh
#
# openldap.server - OpenLDAP start script
#
# Gary Tay, 19-Feb-2004
#
# Un-Comment for RedHat
ETC_OPENLDAP_DIR=/etc/openldap
SLAPD_DIR=/usr/sbin
# Un-Comment for Others
#ETC_OPENLDAP_DIR=/usr/local/etc/openldap
#SLAPD_DIR=/usr/local/libexec
# Pls customize
DEBUG=""
# Un-Comment to debug
#DEBUG="-d 10"
case "$1" in
'start')
    if [ -f $ETC_OPENLDAP_DIR/slapd.conf -a -f $SLAPD_DIR/slapd ]; then
        echo 'OpenLDAP slapd service starting.'
        $SLAPD_DIR/slapd $DEBUG -u ldap -h "ldap:/// ldaps:///"
    fi
    ;;
'stop')
    PID=`ps -ef | grep slapd | grep -v grep | awk '{print $2}'`
    if [ -n "$PID" ]; then
        echo 'OpenLDAP slapd service stopping.'
        # using INT signal is less drastic and less prone to LDAP data corruption
        kill -INT $PID
    fi
    ;;
*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac
Create cr_example_com_ldif.sh, but do not run it directly; it is called by the other script, rebuild_example_com.sh.
# vi cr_example_com_ldif.sh
Content of cr_example_com_ldif.sh
#! /bin/sh
# cr_example_com_ldif.sh - Create initial ldif entries for dc=example,dc=com
# OpenLDAP initial root entries
# Note: LDIF entries must be separated by exactly one blank line.
cat <<EOF >example_com.ldif
dn: dc=example,dc=com
objectclass: top
# For RedHat use the next line
objectclass: organization
# For Solaris use the next line
#objectclass: domain
objectClass: nisDomainObject
nisDomain: example.com
objectclass: dcObject
o: Example Companies
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager

dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People

dn: ou=group,dc=example,dc=com
objectclass: organizationalUnit
ou: group

dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit

dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {CRYPT}l14aeXtphVSUg

dn: cn=sol8profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: SolarisNamingProfile
SolarisLDAPServers: 192.168.1.168
SolarisBindDN: cn=proxyagent,ou=profile,dc=example,dc=com
SolarisBindPassword: {NS1}ecfa88f3a945c411
SolarisSearchBaseDN: dc=example,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: sol8profile

dn: cn=sol9profile,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: sol9profile
credentialLevel: proxy
bindTimeLimit: 2

dn: cn=default,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2

dn: cn=tls_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example, dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one
EOF
# openldap_add.sh (and the Solaris ldap_add variant) read their input from
# these fixed file names
cp example_com.ldif ldap_add.ldif
cp example_com.ldif openldap_add.ldif
Create DB_CONFIG in the OpenLDAP data directory (usually /usr/local/var/openldap-data; for RedHat it is /var/lib/ldap). This file contains performance parameters for Berkeley DB; consult the Internet or the OpenLDAP mailing list and adjust the content as needed.
# vi /usr/local/var/openldap-data/DB_CONFIG
or
# vi /var/lib/ldap/DB_CONFIG
Content of DB_CONFIG; below is an example for an LDAP Server with 640MB RAM and 1000 users
set_cachesize 0 20971520 0
set_lg_regionmax 131072
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE
Create rebuild_example_com.sh, then edit it and uncomment the OS-specific lines.
# vi rebuild_example_com.sh
Content of rebuild_example_com.sh
#! /bin/sh
# rebuild_example_com.sh - ReBuild LDAP Server for dc=example,dc=com
# Un-comment for RedHat
OPENLDAP_DATA_DIR=/var/lib/ldap
# Un-comment for Others
#OPENLDAP_DATA_DIR=/usr/local/var/openldap-data
echo "WARNING: LDAP Data in $OPENLDAP_DATA_DIR will be gzipped!!!"
echo " and rebuilt from scratch, make sure you know what it means"
echo "Press [Ctrl-C] to abort, enter [Yes] to continue..."
read a_key
[ "$a_key" != "Yes" ] && exit 1
# if you kept the RedHat script, use /etc/init.d/ldap here and below
/etc/init.d/openldap.server stop
# the data directory must not be readable by others: it holds every
# userPassword hash
mkdir -p $OPENLDAP_DATA_DIR
chmod 750 $OPENLDAP_DATA_DIR
chown ldap:daemon $OPENLDAP_DATA_DIR
# the old database files are kept as .gz copies rather than deleted;
# un-comment the rm lines instead if you really want them gone
#/bin/rm -f $OPENLDAP_DATA_DIR/*.bdb
#/bin/rm -f $OPENLDAP_DATA_DIR/__db.*
#/bin/rm -f $OPENLDAP_DATA_DIR/log.*
#/bin/rm -f $OPENLDAP_DATA_DIR/alock
gzip -f $OPENLDAP_DATA_DIR/*.bdb
gzip -f $OPENLDAP_DATA_DIR/__db.*[0-9]
gzip -f $OPENLDAP_DATA_DIR/log.*[0-9]
gzip -f $OPENLDAP_DATA_DIR/alock
/etc/init.d/openldap.server start
# give slapd a moment to open its listeners before the first ldapadd
sleep 3
# each cr_*.sh writes openldap_add.ldif, which openldap_add.sh then loads
./cr_example_com_ldif.sh
./openldap_add.sh
./cr_People_ldif.sh
./openldap_add.sh
./cr_group_ldif.sh
./openldap_add.sh
Execute this script:
# ./rebuild_example_com.sh
WARNING: LDAP Data in /usr/local/var/openldap-data will be deleted!!!
and rebuilt from scratch, make sure you know what it means
Press [Ctrl-C] to abort, enter [Yes] to continue...
OpenLDAP slapd service stopping.
OpenLDAP slapd service starting.
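rebuild_example_com.sh recreates the data directory with mode 750 and a fixed owner, and the *.bdb files it will hold contain every userPassword hash in the directory. The function below is an added example, not part of this HOWTO or of OpenLDAP: a preflight check to run before the start step that confirms the data directory exists, is owned by the account slapd runs as, contains DB_CONFIG, and has nothing below it with any permission bit set for "other". The directory and owner in the usage comment are the RedHat values from this document; everything else is constructed.

```shell
#!/bin/sh
# check_ldap_datadir.sh - added example (not from this HOWTO): preflight
# check before slapd is started on a freshly rebuilt data directory.

# check_data_dir DIR OWNER: returns 0 when DIR exists, is owned by OWNER,
# contains DB_CONFIG and no file or directory below it has a permission bit
# set for "other"; prints each problem found and returns 1 otherwise.
check_data_dir() {
    dir="$1"
    owner="$2"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: does not exist"
        return 1
    fi
    # ls -ld instead of stat, because stat's options differ between GNU
    # and Solaris; field 3 is the owner
    actual=$(ls -ld "$dir" | awk '{print $3}')
    if [ "$actual" != "$owner" ]; then
        echo "$dir: owned by $actual, expected $owner"
        rc=1
    fi
    # octal -perm tests (other r/w/x) work with both GNU and Solaris find
    loose=$(find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "world-accessible entries under $dir:"
        echo "$loose"
        rc=1
    fi
    if [ ! -f "$dir/DB_CONFIG" ]; then
        echo "$dir/DB_CONFIG missing: Berkeley DB would run with default tuning"
        rc=1
    fi
    return $rc
}

# Usage (RedHat paths; the owner is the account given to slapd with -u):
# check_data_dir /var/lib/ldap ldap && /etc/init.d/openldap.server start
```

Because the check reports every problem rather than stopping at the first one, a single run after rebuild_example_com.sh shows whether the chmod/chown step took effect and whether any stray file (for example a hand-copied DB_CONFIG created with a permissive umask) has widened the exposure of the database files.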