(SimpleBind + SSL/TLS/start_tls + without-sasl + automount + netgroup + sudo + apache)
(See also related documents at http://web.singnet.com.sg/~garyttt/ )
http://www.openldap.org/project/
Purpose:
This document describes the steps involved in installing and configuring an OpenLDAP Directory Server on Soalris8/9. This is to be accessed by RedHat Linux or Solaris8/9 LDAP Client. Many useful productivity UNIX Shell scripts are also provided in this document.
To use LDAP centralized authentication with nss_ldap and pam_ldap, i.e. to use LDAP "uid" and "userPassword" for UNIX account id and password lookup, you must also complete the setup documented in “Installing and configuring OpenSSH with pam_ldap for Solaris9” and/or "Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3"
Another related document "Deploying Solaris Native LDAP Client by using automated scripts", describes the steps involved in building up an infrastructure environment for rapid deployment of Native LDAP Client.
Useful URLs:
· Solaris (10) LDAP Client with OpenLDAP: http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server
· QuickStart to OpenLDAP: http://www.openldap.org/doc/admin23/quickstart.html
· Replication with slurpd: http://www.openldap.org/doc/admin23/replication.html
· How to install and configure Solaris 9 for Authentication with OpenLDAP 2.1: http://netmojo.ca/howto/solaris-openldap.html
· OpenLDAP SSL/TLS How-To: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
· Replacing NIS with Kerberos and LDAP: http://ofb.net/~jheiss/krbldap/
· Replacing NIS with Kerberos and LDAP: http://www.ofb.net/~jheiss/krbldap/kerberos_and_ldap.html
· SUN Solaris9's “System Administration Guide: Naming and Directory Services - May 2002”: http://docs.sun.com/app/docs/doc/816-4856
· SUN Solaris10's “System Administration Guide: Naming and Directory Services”: http://docs.sun.com/app/docs/doc/816-4556
· Using TLS (from OpenLDAP Admin. Guide)
http://www.openldap.org/doc/admin23/tls.html
· Chinese version of OpenLDAP HOW-TO
http://www.ringkee.com/note/opensource/openldap.htm
· Highly Available LDAP
http://linuxjournal.com/article/5505
· OpenSSH LDAP Public Key Patch
http://www.opendarwin.org/projects/openssh-lpk/
· BIND9.NET LDAP Page
· LDAP Error and Status Codes
http://www.directory-info.com/LDAP/LDAPErrorCodes.html
· LDAP Client Login Authentication
http://yolinux.com/TUTORIALS/LDAP_Authentication.html
· Integrating AIX into Heterogenous LDAP Environments
http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf
· Integrating UNIX/Linux LDAP Clients into Active Directory – ad4unix
http://sourceforge.net/projects/ad4unix/
· Integrating Windows Clients into UNIX/Linux LDAP Server - pGina
http://sourceforge.net/projects/pgina/
The following web sites provide “FREE” issue reporting and discussions:
http://lists.fini.net/mailman/listinfo/ldap-interop
http://www.openldap.org/lists/openldap-software (please search FAQ/MailList archives before posting)
http://www.dbforums.com (comp.unix.solaris)
http://bbs.chinaunix.net/ (Chinese web site)
Freeware tools used:
· Berkeley DB 4.2.52 or later - http://www.sleepycat.com
· NSS_LDAP 2.2.0 and PAM_LDAP 1.6.9 or later – http://www.padl.com
· OpenSSL 0.9.7e or later – http://www.openssl.org
· OpenLDAP 2.3.XX or later - http://www.openldap.org
· BIND9.NET LDAP Tools: http://www.bind9.net/ldap-tools
· LDAP Browser/Editor: http://www-unix.mcs.anl.gov/~gawor/ldap/
· JXplorer Java LDAP Browser/Editor: http://pegacat.com/jxplorer/ (can do SSL connection)
· PHP-LDAP-ADMIN: http://freshmeat.net/projects/phpldapadmin/
· Other Graphical LDAP Tools: http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html
· Novell LDAP CoolTools http://www.novell.com/coolsolutions/tools/bycategory/168.html
· LDAP Account Manager http://lam.sf.net
Example used:
· MASTER OpenLDAP Server: ldap1.example.com, 192.168.1.168
· SLAVE OpenLDAP Server: ldap2.example.com, 192.168.1.178
· RedHat EL3 LDAP Client: client1.example.com, 192.168.1.188
· Solaris8 LDAP Client: client2.example.com, 192.168.1.198
· Solaris9 LDAP Client: client3.example.com, 192.168.1.208
It is highly recommended that OS level Security Hardening be applied to all LDAP Servers. Note that MASTER and SLAVE OpenLDAP Server can be based on RedHat Linux or Solaris operating system.
Preparation Steps:
This step is for BOTH OpenLDAP Server(s) and Clients.
Please ensure that IP addresses of LDAP Server(s) are defined in DNS and/or /etc/hosts
It is important that the Fully Qualified Domain Name (eg: ldap1.example.com) be listed as the first entry right after the IP address, as shown below:
192.168.1.168 ldap1.example.com ldap1
Please ensure that the LDAP domain example.com is defined in /etc/resolv.conf; in the case of Solaris LDAP clients and servers, /etc/defaultdomain should contain "example.com" as the LDAP domain.
Run the following command to set the LDAP domainname:
# domainname example.com
The procedures in this document are also applicable to Solaris8 provided that patch 108993 has been applied; note that Solaris8 has a different syntax for the “ldapclient” command. For Solaris9, LDAP library patch 112960 is highly recommended.
They are also applicable to Solaris10; there is a specific step for the “crle” command, you may like to refer to this URL:
http://forum.sun.com/thread.jspa?threadID=25822&messageID=93864#93864
For Solaris10 LDAP Client, it is noted that the entry “ipnodes: files ldap” in /etc/nsswitch.conf should be replaced with just “ipnodes: files” or else ldapclient initialization will hang.
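The name-resolution rules above (FQDN listed first after the IP address, LDAP domain equal to the domain part of the FQDN) are easy to get wrong and are also what the later SSL certificate CN check depends on. The following pre-flight script is an added example, not part of the original document or its productivity scripts; it assumes a hosts file in /etc/hosts layout, and the hosts file it reads is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the guide): pre-flight checks for the name-resolution
# rules above. The sample hosts file below is constructed, not a real host's file.

# check_hosts_fqdn_first HOSTSFILE IP FQDN
# Succeeds (exit 0) only when the line for IP lists FQDN as its first name,
# the order the guide requires (and the order the SSL CN check later needs).
check_hosts_fqdn_first() {
    awk -v ip="$2" -v fqdn="$3" '
        /^[ \t]*#/ || NF < 2 { next }             # skip comments and short lines
        $1 == ip { found = 1; if ($2 == fqdn) ok = 1 }
        END {
            if (!found) { print "no hosts entry for " ip; exit 1 }
            if (!ok)    { print fqdn " is not the first name after " ip; exit 1 }
            exit 0
        }' "$1"
}

# check_domain_matches FQDN DOMAIN
# The part of the FQDN after the first dot must equal the LDAP domain that
# goes into /etc/defaultdomain and "domainname".
check_domain_matches() {
    [ "${1#*.}" = "$2" ]
}

# --- constructed sample hosts file: ldap1 is correct, ldap2 has the short name first ---
HOSTS=$(mktemp "${TMPDIR:-/tmp}/hosts.XXXXXX")
cat > "$HOSTS" <<'EOF'
# constructed sample, not a real /etc/hosts
127.0.0.1       localhost
192.168.1.168   ldap1.example.com ldap1
192.168.1.178   ldap2 ldap2.example.com
EOF

for spec in "192.168.1.168 ldap1.example.com" \
            "192.168.1.178 ldap2.example.com" \
            "192.168.1.188 client1.example.com"; do
    set -- $spec
    if check_hosts_fqdn_first "$HOSTS" "$1" "$2"; then
        echo "OK:   $1 -> $2"
    else
        echo "FAIL: $1 -> $2"
    fi
done
check_domain_matches ldap1.example.com example.com && echo "domain part matches example.com"
```

Run it against the real /etc/hosts by replacing the constructed file with `/etc/hosts`; the second sample line shows the failure mode the guide warns about, where the short name precedes the FQDN.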
This step is for OpenLDAP Server(s) ONLY, not for LDAP Clients. A recent RedHat client such as RHFC3 or later will most likely ship workable, supported OpenLDAP client, PADL, BDB and OpenSSL library RPMs; for Solaris LDAP Clients, I recommend using the native LDAP library.
IMPORTANT: It is highly recommended that these configuration steps be carried out at the LOCAL SYSTEM CONSOLE while logged in as root; ON TOP OF THIS, MULTIPLE REMOTE root sessions should be kept open, so that any incorrect configuration that messes up your system can be repaired.
Log in as root.
If you are using Berkeley DB 4.2.52, please apply these four patches:
# cd /var/tmp
# wget http://downloads.sleepycat.com/db-4.2.52.tar.gz
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.1
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.2
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.3
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.4
# gzip -d db-4.2.52.tar.gz
# tar xvf db-4.2.52.tar
# chmod u+w db-4.2.52/mp/mp_fget.c
# chmod u+w db-4.2.52/lock/lock.c
# cd db-4.2.52
# patch -i ../patch.4.2.52.1
# patch -i ../patch.4.2.52.2
# patch -i ../patch.4.2.52.3
# patch -i ../patch.4.2.52.4
# cd build_unix
# env CC=gcc ../dist/configure
# make clean
# make
# make install
# cd openssl-0.9.7e
# ./config shared
# make clean
# make
# make install
IMPORTANT NOTE: For Solaris8, Patch 102438 is required if /dev/random instead of prngd is used to support OpenSSL.
This step is for OpenLDAP Server(s) ONLY, not for LDAP Clients. A recent RedHat client such as RHFC3 or later will most likely ship workable, supported OpenLDAP client, PADL, BDB and OpenSSL library RPMs; for Solaris LDAP Clients, I recommend using the native LDAP library.
IMPORTANT NOTE: If you intend to build OpenLDAP Server and Clients with SSL_TLS support, you MUST download the latest OpenLDAP source and compile it; SSL_TLS requires OpenLDAP 2.1.X or later.
Log in as root.
# cd openldap-2.3.XX
# env LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.4.2/lib:/usr/local/ssl/lib" LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.2/lib -L/usr/local/ssl/lib -R/usr/local/lib -R/usr/local/BerkeleyDB.4.2/lib -R/usr/local/ssl/lib" CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.2/include -I/usr/local/ssl/include" ./configure --enable-bdb --enable-crypt --with-tls --without-cyrus-sasl
# make depend
# make clean
Optionally, apply “result.c” patch (See Appendix)
# make
# make install
This will install OpenLDAP server and client binaries/libraries, using default configuration directory /usr/local/etc/openldap, default schema directory /usr/local/etc/openldap/schema, and default data directory /usr/local/var/openldap-data
This step is for OpenLDAP Server(s) ONLY.
Create a UNIX account to own the LDAP files; it could be a member of "daemon" or "ldap".
# groupadd -g 55 ldap
# useradd -u 55 -g 55 -d /home/ldap -s /bin/false ldap
Create a blank default OpenLDAP data directory and protect it:
# mkdir -p /usr/local/var/openldap-data
# chmod 700 /usr/local/var/openldap-data
# chown -R ldap:daemon /usr/local/var/openldap-data
# chown -R ldap:daemon /usr/local/etc/openldap
Copy DUAConfigProfile.schema and solaris.schema provided here in Appendix to /usr/local/etc/openldap/schema directory
# cp DUAConfigProfile.schema /usr/local/etc/openldap/schema
# cp solaris.schema /usr/local/etc/openldap/schema
Create a blank /home/ldap directory; it will be used to keep the .ldif files generated by the productivity scripts db2ldif_group.sh and db2ldif_People.sh, and by my script-based LDAP replication scripts, openldap_repl_group.sh and openldap_repl_People.sh. Alternatively, you may use the OpenLDAP built-in replication feature.
# mkdir -p /home/ldap; chown ldap:ldap /home/ldap
Create self-signed SSL certificates for the local LDAP Server if you intend to use SSL or TLS.
This can be achieved by running this productivity script, cr_ssl_certs_openldap.sh, at the MASTER LDAP Server, which generates a self-signed CA Cert and a signed Server Cert for MASTER LDAP Server. Later on, please use the SAME CA Cert to sign a Server Cert created at SLAVE LDAP Server.
# ./cr_ssl_certs_openldap.sh
Content of cr_ssl_certs_openldap.sh:
#! /bin/sh
#
# cr_ssl_certs_openldap.sh - Create self-signed SSL Certs for OpenLDAP server
#
# Gary Tay, 6-Mar-2004
#
mkdir demoCA >/dev/null 2>&1
cd demoCA
mkdir certs crl newcerts private >/dev/null 2>&1
echo "01" > serial
cp /dev/null index.txt
# Un-comment next two lines for RedHat
#cp /usr/share/ssl/openssl.cnf openssl.cnf
#ETC_OPENLDAP=/etc/openldap
# Un-comment next two lines for Others
cp /usr/local/ssl/openssl.cnf openssl.cnf
ETC_OPENLDAP=/usr/local/etc/openldap
sed -e 's/GB/SG/' \
-e 's/Berkshire/Singapore/' \
-e 's/Newbury/Singapore/' \
-e 's/My Company Ltd/Example Company Ltd/' \
-e '/default_days/s/365/3652/' \
openssl.cnf > openssl.cnf.new
mv openssl.cnf.new openssl.cnf
echo "" >>openssl.cnf
echo "[ usr_cert ] " >>openssl.cnf
echo "subjectAltName=DNS:ldap.`domainname`,DNS:loadbalancer.`domainname`" >>openssl.cnf
echo "" >>openssl.cnf
echo "Creating CA cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem \
-days 3652 -config openssl.cnf
echo "Creating server cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl req -new -x509 -nodes -keyout newreq.pem -out newreq.pem \
-days 3652 -config openssl.cnf
echo "Self signing server cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
cd ..
openssl ca -config demoCA/openssl.cnf -policy policy_anything \
-out demoCA/newcert.pem -infiles demoCA/tmp.pem
rm -f demoCA/tmp.pem
echo "Please copy CA Cert, New Cert and Key to OpenLDAP config dir..."
echo "using the following commands:"
echo "cp demoCA/cacert.pem $ETC_OPENLDAP"
echo "cp demoCA/newcert.pem $ETC_OPENLDAP/slapd-cert-ldap1.pem"
echo "cp demoCA/newreq.pem $ETC_OPENLDAP/slapd-key-ldap1.pem"
echo "chmod 640 $ETC_OPENLDAP/slapd-key-ldap1.pem"
# Uncomment for RedHat
#echo "chown ldap:ldap $ETC_OPENLDAP/*.pem"
# Uncomment for Others
echo "chown ldap:daemon $ETC_OPENLDAP/*.pem"
echo ""
The following is the output of running cr_ssl_certs_openldap.sh
# ./cr_ssl_certs_openldap.sh
Creating CA cert...
Please enter server's FQDN when prompted for Common Name:
Generating a 1024 bit RSA private key
.....................................................++++++
....++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: secret
Verifying - Enter PEM pass phrase: secret
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [Singapore]:
Locality Name (eg, city) [Singapore]:
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ldap1.example.com
Email Address []: first_last@example.com
Creating server cert...
Please enter server's FQDN when prompted for Common Name:
Generating a 1024 bit RSA private key
....................++++++
..................................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [Singapore]:
Locality Name (eg, city) [Singapore]:
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ldap1.example.com
Email Address []: first_last@example.com
Self-signing server cert...
Please enter server's FQDN when prompted for Common Name:
Getting request Private Key
Generating certificate request
Using configuration from demoCA/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: secret
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 15 05:50:15 2004 GMT
Not After : Mar 15 05:50:15 2005 GMT
Subject:
countryName = SG
stateOrProvinceName = Singapore
localityName = Singapore
organizationName = Example Ltd
commonName = ldap1.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
51:F4:FB:11:07:35:79:56:B8:11:DA:5F:54:16:2C:3A:95:1C:03:2C
X509v3 Authority Key Identifier:
keyid:CC:95:06:D3:EF:09:13:57:1F:A2:75:B4:28:AC:E2:B7:5C:1B:5D:66
DirName:/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/CN=ldap1.example.com
serial:00
Certificate is to be certified until Mar 15 05:50:15 2015 GMT (3652 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Please copy CA Cert, New Cert and Key to OpenLDAP config dir...
using the following commands:
cp demoCA/cacert.pem /usr/local/etc/openldap
cp demoCA/newcert.pem /usr/local/etc/openldap/slapd-cert-ldap1.pem
cp demoCA/newreq.pem /usr/local/etc/openldap/slapd-key-ldap1.pem
chmod 640 /usr/local/etc/openldap/slapd-key-ldap1.pem
chown ldap:daemon /usr/local/etc/openldap/*.pem
Copy cacert.pem, slapd-cert-ldap1.pem and slapd-key-ldap1.pem created by the above script to /usr/local/etc/openldap and set up file permission protection, i.e. “chown ldap:ldap *.pem”.
Now add these three lines to /usr/local/etc/openldap/slapd.conf.
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
Next start slapd to listen on BOTH ports 389 and 636; note the double quotes enclosing BOTH ldap:/// and ldaps:///.
/usr/local/libexec/slapd -u ldap -h "ldap:/// ldaps:///"
Also please copy cacert.pem to all the LDAP clients that use SSL_TLS to authenticate with this LDAP Server.
IMPORTANT NOTE: Make sure the CommonName (CN) of the SSL Server Certificate is in Fully Qualified Domain Name (FQDN) format, eg: ldap1.example.com, and this FQDN must be defined in DNS AND /etc/hosts file.
ADDITIONAL STEPS if SLAVE LDAP Server is built:
At the SLAVE LDAP Server, log in as root and run:
# ./cr_unsigned_ssl_cert.sh
Go back to the MASTER LDAP Server, log in as root and run:
# ./sign_ssl_cert_from_slave.sh
Both scripts can be found in the Appendix.
The following shows the expected outputs:
# ./cr_unsigned_ssl_cert.sh
Please enter an unique number as Certificate Serial Number
Examples: if 01 is reserved for MASTER LDAP Server
02 can be used for 1st SLAVE LDAP Server
03 can be used for 2nd SLAVE LDAP Server
02
Creating un-signed SLAVE LDAP Server cert...
Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:
Generating a 1024 bit RSA private key
.................++++++
...............................................++++++
writing new private key to 'newreq_slave.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: SG
State or Province Name (full name) [New York]: Singapore
Locality Name (eg, city) []: Singapore
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:ldap2.example.com
Email Address []:first_last@example.com
# ./sign_ssl_cert_from_slave.sh
Please enter an unique number as Certificate Serial Number
Examples: if 01 is reserved for MASTER LDAP Server
02 can be used for 1st SLAVE LDAP Server
03 can be used for 2nd SLAVE LDAP Server
02
We must copy the unsigned SSL Server Cert from SLAVE LDAP Server
Enter HOSTNAME/IP of SLAVE LDAP Server: \c
ldap2
Enter directory to locate un-signed server cert/key: \c
/home/gtay/demoCA
Copying un-signed server cert/key from SLAVE LDAP Server...
newreq_slave.pem newreq_slave.pem 100% 2319 627.1KB/s 00:00
Self signing server cert for SLAVE LDAP Server...
Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:
Getting request Private Key
Generating certificate request
Using configuration from demoCA/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: secret
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 22 16:05:32 2004 GMT
Not After : Oct 22 16:05:32 2005 GMT
Subject:
countryName = SG
stateOrProvinceName = Singapore
localityName = Singapore
organizationName = Example Ltd
organizationalUnitName =
commonName = ldap2.example.com
emailAddress = first_last@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F7:C2:5F:54:C1:3F:E3:16:F2:1D:F7:5E:B0:CA:C8:95:35:45:DA:A9
X509v3 Authority Key Identifier:
keyid:25:BC:A0:B3:45:F1:E5:25:7B:46:E5:E7:30:0F:45:EB:98:B8:36:37
DirName:/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/OU=/CN=ldap1.example.com/emailAddress=first_last@example.com
serial:00
X509v3 Subject Alternative Name:
DNS:ldap.example.com, DNS:loadbalancer.example.com
Certificate is to be certified until Oct 22 16:05:32 2015 GMT (3652 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Please copy, New Cert and Key to SLAVE OpenLDAP Server config dir...
Example: assuming ldap2:/etc/openldap is the target directory on SLAVE:
scp demoCA/cacert.pem ldap2:/etc/openldap
scp demoCA/newcert_slave.pem ldap2:/etc/openldap/slapd-cert-ldap2.pem
scp demoCA/newreq_slave.pem ldap2:/etc/openldap/slapd-key-ldap2.pem
ssh ldap2 chmod 640 /etc/openldap/slapd-key-ldap2.pem
ssh ldap2 chown ldap:ldap /etc/openldap/*.pem
Use the following command to show the details of the CA/Chain/Server Certificate(s):
# openssl s_client -connect localhost:636 -showcerts
---
Server certificate
subject=/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/CN=ldap1.example.com/emailAddress=first_last@example.com
issuer=/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/CN=ldap1.example.com/emailAddress=first_last@example.com
---
<Ctrl-C or Ctrl-Break to exit>
In the above output please ignore these non-critical errors as we self-sign the cert:
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
verify return code: 21 (unable to verify the first certificate)
IMPORTANT NOTE: please ensure that the FQDN (Fully Qualified Domain Name) shown by CN=<FQDN> matches the “host” entry (or entries) in /etc/ldap.conf (nss_ldap) and $ETC_OPENLDAP/ldap.conf (LDAP Client); its IP address MUST be defined in the /etc/hosts file.
Also please copy cacert.pem to all the LDAP clients that use TLS to authenticate with this LDAP Server.
Edit /usr/local/etc/openldap/ldap.conf and add the following lines; this is for local LDAP commands.
# vi /usr/local/etc/openldap/ldap.conf
HOST ldap1.example.com
BASE dc=example,dc=com
# Un-comment for RedHat
#TLS_CACERT /etc/openldap/cacert.pem
# Un-comment for others
TLS_CACERT /usr/local/etc/openldap/cacert.pem
IMPORTANT NOTE:
Some options such as TLS_CACERT are missing from the ldap.conf man pages for some versions of OpenLDAP, see:
http://www.openldap.org/lists/openldap-bugs/200206/msg00092.html
Useful information on START_TLS options is described in:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
Now we are ready to create the configuration file for the OpenLDAP server daemon, slapd.
Make a copy of /usr/local/etc/openldap/slapd.conf.default to /usr/local/etc/openldap/slapd.conf, and modify it to include the following lines. You should copy DUAConfigProfile.schema and solaris.schema, which are attached in the Appendix and needed for Solaris LDAP client/server, to the schema directory.
# cp /usr/local/etc/openldap/slapd.conf.default /usr/local/etc/openldap/slapd.conf
# chmod 600 /usr/local/etc/openldap/slapd.conf
# vi /usr/local/etc/openldap/slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/DUAConfigProfile.schema
## solaris.schema provides nisDomainObject, which is absent from nis.schema
include /usr/local/etc/openldap/schema/solaris.schema
# The following example will NOT work:
# allow bind_v2
# allow bind_anon_dn
# The second entry (bind_anon_dn) overrides the first
# one (bind_v2) since they are in separate lines.
# The line below WILL work.
allow bind_v2 bind_anon_dn
# ACL directives
access to attrs=userPassword
by self write
by * auth
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
# Change “anonymous auth” to “anonymous read” or “anonymous none” depending on your need
access to dn.subtree="ou=People,dc=example,dc=com"
by self write
by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
by users read
by anonymous auth
access to * by self write
by * read
# DB directives
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
#rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
directory /usr/local/var/openldap-data
index objectClass,uid,uidNumber,gidNumber,ou eq
index cn,mail,surname,givenname eq,subinitial
index memberUid eq
index nisDomain eq
index uniqueMember pres
# Performance tuning directives
sizelimit 5000
threads 8
idletimeout 14400
cachesize 10000
checkpoint 256 15
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
# Use the following if client authentication is required
#TLSVerifyClient demand
# ... or not desired at all
#TLSVerifyClient never
password-hash {CRYPT}
Note: with OpenLDAP 2.3.XX you may use “slaptest” to test the syntax of slapd.conf.
Copy/Detach my productivity UNIX scripts (as provided in the Appendix section) to /home/gtay, or any directory you prefer, e.g. /home/ldap, and use these scripts to create and rebuild a fully populated MASTER OpenLDAP Server.
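slaptest catches syntax errors, but not the semantic traps pointed out in the comments above (a second “allow” line silently replacing the first, a cleartext rootpw, a cipher suite that still admits SSLv2/SSLv3, an include path that does not exist). The script below is an added example, not one of the document's productivity scripts; it assumes the one-directive-per-line layout shown above, and the two slapd.conf files it checks are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the guide): lint a slapd.conf for the pitfalls this
# section mentions, to run before slaptest. The two configs below are constructed.

# lint_slapd_conf CONF
# Prints the number of problems found on stdout; details go to stderr.
lint_slapd_conf() {
    conf="$1"
    problems=0

    # 1. Several 'allow' lines: slapd keeps only the last one, so
    #    "allow bind_v2" followed by "allow bind_anon_dn" silently drops bind_v2.
    n_allow=$(grep -c '^allow[[:space:]]' "$conf" || true)
    if [ "$n_allow" -gt 1 ]; then
        echo "WARN: $n_allow 'allow' lines; only the last takes effect, merge them" >&2
        problems=$((problems + 1))
    fi

    # 2. rootpw given in cleartext instead of a slappasswd hash ({SSHA}, {CRYPT}, ...).
    if grep -q '^rootpw[[:space:]]' "$conf" && ! grep -q '^rootpw[[:space:]]*{' "$conf"; then
        echo "WARN: rootpw is cleartext; use the output of slappasswd" >&2
        problems=$((problems + 1))
    fi

    # 3. A TLSCipherSuite that still turns on SSLv2/SSLv3 (both long since broken).
    if grep -q '^TLSCipherSuite.*[:+]SSLv[23]' "$conf"; then
        echo "WARN: TLSCipherSuite enables SSLv2/SSLv3; use TLS-only ciphers" >&2
        problems=$((problems + 1))
    fi

    # 4. Every include and TLS*File path must exist; a typo here stops slapd from starting.
    for f in $(awk '$1 == "include" || $1 ~ /^TLS.*File$/ { print $2 }' "$conf"); do
        if [ ! -f "$f" ]; then
            echo "WARN: referenced file does not exist: $f" >&2
            problems=$((problems + 1))
        fi
    done

    echo "$problems"
}

# --- constructed sample configs ---
WORK=$(mktemp -d "${TMPDIR:-/tmp}/slapdlint.XXXXXX")
mkdir -p "$WORK/schema"
: > "$WORK/schema/core.schema"     # present; missing.schema is deliberately absent

BAD_CONF="$WORK/slapd.conf.bad"
cat > "$BAD_CONF" <<EOF
include $WORK/schema/core.schema
include $WORK/schema/missing.schema
allow bind_v2
allow bind_anon_dn
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
EOF

GOOD_CONF="$WORK/slapd.conf.good"
cat > "$GOOD_CONF" <<EOF
include $WORK/schema/core.schema
allow bind_v2 bind_anon_dn
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}PLACEHOLDER-replace-with-slappasswd-output
TLSCipherSuite HIGH:!aNULL:!SSLv2:!SSLv3
EOF

echo "problems in bad config:  $(lint_slapd_conf "$BAD_CONF")"
echo "problems in good config: $(lint_slapd_conf "$GOOD_CONF")"
```

The bad sample reports four problems and the good one none; point `lint_slapd_conf` at /usr/local/etc/openldap/slapd.conf and then run slaptest for the syntax check.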
Note: before running the scripts, please create a sample People.ldif and group.ldif.
It helps to take some time to browse and study all the productivity scripts, especially the two main scripts, cr_example_com_ldif.sh and rebuild_example_com.sh.
# cp cr_ssl_certs_openldap.sh /home/gtay
# cp cr_unsigned_ssl_cert.sh /home/gtay
# cp sign_ssl_cert_from_slave.sh /home/gtay
# cp cr_People_ldif.sh /home/gtay
# cp cr_group_ldif.sh /home/gtay
# cp cr_example_com_ldif.sh /home/gtay
# cp openldap_add.sh /home/gtay
# cp openldap_delete_Peoples.sh /home/gtay
# cp openldap_delete_groups.sh /home/gtay
# cp openldap_repl_People.sh /home/gtay
# cp openldap_repl_group.sh /home/gtay
# cp openldap_search.sh /home/gtay
# cp rebuild_example_com.sh /home/gtay
Copy these three scripts to /home/ldap as they are meant for LDAP Backup and Replication:
# cp db2ldif_backup.sh /home/ldap
# cp db2ldif_People.sh /home/ldap
# cp db2ldif_group.sh /home/ldap
# cp openldap_add.sh /home/ldap
# cp openldap_delete_groups.sh /home/ldap
# cp openldap_delete_Peoples.sh /home/ldap
# cp openldap_repl_group.sh /home/ldap
# cp openldap_repl_People.sh /home/ldap
Some of these scripts are optional or specific to a particular environment; for instance, cr_People_ldif.sh is used if People.ldif is an exported ldif file created from an existing iPlanet Directory Server, and the same applies to cr_group_ldif.sh.
Create and protect the LDAP rootdn password file for OpenLDAP’s “Manager” in the script directories (/home/gtay and /home/ldap in this case):
# cd /home/gtay
# echo “secret” >mgr.pwd
# chmod 600 mgr.pwd
# cd /home/ldap
# echo “secret” >mgr.pwd
# chmod 600 mgr.pwd
Prepare People.ldif and group.ldif in /home/gtay (or your preferred script directory).
Tip: Use the /usr/local/sbin/slappasswd command to generate the hashed form of an LDAP userPassword.
A sample People.ldif with only two entries is shown here
dn: uid=gtay, ou=People, dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Gary Tay
userPassword: {CRYPT}U8bo2twhJ9Kkg
dn: uid=tuser, ou=People, dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Test User
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
A sample group.ldif with only one entry is shown here
dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
IMPORTANT NOTE ABOUT LDIF IMPORT FILES:
When you copy and paste the content of People.ldif and group.ldif, or any other .ldif files from this document for preparation of LDAP data import using ldapadd command, please make sure that ALL TRAILING SPACES at every line in the .ldif files be removed or else “openldap_add.sh” which calls “ldapadd” command will throw errors.
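Stripping the trailing spaces by hand is error-prone, so here is an added example (not one of the document's scripts) that cleans an LDIF file in place and checks its basic shape before openldap_add.sh hands it to ldapadd. It assumes plain "attr: value" LDIF as in the samples above; the People.ldif it processes is a constructed file with trailing blanks on two of its lines.

```shell
#!/bin/sh
# Added example (not from the guide): clean and sanity-check an LDIF file before
# feeding it to ldapadd. The input file below is constructed.

# ldif_trailing_count FILE  - number of lines that end in whitespace
ldif_trailing_count() {
    grep -c '[[:space:]]$' "$1" || true
}

# ldif_strip_trailing FILE  - remove trailing whitespace in place
# (a separator line with spaces on it no longer ends a record, and a trailing
# blank on "sn: User " becomes part of the value, so ldapadd misbehaves)
ldif_strip_trailing() {
    sed 's/[[:space:]]*$//' "$1" > "$1.clean" && mv "$1.clean" "$1"
}

# ldif_entry_count FILE  - number of records, one per "dn:" line
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

# ldif_check_syntax FILE  - every non-blank, non-comment line must be
# "attr: value" (or "attr:: base64") or a continuation line starting with a space
ldif_check_syntax() {
    awk '
        /^#/ || /^$/ { next }
        /^ / { next }
        /^[A-Za-z][A-Za-z0-9.;-]*:/ { next }
        { print FILENAME ":" NR ": malformed line: " $0; bad++ }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# --- constructed sample with trailing blanks on the sn line and the separator ---
WORK=$(mktemp -d "${TMPDIR:-/tmp}/ldifclean.XXXXXX")
SAMPLE="$WORK/People.ldif"
printf '%s\n' \
    'dn: uid=tuser,ou=People,dc=example,dc=com' \
    'objectClass: posixAccount' \
    'uid: tuser' \
    'sn: User   ' \
    '  ' \
    'dn: cn=Users,ou=group,dc=example,dc=com' \
    'objectClass: posixGroup' \
    'cn: Users' > "$SAMPLE"

echo "trailing-whitespace lines before: $(ldif_trailing_count "$SAMPLE")"
ldif_strip_trailing "$SAMPLE"
echo "trailing-whitespace lines after:  $(ldif_trailing_count "$SAMPLE")"
echo "records: $(ldif_entry_count "$SAMPLE")"
ldif_check_syntax "$SAMPLE" && echo "syntax OK"
```

Run `ldif_strip_trailing People.ldif` and `ldif_strip_trailing group.ldif` in the script directory before rebuild_example_com.sh; `ldif_check_syntax` exits non-zero and names the offending line when a pasted line lost its "attr:" prefix.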
Create the OpenLDAP server start/stop script /etc/init.d/openldap.server.
# touch /etc/init.d/openldap.server
# chmod 744 /etc/init.d/openldap.server
# vi /etc/init.d/openldap.server
#! /bin/sh
#
# openldap.server - OpenLDAP start script
#
# Gary Tay, 19-Feb-2004
#
# Un-Comment for RedHat
#ETC_OPENLDAP_DIR=/etc/openldap
#SLAPD_DIR=/usr/sbin
# Un-Comment for Others
ETC_OPENLDAP_DIR=/usr/local/etc/openldap
SLAPD_DIR=/usr/local/libexec
# Pls customize
DEBUG=""
# Un-Comment to debug
#DEBUG="-d 10"
case "$1" in
'start')
if [ -f $ETC_OPENLDAP_DIR/slapd.conf -a -f $SLAPD_DIR/slapd ]; then
echo 'OpenLDAP slapd service starting.'
$SLAPD_DIR/slapd $DEBUG -u ldap -h "ldap:/// ldaps:///"
fi
;;
'stop')
PID=`ps -ef | grep slapd | grep -v grep | awk '{print $2}'`
if [ -n "$PID" ]; then
echo 'OpenLDAP slapd service stopping.'
# using INT signal is less drastic and less prone to LDAP data corruption
kill -INT $PID
fi
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
Create cr_example_com_ldif.sh, do not run it as it will be "called" by the other script, rebuild_example_com.sh.
# vi cr_example_com_ldif.sh
Content of cr_example_com_ldif.sh
#! /bin/sh
# cr_example_com_ldif.sh - Create initial ldif entries for dc=example,dc=com
# OpenLDAP initial root entries
cat <<EOF >example_com.ldif
dn: dc=example,dc=com
objectclass: top
# For RedHat use the next line
#objectclass: organization
# For Solaris use the next line
objectclass: domain
objectClass: nisDomainObject
nisDomain: example.com
objectclass: dcObject
o: Example Companies
dc: example
dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People
dn: ou=group,dc=example,dc=com
objectclass: organizationalUnit
ou: group
dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit
dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {CRYPT}l14aeXtphVSUg
dn: cn=sol8profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: SolarisNamingProfile
SolarisLDAPServers: 192.168.1.168
SolarisBindDN: cn=proxyagent,ou=profile,dc=example,dc=com
SolarisBindPassword: {NS1}ecfa88f3a945c411
SolarisSearchBaseDN: dc=example,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: sol8profile
dn: cn=sol9profile,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: sol9profile
credentialLevel: proxy
bindTimeLimit: 2
dn: cn=default,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2
dn: cn=tls_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example, dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com
serviceSearchDescriptor: group: ou=group,dc=example,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com
EOF
cp example_com.ldif ldap_add.ldif
cp example_com.ldif openldap_add.ldif
Create DB_CONFIG in the OpenLDAP data directory (usually /usr/local/var/openldap-data; for RedHat, it is /var/lib/ldap). This file contains performance parameters for Berkeley DB; consult the Internet or the OpenLDAP mailing list and adjust the content as needed.
# vi /usr/local/var/openldap-data/DB_CONFIG
or
# vi /var/lib/ldap/DB_CONFIG
Content of DB_CONFIG; below is an example for an LDAP Server with 640MB RAM and 1000 users
set_cachesize 0 20971520 0
set_lg_regionmax 131072
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE
Create rebuild_example_com.sh, edit and uncomment those OS specific lines.
# vi rebuild_example_com.sh
Content of rebuild_example_com.sh
#! /bin/sh
# rebuild_example_com.sh - ReBuild LDAP Server for dc=example,dc=com
# Un-comment for RedHat
#OPENLDAP_DATA_DIR=/var/lib/ldap
# Un-comment for Others
OPENLDAP_DATA_DIR=/usr/local/var/openldap-data
echo "WARNING: LDAP Data in $OPENLDAP_DATA_DIR will be gzipped!!!"
echo " and rebuilt from scratch, make sure you know what it means"
echo "Press [Ctrl-C] to abort, enter [Yes] to continue..."
read a_key
[ "$a_key" != "Yes" ] && exit 1
/etc/init.d/openldap.server stop
mkdir -p $OPENLDAP_DATA_DIR
chmod 750 $OPENLDAP_DATA_DIR
chown ldap:daemon $OPENLDAP_DATA_DIR
#/bin/rm -f $OPENLDAP_DATA_DIR/*.bdb
#/bin/rm -f $OPENLDAP_DATA_DIR/__db.*
#/bin/rm -f $OPENLDAP_DATA_DIR/log.*
#/bin/rm -f $OPENLDAP_DATA_DIR/alock
gzip -f $OPENLDAP_DATA_DIR/*.bdb
gzip -f $OPENLDAP_DATA_DIR/__db.*[0-9]
gzip -f $OPENLDAP_DATA_DIR/log.*[0-9]
gzip -f $OPENLDAP_DATA_DIR/alock
/etc/init.d/openldap.server start
sleep 3
./cr_example_com_ldif.sh
./openldap_add.sh
./cr_People_ldif.sh
./openldap_add.sh
./cr_group_ldif.sh
./openldap_add.sh
Execute this script:
# ./rebuild_example_com.sh
WARNING: LDAP Data in /var/lib/ldap will be deleted!!!
and rebuilt from scratch, make sure you know what it means
Press [Ctrl-C] to abort, enter [Yes] to continue...
OpenLDAP slapd service stopping.
OpenLDAP slapd service starting.
adding new entry "dc=example,dc=com"
adding new entry "cn=Manager,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=group,dc=example,dc=com"
adding new entry "uid=gtay,ou=People, dc=example,dc=com"
adding new entry "uid=tuser,ou=People, dc=example,dc=com"
adding new entry "cn=Users,ou=group,dc=example,dc=com"
…
Congratulations!!! You have created an OpenLDAP Server.
IMPORTANT Note: rebuild_example_com.sh is a VERY DESTRUCTIVE script, make sure you understand what every step of the script is trying to do, avoid testing this script in production environment.
For massive import of People and group entries, you may use “/usr/sbin/ldapaddent” command, see “man ldapaddent” for more details, or you may use PADL’s MigrationTools.
http://www.padl.com/OSS/MigrationTools.html
Examples of ldapaddent are listed below; note the sequence, passwd DB first then shadow, and note also the use of “-p” to create the userPassword attribute; the CRYPT password is only added when the DB is shadow.
# cat test.txt
test9991:x:9991:102:test9991:/var/tmp:/bin/sh
# ldapaddent -v -f test.txt -D "cn=Manager,dc=example,dc=com" -p passwd
Enter password:
SERVICE = passwd
Adding entry : test9991
1 entries added
# cat tests.txt
test9991:ElnMr/iU805dA:12881::::::
# ldapaddent -v -f tests.txt -D "cn=Manager,dc=example,dc=com" shadow
Enter password:
SERVICE = shadow
Adding entry : test9991
1 entries added
#
Try stopping and starting OpenLDAP server
# /etc/init.d/openldap.server stop
# /etc/init.d/openldap.server start
Verify:
# ps -ef | grep slapd
root 706 702 0 03:31:03 pts/3 0:00 grep slapd
root 216 1 0 Feb 23 ? 2:11 /usr/local/libexec/slapd -u ldap -h ldap:/// ldaps:///
Tip: whenever you have a problem starting the OpenLDAP server, i.e. it is not shown in the process status, un-comment this line in /etc/init.d/openldap.server and re-try:
#DEBUG="-d 10"
Prepare LDAP Client's (LDAP Client local to LDAP Server) ldap.conf file in /usr/local/etc/openldap, the following is a typical content:
HOST ldap1.example.com
BASE dc=example,dc=com
# Un-comment for RedHat
#TLS_CACERT