LDAP for organization
Preface
OpenLDAP is a nice solution for user authentication needs. There is some nice documentation at http://www.openldap.org/
and http://sapiens.wustl.edu/~sysmain/info/openldap/
This is documentation of my struggle to get everything working correctly. In stable, OpenLDAP was broken out of the box. I decided I wanted a newer version, so I grabbed the backport. Let's start there.
Assumptions: you are familiar with Debian and understand its file layout, and you know when root is needed.
Getting the backport
Your friendly Open Source Lab has a backport mirror, http://backports.osuosl.org/
Add the sources.list line for your release (see the mirror's instructions) to /etc/apt/sources.list, and import the archive's signing key if the mirror publishes one so apt can verify what it installs. Then
apt-get update
apt-get install slapd
You now have an unconfigured, unpopulated LDAP server.
Configuring slapd
One goal of our LDAP server was to accept SSL connections. This part gave me a lot of trouble. After a few days of troubleshooting, I discovered it was a syntax error that failed silently. I would like to blame the documentation I was copying and pasting from, but I should have paid closer attention to what was going on. On that note, here is some documentation to copy and paste from (you might want to double-check it). Two habits catch this class of error early: start slapd in the foreground with slapd -d 1 so configuration errors land on stderr instead of vanishing with the daemon, and, if your version ships it, run slaptest -f /etc/ldap/slapd.conf before each restart.
Basic config
Check out http://sapiens.wustl.edu/~sysmain/info/openldap/openldap_configure.html
. The documentation there is really well done. I will leave that to you and focus on detailing my OpenSSL trouble.
Set up your base
This was the part that I seemed to have missed in my documentation reading. The base entry is the root of the tree: the ou=People and ou=Group subtrees holding the posixAccount and posixGroup entries that nss_ldap and pam_ldap look up all hang beneath it. Load it with ldapadd, binding as the rootdn from slapd.conf: ldapadd -x -D <rootdn> -W -f base.ldif
base.ldif
dn: dc=yourhost,dc=com
dc: yourhost
objectClass: top
objectClass: domain
SSL/TLS config
Assuming you got a basic config from http://sapiens.wustl.edu/~sysmain/info/openldap/openldap_configure.html working, it is time to get the SSL certs working.
This time I found documents at http://www.openldap.org/faq/data/cache/185.html, then modified them.
Make a new local CA and sign the certs
This will sign your server cert with a homebrew CA. Every client is then given that CA's certificate, and only that one, to trust; that is what lets TLS_REQCERT demand on the clients reject any other certificate.
Note: original documents at http://www.openldap.org/faq/data/cache/185.html; the commands below are Debian specific.
Create the CA
cd /usr/lib/ssl/misc
./CA.sh -newca
CA.sh sits in that directory, not on PATH, hence the ./. It asks for a passphrase for the CA key and writes the CA into ./demoCA: the certificate as demoCA/cacert.pem and the key as demoCA/private/cakey.pem. Pick a real passphrase; whoever holds that key can issue a certificate every client will trust.
Create the Server Key
Remember that the Common Name for this cert should be the fully qualified domain name of the server; TLS_REQCERT demand on the clients compares it with the hostname in their URI:
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Key and request go into the same file, which is what CA.sh -sign expects. -nodes leaves the key unencrypted so slapd can start unattended, which is why the file permissions below matter.
Sign the new server cert
./CA.sh -sign
This signs newreq.pem with the CA and writes the certificate to newcert.pem.
Move the certs to a secure location (this can be anywhere)
mv demoCA /etc/myCA
mv newcert.pem /etc/myCA/servercrt.pem
mv newreq.pem /etc/myCA/serverkey.pem
chmod 700 /etc/myCA/private
chmod 600 /etc/myCA/serverkey.pem
The CA certificate is already at /etc/myCA/cacert.pem (CA.sh wrote it inside demoCA), so there is nothing to copy; the CA key under /etc/myCA/private stays on this machine. slapd runs as root in this setup (see the ps output further down); if your slapd package runs it as a dedicated user (later Debian packages use openldap), chown serverkey.pem to that user instead of loosening its mode.
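The same build done with openssl(1) directly, as an added example that is not from the original page or the OpenLDAP FAQ: it makes the CA and the server certificate in one go, puts a subjectAltName on the server cert (newer clients check the hostname there rather than in the CN), keeps the CA key in a 0700 directory and the server key at 0600 from the moment they are written, and refuses to finish unless the server certificate verifies against the CA. The directory, the hostname ldap.yourhost.com and the openldap user name are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example (not from the original page): build a private CA and a slapd
# server certificate with plain openssl(1) instead of CA.sh, writing a
# subjectAltName so clients that check hostnames against the SAN accept it.
# The target directory, the FQDN and the slapd user are assumptions.
set -eu

# ldap_cert_config <dir> <server-fqdn>
#   Writes a minimal openssl.cnf carrying the CA and server extension sections,
#   so the result does not depend on the distribution's default openssl.cnf.
ldap_cert_config() {
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

# make_ldap_certs <dir> <server-fqdn>
#   Produces <dir>/cacert.pem, <dir>/servercrt.pem, <dir>/serverkey.pem (0600)
#   and <dir>/private/cakey.pem (0600 in a 0700 directory), then verifies the
#   chain.  Runs in a subshell so the umask change stays local.
make_ldap_certs() (
    dir=$1
    fqdn=$2
    umask 077                       # every new file starts private
    mkdir -p "$dir/private"
    chmod 755 "$dir"                # clients/slapd must traverse the directory
    ldap_cert_config "$dir" "$fqdn"

    # CA: self-signed, 10 years.  The key never leaves $dir/private.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Local LDAP CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1

    # Server key + CSR.  The CN is the FQDN, as libldap clients expect.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/openssl.cnf" -subj "/CN=$fqdn" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" >/dev/null 2>&1

    # Sign the CSR with the CA, attaching the server extensions (SAN included).
    openssl x509 -req -in "$dir/server.csr" -days 825 \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/servercrt.pem" >/dev/null 2>&1
    rm -f "$dir/server.csr"

    # Certificates are public; only the keys stay 0600.
    chmod 644 "$dir/cacert.pem" "$dir/servercrt.pem"
    # Fail here, not at the first client connection, if the chain is broken.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/servercrt.pem" >/dev/null
)

# cert_matches_host <dir> <fqdn>
#   Succeeds if the server certificate names <fqdn> in its SAN or CN, i.e. the
#   hostname check TLS_REQCERT demand performs on the client side.
cert_matches_host() {
    openssl x509 -in "$1/servercrt.pem" -noout -text \
        | grep -E 'DNS:'"$2"'(,|$)|CN ?= ?'"$2"'(,|$|/)' >/dev/null
}

# Usage (as root):  sh make-ldap-certs.sh /etc/myCA ldap.yourhost.com
# If slapd runs as a dedicated user (assumed name: openldap), chown that user
# on serverkey.pem afterwards rather than loosening its mode.
if [ "$#" -ge 2 ]; then
    make_ldap_certs "$1" "$2"
    if cert_matches_host "$1" "$2"; then
        echo "certificates written to $1 for $2"
    else
        echo "server certificate does not name $2" >&2
        exit 1
    fi
fi
```

Point the three TLS* lines in slapd.conf at cacert.pem, servercrt.pem and serverkey.pem, and give clients only cacert.pem. cert_matches_host is worth running on every new certificate: a CN or SAN that does not match the hostname in the client's URI is exactly the mismatch that TLS_REQCERT demand turns into an unhelpful "Can't contact LDAP server" on the client.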
Let OpenLDAP know about the new certs
Update your /etc/ldap/slapd.conf with the following three lines, using the paths you moved the files to:
TLSCACertificateFile /etc/myCA/cacert.pem
TLSCertificateFile /etc/myCA/servercrt.pem
TLSCertificateKeyFile /etc/myCA/serverkey.pem
Update your /etc/ldap/ldap.conf with the following. The host in URI must be the FQDN you put in the certificate's Common Name, because TLS_REQCERT demand checks it:
BASE dc=yourhost,dc=com
URI ldaps://yourhost.com
TLS_CACERT /etc/myCA/cacert.pem
TLS_REQCERT demand
NOTE: ldap.conf is a client-side configuration. However, sometimes your server needs to be a client, so it is important to have it on both. Along with the ldap.conf, you will have to copy cacert.pem to every client you configure, and only cacert.pem: the CA key in /etc/myCA/private never leaves the server. TLS_REQCERT demand is the line that makes the whole exercise worthwhile; with never or allow a client would happily talk to anything that answers on port 636, certificate or not.
Startup slapd!
slapd -h "ldaps:///"
The quotes are important.
This starts slapd listening only on the default ldaps port, 636, with no plaintext ldap:// listener at all. Debian's init script does the same if you set SLAPD_SERVICES="ldaps:///" in /etc/default/slapd, which is the form that survives a reboot. If you must also keep ldap:// (say, for local tools), security ssf=128 in slapd.conf makes slapd refuse binds and operations that are not protected by TLS.
Check that slapd is running
ps aux | grep slapd
output (or something similar):
root 13555 0.0 0.7 16536 8236 ? S 21:39 0:00 slapd -h ldaps:///
root 13556 0.0 0.7 16536 8236 ? S 21:39 0:00 slapd -h ldaps:///
root 13557 0.1 0.7 16536 8236 ? S 21:39 0:07 slapd -h ldaps:///
root 13569 0.0 0.7 16536 8236 ? S 21:40 0:01 slapd -h ldaps:///
netstat -ln | grep 636
output:
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
Test an SSL connection
If you have everything set up in the config files (BASE and URI in /etc/ldap/ldap.conf), a plain
ldapsearch -x
will dump everything an anonymous simple bind is allowed to read, over ldaps. If it fails with "Can't contact LDAP server", check the TLS layer independently of libldap with openssl s_client -connect yourhost.com:636 -CAfile /etc/myCA/cacert.pem, which prints the certificate chain and a "Verify return code"; ldapsearch -x -d 1 shows libldap's own TLS negotiation.
Clientside Configuration
It's all about the clients
This is a setup for LDAP authentication, autofs, and various other tools. It is incomplete, but these are the gist of my configs.
Get required libraries
apt-get install libnss-ldap libpam-ldap autofs-ldap
Change your configs!
/etc/ldap/ldap.conf
This is libldap's client configuration (on Debian it lives under /etc/ldap/); every program linked against libldap, which includes nss_ldap, pam_ldap and the autofs LDAP lookup module, reads it. Here are the things we are changing:
- location of ldap server
- location of CA certificate
BASE dc=yourhost,dc=com
URI ldaps://yourhost.com
TLS_CACERT /etc/ldap/ssl/cacert.pem
TLS_REQCERT demand
Then copy cacert.pem from the server into /etc/ldap/ssl/ on each client (root-owned and world-readable is fine, it is public). Copy it over a channel you trust and compare openssl x509 -noout -fingerprint -in cacert.pem on both ends: a client that trusts the wrong CA file trusts whoever holds that CA.
/etc/nsswitch.conf
Your file should look like the following. Two things to keep in mind: the LDAP server's own name must resolve through files or dns before the ldap source is consulted (put it in /etc/hosts), otherwise looking up the server's address recurses into nss_ldap; and with shadow: files ldap the client never needs the hashes in userPassword, because pam_ldap authenticates by binding as the user, so slapd's ACL should not let ordinary users read that attribute (the usual rule is access to attrs=userPassword by self write by anonymous auth by * none).
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns ldap
networks: files ldap
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/libnss-ldap.conf
nss_ldap's own configuration. Its tls_* keys are honoured in addition to what libldap reads from /etc/ldap/ldap.conf, so set them here too rather than relying on library defaults:
base dc=yourhost,dc=com
uri ldaps://yourhost.com
ldap_version 3
tls_checkpeer yes
tls_cacertfile /etc/ldap/ssl/cacert.pem
/etc/pam_ldap.conf
This is very similar to libnss-ldap.conf:
base dc=yourhost,dc=com
uri ldaps://yourhost.com
ldap_version 3
tls_checkpeer yes
tls_cacertfile /etc/ldap/ssl/cacert.pem
pam_password md5
About pam_password: md5 makes the client hash a changed password itself and write a {MD5} value into userPassword. pam_password exop instead sends the new password to slapd (over TLS) in the password-modify extended operation and lets slapd hash it according to its password-hash directive (for example password-hash {SSHA}), which keeps the choice of hash on the server and is the better option wherever the server supports it.
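Every dangerous setting in these three files (a plaintext uri, TLS_REQCERT or tls_checkpeer left at anything but demand/yes, a missing CA file, a client-side pam_password hash) fails quietly, so here is a small audit script, added as an example and not part of the original page or of nss_ldap/pam_ldap. It reads a file in either libldap's ldap.conf syntax or the libnss-ldap.conf/pam_ldap.conf syntax and prints one WARN line per weak setting; file paths are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original page): audit an LDAP client
# configuration file for settings that silently downgrade what this page sets
# up.  Understands libldap keys (URI, TLS_REQCERT, TLS_CACERT) and the PADL
# nss_ldap/pam_ldap keys (uri, ssl, tls_checkpeer, tls_cacertfile,
# pam_password).  Nothing is read from /etc unless you pass those paths.
set -eu

# ldap_conf_val <file> <key>
#   Prints the first value of <key> (matched case-insensitively, comments
#   stripped) or nothing if absent.  Only the first token of a multi-valued
#   line (e.g. several URIs) is returned.
ldap_conf_val() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" 'tolower($1) == k { print $2; exit }'
}

# audit_ldap_client_conf <file>
#   Prints "WARN <file>: ..." per weak setting.  Returns 0 when the file is
#   clean, 1 otherwise, so it can gate a deployment script.
audit_ldap_client_conf() {
    f=$1
    rc=0
    warn() { printf 'WARN %s: %s\n' "$f" "$1"; rc=1; }
    [ -r "$f" ] || { warn "not readable"; return 1; }

    uri=$(ldap_conf_val "$f" uri)
    case "$uri" in
        ldaps://*) ;;                         # TLS from the first byte
        ldap://*)
            # Plaintext unless the PADL-style "ssl start_tls" upgrades it.
            [ "$(ldap_conf_val "$f" ssl)" = start_tls ] \
                || warn "uri $uri is plaintext (no ldaps:// and no 'ssl start_tls')"
            ;;
        "") warn "no uri set" ;;
        *)  warn "unrecognised uri '$uri'" ;;
    esac

    # Certificate verification: libldap uses TLS_REQCERT, nss/pam_ldap use
    # tls_checkpeer.  Anything but demand/yes lets a MITM present any cert.
    reqcert=$(ldap_conf_val "$f" tls_reqcert)
    checkpeer=$(ldap_conf_val "$f" tls_checkpeer)
    [ -n "$reqcert" ] && [ "$reqcert" != demand ] \
        && warn "TLS_REQCERT is '$reqcert', must be demand"
    [ -n "$checkpeer" ] && [ "$checkpeer" != yes ] \
        && warn "tls_checkpeer is '$checkpeer', must be yes"
    [ -z "$reqcert" ] && [ -z "$checkpeer" ] \
        && warn "no TLS_REQCERT/tls_checkpeer: verification depends on library defaults"

    # A CA file must be named and present; with demand, a missing file fails
    # closed on every connection, which is correct but not what you want at 3am.
    cacert=$(ldap_conf_val "$f" tls_cacert)
    [ -n "$cacert" ] || cacert=$(ldap_conf_val "$f" tls_cacertfile)
    if [ -z "$cacert" ]; then
        warn "no TLS_CACERT/tls_cacertfile"
    elif [ ! -r "$cacert" ]; then
        warn "CA file $cacert is missing or unreadable"
    fi

    # pam_ldap only: md5/crypt/clear make the client pick the hash (or send
    # none); exop lets slapd apply its own password-hash setting.
    pw=$(ldap_conf_val "$f" pam_password)
    case "$pw" in
        ""|exop) ;;
        *) warn "pam_password $pw: prefer exop so the server hashes passwords" ;;
    esac

    return $rc
}

# Usage:  sh audit-ldap-conf.sh /etc/ldap/ldap.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf
if [ "$#" -ge 1 ]; then
    status=0
    for f in "$@"; do audit_ldap_client_conf "$f" || status=1; done
    exit $status
fi
```

Run it on every client after copying the configs over; a nonzero exit means at least one file would accept an unverified or unencrypted connection, which is precisely the failure that otherwise only shows up when someone notices the traffic on the wire.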
/etc/pam.d/common-auth, /etc/pam.d/common-account and /etc/pam.d/common-password
Each follows the same two-line pattern: try pam_ldap first, fall back to the local pam_unix. The module type in the first column must match the file (auth, account or password), otherwise the line is never consulted for that stack. common-auth:
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass
common-account:
account sufficient pam_ldap.so
account required pam_unix.so
common-password:
password sufficient pam_ldap.so
password required pam_unix.so try_first_pass
Because pam_unix stays required rather than being removed, local accounts (root included) keep working when the LDAP server is unreachable.
/etc/pam.d/sudo
auth required pam_ldap.so
As written this makes sudo authenticate against LDAP only, with no fallback to /etc/shadow, so a dead LDAP server means no sudo for anyone. Using @include common-auth here instead (Debian's convention) gives the same LDAP-first behaviour with pam_unix as the fallback.
/etc/pam.d/*
If you look in /etc/pam.d/ you will notice that other services that need authentication have files there. Services such as xlock need to be configured. To make them play nice with LDAP you simply need to comment out what is currently in there; with no modules of its own, a service falls back to /etc/pam.d/other, which on Debian includes the common-* files. If you prefer the intent to be explicit, replace the contents with @include common-auth, @include common-account and @include common-password instead, which reaches the same stack without relying on the fallback.
/etc/autofs
/etc/default/autofs
# Timeout value in seconds (default: 300)
TIMEOUT=300
# The LDAP URI for auto.master
# (e.g. LDAPURI="ldap://ldap.example.com")
LDAPURI="ldaps://yourhost.com"
# The LDAP base for auto.master
# (e.g. LDAPBASE="ou=auto.master,ou=Automount,dc=example,dc=com")
LDAPBASE="ou=Automount,dc=yourhost,dc=com"
The autofs LDAP lookup goes through libldap, so the TLS_CACERT and TLS_REQCERT settings in /etc/ldap/ldap.conf apply to it as well; the automount entries under ou=Automount must be readable by whatever bind autofs uses (anonymous here, since no credentials are configured).