h1. Ldap for organization
h3. Preface
OpenLdap is a nice solution for user authentication needs. There is some nice documentation at [http://www.openldap.org/] and [http://sapiens.wustl.edu/~sysmain/info/openldap/].

This is documentation of my struggle to get everything working correctly. In stable, openldap was broken out of the box. I decided I wanted a newer version, so I grabbed the backport. Let's start there.

Assumptions: You are familiar with Debian, and understand the file structure. You know when root is needed.

h3. Getting the backport
Your friendly Open Source Lab has a backport mirror, [http://backports.osuosl.org/]

Add this to your sources list
{code}
deb http://backports.osuosl.org/debian/ woody openldap2
{code}

then
{code}
apt-get update
apt-get install slapd
{code}

You now have an unconfigured, unpopulated ldap server.

h1. Configuring slapd
One goal of our ldap server was to have an SSL connection. This part gave me a lot of trouble. After a few days of troubleshooting, I discovered it was a syntax error that died silently. I would like to blame it on the documentation I was copying and pasting from, but I should have paid closer attention to what was going on. On that note, here is some documentation to copy and paste from (you might want to double check it).

h3. Basic config
Check out [http://sapiens.wustl.edu/~sysmain/info/openldap/openldap_configure.html]. The documentation there is really well done. I am going to leave you to do that and focus more on detailing my OpenSSL trouble.
h5. Set up your base
This was the part I had missed in my reading of the documentation.
base.ldif
{code}
dn: dc=yourhost,dc=com
dc: yourhost
objectClass: top
objectClass: domain
{code}
h3. SSL/TLS config
*Assuming* you got a basic config from [http://sapiens.wustl.edu/~sysmain/info/openldap/openldap_configure.html] working, it is time to get the SSL certs working.

This time I found documents at [http://www.openldap.org/faq/data/cache/185.html], then modified them.

h5. Make new localCA and sign the certs

This signs your server cert with a homebrew CA.

Note: the original documents are at [http://www.openldap.org/faq/data/cache/185.html]; the commands below are Debian specific.

Create the CA
{code}
cd /usr/lib/ssl/misc
CA.sh -newca
{code}

Create the Server Key
Remember that the +Common Name for this cert should be the fully qualified domain name of the server+. The {{-nodes}} option leaves the key unencrypted, which slapd needs in order to start without a passphrase prompt; the key and the request are written into the same file, and {{CA.sh -sign}} reads the request from newreq.pem:
{code}
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
{code}

Sign the new server cert
{code}
CA.sh -sign
{code}

Move the certs to a secure location (this can be anywhere)
{code}
mv demoCA /etc/myCA
cp cacert.pem /etc/myCA/cacert.pem
mv newcert.pem /etc/myCA/servercrt.pem
mv newreq.pem /etc/myCA/serverkey.pem
chmod 600 /etc/myCA/serverkey.pem
{code}

h5. Let OpenLdap know about the new certs
Update your /etc/ldap/*slapd.conf* with the following
{code}
TLSCACertificateFile /etc/myCA/cacert.pem
TLSCertificateFile /etc/myCA/servercrt.pem
TLSCertificateKeyFile /etc/myCA/serverkey.pem
{code}

Update your /etc/ldap/*ldap.conf* with the following
{code}
BASE dc=yourhost,dc=com
URI ldaps://fully-qualified-domain-name-of-the-server/

TLS_CACERT /etc/myCA/cacert.pem
TLS_REQCERT demand
{code}

*NOTE*: ldap.conf is a client side configuration. However, the server itself sometimes acts as a client, so it is important to have it on both. Along with the ldap.conf, you will have to copy the cacert.pem to all the clients that you are configuring.
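The author's silently failing syntax error is worth guarding against with a small check before restarting slapd. The script below is an added example, not code from the page or from OpenLDAP: it reads slapd.conf and ldap.conf style text, flags any directive that starts with TLS but is not one libldap/slapd actually recognises (a typo in a directive name is not the directive you meant), reports a missing TLS file trio, a world-readable key file, a plain ldap:// URI, a missing TLS_CACERT, and a TLS_REQCERT weaker than demand. The file layout in demo_key_permissions() is rebuilt in a temporary directory with placeholder files, not real keys.

```python
"""Added check for the slapd.conf / ldap.conf TLS settings shown above.

Constructed example, not part of the original page or of OpenLDAP. It flags
a mistyped TLS directive and settings that quietly weaken certificate checking.
"""
import os
import stat
import tempfile

# TLS directives the slapd.conf parser recognises (matched case-insensitively).
SLAPD_TLS = {
    "tlsciphersuite", "tlscacertificatefile", "tlscacertificatepath",
    "tlscertificatefile", "tlscertificatekeyfile", "tlsrandfile",
    "tlsverifyclient", "tlsdhparamfile", "tlscrlcheck", "tlscrlfile",
    "tlsprotocolmin", "tlsecname",
}
# TLS options the client-side ldap.conf parser recognises.
LDAP_CONF_TLS = {
    "tls_cacert", "tls_cacertdir", "tls_cert", "tls_key", "tls_cipher_suite",
    "tls_randfile", "tls_reqcert", "tls_crlcheck", "tls_reqsan", "tls_protocol_min",
}
REQUIRED_SLAPD = ("tlscacertificatefile", "tlscertificatefile", "tlscertificatekeyfile")


def parse_directives(text):
    """Yield (keyword, value) pairs; blank lines and # comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def check_slapd_conf(text, check_files=False):
    """Return a list of findings for the TLS part of a slapd.conf."""
    findings, seen = [], {}
    for key, value in parse_directives(text):
        lk = key.lower()
        if lk.startswith("tls") and lk not in SLAPD_TLS:
            findings.append(f"'{key}' is not a TLS directive slapd knows about (typo?)")
            continue
        seen[lk] = value
    for needed in REQUIRED_SLAPD:
        if needed not in seen:
            findings.append(f"missing {needed}; slapd cannot serve ldaps:// without it")
    if check_files:
        for lk in REQUIRED_SLAPD:
            path = seen.get(lk)
            if path and not os.path.isfile(path):
                findings.append(f"{lk} points at a missing file: {path}")
        key_path = seen.get("tlscertificatekeyfile")
        if key_path and os.path.isfile(key_path):
            mode = stat.S_IMODE(os.stat(key_path).st_mode)
            if mode & 0o077:
                findings.append(f"private key {key_path} is group/world readable (mode {mode:04o})")
    return findings


def check_ldap_conf(text):
    """Return findings for a client ldap.conf style file."""
    findings, seen = [], {}
    for key, value in parse_directives(text):
        lk = key.lower()
        if lk.startswith("tls") and lk not in LDAP_CONF_TLS:
            findings.append(f"'{key}' is not a TLS option libldap knows about (typo?)")
            continue
        seen[lk] = value
    if seen.get("uri", "").lower().startswith("ldap://"):
        findings.append("URI is plain ldap://; traffic is cleartext unless STARTTLS is used")
    reqcert = seen.get("tls_reqcert", "demand").lower()   # libldap's default is demand
    if reqcert in ("never", "allow", "try"):
        findings.append(f"TLS_REQCERT {reqcert} accepts a bad or missing server certificate")
    if "tls_cacert" not in seen and "tls_cacertdir" not in seen:
        findings.append("no TLS_CACERT/TLS_CACERTDIR; the server certificate cannot be verified")
    return findings


def demo_key_permissions():
    """Rebuild the /etc/myCA layout in a temp dir with placeholder files (no real
    keys) and show the finding that the page's 'chmod 600' step removes.
    Returns (findings_before_chmod, findings_after_chmod)."""
    with tempfile.TemporaryDirectory() as ca_dir:
        paths = {}
        for name in ("cacert.pem", "servercrt.pem", "serverkey.pem"):
            paths[name] = os.path.join(ca_dir, name)
            with open(paths[name], "w") as fh:
                fh.write("-----BEGIN PLACEHOLDER-----\n")   # constructed, not a key
            os.chmod(paths[name], 0o644)
        conf = (f"TLSCACertificateFile {paths['cacert.pem']}\n"
                f"TLSCertificateFile {paths['servercrt.pem']}\n"
                f"TLSCertificateKeyFile {paths['serverkey.pem']}\n")
        before = check_slapd_conf(conf, check_files=True)
        os.chmod(paths["serverkey.pem"], 0o600)            # the chmod from the page
        after = check_slapd_conf(conf, check_files=True)
    return before, after


if __name__ == "__main__":
    for f in check_slapd_conf("TLSCertifcateFile /etc/myCA/servercrt.pem\n"):
        print("slapd.conf:", f)
    for f in check_ldap_conf("URI ldap://ldap.yourhost.com/\nTLS_REQCERT never\n"):
        print("ldap.conf:", f)
    before, after = demo_key_permissions()
    print("before chmod 600:", before, "\nafter chmod 600:", after)
```

Run it against the real files with check_files=True on the server before starting slapd; an empty list for both files means the three TLS directives are spelled as slapd expects, the files are where the config says, and the key is not readable by other local users.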

h5. Startup slapd!
The quotes are important.
{code}
slapd -h "ldaps:///"
{code}
This starts slapd listening for ldaps on the default port, 636.

h5. Check that slapd is running
{code}
ps aux | grep slapd

output (or something similar):
root 13555 0.0 0.7 16536 8236 ? S 21:39 0:00 slapd -h ldaps:///
root 13556 0.0 0.7 16536 8236 ? S 21:39 0:00 slapd -h ldaps:///
root 13557 0.1 0.7 16536 8236 ? S 21:39 0:07 slapd -h ldaps:///
root 13569 0.0 0.7 16536 8236 ? S 21:40 0:01 slapd -h ldaps:///
{code}
{code}
netstat -ln |grep 636

output:
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
{code}

h5. Test an ssl connection
If you have everything set up in the config files,
{code}
ldapsearch -x
{code}
will dump everything in the directory.

h1. Client-side Configuration

h3. It's all about the clients

This is a setup for ldap authentication, autofs, and various other tools. It is incomplete, but this is the gist of my configs.

h5. Get required libraries
{code}
apt-get install libnss-ldap libpam-ldap autofs-ldap
{code}
h3. Change your configs!

h5. /etc/ldap.conf
Here are the things we are changing:
* location of ldap server
* location of CA certificate
{code}
BASE dc=yourhost,dc=com
URI ldaps://ldap.yourhost.com

TLS_CACERT /etc/ldap/ssl/cacert.pem
TLS_REQCERT demand
{code}

Then put cacert.pem into /etc/ldap/ssl/ (attached)

h5. /etc/nsswitch.conf
Your file should look like:
{code}
passwd: files ldap
group: files ldap
shadow: files ldap

hosts: files dns ldap
networks: files ldap

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
{code}

h5. /etc/libnss-ldap.conf
{code}
base dc=yourhost,dc=com

uri ldaps://ldap.yourhost.com/

ldap_version 3
{code}

h5. /etc/pam_ldap.conf
This is very similar to libnss-ldap.conf
{code}
base dc=yourhost,dc=com

uri ldaps://ldap.yourhost.com/

ldap_version 3

pam_password md5
{code}

h5. /etc/pam.d/common-auth && /etc/pam.d/common-password && /etc/pam.d/common-account
These will look identical after they are modified, except that the first column (the module type) is auth, password or account to match the file. For common-account:
{code}
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass
{code}

h5. /etc/pam.d/sudo
{code}
auth required pam_ldap.so
{code}
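The order of the two lines in the common-* files matters, and so does the control flag on each. The following is an added example, not code from the page or from Linux-PAM: it models the classic control flags (required, requisite, sufficient, optional) the way libpam's dispatcher treats them, parses the common-account stack and the sudo stack from above, and runs three constructed users through them (one known only to LDAP, one only to /etc/passwd, one to neither). A reversed stack, with pam_unix required first, is included for contrast; the user scenarios and their module results are constructed for the demonstration.

```python
"""Added model of how Linux-PAM walks the common-* and sudo stacks above.

Constructed example, not from the page or from Linux-PAM itself.
"""

# What each classic control flag does with a module's result: the action taken
# on PAM_SUCCESS and the action taken on any failure (libpam's "impression" model).
ACTIONS = {
    "required":   {True: "ok",   False: "bad"},     # failure remembered, stack continues
    "requisite":  {True: "ok",   False: "die"},     # failure ends the stack at once
    "sufficient": {True: "done", False: "ignore"},  # success ends the stack if nothing failed yet
    "optional":   {True: "ok",   False: "ignore"},  # failure never counts against the user
}


def parse_pam_lines(text):
    """Parse 'type control module [args...]' lines from an /etc/pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module = fields[0].lower(), fields[1].lower(), fields[2]
        if control not in ACTIONS:
            raise ValueError(f"control flag {control!r} is not modelled here")
        stack.append((mtype, control, module, fields[3:]))
    return stack


def run_stack(stack, mtype, results):
    """Evaluate one management group (auth/account/password/session).

    results maps module name -> True for PAM_SUCCESS, False for failure;
    a module with no entry is treated as failing. Returns 'success' or 'failure'.
    """
    impression = None            # None = undecided, True = positive, False = negative
    for group, control, module, _args in stack:
        if group != mtype:
            continue
        action = ACTIONS[control][bool(results.get(module, False))]
        if action == "ok" and impression is None:
            impression = True
        elif action == "bad":
            impression = False
        elif action == "die":
            impression = False
            break
        elif action == "done":
            if impression is None:
                impression = True
            if impression:           # short-circuit only if no required module has failed
                break
        # "ignore": the result has no effect on the outcome
    return "success" if impression else "failure"   # an empty or undecided stack denies


# The page's common-account stack (common-auth / common-password use the same two
# lines with the auth / password type) and a reversed variant for contrast.
PAGE_STACK = """
account sufficient pam_ldap.so
account required   pam_unix.so try_first_pass
"""
REVERSED_STACK = """
account required   pam_unix.so try_first_pass
account sufficient pam_ldap.so
"""
SUDO_STACK = "auth required pam_ldap.so\n"

# Constructed user scenarios: which module would succeed for each kind of user.
USERS = {
    "ldap-only user":  {"pam_ldap.so": True,  "pam_unix.so": False},
    "local-only user": {"pam_ldap.so": False, "pam_unix.so": True},
    "unknown user":    {"pam_ldap.so": False, "pam_unix.so": False},
}


def compare_orderings():
    """Run every user through both orderings; returns {ordering: {user: result}}."""
    return {
        name: {user: run_stack(parse_pam_lines(text), "account", res)
               for user, res in USERS.items()}
        for name, text in (("page", PAGE_STACK), ("reversed", REVERSED_STACK))
    }


if __name__ == "__main__":
    for ordering, outcome in compare_orderings().items():
        print(ordering, outcome)
    print("sudo, ldap-only user:",
          run_stack(parse_pam_lines(SUDO_STACK), "auth", USERS["ldap-only user"]))
```

With the page's ordering an LDAP-only user passes (pam_ldap is sufficient, so pam_unix is never consulted) and a local-only user still passes through pam_unix; in the reversed stack the LDAP-only user is refused, because the required pam_unix failure is remembered and a later sufficient success cannot override it. The sudo file, with only a required pam_ldap line, admits nobody who is not in LDAP.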

h5. /etc/pam.d/*
If you look in /etc/pam.d/ you will notice that other services that need authentication have files there. Services such as *xlock* need to be configured. To make them play nice with ldap you simply need to comment out what is currently in there. This way they will look at the common-* files for authentication.

h5. /etc/autofs
{code}
ldap:auto.master
{code}

h5. /etc/default/autofs
{code}
# Timeout value in seconds (default: 300)
TIMEOUT=300

# The LDAP URI for auto.master
# (e. g. LDAPURI="ldap://ldapserver.example.com/")
LDAPURI=ldaps://ldap.yourhost.com/

# The LDAP base for auto.master
# (e. g. LDAPBASE="ou=auto.master,ou=Automount,dc=example,dc=com")
LDAPBASE="ou=Automount,dc=yourhost,dc=com"
{code}