OpenLDAP + Replica + StartTLS encryption on Fedora in 10 minutes
I wouldn’t do it this way for a production network, but i’ve set up similar configurations for testing in vmware, in a research environment, and in a production environment. So instead of a step by step, here’s a quick run through… It should clear up some of the missing pieces when you try to go from a basic ldap server to multiple servers with startTLS encryption.
If you haven’t done this before, you might want to break it into pieces like getting just the primary LDAP server up with no encryption first. But you can find those how-to’s anywhere. Go big or go home right?
On the Server, become root and install OpenLDAP packages.
The machine you designate as the ’server’ will need “openldap-servers” and “openldap-clients” because you’ll want the server to be a client of itself. You’ll also need “nss_ldap” which, from yum info, allows LDAP to be used as a primary source of aliases, ethers, groups, hosts, networks, protocol, users, RPCs, services, and shadow passwords, and contains PAM support for password changes, V2 clients, Netscape’s SSL, ypldapd, Netscape Directory Server password policies, access authorization, and crypted hashes.
$ sudo su -
# yum install openldap-server openldap-clients nss_ldap
Generate a master password using slappasswd, copy and paste this password into slapd.conf
# /usr/sbin/slappasswd
New password:
Re-enter new password:
{SSHA}kc20D+e1Q25OXi39YnfVvj8zSrSto3TT
My LDAP primary server’s hostname is “server1″. I’ll also set up a replica server named “server2″. My network’s domain is “mydomain.com”. So your /etc/openldap/slapd.conf. I’m going to setup both servers and the encryption all at the same time. If you run into issues after all this, you might not know which part you’ve messed up at, but starting ldap using lots of logging will let us figure out where it’s hung up. This should all come out fine and work like a charm, so just go for it. But if you really don’t like that approach, feel free to skip the encyption and/or replica server parts (comment them out and delete the “tls_ssf=256″ parts iin slapd.conf) and come back to them later. Only the last section stating with comment “Replica” will be different on your replica server2. They’ll point to your primary server, server1, of course!
The finished version of /etc/openldap/slapd.conf should look like this:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.argsTLSRandFile /dev/random
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCACertificateFile /etc/openldap/cacerts/slapd1.pem
TLSCertificateFile /etc/openldap/cacerts/slapd1.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapd1.pemaccess to attrs=shadowLastChange,userPassword,shadowMax,shadowWarning
by tls_ssf=256 ssf=256 self write
by tls_ssf=256 ssf=256 anonymous auth
by * none
access to *
by tls_ssf=256 ssf=256 users read
by tls_ssf=256 ssf=256 self write
by tls_ssf=256 ssf=256 * read
by * nonedatabase bdb
suffix “dc=mydomain.com”
rootdn “cn=Manager,dc=mydomain.com”
rootpw {SSHA}kc20D+e1Q25OXi39YnfVvj8zSrSto3TT
directory /var/lib/ldaptimeout 30
cachesize 2500
checkpoint 256 30
searchstack 8# Indices to maintain
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub# Replicas
replica uri=ldap://server2.mydomain.com:389
bindmethod=simple
binddn=”cn=Manager,dc=mydomain.com”
credentials=PlainTextPassword
replogfile /var/lib/ldap/master-replog
The replica’s slapd.conf will include this part instead of the last section:
updatedn "uid=Manager,dc=mydomiain.com" updateref ldaps://server1.mydomain.com
Create a self signed certificate on server1 and do it again on server2.
Put both pem files on both servers and on all clients. Clients need the public part so they can talk to either server in case one goes kaboom! and a replica server has to take over for awhile. Make sure you use the server’s hostname for “Common Name” when you’re creating them. You can fill in the rest with whatever junk you want.
# cd /etc/openldap/cacerts/
# openssl req -newkey rsa:2048 -x509 -nodes \
-out server.pem -keyout server.pem -days 3650
You’ll get a server.pem file with the private key and certificate together. The clients only need the certificate part in their /etc/openldap/cacerts/ directory in order to communicate with the servers. If you want to save time and it’s just for demo installation, you can just leave the keys in there and copy the files to everyone. NO I DO NOT RECOMMEND THIS FOR ANY TYPE OF PRODUCTION ENVIRONMENT! I’m just saying that if you want to save time and you’re just testing this stuff out in virtual machines or a private network, then it will work!
Import the local accounts into the LDAP database.
It’s easiest if you just create all the local accounts you want to start with, using whatever method you normally use to make them. I use useradd from the commandline.
# useradd -u 1234 -g 1234 -G wheel zerocool
Run the migration script to fill the ldap database with your accounts.
# /usr/share/openldap/migration/migrate_all_offline.sh
Creating naming context entries…
Migrating groups…
Migrating hosts…
…
Don’t panic! They’re not actually migrating, they’re replicating. Your local accounts will still be there and they’ll actually be looked at first on any machine because you’ll put “ldap” at the end of any lines in /etc/nsswitch.conf. This means ldap will be considered after everything lese defined. Think of it like how /etc/hosts supercedes DNS lookups.
Make sure the ldap user (automatically created by your openldap package installation) owns the files in your database directory and the certificates.
# chown -R ldap:ldap /var/lib/ldap
# chown ldap:ldap /etc/openldap/cacerts/*.pem
Edit /etc/sysconfig/ldap
You want to make it start LDAP and LDAPS so it will listen on ports 389 and 689. It’s probably not necessary, but maybe you’ll run into a legacy application that uses encryption but doesn’t like StartTLS.
# cat /etc/sysconfig/ldap
…
# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to ‘yes’!
#
# Run slapd with -h “… ldap:/// …”
# yes/no, default: yes
SLAPD_LDAP=yes# Run slapd with -h “… ldapi:/// …”
# yes/no, default: no
SLAPD_LDAPI=no# Run slapd with -h “… ldaps:/// …”
# yes/no, default: no
SLAPD_LDAPS=yes
Copy DB_CONFIG.example to the database directory.
If you don’t have this file or something like it, renamed to “DB_CONFIG” in there, you will see warnings when you try to start the ldap service. So just copy and forget about it.
# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/
At this point, the server side of things is done, however, you won’t be able to verify this until you set up the server as a client. So continue on with server1. Edit /etc/ldap.conf and tell it the server, where in the tree to start searching from, and where to get encryption info from. Or you can just run /usr/bin/authconfig-tui which is provided by package “authconfig”. This will prompt you for all the fields necessary to configure the machine for ldap. I use “localhost” for the server, but the actual dns name or ip address for the server for the clients.
Configure /etc/ldap.conf on the clients (and the server so it can be a client of itself)
# cat /etc/ldap.conf
base dc=mydomain.com
uri ldap://localhost
timelimit 3
bind_timelimit 3
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,tomcat,radiusd,news,mailman,nscd
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/slapd.pem
tls_randfile /dev/random
tls_cacertdir /etc/openldap/cacerts
pam_password md5
Configure the OS to actually acknowledge LDAP’s existence
Add “ldap” to the passwd, shadow, and group lines in /etc/nsswitch.conf and edit PAM settings. If you used authconfig-tui, this will get added automagically for you. When you’re done nsswitch should include this:
# grep ldap /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
Start the ldap service on the primary and replica servers. You should see the primary server start both slapd and slurpd while the replica just starts slapd. That’s it.
Recent Comments