This implementation is for Ubuntu 8.10. Additional information can be found in these links:
LDAP stands for Lightweight Directory Access Protocol, a simplified version of the X.500 protocol. LDAP is a way to make certain kinds of information available across a network. In this example the information is user logins: their passwords, user IDs, and various details.
If you NFS-export /home from a large, protected machine to the local network, and then use LDAP on that machine to decide who may log in, every machine on the local net becomes equivalent. It is as if every user had an account on all machines, and all their data is always there.
First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:
bash$ sudo apt-get install slapd ldap-utils
The installation process will prompt you for the LDAP directory admin password and confirmation.
By default the directory suffix will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldapserver.example.com, the default suffix will be dc=example,dc=com. If you require a different suffix, the directory can be reconfigured using dpkg-reconfigure. Enter the following in a terminal prompt:
bash$ sudo dpkg-reconfigure slapd
Adding further schemas to slapd requires the schema to be converted to LDIF format. Fortunately, the slaptest tool shipped with slapd can automate the conversion. The following example adds misc.schema.
First, create a conversion file schema_convert.conf containing the following lines:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
Next, create a temporary directory to hold the output:
bash$ mkdir /tmp/ldif_output
Now using slaptest convert the schema files to LDIF:
bash$ slaptest -f schema_convert.conf -F /tmp/ldif_output
Adjust the configuration file name and temporary directory names if yours are different. Also, it may be worthwhile to keep the ldif_output directory around in case you want to add additional schemas in the future.
Edit the /tmp/ldif_output/cn=config/cn=schema/cn={8}misc.ldif file so that the following attributes read:
dn: cn=misc,cn=schema,cn=config
...
cn: misc
Then remove the following lines from the bottom of the file:
structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z
Finally, using the ldapadd utility, add the new schema to the directory:
bash$ ldapadd -x -D cn=admin,cn=config -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{8\}misc.ldif -W
There should now be a dn: cn={4}misc,cn=schema,cn=config entry in the cn=config tree.
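The manual edits in the steps above (drop the {N} index from dn and cn, make the dn absolute, strip the operational attributes slapd maintains itself) are easy to get wrong by hand. The following is an added example, not part of the original guide: a function that applies those edits to any slaptest-generated schema LDIF, a driver that converts a named schema using the schema_convert.conf and /tmp/ldif_output from the text, and a constructed sample LDIF (placeholder operational values) to exercise the fixup offline.

```shell
# Added example (not from the original guide). Converts the hand edits of the
# schema LDIF into a reusable function; sample_ldif is a constructed stand-in
# for cn={8}misc.ldif with placeholder operational attribute values.
# Rewrite a slaptest-generated schema LDIF so ldapadd accepts it:
#  - dn: cn={N}<name>  ->  dn: cn=<name>,cn=schema,cn=config
#  - cn: {N}<name>     ->  cn: <name>
#  - operational attributes that slapd maintains itself are dropped
fixup_schema_ldif() {
    name="$1"
    sed -e "s/^dn: cn=[{][0-9]*[}]$name\$/dn: cn=$name,cn=schema,cn=config/" \
        -e "s/^cn: [{][0-9]*[}]$name\$/cn: $name/" \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}
# Convert one schema (e.g. misc) with the config file and output directory
# used in the text, and print the path of the LDIF that is ready for ldapadd.
convert_schema() {
    name="$1"
    out=/tmp/ldif_output
    mkdir -p "$out"
    slaptest -f schema_convert.conf -F "$out" >/dev/null || return 1
    src=$(ls "$out"/cn=config/cn=schema/cn=*"$name".ldif) || return 1
    fixup_schema_ldif "$name" <"$src" >"$out/$name.ldif"
    echo "$out/$name.ldif"
}
# Constructed sample of what slaptest writes for misc.schema (values are placeholders).
sample_ldif() {
    cat <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
dn: cn={8}misc
objectClass: olcSchemaConfig
cn: {8}misc
olcAttributeTypes: {0}( 2.16.840.1.113730.3.1.13 NAME 'mailLocalAddress' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z
EOF
}
```

On the server, the whole procedure then becomes: ldapadd -x -D cn=admin,cn=config -W -f "$(convert_schema misc)".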
When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL).
The first step in the process is to obtain or create a certificate. See the OpenSSL documentation for details. Once you have a certificate, key, and CA cert installed, use ldapmodify to add the new configuration options:
bash$ ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/solncert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/SERVER_FQDN.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/SERVER_FQDN.key
modifying entry "cn=config"
Now the openldap user needs access to the certificate:
bash$ sudo adduser openldap ssl-cert
bash$ sudo chgrp ssl-cert /etc/ssl/private/SERVER_FQDN.key
Note: if /etc/ssl/private and /etc/ssl/private/SERVER_FQDN.key have different permissions on your system, adjust the commands accordingly.
Edit the following line in /etc/default/slapd:
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps://SERVER_FQDN/"
Finally, restart slapd:
bash$ sudo /etc/init.d/slapd restart
The slapd daemon should now be listening for LDAPS connections and be able to use STARTTLS during authentication.
There are two ways to add a user:
From the web interface at http://LDAPSERVER/phpldapadmin/, by copying the existing user "example" and modifying the copy.
Log on to the LDAPSERVER and run this command:
bash$ sudo /etc/ldap/adduser.sh
Once you have a working LDAP server, the auth-client-config and libnss-ldap packages take the pain out of configuring an Ubuntu client to authenticate using LDAP. To install the packages, from a terminal prompt enter:
bash$ sudo aptitude install libnss-ldap
During the install a menu dialog will ask you connection details about your LDAP server.
If you make a mistake when entering your information you can execute the dialog again using:
bash$ sudo dpkg-reconfigure ldap-auth-config
The results of the dialog can be seen in /etc/ldap.conf. If your server requires options not covered in the menu, edit this file accordingly.
Copy the file from $SCRIPTS_HOME/configs/openldap/soln-config to /etc/auth-client-config/profile.d/. Then enable the auth-client-config LDAP profile by entering:
bash$ sudo auth-client-config -a -p soln_ldap
-a: applies the specified profile.
-p: name of the profile to enable, disable, etc.
soln_ldap: the auth-client-config profile used by Smart Online.
Copy solncert.crt from $SCRIPTS_HOME/configs/openldap/ssl to /usr/share/ca-certificates and add a solncert.crt entry to /etc/ca-certificates.conf. Then update the system CA store:
bash$ sudo update-ca-certificates
Edit /etc/ldap/ldap.conf:
BASE dc=example,dc=com
URI ldaps://SERVER_FQDN
TLS_REQCERT allow
You should now be able to log in using credentials stored in the LDAP directory.
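Before rolling this client configuration out it is worth checking what the TLS settings above actually enforce: with TLS_REQCERT allow the client accepts a server certificate it cannot validate, so the CA installed with update-ca-certificates is never consulted. The following is an added example, not part of the original guide: audit_ldap_conf reads an ldap.conf on stdin and reports such settings, and probe_ldap_tls is a live check against a host you name, assuming the CA ended up in the system bundle at /etc/ssl/certs/ca-certificates.crt.

```shell
# Added example, not part of the original guide. audit_ldap_conf reads an
# ldap.conf on stdin and reports settings that leave the server certificate
# unverified; probe_ldap_tls is a live check to run once the server is up.
# Print one finding per line; return 1 if anything needs attention.
audit_ldap_conf() {
    conf=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d')
    status=0
    # Plain ldap:// carries the bind password in the clear unless the
    # application itself issues STARTTLS; the server above offers ldaps://.
    if printf '%s\n' "$conf" | grep -qi '^URI[[:space:]]*ldap://'; then
        echo "URI uses ldap://; use the ldaps:// listener configured on the server"
        status=1
    fi
    # allow/never/try accept a server certificate that cannot be validated,
    # so the CA set up earlier is never actually checked against.
    if printf '%s\n' "$conf" | grep -qiE '^TLS_REQCERT[[:space:]]+(allow|never|try)'; then
        echo "TLS_REQCERT is not demand; the server certificate is not enforced"
        status=1
    fi
    # demand only helps if the signing CA is trusted by the client.
    if ! printf '%s\n' "$conf" | grep -qi '^TLS_CACERT'; then
        echo "no TLS_CACERT/TLS_CACERTDIR; point it at the CA installed with update-ca-certificates"
        status=1
    fi
    return $status
}
# Live check (not run here): both ldaps:// and ldap:// with STARTTLS (-ZZ)
# must succeed while the certificate is demanded. Assumes the CA was added to
# the system bundle at /etc/ssl/certs/ca-certificates.crt as described above.
probe_ldap_tls() {
    host="$1"
    export LDAPTLS_REQCERT=demand LDAPTLS_CACERT=/etc/ssl/certs/ca-certificates.crt
    ldapsearch -x -H "ldaps://$host" -b '' -s base namingContexts &&
    ldapsearch -x -H "ldap://$host" -ZZ -b '' -s base namingContexts
}
```

Run the audit with: audit_ldap_conf </etc/ldap/ldap.conf; the ldap.conf given in the text produces two findings (TLS_REQCERT and the missing CA path).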
The configuration options for the hdb backend database, which in this case contains the dc=example,dc=com suffix, can be listed with:
bash$ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
To show only the indexed attributes:
bash$ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb olcDbIndex