lpic210 - slapd
labs/lpic2/lpic210
Overview [LAB LPIC2 210]
In this lab we are going to set up an Active Directory Domain Controller (ADC) using samba4, plus a slapd instance that we will configure as a proxy to the ADC.
Starting the Lab Environment: ctlabs.rb
Subnets:
natgw: 192.168.15.0/24
sw1 : 192.168.10.0/24
sw2 : 192.168.20.0/24
sw3 : 192.168.30.0/24
Post-Provisioning with ansible
With ansible we can provision all the nodes, or we could just provision a part of them, so that we can focus on whatever we want to work on, e.g.
tls-configuration
os-specific node configuration
authentication
...
Flexible Post-Provisioning using tags:
setup - create local facts
ca - role ctlabs_ca
bind - role ctlabs_bind
smbadc - role ctlabs_smbadc
slapd - role ctlabs_slapd
sh$ ./ctlabs.rb -c ../labs/lpic2/lpic210.yml -p'ansible-playbook -i ./inventories/lpic210.ini ./playbooks/lpic2.yml -Dt setup,ca,bind,smbadc,slapd -lns1,h1,slapd1,dc1'
sh$ ./ctlabs.rb -p'ansible-playbook -i ./inventories/lpic210.ini ./playbooks/lpic2.yml -Dt setup,ca,bind'
Post-provision half of the environment, e.g. all centos nodes, so we can focus on the debian nodes.
Post-provision is limited to:
setup local facts
create certificates for each node
setup name servers
Debian Node - Manual Post-Provision
Packages:
slapd
ldap-utils
Redhat Node - Manual Post-Provision
Packages:
openldap-servers
openldap-clients
/etc/ldap/slapd.conf
The following configuration creates a proxy to the backend servers dc1.ctlab.internal and dc2.ctlab.internal. We use a dedicated user to connect to the backend servers; its credentials are configured in the idassert-bind section. By setting idassert-authzFrom to "*" we effectively enable anonymous access to the backend servers via the proxy, i.e. everyone able to connect to the slapd server can reach the backend servers through the proxy with the rights of that dedicated user.
We also configure the config backend database, which enables us to use olc-style configuration via LDIF. Be aware that all changes made via the config backend are in-memory only while slapd.conf is in use, i.e. slapd.conf will be read again on the next restart of slapd and the changes are lost.
Global Configuration
cn=config
Schemas:
cn=schema
Modules:
cn=module{0}
Databases:
olcDatabase={0}config
olcDatabase={1}ldap
olcDatabase={2}monitor
Overlays:
olcOverlay={0}rwm
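The slapd.conf that the outline above describes, written out as an added example (this is not the lab's own file). The suffix dc=ctlab,dc=internal, the proxy account cn=ldapproxy, the CHANGEME password and the uid to sAMAccountName mapping are assumptions; the config-database ACL is the one discussed in the Access Control section.

```shell
#!/bin/sh
# Constructed example: write a slapd.conf that proxies the Samba AD DCs.
# Assumptions (not from the lab page): suffix dc=ctlab,dc=internal, proxy
# account cn=ldapproxy, the CHANGEME password and the uid->sAMAccountName map.
write_slapd_conf() {
  conf="${1:-/etc/ldap/slapd.conf}"
  cat > "$conf" <<'EOF'
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        stats
modulepath      /usr/lib/ldap
moduleload      back_ldap
moduleload      rwm
TLSCACertificateFile    /etc/ldap/certs/ca.crt
TLSCertificateFile      /etc/ldap/certs/slapd.crt
TLSCertificateKeyFile   /etc/ldap/certs/slapd.key

# cn=config: only local root (via the peercred mapping) may manage it
database        config
access to *
    by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
    by * none

# back-ldap proxy to the domain controllers (dc2 is used on failover)
database        ldap
suffix          "dc=ctlab,dc=internal"
uri             "ldaps://dc1.ctlab.internal ldaps://dc2.ctlab.internal"
chase-referrals no
# the dedicated proxy account; with mode=none every client reaches AD
# with this account's rights, no client identity is asserted
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=ctlab,dc=internal"
                credentials="CHANGEME"
                mode=none
# "*" lets any local identity, including anonymous, use the assertion
idassert-authzFrom "*"
overlay         rwm
rwm-map         attribute uid sAMAccountName

database        monitor
EOF
}
# write_slapd_conf && slaptest -u -f /etc/ldap/slapd.conf   # -u: syntax check
```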
Converting slapd.conf to Online Configuration - slapd.d/
If the directory /etc/ldap/slapd.d already exists, we need to make sure the slapd process isn't running before we replace it.
Debian: /etc/ldap/
Redhat: /etc/openldap/
To convert from slapd.conf to slapd.d/ we use the command slaptest.
We also have to make sure that the slapd.d/ directory is owned by the user the slapd process runs as, which is often openldap:openldap.
Debian:
user : openldap
group : openldap
Redhat:
user : ldap
group : ldap
Below is an outline of the directory structure within slapd.d/, grouped by the section of the traditional slapd.conf that each ldif-file corresponds to.
Global Configuration:
cn=config.ldif
Schema Configuration:
cn=config/cn=schema.ldif
Modules Configuration:
cn=config/cn=module{0}.ldif
Databases Configuration:
cn=config/olcDatabase={-1}frontend.ldif
cn=config/olcDatabase={0}config.ldif
cn=config/olcDatabase={1}ldap.ldif
cn=config/olcDatabase={2}monitor.ldif
Overlays Configuration:
cn=config/olcDatabase={1}ldap/olcOverlay={0}rwm.ldif
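The conversion steps above as one added script (not from the lab): it refuses to run while slapd is up, keeps the old slapd.d/ as a backup, runs slaptest, fixes ownership, and then checks that the ldif-files listed above exist with the right owner. Paths and owner default to Debian; the RedHat values are passed as arguments.

```shell
#!/bin/sh
# Constructed example: convert slapd.conf to slapd.d/ and check the result.
# Paths/owner default to Debian; pass "/etc/openldap ldap:ldap" on RedHat.
convert_to_olc() {
  dir="${1:-/etc/ldap}"; owner="${2:-openldap:openldap}"
  # slapd must be stopped before slapd.d/ is replaced
  if pgrep -x slapd >/dev/null 2>&1; then
    echo "slapd is running, stop it first (systemctl stop slapd)" >&2
    return 1
  fi
  # keep the old online config instead of overwriting it
  [ -d "$dir/slapd.d" ] && mv "$dir/slapd.d" "$dir/slapd.d.$(date +%s).bak"
  mkdir -p "$dir/slapd.d"
  slaptest -u -f "$dir/slapd.conf" || return 1        # -u: only check syntax
  slaptest -f "$dir/slapd.conf" -F "$dir/slapd.d" || return 1
  chown -R "$owner" "$dir/slapd.d"
  chmod 750 "$dir/slapd.d"
}
# verify_olc_tree <slapd.d> [owner]: the ldif files the conversion must have
# produced for the configuration outlined above, plus their ownership
verify_olc_tree() {
  base="$1"; owner="${2:-openldap}"; rc=0
  for f in 'cn=config.ldif' 'cn=config/cn=schema.ldif' \
           'cn=config/cn=module{0}.ldif' \
           'cn=config/olcDatabase={-1}frontend.ldif' \
           'cn=config/olcDatabase={0}config.ldif' \
           'cn=config/olcDatabase={1}ldap.ldif' \
           'cn=config/olcDatabase={2}monitor.ldif' \
           'cn=config/olcDatabase={1}ldap/olcOverlay={0}rwm.ldif'; do
    if [ ! -f "$base/$f" ]; then echo "missing: $f"; rc=1; continue; fi
    if [ "$(ls -ld "$base/$f" | awk '{print $3}')" != "$owner" ]; then
      echo "wrong owner: $f"; rc=1
    fi
  done
  return $rc
}
# convert_to_olc && verify_olc_tree /etc/ldap/slapd.d openldap
```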
OLC (OnLine Configuration) - /etc/ldap/slapd.d/
We have seen in the previous section that the OLC configuration is also stored in ldif-files for persistence.
Below we see the ldif-file for the ldap database configuration. The file was generated by the slaptest command described in the previous section. The ldif-file will be updated upon changes, e.g. via ldapmodify.
For configuration changes we have to use LDIF files, which we can provide via STDIN or as flat files. E.g. to change the LogLevel on the fly from stats to none we would use the following LDIF file:
We can also see that change reflected in the file config.ldif which is used by slapd-config for persistence.
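The LogLevel change described above as an added example (the LDIF and helper functions are ours, not the lab's missing file): the LDIF is applied over the ldapi:/// socket with EXTERNAL authentication as local root, and the result is read back both from the running slapd and from the persisted cn=config.ldif.

```shell
#!/bin/sh
# Constructed example: change olcLogLevel on the fly and verify it.
loglevel_ldif() {
  # $1 is the new level, e.g. none, stats or "stats sync"
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: $1
EOF
}
apply_loglevel() {
  # EXTERNAL over ldapi:/// maps local root to the DN the config ACL trusts
  loglevel_ldif "$1" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}
# the in-memory value slapd is using right now ...
show_loglevel() {
  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcLogLevel
}
# ... and the copy slapd-config persisted for the next restart
show_persisted_loglevel() {
  grep '^olcLogLevel' "${1:-/etc/ldap/slapd.d/cn=config.ldif}"
}
# apply_loglevel none && show_loglevel && show_persisted_loglevel
```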
Authentication
The easiest authentication method on the local system where slapd is running is EXTERNAL, which uses the unix domain socket to connect to the slapd service. It maps the uid and gid of the logged-in user to gidNumber=<GID>+uidNumber=<UID>,cn=peercred,cn=external,cn=auth.
Authentication Methods:
Simple
GSSAPI
KERBEROS
EXTERNAL (IPC-Socket)
DIGEST-MD5
We can test the mapping with the ldapwhoami command.
We can see that user1 is mapped to uid=1000, gid=1000.
Access Control
The general syntax for an access rule is
access to <WHAT> [by <WHO> [<ACCESS_LEVEL>][<CONTROL>]]+
E.g. the following rule would deny access to everything for everyone, which happens to be the default rule.
access to * by * none
What:
entries and/or attributes to which we grant/deny access to
Who:
entities that are allowed/denied access
Access Levels:
none
disclose
auth
compare
search
read
write
manage
Let's take a look at the access rule we used earlier in the global configuration section :
access to *
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
by * none
The attributes gidNumber=0+uidNumber=0 are the mapping of the root user's uid and gid on the local system.
We are basically limiting access to everything to the root user, and only from the system slapd is running on. Below we can see the output of two ldapsearch commands: the first run as root, the second as user1.
user=root
uid=0
gid=0
We can see below that user1 isn't allowed to query the config database as we expected.
user=user1
uid=1000
gid=1000
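The two checks shown above, as an added script (not from the lab): it confirms that ldapwhoami returns the peercred DN slapd derives from the caller's uid/gid, and that the config-database ACL grants cn=config to local root only. Run it as root; the second account defaults to user1.

```shell
#!/bin/sh
# Constructed example: check the peercred mapping and that the config ACL
# above really limits cn=config to local root.
expected_peercred_dn() {
  # the DN slapd derives from SO_PEERCRED for a local uid ($1) / gid ($2)
  printf 'dn:gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth\n' "$2" "$1"
}
# ldapwhoami must report exactly that DN for the calling user
check_mapping() {
  [ "$(ldapwhoami -Q -Y EXTERNAL -H ldapi:///)" = \
    "$(expected_peercred_dn "$(id -u)" "$(id -g)")" ]
}
# 0 if the calling user may read cn=config, 1 if the ACL denies it
can_read_config() {
  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -s base dn \
    >/dev/null 2>&1
}
acl_smoke_test() {
  other="${1:-user1}"
  check_mapping || { echo "peercred mapping broken for $(id -un)"; return 1; }
  can_read_config || { echo "root is denied on cn=config"; return 1; }
  # the same query as the unprivileged user must be refused by the ACL
  if su -s /bin/sh -c \
       'ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config -s base dn' \
       "$other" >/dev/null 2>&1; then
    echo "$other can read cn=config: ACL too permissive"; return 1
  fi
  echo "ok: root has manage, $other is denied"
}
# acl_smoke_test user1
```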
Logging
By default slapd writes logs to syslog with the recommended log level 256, aka stats. To demonstrate this we execute an ldapsearch as shown below and look at the generated logs.
LogLevel:
none
trace
packets
args
conns
BER
filter
config
ACL
stats
stats2
shell
parse
sync
Since slapd writes its log entries to syslog by default, we can follow the logs with: journalctl -fu slapd
Searching
We can retrieve objects from the DIT via the ldapsearch command. We usually have to specify at least:
authentication method
credentials
hostname/ip of the ldap server we want to query
optional filters and attributes to limit the result set
The corresponding ldapsearch arguments:
auth method : -Y <SASL_METHOD>
auth credentials
slapd hostname : -H <URI>
object filter
attributes filter
-L : return in ldif format
cn=slapd (attribute filter)
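Two searches from the list above as added examples (not from the lab): a local query of cn=config with EXTERNAL, and a query through the proxy with a simple anonymous bind, which the idassert-authzFrom "*" setting permits. The host slapd1.ctlab.internal and the suffix dc=ctlab,dc=internal are assumptions. Because the proxy lets any caller run filters against AD, the helper escapes values placed into a filter per RFC 4515 before they are used.

```shell
#!/bin/sh
# Constructed example: ldapsearch against the local config (EXTERNAL, root
# only) and through the proxy (anonymous, since idassert-authzFrom is "*").
# Host slapd1.ctlab.internal and suffix dc=ctlab,dc=internal are assumptions.
# -LLL: LDIF output without comments and version line
config_search() {
  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
    '(olcDatabase=*)' olcDatabase olcSuffix
}
# RFC 4515 escaping for values placed inside a filter, so a name such as
# "*)(objectClass=*" cannot widen the query (NUL bytes are not handled here)
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g' -e 's/)/\\29/g'
}
user_filter() {
  printf '(&(objectClass=user)(sAMAccountName=%s))\n' "$(ldap_filter_escape "$1")"
}
# search_user <name> [attr...]: simple anonymous bind (-x) over the proxy
search_user() {
  name="$1"; shift
  ldapsearch -LLL -x -H ldaps://slapd1.ctlab.internal \
    -b 'dc=ctlab,dc=internal' "$(user_filter "$name")" "$@"
}
# search_user user1 cn mail memberOf
```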
Monitoring
TLS configuration
# /etc/ldap/slapd.conf
# -------------------------------------------------------------------------
# Global Configuration
# -------------------------------------------------------------------------
TLSCACertificateFile /etc/ldap/certs/ca.crt
TLSCertificateFile /etc/ldap/certs/slapd.crt
TLSCertificateKeyFile /etc/ldap/certs/slapd.key
...
see also ansible role