LPIC-2 [202-450]
openldap - slapd
Installation
[root@centos-7 slapd.d]# yum install openldap-server openldap-clients
After the packages are installed, you would normally start the LDAP server with:
[root@centos-7 slapd.d]# systemctl start slapd
Unfortunately the start fails: the shipped configuration enables TLS, but the certificates it refers to were never generated.
[root@centos-7 slapd.d]# systemctl start slapd
Job for slapd.service failed because the control process exited with error code. See "systemctl status slapd.service" and "journalctl -xe" for details.
[root@centos-7 slapd.d]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2020-03-07 00:58:48 UTC; 5s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 2179 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
Process: 2151 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Mar 07 00:58:48 centos-7 runuser[2177]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Mar 07 00:58:48 centos-7 runuser[2177]: pam_unix(runuser:session): session closed for user ldap
Mar 07 00:58:48 centos-7 slapd[2179]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 18:29:13) $
mockbuild@armhfp-03.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Mar 07 00:58:48 centos-7 slapd[2179]: main: TLS init def ctx failed: -1
Mar 07 00:58:48 centos-7 slapd[2179]: slapd stopped.
Mar 07 00:58:48 centos-7 slapd[2179]: connections_destroy: nothing to destroy.
Mar 07 00:58:48 centos-7 systemd[1]: slapd.service: control process exited, code=exited status=1
Mar 07 00:58:48 centos-7 systemd[1]: Failed to start OpenLDAP Server Daemon.
Mar 07 00:58:48 centos-7 systemd[1]: Unit slapd.service entered failed state.
Mar 07 00:58:48 centos-7 systemd[1]: slapd.service failed.
Disable TLS configuration
To disable the TLS configuration, open the cn=config.ldif file and comment out the TLS directives.
sh# cd /etc/openldap/slapd.d/
sh# vi cn\=config.ldif
...
#olcTLSCACertificatePath: /etc/openldap/certs
#olcTLSCertificateFile: "OpenLDAP Server"
#olcTLSCertificateKeyFile: /etc/openldap/certs/password
...
Now the server starts:
sh# systemctl start slapd
[root@centos-7 slapd.d]# vi cn\=config.ldif
[root@centos-7 slapd.d]# systemctl start slapd
[root@centos-7 slapd.d]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
Active: active (running) since Sat 2020-03-07 01:03:13 UTC; 3s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
file:///usr/share/doc/openldap-servers/guide.html
Process: 2216 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
Process: 2188 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
Main PID: 2217 (slapd)
CGroup: /system.slice/slapd.service
└─2217 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
Mar 07 01:03:12 centos-7 runuser[2210]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Mar 07 01:03:12 centos-7 runuser[2210]: pam_unix(runuser:session): session closed for user ldap
Mar 07 01:03:12 centos-7 runuser[2212]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Mar 07 01:03:12 centos-7 runuser[2212]: pam_unix(runuser:session): session closed for user ldap
Mar 07 01:03:12 centos-7 runuser[2214]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Mar 07 01:03:12 centos-7 runuser[2214]: pam_unix(runuser:session): session closed for user ldap
Mar 07 01:03:12 centos-7 slapd[2216]: @(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 18:29:13) $
mockbuild@armhfp-03.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Mar 07 01:03:12 centos-7 slapd[2216]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config.ldif"
Mar 07 01:03:13 centos-7 slapd[2217]: slapd starting
Mar 07 01:03:13 centos-7 systemd[1]: Started OpenLDAP Server Daemon.
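The hand edit above done as code, as an added example (not part of the original notes, and not an OpenLDAP tool): it comments out every olcTLS* attribute line in cn=config.ldif, leaves already-commented lines alone so a second run changes nothing, and can report which directives are still active. The SAMPLE_CONFIG text is a constructed excerpt modelled on the three directives shown above, and the helper names are my own. Two caveats the transcript illustrates: the files under slapd.d carry a checksum, so after a hand edit slapd logs "ldif_read_file: checksum error" on the file (visible in the status output above) but still starts, and with the directives commented out the ldap:/// listener shown in the CGroup line has no StartTLS, so binds over it travel in cleartext until certificates are in place and the directives are restored.

```python
import re
import shutil

# Constructed excerpt of /etc/openldap/slapd.d/cn=config.ldif, modelled on the
# directives shown above; not the real file from the host in the transcript.
SAMPLE_CONFIG = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
structuralObjectClass: olcGlobal
"""

# An uncommented olcTLS* attribute at the start of a line.  The TLS values in
# this file are short, so LDIF folded continuation lines are not expected.
TLS_DIRECTIVE = re.compile(r"^(olcTLS\w*):", re.MULTILINE)


def comment_tls_directives(text):
    """Return (new_text, names): every active olcTLS* line prefixed with '#',
    and the list of directive names touched.  Lines that already start with
    '#' do not match, so calling this twice is a no-op the second time."""
    names = []
    out = []
    for line in text.splitlines(keepends=True):
        m = TLS_DIRECTIVE.match(line)
        if m:
            names.append(m.group(1))
            out.append("#" + line)
        else:
            out.append(line)
    return "".join(out), names


def active_tls_directives(text):
    """Names of olcTLS* directives that are still in effect (not commented)."""
    return TLS_DIRECTIVE.findall(text)


def apply_to_file(path):
    """Back up path to path + '.bak', rewrite it with TLS directives commented
    out, and return the names that were changed (hypothetical helper)."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, names = comment_tls_directives(original)
    if names:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return names


if __name__ == "__main__":
    changed, names = comment_tls_directives(SAMPLE_CONFIG)
    print("commented out:", names)
    print("still active:", active_tls_directives(changed))
```

Run it against the real file with apply_to_file("/etc/openldap/slapd.d/cn=config.ldif") as root, then start slapd as in the transcript; keep the .bak so the directives can be restored once the certificates exist.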
Configuration
Changing the admin password
First we have to generate a new hash that we can use to update the database.
[root@ubuntu-18.04]# slappasswd -h '{SSHA512}' -o module-load=pw-sha2.la -o module-path=/usr/lib/ldap
New password:
Re-enter new password:
{SSHA512}MZLWVLIMBr4RA1Eruk6TvFtKyIRLtYNX95GOp2yg96TQRe9b8XI2m1dZ6NJU6cKsODn2nC1BSveUOFk/mXu09hP3SYsoFFbY
Now we can update the database to use the newly generated password.
[root@ubuntu-18.04]# ldapmodify -Q -Y EXTERNAL -H ldapi:///
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA512}MZLWVLIMBr4RA1Eruk6TvFtKyIRLtYNX95GOp2yg96TQRe9b8XI2m1dZ6NJU6cKsODn2nC1BSveUOFk/mXu09hP3SYsoFFbY
modifying entry "olcDatabase={1}mdb,cn=config"
The same change on CentOS 7, where the module lives under /usr/lib/openldap and the database is olcDatabase={2}hdb:
[root@centos-7 cn=config]# slappasswd -h '{SSHA512}' -o module-load=pw-sha2.la -o module-path=/usr/lib/openldap
New password:
Re-enter new password:
{SSHA512}9LQip9f0r/DuSfpM2z5T/eNl2CNN0sXwOAuP1j103ph5+preROw6HL5bnHXksdUWVg3xVK4o4FBQoCirtRgsAca6fxuI6ovx
[root@centos-7 cn=config]# ldapmodify -Q -Y EXTERNAL -H ldapi:///
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA512}9LQip9f0r/DuSfpM2z5T/eNl2CNN0sXwOAuP1j103ph5+preROw6HL5bnHXksdUWVg3xVK4o4FBQoCirtRgsAca6fxuI6ovx
modifying entry "olcDatabase={2}hdb,cn=config"
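What slappasswd produced above, taken apart and reproduced in Python as an added example (my code, not OpenLDAP's): a {SSHA512} value is the scheme prefix followed by base64 of sha512(password + salt) with the salt appended, and the hash printed on the Ubuntu host decodes to a 64-byte digest plus an 8-byte salt. The block generates and verifies such values; it goes slightly beyond the page by also handling {SSHA256} from the same pw-sha2 module and the built-in {SSHA} (SHA-1). The 8-byte salt for the pw-sha2 schemes is read off the page's hash, the 4-byte salt for {SSHA} is what slappasswd emits and is assumed here for generation only, since verification takes the salt from the stored value. The function names and the test password are mine. One thing to check after changing olcRootPW to such a value: slapd itself must load the pw-sha2 module (olcModuleLoad: pw-sha2), otherwise it cannot verify binds against a {SSHA512} hash even though slappasswd could produce it.

```python
import base64
import hashlib
import hmac
import os

# Salted hash schemes in the form slappasswd writes them:
#   {SCHEME} + base64( digest(password + salt) + salt )
# {SSHA512} and {SSHA256} need the pw-sha2 module, {SSHA} (SHA-1) is built in.
# Salt sizes are only used when generating: 8 bytes for the pw-sha2 schemes
# (the page's {SSHA512} value decodes to 64 + 8 bytes), 4 bytes for {SSHA}
# (assumed from slappasswd's default).
SCHEMES = {
    "{SSHA512}": ("sha512", 8),
    "{SSHA256}": ("sha256", 8),
    "{SSHA}": ("sha1", 4),
}

# The {SSHA512} value produced by slappasswd on the Ubuntu host above.
PAGE_HASH = ("{SSHA512}MZLWVLIMBr4RA1Eruk6TvFtKyIRLtYNX95GOp2yg96TQRe9b8XI2m1dZ6NJU"
             "6cKsODn2nC1BSveUOFk/mXu09hP3SYsoFFbY")


def make_hash(password, scheme="{SSHA512}", salt=None):
    """Produce a value suitable for olcRootPW / userPassword, like slappasswd."""
    algo, salt_len = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(salt_len)  # fresh random salt, as slappasswd does
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def split_hash(stored):
    """Return (scheme, digest, salt) for a stored {SSHA*} value.
    The salt is whatever follows the fixed-size digest."""
    for scheme, (algo, _) in SCHEMES.items():
        if stored.startswith(scheme):
            raw = base64.b64decode(stored[len(scheme):])
            size = hashlib.new(algo).digest_size
            return scheme, raw[:size], raw[size:]
    raise ValueError("unsupported password scheme: " + stored[:stored.find("}") + 1])


def verify_password(password, stored):
    """True if password matches stored; the digest compare is constant-time."""
    scheme, digest, salt = split_hash(stored)
    algo = SCHEMES[scheme][0]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    scheme, digest, salt = split_hash(PAGE_HASH)
    print(scheme, len(digest), "byte digest,", len(salt), "byte salt")
    h = make_hash("Secret123")  # constructed test password
    print(h)
    print(verify_password("Secret123", h), verify_password("wrong", h))
```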
Logging
Mar 17 11:00:58 slapd1 slapd[1364]: conn=1000 fd=12 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Mar 17 11:00:58 slapd1 slapd[1364]: conn=1000 op=0 BIND dn="" method=163
Mar 17 11:00:58 slapd1 slapd[1364]: conn=1000 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Mar 17 11:00:58 slapd1 slapd[1364]: conn=1000 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
Mar 17 11:00:58 slapd1 slapd[1364]: conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000015 etime=0.000322 text=
Mar 17 11:00:58 slapd1 slapd[1364]: conn=1000 op=1 SRCH base="dc=ctlabs,dc=internal" scope=2 deref=0 filter="(cn=slapd)"
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "INSTANCETYPE" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "WHENCREATED" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "USNCREATED" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "OBJECTGUID" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "BADPWDCOUNT" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "CODEPAGE" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "COUNTRYCODE" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "BADPASSWORDTIME" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "LASTLOGOFF" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "LASTLOGON" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "PRIMARYGROUPID" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "OBJECTSID" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "ACCOUNTEXPIRES" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "LOGONCOUNT" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "SAMACCOUNTTYPE" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "USERPRINCIPALNAME" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "OBJECTCATEGORY" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "USERACCOUNTCONTROL" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "PWDLASTSET" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "LASTLOGONTIMESTAMP" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "WHENCHANGED" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: PROXIED attributeDescription "USNCHANGED" inserted.
Mar 17 11:00:58 slapd1 slapd[1364]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.093014 nentries=1 text=
Mar 17 11:00:58 slapd1 slapd[1364]: conn=1000 op=2 UNBIND
Mar 17 11:00:58 slapd1 slapd[1364]: conn=1000 fd=12 closed
conn=1001 : every connection gets a unique connection number assigned
op=0 : several operations can be executed per connection; the operation counter starts at zero
BIND, RESULT, SRCH, SEARCH RESULT, UNBIND : the name/step of the executed LDAP OPERATION; an LDAP OPERATION usually consists of multiple steps, e.g. the BIND operation is split into BIND-REQUEST and BIND-RESULT.
tag=101 : the application BER type (Basic Encoding Rules type) of the response: 101=SEARCH_RESULT_DONE, 97=BIND_RESPONSE
err=0 : return code of the LDAP OPERATION (0=success, 1=operations error, 2=protocol error, ...)
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 fd=12 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=0 BIND dn="" method=163
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000015 etime=0.000082 text=
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=1 SRCH base="dc=ctlabs,dc=internal" scope=2 deref=0 filter="(cn=slapd)"
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000009 etime=0.003740 nentries=1 text=
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=2 UNBIND
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 fd=12 closed
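The conn=/op=/tag=/err= structure described above is exactly what makes these lines parseable. As an added example (my code, not part of the notes), the block below groups slapd stats-log lines by connection and operation, merges the three BIND lines a SASL EXTERNAL bind produces into one request record, attaches each RESULT's tag and err to the operation it answers, and lists binds whose result code is not 0. SAMPLE_LOG is constructed: it reuses the conn=1001 session from the log above and adds a made-up conn=1002 in which a simple bind (method=128) for the admin DN fails with err=49 (invalidCredentials); the peer IP and timestamps in that part are placeholders. The PROXIED attributeDescription lines carry no conn= and are skipped.

```python
import re

# Constructed sample: the conn=1001 session from above plus a made-up
# conn=1002 with a failed simple bind.  192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 fd=12 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=0 BIND dn="" method=163
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000015 etime=0.000082 text=
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=1 SRCH base="dc=ctlabs,dc=internal" scope=2 deref=0 filter="(cn=slapd)"
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000009 etime=0.003740 nentries=1 text=
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 op=2 UNBIND
Mar 17 11:03:56 slapd1 slapd[1364]: conn=1001 fd=12 closed
Mar 17 11:05:10 slapd1 slapd[1364]: conn=1002 fd=13 ACCEPT from IP=192.0.2.10:40112 (IP=0.0.0.0:389)
Mar 17 11:05:10 slapd1 slapd[1364]: conn=1002 op=0 BIND dn="cn=admin,dc=ctlabs,dc=internal" method=128
Mar 17 11:05:10 slapd1 slapd[1364]: conn=1002 op=0 RESULT tag=97 err=49 text=
Mar 17 11:05:10 slapd1 slapd[1364]: conn=1002 fd=13 closed
""".splitlines()

# Standard LDAP result codes (RFC 4511) for the err= values seen here.
RESULT_CODES = {0: "success", 1: "operationsError", 2: "protocolError",
                32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights"}

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<kind>SEARCH RESULT|[A-Z]+)(?P<attrs>.*)$")
ATTR_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')  # key=value or key="quoted value"
RESULT_KINDS = {"RESULT", "SEARCH RESULT"}


def parse_attrs(text):
    return {k: v.strip('"') for k, v in ATTR_RE.findall(text)}


def parse_log(lines):
    """Return {conn: {"peer", "closed", "ops": {op: {kind, request, tag, err}}}}."""
    conns = {}
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue  # no conn= (e.g. PROXIED attributeDescription lines)
        conn, rest = int(m.group("conn")), m.group("rest")
        entry = conns.setdefault(conn, {"peer": None, "closed": False, "ops": {}})
        if " ACCEPT from " in rest:
            entry["peer"] = rest.split(" ACCEPT from ", 1)[1].split(" ")[0]
            continue
        if rest.endswith(" closed"):
            entry["closed"] = True
            continue
        om = OP_RE.match(rest)
        if not om:
            continue
        op, kind = int(om.group("op")), om.group("kind")
        attrs = parse_attrs(om.group("attrs"))
        rec = entry["ops"].setdefault(op, {"kind": None, "request": {}, "tag": None, "err": None})
        if kind in RESULT_KINDS:
            rec["tag"] = int(attrs.get("tag", -1))
            rec["err"] = int(attrs.get("err", -1))
        else:
            rec["kind"] = kind
            rec["request"].update(attrs)  # a SASL bind logs several BIND lines; merge them
    return conns


def failed_binds(conns):
    """(conn, op, peer, bind dn, err, name) for every BIND with err != 0."""
    out = []
    for conn, entry in sorted(conns.items()):
        for op, rec in sorted(entry["ops"].items()):
            if rec["kind"] == "BIND" and rec["err"] not in (None, 0):
                out.append((conn, op, entry["peer"], rec["request"].get("dn", ""),
                            rec["err"], RESULT_CODES.get(rec["err"], "unknown")))
    return out


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for conn, entry in sorted(conns.items()):
        print(f"conn={conn} peer={entry['peer']} ops={len(entry['ops'])} closed={entry['closed']}")
    for row in failed_binds(conns):
        print("failed bind:", row)
```

Feeding journalctl -u slapd or /var/log/syslog through parse_log gives the same structure for real traffic; a count of failed_binds per peer over a time window is the simplest alert to build from it.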
Monitoring
To enable monitoring, we have to configure the monitor database, e.g.:
# /etc/ldap/slapd.conf
database monitor