OpenLDAP

From Secure Computing Wiki
Revision as of 10:19, 11 February 2008 by Ecrist (Talk | contribs) (create link for replication page.)


So, at work, we've finally got enough systems and users that we're seriously considering an OpenLDAP server for authentication, as well as for our customer/client contact lists, etc. I've never before successfully rolled out an LDAP system, and I've for certain never rolled one out that does authentication for any systems.

Hopefully, when finished, this page will lay out the entire process of installing OpenLDAP Server 2.4.6 on a FreeBSD 6.2 system. Since FreeBSD 6.3 and 7.0 are due out in short order, I should be able to update this page and note any differences you may come across.

Please note, while I'm working through this, this page is a work-in-progress. That means there may be some funny looking edits, and I use these pages as scratch paper of sorts during my installation, to make certain all of the necessary notes get made.

Ecrist 12:56, 4 February 2008 (CST): With a few weeks since my initial post here, I'm going to finally finish this document. There have been quite a few things to work through and I've finally got a broader picture of what's going on.

System Overview

As we're big fans of ezjail, we're going to install an LDAP system with one master server and one slave. All of our email clients will be pointed at the slave for read operations, with that server redirecting any writes to the master. With version 2.4.x of OpenLDAP, replication is implemented in a couple of distinct ways. [1] We're going to set up a system with one master and one slave, with all writes directed to the master.

To keep things simpler, I'm only going to cover setting up a single server on this page. For the replication portion, please see OpenLDAP/replication.

Installation

In our setup, we're going to have two OpenLDAP servers (one master, one slave). In addition, we're going to install phpldapadmin on our master server to help us get a better view of our directory structure.

To begin, we install the following ports:

  • net/openldap-server23
    • enable SASL
    • other defaults should be fine
  • www/apache22
    • enable LDAP
  • lang/php5
    • enable APACHE (apache module)
  • lang/php5-extensions
    • enable LDAP
    • enable PCRE
    • enable SESSION

Configuration

/etc/rc.conf

Now that we have all the ports installed, edit /etc/rc.conf and add the following lines:

apache22_enable="YES"
slapd_enable="YES"

/usr/local/etc/apache22/httpd.conf

Add the following lines:

Around line 107 add:

AddType application/x-httpd-php .php .inc
AddType application/x-httpd-php-source .phps

Around line 183 add:

Alias /phpldapadmin "/usr/local/www/phpldapadmin/htdocs"

<Directory "/usr/local/www/phpldapadmin/htdocs">
        Options Indexes
        AllowOverride none
        
        Order allow,deny
        Allow from all
</Directory>

Around line 228, edit to read:

DirectoryIndex index.html index.php

OpenLDAP Configuration

Now that we have openldap, php5 and apache22 installed, we need to set up our slapd.conf file. The first thing to take into consideration is the function of your directory. In our installation, we're going to use it for an address book and an authentication server. As such, we're going to need the following schemas:

  • core.schema
  • cosine.schema
  • inetorgperson.schema
  • nis.schema

You can look to ldap schemas for more information about the different types.

Our configuration file (/usr/local/etc/openldap/slapd.conf) looks like this, with explanation:

## MASTER LDAP SERVER
# Specify the location of the file to append changes to.

Here, we define our included schemas, as discussed above.

# Global Section
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema

OpenLDAP's loglevel is a bitmask: each debugging category is a power of two and the values you want are added together. 296 is 8 (connection management) + 32 (search filter processing) + 256 (stats), which gives us good verbosity for testing and initial configuration. See the slapd.conf(5) man page for the full list of values.

loglevel        296

Leave these at their default value.

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

The SSHA password hash is default for OpenLDAP. We're going to use this in our setup. 3DES, DES, and MD5 are other valid options.

# Misc Security Settings
password-hash   {SSHA}

We're using the Berkeley Database engine, which is defined here. You can also use SQL and others.

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb

#######################################################################
# BDB database definitions
#######################################################################

database        bdb

Here, we need to define our directory root and our rootdn.

suffix          "dc=claimlynx,dc=com"
rootdn          "cn=root,dc=claimlynx,dc=com"

For the rootpw, you have a couple options for entering your password. For our demonstration, we're entering a clear-text password. In a production setup, you should run the slappasswd command, and enter your password. Assuming the password is secret, the output from slappasswd would be similar to:

# slappasswd <enter>
New password: secret <enter>  (not echoed)
Re-enter new password: secret <enter>  (not echoed)
{SSHA}0H+zTv8o4MR4H43n03eCsvw1luG8LdB7

If we wanted a hashed version stored in our configuration file, we'd enter the text {SSHA}0H+zTv8o4MR4H43n03eCsvw1luG8LdB7 in place of secret below:

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
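As an added illustration (not code from the wiki page), the following Python reproduces the {SSHA} format that slappasswd emits, base64(SHA-1(password + salt) + salt) with a short salt appended after the 20-byte digest, and shows how a verifier checks a candidate password against it. The hash quoted on this page is used only to show the digest/salt split; the fixed salt in the demonstration is a constructed value.

```python
import base64
import hashlib
import hmac
import os

# Added example, not code from the wiki page: the {SSHA} scheme that slappasswd
# emits is  "{SSHA}" + base64( SHA-1(password || salt) || salt ),  with the raw
# salt bytes appended after the 20-byte digest.

PAGE_HASH = "{SSHA}0H+zTv8o4MR4H43n03eCsvw1luG8LdB7"   # value quoted on this page
DIGEST_LEN = 20                                        # SHA-1 output size


def make_ssha(password, salt=None):
    """Return an {SSHA} string usable as rootpw or userPassword."""
    if salt is None:
        salt = os.urandom(4)      # slappasswd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored):
    """Split a stored {SSHA} value into (digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored)
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("{SSHA} value too short to hold digest and salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(password, stored):
    """True if password matches stored; constant-time digest comparison."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    h = make_ssha("secret")                     # fresh salt each run
    print(h, verify_ssha("secret", h), verify_ssha("wrong", h))
    print("salt bytes in page hash:", len(split_ssha(PAGE_HASH)[1]))
```

Because the salt is random, two runs of make_ssha on the same password give different strings, which is why you cannot compare {SSHA} values directly and must re-hash with the stored salt.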

Create the directory you want your OpenLDAP directory stored in and set the permissions to 0600. The mode directive below sets the permissions slapd gives the database files it creates inside that directory.

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/claimlynx.com
mode 0600

This section defines the fields we want to index.

# Indices to maintain
index   objectClass     eq
index   cn,sn,mail      eq,sub
index   uidNumber       eq
index   gidNumber       eq

Our configuration is going to use TLS to encrypt the data between systems. We don't want user credentials flying around our network in clear text. See our page on OpenSSL for information on creating a root CA, and the associated certificates.

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/ca.crt
TLSCertificateFile /usr/local/etc/openldap/client.crt
TLSCertificateKeyFile /usr/local/etc/openldap/client.key

TLSVerifyClient demand

Access control lists define what each authenticated or anonymous user is able to do within the directory. These should go at the end of the configuration file. Here, we have two access control lists. The first ACL states that the userPassword attribute of entries under ou=people,dc=example,dc=com is writable by the entry's owner, is available for authentication by anyone, and is writable by entries under ou=admins,ou=staff,ou=people,dc=example,dc=com. slapd tests the by clauses in order and stops at the first one that matches the requester, so the admins clause has to come before the catch-all by * auth line, or admins will only ever be granted auth. Note also that these DNs must lie under the suffix defined above for the ACL to apply. The second ACL states that all other attributes are readable by anyone, including anonymous users.

## ACLs
#

# Restrict userPassword to be used for authentication only,
# but allow users to update their own password and admins
# to reset it.  by clauses are tested in order; first match wins.
access to dn.children="ou=people,dc=example,dc=com"
 attrs=userPassword
 by self write
 by dn.children="ou=admins,ou=staff,ou=people,dc=example,dc=com" write
 by * auth

# Read access to the world.
access to *
 by * read
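slapd evaluates the by clauses of one access directive top to bottom and grants whatever the first matching clause says. The following Python is an added model of that rule (not OpenLDAP code and not from the wiki page); it runs the userPassword ACL above in two clause orders to show that placing by * auth ahead of the admins clause silently leaves admins with auth only. The user and admin DNs are constructed sample values.

```python
# Added example, not from the wiki page: a minimal model of how slapd picks the
# access level from the <by> clauses of a single "access to" directive.  slapd
# walks the clauses in order and stops at the FIRST <who> that matches the
# requester, so clause order, not just clause content, decides the outcome.


def dn_is_child_of(dn, base):
    """dn.children: any entry strictly below base (base itself excluded)."""
    return dn.lower().endswith("," + base.lower())


def who_matches(who, requester, target):
    """Does the <who> part of a by clause match this requester?"""
    if who == "*":
        return True                      # everyone, anonymous ("") included
    if who == "self":
        return requester != "" and requester.lower() == target.lower()
    if who.startswith('dn.children="') and who.endswith('"'):
        return dn_is_child_of(requester, who[len('dn.children="'):-1])
    raise ValueError("unsupported <who>: " + who)


def granted(clauses, requester, target):
    """Access level from the first matching clause, or 'none' if nothing matches."""
    for who, level in clauses:
        if who_matches(who, requester, target):
            return level
    return "none"


# The page's userPassword ACL as (who, access) pairs, in two orders.
ADMINS = 'dn.children="ou=admins,ou=staff,ou=people,dc=example,dc=com"'
AUTH_FIRST = [("self", "write"), ("*", "auth"), (ADMINS, "write")]   # admins never reached
ADMINS_FIRST = [("self", "write"), (ADMINS, "write"), ("*", "auth")]  # intended behaviour

# Constructed sample DNs for the demonstration.
USER = "uid=alice,ou=people,dc=example,dc=com"
ADMIN = "uid=bob,ou=admins,ou=staff,ou=people,dc=example,dc=com"
ANON = ""

if __name__ == "__main__":
    for name, acl in (("auth first", AUTH_FIRST), ("admins first", ADMINS_FIRST)):
        print(name, "| admin->user:", granted(acl, ADMIN, USER),
              "| anon->user:", granted(acl, ANON, USER),
              "| user->self:", granted(acl, USER, USER))
```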

The completed file, without the explanations, looks like this:

## MASTER LDAP SERVER
# Specify the location of the file to append changes to.

replogfile      /var/log/slapd/slapd.replog
replica         host=servername:389
                suffix="dc=example,dc=com"
                binddn="cn=replica,dc=example,dc=com"
                credentials=MyPass
                bindmethod=simple
                tls=yes

# Global Section
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema

loglevel        296

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Misc Security Settings
password-hash   {SSHA}

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb

#######################################################################
# BDB database definitions
#######################################################################

database        bdb

suffix          "dc=claimlynx,dc=com"
rootdn          "cn=root,dc=claimlynx,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/claimlynx.com
mode 0600

# Indices to maintain
index   objectClass     eq
index   cn,sn,mail      eq,sub
index   uidNumber       eq
index   gidNumber       eq

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/ca.crt
TLSCertificateFile /usr/local/etc/openldap/client.crt
TLSCertificateKeyFile /usr/local/etc/openldap/client.key

TLSVerifyClient demand

## ACLs
#

# Restrict userPassword to be used for authentication only,
# but allow users to update their own password and admins
# to reset it.  by clauses are tested in order; first match wins.
access to dn.children="ou=people,dc=example,dc=com"
 attrs=userPassword
 by self write
 by dn.children="ou=admins,ou=staff,ou=people,dc=example,dc=com" write
 by * auth

# Read access to the world.
access to *
 by * read

Once we've got this file saved, create the directory you referenced for the database store, set permissions to 0600 and chown it to your OpenLDAP user (ldap/ldap if you installed OpenLDAP from ports). Lastly, go ahead and try to start slapd from its rc.d script:

# /usr/local/etc/rc.d/slapd start

Check that it's running (sockstat | grep slapd is my method). If you do not see slapd listed as running, check your log files for any errors. If you've followed my directions up to this point, you should be good to go. At this point, stop slapd with the following command:

# /usr/local/etc/rc.d/slapd stop

It can't be running for our initial load of the database.