LDAP Test VLAN

Install and configure openldap server

The following guide sets up two openldap servers with host name and  ip address as follow. the host address are not resolved by DNS currently, so they have to be specified in the /etc/hosts file for ever machine:
sophia.blueprint.org    10.0.11.5    master ldap server
brass.blueprint.org    10.0.11.6    slave ldap server
Both of the servers would be running openldap version 2.3.27 on centos 5.1
 
The following is used set up the server machine (brass in this case), the reference is at
 
The reference to migrate password and group information is at 

Install openldap using yum command

#yum install openldap openldap-servers openldap-clients db4-utils gq nss_ldap
After install openldap, a user and group for ldap is created automatically

Using slappasswd command to generate a encrypted password for slapd:

slappasswd -h {SSHA}
A prompt will pop out for you to enter a new password, enter the same pass word twice and the encrypted passwords in the form of :
{SSHA}********************* would appear in the screen.

Configure the /etc/openldap/slapd.conf file

Make sure there are no spaces at the start of a line. For a minimum testing environment the following modification is enough.
 
suffix   "dc= blueprint,dc= org"                     // line 69: specify domain name
 
rootdn   "cn=Manager,dc= blueprint,dc= org" // line 70: specify domain name
 
rootpw   {MD5}************************                    // line 76: add password that is set in (2)
 // add these lines at the bottom for access control
access to attrs=userPassword
    by self write
    by dn="cn=Manager,dc=blueprint,dc=org" write
    by anonymous auth
    by * none
 
access to *
    by dn="cn=Manager,dc=blueprint,dc=blueprint" write
    by self write
    by * read
 

Open the ports for LDAP services: 

iptables -I INPUT -p tcp --dport 389 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 389 -j ACCEPT
iptables -I INPUT -p tcp --dport 636 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 636 -j ACCEPT
service iptables save

File permissions:

make sure the files in /var/lib/ldap are owned by the ldap user by:
chown -R ldap:ldap /var/lib/ldap
if there are not /var/lib/ldap/DB_CONFIG file, create an empty one.:
touch /var/lib/ldap/DB_CONFIG
This file is used to tune the performance of the directory database by setting up optimized value for parameters such as cache size.

Start slapd:

/etc/init.d/ldap start
or
service ldap start

Testing the configuration:

If the ldap service starts successfully, The basic entries of the directory can be added to test if things are working. Put the following in to a text file named "base.ldif"
dn: dc=blueprint,dc=org
objectClass: dcObject
objectClass: organization
o: blueprint Organization
dc: blueprint
 
dn: cn=Manager,dc=blueprint,dc=org
objectClass: organizationalRole
cn: manager
 
dn: ou=People,dc=blueprint,dc=org
objectClass: organizationalUnit
ou: People
 
dn: ou=Groups,dc=blueprint,dc=org
objectClass: organizationalUnit
ou: Groups
dn: ou=DSA,dc=blueprint,dc=org
objectClass: organizationalUnit
ou: DSA
dn: ou=Imaps,dc=blueprint,dc=org
objectClass: organizationalUnit
ou: Imaps
 
dn: cn=replicator,ou=DSA,dc=blueprint,dc=org
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: replicatorsecretpwd
cn: replicator
 

Add the ldif file to the ldap directory by:

ldapadd -h localhost -x -D "cn=Manager,dc=blueprint,dc=org" -W -f base.ldif
There would be prompt asking for password, enter the password for "cn=Manager,dc=blueprint,dc=org" entered in the previous section. To verify whether the entries are added successfully, use the following command:
ldapsearch -x "cn=Manager"
And the following should be the output:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=Manager
# requesting: ALL
#
# Manager, blueprint.org
dn: cn=Manager,dc=blueprint,dc=org
objectClass: organizationalRole
cn: manager
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
 

Securing openldap connection by tls

Self-signed certificate:

By default openldap server send data through network uncrypted, which could be vulnerable to attacks. openldap allows secured connection using ssl server and client certificates. In our implementation the openldap server is inside a firewall protected intranet, thus it does not require a client certificate that authenticates the client to the server - a server site certificate is sufficient to secure the connection. Server certificate can be generated by openssl or issued by third party such as thaws. In this application a self signed certificate is enough for securing the service.
  1. Make sure that openssl has been installed on the machine
  2. go to /etc/pki/tls/certs, delete slapd.pem there if its existed
  3. use the command make slapd.pem to generate the ssl certificate. a few questions would be asked such as country code and email addresses, answer them as clearly as possible because they are coded into the certificate
  4. Make sure the hostname of the server must match the cn of the certificate (ie sophia.blueprint.org) when asked for the cn
  5. use chown command to make ldap to be the user of slapd.pem and assign right 644 to it
  6. if there is no make program configured, the certificate can be build manually by the following command:
/usr/bin/openssl req -newkey rsa:1024 -keyout tempfile1 -nodes -x509 -days 365 -out tempfile2
cat tempfile1 >slapd.pem
echo "" >> slapd.pem
cat tempfile2 >> slapd.pem
rm -f tempfile1 tempfile2
After generation of certificate, it should be specified in the slapd.conf file, edit the following line in the slapd.conf
TLSCACertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
 
And this certificate needs to be copied to the /etc/ldap/cacerts folder on the client machines.
 
 

Ca certificates

The drawback of self-signed certificate is that  the private and public keys are in the same file. Therefore, the private key is passed to client machines, causing protential risk of interfereing the connection. A more secured way is to use ca certificate to generate private and public keys for both clients and servers. The ca certificate can be obtained from a third party issuing authority. For internal use in the lab, ca certificate generated by openssl can be used. The following is the guide to configure openldap to use a generated ca certificates. An additional benefit of using ca certificates is that, the same CA certificate can be used to sign multiple ldap servers. Therefore only one certificate is needed for openldap clients to access multiple servers.
 
 

For generation of Ca certificates, three shell scripts are used, which are adapted from Gary Tan. The first script (cr_ssl_certs_openldap.sh) generates the CA certificate, and use it to sign the certificate for the master openldap server. The next one (cr_unsigned_ssl_cert.sh) produced an unsigned certificate on the slave openldap server and the third one( sign_ssl_cert_from_slave.sh) uses the CA key generated by the first script to sign the unsigned certificate to be used on the slave ldap server.

These script will be using a modified openssl.cnf file, which is attached with this page. The main modification is to introduce a subjectAltName attribute that contain the DNS name of the load balancer's virtual host, in this way the problem of host name mismatch caused by load balancers will be solved. To do this, add the following line in the [ usr_cert ] section of openssl.cnf:

subjectAltName=DNS:ldap.blueprint.org

 

 

To use the scripts, create a folder on the master ldap server (CA for example, on sophia). Copy cr_ssl_certs_openldap.sh,sign_ssl_cert_from_slave, and openssl.cnf attached with this page to the folder. Run the script by ./cr_ssl_certs_openldap.sh. The first section of this script will create a CA certificate and key. A strong password is needed for the cakey generated. There will be prompts asking for parameters of the certificate such as country code. Follow the default (which can be modified in the openssl.conf file) except change the cn to “Ca certificate”. The next section of the script would create a certificate for openldap and sign it using the ca certificate. When prompt for common name, enter the host name of the ldap server. When the certificate is signed, copy the certificate file generated to the openldap folder, and configure proper permissions.

cp cacert.pem /etc/openldap/

cp newcert.pem /etc/openldap/slapd-cert-ldap1.pem

cp newreq.pem /etc/openldap/slapd-key-ldap1.pem

chomd 640 /etc/openldap/slapd-key-ldap1.pem

chown ldap:ldap /etc/openldap/*.pem

 

To generate a certificate for slave ldap server, run cr_unsigned_ssl_cert.sh with openssl.cnf on the slave ldap server. Note the common name asked must be the host name of the slave ldap server. It would generate an unsigned ldap certificate/ key pair on the slave ldap server. Then run sign_ssl_cert_from_slave.sh on the master ldap server. It would ask for host name of the slave server and the directory the unsigned certs  are stored.  Then down load the certs and use the CA key to sign that file. After running the script copy the signed certificate to the openldap folder of the slave server and change to proper permissions.
 
scp cacert.pem slave-ldap:/etc/openldap/
scp newcert_slave.pem slave-ldap:/etc/openldap/slapd-cert-ldap2.pem
scp newreq_slave.pem slave-ldap:/etc/openldap/slapd-key-ldap2.pem
on the slave server:
chmod 640 /etc/openldap/slapd-key-ldap1.pem
chown ldap:ldap /etc/openldap/*.pem
 
Now specify the ca certs and ldap keys in the slapd.conf of ldap server and restart ldap service. e.g. on sophia:
 
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /etc/openldap/slapd-key-ldap1.pem
 
And copy the cacert.pem to the /etc/openldap/cacerts/ folder of all the openldap clients, and use authconfig-tui to refresh the cache
 
Now the clients can use the cacerts.pem certificate to access multifple openldap servers, which is needed for replication of LDAP servers.
  
Comments