LDAP UCL IIHE

From T2B Wiki

Procedure for the installation of the LDAP master server at IIHE

This procedure describes the installation on a Fedora Core 10 machine.

RPM installation

To install the needed RPMs, type:

yum install openldap-servers
yum install openldap-clients

LDAP service configuration

The service must start automatically:

chkconfig --level 345 ldap on

The parameters passed to the LDAP service at start-up can be added or changed in the /etc/sysconfig/ldap file. By modifying this file we can, for example, define the URLs that must be used to access the LDAP service.

Now, adapt the LDAP service configuration file /etc/openldap/slapd.conf:

include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args
loglevel	2047

# Load dynamic backend modules:
# modulepath	/usr/lib/openldap # or /usr/lib64/openldap
# The following module is needed for replication with the shadow LDAP server
modulepath	/usr/lib64/openldap
moduleload syncprov.la

# The next three lines allow use of TLS for encrypting connections
TLSCACertificateFile /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be-bundle.pem
TLSCertificateFile /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt
TLSCertificateKeyFile /etc/pki/tls/ldap/private/ldap01_iihe_ac_be.key

TLSVerifyClient try

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
#security ssf=1 update_ssf=112 simple_bind=64

# disable anonymous bind
disallow bind_anon

# Access to the passwords is restricted (even though they are hashed!)
access to attrs=userPassword
	by dn="cn=manager,dc=tier2,dc=be" write
	by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write
	by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read
	by self write
	by anonymous auth
	by * none

# Prevent ordinary users from modifying their uid and gid
access to attrs=uidNumber,gidNumber
	by dn="cn=manager,dc=tier2,dc=be" write
	by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write
	by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read
	by self read
	by anonymous auth
	by * none

# Read-only access for everybody to the rest of the directory
access to *
	by dn="cn=manager,dc=tier2,dc=be" write
	by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write
	by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read
	by self write
	by anonymous auth
	by users read

#######################################################################
# Backend database definition
#######################################################################

database	bdb
suffix		"dc=tier2,dc=be"
#checkpoint	1024 15
rootdn		"cn=manager,dc=tier2,dc=be"
rootpw		{MD5}C0v0wBolHmN9pDpfWbdxyz==

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended and owner must be ldap user
directory	/var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index nisDomain				eq
# indices added for syncrepl
index entryCSN,entryUUID		eq

# loads and configures the syncprov overlay
overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 100
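To check what the access rules in this file actually grant before loading them, here is an added example (not part of the original page and not OpenLDAP code) that re-implements the subset of slapd's ACL evaluation the rules above rely on: the first "access to" clause whose target covers the attribute is selected, within it the first matching "by" clause decides, and anything unmatched is denied. The ACL text is the one from the slapd.conf above; the user DNs under ou=People are constructed for the demonstration. On the real server, slapacl(8) is the authoritative tool.

```python
"""Evaluate the slapd.conf access rules above for a given bind DN.

Added example (not from the page, not OpenLDAP code). Implements the subset
of slapd ACL semantics the rules above use: first matching "access to"
clause, first matching "by" clause, implicit deny. Levels are ordered
none < auth < compare < search < read < write. Note that the rootdn bypasses
ACLs in slapd anyway, so the explicit manager lines are belt-and-braces.
"""
import re

# ACL text copied from the page's slapd.conf (sample input for this example).
ACL_TEXT = """
access to attrs=userPassword
    by dn="cn=manager,dc=tier2,dc=be" write
    by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write
    by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read
    by self write
    by anonymous auth
    by * none

access to attrs=uidNumber,gidNumber
    by dn="cn=manager,dc=tier2,dc=be" write
    by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write
    by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read
    by self read
    by anonymous auth
    by * none

access to *
    by dn="cn=manager,dc=tier2,dc=be" write
    by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write
    by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read
    by self write
    by anonymous auth
    by users read
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def norm_dn(dn):
    """Case-insensitive DN comparison key (naive: ignores RDN escaping)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acls(text):
    """Return [(attrs_or_None, [(who, level), ...]), ...] in file order."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to"):
            target = line[len("access to"):].strip()
            if target == "*":
                attrs = None                       # whole entry, every attribute
            else:
                m = re.fullmatch(r"attrs=(\S+)", target)
                attrs = {a.lower() for a in m.group(1).split(",")}
            acls.append((attrs, []))
        elif line.startswith("by "):
            m = re.fullmatch(r'by\s+(dn="[^"]+"|\S+)\s+(\w+)', line)
            acls[-1][1].append((m.group(1), m.group(2)))
    return acls


def access_for(acls, bind_dn, entry_dn, attr):
    """Level that bind_dn (None = anonymous) gets on attr of entry_dn."""
    for attrs, clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue                               # clause does not cover this attribute
        for who, level in clauses:
            if who.startswith('dn="'):
                matched = bind_dn is not None and norm_dn(bind_dn) == norm_dn(who[4:-1])
            elif who == "self":
                matched = bind_dn is not None and norm_dn(bind_dn) == norm_dn(entry_dn)
            elif who == "anonymous":
                matched = bind_dn is None
            elif who == "users":
                matched = bind_dn is not None
            elif who == "*":
                matched = True
            else:
                raise ValueError(f"unsupported <who> clause: {who}")
            if matched:
                return level
        return "none"                              # target matched, no <who> matched: deny
    return "none"                                  # no clause covers the attribute: deny


def allows(acls, bind_dn, entry_dn, attr, needed):
    """True if the granted level is at least `needed` (e.g. "read")."""
    return LEVELS.index(access_for(acls, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)


PAGE_ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=iihe,dc=tier2,dc=be"   # constructed user DNs
    bob = "uid=bob,ou=People,dc=iihe,dc=tier2,dc=be"
    for who, label in [(None, "anonymous"), (alice, "alice (self)"), (bob, "bob")]:
        for attr in ("userPassword", "uidNumber", "mail"):
            print(f"{label:13} {attr:13} -> {access_for(PAGE_ACLS, who, alice, attr)}")
```

Running it shows a consequence of the "by * none" line in the uidNumber/gidNumber clause that is easy to miss when reading the file: an ordinary bound user can read everybody's other attributes but not anybody else's uidNumber or gidNumber. Only manager, syncrepl and proxyuser can, which is why clients have to bind as proxyuser rather than as the end user for NSS lookups.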

Note that, as we didn't want the manager's account password to appear in clear, we hashed it with:

slappasswd -h '{MD5}'

and simply copy-pasted the result into slapd.conf (see the value of rootpw).
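As an added illustration (not the page's own code and not the slappasswd implementation), the following Python reproduces the {MD5} value format the command above emits, adds the salted {SSHA} scheme that slappasswd also supports, and verifies a password against either, so a rootpw value can be checked before it goes into slapd.conf. The password "secret" is a constructed test value.

```python
"""Generate and verify slappasswd-style {scheme}base64 password values.

Added example: not the page's code and not the slappasswd implementation.
{MD5} (what the page uses) is base64(md5(password)) with no salt, so equal
passwords give equal hashes and precomputed tables apply. {SSHA}, which
slappasswd also offers, is base64(sha1(password + salt) + salt).
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def hash_md5(password: str) -> str:
    """Same output as: slappasswd -h '{MD5}' -s <password>"""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def hash_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Same layout as: slappasswd -h '{SSHA}' -s <password> (4-byte random salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Check candidate against a stored value; a cleartext rootpw is compared directly."""
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    raw = base64.b64decode(b64)
    if scheme.upper() == "MD5":
        expected = hashlib.md5(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError(f"unsupported password scheme: {{{scheme}}}")


if __name__ == "__main__":
    pw = "secret"                                   # constructed test password
    print(hash_md5(pw))                             # {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
    print(hash_ssha(pw))                            # differs on every run: salted
    print(verify(hash_md5(pw), pw), verify(hash_ssha(pw), "wrong"))
```

Because {MD5} is unsalted, two accounts with the same password show the same userPassword value to anyone allowed to read it (on this server: manager, syncrepl and proxyuser); {SSHA} avoids that at no cost, and slapd verifies both formats transparently.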

This configuration file enables two important features:

  • A security layer with TLS/SSL (authentication of the server by its certificate and encryption)
  • Replication to another shadow server with syncrepl

From the above config file, you can also see that the LDAP directory content will be stored in a BDB database. Before this backend is created, make sure that the user ldap exists, then check that the directory /var/lib/ldap exists with permission 700 and owner ldap. If this is not the case:

useradd ldap
mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown -R ldap:ldap /var/lib/ldap

For tuning the performance of the Berkeley DB backend, a DB_CONFIG file is needed in /var/lib/ldap:

cp /usr/share/doc/openldap-servers-2.4.12/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap /var/lib/ldap/DB_CONFIG

Finally, we have to configure the local client tool by changing /etc/openldap/ldap.conf, because we need it to make some checks on the server:

BASE		dc=iihe,dc=ac,dc=be
URI		ldap://ldap.iihe.ac.be/

Test server configuration

To test the configuration, type:

service ldap configtest

Populate the LDAP directory

We will populate the directory with the following LDIF file:

dn: dc=tier2,dc=be
dc: tier2
description: Toplevel domain
associatedDomain: tier2.be
nisDomain: tier2.be
objectClass: top
objectClass: domain
objectClass: domainRelatedObject

dn: dc=iihe,dc=tier2,dc=be
dc: iihe
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
description: IIHE's subdomain
associatedDomain: iihe.tier2.be

dn: dc=fynu,dc=tier2,dc=be
dc: fynu
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
description: FYNU's subdomain
associatedDomain: fynu.tier2.be

dn: ou=Group,dc=fynu,dc=tier2,dc=be
objectClass: top
objectClass: organizationalUnit
ou: Group
description: The groups

dn: ou=People,dc=fynu,dc=tier2,dc=be
objectClass: top
objectClass: organizationalUnit
ou: People
description: The users

dn: ou=Group,dc=iihe,dc=tier2,dc=be
objectClass: top
objectClass: organizationalUnit
ou: Group
description: The groups

dn: ou=People,dc=iihe,dc=tier2,dc=be
objectClass: top
objectClass: organizationalUnit
ou: People
description: The users

dn: cn=extrausers,ou=Group,dc=iihe,dc=tier2,dc=be
objectClass: posixGroup
objectClass: top
cn: extrausers
gidNumber: 20900

dn: cn=localgrid,ou=Group,dc=iihe,dc=tier2,dc=be
objectClass: posixGroup
objectClass: top
cn: localgrid
gidNumber: 20501

dn: cn=localusers,ou=Group,dc=iihe,dc=tier2,dc=be
objectClass: posixGroup
objectClass: top
cn: localusers
gidNumber: 20500

dn: ou=System,dc=tier2,dc=be
objectClass: top
objectClass: organizationalUnit
ou: System
description: System accounts

dn: uid=syncrepl,ou=System,dc=tier2,dc=be
uid: syncrepl
ou: System
description: Special account for SyncRepl
objectClass: account
objectClass: simpleSecurityObject

dn: uid=proxyuser,ou=System,dc=tier2,dc=be
uid: proxyuser
ou: System
objectClass: account
objectClass: simpleSecurityObject
description: System account to bind to ldap in readonly mode
userPassword:: e0NSWUBVfXdCejlQehRaSzFsYzI=

Here is the command to import this LDIF file:

slapadd -v -l test.ldif

Note: for security reasons, the above LDIF file does not give the actual content of our LDAP server. You will find the real content in our restricted area: here

Final check of the service

First, we must start the service:

service ldap start

Then, we can try a few searches in the directory:

ldapsearch -x -D "cn=manager,dc=iihe,dc=ac,dc=be" -W -b "ou=Users,dc=iihe,dc=ac,dc=be"
ldapsearch -x -D "cn=manager,dc=iihe,dc=ac,dc=be" -W -b "dc=iihe,dc=ac,dc=be"

Procedure describing how to configure a UI for LDAP authentication

Procedure for the renewal of the LDAP server certificates

Here are the files to update:

TLSCACertificateFile /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be-bundle.pem
TLSCertificateFile /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt

For your information, the private key is TLSCertificateKeyFile /etc/pki/tls/ldap/private/ldap01_iihe_ac_be.key; it should not be changed.

Use the BELNET Web interface to request a new certificate. A request file will be asked for. Simply give this file:

ldap01:/root/host_req.pem

(Since we always reuse the same key, it is not necessary to generate a new request.)

Once you have got the new certificates from BELNET, first make a backup of the old ones:

ssh root@ldap01 "mv /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt.old"
ssh root@ldap01 "mv /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be-bundle.pem /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be-bundle.pem.old"

Then, copy the new ones:

scp ldap01_iihe_ac_be.pem root@ldap01:/etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt

How to synchronise accounts on the LDAP server with accounts created by Quattor in flat files?

Since the LDAP server is not managed by Quattor, accounts have to be synchronised in a "manual" step. To make this task easy, a Perl script has been written (see the attachment of this page). Simply launch this script as root on CCQ.
