Useful documentation

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

Before you start

Make sure puppet is updated and ran. Our puppet configuration will install some needed schemas and software needed to follow this installation process.

Create certs and keytabs

Certficates

First, generate official certificates. There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert
chmod 0500 /etc/ldap/cert
chmod -R 0400 /etc/ldap/cert/*

Kerberos

The ldap server needs two keytabs, one for the server itself and one specific to ldap.

The host principal should be located under /etc as with all other machines.

The ldap/ldap.lysator.liu.se principal should be located at /etc/ldap/ldap.keytab and have 440 openldap:openldap.

/etc/default/slapd should be updated with (should already have been configured by puppet)

 export KRB5_KTNAME=/etc/ldap/ldap.keytab

Bootstrap slapd

First install debian, configure the network and run puppet. Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password). Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
 ldap slapd[XXX]: Starting OpenLDAP: slapd.

Purgin the database

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

Configure slapd

The OpenLDAP server (slapd) is configured by making changes to a database call ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Configure debug logging

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

Configure more extensive indexing (To be removed)

Configure slapd to use more indexing to improve performance. Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

Import NIS User schema

Import nis schema

 ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

 ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Modify NIS schema, change NetgroupTriple SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

Import AUTOFS schema

Import autofs schema

 ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount

Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using

ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using

ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=organizationalUnit)"

Following should be in the output

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Kerberos Auth

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

NOTE: Double check if schema uses ou People or users. If users is used then replace People with users bellow.

Add the following to kerb.ldif

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se

dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se

dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f kerb.ldif

Verify by running

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp

Should output

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=People,dc=lysator,dc=liu,dc=se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

Configure SASL/SSL

Put the following in ldif files and apply.

Specify certificate and change verify client to allow (does the default (never) work? (note, dashes between lines should be included)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow

Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator

Only allow encrypted connections when accessing the database

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif 

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

Allow chsh, chfn and root to modify anything

In order to allow users to change their shell, an acl rule is required.

Place the following text in shell.ldif:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=loginShell
  by self write
  by * read
olcAccess: {1}to *
  by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUid & user/uid" manage
  by * read

Then run the following:

 ldapmodify -Y EXTERNAL -H ldapi:/// -f shell_access.ldif

It should print:

 SASL/EXTERNAL authentication started
 SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 SASL SSF: 0
 modifying entry "olcDatabase={1}mdb,cn=config"

Verify by running:

 ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess

It should print:

 SASL/EXTERNAL authentication started
 SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 SASL SSF: 0
 # extended LDIF
 #
 # LDAPv3
 # base <olcDatabase={1}mdb,cn=config> with scope subtree
 # filter: (objectclass=*)
 # requesting: olcAccess 
 #
 # {1}mdb, config
 dn: olcDatabase={1}mdb,cn=config
 olcAccess: {0}to attrs=loginShell,gecos by self write by * read
 olcAccess: {1}to * by set="[cn=root,ou=Group,dc=lysator,dc=liu,dc=se]/memberUi
  d & user/uid" manage by * read
 # search result
 search: 2
 result: 0 Success
 # numResponses: 2
 # numEntries: 1

Importing data from NIS

• Import from nis scripts.
• Autofs conversion.

Add uid counter

Place the following in nextUid.ldif:

 dn: cn=nextUid,dc=lysator,dc=liu,dc=se
 changetype: add
 objectClass: top
 objectClass: organizationalRole
 objectClass: uidObject
 cn: nextUid
 uid: 10000

Run:

 ldapmodify -Y EXTERNAL -H ldapi:/// -f nextUid.ldif

Should print:

 TODO

To verify run:

 ldapsearch -ZZ -H ldap://ldap.lysator.liu.se -b "dc=lysator,dc=liu,dc=se" "(objectClass=uidObject)"

Should print:

 SASL/GSSAPI authentication started
 SASL username: net4all@LYSATOR.LIU.SE
 SASL SSF: 56
 SASL data security layer installed.
 # extended LDIF
 #
 # LDAPv3
 # base <dc=lysator,dc=liu,dc=se> with scope subtree
 # filter: (objectClass=uidObject)
 # requesting: ALL
 #
 # nextUid, lysator.liu.se
 dn: cn=nextUid,dc=lysator,dc=liu,dc=se
 objectClass: top
 objectClass: organizationalRole
 objectClass: uidObject
 cn: nextUid
 uid: 10000
 # search result
 search: 5
 result: 0 Success
 # numResponses: 2
 # numEntries: 1

Character conversion

Check encoding from output when converting from nis to ldap

 file -bi <file>

Convert to utf-8

 iconv -f <current-encoding> -t utf-8  <file> > <file>-utf8.ldif

Check top tree nodes in ldap database

Before we import data into the database, we should verify that some structures exist. Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

Configure migrationtools

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

Importing into ldap database

Remember to convert the output of the migration scripts. Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

Migrating autofs

NOTE: Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

NOTE: Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted: auto.master auto.home auto.pkg auto.lysator

auto.master

Add

dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

Indirect mounts

Next is to add entries for /home, /mp and /pkg Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"

 dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
 ou: auto.<file>
 objectClass: top
 objectClass: automountMap

Entry Template

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

Errors & Hell

Implementation Specific Error (80)

This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet. Implementation Specific Error seems to be a catch all kind of error.\

Database config change doesn't take effetct

Try restarting slapd. Some changes doesn't take effect immediately.