Rootmanual:ldap

Från Lysators datorhandbok, den ultimata referensen.
Hoppa till navigering Hoppa till sök

Useful documentation

https://wiki.debian.org/LDAP/OpenLDAPSetup

http://www.openldap.org/doc/admin22/index.html

http://www.zytrax.com/books/ldap/ch6/slapd-config.html

https://wiki.debian.org/LDAP/MigrationTools

http://www.openldap.org/doc/admin24/sasl.html

http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/

https://bobcares.com/blog/kerberos-and-ldap-so-strong-together/

http://www.lichteblau.com/ldapvi/manual/ <-- Super useful for editing

https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls

Bootstrap slapd

First install debian, configure the network and run puppet. Please see ldap-server in the lysator puppet git repo.

Now, slapd needs to be reconfigured (mainly to set ldap admin password). Run this:

dpkg-reconfigure -plow slapd

Example answers, note the password <ldap-admin>.

Omit OpenLDAP server configuration? no
DNS nomain name: lysator.liu.se
Organization name: lysator.liu.se
Administrator password: <ldap-admin>
Database backend to use: MDB
Remove database when slapd is purged: no
Move old database: yes
Allow ldapv2 protocol: no

Last, make sure slapd is running:

service slapd start

You should see this in /var/log/syslog:

<date> ldap slapd[XXX]: slapd starting
 ldap slapd[XXX]: Starting OpenLDAP: slapd.

Purgin the database

To start from scratch:

service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/ldap/slapd.d/*

Configure slapd

The OpenLDAP server (slapd) is configured by making changes to a database call ed "cn=config".

We need to make a number of changes before we are ready to initialize the normal database with user data.

We make the changes by writing so called ldif files and applying them to the database with the ldapmodify tool.

ldapmodify -Y EXTERNAL -H ldapi:/// -f diff.ldif

For viewing changes we use the following:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Configure debug logging

Put this in debug.ldif

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Run this to change log level.

ldapmodify -Y EXTERNAL -H ldapi:/// -f debug.ldif

Verify using this.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)" olcLogLevel

Borde skriva ut.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcLogLevel: -1

Configure more extensive indexing

Configure slapd to use more indexing to improve performance. Put this into indexing.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f indexing.ldif

Import NIS User schema

Import nis schema

 ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Verify that you can find posixAccount

 ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep posixAccount

Modify NIS schema, change NetgroupTripe SYNTAX to 1.3.6.1.4.1.1466.115.121.1.26 using ldapvi

ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

Import AUTOFS schema

Import autofs schema

 ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

Verify that you can find automount

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep automount


Add top ou for automount to automount.ldif

dn: ou=automount,dc=lysator,dc=liu,dc=se
ou: automount
objectClass: top
objectClass: organizationalUnit

Import using

ldapadd -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f automount.ldif

Verify using

ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" "(objectClass=automountMap)"

Following should be in the output

# auto.master, automount, lysator.liu.se
dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

Kerberos Auth

Make ldap use kerberos for auth against ldap (e.g database access). This does not cover using kerberos for login.

Add the following to sasl.ldif

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se

dn: cn=config
changetype: modify
add: olcSaslHost
olcSaslHost: ldap.lysator.liu.se

dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: LYSATOR.LIU.SE

Run this:

ldapmodify -Y EXTERNAL -H ldapi:/// -f sasl.ldif

Verify by running

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcAuthzRegexp=*)" olcAuthzRegexp

Should output

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcAuthzRegexp: {0}uid=(.*),cn=lysator.liu.se,cn=gssapi,cn=auth uid=$1,ou=users,dc=lysator,dc=liu,dc=se
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslHost=*)" olcSaslHost

Should output

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslHost: ldap.lysator.liu.se


ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSaslRealm=*)" olcSaslRealm

Should output

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcSaslRealm: LYSATOR.LIU.SE

Verify that the output matches the same as configured above

Next, add 'export KRB5_KTNAME=/etc/ldap/ldap.keytab' to /etc/default/slapd (there should be a similar entry where you can put this line)

Configure SASL/SSL

First, generate official certificates. There should be three files, in our case:

/etc/ldap/cert/chain-lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.pem
/etc/ldap/cert/ldap.lysator.liu.se.key

Make sure that the openldap user has the rights to read these files.

chown -R openldap:openldap /etc/ldap/cert/*
chmod -R 0400 /etc/ldap/cert*

Put the following in ldif files and apply.

Only use tls.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=1

Add it like so:

ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldif 

Should print:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Check that it is in the config:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcSecurity=*)" olcSecurity | grep olcSecurity

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
olcSecurity: tls=1

Specify certificate.

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: allow

Add using:

ldapadd -Y EXTERNAL -H ldapi:/// -f certs.ldif

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

Check it using:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcTLSCACertificateFile=*)" olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient

Should output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/cert/chain-lysator.liu.se.pem
olcTLSCertificateFile: /etc/ldap/cert/ldap.lysator.liu.se.pem
olcTLSCertificateKeyFile: /etc/ldap/cert/ldap.lysator.liu.se.key
olcTLSVerifyClient: allow

Check that admin can login using tls:

ldapsearch -LLL -ZZ -W -H ldap:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -b "dc=lysator,dc=liu,dc=se" "(cn=admin)" description

Should first query for password, like so:

Enter LDAP Password:

It is the password entered during package configuration.

Then it should print the following:

dn: cn=admin,dc=lysator,dc=liu,dc=se
description: LDAP administrator


Allow chsh and chfn

Importing data from NIS

  • Import from nis scripts.
  • Autofs conversion.

Character conversion

Check encoding from output when converting from nis to ldap

 file -bi <file>

Convert to utf-8

 iconv -f <current-encoding> -t utf-8  <file> > <file>-utf8.ldif

Check top tree nodes in ldap database

Before we import data into the database, we should verify that some structures exist. Also, that admin can login.

ldapsearch -Z -H ldapi:/// -b "dc=lysator,dc=liu,dc=se" -D "cn=admin,dc=lysator,dc=liu,dc=se" -W

Use the password specified during the package configuration.

Should display:

# admin, lysator.liu.se
dn: cn=admin,dc=lysator,dc=liu,dc=se
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <password-hash>
# search result
search: 3
result: 0 Success
# numResponses: 3
# numEntries: 2

Configure migrationtools

Run this:

apt-get install migrationtools

This installs a number of scripts and configuration tools for converting NIS to ldap.

Configuration files can be found here:

/usr/share/migrationtools

Cruically in :

/etc/migrationtools/migrate_common.ph

Change to the following:

$DEFAULT_MAIL_DOMAIN = "lysator.liu.se";
$DEFAULT_BASE = "dc=lysator,dc=liu,dc=se";

Importing into ldap database

Remember to convert the output of the migration scripts. Then run this.

ldapadd -Z -H ldapi:/// -D "cn=admin,dc=lysator,dc=liu,dc=se" -W -f nis-utf8.ldif

It will display many lines similar to this:

adding new entry "uid=<user>,ou=<thing>,dc=lysator,dc=liu,dc=se"

And the command may take several seconds to complete (depending on the dataset size).

Migrating autofs

NOTE: Migration tools provides a tool to migrate from nis but ueses other objectClasses. Some manuall work is needed to match the schema we use.

NOTE: Data should be in utf-8 before importing. Don't forget to convert.

Following needs to be converted: auto.master auto.home auto.pkg auto.lysator

auto.master

Add

dn: ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
ou: auto.master
objectClass: top
objectClass: automountMap

Indirect mounts

Next is to add entries for /home, /mp and /pkg Template follows:

dn: cn=/<dir>,ou=auto.master,ou=automount,dc=lysator,dc=liu,dc=se
objectClass: top
objectClass: automount
cn: /<dir>
automountInformation: auto.<file> <mount info>

where dir is mount point e.g /home. File is home for auto.home

For each indirect mount you also have to add a "top" for that "file"

 dn: ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
 ou: auto.<file>
 objectClass: top
 objectClass: automountMap

Entry Template

dn: cn=<name>,ou=auto.<file>,ou=automount,dc=lysator,dc=liu,dc=se
cn: <name>
objectClass: automount
objectClass: top
automountInformation: -fstype=nfs,rw <additional mount options> <server>:<path>

Errors & Hell

Implementation Specific Error (80)

This can be due to incorrect indentation or possibly that a path to a file specified in the ldif is incorrect. We got this error while trying to add the encryption keys. The path was correct but the files had not been moved there yet. Implementation Specific Error seems to be a catch all kind of error.