
openldap

open-ldap slapd ldap

Variables:

Distro: Ubuntu Server 12.10
Domain Component: example.com

Installation

https://help.ubuntu.com/12.10/serverguide/openldap-server.html

0.1 (Optional) Completely remove a previous installation:

sudo aptitude purge ldap-utils slapd

0.2 (Optional) Installing the slapd package creates a default DIT derived from the domain part of the machine's FQDN (the name resolved through the 127.0.1.1 line in /etc/hosts). To use the test domain 'example.com' in this example:

sudo vim /etc/hosts

And leave the line like this, assuming our hostname is "ldap-1.dev.local.example.com" (the first name after the address is treated as the canonical FQDN and decides the domain, so the example.com name goes first):

127.0.0.1	localhost
127.0.1.1	ldap.example.com ldap-1.dev.local.example.com

1. Install the packages:

sudo aptitude install ldap-utils slapd

It will prompt for a password.

IMPORTANT: that password becomes the one for the user "cn=admin,dc=example,dc=com", the rootdn of the database, which is not subject to any olcAccess rule.

Initial data load

Without creating a DB (follow this one)

https://help.ubuntu.com/12.10/serverguide/openldap-server.html#openldap-server-populate

We assume the DB was created when the packages were installed and that we already have the DIT "dc=example,dc=com".

1. Create:

vim ~/ingesta.ldif

With the following content:

# Created by the installer
#dn: dc=example,dc=com
#dc: example
#o: example.com
#objectclass: top
#objectclass: dcObject
#objectclass: organization

# Created by the installer. Superuser with write access everywhere
#dn: cn=admin,dc=example,dc=com
#cn: admin
#description: LDAP administrator
#objectclass: simpleSecurityObject
#objectclass: organizationalRole
#userpassword: {SSHA}JXmAPflthZNZZKv2GR5CAoP4WkFCzJf1

# Read-only user for the applications that connect to LDAP
dn: cn=readonly,dc=example,dc=com
cn: readonly
description: LDAP readonly to be used by 3rd party applications
objectclass: simpleSecurityObject
objectclass: organizationalRole
objectclass: top
userpassword: {SSHA}Ij157dTx0/kapcSa2AT7DfJIksc4MYV2

# People. Users hang from this OU
dn: ou=people,dc=example,dc=com
objectclass: organizationalUnit
ou: people

# User #1
dn: uid=user1,ou=people,dc=example,dc=com
cn: User One
objectclass: inetOrgPerson
objectclass: top
sn: User One
uid: user1
userpassword: {MD5}kod69wpF/Wou1/6B4SNreA==

# User #2
dn: uid=user2,ou=people,dc=example,dc=com
cn: User Two
objectclass: inetOrgPerson
objectclass: top
sn: User Two
uid: user2
userpassword: {MD5}kod69wpF/Wou1/6B4SNreA==

# Groups
dn: ou=groups,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups

# Group chat. Add user #1
dn: cn=chat,ou=groups,dc=example,dc=com
cn: chat
gidnumber: 10001
memberuid: user1
objectclass: posixGroup

# Group redmine. Add users #1 and #2
dn: cn=redmine,ou=groups,dc=example,dc=com
cn: redmine
gidnumber: 10002
memberuid: user1
memberuid: user2
objectclass: posixGroup
objectclass: top

NOTE: the users' passwords are changed later with phpldapadmin. The {MD5} values above are unsalted hashes, so any two users with the same password get the same stored value (user1 and user2 here) and one dictionary hit recovers both; generate {SSHA} values with `slappasswd -h {SSHA}` instead. The "readonly" role is read-only only because the ACLs grant it nothing more: an organizationalRole with a userPassword is just a bind identity, not a permission level.

2. Run:

sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f ingesta.ldif

Type the admin password:

Enter LDAP Password: 

Output (dc=example,dc=com and cn=admin are commented out in the file because the installer already created them, so only the remaining entries are added):

adding new entry "cn=readonly,dc=example,dc=com"

adding new entry "ou=people,dc=example,dc=com"

adding new entry "uid=user1,ou=people,dc=example,dc=com"

adding new entry "uid=user2,ou=people,dc=example,dc=com"

adding new entry "ou=groups,dc=example,dc=com"

adding new entry "cn=chat,ou=groups,dc=example,dc=com"

adding new entry "cn=redmine,ou=groups,dc=example,dc=com"

3. Check:

ldapsearch -x -LLL -b dc=example,dc=com 'uid=user1' cn

Output:

dn: uid=user1,ou=people,dc=example,dc=com
cn: User One

Creating a DB

Useful if we want to create a second DIT. Note that the suffix and the database directory must not collide with the database the installer already created: the file below reuses dc=example,dc=com and /var/lib/ldap, so for a genuinely second DIT change olcSuffix and olcDbDirectory (and create the directory, owned by openldap) before applying it.

1. Create:

vim ~/backend.ldif

With the following content:

# Load dynamic backend modules
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/ldap
#olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
# Put a hash from `slappasswd -h {SSHA}` here; a cleartext olcRootPW is
# readable by anyone allowed to read cn=config.
olcRootPW: password
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq
olcDbIndex: gidNumber eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

Variables

dc=example,dc=com: Domain Component. Every object hangs from here
cn=admin,dc=example,dc=com: admin user (rootdn)
password: admin user's password

2. Run (SASL EXTERNAL over the ldapi:/// socket authenticates as root's uid/gid, which is what the default cn=config ACL trusts):

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

Output:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=hdb,cn=config"

3. Create:

vim ~/frontend.ldif

With the following content:

# Create top-level object in domain
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Organization
dc: example
description: LDAP Example 

# Admin user. userPassword is stored exactly as given, so use a slappasswd
# hash here instead of the cleartext value shown.
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: password

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=perico,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: perico
sn: Os Palotes
givenName: Perico
cn: Perico Os Palotes
displayName: Perico Os Palotes
uidNumber: 10001
gidNumber: 10001
# Stored as given; hash it with slappasswd in real use
userPassword: pericopassword
gecos: Perico Os Palotes
loginShell: /bin/bash
homeDirectory: /home/perico
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: perico.ospalotes@example.com
postalCode: 31000
l: Barcelona
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: PO

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10001

Variables

dc=example,dc=com: base DN of the DIT
cn=admin,dc=example,dc=com: admin user
password: admin user's password
uid=perico: sample user
pericopassword: sample user's password

4. Run:

sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.ldif

Type the admin password:

Enter LDAP Password: 

Output:

adding new entry "dc=example,dc=com"

adding new entry "cn=admin,dc=example,dc=com"

adding new entry "ou=people,dc=example,dc=com"

adding new entry "ou=groups,dc=example,dc=com"

adding new entry "uid=perico,ou=people,dc=example,dc=com"

adding new entry "cn=example,ou=groups,dc=example,dc=com"

5. Verify:

ldapsearch -x -LLL -b "dc=example,dc=com" uid=perico

Output (userPassword is missing on purpose: this is an anonymous search and the olcAccess rule on attrs=userPassword grants anonymous only auth, not read):

dn: uid=perico,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: perico
sn: Os Palotes
givenName: Perico
cn: Perico Os Palotes
displayName: Perico Os Palotes
uidNumber: 10001
gidNumber: 10001
gecos: Perico Os Palotes
loginShell: /bin/bash
homeDirectory: /home/perico
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: perico.ospalotes@example.com
postalCode: 31000
l: Barcelona
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: PO

6. From here on we could already test with phpldapadmin:

Login DN: cn=admin,dc=example,dc=com
Password: password
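The ingest LDIF above stores user passwords as unsalted {MD5}, and backend.ldif/frontend.ldif carry cleartext olcRootPW and userPassword values. The block below is an added example, not code from the original page or from OpenLDAP: it reproduces the {SSHA} format that `slappasswd -h {SSHA}` emits (SHA-1 over password plus a 4-byte random salt, salt appended, base64 of both) so hashes for an LDIF can be generated and checked offline, and it verifies {SSHA}, {SHA}, {MD5} and cleartext values so the weakness of the unsalted schemes can be demonstrated with a dictionary run. Function names and the sample wordlist are my own.

```python
"""Generate and verify RFC 2307-style userPassword values for LDIF.

Added example (not from the original page or OpenLDAP): reproduces what
`slappasswd -h {SSHA}` outputs so hashes for an LDIF can be created and
checked offline, and shows why unsalted {MD5}/{SHA} values and cleartext
passwords are weaker. Python 3 standard library only.
"""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

SALT_LEN = 4  # slappasswd uses a 4-byte salt by default


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password: str) -> str:
    """Legacy '{MD5}' + base64(md5(password)): unsalted, here only for comparison."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


def split_scheme(stored: str) -> Tuple[Optional[str], str]:
    """Split '{SCHEME}data' into (SCHEME, data); a cleartext value has no scheme."""
    if not stored.startswith("{") or "}" not in stored:
        return None, stored
    scheme, _, data = stored[1:].partition("}")
    return scheme.upper(), data


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a userPassword value.

    Handles {SSHA}, {SHA}, {MD5} and cleartext; comparisons are constant-time
    so the helper is also safe on the receiving side of a credential check.
    """
    scheme, data = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme is None:
        return hmac.compare_digest(pw, stored.encode("utf-8"))
    raw = base64.b64decode(data)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the salt follows it
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    raise ValueError("unsupported userPassword scheme: " + scheme)


def crack_unsalted(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack against one stored value; returns the guess that matches.

    Works on any scheme, but against unsalted {MD5}/{SHA} one hash per guess
    tests that guess against every account at once: the two users in
    ingesta.ldif share the same {MD5} value, so a single hit recovers both.
    """
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # Constructed demo: what the userPassword lines in the LDIF should look like.
    for user in ("user1", "user2"):
        print("dn: uid=%s,ou=people,dc=example,dc=com" % user)
        print("userPassword: " + ssha_hash("changeme-" + user))
        print()
```

Paste the printed userPassword values into the LDIF in place of the {MD5} ones; because each call draws a fresh salt, the same password yields a different stored value per user, which is exactly what the unsalted scheme lacks.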

Apache authentication against LDAP

We assume an Apache (httpd) server and a separate OpenLDAP server (ldap.example.com). In this example our LDAP holds the following object:

dn: uid=perico,ou=people,dc=example,dc=com
...
cn: Perico Os Palotes
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
...
uid: perico
userpassword: pericopassword
...

1. (Apache) Enable the ldap authentication module:

sudo a2enmod authnz_ldap

Plain HTTP

1. (Apache) Example virtual host (Apache 2.2 syntax, which is what Ubuntu 12.10 ships):

<VirtualHost *:80>
        ServerName testldap.example.com
        ServerAdmin webmaster@localhost
        DocumentRoot /srv/www/testldap

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /srv/www/testldap>
                Options Indexes ExecCGI FollowSymLinks
                order allow,deny
                allow from all

                AuthName "AuthRequired"
                AuthType Basic
                AuthBasicProvider ldap

                # Identity Apache binds as to look up the user: the readonly role from the ingest LDIF
                AuthLDAPBindDN cn=readonly,dc=example,dc=com
                AuthLDAPBindPassword clearpassword
                # STARTTLS upgrades the LDAP connection on 389 to TLS before any bind is sent
                AuthLDAPURL "ldap://ldap.example.com:389/ou=people,dc=example,dc=com" STARTTLS
                require valid-user
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/testldap.error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/testldap.access.log combined
</VirtualHost>

Variables:

ldap://ldap.example.com:389/ou=people,dc=example,dc=com: search base for the users (the default attribute is uid, which matches the entries above). See the AuthLDAPURL documentation for the full syntax (host, base DN, attribute, scope, filter).

Notes: STARTTLS protects the leg between Apache and slapd, but with a plain-HTTP virtual host the browser still sends the Basic credentials unencrypted on every request, so use this only for testing and the TLS variant below otherwise. AuthLDAPBindPassword is kept in cleartext in the configuration, so the file must be readable by root only; the readonly role should be exactly that, since anyone who reads this file can bind as it.

TLS

1. Virtual host configuration (a *:443 virtual host only speaks HTTPS with SSLEngine and a certificate; the original listing omitted them, so they are added here using the placeholder pair that the ssl-cert package installs, to be replaced by a real certificate, and mod_ssl has to be enabled with a2enmod first):

<VirtualHost *:443>
        ServerName testldap.example.com
        ServerAdmin webmaster@localhost
        DocumentRoot /srv/www/testldap

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /srv/www/testldap>
                Options Indexes ExecCGI FollowSymLinks
                order allow,deny
                allow from all

                AuthName "AuthRequired"
                AuthType Basic
                AuthBasicProvider ldap

                AuthLDAPBindDN cn=readonly,dc=example,dc=com
                AuthLDAPBindPassword clearpassword
                # ldaps:// on 636 is TLS from the first byte; the ldaps listener is enabled in the TLS section further down
                AuthLDAPURL "ldaps://ldap.example.com:636/ou=people,dc=example,dc=com"

                require valid-user
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/testldap.error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/testldap.access.log combined
</VirtualHost>

2. Create the following file:

sudo vim /etc/apache2/conf.d/ldap-tls

With the following content:

LDAPVerifyServerCert Off

This makes mod_ldap accept any certificate the LDAP server presents, which gives up what TLS was for: anyone on the path can answer with their own certificate and collect every bind, the readonly password included. It is tolerable only while testing against a certificate Apache cannot validate yet. The proper configuration keeps LDAPVerifyServerCert at its default of On and points LDAPTrustedGlobalCert (type CA_BASE64) at the CA certificate that signed the slapd certificate, i.e. the cacert.pem produced in the TLS section below, copied to the Apache host.

3. Both are server-level mod_ldap directives, and a reload re-reads the configuration, so the reload in the next section is enough; no full restart is needed.

Check

1. (Apache) Reload Apache:

sudo service apache2 reload

2. In a browser open:

http://testldap.example.com
User: perico
Password: pericopassword

With the TLS virtual host use https://testldap.example.com instead; over the plain-HTTP URL the password travels unencrypted. A failed login is explained in testldap.error.log (a wrong bind password for cn=readonly shows up there as an LDAP bind failure rather than as a user error).

Logging

https://help.ubuntu.com/12.10/serverguide/openldap-server.html#openldap-server-logging

1. Create:

vim ~/logging.ldif

With the following content:

dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats

olcLogLevel is multi-valued, so `add` appends a value; if one is already set (the Debian/Ubuntu package configures `none`), use `replace: olcLogLevel` to set it instead.

2. Apply the change:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif

3. Watch the logs (now more descriptive: the `stats` level records each connection, the bind DN and method, the search base and filter, and the result code, which is what you want for auditing who queried what; passwords are not logged at this level):

sudo tail -F /var/log/syslog

Disable access for anonymous users

If after typing:

ldapsearch -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' 'objectclass=*'

and pressing Enter at the password prompt (no -D and an empty password is an anonymous simple bind) you get results, anonymous users can read your LDAP server.

The two changes below could also go in a single LDIF file, as two entries separated by a blank line.

1. Create two files:

vim ~/disable_anonymous_part_1.ldif

With the following content:

dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

vim ~/disable_anonymous_part_2.ldif

With the following content:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

2. Apply both changes:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f disable_anonymous_part_1.ldif 
modifying entry "cn=config"

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f disable_anonymous_part_2.ldif 
modifying entry "olcDatabase={-1}frontend,cn=config"

3. Test again:

ldapsearch -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' 'objectclass=*'
Enter LDAP Password: 
ldap_bind: Inappropriate authentication (48)
	additional info: anonymous bind disallowed

bind_anon rejects the anonymous bind itself; olcRequires: authc on the frontend (whose settings apply to every database) additionally refuses operations from sessions that never authenticated, so clients that relied on anonymous reads (an nss/pam LDAP client without a bind DN, a ldapsearch without -D) stop working until they are given credentials. SASL EXTERNAL over ldapi:/// is an authenticated session and keeps working.

NOTE: when using 'cn=config' instead of 'slapd.conf' there is NO need to restart the service. This holds for every change on this page unless stated otherwise.
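The ldapsearch test above needs the ldap-utils package on the machine you test from. The block below is an added example, not code from the original page or from OpenLDAP: it performs the same anonymous simple bind with nothing but the Python standard library, encoding the LDAPv3 BindRequest by hand (BER, RFC 4511) and decoding the BindResponse, so the check can run from any host (a monitoring box, a CI job) without LDAP client libraries. The host and port default to the page's 127.0.0.1:389 and are assumptions; SAMPLE_DENIED is a constructed copy of the response slapd returns once bind_anon is disallowed (result code 48), included so the decoder can be exercised offline.

```python
"""Probe whether slapd still accepts anonymous binds, standard library only.

Added example (not from the original page or OpenLDAP): hand-encodes an LDAPv3
simple BindRequest and decodes the BindResponse (RFC 4511, BER encoding), so
the anonymous-bind check can run from hosts without ldap-utils. Host/port
below are assumptions matching the page's ldapsearch test.
"""
import socket
from typing import Tuple

RESULT_CODES = {
    0: "success",
    48: "inappropriateAuthentication",  # what slapd returns for a disallowed anonymous bind
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|N then N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value: int) -> bytes:
    """BER INTEGER, minimal two's-complement encoding (non-negative values)."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def bind_request(message_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, [0] simple } }.

    An empty DN with an empty password is the anonymous simple bind that
    `ldapsearch -x` sends when no -D is given and Enter is pressed at the prompt.
    """
    bind = ber_integer(3) + tlv(0x04, dn.encode("utf-8")) + tlv(0x80, password.encode("utf-8"))
    return tlv(0x30, ber_integer(message_id) + tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one BER element at pos; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give how many bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """LDAPMessage { messageID, [APPLICATION 1] BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % op_tag)
    _, code, pos = read_tlv(op)          # ENUMERATED resultCode
    _, matched, pos = read_tlv(op, pos)  # LDAPDN matchedDN
    _, diag, _ = read_tlv(op, pos)       # LDAPString diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "result_code": rc,
        "result_name": RESULT_CODES.get(rc, "other"),
        "matched_dn": matched.decode("utf-8"),
        "diagnostic": diag.decode("utf-8"),
    }


def anonymous_bind_allowed(host: str = "127.0.0.1", port: int = 389, timeout: float = 5.0) -> bool:
    """Live check (needs the server): True if slapd accepts an anonymous bind."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(bind_request(1))
        response = parse_bind_response(sock.recv(4096))
    return response["result_code"] == 0


# Constructed sample of slapd's answer after olcDisallows: bind_anon is set:
# resultCode 48, empty matchedDN, diagnosticMessage "anonymous bind disallowed".
SAMPLE_DENIED = bytes.fromhex(
    "30 25 02 01 01 61 20 0a 01 30 04 00 04 19 "
    "61 6e 6f 6e 79 6d 6f 75 73 20 62 69 6e 64 20 64 69 73 61 6c 6c 6f 77 65 64"
)

if __name__ == "__main__":
    print("anonymous BindRequest on the wire:", bind_request(1).hex())
    print("decoded sample response:", parse_bind_response(SAMPLE_DENIED))
```

Run `anonymous_bind_allowed()` against the server after applying the two LDIFs; a True result means the change did not take effect. The request is the 14-byte message `300c020101600702010304008000`, which is also a useful signature when you look for anonymous binds in a packet capture.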

TLS, SSL, STARTTLS, LDAPS

https://help.ubuntu.com/12.10/serverguide/openldap-server.html#openldap-tls

When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS).

Here, we will be our own Certificate Authority and then create and sign our LDAP server certificate as that CA. Since slapd is compiled using the gnutls library, we will use the certtool utility to complete these tasks.

1. Install the gnutls-bin and ssl-cert packages:

sudo apt-get install gnutls-bin ssl-cert

2. Create a private key for the Certificate Authority:

sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"

3. Create the template/file /etc/ssl/ca.info to define the CA:

cn = Example Company
ca
cert_signing_key

4. Create the self-signed CA certificate:

sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem

5. Make a private key for the server (the 12.10 guide used --bits 1024; 1024-bit RSA is too weak to sign anything new, so use at least 2048):

sudo certtool --generate-privkey --bits 2048 --outfile /etc/ssl/private/ldap01_slapd_key.pem

6. Create the /etc/ssl/ldap01.info info file containing:

organization = Example Company
cn = ldap01.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650

The above certificate is good for 10 years. Adjust accordingly.

7. Create the server's certificate:

sudo certtool --generate-certificate --load-privkey /etc/ssl/private/ldap01_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ldap01.info --outfile /etc/ssl/certs/ldap01_slapd_cert.pem

8. Create the file /etc/ssl/certinfo.ldif with the following contents (the paths match the files created in the steps above; adjust them if you keep the certificates elsewhere):

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

Use the ldapmodify command to tell slapd about our TLS work via the slapd-config database:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif

9. IMPORTANT: the Apache TLS virtual host above uses an ldaps:// URL, so the ldaps listener on port 636 must be enabled (by default only ldap:/// and ldapi:/// are served):

Edit:

sudo vim /etc/default/slapd

And leave the line like this:

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

More info:

LDAP over TLS/SSL (ldaps://) is deprecated in favour of StartTLS. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636. Either way, the plain ldap:/// listener on 389 keeps accepting unencrypted binds unless clients insist on StartTLS (ldapsearch's -ZZ option fails instead of falling back to cleartext) or the server requires it (olcSecurity with tls=1 on the database), so enabling TLS on the server alone does not stop a misconfigured client from sending passwords in the clear.

10. Tighten up ownership and permissions (only the server key is shared with the openldap user; the CA key /etc/ssl/private/cakey.pem stays readable by root alone, since slapd never needs it):

sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem

11. Restart OpenLDAP:

sudo service slapd restart

12. Check the listeners:

sudo netstat -nlp | egrep "636|389" | grep -v "tcp6"

Expected output:

tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      15275/slapd     
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      15275/slapd

Listening is not the same as negotiating TLS correctly: also run a search with ldapsearch's -ZZ option (StartTLS on 389, failing hard if the handshake does not succeed) and one against ldaps://ldap01.example.com:636, from a client whose TLS_CACERT in ldap.conf points at cacert.pem; a client that cannot validate the certificate refuses the connection, which is the behaviour you want.