LDAP UCL IIHE
Procedure for the installation of the LDAP master server at IIHE
This procedure describes the installation on a Fedora Core 10 machine.
RPM installation
To install the needed RPMs, just type:
    yum install openldap-servers
    yum install openldap-clients
LDAP service configuration
The service must start automatically at boot:
    chkconfig --level 345 ldap on
The parameters passed to the LDAP service at start-up can be added or changed in the /etc/sysconfig/ldap file. In this file we can, for example, define the URLs that clients must use to access the LDAP service.
Now, adapt the LDAP service configuration file /etc/openldap/slapd.conf:
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema

    # Allow LDAPv2 client connections. This is NOT the default.
    allow bind_v2

    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args

    loglevel 2047

    # Load dynamic backend modules:
    # modulepath /usr/lib/openldap   # or /usr/lib64/openldap
    # The following module is needed for replication with the shadow LDAP server
    modulepath /usr/lib64/openldap
    moduleload syncprov.la

    # The next lines allow use of TLS for encrypting connections
    TLSCACertificateFile /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be-bundle.pem
    TLSCertificateFile /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt
    TLSCertificateKeyFile /etc/pki/tls/ldap/private/ldap01_iihe_ac_be.key
    TLSVerifyClient try

    # Sample security restrictions
    # Require integrity protection (prevent hijacking)
    # Require 112-bit (3DES or better) encryption for updates
    # Require 63-bit encryption for simple bind
    #security ssf=1 update_ssf=112 simple_bind=64

    # disable anonymous bind
    disallow bind_anon

    # Access to the passwords is restricted (even though they are hashed!)
    access to attrs=userPassword
        by dn="cn=manager,dc=tier2,dc=be" write
        by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write
        by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read
        by self write
        by anonymous auth
        by * none

    # Prevent ordinary users from modifying their uid and gid
    access to attrs=uidNumber,gidNumber
        by dn="cn=manager,dc=tier2,dc=be" write
        by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write
        by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read
        by self read
        by anonymous auth
        by * none

    # Read-only access for everybody to the rest of the directory
    access to *
        by dn="cn=manager,dc=tier2,dc=be" write
        by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write
        by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read
        by self write
        by anonymous auth
        by users read

    #######################################################################
    # Backend database definition
    #######################################################################
    database bdb
    suffix "dc=tier2,dc=be"
    #checkpoint 1024 15
    rootdn "cn=manager,dc=tier2,dc=be"
    rootpw {MD5}C0v0wBolHmN9pDpfWbdxyz==

    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended and owner must be the ldap user
    directory /var/lib/ldap

    # Indices to maintain for this database
    index objectClass eq,pres
    index ou,cn,mail,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index uid,memberUid eq,pres,sub
    index nisMapName,nisMapEntry eq,pres,sub
    index nisDomain eq
    # indices added for syncrepl
    index entryCSN,entryUUID eq

    # loads and configures the syncprov overlay
    overlay syncprov
    syncprov-checkpoint 50 10
    syncprov-sessionlog 100
Note that, as we didn't want the manager's account password to appear in clear, we hashed it with:
    slappasswd -h '{MD5}'
and simply copy-pasted the result into slapd.conf (see the value of rootpw).
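As an added example (not from this page), the following Python reproduces what slappasswd produces for the {MD5} scheme used above and for its default {SSHA} scheme, and verifies a candidate password against either value the way slapd does on a simple bind. The password "secret" used in the checks is a constructed value.

```python
import base64
import hashlib
import hmac
import os

def make_hash(password, scheme="MD5", salt=None):
    """Return the {SCHEME}base64 form slapd accepts in rootpw and userPassword."""
    pw = password.encode()
    if scheme == "MD5":    # what "slappasswd -h '{MD5}'" prints: unsalted MD5
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    if scheme == "SSHA":   # slappasswd's default: SHA-1 over password + 4-byte salt
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)

def verify(stored, password):
    """Check a candidate password against a {MD5} or {SSHA} value the way slapd
    does on a simple bind; the constant-time compare avoids a timing side channel."""
    if not stored.startswith("{") or "}" not in stored:
        return False          # not a hashed value in RFC 2307 form
    scheme, b64 = stored[1:].split("}", 1)
    raw = base64.b64decode(b64)
    pw = password.encode()
    if scheme.upper() == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False

def is_salted(stored):
    """True when equal passwords yield different stored values (needs {SSHA})."""
    return stored.upper().startswith("{SSHA}")
```

Because {MD5} is unsalted, two accounts with the same password get the same stored value, which {SSHA} avoids.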
This configuration file enables two important features:
- A security layer with TLS/SSL (authentication of the server by its certificate and encryption)
- Replication to another shadow server with syncrepl
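To see what the three access directives in the configuration above actually grant, here is an added example (not from this page) that parses them and evaluates OpenLDAP's first-match rule for a given bind DN, entry and attribute; the user DNs under ou=People,dc=iihe,dc=tier2,dc=be used in the checks are constructed.

```python
import shlex
# Constructed copy of the three "access to" directives from the slapd.conf above.
ACL_TEXT = """
access to attrs=userPassword by dn="cn=manager,dc=tier2,dc=be" write by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read by self write by anonymous auth by * none
access to attrs=uidNumber,gidNumber by dn="cn=manager,dc=tier2,dc=be" write by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read by self read by anonymous auth by * none
access to * by dn="cn=manager,dc=tier2,dc=be" write by dn="uid=syncrepl,ou=System,dc=tier2,dc=be" write by dn="uid=proxyuser,ou=System,dc=tier2,dc=be" read by self write by anonymous auth by users read
"""
# OpenLDAP access levels, weakest to strongest; a level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acls(text):
    """Return [(attrs_or_None, [(who, level), ...]), ...] in directive order."""
    acls = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)  # strips the quotes around dn="..."
        target = tok[2]          # tok[0:2] is 'access to'
        attrs = None if target == "*" else {a.lower() for a in target[6:].split(",")}
        clauses = [(tok[i + 1], tok[i + 2]) for i in range(3, len(tok), 3)]
        acls.append((attrs, clauses))
    return acls

def who_matches(who, bind_dn, entry_dn):
    """bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError("unsupported <who> clause: " + who)

def access_level(acls, bind_dn, entry_dn, attr):
    """The first directive whose target covers attr decides; inside it the first
    matching 'by' clause wins, and no matching clause means access is denied."""
    for attrs, clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"
    return "none"

ACLS = parse_acls(ACL_TEXT)
```

Compare LEVELS.index() of the returned level with the level an operation needs to decide whether it is allowed.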
From the above config file, you can also see that the LDAP directory content will be stored in a BDB database. Before this backend is created, you must make sure that the user ldap exists, and then check that the directory /var/lib/ldap exists with permission 700 and owner ldap. If this is not the case:
    useradd ldap
    mkdir /var/lib/ldap
    chmod 700 /var/lib/ldap
    chown -R ldap:ldap /var/lib/ldap
To tune the performance of the Berkeley DB backend, a DB_CONFIG file is needed in /var/lib/ldap:
    cp /usr/share/doc/openldap-servers-2.4.12/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    chown ldap /var/lib/ldap/DB_CONFIG
Finally, we have to configure the local client tools by changing /etc/openldap/ldap.conf, because we need them to make some checks on the server:
    BASE dc=iihe,dc=ac,dc=be
    URI ldap://ldap.iihe.ac.be/
Test server configuration
To test the configuration, just type:
    service ldap configtest
Populate the LDAP directory
We will populate the directory with the following ldif file:
    dn: dc=tier2,dc=be
    dc: tier2
    description: Toplevel domain
    associatedDomain: tier2.be
    nisDomain: tier2.be
    objectClass: top
    objectClass: domain
    objectClass: domainRelatedObject

    dn: dc=iihe,dc=tier2,dc=be
    dc: iihe
    objectClass: top
    objectClass: domain
    objectClass: domainRelatedObject
    description: IIHE's subdomain
    associatedDomain: iihe.tier2.be

    dn: dc=fynu,dc=tier2,dc=be
    dc: fynu
    objectClass: top
    objectClass: domain
    objectClass: domainRelatedObject
    description: FYNU's subdomain
    associatedDomain: fynu.tier2.be

    dn: ou=Group,dc=fynu,dc=tier2,dc=be
    objectClass: top
    objectClass: organizationalUnit
    ou: Group
    description: The groups

    dn: ou=People,dc=fynu,dc=tier2,dc=be
    objectClass: top
    objectClass: organizationalUnit
    ou: People
    description: The users

    dn: ou=Group,dc=iihe,dc=tier2,dc=be
    objectClass: top
    objectClass: organizationalUnit
    ou: Group
    description: The groups

    dn: ou=People,dc=iihe,dc=tier2,dc=be
    objectClass: top
    objectClass: organizationalUnit
    ou: People
    description: The users

    dn: cn=extrausers,ou=Group,dc=iihe,dc=tier2,dc=be
    objectClass: posixGroup
    objectClass: top
    cn: extrausers
    gidNumber: 20900

    dn: cn=localgrid,ou=Group,dc=iihe,dc=tier2,dc=be
    objectClass: posixGroup
    objectClass: top
    cn: localgrid
    gidNumber: 20501

    dn: cn=localusers,ou=Group,dc=iihe,dc=tier2,dc=be
    objectClass: posixGroup
    objectClass: top
    cn: localusers
    gidNumber: 20500

    dn: ou=System,dc=tier2,dc=be
    objectClass: top
    objectClass: organizationalUnit
    ou: System
    description: System accounts

    dn: uid=syncrepl,ou=System,dc=tier2,dc=be
    uid: syncrepl
    ou: System
    description: Special account for SyncRepl
    objectClass: account
    objectClass: simpleSecurityObject

    dn: uid=proxyuser,ou=System,dc=tier2,dc=be
    uid: proxyuser
    ou: System
    objectClass: account
    objectClass: simpleSecurityObject
    description: System account to bind to ldap in readonly mode
    userPassword:: e0NSWUBVfXdCejlQehRaSzFsYzI=
Here is the command to import this ldif file:
    slapadd -v -l test.ldif
Note: for security reasons, the above ldif file does not give the actual content of our LDAP server. You will find the real content in our restricted area: here
Final check of the service
First, we must start the service:
    service ldap start
Then, we can try a few searches through the directory:
    ldapsearch -x -D "cn=manager,dc=iihe,dc=ac,dc=be" -W -b "ou=Users,dc=iihe,dc=ac,dc=be"
    ldapsearch -x -D "cn=manager,dc=iihe,dc=ac,dc=be" -W -b "dc=iihe,dc=ac,dc=be"
Procedure describing how to configure a UI for LDAP authentication
Procedure for the renewal of the LDAP server certificates
Here are the files to update:
    TLSCACertificateFile /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be-bundle.pem
    TLSCertificateFile /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt
For your information, here is the private key; it should not be changed:
    TLSCertificateKeyFile /etc/pki/tls/ldap/private/ldap01_iihe_ac_be.key
Use the BELNET Web interface to request a new certificate. You will be asked for a request file; simply give this one:
    ldap01:/root/host_req.pem
(Since we always reuse the same key, there is no need to generate a new request.)
Once you have got the new certificates from BELNET, first make a backup of the old ones:
    ssh root@ldap01 "mv /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt.old"
    ssh root@ldap01 "mv /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be-bundle.pem /etc/pki/tls/ldap/certs/ldap01_iihe_ac_be-bundle.pem.old"
Then, copy the new ones:
    scp ldap01_iihe_ac_be.pem root@ldap01:/etc/pki/tls/ldap/certs/ldap01_iihe_ac_be.crt
How to synchronise accounts on the LDAP server with accounts created by Quattor in flat files?
Since the LDAP server is not managed by Quattor, accounts have to be synchronised in a "manual" step. To make this task easy, a Perl script has been written (see the attachment to this page). Simply launch this script as root on CCQ.
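The attached Perl script is not reproduced on this page; as an added example (not that script), here is a Python version of the same idea: it turns /etc/passwd and /etc/group style lines into LDIF for ou=People and ou=Group under dc=iihe,dc=tier2,dc=be, skipping accounts and groups the directory already has. The sample lines, the id threshold of 1000 and the choice of account + posixAccount object classes are assumptions; passwords live in /etc/shadow and are not migrated.

```python
# Constructed sample of the flat files Quattor maintains on the node.
PASSWD = """\
alice:x:21001:20500:Alice Example:/home/alice:/bin/bash
bob:x:21002:20500:Bob Example:/home/bob:/bin/bash
root:x:0:0:root:/root:/bin/bash
"""
GROUP = """\
localusers:x:20500:alice,bob
localgrid:x:20501:
"""
BASE = "dc=iihe,dc=tier2,dc=be"  # subtree from the page's LDIF
MIN_ID = 1000                    # assumption: lower ids are system accounts
def ldif(dn, attrs):
    """Render one LDIF entry from (attribute, value) pairs (ASCII values only)."""
    return "\n".join(["dn: " + dn] + [f"{k}: {v}" for k, v in attrs]) + "\n"

def user_entries(passwd_text, existing_uids=(), base=BASE):
    entries = {}  # login -> LDIF, only for logins the directory lacks
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid, gid, gecos, home, shell = line.split(":")
        if int(uid) < MIN_ID or name in existing_uids:
            continue
        attrs = [("objectClass", "account"), ("objectClass", "posixAccount"),
                 ("uid", name), ("cn", gecos or name), ("uidNumber", uid),
                 ("gidNumber", gid), ("homeDirectory", home), ("loginShell", shell)]
        if gecos:
            attrs.append(("gecos", gecos))
        entries[name] = ldif(f"uid={name},ou=People,{base}", attrs)
    return entries

def group_entries(group_text, existing_groups=(), base=BASE):
    entries = {}  # group -> LDIF, with one memberUid per listed member
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, gid, members = line.split(":")
        if int(gid) < MIN_ID or name in existing_groups:
            continue
        attrs = [("objectClass", "posixGroup"), ("cn", name), ("gidNumber", gid)]
        attrs += [("memberUid", m) for m in members.split(",") if m]
        entries[name] = ldif(f"cn={name},ou=Group,{base}", attrs)
    return entries

def sync_ldif(passwd_text, group_text, existing_uids=(), existing_groups=()):
    """Everything still missing, groups first, ready for ldapadd or slapadd."""
    parts = list(group_entries(group_text, existing_groups).values())
    parts += list(user_entries(passwd_text, existing_uids).values())
    return "\n".join(parts)
```

The existing_uids and existing_groups sets would come from an ldapsearch of the directory before the run.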