
# LinuxCBT OpenLDAPv24x Edition #

Features:
1. Current Major Release: 2.4x - in contrast to 2.3x (LinuxCBT OpenLDAP Edition)
2. Industry Standard Directory Services via: Standalone LDAP Server: 'slapd'
3. Centralized access to common information:
a. Users
b. Configurations: i.e. MySQL, Apache, Postfix, etc.
c. Associated attributes || Key-Value pairs
4. Facilitates the current Virtualization trend, whereby the ability to spawn
numerous instances of OSes is the norm. Saves time in referencing common data-sets:
users, groups, machines, application data, other key-value pairs (associated
attributes)
5. Provides fast searches of such data
6. Quite scalable at providing access to key data
7. Replication (distribution) of content (data) across N nodes as needed
a. N-Way - Replication
b. Multi-Master (configurable - not Default) Replication
c. Single-Master (Default) replication framework
c1. In Single-Master mode, 1-Node is responsible for data-writes, whilst ALL
nodes accept read requests
Note: 'slurpd' is no longer used for replication - 'slapd' handles replication
8. Consistent presentation of Directory Information Tree (DIT) across ALL: 'slapd'
instances
9. Simpler configuration
a. Deprecated: 'slapd.conf' - use 'slapd-config' instead
Note: 'slapd-config' influences dedicated configuration DIT instead of standalone
configuration file: 'slapd.conf'
b. Note: 'slapd.conf' is still supported, but being phased-out - prepare for
subsequent releases to fully retire 'slapd.conf'
Note: Configuration is still largely the same, just stored inside of LDAP instead
of outside in a configuration file
10. In-built support to convert from: 'slapd.conf' to 'slapd-config' - auto-updated
on Debian | Ubuntu if exists: 'slapd.conf'
11. Services driven primarily by: 'slapd'
12. LDAP Entries (Unique amalgamations of values) consist of:
a. Attributes - which consist of:
a1. Types: i.e. country(c), state(st), city, organization, ou, cn, mail, dc,
uid, etc.
13. Common implementations follow DNS: i.e. linuxcbt.internal => i.e.
dc=linuxcbt,dc=internal,o=LinuxCBT,ou=training
14. It is common internally to use a sub-domain of Internet-routable naming scheme:
i.e. linuxcbt.com, ad.linuxcbt.com, it.ad.linuxcbt.com
15. Entries are referenced using: Distinguished Names (DNs) - Concatenations of
entries' attributes
i.e. 'uid=linuxcbt,ou=training,o=LinuxCBT,dc=linuxcbt,dc=internal'
DNs allow LDAP servers and clients to fully qualify objects, as even a single
attribute difference relates to different objects
16. Directory Information Tree (DIT) - maintained by 'slapd' instances
a. House of DNs (attributes that relate to identifiable objects)
17. Single configuration via - 'slapd-config'
18. Ability to dynamically configure: 'slapd' instances - sans server restart
a. Dynamic Configuration Engine - new to current version
19. Support for a variety of back-ends: BDB, HDB(Default), Custom (i.e. scripts,
etc.), other DBMSs (MySQL, Oracle)
20. Referrals - LDAP can refer client requests to appropriate 'slapd' instance(s)
21. SASL Support for Authentication
22. TLS | SSL Support for Encryption - Confidentiality & Integrity - 'ldaps://' -
TCP:636
23. Unix Domain Sockets (UDS) Support - 'ldapi://' - local access via UDS
24. Logging is configurable and defaults to: LOCAL4
25. Overlays - Additional (modular) functionality providing hooks to various
behaviors: i.e. logging
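The DN rules in features 13 and 15 above, as an added example in Python (not LinuxCBT's or OpenLDAP's code): split a DN on unescaped commas, compare DNs case-insensitively, test whether an entry sits beneath a base, and derive a base DN from a DNS name. Assumed: attribute values are compared after case-folding, a simplification of the per-attribute matching rules slapd applies.

```python
"""Small DN helpers following RFC 4514 (added example; not OpenLDAP code).
Assumption: attribute types and values compare case-insensitively, which is
a simplification of the matching rules slapd applies per attribute."""


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes.

    'cn=Smith\\, John,ou=IT,dc=linuxcbt,dc=internal' yields 4 RDNs, not 5:
    the escaped comma stays inside the cn value.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:            # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":        # unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return [r.strip() for r in rdns if r.strip()]


def parse_dn(dn):
    """Return [(type, value), ...] from the most specific RDN down to the suffix."""
    parts = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def same_dn(a, b):
    """True when two DN strings name the same entry."""
    return parse_dn(a) == parse_dn(b)


def is_under(dn, base):
    """True when dn is base itself or lies beneath base in the DIT."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def domain_to_base_dn(domain):
    """linuxcbt.internal -> dc=linuxcbt,dc=internal (feature 13 above)."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={label}" for label in labels)
```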

# Installation | Exploration | Environment #

Topology:
1. linuxcbtopenldap1 - .200
2. linuxcbtopenldap2 - .201
Both running Ubuntu 12.04 LTS

Features:
1. Primary daemon: 'slapd'
2. Configured dynamically via: 'slapd.d/' - LDIF entries - these reflect
configurations maintained in new 'slapd' DIT configuration
Note: This gives us a file system (FS) view of the current configuration
Note: These files (beneath: slapd.d/) are NOT to be modified directly, but rather
via DIT configuration: 'cn=config' (DIT)
Note: If necessary, provide directives via: 'slapd.conf'
Note: Do NOT modify LDIF entries directly - Use: 'ldapadd, ldapmodify, ldapdelete'

3. Dynamic Configuration Engine - requires fewer server restarts
a. Supported since OpenLDAP 2.3x (Covered in LinuxCBT OpenLDAP Edition)
4. 'slapd.conf' - deprecated - Use: 'slapd-config' command to effect changes
dynamically

Tasks:
1. Install 'slapd' on both servers - linuxcbtopenldap[12]
a. 'aptitude install slapd ldap-utils' - installs server and client components
Note: If installer does NOT prompt for 'Admin' password and domain info, then run:
'dpkg-reconfigure -plow slapd' - permits defaults
b. 'sudo dpkg-reconfigure -plow slapd' - run anyway to properly reconfigure
'slapd'
2. Confirm running 'slapd'
a. 'ps -ef | grep slapd'
'/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F
/etc/ldap/slapd.d'

3. Explore configuration
a. '/etc/ldap/slapd.d' - default directory containing configuration: 'cn=config'
data - do NOT modify directly
b. '/etc/default/slapd'
c. '/etc/ldap/'
c1. 'ldap.conf' - server config - basics
c2. 'sasl2' - SASL2 support
c3. 'schema' - Default LDAP schemas
c4. 'slapd.d' - contains 'cn=config' schema | LDIF data - Do NOT modify
manually
d. '/var/lib/ldap' - DB directory - contains, by default:
d1. 'cn=config' - DIT
d2. 'dc=linuxcbt,dc=internal' - DIT

e. '/var/run/slapd/'
e1. 'slapd.pid' - current PID
e2. 'slapd.args' - arguments used during invocation
e3. 'ldapi' - UDS
f. 'dpkg -L ldap-utils' - reveals key LDAP client utilities
f1. 'ldap(add|modify|delete|search)'

# 'slapd-config' - Configuration #
Features:
1. LDAP-stored and driven configuration
2. Reduces the likelihood of a damaged configuration due to human error, because
changes must be effected via front-end tools: i.e. 'ldap[add|modify|delete] -
'slapd-config'

3. 'cn=config' - root of configuration of LDAP instance - server-wide
configuration attributes
a. i.e. logging configuration, referral server, etc.
4. 'slapd.conf' - still supported, but deprecated - Debian-systems (Ubuntu |
Debian) auto-migrate entries from: 'slapd.conf'

Configuration - 'slapd-config'
a. Stored in LDAP with distinct DIT and root of: 'cn=config'
b. LDIFs are referenced from: '/etc/ldap/slapd.d'

Tasks:
1. Explore 'slapd-config' hierarchy
a. '/etc/ldap/slapd.d/cn=config/'
a1. 'cn=module{0}.ldif' - calls ALL supported modules: i.e. HDB back-end
a2. 'cn=schema.ldif' - describes inclusion of various schema files
a3. 'cn=schema' - list of default schema to include
a3a. i.e. 'inetorgperson' - common LDAP object representing typical contact:
i.e. user within an organization
a4. Back-Ends - HDB (Default)
a5. Supported Databases - distinct instances of implemented Back-Ends - i.e.
'dc=linuxcbt,dc=internal' - on HDB back-end
Note: If you need to implement a feature in OpenLDAP via the 'cn=config' mechanism,
you will often prefix the directive with: 'olc' to indicate an OpenLDAP
Configuration entry: i.e. a 'slapd.conf' directive would usually appear as:
'olcNameOfDirective'

2. Dump Default Configuration - Fully-amalgamated
a. 'sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"'
Note: On new instances, debug any inability to dump 'cn=config'
3. Enable logging with: 'cn=config'
a. Create simple LDIF
b. 'ldapmodify -Y EXTERNAL -H ldapi:// -f EnableLogging.ldif'
c. 'sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" | grep -i log' -
reveals logging set to: '-1'
d. 'sudo tail /var/log/syslog' - search for 'slapd' entries
Note: This is a realtime, configuration change sans need to restart 'slapd'

Note: Base of interest in new configuration is: 'cn=config' - change keys/values
that drive server behavior here

# LDAP Entries #
dc=linuxcbt,dc=internal, o, ou, users, machines, groups, etc.

Tasks:
1. Create basic top-level entries in: dc=linuxcbt,dc=internal
a. Sales
b. Marketing
c. Development
d. IT

1a. 'ldapadd -D "cn=admin,dc=linuxcbt,dc=internal" -x -c -W' - copy and paste 2
OUs
1b. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -W -b
"dc=linuxcbt,dc=internal"'
Note: 'ldapadd' permits multiple records sans delimiting '-' unlike 'ldapmodify'
Note: '-c' option will skip errors pertaining to existing records

Current Structure:
linuxcbt.internal (Top-level LDAP Domain)
-LinuxCBT (Organization)
-people,IT,devops,engineering,development,sales,marketing (OUs)
-Real-world objects: i.e. users, groups, machines

2. Search for objects
a. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -b
"dc=linuxcbt,dc=internal" -x -W' - classic LDAP bind DN search
b. 'ldapsearch -Y EXTERNAL -H ldapi:// -b "dc=linuxcbt,dc=internal"' - searches
using UDS sans SASL or simple AUTH - presumes local read-only (minimum) access to
Unix Domain Socket (UDS)

Note: Default search from: 'dc=linuxcbt,dc=internal' reveals ALL objects in DIT
(dc=linuxcbt,dc=internal)

3. Filter Results
a. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123 -b
"dc=linuxcbt,dc=internal" "(ObjectClass=organizationalunit)"'
Note: Search criteria can include any key from LDAP with common comparisons,
operators, wildcards, etc.

4. Add Users
a. 'ldapadd -D "cn=admin,dc=linuxcbt,dc=internal" -x -c -wabc123 -f
Add_Users.ldif'
b. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123 -b
"dc=linuxcbt,dc=internal" "objectclass=inetorgperson"'
c. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123 -b
"dc=linuxcbt,dc=internal" "cn=linuxcbt*"' - finds ALL 'cn' matches of: 'linuxcbt'

5. Change Users' Passwords
a. 'ldappasswd -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123 -S
"cn=linuxcbt,ou=IT,dc=linuxcbt,dc=internal"'
b. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123 -b
"dc=linuxcbt,dc=internal" "cn=linuxcbt*"' - confirm User's password is set
c. Repeat for user=linuxcbt2
d. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123 -b
"dc=linuxcbt,dc=internal" "cn=linuxcbt*"' - confirm different string

6. Modify Users' details
a. 'ldapmodify -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123 -f
Modify_Users.ldif'
Note: When modifying records with: 'ldapmodify', separate actions
(add,replace,delete) with '-', but separate records (LDAP DNs) with whitespace

7. Delete User
a. 'ldapdelete -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123
"cn=linuxcbt2,ou=IT,dc=linuxcbt,dc=internal"'
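The ldapmodify conventions in the note above (actions on one DN separated by a line holding only '-', records separated by a blank line), as an added Python example that is not LinuxCBT's Modify_Users.ldif: a builder that writes change records and a parser that checks a file before ldapmodify sees it. The DNs and attributes used in the comments and test are constructed.

```python
"""Build and check ldapmodify change records (added example, not part of the
course). Conventions: within one 'changetype: modify' record, successive actions
are separated by a '-' line; records (DNs) are separated by a blank line."""
import base64

MODIFY_OPS = ("add", "replace", "delete")


def ldif_attr_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' when RFC 2849 requires it
    (leading space/':'/'<', trailing space, empty, or non-printable/non-ASCII)."""
    needs_b64 = (
        value == ""
        or value[0] in " :<"
        or value[-1] == " "
        or any(ord(c) > 126 or ord(c) < 32 for c in value)
    )
    if needs_b64:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def build_modify_record(dn, mods):
    """mods: list of (op, attr, values). Returns one change record."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for i, (op, attr, values) in enumerate(mods):
        if op not in MODIFY_OPS:
            raise ValueError(f"unknown modify op {op!r}")
        if i:
            lines.append("-")          # separator between actions on the same DN
        lines.append(f"{op}: {attr}")
        lines.extend(ldif_attr_line(attr, v) for v in values)
    return "\n".join(lines) + "\n"


def build_modify_ldif(changes):
    """changes: list of (dn, mods). Records are separated by one blank line."""
    return "\n".join(build_modify_record(dn, mods) for dn, mods in changes)


def parse_modify_ldif(text):
    """Parse text back into {dn: [(op, attr, [values]), ...]} so a hand-written
    file can be validated before it is handed to ldapmodify."""
    result = {}
    for record in [r for r in text.strip().split("\n\n") if r.strip()]:
        lines = record.strip().split("\n")
        if len(lines) < 3 or not lines[0].startswith("dn: ") or lines[1] != "changetype: modify":
            raise ValueError("record must start with 'dn:' and 'changetype: modify'")
        dn, mods, current = lines[0][4:], [], None
        for line in lines[2:]:
            if line == "-":                  # next action on the same DN
                current = None
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):        # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if current is None:              # first line of an action: 'op: attr'
                if attr not in MODIFY_OPS:
                    raise ValueError(f"expected add/replace/delete, got {attr!r}")
                current = (attr, value, [])
                mods.append(current)
            else:
                current[2].append(value)
        result[dn] = mods
    return result
```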

# LDAP AUTH - Centralized Accounts #
Features:
1. Centralized accounts
2. Centralized configuration data for applications: i.e. MySQL, Postfix, Apache,
etc.
3. Reduced administrative overhead

Typical Stack:
1. AUTH Client (LDAP Client)
2. PAM Hook
a. AUTH against LDAP directory
b. Auto-creation of $HOME
3. NSS Hook

Tasks:
1. Configure Ubuntu to use LDAP AUTH
a. 'aptitude install ldap-auth-client nscd' - meta package - installs ALL
requisite packages
Note: 'nscd' - will cache lookups of: passwd, group, hosts
Note: UDS 'ldapi://' - requires no AUTH to view entries in LDAP
Note: If problems accessing LDAP, re-configure with: 'dpkg-reconfigure ldap-auth-config'

2. Configure dependent LDAP client components
a. '/etc/nsswitch.conf' - modify to include a search of 'ldap' for desired DBs:
i.e. passwd, group, hosts
Note: prepend: 'passwd', 'group', and 'shadow' with: 'ldap ' - to allow NSSWITCH to
search LDAP for results
b. Configure PAM to auto-create $HOME upon login
b1. '/etc/pam.d/common-session'
b2. 'session required pam_mkhomedir.so skel=/etc/skel umask=0022'
b3. '/etc/pam.d/common-password' - If necessary, remove: 'use_authtok' option from:
'ldap' line to work around bug with inability to change user's password

3. Prepare for new AUTH environment
a. 'invoke-rc.d nscd restart'
b. 'getent passwd' || 'getent group'

Note: Add user with objectClass=posixAccount to realize via LDAP AUTH client: i.e.
'getent passwd'

4. SSH to local LDAP clients as LDAP users
a. 'ssh linuxcbt4@localhost' - auto-creates '/home/linuxcbt4' but defaults to
Bourne $SHELL

5. Ensure that: linuxcbtubudesk2 also uses common LDAP
a. 'sudo dpkg-reconfigure ldap-auth-config' - point to: 192.168.75.200

6. Confirm current LDAP client access
a. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123 -b
"dc=linuxcbt,dc=internal" -h 192.168.75.200'
b. 'cat /etc/ldap.conf' - Debian | Ubuntu systems - ensure that LDAP URI(s) point
to appropriate LDAP instances - this confirms that client uses LDAP server(s) for
AUTH
Note: On CentOS | RedHat systems - check: /etc/openldap/ldap.conf to ensure
appropriate LDAP URI(s)

Note: If LDAP users have: 'uid=linuxcbt' (existing user: i.e. linuxcbt), there will
be ambiguity upon login. Ensure that LDAP users do NOT use uid=existing users
Note: LDAP permits each user object to have multiple 'uid' values, which may
conflict with: /etc/passwd users

c. 'getent passwd' - should display LDAP users
d. 'id LDAP_USER' i.e. 'id linuxcbt4'

# Debian Clients - LDAP AUTH #

Tasks:
1. Configure Debian clients to use LDAP servers as AUTH sources
a. 'aptitude install ldap-auth-client nscd'
b. '/etc/ldap.conf' - confirm values
c. '/etc/nsswitch.conf' - update to reference 'ldap compat'
d. '/etc/pam.d/common-session'
'session required pam_mkhomedir.so skel=/etc/skel umask=0022'
e. '/etc/pam.d/common-password'
remove 'use_authtok' reference
f. 'getent passwd'
g. 'id linuxcbt4' - check presence
h. 'ssh linuxcbt4@192.168.75.101'

Note: Password AUTH issues often relate to mismatch in LDAP client algorithm
default: i.e. Server uses: SHA256, client supports MD5
Note: Ensure that ALL LDAP clients use matching algorithms with LDAP server

i. '/etc/login.defs' - consult to ensure consistent algorithm (passwords) across
systems sharing LDAP
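To diagnose the algorithm mismatch described in the notes above, an added Python example (not LinuxCBT's or OpenLDAP's code) that reports the scheme prefix of each userPassword value and verifies a clear-text password against {SSHA}, {SHA}, {SMD5} and {MD5} values in the form slappasswd produces; {CRYPT} values are reported but not verified here. The sample password, salt and DNs are constructed.

```python
"""Identify userPassword schemes and verify passwords against them (added
example, not course code). Covers the RFC 2307 base64 schemes; {CRYPT} is
reported by scheme_of() but check_password() does not verify it."""
import base64
import hashlib
import os


def make_ssha(password, salt=None):
    """Build a {SSHA} value the way slappasswd -h {SSHA} does:
    base64(sha1(password + salt) + salt). A 4-byte random salt is the usual size."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def scheme_of(stored):
    """Return the scheme name ('SSHA', 'MD5', 'CRYPT', ...) or 'CLEARTEXT'."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "CLEARTEXT"


def check_password(password, stored):
    """True when password matches the stored userPassword value."""
    scheme = scheme_of(stored)
    pw = password.encode("utf-8")
    if scheme == "CLEARTEXT":
        return stored == password
    raw = base64.b64decode(stored[len(scheme) + 2:])   # strip '{SCHEME}'
    if scheme == "SSHA":                 # 20-byte SHA-1 digest, then the salt
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(pw + salt).digest() == digest
    if scheme == "SHA":
        return hashlib.sha1(pw).digest() == raw
    if scheme == "SMD5":                 # 16-byte MD5 digest, then the salt
        digest, salt = raw[:16], raw[16:]
        return hashlib.md5(pw + salt).digest() == digest
    if scheme == "MD5":
        return hashlib.md5(pw).digest() == raw
    raise NotImplementedError(f"scheme {scheme} is not verified by this helper")


def audit_schemes(entries):
    """entries: {dn: userPassword}. Returns {scheme: [dn, ...]} so accounts whose
    scheme a client cannot handle (the mismatch noted above) stand out."""
    out = {}
    for dn, stored in entries.items():
        out.setdefault(scheme_of(stored), []).append(dn)
    return out
```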

# RedHat | CentOS Clients - LDAP AUTH #

Features:
1. Uses: sssd to cache and interact with directory services: i.e. LDAP, NIS, ADS,
etc.
2. Stack:
a. PAM hook
b. AUTH client
c. NSS hook - sssd

Tasks:
1. Review | Build stack
a. 'yum install openldap openldap-clients nss-pam-ldapd' - installs 'sssd' by
default

b. 'cat /etc/nsswitch.conf'
'
passwd: files sss
shadow: files sss
group: files sss
'
c. '/etc/openldap/ldap.conf'
d. 'system-config-authentication' - GUI to manage AUTH config to various remote
directories: i.e. LDAP, ADS, Kerberos support
e. 'ssh -X root@192.168.75.120' - connects and exports graphics to local system
Note: 'authconfig' is $SHELL alternative to updating CLIENT AUTH mechanism of
CentOS | RedHat instances

2. Test access to LDAP Directory Users
a. 'id linuxcbt4'
Note: If this fails, re-run: 'system-config-authentication' and check settings

b. 'su linuxcbt4'
3. Update PAM config to auto-create $HOME
a. '/etc/pam.d/su'
'
#LinuxCBT Classroom
session required pam_mkhomedir.so skel=/etc/skel umask=0022
'
4. Update using 'ldapmodify' cn=linuxcbt3 to have 'loginShell' attribute
a. 'ldapmodify -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123 '
'dn: cn=linuxcbt3,ou=IT,dc=linuxcbt,dc=internal'
'changetype: modify'
'add: loginShell'
'loginShell: /bin/bash'

b. Test that uid=linuxcbt3 defaults to: '/bin/bash' as $SHELL - Note: new login
session may be required

# LDAP Account Manager - Enterprise LDAP Administration #

Features:
1. Web GUI to assist with LDAP DIT Management
2. Schema Browser
a. Effective way to study LDAP schemas

Tasks:
1. Install & Explore
a. 'aptitude install ldap-account-manager' - will install ALL dependencies as
needed: i.e. Apache, PHP, etc.
b. 'dpkg -L ldap-account-manager' - examine footprint of package
c. '/etc/ldap-account-manager/apache.conf' - included by Apache to provide hook
d. '/usr/share/ldap-account-manager' - web root of LDAP Account Manager
e. '/lam' -> '/usr/share/ldap-account-manager'

2. Use Interface - Update defaults
a. Change passwords for both classes of administration to something secret other
than default => 'lam'
b. Update configuration with appropriate LDAP settings: i.e. base DN, AUTH info,
etc.

3. Clean-up existing users

4. Create new users
5. Test connectivity
a. 'su'
b. 'ssh'
Note: Now that the MD5 algorithm is part-and-parcel of ALL users, AUTH issues should
be fixed

6. Further exploration
a. Extend supported schemas of existing users to include: ShadowAccount
b. Create new objects (accounts)
b1. 'linuxcbt[67]' - inetOrgPerson, posixAccount, ShadowAccount

Note: Use: 'slappasswd' to generate password strings for user accounts when using
LDAP client utilities
Note: By default, pam_mkhomedir.so will apply the $USER as the owner of their
$HOME. This may not be desirable for some applications: i.e. 'sftp' in restricted,
high-security mode. In this case, tweak pam_mkhomedir.so accordingly to flag
permissions as: i.e. 'root.root'

c. Attempt to query DIT dc=linuxcbt,dc=internal as newly-created user=linuxcbt6
c1. 'ldapsearch -D "uid=linuxcbt6,ou=engineering,dc=linuxcbt,dc=internal" -W -x
-b "dc=linuxcbt,dc=internal" -h 192.168.75.200'

Note: Default LDAP implementation permits ALL users, including anonymous, access to
'read' contents of Default DIT - dc=linuxcbt,dc=internal

d. Move users across OUs
d1. Note: With $SHELL, you can copy, then delete objects from original OU
d2. With GUI, similar process
d2a. GUI copies, then optionally deletes. Beware, that this could result in
more than 1 user with access to same files

# Replication #
Features:
1. New model: Provider | Consumer - instead of Master | Slave
2. Providers (Masters) and Consumers (Slaves) can interchange roles
3. Syncrepl
a. Uses LDAP Sync Protocol - pull(refreshOnly mode) && push(refreshAndPersist)
(preferred in proper bandwidth arrangements) updates
Note: If connections are unstable, then use: 'refreshOnly'(pull) synchronization
b. Operates on client (slapd thread) - polls provider for updates - pull model
c. Push updates are also supported - changes on providers triggers pushes to
consumers
d. Incremental updates - ability to synch content from any point in the data
stream
4. Synchs are provided via special searches by consumer to provider: i.e.
'ldapsearch...'
a. 'refreshOnly' - consumer (slave) performs special search, receives latest
DIT, connection closes until next search|synch interval
b. 'refreshAndPersist' - consumer performs special search and receives latest
DIT, and connection remains open for additional updates
5. Each synched object(record) has unique: entryUUID attribute - more unique than
DN because DN is subject to change
6. Single-Master && Multi-Master Replication Supported
7. Replicas can be built from backups or using syncrepl (auto-converges)
8. Replication configuration is made directly to DIT DBs

Tasks:
1. Server Configuration
a. Create 'repl' user
a1. Use 'ldapadd' - Add 'repl' user based on our LDIF
b. Ensure 'cn=config' permissions permit 'cn=repl' access to read DIT
dc=linuxcbt,dc=internal
b1. 'ldapsearch -Y EXTERNAL -H ldapi:// -b "cn=config" '
Note: We will assume for now that 'cn=repl' has access to read DIT
c. Enable replication on Provider (.200)
c1. 'ldapadd -Y EXTERNAL -H ldapi:// -f
Copy and paste directives impacting: 'cn=config' and check
d. Inject new olcAccess rule to permit: 'cn=repl,dc=linuxcbt,dc=internal' read
permissions to DIT (dc=linuxcbt,dc=internal)
d1. 'ldapmodify -Y EXTERNAL -H ldapi://'
'
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
auth by dn="cn=admin,dc=linuxcbt,dc=internal" write by * none
'
d2. 'ldapmodify -Y EXTERNAL -H ldapi://'
'
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
auth by dn="cn=admin,dc=linuxcbt,dc=internal" write by
dn="cn=repl,dc=linuxcbt,dc=internal" read by * none
'
d3. 'ldapsearch -Y EXTERNAL -H ldapi:// -b "cn=config" ' - query and ensure new
permissions are applied to {1}hdb...
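First-match evaluation of the olcAccess value rewritten in step d, as an added Python example (not how slapd implements ACLs, but the documented first-match rule for the who-specifiers used here: self, anonymous, users, dn="...", and *). The two constants are the before and after values from d1 and d2; the user DN in the test is constructed. It shows why cn=repl got 'none' before the change and 'read' after it, while anonymous binds still get only 'auth'.

```python
"""Evaluate an olcAccess 'by' clause list with first-match semantics (added
example; simplified model of slapd.access(5), exact-DN matching only)."""
import re
import shlex

# Access levels in increasing order, as slapd orders them.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

PAGE_RULE_BEFORE = ('{0}to attrs=userPassword,shadowLastChange by self write by anonymous '
                    'auth by dn="cn=admin,dc=linuxcbt,dc=internal" write by * none')
PAGE_RULE_AFTER = ('{0}to attrs=userPassword,shadowLastChange by self write by anonymous '
                   'auth by dn="cn=admin,dc=linuxcbt,dc=internal" write by '
                   'dn="cn=repl,dc=linuxcbt,dc=internal" read by * none')


def parse_olc_access(rule):
    """'{n}to <what> by <who> <level> by ...' -> (what, [(who, level), ...])."""
    rule = re.sub(r"^\{\d+\}", "", rule.strip())   # drop the ordering index
    if not rule.startswith("to "):
        raise ValueError("olcAccess value must start with 'to'")
    tokens = shlex.split(rule[3:])                 # shlex strips the dn="..." quotes
    if "by" not in tokens:
        raise ValueError("no 'by' clause")
    first_by = tokens.index("by")
    what = " ".join(tokens[:first_by])
    clauses, i = [], first_by
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens):
            raise ValueError(f"malformed 'by' clause near {tokens[i:]}")
        who, level = tokens[i + 1], tokens[i + 2]
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        clauses.append((who, level))
        i += 3
    return what, clauses


def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous connection; target_dn is the entry read."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):                       # bare dn= means exact match
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError(f"who-specifier {who!r} not handled by this model")


def access_granted(rule, bind_dn, target_dn):
    """Level granted by the first matching 'by' clause; 'none' when nothing matches."""
    _, clauses = parse_olc_access(rule)
    for who, level in clauses:
        if who_matches(who, bind_dn, target_dn):
            return level
    return "none"


def allows(rule, bind_dn, target_dn, needed):
    """True when the granted level is at least the level needed."""
    return LEVELS.index(access_granted(rule, bind_dn, target_dn)) >= LEVELS.index(needed)
```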

2. Client Configuration
a. Ensure consumer server is clean: 'ldapsearch -D
"cn=admin,dc=linuxcbt,dc=internal" -x -W -b "dc=linuxcbt,dc=internal"'
a1. 'sudo ldapsearch -Y EXTERNAL -H ldapi:// -b "cn=config" ' - ensure clean
configuration

b. Enable indexes and replication
b1. 'ldapmodify -Y EXTERNAL -H ldapi://'
'
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: ou eq
-
add: olcDbIndex
olcDbIndex: uid eq
-
add: olcDbIndex
olcDbIndex: cn eq
-
add: olcDbIndex
olcDbIndex: dc eq
-
add: olcSyncrepl
olcSyncrepl: rid=001 provider="ldap://192.168.75.200:389/" type=refreshAndPersist
retry="60 30 300 +" searchbase="dc=linuxcbt,dc=internal" bindmethod=simple
binddn="cn=repl,dc=linuxcbt,dc=internal" credentials="abc123"
'
c. Confirm replication settings
c1. 'ldapsearch -Y EXTERNAL -H ldapi:// -b "cn=config"' - look for Indexes and
'olcSyncRepl' details
d. Confirm replication
d1. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -W -b
"dc=linuxcbt,dc=internal" ' - reveals replicated records
Note: If problems with replication, consider the following options:
a. Wait a bit (interval-based on server | client)
b. Wipe consumer's DB and restart configuration of DIT: 'dpkg-reconfigure slapd' -
reset DB by purging, then re-applying replication settings
c. Dump full DIT from server and import to client manually using: 'slap*' ||
'ldap*' commands

3. Create Dummy POSIX accounts and ensure replication
Note: In Single-Master configuration, writes are performed on the Server
a. Add entries to Provider and Confirm on replica using simple $SHELL semantics
b. Use Add_10001_Users.sh to generate .ldif, then add
c. 'ldapadd -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123 -f
Add_10001_Users.ldif'
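A Python stand-in for Add_10001_Users.sh, added here (the notes do not show the script, so the attribute set, the uid prefix and the sample getent output are assumptions, not the course's code): it emits posixAccount/inetOrgPerson/shadowAccount entries without userPassword (set afterwards with ldappasswd) and refuses uids that already appear in a client's 'getent passwd' output, the collision warned about under LDAP AUTH.

```python
"""Generate a mass-user LDIF in the spirit of Add_10001_Users.sh (added example;
attribute set and naming are assumptions). Feed the result to ldapadd -f."""

# Constructed sample of 'getent passwd' output taken from an LDAP client.
SAMPLE_GETENT = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
linuxcbt:x:1000:1000:LinuxCBT:/home/linuxcbt:/bin/bash
"""


def passwd_names(getent_output):
    """Set of user names from getent passwd / /etc/passwd style lines."""
    return {line.split(":", 1)[0] for line in getent_output.splitlines() if line.strip()}


def user_entry(uid, uid_number, gid_number, ou, base_dn, shell="/bin/bash"):
    """One LDIF add record. No userPassword: set it with ldappasswd afterwards."""
    lines = [
        f"dn: uid={uid},ou={ou},{base_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {uid}",
        f"cn: {uid}",
        f"sn: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        f"loginShell: {shell}",
    ]
    return "\n".join(lines) + "\n"


def clashing_uids(prefix, start, count, local_names):
    """Planned uids that already exist as local accounts on the client."""
    return [f"{prefix}{n}" for n in range(start, start + count) if f"{prefix}{n}" in local_names]


def mass_users_ldif(prefix, start, count, first_uid_number, gid_number, ou, base_dn,
                    local_names=frozenset()):
    """count records named prefix<start>.., uidNumber counting up from
    first_uid_number. Emits nothing if any planned uid exists locally."""
    clashes = clashing_uids(prefix, start, count, local_names)
    if clashes:
        raise ValueError(f"uids already exist locally: {clashes}")
    records = [
        user_entry(f"{prefix}{start + i}", first_uid_number + i, gid_number, ou, base_dn)
        for i in range(count)
    ]
    return "\n".join(records)   # blank line between add records, as ldapadd expects


def count_records(ldif_text):
    """Number of entries in an LDIF text (one 'dn:' line per record)."""
    return sum(1 for line in ldif_text.splitlines() if line.startswith("dn: "))
```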

4. Add: 'linuxcbtbuild2' as Consumer of: 'linuxcbtopenldap1'
a. 'ldapmodify -Y EXTERNAL -H ldapi://'

'
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: ou eq
-
add: olcDbIndex
olcDbIndex: uid eq
-
add: olcDbIndex
olcDbIndex: cn eq
-
add: olcDbIndex
olcDbIndex: dc eq
-
add: olcSyncrepl
olcSyncrepl: rid=002 provider="ldap://192.168.75.200:389/" type=refreshAndPersist
retry="60 30 300 +" searchbase="dc=linuxcbt,dc=internal" bindmethod=simple
binddn="cn=repl,dc=linuxcbt,dc=internal" credentials="abc123"
'

b. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123 -b
"dc=linuxcbt,dc=internal"' - confirm that replication has begun
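The olcSyncrepl values in steps 2 and 4 above, parsed by an added Python example (not OpenLDAP code): it extracts the parameters, expands retry="60 30 300 +" into a schedule, and flags two things worth checking in one consumer's configuration, a rid used twice and a simple bind over ldap:// without starttls (credentials cross the wire in clear text). PAGE_VALUE below is the rid=001 value from the notes; the starttls keyword is the syncrepl option of that name.

```python
"""Parse olcSyncrepl values and derive what they imply (added example)."""
import shlex

PAGE_VALUE = ('rid=001 provider="ldap://192.168.75.200:389/" type=refreshAndPersist '
              'retry="60 30 300 +" searchbase="dc=linuxcbt,dc=internal" bindmethod=simple '
              'binddn="cn=repl,dc=linuxcbt,dc=internal" credentials="abc123"')


def parse_syncrepl(value):
    """'rid=001 provider="ldap://..." type=refreshAndPersist ...' -> dict."""
    params = {}
    for token in shlex.split(value):      # quoted values survive as one token
        if "=" not in token:
            raise ValueError(f"bad syncrepl token {token!r}")
        key, val = token.split("=", 1)
        params[key.lower()] = val
    for required in ("rid", "provider", "searchbase"):
        if required not in params:
            raise ValueError(f"syncrepl missing {required}")
    return params


def retry_schedule(retry):
    """'60 30 300 +' -> [(60, 30), (300, None)]: 30 tries 60 s apart,
    then every 300 s forever ('+' means unlimited)."""
    parts = retry.split()
    if len(parts) % 2:
        raise ValueError("retry must be <interval> <count> pairs")
    schedule = []
    for interval, count in zip(parts[::2], parts[1::2]):
        schedule.append((int(interval), None if count == "+" else int(count)))
    return schedule


def seconds_until_giving_up(retry):
    """Total seconds before the consumer stops retrying; None when it never stops."""
    total = 0
    for interval, count in retry_schedule(retry):
        if count is None:
            return None
        total += interval * count
    return total


def lint_consumer(values):
    """Findings for the olcSyncrepl values configured on one consumer slapd."""
    findings, seen = [], set()
    for value in values:
        p = parse_syncrepl(value)
        if p["rid"] in seen:
            findings.append(f"rid={p['rid']} reused; each syncrepl needs its own rid")
        seen.add(p["rid"])
        plain_ldap = p["provider"].lower().startswith("ldap://")
        no_tls = p.get("starttls", "no").lower() == "no"
        if p.get("bindmethod", "simple") == "simple" and plain_ldap and no_tls:
            findings.append(f"rid={p['rid']}: simple bind to {p['provider']} without "
                            "starttls sends the replication credentials in clear text")
    return findings
```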

5. MISC Replication-related tasks
a. 'su' as various users on various systems with LDAP base
b. 'passwd USER' - invokes LDAP Change Password command appropriately
Note: 'usermod', 'userdel', and 'useradd' do NOT update LDAP by default
Note: 'passwd' command has special hook for LDAP and local users

c. Delete & Re-create Users
c1. Create file with list of cn values
c2. 'ldapdelete -D "cn=admin,dc=linuxcbt,dc=internal" -x -wabc123 -f
Delete_Mass_Users.ldif'

# LDAP over TLS - Secure Communications #

Features:
1. Secure communications over standard LDAP port of: TCP:389 (Default)
Note: Traditionally, LDAP functioned over 2-ports: TCP:389(Clear-text) &&
TCP:636(Secure)(-H ldaps:///)
Note: (ldaps:///) - considered deprecated - use: LDAP over TLS via TCP:389
Note: With this model, clients will attempt to use: TLS if available, with
clear-text if unavailable

Tasks:
1. Examine default connection
a. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -w"abc123" -H
ldap://192.168.75.200 -b "dc=linuxcbt,dc=internal" '
b. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -w"abc123" -H
ldap://192.168.75.200 -ZZ -b "dc=linuxcbt,dc=internal" ' - forces TLS
communications, fails if non-existent on server
c. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -w"abc123" -H
ldap://192.168.75.200 -Z -b "dc=linuxcbt,dc=internal" ' - single '-Z' option will
attempt TLS, and fallback to clear-text if non-existent
d. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -x -w"abc123" -H
ldap://192.168.75.200 -ZZ -d 1 -b "dc=linuxcbt,dc=internal" '

2. Install TLS support on servers: linuxcbtopenldap[12]
a. 'sudo aptitude update' - perform before installation
b. 'http://help.ubuntu.com/12.04/serverguide/openldap-server.html'
b1. Generate: '/etc/ssl/private/cakey.pem' - private key for the CA server
b2. 'cp /usr/share/doc/gnutls-bin/examples/certtool.cfg /etc/ssl/ca.info' -
create template for public key(cert) from example file
b3. 'sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem
--template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem'
Note: '/etc/ssl/private/cakey.pem' && '/etc/ssl/certs/cacert.pem' - form the
keypair for the self-signed CA server

b4. Generate private key for 'slapd' instance
'sudo certtool --generate-privkey --bits 2048 --outfile
/etc/ssl/private/linuxcbtopenldap1_slapd_key.pem'
b5. Generate Cert (public key) for slapd instance
b5a. copy template and enable options as per Ubuntu documentation

b6. Generate Cert (public key)
'
sudo certtool --generate-certificate --load-privkey
/etc/ssl/private/linuxcbtopenldap1_slapd_key.pem --load-ca-certificate
/etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem
--template /etc/ssl/linuxcbtopenldap1.info --outfile
/etc/ssl/certs/linuxcbtopenldap1_slapd_cert.pem
'

b7. Update 'slapd' 'cn=config' configuration

'
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/linuxcbtopenldap1_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/linuxcbtopenldap1_slapd_key.pem
'

b8. Update permissions so that 'slapd' may access keypairs

'
sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/private/linuxcbtopenldap1_slapd_key.pem
sudo chmod g+r /etc/ssl/private/linuxcbtopenldap1_slapd_key.pem
sudo chmod o-r /etc/ssl/private/linuxcbtopenldap1_slapd_key.pem
'

# TLS Client Configuration #

Features:
1. Secure client communications with LDAP Servers - Not Default
2. Clear-text is a fallback for default connections using TLS: i.e. '-Z'

Tasks:
1. Update 'ldap.conf' client configuration file
a. '/etc/ldap/ldap.conf' - populate with reference to TLS certificate file
'TLS_CACERT /etc/ssl/certs/ca-certificates.crt' - key reference to CA that signed
OpenLDAP TLS cert
Note: Default Linux bundle containing numerous certs except internal, self-signed
certs
Note: One tactic is to append OpenLDAP TLS cert to generic:
'/etc/ssl/certs/ca-certificates.crt'
Note: Another tactic, is to create a new, OpenLDAP-specific bundle file: i.e.
'/etc/ssl/certs/cacert.pem'
Note: TLS | SSL clients auto-cycle through available certs in bundle files
b. Update: '/etc/ldap/ldap.conf' - to reference new OpenLDAP cert bundle:
'/etc/ssl/certs/cacert.pem'

2. Test Default Connection to Server
a. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -w"abc123" -x -b
"dc=linuxcbt,dc=internal" -Z' - this now works because of updated LDAP client
('/etc/ldap/ldap.conf') configuration
b. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -w"abc123" -x -b
"dc=linuxcbt,dc=internal" -ZZ' - forces TLS with check of 'cn' on indicated HOST -
if no match, TLS fails
Note: Ensure that '/etc/hosts' and/or DNS are updated accordingly to fulfill extra
check of: '-ZZ'
Note: At this point, both LDAP servers still support clear-text communications
c. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -w"abc123" -x -b
"dc=linuxcbt,dc=internal" ' - clear-text still works

3. Force TLS | SSL Connection
Note: Applied per-database || globally (systemwide)
a. 'sudo ldapmodify -Y EXTERNAL -H ldapi://'
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1

b. 'ldapsearch -D "cn=admin,dc=linuxcbt,dc=internal" -w"abc123" -x -b
"dc=linuxcbt,dc=internal" -H ldap://linuxcbtopenldap1.linuxcbt.internal' - fails
due to lack of '-Z[Z]' support

Note: Replication MUST be updated to support TLS if DB requires confidentiality

URL: https://help.ubuntu.com/12.04/serverguide/openldap-server.html
