Alwina's open source efforts


Specialized in FreeBSD and CentOS

openLDAP server on FreeBSD

May 7th, 2010 at 14:31

Introduction
OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP). This software can make it a lot easier to work on the system (with a single centralized password), to get in touch with customers (centralized customer address book), and to provide a reliable infrastructure for the future.

In this article I will describe the steps to prepare an OpenLDAP server on FreeBSD in an actual production environment for alwina.org. The configuration is based on a directory with three types of branches:

  • People (OrganizationalUnit)
  • Groups (OrganizationalUnit)
  • Roles (OrganizationalUnit)

In the example I provide in this article these branches are subdivided as follows:

  • Groups: contains posixGroup “customers”. The objectclass “posixGroup” is mappable to Unix-groups.
  • People: contains posixAccount “testuser”. The objectclass “posixAccount” is mappable to Unix-users.
  • Roles: contains organizationalRole “ldapmanager” and “ldapreader”.

In this posting I will not go into detail about mapping these items to Unix groups and users, or about authentication schemas. In forthcoming postings I hope to address these subjects.

Well, let's get started and get the LDAP server up and running!

Procedure

1. Standard FreeBSD installation
The first step is a standard FreeBSD installation as described in standard FreeBSD Installation. Disk space of 5GB should suffice.

2. Update /usr/ports
Make sure you have the most recent snapshots with the following commands:

# portsnap fetch
# portsnap extract

3. Install openLDAP
This may take some time!

# cd /usr/ports/net/openldap24-server
# make install clean -DBATCH

4. Create a secret password for SLAP
SLAP (the slapd daemon) supports the LDAP services. The password for SLAP needs to be set. For this purpose we need to create the secret string. We can use several password hashing schemes:

  • {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with a seed (salt).
  • {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a seed (salt).
  • {CRYPT} uses crypt(3).
  • {CLEARTEXT} indicates that the new password should be added to userPassword as clear text.

We choose {MD5} because of its broad support.

# slappasswd -h {MD5}

The command asks for the new password twice and then prints the hash. Please copy the whole string starting with {MD5}…..
We need to provide this string in the following step.
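To show what slappasswd produces for the schemes listed above, and why the salted variants are the better choice, here is an added Python example (not part of the original post, and not OpenLDAP's own code) that generates and verifies userPassword values in the {MD5}, {SMD5}, {SHA} and {SSHA} formats slapd stores. The 4-byte salt length is an assumption of this example that mirrors slappasswd's default; the verifier takes the salt from the stored value, so other salt sizes verify as well.

```python
import base64
import hashlib
import hmac
import os

# Per scheme: digest function, digest length, salted?  slapd stores
# base64(digest(password + salt) + salt) for the salted {SMD5}/{SSHA} schemes
# and base64(digest(password)) for {MD5}/{SHA}; slappasswd -h {SCHEME} prints the same.
SCHEMES = {
    "MD5": (hashlib.md5, 16, False),
    "SMD5": (hashlib.md5, 16, True),
    "SHA": (hashlib.sha1, 20, False),
    "SSHA": (hashlib.sha1, 20, True),
}
SALT_LEN = 4  # assumption for this example: slappasswd's default salt size


def hash_password(password, scheme="SSHA", salt=None):
    """Return a userPassword value such as '{SSHA}...' for the given scheme."""
    scheme = scheme.strip("{}").upper()
    if scheme == "CLEARTEXT":
        return password
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme {%s}" % scheme)
    digest_fn, _, salted = SCHEMES[scheme]
    data = password.encode("utf-8")
    if salted:
        if salt is None:
            salt = os.urandom(SALT_LEN)   # fresh random salt per hash
        raw = digest_fn(data + salt).digest() + salt
    else:
        raw = digest_fn(data).digest()    # same password -> same value, always
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def verify_password(stored, password):
    """Check a candidate password against a stored userPassword value."""
    if not stored.startswith("{"):
        # no scheme tag: slapd treats the stored value as clear text
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(encoded.encode("utf-8"), password.encode("utf-8"))
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme {%s}" % scheme)
    _, digest_len, salted = SCHEMES[scheme]
    # the salt is whatever follows the digest in the decoded value
    salt = base64.b64decode(encoded)[digest_len:] if salted else None
    candidate = hash_password(password, scheme, salt).partition("}")[2]
    # constant-time comparison of the base64 parts (scheme tag case may differ)
    return hmac.compare_digest(candidate.encode("utf-8"), encoded.encode("utf-8"))


if __name__ == "__main__":
    for name in ("MD5", "SMD5", "SHA", "SSHA"):
        print(hash_password("secret", name))
```

Running it twice shows the point of the salt: the {MD5} and {SHA} values for a given password are identical every time, so two accounts sharing a password are recognisable in a directory dump, while every {SMD5}/{SSHA} value differs.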

# cd /usr/local/etc/openldap
# vi slapd.conf

5. Edit slapd.conf

Make the following changes:

  • Add include lines for the schemas cosine.schema, inetorgperson.schema and nis.schema
  • Uncomment and add some lines about read/write access (look for the word access)
  • Add the line “allow bind_v2”
  • Add the line “password-hash {md5}”
  • Change the suffix line to “dc=alwina,dc=org”
  • Change the rootdn line to “cn=Manager,dc=alwina,dc=org”
  • Replace the word “secret” in the rootpw line with the MD5 string from the previous step, “{MD5}…..”

The file should look like this now:

6. Configuration of the database

This is really easy, just copy the configuration file.

# mv DB_CONFIG.example /var/db/openldap-data/DB_CONFIG

7. Edit ldap.conf

The file ldap.conf holds the client-side defaults used for accessing LDAP services. This file needs to be configured.

# vi ldap.conf

Make the following changes:

  • Uncomment the lines with BASE, URI, SIZELIMIT, TIMELIMIT, and DEREF
  • Change the lines with BASE and URI

The result should look like this:

8. Start the openLDAP server

# vi /etc/rc.conf

Add the following line:

slapd_enable="YES"

You can start the server with the following command:

# /usr/local/etc/rc.d/slapd start

You can check if slapd runs with the following command:

# sockstat -4

The output should contain at least one line with the word slapd, showing the IP addresses and ports it is listening on. For instance:

9. Create initial tree

First we need to create a file that contains the initial entries.

# vi alwina.ldif

This file should look exactly as shown below. Please mind empty lines and spaces!

dn: dc=alwina,dc=org
objectClass: dcObject
objectClass: organization
o: Alwina
dc: alwina

dn: ou=People,dc=alwina,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=alwina,dc=org
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Roles,dc=alwina,dc=org
ou: Roles
objectClass: top
objectClass: organizationalUnit

dn: cn=customers,ou=Groups,dc=alwina,dc=org
objectClass: posixGroup
objectClass: top
cn: customers
gidNumber: 5001

dn: uid=testuser,ou=People,dc=alwina,dc=org
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
cn: Test User
sn: TestUser
givenName: Test
displayName: Testuser
uidNumber: 5001
gidNumber: 5001
gecos: Testuser
homeDirectory: /home/testuser
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
mail: testuser@alwina.com
postalCode: 2132DL
l: Hoofddorp
o: Voorbeeld
mobile: 0616xxx
homePhone: 3123xxxxx
title: System Tester
postalAddress:
initials: TU
loginShell: /bin/sh
shadowExpire: -1

dn: cn=ldapmanager,ou=Roles,dc=alwina,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldapmanager
description: LDAP manager user for unrestricted read/write
userPassword:

dn: cn=ldapreader,ou=Roles,dc=alwina,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldapreader
description: LDAP reader for unrestrited reads
userPassword:

Once this file is created we can create the initial tree with the following command:

# ldapadd -x -D "cn=Manager,dc=alwina,dc=org" -W -f alwina.ldif

The command should display the added entries.

10. Install and use the ldapvi tool to edit the LDAP directory (optional step)

For manually editing the LDAP directory the handy tool ldapvi is available. You can install it from the ports with the following steps:

# cd /usr/ports/sysutils/ldapvi
# make install clean -DBATCH
# rehash

Once installed you can easily add or correct entries in the LDAP directory:

# ldapvi --ldap-conf -D "cn=Manager,dc=alwina,dc=org"

11. Create LDAP passwords for the roles

With this step we set the password for the special roles “ldapmanager”, with complete management control over the LDAP directory, and “ldapreader”, with read access to the LDAP directory.
Note that “ldapmanager” has similar access rights as the manager of the openLDAP server (“cn=Manager,dc=alwina,dc=org”). The latter is not explicitly defined in the directory.
The role entries were created without a password, so they cannot bind by themselves yet. Bind as the rootdn instead (option -D) and give the DN of the role whose password you want to set as the last argument; -W prompts for the Manager password and -S for the new password of the role.

# ldappasswd -x -D "cn=Manager,dc=alwina,dc=org" -W -S "cn=ldapreader,ou=Roles,dc=alwina,dc=org"
# ldappasswd -x -D "cn=Manager,dc=alwina,dc=org" -W -S "cn=ldapmanager,ou=Roles,dc=alwina,dc=org"

12. Restart the openLDAP service

# /usr/local/etc/rc.d/slapd restart

13. Check the service

Perform the following command to check the directory service (-x selects simple authentication, as in the ldapadd command of step 9):

# ldapsearch -x -D "cn=ldapreader,ou=Roles,dc=alwina,dc=org" -W

The result should look like this:

Your openLDAP service is up and running.

Now it is time to secure your openLDAP server with transport encryption. OpenLDAP supports two closely related ways of doing this, SSL and TLS.

TLS stands for “Transport Layer Security”. Services that employ TLS start as ordinary connections and then upgrade them (StartTLS), so an LDAP server can handle unsecured and TLS-secured connections on the same port.
SSL stands for “Secure Sockets Layer”; services that implement SSL listen on a separate port from their non-SSL counterparts.

In the following steps we will adjust our LDAP server to use TLS, as SSL is considered deprecated.

14. Obtain a set of SSL keys/certificates

There are many ways to obtain SSL/TLS certificates. You could obtain a set from a provider, or generate a self-signed certificate/key pair yourself with the pre-installed openssl tool from OpenSSL. Please note that there is no need for commercial certificates like Thawte’s in our case. In the example I just re-used a free certificate I obtained from StartCom. If you do not have a set of SSL keys/certificates available, do the following steps to generate a self-signed certificate:

  • Build the certificate authority (CA)
  • Generate certificate + key for your LDAP-server

The SSL keys/certificate files I will use:

  • ca.pem = Certificate Authority
  • sub.class1.server.ca.pem = Chain Certificate
  • SSL.crt = Server Certificate
  • SSL.key = Server Key [ Keep secret ]

15. Place the SSL keys/certificates on your system

Perform the following steps on your server:

# cd /usr/local/etc/openldap
# mkdir private

Copy the Server Certificate and Server Key files to the newly created directory (SSL.crt and SSL.key).

If you need to generate a self-signed certificate, you could do the following additional steps:

# cd /usr/local/etc/openldap/private

Create the certificate and the key for the Certificate Authority with the following command.

# openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt

Choose common name ca.<your domain>.

Create the key for your server and a certificate signing request (server.csr).

# openssl req -days 3650 -nodes -new -keyout server.key -out server.csr

Choose common name ldap.<your domain>.

Finally create the signed certificate out of the certificate request.

# openssl x509 -req -days 3650 -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial

This completes the extra steps needed to create self-signed certificates.

16. Continue with the following steps:

# cd /usr/local/etc/openldap
# chown -R ldap:ldap private
# chmod -R 700 private

Move the Certificate Authority and the Chain Certificate files to a public place (if you generated a self-signed CA above, its ca.crt is the Certificate Authority file; copy it as ca.pem so the names in the following steps match, and there is no chain certificate):

# mkdir -p /usr/share/openldap
# mv /usr/local/etc/openldap/private/ca.pem /usr/share/openldap
# mv /usr/local/etc/openldap/private/sub.class1.server.ca.pem /usr/share/openldap
# cd /usr/share/openldap
# chmod 755 *

17. Edit slapd.conf

# vi /usr/local/etc/openldap/slapd.conf

Add the following:

security ssf=256
TLSCertificateFile /usr/local/etc/openldap/private/SSL.crt
TLSCertificateKeyFile /usr/local/etc/openldap/private/SSL.key
TLSCACertificateFile /usr/share/openldap/ca.pem

TLSCACertificateFile takes a single file. If your server certificate was issued via a chain certificate, such as sub.class1.server.ca.pem, concatenate the chain certificate and the CA certificate, in that order, into the one file named here; the order of the certificates in that file is important.
In case you generated a self-signed certificate, there is no chain certificate, and the CA certificate on its own is enough.

18. Restart your openLDAP service

# /usr/local/etc/rc.d/slapd restart

Check if it is up and running:

# sockstat -4 | grep slapd

You should see a line with the listening port.
If there is an error, you could check /var/log/debug.log for further information.

19. Check if confidentiality is required by the server now

Check if security is required:

# ldapsearch -x -D "cn=Manager,dc=alwina,dc=org" -W

Now you should get an error “Confidentiality required”.
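The check in step 19 can be turned into something a monitoring job can run. What follows is an added Python example, not from the original post and not OpenLDAP code: using only the standard library it frames just enough of the LDAP protocol (RFC 4511 BER encoding, written by hand here) to send an anonymous bind over a plain TCP connection and decode the LDAPResult slapd sends back, and it also builds the StartTLS extended request that `ldapsearch -Z` sends in step 21. A server that enforces `security ssf=256` answers the cleartext bind with resultCode 13 (confidentialityRequired), the same error the ldapsearch above shows; resultCode 49 (invalidCredentials) is the one reported in the comments below. The sample response bytes are constructed for the test; host and port for `plaintext_is_refused` are parameters you supply.

```python
import socket

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511, StartTLS extended operation

# resultCode values (RFC 4511, section 4.1.9) that the checks in this article run into
RESULT_NAMES = {
    0: "success",
    13: "confidentialityRequired",   # 'security ssf' refuses a cleartext operation
    49: "invalidCredentials",        # wrong or empty bind password
    50: "insufficientAccessRights",
}


def _tlv(tag, value):
    """BER-encode one tag/length/value; lengths >= 128 use the long form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def anonymous_bind_request(msgid=1):
    """LDAPMessage { msgid, BindRequest { version 3, name "", simple "" } }."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0x80, b"")
    # bytes([msgid]) is a valid positive INTEGER only for msgid < 128
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + _tlv(0x60, bind))


def starttls_request(msgid=1):
    """LDAPMessage { msgid, ExtendedRequest { requestName = StartTLS OID } }."""
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))


def parse_result(msg):
    """Decode an LDAPMessage carrying an LDAPResult (BindResponse, SearchResultDone,
    ExtendedResponse, ...) into msgid, operation tag, resultCode and diagnostic."""
    tag, body, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = _read_tlv(body)
    op_tag, op, _ = _read_tlv(body, pos)
    _, code, pos = _read_tlv(op)            # ENUMERATED resultCode
    _, _matched, pos = _read_tlv(op, pos)   # matchedDN (unused here)
    _, diag, _ = _read_tlv(op, pos)         # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"msgid": int.from_bytes(mid, "big"), "op": op_tag, "code": rc,
            "name": RESULT_NAMES.get(rc, "other"),
            "diagnostic": diag.decode("utf-8", "replace")}


def plaintext_is_refused(host, port=389, timeout=5.0):
    """Connect without TLS and send an anonymous bind; True when slapd answers
    confidentialityRequired (13), i.e. the 'security ssf=256' line is in force."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(anonymous_bind_request(1))
        reply = sock.recv(4096)
    return parse_result(reply)["code"] == 13


# Constructed BindResponse with resultCode 13, as slapd sends after step 17.
SAMPLE_REFUSED = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x61,
    _tlv(0x0A, b"\x0d") + _tlv(0x04, b"") + _tlv(0x04, b"confidentiality required")))

if __name__ == "__main__":
    print(parse_result(SAMPLE_REFUSED))
```

`plaintext_is_refused("ldap.example.test")` against your own server should print True once step 17 is active and False before it; a False after the restart means the `security` line did not take effect and clients can still talk to the directory in clear text.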

20. Edit ldap.conf

# vi /usr/local/etc/openldap/ldap.conf

Add the following line:

TLS_CACERT    /usr/share/openldap/ca.pem

21. Check if it works now

# ldapsearch -x -D "cn=Manager,dc=alwina,dc=org" -W -Z

The -Z option requests StartTLS on the connection (with -ZZ the command fails instead of continuing in clear text when StartTLS cannot be negotiated).

Now you should see a response like this:

You can ignore the security warning.

After entering the password the result should be like this:

Your fully secured openLDAP server is up and running. Congratulations!

In a forthcoming posting I will explain how to use and take advantage of your openLDAP server.


8 Responses to “openLDAP server on FreeBSD”

  1. Anderson Cooper Says:

    This was really hard to find; there were a lot of crap posts on this. I am glad I finally stumbled upon an entry worthy of being under this search. Awesome stuff, bookmarking, because I have a slight feeling several posts on your site will benefit other questions I have faster than looking on Yahoo.

  2. web site Says:

    Hello, it’s a good article, and good info. Come and see very nice blog.

  3. H Azhar Says:

    hello, Alwina.

    I'm kinda new to Linux or Unix. I followed your guide step by step but I'm stuck here:

    # ldapvi -ldap-conf -D “cn=Manager,dc=absb,dc=org”
    -ldap-conf: unknown option

    Help please, what should I do?

    Thank you

  4. Erik Says:

    Hi Azhar,

    You should use
    --ldap-conf
    That is:
    (minus) (minus) ldap (minus) conf

    I hope this will help.
    Not really an easy task to start with an openLDAP server!

    Good luck!

    Erik

  5. H Azhar Says:

    Thank Erik,

    As you said, “Not really an easy task to start with an openLDAP server!”. I got another problem with “step 11 and 12”:

    LDAP# ldappasswd -x -D "cn=ldapreader,ou=Roles,dc=absb,dc=org" -W -S
    New password:
    Re-enter new password:
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49) <— (here the problem start)

    LDAP# ldapsearch -D "cn=ldapreader,ou=Roles,dc=absb,dc=org" -W
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49) <— (same problem)

    If anyone knows how to correct this I would be really thankful. It's been 1 week already and I don't know what to do.

    :(

  6. Marcel Tempelman Says:

    Hi

    ldappasswd -x -D "cn=ldapreader,ou=Roles,dc=absb,dc=org" -W -S requires a bind with an authorized user. This will work:

    ldappasswd -Z -D "cn=Manager,dc=absb,dc=org" -w {managepassword} -s {newpassword for user} "cn=ldapreader,ou=Roles,dc=absb,dc=org"

    (-Z only if you use SSL)

    Great piece btw :-D

    GL

  7. Alwina's open source efforts» Blog Archive » Secure fileserver with LDAP – Alwina’s FreeBSD and CentOS Blog Says:

    [...] is based on an LDAP authentication. If you do not have an LDAP server up and running you could use this article to setup a standard openLDAP [...]

  8. akuslive Says:

    hi,

    many thanks for the excellent tutorial. I've been struggling for more than 2 weeks.

    Thank you so much!