=========================================================================
Installation, configuration notes and generic lessons learned on openldap
=========================================================================
:Author: Doug O'Leary
:Created: 07/27/13
:Updated:
:Description: Notes and lessons learned re openldap

.. contents::

Overview:
=========

It's time to relearn ldap. I installed and configured it for a client a good
while back and have had some minor fun with it since at a couple of clients.
Problem is, though, that I'm running into crap that I don't know and I don't
like it.
Case in point: while attempting to work with a network tech to get the
right ports open to the right server, I was using the system listed in
/etc/openldap/ldap.conf instead of /etc/ldap.conf. Why are those two
flipping different? They obviously **can** be; but should they be?
I think I finally figured out why it's /etc/ldap.conf instead of
/etc/openldap/ldap.conf (nss_ldap uses /etc/ldap.conf), but still.
While on the topic, I also decided I want to figure out directory replication,
backup and recovery, and, possibly most cool: how to store ssh keys in
the directory. Public keys need to support the forced commands and
private keys should be user restricted so they can't reset the passphrase
to null.

Notes:
======

* Reading through chapter 24 of the centos docs for ldap. Doesn't seem like
a lot of actual implementation information in here. // later: I was right;
not a lot there. Did have links to other sites that I've bookmarked -
and three antique books.
* Moving on to the `openldap `_ site. Just
downloaded the 2.4 admin guide and will be going through that. Not
nearly as quickly as the centos chapter... this one's 264 pages long.
* ldap forums at http://www.umich.edu/~dirsvcs/ldap/mailinglist.html
* Newly provisioned VMs installed/patched, and rebooting. ldapa is going
to be the ldap master. ldapb will be, initially, the first ldap
client followed by the replication server.
* Wow; that's fucked up. The /etc/openldap/slapd.conf file no longer exists
and is apparently deprecated. The quickstart guide on openldap.org tells
you to edit the goddamned thing. WTF with that?? I found another site
that provides details for a 'minimal install guide' and will be following
that before going back to the openldap admin guide:
http://spectlog.com/content/Minimal_LDAP_configuration_on_RHEL6_in_stages_and_details
* The slapd.conf.bak file isn't in the same place either; RH now calls it
slapd.conf.obsolete.
* DB_CONFIG file isn't there either: /usr/share/openldap-servers*
* Rest of the directions worked as advertised.
* Creating a new vm (ldapc) to go through the install manually. All the
makes seem to have worked. Running through the tests now. That's taking
longer than expected.
* I read through the chapter on the new slapd-config and I'm still confused.
Basically, they turned the slapd.conf file into entries in the directory.
It's a different database (-D cn=config vs -D cn=example).

  * How am I supposed to access it though?
  * How do I display entries in it?
  * How do I update entries?

* OK: got access to the config db. You apparently have to set the config
passwd first - as part of the initial configuration. There should be
some way to reset it. What happens if you forget the damned thing?
Question for later; but, I'm in. The process that I followed is:

  * Create a reset script as follows. Logic courtesy of
    `spectlog.com `_

    ::

      # cat /root/bin/reset_ldap
      #!/bin/ksh
      # Wipe the cn=config directory and the BDB data files, then rebuild
      # both from an old-style slapd.conf plus the site LDIFs in ${wdir}.
      wdir=/root/working/ldap
      Config=${1:-/etc/openldap/slapd.example.conf}

      service slapd stop
      rm -fr /etc/openldap/slapd.d/* /var/lib/ldap/*
      cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
      # Feed slapadd an empty LDIF so it creates the database environment.
      echo "" | slapadd -f ${Config}
      # Convert the slapd.conf-style file into the slapd.d (cn=config) tree.
      slaptest -f ${Config} -F /etc/openldap/slapd.d
      cd ${wdir} || exit 1
      for f in example.com.ldif \
               admin.example.com.ldif \
               groups.example.com.ldif \
               users.example.com.ldif
      do
          echo slapadd -l ${f}
          slapadd -l ${f}
      done
      # slapadd ran as root; hand the files back to the slapd user.
      chown -R ldap:ldap /var/lib/ldap /etc/openldap/slapd.d
      service slapd start

  * Add rootpw entry to the ``database config`` section of
    *slapd.example.conf*
  * Run reset_ldap
  * Verify by running ``ldapsearch -D cn=config -W -b cn=config``
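The rootpw you add to the ``database config`` section in the step above is normally produced with ``slappasswd``, whose default output is an {SSHA} value. As an added example (not from these notes or from spectlog), this Python builds and verifies that format offline, so you can see what the directive holds and confirm that a stored value matches a password; the 4-byte salt length and the demo password are assumptions.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"


def make_ssha(password, salt=None):
    """Return the {SSHA} string slappasswd emits: base64(sha1(password + salt) + salt).
    A 4-byte random salt is assumed here when none is supplied."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password, stored):
    """True if `password` matches a stored {SSHA} value; the salt is recovered from the value."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def rootpw_directive(password):
    """The line to add to the `database config` section: hashed, not cleartext."""
    return "rootpw " + make_ssha(password)


if __name__ == "__main__":
    # Constructed demo password; in practice read it from a prompt, not the command line.
    line = rootpw_directive("change-me")
    print(line)
    print("verifies:", check_ssha("change-me", line.split(" ", 1)[1]))
```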
* Very definitely did not get the warm fuzzy from the openldap admin
guide, so more searching about interfacing with slapd-config
resulted in `zytrax open `_.
Reading through that one now. Seems much more complete.
* OK: ldap browser's not going to do me much good as the server
and clients are all on vms behind the vmhost firewall. No biggie;
wanted to relearn ldapsearch anyway.
* (08/24/13): finished going through the zytrax book and, while all good
info, I'm still not warm and fuzzy. I remember getting quite a bit of
good info from the O'Reilly LDAP book so I went and rebought it. It'll
be a bit dated, but that's my next step.
* I got involved with getting the mkhomedir functionality working on
solaris boxes at work. While the final resolution there is still
in question, I have the right answer to post to the lessons learned
site. Doing that now. // few minutes later. OK; that's done. Still
need to get the ldapsearch that supports -Z, though. Don't remember
where that is off the top of my head.
* Rebuilding ldapa as I have a new url to try: http://linuxserverathome.com/articles/installing-and-configuring-openldap-2423-centos-63
* That link was quite good. After some wrestling, I finally got openldap
running and saw some methods of updating the cn=config mess. Got a few
more things to do; but, we can continue with the openldap book.
* The */etc/openldap/ldap.conf* file is for clients only - similar to
the tnsnames.ora file for Oracle.
* (08/29/13) Followed the links in the centos install doc; but, got a bit lost
trying to get users added. Followed another link and got dkoleary/admin added;
however, somewhere along the line, I lost access to the cert again. I'm
depressed... Stopping for the night.

Questions to be answered:
=========================

* How to access config db if pwd or access method is forgotten/disabled?
* How to query specific elements from the config db

Things to do:
=============

* Locking the rootdn down to a specific IP address, eg on page 67 of
openldap admin guide.
* (done) ldap browser
* ldap w/iptables firewall
* authentication
* public ssh keys
* private ssh keys
* password aging

  - does ldap block ssh/pka access to accounts whose passwords have expired?
  - does the passwd/chage combo work to force users to change pwds on initial access?

* multiple base dns (how to add, how to support, how to integrate, etc)
* samba authenticating to ldap
* process for updating the ssl certs.

Command examples:
=================

* searching the cn=config::

    ldapsearch -b cn=config -D cn=admin,cn=config -w ${pwd} \
    '(objectclass=olcglobal)'
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: (objectclass=olcglobal)
    # requesting: ALL
    #

    # config
    dn: cn=config
    objectClass: olcGlobal
    cn: config
    olcConfigFile: /etc/openldap/slapd.conf.bak
    olcConfigDir: /etc/openldap/slapd.d
    olcAllows: bind_v2
    olcArgsFile: /var/run/openldap/slapd.args
    olcAttributeOptions: lang-
    olcAuthzPolicy: none
    olcConcurrency: 0
    olcConnMaxPending: 100
    olcConnMaxPendingAuth: 1000
    olcGentleHUP: FALSE
    olcIdleTimeout: 0
    olcIndexSubstrIfMaxLen: 4
    olcIndexSubstrIfMinLen: 2
    olcIndexSubstrAnyLen: 4
    olcIndexSubstrAnyStep: 2
    olcIndexIntLen: 4
    olcLocalSSF: 71
    olcPidFile: /var/run/openldap/slapd.pid
    olcReadOnly: FALSE
    olcReverseLookup: FALSE
    olcSaslSecProps: noplain,noanonymous
    olcSockbufMaxIncoming: 262143
    olcSockbufMaxIncomingAuth: 16777215
    olcThreads: 16
    olcTLSCACertificatePath: /etc/openldap/certs
    olcTLSCertificateFile: "OpenLDAP Server"
    olcTLSCertificateKeyFile: /etc/openldap/certs/password
    olcTLSVerifyClient: never
    olcToolThreads: 1
    olcWriteTimeout: 0

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

* Identifying the indexes used in the bdb database::

    ldapsearch -ZZ -b cn=config -D cn=admin,cn=config -w 3pizda \
    '(olcdatabase={2}bdb)' olcdbindex
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: (olcdatabase={2}bdb)
    # requesting: olcdbindex
    #

    # {2}bdb, config
    dn: olcDatabase={2}bdb,cn=config
    olcDbIndex: objectClass pres,eq
    olcDbIndex: cn pres,eq,sub
    olcDbIndex: uid pres,eq,sub
    olcDbIndex: uidNumber pres,eq
    olcDbIndex: gidNumber pres,eq
    olcDbIndex: mail pres,eq,sub
    olcDbIndex: ou pres,eq,sub
    olcDbIndex: loginShell pres,eq
    olcDbIndex: sn pres,eq,sub
    olcDbIndex: givenName pres,eq,sub
    olcDbIndex: memberUid pres,eq,sub
    olcDbIndex: nisMapName pres,eq,sub
    olcDbIndex: nisMapEntry pres,eq,sub

    # search result
    search: 3
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

Note: you can also use ``'(objectclass=olcBdbConfig)'`` as the filter.

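The reason to pull the olcDbIndex list is to compare it with the attributes that client lookups actually filter on: a filter on an attribute with no equality index makes slapd walk the whole database, which shows up as slow logins and, at the right loglevel, "not indexed" messages in the slapd log. The Python below is an added example (not part of these notes): it parses the LDIF that ldapsearch prints (comments, folded continuation lines and ``::`` base64 values included) from a constructed sample, and reports which of an assumed set of commonly filtered attributes lack an ``eq`` index.

```python
import base64

# Constructed sample of `ldapsearch -b cn=config '(olcDatabase={2}bdb)' olcDbIndex` output.
SAMPLE_LDIF = """\
# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,
 eq,sub
olcDbIndex:: dWlkTnVtYmVyIHByZXMsZXE=
olcDbIndex: memberUid pres,eq,sub

result: 0 Success
"""
# Attributes that NSS/PAM equality filters commonly hit (assumed list, adjust to taste).
WANTED_EQ = ("objectClass", "uid", "uidNumber", "gidNumber", "memberUid", "cn")

def parse_entries(text):
    """{attr: [values]} per entry, keys lower-cased; comments skipped, folds joined, '::' base64-decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # leading space = continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                    # sentinel flushes the last entry
        if not line.strip():
            if "dn" in current:                  # trailing search/result block has no dn
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):            # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def index_map(entries):
    """Map attribute -> set of index types from olcDbIndex values like 'uid pres,eq,sub'."""
    idx = {}
    for value in (v for e in entries for v in e.get("olcdbindex", [])):
        attrs, _, types = value.partition(" ")
        for attr in attrs.split(","):            # "attr1,attr2 eq" lists several attributes
            idx.setdefault(attr.lower(), set()).update(t for t in types.split(",") if t)
    return idx

def missing_eq_indexes(ldif_text, wanted=WANTED_EQ):
    """Attributes in `wanted` lacking an 'eq' index; filters on them force a full scan."""
    idx = index_map(parse_entries(ldif_text))
    return [a for a in wanted if "eq" not in idx.get(a.lower(), set())]
```

Feed it the real output (``ldapsearch ... olcdbindex > indexes.ldif``) and ``missing_eq_indexes(open("indexes.ldif").read())`` lists what to add to olcDbIndex.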
* Sample database queries (using a **really** small database)::

    ldapsearch -ZZ -b dc=oci,dc=com -D cn=manager,dc=oci,dc=com -w 3pizda \
    '(objectclass=organizationalunit)' dn
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: (objectclass=organizationalunit)
    # requesting: dn
    #

    # people, oci.com
    dn: ou=people,dc=oci,dc=com

    # groups, oci.com
    dn: ou=groups,dc=oci,dc=com

    # search result
    search: 3
    result: 0 Success

    # numResponses: 3
    # numEntries: 2

    ldapsearch -Z -w 3pizda -D cn=manager,dc=oci,dc=com \
    '(objectclass=organizationalunit)' dn
    # extended LDIF
    #
    # LDAPv3
    # base (default) with scope subtree
    # filter: (objectclass=organizationalunit)
    # requesting: dn
    #

    # people, oci.com
    dn: ou=people,dc=oci,dc=com

    # groups, oci.com
    dn: ou=groups,dc=oci,dc=com

    # search result
    search: 3
    result: 0 Success

    # numResponses: 3
    # numEntries: 2

Note the difference between the commands: the second one didn't specify a
base. It picked up the base from the /etc/openldap/ldap.conf file.