Openldap goals and lessons learned:

Title:

ldap lessons learned

Author:

Douglas O’Leary <dkoleary@olearycomputers.com>

Description:

Miscellaneous lessons learned regarding ldap

Disclaimer:

Standard: Use the information that follows at your own risk. If you screw up a system, don’t blame it on me…

Lessons learned:

• posixgroup vs groupofnames: Short version, both of these classes are structural so can’t be used in the same group… by default. Issue is that posixgroup is required for linux use but groupofnames is require for pam based access restrictions. Answer is to use rfc2307bis schema in directory. There’ll be a much longer version of this entry in due course.

• Line length on ldapsearch wraps lines at 79 characters w/o an option to make it stop. To avoid it:

  ldapsearch ... | perl -00pe 's/\n //g' | perl -ne 'print unless (m{^$})'
  

• Initial access to directory - something that’s confused the hell out of me:

  • via SASL

  • Right answer in the installation guide. Short version: jumpstart the slapd.d with /usr/share/openldap-servers/slapd.conf.obsolete. Edit it, then slaptest it into the slapd.d directory.

• Despite cautions to the contrary, the schema files under /etc/openldap/slap.d can be edited; but, as indicated, you have to be very careful.

• The slapd.conf.bak file that’s often referenced, under rhel6, is /usr/share/openldap-servers/slapd.conf.obsolete

• ldap_tls_reqcert = allow in /etc/sssd/sssd.conf enables the use of certificates that the client can’t authenticate.

• ldap related files and their uses:

File/dir	Purpose
/etc/openldap/ldap.conf	Client configuration
/etc/sysconfig/ldap	ldap daemon configuration
/etc/sysconfig/authconfig	Python script which configures authentication based on cli args. Updates all required files.
/etc/openldap/slap.d	New format configuration directory
/etc/sssd/sssd.conf	Conf file for system security services daemon. rhel6 authentication
/etc/nslcd.conf	Conf file for ldap name service daemon; nss-pam-ldapd/legacy auth

• LDIF to update ACLs is incredibly twitchy:

  • Create access.ldif:

    ## BDB access control list
    dn: olcDatabase={2}bdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {0}to attrs=userpassword,shadowlastchange by self write by anonymous auth by * none
    olcAccess: {1}to * by self write by  * read
    

  • Apply it:

    # ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/working/ldap/access.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "olcDatabase={2}bdb,cn=config"
    

  • To delete, use:

    ## BDB access control list
    dn: olcDatabase={2}bdb,cn=config
    changetype: modify
    delete: olcAccess
    olcAccess: {0}
    

  After hours of messing around with it, I finally found the syntax error when I was adding it. I never did find out what was wrong with the delete. The version above is copy/pasted from a google search. As far as I could tell, it looks exactly like what I had; however, the one above works and my original one didn’t…. Go figure.

• TLS: host provided in the URI must match the CN used in the certificate. If it doesn’t, you’ll get bind errors:

  ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
  

  Use ldapsearch -d 5 -LLL ... to help identify the cause.

• authconfig explained:

  authconfig --enableldap --enableldapauth \
      --ldapserver=ldaps://ldapsvr.olearycomputers.com \
      --ldapbasedn="dc=oci,dc=com" --enablemkhomedir \
      --ldaploadcacert=ftp://192.168.122.1/pub/CA/cacert.pem  --update
  

  • enableldap, enableldapauth, ldapbasedn are self explanatory

  • ldapserver must match the cn used in the signed cert. If it doesn’t, you’ll get bind errors.

  • enablemkhomedir adds the appropriate entry to /etc/pam.d/system-auth to automatically create home directories upon access. Verify proper settings.

  • ldaploadcacert defines the url from which to get the Certificate Authority’s (not the ldap server’s) public key. It will use the proper commands so that tls_cacertdir entries are honored.

• Identify if an account is locked (assuming everygthing is set up correctly):

  # ldapsearch -LLLxD cn=admin,dc=oci,dc=com -w "${pwd}" \
      -b dc=oci,dc=com uid=aaaa pwdaccountlockedtime
  dn: uid=aaaa,ou=users,dc=oci,dc=com
  pwdAccountLockedTime: 20140118190653Z
  

  Note: the pwdAccountLockedTime entry does not show up in the normal uid display:

  ldapsearch -LLLxD cn=admin,dc=oci,dc=com -w "${pwd}" \
      -b dc=oci,dc=com uid=aaaa
  dn: uid=aaaa,ou=users,dc=oci,dc=com
  cn: aaaa
  gecos: aaaa test user
  objectClass: top
  objectClass: account
  objectClass: posixAccount
  objectClass: shadowAccount
  shadowMin: 0
  shadowMax: 90
  shadowWarning: 7
  loginShell: /bin/bash
  uidNumber: 604
  gidNumber: 614
  homeDirectory: /home/aaaa
  uid: aaaa
  userPassword:: [[snipped]]
  

• Eventually, there will be an ldapsearch ll entry on it’s own, but in the meantime, in order to get rid of the folded lines on col 78 of openldap ldapsearch, you can do the following:

  ldapsearch -xLLLD ${dn} -w ${pwd} -b ${base} ${filter} ${attrs} | \
      perl -p -0040 's/\n //g'
  

  Short version: that searches for newlines followed by a space (ldif continuation) and removes them. Nice! Thank you, Dave Horsfall of Australia for posting that on openldap.org on/about 03/11/2003. You’d think openldap would have an option for no line wrap by now…

Acronyms:

ldap:

lightweight directory access protocol.

DIT:

directory information tree.

LDIF:

LDAP directory interchange format.

SASL:

Simple Authentication and Security Layer.