LDAP



OpenLDAP

Overview

OpenLDAP is installed on Hosts/boron and has a CNAME alias of ldap.shop.lan. It has the standard four schema files installed.

Administration

Administration of OpenLDAP itself can be done via command line on boron or via webmin found here

Please read this guide to learn how to add and remove users.

Enabling Ubuntu/Debian

To integrate a host with our LDAP authentication:

Note: the following edits to pam.d are a deprecated procedure and should not be followed unless working with older ( < 9.10 ) OSes

  • Modify '/etc/pam.d/passwd' with the following; this allows 'passwd' to continue to work

 @include common-password
 
 auth sufficient /lib/security/pam_ldap.so
 auth required /lib/security/pam_pwdb.so shadow nullok
 
 account sufficient /lib/security/pam_ldap.so
 account required /lib/security/pam_pwdb.so
 
 password required /lib/security/pam_cracklib.so retry=3 type=aerospace
 password sufficient /lib/security/pam_ldap.so authtok use_first_pass
 password required /lib/security/pam_pwdb.so authtok use_first_pass md5 shadow

  • Modify '/etc/pam.d/common-password' with the following

 password sufficient pam_unix.so nullok obscure md5

  • Then edit /etc/nsswitch.conf so that the passwd, group and shadow lines say "files ldap"
  • To refresh the nsswitch cache use the command

 nss_updatedb ldap

Access

sudo

Sudo access is granted by assigning a user to the LDAP group ldap-admin. This group is then granted access on all the servers by inserting %ldap-admin ALL=(ALL) ALL into /etc/sudoers.

VPN

OpenVPN access is granted by assigning a user to the group vpnusers.

Please read this OpenVPN guide to learn how to do so.

Maintenance

Backing up data

Back up the configuration to the file config.ldif

 slapcat -bcn=config -l config.ldif

Back up the database to the file data.ldif

 slapcat -bdc=shop,dc=lan -l data.ldif

Restoring data

Configuration

With slapd stopped and the configuration backup in file config.ldif

 sudo rm -rf /etc/ldap/slapd.d
 sudo mkdir /etc/ldap/slapd.d
 sudo chown openldap.openldap /etc/ldap/slapd.d
 sudo -u openldap slapadd -F /etc/ldap/slapd.d -bcn=config -l config.ldif

Data

With slapd stopped and backup in file data.ldif

 # Remove existing data
 sudo rm -rf /var/lib/ldap
 
 # Restore data
 sudo mkdir /var/lib/ldap
 sudo chown openldap.openldap /var/lib/ldap
 sudo chmod 750 /var/lib/ldap
 sudo -u openldap slapadd -F /etc/ldap/slapd.d -bdc=shop,dc=lan -l data.ldif

Modifying configuration

As an example, to change the root password for the first database:

Create the file describing the changes we want as pass.ldif:

 dn: olcDatabase={1}hdb,cn=config
 changetype: modify
 replace: olcRootPW
 olcRootPW: {SSHA}LXgddQqVZ52ctplFlfRdWmNKj/RWYZr8

Then load the modification into ldap:

 sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f pass.ldif

Refer to the OpenLDAP 2.4 Administrator's guide for more information.
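
Before loading an LDIF that sets olcRootPW, it is worth checking that the value is a slappasswd hash rather than a cleartext string. The check below is an added example, not part of the original wiki page; the function name and the sample entries are constructed, and it also covers userPassword and base64-encoded (attr::) values.

```bash
# Added example, not from the wiki; the function name is hypothetical.

# ldif_cleartext_passwords FILE
# Print "LINE ATTRIBUTE" for every olcRootPW/userPassword value in FILE that
# is not a {SCHEME} hash as produced by slappasswd. No output means clean.
ldif_cleartext_passwords() {
  grep -n -i -E '^(olcRootPW|userPassword)::? ' "$1" |
  while IFS= read -r hit; do
    lineno=${hit%%:*}; rest=${hit#*:}
    attr=${rest%%:*};  value=${rest#*:}
    case $value in
      :*) value=$(printf '%s' "${value#: }" | base64 -d 2>/dev/null) || true ;;
      *)  value=${value# } ;;
    esac
    case $value in
      \{[Cc][Ll][Ee][Aa][Rr][Tt][Ee][Xx][Tt]\}*)   # scheme that stores cleartext
          printf '%s %s\n' "$lineno" "$attr" ;;
      \{*\}?*) ;;                                  # {SSHA}..., {CRYPT}...: hashed
      *)  printf '%s %s\n' "$lineno" "$attr" ;;    # bare value: cleartext
    esac
  done
}

# Constructed sample: the hash is a placeholder, not a real credential.
sample_ldif=$(mktemp)
hashed_b64=$(printf '%s' '{SSHA}CONSTRUCTED-PLACEHOLDER-HASH' | base64)
cat > "$sample_ldif" <<EOF
dn: olcDatabase={1}hdb,cn=config
olcRootPW: example

dn: uid=jdoe,ou=People,dc=shop,dc=lan
userPassword:: c2VjcmV0

dn: uid=asmith,ou=People,dc=shop,dc=lan
userPassword:: $hashed_b64

dn: uid=bob,ou=People,dc=shop,dc=lan
userPassword: {CLEARTEXT}hunter2
EOF
ldif_cleartext_passwords "$sample_ldif"
```

Run it against create_database.ldif or a slapcat backup; any line it reports should be replaced with slappasswd output before the file is loaded or stored.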

Rebuild LDAP Server

First slapcat the existing database so you have a backup.

 slapcat -bdc=shop,dc=lan -l data.ldif

Then ensure the packages are up to date

sudo apt-get install slapd ldap-utils

After that we must load the schema files into the database.

 sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
 sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
 sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
 sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif

Then create a file called create_database.ldif and paste this into it.

 # Load hdb backend module
 dn: cn=module{0},cn=config
 objectClass: olcModuleList
 cn: module
 olcModulepath: /usr/lib/ldap
 olcModuleload: {0}back_hdb
 
 # Create the hdb database and place the files under /var/lib/ldap
 dn: olcDatabase={1}hdb,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcHdbConfig
 olcDatabase: {1}hdb
 olcDbDirectory: /var/lib/ldap
 olcSuffix: dc=shop,dc=lan
 olcRootDN: uid=diradmin,ou=People,dc=shop,dc=lan
 olcRootPW: example
 olcDbConfig: {0}set_cachesize 0 2097152 0
 olcDbConfig: {1}set_lk_max_objects 1500
 olcDbConfig: {2}set_lk_max_locks 1500
 olcDbConfig: {3}set_lk_max_lockers 1500
 olcLastMod: TRUE
 olcDbCheckpoint: 512 30
 olcDbIndex: uid pres,eq
 olcDbIndex: cn,sn,mail pres,eq,approx,sub
 olcDbIndex: objectClass eq

Now push that into the database

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f create_database.ldif

Next, create a file called init_database.ldif

 dn: dc=shop,dc=lan
 objectClass: dcObject
 objectclass: organization
 o: dc=shop,dc=lan
 description: LDAP root
 
 dn: ou=People,dc=shop,dc=lan
 objectClass: top
 objectClass: organizationalUnit
 ou: People
 
 dn: ou=Groups,dc=shop,dc=lan
 objectClass: top
 objectClass: organizationalUnit
 ou: Groups

and add it

 sudo ldapadd -Y EXTERNAL -H ldapi:/// -f init_database.ldif

Now modify the ACLs so that only diradmin can modify the database by pasting this into the file acls.ldif

 dn: olcDatabase={1}hdb,cn=config
 add: olcAccess
 olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="uid=admin,ou=People,dc=shop,dc=lan" write by anonymous auth by self write by * none
 olcAccess: {1}to dn.subtree="" by * read
 olcAccess: {2}to * by dn="cn=diradmin,ou=People,dc=shop,dc=lan" write by * read

and modify the database

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acls.ldif

Now stop the LDAP server with /etc/init.d/slapd stop and take the data.ldif file we created earlier. Edit the LDIF to take out the entries that were added by init_database.ldif. Take out the whole blocks; this should be around 15-20 lines.

Next, write that file to the LDAP server with

 sudo -u openldap slapadd -F /etc/ldap/slapd.d -bdc=shop,dc=lan -l data.ldif

You should see a little progress bar tick away.

Note: If you hit an error about "Cannot modify cn=diradmin", don't panic: take that block out and paste it into a separate file. Then run the command again.
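
The manual edit of data.ldif described above (removing the entries that init_database.ldif already created) can be scripted. This is an added example, not part of the original wiki page; the function names and sample entries are constructed, and DNs are assumed to be plain dn: lines rather than base64 dn:: lines.

```bash
# Added example, not from the wiki; function names are hypothetical.

# ldif_drop_entries INIT_LDIF DATA_LDIF
# Print DATA_LDIF without the entries whose DN also appears in INIT_LDIF.
ldif_drop_entries() {
  awk '
    # Lower-cased DN of one entry, or "" if the record has no dn: line.
    function entry_dn(rec,    n, i, lines) {
      gsub(/\n /, "", rec)            # unfold slapcat continuation lines
      n = split(rec, lines, "\n")
      for (i = 1; i <= n; i++)
        if (tolower(lines[i]) ~ /^dn: /)
          return tolower(substr(lines[i], 5))
      return ""
    }
    BEGIN { RS = ""; ORS = "\n\n" }   # paragraph mode: one record per entry
    pass == 1 { d = entry_dn($0); if (d != "") skip[d] = 1; next }
    { d = entry_dn($0); if (!(d in skip)) print }
  ' pass=1 "$1" pass=2 "$2"
}

# ldif_list_dns FILE: list the DNs left in FILE, for review before slapadd.
ldif_list_dns() { grep -i '^dn: ' "$1" | cut -c5-; }

# Constructed sample input, written to a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/init_database.ldif" <<'EOF'
dn: dc=shop,dc=lan
objectClass: dcObject

dn: ou=People,dc=shop,dc=lan
ou: People
EOF
cat > "$demo_dir/data.ldif" <<'EOF'
dn: dc=shop,dc=lan
structuralObjectClass: organization

dn: ou=People,dc=shop,dc=lan
structuralObjectClass: organizationalUnit

dn: uid=jdoe,ou=People,dc=shop,dc=lan
uid: jdoe
EOF
ldif_drop_entries "$demo_dir/init_database.ldif" "$demo_dir/data.ldif" \
  > "$demo_dir/data.trimmed.ldif"
ldif_list_dns "$demo_dir/data.trimmed.ldif"
```

Review the DN list before passing the trimmed file to slapadd, and keep the untrimmed data.ldif as the backup of record.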

Use the slappasswd utility to generate a new root password.