Difference between revisions of "User:Alexmat"

From ArchWiki
[http://wiki.archlinux.org/index.php/User:Alexmat:Secure_OpenLDAP_Authentication_for_a_Small_Network Secure OpenLDAP Authentication for a Small Network]
[http://wiki.archlinux.org/index.php/User:Alexmat:Network_File_System_Setup Network File System Setup]
[http://wiki.archlinux.org/index.php/User:Alexmat:Auto_File_System_Mounter Auto File System Mounter]
[http://wiki.archlinux.org/index.php/User:Alexmat:Manual_CK_Kernel_Install Manual CK Kernel Install]
[http://wiki.archlinux.org/index.php/User:Alexmat:Network_Time_Protocol_Daemon Network Time Protocol Daemon]
[http://wiki.archlinux.org/index.php/User:Alexmat:Jabberd_Setup Jabberd Setup]

= Secure OpenLDAP Authentication for a Small Network =
== Introduction and Concepts ==
This guide is composed from bits and pieces of LDAP guides and forums around the net. I borrowed very heavily from Eliott's (cactus) OpenLDAP guide [http://solarblue.net/docs/ldap.htm Ldap Server Setup], which is very well written. Unfortunately Arch Linux has some differences in the way things are set up. It is also the case that most LDAP guides online fall into one of three categories: too general, outdated, or relying on distro-specific tools (e.g. authconfig). This guide is written specifically with Arch Linux in mind and tries to illustrate both LDAP concepts and implementation from the point of view of someone who has never used LDAP before (i.e. the author).
=== OpenLDAP ===
=== NSS and PAM ===
== Server Setup ==
=== Install OpenLDAP ===
pacman -Sy openldap
=== Configure OpenLDAP ===
Generate root password:
slappasswd -h {SSHA}
Edit /etc/openldap/slapd.conf
Start OpenLDAP:
/etc/rc.d/slapd start
=== Populate LDAP Tree with Base Data ===
Create a file called base.ldif with the following text:
# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example

# admin, example.org
dn: cn=admin,dc=example,dc=org
cn: admin
description: LDAP administrator
roleOccupant: dc=example,dc=org
objectClass: organizationalRole
objectClass: top

# People, example.org
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, example.org
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit
Add it to your OpenLDAP Tree:
ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f base.ldif
Test to make sure the data was imported:
ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'
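Two things slapd enforces on base.ldif are easy to get wrong by hand: the RDN value of each dn (for dc=example,dc=org the entry needs "dc: example", not "dc: example.org") must appear among the entry's attributes, and every parent entry must already exist when its children are added. The following added example (not code from the guide) checks both offline before the file is handed to ldapadd; SAMPLE_LDIF is a constructed input containing both mistakes, and the parser handles neither line folding nor base64 ("::") values.

```python
# Pre-flight check for an LDIF file before ldapadd (example code, not from the
# guide). slapd rejects an entry whose RDN value is missing from its attributes,
# and ldapadd fails when a parent entry does not exist yet. SAMPLE_LDIF is
# constructed; 'dc: example.org' is the classic slip for suffix dc=example,dc=org.
SAMPLE_LDIF = """\
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: example.org

dn: ou=People,dc=example,dc=org
ou: People
objectClass: organizationalUnit

dn: cn=build,ou=Group,dc=example,dc=org
cn: build
objectClass: organizationalRole
"""

def normalize_dn(dn):
    # lower-case attribute names and drop spaces around '=' and ','
    rdns = [r.strip().partition("=") for r in dn.split(",")]
    return ",".join(f"{a.strip().lower()}={v.strip()}" for a, _, v in rdns)

def parse_ldif(text):
    entries, attrs = [], None            # [(dn, {attr: [values]})] in file order
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = (s.strip() for s in line.partition(":"))
        if name.lower() == "dn":
            entries.append((normalize_dn(value), attrs := {}))
        elif attrs is not None:
            attrs.setdefault(name.lower(), []).append(value)
    return entries

def check_ldif(text, suffix):
    """List the problems ldapadd would hit; an empty list means the file is sane."""
    problems, seen = [], set()
    for dn, attrs in parse_ldif(text):
        attr, _, val = dn.split(",", 1)[0].partition("=")
        if val not in attrs.get(attr, []):
            problems.append(f"{dn}: naming attribute {attr}={val} not in entry")
        parent = dn.partition(",")[2]          # '' for the suffix itself
        if dn != normalize_dn(suffix) and parent not in seen:
            problems.append(f"{dn}: parent {parent} not defined earlier")
        seen.add(dn)
    return problems
```

Run check_ldif(open("base.ldif").read(), "dc=example,dc=org") against your own file and fix every reported line before the ldapadd step.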
=== Configure TLS Encryption ===
It's a good idea to configure TLS to encrypt the exchange of information between client and server. This way passwords, which are otherwise sent in plain text, cannot be easily sniffed from the wire. In order to use TLS, we must first create a certificate. You can have a certificate signed, or create your own Certificate Authority (CA), but for our purposes a self-signed certificate will suffice. '''IMPORTANT:''' OpenLDAP cannot use a private key that is protected by a passphrase (slapd has no way to prompt for it), which is why the command below uses -nodes.
To create a ''self-signed'' certificate, type the following:
openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important field is the common name (CN): it must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its certificate carries a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (the exact failure mode varies from client to client).
Now that the certificate files have been created, copy them to /etc/openldap/ssl/ (create the directory if it doesn't exist) and secure them. '''IMPORTANT:''' slapdcert.pem must be world readable because it contains only the public certificate; slapdkey.pem holds the private key and must be readable by the user slapd runs as and nobody else.
cp slapdcert.pem slapdkey.pem /etc/openldap/ssl/
chmod 400 slapdkey.pem
chmod 444 slapdcert.pem
Edit the daemon configuration file (/etc/openldap/slapd.conf) to tell LDAP where the certificate files reside by adding the following lines:
# Certificate/SSL Section
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem
The TLSCipherSuite directive specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to specific cipher names, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards.
To see which ciphers are supported by your local OpenSSL installation, type the following:
openssl ciphers -v ALL
In order to tell OpenLDAP to start using encryption, edit /etc/rc.d/slapd and change
stat_busy "Starting OpenLDAP"
    [ -z "$PID" ] && /usr/sbin/slapd
to
stat_busy "Starting OpenLDAP"
    [ -z "$PID" ] && /usr/sbin/slapd -h ldaps:///
This will cause OpenLDAP to accept encrypted (ldaps://, port 636) connections. Note that -h replaces the default listener list, so with only ldaps:/// given slapd no longer listens for plain ldap:// on port 389. '''IMPORTANT:''' If you created a self-signed certificate above, be sure to add the following line to /etc/openldap/ldap.conf or you won't be able to connect to the server to test it:
Restart the server:
/etc/rc.d/slapd restart
To test that the server is encrypting traffic, run the following command:
ldapsearch -x -H ldaps://example.org -b 'dc=example,dc=org' '(objectclass=*)'
== Client Setup ==
=== OpenLDAP ===
'''IMPORTANT:''' If you created a self-signed certificate above, be sure to add the following line to /etc/openldap/ldap.conf or you won't be able to connect to the server:
=== NSS_LDAP ===
=== PAM_LDAP ===
=== Name Service Cache Daemon ===
READ THIS FIRST: [http://bbs.archlinux.org/viewtopic.php?t=9401 NSCD Bugged in Arch Linux]
== Links and Resources ==
Eliott's (cactus) guide for a RedHat server: [http://solarblue.net/docs/ldap.htm Ldap Server Setup]
One of the best OpenLDAP clients: [http://phpldapadmin.sourceforge.net/ phpLDAPadmin]
Debian OpenLDAP setup: [http://www.fatofthelan.com/articles/articles.php?pid=24 Using LDAP for single authentication]
How to integrate OpenLDAP for Mac OS X, Windows and Linux: [http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]

Latest revision as of 00:59, 18 September 2005