Oracle Linux/OpenLDAP
Latest revision as of 00:42, 22 August 2020
OpenLDAP
Overview
Installed on CentOS 7
Installation
~$ sudo yum install -y openldap-clients openldap-servers
~$ sudo systemctl start slapd
~$ sudo systemctl enable slapd
Configuration
LDAP User Account
Set up a new user account for the LDAP admin:
~$ sudo useradd ldapadmin -d /home/ldapadmin/ -G wheel
~$ sudo passwd ldapadmin
Setup LDAP Admin password
Create a salted SHA ({SSHA}) hash of the desired password for the LDAP admin and add it to the LDAP config as olcRootPW. The parameter may not exist in the config yet, so you may need to add it. Note that -s passes the password on the command line, where it lands in the shell history and is visible in the process list; running slappasswd without -s prompts for it instead.
~$ slappasswd -h {SSHA} -s ldappassword
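The following is an added example, not code from the original page: it builds and checks {SSHA} values of the kind slappasswd -h {SSHA} produces, so you can see what olcRootPW actually stores (a base64 blob of SHA-1(password || salt) followed by the salt) and verify a candidate password against it without a running server. The 4-byte salt length matches slappasswd's default; the function names and the constructed hash values are this example's own.

```python
# Added example (not from the original page): generate and verify OpenLDAP-style
# {SSHA} password hashes, as produced by `slappasswd -h {SSHA}` for olcRootPW.
# Stored form: "{SSHA}" + base64( SHA-1(password || salt) || salt )
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCHEME = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 digest size in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value for `password`; a fresh 4-byte random salt by default."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored {SSHA} value into (digest, salt); None if it is malformed."""
    if not stored.startswith(SCHEME):
        return None
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= DIGEST_LEN:
        return None  # needs a full digest plus at least one salt byte
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(password: str, stored: str) -> bool:
    """Constant-time check of `password` against a stored {SSHA} value."""
    parsed = parse_ssha(stored)
    if parsed is None:
        return False
    digest, salt = parsed
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed demo password; the printed hash differs on every run because
    # the salt is random, which is exactly why two admins' identical passwords
    # do not produce identical olcRootPW/userPassword values.
    value = ssha_hash("ldappassword")
    print(value, verify_ssha("ldappassword", value), verify_ssha("wrong", value))
```

The hash shown on this page, {SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3, decodes to 24 bytes, i.e. the 20-byte digest plus a 4-byte salt, which parse_ssha will split for you. SHA-1 here is the scheme OpenLDAP defines for {SSHA}; it is not a reason to pick a weak password, since the salt only stops precomputed tables, not guessing.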
Configure LDAP Server
Create db.ldif and update the values for your environment:
- olcSuffix (your base DN)
- olcRootDN
- olcRootPW (the {SSHA} hash from slappasswd)
~$ vim db.ldif
...
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3
Send the configuration to the server.
~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
Restrict access to the monitor database to the LDAP root DN (plus the local root user connecting over ldapi, matched by the peercred DN); everyone else gets nothing. Update:
- dn.base (the olcRootDN you set above)
~$ vim monitor.ldif
...
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=itzgeek,dc=local" read by * none
Apply it to the server.
~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
Setup Database
~$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
~$ sudo chown -R ldap:ldap /var/lib/ldap
~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Set up the domain information. Update:
- dn (x4, plus the matching dc value)
~$ vim base.ldif
...
dn: dc=itzgeek,dc=local
dc: itzgeek
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=itzgeek,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: Group
Build the directory structure
~$ sudo ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif
PHPLDAPAdmin
Installation
~$ sudo yum install -y epel-release
~$ sudo yum install -y phpldapadmin
Edit Configuration
~$ sudo vim /etc/phpldapadmin/config.php
...
around line 300, update the domain info
$servers->setValue('server','base',array('dc=itzgeek,dc=local'));
around line 326, update the admin and domain info
$servers->setValue('login','bind_id','cn=ldapadm,dc=itzgeek,dc=local');
around line 397/398, uncomment and comment the following lines
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
Update HTTPD
Next, update the virtual host configuration to allow connections. Note that on Apache 2.4 "Require all granted" exposes the admin interface to every host that can reach the web server, whereas the Apache 2.2 block below only admits localhost; narrow the 2.4 rule to trusted addresses if that is not what you want.
~$ sudo vim /etc/httpd/conf.d/phpldapadmin.conf
...
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>
Restart httpd:
~$ sudo systemctl restart httpd.service
Update firewalld
~$ sudo firewall-cmd --permanent --add-service=http
~$ sudo firewall-cmd --reload
Connect
http://<ip address/hostname>/phpldapadmin
TLS Configuration
TLS or SSL is required for sssd, so if you want to use OpenLDAP authentication for SSH this is pretty much a requirement.
In the example below, I've included a CA certificate because I created my own CA; you may not have to.
Reference: https://www.golinuxcloud.com/configure-openldap-with-tls-certificates/
Position certs and key
Create the directories under /etc/openldap and move the certs and key into them (the original command created them under /etc/openssl, which is not where the later steps look). The key directory and the key itself should be readable only by the ldap user.
~$ sudo mkdir -p /etc/openldap/private /etc/openldap/cacerts
~$ sudo mv ~/ca_server.crt /etc/openldap/cacerts/
~$ sudo mv ~/ldap_server.crt /etc/openldap/certs/
~$ sudo mv ~/ldap_server.key /etc/openldap/private/
~$ sudo chown -R ldap:ldap /etc/openldap/certs /etc/openldap/cacerts /etc/openldap/private/
Implement certs and key
Import the certs and key into cn=config, then verify that the three olcTLS* attributes are set.
~$ vi addcerts.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/private/ldap_server.key
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca_server.crt

~$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /home/r00t/addcerts.ldif
~$ sudo slapcat -b "cn=config" | egrep "olcTLSC"
Update for CA
Update ldap.conf so clients trust the CA certificate (it was placed in /etc/openldap/cacerts above, so point TLS_CACERT there). TLS_REQCERT never can be used to skip certificate verification for a self-signed cert; the security implications are obvious, since the client will then accept any certificate the server presents. With the CA cert configured, verification works without it.
~$ sudo vi /etc/openldap/ldap.conf
...
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/ca_server.crt
TLS_REQCERT never
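As an added example (not part of the original page), here is a small audit of the TLS client settings in an ldap.conf-style file, the kind of check worth running before pushing this config to sssd clients. It parses the keyword/value lines, flags TLS_REQCERT values that weaken or disable server certificate checking, flags a missing trust anchor, and produces a hardened copy with TLS_REQCERT demand. The sample config is constructed from this page; the function names are this example's own.

```python
# Added example (not from the original page): audit TLS client settings in an
# /etc/openldap/ldap.conf-style file. ldap.conf keywords are case-insensitive
# and separated from their value by whitespace; '#' lines are comments.
from typing import Dict, List

# Constructed sample, mirroring the page's client config with verification off.
SAMPLE_WEAK = """\
# /etc/openldap/ldap.conf (constructed sample)
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/ca_server.crt
TLS_REQCERT never
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return {KEYWORD: value} with keywords upper-cased; later lines win."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls(settings: Dict[str, str]) -> List[str]:
    """List findings about server-certificate verification; empty means OK."""
    findings: List[str] = []
    # 'demand' (alias 'hard') is the documented default when the keyword is absent.
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(
            f"TLS_REQCERT {reqcert}: server certificate is not verified; "
            "a client cannot tell the real server from an impostor"
        )
    elif reqcert == "try":
        findings.append(
            "TLS_REQCERT try: a bad certificate is rejected, but a server that "
            "presents none is accepted"
        )
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append(
            "no TLS_CACERT/TLS_CACERTDIR: no trust anchor, so even 'demand' "
            "cannot validate the server certificate"
        )
    return findings


def harden(text: str) -> str:
    """Return the config with TLS_REQCERT set to demand, everything else intact."""
    out: List[str] = []
    seen = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith("#") and \
                stripped.split(None, 1)[0].upper() == "TLS_REQCERT":
            out.append("TLS_REQCERT demand")
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append("TLS_REQCERT demand")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_tls(parse_ldap_conf(SAMPLE_WEAK)):
        print("WARN:", finding)
    print(harden(SAMPLE_WEAK))
```

Because the page's own CA certificate is installed as TLS_CACERT, the hardened config verifies the self-signed server certificate against that CA rather than against the system store, so "demand" works here without any extra trust-store changes.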
Restart and open firewall
Restart the slapd service:
~$ sudo systemctl restart slapd.service
Open the firewall:
~$ sudo firewall-cmd --permanent --add-service=ldaps