Oracle Linux/OpenLDAP

From r00tedvw.com wiki
Latest revision as of 00:42, 22 August 2020

OpenLDAP


Overview

Installed on CentOS 7

Installation

~$ sudo yum install -y openldap-clients openldap-servers
~$ sudo systemctl start slapd
~$ sudo systemctl enable slapd

Configuration

LDAP User Account

Set up a new user account for the LDAP admin.

~$ sudo useradd ldapadmin -d /home/ldapadmin/ -G wheel
~$ sudo passwd ldapadmin

Setup LDAP Admin password

Create an SSHA (salted SHA-1) hash of the desired password for the LDAP admin and add it to the LDAP config. The parameter may not exist in the config file; you may need to add it.

~$ slappasswd -h {SSHA} -s ldappassword
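Added helper script, not from the wiki page: it reproduces the {SSHA} scheme slappasswd uses (SHA-1 over password+salt, then base64 of digest+salt) so you can confirm that the olcRootPW value you paste into db.ldif below was really derived from the intended password. It assumes coreutils sha1sum, base64 and od; the fixed salt handed to ssha_make is a constructed example, slappasswd picks a random one.

```shell
#!/bin/sh
# Added helper (not from the wiki page): build and verify {SSHA} hashes the way
# slappasswd does: SHA-1 over password||salt, then base64 of digest||salt.
# Assumes coreutils sha1sum, base64 and od.

# Write the bytes encoded by a hex string to stdout, using octal printf escapes.
hex2bin() {
    h=$1
    while [ -n "$h" ]; do
        pair=$(printf '%.2s' "$h")
        printf "\\$(printf '%03o' "0x$pair")"
        h=${h#??}
    done
}

# ssha_make PASSWORD SALT_HEX -> {SSHA}base64(sha1(password||salt)||salt)
# slappasswd uses a random 4-byte salt; pass "$(random_salt)" for the same effect.
ssha_make() {
    digest=$({ printf '%s' "$1"; hex2bin "$2"; } | sha1sum | cut -c1-40)
    printf '{SSHA}%s\n' "$(hex2bin "$digest$2" | base64)"
}

# random_salt -> 4 random bytes as hex, like slappasswd
random_salt() {
    od -An -N4 -tx1 /dev/urandom | tr -d ' \n'
}

# ssha_check PASSWORD STORED -> 0 if STORED was derived from PASSWORD, 1 if
# not, 2 if STORED is not a well-formed {SSHA} value. The salt is recovered
# from the stored value, so any salt length works.
ssha_check() {
    case "$2" in '{SSHA}'*) ;; *) return 2 ;; esac
    raw=$(printf '%s' "$2" | cut -c7- | base64 -d | od -An -v -tx1 | tr -d ' \n')
    [ "${#raw}" -gt 40 ] || return 2            # must hold a SHA-1 plus salt
    digest=$(printf '%s' "$raw" | cut -c1-40)
    salt=$(printf '%s' "$raw" | cut -c41-)
    [ "$({ printf '%s' "$1"; hex2bin "$salt"; } | sha1sum | cut -c1-40)" = "$digest" ]
}

# Usage: ssha_check 'ldappassword' '{SSHA}...' && echo "olcRootPW matches"
```

slappasswd prompts for the password when -s is omitted, which keeps it out of the shell history and the process list.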

Configure LDAP Server

Create db.ldif and update:

  • SSHA password
  • olcRootDN
~$ vim db.ldif
...
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=itzgeek,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}d/thexcQUuSfe3rx3gRaEhHpNJ52N8D3

Send the configuration to the server.

~$ sudo ldapmodify -Y EXTERNAL  -H ldapi:/// -f db.ldif

Restrict monitor access to the LDAP root DN only. Update:

  • dn.base
~$ vim monitor.ldif
...
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=itzgeek,dc=local" read by * none

Apply it to the server.

~$ sudo ldapmodify -Y EXTERNAL  -H ldapi:/// -f monitor.ldif

Setup Database

~$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
~$ sudo chown -R ldap:ldap /var/lib/ldap
~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Set up the domain information. Update:

  • dn (x4)
~$ vim base.ldif
...
dn: dc=itzgeek,dc=local
dc: itzgeek
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=itzgeek,dc=local
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=People,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=itzgeek,dc=local
objectClass: organizationalUnit
ou: Group

Build the directory structure

~$ sudo ldapadd -x -W -D "cn=ldapadm,dc=itzgeek,dc=local" -f base.ldif

PHPLDAPAdmin

Installation

~$ sudo yum install -y epel-release
~$ sudo yum install -y phpldapadmin

Edit Configuration

~$ sudo vim /etc/phpldapadmin/config.php
...
Around line 300, update the domain info:
$servers->setValue('server','base',array('dc=itzgeek,dc=local'));

Around line 326, update the admin and domain info:
$servers->setValue('login','bind_id','cn=ldapadm,dc=itzgeek,dc=local');

Around line 397/398, uncomment the first line and comment out the second:
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');

Update HTTPD

Next, update the httpd configuration for phpLDAPadmin to allow connections:

~$ sudo vim /etc/httpd/conf.d/phpldapadmin.conf
...
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
   <IfModule mod_authz_core.c>
     # Apache 2.4
     # "Require all granted" exposes the admin UI to every client that can reach
     # httpd; the package default is "Require local". Use "Require ip <admin
     # network>" instead if the UI must be reachable from other hosts.
     Require all granted
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2 (only localhost is allowed here)
     Order Deny,Allow
     Deny from all
     Allow from 127.0.0.1
     Allow from ::1
   </IfModule>
</Directory>

restart

~$ sudo systemctl restart httpd.service

Update firewalld

~$ sudo firewall-cmd --permanent --add-service=http
~$ sudo firewall-cmd --reload

Connect

http://<ip address/hostname>/phpldapadmin

TLS Configuration

TLS or SSL is required for sssd, so if you want to use OpenLDAP authentication for ssh this is pretty much a requirement.
In the example below, I've included a CA certificate because I created my own CA; you may not have to.
Reference: https://www.golinuxcloud.com/configure-openldap-with-tls-certificates/

Position certs and key

Create the directories under /etc/openldap and move the certs and key into them (the mv commands and the LDIF that follows expect these paths; /etc/openldap/certs already exists on CentOS 7).

~$ sudo mkdir -p /etc/openldap/private /etc/openldap/cacerts
~$ sudo mv ~/ca_server.crt /etc/openldap/cacerts/
~$ sudo mv ~/ldap_server.crt /etc/openldap/certs/
~$ sudo mv ~/ldap_server.key /etc/openldap/private/
~$ sudo chown -R ldap:ldap /etc/openldap/certs /etc/openldap/cacerts /etc/openldap/private/

Implement certs and key

Import the certs and key into cn=config, then verify.

~$ vi addcerts.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap_server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/private/ldap_server.key
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca_server.crt

~$ sudo ldapmodify -Y EXTERNAL -H ldapi:// -f /home/r00t/addcerts.ldif
~$ sudo slapcat -b "cn=config" | egrep "olcTLSC"

Update for CA

Update ldap.conf with the CA cert. TLS_REQCERT never can be used to disable certificate verification for a self-signed cert; the security implications are obvious.

~$ sudo vi /etc/openldap/ldap.conf
...
TLS_CACERTDIR	/etc/openldap/certs
TLS_CACERT	/etc/openldap/certs/ca_server.crt
TLS_REQCERT	never
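As an added check (not part of the wiki page), the script below audits what the two previous sections set up: it reads TLS_REQCERT from ldap.conf and flags the levels that skip verification (never, allow, try), and confirms the private key moved under /etc/openldap/private is not world-readable. Paths default to the ones used above and can be overridden through the LDAP_CONF and LDAP_KEY variables (names assumed here).

```shell
#!/bin/sh
# Added audit helper, not part of the wiki page: checks the client-side TLS
# policy in ldap.conf and the private key permissions from the steps above.
# Paths are the page's; override via LDAP_CONF / LDAP_KEY for other layouts.
LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"
LDAP_KEY="${LDAP_KEY:-/etc/openldap/private/ldap_server.key}"

# Print the value of a directive from an ldap.conf-style file.
# Comment lines are skipped; if the key repeats, the last value wins.
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        toupper($1) == toupper(key) { v = $2 }
        END { print v }' "$1"
}

# Return 0 only for the levels that always verify the server certificate.
# TLS_REQCERT defaults to "demand" when unset; "never" and "allow" skip
# verification, so a spoofed server could capture bind credentials.
reqcert_ok() {
    case "$(conf_value "$1" TLS_REQCERT | tr 'A-Z' 'a-z')" in
        ""|demand|hard) return 0 ;;
        *)              return 1 ;;
    esac
}

# Return 0 if the key file exists and is not world-readable (POSIX find).
key_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune -perm -004 -print)" ]
}

# Run both checks, print findings, return the number of problems found.
audit_tls() {
    conf="${1:-$LDAP_CONF}" key="${2:-$LDAP_KEY}" problems=0
    if reqcert_ok "$conf"; then
        echo "ok: $conf verifies the server certificate"
    else
        echo "WEAK: $conf sets TLS_REQCERT $(conf_value "$conf" TLS_REQCERT); use demand with TLS_CACERT pointing at the CA"
        problems=$((problems + 1))
    fi
    if key_private "$key"; then
        echo "ok: $key is not world-readable"
    else
        echo "WEAK: $key is missing or world-readable; chown ldap:ldap and chmod 600"
        problems=$((problems + 1))
    fi
    return "$problems"
}

if [ "${1:-}" = "--run" ]; then audit_tls "$LDAP_CONF" "$LDAP_KEY"; fi
```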

Restart and open firewall

Restart the slapd service:

~$ sudo systemctl restart slapd.service

Open the firewall. The permanent rule only takes effect after a reload. Note that the ldaps service (port 636) only helps if slapd is actually listening on ldaps:// (SLAPD_URLS in /etc/sysconfig/slapd); STARTTLS on port 389 works with the ldap service instead.

~$ sudo firewall-cmd --permanent --add-service=ldaps
~$ sudo firewall-cmd --reload