Installation, configuration notes and generic lessons learned on openldap

Author: Doug O’Leary
Created: 07/27/13
Updated:
Description: Notes and lessons learned re openldap

Overview:

It’s time to relearn ldap. I installed and configured it for a client a good while back and have had some minor fun with it since at a couple of clients. Problem is, though, that I’m running into crap that I don’t know and I don’t like it.

Case in point: while attempting to work with a network tech to get the right ports open to the right server, I was using the system listed in /etc/openldap/ldap.conf instead of /etc/ldap.conf. Why are those two flipping different? They obviously can be; but should they be?

I think I finally figured out why it’s /etc/ldap.conf instead of /etc/openldap/ldap.conf (nss_ldap uses /etc/ldap.conf), but still.

While on the topic, I also decided I want to figure out directory replication, backup and recovery, and, possibly most cool: how to store ssh keys in the directory. Public keys need to support the forced commands and private keys should be user restricted so they can’t reset the passphrase to null.

Notes:

  • Reading through chapter 24 of the centos docs for ldap. Doesn’t seem like a lot of actual implementation information in here. //later: I was right, not a lot there. Did have links to other sites that I’ve bookmarked - and three antique books.
  • Moving on to the openldap site. Just downloaded the 2.4 admin guide and will be going through that. Not nearly as quickly as the centos chapter... this one’s 264 pages long.
  • ldap forums at http://www.umich.edu/~dirsvcs/ldap/mailinglist.html
  • Newly provisioned VMs installed/patched, and rebooting. ldapa is going to be the ldap master. ldapb will be, initially, the first ldap client followed by the replication server.
  • Wow; that’s fucked up. The /etc/openldap/slapd.conf file no longer exists and is apparently deprecated. The quickstart guide on openldap.org tells you to edit the goddamned thing. WTF with that?? I found another site that provides details for a ‘minimal install guide’ and will be following that before going back to the openldap admin guide. http://spectlog.com/content/Minimal_LDAP_configuration_on_RHEL6_in_stages_and_details
    • The slapd.conf.bak file isn’t in the same place. Now, RH is calling it slapd.conf.obsolete.
    • DB_CONFIG file isn’t there either: /usr/share/openldap-servers*
    • Rest of the directions worked as advertised.
  • Creating a new vm (ldapc) to go through the install manually. All the makes seem to have worked. Running through the tests now. That’s taking longer than expected.
  • I read through the chapter on the new slapd-config and I’m still confused. Basically, they turned the slapd.conf file into entries in the directory. It’s a different database (-D cn=config vs -D cn=example).
    • How am I supposed to access it though?
    • How do I display entries in it?
    • How do I update entries?
  • OK: got access to the config db. You apparently have to set the config passwd first - as part of the initial configuration. There should be some way to reset it. What happens if you forget the damned thing? Question for later; but, I’m in. The process that I followed is:
    • Create a reset script as follows. Logic courtesy of spectlog.com
# cat /root/bin/reset_ldap
#!/bin/ksh
# Wipe and rebuild the slapd config tree and data directory from a
# slapd.conf-style file, then reload the base LDIFs. Destructive by design.

wdir=/root/working/ldap
Config=${1:-/etc/openldap/slapd.example.conf}
service slapd stop
# drop the generated cn=config tree and the bdb data files
rm -fr /etc/openldap/slapd.d/* /var/lib/ldap/*
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# empty input: creates the (empty) database described by the old-style config
echo "" | slapadd -f ${Config}
# convert the slapd.conf-style file into the cn=config tree under slapd.d
slaptest -f ${Config} -F /etc/openldap/slapd.d
cd ${wdir} || exit 1
for f in example.com.ldif \
        admin.example.com.ldif \
        groups.example.com.ldif \
        users.example.com.ldif
do
        echo slapadd -l ${f}
        slapadd -l ${f}
done
# slapadd ran as root; hand the files back to the account slapd runs as
chown -R ldap:ldap /var/lib/ldap /etc/openldap/slapd.d
service slapd start

    • Add rootpw entry to the database config section of slapd.example.conf
    • Run reset_ldap
    • Verify by running ldapsearch -D cn=config -W -b cn=config
  • Very definitely did not get the warm fuzzy from the openldap admin guide so more searching about interfacing with the slapd.config resulted in zytrax open Reading through that one now. Seems much more complete.
  • OK: ldap browser’s not going to do me much good as the server and clients are all on vms behind the vmhost firewall. No biggie; wanted to relearn ldapsearch anyway.
  • (08/24/13): finished going through the zytrax book and, while all good info, I’m still not warm and fuzzy. I remember getting quite a bit of good info from the oreilly’s ldap book so I went and rebought it. It’ll be a bit dated, but that’s my next step.
  • I got involved with getting the mkhomedir functionality working on solaris boxes at work. While the final resolution there is still in question, I have the right answer to post to the lessons learned site. Doing that now. // few minutes later. OK; that’s done. Still need to get the ldapsearch that supports -Z, though. Don’t remember where that is off the top of my head.
  • Rebuilding ldapa as I have a new url to try: http://linuxserverathome.com/articles/installing-and-configuring-openldap-2423-centos-63
  • That link was quite good. After some wrestling, I finally got openldap running and saw some methods of updating the cn=config mess. Got a few more things to do; but, we can continue with the openldap book.
  • The /etc/openldap/ldap.conf file is for clients only - similar to tnsnames.ora file for oracle.
  • (08/29/13) Followed the links in the centos install doc; but, got a bit lost trying to get users added. Followed another link and got dkoleary/admin added; however, somewhere along the line, I lost access to the cert again. I’m depressed... Stopping for the night.

Questions to be answered:

  • How to access config db if pwd or access method is forgotten/disabled?
  • How to query specific elements from the config db

Things to do:

  • Locking the rootdn down to a specific IP address, eg on page 67 of openldap admin guide.
  • (done) ldap browser
  • ldap w/iptables firewall
  • authentication
  • public ssh keys
  • private ssh keys
  • password aging
    • does ldap block ssh/pka access to accounts whose passwords have expired?
    • does the passwd/chage combo work to force users to change pwds on initial access?
  • multiple base dns (how to add, how to support, how to integrate, etc)
  • samba authenticating to ldap
  • process for updating the ssl certs.

Command examples:

  • searching the cn=config:

    ldapsearch -b cn=config -D cn=admin,cn=config -w ${pwd} \
    '(objectclass=olcglobal)'
    # extended LDIF
    #
    # LDAPv3
    # base <cn=config> with scope subtree
    # filter: (objectclass=olcglobal)
    # requesting: ALL
    #
    
    # config
    dn: cn=config
    objectClass: olcGlobal
    cn: config
    olcConfigFile: /etc/openldap/slapd.conf.bak
    olcConfigDir: /etc/openldap/slapd.d
    olcAllows: bind_v2
    olcArgsFile: /var/run/openldap/slapd.args
    olcAttributeOptions: lang-
    olcAuthzPolicy: none
    olcConcurrency: 0
    olcConnMaxPending: 100
    olcConnMaxPendingAuth: 1000
    olcGentleHUP: FALSE
    olcIdleTimeout: 0
    olcIndexSubstrIfMaxLen: 4
    olcIndexSubstrIfMinLen: 2
    olcIndexSubstrAnyLen: 4
    olcIndexSubstrAnyStep: 2
    olcIndexIntLen: 4
    olcLocalSSF: 71
    olcPidFile: /var/run/openldap/slapd.pid
    olcReadOnly: FALSE
    olcReverseLookup: FALSE
    olcSaslSecProps: noplain,noanonymous
    olcSockbufMaxIncoming: 262143
    olcSockbufMaxIncomingAuth: 16777215
    olcThreads: 16
    olcTLSCACertificatePath: /etc/openldap/certs
    olcTLSCertificateFile: "OpenLDAP Server"
    olcTLSCertificateKeyFile: /etc/openldap/certs/password
    olcTLSVerifyClient: never
    olcToolThreads: 1
    olcWriteTimeout: 0
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    
  • Identifying the indexes used in the bdb database:

    ldapsearch -ZZ -b cn=config -D cn=admin,cn=config -w 3pizda \
    '(olcdatabase={2}bdb)' olcdbindex
    # extended LDIF
    #
    # LDAPv3
    # base <cn=config> with scope subtree
    # filter: (olcdatabase={2}bdb)
    # requesting: olcdbindex
    #
    
    # {2}bdb, config
    dn: olcDatabase={2}bdb,cn=config
    olcDbIndex: objectClass pres,eq
    olcDbIndex: cn pres,eq,sub
    olcDbIndex: uid pres,eq,sub
    olcDbIndex: uidNumber pres,eq
    olcDbIndex: gidNumber pres,eq
    olcDbIndex: mail pres,eq,sub
    olcDbIndex: ou pres,eq,sub
    olcDbIndex: loginShell pres,eq
    olcDbIndex: sn pres,eq,sub
    olcDbIndex: givenName pres,eq,sub
    olcDbIndex: memberUid pres,eq,sub
    olcDbIndex: nisMapName pres,eq,sub
    olcDbIndex: nisMapEntry pres,eq,sub
    
    # search result
    search: 3
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    Note: you can also use '(objectclass=olcbdbconfig)' as the filter.

  • Sample database queries (using a really small database):

    ldapsearch -ZZ -b dc=oci,dc=com -D cn=manager,dc=oci,dc=com -w 3pizda \
    '(objectclass=organizationalunit)' dn
    # extended LDIF
    #
    # LDAPv3
    # base <dc=oci,dc=com> with scope subtree
    # filter: (objectclass=organizationalunit)
    # requesting: dn
    #
    
    # people, oci.com
    dn: ou=people,dc=oci,dc=com
    
    # groups, oci.com
    dn: ou=groups,dc=oci,dc=com
    
    # search result
    search: 3
    result: 0 Success
    
    # numResponses: 3
    # numEntries: 2
    
    ldapsearch -Z -w 3pizda -D cn=manager,dc=oci,dc=com \
    '(objectclass=organizationalunit)' dn
    # extended LDIF
    #
    # LDAPv3
    # base <dc=oci,dc=com> (default) with scope subtree
    # filter: (objectclass=organizationalunit)
    # requesting: dn
    #
    
    # people, oci.com
    dn: ou=people,dc=oci,dc=com
    
    # groups, oci.com
    dn: ou=groups,dc=oci,dc=com
    
    # search result
    search: 3
    result: 0 Success
    
    # numResponses: 3
    # numEntries: 2
    

    Note the difference between the commands; the second one didn’t specify a base. It picked up the base to use from the /etc/openldap/ldap.conf file.
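    The ldapsearch output in the examples above is LDIF, so it can be parsed rather than read by eye. As an added example that is not part of these notes, the Python below parses that output (comment lines, blank-line separated entries, folded continuation lines and base64 '::' values) and then answers the "which indexes exist" question for the {2}bdb database by listing attributes that lack an equality index; the embedded sample is constructed to mirror the shape of the entries shown above, not captured from a server.

```python
import base64
import re

# Constructed sample in the shape ldapsearch prints (not real server output).
SAMPLE = """\
# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
olcDbIndex: objectClass pres,eq
olcDbIndex: uid pres,eq,sub
olcSuffix:: ZGM9b2NpLGRjPWNvbQ==
olcRootDN: cn=manager,
 dc=oci,dc=com

# search result
result: 0 Success
"""

def parse_ldif(text):
    """Return [{'dn': str, 'attrs': {name: [values]}}] for every entry that has a dn."""
    text = re.sub(r"\n ", "", text)        # unfold: newline + space continues the previous line
    entries, cur = [], {"dn": None, "attrs": {}}
    for line in text.splitlines() + [""]:  # the trailing "" flushes the last entry
        if line.startswith("#"):           # ldapsearch's comment lines
            continue
        if not line.strip():               # a blank line terminates an entry
            if cur["dn"]:                  # the 'result: 0 Success' trailer has no dn and is dropped
                entries.append(cur)
            cur = {"dn": None, "attrs": {}}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: <base64>' (non-ASCII or leading-space values)
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if name.lower() == "dn":
            cur["dn"] = value
        else:
            cur["attrs"].setdefault(name, []).append(value)
    return entries

def missing_eq_index(entries, wanted):
    """Names in `wanted` with no 'eq' index in any olcDbIndex value (equality searches on them scan the whole db)."""
    indexed = set()
    for e in entries:
        for v in e["attrs"].get("olcDbIndex", []):
            attr, _, kinds = v.partition(" ")
            if "eq" in kinds.split(","):
                indexed.add(attr.lower())
    return [a for a in wanted if a.lower() not in indexed]
```

    Feed it the output of an ldapsearch for olcdbindex and it reports which of the attributes nss_ldap looks up (uid, uidNumber, gidNumber, memberUid) are still unindexed. The bind password given with -w in the commands above is visible in ps output and shell history; ldapsearch's -W prompts for it and -y reads it from a file instead.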