Installing and configuring OpenLDAP+phpldapadmin+SSL/TLS+NFS Remote home directories

From Fyzix

Reference: http://www.howtoforge.com/debian-squeeze-ldap-server-with-openldap-and-phpldapadmin

Reference: https://www.youtube.com/watch?v=DM_UQVVVtoY continued https://www.youtube.com/watch?v=kSCx3tzC0cA

Reference: http://askubuntu.com/questions/127389/how-to-configure-ubuntu-as-an-ldap-client

Installation

apt-get update
apt-get upgrade
apt-get install slapd

When prompted enter a password for the administrator of the LDAP server.

Now we need to install ldap-utils and phpLDAPadmin. This also installs apache2 and PHP, which are dependencies of phpLDAPadmin.

apt-get install ldap-utils phpldapadmin

Open /etc/ldap/ldap.conf with your favorite editor.

pico /etc/ldap/ldap.conf

Uncomment the BASE and URI lines and set them to your base DN and server address:

#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
BASE dc=fyzix,dc=net
URI ldap://127.0.0.1
 
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

After editing the BASE dc= values, run the following command to reconfigure slapd for your domain:

dpkg-reconfigure slapd

Select No when asked whether to omit the OpenLDAP server configuration, then follow the prompts: type in your domain (e.g. example.com) and choose the recommended settings.

Now open /etc/phpldapadmin/config.php:

pico /etc/phpldapadmin/config.php

$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','Quorra LDAP Server');
$servers->setValue('server','host','10.1.38.93');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=burn,dc=net'));
// The bind DN is the slapd administrator and must sit under the base DN above.
$servers->setValue('login','bind_id','cn=admin,dc=burn,dc=net');

Your server is now up and running, ready to be used. You should be able to reach phpLDAPadmin at http://10.1.38.93/phpldapadmin; log in as the bind_id configured above with the administrator password you set when installing slapd.

Modify the posixAccount template

Modify this template to use /home/$username as opposed to /home/users/$username. Additionally, allow /bin/bash as a shell.

/etc/phpldapadmin/templates/creation/posixAccount.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
 
<template>
<askcontainer>1</askcontainer>
<description>New User Account</description>
<icon>ldap-user.png</icon>
<invalid>0</invalid>
<rdn>cn</rdn>
<!--<regexp>^ou=People,o=.*,</regexp>-->
<title>Generic: User Account</title>
<visible>1</visible>
 
<objectClasses>
<objectClass id="inetOrgPerson"></objectClass>
<objectClass id="posixAccount"></objectClass>
</objectClasses>
 
<attributes>
<attribute id="givenName">
        <display>First name</display>
        <icon>ldap-uid.png</icon>
        <onchange>=autoFill(cn;%givenName% %sn%)</onchange>
        <onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
        <order>1</order>
        <page>1</page>
</attribute>
<attribute id="sn">
        <display>Last name</display>
        <onchange>=autoFill(cn;%givenName% %sn%)</onchange>
        <onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
        <!-- <onchange>=autoFill(homeDirectory;/home/%uid|0-1/l%/%uid%)</onchange> -->
        <order>2</order>
        <page>1</page>
</attribute>
<attribute id="cn">
        <display>Common Name</display>
        <order>3</order>
        <page>1</page>
</attribute>
<attribute id="uid">
        <display>User ID</display>
        <onchange>=autoFill(homeDirectory;/home/%uid%)</onchange>
        <order>4</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="homeDirectory">
        <display>Home directory</display>
        <!-- <onchange>=autoFill(homeDirectory;/home/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
        <order>8</order>
        <page>1</page>
</attribute>
<attribute id="uidNumber">
        <display>UID Number</display>
        <icon>terminal.png</icon>
        <order>6</order>
        <page>1</page>
        <readonly>1</readonly>
        <value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
<attribute id="gidNumber">
        <display>GID Number</display>
        <!-- <onchange>=autoFill(homeDirectory;/home/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
        <order>7</order>
        <page>1</page>
        <value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
</attribute>
<attribute id="loginShell">
        <display>Login shell</display>
        <order>9</order>
        <page>1</page>
        <!-- <value><![CDATA[=php.PickList(/;(&(objectClass=posixAccount));loginShell;%loginShell%;;;;loginShell)]]></value> -->
        <type>select</type>
        <value id="/bin/sh">/bin/sh</value>
        <value id="/bin/csh">/bin/csh</value>
        <value id="/bin/tsh">/bin/tsh</value>
        <value id="/bin/bash">/bin/bash</value>
</attribute>
<attribute id="userPassword">
        <display>Password</display>
        <!-- <helper>
                <display>Encryption</display>
                <id>enc</id>
                <value>=php.PasswordEncryptionTypes()</value>
        </helper> -->
        <icon>lock.png</icon>
        <order>5</order>
        <page>1</page>
        <post>=php.PasswordEncrypt(%enc%;%userPassword%)</post>
        <spacer>1</spacer>
        <verify>1</verify>
</attribute>
</attributes>
 
</template>

Adding objects People / Groups

Open phpLDAPadmin in a browser: http://<ip address of the server>/phpldapadmin

Click Create new entry here > Click Generic: Organization Unit > Name the unit people > Commit

Click Create new entry here > Click Generic: Organization Unit > Name the unit groups > Commit

Click ou=groups > Click Create a child entry > Click Generic: Posix Group > Name the group genusers for "General users"

Click ou=people > Click Create a child entry > Click Generic: User Account > Name the user and fill in the relevant fields. Be sure to assign the user to the genusers GID.

SSL/TLS for OpenLDAP

Reference: http://rogermoffatt.com/2011/08/24/ubuntu-openldap-with-ssltls/

Reference: http://labs.opinsys.com/blog/2010/01/28/setting-up-openldap-on-ubuntu-10-04-lucid-part2/

The references are okay, but some steps are missing. Hopefully my documentation is more thorough.

Prerequisites

apt-get update
apt-get upgrade
apt-get install gnutls-bin

Server side configuration

Generate certificates

OpenLDAP on Debian/Ubuntu is built against GnuTLS and needs PEM-formatted certificates and keys. Use certtool (from the gnutls-bin package installed above) to generate them.

Generate CA certs

First make the temp directory where certs can land.

mkdir -p /root/certs/

The CA key needs to be created and signed:

certtool --generate-privkey --outfile /etc/ssl/private/ldap-ca-key.pem
certtool --generate-self-signed --load-privkey /etc/ssl/private/ldap-ca-key.pem \
--outfile /root/certs/ldap-ca-cert.pem

You'll get asked a bunch of questions. Feel free to hit enter for most of them (i.e. leave them blank). Below are the important variables. Be sure the common name matches the hostname of the OpenLDAP server. This will generate a certificate that is good for 10 years.

Common name: ca.edu.example.org
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Will the certificate be used to sign other certificates? (y/N): y

Fix permissions – the resulting files need to be readable by the openldap group.

To do this, add the openldap user to the ssl-cert group and then ensure the certs and key are owned by the ssl-cert group. Remember that the directory /etc/ssl/private has strict permissions on it so you need to get this right.

adduser openldap ssl-cert

If ldap-ca-key.pem is not already owned by the ssl-cert group, change its group:

chgrp ssl-cert /etc/ssl/private/ldap-ca-key.pem

To verify the permissions:

cd /etc/ssl/private
ls -la

Generate server certs

Next create the server key and certificate and sign it:

certtool --generate-privkey --outfile /root/certs/ldap-server.key
certtool --generate-certificate --load-privkey /root/certs/ldap-server.key \
--outfile /root/certs/ldap-server.crt --load-ca-certificate /root/certs/ldap-ca-cert.pem \
--load-ca-privkey /etc/ssl/private/ldap-ca-key.pem

Again, you'll get asked a bunch of questions. Feel free to hit enter for most of them (i.e. leave them blank). Below are the important variables. Be sure the common name matches the hostname of the OpenLDAP server. This will generate a certificate that is good for 10 years.

Common name: ldap.edu.example.org
The certificate will expire in (days): 3650
Will the certificate be used for signing (required for TLS)? (y/N): y
Will the certificate be used for encryption (not required for TLS)? (y/N): y

Install the certs

install -D -o openldap -g openldap -m 600 /root/certs/ldap-server.crt \
             /etc/ssl/certs/ldap-server.crt
install -D -o openldap -g openldap -m 600 /root/certs/ldap-server.key \
             /etc/ssl/certs/ldap-server.key
install -D -o openldap -g openldap -m 600 /root/certs/ldap-ca-cert.pem \
             /etc/ssl/certs/ldap-ca-cert.pem

Create ldif file

Create a suitable ssl.ldif file for importing into the configuration database.

pico /etc/ldap/ssl.ldif

Contents:

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ldap-ca-cert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap-server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/certs/ldap-server.key

Import ssl.ldif

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ssl.ldif -v

The -v gives you a verbose output. Make sure that you see the new entries being printed out, if it just says something like:

modifying entry "cn=config"
modify complete

Then this DOES NOT mean it has worked. It quite likely means it hasn’t processed the file because of errors and no changes will actually have been made. You need to see it list the entries it has modified.

For example, this is what a successful run looks like:

ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add olcTLSCACertificateFile:
        /etc/ssl/certs/ldap-ca-cert.pem
add olcTLSCertificateFile:
        /etc/ssl/certs/ldap-server.crt
add olcTLSCertificateKeyFile:
        /etc/ssl/certs/ldap-server.key
modifying entry "cn=config"
modify complete

Make OpenLDAP listen on SSL port

Modify /etc/default/slapd

pico /etc/default/slapd

Find the line that says

SLAPD_SERVICES="ldap:/// ldapi:///"

Modify it to say

SLAPD_SERVICES="ldap://10.1.38.93/ ldapi://10.1.38.93/ ldaps://10.1.38.93/"

I have statically bound slapd to my IP address (change it to whatever IP address you're using). I have also removed the non-secure wildcard ldap:/// listener; note, however, that plain ldap:// on port 389 is still served on the bound address, as the netstat output below shows. Also be aware that for ldapi:// the host part of the URL is read as a Unix socket path, so ldapi://10.1.38.93/ creates a socket literally named 10.1.38.93 (visible in the unix lines of that output) instead of the default socket (/var/run/slapd/ldapi on Debian/Ubuntu) that ldapi:/// denotes and that ldapmodify -H ldapi:/// expects.

Restart slapd

service slapd restart

To verify the new configuration

netstat -nap|grep slapd

You should see something like this:

root@Quorra:~# netstat -nap|grep slapd
tcp        0      0 10.1.38.93:636          0.0.0.0:*               LISTEN      4210/slapd
tcp        0      0 10.1.38.93:389          0.0.0.0:*               LISTEN      4210/slapd
tcp        0      0 10.1.38.93:389          10.1.38.33:38183        ESTABLISHED 4210/slapd
tcp        0      0 10.1.38.93:389          10.1.38.33:57876        ESTABLISHED 4210/slapd
tcp        0      0 10.1.38.93:389          10.1.38.103:60777       ESTABLISHED 4210/slapd
tcp        0      0 10.1.38.93:389          10.1.38.103:41237       ESTABLISHED 4210/slapd
tcp        0      0 10.1.38.93:389          10.1.38.103:41252       ESTABLISHED 4210/slapd
tcp        0      0 10.1.38.93:389          10.1.38.103:43690       ESTABLISHED 4210/slapd
tcp        0      0 10.1.38.93:389          10.1.38.103:41238       ESTABLISHED 4210/slapd
tcp        0      0 10.1.38.93:389          10.1.38.103:46109       ESTABLISHED 4210/slapd
tcp        0      0 10.1.38.93:389          10.1.38.103:38866       ESTABLISHED 4210/slapd
tcp        0      0 10.1.38.93:389          10.1.38.103:41254       ESTABLISHED 4210/slapd
tcp        0      0 10.1.38.93:389          10.1.38.103:41249       ESTABLISHED 4210/slapd
tcp        0      0 10.1.38.93:389          10.1.38.103:60675       ESTABLISHED 4210/slapd
unix  2      [ ACC ]     STREAM     LISTENING     12661    4210/slapd          10.1.38.93
unix  2      [ ]         DGRAM                    1928089  4210/slapd

Fix untrusted certificate problem

Modify /etc/ldap/ldap.conf

pico /etc/ldap/ldap.conf

Add these lines to your config.

TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT never

The first line points the client library at ldap-ca-cert.pem. The second line works around the untrusted certificate problem by turning off verification of the server certificate altogether (see TLS_REQCERT in ldap.conf(5)).

Example /etc/ldap/ldap.conf

#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
BASE    dc=burn,dc=net
URI     ldaps://10.1.38.93
 
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
 
# TLS certificates (needed for GnuTLS)
#TLS_CACERT     /root/certs/ca-certificates.crt
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT never

Restart slapd

service slapd restart

Client side configuration

Prerequisites

apt-get install libnss-ldapd libpam-ldapd

When prompted, enter your LDAP server URI:

Example: ldaps://10.1.38.93

LDAP server search base: dc=burn,dc=net

Modify to match your configuration.

Check server SSL certificates: never

During installation select ldap for the following nss services:

   group
   passwd
   shadow

This configures /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf automatically so that they work correctly.

When asked whether to override /etc/pam.d/common-*, go ahead and say yes.

Fetch/Install CA-cert

Copy /etc/ssl/certs/ldap-ca-cert.pem from the server to /etc/ssl/certs/ on the client:

scp -P 32022 root@10.1.38.93:/etc/ssl/certs/ldap-ca-cert.pem /etc/ssl/certs/ldap-ca-cert.pem

Modify the IP address to match your server's IP.

Modify client side ldap.conf

Then add the following lines in /etc/ldap/ldap.conf:

pico /etc/ldap/ldap.conf

URI ldaps://10.1.38.93/
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT never

Again, modify the IP address to match your server's IP.

Example client side /etc/ldap/ldap.conf

#
# LDAP Defaults
#
 
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
 
BASE    dc=burn,dc=net
URI     ldaps://10.1.38.93
 
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
 
# TLS certificates (needed for GnuTLS)
#TLS_CACERT     /etc/ssl/certs/ca-certificates.crt
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT never

The TLS_REQCERT never directive is important: the client connects to the server by IP address (10.1.38.93) while the server certificate was issued for the hostname ldap.edu.example.org, so with the default TLS_REQCERT demand the hostname check would fail and the connection would be refused. Bear in mind that never also means the client accepts any certificate at all; to keep verification, connect by the hostname in the certificate (or issue the certificate for the IP address) and set TLS_REQCERT demand.
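As an added check (example code written for this page, not part of the original), the following Python audits an ldap.conf such as the client-side one above or the server-side one in the "Fix untrusted certificate problem" section, flagging TLS_REQCERT never/allow, a missing trust anchor and plaintext ldap:// URIs. The two embedded configurations are constructed from the page's directives; the hardened one assumes the client resolves ldap.edu.example.org, the common name of the server certificate generated above.

```python
import re

# Constructed sample: the client-side ldap.conf as the page has it.
WEAK_CONF = """\
URI     ldaps://10.1.38.93/
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT never
"""

# Constructed sample: same trust anchor with verification left on; the
# client must then connect by the name in the server certificate's CN
# (ldap.edu.example.org on the page) rather than by IP address.
HARDENED_CONF = """\
URI     ldaps://ldap.edu.example.org/
TLS_CACERT /etc/ssl/certs/ldap-ca-cert.pem
TLS_REQCERT demand
"""

IPV4_URI = re.compile(r"^ldaps?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/?$")


def parse_ldap_conf(text):
    """Map DIRECTIVE -> value for an ldap.conf(5) file (case-insensitive keys, '#' comments)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf


def audit_tls(text):
    """Return findings that weaken server authentication; [] means the certificate is verified."""
    conf = parse_ldap_conf(text)
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # libldap default is demand
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    if not (conf.get("TLS_CACERT") or conf.get("TLS_CACERTDIR")):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor for the server")
    for uri in conf.get("URI", "").split():
        if uri.startswith("ldap://"):
            findings.append(f"{uri}: plaintext ldap://; use ldaps:// or StartTLS (-ZZ)")
        if IPV4_URI.match(uri) and reqcert not in ("never", "allow"):
            findings.append(f"{uri}: connects by IP, so the certificate must be issued "
                            "for this IP or the hostname check fails")
    return findings
```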

Test the configuration

ldapsearch -x -h 10.1.38.93 -ZZ -b dc=burn,dc=net

or

ldapsearch -x -W -D 'cn=admin,dc=burn,dc=net' -b "" -s base

or

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

Install / Configure NFS remote home directories

Reference: http://www.cs.wcupa.edu/~rkline/linux/ldap-nfs.html

Server

We are going to make our machine an NFS server and serve the /home directory to the client machine.

On the LDAP server, install the server package:

apt-get install nfs-kernel-server

Modify /etc/exports to export the home directories on the LDAP server to the clients by adding this line (replace 192.168.122.0/24 with the subnet your clients are on):

/home 192.168.122.0/24(rw,sync,no_subtree_check)

Restart the NFS service and verify the exports:

service nfs-kernel-server restart
exportfs

Client

Now, the NFS client.

Install the client software:

apt-get install nfs-common

Mount the LDAP server's NFS home directory. Change the IP address to whatever the LDAP/NFS server's IP is.

mount -o vers=3 10.1.38.93:/home /home

Verify the directory mounted

df -h
ls -l /home

Set up the client so that it mounts automatically. Edit /etc/fstab and add this line at the end:

10.1.38.93:/home   /home   nfs  nfsvers=3   0  0

Again, change the IP address to match the IP of the LDAP/NFS server.