OpenLDAP


Description du serveur

  • OS: CentOS 7 x86_64
  • Outils principaux: OpenLDAP et OpenSSL

Installation et configuration

# Server, client tools and rsyslog (rsyslog is used right below to route slapd logs).
yum install openldap-servers openldap-clients rsyslog

vim /etc/sysconfig/slapd

# Listeners: the local Unix socket (used with SASL EXTERNAL below) and plain LDAP on
# all interfaces. ldap:/// is cleartext unless the client negotiates STARTTLS; the
# ldaps:/// listener is appended to this line later, under "Configuration de TLS".
SLAPD_URLS="ldapi:/// ldap:///"
# -4: listen on IPv4 addresses only.
SLAPD_OPTIONS="-4"
  • Configuration de rsyslog:

vim /etc/rsyslog.conf

# Send slapd(8) logs to /var/log/slapd.log
if $programname == 'slapd' then /var/log/slapd.log
# "& ~" discards the message after the action above so it is not also written to
# the default log. Newer rsyslog spells this "& stop"; the legacy "~" form is
# presumably still accepted (possibly with a deprecation warning) -- verify against
# the installed rsyslog version.
 & ~
# Reload the rule above; slapd has not been started yet at this point.
systemctl restart rsyslog.service
  • Définition du mot de passe root pour la configuration:

vim /root/LDAP/olcRootPW.ldif

# Sets the root password of the cn=config database itself (the credential used by
# every "-D cn=config" bind in this guide). The value is a salted SHA-1 hash
# ({SSHA}) such as slappasswd(8) produces; generate a fresh one per deployment
# rather than reusing the example value, and keep this file root-only: the hash
# can be attacked offline.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}69iaXumzEio/JQTg1DOni/tnzsZ0FYCf
  • Application de la configuration et vérification:
# Apply over the Unix socket with SASL EXTERNAL: the change is authorized by the
# caller's peer credential (root, uid 0), presumably via the stock CentOS ACL on
# olcDatabase={0}config -- no password is sent. Run as root.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/olcRootPW.ldif
# Read back each configured database with a simple bind (-x) as cn=config; -W
# prompts for the password just set. No -H is given, so the URI comes from
# /etc/openldap/ldap.conf. TLS is not configured yet at this stage, so if that URI
# is ldap://<host> the cn=config password crosses the network in cleartext;
# adding "-H ldapi:///" keeps it on the local socket.
ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"
ldapsearch -W -x -D cn=config -b olcDatabase={0}config,cn=config
ldapsearch -W -x -D cn=config -b olcDatabase={-1}frontend,cn=config
ldapsearch -W -x -D cn=config -b olcDatabase={1}monitor,cn=config
ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config
  • Définition des bases de données:

vim /root/LDAP/BASE.ldif

# Three changes to two entries. NOTE(review): in LDIF the "-" line separates
# several modifications of the SAME entry; records for different DNs are normally
# separated by a blank line. Confirm ldapmodify accepts the "-" followed by a new
# "dn:" line as written here, otherwise split the records with blank lines.
#
# Monitor database: readable only by local root (peercred over ldapi) and by the
# directory admin; everyone else gets nothing.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=mg" read by * none
-
# Naming context of the data database. The client BASE used later in ldap.conf
# (dc=irenala,dc=edu,dc=mg) sits below this suffix -- confirm that is intended.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=mg
-
# The rootdn bypasses every ACL on this database; its password is set in the
# next step.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=mg
  • Application:
# Apply locally via SASL EXTERNAL (no password on the wire).
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/BASE.ldif
# Show the lines mentioning the new rootdn. grep's -b prints byte offsets; if one
# line of leading context was intended, -B1 is the option for that.
ldapsearch -W -x -D cn=config -b cn=config | grep -b1 cn=admin
  • Définition du mot de passe administrateur:

vim /root/LDAP/admin_olcRootPW.ldif

# Password for the data-database rootdn (cn=admin,dc=mg). "add:" fails if an
# olcRootPW is already present on this entry -- use "replace:" in that case.
# As for cn=config: generate the {SSHA} hash with slappasswd(8) per deployment and
# keep this file root-only.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}moVXokSVz9/pcZpdyJ0EYlzutrnt4iK1
  • Application:
# Apply locally via SASL EXTERNAL, then read the entry back; the olcRootPW hash
# is visible to cn=config in the output, so do not paste the result into tickets.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/admin_olcRootPW.ldif
ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config
  • Paramétrage supplémentaire:

vim /root/LDAP/GLOBAL_olcIdleTimeout.ldif

# Drop client connections idle for more than 15 seconds (value is in seconds).
# Limits resources held by abandoned sockets; lower it only if clients do not keep
# long-lived idle connections.
dn: cn=config
changetype: modify
add: olcIdleTimeout
olcIdleTimeout: 15
  • Application:
# Apply locally, then confirm olcIdleTimeout appears on the cn=config entry.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/GLOBAL_olcIdleTimeout.ldif
ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"

Configuration de TLS

  • Modification de l'expiration du CA:

vim /etc/pki/tls/misc/CA

#CADAYS="-days 1095"    # 3 years
# 30660 days is roughly 84 years. A CA valid that long means a leaked CA key stays
# trusted until it is explicitly removed from every trust store, so keep the CA
# private key tightly restricted (it is not touched by the chmod steps below).
CADAYS="-days 30660"    # 2015 - 2099
  • Création d'un nouveau CA:
# Interactive: creates the CA directory tree, the CA private key and the self-signed
# CA certificate (presumably under /etc/pki/CA on this distribution -- confirm with
# the ls below). Choose a strong passphrase for the CA key when prompted.
/etc/pki/tls/misc/CA -newca
ls -la /etc/pki/CA/*
  • Modification de l'expiration du certificat:

vim /etc/pki/tls/openssl.cnf

# default_days = 365                   # how long to certify for
# NOTE: 7300 days is 20 years, i.e. 2015 - 2035, not 2025 as the inline comment
# says. Long server-certificate lifetimes also lengthen the exposure window if the
# server key leaks; renew the server certificate earlier than this if practical.
default_days   = 7300                  # 2015 - 2025
  • Génération des différentes clés:
# Work in /root/LDAP: the CA script writes its artefacts (new*.pem) into the cwd,
# and later steps use paths relative to this directory.
cd /root/LDAP
# Generate the server key + certificate request (interactive; asks for a key
# passphrase and the subject). The CN must match the name clients connect to.
/etc/pki/tls/misc/CA -newreq
ls -la ./new*.pem
# Sign the request with the CA just created; produces newcert.pem.
/etc/pki/tls/misc/CA -sign
ls -la ./new*.pem
# Strip the passphrase so slapd can load the key unattended. The output is an
# UNENCRYPTED private key created with the current umask, so it may be readable by
# others until the chmod step below; running with a restrictive umask (e.g.
# "umask 077" first) closes that window.
openssl rsa < ./newkey.pem > /etc/pki/CA/key.pem
ls -la /etc/pki/CA/*key*
# Destination tree for slapd. The private/ directory also gets the default mkdir
# mode; consider creating it with a restrictive mode (mkdir -m 750).
mkdir /etc/pki/openldap
mkdir /etc/pki/openldap/certs
mkdir /etc/pki/openldap/private
  • Installation des certificats:
# -a preserves mode and ownership, so the copies keep whatever permissions the
# sources had; they are fixed explicitly in the next step.
cp -a /etc/pki/CA/key.pem /etc/pki/openldap/private/key.pem
cp -a ./newcert.pem /etc/pki/openldap/certs/cert.pem
cp -a /etc/pki/CA/cacert.pem /etc/pki/openldap/certs/CAcert.pem
  • Application des droits nécessaires:
# Owner root, group ldap: slapd runs as the ldap user and only needs read access.
# "root.ldap" is the legacy separator; "root:ldap" is the documented form (and the
# one used further down for server.key).
chown root.ldap /etc/pki/openldap/private/key.pem
chown root.ldap /etc/pki/openldap/certs/cert.pem
chown root.ldap /etc/pki/openldap/certs/CAcert.pem
# 640: readable by root and the ldap group only. This matters for the private key;
# cert.pem and CAcert.pem are public material and could be 644.
chmod 640 /etc/pki/openldap/private/key.pem
chmod 640 /etc/pki/openldap/certs/cert.pem
chmod 640 /etc/pki/openldap/certs/CAcert.pem
ls -la /etc/pki/openldap/*
# Remove the unencrypted key copy and the request/cert artefacts from the working
# directory. The CA's own private key is not removed here and must stay protected.
rm /etc/pki/CA/key.pem ./new*.pem
  • Configuration de la partie client:

vim /etc/openldap/ldap.conf

# Default search base for the client tools (below the dc=mg suffix set earlier).
BASE    dc=irenala,dc=edu,dc=mg
# Cleartext LDAP by default; the ldap tools only use TLS on this URI with -Z/-ZZ
# (STARTTLS). Every "-W -x" command in this guide that omits -H goes through here.
URI     ldap://ldap.irenala.edu.mg 
# NOTE(review): the new CA certificate is installed under /etc/pki/openldap/certs
# and into the system trust anchors, not into /etc/openldap/certs -- verify that
# this directory actually contains the CA, or point TLS_CACERT at the CA file.
TLS_CACERTDIR   /etc/openldap/certs
# "allow" continues the session even when the server certificate is missing or
# cannot be verified, which defeats server authentication (a spoofed server is
# accepted). Once the CA is trusted, "demand" (the default) is the safe setting.
TLS_REQCERT     allow
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
  • Paramétrage du serveur pour le support TLS:

vim /root/LDAP/tls-config.ldif

# Server-side TLS settings (one entry, several modifications separated by "-").
dn: cn=config
changetype: modify
# OpenSSL cipher-list string; "HIGH" excludes low/medium-strength suites but still
# follows whatever the installed OpenSSL considers HIGH.
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
# Server certificate and its (unencrypted) private key installed above.
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/openldap/private/key.pem
-
# CA used by the server to verify client certificates (and, presumably, to build
# the chain it presents). "add:" fails if the attribute already exists.
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/openldap/certs/CAcert.pem
-
# Minimum protocol as <major>.<minor> of the SSL/TLS version number: 3.1 is
# TLS 1.0. That still permits TLS 1.0/1.1; 3.3 (TLS 1.2) is the value to prefer
# if all clients support it.
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.1
  • Application de la configuration:
# NOTE(review): this step switches from "-Y EXTERNAL -H ldapi:///" to a simple bind
# with the cn=config password and no -H, i.e. over the ldap:// URI in ldap.conf.
# At this point TLS is not active on the server yet, so the cn=config password is
# sent in cleartext; applying with "-Y EXTERNAL -H ldapi:///" like the earlier
# steps avoids that. The relative path assumes the cwd is still /root/LDAP.
ldapmodify -W -x -D cn=config -f ./tls-config.ldif
ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"

vim /etc/sysconfig/slapd

# Add the LDAPS listener (636). ldap:/// (389) is kept, so cleartext access remains
# possible unless clients use STARTTLS or the plain listener is later removed.
SLAPD_URLS="ldapi:///   ldap:///   ldaps:///"
  • Test de la configuration:
# Syntax/consistency check of the cn=config tree before restarting; -u is the
# dry-run mode (does not fail on an unopenable database).
slaptest -u
  • Prise en compte des certificats par le système:
# The CA script's cacert.pem presumably carries a textual dump before the PEM
# block, hence the tail. Counting 23 lines is fragile (the PEM length depends on
# key size and extensions); "openssl x509 -in CAcert.pem -out <anchor path>"
# extracts exactly the certificate block regardless of length.
tail -n 23 /etc/pki/openldap/certs/CAcert.pem > /etc/pki/ca-trust/source/anchors/CAcert.pem
# Eyeball that the file starts with -----BEGIN CERTIFICATE----- and nothing else.
cat /etc/pki/ca-trust/source/anchors/CAcert.pem
# Rebuild the system trust bundles from the anchors directory.
update-ca-trust
# Should show the new CA at the top of the generated bundle.
head -n 23 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Pick up the new listeners (sysconfig) and TLS settings.
systemctl restart slapd
  • Vérification:
# Confirm slapd listens on 389 and 636 (the pattern also matches any port
# containing those digits, e.g. 3890).
netstat -tulpen | egrep "389|636"
# Full handshake against the LDAPS port; check the presented chain and that the
# verification result is OK against the trust store updated above.
openssl s_client -connect ldap.irenala.edu.mg:636 -showcerts -state
# NOTE(review): server.key is not created or referenced anywhere else in this
# guide (slapd uses /etc/pki/openldap/private/key.pem); this is presumably the
# key shipped with the default package config. Restricting it does no harm.
chown ldap:ldap /etc/openldap/certs/server.key
chmod 400 /etc/openldap/certs/server.key
  • Désactivation des accès anonymes:

vim /root/LDAP/anonymous_bind.ldif

# Refuse anonymous binds and require an authenticated session for every operation.
# After this, "ldapsearch -x" without -D/-W is rejected. Simple binds themselves
# still work: the bind operation is evaluated before the session is authenticated,
# which is why the ACL below keeps "by anonymous auth" on userPassword.
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-
add: olcRequires
olcRequires: authc
  • Application de la configuration:
# Same caveat as for tls-config.ldif: a simple bind over the ldap:// URI from
# ldap.conf sends the cn=config password in cleartext unless -ZZ (STARTTLS) or
# an ldaps:// URI is used; "-Y EXTERNAL -H ldapi:///" avoids the issue entirely.
ldapmodify -W -x -D cn=config -f /root/LDAP/anonymous_bind.ldif
ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"
  • Activation des indexations pour améliorer la performance:

vim /root/LDAP/DbIndex.ldif

# NOTE(review): every other step targets olcDatabase={2}hdb,cn=config; "{2}bdb"
# here looks like a typo. If no such entry exists ldapmodify fails with
# "No such object" and no index is created -- verify with the ldapsearch below.
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcDbIndex
# eq: equality, pres: presence, sub: substring. Unindexed filters on these
# attributes would otherwise force full scans (and slapd logs a warning per query).
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
  • Application des configurations:
# Apply locally; the ldapsearch confirms the olcDbIndex values landed on the entry
# (and that the {2}bdb DN exists at all -- see the note in DbIndex.ldif).
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/DbIndex.ldif
ldapsearch -W -x -D cn=config -b olcDatabase={2}bdb,cn=config
  • Mise en place des ACLs pour sécuriser les accès:

vim /root/LDAP/acl.ldif

# Access control for the data database. Rules are evaluated in {n} order; the
# first rule whose "to" clause matches decides, so order matters.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
# {0} Password and shadow attributes: owner and admin may write; ldapquerier gets
#     read access, which exposes the stored password HASHES to that service
#     account -- if it only needs to authenticate users, "compare"/"auth" is the
#     least privilege. "by anonymous auth" is what lets a simple bind succeed
#     after bind_anon is disallowed; everyone else sees nothing.
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowMax,shadowWarning by self write by dn="cn=admin,dc=mg" write by dn="cn=ldapquerier,dc=mg" read by dn="cn=ldapquerier,dc=mg" read by anonymous auth by * none
# {1}/{2} The admin and service-account entries are hidden from everyone else.
olcAccess: {1}to dn="cn=admin,dc=mg" by self write by * none
olcAccess: {2}to dn="cn=ldapquerier,dc=mg" by self write by dn="cn=admin,dc=mg" write by * none
# {3}/{4} Group and People entries: the captured cn/uid ($1) is expanded so that
#     the user uid=$1 can read the entry with the same name. In {3} this grants a
#     user read on the group whose cn equals their uid -- confirm that naming
#     convention is intended.
olcAccess: {3}to dn.regex="cn=([^,]+),ou=Group,dc=mg" by self write by dn="cn=admin,dc=mg" write by dn="cn=ldapquerier,dc=mg" read by dn.exact,expand="uid=$1,ou=People,dc=mg" read by * none
olcAccess: {4}to dn.regex="uid=([^,]+),ou=People,dc=mg" by self write by dn="cn=admin,dc=mg" write by dn="cn=ldapquerier,dc=mg" read by dn.exact,expand="uid=$1,ou=People,dc=mg" read by * none
# {5} Catch-all. NOTE(review): "by self write" on "*" lets a user modify every
#     remaining attribute of their own entry; if entries carry posixAccount data
#     (uidNumber/gidNumber/loginShell are indexed above), that includes rewriting
#     their own uidNumber/gidNumber. Consider listing the self-writable attributes
#     explicitly. "by * read" here means any authenticated user (authc is required).
olcAccess: {5}to * by self write by dn.base="cn=admin,dc=mg" write by * read
  • Application et vérification:
# Apply locally and read the olcAccess set back; a broken ACL is caught here
# before any client depends on it. Test with a non-admin bind afterwards as well.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/acl.ldif
ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config
  • Configuration de la génération des traces:

vim /root/LDAP/olcLogLevel.ldif

# "stats": log connections, operations and results -- the level to keep for audit
# and incident investigation (who bound, what was searched/modified). Output goes
# to /var/log/slapd.log through the rsyslog rule configured at the start.
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats
  • Application de la configuration:
# Takes effect immediately; no restart needed for cn=config changes.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/olcLogLevel.ldif
  • Modification du niveau:

vim /root/LDAP/olcLogLevel_off.ldif

# Switch logging off: remove the "stats" value, then add "none". Note that with
# "none" slapd records no operation log at all, which removes the audit trail used
# for incident investigation; prefer keeping "stats" in production and rotating
# the log instead.
dn: cn=config
changetype: modify
delete: olcLogLevel
olcLogLevel: stats
-
add: olcLogLevel
olcLogLevel: none
  • Application:
# Apply the log-level change locally.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/olcLogLevel_off.ldif