OpenLDAP
From the iRENALA Wiki
Server description
- OS: CentOS 7 x86_64
- Main tools: OpenLDAP and OpenSSL
Installation and configuration
yum install openldap-servers openldap-clients rsyslog
vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:///"
SLAPD_OPTIONS="-4"
- rsyslog configuration:
vim /etc/rsyslog.conf
# Send slapd(8c) logs to /var/log/slapd.log
if $programname == 'slapd' then /var/log/slapd.log
& ~
systemctl restart rsyslog.service
- Setting the root password for the configuration database:
vim /root/LDAP/olcRootPW.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}69iaXumzEio/JQTg1DOni/tnzsZ0FYCf
- Applying the configuration and checking it:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/olcRootPW.ldif
ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"
ldapsearch -W -x -D cn=config -b olcDatabase={0}config,cn=config
ldapsearch -W -x -D cn=config -b olcDatabase={-1}frontend,cn=config
ldapsearch -W -x -D cn=config -b olcDatabase={1}monitor,cn=config
ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config
- Defining the databases:
vim /root/LDAP/BASE.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=mg" read by * none
-

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=mg
-

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=mg
- Applying:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/BASE.ldif
ldapsearch -W -x -D cn=config -b cn=config | grep -b1 cn=admin
- Setting the administrator password:
vim /root/LDAP/admin_olcRootPW.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}moVXokSVz9/pcZpdyJ0EYlzutrnt4iK1
- Applying:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/admin_olcRootPW.ldif
ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config
- Additional setting:
vim /root/LDAP/GLOBAL_olcIdleTimeout.ldif
dn: cn=config
changetype: modify
add: olcIdleTimeout
olcIdleTimeout: 15
- Applying:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/GLOBAL_olcIdleTimeout.ldif
ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"
TLS configuration
- Changing the CA expiry:
vim /etc/pki/tls/misc/CA
#CADAYS="-days 1095" # 3 years
CADAYS="-days 30660" # 2015 - 2099
- Creating a new CA:
/etc/pki/tls/misc/CA -newca
ls -la /etc/pki/CA/*
- Changing the certificate expiry:
vim /etc/pki/tls/openssl.cnf
# default_days = 365 # how long to certify for
default_days = 7300 # 2015 - 2025
- Generating the keys and certificates:
cd /root/LDAP
/etc/pki/tls/misc/CA -newreq
ls -la ./new*.pem
/etc/pki/tls/misc/CA -sign
ls -la ./new*.pem
openssl rsa < ./newkey.pem > /etc/pki/CA/key.pem
ls -la /etc/pki/CA/*key*
mkdir /etc/pki/openldap
mkdir /etc/pki/openldap/certs
mkdir /etc/pki/openldap/private
- Installing the certificates:
cp -a /etc/pki/CA/key.pem /etc/pki/openldap/private/key.pem
cp -a ./newcert.pem /etc/pki/openldap/certs/cert.pem
cp -a /etc/pki/CA/cacert.pem /etc/pki/openldap/certs/CAcert.pem
- Applying the required permissions:
chown root.ldap /etc/pki/openldap/private/key.pem
chown root.ldap /etc/pki/openldap/certs/cert.pem
chown root.ldap /etc/pki/openldap/certs/CAcert.pem
chmod 640 /etc/pki/openldap/private/key.pem
chmod 640 /etc/pki/openldap/certs/cert.pem
chmod 640 /etc/pki/openldap/certs/CAcert.pem
ls -la /etc/pki/openldap/*
rm /etc/pki/CA/key.pem ./new*.pem
- Client-side configuration:
vim /etc/openldap/ldap.conf
BASE dc=irenala,dc=edu,dc=mg
URI ldap://ldap.irenala.edu.mg
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
- Configuring the server for TLS support:
vim /root/LDAP/tls-config.ldif
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/openldap/private/key.pem
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/openldap/certs/CAcert.pem
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.1
- Applying the configuration:
ldapmodify -W -x -D cn=config -f ./tls-config.ldif
ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"
vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
- Testing the configuration:
slaptest -u
- Making the system trust the certificates:
tail -n 23 /etc/pki/openldap/certs/CAcert.pem > /etc/pki/ca-trust/source/anchors/CAcert.pem
cat /etc/pki/ca-trust/source/anchors/CAcert.pem
update-ca-trust
head -n 23 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
systemctl restart slapd
- Checking:
netstat -tulpen | egrep "389|636"
openssl s_client -connect ldap.irenala.edu.mg:636 -showcerts -state
chown ldap:ldap /etc/openldap/certs/server.key
chmod 400 /etc/openldap/certs/server.key
- Disabling anonymous access:
vim /root/LDAP/anonymous_bind.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-
add: olcRequires
olcRequires: authc
- Applying the configuration:
ldapmodify -W -x -D cn=config -f /root/LDAP/anonymous_bind.ldif
ldapsearch -W -x -D cn=config -b cn=config "(objectclass=olcGlobal)"
- Enabling indexes to improve performance:
vim /root/LDAP/DbIndex.ldif
# The data database on this server is olcDatabase={2}hdb (see above); the original page wrote {2}bdb here, which does not exist.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
- Applying the configuration:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/DbIndex.ldif
ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config
- Setting up ACLs to secure access:
vim /root/LDAP/acl.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowMax,shadowWarning by self write by dn="cn=admin,dc=mg" write by dn="cn=ldapquerier,dc=mg" read by anonymous auth by * none
olcAccess: {1}to dn="cn=admin,dc=mg" by self write by * none
olcAccess: {2}to dn="cn=ldapquerier,dc=mg" by self write by dn="cn=admin,dc=mg" write by * none
olcAccess: {3}to dn.regex="cn=([^,]+),ou=Group,dc=mg" by self write by dn="cn=admin,dc=mg" write by dn="cn=ldapquerier,dc=mg" read by dn.exact,expand="uid=$1,ou=People,dc=mg" read by * none
olcAccess: {4}to dn.regex="uid=([^,]+),ou=People,dc=mg" by self write by dn="cn=admin,dc=mg" write by dn="cn=ldapquerier,dc=mg" read by dn.exact,expand="uid=$1,ou=People,dc=mg" read by * none
olcAccess: {5}to * by self write by dn.base="cn=admin,dc=mg" write by * read
- Applying and checking:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/acl.ldif
ldapsearch -W -x -D cn=config -b olcDatabase={2}hdb,cn=config
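slapd evaluates olcAccess rules in order and stops at the first <what> clause that matches the entry and attribute, so the ordering above is what makes a user see only their own password attributes and only the group whose cn equals their uid, while "by anonymous auth" on userPassword still lets simple binds succeed. The Python below is an added example, not the wiki's code, that replays those six rules with the same first-match semantics for sample bind DNs; anchoring dn.regex with fullmatch and the sample DNs are assumptions.

```python
import re
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ADMIN, QUERIER = ("dn", "cn=admin,dc=mg"), ("dn", "cn=ldapquerier,dc=mg")
EXPAND = ("dn.expand", "uid=$1,ou=People,dc=mg")  # the wiki's dn.exact,expand="uid=$1,..." clause
# Transcription of the wiki's olcAccess {0}..{5}, in order: (what, [(who, level), ...]).
ACL = [
    (("attrs", {"userPassword", "shadowLastChange", "shadowMax", "shadowWarning"}),
     [("self", "write"), (ADMIN, "write"), (QUERIER, "read"), ("anonymous", "auth"), ("*", "none")]),
    (("dn", "cn=admin,dc=mg"), [("self", "write"), ("*", "none")]),
    (("dn", "cn=ldapquerier,dc=mg"), [("self", "write"), (ADMIN, "write"), ("*", "none")]),
    (("dn.regex", r"cn=([^,]+),ou=Group,dc=mg"),
     [("self", "write"), (ADMIN, "write"), (QUERIER, "read"), (EXPAND, "read"), ("*", "none")]),
    (("dn.regex", r"uid=([^,]+),ou=People,dc=mg"),
     [("self", "write"), (ADMIN, "write"), (QUERIER, "read"), (EXPAND, "read"), ("*", "none")]),
    (("*", None), [("self", "write"), (ADMIN, "write"), ("*", "read")]),
]

def _match_what(what, target_dn, attr):
    """Return the regex groups (empty tuple if none) when <what> covers (target_dn, attr), else None."""
    kind, arg = what
    if kind in ("*", "attrs"):
        return () if kind == "*" or attr in arg else None
    if kind == "dn":
        return () if target_dn == arg else None
    m = re.fullmatch(arg, target_dn)  # dn.regex; anchoring with fullmatch is a simplification
    return m.groups() if m else None

def _match_who(who, bind_dn, target_dn, groups):
    if who in ("*", "anonymous"):
        return who == "*" or bind_dn is None  # bind_dn is None for an anonymous session
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    kind, arg = who
    if kind == "dn":
        return bind_dn == arg
    return bool(groups) and bind_dn == arg.replace("$1", groups[0])  # dn.exact,expand

def access_level(bind_dn, target_dn, attr):
    """First matching <what> wins; inside it the first matching <by> fixes the level, else "none"."""
    for what, clauses in ACL:
        groups = _match_what(what, target_dn, attr)
        if groups is not None:
            return next((lvl for who, lvl in clauses if _match_who(who, bind_dn, target_dn, groups)), "none")
    return "none"

def allowed(bind_dn, target_dn, attr, needed):
    """True when the granted level reaches what the operation needs (auth to bind, read, write)."""
    return LEVELS.index(access_level(bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```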
- Configuring logging:
vim /root/LDAP/olcLogLevel.ldif
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats
- Applying the configuration:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/olcLogLevel.ldif
- Changing the log level:
vim /root/LDAP/olcLogLevel_off.ldif
dn: cn=config
changetype: modify
delete: olcLogLevel
olcLogLevel: stats
-
add: olcLogLevel
olcLogLevel: none
- Applying:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/LDAP/olcLogLevel_off.ldif