Installing and configuring OpenLDAP:
Part I of this series on OpenLDAP concentrates on configuring a simple OpenLDAP Server. Our goal in adopting OpenLDAP is to provide an authentication mechanism for our LAN Clients, in particular Macintosh OSX Clients, to log in to the network and work with data on network shares. Additionally, the installation of OpenLDAP will include the new backend database lmdb – OpenLDAP’s own Lightning Memory-Mapped Database – to store OpenLDAP objects.
Operating Environment:
Server 1:
Hostname: ldap1.loga.us
IP Address: 192.168.0.220
Server 2:
Hostname: ldap2.loga.us
IP Address: 192.168.0.222
DNS Resolution:
Before we get started we need to ensure our OpenLDAP Servers have the proper DNS entries and that the host names can be resolved.
root@bsd220:/ # host ldap1.loga.us
ldap1.loga.us has address 192.168.0.220
root@bsd220:/ # host ldap2.loga.us
ldap2.loga.us has address 192.168.0.222
Of course, the reverse lookup, as well…
root@bsd220:/ # host 192.168.0.220
220.0.168.192.in-addr.arpa domain name pointer loga.us.
root@bsd220:/ # host 192.168.0.222
222.0.168.192.in-addr.arpa domain name pointer ldap2.loga.us.
OpenLDAP:
Installing OpenLDAP Server on each server:
# portsnap fetch update
# cd /usr/ports/net/openldap24-server
# make install clean
As indicated below, the BDB – with BerkeleyDB backend option was deselected since BerkeleyDB is marked as deprecated. Additionally, the options MDB – with Memory-Mapped DB backend and PPolicy – with Password Policy overlay were selected.
Now that OpenLDAP is installed and ready to be configured, we must not forget about the client side of the equation. Yes, before we can access the OpenLDAP Server and perform queries on its data, we must configure the client. Fortunately, when OpenLDAP Server was installed via the FreeBSD Ports Collection, it installed the client as well.
ldap.conf:
Let’s begin configuring the OpenLDAP Client on each server at /usr/local/etc/openldap/ldap.conf. Please change the BASE to your own environment:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=loga,dc=us
URI ldap:// ldaps://
# SIZELIMIT 0 indicates unlimited search size
SIZELIMIT 0
TIMELIMIT 15
DEREF never
slapd.conf:
Before starting the slapd service, the default password needs to be changed by using the following command on each server:
# slappasswd -h "{SSHA}" >> /usr/local/etc/openldap/slapd.conf
Note: This command will prompt the user for a password and appends the resulting password hash to the end of the slapd.conf file. Even though a password hash is produced, slapd.conf uses a clear text password of “secret” in order to easily demonstrate replication, since replication requires passwords to be in clear text. Later in this series, the password hash will be utilized.
Next, let’s look at our /usr/local/etc/openldap/slapd.conf file and change as necessary on each server:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
# referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
#moduleload back_bdb
moduleload back_mdb
# moduleload back_hdb
# moduleload back_ldap

allow bind_v2

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database mdb
suffix "dc=loga,dc=us"
rootdn "cn=Manager,dc=loga,dc=us"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# For Now Use a Clear Text Password:
rootpw secret
# rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb
# password-hash {SSHA}
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
maxsize 1073741824
# Indices to maintain
index objectClass eq
Notes:
- The mdb database is used in lieu of bdb – Berkeley Database. The maxsize parameter needs to be set to accommodate the largest size the database will ever grow to.
- Add the parameter moduleload back_mdb and comment out moduleload back_bdb.
- Added the following schemas: cosine, inetorgperson, and nis.
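As an added example (not the article's or the OpenLDAP project's own code), the following shell script audits a slapd.conf for the settings the article itself marks as temporary or risky: a cleartext rootpw, no access directives (the default policy lets anyone read everything), no security directive (cleartext simple binds are accepted on ldap://), and a database directory that is not mode 700. The sample configuration it writes is constructed for the demonstration; the caller supplies the directory path.

```shell
#!/bin/sh
# Added example, not from the article: audit a slapd.conf for the
# risky settings called out in the text. The sample config is constructed.

write_sample_slapd_conf() {
    cat > "$1" <<EOF
database mdb
suffix "dc=loga,dc=us"
rootdn "cn=Manager,dc=loga,dc=us"
# rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb
rootpw secret
# security ssf=1 update_ssf=112 simple_bind=64
directory $2
maxsize 1073741824
EOF
}

# Prints one WARN line per finding and a final "findings: N" line.
audit_slapd_conf() {
    conf=$1
    n=0
    # a rootpw value not starting with {SCHEME} is stored in the clear
    if grep -Eq '^[[:space:]]*rootpw[[:space:]]+[^{[:space:]]' "$conf"; then
        echo "WARN: rootpw is cleartext; use the slappasswd -h '{SSHA}' hash"
        n=$((n + 1))
    fi
    if ! grep -Eq '^[[:space:]]*access[[:space:]]+to' "$conf"; then
        echo "WARN: no access directives; anyone can read the whole directory"
        n=$((n + 1))
    fi
    if ! grep -Eq '^[[:space:]]*security[[:space:]]' "$conf"; then
        echo "WARN: no security directive; cleartext simple binds are allowed"
        n=$((n + 1))
    fi
    dir=$(awk '$1 == "directory" { print $2; exit }' "$conf")
    if [ -n "$dir" ] && [ -d "$dir" ]; then
        # stat -c is GNU, stat -f is BSD; try both
        mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir")
        if [ "$mode" != "700" ]; then
            echo "WARN: $dir is mode $mode; mode 700 recommended"
            n=$((n + 1))
        fi
    fi
    echo "findings: $n"
}
```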
rc.conf:
Next, let’s set up slapd to start automatically by adding the following lines to /etc/rc.conf on each server:
slapd_enable="YES"
slapd_flags="-4 -h 'ldap:/// ldaps:///'"
Time to start each of our OpenLDAP Servers:
# service slapd start
Starting slapd.
If starting the slapd service fails, try restarting it with the debugging options turned on:
# service slapd stop
# /usr/local/libexec/slapd -d -1
Testing the slapd configuration to demonstrate a successful connection to each server:
# ldapsearch
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1
With the server responding correctly to requests, it’s time to populate the directory with data using the ldapadd command. First, a file – /usr/local/etc/openldap/import.ldif – is created containing user and domain data:
dn: dc=loga,dc=us
objectclass: dcObject
objectclass: organization
o: loga
dc: loga

dn: cn=Manager,dc=loga,dc=us
objectclass: organizationalRole
cn: Manager
ldapadd:
To import this file on each server, use the ldapadd command, specifying the file name. The command is below:
# cd /usr/local/etc/openldap
# ldapadd -D "cn=Manager,dc=loga,dc=us" -W -f import.ldif
ldapsearch:
To verify the data was imported correctly on each server, use the ldapsearch command:
# ldapsearch
# extended LDIF
#
# LDAPv3
# base <dc=loga,dc=us> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# loga.us
dn: dc=loga,dc=us
objectClass: dcObject
objectClass: organization
o:: bG9nYSA=
dc:: bG9nYSA=

# Manager, loga.us
dn: cn=Manager,dc=loga,dc=us
objectClass: organizationalRole
cn: Manager

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
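An added example, not from the original article: in the output above, o and dc come back as "o:: bG9nYSA=", where the double colon means ldapsearch base64-encoded the value because it is not safe to print as-is. bG9nYSA= decodes to "loga " with a trailing space, so import.ldif most likely had trailing whitespace on those two lines. The helpers below flag that in an LDIF before ldapadd and make it visible in ldapsearch output afterwards; the sample input is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: catch trailing whitespace in LDIF
# values before import, and decode "attr:: base64" lines after it.

# Constructed copy of import.ldif carrying the trailing spaces that
# would produce the base64 values seen in the search output.
write_sample_ldif() {
    printf 'dn: dc=loga,dc=us\nobjectclass: dcObject\n' > "$1"
    printf 'objectclass: organization\no: loga \ndc: loga \n' >> "$1"
}

# Before ldapadd: report attribute lines whose value ends in whitespace.
ldif_trailing_ws() {
    grep -nE '^[A-Za-z][A-Za-z0-9;.-]*:.*[[:space:]]$' "$1" |
        sed 's/^\([0-9]*\):\([^:]*\):.*/line \1: \2 has trailing whitespace/'
}

# After import: decode "attr:: base64" lines from ldapsearch output and
# print the value in brackets so trailing whitespace becomes visible.
ldif_decode_b64() {
    while IFS= read -r line; do
        case $line in
            *::\ *)
                attr=${line%%::*}
                # command substitution keeps trailing spaces, only newlines go
                val=$(printf '%s' "${line#*:: }" | base64 -d)
                printf '%s: [%s]\n' "$attr" "$val"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}
```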
Log Files:
Before Multi-Master Replication is added to the configuration, proper logging and log maintenance is required on each server.
Like all daemons and processes, I prefer to examine the log files from time to time to ensure everything is fine. In order to have OpenLDAP log entries into its own log file, a few changes are needed.
Changes needed on each server in /etc/syslog.conf:
# $FreeBSD: release/10.0.0/etc/syslog.conf 252481 2013-07-01 21:20:17Z asomers$
#
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
ftp.info /var/log/xferlog
cron.* /var/log/cron
!-devd
*.=debug /var/log/debug.log
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
# touch /var/log/console.log and chmod it to mode 600 before it will work
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.* /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
# Uncomment this if you wish to see messages produced by devd
# !devd
# *.>=info /var/log/devd.log
!ppp
*.* /var/log/ppp.log
!slapd
*.* /var/log/slapd.log
!*
Before moving on, perform the following tasks:
# touch /var/log/slapd.log
# service syslogd restart
# service slapd restart
Rotate Log Files:
To rotate the log files periodically, edit /etc/newsyslog.conf on each server:
/var/log/slapd.log 600 7 * @T11 R /usr/local/etc/openldap/log_rotate
Create the log_rotate script in /usr/local/etc/openldap on each server:
#!/bin/sh
# This script restarts OpenLDAP after log rotation by newsyslog(8).
#
/usr/local/etc/rc.d/slapd restart
exit 0
Change owner, group, and permissions on /usr/local/etc/openldap/log_rotate on each server:
# cd /usr/local/etc/openldap
# chown ldap:wheel log_rotate
# chmod 744 log_rotate
After adding the above entry, restart the newsyslog service on each server:
# service newsyslog restart
# service slapd restart
Summary:
The OpenLDAP Server is now configured and ready to accept additional entries. Part II of this series of articles on OpenLDAP will focus on implementing phpldapadmin to manage the server.
Additional Resources:
http://www.tokiwinter.com/openldap-multi-master-replication/
There is no need to restart slapd when rotating log files, since you are using syslog for logging.
Palle,
Thanks for your comment. I know there is no reason to restart slapd when rotating the log files, but unfortunately, if you do not restart slapd on a regular basis it sporadically dies. In fact, another user of OpenLDAP on FreeBSD has similar experiences. Please see his post on the FreeBSD Forums – https://forums.freebsd.org/threads/47634/#post-307209
Regards,
Scott
Nice How-to. It helped a total noob like me a lot.
Have you tried using the Online Configuration?
I have not tried utilizing OLC.