
Configurazione di LDAP

Struttura dell'albero LDAP

 DC=esempio,DC=lan
 +-- OU=Groups (gruppi posix/samba)
 +-- OU=Computers (computer samba = utenti posix)
 +-- OU=Users (utenti posix/samba)
     +--OU=KerberosPrincipals (principal Kerberos)

OpenLDAP+OpenSSL (ldaps)

Iniziamo generando una piccola certification authority locale e, con essa, il certificato TLS del server OpenLDAP (è questo certificato, firmato dalla CA, che verrà presentato sulla porta ldaps e verificato dai client tramite cacert.pem):

creiamo la nostra certification authority

# Working directory of the local CA: issued certificates go to certs/,
# the CA private key to private/ (root-only from the start).
# mkdir -p /etc/ldap/ssl
# cd /etc/ldap/ssl
# mkdir certs private
# chmod 700 private
# Serial of the next certificate and the (initially empty) index of
# issued certificates that 'openssl ca' maintains.
# echo 01 > serial
# touch index.txt
modifichiamo /etc/ldap/ssl/CA.conf
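# /etc/ldap/ssl/CA.conf -- OpenSSL configuration for the lab CA.
# Used with OPENSSL_CONF=CA.conf both to create the self-signed CA
# certificate ('openssl req -x509') and to sign requests ('openssl ca').
# Lines starting with '#' are comments.

[ ca ]
default_ca = local_ca

[ local_ca ]
dir = /etc/ldap/ssl
certificate = /etc/ldap/ssl/cacert.pem
database = /etc/ldap/ssl/index.txt
new_certs_dir = /etc/ldap/ssl/certs
private_key = /etc/ldap/ssl/private/cakey.pem
serial = /etc/ldap/ssl/serial
default_crl_days = 3650
# Ten-year server certificates; the server key sits unencrypted on disk
# (serverkey.pem), so shorten this if re-issuing is cheap for you.
default_days = 3650
# The original used md5, whose signatures are collision-broken and are
# rejected by current TLS stacks; sha256 is accepted everywhere.
default_md = sha256
# 1024-bit RSA is below current minimums; 2048 is the floor.
default_bits = 2048
encrypt_key = yes
policy = local_ca_policy
x509_extensions = local_ca_extensions
# Allow re-issuing a certificate with the same subject (renewal).
unique_subject = no

[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied

# Extensions stamped on every certificate this CA signs.
# NOTE(review): the SAN is hard-coded, so any request signed with this
# config comes out as pdc.esempio.lan whatever its CSR says -- only sign
# the slapd server request with it.
[ local_ca_extensions ]
subjectAltName = DNS:pdc.esempio.lan
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server

# Defaults for 'openssl req'; used when creating the CA certificate.
[ req ]
default_bits = 2048
default_keyfile = /etc/ldap/ssl/private/cakey.pem
default_md = sha256
prompt = no
distinguished_name = esempio
x509_extensions = x509_cert

# Subject of the CA certificate.
# NOTE(review): '[email protected]' is the page's e-mail obfuscation, not
# the real address -- replace it.
[ esempio ]
countryName = IT
stateOrProvinceName = Padova
localityName = Padova
emailAddress = [email protected]
organizationName = Esempio
organizationalUnitName = Lab
commonName = pdc.esempio.lan

# Extensions of the CA certificate itself: marked critical so a client
# cannot silently ignore them, and limited to signing certificates/CRLs.
[ x509_cert ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
# The original said 'server' here; this is a CA, not a server certificate.
nsCertType = sslCA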

e /etc/ldap/ssl/LocalServer.conf

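# /etc/ldap/ssl/LocalServer.conf -- OpenSSL configuration used to create
# the slapd server key and certificate request (OPENSSL_CONF points here).
[ req ]
# Defaults when the command line does not override them: 2048-bit RSA
# and SHA-256 rather than the library's older built-in defaults.
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = esempio

# Subject of the server certificate. The DNS name ends up in the
# subjectAltName through the CA's extension section (CA.conf), not
# through this request.
# NOTE(review): '[email protected]' is the page's e-mail obfuscation, not
# the real address -- replace it.
[ esempio ]
countryName = IT
stateOrProvinceName = Padova
localityName = Padova
emailAddress = [email protected]
organizationName = Esempio
organizationalUnitName = Lab
commonName = pdc.esempio.lan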

possiamo ora generare i nostri certificati:

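# cd /etc/ldap/ssl/
# Private keys are created with the umask in force; 077 keeps every new
# file root-only until we deliberately open the public ones below.
# umask 077
# CA key (4096 bit, passphrase-protected per encrypt_key) and self-signed
# CA certificate. The passphrase is typed at the prompt: the original
# '-passout pass:TOPSECRET' put it in argv, i.e. in 'ps' and the shell
# history (use '-passout file:<0600 file>' if it must be scripted).
# export OPENSSL_CONF=/etc/ldap/ssl/CA.conf
# openssl req -x509 -newkey rsa:4096 -sha256 -out cacert.pem -outform PEM -days 3650
# Server key (2048 bit, the original used 1024) and certificate request.
# export OPENSSL_CONF=/etc/ldap/ssl/LocalServer.conf
# openssl req -newkey rsa:2048 -sha256 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
# slapd needs the key without passphrase: strip it, then lock the file.
# openssl rsa -in tempkey.pem -out serverkey.pem
# chmod 400 serverkey.pem
# Sign the request with the CA and check the result chains to cacert.pem.
# export OPENSSL_CONF=/etc/ldap/ssl/CA.conf
# openssl ca -in tempreq.pem -out servercrt.pem
# openssl verify -CAfile cacert.pem servercrt.pem
# The encrypted copy of the server key and the CSR are no longer needed.
# rm -f tempkey.pem tempreq.pem
# Certificates are public; clients (and nss_ldap on this host) read cacert.pem.
# chmod 644 cacert.pem servercrt.pem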

Demone OpenLDAP: slapd

Passiamo ora alla configurazione OpenLDAP vera e propria:

generiamo l'hash (non una cifratura reversibile) della password del nostro amministratore LDAP, da incollare poi nella direttiva rootpw di slapd.conf:

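# Salted SHA-1 hash for rootpw. Without '-s' the password is asked twice
# at the prompt: the original '-s secret1' exposed it in the shell history
# and in 'ps', and '-h {MD5}' produced an unsalted hash that is reversed
# offline in seconds. Paste the printed {SSHA}... value into slapd.conf.
# slappasswd -h {SSHA}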

e passiamo alla modifica di /etc/ldap/slapd.conf che deve risultare simile al seguente:

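# /etc/ldap/slapd.conf -- OpenLDAP server configuration (slapd.conf(5)).
# Lines beginning with '#' are comments.

#######################################################################
# Global Directives:

# LDAPv2 binds ('allow bind_v2' in the original) are dropped: nss_ldap,
# pam_ldap, Samba and Heimdal all speak LDAPv3, so the obsolete protocol
# path stays closed.

sizelimit 20
timelimit -1
threads 8

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/qmailuser.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/hdb.schema

# Server certificate, its private key (stored unencrypted, so it must be
# readable by the slapd user only) and the CA that signed it.
TLSCertificateFile      /etc/ldap/ssl/servercrt.pem
TLSCertificateKeyFile   /etc/ldap/ssl/serverkey.pem
TLSCACertificateFile    /etc/ldap/ssl/cacert.pem

sasl-host pdc.esempio.lan
sasl-realm ESEMPIO.LAN

# Mapping of SASL authentication identities to LDAP entries.
# Rules are tried in order; the first one that matches is used.
# NOTE(review): every '[email protected]' on this page is the page's
# e-mail obfuscation, not the real value -- restore the real principal
# name (ldapmaster/<instance>@ESEMPIO.LAN) consistently here, in
# slapd.access, in /etc/ldap.conf and in the LDIF.

# Identity with an explicit realm: uid=<user>,cn=<realm>,cn=<mech>,cn=auth
authz-regexp
  uid=(.+),cn=(.+),cn=.+,cn=auth
  ldap:///dc=esempio,dc=lan??sub?(|(uid=$1)(cn=$1@$2))

# root on this host over ldapi:// (SASL EXTERNAL with peer credentials)
# becomes the directory administrator. Both attribute orders are kept as
# in the original, presumably because the peercred DN form varies.
authz-regexp
  uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth
  krb5PrincipalName=ldapmaster/[email protected],ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan

authz-regexp
  gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
  krb5PrincipalName=ldapmaster/[email protected],ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan

# Identity without a realm: look the user up by uid or by cn in the
# default realm. The second filter term was mangled by the page's
# obfuscation ("([email protected])" is not a valid attr=value assertion);
# it is reconstructed from the first rule above and sasl-realm --
# confirm against the original configuration.
authz-regexp
  uid=(.+),cn=.+,cn=auth
  ldap:///dc=esempio,dc=lan??sub?(|(uid=$1)(cn=$1@ESEMPIO.LAN))

# Refuse anonymous SASL mechanisms.
sasl-secprops  noanonymous

# Minimum security strength. The original 'security ssf=0' sets no
# minimum at all, so a simple bind (rootdn or user password in clear) is
# accepted over plain ldap:// on any interface. Requiring SSF 128 for
# simple binds forces them onto ldaps:// or StartTLS; localSSF assigns
# the ldapi:// Unix socket that strength so local binds (KDC, scripts
# run as root) keep working.
# NOTE(review): any client that still does simple binds over plain
# ldap:// (e.g. Samba with 'passdb backend = ldapsam:ldap://...' and no
# 'ldap ssl') must be moved to ldaps://, StartTLS or ldapi:// first.
security simple_bind=128
localSSF 128

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# The original 'loglevel 0' logged nothing, not even failed binds.
# 'stats' (connections, operations, results) is the usual production
# level and what incident response needs; it goes to syslog.
loglevel        stats

modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      unique
moduleload      auditlog

idletimeout     30
backend         bdb
database        bdb
suffix          "dc=esempio,dc=lan"
rootdn          "krb5PrincipalName=ldapmaster/[email protected],ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan"
# Output of 'slappasswd -h {SSHA}'. The original value,
# {MD5}5S2YxFmBmhF3WTbY37t5KQ==, is the unsalted MD5 of the example
# password 'secret1' and is recovered offline in seconds.
# rootpw is what the bootstrap ldapadd below authenticates against
# (the rootdn entry does not exist yet at that point).
# NOTE(review): consider removing rootpw once the entry exists, if your
# slapd then checks rootdn binds against the entry's userPassword --
# verify on your version before relying on it.
rootpw          {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
directory       "/var/lib/ldap"

# BDB tuning.
# NOTE(review): slapd only writes these into /var/lib/ldap/DB_CONFIG when
# that file does not exist yet; the DB_CONFIG created later in this howto
# (150 MB cache) takes precedence, so reconcile the two sets of values.
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

# Indices to maintain
index mail,mailAlternateAddress,objectClass,deliveryMode,accountStatus,ou pres,eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index mailHost              eq
index givenName             pres,sub,eq
index default               sub
index krb5PrincipalName,krb5PrincipalRealm      eq,pres

# Password Hash Definition -- format used when a password is set through
# the password-modify extended operation (the clients use
# 'pam_password exop'). {MD5} is unsalted; {SSHA} is OpenLDAP's default.
password-hash {SSHA}

# Overlay Unique -- attributes that must be unique within the subtree
overlay unique
unique_uri ldap:///dc=esempio,dc=lan?uidNumber,uid,krb5PrincipalName?sub
unique_uri ldap:///ou=Groups,dc=esempio,dc=lan?gidNumber,cn?sub

# Overlay Auditlog -- every write is appended to this file as LDIF, which
# therefore includes password hashes and Kerberos keys (e.g. userPassword,
# krb5Key); keep it 0600 (see the permissions and logrotate sections).
overlay auditlog
auditlog /var/log/ldapchanges.log

# Save the time that the entry gets modified
lastmod         on

# Access control lives in slapd.access; included after the 'database bdb'
# line, its ACLs apply to this database.
include /etc/ldap/slapd.access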

evitiamo di inserire in slapd.conf tutte le informazioni riguardanti i permessi dei vari utenti sull'albero, in quanto inseriremo tali informazioni nel file /etc/ldap/slapd.access:

# Heimdal User mapping
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
        dn="krb5PrincipalName=ldapmaster/[email protected],ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan"
authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,krb5Key,krb5KeyVersionNumber
        by dn="krb5PrincipalName=ldapmaster/[email protected],ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan" write
        by anonymous auth
        by self write
        by * none

# Everyone must be able to read password expiry attributes,
# if you are not granting rootdn access to workstations.
# Otherwise, the client system won't be able to know if
# user's password has expired, and will prompt him/her to
# change his/her password everytime he/she logs in.
# The owner must also be able to write it when he/she
# changes his/her own password.
access to attrs=shadowLastChange,sambaPwdLastSet,sambaPwdMustChange
        by dn="krb5PrincipalName=ldapmaster/[email protected],ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan" write
        by self write
        by * read 

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base= by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="krb5PrincipalName=ldapmaster/[email protected],ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan" write
        by * read

recuperiamo ora gli schemi LDAP mancanti (i primi due vengono scaricati in chiaro via HTTP e finiscono direttamente nella configurazione di slapd: verifichiamone il contenuto prima di includerli):

# Third-party schema files become part of slapd's configuration once
# included, so fetch them and read them before restarting the server.
# NOTE(review): plain HTTP and no published checksum or signature --
# verify the contents (hdb.schema is also shipped in the Heimdal source
# tree, qmailuser.schema with qmail-ldap).
# wget -P /etc/ldap/schema/ http://stefano.dscnet.org/howto/samba-pdc-ldap-kerberos/files/hdb.schema http://stefano.dscnet.org/howto/samba-pdc-ldap-kerberos/files/qmailuser.schema
# The Samba schema comes with the samba-doc package.
# cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
# gunzip /etc/ldap/schema/samba.schema.gz

Client LDAP e NSS-Ldap

Modifichiamo ora le impostazioni del client ldap in /etc/ldap/ldap.conf (il file è letto da tutti i programmi che usano libldap, compresi nss_ldap e pam_ldap nei processi non privilegiati, quindi deve restare leggibile da tutti gli utenti, così come il certificato della CA che referenzia):
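# /etc/ldap/ldap.conf -- defaults for libldap clients (ldapsearch,
# ldapadd, and nss_ldap/pam_ldap through libldap). See ldap.conf(5).
BASE dc=esempio,dc=lan
# URI supersedes the old HOST/PORT pair the original also carried;
# ldaps:// implies port 636.
URI ldaps://pdc.esempio.lan/
TLS_CACERT /etc/ldap/ssl/cacert.pem
# The original 'TLS_REQCERT never' disabled server certificate
# verification altogether, so the ldaps:// session could be intercepted
# by anyone presenting any certificate. 'demand' (the default) rejects
# a server whose certificate does not chain to TLS_CACERT above. This
# file and cacert.pem must be readable by every user that resolves
# names through nss_ldap.
TLS_REQCERT demand
TIMELIMIT 2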

e le impostazioni di libnss-ldap: /etc/ldap.conf

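# /etc/ldap.conf -- libnss-ldap / libpam-ldap settings (not the libldap
# client file of the same name under /etc/ldap/).
base dc=esempio,dc=lan
uri ldaps://pdc.esempio.lan/
# NOTE(review): root processes on this host -- and on every workstation
# this file is copied to -- bind as the directory's rootdn with the
# password kept in /etc/ldap.secret; whoever reads that file gets full
# write access to the directory and to every Kerberos key in it. A
# dedicated read-only bind DN (granted 'read' on the shadow attributes
# in slapd.access) is the usual replacement.
# '[email protected]' is the page's e-mail obfuscation; use the real
# principal name, the same as rootdn in slapd.conf.
rootbinddn krb5PrincipalName=ldapmaster/[email protected],ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan
port 636

ldap_version 3
bind_policy soft
bind_timelimit 2
timelimit 2
scope sub
nss_reconnect_maxsleeptime 8
nss_reconnect_sleeptime 1
nss_initgroups_ignoreusers root
nss_srv_domain esempio.lan

# Change passwords through the LDAP password-modify extended operation,
# so the server (password-hash in slapd.conf) chooses the hash format.
pam_password exop

pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid

# Repeated nss_base_* keys are searched in turn (users, then machine
# accounts, for the passwd and shadow maps).
nss_base_passwd ou=Users,dc=esempio,dc=lan?one
nss_base_shadow ou=Users,dc=esempio,dc=lan?one
nss_base_passwd ou=Computers,dc=esempio,dc=lan?one
nss_base_shadow ou=Computers,dc=esempio,dc=lan?one
nss_base_group  ou=Groups,dc=esempio,dc=lan?one

# 'ssl on' = LDAPS on port 636. The original relied on TLS_REQCERT never
# in /etc/ldap/ldap.conf, i.e. no certificate check at all; verify the
# server certificate against our CA here as well, so this file does not
# depend on the other one being correct.
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ldap/ssl/cacert.pem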

memorizziamo poi la password dell'amministratore ldap in /etc/ldap.secret e rendiamolo leggibile solo a root (attenzione: chiunque riesca a leggere questo file ottiene la password del rootdn, cioè il controllo completo della directory; il file va creato già con permessi restrittivi, non reso privato a posteriori):

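# Create the file already private: the original created it with the
# default umask (world-readable) and only then chmod'ed it, leaving a
# window in which any local user could read the rootdn password.
# NOTE(review): 'secret1' is the example password from this page and
# the echo leaves it in the shell history; type it via 'read -rs' (or
# clear the history) on a real system.
# umask 077
# echo secret1 > /etc/ldap.secret
# chown root:root /etc/ldap.secret
# chmod 600 /etc/ldap.secret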

istruiamo NSS per recuperare le informazioni degli utenti via LDAP: /etc/nsswitch.conf

# /etc/nsswitch.conf -- name service lookup order (nsswitch.conf(5)).
# Accounts and groups: local files first, then the directory. The
# '[notfound=continue]' the original appended is glibc's default action
# and is omitted.
passwd:         files ldap
shadow:         files ldap
group:          files ldap

# 'wins' needs the winbind NSS module (libnss-winbind) to be installed.
hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# Netgroups are not served from LDAP here; 'nis' only works with a NIS
# client configured.
netgroup:       nis

Primo avvio di slapd

Modifichiamo la configurazione dello script di avvio del server OpenLDAP: /etc/default/slapd
# /etc/default/slapd -- variables read by the slapd init script (shell
# syntax). Empty values leave the init script's defaults in force.
SLAPD_CONF=""
SLAPD_PIDFILE=""
# Presence of this file stops the init script from starting slapd.
SLAPD_SENTINEL_FILE="/etc/ldap/noslapd"
SLAPD_OPTIONS=""
# Account slapd drops to; /var/lib/ldap and the TLS key must be readable by it.
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
# Listeners: plain ldap:// on every interface, ldaps://, and the local
# ldapi:// Unix socket. NOTE(review): unless slapd.conf enforces a
# minimum SSF for simple binds, the plain listener accepts clear-text
# passwords from the network; bind it to the loopback only
# ("ldap://127.0.0.1/") if no remote client needs it.
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
# Keytab used by GSSAPI; it must be readable by $SLAPD_USER.
export KRB5_KTNAME="/etc/ldap/ldap.keytab"

stoppiamo il demone ldap e rimuoviamo il database del precedente albero:

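# /etc/init.d/slapd stop
# The next command destroys whatever directory data is in /var/lib/ldap;
# the original howto had no backup step. The archive contains the whole
# database (password hashes included), so keep it root-only.
# tar czf /root/ldap-db-backup.tgz /var/lib/ldap
# chmod 600 /root/ldap-db-backup.tgz
# rm -f /var/lib/ldap/*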
andiamo quindi a creare le impostazioni per il database del nuovo albero: /var/lib/ldap/DB_CONFIG
# /var/lib/ldap/DB_CONFIG -- Berkeley DB environment settings for the bdb
# backend, read when slapd opens /var/lib/ldap.
# NOTE(review): once this file exists the 'dbconfig' lines in slapd.conf
# (which ask for a 2 MB cache) are not applied, so these are the values
# in effect -- reconcile the two if the mismatch is unintended.
# in-memory cache: <gbytes> <bytes> <ncache> (150 MB here)
set_cachesize           0 150000000 1
# log region size and in-memory log buffer size
set_lg_regionmax        262144
set_lg_bsize            2097152
# lock table limits (same values as the dbconfig lines in slapd.conf)
set_lk_max_objects      1500
set_lk_max_locks        1500
set_lk_max_lockers      1500
# drop transaction log files as soon as they are no longer needed;
# NOTE(review): presumably this also removes what catastrophic recovery
# would need -- confirm against your backup strategy
set_flags               DB_LOG_AUTOREMOVE
sistemiamo i permessi:
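# The database is private to the slapd user.
# chown -R openldap:openldap /var/lib/ldap
# find /var/lib/ldap -type d -exec chmod 700 {} \;
# find /var/lib/ldap -type f -exec chmod 600 {} \;
# /etc/ldap itself must stay traversable, and ldap.conf, the schema files
# and the CA certificate readable by everyone: libldap reads
# /etc/ldap/ldap.conf and TLS_CACERT for every nss_ldap lookup, also in
# unprivileged processes. The original 'chmod 700/600 on all of
# /etc/ldap' broke exactly that (TLS_REQCERT never hid the failure).
# Configuration and the server key are root-owned and readable by the
# slapd group only, so a compromised slapd cannot rewrite its own ACLs.
# chown -R root:root /etc/ldap
# chmod 755 /etc/ldap /etc/ldap/schema /etc/ldap/ssl /etc/ldap/ssl/certs
# chmod 644 /etc/ldap/ldap.conf /etc/ldap/schema/* /etc/ldap/ssl/cacert.pem /etc/ldap/ssl/servercrt.pem
# chmod 700 /etc/ldap/ssl/private
# chown root:openldap /etc/ldap/slapd.conf /etc/ldap/slapd.access /etc/ldap/ssl/serverkey.pem
# chmod 640 /etc/ldap/slapd.conf /etc/ldap/slapd.access /etc/ldap/ssl/serverkey.pem
# /etc/ldap/ldap.keytab (created in the Kerberos part of this howto)
# needs the same root:openldap 0640 treatment once it exists.
# The audit log receives password hashes and Kerberos keys: slapd user only.
# touch /var/log/ldapchanges.log
# chown openldap:openldap /var/log/ldapchanges.log /etc/sasldb2
# chmod 600 /var/log/ldapchanges.log /etc/sasldb2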
e configuriamo logrotate per /var/log/ldapchanges.log: /etc/logrotate.d/ldapchanges
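# /etc/logrotate.d/ldapchanges -- rotation of the slapd auditlog overlay
# output (password hashes and Kerberos keys in LDIF form).
/var/log/ldapchanges.log {
        rotate 5
        weekly
        compress
        missingok
        notifempty
        # The overlay writes as the slapd user, which cannot create files
        # in the (normally root-owned) /var/log: without 'create' the
        # audit trail silently stops after the first rotation. Keep the
        # 0600 openldap:openldap the file is given when it is set up.
        create 0600 openldap openldap
        # NOTE(review): the auditlog overlay appears to open/append/close
        # the file per write, so no copytruncate or slapd restart is
        # needed after rotation -- confirm on your version.
}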
possiamo ora avviare slapd
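# Check the configuration (syntax, schema, ACL parsing) before starting;
# '-u' is a dry run that does not open the database.
# slaptest -f /etc/ldap/slapd.conf -u
# /etc/init.d/slapd start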

Creazione albero LDAP iniziale

Possiamo ora creare la struttura di base del nostro albero:

creiamo il file /root/ldap_base.ldif con questo contenuto:

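# /root/ldap_base.ldif -- initial structure of the tree (see the diagram
# at the top of this section). Lines starting with '#' are comments.

# Base of the tree.
dn: dc=esempio,dc=lan
dc: esempio
objectClass: top
objectClass: domain

# POSIX/Samba users; Kerberos principals live one level below.
dn: ou=Users,dc=esempio,dc=lan
ou: Users
objectClass: top
objectClass: organizationalUnit

dn: ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan
ou: KerberosPrincipals
objectClass: top
objectClass: organizationalUnit

# POSIX/Samba groups.
dn: ou=Groups,dc=esempio,dc=lan
ou: Groups
objectClass: top
objectClass: organizationalUnit

# Samba machine accounts (POSIX users as well).
dn: ou=Computers,dc=esempio,dc=lan
ou: Computers
objectClass: top
objectClass: organizationalUnit

# Directory administrator: the rootdn of slapd.conf, modelled as a
# Kerberos principal (krb5Principal/krb5KDCEntry come from hdb.schema).
# NOTE(review): '[email protected]' is the page's e-mail obfuscation; use
# the real principal name, identical to rootdn in slapd.conf, in the DN
# and in krb5PrincipalName/cn/sn. The krb5* lifetimes and flags are
# taken over from the original unchanged -- confirm against your KDC.
dn: krb5PrincipalName=ldapmaster/[email protected],ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan
objectClass: top
objectClass: person
objectClass: krb5Principal
objectClass: krb5KDCEntry
krb5PrincipalName: ldapmaster/[email protected]
krb5KeyVersionNumber: 1
krb5MaxLife: 86400
krb5MaxRenew: 604800
krb5KDCFlags: 126
cn: ldapmaster/[email protected]
sn: ldapmaster/[email protected]
# Paste the output of 'slappasswd -h {SSHA}'. The original carried the
# unsalted MD5 of the example password 'secret1' -- the same hash as
# rootpw -- which is recovered offline in seconds; the ACLs make this
# attribute readable only by the admin and the entry itself.
# NOTE(review): while rootpw is set in slapd.conf, simple binds as this
# DN are checked against rootpw, so this value only matters once rootpw
# is dropped -- verify on your slapd version.
userPassword: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT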

passiamo quindi ora all'importazione del file ldif nel nostro albero:

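# The rootdn entry does not exist yet, so this simple bind is checked
# against rootpw in slapd.conf. '-W' prompts for the password; the
# original '-w secret1' left it in the shell history and in 'ps'. The
# server URI comes from /etc/ldap/ldap.conf (ldaps://pdc.esempio.lan/),
# so the password travels inside TLS.
# NOTE(review): '[email protected]' is the page's e-mail obfuscation; use
# the real rootdn from slapd.conf.
# ldapadd -x -W -D krb5PrincipalName=ldapmaster/[email protected],ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan -f /root/ldap_base.ldif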
che dovrebbe dare come output:
adding new entry "dc=esempio,dc=lan"

adding new entry "ou=Users,dc=esempio,dc=lan"

adding new entry "ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan"

adding new entry "ou=Groups,dc=esempio,dc=lan"

adding new entry "ou=Computers,dc=esempio,dc=lan"

adding new entry "krb5PrincipalName=ldapmaster/[email protected],ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan"

Stefano Sasso 2009-04-16