Support #727
Updated by Daniel Curtis about 8 years ago
{{>toc}}
This is a guide on installing an OpenLDAP server on FreeBSD 9.
h2. Prepare the Environment
* Make sure the system is up to date:
<pre>
pkg update && pkg upgrade
portsnap fetch extract
</pre>
* Install portmaster:
<pre>
pkg install portmaster
pkg2ng
</pre>
h2. Install OpenLDAP Server
* Install the openldap24-server package from the ports tree:
<pre>
portmaster net/openldap24-server
</pre>
#* *NOTE*: Make sure to enable *[X] PPOLICY*, *[X] MEMBEROF*, and *[X] REFINT* PPOLICY* during the openldap24-server port configuration.
* Edit the OpenLDAP Client config file:
<pre>
vi /usr/local/etc/openldap/ldap.conf
</pre>
#* Change the BASE to your own environment:
<pre>
BASE dc=example,dc=com
URI ldap:// ldaps://
# SIZELIMIT 0 indicates unlimited search size
SIZELIMIT 0
TIMELIMIT 15
DEREF never
</pre>
* Change the default password:
<pre>
slappasswd -h "{SSHA}" >> /usr/local/etc/openldap/slapd.conf
</pre>
* Edit the OpenLDAP Server config file:
<pre>
vi /usr/local/etc/openldap/slapd.conf
</pre>
#* And change as necessary on each server:
<pre>
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/collective.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/duaconf.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/pmi.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256
modulepath /usr/local/libexec/openldap
moduleload back_mdb
#moduleload back_ldap
allow bind_v2
disallow bind_anon
require authc
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
directory /var/db/openldap-data
maxsize 1073741824
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=example,dc=com" write
by * none
access to *
by self write
by dn.base="cn=Manager,dc=example,dc=com" write
by * read
# Indices to maintain
index objectClass eq
rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb
overlay memberof
memberof-dangling drop
memberof-refint TRUE
</pre>
* Edit the rc.conf file:
<pre>
vi /etc/rc.conf
</pre>
#* And add the follow to the end of the file:
<pre>
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
</pre>
* Start slapd:
<pre>
service slapd start
</pre>
Testing the slapd configuration to demonstrate a successful connection:
<pre>
ldapsearch
</pre>
#* _Example output_:
<pre>
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 3
result: 32 No such object
# numResponses: 1
</pre>
h2. Add SSL to OpenLDAP
* Install openssl:
<pre>
pkg install openssl
</pre>
* Generate a strong SSL key and a CSR to send for signing by a CA:
<pre>
cd /usr/local/etc
openssl req -sha512 -out ldap.example.com.csr -new -newkey rsa:4096 -nodes -keyout ldap.example.com.key
</pre>
* Create a file called addsslcerts.ldif:
<pre>
cd ~
vi addsslcerts.ldif
</pre>
#* And add the following:
<pre>
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /usr/local/etc/ca_server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /usr/local/etc/ldap.example.com.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /usr/local/etc/ldap.example.com.key
</pre>
* Add the ssl config ldif file:
<pre>
ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/addsslcerts.ldif
</pre>
* Restart openldap:
<pre>
service slapd restart
</pre>
h2. Populate the LDAP Server
* Create the domain template file:
<pre>
vi ~/example.com.ldif
</pre>
#* And add the following:
<pre>
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: example
dc: example
dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
</pre>
* To import this file into the server:
<pre>
ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/example.com.ldif
</pre>
* To verify the data was imported correctly using the ldapsearch command:
<pre>
ldapsearch
</pre>
#* _Example output_:
<pre>
# extended LDIF
#
# LDAPv3
# base <dc=loga,dc=us> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.com loga.us
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o:: bG9nYSA=
dc:: bG9nYSA=
# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
</pre>
h2. Install LDAP Web Frontend
h3. Install Nginx
* Install nginx and php56:
<pre>
pkg install nginx php56
</pre>
* Configure the default PHP settings
<pre>
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
</pre>
* Create a configuration directory to make managing individual server blocks easier
<pre>
mkdir /usr/local/etc/nginx/conf.d
</pre>
* Edit the main nginx config file:
<pre>
vi /usr/local/etc/nginx/nginx.conf
</pre>
#* And strip down the config file and add the include statement at the end to make it easier to handle various server blocks:
<pre>
#user nobody;
worker_processes 1;
error_log /var/log/nginx-error.log;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
# Load config files from the /etc/nginx/conf.d directory
include /usr/local/etc/nginx/conf.d/*.conf;
}
</pre>
* Edit /usr/local/etc/php-fpm.conf:
<pre>
vi /usr/local/etc/php-fpm.conf
</pre>
#* Make the following changes:
<pre>
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
</pre>
* Start and enable nginx and php-fpm at boot:
<pre>
echo 'nginx_enable="YES"' >> /etc/rc.conf
echo 'php_fpm_enable="YES"' >> /etc/rc.conf
service php-fpm start
service nginx start
</pre>
h3. Install LDAP Account Manager
* Install LDAP Acccount Manager:
<pre>
pkg install ldap-account-manager
</pre>
* Add a lam.example.com server block:
<pre>
vi /usr/local/etc/nginx/conf.d/lam.example.com.conf
</pre>
Add the following:
<pre>
server {
listen 80;
server_name lam.example.com;
root /usr/local/www/lam;
access_log /var/log/lam.example.com-access.log;
error_log /var/log/lam.example.com-error.log;
allow 192.168.1.0/24;
deny all;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ (tmp/internal|sess|config|locale) {
deny all;
return 403;
}
}
</pre>
* Restart nginx:
<pre>
service nginx restart
service php-fpm restart
</pre>
* Open a web browser and go to http://lam.example.com
*# Click on +LAM Configuration -> General Settings+, the default master password is *lam*; make sure to change it before going into production.
*# Go to +LAM Configuration -> Edit Server profiles+, select any of the profiles and enter the password *lam*. Change the domains from the default to *dc=example,dc=com*. Click *Save* when finished.
*# Go back to login page and log in as the Manager user
h2. Setup memberOf Attribute
* Create the memberof_config.ldif file:
<pre>
vi ~/memberof_config.ldif
</pre>
#* And add the following:
<pre>
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/local/libexec/openldap
dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
</pre>
* Create the refint1.ldif file:
<pre>
vi ~/refint1.ldif
</pre>
#* And add the following:
<pre>
dn: cn=module{1},cn=config
add: olcmoduleload
olcmoduleload: refint
</pre>
* Create the refint2.ldif file:
<pre>
vi ~/refint2.ldif
</pre>
#* And add the following:
<pre>
dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
</pre>
* Then import the ldif files into the LDAP server:
<pre>
ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/memberof_config.ldif
ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/refint1.ldif
ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/refint2.ldif
</pre>
h2. Resources
* http://loga.us/2014/08/16/openldap-and-multi-master-replication-in-freebsd-part-i-openldap/
* https://www.ldap-account-manager.org/static/doc/manual-onePage/index.html
* http://blog.adimian.com/2014/10/how-to-enable-memberof-using-openldap/
* https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/