Support #727
Updated by Daniel Curtis almost 8 years ago
{{>toc}}
This is a guide on installing an OpenLDAP server on FreeBSD 9.
h2. Prepare the Environment
* Make sure the system is up to date:
<pre>
pkg update && pkg upgrade
portsnap fetch extract
</pre>
* Install portmaster:
<pre>
pkg install portmaster
pkg2ng
</pre>
h2. Install OpenLDAP Server
* Install the openldap24-server package from the ports tree:
<pre>
portmaster net/openldap24-server
</pre>
#* *NOTE*: Make sure to enable *[X] GSSAPI*, *[X] PPOLICY*, *[X] MEMBEROF*, *[X] DYNLIST*, *[X] DYNGROUP*, *[X] REFINT*, *[X] SHA2*, *[X] SASL*, and *[X] UNIQUE* during the openldap24-server port configuration.
* Edit the OpenLDAP Client config file:
<pre>
vi /usr/local/etc/openldap/ldap.conf
</pre>
#* Change the BASE to your own environment:
<pre>
BASE dc=example,dc=com
URI ldap:// ldaps://
# SIZELIMIT 0 indicates unlimited search size
SIZELIMIT 0
TIMELIMIT 15
DEREF never
</pre>
* Change the default password:
<pre>
slappasswd -h "{SSHA}" >> /usr/local/etc/openldap/slapd.conf
</pre>
* Edit the OpenLDAP Server config file:
<pre>
vi /usr/local/etc/openldap/slapd.conf
</pre>
#* And change as necessary on each server:
<pre>
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/collective.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/duaconf.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/pmi.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/slapd.log
loglevel 256
modulepath /usr/local/libexec/openldap
moduleload back_mdb
disallow bind_anon
require authc
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
directory /var/db/openldap-data
maxsize 1073741824
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=example,dc=com" write
by * none
access to *
by self write
by dn.base="cn=Manager,dc=example,dc=com" write
by * read
# Indices to maintain
index objectClass eq
index uid eq
index uidNumber eq
index uniqueMember eq
index gidNumber eq
index cn eq
index memberUid eq
rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb
overlay memberof
memberof-dangling drop
memberof-refint TRUE
</pre>
* Edit the rc.conf file:
<pre>
vi /etc/rc.conf
</pre>
#* And add the follow to the end of the file:
<pre>
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"
</pre>
* Start slapd:
<pre>
service slapd start
</pre>
* Test the slapd configuration using an anonymous connection:
<pre>
ldapsearch
</pre>
_Example output_, this is expected to cause an error:
<pre>
ldap_bind: Inappropriate authentication (48)
additional info: anonymous bind disallowed
</pre>
* Test the slapd configuration to demonstrate a successful connection using an authorized user:
<pre>
ldapsearch -D "cn=Manager,dc=example,dc=com"
</pre>
#* _Example output_:
<pre>
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 3
result: 32 No such object
# numResponses: 1
</pre>
h2. Populate the LDAP Server
* Create the domain template file:
<pre>
vi ~/example.com.ldif
</pre>
#* And add the following:
<pre>
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: example
dc: example
dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
</pre>
* To import this file into the server:
<pre>
ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/example.com.ldif
</pre>
* To verify the data was imported correctly using the ldapsearch command:
<pre>
ldapsearch
</pre>
#* _Example output_:
<pre>
# extended LDIF
#
# LDAPv3
# base <dc=loga,dc=us> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o:: bG9nYSA=
dc:: bG9nYSA=
# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
</pre>
h2. Add SSL to OpenLDAP
* Install openssl:
<pre>
pkg install openssl
</pre>
* Generate a strong SSL key and a CSR to send for signing by a CA:
<pre>
cd /usr/local/etc
openssl req -sha512 -out ldap.example.com.csr -new -newkey rsa:4096 -nodes -keyout ldap.example.com.key
</pre>
* Generate the DH parameters:
<pre>
openssl dhparam -out /usr/local/etc/dhparam.pem /usr/local/etc/dhparam 4096
</pre>
* Edit the OpenLDAP Server config file:
<pre>
vi /usr/local/etc/openldap/slapd.conf
</pre>
#* And change as necessary on each server:
<pre>
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/collective.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/duaconf.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/pmi.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
TLSCACertificateFile /usr/local/etc/ca-cert.bundle
TLSCertificateFile /usr/local/etc/ldap.example.com.crt
TLSCertificateKeyFile /usr/local/etc/ldap.example.com.key
TLSDHParamFile /usr/local/etc/dhparam.pem /usr/local/etc/dhparam
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/slapd.log
loglevel 256
modulepath /usr/local/libexec/openldap
moduleload back_mdb
disallow bind_anon
require authc
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
directory /var/db/openldap-data
maxsize 1073741824
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=example,dc=com" write
by * none
access to *
by self write
by dn.base="cn=Manager,dc=example,dc=com" write
by * read
# Indices to maintain
index objectClass eq
index uid eq
index uidNumber eq
index uniqueMember eq
index gidNumber eq
index cn eq
index memberUid eq
rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb
overlay memberof
memberof-dangling drop
memberof-refint TRUE
</pre>
* Set the ownership of the SSL certificate and key to the LDAP user:
<pre>
chown ldap:ldap /usr/local/etc/ldap.example.com.{crt,key}
</pre>
* Edit the rc.conf file:
<pre>
vi /etc/rc.conf
</pre>
#* And add ldaps:/// to the slapd_flags:
<pre>
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///"'
</pre>
* Restart openldap:
<pre>
service slapd restart
</pre>
h2. Populate the LDAP Server
* Create the People Organizational Unit ldif file:
<pre>
vi ~/people-ou.ldif
</pre>
#* And add the following:
<pre>
dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People
</pre>
* Import the People OU file into the server:
<pre>
ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/people-ou.ldif
</pre>
* Create the bob user ldif file:
<pre>
vi ~/bob.ldif
</pre>
#* And add the following:
<pre>
dn: cn=Bob Guy,ou=People,dc=example,dc=com
cn: Bob Guy
givenname: Bob
initials: BG
mail: bob@example.com
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
sn: Guy
uid: bob
userpassword: {MD5}X03MO1qnZdYdgyfeuILPmQ==
</pre>
#* *NOTE*: The password for bob is *password*.
h2. Install LDAP Web Frontend
h3. Install Nginx
* Install nginx and php56:
<pre>
pkg install nginx php56
</pre>
* Configure the default PHP settings
<pre>
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
</pre>
* Create a configuration directory to make managing individual server blocks easier
<pre>
mkdir /usr/local/etc/nginx/conf.d
</pre>
* Edit the main nginx config file:
<pre>
vi /usr/local/etc/nginx/nginx.conf
</pre>
#* And strip down the config file and add the include statement at the end to make it easier to handle various server blocks:
<pre>
#user nobody;
worker_processes 1;
error_log /var/log/nginx-error.log;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
ssl_dhparam /usr/local/etc/dhparam.pem; /usr/local/etc/dhparam;
# Load config files from the /etc/nginx/conf.d directory
include /usr/local/etc/nginx/conf.d/*.conf;
}
</pre>
* Edit /usr/local/etc/php-fpm.conf:
<pre>
vi /usr/local/etc/php-fpm.conf
</pre>
#* Make the following changes:
<pre>
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
</pre>
* Create the nginx SSL certificate bundle:
<pre>
cat /usr/local/etc/ldap.example.com.crt /usr/local/etc/dhparam.pem > /usr/local/etc/ldap.example.com.bundle.crt
</pre>
* Harden the SSL certificate bundle permissions:
<pre>
chown www:www /usr/local/etc/ldap.example.com.bundle.crt
</pre>
* Add the www user to the ldap group:
<pre>
pw user mod www -G ldap
</pre>
* Start and enable nginx and php-fpm at boot:
<pre>
echo 'nginx_enable="YES"' >> /etc/rc.conf
echo 'php_fpm_enable="YES"' >> /etc/rc.conf
service php-fpm start
service nginx start
</pre>
h3. Install LDAP Account Manager
* Install LDAP Acccount Manager:
<pre>
pkg install ldap-account-manager
</pre>
* Add a lam.example.com server block:
<pre>
vi /usr/local/etc/nginx/conf.d/lam.example.com.conf
</pre>
Add the following:
<pre>
server {
listen 80;
listen 443 ssl;
server_name ldap.example.com;
root /usr/local/www/lam;
access_log /var/log/ldap.example.com-access.log;
error_log /var/log/ldap.example.com-error.log;
ssl on;
ssl_certificate /usr/local/etc/ldap.example.com.crt;
ssl_certificate_key /usr/local/etc/ldap.example.com.key;
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/etc/dhparam.pem; /nginx/dhparam.pem;
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
allow 192.168.1.0/24;
deny all;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ (tmp/internal|sess|config|locale) {
deny all;
return 403;
}
}
</pre>
* Restart nginx:
<pre>
service nginx restart
service php-fpm restart
</pre>
* Open a web browser and go to http://lam.example.com
*# Click on +LAM Configuration -> General Settings+, the default master password is *lam*; make sure to change it before going into production.
*# Go to +LAM Configuration -> Edit Server profiles+, select any of the profiles and enter the password *lam*. Change the domains from the default to *dc=example,dc=com*. Click *Save* when finished.
*# Go back to login page and log in as the Manager user
h2. LDAP with SASL
* Install cyrus-sasl and the cyrus-sasl-ldapdb packages:
<pre>
pkg install cyrus-sasl cyrus-sasl-ldapdb
</pre>
* Install cyrus-sasl2-saslauthd from ports:
<pre>
portmaster security/cyrus-sasl2-saslauthd
</pre>
#* *NOTE*: Make sure to enable *[X] HTTPFORM* and *[X] OPENLDAP*.
* Create and edit the saslauthd config file:
<pre>
vi /usr/local/etc/saslauthd.conf
</pre>
#* And the following:
<pre>
ldap_servers: ldaps://ldap.example.com
ldap_search_base: dc=example,dc=com
ldap_filter: (uid=%u)
ldap_bind_dn: cn=Manager,dc=example,dc=com
ldap_pw: SuperSecretPassword
ldap_auth_method: bind
</pre>
* Start saslauthd, set it to use ldap as the authentication mechanism, and enable it at boot:
<pre>
echo 'saslauthd_enable="YES"' >> /etc/rc.conf
echo 'saslauthd_flags="-a ldap"' >> /etc/rc.conf
service saslauthd start
</pre>
* Test the connection between saslauthd and the LDAP servers by running:
<pre>
testsaslauthd -u bob -p password
</pre>
#* _Example output_:
<pre>
0: OK "Success."
</pre>
h2. Kerberos
* Edit the kerberos config file:
<pre>
vi /etc/krb5.conf
</pre>
#* And adjust the parameters as needed:
<pre>
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = 192.168.1.10
kdc = 192.168.1.10
admin_server = 192.168.1.10
}
[domain_realm]
.example.com = EXAMPLE.COM
</pre>
* Create the Kerberos database using the kstash command and enter a Master Key for security:
<pre>
kstash
</pre>
* Initialize the Kerberos Database with the kadmin utility using the -l option.
<pre>
kadmin -l
init EXAMPLE.COM
</pre>
* While still in +kadmin+, create a principal ‘bob’ using the add command:
<pre>
add bob
</pre>
* Next create an ‘admin’ principal
<pre>
add larry/admin
</pre>
* Access to the administration server is controlled by an ACL file, create this file in the appropriate directory with the following contents:
<pre>
echo 'larry/admin@EXAMPLE.COM all' >> /var/heimdal/kadmind.acl
</pre>
* Then start and enable kerberos at boot:
<pre>
echo 'kdc_enable="YES"' >> /etc/rc.conf
echo 'kadmind_enable="YES"' >> /etc/rc.conf
service kdc start
service kadmind start
</pre>
h2. Resources
* http://loga.us/2014/08/16/openldap-and-multi-master-replication-in-freebsd-part-i-openldap/
* https://www.ldap-account-manager.org/static/doc/manual-onePage/index.html
* http://blog.adimian.com/2014/10/how-to-enable-memberof-using-openldap/
* https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/
* http://ximalas.info/2014/01/10/ldap-authentication-for-subversions-svnserve-on-freebsd-using-sasl-saslauthd-and-novell-edirectory/
* http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/