Support #727

Updated by Daniel Curtis almost 9 years ago

{{>toc}} 

 This is a guide on installing an OpenLDAP server on FreeBSD 9. It uses the classic slapd.conf configuration file (not cn=config) with the mdb backend, refuses anonymous binds, and then adds TLS and a web frontend (LDAP Account Manager) on top. 

 h2. Prepare the Environment 

 * Make sure the system is up to date: 
 <pre> 
 pkg update && pkg upgrade 
 portsnap fetch extract 
 </pre> 

 * Install portmaster: 
 <pre> 
 pkg install portmaster 
 pkg2ng 
 </pre> 

 h2. Install OpenLDAP Server 

 * Install the openldap24-server package from the ports tree: 
 <pre> 
 portmaster net/openldap24-server 
 </pre> 
 #* *NOTE*: Make sure to enable *[X] PPOLICY*, *[X] MEMBEROF*, *[X] DYNLIST*, *[X] DYNGROUP*, *[X] REFINT*, *[X] SHA2*, and *[X] UNIQUE* during the openldap24-server port configuration. 

 * Edit the OpenLDAP Client config file: 
 <pre> 
 vi /usr/local/etc/openldap/ldap.conf 
 </pre> 
 #* Change the BASE to your own environment: 
 <pre> 
 BASE dc=example,dc=com 
 URI ldap:// ldaps:// 

 # SIZELIMIT 0 indicates unlimited search size 
 SIZELIMIT 0 
 TIMELIMIT 15 
 DEREF never 
 </pre> 

 * Generate a hashed password for the rootdn (the directory administrator). The hash is pasted into the *rootpw* directive of slapd.conf in the next step; never write the clear-text password into the file, and keep slapd.conf readable only by root and the ldap user that slapd runs as: 
 <pre> 
 slappasswd -h "{SSHA}" 
 </pre> 

 * Edit the OpenLDAP Server config file: 
 <pre> 
 vi /usr/local/etc/openldap/slapd.conf 
 </pre> 
 #* And change as necessary on each server: 
 <pre> 
 include /usr/local/etc/openldap/schema/core.schema 
 include /usr/local/etc/openldap/schema/cosine.schema 
 include /usr/local/etc/openldap/schema/corba.schema 
 include /usr/local/etc/openldap/schema/inetorgperson.schema 
 include /usr/local/etc/openldap/schema/nis.schema 
 include /usr/local/etc/openldap/schema/collective.schema 
 include /usr/local/etc/openldap/schema/openldap.schema 
 include /usr/local/etc/openldap/schema/duaconf.schema 
 include /usr/local/etc/openldap/schema/dyngroup.schema 
 include /usr/local/etc/openldap/schema/misc.schema 
 include /usr/local/etc/openldap/schema/pmi.schema 
 include /usr/local/etc/openldap/schema/ppolicy.schema 

 pidfile /var/run/openldap/slapd.pid 
 argsfile /var/run/openldap/slapd.args 

 logfile /var/log/slapd.log 
 loglevel 256 

 modulepath /usr/local/libexec/openldap 
 moduleload back_mdb 
 # If memberof.so exists in the modulepath, the memberof overlay used below 
 # is a dynamic module and has to be loaded here as well: 
 # moduleload memberof 

 # Refuse anonymous binds and require authentication for every operation. 
 # LDAPv2 binds ("allow bind_v2") are legacy and no current client needs them. 
 disallow bind_anon 
 require authc 

 database mdb 

 suffix "dc=example,dc=com" 
 rootdn "cn=Manager,dc=example,dc=com" 

 directory /var/db/openldap-data 
 maxsize 1073741824 

 access to attrs=userPassword 
         by self write 
         by anonymous auth 
         by dn.base="cn=Manager,dc=example,dc=com" write 
         by * none 

 access to * 
         by self write 
         by dn.base="cn=Manager,dc=example,dc=com" write 
         by * read 

 # Indices to maintain 
 index objectClass eq 
 # Paste the output of slappasswd here; the value below is only a sample hash. 
 rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb 

 overlay           memberof 
 memberof-dangling      drop 
 memberof-refint        TRUE 
 </pre> 

 * Edit the rc.conf file: 
 <pre> 
 vi /etc/rc.conf 
 </pre> 
 #* And add the follow to the end of the file: 
 <pre> 
 slapd_enable="YES" 
 slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"' 
 slapd_sockets="/var/run/openldap/ldapi" 
 </pre> 

 * Start slapd: 
 <pre> 
 service slapd start 
 </pre> 

 * Test the slapd configuration with an anonymous connection; because bind_anon is disallowed this must fail: 
 <pre> 
 ldapsearch -x 
 </pre> 
 #* _Example output_ (the error is the expected result): 
 <pre> 
 ldap_bind: Inappropriate authentication (48) 
 	 additional info: anonymous bind disallowed 
 </pre> 

 * Test the slapd configuration with an authenticated connection as the rootdn (-W prompts for the password you hashed with slappasswd): 
 <pre> 
 ldapsearch -x -D "cn=Manager,dc=example,dc=com" -W 
 </pre> 
 #* _Example output_ (the bind succeeds; "No such object" only means the suffix entry has not been created yet, which the Populate section below does): 
 <pre> 
 # extended LDIF 
 #  
 # LDAPv3 
 # base <dc=example,dc=com> (default) with scope subtree 
 # filter: (objectclass=*) 
 # requesting: ALL 
 # 

 # search result 
 search: 3 
 result: 32 No such object 

 # numResponses: 1 
 </pre> 
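
 * The following is an added example, not part of the original guide and not OpenLDAP's own tooling: a POSIX sh audit of a slapd.conf for the settings this section relies on (hashed rootpw, anonymous binds refused, authentication required, no LDAPv2 binds, an ACL on userPassword, TLS key material configured, file not world-readable). It assumes the one-directive-per-line slapd.conf format and the paths used in this guide; the two sample configs it writes are constructed for the demonstration. Run it against /usr/local/etc/openldap/slapd.conf before starting slapd; until the TLS section below is done, the TLS check is expected to fail. 

```sh
#!/bin/sh
# Added example, not from the original guide: audit a slapd.conf for the
# hardening this section relies on. Assumes one directive per line (the
# slapd.conf format) and the guide's paths.

# lint_slapd_conf FILE
# Prints one "FAIL: ..." line per weak setting; always returns 0 so it can
# sit in a pipeline (count the lines to get pass/fail).
lint_slapd_conf() {
    conf="$1"

    # rootpw must be a hash ({SSHA}, {SHA512} ...), never the clear text.
    if grep -Eq '^[[:space:]]*rootpw[[:space:]]+[^{[:space:]]' "$conf"; then
        echo "FAIL: rootpw is clear text (use the output of slappasswd)"
    fi
    # Anonymous binds refused, authentication required for every operation.
    grep -Eq '^[[:space:]]*disallow[[:space:]].*bind_anon' "$conf" ||
        echo "FAIL: missing 'disallow bind_anon'"
    grep -Eq '^[[:space:]]*require[[:space:]].*authc' "$conf" ||
        echo "FAIL: missing 'require authc'"
    # LDAPv2 binds are legacy; no current client needs them.
    if grep -Eq '^[[:space:]]*allow[[:space:]].*bind_v2' "$conf"; then
        echo "FAIL: 'allow bind_v2' enables legacy LDAPv2 binds"
    fi
    # Without a userPassword ACL the catch-all "by * read" exposes every hash
    # to any authenticated user.
    grep -Eq '^[[:space:]]*access[[:space:]]+to[[:space:]]+attrs=userPassword' "$conf" ||
        echo "FAIL: no ACL for attrs=userPassword (hashes readable by all users)"
    # A key file means slapd can offer TLS at all.
    grep -Eq '^[[:space:]]*TLSCertificateKeyFile[[:space:]]' "$conf" ||
        echo "FAIL: no TLSCertificateKeyFile (binds cross the wire in clear)"
    # The file carries the rootpw hash: it must not be world-readable.
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $conf is world-readable (chmod 600)"
    fi
    return 0
}

# count_findings FILE  -> number of FAIL lines (0 means the file passes).
count_findings() {
    lint_slapd_conf "$1" | grep -c '^FAIL' || true
}

# write_samples -> prints a temp dir holding two constructed configs:
# weak.conf (a bare default plus a clear-text rootpw) and hardened.conf (what
# this guide arrives at, plus the TLS directives of the next section).
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
include /usr/local/etc/openldap/schema/core.schema
allow bind_v2
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
access to * by * read
EOF
    chmod 644 "$dir/weak.conf"
    cat > "$dir/hardened.conf" <<'EOF'
include /usr/local/etc/openldap/schema/core.schema
TLSCertificateFile /usr/local/etc/ldap.example.com.crt
TLSCertificateKeyFile /usr/local/etc/ldap.example.com.key
disallow bind_anon
require authc
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb
access to attrs=userPassword by self write by anonymous auth by * none
access to * by self write by * read
EOF
    chmod 600 "$dir/hardened.conf"
    echo "$dir"
}

# Run against a real file when given one:
#   sh lint-slapd.sh /usr/local/etc/openldap/slapd.conf
if [ $# -gt 0 ]; then
    lint_slapd_conf "$1"
fi
```

 The checks are deliberately line-oriented greps rather than a full slapd.conf parser: they catch the mistakes this guide warns about (a pasted clear-text rootpw, a forgotten *disallow bind_anon*, the userPassword ACL left out so the final *by * read* applies to hashes) and nothing else; a zero count is a necessary, not a sufficient, condition for a sane config, so still run *slaptest* before starting the service. 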

 h2. Add SSL to OpenLDAP 

 * Install openssl: 
 <pre> 
 pkg install openssl 
 </pre> 

 * Generate a strong key and a CSR to send for signing by a CA. The key is written without a passphrase (-nodes) because slapd has to read it unattended at boot, so file permissions are its only protection; slapd runs as the ldap user on FreeBSD, so the key must be owned by that user and readable by nobody else: 
 <pre> 
 cd /usr/local/etc 
 openssl req -sha512 -out ldap.example.com.csr -new -newkey rsa:4096 -nodes -keyout ldap.example.com.key 
 chown ldap:ldap ldap.example.com.key 
 chmod 600 ldap.example.com.key 
 </pre> 
 #* Save the signed certificate as /usr/local/etc/ldap.example.com.crt and the issuing CA chain as /usr/local/etc/ca-cert.bundle. The certificate's CN or subjectAltName must match the name clients connect to (ldap.example.com), otherwise certificate verification fails on every client. 

 * This guide configures slapd through slapd.conf, so TLS is configured with slapd.conf directives; the olcTLS* attributes only exist in a cn=config database and cannot be loaded into a slapd.conf-based server with ldapadd. Edit the server config: 
 <pre> 
 vi /usr/local/etc/openldap/slapd.conf 
 </pre> 
 #* And add the following to the global section, before the first *database* line: 
 <pre> 
 TLSCACertificateFile /usr/local/etc/ca-cert.bundle 
 TLSCertificateFile /usr/local/etc/ldap.example.com.crt 
 TLSCertificateKeyFile /usr/local/etc/ldap.example.com.key 
 # Accept TLS 1.2 and newer only (3.3 is the TLS 1.2 protocol version number). 
 # The cipher string is OpenSSL syntax, the default crypto backend of the port. 
 TLSProtocolMin 3.3 
 TLSCipherSuite HIGH:!aNULL:!MD5 
 </pre> 
 #* *NOTE*: The ldap:// listener still accepts clear-text simple binds from clients that do not issue STARTTLS. To refuse those outright, also add *security ssf=128* to the global section, together with *localSSF 128* so that the ldapi socket used by local tools still qualifies. 

 * Add an ldaps:// listener next to the existing ones in /etc/rc.conf: 
 <pre> 
 slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldaps://0.0.0.0/"' 
 </pre> 

 * Tell the local client library which CA to trust and to refuse servers it cannot verify, in /usr/local/etc/openldap/ldap.conf: 
 <pre> 
 TLS_CACERT /usr/local/etc/ca-cert.bundle 
 TLS_REQCERT demand 
 </pre> 

 * Check that the configuration still parses, then restart openldap: 
 <pre> 
 slaptest -u -f /usr/local/etc/openldap/slapd.conf 
 service slapd restart 
 </pre> 

 * Verify that both STARTTLS and ldaps:// work. -ZZ makes ldapsearch abort unless STARTTLS succeeds, so a verification problem shows up here instead of silently falling back to clear text; s_client should end with "Verify return code: 0 (ok)": 
 <pre> 
 ldapsearch -x -ZZ -H ldap://ldap.example.com -D "cn=Manager,dc=example,dc=com" -W 
 openssl s_client -connect ldap.example.com:636 -CAfile /usr/local/etc/ca-cert.bundle </dev/null 
 </pre> 
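
 * The following is an added example, not from the original guide and not part of OpenLDAP: a POSIX sh check of the key, certificate and chain before slapd is restarted, because a key/certificate mismatch, a key the ldap user cannot read, or an expired certificate makes slapd exit at startup with very little explanation. It assumes an RSA key as generated with the openssl req command above and needs only openssl(1); *make_lab_cert* is a helper that creates a throwaway self-signed certificate so the check can be exercised, and is not how production certificates are obtained. 

```sh
#!/bin/sh
# Added example, not from the original guide: verify TLS material before
# handing it to slapd. Assumes an RSA key (as generated with the openssl req
# command above) and the guide's paths; needs only openssl(1).

# check_tls_material KEY CRT HOSTNAME [CA_BUNDLE]
# Prints one "FAIL: ..." line per problem; returns 0 only if everything passes.
check_tls_material() {
    key="$1"; crt="$2"; host="$3"; ca="${4:-}"; bad=0

    if [ ! -r "$key" ] || [ ! -r "$crt" ]; then
        echo "FAIL: $key or $crt is missing or unreadable"
        return 1
    fi
    # The key has no passphrase, so its mode is its only protection:
    # slapd (user ldap) needs it, nobody else may read it.
    if [ -n "$(find "$key" -perm -040 -o -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $key is readable by group or others (chmod 600)"; bad=1
    fi
    # The certificate must have been issued for exactly this key: compare the
    # RSA modulus embedded in each.
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null || true)
    cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null || true)
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "FAIL: $crt was not issued for the key in $key"; bad=1
    fi
    # Not expired and not about to expire (30 days = 2592000 s).
    if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $crt is expired or expires within 30 days"; bad=1
    fi
    # The name clients connect to must appear as the CN or a DNS SAN;
    # -text prints both, so one fixed-string grep covers either place.
    if ! openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -qF "$host"; then
        echo "FAIL: $host is neither the CN nor a subjectAltName of $crt"; bad=1
    fi
    # Optional: the chain must verify against the bundle clients (TLS_CACERT) trust.
    if [ -n "$ca" ] && ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not chain to $ca"; bad=1
    fi
    return $bad
}

# Lab helper (constructed test input only): a throwaway self-signed
# certificate for HOST written to DIR/HOST.key and DIR/HOST.crt.
make_lab_cert() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" >/dev/null 2>&1
    chmod 600 "$dir/$host.key"
}

# Usage on the server, before "service slapd restart":
#   check_tls_material /usr/local/etc/ldap.example.com.key \
#       /usr/local/etc/ldap.example.com.crt ldap.example.com \
#       /usr/local/etc/ca-cert.bundle
```

 The modulus comparison is the check that matters most in practice: a CSR regenerated after the first one was submitted leaves you with a certificate that belongs to a key you no longer have, and slapd's only symptom is a refusal to start. 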

 h2. Populate the LDAP Server 

 * Create the domain template file: 
 <pre> 
 vi ~/example.com.ldif 
 </pre> 
 #* And add the following: 
 <pre> 
 dn: dc=example,dc=com 
 objectclass: dcObject 
 objectclass: organization 
 o: example 
 dc: example 

 dn: cn=Manager,dc=example,dc=com 
 objectclass: organizationalRole 
 cn: Manager 
 </pre> 
 
 * To import this file into the server: 
 <pre> 
 ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/example.com.ldif 
 </pre> 

 * To verify the data was imported correctly, run an authenticated ldapsearch (anonymous searches are refused by this configuration): 
 <pre> 
 ldapsearch -x -D "cn=Manager,dc=example,dc=com" -W 
 </pre> 
 #* _Example output_: 
 <pre> 
 # extended LDIF 
 # 
 # LDAPv3 
 # base <dc=example,dc=com> (default) with scope subtree 
 # filter: (objectclass=*) 
 # requesting: ALL 
 # 

 # example.com 
 dn: dc=example,dc=com 
 objectClass: dcObject 
 objectClass: organization 
 o: example 
 dc: example 

 # Manager, example.com 
 dn: cn=Manager,dc=example,dc=com 
 objectClass: organizationalRole 
 cn: Manager 

 # search result 
 search: 2 
 result: 0 Success 

 # numResponses: 3 
 # numEntries: 2 
 </pre> 


 h2. Install LDAP Web Frontend 

 h3. Install Nginx 

 * Install nginx and php56: 
 <pre> 
 pkg install nginx php56 
 </pre> 

 * Configure the default PHP settings 
 <pre> 
 cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini 
 </pre> 

 * Create a configuration directory to make managing individual server blocks easier 
 <pre> 
 mkdir /usr/local/etc/nginx/conf.d 
 </pre> 

 * Edit the main nginx config file: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* And strip down the config file and add the include statement at the end to make it easier to handle various server blocks: 
 <pre> 
 #user    nobody; 
 worker_processes    1; 
 error_log    /var/log/nginx-error.log; 

 events { 
     worker_connections    1024; 
 } 

 http { 
     include         mime.types; 
     default_type    application/octet-stream; 

     sendfile          on; 
     #tcp_nopush       on; 

     #keepalive_timeout    0; 
     keepalive_timeout    65; 

     #gzip    on; 

     # Load config files from the /etc/nginx/conf.d directory 
     include /usr/local/etc/nginx/conf.d/*.conf; 
 } 
 </pre> 

 * Edit /usr/local/etc/php-fpm.conf: 
 <pre> 
 vi /usr/local/etc/php-fpm.conf 
 </pre> 
 #* Make the following changes: 
 <pre> 
 listen = /var/run/php-fpm.sock 
 listen.owner = www 
 listen.group = www 
 listen.mode = 0660 
 </pre> 

 * Start and enable nginx and php-fpm at boot: 
 <pre> 
 echo 'nginx_enable="YES"' >> /etc/rc.conf 
 echo 'php_fpm_enable="YES"' >> /etc/rc.conf 
 service php-fpm start 
 service nginx start 
 </pre> 

 h3. Install LDAP Account Manager 

 * Install LDAP Acccount Manager: 
 <pre> 
 pkg install ldap-account-manager 
 </pre> 

 * Generate Diffie-Hellman parameters for the ssl_dhparam directive (this takes a while): 
 <pre> 
 openssl dhparam -out /usr/local/etc/nginx/dhparam.pem 2048 
 </pre> 

 * Add a lam.example.com server block: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/lam.example.com.conf 
 </pre> 
 Add the following. The frontend is served over TLS only; the certificate issued for ldap.example.com is reused here, so it must also carry lam.example.com as a subjectAltName, otherwise issue a separate certificate for the web frontend: 
 <pre> 
 server { 
     listen         443 ssl; 
     server_name    lam.example.com; 
     root           /usr/local/www/lam; 
     access_log     /var/log/lam.example.com-access.log; 
     error_log      /var/log/lam.example.com-error.log; 

     ssl_certificate /usr/local/etc/ldap.example.com.crt; 
     ssl_certificate_key /usr/local/etc/ldap.example.com.key; 

     ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
     ssl_protocols TLSv1.2; 
     ssl_session_cache    builtin:1000    shared:SSL:10m; 
     # OCSP stapling needs a CA-issued certificate and a resolver directive. 
     ssl_stapling on; 
     ssl_stapling_verify on; 
     ssl_prefer_server_ciphers on; 
     ssl_dhparam /usr/local/etc/nginx/dhparam.pem; 
     add_header Strict-Transport-Security max-age=63072000; 
     add_header X-Frame-Options SAMEORIGIN; 
     add_header X-Content-Type-Options nosniff; 

     # The admin frontend is reachable from the management network only. 
     allow 192.168.1.0/24; 
     deny all; 

     location ~ \.php$ { 
       # Refuse /anything.png/x.php style requests: with cgi.fix_pathinfo PHP 
       # would otherwise execute the nearest existing file as PHP. 
       try_files $uri =404; 
       fastcgi_split_path_info ^(.+\.php)(/.+)$; 
       fastcgi_pass unix:/var/run/php-fpm.sock; 
       fastcgi_index index.php; 
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
       include fastcgi_params; 
     } 

     # LAM keeps its configuration, sessions and temp files under the web root; never serve them. 
     location ~ (tmp/internal|sess|config|locale) { 
       deny all; 
       return 403; 
     } 
 } 
 </pre> 

 * Restart nginx: 
 <pre> 
 service nginx restart 
 service php-fpm restart 
 </pre> 

 * Open a web browser and go to https://lam.example.com (the server block only answers over TLS, and only from 192.168.1.0/24) 
 *# Click on +LAM Configuration -> General Settings+; the default master password is *lam*, change it before going into production. 
 *# Go to +LAM Configuration -> Edit Server profiles+, select any of the profiles and enter the password *lam*. Change the suffixes from the default to *dc=example,dc=com* and point the server address at ldaps://ldap.example.com:636 so the frontend's binds to the directory are encrypted. Click *Save* when finished. 
 *# Go back to the login page and log in as *cn=Manager,dc=example,dc=com* with the rootpw password. 

 h2. Resources 

 * http://loga.us/2014/08/16/openldap-and-multi-master-replication-in-freebsd-part-i-openldap/ 
 * https://www.ldap-account-manager.org/static/doc/manual-onePage/index.html 
 * http://blog.adimian.com/2014/10/how-to-enable-memberof-using-openldap/ 
 * https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/
