Project

General

Profile

Support #727

Updated by Daniel Curtis over 8 years ago

{{>toc}} 

 This is a guide on installing an OpenLDAP server on FreeBSD 9. 

 h2. Prepare the Environment 

 * Make sure the system is up to date: 
 <pre> 
 pkg update && pkg upgrade 
 portsnap fetch extract 
 </pre> 

 * Install portmaster: 
 <pre> 
 pkg install portmaster 
 pkg2ng 
 </pre> 

 h2. Install OpenLDAP Server 

 * Install the openldap24-server package from the ports tree: 
 <pre> 
 portmaster net/openldap24-server 
 </pre> 
 #* *NOTE*: Make sure to enable *[X] GSSAPI*, *[X] PPOLICY*, *[X] MEMBEROF*, *[X] DYNLIST*, *[X] DYNGROUP*, *[X] REFINT*, *[X] SHA2*, *[X] SASL*, and *[X] UNIQUE* during the openldap24-server port configuration. 

 * Edit the OpenLDAP Client config file: 
 <pre> 
 vi /usr/local/etc/openldap/ldap.conf 
 </pre> 
 #* Change the BASE to your own environment: 
 <pre> 
 BASE dc=example,dc=com 
 URI ldap:// ldaps:// 

 # SIZELIMIT 0 indicates unlimited search size 
 SIZELIMIT 0 
 TIMELIMIT 15 
 DEREF never 
 </pre> 

 * Change the default password: 
 <pre> 
 slappasswd -h "{SSHA}" >> /usr/local/etc/openldap/slapd.conf 
 </pre> 

 * Edit the OpenLDAP Server config file: 
 <pre> 
 vi /usr/local/etc/openldap/slapd.conf 
 </pre> 
 #* And change as necessary on each server: 
 <pre> 
 include /usr/local/etc/openldap/schema/core.schema 
 include /usr/local/etc/openldap/schema/cosine.schema 
 include /usr/local/etc/openldap/schema/corba.schema 
 include /usr/local/etc/openldap/schema/inetorgperson.schema 
 include /usr/local/etc/openldap/schema/nis.schema 
 include /usr/local/etc/openldap/schema/collective.schema 
 include /usr/local/etc/openldap/schema/openldap.schema 
 include /usr/local/etc/openldap/schema/duaconf.schema 
 include /usr/local/etc/openldap/schema/dyngroup.schema 
 include /usr/local/etc/openldap/schema/misc.schema 
 include /usr/local/etc/openldap/schema/pmi.schema 
 include /usr/local/etc/openldap/schema/ppolicy.schema 

 pidfile /var/run/openldap/slapd.pid 
 argsfile /var/run/openldap/slapd.args 

 logfile /var/log/slapd.log 
 loglevel 256 

 modulepath /usr/local/libexec/openldap 
 moduleload back_mdb 

 disallow bind_anon 
 require authc 

 database mdb 

 suffix "dc=example,dc=com" 
 rootdn "cn=Manager,dc=example,dc=com" 

 directory /var/db/openldap-data 
 maxsize 1073741824 

 access to attrs=userPassword 
         by self write 
         by anonymous auth 
         by dn.base="cn=Manager,dc=example,dc=com" write 
         by * none 

 access to * 
         by self write 
         by dn.base="cn=Manager,dc=example,dc=com" write 
         by * read 

 # Indices to maintain 
 index objectClass    eq 
 index uid            eq 
 index uidNumber      eq 
 index uniqueMember eq 
 index gidNumber      eq 
 index cn             eq 
 index memberUid      eq 

 rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb 

 overlay           memberof 
 memberof-dangling      drop 
 memberof-refint        TRUE 
 </pre> 

 * Edit the rc.conf file: 
 <pre> 
 vi /etc/rc.conf 
 </pre> 
 #* And add the follow to the end of the file: 
 <pre> 
 slapd_enable="YES" 
 slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"' 
 slapd_sockets="/var/run/openldap/ldapi" 
 </pre> 

 * Start slapd: 
 <pre> 
 service slapd start 
 </pre> 

 * Test the slapd configuration using an anonymous connection: 
 <pre> 
 ldapsearch 
 </pre> 
 _Example output_, this is expected to cause an error: 
 <pre> 
 ldap_bind: Inappropriate authentication (48) 
	 additional info: anonymous bind disallowed 
 </pre> 

 * Test the slapd configuration to demonstrate a successful connection using an authorized user: 
 <pre> 
 ldapsearch -D "cn=Manager,dc=example,dc=com" 
 </pre> 
 #* _Example output_: 
 <pre> 
 # extended LDIF 
 #  
 # LDAPv3 
 # base <dc=example,dc=com> (default) with scope subtree 
 # filter: (objectclass=*) 
 # requesting: ALL 
 # 

 # search result 
 search: 3 
 result: 32 No such object 

 # numResponses: 1 
 </pre> 

 h2. Populate the LDAP Server 

 * Create the domain template file: 
 <pre> 
 vi ~/example.com.ldif 
 </pre> 
 #* And add the following: 
 <pre> 
 dn: dc=example,dc=com 
 objectclass: dcObject 
 objectclass: organization 
 o: example 
 dc: example 

 dn: cn=Manager,dc=example,dc=com 
 objectclass: organizationalRole 
 cn: Manager 
 </pre> 
 
 * To import this file into the server: 
 <pre> 
 ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/example.com.ldif 
 </pre> 

 * To verify the data was imported correctly using the ldapsearch command: 
 <pre> 
 ldapsearch 
 </pre> 
 #* _Example output_: 
 <pre> 
 # extended LDIF 
 # 
 # LDAPv3 
 # base <dc=loga,dc=us> (default) with scope subtree 
 # filter: (objectclass=*) 
 # requesting: ALL 
 # 

 # example.com 
 dn: dc=example,dc=com 
 objectClass: dcObject 
 objectClass: organization 
 o:: bG9nYSA= 
 dc:: bG9nYSA= 

 # Manager, example.com 
 dn: cn=Manager,dc=example,dc=com 
 objectClass: organizationalRole 
 cn: Manager 

 # search result 
 search: 2 
 result: 0 Success 

 # numResponses: 3 
 # numEntries: 2 
 </pre> 

 h2. Add SSL to OpenLDAP 

 * Install openssl: 
 <pre> 
 pkg install openssl 
 </pre> 

 * Generate a strong SSL key and a CSR to send for signing by a CA: 
 <pre> 
 cd /usr/local/etc 
 openssl req -sha512 -out ldap.example.com.csr -new -newkey rsa:4096 -nodes -keyout ldap.example.com.key 
 </pre> 

 * Generate the DH parameters: 
 <pre> 
 openssl dhparam -out /usr/local/etc/dhparam 4096 
 </pre> 

 * Edit the OpenLDAP Server config file: 
 <pre> 
 vi /usr/local/etc/openldap/slapd.conf 
 </pre> 
 #* And change as necessary on each server: 
 <pre> 
 include /usr/local/etc/openldap/schema/core.schema 
 include /usr/local/etc/openldap/schema/cosine.schema 
 include /usr/local/etc/openldap/schema/corba.schema 
 include /usr/local/etc/openldap/schema/inetorgperson.schema 
 include /usr/local/etc/openldap/schema/nis.schema 
 include /usr/local/etc/openldap/schema/collective.schema 
 include /usr/local/etc/openldap/schema/openldap.schema 
 include /usr/local/etc/openldap/schema/duaconf.schema 
 include /usr/local/etc/openldap/schema/dyngroup.schema 
 include /usr/local/etc/openldap/schema/misc.schema 
 include /usr/local/etc/openldap/schema/pmi.schema 
 include /usr/local/etc/openldap/schema/ppolicy.schema 

 TLSCACertificateFile /usr/local/etc/ca-cert.bundle 
 TLSCertificateFile /usr/local/etc/ldap.example.com.crt 
 TLSCertificateKeyFile /usr/local/etc/ldap.example.com.key 
 TLSDHParamFile /usr/local/etc/dhparam 

 pidfile /var/run/openldap/slapd.pid 
 argsfile /var/run/openldap/slapd.args 

 logfile /var/log/slapd.log 
 loglevel 256 

 modulepath /usr/local/libexec/openldap 
 moduleload back_mdb 

 disallow bind_anon 
 require authc 

 database mdb 

 suffix "dc=example,dc=com" 
 rootdn "cn=Manager,dc=example,dc=com" 

 directory /var/db/openldap-data 
 maxsize 1073741824 

 access to attrs=userPassword 
         by self write 
         by anonymous auth 
         by dn.base="cn=Manager,dc=example,dc=com" write 
         by * none 

 access to * 
         by self write 
         by dn.base="cn=Manager,dc=example,dc=com" write 
         by * read 

 # Indices to maintain 
 index objectClass    eq 
 index uid            eq 
 index uidNumber      eq 
 index uniqueMember eq 
 index gidNumber      eq 
 index cn             eq 
 index memberUid      eq 

 rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb 

 overlay           memberof 
 memberof-dangling      drop 
 memberof-refint        TRUE 
 </pre> 

 * Set the ownership of the SSL certificate and key to the LDAP user: 
 <pre> 
 chown ldap:ldap /usr/local/etc/ldap.example.com.{crt,key} 
 </pre> 

 * Edit the rc.conf file: 
 <pre> 
 vi /etc/rc.conf 
 </pre> 
 #* And add ldaps:/// to the slapd_flags: 
 <pre> 
 slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///"' 
 </pre> 

 * Restart openldap: 
 <pre> 
 service slapd restart 
 </pre> 

 h2. Populate the LDAP Server 

 * Create the People Organizational Unit ldif file: 
 <pre> 
 vi ~/people-ou.ldif 
 </pre> 
 #* And add the following: 
 <pre> 
 dn: ou=People,dc=example,dc=com 
 objectclass: organizationalUnit 
 ou: People 
 </pre> 

 * Import the People OU file into the server: 
 <pre> 
 ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/people-ou.ldif 
 </pre> 

 * Create the bob user ldif file: 
 <pre> 
 vi ~/bob.ldif 
 </pre> 
 #* And add the following: 
 <pre> 
 dn: cn=Bob Guy,ou=People,dc=example,dc=com 
 cn: Bob Guy 
 givenname: Bob 
 initials: BG 
 mail: bob@example.com 
 objectclass: inetOrgPerson 
 objectclass: organizationalPerson 
 objectclass: person 
 sn: Guy 
 uid: bob 
 userpassword: {MD5}X03MO1qnZdYdgyfeuILPmQ== 
 </pre> 
 #* *NOTE*: The password for bob is *password*. 

 h2. Install LDAP Web Frontend 

 h3. Install Nginx 

 * Install nginx and php56: 
 <pre> 
 pkg install nginx php56 
 </pre> 

 * Configure the default PHP settings 
 <pre> 
 cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini 
 </pre> 

 * Create a configuration directory to make managing individual server blocks easier 
 <pre> 
 mkdir /usr/local/etc/nginx/conf.d 
 </pre> 

 * Edit the main nginx config file: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* And strip down the config file and add the include statement at the end to make it easier to handle various server blocks: 
 <pre> 
 #user    nobody; 
 worker_processes    1; 
 error_log    /var/log/nginx-error.log; 

 events { 
     worker_connections    1024; 
 } 

 http { 
     include         mime.types; 
     default_type    application/octet-stream; 
     sendfile          on; 
     keepalive_timeout    65; 

     ssl_dhparam /usr/local/etc/dhparam; 

     # Load config files from the /etc/nginx/conf.d directory 
     include /usr/local/etc/nginx/conf.d/*.conf; 
 } 
 </pre> 

 * Edit /usr/local/etc/php-fpm.conf: 
 <pre> 
 vi /usr/local/etc/php-fpm.conf 
 </pre> 
 #* Make the following changes: 
 <pre> 
 listen = /var/run/php-fpm.sock 
 listen.owner = www 
 listen.group = www 
 listen.mode = 0660 
 </pre> 

 * Add the www user to the ldap group: 
 <pre> 
 pw user mod www -G ldap 
 </pre> 

 * Start and enable nginx and php-fpm at boot: 
 <pre> 
 echo 'nginx_enable="YES"' >> /etc/rc.conf 
 echo 'php_fpm_enable="YES"' >> /etc/rc.conf 
 service php-fpm start 
 service nginx start 
 </pre> 

 h3. Install LDAP Account Manager 

 * Install LDAP Acccount Manager: 
 <pre> 
 pkg install ldap-account-manager 
 </pre> 

 * Add a lam.example.com server block: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/lam.example.com.conf 
 </pre> 
 Add the following: 
 <pre> 
 server { 
     listen         80; 
     listen         443 ssl; 
     server_name    ldap.example.com; 
     root           /usr/local/www/lam; 
     access_log     /var/log/ldap.example.com-access.log; 
     error_log      /var/log/ldap.example.com-error.log; 

     ssl on; 
     ssl_certificate /usr/local/etc/ldap.example.com.crt; 
     ssl_certificate_key /usr/local/etc/ldap.example.com.key; 

     ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
     ssl_session_cache    builtin:1000    shared:SSL:10m; 
     ssl_stapling on; 
     ssl_stapling_verify on; 
     ssl_prefer_server_ciphers on; 
     ssl_dhparam /nginx/dhparam.pem; 
     add_header Strict-Transport-Security max-age=63072000; 
     add_header X-Frame-Options SAMEORIGIN; 
     add_header X-Content-Type-Options nosniff; 

     allow 192.168.1.0/24; 
     deny all; 

     location ~ \.php$ { 
       fastcgi_split_path_info ^(.+\.php)(/.+)$; 
       fastcgi_pass unix:/var/run/php-fpm.sock; 
       fastcgi_index index.php; 
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
       include fastcgi_params; 
     } 

     location ~ (tmp/internal|sess|config|locale) { 
       deny all; 
       return 403; 
     } 
 } 
 </pre> 

 * Restart nginx: 
 <pre> 
 service nginx restart 
 service php-fpm restart 
 </pre> 

 * Open a web browser and go to http://lam.example.com 
 *# Click on +LAM Configuration -> General Settings+, the default master password is *lam*; make sure to change it before going into production. 
 *# Go to +LAM Configuration -> Edit Server profiles+, select any of the profiles and enter the password *lam*. Change the domains from the default to *dc=example,dc=com*. Click *Save* when finished. 
 *# Go back to login page and log in as the Manager user 

 h2. LDAP with SASL 

 * Install cyrus-sasl and the cyrus-sasl-ldapdb packages: 
 <pre> 
 pkg install cyrus-sasl cyrus-sasl-ldapdb 
 </pre> 

 * Install cyrus-sasl2-saslauthd from ports: 
 <pre> 
 portmaster security/cyrus-sasl2-saslauthd 
 </pre> 
 #* *NOTE*: Make sure to enable *[X] HTTPFORM* and *[X] OPENLDAP*. 

 * Create and edit the saslauthd config file: 
 <pre> 
 vi /usr/local/etc/saslauthd.conf 
 </pre> 
 #* And the following: 
 <pre> 
 ldap_servers: ldaps://ldap.example.com 
 ldap_search_base: dc=example,dc=com 
 ldap_filter: (uid=%u) 
 ldap_bind_dn: cn=Manager,dc=example,dc=com 
 ldap_pw: SuperSecretPassword 
 ldap_auth_method: bind 
 </pre> 

 * Start saslauthd, set it to use ldap as the authentication mechanism, and enable it at boot: 
 <pre> 
 echo 'saslauthd_enable="YES"' >> /etc/rc.conf 
 echo 'saslauthd_flags="-a ldap"' >> /etc/rc.conf 
 service saslauthd start 
 </pre> 

 * Test the connection between saslauthd and the LDAP servers by running: 
 <pre> 
 testsaslauthd -u bob -p password 
 </pre> 
 #* _Example output_: 
 <pre> 
 0: OK "Success." 
 </pre> 

 h2. Kerberos 
 
 * Edit the kerberos config file: 
 <pre> 
 vi /etc/krb5.conf 
 </pre> 
 #* And adjust the parameters as needed: 
 <pre> 
 [libdefaults] 
     default_realm = EXAMPLE.COM 
 [realms] 
     EXAMPLE.COM = { 
         kdc = 192.168.1.10 
         kdc = 192.168.1.10 
         admin_server = 192.168.1.10 
     } 
 [domain_realm] 
     .example.com = EXAMPLE.COM 
 </pre> 

 * Create the Kerberos database using the kstash command and enter a Master Key for security: 
 <pre> 
 kstash 
 </pre> 

 * Initialize the Kerberos Database with the kadmin utility using the -l option. 
 <pre> 
 kadmin -l 
 init EXAMPLE.COM 
 </pre> 

 * While still in +kadmin+, create a principal ‘bob’ using the add command: 
 <pre> 
 add bob 
 </pre> 

 * Next create an ‘admin’ principal 
 <pre> 
 add larry/admin 
 </pre> 

 * Access to the administration server is controlled by an ACL file, create this file in the appropriate directory with the following contents: 
 <pre> 
 echo 'larry/admin@EXAMPLE.COM all' >> /var/heimdal/kadmind.acl 
 </pre> 


 * Then start and enable kerberos at boot: 
 <pre> 
 echo 'kdc_enable="YES"' >> /etc/rc.conf 
 echo 'kadmind_enable="YES"' >> /etc/rc.conf 
 service kdc start 
 service kadmind start 
 </pre> 

 h2. Resources 

 * http://loga.us/2014/08/16/openldap-and-multi-master-replication-in-freebsd-part-i-openldap/ 
 * https://www.ldap-account-manager.org/static/doc/manual-onePage/index.html 
 * http://blog.adimian.com/2014/10/how-to-enable-memberof-using-openldap/ 
 * https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/ 
 * http://ximalas.info/2014/01/10/ldap-authentication-for-subversions-svnserve-on-freebsd-using-sasl-saslauthd-and-novell-edirectory/ 
 * http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/

Back