Support #727
Updated by Daniel Curtis over 8 years ago
{{>toc}} This is a guide on installing an OpenLDAP server on FreeBSD 9. h2. Prepare the Environment * Make sure the system is up to date: <pre> pkg update && pkg upgrade portsnap fetch extract </pre> * Install portmaster: <pre> pkg install portmaster pkg2ng </pre> h2. Install OpenLDAP Server * Install the openldap24-server package from the ports tree: <pre> portmaster net/openldap24-server </pre> #* *NOTE*: Make sure to enable *[X] GSSAPI*, *[X] PPOLICY*, *[X] MEMBEROF*, *[X] DYNLIST*, *[X] DYNGROUP*, *[X] REFINT*, *[X] SHA2*, *[X] SASL*, and *[X] UNIQUE* during the openldap24-server port configuration. * Edit the OpenLDAP Client config file: <pre> vi /usr/local/etc/openldap/ldap.conf </pre> #* Change the BASE to your own environment: <pre> BASE dc=example,dc=com URI ldap:// ldaps:// # SIZELIMIT 0 indicates unlimited search size SIZELIMIT 0 TIMELIMIT 15 DEREF never </pre> * Change the default password: <pre> slappasswd -h "{SSHA}" >> /usr/local/etc/openldap/slapd.conf </pre> * Edit the OpenLDAP Server config file: <pre> vi /usr/local/etc/openldap/slapd.conf </pre> #* And change as necessary on each server: <pre> include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/corba.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/collective.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/duaconf.schema include /usr/local/etc/openldap/schema/dyngroup.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/pmi.schema include /usr/local/etc/openldap/schema/ppolicy.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args logfile /var/log/slapd.log loglevel 256 modulepath /usr/local/libexec/openldap moduleload back_mdb disallow bind_anon require authc database mdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" directory /var/db/openldap-data maxsize 1073741824 access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=example,dc=com" write by * none access to * by self write by dn.base="cn=Manager,dc=example,dc=com" write by * read # Indices to maintain index objectClass eq index uid eq index uidNumber eq index uniqueMember eq index gidNumber eq index cn eq index memberUid eq rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb overlay memberof memberof-dangling drop memberof-refint TRUE </pre> * Edit the rc.conf file: <pre> vi /etc/rc.conf </pre> #* And add the follow to the end of the file: <pre> slapd_enable="YES" slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"' slapd_sockets="/var/run/openldap/ldapi" </pre> * Start slapd: <pre> service slapd start </pre> * Test the slapd configuration using an anonymous connection: <pre> ldapsearch </pre> _Example output_, this is expected to cause an error: <pre> ldap_bind: Inappropriate authentication (48) additional info: anonymous bind disallowed </pre> * Test the slapd configuration to demonstrate a successful connection using an authorized user: <pre> ldapsearch -D "cn=Manager,dc=example,dc=com" </pre> #* _Example output_: <pre> # extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 3 result: 32 No such object # numResponses: 1 </pre> h2. Populate the LDAP Server * Create the domain template file: <pre> vi ~/example.com.ldif </pre> #* And add the following: <pre> dn: dc=example,dc=com objectclass: dcObject objectclass: organization o: example dc: example dn: cn=Manager,dc=example,dc=com objectclass: organizationalRole cn: Manager </pre> * To import this file into the server: <pre> ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/example.com.ldif </pre> * To verify the data was imported correctly using the ldapsearch command: <pre> ldapsearch </pre> #* _Example output_: <pre> # extended LDIF # # LDAPv3 # base <dc=loga,dc=us> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # example.com dn: dc=example,dc=com objectClass: dcObject objectClass: organization o:: bG9nYSA= dc:: bG9nYSA= # Manager, example.com dn: cn=Manager,dc=example,dc=com objectClass: organizationalRole cn: Manager # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 </pre> h2. Add SSL to OpenLDAP * Install openssl: <pre> pkg install openssl </pre> * Generate a strong SSL key and a CSR to send for signing by a CA: <pre> cd /usr/local/etc openssl req -sha512 -out ldap.example.com.csr -new -newkey rsa:4096 -nodes -keyout ldap.example.com.key </pre> * Generate the DH parameters: <pre> openssl dhparam -out /usr/local/etc/dhparam 4096 </pre> * Edit the OpenLDAP Server config file: <pre> vi /usr/local/etc/openldap/slapd.conf </pre> #* And change as necessary on each server: <pre> include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/corba.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/collective.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/duaconf.schema include /usr/local/etc/openldap/schema/dyngroup.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/pmi.schema include /usr/local/etc/openldap/schema/ppolicy.schema TLSCACertificateFile /usr/local/etc/ca-cert.bundle TLSCertificateFile /usr/local/etc/ldap.example.com.crt TLSCertificateKeyFile /usr/local/etc/ldap.example.com.key TLSDHParamFile /usr/local/etc/dhparam pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args logfile /var/log/slapd.log loglevel 256 modulepath /usr/local/libexec/openldap moduleload back_mdb disallow bind_anon require authc database mdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" directory /var/db/openldap-data maxsize 1073741824 access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=example,dc=com" write by * none access to * by self write by dn.base="cn=Manager,dc=example,dc=com" write by * read # Indices to maintain index objectClass eq index uid eq index uidNumber eq index uniqueMember eq index gidNumber eq index cn eq index memberUid eq rootpw {SSHA}A6ia1SPQlY4J5qWBUkPg1qqiwZHrL0mb overlay memberof memberof-dangling drop memberof-refint TRUE </pre> * Set the ownership of the SSL certificate and key to the LDAP user: <pre> chown ldap:ldap /usr/local/etc/ldap.example.com.{crt,key} </pre> * Edit the rc.conf file: <pre> vi /etc/rc.conf </pre> #* And add ldaps:/// to the slapd_flags: <pre> slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///"' </pre> * Restart openldap: <pre> service slapd restart </pre> h2. Populate the LDAP Server * Create the People Organizational Unit ldif file: <pre> vi ~/people-ou.ldif </pre> #* And add the following: <pre> dn: ou=People,dc=example,dc=com objectclass: organizationalUnit ou: People </pre> * Import the People OU file into the server: <pre> ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/people-ou.ldif </pre> * Create the bob user ldif file: <pre> vi ~/bob.ldif </pre> #* And add the following: <pre> dn: cn=Bob Guy,ou=People,dc=example,dc=com cn: Bob Guy givenname: Bob initials: BG mail: bob@example.com objectclass: inetOrgPerson objectclass: organizationalPerson objectclass: person sn: Guy uid: bob userpassword: {MD5}X03MO1qnZdYdgyfeuILPmQ== </pre> #* *NOTE*: The password for bob is *password*. h2. Install LDAP Web Frontend h3. Install Nginx * Install nginx and php56: <pre> pkg install nginx php56 </pre> * Configure the default PHP settings <pre> cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini </pre> * Create a configuration directory to make managing individual server blocks easier <pre> mkdir /usr/local/etc/nginx/conf.d </pre> * Edit the main nginx config file: <pre> vi /usr/local/etc/nginx/nginx.conf </pre> #* And strip down the config file and add the include statement at the end to make it easier to handle various server blocks: <pre> #user nobody; worker_processes 1; error_log /var/log/nginx-error.log; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; ssl_dhparam /usr/local/etc/dhparam; # Load config files from the /etc/nginx/conf.d directory include /usr/local/etc/nginx/conf.d/*.conf; } </pre> * Edit /usr/local/etc/php-fpm.conf: <pre> vi /usr/local/etc/php-fpm.conf </pre> #* Make the following changes: <pre> listen = /var/run/php-fpm.sock listen.owner = www listen.group = www listen.mode = 0660 </pre> * Add the www user to the ldap group: <pre> pw user mod www -G ldap </pre> * Start and enable nginx and php-fpm at boot: <pre> echo 'nginx_enable="YES"' >> /etc/rc.conf echo 'php_fpm_enable="YES"' >> /etc/rc.conf service php-fpm start service nginx start </pre> h3. Install LDAP Account Manager * Install LDAP Acccount Manager: <pre> pkg install ldap-account-manager </pre> * Add a lam.example.com server block: <pre> vi /usr/local/etc/nginx/conf.d/lam.example.com.conf </pre> Add the following: <pre> server { listen 80; listen 443 ssl; server_name ldap.example.com; root /usr/local/www/lam; access_log /var/log/ldap.example.com-access.log; error_log /var/log/ldap.example.com-error.log; ssl on; ssl_certificate /usr/local/etc/ldap.example.com.crt; ssl_certificate_key /usr/local/etc/ldap.example.com.key; ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_stapling on; ssl_stapling_verify on; ssl_prefer_server_ciphers on; ssl_dhparam /nginx/dhparam.pem; add_header Strict-Transport-Security max-age=63072000; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; allow 192.168.1.0/24; deny all; location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php-fpm.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location ~ (tmp/internal|sess|config|locale) { deny all; return 403; } } </pre> * Restart nginx: <pre> service nginx restart service php-fpm restart </pre> * Open a web browser and go to http://lam.example.com *# Click on +LAM Configuration -> General Settings+, the default master password is *lam*; make sure to change it before going into production. *# Go to +LAM Configuration -> Edit Server profiles+, select any of the profiles and enter the password *lam*. Change the domains from the default to *dc=example,dc=com*. Click *Save* when finished. *# Go back to login page and log in as the Manager user h2. LDAP with SASL * Install cyrus-sasl and the cyrus-sasl-ldapdb packages: <pre> pkg install cyrus-sasl cyrus-sasl-ldapdb </pre> * Install cyrus-sasl2-saslauthd from ports: <pre> portmaster security/cyrus-sasl2-saslauthd </pre> #* *NOTE*: Make sure to enable *[X] HTTPFORM* and *[X] OPENLDAP*. * Create and edit the saslauthd config file: <pre> vi /usr/local/etc/saslauthd.conf </pre> #* And the following: <pre> ldap_servers: ldaps://ldap.example.com ldap_search_base: dc=example,dc=com ldap_filter: (uid=%u) ldap_bind_dn: cn=Manager,dc=example,dc=com ldap_pw: SuperSecretPassword ldap_auth_method: bind </pre> * Start saslauthd, set it to use ldap as the authentication mechanism, and enable it at boot: <pre> echo 'saslauthd_enable="YES"' >> /etc/rc.conf echo 'saslauthd_flags="-a ldap"' >> /etc/rc.conf service saslauthd start </pre> * Test the connection between saslauthd and the LDAP servers by running: <pre> testsaslauthd -u bob -p password </pre> #* _Example output_: <pre> 0: OK "Success." </pre> h2. Kerberos * Edit the kerberos config file: <pre> vi /etc/krb5.conf </pre> #* And adjust the parameters as needed: <pre> [libdefaults] default_realm = EXAMPLE.COM [realms] EXAMPLE.COM = { kdc = 192.168.1.10 kdc = 192.168.1.10 admin_server = 192.168.1.10 } [domain_realm] .example.com = EXAMPLE.COM </pre> * Create the Kerberos database using the kstash command and enter a Master Key for security: <pre> kstash </pre> * Initialize the Kerberos Database with the kadmin utility using the -l option. <pre> kadmin -l init EXAMPLE.COM </pre> * While still in +kadmin+, create a principal ‘bob’ using the add command: <pre> add bob </pre> * Next create an ‘admin’ principal <pre> add larry/admin </pre> * Access to the administration server is controlled by an ACL file, create this file in the appropriate directory with the following contents: <pre> echo 'larry/admin@EXAMPLE.COM all' >> /var/heimdal/kadmind.acl </pre> * Then start and enable kerberos at boot: <pre> echo 'kdc_enable="YES"' >> /etc/rc.conf echo 'kadmind_enable="YES"' >> /etc/rc.conf service kdc start service kadmind start </pre> h2. Resources * http://loga.us/2014/08/16/openldap-and-multi-master-replication-in-freebsd-part-i-openldap/ * https://www.ldap-account-manager.org/static/doc/manual-onePage/index.html * http://blog.adimian.com/2014/10/how-to-enable-memberof-using-openldap/ * https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/ * http://ximalas.info/2014/01/10/ldap-authentication-for-subversions-svnserve-on-freebsd-using-sasl-saslauthd-and-novell-edirectory/ * http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/