NotesOnOpenLDAP

From Sfvlug

Contents

Basic LDAP Queries

First of all, there are two files named ldap.conf. The first, which I'll cover in a moment, is /etc/ldap.conf, and it is used by pam_ldap and nss_ldap. It is described by the pam_ldap(5) and nss_ldap(5) man pages. In order to use the OpenLDAP command line utilities, you need to configure /etc/openldap/ldap.conf, which is described in the ldap.conf(5) man page.

There are only a few lines needed in /etc/openldap/ldap.conf. Here is a working example:

URI ldap://auth/
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow

Without this file, you would have to specify all these parameters on the command line when using ldapsearch and other tools. You can override the contents of /etc/openldap/ldap.conf in your $HOME/.ldaprc file. You can also specify alternative configuration files with the environment variables LDAPCONF and LDAPRC.

Adding Users With Migration Scripts

The migragion scripts are included in the openldap-servers package. They are initially located in /usr/share/openldap/migration/. I never edit anything installed via a package that resides in /usr, so I copied these scripts to /root/migration/. Then the path in the scripts needs to be edited to point to the new location, and organization specific information added to migrate_common.ph.

As root, do:

mkdir ~/migration
cd ~/migration
for FILE in /usr/share/openldap/migration/* ; do
    sed 's=/usr/share/openldap=/root=' $FILE > `basename $FILE`
done

cat <<EOF | ed migrate_common.ph
/DEFAULT_MAIL_DOMAIN/s/padl.com/example.com/
/DEFAULT_BASE/s/dc=padl,dc=com/dc=example,dc=com/
/EXTENDED_SCHEMA/s/0/1/
w
EOF

Now that you have this configured, you can begin adding users to LDAP.

Begin by adding a normal user with the regular shadow utilities. Note that if you do not include the GECOS information (with the -c flag) then a bunch of fields will not be filled in when we migrate to LDAP.

useradd -c 'Joe User' -s /sbin/nologin juser
passwd juser

Then use the migration tools to build an LDIF file of the user's data.

./migrate_passwd.pl <( grep juser /etc/passwd ) > juser.ldif
./migrate_group.pl <( grep juser /etc/group ) >> juser.ldif

Take a moment to look over the LDIF information you are about to import. If you are satisfied, go ahead and import it into LDAP. If the LDAP server is currently running, do the following:

ldapadd -x -W -D 'cn=Manager,dc=example,dc=com' -f juser.ldif

Keep in mind, only migrate users corresponding to an actual employee (user ID should be 1000 or greater). Service accounts (like loguser) should exist only in the local passwd and group files.

Also, a note that the wheel group is granted elevated privilege via sudo. If a user needs to be able to gain root on one particular machine, just add that user to the wheel group on that particular box (use the vigr command to do this).

Authentication and Identification

Logins are handled by PAM (for Pluggable Authentication Modules), whereas user identification (and many other number-to-name resolutions) are handled by NSS (for Name Services Switching). PAM is configured via /etc/pam.conf and NSS is configured by /etc/nsswitch.conf. The LDAP settings for both these services are configured via /etc/ldap.conf.

On a typical RedHat system, /etc/pam.conf is not used, instead individual services are configured by files in /etc/pam.d. Within that directory, most services include the file system-auth to consolidate PAM configuration into a single point of modification. Curious individuals are directed to the pam(8) man page for further information.

If you look at /etc/nsswitch.conf, you will see the name of a lookup type service, followed by a list of sources from which translations can be made. We need passwd, shadow, and group to be looked up via files, followed by ldap. None of the other services need ldap.

To quickly configure a server to authenticate and identify with LDAP, use the following command:

authconfig --enableldap{,auth} --ldapserver=ldap://auth/ --ldapbasedn=dc=example,dc=com \\
           --enableldaptls --ldaploadcacert=file://`pwd`/cacert.pem --update

However, this will configure protocols, services, netgroup, and automount in /etc/nsswitch.conf to also use ldap for lookups. This may generate more network traffic than desired if you are not using LDAP for these services. Use the following to strip those entries:

sed -ri '/^(passwd|shadow|group):/s/(files) (ldap)/\\1 [UNAVAIL=return] \\2/;
         /^(protocols|services|netgroup|automount):/s/ ldap//' /etc/nsswitch.conf

Also, the default behavior is for the NSS libraries to continue trying to bind to the server indefinitely if it is unavailable. This means it can take up to half an hour before giving up. Add the following to make sure the libraries give up when the server is unavailable:

echo 'bind_policy soft' >> /etc/ldap.conf

And finally, to perform operations which require root access, such as getent shadow or passwd, the libraries can not bind anonymously. Include the manager password in /etc/ldap.secret (mode 0400), and use the following to bind as the administrator:

echo 'rootbinddn cn=Manager,dc=example,dc=com' >> /etc/ldap.conf

LDAP Replication

Configure another host as an LDAP server, but don't include any replication directives yet. Basically, you must at least specify the database location.

Before we begin replication, the slave server must contain a full replica of the current master server's data tree. You can do this with the master still running.

slapcat > /tmp/dump.ldif

Now copy this dump file over to the slave server and import it.

slapadd < /tmp/dump.ldif
chown -R ldap. ~ldap/

Now start the slapd daemon and it should start without error. You should be able to perform normal queries against it.

Return to the master server. Add the following information to slapd.conf.

replogfile      /var/lib/ldap/SUBDIRECTORY/replog
replica         host=SLAVEHOSTNAME
                suffix="dc=example,dc=com"
                binddn="cn=Replica,dc=example,dc=com"
                credentials=PASSWORDINPLAINTEXT
                bindmethod=simple
                tls=no

As you see, the replica user's password is included in plain text in this file, so it is critical that the slapd.conf file should only be readable by the ldap user. Restart the LDAP server. This time slurpd will also start.

Once again, return to the slave server. You must create the replica user. First generate the password.

openssl passwd -1

Then create the following ldif file.

dn: cn=Replica,dc=example,dc=com
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: Replica
userPassword: {CRYPT}GENERATE_THIS_WITH_OPENSSL

And add it to the database on the slave.

ldapadd -x -W -D 'cn=Manager,dc=example,dc=com' -f replica.ldif

Finally, add the following to the slave server's slapd.conf.

updatedn                                cn=Replica,dc=example,dc=com
updateref                               ldap://MASTER_LDAP_SERVER

Restart the ldap service and now any changes made on the master server will be automatically pushed to the slave server. If someone attempts to write a change to a slave server, they will get redirected to the master. What If It Breaks?

Sometimes the network link between the master and slave goes down and it just so happens that an update was made when the link was broken. Well, it happens. Your slave is now out of sync with your master. Unfortunately, slurpd is not robust enough to catch the slave back up on its own. Well, you could go back to the beginning and rebuild the slave from the current master view. This works, except re-adding the replica user is difficult with that updateref directive in slapd.conf. So edit the file twice? Not necessary.

If you have a look at /var/lib/ldap on the master, you will see there is now a replica subdirectory. Inside it is a set of rej and rej.lock files for each of the slaves for any bit that the slave didn't successfully replicate. All you have to do is play back the rej file and the slave will catch up. You can't run two copies of slurpd so stop the ldap service and run slurpd in one-shot mode.

slurpd -o -r /var/lib/ldap/replica/SLAVE:389.rej

When it exits, restart the ldap service.

GUI Tools

libuser Tools


Jeff

Personal tools