203OpenLdap - amagerard/FreeRadius GitHub Wiki


3. Openldap.

3.1 Installation.

subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms
dnf update
dnf install openldap-servers openldap-clients
systemctl enable --now slapd

Generate a password hash for the directory manager.
The password used in this example is: X2m56AB50!.
slappasswd

New password:    
Re-enter new password:  
{SSHA}35LzBCvugt+pBf/F+rdkwlQWcympqgqI  

Note the {SSHA} hash; it is the value you will put in olcRootPW in the ldif files below.

Create a folder for your ldif files.
mkdir /root/ldif
Generate an ldif file for the password.
vi /root/ldif/pass-root.ldif

# specify the password hash generated above for the [olcRootPW] attribute  
dn: olcDatabase={0}config,cn=config  
changetype: modify  
add: olcRootPW  
olcRootPW: {SSHA}35LzBCvugt+pBf/F+rdkwlQWcympqgqI  

Apply the change to the config database over the local ldapi socket. SASL EXTERNAL authenticates root through its Unix peer credentials, which is why no password is asked.
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldif/pass-root.ldif

SASL/EXTERNAL authentication started  
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0  
modifying entry "olcDatabase={0}config,cn=config"  

3.2 Import default schemas.

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

SASL/EXTERNAL authentication started  
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0  
adding new entry "cn=cosine,cn=schema,cn=config"  

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started  
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0  
adding new entry "cn=nis,cn=schema,cn=config"  

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

SASL/EXTERNAL authentication started  
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0  
adding new entry "cn=inetorgperson,cn=schema,cn=config"  

3.3 Import your domain's schemas.

Generate an ldif file for the domain.
vi /root/ldif/ldapdomain.ldif
The example domain is ol26modk.com.
The olcRootPW value is the {SSHA} hash generated in 3.1.

  
dn: olcDatabase={1}monitor,cn=config  
changetype: modify  
replace: olcAccess  
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"  
  read by dn.base="cn=Manager,dc=ol26modk,dc=com" read by * none  
  
dn: olcDatabase={2}mdb,cn=config  
changetype: modify  
replace: olcSuffix  
olcSuffix: dc=ol26modk,dc=com  
  
dn: olcDatabase={2}mdb,cn=config  
changetype: modify  
replace: olcRootDN  
olcRootDN: cn=Manager,dc=ol26modk,dc=com  
  
dn: olcDatabase={2}mdb,cn=config  
changetype: modify  
add: olcRootPW  
olcRootPW: {SSHA}35LzBCvugt+pBf/F+rdkwlQWcympqgqI  
  
dn: olcDatabase={2}mdb,cn=config  
changetype: modify  
add: olcAccess  
olcAccess: {0}to attrs=userPassword,shadowLastChange by  
  dn="cn=Manager,dc=ol26modk,dc=com" write by anonymous auth by self write by * none  
olcAccess: {1}to dn.base="" by * read  
olcAccess: {2}to * by dn="cn=Manager,dc=ol26modk,dc=com" write by * read  

Apply ldapdomain.ldif to the LDAP server.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldapdomain.ldif

SASL/EXTERNAL authentication started  
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0  
modifying entry "olcDatabase={1}monitor,cn=config"  
  
modifying entry "olcDatabase={2}mdb,cn=config"  
  
modifying entry "olcDatabase={2}mdb,cn=config"  
  
modifying entry "olcDatabase={2}mdb,cn=config"  
  
modifying entry "olcDatabase={2}mdb,cn=config"  
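The three olcAccess lines in ldapdomain.ldif are the part of this file that decides who can read or change what, and slapd evaluates them in a fixed way: the first "to" clause that matches the target entry or attribute wins, then the first "by" clause in it that matches the requester gives the access level, and if no "by" clause matches the result is none. The Python script below is an added example, not code from this wiki or from OpenLDAP, that models those semantics for the page's own three rules so the intent can be checked offline: anonymous connections get auth on userPassword (enough for a simple bind, not enough to read the hash), a user can write only his own password, and cn=Manager can write everything. The entries uid=alice and uid=bob under ou=People are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# slapd access levels, weakest to strongest; a granted level implies every level before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

MANAGER_DN = "cn=Manager,dc=ol26modk,dc=com"


@dataclass
class Request:
    bind_dn: Optional[str]   # None means an anonymous (unauthenticated) connection
    target_dn: str           # entry being accessed; "" is the root DSE
    attr: Optional[str]      # attribute being accessed, None for the entry itself


@dataclass
class Rule:
    """One olcAccess value: a 'to' clause plus an ordered list of (who, level) 'by' clauses."""
    attrs: Optional[Set[str]] = None             # to attrs=...  (lower-cased names)
    dn_base: Optional[str] = None                # to dn.base="..." (exact entry match)
    by: List[Tuple[str, str]] = field(default_factory=list)


def target_matches(rule: Rule, req: Request) -> bool:
    if rule.attrs is not None:
        return req.attr is not None and req.attr.lower() in rule.attrs
    if rule.dn_base is not None:
        return req.target_dn.lower() == rule.dn_base.lower()
    return True  # "to *"


def who_matches(who: str, req: Request) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.bind_dn is None
    if who == "users":
        return req.bind_dn is not None
    if who == "self":
        return req.bind_dn is not None and req.bind_dn.lower() == req.target_dn.lower()
    if who.startswith("dn="):
        return req.bind_dn is not None and req.bind_dn.lower() == who[3:].lower()
    raise ValueError(f"unsupported who clause: {who}")


def granted_level(rules: List[Rule], req: Request) -> str:
    """First matching 'to' clause decides; first matching 'by' clause in it gives the level."""
    for rule in rules:
        if target_matches(rule, req):
            for who, level in rule.by:
                if who_matches(who, req):
                    return level
            return "none"   # target matched but no 'by' clause fits the requester
    return "none"


def is_allowed(rules: List[Rule], req: Request, needed: str) -> bool:
    return LEVELS.index(granted_level(rules, req)) >= LEVELS.index(needed)


# The three olcAccess rules from ldapdomain.ldif, in their {0},{1},{2} order.
DOMAIN_ACL = [
    Rule(attrs={"userpassword", "shadowlastchange"},
         by=[("dn=" + MANAGER_DN, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    Rule(dn_base="", by=[("*", "read")]),
    Rule(by=[("dn=" + MANAGER_DN, "write"), ("*", "read")]),
]

if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=ol26modk,dc=com"   # constructed example entries
    bob = "uid=bob,ou=People,dc=ol26modk,dc=com"
    for label, req in [
        ("anonymous -> alice userPassword", Request(None, alice, "userPassword")),
        ("alice -> own userPassword", Request(alice, alice, "userPassword")),
        ("alice -> bob userPassword", Request(alice, bob, "userPassword")),
        ("alice -> bob mail", Request(alice, bob, "mail")),
        ("Manager -> bob mail", Request(MANAGER_DN, bob, "mail")),
        ("anonymous -> root DSE", Request(None, "", "namingContexts")),
    ]:
        print(f"{label:34} {granted_level(DOMAIN_ACL, req)}")
```

The "by anonymous auth" clause is what makes a simple bind work at all: slapd checks the supplied password against userPassword while the connection is still anonymous, so auth on that attribute must be granted to anonymous, while read must not be, or every client could fetch the hashes. Note also that rule {2} gives every requester, including anonymous, read on all other attributes; if that is not wanted, "by users read by * none" is the usual tightening.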

Generate a baseldapdomain.ldif file.
vi /root/ldif/baseldapdomain.ldif

dn: dc=ol26modk,dc=com  
objectClass: top  
objectClass: dcObject  
objectClass: organization  
o: ol26modk com  
dc: ol26modk  
  
dn: cn=Manager,dc=ol26modk,dc=com  
objectClass: organizationalRole  
cn: Manager  
description: Directory Manager  
  
dn: ou=People,dc=ol26modk,dc=com  
objectClass: organizationalUnit  
ou: People  
  
dn: ou=Group,dc=ol26modk,dc=com  
objectClass: organizationalUnit  
ou: Group  

Add the baseldapdomain.ldif entries to the LDAP server, this time binding as cn=Manager with the password from 3.1.
ldapadd -x -D cn=Manager,dc=ol26modk,dc=com -W -f /root/ldif/baseldapdomain.ldif
Password: X2m56AB50!.

Enter LDAP Password:  
adding new entry "dc=ol26modk,dc=com"  
  
adding new entry "cn=Manager,dc=ol26modk,dc=com"  
  
adding new entry "ou=People,dc=ol26modk,dc=com"  
  
adding new entry "ou=Group,dc=ol26modk,dc=com"  

3.4 Openldap(s).

3.4.1 Certificates.

I need:
/etc/ssl/certs/openldap.crt (to be created).
/etc/ssl/certs/CA.crt (already exists).
/etc/ssl/private/openldap.key (to be created).
On RHEL, /etc/ssl is a symlink to /etc/pki/tls, so the /etc/ssl/... paths here and the /etc/pki/tls/... paths used below refer to the same files.
Repeat the TemplateVM/certificate chapter 6.3.1 procedure to create openldap.key and openldap.crt.

Very important.
The mods-available/ldap needs to use the same CA as FreeRADIUS and OpenLDAP.
On February 10, 2025, the mods-available/ldap does not work with a CA generated by OpenSSL from Red Hat 9.5.
It is necessary to create the certificate authority (CA) with an AlmaLinux 9.4 live CD,
and then import the CA.crt and CA.key from the AlmaLinux live CD into FreeRADIUS and OpenLDAP.
Maybe this problem will be resolved in future versions.

openssl genrsa -out /etc/ssl/private/openldap.key 4096  
openssl req -new -key /etc/ssl/private/openldap.key -out /etc/ssl/certs/openldap.csr  
openssl ca -config /etc/ssl/openssl.cnf -days 365 -out /etc/ssl/certs/openldap.crt -in /etc/ssl/certs/openldap.csr  

chmod 400 /etc/ssl/certs/*
chmod 400 /etc/ssl/private/*

Give the ldap group read access to the files slapd needs (slapd runs as the ldap user, and the chmod above left them readable by root only).
setfacl -m g:ldap:r /etc/pki/tls/certs/CA.crt
setfacl -m g:ldap:r /etc/pki/tls/certs/openldap.crt
setfacl -m g:ldap:r /etc/pki/tls/private/openldap.key

3.4.2 Configuration.

Generate an ldapssl.ldif file.
vi /root/ldif/ldapssl.ldif

dn: cn=config  
changetype: modify  
replace: olcTLSCertificateFile  
olcTLSCertificateFile: /etc/pki/tls/certs/openldap.crt  
-  
replace: olcTLSCertificateKeyFile  
olcTLSCertificateKeyFile: /etc/pki/tls/private/openldap.key  
-  
replace: olcTLSCACertificateFile  
olcTLSCACertificateFile: /etc/pki/tls/certs/CA.crt  

Add the ldapssl.ldif entry to the LDAP server.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldapssl.ldif

SASL/EXTERNAL authentication started  
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth  
SASL SSF: 0  
modifying entry "cn=config"  

Check.
slaptest -u

config file testing succeeded  

Edit /etc/openldap/ldap.conf (the client-side configuration used by ldapsearch and the other ldap* tools).
vi /etc/openldap/ldap.conf
Add or modify the lines.

TLS_CACERTDIR /etc/pki/tls/certs  
TLS_CACERT /etc/pki/tls/certs/CA.crt  
TLS_REQCERT allow  

TLS_REQCERT allow lets the clients continue even when the server certificate cannot be verified, which is convenient while testing the chain; once the CA in TLS_CACERT validates the server certificate, the default demand is the stricter setting and the one to keep in production.

systemctl restart slapd
systemctl status slapd

3.4.3 ldap and ldaps verification.

Do not combine ldaps:// and StartTLS in the same ldapsearch call.
Use either -ZZ (StartTLS on port 389) or an ldaps://localhost URI (TLS from the start on port 636).

No SSL or TLS.
ldapsearch -x -h localhost -p 389 -LL -b "dc=ol26modk,dc=com"

LDAP with StartTLS (-ZZ makes the search fail if the TLS negotiation does not succeed).
ldapsearch -xv -ZZ -LLL -h localhost -p 389 -b "dc=ol26modk,dc=com"

LDAPS (TLS from the start, port 636).
ldapsearch -x -H ldaps://localhost -b "dc=ol26modk,dc=com"