# 203OpenLdap - amagerard/Freeradius GitHub Wiki
## 3. Openldap.

### 3.1 Installation.

```shell
subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms
dnf update
dnf install openldap-servers openldap-clients
systemctl enable --now slapd
```
Generate a password. The password will be: X2m56AB50!.

```shell
slappasswd
New password:
Re-enter new password:
{SSHA}35LzBCvugt+pBf/F+rdkwlQWcympqgqI
```

Note the {SSHA} hash; it is pasted into the ldif files below.
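A wrong or mistyped hash in olcRootPW locks you out of cn=config, so it is worth verifying the pasted value against the intended password before applying the ldif. The script below is an added example and not part of the wiki page: it reproduces the {SSHA} scheme that slappasswd uses by default (base64 of the 20-byte SHA-1 digest of password plus salt, followed by the salt) and checks an olcRootPW line against a candidate password. The function names and the sample values are our own; the hash shown on the page is not reproduced here.

```python
"""Verify an OpenLDAP {SSHA} hash offline before pasting it into an ldif.

Added example, not code from the wiki page. slappasswd's default {SSHA}
scheme is base64(SHA-1(password || salt) || salt): a 20-byte digest
followed by the salt (4 bytes for slappasswd). All function names here
are our own.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value the way slappasswd does; random 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """True iff password matches the stored {SSHA} value (constant-time compare)."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a digest plus salt")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def check_ldif_rootpw(ldif_text: str, password: str) -> bool:
    """Locate olcRootPW in an ldif fragment and verify it against the intended password."""
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "olcrootpw":
            return verify_ssha(password, value.strip())
    raise ValueError("no olcRootPW attribute found")


if __name__ == "__main__":
    # Constructed sample values; the hash printed on the wiki page is not checked here.
    pw = "X2m56AB50!"
    stored = make_ssha(pw)
    ldif = "dn: olcDatabase={0}config,cn=config\nchangetype: modify\n" \
           "add: olcRootPW\nolcRootPW: " + stored + "\n"
    print(stored)
    print("intended password matches:", check_ldif_rootpw(ldif, pw))
    print("typo'd password matches:  ", check_ldif_rootpw(ldif, pw + "."))
```

Run it against the real pass-root.ldif by reading the file into `check_ldif_rootpw` with the password you intend to use; a `False` means the hash and the password do not belong together and the file should not be applied.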
Create a folder for your ldif files.

```shell
mkdir /root/ldif
```

Generate an ldif file for the password.

```shell
vi /root/ldif/pass-root.ldif
```

```ldif
# specify the password generated above for [olcRootPW] section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}35LzBCvugt+pBf/F+rdkwlQWcympqgqI
```
Open a connection to the LDAP server to add the password entry.

```shell
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldif/pass-root.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
```
### 3.2 Import default schemas.

```shell
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
```

```shell
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
```

```shell
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
```
### 3.3 Import your domain's schemas.

Generate an ldif file for the domain. My example domain is ol26modk.com. The olcRootPW of the config database was already done in 3.1; this file restricts the monitor database, then sets the suffix, root DN, root password and access rules of the mdb database. Each entry in the file is separated from the next by a blank line.

```shell
vi /root/ldif/ldapdomain.ldif
```

```ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=ol26modk,dc=com" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=ol26modk,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=ol26modk,dc=com

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}35LzBCvugt+pBf/F+rdkwlQWcympqgqI

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ol26modk,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=ol26modk,dc=com" write by * read
```
Add the ldapdomain.ldif entry to the LDAP server.

```shell
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldapdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
```
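Hand-written cn=config ldif files fail in quiet ways: a missing blank line merges two entries, a wrapped olcAccess line that does not start with a space becomes a new attribute, and olcAccess values whose {n} indices are not contiguous from {0} are rejected or evaluated in an unexpected order. The following parser and linter is an added example, not code from the wiki page: it applies the LDIF rules (blank-line record separators, single-space continuation lines, `-` between operations of a modify record) to a constructed, abridged copy of the ldapdomain.ldif above and flags non-contiguous olcAccess indices and an olcRootPW stored without a hash scheme. The function names and the placeholder olcRootPW value are our own.

```python
"""Parse LDIF change records and lint cn=config ACL edits before applying them.

Added example, not code from the wiki page. LDIF rules modelled: blank lines
separate records, a leading single space continues the previous line, and in
a "changetype: modify" record each add/replace/delete operation ends with "-".
Function names are ours; the sample is a constructed, abridged copy of
ldapdomain.ldif (domain ol26modk.com) with a placeholder olcRootPW.
"""
import re
from typing import Dict, List

LDAPDOMAIN_LDIF = """\
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=ol26modk,dc=com" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}PLACEHOLDER-hash-from-slappasswd

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=ol26modk,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=ol26modk,dc=com" write by * read
"""


def unfold(text: str) -> List[str]:
    """Join continuation lines (leading single space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _parse_record(block: List[str]) -> Dict:
    rec: Dict = {"dn": None, "changetype": "add", "changes": []}
    cur = None  # add/replace/delete operation currently being filled
    for line in block:
        if line == "-":  # ends the current operation of a modify record
            cur = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            rec["dn"] = value
        elif attr == "changetype":
            rec["changetype"] = value
        elif attr in ("add", "replace", "delete") and rec["changetype"] == "modify":
            cur = {"op": attr, "attr": value, "values": []}
            rec["changes"].append(cur)
        elif cur is not None:
            cur["values"].append(value)
        else:  # plain entry for ldapadd: every attribute line is an add
            rec["changes"].append({"op": "add", "attr": attr, "values": [value]})
    if rec["dn"] is None:
        raise ValueError("record without dn: %r" % block)
    return rec


def parse_ldif(text: str) -> List[Dict]:
    """Split on blank lines into records; '#' comment lines are ignored."""
    records: List[Dict] = []
    block: List[str] = []
    for line in unfold(text) + [""]:
        if not line.strip():
            if block:
                records.append(_parse_record(block))
                block = []
        elif not line.startswith("#"):
            block.append(line)
    return records


def check_access_order(values: List[str]) -> bool:
    """olcAccess rules apply in {n} order; require 0,1,2,... with no gaps."""
    found = [re.match(r"^\{(\d+)\}", v) for v in values]
    return all(found) and [int(m.group(1)) for m in found] == list(range(len(values)))


def lint(text: str) -> List[str]:
    """Return the problems found (an empty list means the file looks sane)."""
    problems = []
    for rec in parse_ldif(text):
        for ch in rec["changes"]:
            if ch["attr"].lower() == "olcaccess" and not check_access_order(ch["values"]):
                problems.append("%s: olcAccess indices not contiguous from {0}" % rec["dn"])
            if ch["attr"].lower() == "olcrootpw" and any(not v.startswith("{") for v in ch["values"]):
                problems.append("%s: olcRootPW is not a hashed {scheme} value" % rec["dn"])
    return problems


if __name__ == "__main__":
    for rec in parse_ldif(LDAPDOMAIN_LDIF):
        print('modifying entry "%s"' % rec["dn"], [c["op"] + " " + c["attr"] for c in rec["changes"]])
    print(lint(LDAPDOMAIN_LDIF) or "no problems found")
```

The per-record lines it prints correspond one to one with the `modifying entry` lines ldapmodify reports, so a different count is the first sign that a blank line is missing; `lint` on the real file before `ldapmodify` catches the two mistakes that slapd otherwise reports only as a bare error.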
Generate a baseldapdomain.ldif file.

```shell
vi /root/ldif/baseldapdomain.ldif
```

```ldif
dn: dc=ol26modk,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ol26modk com
dc: ol26modk

dn: cn=Manager,dc=ol26modk,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=ol26modk,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=ol26modk,dc=com
objectClass: organizationalUnit
ou: Group
```
Add the baseldapdomain.ldif entry to the LDAP server. Password: X2m56AB50!.

```shell
ldapadd -x -D cn=Manager,dc=ol26modk,dc=com -W -f /root/ldif/baseldapdomain.ldif
Enter LDAP Password:
adding new entry "dc=ol26modk,dc=com"
adding new entry "cn=Manager,dc=ol26modk,dc=com"
adding new entry "ou=People,dc=ol26modk,dc=com"
adding new entry "ou=Group,dc=ol26modk,dc=com"
```
### 3.4 Openldap(s).

#### 3.4.1 Certificates.

**IMPORTANT:** the CA.crt and CA.key of the openldap server must be the same as the CA.crt and CA.key of the freeradius server. Import the CA.crt and CA.key from freeradius and overwrite the existing CA.crt and CA.key.

I need:

- /etc/ssl/certs/openldap.crt (to be created).
- /etc/ssl/certs/CA.crt (already exists).
- /etc/ssl/private/openldap.key (to be created).

On RHEL, /etc/ssl/certs is a symlink to /etc/pki/tls/certs; check with `ls -l /etc/ssl` that the /etc/ssl/... paths used here and the /etc/pki/tls/... paths used below resolve to the same files.

Repeat the TemplateVM/certificate chapter 6.3.1 procedure to create openldap.key and openldap.crt.

```shell
openssl genrsa -out /etc/ssl/private/openldap.key 4096
openssl req -new -days 365 -key /etc/ssl/private/openldap.key -out /etc/ssl/certs/openldap.csr
openssl ca -config /etc/ssl/openssl.cnf -out /etc/ssl/certs/openldap.crt -in /etc/ssl/certs/openldap.csr
chmod 400 /etc/ssl/certs/*
chmod 400 /etc/ssl/private/*
```

Give the ldap group read access to the files.

```shell
setfacl -m g:ldap:r /etc/pki/tls/certs/CA.crt
setfacl -m g:ldap:r /etc/pki/tls/certs/openldap.crt
setfacl -m g:ldap:r /etc/pki/tls/private/openldap.key
```
#### 3.4.2 Configuration.

Generate an ldapssl.ldif file.

```shell
vi /root/ldif/ldapssl.ldif
```

```ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/openldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/private/openldap.key
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/certs/CA.crt
```

Add the ldapssl.ldif entry to the LDAP server.

```shell
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldif/ldapssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
```
Check.

```shell
slaptest -u
config file testing succeeded
```

Edit /etc/openldap/ldap.conf and add or modify the lines.

```shell
vi /etc/openldap/ldap.conf
```

```
TLS_CACERTDIR /etc/pki/tls/certs
TLS_CACERT /etc/pki/tls/certs/CA.crt
TLS_REQCERT allow
```

`TLS_REQCERT allow` lets the client tools continue even when the server certificate cannot be verified, which helps while debugging; once `ldapsearch -ZZ` works against the CA, `demand` (the default) is the safer setting.

```shell
systemctl restart slapd
systemctl status slapd
```
#### 3.4.3 ldap and ldaps verification.

Do not combine ldaps:// and StartTLS in one ldapsearch call: use either -ZZ with ldap://, or ldaps://localhost without -Z.

No SSL or TLS.

```shell
ldapsearch -x -H ldap://localhost:389 -LL -b "dc=ol26modk,dc=com"
```

LDAP with StartTLS (-ZZ makes ldapsearch fail if the TLS negotiation does not succeed).

```shell
ldapsearch -x -ZZ -LLL -H ldap://localhost:389 -b "dc=ol26modk,dc=com"
```

LDAPS.

```shell
ldapsearch -x -H ldaps://localhost -b "dc=ol26modk,dc=com"
```