http://www.selinuxproject.org/w/?title=Labeled_NFS/Demo/Manual/LDAP&feed=atom&action=history Labeled NFS/Demo/Manual/LDAP - Revision history 2024-03-19T07:12:52Z Revision history for this page on the wiki MediaWiki 1.23.13 http://www.selinuxproject.org/w/?title=Labeled_NFS/Demo/Manual/LDAP&diff=403&oldid=prev CraigGrube: /* Access Control */ 2008-12-12T15:26:05Z <p>‎<span dir="auto"><span class="autocomment">Access Control</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 15:26, 12 December 2008</td> </tr><tr><td colspan="2" class="diff-lineno">Line 123:</td> <td colspan="2" class="diff-lineno">Line 123:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Access Control:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; 
vertical-align: top; white-space: pre-wrap;"><div>Access Control:</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Add global access control restrictions. &lt;b&gt;These must go before any &lt;code&gt;database&lt;/code&gt; line in the file, or else the settings will not be global!&lt;/b&gt;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Add global access control restrictions. <ins class="diffchange diffchange-inline">&lt;h3&gt;</ins>&lt;b&gt;These must go before any &lt;code&gt;database&lt;/code&gt; line in the file, or else the settings will not be global!&lt;/b<ins class="diffchange diffchange-inline">&gt;&lt;/h3</ins>&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># Users can change their shell, anyone else can see it</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; 
font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div># Users can change their shell, anyone else can see it</div></td></tr> </table> CraigGrube http://www.selinuxproject.org/w/?title=Labeled_NFS/Demo/Manual/LDAP&diff=402&oldid=prev CraigGrube at 15:23, 12 December 2008 2008-12-12T15:23:20Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 15:23, 12 December 2008</td> </tr><tr><td colspan="2" class="diff-lineno">Line 1:</td> <td colspan="2" class="diff-lineno">Line 1:</td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">= LDAP Server = </ins></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Software Packages ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Software Packages ==</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; 
border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">The LDAP server requires installation of the following packages:</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; # yum install openldap openldap-devel openldap-servers openldap-clients \</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160; # yum install openldap openldap-devel openldap-servers openldap-clients \</div></td></tr> </table> CraigGrube http://www.selinuxproject.org/w/?title=Labeled_NFS/Demo/Manual/LDAP&diff=388&oldid=prev CraigGrube: /* SSL Certificate */ 
2008-12-11T19:54:20Z <p>‎<span dir="auto"><span class="autocomment">SSL Certificate</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 19:54, 11 December 2008</td> </tr><tr><td colspan="2" class="diff-lineno">Line 43:</td> <td colspan="2" class="diff-lineno">Line 43:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The LDAP server will require an SSL certificate. It could be purchased, but this isn’t necessary.&#160; The certificate authority can be easily distributed to the clients during configuration. The openssl package provides the necessary scripts to create the required certificates.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The LDAP server will require an SSL certificate. It could be purchased, but this isn’t necessary.&#160; The certificate authority can be easily distributed to the clients during configuration. 
The openssl package provides the necessary scripts to create the required certificates.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The [[Labeled_NFS/Demo/Manual/LDAP/CA|certificate guide]] shows how to create a Certificate Authority (CA) certificate and also CA signed Server Certificates. NOTE: If the LDAP Server has one or more aliases, then the certificate</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The [[Labeled_NFS/Demo/Manual/LDAP/CA|certificate guide]] shows how to create a Certificate Authority (CA) certificate and also CA signed Server Certificates. 
&#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>NOTE: If the LDAP Server has one or more aliases, then the certificate</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>must contain all of the aliases. For example, if the LDAP Server can</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>must contain all of the aliases. 
For example, if the LDAP Server can</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>be looked up in the DNS under host1.domain, ldap.domain,</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>be looked up in the DNS under host1.domain, ldap.domain,</div></td></tr> </table> CraigGrube http://www.selinuxproject.org/w/?title=Labeled_NFS/Demo/Manual/LDAP&diff=387&oldid=prev CraigGrube: /* LDAP Server */ 2008-12-11T19:44:58Z <p>‎<span dir="auto"><span class="autocomment">LDAP Server</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 19:44, 11 December 2008</td> </tr><tr><td colspan="2" class="diff-lineno">Line 1:</td> <td colspan="2" class="diff-lineno">Line 1:</td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">= LDAP Server =</del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; 
vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Normally, the LDAP network setup would have 2+ servers in order to provide backup.&#160; '''This demo only has one LDAP server.'''</del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Software Packages ==</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>== Software Packages ==</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: 
#e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td></tr> </table> CraigGrube http://www.selinuxproject.org/w/?title=Labeled_NFS/Demo/Manual/LDAP&diff=341&oldid=prev CraigGrube: New page: = LDAP Server = Normally, the LDAP network setup would have 2+ servers in order to provide backup. '''This demo only has one LDAP server.''' == Software Packages == <pre> # yum install... 2008-12-11T13:50:44Z <p>New page: = LDAP Server = Normally, the LDAP network setup would have 2+ servers in order to provide backup. &#039;&#039;&#039;This demo only has one LDAP server.&#039;&#039;&#039; == Software Packages == &lt;pre&gt; # yum install...</p> <p><b>New page</b></p><div>= LDAP Server =<br /> <br /> Normally, the LDAP network setup would have 2+ servers in order to provide backup. '''This demo only has one LDAP server.'''<br /> <br /> == Software Packages ==<br /> &lt;pre&gt;<br /> # yum install openldap openldap-devel openldap-servers openldap-clients \<br /> krb5-server-ldap nss_ldap<br /> &lt;/pre&gt;<br /> The LDAP server is also a Kerberos client and is required to be configured as such.<br /> <br /> Other useful packages:<br /> * ldapvi<br /> <br /> == Kerberos Configuration ==<br /> <br /> The LDAP server must be configured to use Kerberos. <br /> <br /> Each LDAP server requires a Kerberos principal. 
The special principal, ldap/hostname must be extracted to a key table to which the LDAP server (slapd) has access.<br /> <br /> * The following needs to be done for each LDAP Server<br /> <br /> &lt;pre&gt;<br /> [root@sefos ~]# kadmin<br /> Authenticating as principal root/admin@EXAMPLE.COM with password.<br /> Password for root/admin@EXAMPLE.COM:<br /> kadmin: addprinc -randkey ldap/sefos.example.com<br /> kadmin: ktadd -k /etc/openldap/ldap.keytab ldap/sefos.example.com<br /> kadmin: exit<br /> [root@sefos ~]# chgrp ldap /etc/openldap/ldap.keytab<br /> [root@sefos ~]# chmod 640 /etc/openldap/ldap.keytab<br /> &lt;/pre&gt;<br /> <br /> == /etc/sysconfig/ldap ==<br /> * Edit /etc/sysconfig/ldap and configure the ldap server, slapd.<br /> ** Set it to use SSL certificates which are configured next.<br /> ** Set it to use the Kerberos key table created above, /etc/openldap/ldap.keytab.<br /> <br /> &lt;pre&gt;<br /> SLAPD_LDAPS=yes<br /> ...<br /> export KRB5_KTNAME=/etc/openldap/ldap.keytab<br /> &lt;/pre&gt;<br /> <br /> == SSL Certificate ==<br /> <br /> The LDAP server will require an SSL certificate. It could be purchased, but this isn’t necessary. The certificate authority can be easily distributed to the clients during configuration. The openssl package provides the necessary scripts to create the required certificates.<br /> <br /> The [[Labeled_NFS/Demo/Manual/LDAP/CA|certificate guide]] shows how to create a Certificate Authority (CA) certificate and also CA signed Server Certificates. NOTE: If the LDAP Server has one or more aliases, then the certificate<br /> must contain all of the aliases. For example, if the LDAP Server can<br /> be looked up in the DNS under host1.domain, ldap.domain,<br /> ldap.someotherdomain. 
The openssl.cnf file should be configured by adding the following line to the usr_cert section. The usr_cert extensions are applied when the CA signs the request, so this belongs in the CA's configuration, and it must list every DNS name the server is reached by, including the host's own name:<br /> <br /> &lt;pre&gt;<br /> subjectAltName=DNS:host1.domain,DNS:ldap.domain,DNS:ldap.someotherdomain<br /> &lt;/pre&gt;<br /> <br /> The CA certificate, the server certificate and the server key should be copied into the /etc/openldap directory. slapd cannot prompt for a passphrase at start-up, so slapd.key must hold the unencrypted private key; the chmod and chgrp steps are what keep it readable only by root and the ldap group.<br /> <br /> &lt;pre&gt;<br /> [root@sefos ~]# cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/cacert.pem<br /> [root@sefos ~]# cp /etc/pki/tls/misc/newreq.pem /etc/openldap/slapd.key<br /> [root@sefos ~]# cp /etc/pki/tls/misc/newcert.pem /etc/openldap/slapd.pem<br /> [root@sefos ~]# chmod 640 /etc/openldap/slapd.key<br /> [root@sefos ~]# chgrp -R ldap /etc/openldap<br /> &lt;/pre&gt;<br /> <br /> == /etc/openldap/slapd.conf ==<br /> === Add references to the SSL certificates ===<br /> &lt;pre&gt;<br /> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem<br /> TLSCertificateFile /etc/openldap/slapd.pem<br /> TLSCertificateKeyFile /etc/openldap/slapd.key<br /> &lt;/pre&gt;<br /> <br /> === Add idle timeout ===<br /> &lt;pre&gt;<br /> idletimeout 3600<br /> &lt;/pre&gt;<br /> <br /> Without this idle timeout, LDAP fails after a period of time. Every client connection holds a file descriptor, and slapd's descriptor limit is finite: if idle connections are never released, slapd eventually cannot open files and returns an error to every query. If the value is too high (or the timeout is disabled), slapd runs out of file handles; if it is set too low, the system log fills with messages about reconnecting to the LDAP server. The 3600 (seconds) used here is somewhat arbitrary and may need to change depending on LDAP service demands.<br /> <br /> === configure suffix and rootdn to match system domain ===<br /> &lt;pre&gt;<br /> suffix &quot;dc=example,dc=com&quot;<br /> rootdn &quot;cn=Manager,dc=example,dc=com&quot;<br /> &lt;/pre&gt;<br /> <br /> === Add temporary Manager account ===<br /> This is needed for the initial load. 
A simple method is to set a hashed password generated with slappasswd; the {SSHA} value it prints is a salted SHA-1 hash, not the password itself. Run slappasswd to create the file entry. NOTE: if you are using the MLS policy, you will have to run &lt;code&gt;slappasswd&lt;/code&gt; via &lt;code&gt;run_init&lt;/code&gt;.<br /> &lt;pre&gt;<br /> [root@sefos ~]# slappasswd <br /> New password: <br /> Re-enter new password: <br /> {SSHA}ISM1CdMvg6jOMNjASCKZvOWxXy6F8jY4<br /> &lt;/pre&gt;<br /> <br /> In the rootpw section of /etc/openldap/slapd.conf:<br /> &lt;pre&gt;<br /> rootpw {SSHA}ISM1CdMvg6jOMNjASCKZvOWxXy6F8jY4<br /> &lt;/pre&gt;<br /> The rootdn bypasses every access control rule, so remove or change this rootpw once the initial load is done.<br /> <br /> === Access Control ===<br /> <br /> This is a bit of a hack to restrict the SASL mechanisms that the server advertises to just GSSAPI. Otherwise it also advertises DIGEST-MD5, which the clients prefer, and you then have to add &quot;-Y GSSAPI&quot; to all of your ldapsearch/ldapmodify/etc. command lines, which is annoying. The default for this is noanonymous,noplain, so the addition of noactive is what makes DIGEST-MD5 and the others go away.<br /> &lt;pre&gt;<br /> sasl-secprops noanonymous,noplain,noactive<br /> &lt;/pre&gt;<br /> <br /> Map SASL authentication identities to directory DNs. Principals that contain a slash, such as root/admin, do not match &lt;code&gt;[^/]*&lt;/code&gt; and keep their SASL DN (uid=root/admin,cn=GSSAPI,cn=auth), which is exactly what the access rules below match with dn.regex:<br /> &lt;pre&gt;<br /> # Map SASL authentication DNs to LDAP DNs<br /> # This leaves &quot;username/admin&quot; principals untouched<br /> sasl-regexp &quot;uid=([^/]*),cn=GSSAPI,cn=auth&quot; &quot;uid=$1,ou=people,dc=example,dc=com&quot;<br /> # [^/]+ would be more precise than [^/]*, but slapd won't accept it<br /> &lt;/pre&gt;<br /> <br /> Access Control:<br /> Add global access control restrictions. 
&lt;b&gt;These must go before any &lt;code&gt;database&lt;/code&gt; line in the file, or else the settings will not be global!&lt;/b&gt;<br /> &lt;pre&gt;<br /> # Users can change their shell, anyone else can see it<br /> access to attrs=loginShell<br /> by dn.regex=&quot;uid=.*/admin,cn=GSSAPI,cn=auth&quot; write<br /> by self write<br /> by * read<br /> # Only the user can see their employeeNumber<br /> access to attrs=employeeNumber<br /> by dn.regex=&quot;uid=.*/admin,cn=GSSAPI,cn=auth&quot; write<br /> by self read<br /> by * none<br /> # Default read access for everything else<br /> access to *<br /> by dn.regex=&quot;uid=.*/admin,cn=GSSAPI,cn=auth&quot; write<br /> by * read<br /> &lt;/pre&gt;<br /> <br /> slapd evaluates these in order: the first &lt;code&gt;access to&lt;/code&gt; clause whose target covers the attribute decides, and within it the first matching &lt;code&gt;by&lt;/code&gt; clause sets the access level; a request that matches no clause is denied, which is why the catch-all &lt;code&gt;access to *&lt;/code&gt; comes last. Two consequences are worth keeping in mind. The catch-all grants read access to everyone, anonymous binds included, so any attribute added later that must stay private (userPassword, for example) needs its own rule placed ahead of it. And the dn.regex patterns are not anchored; writing them as ^uid=.*/admin,cn=GSSAPI,cn=auth$ keeps them from matching more than intended.<br /> <br /> One further security option:<br /> <br /> To make slapd require protected connections (TLS, or a SASL security layer such as the one GSSAPI negotiates):<br /> * The number is roughly the key length in bits of the protection in place. ssf=1 requires at least integrity protection for every operation; update_ssf=112 requires strong encryption before any update is accepted; simple_bind=64 requires encryption before a simple (password) bind is accepted, so the rootpw never crosses the wire in the clear. slapd uses the stronger of the TLS and SASL layers on a connection. The ldapsearch output later on this page shows &quot;SASL SSF: 56&quot; for a GSSAPI-only connection, which satisfies ssf=1 for reads but not update_ssf=112; that is why the ldapadd step below uses -ZZ to force StartTLS.<br /> &lt;pre&gt;<br /> security ssf=1 update_ssf=112 simple_bind=64 <br /> &lt;/pre&gt;<br /> <br /> == Edit /etc/openldap/ldap.conf ==<br /> This file needs to reside on each host that accesses the LDAP server, including the LDAP server(s) themselves. TLS_REQCERT hard makes the client refuse the connection if the server certificate is missing or cannot be validated against TLS_CACERT.<br /> &lt;pre&gt;<br /> BASE dc=example,dc=com<br /> URI ldap://sefos.example.com<br /> TLS_CACERT /etc/openldap/cacerts/cacert.pem<br /> TLS_REQCERT hard<br /> &lt;/pre&gt;<br /> <br /> == Edit /etc/ldap.conf ==<br /> <br /> '''Note''' This file is edited here so that it can be copied to the client during the client configuration. The file isn't necessary for the server unless the server is itself running as a client and using the LDAP user information, which is not suggested. 
Running the server as a consumer of its own LDAP user information hasn't been tested here and would require some careful configuration.<br /> <br /> &lt;pre&gt;<br /> # The distinguished name of the search base.<br /> base dc=example,dc=com<br /> ...<br /> uri ldap://sefos.example.com/<br /> ssl start_tls<br /> tls_cacertdir /etc/openldap/cacerts<br /> &lt;/pre&gt;<br /> <br /> == Add Initial Entries to LDAP Directory ==<br /> To avoid a warning from the BDB backend about a missing environment configuration file, create an empty DB_CONFIG in the database directory:<br /> &lt;pre&gt;<br /> [root@sefos ~]# touch /var/lib/ldap/DB_CONFIG<br /> &lt;/pre&gt;<br /> <br /> Next the root of the directory service needs to be added. This is the Distinguished Name under which the user and group data for the realm lives: the directory is a hierarchical tree, and the realm's entry is the base that the user and group entries hang from. To enter this root, create the following LDAP Data Interchange Format (LDIF) file as &lt;code&gt;/tmp/ldap-init.ldif&lt;/code&gt;:<br /> &lt;pre&gt;<br /> # Our top level domain<br /> dn: dc=example,dc=com<br /> objectclass: dcObject<br /> objectclass: organization<br /> o: SEFOS Test<br /> dc: example<br /> <br /> # The Manager<br /> dn: cn=Manager,dc=example,dc=com<br /> objectclass: organizationalRole<br /> cn: Manager<br /> &lt;/pre&gt;<br /> <br /> Then add it by running the following with slapd stopped (slapadd writes the database files directly, bypassing the server and its access controls):<br /> &lt;pre&gt;<br /> # chcon system_u:object_r:slapd_db_t:s0 /tmp/ldap-init.ldif<br /> # run_init slapadd -v -l /tmp/ldap-init.ldif<br /> &lt;/pre&gt;<br /> This has created several files in the LDAP database directory which are owned by root. 
The LDAP server runs as the user ldap, so permissions must be fixed:<br /> &lt;pre&gt;<br /> [root@sefos ~]# chown ldap:ldap /var/lib/ldap/*<br /> &lt;/pre&gt;<br /> <br /> == Firewall ==<br /> <br /> If the LDAP server is behind a firewall, the following ports need to be open:<br /> * 389 TCP | LDAP (plain and StartTLS)<br /> * 636 TCP | LDAP over TLS/SSL (ldaps, enabled by SLAPD_LDAPS=yes above)<br /> <br /> The following rules should be added to &lt;code&gt;/etc/sysconfig/iptables&lt;/code&gt; just before the INPUT REJECT rule:<br /> &lt;pre&gt;<br /> # ldap server<br /> -A INPUT -m tcp -p tcp --dport 389 -j ACCEPT<br /> -A INPUT -m tcp -p tcp --dport 636 -j ACCEPT<br /> &lt;/pre&gt;<br /> <br /> And then iptables needs to be restarted:<br /> &lt;pre&gt;<br /> [root@sefos ~]# run_init service iptables restart<br /> &lt;/pre&gt;<br /> <br /> == Start LDAP Server and Start at Boot ==<br /> <br /> Start the LDAP server on the system and configure the system to start LDAP during boot.<br /> <br /> &lt;pre&gt;<br /> [root@sefos /]# run_init service ldap start<br /> [root@sefos /]# chkconfig ldap on<br /> &lt;/pre&gt;<br /> <br /> == Test local LDAP access ==<br /> Now 2 nodes need to be added; one for groups and one for users. Create &lt;code&gt;/tmp/usernodes.ldif&lt;/code&gt;<br /> &lt;pre&gt; <br /> # Now we create an organizational unit to hold our users:<br /> dn: ou=people,dc=example,dc=com<br /> objectClass: organizationalUnit<br /> ou: People<br /> <br /> # And, finally, one to hold our groups:<br /> dn: ou=group,dc=example,dc=com<br /> objectClass: organizationalUnit<br /> ou: Group<br /> &lt;/pre&gt;<br /> <br /> And, assuming you have Kerberos credentials for an admin principal (the access rules above only grant write access to uid=*/admin identities), add them like so. The -ZZ flag makes ldapadd fail rather than continue without StartTLS, which the update_ssf setting requires:<br /> &lt;pre&gt;<br /> # chcon system_u:object_r:slapd_db_t:s0 /tmp/usernodes.ldif<br /> # ldapadd -ZZ -f /tmp/usernodes.ldif<br /> &lt;/pre&gt;<br /> <br /> == Troubleshooting ==<br /> * If you get &quot;Insufficient access (50); additional info: no write access to parent&quot;, then make sure the access control rules added to slapd.conf are global (i.e. they occur before any &lt;code&gt;database&lt;/code&gt; statements) and that you are bound as an admin principal rather than as a regular user.<br /> <br /> * If you get &quot;ldap_sasl_interactive_bind_s: Local error (-2)&quot;, then you don't have any Kerberos credentials, or they have expired. Simply run &lt;code&gt;kinit -p root/admin&lt;/code&gt; and you should get proper credentials after supplying the admin password.<br /> <br /> = LDAP Client =<br /> <br /> == F9 LDAP Client Packages ==<br /> &lt;pre&gt;<br /> # yum install openldap openldap-devel openldap-clients nss_ldap<br /> &lt;/pre&gt;<br /> The LDAP client is also a Kerberos client and is required to be configured as such.<br /> <br /> <br /> == LDAP Client Configuration ==<br /> <br /> Copy the following files from the LDAP server.<br /> * /etc/ldap.conf<br /> * /etc/openldap/ldap.conf<br /> * /etc/openldap/cacerts/cacert.pem<br /> <br /> Make sure the CA certificate is world readable (it is public; only the server's slapd.key is secret):<br /> &lt;pre&gt;<br /> chmod 644 /etc/openldap/cacerts/cacert.pem<br /> &lt;/pre&gt;<br /> <br /> == Testing LDAP from the Client ==<br /> We should be able to query the LDAP server from the client and extract information. Here is a sample query and the expected output:<br /> &lt;pre&gt;<br /> [root@sefos /]# ldapsearch -b 'dc=example,dc=com' -L &quot;cn=Manager&quot;<br /> SASL/GSSAPI authentication started<br /> SASL username: root/admin@EXAMPLE.COM<br /> SASL SSF: 56<br /> SASL data security layer installed.<br /> version: 1<br /> <br /> #<br /> # LDAPv3<br /> # base &lt;dc=example,dc=com&gt; with scope subtree<br /> # filter: cn=Manager<br /> # requesting: ALL<br /> #<br /> <br /> # Manager, example.com<br /> dn: cn=Manager,dc=example,dc=com<br /> objectClass: organizationalRole<br /> cn: Manager<br /> <br /> # search result<br /> <br /> # numResponses: 2<br /> # numEntries: 1<br /> <br /> [root@sefos /]# <br /> &lt;/pre&gt;<br /> <br /> If you get this error<br /> &lt;pre&gt;<br /> ldap_sasl_interactive_bind_s: Local error (-2)<br /> &lt;/pre&gt;<br /> <br /> Then you don't have any Kerberos credentials, or they have expired. 
Simply run<br /> &lt;pre&gt;<br /> kinit -p root/admin<br /> &lt;/pre&gt;<br /> and you should get proper credentials after supplying the admin password.<br /> <br /> = LDAP References =<br /> <br /> * OpenLDAP Software 2.4 [http://www.openldap.org/doc/admin24/ Administrator's Guide]<br /> * Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map, RFC 4510<br /> * Lightweight Directory Access Protocol (LDAP): The Protocol, RFC 4511<br /> * LDAP Data Interchange Format (LDIF): Technical Specification, RFC 2849<br /> * Lightweight Directory Access Protocol (LDAP): Directory Information Models, RFC 4512<br /> * Lightweight Directory Access Protocol (LDAP): Schema for User Applications, RFC 4519</div> CraigGrube
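The slapd.conf fragments on this page (the sasl-regexp mapping, the three global access rules, the warning that rules placed after a database line are not global, and the security directive) fit together in a way that is easier to see by executing them. The Python model below is an added example, not code from the wiki page or from OpenLDAP: it folds a constructed slapd.conf excerpt the way slapd.conf(5) continuation lines work, applies the sasl-regexp, evaluates read and write requests with slapd's first-match semantics (a database's own ACLs before the global ones, denial when nothing matches), lists any rule that ended up below the database line, and checks an operation against the security directive using the SSF seen in the ldapsearch output on this page (56 for GSSAPI alone) next to an assumed TLS SSF of 128. The user DNs, the extra userPassword rule and the TLS SSF are assumptions made for the demo.

```python
# Model of the slapd.conf access control on this page. Added example, not
# code from the wiki page or from OpenLDAP; all DNs, SSF values and the
# userPassword rule below are assumptions for the demo.
import re

# Constructed slapd.conf excerpt: the page's sasl-regexp and global ACLs,
# then one rule deliberately placed after the database line.
SLAPD_CONF = """\
sasl-regexp "uid=([^/]*),cn=GSSAPI,cn=auth" "uid=$1,ou=people,dc=example,dc=com"
access to attrs=loginShell
    by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
    by self write
    by * read
access to attrs=employeeNumber
    by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
    by self read
    by * none
access to *
    by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
    by * read
database bdb
access to attrs=userPassword
    by self write
    by * none
"""
SECURITY = "ssf=1 update_ssf=112 simple_bind=64"  # the page's directive
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_conf(text):
    """Return (regexps, global_acls, db_acls). Indented lines continue the
    previous directive; ACLs after a database line belong to that database."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    regexps, global_acls, db_acls, in_db = [], [], [], False
    for line in lines:
        if line.startswith("database "):
            in_db = True
        elif line.split()[0] in ("sasl-regexp", "authz-regexp"):
            regexps.append(tuple(re.findall(r'"([^"]*)"', line)))
        elif line.startswith("access to "):
            target, _, rest = line[10:].partition(" by ")
            who = [tuple(c.rsplit(" ", 1)) for c in rest.split(" by ")]
            (db_acls if in_db else global_acls).append((target.strip(), who))
    return regexps, global_acls, db_acls

def map_sasl_identity(authzid, regexps):
    """First matching sasl-regexp rewrites the identity; root/admin has a '/'
    that [^/]* excludes, so it stays uid=root/admin,cn=GSSAPI,cn=auth."""
    for pat, repl in regexps:
        m = re.fullmatch(pat, authzid)  # anchored here; write ^...$ in real rules
        if m:
            return m.expand(repl.replace("$", "\\"))
    return authzid

def _matches(subject, requester, target_dn):
    if subject == "*":
        return True
    if subject == "self":
        return requester == target_dn
    m = re.fullmatch(r'dn\.regex="(.*)"', subject)
    if m:
        return re.fullmatch(m.group(1), requester) is not None
    raise ValueError("unsupported by clause: " + subject)

def decide(acls, requester, target_dn, attr, op):
    """First ACL whose target covers attr decides, first matching by clause
    sets the level, and a request that matches nothing is denied (as slapd)."""
    for target, who in acls:
        if target != "*" and attr not in target[len("attrs="):].split(","):
            continue
        for subject, level in who:
            if _matches(subject, requester, target_dn):
                return LEVELS.index(level) >= LEVELS.index(op)
        return False
    return False

def allowed(authzid, target_dn, attr, op, conf=SLAPD_CONF):
    """Map the SASL identity ('' models anonymous), then check the database's
    own ACLs before the global ones, in the order slapd uses."""
    regexps, global_acls, db_acls = parse_conf(conf)
    dn = map_sasl_identity(authzid, regexps)
    return decide(db_acls + global_acls, dn, target_dn, attr, op)

def non_global_acls(conf=SLAPD_CONF):
    """Targets of ACLs written after a database line: the page's pitfall."""
    return [target for target, _ in parse_conf(conf)[2]]

def operation_allowed(op, tls_ssf, sasl_ssf, security=SECURITY):
    """Apply the security directive: the connection SSF is the stronger of the
    TLS and SASL layers; writes must also meet update_ssf, simple binds simple_bind."""
    req = {k: int(v) for k, v in (kv.split("=") for kv in security.split())}
    extra = {"write": "update_ssf", "simple_bind": "simple_bind"}.get(op)
    need = max(req.get("ssf", 0), req.get(extra, 0))
    return max(tls_ssf, sasl_ssf) >= need
```

Adding an entry needs write access to the parent's `children` pseudo-attribute, so `allowed("uid=bob,cn=GSSAPI,cn=auth", "ou=people,dc=example,dc=com", "children", "write")` returns False: the "no write access to parent" case from Troubleshooting for a non-admin principal, while the same call for `uid=root/admin,cn=GSSAPI,cn=auth` returns True. `operation_allowed("write", 0, 56)` is False and `operation_allowed("write", 128, 56)` is True, which is the reason the ldapadd step runs with -ZZ.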