OpenLDAP install guide

This guide describes the steps needed to install and configure OpenLDAP on CentOS 7 for use as a linked system with KeyHub.

Installing OpenLDAP

This part is based on the excellent guide provided at Server World. The original can be found here.

  You will need root rights throughout this guide: either switch to root or prefix all commands below with sudo.
  In this guide we use vi as a text editor. You can of course replace it with your favorite text editor.

Step 1

  • Update your OS

yum update -y && yum upgrade -y
  • Install OpenLDAP Server and Client tools

yum -y install openldap-servers openldap-clients
  • Copy initial database configuration

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  • Adjust rights

chown ldap: /var/lib/ldap/DB_CONFIG
  • Start OpenLDAP

systemctl start slapd
  • Enable OpenLDAP start at system boot

systemctl enable slapd

Step 2

  • Create a directory for the ldif files

mkdir /root/ldap
  • Change into this directory

cd /root/ldap
  • Set OpenLDAP admin password
    You might want to create a vault record in KeyHub and generate a password there ;)
    Note the output for the next step.

slappasswd
  • Create chrootpw.ldif configuration file

vi chrootpw.ldif
  • Content of chrootpw.ldif
    Use the output from the slappasswd step to replace the value in olcRootPW.

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
  • Apply configuration

ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

Step 3

  • Import basic schemas

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Step 4

Set your domain name in the OpenLDAP database.

  • Generate OpenLDAP manager’s password
    You might want to create a vault record in KeyHub and generate a password there ;)
    Note the output for the next step.

slappasswd
  • Create chdomain.ldif configuration file

vi chdomain.ldif
  • Content of chdomain.ldif
    Use the output from the slappasswd step to replace the value in olcRootPW.

  Make sure you replace dc=<MY_DOMAIN>,dc=<MY_TLD> with your own domain components, e.g. dc=topicus-keyhub,dc=com
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=<MY_DOMAIN>,dc=<MY_TLD>

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" write by * read
  • Apply configuration

ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
  • Create basedomain.ldif configuration file

vi basedomain.ldif
  • Content of basedomain.ldif

  Make sure you replace dc=<MY_DOMAIN>,dc=<MY_TLD> with your own domain components.
dn: dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World

dn: cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: organizationalUnit
ou: Group
  • Apply configuration

  Make sure you replace dc=<MY_DOMAIN>,dc=<MY_TLD> with your own domain components. Use the directory manager's password when prompted.
ldapadd -x -D cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD> -W -f basedomain.ldif
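The placeholder substitution in chdomain.ldif is easy to get wrong by hand, and pasting a plaintext password into olcRootPW instead of the slappasswd hash is a common slip. As an added example (not part of this guide, KeyHub or OpenLDAP), the POSIX sh helper below derives the dc= suffix from a DNS name, also handling names with more than two labels (corp.example.com becomes dc=corp,dc=example,dc=com), and renders chdomain.ldif only when the password value really is a {SSHA} hash. The domain names and hash value in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the KeyHub guide: render chdomain.ldif from a DNS
# domain and a slappasswd hash instead of editing the placeholders by hand.
# Domain names and hash values used in comments are constructed.
set -eu

# dn_from_domain DOMAIN -> prints "dc=a,dc=b,dc=c"; fails on a malformed name.
dn_from_domain() {
    case "$1" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    suffix=''
    for label in "$@"; do
        suffix="${suffix:+$suffix,}dc=$label"
    done
    printf '%s\n' "$suffix"
}

# render_chdomain SUFFIX HASH -> writes the guide's chdomain.ldif to stdout.
# HASH must be the {SSHA}... output of slappasswd; anything else is refused so
# a plaintext password never ends up in olcRootPW.
render_chdomain() {
    suffix=$1; hash=$2
    case "$hash" in
        '{SSHA}'*) ;;
        *) echo "render_chdomain: olcRootPW must be a {SSHA} hash from slappasswd" >&2; return 1 ;;
    esac
    manager="cn=Manager,$suffix"
    cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="$manager" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $suffix

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: $manager

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: $hash

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="$manager" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="$manager" write by * read
EOF
}

# Usage on the server, after running slappasswd and copying its output:
#   render_chdomain "$(dn_from_domain example.com)" '{SSHA}...' > chdomain.ldif
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
```

The same two helpers can be reused for basedomain.ldif; only the heredoc differs.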

Step 5

If a firewall is running you need to allow the LDAP service. LDAP uses 389/TCP. Firewalld is the default firewall service on CentOS 7. The commands below open port 389 in Firewalld.

firewall-cmd --add-service=ldap --permanent
firewall-cmd --reload

Configuring TLS

For a secure connection between KeyHub and OpenLDAP we advise using StartTLS.

Step 1

Create certificates and keys if you don't want to or can't use existing ones. Otherwise use your own certificate and skip this step.

  • Create Server certificate

  Replace <HOSTNAME>, <MY_DOMAIN> and <MY_TLD> with the host and domain name you used for your OpenLDAP installation, e.g. ldap_server, topicus-keyhub and com
  • Create root certificate and key

openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
  • Create server private key

openssl genrsa -out <HOSTNAME>.key 2048
  • Create the server certificate configuration file

vi <HOSTNAME>.conf
  • Content

  Don’t forget to change at least the CN. Other values can be changed to your liking.
[req]
default_bits=2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = NL
ST = Overijssel
L = Deventer
O = Topicus KeyHub
OU = KeyHub
emailAddress = info@<MY_DOMAIN>.<MY_TLD>
CN = <HOSTNAME>.<MY_DOMAIN>.<MY_TLD>
  • Create the server certificate signing request

openssl req -new -key <HOSTNAME>.key -out <HOSTNAME>.csr -config <HOSTNAME>.conf
  • Create the configuration for the alternative name

vi <HOSTNAME>.ext
  • Content

  Change the DNS value to yours, e.g. ldap_server.topicus-keyhub.com
subjectAltName = DNS:<HOSTNAME>.<MY_DOMAIN>.<MY_TLD>
  • Create the server certificate

openssl x509 -req -in <HOSTNAME>.csr -CA ./rootCA.crt -CAkey ./rootCA.key -CAcreateserial -out <HOSTNAME>.<MY_DOMAIN>.<MY_TLD>.crt -days 500 -sha256 -extfile <HOSTNAME>.ext
  • Optionally verify your certificate

openssl x509 -in <HOSTNAME>.<MY_DOMAIN>.<MY_TLD>.crt -text -noout
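Reading the certificate dump by eye is the only check the steps above give you. As an added example (not part of this guide or of KeyHub), the script below runs the same OpenSSL steps non-interactively and then performs the three checks worth doing before anything is moved into /etc/openldap/certs: the server certificate verifies against rootCA.crt, its subjectAltName carries the FQDN that KeyHub will connect to, and the private key actually belongs to the certificate. The root key is written without a passphrase (no -des3) so the script can run unattended; the hostname, domain and DN values are constructed.

```shell
#!/bin/sh
# Added example, not from the KeyHub guide: script the CA and server
# certificate steps and verify the result. Hostname/domain values are
# constructed; the root key is unencrypted here so the run is non-interactive.
set -eu

# make_server_cert HOSTNAME DOMAIN TLD OUTDIR
# Produces rootCA.key, rootCA.crt, HOSTNAME.key/.conf/.csr/.ext and
# HOSTNAME.DOMAIN.TLD.crt in OUTDIR, mirroring the guide's file names.
make_server_cert() {
    host=$1; domain=$2; tld=$3; out=$4
    fqdn="$host.$domain.$tld"
    mkdir -p "$out"

    # Root CA with explicit CA extensions instead of relying on the system openssl.cnf.
    cat > "$out/rootCA.conf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C = NL
O = Example Root CA
CN = Example Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl genrsa -out "$out/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$out/rootCA.key" -sha256 -days 1024 \
        -config "$out/rootCA.conf" -out "$out/rootCA.crt" 2>/dev/null

    # Server key, request config (the guide's <HOSTNAME>.conf) and CSR.
    openssl genrsa -out "$out/$host.key" 2048 2>/dev/null
    cat > "$out/$host.conf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = NL
O = Example Org
emailAddress = info@$domain.$tld
CN = $fqdn
EOF
    openssl req -new -key "$out/$host.key" -out "$out/$host.csr" \
        -config "$out/$host.conf" 2>/dev/null

    # SAN extension file (the guide's <HOSTNAME>.ext) and the signed certificate.
    printf 'subjectAltName = DNS:%s\n' "$fqdn" > "$out/$host.ext"
    openssl x509 -req -in "$out/$host.csr" -CA "$out/rootCA.crt" -CAkey "$out/rootCA.key" \
        -CAcreateserial -out "$out/$fqdn.crt" -days 500 -sha256 \
        -extfile "$out/$host.ext" 2>/dev/null
}

# verify_server_cert CERT CAFILE FQDN -> 0 only if CERT chains to CAFILE and
# its subjectAltName contains DNS:FQDN (what a StartTLS client will check).
verify_server_cert() {
    cert=$1; ca=$2; fqdn=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text | grep -qF "DNS:$fqdn"
}

# key_matches_cert KEY CERT -> 0 if the public key in CERT was derived from KEY.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Usage:
#   make_server_cert ldap_server topicus-keyhub com /root/ldap/certs
#   verify_server_cert /root/ldap/certs/ldap_server.topicus-keyhub.com.crt \
#       /root/ldap/certs/rootCA.crt ldap_server.topicus-keyhub.com && echo OK
```

If any of the three checks fails, slapd will either refuse to start with the TLS settings from Step 3 or KeyHub will reject the handshake, so it is cheaper to catch it here.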

Step 2

Move the created certificates to the OpenLDAP directory and adjust the rights.

  • Move the certificates to /etc/openldap/certs

mv <HOSTNAME>* /etc/openldap/certs/
mv rootCA.* /etc/openldap/certs/
  • Set the rights for the certificates

chown ldap: /etc/openldap/certs/*

Step 3

Create the OpenLDAP configuration.

  • Create tlsverify.ldif configuration file

  The order of the configuration lines in tlsverify.ldif is very important.
vim tlsverify.ldif
  • Content of tlsverify.ldif

  Check that the paths and names of the certificates exist and adjust if needed. The "-" in rule 20 is not a typo ;)
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/rootCA.crt

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:+SSLv3:+TLSv1:+SASL:MEDIUM:+SSLv2:@STRENGTH:+SHA:+MD5:!NULL

dn: cn=config
changetype: modify
add: olcTLSVerifyClient
olcTLSVerifyClient: try

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/<HOSTNAME>.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/<HOSTNAME>.<MY_DOMAIN>.<MY_TLD>.crt

Step 4

  • Apply the configuration

ldapmodify -Y EXTERNAL -H ldapi:/// -f tlsverify.ldif

Enable public key provisioning

  This step is needed to enable public key provisioning from KeyHub.

Step 1

  • Install openssh-ldap.
    This is needed to add the SSH key schema.

yum -y install openssh-ldap

Step 2

Create the OpenLDAP configuration.

  • Create openssh-ldap.conf file (in this example this is done in /root/ldap)

vim /root/ldap/openssh-ldap.conf
  • Content of openssh-ldap.conf

  The path of the files to be included depends on the installed version.
include /etc/openldap/schema/core.schema
include /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.schema
  • Create the cn=config directory and files using slapcat
    slapcat reads from the current database based on the created config file and outputs to the specified directory.

slapcat -f /root/ldap/openssh-ldap.conf -F /root/ldap -n 0
  • Copy /root/ldap/cn=config/cn=schema/cn={1}openssh-lpk-openldap.ldif to /root/ldap/openssh-ldap.ldif

cp cn\=config/cn\=schema/cn\=\{1\}openssh-lpk-openldap.ldif /root/ldap/openssh-ldap.ldif
  • Edit /root/ldap/openssh-ldap.ldif

  • Remove the lines similar to these

structuralObjectClass: olcSchemaConfig
entryUUID: 02a17a84-79a3-103b-9158-15bfba5efd60
creatorsName: cn=config
createTimestamp: 20210715102733Z
entryCSN: 20210715102733.168332Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210715102733Z
  • Replace dn: cn={1}openssh-lpk-openldap with dn: cn=openssh-openldap,cn=schema,cn=config

  • Replace cn: {1}openssh-lpk-openldap with cn: openssh-openldap

  • Replace cn=openssh-openldap with cn=openssh-openldap,cn=schema,cn=config

The resulting file should look similar to this:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 d4505710
dn: cn=openssh-openldap,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )
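The manual edits listed above (drop the operational attributes, rewrite dn and cn) can be scripted. As an added example, not from this guide or the openssh-ldap package, the POSIX sh filter below applies them and accepts any {n} index, since slapcat numbers the schema according to what is already loaded. The sample input is constructed to mirror a slapd.d schema file carrying the attribute type and object class shown above; the entryUUID, timestamps and CRC32 in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the KeyHub guide: turn the slapd.d schema file
# written by slapcat into an ldapadd-able openssh-ldap.ldif.
set -eu

# Constructed sample that mirrors cn=config/cn=schema/cn={1}openssh-lpk-openldap.ldif.
# The UUID, timestamps and CRC32 are placeholders, not real values.
sample_schema_file() {
    cat <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: cn={1}openssh-lpk-openldap
objectClass: olcSchemaConfig
cn: {1}openssh-lpk-openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' D
 ESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.
 1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DE
 SC 'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicK
 ey $ uid ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20210101000000Z
entryCSN: 20210101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210101000000Z
EOF
}

# convert_schema_ldif: stdin -> stdout. Removes the operational attributes that
# ldapadd must not receive and rewrites the relative dn/cn of the slapd.d file
# into the full cn=schema,cn=config entry the guide ends up with.
convert_schema_ldif() {
    sed -e '/^structuralObjectClass:/d' \
        -e '/^entryUUID:/d' \
        -e '/^creatorsName:/d' \
        -e '/^createTimestamp:/d' \
        -e '/^entryCSN:/d' \
        -e '/^modifiersName:/d' \
        -e '/^modifyTimestamp:/d' \
        -e 's/^dn: cn={[0-9]*}openssh-lpk-openldap$/dn: cn=openssh-openldap,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}openssh-lpk-openldap$/cn: openssh-openldap/'
}

# schema_ldif_ok: stdin -> 0 if the converted file has the expected dn and no
# operational attributes left; a quick check before running ldapadd.
schema_ldif_ok() {
    content=$(cat)
    echo "$content" | grep -q '^dn: cn=openssh-openldap,cn=schema,cn=config$' || return 1
    echo "$content" | grep -q '^cn: openssh-openldap$' || return 1
    if echo "$content" | grep -Eq '^(entryUUID|entryCSN|creatorsName|modifiersName|createTimestamp|modifyTimestamp|structuralObjectClass):'; then
        return 1
    fi
    return 0
}

# Usage from /root/ldap after the slapcat step:
#   convert_schema_ldif < 'cn=config/cn=schema/cn={1}openssh-lpk-openldap.ldif' > openssh-ldap.ldif
#   schema_ldif_ok < openssh-ldap.ldif && ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-ldap.ldif
```

The folded continuation lines (those starting with a single space) are left untouched; ldapadd unfolds them itself, so the output is valid LDIF even though it does not look like the unfolded listing above.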

Step 3

  • Apply configuration

ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-ldap.ldif

Step 4

  • Restart OpenLDAP

systemctl restart slapd

Install PBKDF2 module on OpenLDAP

OpenLDAP is not able to use PBKDF2 out of the box. PBKDF2 is a strong hashing algorithm using 64k iterations of SHA512. KeyHub is able to provision password hashes in PBKDF2 format.

Step 1

  • Download the PBKDF2 module from the Topicus servers
    Expected md5sum: 198056d220b0d94750a05fa9c0dade6f  pw-pbk2.tar.gz

wget https://files.topicus-keyhub.com/download/pw-pbk2.tar.gz

Step 2

  • Unpack pw-pbk2.tar.gz
    This will unpack into /usr/lib64/openldap/

tar xvfz ~/ldap/pw-pbk2.tar.gz

Step 3

  • If SELinux is enabled (the default on CentOS 7) you will need to restore the context of these files

restorecon -v /usr/lib64/openldap/pw-pbkdf2.*

Step 4

  • Create the configuration file pbk.ldif with the following content:

dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: pw-pbkdf2.la
  • Apply the configuration

ldapadd -Y EXTERNAL -H ldapi:/// -f pbk.ldif
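Step 1 publishes an md5sum for the module tarball but the steps never compare it, so a truncated or corrupted download would be unpacked into /usr/lib64/openldap unnoticed. As an added example (not part of this guide or of KeyHub), the POSIX sh helpers below compute the digest, refuse to unpack on a mismatch, and then run the unpack and restorecon steps from Steps 2 and 3. The expected digest is the one printed in the guide; the file contents used to exercise the helpers are constructed.

```shell
#!/bin/sh
# Added example, not from the KeyHub guide: check the tarball against the
# md5sum the guide publishes before unpacking it into /usr/lib64/openldap.
set -eu

# Expected digest for pw-pbk2.tar.gz, as printed in the guide.
PW_PBK2_MD5=198056d220b0d94750a05fa9c0dade6f

# file_md5 FILE -> prints the hex MD5 of FILE (md5sum, with openssl as fallback).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        openssl dgst -md5 -r "$1" | awk '{ print $1 }'
    fi
}

# verify_md5 FILE EXPECTED -> 0 if FILE is non-empty and its digest matches.
verify_md5() {
    [ -s "$1" ] || return 1
    actual=$(file_md5 "$1")
    [ "$actual" = "$2" ]
}

# install_pbkdf2_module TARBALL -> Steps 2 and 3 of the guide, guarded by the
# digest check. Needs root and SELinux tooling; not exercised by the test.
install_pbkdf2_module() {
    if ! verify_md5 "$1" "$PW_PBK2_MD5"; then
        echo "refusing to unpack $1: missing, empty or md5 mismatch" >&2
        return 1
    fi
    tar xvfz "$1"
    restorecon -v /usr/lib64/openldap/pw-pbkdf2.*
}

# Usage on the server, from /root/ldap after the wget step:
#   install_pbkdf2_module ~/ldap/pw-pbk2.tar.gz && ldapadd -Y EXTERNAL -H ldapi:/// -f pbk.ldif
```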