OpenLDAP install guide

This guide describes the steps needed to install and configure OpenLDAP on Centos 7 for use as a linked system with KeyHub.

Installing OpenLDAP

This part is based on the excellent guide provided at server world. Original can be found here.

  you will need sudo rights throughout this guide. Either change into root or use sudo for all commands below.
  In this guide we use vi as a text editor. You can offcourse replace it by your favorite text editor.

Step 1

  • Upda

    Installing OpenLDAP

    This part is based on the excellent guide provided at server world. Original can be found here.

      you will need sudo rights throughout this guide. Either change into root or use sudo for all commands below.
      In this guide we use vi as a text editor. You can offcourse replace it by your favorite text editor.

    Step 1

    • Update your OS

    yum update -y && yum upgrade -y
    • Install OpenLDAP Server and Client tools

    yum -y install openldap-servers openldap-clients
    • Copy initial database configuration

    cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    • Adjust rights

    chown ldap: /var/lib/ldap/DB_CONFIG
    • Start OpenLDAP

    systemctl start slapd
    • Enable OpenLDAP start at system boot

    systemctl enable slapd

    Step 2

    • Create a directory for the ldif files

    mkdir /root/ldap
    • Change into this directory

    cd ldap
    • Set OpenLDAP admin password
      You might want to create a vault record in KeyHub and generate a password there ;)
      Note the output for the next step.

    slappasswd
    • Create chrootpw.ldif configuration file

    vi chrootpw.ldif
    • Content of chrootpw.ldif
      Use the output from the slappasswd step to replace the value in olcRootPW.

    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
    • Apply configuration

    ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

    Step 3

    • Import basic schemas

    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

    Step 4

    Set your domain name in the OpenLDAP database.

    • Generate OpenLDAP manager’s password
      You might want to create a vault record in KeyHub and generate a password there ;)
      Note the output for the next step.

    slappasswd
    • Create chdomain.ldif configuration file

    vi chdomain.ldif
    • Content of chdomain.ldif
      Use the output from the slappasswd step to replace the value in olcRootPW.

      Make sure you replace dc=<MY_DOMAIN>, dc=<MY_TLD> with your own domain components. eg. dc=topicus-keyhub, dc=com
    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    read by dn.base="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" read by * none

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=<MY_DOMAIN>,dc=<MY_TLD>

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange by
    dn="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" write by * read
    • Apply configuration

    ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
    • Create basedomain.ldif configuration file

    vi basedomain.ldif
    • Content of basedomain.ldif

      Make sure you replace dc=<MY_DOMAIN>, dc=<MY_TLD> with your own domain components.
    dn: dc=<MY_DOMAIN>,dc=<MY_TLD>
    objectClass: top
    objectClass: dcObject
    objectclass: organization
    o: Server World

    dn: cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>
    objectClass: organizationalRole
    cn: Manager
    description: Directory Manager

    dn: ou=People,dc=<MY_DOMAIN>,dc=<MY_TLD>
    objectClass: organizationalUnit
    ou: People

    dn: ou=Group,dc=<MY_DOMAIN>,dc=<MY_TLD>
    objectClass: organizationalUnit
    ou: Group
    • Apply configuration

      Make sure you replace dc=<MY_DOMAIN>, dc=<MY_TLD> with your own domain components. Use directory manager’s password when prompted.
    ldapadd -x -D cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD> -W -f basedomain.ldif

    Step 5

    If a firewall is running you need to allow LDAP service. LDAP uses 389/TCP. Firewalld is the default firewall serice for Centos 7. The commands below will open port 389 on Firewalld.

    firewall-cmd --add-service=ldap --permanent
    firewall-cmd --reload

    te your OS

yum update -y && yum upgrade -y
  • Install OpenLDAP Server and Client tools

yum -y install openldap-servers openldap-clients
  • Copy initial database configuration

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  • Adjust rights

chown ldap: /var/lib/ldap/DB_CONFIG
  • Start OpenLDAP

systemctl start slapd
  • Enable OpenLDAP start at system boot

systemctl enable slapd

Step 2

  • Create a directory for the ldif files

mkdir /root/ldap
  • Change into this directory

cd ldap
  • Set OpenLDAP admin password
    You might want to create a vault record in KeyHub and generate a password there ;)
    Note the output for the next step.

slappasswd
  • Create chrootpw.ldif configuration file

vi chrootpw.ldif
  • Content of chrootpw.ldif
    Use the output from the slappasswd step to replace the value in olcRootPW.

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
  • Apply configuration

ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

Step 3

  • Import basic schemas

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Step 4

Set your domain name in the OpenLDAP database.

  • Generate OpenLDAP manager’s password
    You might want to create a vault record in KeyHub and generate a password there ;)
    Note the output for the next step.

slappasswd
  • Create chdomain.ldif configuration file

vi chdomain.ldif
  • Content of chdomain.ldif
    Use the output from the slappasswd step to replace the value in olcRootPW.

  Make sure you replace dc=<MY_DOMAIN>, dc=<MY_TLD> with your own domain components. eg. dc=topicus-keyhub, dc=com
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=<MY_DOMAIN>,dc=<MY_TLD>

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" write by * read
  • Apply configuration

ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
  • Create basedomain.ldif configuration file

vi basedomain.ldif
  • Content of basedomain.ldif

  Make sure you replace dc=<MY_DOMAIN>, dc=<MY_TLD> with your own domain components.
dn: dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World

dn: cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: organizationalUnit
ou: Group
  • Apply configuration

  Make sure you replace dc=<MY_DOMAIN>, dc=<MY_TLD> with your own domain components. Use directory manager’s password when prompted.
ldapadd -x -D cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD> -W -f basedomain.ldif

Step 5

If a firewall is running you need to allow LDAP service. LDAP uses 389/TCP. Firewalld is the default firewall serice for Centos 7. The commands below will open port 389 on Firewalld.

firewall-cmd --add-service=ldap --permanent
firewall-cmd --reload

Configuring TLS

For a secure connection between KeyHub and OpenLDAP we advise to use StartTLS.

Step 1

Create certificates and keys if you don’t want to or can’t use an existing one. Otherwise you can use your own certificate and skip this step.

  • Create Server certificate

  Replace <HOSTNAME>, <MY_DOMAIN> and <MY_TLD> with the host and domain name you used for your OpenLDAP installation. eg. ldap_server, topicus-keyhub and com
  • Create root certificate and key

openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
  • Create server private key

openssl genrsa -out <HOSTNAME>.key 2048
  • Create the server certificate configuration file

vi <HOSTNAME>.conf
  • Content

  Don’t forget to change at least the CN. Other values can be changed to your liking.
[req]
default_bits=2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = NL
ST = Overijssel
L = Deventer
O = Topicus KeyHub
OU = KeyHub
emailAddress = info@<MY_DOMAIN>.<MY_TLD>
CN = <HOSTNAME>.<MY_DOMAIN>.<MY_TLD>
  • Create the server certificate signing request

openssl req -new -key <HOSTNAME>.key -out <HOSTNAME>.csr -config <HOSTNAME>.conf
  • Create the configuration for the alternative name

vi <HOSTNAME>.ext
  • Content

  Change the DNS value to yours. eg. ldap_server.topicus-keyhub.com
subjectAltName = DNS:<HOSTNAME>.<MY_DOMAIN>.<MY_TLD>
  • Create the server certificate

openssl x509 -req -in <HOSTNAME>.csr -CA ./rootCA.crt -CAkey ./rootCA.key -CAcreateserial -out <HOSTNAME>.<MY_DOMAIN>.<MY_TLD>.crt -days 500 -sha256 -extfile <HOSTNAME>.ext
  • Optionaly verify your certificate

openssl x509 -in <HOSTNAME>.<MY_DOMAIN>.<MY_TLD>.crt -text -noout

Step 2

Move the created certificates to the OpenLDAP directory and adjust the rights.

  • Move the certificates to /etc/openldap/certs

mv <HOSTNAME>* /etc/openldap/certs/
mv rootCA.* /etc/openldap/certs/
  • Set the rights for the certificates

chown ldap: /etc/openldap/certs/*

Step 3

Create the OpenLDAP configuration.

  • Create tlsverify.ldif configuration file

  The order of the configuration lines in tlsverify.ldif is very important.
vim tlsverify.ldif
  • Content of tlsverify.ldif

  Check if the paths and names of the certificates exist and adjust if needed. The "-" in rule 20 is not a typo ;)
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/rootCA.crt

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:+SSLv3:+TLSv1:+SASL:MEDIUM:+SSLv2:@STRENGTH:+SHA:+MD5:!NULL

dn: cn=config
changetype: modify
add: olcTLSVerifyClient
olcTLSVerifyClient: try

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/<HOSTNAME>.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/<HOSTNAME>.<MY_DOMAIN>.<MY_TLD>.crt

Step 4

  • Run the configuartion

ldapmodify -Y EXTERNAL -H ldapi:/// -f tlsverify.ldif

Enable public Key provisioning

  This step is needed to enable public key provisioning from KeyHub

Step 1

  • Install openssh-ldap.
    This is needed for adding the ssh key schema

yum -y install openssh-ldap

Step 2

Create the OpenLDAP configuration.

  • Create openssh-ldap.conf file (in this example this is done in /root/ldap)

vim /root/ldap/openssh-ldap.conf
  • Content of openssh-ldap.conf

  The path of the files to be included depends on the installed version.
include /etc/openldap/schema/core.schema
include /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.schema
  • Create the cn=config directory and files using slapcat
    slapcat reads from the current database based on the created config file and outputs to the specified directory.

slapcat -f /root/ldap/openssh-ldap.conf -F /root/ldap -n 0
  • Copy /root/ldap/cn=config/cn=schema/cn={1}openssh-lpk-openldap.ldif to /root/ldap/openssh-ldap.ldif

cp cn\=config/cn\=schema/cn\=\{1\}openssh-lpk-openldap.ldif /root/ldap/openssh-ldap.ldif
  • Edit /root/ldap/openssh-ldap.ldif

  • Remove the lines similar to these

structuralObjectClass: olcSchemaConfig
entryUUID: 02a17a84-79a3-103b-9158-15bfba5efd60
creatorsName: cn=config
createTimestamp: 20210715102733Z
entryCSN: 20210715102733.168332Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210715102733Z
  • Replace dn: cn={1}openssh-lpk-openldap with dn: cn=openssh-openldap,cn=schema,cn=config

  • Replace cn: {1}openssh-lpk-openldap with cn: openssh-openldap

The resulting file should look similar to this

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 d4505710
dn: cn=openssh-openldap,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' D
ESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.
1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DE
SC 'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicK
ey $ uid ) )

Step 3

  • Apply configuration

ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-ldap.ldif

Step 4

  • Restart OpenLDAP

systemctl restart slapd