This guide describes the steps needed to install and configure OpenLDAP on Centos 7 for use as a linked system with KeyHub.
Installing OpenLDAP
This part is based on the excellent guide provided at server world. Original can be found here.
you will need sudo rights throughout this guide. Either change into root or use sudo for all commands below. |
In this guide we use vi as a text editor. You can offcourse replace it by your favorite text editor. |
Step 1
-
Upda
Installing OpenLDAP
This part is based on the excellent guide provided at server world. Original can be found here.
you will need sudo rights throughout this guide. Either change into root or use sudo for all commands below. In this guide we use vi as a text editor. You can offcourse replace it by your favorite text editor. Step 1
-
Update your OS
yum update -y && yum upgrade -y
-
Install OpenLDAP Server and Client tools
yum -y install openldap-servers openldap-clients
-
Copy initial database configuration
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
-
Adjust rights
chown ldap: /var/lib/ldap/DB_CONFIG
-
Start OpenLDAP
systemctl start slapd
-
Enable OpenLDAP start at system boot
systemctl enable slapd
Step 2
-
Create a directory for the ldif files
mkdir /root/ldap
-
Change into this directory
cd ldap
-
Set OpenLDAP admin password
You might want to create a vault record in KeyHub and generate a password there ;)
Note the output for the next step.
slappasswd
-
Create chrootpw.ldif configuration file
vi chrootpw.ldif
-
Content of chrootpw.ldif
Use the output from the slappasswd step to replace the value in olcRootPW.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx-
Apply configuration
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
Step 3
-
Import basic schemas
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldifStep 4
Set your domain name in the OpenLDAP database.
-
Generate OpenLDAP manager’s password
You might want to create a vault record in KeyHub and generate a password there ;)
Note the output for the next step.
slappasswd
-
Create chdomain.ldif configuration file
vi chdomain.ldif
-
Content of chdomain.ldif
Use the output from the slappasswd step to replace the value in olcRootPW.
Make sure you replace dc=<MY_DOMAIN>, dc=<MY_TLD> with your own domain components. eg. dc=topicus-keyhub, dc=com dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=<MY_DOMAIN>,dc=<MY_TLD>
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" write by * read-
Apply configuration
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
-
Create basedomain.ldif configuration file
vi basedomain.ldif
-
Content of basedomain.ldif
Make sure you replace dc=<MY_DOMAIN>, dc=<MY_TLD> with your own domain components. dn: dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dn: cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: organizationalRole
cn: Manager
description: Directory Manager
dn: ou=People,dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: organizationalUnit
ou: Group-
Apply configuration
Make sure you replace dc=<MY_DOMAIN>, dc=<MY_TLD> with your own domain components. Use directory manager’s password when prompted. ldapadd -x -D cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD> -W -f basedomain.ldif
Step 5
If a firewall is running you need to allow LDAP service. LDAP uses 389/TCP. Firewalld is the default firewall serice for Centos 7. The commands below will open port 389 on Firewalld.
firewall-cmd --add-service=ldap --permanent
firewall-cmd --reloadte your OS
-
yum update -y && yum upgrade -y
-
Install OpenLDAP Server and Client tools
yum -y install openldap-servers openldap-clients
-
Copy initial database configuration
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
-
Adjust rights
chown ldap: /var/lib/ldap/DB_CONFIG
-
Start OpenLDAP
systemctl start slapd
-
Enable OpenLDAP start at system boot
systemctl enable slapd
Step 2
-
Create a directory for the ldif files
mkdir /root/ldap
-
Change into this directory
cd ldap
-
Set OpenLDAP admin password
You might want to create a vault record in KeyHub and generate a password there ;)
Note the output for the next step.
slappasswd
-
Create chrootpw.ldif configuration file
vi chrootpw.ldif
-
Content of chrootpw.ldif
Use the output from the slappasswd step to replace the value in olcRootPW.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
-
Apply configuration
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
Step 3
-
Import basic schemas
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
Step 4
Set your domain name in the OpenLDAP database.
-
Generate OpenLDAP manager’s password
You might want to create a vault record in KeyHub and generate a password there ;)
Note the output for the next step.
slappasswd
-
Create chdomain.ldif configuration file
vi chdomain.ldif
-
Content of chdomain.ldif
Use the output from the slappasswd step to replace the value in olcRootPW.
Make sure you replace dc=<MY_DOMAIN>, dc=<MY_TLD> with your own domain components. eg. dc=topicus-keyhub, dc=com |
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=<MY_DOMAIN>,dc=<MY_TLD>
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>" write by * read
-
Apply configuration
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
-
Create basedomain.ldif configuration file
vi basedomain.ldif
-
Content of basedomain.ldif
Make sure you replace dc=<MY_DOMAIN>, dc=<MY_TLD> with your own domain components. |
dn: dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dn: cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: organizationalRole
cn: Manager
description: Directory Manager
dn: ou=People,dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=<MY_DOMAIN>,dc=<MY_TLD>
objectClass: organizationalUnit
ou: Group
-
Apply configuration
Make sure you replace dc=<MY_DOMAIN>, dc=<MY_TLD> with your own domain components. Use directory manager’s password when prompted. |
ldapadd -x -D cn=Manager,dc=<MY_DOMAIN>,dc=<MY_TLD> -W -f basedomain.ldif
Step 5
If a firewall is running you need to allow LDAP service. LDAP uses 389/TCP. Firewalld is the default firewall serice for Centos 7. The commands below will open port 389 on Firewalld.
firewall-cmd --add-service=ldap --permanent
firewall-cmd --reload
Configuring TLS
For a secure connection between KeyHub and OpenLDAP we advise to use StartTLS.
Step 1
Create certificates and keys if you don’t want to or can’t use an existing one. Otherwise you can use your own certificate and skip this step.
-
Create Server certificate
Replace <HOSTNAME>, <MY_DOMAIN> and <MY_TLD> with the host and domain name you used for your OpenLDAP installation. eg. ldap_server, topicus-keyhub and com |
-
Create root certificate and key
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
-
Create server private key
openssl genrsa -out <HOSTNAME>.key 2048
-
Create the server certificate configuration file
vi <HOSTNAME>.conf
-
Content
Don’t forget to change at least the CN. Other values can be changed to your liking. |
[req]
default_bits=2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = NL
ST = Overijssel
L = Deventer
O = Topicus KeyHub
OU = KeyHub
emailAddress = info@<MY_DOMAIN>.<MY_TLD>
CN = <HOSTNAME>.<MY_DOMAIN>.<MY_TLD>
-
Create the server certificate signing request
openssl req -new -key <HOSTNAME>.key -out <HOSTNAME>.csr -config <HOSTNAME>.conf
-
Create the configuration for the alternative name
vi <HOSTNAME>.ext
-
Content
Change the DNS value to yours. eg. ldap_server.topicus-keyhub.com |
subjectAltName = DNS:<HOSTNAME>.<MY_DOMAIN>.<MY_TLD>
-
Create the server certificate
openssl x509 -req -in <HOSTNAME>.csr -CA ./rootCA.crt -CAkey ./rootCA.key -CAcreateserial -out <HOSTNAME>.<MY_DOMAIN>.<MY_TLD>.crt -days 500 -sha256 -extfile <HOSTNAME>.ext
-
Optionaly verify your certificate
openssl x509 -in <HOSTNAME>.<MY_DOMAIN>.<MY_TLD>.crt -text -noout
Step 2
Move the created certificates to the OpenLDAP directory and adjust the rights.
-
Move the certificates to /etc/openldap/certs
mv <HOSTNAME>* /etc/openldap/certs/
mv rootCA.* /etc/openldap/certs/
-
Set the rights for the certificates
chown ldap: /etc/openldap/certs/*
Step 3
Create the OpenLDAP configuration.
-
Create tlsverify.ldif configuration file
The order of the configuration lines in tlsverify.ldif is very important. |
vim tlsverify.ldif
-
Content of tlsverify.ldif
Check if the paths and names of the certificates exist and adjust if needed. The "-" in rule 20 is not a typo ;) |
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/rootCA.crt
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:+SSLv3:+TLSv1:+SASL:MEDIUM:+SSLv2:@STRENGTH:+SHA:+MD5:!NULL
dn: cn=config
changetype: modify
add: olcTLSVerifyClient
olcTLSVerifyClient: try
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/<HOSTNAME>.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/<HOSTNAME>.<MY_DOMAIN>.<MY_TLD>.crt
Step 4
-
Run the configuartion
ldapmodify -Y EXTERNAL -H ldapi:/// -f tlsverify.ldif
Enable public Key provisioning
This step is needed to enable public key provisioning from KeyHub |
Step 1
-
Install openssh-ldap.
This is needed for adding the ssh key schema
yum -y install openssh-ldap
Step 2
Create the OpenLDAP configuration.
-
Create openssh-ldap.conf file (in this example this is done in /root/ldap)
vim /root/ldap/openssh-ldap.conf
-
Content of openssh-ldap.conf
The path of the files to be included depends on the installed version. |
include /etc/openldap/schema/core.schema
include /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.schema
-
Create the cn=config directory and files using slapcat
slapcat reads from the current database based on the created config file and outputs to the specified directory.
slapcat -f /root/ldap/openssh-ldap.conf -F /root/ldap -n 0
-
Copy /root/ldap/cn=config/cn=schema/cn={1}openssh-lpk-openldap.ldif to /root/ldap/openssh-ldap.ldif
cp cn\=config/cn\=schema/cn\=\{1\}openssh-lpk-openldap.ldif /root/ldap/openssh-ldap.ldif
-
Edit /root/ldap/openssh-ldap.ldif
-
Remove the lines similar to these
structuralObjectClass: olcSchemaConfig
entryUUID: 02a17a84-79a3-103b-9158-15bfba5efd60
creatorsName: cn=config
createTimestamp: 20210715102733Z
entryCSN: 20210715102733.168332Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210715102733Z
-
Replace dn: cn={1}openssh-lpk-openldap with dn: cn=openssh-openldap,cn=schema,cn=config
-
Replace cn: {1}openssh-lpk-openldap with cn: openssh-openldap
The resulting file should look similar to this
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 d4505710
dn: cn=openssh-openldap,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' D
ESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.
1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DE
SC 'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicK
ey $ uid ) )
Step 3
-
Apply configuration
ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-ldap.ldif
Step 4
-
Restart OpenLDAP
systemctl restart slapd