<div>Thanks Rick. </div> <div> </div> <div>I do not have access to systems now. I will do the suggested changes on monday once I have access.</div> <div> </div> <div> </div> <div>Regards,</div> <div>-Nilesh </div> <div class="gmail_quote">On Fri, Aug 14, 2009 at 5:07 PM, Rick Stevens <<a href="mailto:ricks@nerd.com">ricks@nerd.com</a>> wrote: <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">This is really aimed at Nilesh, but the rest of the list may be interested. I attach a full-up TLS/SSL slapd.conf file. This is taken from the servers we use here, cleaned up and sanitized. Our servers are OpenLDAP 2.4.16, but the same basic stuff should work. I include comments about some things so that, with a bit of tweaking regarding the "authz-regexp" stuff, turning off "starttls=yes" in the syncrepl items, using a cleartext password hash and such, it can be used for both TLS/SSL or SASL systems. I hope this helps folk in the future. #----------------- CUT HERE ------------------------------------------- # # slapd.conf file for TLS/SSL configurations. Easily modified for use # with SASL configurations. # Author: Rick Stevens, HCI/C2, Inc. # Last Edit: 1 August 2009 # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/misc.schema # Include stuff for the ppolicy mechanism... include /usr/local/etc/openldap/schema/ppolicy.schema # Include stuff for LDAP control of sudo... include /usr/local/etc/openldap/schema/sudo.schema # Include stuff for LDAP-based SSH public keys (requires a hack to sshd) #include /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema # DEBUGGING LOG LEVELS #loglevel 256 128 32 4 1 loglevel 128 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://<a href="http://root.openldap.org/" target="_blank">root.openldap.org</a> <div class="im"> pidfile /usr/var/run/slapd.pid #argsfile /usr/var/run/slapd.args </div># Load dynamic backend modules: modulepath /usr/lib64/openldap moduleload <a href="http://accesslog.la/" target="_blank">accesslog.la</a> moduleload <a href="http://auditlog.la/" target="_blank">auditlog.la</a> moduleload <a href="http://dyngroup.la/" target="_blank">dyngroup.la</a> moduleload <a href="http://pcache.la/" target="_blank">pcache.la</a> moduleload <a href="http://ppolicy.la/" target="_blank">ppolicy.la</a> moduleload <a href="http://refint.la/" target="_blank">refint.la</a> moduleload <a href="http://retcode.la/" target="_blank">retcode.la</a> moduleload <a href="http://rwm.la/" target="_blank">rwm.la</a> moduleload <a href="http://syncprov.la/" target="_blank">syncprov.la</a> moduleload <a href="http://translucent.la/" target="_blank">translucent.la</a> moduleload <a href="http://unique.la/" target="_blank">unique.la</a> moduleload <a href="http://valsort.la/" target="_blank">valsort.la</a> # Password Requirements # For SASL, this MUST be in cleartext... #password-hash {CLEARTEXT} # Note that our specifications in both the ppolicy overlay and password # checking library can only check the bits of the password after the # cipher encryption. This makes SSHA unusable as it doesn't # necessarily generate any "special" (punctuation) characters, so we # have to use MD5 encryption. Ain't that a kick in the head? password-hash {MD5} # Authentication # SASL will look up DIGEST-MD5 stuff in the LDAP database using these # regex mappings. Note that under SSL, we do NOT use these! # First, handle people who use a DN of "uid="... #authz-regexp # uid=([^,]*),cn=[^,]*,cn=auth # uid=$1,ou=people,dc=ourcompany,dc=com # Also handle people who use a DN of "cn="... #authz-regexp # cn=([^,]*),cn=[^,]*,cn=auth # uid=sysman,ou=People,dc=ourcompany,dc=com # Security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 128-bit (SSL) encryption for simple bind security ssf=1 update_ssf=112 simple_bind=128 ####################################################################### # ACL specifications for pam_ldap and syncrepl... ####################################################################### # Replication and God-like user ACL # These users get full write access, primarily because a) gods must # be able to do anything; and b) we use mirror mode meaning that # other servers have to be able to update our database. access to * by dn="uid=sysman,ou=People,dc=ourcompany,dc=com" tls_ssf=128 write by dn="cn=manager,dc=ourcompany,dc=com" tls_ssf=128 write by * break # Authentication ACL # Anonymous users can authenticate only # Authenticated users can modify their userPassword and # shadowLastChange. No other access permitted. access to attrs=userPassword,shadowLastChange <div class="im"> by anonymous auth by self write by * none </div>####################################################################### # TLS/SSL Configuration ####################################################################### TLSCACertificateFile /etc/openldap/cacerts/ourcompany-cacert.pem TLSCertificateFile /etc/openldap/cacerts/thisserver-cert.pem TLSCertificateKeyFile /etc/openldap/cacerts/thisserver-key.pem ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=ourcompany,dc=com" rootdn "cn=Manager,dc=ourcompany,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # # NOTE: See note above the "password-hash" option for the reason we use # MD5 instead of something harder to crack (like SSHA). #rootpw Th1sis0urP@$$w0rD! rootpw {MD5}OhIMKkO7reCpMM3ZPwcvqQ== # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. <div class="im"> directory /usr/var/openldap-data </div># Indices to maintain for this database... # NOTE: the entryUUID index is to speed up syncrepl index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryUUID eq # syncrepl replicas of this database... # We will set up ldap1 and ldap2 as "mirror-mirror" or a hot-standby # configuration. # # The basic replication is via the "syncprov" overlay using these # criteria: # 1) Checkpoint every 10 write operations or 1 minute, whichever is # first. # 2) Checkpoint the session log every 100 operations overlay syncprov syncprov-checkpoint 10 1 syncprov-sessionlog 100 # Here are the syncrepl configs. "rid 001" pulls from the main # server, "rid 002" pulls from the secondary server, "rid 003" pulls # from the remote server. Note that it's OK to use cleartext # credentials here as everything's encrypted by SSL first (the # "starttls=yes" option). syncrepl rid=001 provider=ldap://<a href="http://192.168.1.53/" target="_blank">192.168.1.53</a> type=refreshAndPersist retry="60 +" searchbase="dc=ourcompany,dc=com" scope=sub schemachecking=on starttls=yes bindmethod=simple binddn="uid=sysman,ou=People,dc=ourcompany,dc=com" credentials=Th1sis0urP@$$w0rD! syncrepl rid=002 provider=ldap://<a href="http://192.168.1.10/" target="_blank">192.168.1.10</a> type=refreshAndPersist retry="60 +" searchbase="dc=ourcompany,dc=com" scope=sub schemachecking=on starttls=yes bindmethod=simple binddn="uid=sysman,ou=People,dc=ourcompany,dc=com" credentials=Th1sis0urP@$$w0rD! syncrepl rid=003 provider=ldap://<a href="http://192.168.1.11/" target="_blank">192.168.1.11</a> type=refreshAndPersist retry="60 +" searchbase="dc=ourcompany,dc=com" scope=sub schemachecking=on starttls=yes bindmethod=simple binddn="uid=sysman,ou=People,dc=ourcompany,dc=com" credentials=Th1sis0urP@$$w0rD! # Turn on mirror mode and set the server ID (we're the primary # server)... mirrormode on serverID 1 # Password policy enforcement... # Set up password policies via the "ppolicy" overlay. # Unless otherwise specified by a "pwdPolicySubentry" attribute # in a user's entry, they will use the policy defined in the # "ppolicy_default" entry here. # We force "Invalid Credentials" errors on locked accounts and # we store the passwords in LDAP in MD5 hashes. Note that the # "ppolicy_hash_cleartext" does NOT mean "save passwords in # cleartext". It means "hash any cleartext passwords BEFORE sending # them to the clients. overlay ppolicy ppolicy_default "cn=DefaultPassword,ou=Policies,dc=ourcompany,dc=com" ppolicy_use_lockout ppolicy_hash_cleartext ####################################################################### # Monitoring and configuration database definitions ####################################################################### # Monitor database... database monitor rootdn "cn=Manager,cn=Monitor" rootpw Th1sis0urP@$$w0rD! # Config database... database config rootdn "cn=Manager,cn=Config" rootpw Th1sis0urP@$$w0rD! #----------------- CUT HERE ------------------------------------------- <div class="im"> ---------------------------------------------------------------------- - Rick Stevens, Systems Engineer <a href="mailto:ricks@nerd.com" target="_blank">ricks@nerd.com</a> - - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 - - - </div>- Time: Nature's way of keeping everything from happening at once. - <div> <div></div> <div class="h5"> ---------------------------------------------------------------------- _______________________________________________ Redhat-install-list mailing list <a href="mailto:Redhat-install-list@redhat.com" target="_blank">Redhat-install-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/redhat-install-list" target="_blank">https://www.redhat.com/mailman/listinfo/redhat-install-list</a> To Unsubscribe Go To ABOVE URL or send a message to: <a href="mailto:redhat-install-list-request@redhat.com" target="_blank">redhat-install-list-request@redhat.com</a> Subject: unsubscribe </div></div></blockquote></div>