open ldap configuration on rhel3-u4
Rick Stevens
ricks at nerd.com
Sat Aug 15 00:07:03 UTC 2009
This is really aimed at Nilesh, but the rest of the list may be
interested.
I attach a full-up TLS/SSL slapd.conf file. This is taken from the
servers we use here, cleaned up and sanitized. Our servers are OpenLDAP
2.4.16, but the same basic stuff should work. I include comments about
some things so that, with a bit of tweaking regarding the "authz-regexp"
stuff, turning off "starttls=yes" in the syncrepl items, using a
cleartext password hash and such, it can be used for both TLS/SSL or
SASL systems.
I hope this helps folk in the future.
#----------------- CUT HERE -------------------------------------------
#
# slapd.conf file for TLS/SSL configurations. Easily modified for use
# with SASL configurations.
# Author: Rick Stevens, HCI/C2, Inc.
# Last Edit: 1 August 2009
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
# Include stuff for the ppolicy mechanism...
include /usr/local/etc/openldap/schema/ppolicy.schema
# Include stuff for LDAP control of sudo...
include /usr/local/etc/openldap/schema/sudo.schema
# Include stuff for LDAP-based SSH public keys (requires a hack to sshd)
#include /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema
# DEBUGGING LOG LEVELS
#loglevel 256 128 32 4 1
loglevel 128
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/var/run/slapd.pid
#argsfile /usr/var/run/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib64/openldap
moduleload accesslog.la
moduleload auditlog.la
moduleload dyngroup.la
moduleload pcache.la
moduleload ppolicy.la
moduleload refint.la
moduleload retcode.la
moduleload rwm.la
moduleload syncprov.la
moduleload translucent.la
moduleload unique.la
moduleload valsort.la
# Password Requirements
# For SASL, this MUST be in cleartext...
#password-hash {CLEARTEXT}
# Note that our specifications in both the ppolicy overlay and password
# checking library can only check the bits of the password after the
# cipher encryption. This makes SSHA unusable as it doesn't
# necessarily generate any "special" (punctuation) characters, so we
# have to use MD5 encryption. Ain't that a kick in the head?
password-hash {MD5}
# Authentication
# With SASL (DIGEST-MD5) binds, slapd maps the SASL authentication
# identity ("uid=<user>,cn=<mechanism>,cn=auth", or
# "uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth" when a SASL realm is
# in use) to a directory entry with these authz-regexp rules, and
# verifies the digest against that entry's cleartext userPassword.
# Simple binds over SSL/TLS do NOT use these, so they stay commented
# out here!
# First, handle people who use a DN of "uid="...
#authz-regexp
# uid=([^,]*),cn=[^,]*,cn=auth
# uid=$1,ou=people,dc=ourcompany,dc=com
# Also handle people who use a DN of "cn="...
#authz-regexp
# cn=([^,]*),cn=[^,]*,cn=auth
# uid=sysman,ou=People,dc=ourcompany,dc=com
# Security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 128-bit (SSL) encryption for simple bind
security ssf=1 update_ssf=112 simple_bind=128
#######################################################################
# ACL specifications for pam_ldap and syncrepl...
#######################################################################
# Replication and God-like user ACL
# These users get full write access, primarily because a) gods must
# be able to do anything; and b) we use mirror mode meaning that
# other servers have to be able to update our database.
access to *
by dn="uid=sysman,ou=People,dc=ourcompany,dc=com" tls_ssf=128 write
by dn="cn=manager,dc=ourcompany,dc=com" tls_ssf=128 write
by * break
# Authentication ACL
# Anonymous users can authenticate only
# Authenticated users can modify their userPassword and
# shadowLastChange. No other access permitted.
access to attrs=userPassword,shadowLastChange
by anonymous auth
by self write
by * none
#######################################################################
# TLS/SSL Configuration
#######################################################################
TLSCACertificateFile /etc/openldap/cacerts/ourcompany-cacert.pem
TLSCertificateFile /etc/openldap/cacerts/thisserver-cert.pem
# The private key must be readable only by the user slapd runs as
# (mode 600); anyone who can read it can impersonate this server.
TLSCertificateKeyFile /etc/openldap/cacerts/thisserver-key.pem
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=ourcompany,dc=com"
rootdn "cn=Manager,dc=ourcompany,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#
# NOTE: See note above the "password-hash" option for the reason we use
# MD5 instead of something harder to crack (like SSHA).
#rootpw Th1sis0urP@$$w0rD!
rootpw {MD5}OhIMKkO7reCpMM3ZPwcvqQ==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/var/openldap-data
# Indices to maintain for this database...
# NOTE: the entryUUID index is to speed up syncrepl
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryUUID eq
# syncrepl replicas of this database...
# We will set up ldap1 and ldap2 as "mirror-mirror" or a hot-standby
# configuration.
#
# The basic replication is via the "syncprov" overlay using these
# criteria:
# 1) Checkpoint every 10 write operations or 1 minute, whichever is
# first.
# 2) Checkpoint the session log every 100 operations
overlay syncprov
syncprov-checkpoint 10 1
syncprov-sessionlog 100
# Here are the syncrepl configs. "rid 001" pulls from the main
# server, "rid 002" pulls from the secondary server, "rid 003" pulls
# from the remote server. The cleartext credentials here are only
# safe because "starttls=yes" brings the session under TLS before the
# bind, and the "simple_bind=128" security directive (the same config
# runs on every provider) rejects a simple bind that arrives without
# at least 128-bit encryption.
# NOTE: per slapd.conf(5), "starttls=yes" carries on WITHOUT TLS if
# the StartTLS request fails; "starttls=critical" aborts the session
# instead, and (in 2.4) "tls_reqcert=demand" makes the consumer verify
# the provider's certificate. Those are the safer settings.
syncrepl rid=001
provider=ldap://192.168.1.53
type=refreshAndPersist
retry="60 +"
searchbase="dc=ourcompany,dc=com"
scope=sub
schemachecking=on
starttls=yes
bindmethod=simple
binddn="uid=sysman,ou=People,dc=ourcompany,dc=com"
credentials=Th1sis0urP@$$w0rD!
syncrepl rid=002
provider=ldap://192.168.1.10
type=refreshAndPersist
retry="60 +"
searchbase="dc=ourcompany,dc=com"
scope=sub
schemachecking=on
starttls=yes
bindmethod=simple
binddn="uid=sysman,ou=People,dc=ourcompany,dc=com"
credentials=Th1sis0urP@$$w0rD!
syncrepl rid=003
provider=ldap://192.168.1.11
type=refreshAndPersist
retry="60 +"
searchbase="dc=ourcompany,dc=com"
scope=sub
schemachecking=on
starttls=yes
bindmethod=simple
binddn="uid=sysman,ou=People,dc=ourcompany,dc=com"
credentials=Th1sis0urP@$$w0rD!
# Turn on mirror mode and set the server ID (we're the primary
# server)...
mirrormode on
serverID 1
# Password policy enforcement...
# Set up password policies via the "ppolicy" overlay.
# Unless otherwise specified by a "pwdPolicySubentry" attribute
# in a user's entry, they will use the policy defined in the
# "ppolicy_default" entry here.
# We want a bind to a locked account to fail with the ordinary
# "Invalid Credentials" result, indistinguishable from a wrong
# password. That is what ppolicy does by default; setting
# "ppolicy_use_lockout" would instead tell the client (including an
# attacker guessing passwords) that the account exists and is locked,
# via the AccountLocked error of the password policy response.
# slapo-ppolicy(5) flags that as a security risk, so it stays off.
# Note that "ppolicy_hash_cleartext" does NOT mean "save passwords in
# cleartext". It makes slapd hash any cleartext userPassword value it
# receives in an Add or Modify operation with the "password-hash"
# scheme above BEFORE storing it (by default slapd only hashes
# passwords set through the Password Modify extended operation).
# A SASL/DIGEST-MD5 setup needs cleartext userPassword values, so it
# must leave this option off (or use "password-hash {CLEARTEXT}").
overlay ppolicy
ppolicy_default "cn=DefaultPassword,ou=Policies,dc=ourcompany,dc=com"
#ppolicy_use_lockout
ppolicy_hash_cleartext
#######################################################################
# Monitoring and configuration database definitions
#######################################################################
# Monitor database...
# As with the BDB rootpw above, use a slappasswd(8) hash here rather
# than cleartext: a cleartext rootpw is as sensitive as this file.
database monitor
rootdn "cn=Manager,cn=Monitor"
rootpw Th1sis0urP@$$w0rD!
# Config database (same note: hash the rootpw)...
database config
rootdn "cn=Manager,cn=Config"
rootpw Th1sis0urP@$$w0rD!
#----------------- CUT HERE -------------------------------------------
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- Time: Nature's way of keeping everything from happening at once. -
----------------------------------------------------------------------
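The authz-regexp rules in the slapd.conf above are commented out, and it is easy to get the mapping wrong. The following is an added example, not part of Rick's file or of OpenLDAP: it applies the two rules exactly as written to sample SASL authentication identities, so you can see which directory DN each identity lands on. slapd evaluates POSIX extended regular expressions in order and substitutes $1..$9 from the first rule that matches; Python's re module stands in for that here, and anchoring with fullmatch plus case-insensitive matching are this example's choices. The extra realm-aware rule and all identities shown are constructed for the demonstration.

```python
# Added example (not from the slapd.conf above): simulate OpenLDAP's
# authz-regexp mapping from a SASL identity to a directory DN.
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]

# The two rules from the slapd.conf, verbatim (pattern, replacement).
AUTHZ_REGEXP: List[Rule] = [
    (r"uid=([^,]*),cn=[^,]*,cn=auth", "uid=$1,ou=people,dc=ourcompany,dc=com"),
    (r"cn=([^,]*),cn=[^,]*,cn=auth", "uid=sysman,ou=People,dc=ourcompany,dc=com"),
]

# When SASL is configured with a realm, the identity gains a
# cn=<realm> component and the two rules above no longer match.
# A hypothetical rule for that form (not in the original file) goes
# first so the more specific shape wins.
AUTHZ_REGEXP_WITH_REALM: List[Rule] = [
    (r"uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth",
     "uid=$1,ou=people,dc=ourcompany,dc=com"),
] + AUTHZ_REGEXP


def authz_map(auth_id: str, rules: List[Rule] = AUTHZ_REGEXP) -> Optional[str]:
    """Return the directory DN a SASL identity maps to, or None when no
    rule matches (slapd is then left with the raw cn=auth identity,
    which has no entry whose userPassword could verify the digest)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_id, flags=re.IGNORECASE)
        if m is None:
            continue
        dn = replacement
        # Substitute the highest-numbered group first so $1 never
        # clobbers $10 in a rule with many groups.
        for idx in range(len(m.groups()), 0, -1):
            dn = dn.replace("$%d" % idx, m.group(idx))
        return dn
    return None


# Constructed SASL identities as slapd would present them to the rules.
SAMPLE_IDENTITIES = [
    "uid=alice,cn=digest-md5,cn=auth",                 # plain DIGEST-MD5 user
    "cn=ops,cn=digest-md5,cn=auth",                    # "cn=" style -> sysman
    "uid=alice,cn=ourcompany.com,cn=digest-md5,cn=auth",  # with a realm
    "uid=alice,ou=people,dc=ourcompany,dc=com",        # not a SASL identity
]


def demo(rules: List[Rule] = AUTHZ_REGEXP) -> dict:
    """Map every sample identity with the given rule set."""
    return {ident: authz_map(ident, rules) for ident in SAMPLE_IDENTITIES}


if __name__ == "__main__":
    for label, rules in (("original rules", AUTHZ_REGEXP),
                         ("with realm rule", AUTHZ_REGEXP_WITH_REALM)):
        print(label)
        for ident, dn in demo(rules).items():
            print("  %-52s -> %s" % (ident, dn))
```

The second original rule sends every "cn=<anything>" identity to the sysman entry, so a client presenting such a name is verified against sysman's stored password and, if it succeeds, is bound as sysman; that is the intended behaviour of the rule, but it is worth knowing before you uncomment it.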
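The file above settles on "password-hash {MD5}" and stores the rootdn password as an {MD5} value. The following is an added example, not part of Rick's file or of OpenLDAP: it builds {MD5} and {SSHA} userPassword values in the exact encodings slapd and slappasswd(8) use, verifies passwords against them, and then runs the one attack that separates the two schemes, a single precomputed table applied to a whole directory dump. {MD5} here is unsalted, so every user with the same password stores the same value and one table lookup per entry recovers them all; {SSHA} appends a random per-user salt, so the same table never hits. The hash scheme has no bearing on password-quality checking, which operates on the cleartext value before it is hashed (and on nothing at all if a client sends a pre-hashed value). The wordlist, user entries and passwords are constructed for the demonstration.

```python
# Added example (not from the slapd.conf above): OpenLDAP {MD5} vs
# {SSHA} userPassword encodings and why the unsalted one is weaker.
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def ldap_md5(password: str) -> str:
    """OpenLDAP {MD5} value: base64(md5(password)). No salt, so equal
    passwords always give identical stored values."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt).
    slappasswd(8) uses a random 4-byte salt by default; so do we."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a {MD5} or {SSHA} value the way
    slapd does on a simple bind, with a constant-time digest compare."""
    if stored.startswith("{MD5}"):
        expected = base64.b64decode(stored[len("{MD5}"):])
        actual = hashlib.md5(password.encode("utf-8")).digest()
        return hmac.compare_digest(actual, expected)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes
        actual = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(actual, expected)
    raise ValueError("unsupported userPassword scheme: " + stored[:8])


def md5_lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precompute {MD5} values for a wordlist once. Because the scheme is
    unsalted, this single table applies to every entry in the directory."""
    return {ldap_md5(word): word for word in wordlist}


def recover_unsalted(entries: Dict[str, str],
                     table: Dict[str, str]) -> Dict[str, str]:
    """Given a dump of dn -> userPassword, recover every {MD5} password
    present in the table with one dictionary lookup per entry and no
    hashing at all. {SSHA} values never hit: the per-user salt changes
    the digest, so each would need its own hashing run."""
    return {dn: table[v] for dn, v in entries.items() if v in table}


# Constructed wordlist and directory dump (hypothetical users/passwords).
WORDLIST = ["Summer2009", "Welcome1", "changeme", "P@ssw0rd"]
SAMPLE_DUMP = {
    "uid=alice,ou=people,dc=ourcompany,dc=com": ldap_md5("Summer2009"),
    "uid=bob,ou=people,dc=ourcompany,dc=com": ldap_md5("Summer2009"),
    "uid=carol,ou=people,dc=ourcompany,dc=com": ldap_ssha("Summer2009"),
    "uid=dave,ou=people,dc=ourcompany,dc=com": ldap_md5("n0t-in-the-list"),
}


def demo() -> Dict[str, str]:
    """Run the table lookup over the sample dump; returns dn -> password
    for every entry it recovers (alice and bob, never carol or dave)."""
    return recover_unsalted(SAMPLE_DUMP, md5_lookup_table(WORDLIST))


if __name__ == "__main__":
    print("alice and bob share a stored value:",
          SAMPLE_DUMP["uid=alice,ou=people,dc=ourcompany,dc=com"]
          == SAMPLE_DUMP["uid=bob,ou=people,dc=ourcompany,dc=com"])
    for dn, pw in demo().items():
        print("recovered", dn, "->", pw)
```

To produce a salted value for slapd.conf itself, "slappasswd -h {SSHA}" prints exactly the {SSHA} encoding built above; changing "password-hash" only affects passwords stored from then on, so existing {MD5} values stay until the users change them.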