open ldap configuration on rhel3-u4
Nilesh Joshi
nileshnjoshi at gmail.com
Sat Aug 15 04:10:18 UTC 2009
Thanks Rick.
I do not have access to systems now. I will do the suggested changes on
Monday once I have access.
Regards,
-Nilesh
On Fri, Aug 14, 2009 at 5:07 PM, Rick Stevens <ricks at nerd.com> wrote:
> This is really aimed at Nilesh, but the rest of the list may be
> interested.
>
> I attach a full-up TLS/SSL slapd.conf file. This is taken from the
> servers we use here, cleaned up and sanitized. Our servers are OpenLDAP
> 2.4.16, but the same basic stuff should work. I include comments about
> some things so that, with a bit of tweaking regarding the "authz-regexp"
> stuff, turning off "starttls=yes" in the syncrepl items, using a
> cleartext password hash and such, it can be used for both TLS/SSL or
> SASL systems.
>
> I hope this helps folk in the future.
>
> #----------------- CUT HERE -------------------------------------------
> #
> # slapd.conf file for TLS/SSL configurations. Easily modified for use
> # with SASL configurations.
> # Author: Rick Stevens, HCI/C2, Inc.
> # Last Edit: 1 August 2009
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/misc.schema
> # Include stuff for the ppolicy mechanism...
> include /usr/local/etc/openldap/schema/ppolicy.schema
> # Include stuff for LDAP control of sudo...
> include /usr/local/etc/openldap/schema/sudo.schema
> # Include stuff for LDAP-based SSH public keys (requires a hack to sshd)
> #include /usr/local/etc/openldap/schema/openssh-lpk_openldap.schema
>
> # DEBUGGING LOG LEVELS
> #loglevel 256 128 32 4 1
> loglevel 128
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /usr/var/run/slapd.pid
> #argsfile /usr/var/run/slapd.args
>
> # Load dynamic backend modules:
> modulepath /usr/lib64/openldap
> moduleload accesslog.la
> moduleload auditlog.la
> moduleload dyngroup.la
> moduleload pcache.la
> moduleload ppolicy.la
> moduleload refint.la
> moduleload retcode.la
> moduleload rwm.la
> moduleload syncprov.la
> moduleload translucent.la
> moduleload unique.la
> moduleload valsort.la
>
> # Password Requirements
> # For SASL, this MUST be in cleartext...
> #password-hash {CLEARTEXT}
> # Note that our specifications in both the ppolicy overlay and password
> # checking library can only check the bits of the password after the
> # cipher encryption. This makes SSHA unusable as it doesn't
> # necessarily generate any "special" (punctuation) characters, so we
> # have to use MD5 encryption. Ain't that a kick in the head?
> password-hash {MD5}
>
> # Authentication
> # SASL will look up DIGEST-MD5 stuff in the LDAP database using these
> # regex mappings. Note that under SSL, we do NOT use these!
> # First, handle people who use a DN of "uid="...
> #authz-regexp
> # uid=([^,]*),cn=[^,]*,cn=auth
> # uid=$1,ou=people,dc=ourcompany,dc=com
>
> # Also handle people who use a DN of "cn="...
> #authz-regexp
> # cn=([^,]*),cn=[^,]*,cn=auth
> # uid=sysman,ou=People,dc=ourcompany,dc=com
>
> # Security restrictions
> # Require integrity protection (prevent hijacking)
> # Require 112-bit (3DES or better) encryption for updates
> # Require 128-bit (SSL) encryption for simple bind
> security ssf=1 update_ssf=112 simple_bind=128
>
> #######################################################################
> # ACL specifications for pam_ldap and syncrepl...
> #######################################################################
> # Replication and God-like user ACL
> # These users get full write access, primarily because a) gods must
> # be able to do anything; and b) we use mirror mode meaning that
> # other servers have to be able to update our database.
> access to *
> by dn="uid=sysman,ou=People,dc=ourcompany,dc=com" tls_ssf=128 write
> by dn="cn=manager,dc=ourcompany,dc=com" tls_ssf=128 write
> by * break
>
> # Authentication ACL
> # Anonymous users can authenticate only
> # Authenticated users can modify their userPassword and
> # shadowLastChange. No other access permitted.
> access to attrs=userPassword,shadowLastChange
> by anonymous auth
> by self write
> by * none
>
> #######################################################################
> # TLS/SSL Configuration
> #######################################################################
> TLSCACertificateFile /etc/openldap/cacerts/ourcompany-cacert.pem
> TLSCertificateFile /etc/openldap/cacerts/thisserver-cert.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/thisserver-key.pem
>
> #######################################################################
> # BDB database definitions
> #######################################################################
> database bdb
> suffix "dc=ourcompany,dc=com"
> rootdn "cn=Manager,dc=ourcompany,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> #
> # NOTE: See note above the "password-hash" option for the reason we use
> # MD5 instead of something harder to crack (like SSHA).
> #rootpw Th1sis0urP@$$w0rD!
> rootpw {MD5}OhIMKkO7reCpMM3ZPwcvqQ==
>
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /usr/var/openldap-data
>
> # Indices to maintain for this database...
> # NOTE: the entryUUID index is to speed up syncrepl
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
> index entryUUID eq
>
> # syncrepl replicas of this database...
> # We will set up ldap1 and ldap2 as "mirror-mirror" or a hot-standby
> # configuration.
> #
> # The basic replication is via the "syncprov" overlay using these
> # criteria:
> # 1) Checkpoint every 10 write operations or 1 minute, whichever is
> # first.
> # 2) Checkpoint the session log every 100 operations
> overlay syncprov
> syncprov-checkpoint 10 1
> syncprov-sessionlog 100
>
> # Here are the syncrepl configs. "rid 001" pulls from the main
> # server, "rid 002" pulls from the secondary server, "rid 003" pulls
> # from the remote server. Note that it's OK to use cleartext
> # credentials here as everything's encrypted by SSL first (the
> # "starttls=yes" option).
> syncrepl rid=001
> provider=ldap://192.168.1.53
> type=refreshAndPersist
> retry="60 +"
> searchbase="dc=ourcompany,dc=com"
> scope=sub
> schemachecking=on
> starttls=yes
> bindmethod=simple
> binddn="uid=sysman,ou=People,dc=ourcompany,dc=com"
> credentials=Th1sis0urP@$$w0rD!
>
> syncrepl rid=002
> provider=ldap://192.168.1.10
> type=refreshAndPersist
> retry="60 +"
> searchbase="dc=ourcompany,dc=com"
> scope=sub
> schemachecking=on
> starttls=yes
> bindmethod=simple
> binddn="uid=sysman,ou=People,dc=ourcompany,dc=com"
> credentials=Th1sis0urP@$$w0rD!
>
> syncrepl rid=003
> provider=ldap://192.168.1.11
> type=refreshAndPersist
> retry="60 +"
> searchbase="dc=ourcompany,dc=com"
> scope=sub
> schemachecking=on
> starttls=yes
> bindmethod=simple
> binddn="uid=sysman,ou=People,dc=ourcompany,dc=com"
> credentials=Th1sis0urP@$$w0rD!
>
> # Turn on mirror mode and set the server ID (we're the primary
> # server)...
> mirrormode on
> serverID 1
>
> # Password policy enforcement...
> # Set up password policies via the "ppolicy" overlay.
> # Unless otherwise specified by a "pwdPolicySubentry" attribute
> # in a user's entry, they will use the policy defined in the
> # "ppolicy_default" entry here.
> # We force "Invalid Credentials" errors on locked accounts and
> # we store the passwords in LDAP in MD5 hashes. Note that the
> # "ppolicy_hash_cleartext" does NOT mean "save passwords in
> # cleartext". It means "hash any cleartext passwords BEFORE sending
> # them to the clients."
> overlay ppolicy
> ppolicy_default "cn=DefaultPassword,ou=Policies,dc=ourcompany,dc=com"
> ppolicy_use_lockout
> ppolicy_hash_cleartext
>
> #######################################################################
> # Monitoring and configuration database definitions
> #######################################################################
> # Monitor database...
> database monitor
> rootdn "cn=Manager,cn=Monitor"
> rootpw Th1sis0urP@$$w0rD!
>
> # Config database...
> database config
> rootdn "cn=Manager,cn=Config"
> rootpw Th1sis0urP@$$w0rD!
> #----------------- CUT HERE -------------------------------------------
>
>
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer ricks at nerd.com -
> - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
> - -
> - Time: Nature's way of keeping everything from happening at once. -
>
> ----------------------------------------------------------------------
>
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
>
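The quoted slapd.conf makes several security trade-offs explicitly (MD5 hashing so ppolicy can inspect passwords, cleartext syncrepl credentials justified by starttls=yes, cleartext rootpw on the monitor and config databases). A quick way to keep such trade-offs visible when a file like this is reused is a static audit. The script below is an added example for this thread, not OpenLDAP code and not from Rick's or Nilesh's systems: it parses slapd.conf(5) syntax (continuation lines begin with whitespace) and flags weak hash schemes, cleartext rootpw, a missing security directive or weak simple_bind SSF, missing TLS material, and syncrepl consumers that would send simple-bind credentials without StartTLS or ldaps://. The embedded sample config is constructed with placeholder values and follows the structure of the posted file.

```python
"""Static audit of a slapd.conf for weak settings (added example, not OpenLDAP code)."""
import re
import sys

# {CLEARTEXT} stores passwords unhashed; {MD5}, {SMD5}, {SHA} are fast or
# unsalted digests. {SSHA} and {CRYPT} are deliberately not flagged here.
WEAK_SCHEMES = {"{CLEARTEXT}", "{MD5}", "{SMD5}", "{SHA}"}

# Constructed sample modelled on the config quoted above; every value is a
# placeholder. Indented lines are slapd.conf continuation lines.
SAMPLE_CONF = """\
password-hash {MD5}
security ssf=1 update_ssf=112 simple_bind=128
TLSCACertificateFile /etc/openldap/cacerts/ca.pem
TLSCertificateFile /etc/openldap/cacerts/server-cert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server-key.pem

database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {MD5}PLACEHOLDERHASH==
syncrepl rid=001
  provider=ldap://192.0.2.10
  retry="60 +"
  starttls=yes
  bindmethod=simple
  binddn="uid=sysman,ou=People,dc=example,dc=com"
  credentials=PLACEHOLDER
syncrepl rid=002
  provider=ldap://192.0.2.11
  bindmethod=simple
  binddn="uid=sysman,ou=People,dc=example,dc=com"
  credentials=PLACEHOLDER

database monitor
rootdn "cn=Manager,cn=Monitor"
rootpw PLACEHOLDER
"""


def parse_slapd_conf(text):
    """Return (directive, arguments) pairs. Per slapd.conf(5), a line starting
    with whitespace continues the previous line; '#' and blank lines are skipped."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    pairs = []
    for line in logical:
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def parse_kv(args):
    """key=value tokens with optional double-quoted values (syncrepl, security)."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', args)}


def audit(text):
    """Return a list of (severity, message) findings for one slapd.conf."""
    findings = []
    db = "(global)"
    saw_security = have_cert = have_key = False
    for directive, args in parse_slapd_conf(text):
        if directive == "database":
            db = args.split()[0] if args else "?"
        elif directive == "password-hash":
            scheme = args.split()[0].upper() if args else ""
            if scheme in WEAK_SCHEMES:
                sev = "high" if scheme == "{CLEARTEXT}" else "medium"
                findings.append((sev, f"password-hash {scheme}: prefer a salted scheme such as {{SSHA}}"))
        elif directive == "rootpw":
            if not args.startswith("{"):
                findings.append(("high", f"rootpw for database '{db}' is cleartext; use slappasswd(8) output"))
            elif args.split("}")[0].upper() + "}" in WEAK_SCHEMES:
                findings.append(("medium", f"rootpw for database '{db}' uses a weak hash scheme"))
        elif directive == "security":
            saw_security = True
            if int(parse_kv(args).get("simple_bind", 0)) < 128:
                findings.append(("medium", "security: simple_bind below 128 allows simple binds without strong encryption"))
        elif directive == "tlscertificatefile":
            have_cert = True
        elif directive == "tlscertificatekeyfile":
            have_key = True
        elif directive == "syncrepl":
            kv = parse_kv(args)
            provider = kv.get("provider", "")
            # simple bind + plain ldap:// + no StartTLS = credentials cross the wire in clear
            if (kv.get("bindmethod", "simple").lower() == "simple"
                    and not provider.lower().startswith("ldaps://")
                    and kv.get("starttls", "no").lower() not in ("yes", "critical")):
                findings.append(("high", f"syncrepl rid={kv.get('rid', '?')}: simple-bind credentials to "
                                         f"{provider} without starttls=yes or ldaps://"))
    if not saw_security:
        findings.append(("medium", "no 'security' directive: no minimum SSF is enforced"))
    if not (have_cert and have_key):
        findings.append(("high", "TLSCertificateFile/TLSCertificateKeyFile missing: server cannot offer TLS"))
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for severity, message in audit(source):
        print(f"[{severity}] {message}")
```

Run it against a real file with `python3 slapd_audit.py /etc/openldap/slapd.conf`; without an argument it audits the embedded sample, where rid=002 (no starttls) and the monitor database's cleartext rootpw are reported as high, and the two {MD5} uses as medium. The MD5 finding is a prompt, not a verdict: Rick's comments explain why his ppolicy setup needed it, and the audit's job is to make that decision visible to whoever inherits the file.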