Changes between Version 1 and Version 2 of ldapiam2018
Timestamp: Sep 4, 2018, 6:45:13 AM
ldapiam2018
v1 v2 20 20 * Move old database? '''Yes''' 21 21 === Create the Certificate Templates === 22 23 22 To encrypt our connections, we'll need to configure a certificate authority and use it to sign the keys for the LDAP server(s) in our infrastructure. So for our single server setup, we will need two sets of key/certificate pairs: one for the certificate authority itself and one that is associated with the LDAP service. 24 25 23 To create the certificates needed to represent these entities, we'll create some template files. These will contain the information that the certtool utility needs in order to create certificates with the appropriate properties. 26 27 24 Start by making a directory to store the template files: 28 29 25 {{{ 30 26 sudo mkdir /etc/ssl/templates 31 27 }}} 32 33 28 Create the template for the certificate authority first. We'll call the file ca_server.conf. Create and open the file in your text editor: 34 35 29 {{{ 36 30 sudo nano /etc/ssl/templates/ca_server.conf 37 31 }}} 38 39 32 We only need to provide a few pieces of information in order to successfully create a certificate authority. We need to specify that the certificate will be for a CA (certificate authority) by adding the ca option. We also need the cert_signing_key option to give the generated certificate the ability to sign additional certificates. We can set the cn to whatever descriptive name we'd like for our certificate authority: 40 41 33 {{{ 42 34 cn = LDAP Server CA … … 44 36 cert_signing_key 45 37 }}} 46 47 38 Save and close the file. 48 49 39 Next, we can create a template for our LDAP server certificate called ldap_server.conf. Create and open the file in your text editor with sudo privileges: 50 51 ``` 40 {{{ 52 41 sudo nano /etc/ssl/templates/ldap_server.conf 53 ``` 54 42 }}} 55 43 Here, we'll provide a few different pieces of information. 
We'll provide the name of our organization and set the tls_www_server, encryption_key, and signing_key options so that our cert has the basic functionality it needs. 56 57 44 The cn in this template must match the FQDN of the LDAP server. If this value does not match, the client will reject the server's certificate. We will also set the expiration date for the certificate. We'll create a 10 year certificate to avoid having to manage frequent renewals: `ldapserver.conf` 58 59 45 {{{ 60 46 organization = "Name of your institution" … … 110 96 }}} 111 97 To make configuration changes, we need to target the cn=config entry of the configuration DIT. We need to specify that we are wanting to modify the attributes of the entry. Afterwards we need to add the `olcTLSCACertificateFile`, `olcCertificateFile`, and `olcCertificateKeyFile` attributes and set them to the correct file locations. 112 113 98 The end result will look like this: 114 99 {{{ … … 132 117 sudo service slapd force-reload 133 118 }}} 134 135 119 If you see some error while importing, 136 137 120 Start your `slapd` in debug mode 138 139 ``` 121 {{{ 140 122 sudo service slapd stop 141 123 sudo slapd -h ldapi:/// -u openldap -g openldap -d 65 -F /etc/ldap/slapd.d/ -d 65 142 ``` 124 }}} 143 125 Then in another console, 144 145 ``` 126 {{{ 146 127 ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif 147 ``` 148 128 }}} 149 129 then `ctrl+c` to stop the debug mode on first console and start the service. 150 151 ``` 130 {{{ 152 131 sudo service slapd start 153 ``` 154 155 132 }}} 156 133 Your clients can now be configured to encrypt their connections to the server over the conventional 'ldap://ldap.YOUR-DOMAIN:389' port by using STARTTLS. 157 158 159 134 == Setting up the Client Machines == 160 161 135 In order to connect to the LDAP server and initiate a STARTTLS upgrade, the clients must have access to the certificate authority certificate and must request the upgrade. 
162 136 On the OpenLDAP Server 163 164 137 If you are interacting with the OpenLDAP server from the server itself, you can set up the client utilities by copying the CA certificate and adjusting the client configuration file. 165 166 138 First, copy the CA certificate from the `/etc/ssl/certs` directory to a file within the `/etc/ldap` directory. We will call this file ca_certs.pem. This file can be used to store all of the CA certificates that clients on this machine may wish to access. For our purposes, this will only contain a single certificate: 167 168 ``` 139 {{{ 169 140 sudo cp /etc/ssl/certs/ca_server.pem /etc/ldap/ca_certs.pem 170 ``` 141 }}} 171 142 Now, we can adjust the system-wide configuration file for the OpenLDAP utilities. Open up the configuration file in your text editor with sudo privileges: 172 173 ``` 143 {{{ 174 144 sudo nano /etc/ldap/ldap.conf 175 ``` 176 145 }}} 177 146 Adjust the value of the '''TLS_CACERT''' option to point to the file we just created: 178 179 ``` 147 {{{ 180 148 TLS_CACERT /etc/ldap/ca_certs.pem 181 149 TLS_REQCERT allow 182 ``` 183 150 }}} 184 151 Save and close the file. 185 152 186 153 You should now be able to upgrade your connections to use STARTTLS by passing the '''-Z''' option when using the OpenLDAP utilities. You can force STARTTLS upgrade by passing it twice. Test this by typing: 187 188 ``` 154 {{{ 189 155 ldapwhoami -H ldap:// -x -ZZ 190 ``` 156 }}} 191 157 This forces a STARTTLS upgrade. If this is successful, you should see: 192 ``` 158 {{{ 193 159 STARTTLS success 194 160 195 161 anonymous 196 ``` 197 198 ### Load eduPerson Schema. 
199 162 }}} 163 === Load eduPerson Schema === 200 164 Get the schema downloaded from [Eduperson.ldif](./eduperson-201602.ldif) 201 202 165 Or the latest from `https://spaces.at.internet2.edu/display/macedir/LDIFs` 203 204 166 Load it using: 205 206 ```bash 167 {{{ 207 168 ldapadd -Y EXTERNAL -H ldapi:/// -f eduperson-201602.ldif 208 ``` 209 169 }}} 210 170 Also Lets load The SChema for Academia, SCHAC. 211 171 Get the schema downloaded from [SCHAC.ldif](./schac-20150413.ldif) 212 213 172 Or the latest from `https://wiki.refeds.org/display/STAN/SCHAC+Releases` 214 215 173 Load it using: 216 217 ```bash 174 {{{ 218 175 ldapadd -Y EXTERNAL -H ldapi:/// -f schac-20150413.ldif 219 ``` 220 221 ### Create User Structure 222 223 Depending on your Institute's Requirement, you may create grouop as follows: 224 225 ``` 176 }}} 177 === Create User Structure === 178 Depending on your Institutes's Requirement, you may create group as follows: 179 {{{ 226 180 dn: ou=People,dc=YOUR-DOMAIN,dc=ac,dc=lk 227 181 objectClass: organizationalUnit … … 300 254 mail: testme@YOUR_DOMAIN 301 255 eduPersonPrincipalName: testme@YOUR_DOMAIN 302 303 ``` 256 }}} 304 257 305 258 Save the above as a ldif file and add it to your directory as 306 307 `ldapadd -H ldap:// -x -D "cn=admin,dc=YOUR-DOMAIN,dc=ac,dc=lk" -W -Z -f path_to_file.ldif` 259 {{{ 260 ldapadd -H ldap:// -x -D "cn=admin,dc=YOUR-DOMAIN,dc=ac,dc=lk" -W -Z -f path_to_file.ldif 261 }}}
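Review bot: in the ldap_server.conf hunk, the label `ldapserver.conf` that follows "frequent renewals:" does not match the file name `ldap_server.conf` used in the `sudo nano /etc/ssl/templates/ldap_server.conf` command; drop the stray label or correct it, since a reader copying names will look for the wrong file. The same paragraph chooses a 10-year certificate to avoid renewals; it is worth telling readers that a compromised server key then stays trusted by every client holding `ca_certs.pem` for the full decade unless the certificate is reissued and the old one withdrawn, so the CA key and the server key need to be protected accordingly.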
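Review bot: `TLS_REQCERT allow` in the `/etc/ldap/ldap.conf` block (right after `TLS_CACERT /etc/ldap/ca_certs.pem`) undoes the point of copying the CA certificate: with `allow` the client proceeds even when the server presents no certificate or one that does not validate against that CA, so the "STARTTLS success" from `ldapwhoami -H ldap:// -x -ZZ` proves only that TLS was negotiated, not that the server is the one the CA signed. Use `TLS_REQCERT demand` (the default, so the line can simply be omitted) and keep `allow` only as a temporary debugging setting. Minor points in the same hunk: `-d 65` is given twice in the `slapd -h ldapi:/// -u openldap -g openldap -d 65 -F /etc/ldap/slapd.d/ -d 65` debug command; "If you see some error while importing" names no error, so say what to look for in that debug output; and "Institutes's" and "SChema" are typos for "Institute's" and "schema".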
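Review bot: the closing `ldapadd -H ldap:// -x -D "cn=admin,dc=YOUR-DOMAIN,dc=ac,dc=lk" -W -Z -f path_to_file.ldif` passes `-Z` only once, so if the STARTTLS upgrade fails the simple bind continues in the clear and the admin password entered at `-W` crosses port 389 unencrypted; the client section of this page already says a single `-Z` is optional and passing it twice forces the upgrade, so use `-ZZ` here as the `ldapwhoami -H ldap:// -x -ZZ` test does. Also in this hunk, `mail: testme@YOUR_DOMAIN` and `eduPersonPrincipalName: testme@YOUR_DOMAIN` use an underscore while the dn uses `dc=YOUR-DOMAIN`; pick one placeholder spelling so readers replace it consistently.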