Changes between Version 3 and Version 4 of ldapiam2018


Timestamp:
Sep 4, 2018, 6:55:18 AM (6 years ago)
Author:
admin
Comment:

--

Legend: lines prefixed "v3:" were removed in version 4, lines prefixed "v4:" were added, and unprefixed lines are unchanged context; a row reading "…" marks unchanged lines omitted from the diff.
  • ldapiam2018

    v3 v4  
sudo dpkg-reconfigure slapd
}}}
v3: Answer the prompts appropriately, using t'''***No''' (we want an initial database and configuration)
v4: Answer the prompts appropriately, using the information below as a starting point:
v4: * Omit OpenLDAP server configuration? '''No''' (we want an initial database and configuration)
* DNS domain name: '''YOUR-DOMAIN''' (use the server's domain name, minus the hostname. This will be used to create the base entry for the information tree)
* Organization name: '''Your Institute''' (This will simply be added to the base entry as the name of your institute)
…
=== Create the Certificate Templates ===
To encrypt our connections, we'll need to configure a certificate authority and use it to sign the keys for the LDAP server(s) in our infrastructure. So for our single server setup, we will need two sets of key/certificate pairs: one for the certificate authority itself and one that is associated with the LDAP service.

To create the certificates needed to represent these entities, we'll create some template files. These will contain the information that the certtool utility needs in order to create certificates with the appropriate properties.

Start by making a directory to store the template files:
{{{
…
}}}
Save and close the file.

Next, we can create a template for our LDAP server certificate called ldap_server.conf. Create and open the file in your text editor with sudo privileges:
{{{
…
}}}
Here, we'll provide a few different pieces of information. We'll provide the name of our organization and set the tls_www_server, encryption_key, and signing_key options so that our cert has the basic functionality it needs.

The cn in this template must match the FQDN of the LDAP server. If this value does not match, the client will reject the server's certificate. We will also set the expiration date for the certificate. We'll create a 10 year certificate to avoid having to manage frequent renewals: `ldap_server.conf`
{{{
…
}}}
Save and close the file when you're finished.

=== Create CA Key and Certificate ===
Now that we have our templates, we can create our two key/certificate pairs. We need to create the certificate authority's set first.

Use the certtool utility to generate a private key. The `/etc/ssl/private` directory is protected from non-root users and is the appropriate location to place the private keys we will be generating. We can generate a private key and write it to a file called ca_server.key within this directory by typing:
{{{
…
}}}
We now have the private key and certificate pair for our certificate authority. We can use this to sign the key that will be used to actually encrypt the LDAP session.

=== Create LDAP Service Key and Certificate ===
Next, we need to generate a private key for our LDAP server. We will again put the generated key in the `/etc/ssl/private` directory for security purposes and will call the file ldap_server.key for clarity.

We can generate the appropriate key by typing:
{{{
…
}}}
Once we have the private key for the LDAP server, we have everything we need to generate a certificate for the server. We will need to pull in almost all of the components we've created thus far (the CA certificate and key, the LDAP server key, and the LDAP server template).

We will put the certificate in the `/etc/ssl/certs` directory and name it `ldap_server.pem`. The command we need is:
{{{
sudo certtool -c --load-privkey /etc/ssl/private/ldap_server.key --load-ca-certificate /etc/ssl/certs/ca_server.pem --load-ca-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ldap_server.conf --outfile /etc/ssl/certs/ldap_server.pem
}}}

=== Give OpenLDAP Access to the LDAP Server Key ===
We now have all of the certificates and keys we need. However, currently, our OpenLDAP process will be unable to access its own key.

A group called ssl-cert already exists as the group-owner of the `/etc/ssl/private` directory. We can add the user our OpenLDAP process runs under (openldap) to this group:
{{{
…
}}}
Our OpenLDAP process can now access the key file properly.

=== Configure OpenLDAP to Use the Certificate and Keys ===
We have our files and have configured access to the components correctly. Now, we need to modify our OpenLDAP configuration to use the files we've made. We will do this by creating an LDIF file with our configuration changes and loading it into our LDAP instance.

Move to your home directory and open a file called `addcerts.ldif`. We will put our configuration changes in this file:
{{{
…
}}}
To make configuration changes, we need to target the cn=config entry of the configuration DIT. We need to specify that we are modifying the attributes of the entry. Afterwards we add the `olcTLSCACertificateFile`, `olcTLSCertificateFile`, and `olcTLSCertificateKeyFile` attributes and set them to the correct file locations.

The end result will look like this:
{{{
…
}}}
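As an added example (not part of the wiki page), the following POSIX shell script builds the `addcerts.ldif` described above, loads it into cn=config over the local ldapi socket, and then checks that a STARTTLS upgrade succeeds; it assumes the file paths used earlier on this page and the placeholder FQDN ldap.YOUR-DOMAIN. All three attributes go into one modify operation because slapd validates the certificate/key pair when the change is applied, so adding the certificate and its key in separate operations fails with "Other (e.g., implementation specific) error (80)", the usual cause of the import error mentioned below.

```shell
#!/bin/sh
# Added example, not code from the wiki page. Paths follow the page; the
# FQDN ldap.YOUR-DOMAIN is the page's placeholder.
set -eu

# Print the LDIF for cn=config. One modify operation, three "add" changes
# separated by "-" lines: slapd checks that the certificate matches the key
# when it applies the change, so the pair must arrive together.
addcerts_ldif() {
    ca="$1"; cert="$2"; key="$3"
    cat <<EOF
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: $ca
-
add: olcTLSCertificateFile
olcTLSCertificateFile: $cert
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $key
EOF
}

# Load it over ldapi:/// with SASL EXTERNAL: on Debian/Ubuntu the local root
# peer credential has manage access to cn=config, so no rootpw is needed.
apply_addcerts() {
    addcerts_ldif /etc/ssl/certs/ca_server.pem \
                  /etc/ssl/certs/ldap_server.pem \
                  /etc/ssl/private/ldap_server.key > "$HOME/addcerts.ldif"
    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f "$HOME/addcerts.ldif"
}

# Prove the upgrade works: -ZZ makes the client fail unless STARTTLS succeeds
# and the server certificate chains to the CA named in LDAPTLS_CACERT.
verify_starttls() {
    LDAPTLS_CACERT=/etc/ssl/certs/ca_server.pem \
        ldapwhoami -x -ZZ -H "ldap://$1:389"
}

# Only touch the running server when explicitly asked: sh addcerts.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_addcerts
    verify_starttls ldap.YOUR-DOMAIN
fi
```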
If you see an error while importing, start `slapd` in debug mode:
{{{
…
}}}
Your clients can now be configured to encrypt their connections to the server over the conventional 'ldap://ldap.YOUR-DOMAIN:389' port by using STARTTLS.

== Setting up the Client Machines ==
v3: In order to connect to the LDAP server and initiate a STARTTLS upgrade, the clients must have access to the certificate authority certificate and must request the upgrade.
v3: On the OpenLDAP Server
v4: In order to connect to the LDAP server and initiate a STARTTLS upgrade, the clients must have access to the certificate authority certificate and must request the upgrade. On the OpenLDAP Server

If you are interacting with the OpenLDAP server from the server itself, you can set up the client utilities by copying the CA certificate and adjusting the client configuration file.

First, copy the CA certificate from the `/etc/ssl/certs` directory to a file within the `/etc/ldap` directory. We will call this file ca_certs.pem. This file can be used to store all of the CA certificates that clients on this machine may wish to access. For our purposes, this will only contain a single certificate:
{{{
…
=== Load eduPerson Schema ===
Get the schema downloaded from [https://ws.learn.ac.lk/raw-attachment/wiki/ldapiam2018/eduperson-201602.ldif eduperson-201602.ldif]

Or the latest from `https://spaces.at.internet2.edu/display/macedir/LDIFs`

Load it using:
{{{
…
}}}
Also, let's load the schema for academia, SCHAC.
v3: Get the schema downloaded from [https://ws.learn.ac.lk/raw-attachment/wiki/ldapiam2018/SCHAC.ldif SCHAC.ldif][SCHAC.ldif](./schac-20150413.ldif)

v4: Get the schema downloaded from [https://ws.learn.ac.lk/raw-attachment/wiki/ldapiam2018/SCHAC.ldif SCHAC.ldif]

Or the latest from `https://wiki.refeds.org/display/STAN/SCHAC+Releases`

Load it using:
{{{