Adding OpenLDAP

Assumptions

You will need to substitute correct values for the following when applicable:

  • Base DN: dc=example,dc=org
  • Administrator DN: cn=admin,dc=example,dc=org
  • Administrator password: XXXXXXXX (do not use XXXXXXXX).

RHEL 6 installation

  1. Run the following commands:

    yum install openldap-servers
    yum install openldap-clients
    cp -rv /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    chown -R ldap:ldap /var/lib/ldap
    cd /etc/openldap/slapd.d/cn=config
    

    Do not start the server yet.

  2. Encrypt the admin password:

    slappasswd
    

    Enter XXXXXXXX twice. This outputs a salted SHA-1 hash of the password, starting with {SSHA}. Copy that value to the clipboard; it is what goes into olcRootPW in the next step, not the plaintext password.

    The result for XXXXXXXX is {SSHA}4bxi0+aXeYvv2TGT10VWUIwcaynqBbxH (do not use this value).

  3. Edit olcDatabase={2}bdb.ldif, and update/add the following values. Do not change anything else:

    olcSuffix: dc=example,dc=org
    olcRootDN: cn=admin,dc=example,dc=org
    olcRootPW: {SSHA}4bxi0+aXeYvv2TGT10VWUIwcaynqBbxH
    
  4. Edit olcDatabase={1}monitor.ldif, and update the admin DN. Do not change anything else:

    olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
     l,cn=auth" read  by dn.base="cn=admin,dc=example,dc=org" read  by * none
    

    The second line begins with a single space: that is LDIF line folding, and it must be kept (or the two lines joined into one) for the file to stay valid.

  5. Run the following commands:

    service slapd start
    chkconfig slapd on
    
  6. Create the file with the following contents in /tmp/ldapssl.ldif:

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ssl/private/www_cert.pem
    -
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ssl/private/www_privatekey.pem
    -
    replace: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/ssl/private/www_intermediate.pem
    
    dn: olcDatabase={2}bdb,cn=config
    changetype: modify
    delete: olcTLSCertificateFile
    -
    delete: olcTLSCertificateKeyFile
    
  7. Import with the following command:

    ldapmodify -Y EXTERNAL -H ldapi:///  < /tmp/ldapssl.ldif
    
  8. Edit /etc/sysconfig/ldap:

    SLAPD_LDAPS=yes
    
  9. Restart LDAP server.

    service slapd restart
    
  10. Create the file with the following contents in /tmp/ppolicy1.ldif:

    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulepath: /usr/lib/ldap
    olcModuleload: ppolicy.so
    
    dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
    objectClass: olcPPolicyConfig
    olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=org
    
    dn: olcDatabase={2}bdb,cn=config
    changetype: modify
    add: olcAccess
    # password attributes: anonymous clients may only use them to bind (auth),
    # the admin may write them, nobody may read them back
    olcAccess: to attrs=userPassword,shadowLastChange by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
    # everything else: the admin may write, everyone (including anonymous) may read
    olcAccess: to * by dn="cn=admin,dc=example,dc=org" write by * read
    
  11. Import with the following command (these entries modify cn=config, which is writable only by the local root identity via SASL EXTERNAL over ldapi:///, not by the admin DN from step 3):

    ldapadd -Y EXTERNAL -H ldapi:///  < /tmp/ppolicy1.ldif
    
  12. Create the file with the following contents in /tmp/ppolicy2.ldif:

    dn: dc=example,dc=org
    objectClass: top
    objectClass: domain
    
    dn: ou=Accounts,dc=example,dc=org
    objectClass: organizationalUnit
    
    dn: ou=Groups,dc=example,dc=org
    objectClass: organizationalUnit
    
    dn: ou=policies,dc=example,dc=org
    objectClass: organizationalUnit
    
    dn: cn=default,ou=policies,dc=example,dc=org
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    pwdAttribute: userPassword
    
  13. Import with the following command (these entries belong to the main database, so bind as its root DN from step 3):

    ldapadd -x -H ldapi:///  -D cn=admin,dc=example,dc=org -W < /tmp/ppolicy2.ldif
    
  14. Test ldap connections.

    ldapsearch -x -b 'dc=example,dc=org' -D cn=admin,dc=example,dc=org -W -ZZ
    

    Fix any errors.

  15. Require TLS for operations on the main database. Setting olcSecurity on that database only, rather than globally, keeps cn=config reachable over ldapi:/// as used in the steps above. Create the file with the following contents in /tmp/security.ldif:

    dn: olcDatabase={2}bdb,cn=config
    changetype: modify
    replace: olcSecurity
    olcSecurity: tls=1
    
  16. Import with the following command:

    ldapmodify -Y EXTERNAL -H ldapi:/// < /tmp/security.ldif
    

    Note

    This does not guarantee that a password is never sent in the clear: a misconfigured client can still attempt a simple bind without TLS, and the password has left that client before slapd answers. What it does guarantee is that such an attempt fails, so no bind to this database can succeed over a plaintext connection.

Debian installation

  1. Run the following commands:

    apt-get install slapd
    apt-get install ldap-utils
    addgroup openldap ssl-cert
    

    Enter XXXXXXXX when prompted for administrator’s password.

  2. Create the file with the following contents in /tmp/ppolicy1.ldif:

    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulepath: /usr/lib/ldap/
    olcModuleload: ppolicy.la
    
    dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
    objectClass: olcPPolicyConfig
    olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=org
    
  3. Create the file with the following contents in /tmp/ldapssl.ldif:

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ssl/private/www_cert.pem
    -
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ssl/private/www_privatekey.pem
    -
    replace: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/ssl/private/www_intermediate.pem
    
  4. Import with the following command:

    ldapadd -Y EXTERNAL -H ldapi:/// < /etc/ldap/schema/ppolicy.ldif
    ldapadd -Y EXTERNAL -H ldapi:///  < /tmp/ppolicy1.ldif
    ldapmodify -Y EXTERNAL -H ldapi:///  < /tmp/ldapssl.ldif
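The ldapssl.ldif applied here (and in RHEL steps 6 and 7) goes straight into the running cn=config, and a wrong path in olcTLSCertificateKeyFile only surfaces when slapd next fails to bring up TLS. The following script is an added example, not part of the Karaage documentation or of OpenLDAP: it reads an LDIF change file, including the folded continuation lines slapd writes (such as the olcAccess line in olcDatabase={1}monitor.ldif), and checks that every olcTLS* path in the cn=config record exists and that the private key is not world-readable. The sample LDIF inside is constructed from the page's ldapssl.ldif; the exists/mode_of parameters and all function names are this example's own, present so the checker can run against a fake filesystem.

```python
import os
import stat
import sys
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Added example, not part of the Karaage documentation or of OpenLDAP.
# Only the LDIF subset used on this page is handled: "attr: value" lines,
# "-" separators, "#" comments and folded lines. Base64 ("attr:: value")
# and URL ("attr:< file") forms are not supported.

TLS_ATTRS = {"olctlscertificatefile", "olctlscertificatekeyfile",
             "olctlscacertificatefile"}


@dataclass
class Record:
    dn: str = ""
    changetype: str = "add"              # LDIF default when no changetype is given
    attrs: List[Tuple[str, str]] = field(default_factory=list)


def unfold_ldif(text: str) -> List[str]:
    """Join folded lines (a line starting with one space continues the
    previous one) and drop comment lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        raw = raw.rstrip("\r")
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            lines.append("")             # record separator, never a fold
        elif raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Record]:
    """Split LDIF into records; a bare "-" separator inside a modify record is
    kept as ("-", "") so the order of operations survives."""
    records: List[Record] = []
    pending: List[Tuple[str, str]] = []

    def flush() -> None:
        if not pending:
            return
        rec = Record()
        for name, value in pending:
            if name.lower() == "dn":
                rec.dn = value
            elif name.lower() == "changetype":
                rec.changetype = value
            else:
                rec.attrs.append((name, value))
        records.append(rec)
        pending.clear()

    for line in unfold_ldif(text):
        if line == "":
            flush()                      # blank line ends a record
        elif line == "-":
            pending.append(("-", ""))
        else:
            name, _, value = line.partition(":")
            pending.append((name.strip(), value.strip()))
    flush()
    return records


def audit_tls_paths(records: List[Record],
                    exists: Callable[[str], bool] = os.path.exists,
                    mode_of: Callable[[str], int] = lambda p: os.stat(p).st_mode
                    ) -> List[str]:
    """Findings for the TLS file attributes of the cn=config record: a path
    that does not exist, or a private key that is world-readable. Group access
    is not flagged: on Debian the key is expected to be root:ssl-cert 0640,
    which is why step 1 adds the openldap user to the ssl-cert group."""
    findings: List[str] = []
    for rec in records:
        if rec.dn.lower() != "cn=config":
            continue
        for name, value in rec.attrs:
            lname = name.lower()
            if lname not in TLS_ATTRS or value == "":
                continue
            if not exists(value):
                findings.append(f"{name}: {value} does not exist")
            elif lname == "olctlscertificatekeyfile" and mode_of(value) & stat.S_IRWXO:
                findings.append(f"{name}: {value} is world-readable")
    return findings


# Constructed sample: the page's ldapssl.ldif plus one folded olcAccess line
# of the kind slapd writes into olcDatabase={1}monitor.ldif.
SAMPLE_LDIF = """\
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/private/www_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/www_privatekey.pem
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/private/www_intermediate.pem

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth" read  by dn.base="cn=admin,dc=example,dc=org" read  by * none
"""

if __name__ == "__main__":
    # Usage: python ldif_preflight.py /tmp/ldapssl.ldif   (no argument: the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for finding in audit_tls_paths(parse_ldif(text)) or ["no problems found"]:
        print(finding)
```

Run it as root (the key is not readable by other users) before the ldapmodify in this step; an empty list of findings means the three paths resolve and the key mode is sane, which removes the most common reason for the -ZZ test further down to fail.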
    
  5. Create the file with the following contents in /tmp/ppolicy2.ldif:

    dn: ou=policies,dc=example,dc=org
    objectClass: organizationalUnit
    
    dn: ou=Accounts,dc=example,dc=org
    objectClass: organizationalUnit
    
    dn: ou=Groups,dc=example,dc=org
    objectClass: organizationalUnit
    
    dn: cn=default,ou=policies,dc=example,dc=org
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    pwdAttribute: userPassword
    
  6. Import with the following command:

    ldapadd -x -H ldapi:///  -D cn=admin,dc=example,dc=org -W < /tmp/ppolicy2.ldif
    
  7. Test ldap connections.

    ldapsearch -x -b 'dc=example,dc=org' -ZZ
    

    Fix any errors.

  8. Require TLS for operations on the main database. Setting olcSecurity on that database only, rather than globally, keeps cn=config reachable over ldapi:/// as used in the steps above. Create the file with the following contents in /tmp/security.ldif:

    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    replace: olcSecurity
    olcSecurity: tls=1
    
  9. Import with the following command:

    ldapmodify -Y EXTERNAL -H ldapi:/// < /tmp/security.ldif
    

    Note

    This does not guarantee that a password is never sent in the clear: a misconfigured client can still attempt a simple bind without TLS, and the password has left that client before slapd answers. What it does guarantee is that such an attempt fails, so no bind to this database can succeed over a plaintext connection.

Configuring Karaage to use LDAP

  1. Add the LDAP and DATASTORES settings to /etc/karaage3/settings.py:

    LDAP = {
        'default': {
            'ENGINE': 'tldap.backend.fake_transactions',
            'URI': 'ldap://www.example.org',
            'USER': 'cn=admin,dc=example,dc=org',
            'PASSWORD': 'XXXXXXXX',
            'REQUIRE_TLS': True,
            'START_TLS': True,
            'TLS_CA': None,
        }
    }
    
    DATASTORES = [
        {
            'DESCRIPTION': 'LDAP datastore',
            'ENGINE': 'karaage.datastores.ldap.DataStore',
            'LDAP': 'default',
            'ACCOUNT': 'karaage.datastores.ldap_schemas.openldap_account',
            'GROUP': 'karaage.datastores.ldap_schemas.openldap_account_group',
            'PRIMARY_GROUP': "institute",
            'DEFAULT_PRIMARY_GROUP': "dummy",
            'HOME_DIRECTORY': "/home/%(uid)s",
            'LOCKED_SHELL': "/usr/local/sbin/locked",
            'NUMBER_SCHEME': 'default',
            'LDAP_ACCOUNT_BASE': 'ou=Accounts,dc=example,dc=org',
            'LDAP_GROUP_BASE': 'ou=Groups,dc=example,dc=org',
        },
    ]
    
  2. (optional) If you require people to be recorded in LDAP, add the GLOBAL_DATASTORES setting to /etc/karaage3/settings.py:

    GLOBAL_DATASTORES = [
        {
            'DESCRIPTION': 'LDAP datastore',
            'ENGINE': 'karaage.datastores.ldap.GlobalDataStore',
            'LDAP': 'default',
            'PERSON': 'karaage.datastores.ldap_schemas.openldap_person',
            'GROUP': 'karaage.datastores.ldap_schemas.openldap_person_group',
            'NUMBER_SCHEME': 'global',
            'LDAP_PERSON_BASE': 'ou=People,dc=example,dc=org',
            'LDAP_GROUP_BASE': 'ou=People_Groups,dc=example,dc=org',
        },
    ]
    

    For best results the base DNs (LDAP_PERSON_BASE, LDAP_ACCOUNT_BASE and the two LDAP_GROUP_BASE values) should differ between the GLOBAL_DATASTORES and the DATASTORES settings, so that people and accounts do not end up in the same subtree.

  3. Reload apache and restart the celery worker so both pick up the new settings.

    service apache2 reload
    service python-karaage-celery restart
    
  4. Log into the web interface and add a machine category that references the LDAP datastore. This should automatically populate LDAP with any entries you have created.

  5. Add missing LDAP entries:

    kg-manage migrate_ldap