Adding OpenLDAP

Assumptions

You will need to substitute correct values for the following when applicable:

  • Base DN: dc=example,dc=org
  • Administrator DN: cn=admin,dc=example,dc=org
  • Administrator password: XXXXXXXX (do not use XXXXXXXX).

RHEL 6 installation

  1. Run the following commands:

    yum install openldap-servers
    yum install openldap-clients
    cp -rv /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    chown -R ldap:ldap /var/lib/ldap
    cd /etc/openldap/slapd.d/cn=config
    

    Do not start the server yet.

  2. Encrypt the admin password:

    slappasswd
    

    Enter XXXXXXXX twice. This should output a salted SHA-1 password hash starting with {SSHA}. Copy that into the clipboard.

    The result for XXXXXXXX is {SSHA}4bxi0+aXeYvv2TGT10VWUIwcaynqBbxH (do not use this value).
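    The value slappasswd prints is base64(SHA-1(password + salt) + salt) with a short random salt, so the hash can be checked against the password it was made from. The script below is an added example, not part of Karaage or OpenLDAP; it reproduces the {SSHA} format and reads the olcRootPW line out of a slapd.d LDIF file, so you can confirm that the value you paste in the next step really belongs to the administrator password from the Assumptions section before slapd is started. The file path in the usage comment and the helper names are this example's own.

```python
"""Check an {SSHA} hash of the kind slappasswd prints (added example)."""
import base64
import getpass
import hashlib
import hmac
import os
import sys
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest length in bytes; whatever follows it is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} value in the same layout slappasswd emits."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also appends a few random salt bytes
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """True if `password` is the password behind the {SSHA} value `stored`."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so the check itself does not leak via timing
    return hmac.compare_digest(candidate, digest)


def rootpw_matches(ldif_text: str, password: str) -> bool:
    """Locate olcRootPW in the text of a slapd.d LDIF file and check it.

    LDIF stores a value either as 'attr: value' or, base64-encoded, as
    'attr:: value'; both spellings are handled.
    """
    for line in ldif_text.splitlines():
        lowered = line.lower()
        if lowered.startswith("olcrootpw::"):
            stored = base64.b64decode(line.split("::", 1)[1].strip()).decode("utf-8")
        elif lowered.startswith("olcrootpw:"):
            stored = line.split(":", 1)[1].strip()
        else:
            continue
        return check_ssha(password, stored)
    raise ValueError("no olcRootPW attribute in the given LDIF")


if __name__ == "__main__":
    # usage (hypothetical path, adjust to your slapd.d):
    #   python3 check_rootpw.py < '/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif'
    # The password is read from the terminal rather than argv so it never shows in `ps`.
    ldif = sys.stdin.read()
    print("match" if rootpw_matches(ldif, getpass.getpass("admin password: ")) else "NO MATCH")
```

    The page's own {SSHA} string decodes to 24 bytes (a 20-byte digest plus a 4-byte salt), which is the layout check_ssha() expects.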

  3. Edit olcDatabase={2}bdb.ldif, and update/add the following values. Do not change anything else:

    olcSuffix: dc=example,dc=org
    olcRootDN: cn=admin,dc=example,dc=org
    olcRootPW: {SSHA}4bxi0+aXeYvv2TGT10VWUIwcaynqBbxH
    
  4. Edit olcDatabase={1}monitor.ldif, and update the admin DN. Do not change anything else (the leading space on the wrapped second line is LDIF line folding and must be kept):

    olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
     l,cn=auth" read  by dn.base="cn=admin,dc=example,dc=org" read  by * none
    
  5. Run the following commands:

    service slapd start
    chkconfig slapd on
    
  6. Create the file with the following contents in /tmp/ldapssl.ldif:

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ssl/private/www_cert.pem
    -
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ssl/private/www_privatekey.pem
    -
    replace: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/ssl/private/www_intermediate.pem
    
    dn: olcDatabase={2}bdb,cn=config
    changetype: modify
    delete: olcTLSCertificateFile
    -
    delete: olcTLSCertificateKeyFile
    
  7. Import with the following command:

    ldapmodify -Y EXTERNAL -H ldapi:///  < /tmp/ldapssl.ldif
    
  8. Edit /etc/sysconfig/ldap:

    SLAPD_LDAPS=yes
    
  9. Restart LDAP server.

    service slapd restart
    
  10. Create the file with the following contents in /tmp/ppolicy1.ldif:

    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulepath: /usr/lib/ldap
    olcModuleload: ppolicy.so
    
    dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
    objectClass: olcPPolicyConfig
    olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=org
    
    dn: olcDatabase={2}bdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: to attrs=userPassword,shadowLastChange by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
    olcAccess: to * by dn="cn=admin,dc=example,dc=org" write by * read
    
  11. Import with the following command:

    ldapadd -Y EXTERNAL -H ldapi:///  < /tmp/ppolicy1.ldif
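    The two olcAccess values in /tmp/ppolicy1.ldif are order-sensitive: slapd picks the first "to" clause whose target covers the attribute being accessed, then the first matching "by" clause inside it decides, and an unmatched "to" clause denies. The model below is an added example, not OpenLDAP's code; it covers only the subject kinds used on this page (anonymous, users, dn="..." taken as an exact match, and *), which is enough to show that the userPassword rule must precede the catch-all, and what happens to the password hash if the order is reversed. The access() and allows() helpers and the sample bind DN are this example's own.

```python
"""Toy evaluator for the two olcAccess rules added to the main database (added example)."""
import re

# Access levels, weakest to strongest, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN_DN = "cn=admin,dc=example,dc=org"

# The two rules from /tmp/ppolicy1.ldif, in the order they are added.
ACL = [
    'to attrs=userPassword,shadowLastChange '
    'by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none',
    'to * by dn="cn=admin,dc=example,dc=org" write by * read',
]

_BY = re.compile(r'by\s+(anonymous|users|self|\*|dn="[^"]*")\s+(\w+)')


def parse_rule(rule):
    """Split one rule into (set of attributes, or None for '*', [(subject, level), ...])."""
    m = re.match(r'to\s+(\S+)\s+(.*)$', rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    target, rest = m.group(1), m.group(2)
    if target == "*":
        attrs = None
    elif target.startswith("attrs="):
        attrs = {a.lower() for a in target[len("attrs="):].split(",")}
    else:
        raise ValueError("unsupported target: " + target)
    return attrs, _BY.findall(rest)


def _matches(subject, requester):
    """Does the 'by' subject cover this requester (bind DN, or None for anonymous)?"""
    if subject == "*":
        return True
    if subject == "anonymous":
        return requester is None
    if subject == "users":
        return requester is not None
    if subject.startswith('dn="'):
        return requester is not None and requester.lower() == subject[4:-1].lower()
    return False  # 'self' needs the target entry, which this toy does not model


def access(requester, attribute, acl=ACL):
    """Access level `requester` gets on `attribute` under `acl` (first match wins)."""
    for rule in acl:
        attrs, clauses = parse_rule(rule)
        if attrs is not None and attribute.lower() not in attrs:
            continue
        for subject, level in clauses:
            if _matches(subject, requester):
                return level
        return "none"  # 'to' matched but no 'by' did: implicit deny
    return "none"  # rules exist but none matched: slapd denies


def allows(requester, attribute, needed, acl=ACL):
    """True if the granted level reaches `needed` (levels are cumulative)."""
    return LEVELS.index(access(requester, attribute, acl)) >= LEVELS.index(needed)


if __name__ == "__main__":
    bob = "uid=bob,ou=Accounts,dc=example,dc=org"  # constructed sample account
    for who in (None, bob, ADMIN_DN):
        print(who or "anonymous", "userPassword:", access(who, "userPassword"),
              "cn:", access(who, "cn"))
    print("reversed order, bob on userPassword:", access(bob, "userPassword", ACL[::-1]))
```

    With the rules as written, an authenticated account other than the admin gets no access to userPassword (anonymous gets just enough to bind); with the order reversed, the catch-all "to *" grants read on the hash to everyone.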
    
  12. Create the file with the following contents in /tmp/ppolicy2.ldif:

    dn: dc=example,dc=org
    objectClass: top
    objectClass: domain
    
    dn: ou=Accounts,dc=example,dc=org
    objectClass: organizationalUnit
    
    dn: ou=Groups,dc=example,dc=org
    objectClass: organizationalUnit
    
    dn: ou=policies,dc=example,dc=org
    objectClass: organizationalUnit
    
    dn: cn=default,ou=policies,dc=example,dc=org
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    pwdAttribute: userPassword
    
  13. Import with the following command:

    ldapadd -x -H ldapi:///  -D cn=admin,dc=example,dc=org -W < /tmp/ppolicy2.ldif
    
  14. Test LDAP connections:

    ldapsearch -x -b 'dc=example,dc=org' -D cn=admin,dc=example,dc=org -W -ZZ
    

    Fix any errors.

  15. Force the use of SSL for accessing the main database without disabling access to cn=config. Create the file with the following contents in /tmp/security.ldif:

    dn: olcDatabase={2}bdb,cn=config
    changetype: modify
    replace: olcSecurity
    olcSecurity: tls=1
    
  16. Import with the following command:

    ldapmodify -Y EXTERNAL -H ldapi:/// < /tmp/security.ldif
    

    Note

    This won’t guarantee that a client never tries to send an LDAP password in the clear; however, with olcSecurity tls=1 the server rejects operations on this database over a connection that has not negotiated TLS, so such attempts should fail.

Debian installation

  1. Run the following commands:

    apt-get install slapd
    apt-get install ldap-utils
    addgroup openldap ssl-cert
    

    Enter XXXXXXXX when prompted for administrator’s password.

  2. Create the file with the following contents in /tmp/ppolicy1.ldif:

    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulepath: /usr/lib/ldap/
    olcModuleload: ppolicy.la
    
    dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
    objectClass: olcPPolicyConfig
    olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=org
    
  3. Create the file with the following contents in /tmp/ldapssl.ldif:

    dn: cn=config
    changetype: modify
    replace: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ssl/private/www_cert.pem
    -
    replace: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ssl/private/www_privatekey.pem
    -
    replace: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/ssl/private/www_intermediate.pem
    
  4. Import with the following commands:

    ldapadd -Y EXTERNAL -H ldapi:/// < /etc/ldap/schema/ppolicy.ldif
    ldapadd -Y EXTERNAL -H ldapi:///  < /tmp/ppolicy1.ldif
    ldapmodify -Y EXTERNAL -H ldapi:///  < /tmp/ldapssl.ldif
    
  5. Create the file with the following contents in /tmp/ppolicy2.ldif:

    dn: ou=policies,dc=example,dc=org
    objectClass: organizationalUnit
    
    dn: ou=Accounts,dc=example,dc=org
    objectClass: organizationalUnit
    
    dn: ou=Groups,dc=example,dc=org
    objectClass: organizationalUnit
    
    dn: cn=default,ou=policies,dc=example,dc=org
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    pwdAttribute: userPassword
    
  6. Import with the following command:

    ldapadd -x -H ldapi:///  -D cn=admin,dc=example,dc=org -W < /tmp/ppolicy2.ldif
    
  7. Test LDAP connections:

    ldapsearch -x -b 'dc=example,dc=org' -ZZ
    

    Fix any errors.

  8. Force the use of SSL for accessing the main database without disabling access to cn=config. Create the file with the following contents in /tmp/security.ldif:

    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    replace: olcSecurity
    olcSecurity: tls=1
    
  9. Import with the following command:

    ldapmodify -Y EXTERNAL -H ldapi:/// < /tmp/security.ldif
    

    Note

    This won’t guarantee that a client never tries to send an LDAP password in the clear; however, with olcSecurity tls=1 the server rejects operations on this database over a connection that has not negotiated TLS, so such attempts should fail.

Configuring Karaage to use LDAP

  1. Add the LDAP and MACHINE_CATEGORY_DATASTORES settings to /etc/karaage3/settings.py:

    LDAP = {
         'default': {
              'ENGINE': 'tldap.backend.fake_transactions',
              'URI': 'ldap://www.example.org',
              'USER': 'cn=admin,dc=example,dc=org',
              'PASSWORD': 'XXXXXXXX',
              'REQUIRE_TLS': True,
              'START_TLS': True,
              'TLS_CA': None,
         }
    }
    
    MACHINE_CATEGORY_DATASTORES = {
         'ldap': [
              {
                    'DESCRIPTION': 'LDAP datastore',
                    'ENGINE': 'karaage.datastores.ldap.MachineCategoryDataStore',
                    'LDAP': 'default',
                    'ACCOUNT': 'karaage.datastores.ldap_schemas.openldap_account',
                    'GROUP': 'karaage.datastores.ldap_schemas.openldap_account_group',
                    'PRIMARY_GROUP': "institute",
                    'DEFAULT_PRIMARY_GROUP': "dummy",
                    'HOME_DIRECTORY': "/home/%(uid)s",
                    'LOCKED_SHELL': "/usr/local/sbin/locked",
                    'NUMBER_SCHEME': 'default',
                    'LDAP_ACCOUNT_BASE': 'ou=Accounts,dc=example,dc=org',
                    'LDAP_GROUP_BASE': 'ou=Groups,dc=example,dc=org',
              },
         ],
         'dummy': [
         ],
    }
    
  2. (optional) If you require people to be recorded in LDAP, add the GLOBAL_DATASTORES setting to /etc/karaage3/settings.py:

    GLOBAL_DATASTORES = [
          {
                'DESCRIPTION': 'LDAP datastore',
                'ENGINE': 'karaage.datastores.ldap.GlobalDataStore',
                'LDAP': 'default',
                'PERSON': 'karaage.datastores.ldap_schemas.openldap_person',
                'GROUP': 'karaage.datastores.ldap_schemas.openldap_person_group',
                'NUMBER_SCHEME': 'global',
                'LDAP_PERSON_BASE': 'ou=People,dc=example,dc=org',
                'LDAP_GROUP_BASE': 'ou=People_Groups,dc=example,dc=org',
          },
    ]
    

    For best results, the LDAP_*_BASE settings should differ between GLOBAL_DATASTORES and MACHINE_CATEGORY_DATASTORES.
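    The checks below are an added example, not part of Karaage: they take the LDAP, MACHINE_CATEGORY_DATASTORES and GLOBAL_DATASTORES settings shown above (copied here so the script runs offline) and flag the mistakes that matter before Apache is reloaded: TLS not required on a connection, an ldap:// URI without START_TLS, the placeholder password left in place, a datastore pointing at an undefined LDAP connection, and a base DN shared between the global and machine-category datastores. The function name check_settings() is this example's own.

```python
"""Pre-flight checks for the Karaage LDAP settings shown above (added example)."""

LDAP = {
    'default': {
        'ENGINE': 'tldap.backend.fake_transactions',
        'URI': 'ldap://www.example.org',
        'USER': 'cn=admin,dc=example,dc=org',
        'PASSWORD': 'XXXXXXXX',
        'REQUIRE_TLS': True,
        'START_TLS': True,
        'TLS_CA': None,
    }
}

MACHINE_CATEGORY_DATASTORES = {
    'ldap': [
        {
            'DESCRIPTION': 'LDAP datastore',
            'ENGINE': 'karaage.datastores.ldap.MachineCategoryDataStore',
            'LDAP': 'default',
            'ACCOUNT': 'karaage.datastores.ldap_schemas.openldap_account',
            'GROUP': 'karaage.datastores.ldap_schemas.openldap_account_group',
            'PRIMARY_GROUP': "institute",
            'DEFAULT_PRIMARY_GROUP': "dummy",
            'HOME_DIRECTORY': "/home/%(uid)s",
            'LOCKED_SHELL': "/usr/local/sbin/locked",
            'NUMBER_SCHEME': 'default',
            'LDAP_ACCOUNT_BASE': 'ou=Accounts,dc=example,dc=org',
            'LDAP_GROUP_BASE': 'ou=Groups,dc=example,dc=org',
        },
    ],
    'dummy': [],
}

GLOBAL_DATASTORES = [
    {
        'DESCRIPTION': 'LDAP datastore',
        'ENGINE': 'karaage.datastores.ldap.GlobalDataStore',
        'LDAP': 'default',
        'PERSON': 'karaage.datastores.ldap_schemas.openldap_person',
        'GROUP': 'karaage.datastores.ldap_schemas.openldap_person_group',
        'NUMBER_SCHEME': 'global',
        'LDAP_PERSON_BASE': 'ou=People,dc=example,dc=org',
        'LDAP_GROUP_BASE': 'ou=People_Groups,dc=example,dc=org',
    },
]

PLACEHOLDER_PASSWORDS = {"", "XXXXXXXX"}  # the page's stand-in value


def check_settings(ldap, machine_datastores, global_datastores):
    """Return a list of problems; an empty list means the settings pass these checks."""
    problems = []
    for name, conn in ldap.items():
        if not conn.get("REQUIRE_TLS"):
            problems.append(f"LDAP[{name!r}]: REQUIRE_TLS is off; the bind password could travel in clear text")
        if conn.get("URI", "").startswith("ldap://") and not conn.get("START_TLS"):
            problems.append(f"LDAP[{name!r}]: URI is ldap:// but START_TLS is off")
        if conn.get("PASSWORD") in PLACEHOLDER_PASSWORDS:
            problems.append(f"LDAP[{name!r}]: PASSWORD is still a placeholder")

    machine = [ds for stores in machine_datastores.values() for ds in stores]
    for ds in machine + list(global_datastores):
        if ds.get("LDAP") not in ldap:
            problems.append(f"{ds.get('DESCRIPTION')}: refers to unknown LDAP connection {ds.get('LDAP')!r}")

    # Global and machine-category datastores should not write under the same base DNs.
    machine_bases = {ds[k].lower() for ds in machine
                     for k in ("LDAP_ACCOUNT_BASE", "LDAP_GROUP_BASE") if k in ds}
    global_bases = {ds[k].lower() for ds in global_datastores
                    for k in ("LDAP_PERSON_BASE", "LDAP_GROUP_BASE") if k in ds}
    for base in sorted(machine_bases & global_bases):
        problems.append(f"base {base!r} is shared between GLOBAL_DATASTORES and MACHINE_CATEGORY_DATASTORES")
    return problems


if __name__ == "__main__":
    for problem in check_settings(LDAP, MACHINE_CATEGORY_DATASTORES, GLOBAL_DATASTORES):
        print("WARNING:", problem)
```

    Run against the values exactly as shown on this page it reports only the placeholder password; once the real values from /etc/karaage3/settings.py are substituted the list should be empty.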

  3. Reload Apache and restart the Karaage celery worker so both pick up the new settings:

    service apache2 reload
    service python-karaage-celery restart
    
  4. Log into web interface and add a machine category that references the ldap datastore. This should automatically populate LDAP with any entries you have created.

  5. Add missing LDAP entries:

    kg-manage migrate_ldap