First you need the following components to get this to work:
Installing the packages
Creating a certificate authority
- Creating the CA
- Creating server certs
- Testing and debugging CA certs
- slapd.conf
- ldap.conf
- Testing and debugging
- Adding the LDIF components to LDAP for the people OU and adding a user
- Adding users
- PAM/nscd configuration using the LDAP tools
- authconfig-tui
Installing the packages
yum install openldap*
yum install system-config*
The first line pulls in openldap, openldap-clients and openldap-servers. On the clients you also need nss_ldap (which provides /etc/ldap.conf, the NSS module and pam_ldap) and authconfig; both are normally part of a base install.
OK, now let's move on to the next step.
CA Configuration
Unlike every other document I found, the CA.sh script is not in /usr/share/openldap; on RHEL 5 it is installed as /etc/pki/tls/misc/CA. It creates the certificate authority under /etc/pki/CA, because the default OpenSSL configuration on RHEL 5 puts it there.
Run the script from that directory:
bash# cd /etc/pki/tls/misc
bash# ./CA -newca
Making CA certificate ...
Using configuration from /etc/pki/tls/openssl.cnf
Generating a 1024 bit RSA private key
..........................++++++
.........................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:   (I leave this blank; just press Enter)
Common Name (eg, YOUR name) []:
Email Address []:.
Your CA certificate (the public half) is now at /etc/pki/CA/cacert.pem; you will need it later. The CA private key, cakey.pem under the CA's private/ directory, is encrypted with the passphrase you just entered. It signs every server certificate your clients will trust, so it never leaves this machine and is never copied into /etc/openldap/cacerts.
Because of the way openssl.cnf is set up, you need to stay in /etc/pki/tls/misc for the next steps: the script reads newreq.pem from, and writes newcert.pem to, the current directory.
Creating Server Certificates
Now you need to create the server certificate and key for the LDAP server to use. The transcript below uses the 1024-bit default of the time; use rsa:2048 or larger today, since 1024-bit RSA is no longer considered safe. The -nodes flag leaves the private key unencrypted, which slapd needs in order to start unattended, so file permissions on the key matter (see below).
It is really important that the Common Name (CN) is the fully qualified host name clients will use to reach the server, for example yourserver.yourdomain.org, exactly as it appears in the ldap:// URI of the client configuration. With tls_checkpeer yes (or TLS_REQCERT demand) the client compares the host it connected to against the certificate and refuses to bind if they differ, so a bare domain such as yourdomain.org will not work.
bash# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Using configuration from /etc/pki/openssl.cnf
Generating a 1024 bit RSA private key
..............++++++
..........................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []: your city, for example SF
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []: optional, for example a department or sub-domain
Common Name (eg, YOUR name) []: the server's fully qualified host name, for example yourserver.yourdomain.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :.
It will produce newreq.pem in the current directory; because -keyout and -out point at the same file, it holds both the private key and the certificate request.
Now sign the request with the CA (you will be asked for the CA passphrase):
bash# ./CA -sign
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'State'
localityName :PRINTABLE:'City'
organizationName :PRINTABLE:'Example Org'
organizationalUnitName:PRINTABLE:'Example yourdomain'
commonName :PRINTABLE:'server.youdomain.com'
emailAddress :IA5STRING:'ldap@myserver.com'
Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days)
Sign the certificate? [y/n]:y
Now copy the signed certificate (newcert.pem), the file holding the private key (newreq.pem) and the CA certificate to /etc/openldap/cacerts, where slapd reads them:
cp /etc/pki/CA/cacert.pem /etc/openldap/cacerts/
cp /etc/pki/tls/misc/newcert.pem /etc/openldap/cacerts/servercrt.pem
cp /etc/pki/tls/misc/newreq.pem /etc/openldap/cacerts/serverkey.pem
serverkey.pem is an unencrypted private key (that is what -nodes did), so make it readable only by the account slapd runs as (ldap on RHEL 5): chown it to ldap:ldap and chmod it to 600. cacert.pem and servercrt.pem are public and can stay world-readable.
Now let's test the certificates to make sure everything is good before we go installing them:
openssl verify -CAfile /etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts/servercrt.pem
/etc/openldap/cacerts/servercrt.pem: OK
Anything other than OK means the certificate was not signed by this CA (or the wrong file was copied); fix that before touching slapd.conf.
Distribute cacert.pem, and only cacert.pem, to all the client machines; the server key and certificate stay on the server:
scp /etc/openldap/cacerts/cacert.pem user@host:/etc/openldap/cacerts/
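The same certificate work done with plain openssl commands, as an added example that is not part of the original page or of the CA.sh helper: one shell script that creates the CA and the server certificate with 2048-bit keys and a subjectAltName, and then performs the two checks the page does by hand, that servercrt.pem chains to cacert.pem and that its CN matches the host in the ldap:// URI. The output directory, organisation name and host names are assumptions for illustration; the script needs only openssl.

```shell
#!/bin/sh
# Added example, not from the original page: build the CA and the server
# certificate with plain openssl commands instead of the CA.sh helper, so
# every path and parameter is explicit. The directory, the organisation
# name and the host names are assumptions; the one thing that is not is
# that CN (and the SAN) must equal the host name in the ldap:// URI.

# make_ldap_certs DIR FQDN
# Writes cacert.pem, cakey.pem, serverkey.pem and servercrt.pem into DIR.
make_ldap_certs() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir"
    umask 077                      # private keys come out mode 600

    # 1. A self-signed CA. 2048-bit RSA: the 1024-bit default of the
    #    2008-era CA.sh is not acceptable any more.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/O=Example Org/CN=Example Org LDAP CA" 2>/dev/null

    # 2. Server key and request. CN is the FQDN clients will connect to.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr" \
        -subj "/O=Example Org/CN=$fqdn" 2>/dev/null

    # 3. Sign it. Modern clients match the host name against the
    #    subjectAltName, so put the FQDN there as well.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" \
        > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/servercrt.pem" -extfile "$dir/server.ext" 2>/dev/null

    # Only the CA *certificate* goes to clients; cakey.pem stays here.
    chmod 644 "$dir/cacert.pem" "$dir/servercrt.pem"
}

# verify_cert CAFILE CERT: succeed only if CERT chains to CAFILE. Greps
# the "OK" line rather than trusting the exit status, because old
# OpenSSL releases exit 0 even when verification fails.
verify_cert() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# cert_cn CERT: print the subject CN, whatever the openssl version's
# -subject output format (old "/CN=x" or new "CN = x").
cert_cn() {
    openssl x509 -in "$1" -noout -subject |
        sed -n 's#.*CN *= *\([^,/]*\).*#\1#p'
}

# cn_matches_uri CERT URI: the comparison tls_checkpeer / TLS_REQCERT
# demand will make, done up front so a mismatch shows here instead of
# as a bind failure on the client.
cn_matches_uri() {
    host=$(printf '%s\n' "$2" | sed -e 's#^[a-z]*://##' -e 's#[:/].*$##')
    [ "$(cert_cn "$1")" = "$host" ]
}

# Usage: sh make-ldap-certs.sh /etc/openldap/cacerts yourserver.yourdomain.org
if [ $# -eq 2 ]; then
    make_ldap_certs "$1" "$2"
    verify_cert "$1/cacert.pem" "$1/servercrt.pem" \
        && cn_matches_uri "$1/servercrt.pem" "ldap://$2/" \
        && echo "servercrt.pem chains to cacert.pem, CN=$(cert_cn "$1/servercrt.pem")"
fi
```

After running it, chown serverkey.pem to the slapd account exactly as for the CA.sh-produced key; the script only guarantees mode 600 for the owner that ran it.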
Configuring slapd.conf
This is the server configuration, /etc/openldap/slapd.conf. This part is kind of tricky, but I will give you some help on debugging below, so if you run into issues let me know.
Uncomment or change the following lines:
allow bind_v2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
access to *
by self write
by users read
by anonymous auth
database bdb
suffix "dc=yourdomain,dc=org"
rootdn "cn=Manager,dc=yourdomain,dc=org"
rootpw secret
Two caveats. First, do not leave rootpw as a clear-text word: run slappasswd and paste the {SSHA}... string it prints as the rootpw value. Second, "by self write" lets every user rewrite every attribute of their own entry, including uidNumber, gidNumber and loginShell; once nss_ldap trusts the directory that is a path to uid 0. A tighter ACL gives self write (and anonymous auth) only on userPassword, and read access on everything else.
The following are client settings, not server settings, and belong in /etc/openldap/ldap.conf (the file the OpenLDAP command-line tools such as ldapsearch read); the nss_ldap file /etc/ldap.conf is covered in the next section:
URI ldap://yourserver.yourdomain.org/
BASE dc=yourdomain,dc=org
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
Now restart ldap:
service ldap restart
Configure LDAP Client ldap.conf
On the server as well as on every client, configure the nss_ldap/pam_ldap file, /etc/ldap.conf (a different file from /etc/openldap/ldap.conf, which the OpenLDAP tools read).
Uncomment or change the following lines:
base dc=yourdomain,dc=org
uri ldap://yourserver.yourdomain.org/
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts/
Do not put binddn cn=Manager,dc=yourdomain,dc=org and bindpw secret in this file. /etc/ldap.conf has to be world-readable, because every process that resolves a user name reads it, so a bind password here is known to every local user, and using the Manager DN hands them the directory administrator's password. With the ACL above (anonymous may only authenticate, not read) nss_ldap cannot look users up anonymously, so either allow anonymous read of the account attributes or create a dedicated read-only bind account and use that as binddn here. For root-only operations such as password changes, nss_ldap supports rootbinddn with the password kept in /etc/ldap.secret, mode 600.
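As an added example, not part of the original page, here is a small audit script for the client /etc/ldap.conf that checks for the mistakes discussed in the slapd.conf and ldap.conf sections: the Manager DN used as binddn, a bind password in a world-readable file, a transport without StartTLS, and a missing or disabled certificate check. The file path, the rootdn value and the sample configurations are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit a client /etc/ldap.conf
# for the mistakes this section warns about. The file path, the rootdn
# and the sample files are assumptions; point it at your own file.

# conf_get FILE DIRECTIVE: print the directive's value (nss_ldap matches
# directive names case-insensitively), ignoring comment lines.
conf_get() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) {
        sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# norm_dn DN: lower-case and strip spaces so DNs compare the way LDAP does.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' '
}

# file_mode FILE: octal permission bits, GNU or BSD stat.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# audit_client_ldap_conf FILE ROOTDN
# Prints one line per finding and returns the number of findings
# (0 means the file passed).
audit_client_ldap_conf() {
    f=$1
    rootdn=$2
    n=0
    binddn=$(conf_get "$f" binddn)
    bindpw=$(conf_get "$f" bindpw)
    ssl=$(conf_get "$f" ssl)

    # 1. The directory administrator's DN must never be the client's bind DN.
    if [ -n "$binddn" ] && [ "$(norm_dn "$binddn")" = "$(norm_dn "$rootdn")" ]; then
        echo "binddn is the rootdn ($binddn): use a dedicated read-only account"
        n=$((n + 1))
    fi
    # 2. /etc/ldap.conf must be world-readable (every process resolving a
    #    user name reads it), so a bindpw in it is known to every local user.
    if [ -n "$bindpw" ]; then
        case "$(file_mode "$f")" in
            *[4-7]) echo "bindpw in world-readable $f: that account must be read-only, or use rootbinddn with /etc/ldap.secret"
                    n=$((n + 1)) ;;
        esac
    fi
    # 3. Transport: StartTLS (ssl start_tls) or ldaps (ssl on).
    case "$ssl" in
        start_tls|on|yes) ;;
        *) echo "ssl is '$ssl': bind passwords and account data cross the wire in the clear"
           n=$((n + 1)) ;;
    esac
    # 4. The server certificate must actually be checked against our CA.
    if [ "$(conf_get "$f" tls_checkpeer)" != "yes" ]; then
        echo "tls_checkpeer is not yes: any certificate, including a forged one, is accepted"
        n=$((n + 1))
    fi
    if [ -z "$(conf_get "$f" tls_cacertfile)$(conf_get "$f" tls_cacertdir)" ]; then
        echo "no tls_cacertfile or tls_cacertdir: nothing to verify the server certificate against"
        n=$((n + 1))
    fi
    return $n
}

# Usage: sh audit-ldap-conf.sh /etc/ldap.conf "cn=Manager,dc=yourdomain,dc=org"
if [ $# -eq 2 ]; then
    audit_client_ldap_conf "$1" "$2" && echo "$1: no findings"
fi
```

Run it on every client after copying ldap.conf around; a non-zero exit is the number of problems, so it drops into a deployment check unchanged.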
Testing the configuration / Debugging
Let's test to make sure TLS is working. This test talks to the ldaps port, 636, which slapd only listens on when SLAPD_LDAPS=yes is set in /etc/sysconfig/ldap on RHEL 5; the ldap.conf settings above use StartTLS on port 389 instead, which older s_client versions cannot exercise (OpenSSL 1.1.1 and later can, with -starttls ldap). Either enable ldaps for the test or rely on the ldapsearch -ZZ test below.
openssl s_client -connect yourserver.yourdomain.org:636 -CAfile /etc/openldap/cacerts/cacert.pem
You should get something like this:
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 69E38A9BFB51A39EB174B95974FA42D37E101F1F65CF396DC86AB088C9910F58
Session-ID-ctx:
Master-Key: E8CA2A9EBB8258F0A7A39C4167C8190C96DBCE835BD88A2DE44ABA05425B67276203C877464656022A4D65879438E31A
Key-Arg : None
Krb5 Principal: None
Start Time: 1229577041
Timeout : 300 (sec)
Verify return code: 0 (ok)
The line that matters is "Verify return code: 0 (ok)": it shows the server certificate chains to your CA, so clients can connect via TLS. Note that s_client does not compare the host name against the certificate; the ldapsearch test below does.
ldapsearch -x -b "dc=yourdomain,dc=org" -D "cn=Manager,dc=yourdomain,dc=org" '(objectclass=*)' -H ldap://yourserver.yourdomain.org -W -ZZ
The password is the rootpw from your slapd.conf, in this case secret.
-W prompts for the bind password, and -ZZ issues StartTLS and aborts if it fails, so the password never crosses the wire in the clear. If it fails to connect, run the same command with debugging turned on to see the reason:
ldapsearch -d -1 -x -b "dc=yourdomain,dc=org" -D "cn=Manager,dc=yourdomain,dc=org" '(objectclass=*)' -H ldap://yourserver.yourdomain.org -W -ZZ
-d -1 tells ldapsearch to print every debug category. The usual culprits are a certificate CN that does not match the host name given to -H, a CA file the client cannot read, or a server key that slapd cannot read.
Schema Changes
This is not really a schema change, but it matters: the migration scripts put users under ou=people, so that container has to exist. The suffix entry dc=yourdomain,dc=org must exist before anything can be added underneath it; if your directory is empty, add it first (objectClass dcObject and organization), or ldapadd will fail with "No such object".
You need to add people.ldif:
dn: ou=people,dc=yourdomain,dc=org
objectClass: organizationalUnit
ou: people
ldapadd -x -ZZ -H ldap://yourserver.yourdomain.org -D "cn=Manager,dc=yourdomain,dc=org" -W -f people.ldif
Adding Users
Adding users is pretty easy: do the normal useradd procedure on the LDAP server, pull the account out of /etc/passwd and run the migration script. First set $DEFAULT_BASE in /usr/share/openldap/migration/migrate_common.ph to your suffix, or the generated DNs will carry the script's default base.
useradd username
passwd username
grep "^username:" /etc/passwd > username.passwd
/usr/share/openldap/migration/migrate_passwd.pl username.passwd username.ldif
Anchor the grep with ^ and the trailing colon; a bare grep username also matches username2. The password hash is not in /etc/passwd (that field is just x); migrate_passwd.pl reads it from /etc/shadow, so run it as root.
Now all you have to do is add username.ldif to the directory:
ldapadd -x -ZZ -H ldap://yourserver.yourdomain.org -D "cn=Manager,dc=yourdomain,dc=org" -W -f username.ldif
Restarting slapd is not required after ldapadd; the entry is visible immediately.
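The two steps above, the ou=people container and the per-user LDIF, as an added example that is not the page's own commands nor the migration scripts' code: a shell script that writes the same LDIF directly, so you can see exactly what migrate_passwd.pl produces and what the ldapadd lines need, including the suffix entry that must exist first. It takes the hash from the shadow line rather than the x in /etc/passwd, refuses uid 0, and omits userPassword for locked accounts. The base DN and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: generate the LDIF the
# migration scripts produce, from a passwd line and a shadow line, plus
# the suffix entry and ou=people container the ldapadd steps need.
# The base DN, the sample accounts and /bin/sh as shell are assumptions.

# base_ldif BASEDN: the suffix entry plus ou=people. The suffix must exist
# before anything underneath it can be added.
base_ldif() {
    dc=$(printf '%s' "$1" | sed -n 's/^dc=\([^,]*\).*/\1/p')
    printf 'dn: %s\nobjectClass: dcObject\nobjectClass: organization\ndc: %s\no: %s\n\n' \
        "$1" "$dc" "$dc"
    printf 'dn: ou=people,%s\nobjectClass: organizationalUnit\nou: people\n' "$1"
}

# passwd_to_ldif PASSWD_LINE SHADOW_LINE BASEDN
# Emits a posixAccount/shadowAccount entry under ou=people. The password
# hash comes from the shadow line (/etc/passwd only holds "x"); uid 0 is
# refused so a root account is never pushed into the directory.
passwd_to_ldif() {
    line=$1
    shadow=$2
    base=$3
    IFS=: read -r user pw uid gid gecos home shell <<EOF
$line
EOF
    if [ -z "$user" ] || [ -z "$uid" ] || [ "$uid" -eq 0 ]; then
        echo "refusing to migrate '$user' (uid '$uid')" >&2
        return 1
    fi
    printf 'dn: uid=%s,ou=people,%s\n' "$user" "$base"
    printf 'objectClass: top\nobjectClass: account\n'
    printf 'objectClass: posixAccount\nobjectClass: shadowAccount\n'
    printf 'uid: %s\ncn: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\n' \
        "$user" "$user" "$uid" "$gid" "$home"
    if [ -n "$shell" ]; then printf 'loginShell: %s\n' "$shell"; fi
    if [ -n "$gecos" ]; then printf 'gecos: %s\n' "$gecos"; fi
    hash=$(printf '%s' "$shadow" | cut -d: -f2)
    case "$hash" in
        ''|x|'*'|'!'*) ;;                 # locked or absent: no userPassword
        *) printf 'userPassword: {crypt}%s\n' "$hash" ;;
    esac
}

# pick_account NAME: the exact passwd line for NAME. A bare
# "grep NAME /etc/passwd" also matches NAME2; anchor the match.
pick_account() {
    getent passwd "$1" 2>/dev/null || grep "^$1:" /etc/passwd
}

# Usage (as root, so /etc/shadow is readable):
#   sh user-ldif.sh alice dc=yourdomain,dc=org > alice.ldif
if [ $# -eq 2 ]; then
    passwd_to_ldif "$(pick_account "$1")" "$(grep "^$1:" /etc/shadow 2>/dev/null)" "$2"
fi
```

Feed base_ldif to ldapadd once, then one passwd_to_ldif file per user, with the same -ZZ -H -D -W options as above.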
Configuring PAM and the nscd Daemon
The quickest way to get things running is to copy /etc/ldap.conf to the client and make sure the CA cert is in the right place (/etc/openldap/cacerts/cacert.pem). Do not put the rootdn and its password in the client's ldap.conf; see the caveat in the ldap.conf section above.
Then simply run authconfig-tui from the command line.
Under User Information:
Select Use LDAP
Under Authentication:
Select Use Shadow Passwords
Select Use LDAP Authentication
Select Local authorization is sufficient (this way you don't lock yourself out)
Click Next
Select Use TLS
Server: ldap://yourserver.yourdomain.org/
Base DN: dc=yourdomain,dc=org
Click OK.
Now restart nscd:
service nscd restart
Check /var/log/messages to make sure that you don't get any bind errors, and confirm with getent passwd and the LDAP user name that the client can resolve the account before you close any root session you have open.
Then log in with the LDAP user name and password.
There you go. If you have any problems with the instructions email me at gryanfawcett at gmail dot com.