Openldap
Contents
About
OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.
Links
Specifications
Useful RFCs:
Motivation
Make SASL MECH EXTERNAL work with our own certificate authority.
Removal
When LDAP is wiped from the disk, the HDB files remain on the file system and are not removed. Unlike the configuration files, they have to be deleted by hand even after a "purge".
root@ldap2 ~ # aptitude purge slapd
Die folgenden Pakete werden ENTFERNT:
libltdl7{u} libodbc1{u} libperl5.18{u} libslp1{u} slapd{p}
0 Pakete aktualisiert, 0 zusätzlich installiert, 5 werden entfernt und 0 nicht aktualisiert.
0 B an Archiven müssen heruntergeladen werden. Nach dem Entpacken werden 5.356 kB frei werden.
Möchten Sie fortsetzen? [Y/n/?] y
(Lese Datenbank ... 45759 Dateien und Verzeichnisse sind derzeit installiert.)
Entfernen von slapd (2.4.39-1) ...
[ ok ] Stopping OpenLDAP: slapd.
Löschen der Konfigurationsdateien von slapd (2.4.39-1) ...
Removing slapd configuration... done.
Trigger für man-db (2.6.7.1-1) werden verarbeitet ...
Trigger für libc-bin (2.19-7) werden verarbeitet ...
(Lese Datenbank ... 45502 Dateien und Verzeichnisse sind derzeit installiert.)
Entfernen von libodbc1:amd64 (2.3.1-3) ...
Entfernen von libltdl7:amd64 (2.4.2-1.7) ...
Entfernen von libperl5.18 (5.18.2-7) ...
Entfernen von libslp1 (1.2.1-9) ...
Trigger für libc-bin (2.19-7) werden verarbeitet ...

root@ldap2 ~ # ll /var/lib/ldap
insgesamt 632
-rw-r--r-- 1 openldap openldap 2048 Aug 5 09:33 alock
-rw------- 1 openldap openldap 532479 Aug 5 09:33 __db.001
-rw------- 1 openldap openldap 139263 Aug 5 09:33 __db.002
-rw------- 1 openldap openldap 114687 Aug 5 09:33 __db.003
-rw-r--r-- 1 openldap openldap 96 Aug 5 09:27 DB_CONFIG
-rw------- 1 openldap openldap 8192 Aug 5 09:27 dn2id.bdb
-rw------- 1 openldap openldap 32768 Aug 5 09:27 id2entry.bdb
-rw------- 1 openldap openldap 10485759 Aug 5 09:33 log.0000000001
-rw------- 1 openldap openldap 8192 Aug 5 09:27 objectClass.bdb

root@ldap2 ~ # rm -r /var/lib/ldap/

Installation
Prepare an admin password and install OpenLDAP from backports to get the latest fixes.
aptitude install -t buster-backports slapd slapd-contrib ldap-utils
OS: Debian Jessie/Sid
Package: slapd
Version: 2.4.39-1
When OpenLDAP is installed, a password is requested for the manager of the directory; this manager does not belong to cn=config. Assuming the domain part of the future LDAP server's FQDN is "example.com", the DN of the manager is cn=admin,dc=example,dc=com by default.
root@ldap2 ~ # aptitude install slapd
Die folgenden NEUEN Pakete werden zusätzlich installiert:
libltdl7{a} libodbc1{a} libperl5.18{a} libslp1{a} slapd
0 Pakete aktualisiert, 5 zusätzlich installiert, 0 werden entfernt und 0 nicht aktualisiert.
0 B/1.987 kB an Archiven müssen heruntergeladen werden. Nach dem Entpacken werden 5.356 kB zusätzlich belegt sein.
Möchten Sie fortsetzen? [Y/n/?] y
Vorkonfiguration der Pakete ...
Vormals nicht ausgewähltes Paket libltdl7:amd64 wird gewählt.
(Lese Datenbank ... 45454 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../libltdl7_2.4.2-1.7_amd64.deb ...
Entpacken von libltdl7:amd64 (2.4.2-1.7) ...
Vormals nicht ausgewähltes Paket libodbc1:amd64 wird gewählt.
Vorbereitung zum Entpacken von .../libodbc1_2.3.1-3_amd64.deb ...
Entpacken von libodbc1:amd64 (2.3.1-3) ...
Vormals nicht ausgewähltes Paket libperl5.18 wird gewählt.
Vorbereitung zum Entpacken von .../libperl5.18_5.18.2-7_amd64.deb ...
Entpacken von libperl5.18 (5.18.2-7) ...
Vormals nicht ausgewähltes Paket libslp1 wird gewählt.
Vorbereitung zum Entpacken von .../libslp1_1.2.1-9_amd64.deb ...
Entpacken von libslp1 (1.2.1-9) ...
Vormals nicht ausgewähltes Paket slapd wird gewählt.
Vorbereitung zum Entpacken von .../slapd_2.4.39-1_amd64.deb ...
Entpacken von slapd (2.4.39-1) ...
Trigger für man-db (2.6.7.1-1) werden verarbeitet ...
libltdl7:amd64 (2.4.2-1.7) wird eingerichtet ...
libodbc1:amd64 (2.3.1-3) wird eingerichtet ...
libperl5.18 (5.18.2-7) wird eingerichtet ...
libslp1 (1.2.1-9) wird eingerichtet ...
slapd (2.4.39-1) wird eingerichtet ...
Creating initial configuration... done.
Creating LDAP directory... done.
[ ok ] Starting OpenLDAP: slapd.
Trigger für libc-bin (2.19-7) werden verarbeitet ...
If files already exist under /var/lib/ldap/ on the file system, they are moved to /var/backups but not deleted.
First Steps
Gaining Access
Please do not edit the online configuration tree (the files under slapd.d) by hand; there is a fair chance the service will not come up again afterwards. With a replicated configuration this is not an option at all. The service is best configured at runtime via ldapmodify, so read man ldif and off you go. The default ACLs give root "manage" rights via SASL MECH EXTERNAL.
Without cryptography, SASL MECH EXTERNAL is initially available only on the Unix domain socket.
Over the network this shows up in errors like this one:
Now, for comparison, on the socket:
GOT MANAGE
Show ldap rootDSE
ldapsearch -x -s base -b "" "(objectclass=*)"
Setting the manager password online
Salt and hash the manager password:
Write a small piece of LDIF
Apply the LDIF
Check the configuration
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={0}config
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}63L0JP9sDn7SoG+4I8xbdybDJG6DH5cC
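The three steps above (salt and hash the manager password, write the LDIF, apply it) are shown here as an added Python example; it is not code from the page or from OpenLDAP. It produces the same {SSHA} format that slappasswd emits (base64 of SHA-1(password || salt) followed by a 4-byte salt, which is why the olcRootPW value in the ldapsearch output above is 32 base64 characters long), verifies a password against such a value, and renders the LDIF for olcDatabase={0}config,cn=config. The function names and the sample password are this example's own.

```python
# Added example, not from the page: generate and verify {SSHA} hashes in the
# format slappasswd emits, and render the LDIF that sets olcRootPW on the
# config database. The DN olcDatabase={0}config,cn=config is taken from the
# ldapsearch output on the page; everything else is this example's own code.
import base64
import hashlib
import hmac
import os

SALT_LEN = 4  # bytes of random salt, matching slappasswd's default for {SSHA}


def ssha_hash(password, salt=None):
    """{SSHA} = base64( SHA-1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a password against a stored {SSHA} value. The salt is whatever
    follows the 20-byte SHA-1 digest in the decoded blob."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        blob = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False
    if len(blob) <= 20:
        return False
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def rootpw_ldif(hashed, database_dn="olcDatabase={0}config,cn=config"):
    """LDIF for `ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpw.ldif`.
    'replace' creates olcRootPW if it is absent and overwrites it otherwise."""
    return "\n".join([
        "dn: " + database_dn,
        "changetype: modify",
        "replace: olcRootPW",
        "olcRootPW: " + hashed,
        "",
    ])


if __name__ == "__main__":
    # Constructed sample password; never reuse it on a real server.
    h = ssha_hash("Dem0Pass")
    print(rootpw_ldif(h))
    print("verify ok:", ssha_verify(h, "Dem0Pass"))
```

Apply the printed LDIF over the Unix domain socket with SASL EXTERNAL, as the page does for its ldapsearch, and re-run the ldapsearch from the check step to confirm the new olcRootPW. {SSHA} is a single salted SHA-1; it stops rainbow tables but not brute force of a weak password, so the strength of the cn=admin,cn=config password itself matters.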
As long as no secure connection is available, a connection that requires authentication should not be used over untrusted networks. See Openldap#Tunneling LDAP-Connection via SSH
Locally this may be fine
# ldapsearch -xLLL -H ldapi:/// -WD 'cn=admin,cn=config' -b cn=config olcDatabase={0}config
Enter LDAP Password:
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}63L0JP9sDn7SoG+4I8xbdybDJG6DH5cC
Logging/Debugging
Here are the configuration directives
See also
root@ldap2 ~ # man 5 slapd-config
…
olcLogLevel: <integer> [...]
Specify the level at which debugging statements and operation statistics should be syslogged (cur‐
rently logged to the syslogd(8) LOG_LOCAL4 facility). They must be considered subsystems rather than
increasingly verbose log levels. Some messages with higher priority are logged regardless of the
configured loglevel as soon as any logging is configured. Log levels are additive, and available
levels are:
1 (0x1 trace) trace function calls
2 (0x2 packets) debug packet handling
4 (0x4 args) heavy trace debugging (function args)
8 (0x8 conns) connection management
16 (0x10 BER) print out packets sent and received
32 (0x20 filter) search filter processing
64 (0x40 config) configuration file processing
128 (0x80 ACL) access control list processing
256 (0x100 stats) stats log connections/operations/results
512 (0x200 stats2) stats log entries sent
1024 (0x400 shell) print communication with shell backends
2048 (0x800 parse) entry parsing
16384 (0x4000 sync) LDAPSync replication
32768 (0x8000 none) only messages that get logged whatever log level is set
The desired log level can be input as a single integer that combines the (ORed) desired levels, both
in decimal or in hexadecimal notation, as a list of integers (that are ORed internally), or as a list
of the names that are shown between brackets, such that

olcLogLevel: 129
olcLogLevel: 0x81
olcLogLevel: 128 1
olcLogLevel: 0x80 0x1
olcLogLevel: acl trace

are equivalent. The keyword any can be used as a shortcut to enable logging at all levels (equiva‐
lent to -1). The keyword none, or the equivalent integer representation, causes those messages that
are logged regardless of the configured olcLogLevel to be logged. In fact, if no olcLogLevel (or a 0
level) is defined, no logging occurs, so at least the none level is required to have high priority
messages logged.
…
The server's logging can be tuned quite finely via a single numeric value and/or several attribute values in cn=config. It is important that the keywords are written in lower case … For everyday use the log level stats = 256 is recommended. http://www.openldap.org/doc/admin24/tuning.html#Logging
For debugging SASL_MECH EXTERNAL I will use a different log level (keyword names as listed in slapd-config(5) above):
trace packets stats
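To make the "additive subsystems" rule from the man page concrete, here is an added Python example (not code from the page or from OpenLDAP) that turns any of the accepted olcLogLevel spellings into the single integer slapd works with, and decomposes an integer back into keyword names. The keyword table is copied from the slapd-config(5) excerpt above; the function names are this example's own.

```python
# Added example, not from the page or from OpenLDAP: combine and decompose
# olcLogLevel values exactly as slapd-config(5) describes them (decimal,
# hex, lists of integers, lists of names, "any", "none"). The bit/keyword
# table below is the one from the man page excerpt on the page.

LOG_LEVELS = {
    0x1: "trace", 0x2: "packets", 0x4: "args", 0x8: "conns", 0x10: "BER",
    0x20: "filter", 0x40: "config", 0x80: "ACL", 0x100: "stats",
    0x200: "stats2", 0x400: "shell", 0x800: "parse", 0x4000: "sync",
    0x8000: "none",
}
_NAME_TO_BIT = {name.lower(): bit for bit, name in LOG_LEVELS.items()}
_KNOWN_MASK = sum(LOG_LEVELS)


def parse_loglevel(spec):
    """Turn an olcLogLevel value such as "129", "0x81", "128 1", "acl trace"
    or "any" into one integer (-1 stands for "any", as in the man page)."""
    level = 0
    for token in spec.split():
        name = token.lower()       # matching is lenient here; write them lower
        if name == "any":          # case in cn=config as the text above advises
            return -1
        if name in _NAME_TO_BIT:
            level |= _NAME_TO_BIT[name]
            continue
        try:
            level |= int(token, 0)  # base 0 accepts "128" as well as "0x80"
        except ValueError:
            raise ValueError("unknown olcLogLevel token: %r" % token)
    return level


def describe_loglevel(level):
    """Decompose an integer into lower-case keyword names, ready to paste
    into cn=config; bits the man page lists no name for are kept as hex."""
    if level == -1:
        return ["any"]
    names = [LOG_LEVELS[bit].lower() for bit in sorted(LOG_LEVELS) if level & bit]
    unknown = level & ~_KNOWN_MASK
    if unknown:
        names.append(hex(unknown))
    return names


def equivalent(*specs):
    """True if every given spelling selects the same set of subsystems."""
    return len({parse_loglevel(s) for s in specs}) == 1


if __name__ == "__main__":
    print(parse_loglevel("trace packets stats"))   # the level chosen above
    print(describe_loglevel(0x103))
    print(equivalent("129", "0x81", "128 1", "0x80 0x1", "acl trace"))
```

A practical use is checking a value before writing it: run `describe_loglevel(parse_loglevel(value))` on what you intend to put into olcLogLevel and make sure "stats" is still in the list, since without 256 the operational log that day-to-day troubleshooting relies on disappears.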
Ldap-Clients
Apache Directory Studio is my recommendation
- from Debian Repos
- ldap-utils as command line interface
- ldapvi as a gui in the shell
- jxplorer as a graphical user interface in X
KDE Plasma Konqueror supports ldap-urls like
ldap://hostname.domain.tld:389/dc=domain,dc=tld??sub
ldap-utils: ignoring invalid certificates
As man 5 ldap.conf states in section DESCRIPTION line 5:
- Environmental variables may also be used to augment the file based defaults. The name of the variable is the option name with an added prefix of LDAP. For example, to define BASE via the environment, set the variable LDAPBASE to the desired value.
PREFIX="LDAP" + "VARIABLE_NAME from ldap.conf"
So we can also change the behaviour of certificate validation simply by setting an environment variable that suppresses requesting the server certificate, and with it the verification.
LDAPTLS_REQCERT=never ldapsearch -x -H …
Tunneling LDAP-connection via SSH
Potentially anyone can sniff the TCP stream, e.g. via port mirroring, ARP spoofing or MAC flooding (hub). Some precautions should therefore be taken that provide authenticity, confidentiality and integrity. With a small SSH tunnel that is no rocket science. Here is a local port forward.
ssh -L 8389:localhost:389 destination-server.domain.tld
Then connect with Apache Directory Studio to localhost:8389.
Crypto
Without cryptography the directory service is worthless for authentication, authorization and accounting. So we create a certificate authority and use it to issue server and client certificates.
Preliminary considerations
These certificates all depend on a working DNS. In this example case the file /etc/hosts is therefore configured. A DNS server should nevertheless be entered in /etc/resolv.conf.
Please note that the fully qualified domain name comes first on the line, followed by any aliases without domain suffix. Apache2 likes to complain that it cannot reliably determine the server name if this is not the case.
Creating the certificate authority
FreeBSD way
Needs to be checked again; please do not pursue further, the next way definitely works.
The directory structure must be in place
Generate a private key
The generated public key is processed into a Certificate Signing Request (CSR).
root@ldap2 /etc/ssl # openssl req -new \
-key /etc/ssl/demoCA/private/cakey.pem \
-out /etc/ssl/demoCA/csr/cacert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:demoCA Root
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The CA certificate finally signs itself and is ready to sign other certificates.
The metadata of the certificate look as follows
root@ldap2 /etc/ssl # openssl x509 \
-in /etc/ssl/demoCA/cacert.pem \
-text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 11649341435721446634 (0xa1aac6509f6a74ea)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=demoCA Root
Validity
Not Before: Aug 3 12:46:05 2014 GMT
Not After : Aug 2 12:46:05 2018 GMT
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=demoCA Root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Now the CSR for the actual server certificate is created
root@ldap2 /etc/ssl # openssl req -new \
-key /etc/ssl/demoCA/private/com.example.ldap2.key \
-out /etc/ssl/demoCA/csr/com.example.ldap2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ldap2.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The CSR is then signed and we should have a finished certificate. In the run below, however, openssl x509 -req stops with an error because the serial number file /etc/ssl/demoCA/cacert.srl does not exist yet; openssl x509 -req creates it only when given -CAcreateserial.
root@ldap2 /etc/ssl # openssl x509 -req \
-days 1024 -in /etc/ssl/demoCA/csr/com.example.ldap2.csr \
-CA /etc/ssl/demoCA/cacert.pem \
-CAkey /etc/ssl/demoCA/private/cakey.pem \
-out /etc/ssl/demoCA/certs/com.example.ldap2.crt
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap2.example.com
Getting CA Private Key
/etc/ssl/demoCA/cacert.srl: No such file or directory
140162129761936:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/ssl/demoCA/cacert.srl','r')
140162129761936:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
The keys need our protection.
Didn't work for me … The directory /etc/ssl/demoCA is moved out of the way so that a new one can take its place.
mv /etc/ssl/demoCA /etc/ssl/demoCA_fail1
Please also remember the ca-certificates, in case the certificate has already ended up there.
OpenLDAP way
http://www.openldap.org/faq/data/cache/185.html
root@ldap2 ~ # locate CA.sh
/usr/lib/ssl/misc/CA.sh
root@ldap2 ~ # ll /usr/lib/ssl/misc/
insgesamt 40
-rwxr-xr-x 1 root root 5875 Jun 14 23:56 CA.pl*
-rwxr-xr-x 1 root root 5175 Jun 14 23:56 CA.sh*
-rwxr-xr-x 1 root root 119 Jun 14 23:56 c_hash*
-rwxr-xr-x 1 root root 152 Jun 14 23:56 c_info*
-rwxr-xr-x 1 root root 112 Jun 14 23:56 c_issuer*
-rwxr-xr-x 1 root root 110 Jun 14 23:56 c_name*
-rwxr-xr-x 1 root root 6419 Jun 14 23:56 tsget*
We make ourselves a working copy of the directory and add it to root's PATH variable.
In this working copy we can already adjust the validity periods of the certificates.
As described in man ca, openssl ca uses a different config file. To make this really neat, the -config parameter will also have to be inserted at the right place in the script.
FILES
Note: the location of all files can change either by compile time options, configuration file entries, environment variables or command line options. The values below reflect the default values.

/usr/local/ssl/lib/openssl.cnf - master configuration file
./demoCA - main CA directory
./demoCA/cacert.pem - CA certificate
./demoCA/private/cakey.pem - CA private key
./demoCA/serial - CA serial number file
./demoCA/serial.old - CA serial number backup file
./demoCA/index.txt - CA text database file
./demoCA/index.txt.old - CA text database backup file
./demoCA/certs - certificate output file
./demoCA/.rnd - CA random seed information
Create a new CA
root@ldap2 /etc/ssl # CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
.............................+++
...+++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:demoCA Root
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 13719391450812347002 (0xbe6511d60833727a)
Validity
Not Before: Aug 7 07:38:46 2014 GMT
Not After : Aug 6 07:38:46 2024 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = demoCA Root
X509v3 extensions:
X509v3 Subject Key Identifier:
4C:CF:71:78:3E:2B:9E:23:FE:30:F5:77:B9:6D:4A:1E:84:C6:89:EE
X509v3 Authority Key Identifier:
keyid:4C:CF:71:78:3E:2B:9E:23:FE:30:F5:77:B9:6D:4A:1E:84:C6:89:EE

X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Aug 6 07:38:46 2024 GMT (3652 days)

Write out database with 1 new entries
Data Base Updated
Create a new CSR
root@ldap2 /etc/ssl # CA.pl -newreq-nodes
Generating a 2048 bit RSA private key
........+++
.................................+++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ldap2.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ldap2 /etc/ssl # ll
insgesamt 84
drwxr-xr-x 2 root root 20480 Aug 4 23:17 certs/
drwxr-xr-x 6 root ssl-cert 4096 Aug 7 09:38 demoCA/
drwxr-xr-x 7 root ssl-cert 101 Aug 3 14:59 demoCA_fail1/
-rw-r--r-- 1 root root 1704 Aug 7 09:49 newkey.pem
-rw-r--r-- 1 root root 997 Aug 7 09:49 newreq.pem
-rw-r--r-- 1 root root 10834 Aug 3 13:01 openssl.cnf
-rw-r--r-- 1 root root 10835 Aug 3 12:46 openssl.cnf_bak
drwx--x--- 2 root ssl-cert 53 Aug 5 08:04 private/
Sign the Certificate Signing Request.
root@ldap2 /etc/ssl # CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 13719391450812347003 (0xbe6511d60833727b)
Validity
Not Before: Aug 7 07:57:33 2014 GMT
Not After : Aug 6 07:57:33 2018 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = ldap2.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3D:AA:70:76:30:08:98:73:43:CE:80:DC:40:64:23:88:C7:1F:7C:1A
X509v3 Authority Key Identifier:
keyid:4C:CF:71:78:3E:2B:9E:23:FE:30:F5:77:B9:6D:4A:1E:84:C6:89:EE

Certificate is to be certified until Aug 6 07:57:33 2018 GMT (1460 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
The certificates are now placed into the directory structure. The CA key and the server key should live in different directories; for my demo CA this is irrelevant, though. Please also look twice here: a small error crept into the OpenLDAP page, where the request was copied as the key.
The keys need our protection.
Configure OpenLDAP crypto
Add our own CA to the system CAs
Create the LDIF
Now slapd is told about the certificate files.
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/demoCA/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/demoCA/certs/com.example.ldap2.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/demoCA/private/com.example.ldap2.key
Side note: to accept all CAs trusted by Debian for client authentication, the TLSCACertificateFile has to be swapped for the system-wide one. This is not of interest in my experiments, but the following LDIF snippet should do it:
If the LDAP server dies during the following modify operation, the file system permissions of the path or of the files are probably not correct. This is best found out with the following command.
DH parameters
This will take a very long time if the system (e.g. a VM) has very little entropy. The process is therefore started inside a terminal multiplexer (tmux (, screen (, nohup))).
aptitude install tmux
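The check that the paragraph above calls for is given here as an added Python script; it is not the page's own command and not OpenLDAP code. It replays the kernel's discretionary access check for a given user along the whole path (search permission on every ancestor directory, read permission on the file), so the output names the component that blocks slapd, which runs as the "openldap" account from /etc/default/slapd, from opening a certificate or key. Only ownership and mode bits are considered; POSIX ACLs and mandatory access control are outside this check. The file paths in the main block are the ones from the LDIF above; the function names and the demo files are this example's own.

```python
# Added example, not from the page: emulate the kernel's discretionary access
# check for a given uid/gid set along a whole path, so you can see *which*
# component stops slapd (running as openldap) from opening a TLS file.
# Only ownership and mode bits are considered: POSIX ACLs and MAC policies
# are not. Function names and the demo files are this example's own.
import os
import pwd
import stat
import tempfile


def _stat(path):
    try:
        return os.stat(path)
    except OSError:
        return None


def _allowed(st, uid, gids, owner_bit, group_bit, other_bit):
    if uid == 0:
        return True                      # root bypasses read/search DAC checks
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def readable_by(path, uid, gids):
    """Return (ok, reason). Every ancestor directory needs search (x)
    permission for the identity, the file itself needs read (r)."""
    path = os.path.realpath(path)        # follow symlinks as open(2) would
    parts = [p for p in path.split(os.sep) if p]
    directories, current = [os.sep], os.sep
    for part in parts[:-1]:
        current = os.path.join(current, part)
        directories.append(current)
    for d in directories:
        st = _stat(d)
        if st is None:
            return False, "%s does not exist or cannot be inspected" % d
        if not _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, "no search (x) permission on directory %s" % d
    st = _stat(path)
    if st is None:
        return False, "%s does not exist" % path
    if not _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, "no read (r) permission on %s" % path
    return True, "ok"


def check_as_user(paths, username="openldap"):
    """Resolve the service account (uid plus all its groups), check each file."""
    pw = pwd.getpwnam(username)
    gids = os.getgrouplist(username, pw.pw_gid)
    return {p: readable_by(p, pw.pw_uid, gids) for p in paths}


def demo():
    """Constructed demo: a 0600 key and a 0644 cert in a 0755 directory,
    checked for the current user and for a made-up foreign uid."""
    me = os.getuid()
    my_groups = [os.getgid()] + list(os.getgroups())
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        key, cert = os.path.join(d, "server.key"), os.path.join(d, "server.crt")
        for name, mode in ((key, 0o600), (cert, 0o644)):
            with open(name, "w") as f:
                f.write("constructed placeholder, not a real key\n")
            os.chmod(name, mode)
        foreign = me + 1                 # some other uid with no group memberships
        return {
            "owner_key": readable_by(key, me, my_groups)[0],
            "owner_cert": readable_by(cert, me, my_groups)[0],
            "foreign_key": readable_by(key, foreign, [])[0],
            "foreign_cert": readable_by(cert, foreign, [])[0],
        }


if __name__ == "__main__":
    tls_files = ["/etc/ssl/demoCA/cacert.pem",
                 "/etc/ssl/demoCA/certs/com.example.ldap2.crt",
                 "/etc/ssl/demoCA/private/com.example.ldap2.key"]
    for path, (ok, why) in check_as_user(tls_files).items():
        print("OK  " if ok else "FAIL", path, why)
```

Run it as root on the server before the ldapmodify; a FAIL line on the private directory is the usual finding (the /etc/ssl/private listing above is drwx--x--- root:ssl-cert, so openldap needs to be in the ssl-cert group or the key needs its own directory). The private key should stay unreadable to everyone but the service account.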
A named tmux session is created.
tmux new -s dhparams
The large primes are generated.
root@ldap2 ~ # openssl dhparam -out /etc/ssl/private/dhparams.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
................
<output omitted>
..........++*++*
openssl dhparam -out /etc/ssl/private/dhparams.pem 4096 447,46s user 0,04s system 99% cpu 7:27,61 total
Not everyone should be able to read this file right away; we grant the initialization vectors the same protection as the certificates.
Create the LDIF
Command line parameters
The file /etc/default/slapd must be adjusted so that all desired protocols are spoken on the bind sockets. The three slashes stand for 0.0.0.0/0.
- Unix domain socket + ldap[+starttls]
- 389 plaintext ldap
- 389 ldap+starttls
- 636 ldaps
/etc/default/slapd
# Default location of the slapd.conf file or slapd.d cn=config directory. If
# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
# /etc/ldap/slapd.conf).
SLAPD_CONF=

# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"

# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"

# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
# default)
SLAPD_PIDFILE=

# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="ldapi:/// ldap:/// ldaps:///"

# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1

# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd

# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab

# Additional options to pass to slapd
SLAPD_OPTIONS=""
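To make the "three slashes mean every interface" rule and the port defaults explicit, here is an added Python example (not the page's code and not OpenLDAP's) that parses a SLAPD_SERVICES value into its listeners and reports which of them expose plaintext LDAP on all interfaces. The port defaults and the URL-encoding of ldapi socket paths follow ldap.conf(5) as quoted further down the page; the function names and the wording of the findings are this example's own.

```python
# Added example, not from the page or from OpenLDAP: parse the listener URIs
# in SLAPD_SERVICES and flag plaintext listeners bound to every interface.
# Default ports (389 for ldap, 636 for ldaps) and the rule that an ldapi
# socket path is URL-encoded come from ldap.conf(5); the rest is this
# example's own design.
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def _split_hostport(hostport):
    if hostport.startswith("["):                  # IPv6 literal: [::1]:389
        end = hostport.index("]")
        host, rest = hostport[1:end], hostport[end + 1:]
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = hostport.partition(":")
    return host, port


def parse_listener(uri):
    """Describe one listener URI as slapd would bind it."""
    scheme, sep, rest = uri.partition("://")
    if not sep or scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("unsupported listener URI: %r" % uri)
    hostport = rest.split("/", 1)[0]              # "ldap:///" -> ""
    if scheme == "ldapi":
        # the socket path is URL-encoded; an empty path selects the
        # compiled-in default socket (on Debian /run/slapd/ldapi)
        return {"scheme": scheme,
                "socket": unquote(hostport) or "<compiled-in default>",
                "tls": False}
    host, port = _split_hostport(hostport)
    return {
        "scheme": scheme,
        "host": host or "0.0.0.0",                # three slashes: every interface
        "all_interfaces": host == "",
        "port": int(port) if port else DEFAULT_PORTS[scheme],
        "tls": scheme == "ldaps",
    }


def parse_services(spec):
    """SLAPD_SERVICES is a space separated list of URIs."""
    return [parse_listener(u) for u in spec.split()]


def audit_services(spec):
    """Findings a defender wants to see before the service goes live."""
    findings = []
    for l in parse_services(spec):
        if l["scheme"] == "ldap" and l["all_interfaces"]:
            findings.append(
                "ldap:// on port %d listens on all interfaces without TLS; "
                "either require StartTLS from clients or bind it to "
                "127.0.0.1 as in the commented example" % l["port"])
    return findings


if __name__ == "__main__":
    spec = 'ldapi:/// ldap:/// ldaps:///'          # the value chosen on the page
    for listener in parse_services(spec):
        print(listener)
    for finding in audit_services(spec):
        print("WARNING:", finding)
```

With the page's own value the audit reports exactly one warning, for ldap:///. The ldapi listener is the one the page relies on for SASL EXTERNAL as root, and ldaps:/// is where the client-certificate authentication later on happens.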
Testing the crypto
root@ldap2 ~ # openssl s_client -showcerts \
-connect ldap2.example.com:636 \
-CAfile /etc/ssl/certs/cacert.pem \
-cert /etc/ssl/demoCA/certs/com.example.ldap2.crt \
-key /etc/ssl/demoCA/private/com.example.ldap2.key \
-tls1_2

CONNECTED(00000003)
---
Certificate chain
0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap2.example.com
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=demoCA Root
-----BEGIN CERTIFICATE-----
MIIDujCCAqKgAwIBAgIJAL5lEdYIM3J7MA0GCSqGSIb3DQEBCwUAMFsxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQxFDASBgNVBAMMC2RlbW9DQSBSb290MB4XDTE0MDgwNzA3
NTczM1oXDTE4MDgwNjA3NTczM1owYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNv
bWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgG
A1UEAwwRbGRhcDIuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDZOi8DJX66QXx2QlWLny5BmS12hrQ9b5rQ0d4SJLst238oAQFvGo8H
XpE7ra5Gv/P0Od/vcionqpk/BcT9r72U4KdeQrvim5L/IBJpQp95/KzXBwy2sJzv
sPp3ShNNS4+m6foOqo5HglmQlrmzyusFBnafh21QmFQUhxJeIY1JdfqAtx0DMJ8f
nmZZIDr3o8uqU0H6aWxKaIgW4I6q+oRBnNqZI2Eq9+7XIkqzN2OGIRbrqYRuJ55A
SMkMx1zfDORUUwBKr+xAFtgwzu2v+2q7d/eo2oWfnZPHuCZGLENDZeYs8ZNzSzSn
KHJ7jQHaKMqJZsd9st0VoON1CXf6dWfNAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJ
YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud
DgQWBBQ9qnB2MAiYc0POgNxAZCOIxx98GjAfBgNVHSMEGDAWgBRMz3F4PiueI/4w
9Xe5bUoehMaJ7jANBgkqhkiG9w0BAQsFAAOCAQEAvUB1dhQeB8FfiQl89THUcoiH
qqslrcKQ17KcjbAm8KNY1Gz7E67QpEjl0ljigMjmSYSSA17br1xV8Ch7yypt1c2y
82u39Cye3u9WVHFHaQqEeBcdoaTf5SwB5tZ2Z5XivAZ/5nSk1GrJ+XU9OgoBaSV8
Nn7b7CvlUw9cU1fhG3p1g71gI/Tjs4nfxSjQHyYFvKt7a5XhMg/+L75l5o2gcmLs
aStVqrdbyoZhSOjCmkr7C8oEdVM3+XWgIG9XCmrD4COPynNLBBB3vfv13lpTumLF
JhYZSlZ4nL9lgN8ElxQqwK1m4IW5OAaVsdvLTjIoSSBXXh31oM1LZPB1vh078w==
-----END CERTIFICATE-----
1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=demoCA Root
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=demoCA Root
-----BEGIN CERTIFICATE-----
MIIDiTCCAnGgAwIBAgIJAL5lEdYIM3J6MA0GCSqGSIb3DQEBCwUAMFsxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQxFDASBgNVBAMMC2RlbW9DQSBSb290MB4XDTE0MDgwNzA3
Mzg0NloXDTI0MDgwNjA3Mzg0NlowWzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNv
bWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIG
A1UEAwwLZGVtb0NBIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDR2Wwf73YrEaudt5C04EahU7NuVAmJgJzIJHEz3UGM90v8fV0QosvvMmvhH3O4
o/rF8+bKL4INuWb+FRY7QQXr1w9shNVDNVioB02YEKALVXbvbcLPMGiJcM0ZV4FS
YYSb13JLTH9T392MEipazVpSXf959B+XUZK62UrAyrpfk5Bxhe0cOjUtPAn0YI47
YD6YtvJfk39l2k67mE9oZtbEjLZn+3voot51lfuBxwFsUJ4+x5tdFF5ED0LzikG9
PDDkqv0KW7UA0sJJD3SMuTZOgL/HhYHsDJmdUzrzmIyOK+cGCBT4iTgoYHowbhmS
DmbtfdFWIBLFCYWBHzvS+2ebAgMBAAGjUDBOMB0GA1UdDgQWBBRMz3F4PiueI/4w
9Xe5bUoehMaJ7jAfBgNVHSMEGDAWgBRMz3F4PiueI/4w9Xe5bUoehMaJ7jAMBgNV
HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDNIbt+mbZPhhvUy6Xd3ccYvmJQ
lawByS2zECaODr3mIakmWD2GnZMrtVnCIsbzTZKm8SL0WasLM+ipCRGV3uHQu3QZ
r3POmEsd+dUxx0w7lMor+twMVr6jDV1G1yRhSit5BUc65oyh1MQi46F+KrD1CC9+
Ug4uymi3TV1QMGRlKxGVF0JWiHBL7pA1/21B/GzJy2+UNjpleDsHhiFFYsW6hdOD
vHpIYaHWGQnfpWSrMDgj1AsiZWN+XUEqdkq16I20r/KMQsxjeCai56U/M0qGw37v
Ex9hCzgytQoLQIqC6XCyHIJqcCce020ZujZ3fL94MoqBlJZIuAUkwMD+mOfk
-----END CERTIFICATE-----
---
Server certificate
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap2.example.com
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=demoCA Root
---
Acceptable client certificate CA names
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=demoCA Root
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=demoCA Root
---
SSL handshake has read 2333 bytes and written 2835 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA256
Session-ID: 22CA047FB23183EEA781EF78B78C7B935DC0FD0FDBC96579B00300781C20DA6D
Session-ID-ctx:
Master-Key: 9B9E340135D7D084F127197584A5B8F522F151EF4C9B762131A23E1ED7125D734D6F9664FE021B01F64E6605CE442FAA
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1407665836
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Authentication via SASL EXTERNAL over TLS
The crypto works so far.
From now on the client may authenticate with its certificate.
Client configuration
To obtain a successful authentication, the following assumptions are made:
1. The client must
- open an encrypted connection
-ZZZ || -H ldaps:///
- trust the CA that signed the server certificate
ca-certificates || cacert.pem
- identify itself to the server with a certificate signed by a CA the server trusts
x509v3_extension clientAuthentication
~/.ldaprc, not system-wide in /etc/ldap/ldap.conf
2. The server must
- allow a client to authenticate to it with certificates
olcTLSVerifyClient: allow
- offer encryption with a valid certificate the client trusts
x509v3_extension serverAuthentication
The system-wide configuration file is /etc/ldap/ldap.conf. By modifying this file we can now find out under which circumstances SASL EXTERNAL works. I like to build myself a configuration file from the man page. This is what the default setting looks like:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Anpassung der /etc/ldap/ldap.conf - zunächst die destillierten Informationen:
root@ldap2 ~ # sed -r '/^\s*#/d;/^$/d' /etc/ldap/ldap.conf
URI ldaps://ldap2.example.com
BASE dc=example,dc=com
SASL_MECH EXTERNAL
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_CERT /etc/ssl/demoCA/certs/com.example.ldap2.crt
TLS_KEY /etc/ssl/demoCA/private/com.example.ldap2.key
TLS_REQCERT demand
To find out which GnuTLS cipher specs are available, install gnutls-bin and read the gnutls-cli man page at the --priority option:
apt install gnutls-bin
Configuration file built from the man page - it then looks like this:
root@ldap2 ~ # info ldap.conf | sed -r 's/^[[:space:]]+/\t# /;s/^([^[:space:]])/### \1/' |vi -
### NAME
# ldap.conf, .ldaprc - LDAP configuration file/environment variables

### SYNOPSIS
# /etc/ldap/ldap.conf, ldaprc, .ldaprc, $LDAP<option-name>

### OPTIONS
# The different configuration options are:

# URI <ldap[si]://[name[:port]] ...>
# Specifies the URI(s) of an LDAP server(s) to which the LDAP
# library should connect. The URI scheme may be any of ldap,
# ldaps or ldapi, which refer to LDAP over TCP, LDAP over SSL
# (TLS) and LDAP over IPC (UNIX domain sockets), respectively.
# Each server's name can be specified as a domain-style name or an
# IP address literal. Optionally, the server's name can be followed
# by a ':' and the port number the LDAP server is listening on.
# If no port number is provided, the default port for the scheme
# is used (389 for ldap://, 636 for ldaps://). For LDAP over IPC,
# name is the name of the socket, and no port is required, nor
# allowed; note that directory separators must be URL-encoded,
# like any other characters that are special to URLs; so the
# socket

# /usr/local/var/ldapi

# must be specified as

# ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi

# A space separated list of URIs may be provided.

# BASE <base>
# Specifies the default base DN to use when performing ldap
# operations. The base must be specified as a Distinguished Name in
# LDAP format.

# BINDDN <dn>
# Specifies the default bind DN to use when performing ldap
# operations. The bind DN must be specified as a Distinguished Name in
# LDAP format. This is a user-only option.

# DEREF <when>
# Specifies how alias dereferencing is done when performing a
# search. The <when> can be specified as one of the following
# keywords:

# never Aliases are never dereferenced. This is the default.

# searching
# Aliases are dereferenced in subordinates of the base
# object, but not in locating the base object of the
# search.

# finding
# Aliases are only dereferenced when locating the base
# object of the search.

# always Aliases are dereferenced both in searching and in
# locating the base object of the search.


# HOST <name[:port] ...>
# Specifies the name(s) of an LDAP server(s) to which the
# LDAP library should connect. Each server's name can be
# specified as a domain-style name or an IP address and
# optionally followed by a ':' and the port number the ldap
# server is listening on. A space separated list of hosts
# may be provided. HOST is deprecated in favor of URI.

# NETWORK_TIMEOUT <integer>
# Specifies the timeout (in seconds) after which the
# poll(2)/select(2) following a connect(2) returns in case
# of no activity.

# PORT <port>
# Specifies the default port used when connecting to LDAP
# servers(s). The port may be specified as a number. PORT
# is deprecated in favor of URI.

# REFERRALS <on/true/yes/off/false/no>
# Specifies if the client should automatically follow
# referrals returned by LDAP servers. The default is on.
# Note that the command line tools ldapsearch(1) &co always
# override this option.

# SIZELIMIT <integer>
# Specifies a size limit (number of entries) to use when
# performing searches. The number should be a non-negative
# integer. SIZELIMIT of zero (0) specifies a request for
# unlimited search size. Please note that the server may
# still apply any server-side limit on the amount of
# entries that can be returned by a search operation.

# TIMELIMIT <integer>
# Specifies a time limit (in seconds) to use when performing
# searches. The number should be a non-negative integer.
# TIMELIMIT of zero (0) specifies unlimited search
# time to be used. Please note that the server may still
# apply any server-side limit on the duration of a search
# operation.

# VERSION {2|3}
# Specifies what version of the LDAP protocol should be used.

# TIMEOUT <integer>
# Specifies a timeout (in seconds) after which calls to
# synchronous LDAP APIs will abort if no response is
# received. Also used for any ldap_result(3) calls where a
# NULL timeout parameter is supplied.

### SASL OPTIONS
# If OpenLDAP is built with Simple Authentication and Security
# Layer support, there are more options you can specify.

# SASL_MECH <mechanism>
# Specifies the SASL mechanism to use. This is a user-only
# option.

# SASL_REALM <realm>
# Specifies the SASL realm. This is a user-only option.

# SASL_AUTHCID <authcid>
# Specifies the authentication identity. This is a
# user-only option.

# SASL_AUTHZID <authcid>
# Specifies the proxy authorization identity. This is a
# user-only option.

# SASL_SECPROPS <properties>
# Specifies Cyrus SASL security properties. The
# <properties> can be specified as a comma-separated list of the
# following:

# none (without any other properties) causes the
# properties defaults ("noanonymous,noplain") to be
# cleared.

# noplain
# disables mechanisms susceptible to simple passive
# attacks.

# noactive
# disables mechanisms susceptible to active attacks.

# nodict disables mechanisms susceptible to passive
# dictionary attacks.

# noanonymous
# disables mechanisms which support anonymous login.

# forwardsec
# requires forward secrecy between sessions.

# passcred
# requires mechanisms which pass client credentials
# (and allows mechanisms which can pass credentials
# to do so).

# minssf=<factor>
# specifies the minimum acceptable security strength
# factor as an integer approximating the effective
# key length used for encryption. 0 (zero) implies
# no protection, 1 implies integrity protection
# only, 56 allows DES or other weak ciphers, 112
# allows triple DES and other strong ciphers, 128
# allows RC4, Blowfish and other modern strong
# ciphers. The default is 0.

# maxssf=<factor>
# specifies the maximum acceptable security strength
# factor as an integer (see minssf description).
# The default is INT_MAX.

# maxbufsize=<factor>
# specifies the maximum security layer receive
# buffer size allowed. 0 disables security layers.
# The default is 65536.

### GSSAPI OPTIONS
# If OpenLDAP is built with Generic Security Services Application
# Programming Interface support, there are more options you can
# specify.

# GSSAPI_SIGN <on/true/yes/off/false/no>
# Specifies if GSSAPI signing (GSS_C_INTEG_FLAG) should be
# used. The default is off.

# GSSAPI_ENCRYPT <on/true/yes/off/false/no>
# Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and
# GSS_C_CONF_FLAG) should be used. The default is off.

# GSSAPI_ALLOW_REMOTE_PRINCIPAL <on/true/yes/off/false/no>
# Specifies if GSSAPI based authentication should try to
# form the target principal name out of the ldapServiceName
# or dnsHostName attribute of the targets RootDSE entry.
# The default is off.

### TLS OPTIONS
# If OpenLDAP is built with Transport Layer Security support,
# there are more options you can specify. These options are used
# when an ldaps:// URI is selected (by default or otherwise) or
# when the application negotiates TLS by issuing the LDAP StartTLS
# operation.

# TLS_CACERT <filename>
# Specifies the file that contains certificates for all of
# the Certificate Authorities the client will recognize.

# TLS_CACERTDIR <path>
# Specifies the path of a directory that contains
# Certificate Authority certificates in separate individual files.
# The TLS_CACERT is always used before TLS_CACERTDIR. This
# parameter is ignored with GnuTLS. On Debian openldap is
# linked against GnuTLS.

# When using Mozilla NSS, <path> may contain a Mozilla NSS
# cert/key database. If <path> contains a Mozilla NSS
# cert/key database and CA cert files, OpenLDAP will use
# the cert/key database and will ignore the CA cert files.

# TLS_CERT <filename>
# Specifies the file that contains the client certificate.
# This is a user-only option.

# When using Mozilla NSS, if using a cert/key database
# (specified with TLS_CACERTDIR), TLS_CERT specifies the
# name of the certificate to use:
# TLS_CERT Certificate for Sam Carter
# If using a token other than the internal built in token,
# specify the token name first, followed by a colon:
# TLS_CERT my hardware device:Certificate for Sam Carter
# Use certutil -L to list the certificates by name:
# certutil -d /path/to/certdbdir -L

# TLS_KEY <filename>
# Specifies the file that contains the private key that
# matches the certificate stored in the TLS_CERT file.
# Currently, the private key must not be protected with a
# password, so it is of critical importance that the key
# file is protected carefully. This is a user-only option.

# When using Mozilla NSS, TLS_KEY specifies the name of a
# file that contains the password for the key for the
# certificate specified with TLS_CERT. The modutil command
# can be used to turn off password protection for the
# cert/key database. For example, if TLS_CACERTDIR
# specifies /home/scarter/.moznss as the location of the
# cert/key database, use modutil to change the password to
# the empty string:
# modutil -dbdir ~/.moznss -changepw 'NSS Certificate DB'
# You must have the old password, if any. Ignore the
# WARNING about the running browser. Press 'Enter' for the new
# password.


# TLS_CIPHER_SUITE <cipher-suite-spec>
# Specifies acceptable cipher suite and preference order.
# <cipher-suite-spec> should be a cipher specification for
# the TLS library in use (OpenSSL, GnuTLS, or Mozilla NSS).
# Example:

# OpenSSL:
# TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2

# GnuTLS:
# TLS_CIPHER_SUITE SECURE256:!AES-128-CBC

# To check what ciphers a given spec selects in OpenSSL,
# use:

# openssl ciphers -v <cipher-suite-spec>

# With GnuTLS the available specs can be found in the
# manual page of gnutls-cli(1) (see the description of the
# option --priority).

# In older versions of GnuTLS, where gnutls-cli does not
# support the option --priority, you can obtain the — more
# limited — list of ciphers by calling:

# gnutls-cli -l

# When using Mozilla NSS, the OpenSSL cipher suite
# specifications are used and translated into the format used
# internally by Mozilla NSS. There isn't an easy way to
# list the cipher suites from the command line. The
# authoritative list is in the source code for Mozilla NSS
# in the file sslinfo.c in the structure
# static const SSLCipherSuiteInfo suiteInfo[]

# TLS_PROTOCOL_MIN <major>[.<minor>]
# Specifies minimum SSL/TLS protocol version that will be
# negotiated. If the server doesn't support at least that
# version, the SSL handshake will fail. To require TLS 1.x
# or higher, set this option to 3.(x+1), e.g.,

# TLS_PROTOCOL_MIN 3.2

# would require TLS 1.1. Specifying a minimum that is
# higher than that supported by the OpenLDAP implementation
# will result in it requiring the highest level that it
# does support. This parameter is ignored with GnuTLS.

# TLS_RANDFILE <filename>
# Specifies the file to obtain random bits from when
# /dev/[u]random is not available. Generally set to the
# name of the EGD/PRNGD socket. The environment variable
# RANDFILE can also be used to specify the filename. This
# parameter is ignored with GnuTLS and Mozilla NSS. On
# Debian openldap is linked against GnuTLS.

# TLS_REQCERT <level>
# Specifies what checks to perform on server certificates
# in a TLS session, if any. The <level> can be specified as
# one of the following keywords:

# never The client will not request or check any server
# certificate.

# allow The server certificate is requested. If no
# certificate is provided, the session proceeds
# normally. If a bad certificate is provided, it will
# be ignored and the session proceeds normally.

# try The server certificate is requested. If no
# certificate is provided, the session proceeds
# normally. If a bad certificate is provided, the
# session is immediately terminated.

# demand | hard
# These keywords are equivalent. The server
# certificate is requested. If no certificate is provided,
# or a bad certificate is provided, the session is
# immediately terminated. This is the default
# setting.

# TLS_CRLCHECK <level>
# Specifies if the Certificate Revocation List (CRL) of the
# CA should be used to verify if the server certificates
# have not been revoked. This requires TLS_CACERTDIR
# parameter to be set. This parameter is ignored with GnuTLS and
# Mozilla NSS. On Debian openldap is linked against GnuTLS.
# <level> can be specified as one of the following
# keywords:

# none No CRL checks are performed

# peer Check the CRL of the peer certificate

# all Check the CRL for a whole certificate chain

# TLS_CRLFILE <filename>
# Specifies the file containing a Certificate Revocation
# List to be used to verify if the server certificates have
# not been revoked. This parameter is only supported with
# GnuTLS and Mozilla NSS.

Putting it to the test
Query the LDAP authentication info
Watch the log output in parallel
Aug 10 18:40:21 ldap2 slapd[31955]: slap_listener_activate(11):
Aug 10 18:40:21 ldap2 slapd[31955]: >>> slap_listener(ldaps:///)
Aug 10 18:40:21 ldap2 slapd[31955]: conn=1067 fd=22 ACCEPT from IP=127.0.0.1:59834 (IP=0.0.0.0:636)
Aug 10 18:40:21 ldap2 slapd[31955]: connection_get(22): got connid=1067
Aug 10 18:40:21 ldap2 slapd[31955]: connection_read(22): checking for input on id=1067
Aug 10 18:40:21 ldap2 slapd[31955]: connection_get(22): got connid=1067
Aug 10 18:40:21 ldap2 slapd[31955]: connection_read(22): checking for input on id=1067
Aug 10 18:40:21 ldap2 slapd[31955]: connection_get(22): got connid=1067
Aug 10 18:40:21 ldap2 slapd[31955]: connection_read(22): checking for input on id=1067
Aug 10 18:40:21 ldap2 slapd[31955]: connection_read(22): unable to get TLS client DN, error=49 id=1067
Aug 10 18:40:21 ldap2 slapd[31955]: conn=1067 fd=22 TLS established tls_ssf=128 ssf=128
Aug 10 18:40:21 ldap2 slapd[31955]: connection_get(22): got connid=1067
Aug 10 18:40:21 ldap2 slapd[31955]: connection_read(22): checking for input on id=1067
Aug 10 18:40:21 ldap2 slapd[31955]: op tag 0x42, time 1407688821
Aug 10 18:40:21 ldap2 slapd[31955]: ber_get_next on fd 22 failed errno=0 (Success)
Aug 10 18:40:21 ldap2 slapd[31955]: conn=1067 op=0 do_unbind
Aug 10 18:40:21 ldap2 slapd[31955]: conn=1067 op=0 UNBIND
Aug 10 18:40:21 ldap2 slapd[31955]: connection_close: conn=1067 sd=22
Aug 10 18:40:21 ldap2 slapd[31955]: conn=1067 fd=22 closed
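The line to look for in that log is "unable to get TLS client DN": the TLS session came up, but slapd got no usable client certificate, so a SASL EXTERNAL bind on that connection has no identity to work with. The following script is an added example, not part of the original page or of OpenLDAP: it groups slapd syslog lines by connection number and reports exactly that state, and it also lists which connections did bind with mech=EXTERNAL and under which DN. The sample log below is constructed after the excerpt above (conn=1067) plus an invented successful connection (conn=1068); the BIND line formats follow slapd's stats logging.

```python
"""Triage slapd connection logs for TLS client-certificate problems."""
import re
from collections import defaultdict

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<peer>[\d.:\[\]a-fA-F]+)")
TLS_RE = re.compile(r"TLS established tls_ssf=(?P<ssf>\d+)")
BIND_RE = re.compile(r"op=\d+ BIND (?P<what>.*)")
EXT_RE = re.compile(r'^dn="(?P<dn>[^"]+)" mech=EXTERNAL')
# This message carries the connection number as "id=N" rather than "conn=N".
NODN_RE = re.compile(r"unable to get TLS client DN, error=(?P<err>\d+) id=(?P<conn>\d+)")


def parse_connections(lines):
    """Return {conn: state} with peer, TLS ssf, client-DN error and BIND lines."""
    conns = defaultdict(lambda: {"peer": None, "tls_ssf": None,
                                 "client_dn_error": None, "binds": []})
    for line in lines:
        m = NODN_RE.search(line)
        if m:
            conns[m["conn"]]["client_dn_error"] = int(m["err"])
            continue
        m = CONN_RE.search(line)
        if not m:
            continue  # listener chatter, connection_get/read, etc.
        state, rest = conns[m["conn"]], m["rest"]
        a, t, b = ACCEPT_RE.search(rest), TLS_RE.search(rest), BIND_RE.search(rest)
        if a:
            state["peer"] = a["peer"]
        elif t:
            state["tls_ssf"] = int(t["ssf"])
        elif b:
            state["binds"].append(b["what"])
    return dict(conns)


def findings(conns):
    """Connections on which TLS came up without a usable client certificate."""
    out = []
    for conn, s in sorted(conns.items(), key=lambda kv: int(kv[0])):
        if s["tls_ssf"] and s["client_dn_error"] is not None:
            out.append(f"conn={conn} from {s['peer']}: TLS up (ssf={s['tls_ssf']}) "
                       f"but no client certificate DN (error={s['client_dn_error']}); "
                       "check TLS_CERT/TLS_KEY in ~/.ldaprc and olcTLSVerifyClient")
    return out


def external_identities(conns):
    """{conn: DN} for every successful SASL EXTERNAL bind in the log."""
    ids = {}
    for conn, s in conns.items():
        for b in s["binds"]:
            m = EXT_RE.match(b)
            if m:
                ids[conn] = m["dn"]
    return ids


# Constructed sample log, modelled on the slapd excerpt above.
SAMPLE_LOG = """\
Aug 10 18:40:21 ldap2 slapd[31955]: conn=1067 fd=22 ACCEPT from IP=127.0.0.1:59834 (IP=0.0.0.0:636)
Aug 10 18:40:21 ldap2 slapd[31955]: connection_read(22): unable to get TLS client DN, error=49 id=1067
Aug 10 18:40:21 ldap2 slapd[31955]: conn=1067 fd=22 TLS established tls_ssf=128 ssf=128
Aug 10 18:40:21 ldap2 slapd[31955]: conn=1067 op=0 UNBIND
Aug 10 18:41:02 ldap2 slapd[31955]: conn=1068 fd=23 ACCEPT from IP=127.0.0.1:59840 (IP=0.0.0.0:636)
Aug 10 18:41:02 ldap2 slapd[31955]: conn=1068 fd=23 TLS established tls_ssf=128 ssf=128
Aug 10 18:41:02 ldap2 slapd[31955]: conn=1068 op=0 BIND dn="" method=163
Aug 10 18:41:02 ldap2 slapd[31955]: conn=1068 op=0 BIND dn="cn=ldap2.example.com,o=Internet Widgits Pty Ltd,st=Some-State,c=AU" mech=EXTERNAL sasl_ssf=0 ssf=128
""".splitlines()

if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    for line in findings(conns):
        print(line)
    for conn, dn in external_identities(conns).items():
        print(f"conn={conn} authenticated as {dn}")
```

Feed it the slapd syslog output (journalctl -u slapd or /var/log/syslog) instead of SAMPLE_LOG; the only state it needs is the ACCEPT, "TLS established", "unable to get TLS client DN" and BIND lines, so the connection_get/connection_read noise from loglevel -1 can stay in.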
Solving the objective
Go through the docs again and again, and then suddenly it is there on the screen, crystal clear: the missing hint (second sentence of the TLS_CERT paragraph): http://www.openldap.org/doc/admin24/tls.html#TLS_CERT%20%3Cfilename%3E
Quoted from the documentation:
16.2.2.3. TLS_CERT <filename>
This directive specifies the file that contains the client certificate. This is a user-only directive and can only be specified in a user's .ldaprc file.
So a symbolic link from root's home to /etc/ldap/ldap.conf has been created.
ln -s /etc/ldap/ldap.conf /root/.ldaprc
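The lesson of this section is that libldap silently ignores user-only options in the system-wide file, and a client certificate that is never presented looks, server-side, just like the "unable to get TLS client DN" line above. The following script is an added example (not part of the page and not OpenLDAP code): it parses the keyword/value lines of an ldap.conf(5)-style file and reports user-only options placed in /etc/ldap/ldap.conf, a TLS_REQCERT setting weaker than demand, and a TLS_CERT without its TLS_KEY. The list of user-only keywords is taken from the man page text above; the sample file is constructed after the distilled configuration shown earlier.

```python
"""Lint an ldap.conf / .ldaprc for settings that silently do not take effect."""

# Options that ldap.conf(5) marks "This is a user-only option": they are
# honoured in ldaprc/.ldaprc only and ignored in the system-wide file.
USER_ONLY = {"BINDDN", "SASL_MECH", "SASL_REALM", "SASL_AUTHCID",
             "SASL_AUTHZID", "TLS_CERT", "TLS_KEY"}
# TLS_REQCERT levels that accept a missing or bad server certificate.
WEAK_REQCERT = {"never", "allow", "try"}


def parse_ldap_conf(text):
    """Return [(KEYWORD, value)] for each non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((keyword, value))
    return entries


def check_ldap_conf(text, system_wide):
    """Return a list of findings for the file content.

    system_wide=True  -> text is /etc/ldap/ldap.conf (or $LDAPCONF)
    system_wide=False -> text is a per-user ldaprc / ~/.ldaprc
    """
    findings = []
    seen = {}
    for keyword, value in parse_ldap_conf(text):
        seen[keyword] = value
        if system_wide and keyword in USER_ONLY:
            findings.append(f"{keyword} is a user-only option and is ignored in the "
                            "system-wide file; put it in ~/.ldaprc")
        if keyword == "TLS_REQCERT" and value.lower() in WEAK_REQCERT:
            findings.append(f"TLS_REQCERT {value} does not reject a missing or bad "
                            "server certificate; use demand")
    if "TLS_CERT" in seen and "TLS_KEY" not in seen:
        findings.append("TLS_CERT is set without TLS_KEY; the client certificate "
                        "cannot be presented without its private key")
    return findings


# Constructed sample, modelled on the distilled /etc/ldap/ldap.conf above.
SAMPLE_CONF = """\
# LDAP client defaults (constructed sample)
URI ldaps://ldap2.example.com
BASE dc=example,dc=com
SASL_MECH EXTERNAL
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_CERT /etc/ssl/demoCA/certs/com.example.ldap2.crt
TLS_KEY /etc/ssl/demoCA/private/com.example.ldap2.key
TLS_REQCERT demand
"""

if __name__ == "__main__":
    print("as /etc/ldap/ldap.conf:")
    for f in check_ldap_conf(SAMPLE_CONF, system_wide=True):
        print("  -", f)
    print("as ~/.ldaprc:")
    for f in check_ldap_conf(SAMPLE_CONF, system_wide=False):
        print("  -", f)
```

Run against the real files with `check_ldap_conf(open("/etc/ldap/ldap.conf").read(), True)` and `check_ldap_conf(open(os.path.expanduser("~/.ldaprc")).read(), False)`; with the symlink from above in place, both calls read the same content and only the first one complains, which is the situation the page ends up in.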
Working
Mission accomplished
root@ldap2 ~ # ldapsearch -ZZLLLH ldap:/// -b '' -s base supportedSASLMechanisms
SASL/EXTERNAL authentication started
SASL username: cn=ldap2.example.com,o=Internet Widgits Pty Ltd,st=Some-State,c=AU
SASL SSF: 0
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
Schemas
Check Schemas
Use Apache Directory Studio or ldapsearch to determine which schemas are imported by default. This is where we start.
root@mail /etc # ldapsearch -LLLb cn=schema,cn=config -H ldapi:/// -Y EXTERNAL cn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=schema,cn=config
cn: schema

dn: cn={0}core,cn=schema,cn=config
cn: {0}core

dn: cn={1}cosine,cn=schema,cn=config
cn: {1}cosine

dn: cn={2}nis,cn=schema,cn=config
cn: {2}nis

dn: cn={3}inetorgperson,cn=schema,cn=config
cn: {3}inetorgperson
On Debian the schema files are located in /etc/ldap/schema, in two formats/suffixes:
- .schema is for the deprecated offline configuration (/etc/slapd/slapd.conf)
- .ldif is ready to be imported into the online configuration of OpenLDAP 2.4+
ls -l /etc/ldap/schema
insgesamt 252
-rw-r--r-- 1 root root 36394 Okt 26 2014 amavis.schema
-rw-r--r-- 1 root root 2036 Sep 11 18:15 collective.ldif
-rw-r--r-- 1 root root 2180 Apr 23 2013 collective.schema
-rw-r--r-- 1 root root 1845 Sep 11 18:15 corba.ldif
-rw-r--r-- 1 root root 2084 Apr 23 2013 corba.schema
-rw-r--r-- 1 root root 21196 Sep 11 18:15 core.ldif
-rw-r--r-- 1 root root 21083 Sep 11 18:15 core.schema
-rw-r--r-- 1 root root 12006 Sep 11 18:15 cosine.ldif
-rw-r--r-- 1 root root 14030 Apr 23 2013 cosine.schema
-rw-r--r-- 1 root root 4842 Sep 11 18:15 duaconf.ldif
-rw-r--r-- 1 root root 6249 Sep 11 18:15 duaconf.schema
-rw-r--r-- 1 root root 3330 Sep 11 18:15 dyngroup.ldif
-rw-r--r-- 1 root root 3289 Sep 11 18:15 dyngroup.schema
-rw-r--r-- 1 root root 3481 Sep 11 18:15 inetorgperson.ldif
-rw-r--r-- 1 root root 3915 Sep 11 18:15 inetorgperson.schema
-rw-r--r-- 1 root root 2979 Sep 11 18:15 java.ldif
-rw-r--r-- 1 root root 3295 Apr 23 2013 java.schema
-rw-r--r-- 1 root root 2082 Sep 11 18:15 misc.ldif
-rw-r--r-- 1 root root 2387 Sep 11 18:15 misc.schema
-rw-r--r-- 1 root root 6809 Sep 11 18:15 nis.ldif
-rw-r--r-- 1 root root 7640 Sep 11 18:15 nis.schema
-rw-r--r-- 1 root root 3308 Sep 11 18:15 openldap.ldif
-rw-r--r-- 1 root root 1514 Sep 11 18:15 openldap.schema
-rw-r--r-- 1 root root 6904 Sep 11 18:15 pmi.ldif
-rw-r--r-- 1 root root 21051 Sep 11 18:15 pmi.schema
-rw-r--r-- 1 root root 4356 Sep 11 18:15 ppolicy.ldif
-rw-r--r-- 1 root root 5038 Sep 11 18:15 ppolicy.schema
-rw-r--r-- 1 root root 3512 Sep 11 18:15 README
The schema dependencies can be found in the comments inside the files (-> means "depends upon").
core
cosine -> core
nis -> core
    -> cosine
inetorgperson -> core
    -> cosine
dyngroup -> core
# openldap is an example file for schema conversion
openldap -> core
    -> cosine
    -> inetorgperson
java -> core
corba -> core
collective
corba
duaconf
# not recommended for production use
misc
pmi
# not recommended for production use
ppolicy
So we get a reversed order:
- already imported
  - core
  - cosine
  - nis
  - inetorgperson
- to be imported
  - dyngroup
  - duaconf
  - collective
  - pmi
  - ppolicy
  - misc
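Working the order out by hand is fine for a dozen schemas, but it is the kind of thing that goes wrong once a site schema (kolab3, amavis) with its own dependencies joins the list. The following is an added example, not from the page or from OpenLDAP: it holds the dependency map transcribed from the comment block above, computes an import order with Kahn's topological sort (dependencies first, ties broken alphabetically so the result is stable), skips what cn=schema,cn=config already holds, pulls in transitive dependencies of the schemas you ask for, refuses to produce an order if the map contains a cycle, and renders the same ldapadd invocations the page uses. The SCHEMA_DEPS table and the ldapi:/// command shape are the only things taken from the page; everything else is this example's own.

```python
"""Compute a schema import order for cn=config from a dependency map."""
import heapq

# Transcribed from the dependency listing above ("->" means "depends upon").
SCHEMA_DEPS = {
    "core": [],
    "cosine": ["core"],
    "nis": ["core", "cosine"],
    "inetorgperson": ["core", "cosine"],
    "dyngroup": ["core"],
    "openldap": ["core", "cosine", "inetorgperson"],
    "java": ["core"],
    "corba": ["core"],
    "collective": [],
    "duaconf": [],
    "misc": [],
    "pmi": [],
    "ppolicy": [],
}

# What the ldapsearch on cn=schema,cn=config above reported as present.
ALREADY_LOADED = ("core", "cosine", "nis", "inetorgperson")


def import_order(deps, already_loaded=(), wanted=None):
    """Return the schemas to import, dependencies first, in a stable order.

    deps           -- {schema: [schemas it depends upon]}
    already_loaded -- schemas present in cn=schema,cn=config (left out)
    wanted         -- schemas to load (default: all); their transitive
                      dependencies are added automatically
    Raises ValueError for an unknown schema or a dependency cycle.
    """
    loaded = set(already_loaded)
    todo = set()
    stack = list(deps if wanted is None else wanted)
    while stack:  # transitive closure of the wanted set, minus what is loaded
        s = stack.pop()
        if s in loaded or s in todo:
            continue
        if s not in deps:
            raise ValueError(f"unknown schema: {s}")
        todo.add(s)
        stack.extend(deps[s])
    # Kahn's algorithm; the heap makes the output alphabetical among ties.
    remaining = {s: {d for d in deps[s] if d not in loaded} for s in todo}
    ready = [s for s, ds in remaining.items() if not ds]
    heapq.heapify(ready)
    order = []
    while ready:
        s = heapq.heappop(ready)
        order.append(s)
        del remaining[s]
        for t, ds in remaining.items():
            if s in ds:
                ds.discard(s)
                if not ds:
                    heapq.heappush(ready, t)
    if remaining:  # nodes left with unsatisfied deps can only mean a cycle
        raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
    return order


def ldapadd_commands(order, schema_dir="/etc/ldap/schema"):
    """Render the ldapadd invocation used above, one per schema, in order."""
    return [f'ldapadd -H ldapi:/// -Y EXTERNAL -f "{schema_dir}/{s}.ldif"' for s in order]


if __name__ == "__main__":
    wanted = ["dyngroup", "duaconf", "collective", "pmi", "ppolicy", "misc"]
    for cmd in ldapadd_commands(import_order(SCHEMA_DEPS, ALREADY_LOADED, wanted)):
        print(cmd)
```

For the page's six schemas the order is simply alphabetical, because none of them depends on anything that is not already loaded; ask for "openldap" on a fresh server and the function inserts core, cosine and inetorgperson in front of it.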
Import the basic schemas
root@mail /etc/ldap/schema # for SCHEMA in dyngroup duaconf collective pmi ppolicy misc; do
ldapadd -H ldapi:/// -Y EXTERNAL -f "$SCHEMA".ldif;
done
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=duaconf,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=collective,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=pmi,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=misc,cn=schema,cn=config"
Convert .schema to .ldif
Alt 1
You lose the comments in the files -> see Alt 2
- Conversion is possible with a small config file "$config" that includes the schemas: slaptest -f "$config" -F "$outdir"
Alt 2
- Here's a dirty little script I wrote that preserves the comments.
- Maybe you need to adjust it to your specific needs. Mine is adjusted to fix a broken "kolab3.ldif".
/usr/local/bin/schema2ldif.sh
#!/bin/bash
### Convert .schema to .ldif
# As explained in /etc/ldap/schema/openldap.conf
set -euo pipefail

if [ $# -ne 2 ]; then
    echo "usage: $0 <input.schema> <output.ldif>" >&2
    exit 1
fi

FILE_INPUT="$1"
FILE_OUTPUT="$2"
SCHEMA="$(basename "$FILE_INPUT" .schema)"
DN="cn=$SCHEMA,cn=schema,cn=config"
FILE_TMP="$(mktemp)"
trap 'rm -f "$FILE_TMP"' EXIT

cp "$FILE_INPUT" "$FILE_TMP"

# substitution: slapd.conf schema directives -> cn=config attribute names
# (note -ri, not -ir: "-ir" is read by sed as in-place with backup suffix "r",
# and the pattern is then not an extended regex)
sed -ri 's/^objectIdentifier/olcObjectIdentifier:/I' "$FILE_TMP"
sed -ri 's/^objectClass/olcObjectClasses:/I' "$FILE_TMP"
sed -ri 's/^attributeType/olcAttributeTypes:/I' "$FILE_TMP"

# LDIF continuation lines: leading whitespace becomes a single space
sed -ri 's/^[[:space:]]+/ /' "$FILE_TMP"

# generate header: entry DN first, then the converted body; a placeholder
# "dn: cn=schema" line in the source is dropped, and no blank line may follow
# the header because an empty line ends an LDIF entry
{
    printf 'dn: %s\nobjectClass: olcSchemaConfig\ncn: %s\n' "$DN" "$SCHEMA"
    grep -Ev '^dn:[[:space:]]*cn=schema[[:space:]]*$' "$FILE_TMP" || true
} > "$FILE_OUTPUT"

head -n 80 "$FILE_OUTPUT" | tail -n 40
Execute script
Import fixed schema
Check schemas once again - up'n'runnin'
root@mail /etc/ldap/schema # ldapsearch -LLLb cn=schema,cn=config -H ldapi:/// -Y EXTERNAL cn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=schema,cn=config
cn: schema

dn: cn={0}core,cn=schema,cn=config
cn: {0}core

dn: cn={1}cosine,cn=schema,cn=config
cn: {1}cosine

dn: cn={2}nis,cn=schema,cn=config
cn: {2}nis

dn: cn={3}inetorgperson,cn=schema,cn=config
cn: {3}inetorgperson

dn: cn={4}dyngroup,cn=schema,cn=config
cn: {4}dyngroup

dn: cn={5}duaconf,cn=schema,cn=config
cn: {5}duaconf

dn: cn={6}collective,cn=schema,cn=config
cn: {6}collective

dn: cn={7}pmi,cn=schema,cn=config
cn: {7}pmi

dn: cn={8}ppolicy,cn=schema,cn=config
cn: {8}ppolicy

dn: cn={9}misc,cn=schema,cn=config
cn: {9}misc

dn: cn={10}kolab3,cn=schema,cn=config
cn: {10}kolab3
SASL
Passthrough authentication
Install sasl2-bin
root@ldap2 ~ # aptitude install sasl2-bin libsasl2-modules-ldap db-util db5.3-util
Die folgenden NEUEN Pakete werden zusätzlich installiert:
db-util db5.3-util libsasl2-modules-ldap sasl2-bin
0 Pakete aktualisiert, 4 zusätzlich installiert, 0 werden entfernt und 38 nicht aktualisiert.
298 kB an Archiven müssen heruntergeladen werden. Nach dem Entpacken werden 864 kB zusätzlich belegt sein.
Holen: 1 http://ftp.debian.org/debian/ jessie/main db5.3-util amd64 5.3.28-5 [63,9 kB]
Holen: 2 http://ftp.debian.org/debian/ jessie/main db-util all 5.3.0 [2.696 B]
Holen: 3 http://ftp.debian.org/debian/ jessie/main sasl2-bin amd64 2.1.26.dfsg1-11 [166 kB]
Holen: 4 http://ftp.debian.org/debian/ jessie/main libsasl2-modules-ldap amd64 2.1.26.dfsg1-11 [65,5 kB]
298 kB wurden in 0 s heruntergeladen (1.085 kB/s)
Vorkonfiguration der Pakete ...
Vormals nicht ausgewähltes Paket db5.3-util wird gewählt.
(Lese Datenbank ... 45827 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../db5.3-util_5.3.28-5_amd64.deb ...
Entpacken von db5.3-util (5.3.28-5) ...
Vormals nicht ausgewähltes Paket db-util wird gewählt.
Vorbereitung zum Entpacken von .../archives/db-util_5.3.0_all.deb ...
Entpacken von db-util (5.3.0) ...
Vormals nicht ausgewähltes Paket sasl2-bin wird gewählt.
Vorbereitung zum Entpacken von .../sasl2-bin_2.1.26.dfsg1-11_amd64.deb ...
Entpacken von sasl2-bin (2.1.26.dfsg1-11) ...
Vormals nicht ausgewähltes Paket libsasl2-modules-ldap:amd64 wird gewählt.
Vorbereitung zum Entpacken von .../libsasl2-modules-ldap_2.1.26.dfsg1-11_amd64.deb ...
Entpacken von libsasl2-modules-ldap:amd64 (2.1.26.dfsg1-11) ...
Trigger für man-db (2.6.7.1-1) werden verarbeitet ...
db5.3-util (5.3.28-5) wird eingerichtet ...
db-util (5.3.0) wird eingerichtet ...
sasl2-bin (2.1.26.dfsg1-11) wird eingerichtet ...
To enable saslauthd, edit /etc/default/saslauthd and set START=yes ... (warning).
libsasl2-modules-ldap:amd64 (2.1.26.dfsg1-11) wird eingerichtet ...
Start saslauthd
Gather info
Let's play around
No Config …
root@ldap2 ~src/sasl/cyrus-sasl2-2.1.26.dfsg1 # aptitude install cyrus-sasl2-doc
Die folgenden NEUEN Pakete werden zusätzlich installiert:
cyrus-sasl2-doc
0 Pakete aktualisiert, 1 zusätzlich installiert, 0 werden entfernt und 0 nicht aktualisiert.
107 kB an Archiven müssen heruntergeladen werden. Nach dem Entpacken werden 256 kB zusätzlich belegt sein.
Holen: 1 http://ftp.debian.org/debian/ jessie/main cyrus-sasl2-doc all 2.1.26.dfsg1-11 [107 kB]
107 kB wurden in 0 s heruntergeladen (681 kB/s)
Vormals nicht ausgewähltes Paket cyrus-sasl2-doc wird gewählt.
(Lese Datenbank ... 45858 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../cyrus-sasl2-doc_2.1.26.dfsg1-11_all.deb ...
Entpacken von cyrus-sasl2-doc (2.1.26.dfsg1-11) ...
cyrus-sasl2-doc (2.1.26.dfsg1-11) wird eingerichtet ...
root@ldap2 ~src/sasl/cyrus-sasl2-2.1.26.dfsg1 # dpkg -c /var/cache/apt/archives/cyrus-sasl2-doc_2.1.26.dfsg1-11_all.deb
drwxr-xr-x root/root 0 2014-07-11 11:04 ./
drwxr-xr-x root/root 0 2014-07-11 11:04 ./usr/
drwxr-xr-x root/root 0 2014-07-11 11:04 ./usr/share/
drwxr-xr-x root/root 0 2014-07-11 11:04 ./usr/share/doc-base/
-rw-r--r-- root/root 274 2014-07-11 10:59 ./usr/share/doc-base/cyrus-sasl2-doc
drwxr-xr-x root/root 0 2014-07-11 11:04 ./usr/share/doc/
drwxr-xr-x root/root 0 2014-07-11 11:04 ./usr/share/doc/cyrus-sasl2-doc/
-rw-r--r-- root/root 16550 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/plugprog.html
-rw-r--r-- root/root 7768 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/gssapi.html
-rw-r--r-- root/root 35836 2012-10-12 16:05 ./usr/share/doc/cyrus-sasl2-doc/changelog.gz
-rw-r--r-- root/root 17370 2014-07-11 10:59 ./usr/share/doc/cyrus-sasl2-doc/changelog.Debian.gz
-rw-r--r-- root/root 3640 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/LDAP_SASLAUTHD.gz
-rw-r--r-- root/root 7486 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/mechanisms.html
-rw-r--r-- root/root 41697 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/programming.html
-rw-r--r-- root/root 11851 2012-10-12 16:05 ./usr/share/doc/cyrus-sasl2-doc/macosx.html
-rw-r--r-- root/root 4845 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/appconvert.html
-rw-r--r-- root/root 3099 2014-07-11 10:59 ./usr/share/doc/cyrus-sasl2-doc/copyright
-rw-r--r-- root/root 9191 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/components.html
-rw-r--r-- root/root 6244 2012-10-12 16:05 ./usr/share/doc/cyrus-sasl2-doc/windows.html
-rw-r--r-- root/root 4765 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/readme.html
-rw-r--r-- root/root 10372 2012-10-12 16:05 ./usr/share/doc/cyrus-sasl2-doc/install.html
-rw-r--r-- root/root 5491 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/index.html
-rw-r--r-- root/root 4167 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/upgrading.html
-rw-r--r-- root/root 1733 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/advanced.html
-rw-r--r-- root/root 22379 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/sysadmin.html
-rw-r--r-- root/root 11792 2012-01-28 00:31 ./usr/share/doc/cyrus-sasl2-doc/options.html
-rw-r--r-- root/root 371 2014-07-11 10:59 ./usr/share/doc/cyrus-sasl2-doc/NEWS.Debian.gz
SASL Mechanism Properties/Features
This table shows what security flags and features are supported by each of the mechanisms provided by the Cyrus SASL Library.

Mechanism       | MAX SSF | NOPLAIN | NOACTIVE | NODICT | FORWARD | NOANON | CRED | MUTUAL | CLT FIRST | SRV FIRST    | SRV LAST | PROXY
----------------|---------|---------|----------|--------|---------|--------|------|--------|-----------|--------------|----------|------
ANONYMOUS       | 0       | X       |          |        |         |        |      |        | X         |              |          |
CRAM-MD5        | 0       | X       |          |        |         | X      |      |        |           | X            |          |
DIGEST-MD5      | 128     | X       |          |        |         | X      |      | X      | reauth    | initial auth | X        | X
EXTERNAL        | 0       | X       |          | X      |         | X      |      |        | X         |              |          | X
GSSAPI          | 56      | X       | X        |        |         | X      |      | X      | X         |              |          | X
KERBEROS_V4     | 56      | X       | X        |        |         | X      |      | X      |           | X            |          | X
LOGIN           | 0       |         |          |        |         | X      | X    |        |           | X            |          |
NTLM            | 0       | X       |          |        |         | X      |      |        | X         |              |          |
OTP             | 0       | X       |          |        | X       | X      |      |        | X         |              |          | X
PASSDSS-3DES-1  | 112     | X       | X        | X      | X       | X      | X    | X      | X         |              |          | X
PLAIN           | 0       |         |          |        |         | X      | X    |        | X         |              |          | X
SRP             | 128     | X       | X        | X      | X       | X      |      | X      | X         |              | X        | X

Understanding this table:
- MAX SSF - The maximum Security Strength Factor supported by the mechanism (roughly the number of bits of encryption provided, but may have other meanings, for example an SSF of 1 indicates integrity protection only, no encryption).
- NOPLAIN - Mechanism is not susceptible to simple passive (eavesdropping) attack.
- NOACTIVE - Protection from active (non-dictionary) attacks during authentication exchange. (Implies MUTUAL).
- NODICT - Not susceptible to passive dictionary attack.
- FORWARD - Breaking one session won't help break the next.
- NOANON - Don't permit anonymous logins.
- CRED - Mechanism can pass client credentials.
- MUTUAL - Supports mutual authentication (authenticates the server to the client).
- CLTFIRST - The client should send first in this mechanism.
- SRVFIRST - The server must send first in this mechanism.
- SRVLAST - This mechanism supports server-send-last configurations.
- PROXY - This mechanism supports proxy authentication.
Convert to online config
Convert old config file to online config (Openldap v >= 2.4)
Recalculate CRC32 checksums of the online configuration
Install libarchive-zip-perl for the Perl script crc32
aptitude install libarchive-zip-perl
/usr/local/bin/crc32.sh
#!/bin/bash
# Recalculate the "# CRC32" header of a cn=config LDIF file after it was edited by hand.
# Requires the crc32 tool from libarchive-zip-perl.

FILE_INPUT="${1}"
if [ ! -f "$FILE_INPUT" ]; then
	cat <<- EOF
	Input file does not exist!
	Remember to quote filenames containing "{}" in ''
	example: $0 'path/to/file_with_special_characters_like{2}.ldif'
	EOF
	exit 1
fi

if [ ! -w "$FILE_INPUT" ]; then
	echo "Input file is not writeable!"
	exit 2
fi

# slapd checksums the file without its comment lines, so strip them before hashing
FILE_TMP="$(mktemp)"
grep -v '^#' "$FILE_INPUT" > "$FILE_TMP"
CHK_SUM="$(crc32 "$FILE_TMP")"
rm "$FILE_TMP"

if [ -z "$CHK_SUM" ]; then
	echo "crc32 returned no checksum (is libarchive-zip-perl installed?)"
	exit 3
fi

# rewrite the checksum in the "# CRC32 xxxxxxxx" header line in place
sed -ri "s/^(# CRC32) .*/\1 ${CHK_SUM}/" "$FILE_INPUT"
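The same checksum rule, as an added example that is not the page's crc32.sh: it lets you verify a cn=config file's header before restarting slapd instead of only rewriting it. It assumes, as the script above does, that the checksum covers the file with all comment lines removed; the sample LDIF is constructed.

```python
import re
import zlib

# Header line slapd writes into every cn=config LDIF file (8 hex digits).
CRC_LINE = re.compile(r"^# CRC32 ([0-9a-fA-F]{8})$", re.MULTILINE)


def config_crc32(ldif_text: str) -> str:
    """CRC32 over all non-comment lines, as 8 lowercase hex digits."""
    payload = "".join(
        line for line in ldif_text.splitlines(keepends=True)
        if not line.startswith("#")
    )
    return "%08x" % (zlib.crc32(payload.encode("utf-8")) & 0xFFFFFFFF)


def verify_crc32(ldif_text: str) -> bool:
    """True if the '# CRC32' header matches the current content."""
    m = CRC_LINE.search(ldif_text)
    return m is not None and m.group(1).lower() == config_crc32(ldif_text)


def update_crc32(ldif_text: str) -> str:
    """Return the LDIF with its '# CRC32' header rewritten for the content."""
    if CRC_LINE.search(ldif_text) is None:
        raise ValueError("no '# CRC32' header line found")
    return CRC_LINE.sub("# CRC32 " + config_crc32(ldif_text), ldif_text, count=1)


# Constructed sample in the layout slapd uses; the stored checksum is wrong on purpose.
SAMPLE = (
    "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
    "# CRC32 00000000\n"
    "dn: olcDatabase={1}hdb\n"
    "objectClass: olcDatabaseConfig\n"
    "olcDatabase: {1}hdb\n"
    "olcSuffix: dc=example,dc=com\n"
)

if __name__ == "__main__":
    import sys
    # usage: ldif_crc32.py <file.ldif>  (rewrites the header in place)
    with open(sys.argv[1]) as fh:
        text = fh.read()
    with open(sys.argv[1], "w") as fh:
        fh.write(update_crc32(text))
```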
Replication
Modes of replication
- syncrepl LDAP Sync Replication engine
- slurpd (deprecated and removed in v2.4)
Replacing Slurpd
From the OpenLDAP Reference Manual, section "Replacing Slurpd":
The old slurpd mechanism only operated in provider-initiated push mode. Slurpd replication was deprecated in favor of Syncrepl replication and has been completely removed from OpenLDAP 2.4.
The slurpd daemon was the original replication mechanism inherited from UMich's LDAP and operated in push mode: the master pushed changes to the slaves. It was replaced for many reasons, in brief:
- It was not reliable
- It was extremely sensitive to the ordering of records in the replog
- It could easily go out of sync, at which point manual intervention was required to resync the slave database with the master directory
- It wasn't very tolerant of unavailable servers. If a slave went down for a long time, the replog could grow to a size that was too large for slurpd to process
- It only worked in push mode
- It required stopping and restarting the master to add new slaves
- It only supported single master replication
Syncrepl has none of those weaknesses:
- Syncrepl is self-synchronizing; you can start with a consumer database in any state from totally empty to fully synced and it will automatically do the right thing to achieve and maintain synchronization
- It is completely insensitive to the order in which changes occur
- It guarantees convergence between the consumer and the provider content without manual intervention
- It can resynchronize regardless of how long a consumer stays out of contact with the provider
- Syncrepl can operate in either direction
- Consumers can be added at any time without touching anything on the provider
- Multi-master replication is supported
Syncrepl
Slurpd
Tools
ldapmodrdn
If you want to rename or move objects in the tree, you have to modify the distinguished name (DN) of the object. This cannot be done with ldapmodify; you need to use ldapmodrdn.
slapcat
Export the LDAP directory to a file. This operation can be performed online and may therefore be used for backups.
/usr/local/sbin/backup_ldap.sh
Set script executable
chmod u+x /usr/local/sbin/backup_ldap.sh
Create a systemd timer or a cron job. Make sure to also keep a copy of the backup on a remote host.
P.S. I ♥ zsh
Thanks 4 GRML ZSH config