CentOS 7 - OpenLDAP - Multi-Master with TLS

Printed on 2017/06/08 03:21
Install OpenLDAP on CentOS 7 with the memberOf overlay, install FusionDirectory, configure TLS and multi-master replication.
Prerequisite
Check your DNS: both oldap1.k.local and oldap2.k.local must resolve.
1 - Configure certificate
The same documentation applies for Debian:
https://documentation.fusiondirectory.org/en/documentation/tls_support
Certificate creation
Install TLS utilities:
yum install gnutls-utils -y
First step: create a CA (certificate authority) which will create and sign (authenticate) the certificates.
mkdir -p /etc/ssl/private/
certtool --generate-privkey > /etc/ssl/private/ca_key.pem
Edit /etc/ssl/ca.info
cn = k.local
ca
cert_signing_key
expiration_days = 3650
And we create the self-signed CA's certificate:
certtool --generate-self-signed --load-privkey /etc/ssl/private/ca_key.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/ca_cert.pem
Create a private key for the LDAP servers
certtool --generate-privkey > /etc/ssl/private/oldap1.key
certtool --generate-privkey > /etc/ssl/private/oldap2.key
FusionDirectory Documentation - https://documentation.fusiondirectory.org/ - en:documentation_howto:centos7_openldap_multi_master_tls - https://documentation.fusiondirectory.org/en/documentation_howto/centos7_openldap_multi_master_tls - Last update: 2016/12/07 17:38
Edit /etc/ssl/oldap1.info
organization = k.local
cn = oldap1.k.local
tls_www_server
encryption_key
signing_key
expiration_days = 3650
Edit /etc/ssl/oldap2.info
organization = k.local
cn = oldap2.k.local
tls_www_server
encryption_key
signing_key
expiration_days = 3650
And create each LDAP server's certificate, signed by the CA:
certtool --generate-certificate --load-privkey /etc/ssl/private/oldap1.key --load-ca-certificate /etc/ssl/certs/ca_cert.pem --load-ca-privkey /etc/ssl/private/ca_key.pem --template /etc/ssl/oldap1.info --outfile /etc/ssl/certs/oldap1.pem
certtool --generate-certificate --load-privkey /etc/ssl/private/oldap2.key --load-ca-certificate /etc/ssl/certs/ca_cert.pem --load-ca-privkey /etc/ssl/private/ca_key.pem --template /etc/ssl/oldap2.info --outfile /etc/ssl/certs/oldap2.pem
2 - OpenLDAP server configuration
Install OpenLDAP server:
yum install openldap-servers openldap-clients -y
Edit /etc/openldap/slapd.conf :
#############################################################
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile  /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCertificateFile /etc/openldap/certs/oldap1.pem
TLSCertificateKeyFile /etc/openldap/certs/oldap1.key
TLSCipherSuite TLSv1+RSA:!NULL
# The following directive is the default but
# is explicitly included for visibility
TLSVerifyClient never

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=admin,dc=k,dc=local" read
        by * none

#######################################################################
# database definitions
#######################################################################
database        hdb
suffix          "dc=k,dc=local"
checkpoint      1024 15
rootdn          "cn=admin,dc=k,dc=local"
# To generate password : slappasswd -h {SSHA} -s YOURPASSWORD
rootpw          {SSHA}xvxvcvxvxvvxv
loglevel        256
sizelimit       unlimited

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID                eq

### add Overlay memberof
overlay memberof

### Sync provider
overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 100

# Replicas of this database
serverID 1

# syncrepl directive: this server pulls from oldap2 over ldaps, verifying
# the peer certificate against our CA. In slapd.conf the parameters of a
# directive continue on the following lines only if those lines start with
# whitespace, so keep the indentation below.
syncrepl rid=1
        provider=ldaps://oldap2.k.local
        bindmethod=simple
        binddn="cn=admin,dc=k,dc=local"
        credentials=Pass
        searchbase="dc=k,dc=local"
        filter=objectclass=*
        scope=sub
        schemachecking=on
        type=refreshAndPersist
        retry="30 +"
        tls_cacert=/etc/openldap/certs/ca_cert.pem

# Enable mirror mode
mirrormode on
Edit /etc/openldap/ldap.conf
TLS_CACERT /etc/openldap/certs/ca_cert.pem
Edit /etc/sysconfig/slapd
SLAPD_URLS="ldaps:/// ldap:/// ldapi:///"
Copy CA's certificate
cp /etc/ssl/certs/ca_cert.pem /etc/openldap/certs/
Copy the OpenLDAP server's certificate and private key
cp /etc/ssl/certs/oldap1.pem /etc/openldap/certs/
cp /etc/ssl/private/oldap1.key /etc/openldap/certs/
The copied key must be readable by the ldap user that slapd runs as, and by nobody else; cp does not preserve the permissions of the original, so check the owner and mode of the copy.
Remove old configuration and restart OpenLDAP
service slapd stop
/bin/rm -rf /etc/openldap/slapd.d/*
/bin/rm -rf /var/lib/ldap/*
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG && /bin/chown -R ldap: /etc/openldap/slapd.d/ && /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
/bin/chown -R ldap: /etc/openldap/slapd.d/ && /bin/chown -R ldap: /var/lib/ldap/ && /sbin/service slapd restart
Check your OpenLDAP
ldapsearch -H ldapi:/// -b "cn=schema,cn=config"
#or ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config"
[...]
# search result
search: 3
result: Success
# numResponses: 14
# numEntries: 13
Your OpenLDAP is ready.
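Once the second master is configured the same way (section 4) and both servers are up, the practical health check for mirror mode is to compare the contextCSN values of dc=k,dc=local on both servers: each master holds one CSN per serverID, and they are in sync when every serverID carries the same CSN on both. The script below is an added example, not part of the FusionDirectory documentation; it assumes oldap2 uses serverID 2 (the page only shows oldap1's serverID 1) and runs on constructed sample LDIF in place of live ldapsearch output.

```python
"""Check that two mirror-mode OpenLDAP masters hold the same contextCSN.
Each master keeps one contextCSN per serverID (the third '#' field, the sid);
they are in sync when every sid has the same CSN on both. The input is the
LDIF printed by: ldapsearch -H ldaps://<host> -b dc=k,dc=local -s base contextCSN"""
import re
from collections import namedtuple

CSN = namedtuple("CSN", "timestamp count sid mod")
CSN_RE = re.compile(r"^(\d{14}\.\d{6}Z)#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")


def parse_csn(value):
    """Split '20161207173800.123456Z#000000#001#000000' into its four fields."""
    m = CSN_RE.match(value.strip())
    if not m:
        raise ValueError("not a CSN: %r" % value)
    ts, count, sid, mod = m.groups()
    return CSN(ts, int(count, 16), int(sid, 16), int(mod, 16))


def context_csns(ldif):
    """Return {sid: CSN} from ldapsearch output; folded LDIF lines are joined."""
    csns = {}
    for line in ldif.replace("\n ", "").splitlines():
        if line.startswith("contextCSN: "):
            csn = parse_csn(line[len("contextCSN: "):])
            csns[csn.sid] = csn
    return csns


def replication_lag(ldif_a, ldif_b):
    """Return {sid: (csn_a, csn_b)} for every sid whose CSN differs between the
    two masters (None where a side has no CSN yet). An empty dict means in sync."""
    a, b = context_csns(ldif_a), context_csns(ldif_b)
    return {sid: (a.get(sid), b.get(sid))
            for sid in sorted(set(a) | set(b)) if a.get(sid) != b.get(sid)}


# Constructed sample output, not captured from a real server. serverID 1 is oldap1
# as in slapd.conf; serverID 2 is assumed for oldap2, which holds a newer CSN
# for sid 2 here, i.e. oldap1 has not yet received that change.
OLDAP1_LDIF = """\
dn: dc=k,dc=local
contextCSN: 20161207173800.123456Z#000000#001#000000
contextCSN: 20161207173805.654321Z#000000#002#000000
"""
OLDAP2_LDIF = """\
dn: dc=k,dc=local
contextCSN: 20161207173800.123456Z#000000#001#000000
contextCSN: 20161207173900.000000Z#000
 000#002#000000
"""
```

A lag that persists across several checkpoints for one serverID points at the syncrepl consumer on the other master (credentials, the ldaps provider URL, or a certificate that does not verify against tls_cacert).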
3 - Install FusionDirectory
Follow this documentation:
https://documentation.fusiondirectory.org/en/documentation/admin_installation_redhat_7
Check your OpenLDAP again
ldapsearch -H ldapi:/// -b "cn=schema,cn=config"
[...]
# search result
search: 3
result: Success
# numResponses: 18
# numEntries: 17
Configure FusionDirectory: at step 4 (LDAP setup), when you bind with your admin account, you should see this message:
Bind as user 'cn=admin,dc=k,dc=local' to server 'ldaps://localhost:636' succeeded!
4 - Configure the second OpenLDAP server
From:
https://documentation.fusiondirectory.org/ - FusionDirectory Documentation
Permanent link:
https://documentation.fusiondirectory.org/en/documentation_howto/centos7_openldap_multi_master_tls
Last update: 2016/12/07 17:38