(SimpleBind + SSL/TLS/start_tls + without-sasl + automount + netgroup + sudo + apache)
(See also related documents at http://web.singnet.com.sg/~garyttt/)
http://www.openldap.org/project/
Purpose:
This document describes the steps involved in installing and configuring an OpenLDAP Directory Server on RedHat EL3. This is to be accessed by RedHat or Solaris8/9 LDAP Client. Many useful productivity UNIX Shell scripts are also provided in this document.
To use LDAP centralized authentication with nss_ldap and pam_ldap, i.e. to use the LDAP "uid" and "userPassword" attributes for UNIX account id and password lookup, you must also complete the setup documented in "Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3" and/or "Installing and configuring OpenSSH with pam_ldap for Solaris9".
Another related document "Deploying Solaris Native LDAP Client by using automated scripts", describes the steps involved in building up an infrastructure environment for rapid deployment of Native LDAP Client.
Useful URLs:
· QuickStart to OpenLDAP: http://www.openldap.org/doc/admin23/quickstart.html
· Replication with slurpd: http://www.openldap.org/doc/admin23/replication.html
· How to install and configure Solaris 9 for Authentication with OpenLDAP 2.1 http://netmojo.ca/howto/solaris-openldap.html
· OpenLDAP SSL/TLS How-To: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
· Replacing NIS with Kerberos and LDAP: http://ofb.net/~jheiss/krbldap/
· Replacing NIS with Kerberos and LDAP: http://www.ofb.net/~jheiss/krbldap/kerberos_and_ldap.html
· SUN Solaris9's “System Administration Guide: Naming and Directory Services - May 2002”: http://docs.sun.com/app/docs/doc/816-4856
· SUN Solaris10's “System Administration Guide: Naming and Directory Services”: http://docs.sun.com/app/docs/doc/816-4556
· Using TLS (from OpenLDAP Admin. Guide)
http://www.openldap.org/doc/admin23/tls.html
· Chinese version of OpenLDAP HOW-TO
http://www.ringkee.com/note/opensource/openldap.htm
· Highly Available LDAP
http://linuxjournal.com/article/5505
· OpenSSH LDAP Public Key Patch
http://www.opendarwin.org/projects/openssh-lpk/
· BIND9.NET LDAP Page
· LDAP Error and Status Codes
http://www.directory-info.com/LDAP/LDAPErrorCodes.html
· LDAP Client Login Authentication
http://yolinux.com/TUTORIALS/LDAP_Authentication.html
· Integrating AIX into Heterogenous LDAP Environments
http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf
· Integrating UNIX/Linux LDAP Clients into Active Directory – ad4unix
http://sourceforge.net/projects/ad4unix/
· Integrating Windows Clients into UNIX/Linux LDAP Server - pGina
http://sourceforge.net/projects/pgina/
Public Mail Lists:
http://lists.fini.net/mailman/listinfo/ldap-interop
http://www.openldap.org/lists/openldap-software (please search FAQ/MailList archives before posting)
http://www.dbforums.com/ (comp.unix.solaris)
http://bbs.chinaunix.net/ (Chinese web site)
Freeware tools used:
· Berkeley DB 4.2.52 or later - http://www.sleepycat.com/
· NSS_LDAP 2.2.X and PAM_LDAP 1.6.X or later – http://www.padl.com/
· OpenSSL 0.9.7e or later – http://www.openssl.org/
· OpenLDAP 2.3.XX or later - http://www.openldap.org/
· BIND9.NET LDAP Tools: http://www.bind9.net/ldap-tools
· LDAP Browser/Editor: http://www-unix.mcs.anl.gov/~gawor/ldap/
· JXplorer Java LDAP Browser/Editor: http://pegacat.com/jxplorer/ (can do SSL connection)
· PHP-LDAP-ADMIN: http://freshmeat.net/projects/phpldapadmin/
· Other Graphical LDAP Tools: http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html
· Novell LDAP CoolTools http://www.novell.com/coolsolutions/tools/bycategory/168.html
Example used:
· MASTER OpenLDAP Server: ldap1.example.com, 192.168.1.168
· SLAVE OpenLDAP Server: ldap2.example.com, 192.168.1.178
· RedHat EL3 LDAP Client: client1.example.com, 192.168.1.188
· Solaris8 LDAP Client: client2.example.com, 192.168.1.198
· Solaris9 LDAP Client: client3.example.com, 192.168.1.208
It is highly recommended that OS level Security Hardening be applied to all LDAP Servers. Note that MASTER and SLAVE OpenLDAP Server can be based on RedHat Linux or Solaris operating system.
Preparation Steps:
This step is for BOTH OpenLDAP Server(s) as well as Clients
Please ensure that IP addresses of LDAP Servers are defined in DNS and/or /etc/hosts
It is important that the Fully Qualified Domain Name (eg: ldap1.example.com) be listed as the first entry right after the IP address, as shown below:
192.168.1.168 ldap1.example.com ldap1
Please ensure that LDAP domain example.com is defined in /etc/resolv.conf
Run the following command to set LDAP domainname
# domainname example.com
# rpm -qa | grep openldap
openldap-devel-2.X.XX-X
openldap-servers-2.X.XX-X
openldap-2.X.XX-X
openldap-clients-2.X.XX-X
# mv /etc/init.d/ldap /etc/init.d/ldap.saved
# rpm -e --nodeps openldap-servers-2.0.27-1X
# rpm -e --nodeps openldap-clients-2.0.27-1X
# mv /etc/init.d/ldap.saved /etc/init.d/ldap
Add two lines to the "start" function in /etc/init.d/ldap; this fixes the slapd start issue complaining about the file permissions of slapd.pid and slapd.args.
function start() {
# gtay, 23-Jan-2006, added 2 lines to fix OpenLDAP 2.3.XX startup issue
touch /var/run/slapd.pid; chown ldap:ldap /var/run/slapd.pid
touch /var/run/slapd.args; chown ldap:ldap /var/run/slapd.args
# Start daemons.
prog=`basename ${slapd}`
echo -n $"Starting $prog: "
…
}
Optional steps, as "rpm -e" of the openldap-servers rpm renamed the existing files with .rpmsave extensions:
# cd /etc/openldap
# mv slapd.conf.rpmsave slapd.conf
# cd schema/redhat
# mv autofs.schema.rpmsave autofs.schema
# chown -R ldap:ldap /etc/openldap
Note 1: RHEL3 has OpenLDAP 2.0.27-XX rpm and RHEL4 has OpenLDAP 2.2.13-XX rpm.
Note 2: In case "rpm -e" invokes the post-removal script and removes the useful /etc/init.d/ldap script, the two "mv" commands are used to retain it.
===For those who do not want to build from source:
Buchan has done a great job building RHEL/Mandriva OpenLDAP 2.3.XX RPMS for us, see:
For the future, either:
a) Upgrade to 2.3 which doesn't/shouldn't need the operations listed below (hint: http://anorien.csc.warwick.ac.uk/mirrors/buchan/openldap/ has packages which are parallel installable with the original RH packages and affect no other aspects of the OS or any packages provided by it)
b) Do some things RH missed out which are necessary on 2.2:
- ensure database recover is run any time that it is likely that slapd has been shut down uncleanly. The strategy I prefer is doing database recovery in the start() function of the initscript (not restart though).
- ensure the database is checkpointed (run db_checkpoint with appropriate options from and as the appropriate user from cron)
Regards,
Buchan
===
This step is for OpenLDAP Server(s) ONLY, not for LDAP Clients. Recent RedHat releases such as RHFC3 or later will most likely have workable, supported OpenLDAP Client, PADL, BDB and OpenSSL library RPMs; for a Solaris LDAP Client, I recommend using its Native LDAP Library.
IMPORTANT: It is highly recommended that these configuration steps be carried out at the LOCAL SYSTEM CONSOLE while logged in as root. ON TOP OF THIS, MULTIPLE REMOTE root sessions should be kept open, so that any incorrect configuration that messes up your system can be repaired.
Installing these packages is OPTIONAL as RedHat EL3 comes bundled with them; you may also OPTIONALLY compile/install OpenSSL 0.9.7e from source and overwrite the OpenSSL 0.9.7a that comes with RedHat EL3.
Log in as root at ldap1.example.com
If you are using 4.2.52, please apply these four patches:
# cd /var/tmp
# wget http://downloads.sleepycat.com/db-4.2.52.tar.gz
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.1
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.2
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.3
# wget http://www.sleepycat.com/update/4.2.52/patch.4.2.52.4
# gzip -d db-4.2.52.tar.gz
# tar xvf db-4.2.52.tar
# chmod u+w db-4.2.52/mp/mp_fget.c
# chmod u+w db-4.2.52/lock/lock.c
# cd db-4.2.52
# patch -p0 -i ../patch.4.2.52.1
# patch -p0 -i ../patch.4.2.52.2
# patch -p0 -i ../patch.4.2.52.3
# patch -p0 -i ../patch.4.2.52.4
Otherwise,
# cd db-4.X.XX/build_unix
# ../dist/configure --prefix=/usr
# make clean
# make
# make install
# cd openssl-0.9.7e
# ./config shared --prefix=/usr # Build shared library
# make clean
# make
# make install
Note 1: --prefix=/usr is required so as to overwrite RedHat EL3 built-in rpm.
Note 2: db-4.X.XX in the above case overwrites the db-4.X.XX-XX built-into RedHat EL3
Note 3: openssl-0.9.7e in the above case overwrites the openssl-0.9.7a built-into RedHat EL3
Additional steps shown below are required to rename and hide the original openssl-0.9.7a files (due to the fact that RedHat stores the libssl and libcrypto shared object files at an odd location, i.e. /lib), and to edit /etc/man.config to include /usr/ssl/man.
# cd /lib
# mv -f libssl.so.4 libssl.so.4.orig
# ln -s /usr/lib/libssl.so.0.9.7 libssl.so.4
# mv -f libcrypto.so.4 libcrypto.so.4.orig
# ln -s /usr/lib/libcrypto.so.0.9.7 libcrypto.so.4
Note: if OpenSSL is installed in other prefix location, please make sure it could be referenced by editing /etc/ld.so.conf and run "ldconfig" to effect the changes.
# vi /etc/ld.so.conf
# ldconfig
Optionally setting up MANPATH for OpenSSL:
# vi /etc/man.config
Add /usr/ssl/man in front of other MANPATHs
Verify the version of OpenSSL:
# /usr/bin/openssl version
OpenSSL 0.9.7X DD Mmm YYYY
This step is for OpenLDAP Server(s) ONLY, not for LDAP Clients. Recent RedHat releases such as RHFC3 or later will most likely have workable, supported OpenLDAP Client, PADL, BDB and OpenSSL library RPMs; for a Solaris LDAP Client, I recommend using its Native LDAP Library.
If you have completed the Preparation Steps stated above, you may skip this step; otherwise you may want to try the following steps to gain the experience of compiling and installing OpenLDAP from source.
Log in as root at ldap1.example.com
# cd openldap-2.3.XX
# ./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/sbin --mandir=/usr/share/man --enable-bdb --enable-crypt --with-tls --without-cyrus-sasl --enable-ldbm
(Note: enable-ldbm if you need older DB backend)
# make depend
# make clean
Optionally, apply “result.c” patch (See Appendix)
# make
# make install
This installs the OpenLDAP server and client binaries/libraries, using the default configuration directory /etc/openldap, the default schema directory /etc/openldap/schema, and the default data directory /usr/var/openldap-data. You may change the data directory to the RedHat default, /var/lib/ldap, by editing the "directory" directive in /etc/openldap/slapd.conf.
IMPORTANT NOTE: Whenever RedHat "up2date" is run and it overwrites the version you have built from source, remember to restore your intended version by running "make install" from the build directory again. Alternatively, you may choose to remove "openldap*.rpm" using the "rpm -e --nodeps --force" options prior to building OpenLDAP from source.
This step is for OpenLDAP Server(s).
If you did not install RedHat OpenLDAP RPMs and choose to compile/install the package from source, then please create a user for the OpenLDAP owner of data/binary files, prior to anything. User id of 55 and Group id of 55 are intentionally chosen to tally with the ldap:ldap user created by installing from RedHat RPMs.
# groupadd -g 55 ldap
# useradd -u 55 -g 55 -d /var/lib/ldap -s /bin/false ldap
Create a blank default OpenLDAP data directory, protect this directory
# mkdir -p /var/lib/ldap # directory already exists if RedHat rpms are installed
# chmod 700 /var/lib/ldap
# chown -R ldap:ldap /var/lib/ldap # user ldap:ldap already exists if RH rpms are installed
# chown -R ldap:ldap /etc/openldap
Create a blank /home/ldap directory, this will be used to keep .ldif generated by the productivity scripts db2ldif_group.sh and db2ldif_People.sh, and used for my script-based LDAP replication scripts, openldap_repl_group.sh and openldap_repl_People.sh. Alternatively, you may also use the OpenLDAP built-in replication feature.
# mkdir -p /home/ldap; chown ldap:ldap /home/ldap
Create self-signed SSL certificates for the local LDAP Server, if you intend to use SSL or TLS.
This can be achieved by running this productivity script, cr_ssl_certs_openldap.sh, at the MASTER LDAP Server, which generates a self-signed CA Cert and a signed Server Cert for MASTER LDAP Server. Later on, please use the SAME CA Cert to sign a Server Cert created at SLAVE LDAP Server.
# ./cr_ssl_certs_openldap.sh
Content of cr_ssl_certs_openldap.sh:
#! /bin/sh
#
# cr_ssl_certs_openldap.sh - Create self-signed SSL Certs for OpenLDAP server
#
# Gary Tay, 6-Mar-2004
#
mkdir demoCA >/dev/null 2>&1
cd demoCA
mkdir certs crl newcerts private >/dev/null 2>&1
echo "01" > serial
cp /dev/null index.txt
# Un-comment next two lines for RedHat
cp /usr/share/ssl/openssl.cnf openssl.cnf
ETC_OPENLDAP=/etc/openldap
# Un-comment next two lines for Others
#cp /usr/local/ssl/openssl.cnf openssl.cnf
#ETC_OPENLDAP=/usr/local/etc/openldap
sed -e 's/GB/SG/' \
-e 's/Berkshire/Singapore/' \
-e 's/Newbury/Singapore/' \
-e 's/My Company Ltd/Example Company Ltd/' \
-e '/default_days/s/365/3652/' \
openssl.cnf > openssl.cnf.new
mv openssl.cnf.new openssl.cnf
echo "" >>openssl.cnf
echo "[ usr_cert ]" >>openssl.cnf
echo "subjectAltName=DNS:ldap.`domainname`,DNS:loadbalancer.`domainname`" >>openssl.cnf
echo "" >>openssl.cnf
echo "Creating CA cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem \
-days 3652 -config openssl.cnf
echo "Creating server cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl req -new -x509 -nodes -keyout newreq.pem -out newreq.pem \
-days 3652 -config openssl.cnf
echo "Self signing server cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
cd ..
openssl ca -config demoCA/openssl.cnf -policy policy_anything \
-out demoCA/newcert.pem -infiles demoCA/tmp.pem
rm -f demoCA/tmp.pem
echo "Please copy CA Cert, New Cert and Key to OpenLDAP config dir..."
echo "using the following commands:"
echo "cp demoCA/cacert.pem $ETC_OPENLDAP"
echo "cp demoCA/newcert.pem $ETC_OPENLDAP/slapd-cert-ldap1.pem"
echo "cp demoCA/newreq.pem $ETC_OPENLDAP/slapd-key-ldap1.pem"
echo "chmod 640 $ETC_OPENLDAP/slapd-key-ldap1.pem"
# Uncomment for RedHat
echo "chown ldap:ldap $ETC_OPENLDAP/*.pem"
# Uncomment for Others
#echo "chown ldap:daemon $ETC_OPENLDAP/*.pem"
echo ""
The following is the output of running cr_ssl_certs_openldap.sh
# ./cr_ssl_certs_openldap.sh
Creating CA cert...
Please enter server's FQDN when prompted for Common Name:
Generating a 1024 bit RSA private key
.....................................................++++++
....++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: secret
Verifying - Enter PEM pass phrase: secret
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [Singapore]:
Locality Name (eg, city) [Singapore]:
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ldap1.example.com
Email Address []: first_last@example.com
Creating server cert...
Please enter server's FQDN when prompted for Common Name:
Generating a 1024 bit RSA private key
....................++++++
..................................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [Singapore]:
Locality Name (eg, city) [Singapore]:
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ldap1.example.com
Email Address []: first_last@example.com
Self signing server cert...
Please enter server's FQDN when prompted for Common Name:
Getting request Private Key
Generating certificate request
Using configuration from demoCA/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: secret
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 15 05:50:15 2004 GMT
Not After : Mar 15 05:50:15 2005 GMT
Subject:
countryName = SG
stateOrProvinceName = Singapore
localityName = Singapore
organizationName = Example Ltd
commonName = ldap1.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
51:F4:FB:11:07:35:79:56:B8:11:DA:5F:54:16:2C:3A:95:1C:03:2C
X509v3 Authority Key Identifier:
keyid:CC:95:06:D3:EF:09:13:57:1F:A2:75:B4:28:AC:E2:B7:5C:1B:5D:66
DirName:/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/CN=ldap1.example.com
serial:00
Certificate is to be certified until Mar 15 05:50:15 2015 GMT (3652 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Please copy CA Cert, New Cert and Key to OpenLDAP config dir...
using the following commands:
cp demoCA/cacert.pem /etc/openldap
cp demoCA/newcert.pem /etc/openldap/slapd-cert-ldap1.pem
cp demoCA/newreq.pem /etc/openldap/slapd-key-ldap1.pem
chmod 640 /etc/openldap/slapd-key-ldap1.pem
chown ldap:ldap /etc/openldap/*.pem
Copy cacert.pem, slapd-cert-ldap1.pem and slapd-key-ldap1.pem created by the above script to /etc/openldap and set up the file permission protection as shown.
Also please copy cacert.pem to all the LDAP clients that use SSL_TLS to authenticate with this LDAP Server.
IMPORTANT NOTE: Make sure the CommonName (CN) of the SSL Server Certificate is in Fully Qualified Domain Name (FQDN) format, eg: ldap1.example.com, and this FQDN must be defined in DNS AND /etc/hosts file.
ADDITIONAL STEPS if SLAVE LDAP Server is built:
At the SLAVE LDAP Server, log in as root and run:
# ./cr_unsigned_ssl_cert.sh
Go back to the MASTER LDAP Server, log in as root and run:
# ./sign_ssl_cert_from_slave.sh
Both scripts can be found in the Appendix.
The following shows the expected output:
# ./cr_unsigned_ssl_cert.sh
Please enter an unique number as Certificate Serial Number
Examples: if 01 is reserved for MASTER LDAP Server
02 can be used for 1st SLAVE LDAP Server
03 can be used for 2nd SLAVE LDAP Server
02
Creating un-signed SLAVE LDAP Server cert...
Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:
Generating a 1024 bit RSA private key
.................++++++
...............................................++++++
writing new private key to 'newreq_slave.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: SG
State or Province Name (full name) [New York]: Singapore
Locality Name (eg, city) []: Singapore
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:ldap2.example.com
Email Address []:first_last@example.com
# ./sign_ssl_cert_from_slave.sh
Please enter an unique number as Certificate Serial Number
Examples: if 01 is reserved for MASTER LDAP Server
02 can be used for 1st SLAVE LDAP Server
03 can be used for 2nd SLAVE LDAP Server
02
We must copy the unsigned SSL Server Cert from SLAVE LDAP Server
Enter HOSTNAME/IP of SLAVE LDAP Server: \c
ldap2
Enter directory to locate un-signed server cert/key: \c
/home/gtay/demoCA
Copying un-signed server cert/key from SLAVE LDAP Server...
newreq_slave.pem newreq_slave.pem 100% 2319 627.1KB/s 00:00
Self signing server cert for SLAVE LDAP Server...
Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:
Getting request Private Key
Generating certificate request
Using configuration from demoCA/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: secret
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 22 16:05:32 2004 GMT
Not After : Oct 22 16:05:32 2005 GMT
Subject:
countryName = SG
stateOrProvinceName = Singapore
localityName = Singapore
organizationName = Example Ltd
organizationalUnitName =
commonName = ldap2.example.com
emailAddress = first_last@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F7:C2:5F:54:C1:3F:E3:16:F2:1D:F7:5E:B0:CA:C8:95:35:45:DA:A9
X509v3 Authority Key Identifier:
keyid:25:BC:A0:B3:45:F1:E5:25:7B:46:E5:E7:30:0F:45:EB:98:B8:36:37
DirName:/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/OU=/CN=ldap1.example.com/emailAddress=first_last@example.com
serial:00
X509v3 Subject Alternative Name:
DNS:ldap.example.com, DNS:loadbalancer.example.com
Certificate is to be certified until Oct 22 16:05:32 2015 GMT (3652 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Please copy, New Cert and Key to SLAVE OpenLDAP Server config dir...
Example: assuming ldap2:/etc/openldap is the target directory on SLAVE:
scp demoCA/cacert.pem ldap2:/etc/openldap
scp demoCA/newcert_slave.pem ldap2:/etc/openldap/slapd-cert-ldap2.pem
scp demoCA/newreq_slave.pem ldap2:/etc/openldap/slapd-key-ldap2.pem
ssh ldap2 chmod 640 /etc/openldap/slapd-key-ldap2.pem
ssh ldap2 chown ldap:ldap /etc/openldap/*.pem
Now add the following TLS lines to /etc/openldap/slapd.conf.
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /etc/openldap/slapd-key-ldap1.pem
Next, start slapd so that it listens on BOTH ports 389 and 636; note the double quotes enclosing BOTH ldap:/// and ldaps:///.
/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:///"
Use the following command to show the details of the CA/Chain/Server Certificate(s):
# openssl s_client -connect localhost:636 –showcerts
---
<Ctrl-C or Ctrl-Break to exit>
In the above output, please ignore these non-critical errors, which appear because we self-sign the certs:
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
verify return code: 21 (unable to verify the first certificate)
IMPORTANT NOTE: please ensure that the FQDN (Fully Qualified Domain Name) shown as CN=<FQDN> matches the "host" entry (or entries) in /etc/ldap.conf (nss_ldap) and $ETC_OPENLDAP/ldap.conf (LDAP Client); its IP address MUST be defined in the /etc/hosts file.
Also please copy cacert.pem to all the LDAP clients that use TLS to authenticate with this LDAP Server.
Edit /etc/openldap/ldap.conf and add the following lines; this is for local LDAP commands:
# vi /etc/openldap/ldap.conf
HOST ldap1.example.com
BASE dc=example,dc=com
# Un-comment for RedHat
TLS_CACERT /etc/openldap/cacert.pem
# Un-comment for others
#TLS_CACERT /usr/local/etc/openldap/cacert.pem
IMPORTANT NOTE:
Some options such as TLS_CACERT are missing from the ldap.conf man pages for some versions of OpenLDAP, see:
http://www.openldap.org/lists/openldap-bugs/200206/msg00092.html
Useful information on START_TLS options is described in:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
Now we are ready to create the configuration file for the OpenLDAP server daemon, slapd.
Make a copy of /etc/openldap/slapd.conf.default as /etc/openldap/slapd.conf and modify it to include the following lines. You should also copy DUAConfigProfile.schema and solaris.schema, which are attached in the Appendix and are needed for the Solaris LDAP client/server, to the schema directory.
# cp /etc/openldap/slapd.conf.default /etc/openldap/slapd.conf
# chmod 600 /etc/openldap/slapd.conf
# vi /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/DUAConfigProfile.schema
## solaris.schema provides nisDomainObject, which is absent from nis.schema
include /etc/openldap/schema/solaris.schema
# example will NOT work:
# allow bind_v2
# allow bind_anon_dn
# The second entry (bind_anon_dn) overrides the first
# one (bind_v2) since they are in separate lines.
# The line below WILL work.
allow bind_v2 bind_anon_dn
# ACL directives
access to attrs=userPassword
by self write
by * auth
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
# Change "anonymous auth" to "anonymous read" or "anonymous none" depending on your need
access to dn.subtree="ou=People,dc=example,dc=com"
by self write
by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
by users read
by anonymous auth
access to * by self write
by * read
# DB directives
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
#rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,ou eq
index cn,mail,surname,givenname eq,subinitial
index memberUid eq
index nisDomain eq
index uniqueMember pres
# Performance tuning directives
sizelimit 5000
threads 8
idletimeout 14400
cachesize 10000
checkpoint 256 15
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /etc/openldap/slapd-key-ldap1.pem
# Use the following if client authentication is required
#TLSVerifyClient demand
# ... or not desired at all
#TLSVerifyClient never
password-hash {CRYPT}
Note: you may use “slaptest” (OpenLDAP 2.3.XX) to test the syntax of slapd.conf.
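As an added example that is not part of the original document, the following POSIX shell script checks a slapd.conf for three of the points raised above: an "allow" directive split across lines (slapd keeps only the last one), a cleartext rootpw instead of the slappasswd hash, and a TLSCertificateKeyFile that is readable by others. The config path is passed as an argument; the function names and the WARN wording are my own.

```sh
#!/bin/sh
# check_slapd_conf.sh - sanity-check a slapd.conf before starting slapd.
# Added example; not part of the original document.
# Usage: sh check_slapd_conf.sh /etc/openldap/slapd.conf

# Number of active (uncommented) "allow" lines. slapd honours only the last
# one, so two lines mean the earlier options (e.g. bind_v2) are silently lost.
count_allow_lines() {
    awk '/^[[:space:]]*allow[[:space:]]/ { n++ } END { print n + 0 }' "$1"
}

# True when rootpw is stored as {SCHEME}hash (what slappasswd prints),
# false when it is cleartext or missing. Commented "#rootpw" lines are ignored.
rootpw_is_hashed() {
    pw=$(awk '/^[[:space:]]*rootpw[[:space:]]/ { print $2; exit }' "$1")
    case "$pw" in
        '{'*'}'*) return 0 ;;
        *)        return 1 ;;
    esac
}

# True when the TLS private key named in the config exists and is not
# readable by "others" (0640 or tighter, as the cert script recommends).
tls_key_is_protected() {
    key=$(awk '/^[[:space:]]*TLSCertificateKeyFile[[:space:]]/ { print $2; exit }' "$1")
    [ -n "$key" ] && [ -f "$key" ] || return 1
    other=$(ls -l "$key" | cut -c8-10)   # the "other" rwx triplet of ls -l
    [ "$other" = "---" ]
}

# Run all checks: prints one WARN line per finding and returns the count,
# so 0 means the file passed.
check_slapd_conf() {
    conf=$1
    problems=0
    n=$(count_allow_lines "$conf")
    if [ "$n" -gt 1 ]; then
        echo "WARN: $n 'allow' lines; slapd honours only the last, merge them into one line"
        problems=$((problems + 1))
    fi
    if ! rootpw_is_hashed "$conf"; then
        echo "WARN: rootpw is cleartext or missing; use the {CRYPT}/{SSHA} output of slappasswd"
        problems=$((problems + 1))
    fi
    if ! tls_key_is_protected "$conf"; then
        echo "WARN: TLSCertificateKeyFile is missing or readable by others; chmod 640 and chown ldap:ldap"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run directly with a file argument; does nothing when sourced.
if [ $# -eq 1 ]; then
    check_slapd_conf "$1"
fi
```

The script only reads the config and the key file's mode; run slaptest afterwards for the syntax check the note above describes.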
Copy or create my productivity UNIX scripts (as provided in the Appendix section) in /home/gtay, or any directory you prefer, eg: /home/ldap, and use the scripts to create and rebuild a fully populated MASTER OpenLDAP Server.
Note: before running the scripts, please create a sample People.ldif and group.ldif.
It helps if you take some time to browse and study all the productivity scripts, especially the two main scripts, cr_example_com_ldif.sh and rebuild_example_com.sh.
# cp cr_ssl_certs_openldap.sh /home/gtay
# cp cr_unsigned_ssl_cert.sh /home/gtay
# cp sign_ssl_cert_from_slave.sh /home/gtay
# cp cr_People_ldif.sh /home/gtay
# cp cr_group_ldif.sh /home/gtay
# cp cr_example_com_ldif.sh /home/gtay
# cp openldap_add.sh /home/gtay
# cp openldap_delete_Peoples.sh /home/gtay
# cp openldap_delete_groups.sh /home/gtay
# cp openldap_repl_People.sh /home/gtay
# cp openldap_repl_group.sh /home/gtay
# cp openldap_search.sh /home/gtay
# cp rebuild_example_com.sh /home/gtay
Copy or create these scripts in /home/ldap, as they are meant for LDAP Backup and Replication:
# cp db2ldif_backup.sh /home/ldap
# cp db2ldif_People.sh /home/ldap
# cp db2ldif_group.sh /home/ldap
# cp openldap_add.sh /home/ldap
# cp openldap_delete_groups.sh /home/ldap
# cp openldap_delete_Peoples.sh /home/ldap
# cp openldap_repl_group.sh /home/ldap
# cp openldap_repl_People.sh /home/ldap
Some of these scripts are optional or specific to a particular environment; for instance, cr_People_ldif.sh is used if People.ldif is an exported ldif file created from an existing iPlanet Directory Server, and likewise cr_group_ldif.sh.
Create and protect LDAP rootdn password file, for OpenLDAP’s “Manager”, in script directories (/home/gtay and /home/ldap in these cases)
# cd /home/gtay
# echo "secret" >mgr.pwd
# chmod 600 mgr.pwd
# cd /home/ldap
# echo "secret" >mgr.pwd
# chmod 600 mgr.pwd
Prepare People.ldif and group.ldif in /home/gtay (or your preferred script directory).
Tips: Use /usr/local/sbin/slappasswd command to find the encrypted format of LDAP userPassword.
A sample People.ldif with only two entries is shown here
dn: uid=gtay, ou=People, dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Gary Tay
userPassword: {CRYPT}U8bo2twhJ9Kkg

dn: uid=tuser, ou=People, dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Test User
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
A sample group.ldif with only one entry is shown here
dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
IMPORTANT NOTE ABOUT LDIF IMPORT FILES:
When you copy and paste the content of People.ldif and group.ldif, or any other .ldif file from this document, to prepare an LDAP data import with the ldapadd command, please make sure that ALL TRAILING SPACES on every line of the .ldif files are removed; otherwise "openldap_add.sh", which calls the "ldapadd" command, will throw errors.
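The following awk/sh helper is an added example, not one of the document's productivity scripts: it strips trailing spaces, tabs and carriage returns from a pasted LDIF file and reports "dn:" lines that are not preceded by a blank line, the two defects that make ldapadd reject an entry. Input and output paths are arguments; the function names are my own.

```sh
#!/bin/sh
# ldif_clean.sh - make a pasted .ldif acceptable to ldapadd.
# Added example; not one of the document's productivity scripts.
# Usage: sh ldif_clean.sh People.ldif People.clean.ldif

# Write a copy of $1 to $2 with trailing spaces, tabs and carriage returns
# (from Windows copy-paste) removed from every line.
clean_ldif() {
    awk '{ sub(/[ \t\r]+$/, ""); print }' "$1" > "$2"
}

# Number of lines that still end in whitespace (0 after clean_ldif).
count_trailing_ws() {
    awk '/[ \t\r]$/ { n++ } END { print n + 0 }' "$1"
}

# Number of entries, one per "dn:" line.
count_entries() {
    awk '/^dn:/ { n++ } END { print n + 0 }' "$1"
}

# Line numbers of "dn:" lines that are not preceded by a blank line;
# ldapadd would treat such a line as part of the previous entry and fail.
find_unseparated_entries() {
    awk 'NR > 1 && /^dn:/ && prev != "" { print NR } { prev = $0 }' "$1"
}

# Return 0 when $1 is clean: no trailing whitespace and every entry separated.
check_ldif() {
    [ "$(count_trailing_ws "$1")" = 0 ] && [ -z "$(find_unseparated_entries "$1")" ]
}

# Clean $1 into $2, then verify the result; returns non-zero if entries still
# need a separating blank line, which only the author can insert correctly.
ldif_clean() {
    clean_ldif "$1" "$2"
    bad=$(find_unseparated_entries "$2" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "dn: without a preceding blank line at line(s): $bad" >&2
        return 1
    fi
    echo "$(count_entries "$2") entries written to $2"
}

# Run directly with two file arguments; does nothing when sourced.
if [ $# -eq 2 ]; then
    ldif_clean "$1" "$2"
fi
```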
Create the OpenLDAP server start/stop script /etc/init.d/openldap.server. This step is OPTIONAL; you may want to use the original RedHat EL3 OpenLDAP start/stop script instead, i.e. /etc/init.d/ldap.
If you prefer to use the RedHat original start/stop script /etc/init.d/ldap, please customize it by editing /etc/sysconfig/ldap.
Tips: You may also add this line to /etc/sysconfig/ldap ONLY when you are debugging /etc/init.d/ldap
SLAPD_OPTIONS="-d 10"
Otherwise, create your own OpenLDAP start/stop script
# touch /etc/init.d/openldap.server
# chmod 744 /etc/init.d/openldap.server
# vi /etc/init.d/openldap.server
#! /bin/sh
#
# openldap.server - OpenLDAP start script
#
# Gary Tay, 19-Feb-2004
#
# Un-Comment for RedHat
ETC_OPENLDAP_DIR=/etc/openldap
SLAPD_DIR=/usr/sbin
# Un-Comment for Others
#ETC_OPENLDAP_DIR=/usr/local/etc/openldap
#SLAPD_DIR=/usr/local/libexec
# Pls customize
DEBUG=""
# Un-Comment to debug
#DEBUG="-d 10"
case "$1" in
'start')
if [ -f $ETC_OPENLDAP_DIR/slapd.conf -a -f $SLAPD_DIR/slapd ]; then
echo 'OpenLDAP slapd service starting.'
$SLAPD_DIR/slapd $DEBUG -u ldap -h "ldap:/// ldaps:///"
fi
;;
'stop')
PID=`ps -ef | grep slapd | grep -v grep | awk '{print $2}'`
if [ -n "$PID" ]; then
echo 'OpenLDAP slapd service stopping.'
# using INT signal is less drastic and less prone to LDAP data corruption
kill -INT $PID
fi
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
Create cr_example_com_ldif.sh, do not run it as it will be "called" by the other script, rebuild_example_com.sh.
# vi cr_example_com_ldif.sh
Content of cr_example_com_ldif.sh
#! /bin/sh
# cr_example_com_ldif.sh - Create initial ldif entries for dc=example,dc=com
# OpenLDAP initial root entries
# NOTE: LDIF records MUST be separated by an empty line, or ldapadd fails
cat <<EOF >example_com.ldif
dn: dc=example,dc=com
objectclass: top
# For RedHat use the next line
objectclass: organization
# For Solaris use the next line
#objectclass: domain
objectClass: nisDomainObject
nisDomain: example.com
objectclass: dcObject
o: Example Companies
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager

dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People

dn: ou=group,dc=example,dc=com
objectclass: organizationalUnit
ou: group

dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit

dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {CRYPT}l14aeXtphVSUg

dn: cn=sol8profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: SolarisNamingProfile
SolarisLDAPServers: 192.168.1.168
SolarisBindDN: cn=proxyagent,ou=profile,dc=example,dc=com
SolarisBindPassword: {NS1}ecfa88f3a945c411
SolarisSearchBaseDN: dc=example,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: sol8profile

dn: cn=sol9profile,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: sol9profile
credentialLevel: proxy
bindTimeLimit: 2

dn: cn=default,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2

dn: cn=tls_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example, dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one
EOF
cp example_com.ldif ldap_add.ldif
cp example_com.ldif openldap_add.ldif
Create DB_CONFIG in the OpenLDAP data directory (usually /usr/local/var/openldap-data; for RedHat it is /var/lib/ldap). This file contains performance parameters for Berkeley DB; consult the Internet or the OpenLDAP mailing list and adjust the content as needed.
# vi /usr/local/var/openldap-data/DB_CONFIG
or
# vi /var/lib/ldap/DB_CONFIG
Content of DB_CONFIG; below is an example for an LDAP Server with 640MB RAM and 1000 users:
set_cachesize 0 20971520 0
set_lg_regionmax 131072
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE
Create rebuild_example_com.sh, edit and uncomment those OS specific lines.
# vi rebuild_example_com.sh
Content of rebuild_example_com.sh
#! /bin/sh
# rebuild_example_com.sh - ReBuild LDAP Server for dc=example,dc=com
# Un-comment for RedHat
OPENLDAP_DATA_DIR=/var/lib/ldap
# Un-comment for Others
#OPENLDAP_DATA_DIR=/usr/local/var/openldap-data
echo "WARNING: LDAP Data in $OPENLDAP_DATA_DIR will be gzipped!!!"
echo " and rebuilt from scratch, make sure you know what it means"
echo "Press [Ctrl-C] to abort, enter [Yes] to continue..."
read a_key
[ "$a_key" != "Yes" ] && exit 1
/etc/init.d/openldap.server stop
mkdir -p $OPENLDAP_DATA_DIR
chmod 750 $OPENLDAP_DATA_DIR
chown ldap:daemon $OPENLDAP_DATA_DIR
#/bin/rm -f $OPENLDAP_DATA_DIR/*.bdb
#/bin/rm -f $OPENLDAP_DATA_DIR/__db.*
#/bin/rm -f $OPENLDAP_DATA_DIR/log.*
#/bin/rm -f $OPENLDAP_DATA_DIR/alock
gzip -f $OPENLDAP_DATA_DIR/*.bdb
gzip -f $OPENLDAP_DATA_DIR/__db.*[0-9]
gzip -f $OPENLDAP_DATA_DIR/log.*[0-9]
gzip -f $OPENLDAP_DATA_DIR/alock
/etc/init.d/openldap.server start
sleep 3
./cr_example_com_ldif.sh
./openldap_add.sh
./cr_People_ldif.sh
./openldap_add.sh
./cr_group_ldif.sh
./openldap_add.sh
Execute this script:
# ./rebuild_example_com.sh
WARNING: LDAP Data in /usr/local/var/openldap-data will be deleted!!!
and rebuilt from scratch, make sure you know what it means
Press [Ctrl-C] to abort, enter [Yes] to continue...
OpenLDAP slapd service stopping.
OpenLDAP slapd service starting.
adding new entry "dc=example,dc=com"
adding new entry "cn=Manager,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=group,dc=example,dc=com"
adding new entry "uid=gtay,ou=People, dc=example,dc=com"
adding new entry "uid=tuser,ou=People, dc=example,dc=com"
adding new entry "cn=Users,ou=group,dc=example,dc=com"
…
Congratulations!!! You have created an OpenLDAP Server.
IMPORTANT Note: rebuild_example_com.sh is a VERY DESTRUCTIVE script; make sure you understand what every step of the script is trying to do, and avoid testing this script in a production environment.
For mass import of People and group entries, you may use PADL's MigrationTools:
http://www.padl.com/OSS/MigrationTools.html
Try stopping and starting OpenLDAP server
# /etc/init.d/openldap.server stop
# /etc/init.d/openldap.server start
OR use the RedHat's way:
One-Time setup:
# chkconfig --add ldap
# chkconfig --level 2345 ldap on
LDAP Restart
# service ldap restart
Verify:
# ps -ef | grep slapd
root 706 702 0 03:31:03 pts/3 0:00 grep slapd
root 216 1 0 Feb 23 ? 2:11 /usr/sbin/slapd -u ldap -h ldap:/// ldaps:///
Tips: whenever you have a problem starting the OpenLDAP server, i.e. it is not shown in the process status, un-comment this line in /etc/init.d/openldap.server (so that slapd runs with debug output, as the script's "Un-Comment to debug" comment says) and re-try:
#DEBUG="-d 10"
Prepare LDAP Client's (LDAP Client local to LDAP Server) ldap.conf file in /etc/openldap, the following is a typical content:
HOST ldap1.example.com
BASE dc=example,dc=com
# Un-comment for RedHat
TLS_CACERT /etc/openldap/cacert.pem
# Un-comment for others
#TLS_CACERT /usr/local/etc/openldap/cacert.pem
Try to list the LDAP content locally at the server; note that userPassword never gets listed.
# ./openldap_search.sh | less
dn: dc=example,dc=com
objectClass: top
objectClass: organization
objectClass: dcObject
o: Example Companies
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

dn: uid=gtay,ou=People,dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /usr/bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Gary Tay

dn: uid=tuser,ou=People,dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
shadowLastChange: -1
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
gecos: Test User

dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixgroup
…
You could also test whether slapd is running fine locally by using simple authentication, without and with "start_tls":
# ldapsearch -x -LLL
# ldapsearch -x -LLL -ZZ
Use the "-d -1" option to debug:
# ldapsearch -d -1 -x -LLL -ZZ
Congratulations!!! You have created an OpenLDAP server capable of answering name service (uid) lookup requests from any LDAP Client.
TIPS 1: LDAP Logging
Logging is used to help debugging. OpenLDAP by default logs through the "LOCAL4" syslog facility; you may set up /etc/syslog.conf and restart syslogd. If you do this, please take care of log file trimming and rotation.
# vi /etc/syslog.conf
Add this line:
local4.debug	/var/log/ldap.log
IMPORTANT NOTE 1: use one or more <TAB> characters between "local4.debug" and "/var/log/ldap.log"; if spaces are used, syslog will log NOTHING.
IMPORTANT NOTE 2: if you are using the "service" script in RedHat to stop/start slapd, please also edit /etc/sysconfig/ldap to define SLAPD_OPTIONS with the "-l" syslog local facility, to be passed to the /etc/init.d/ldap script, or else nothing will get logged to syslog.
# vi /etc/sysconfig/ldap
Add this line for the normal debug level:
SLAPD_OPTIONS="-l local4"
Note: Do not set the "-d" flag in SLAPD_OPTIONS, as it will hang "service ldap start"; "-d" is meant for non-forked, terminal-based debugging, see "man slapd".
# touch /var/log/ldap.log
# pkill -HUP syslogd; service ldap restart
Set up log rotation using RedHat "logrotate": add "/var/log/ldap.log" to /etc/logrotate.d/syslog.
# cat /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/ldap.log {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
TIPS 2: LDAP Account Maintenance
To easily maintain the LDAP account details, it is highly recommended that the Java-based LDAP Browser/Editor tool (downloadable from http://www.iit.edu/~gawojar/ldap/) be used.
All that is required to configure this tool is to define JAVA_HOME in LBE.BAT and create a program icon LBE on your desktop pointing to it; don't forget that the start directory must be the same as that of LBE.BAT. For OpenLDAP Server, to add a NEW LDAP user, choose "Edit/Add Entry" and select the "posixAccount" template.
Another good GUI tool is the web-based PHP-LDAP-ADMIN: http://freshmeat.net/projects/phpldapadmin/; this tool requires more setup steps.
This step is for LDAP Clients ONLY.
Assuming client1.example.com is the RedHat EL3 LDAP Client to be configured.
Log in to client1 as 'root' at the SYSTEM CONSOLE, so that if there is any misconfiguration, repair can be done at the console.
The following RedHat RPMs are typically required for an LDAP Client:
nss_ldap-2XX-X
openldap-devel-2.X.XX-X
openldap-2.X.XX-X
openldap-clients-2.X.XX-X
IMPORTANT NOTE: If you intend to build OpenLDAP Server and Clients with SSL/TLS support, you MUST download and install the latest OpenLDAP RPMs from the RedHat web site; SSL/TLS requires OpenLDAP 2.1.X or later.
As shown in previous steps, you may also obtain the source for the above and compile it yourself.
These lines should be present in /etc/openldap/ldap.conf of the LDAP Client:
# List two or more LDAP servers if failover is required
HOST ldap1.example.com ldap2.example.com
# URI ldap://ldap1.example.com ldap://ldap2.example.com
BASE dc=example, dc=com
# Un-comment for RedHat
TLS_CACERT /etc/openldap/cacert.pem
# Un-comment for others
#TLS_CACERT /usr/local/etc/openldap/cacert.pem
The NSS_LDAP package includes /etc/ldap.conf, which is shared between the Name Service Switch module for LDAP (NSS_LDAP) and the Pluggable Authentication Module for LDAP (PAM_LDAP). Do not confuse this ldap.conf with the OpenLDAP client configuration file, which in our case is /etc/openldap/ldap.conf.
Edit /etc/ldap.conf; below is a well-commented sample, in which the site-specific directives (the ones left un-commented) are the lines usually changed:
# List two or more LDAP servers if failover is required
host ldap1.example.com ldap2.example.com
# “host” directive may be deprecated in future releases,
# you may wish to use ‘uri’ directive to replace “host” directive
# uri ldap://ldap1.example.com ldap://ldap2.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=proxyagent,ou=profile,dc=example,dc=com
bindpw password
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=example,dc=com
port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute memberUid
# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?one
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
nss_base_netgroup ou=netgroup,dc=example,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member
# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds
# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Un-comment for RedHat
tls_cacertfile /etc/openldap/cacert.pem
# Un-comment for Others
#tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
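The sample above mixes transport, peer-verification and credential directives whose interaction decides whether a simple bind is safe. The following added example (not part of the original document or of nss_ldap) parses an ldap.conf the way nss_ldap reads it and flags the weak combinations; the finding codes are this example's own names, and the sample configurations are constructed, the hardened one following this document's settings.

```python
"""Audit the security-relevant directives of an nss_ldap /etc/ldap.conf.

Added example, not part of the original document: it reads the directives
used in the sample above (ssl, port, tls_checkpeer, tls_cacertfile,
tls_cacertdir, binddn, rootbinddn) and reports settings under which a simple
bind would cross the wire unprotected or the server would go unverified.
Finding codes are this example's own names, not nss_ldap terms.
"""


def parse_ldap_conf(text):
    """Return {directive: value} with lower-cased directive names; comments
    and blank lines are ignored and a repeated directive keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def _norm_dn(dn):
    """Case-fold a DN and drop spaces around commas, so 'cn=Manager, dc=example,dc=com'
    compares equal to 'cn=manager,dc=example,dc=com'."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def audit_ldap_conf(text):
    """Return the sorted list of finding codes for one ldap.conf text."""
    c = parse_ldap_conf(text)
    findings = set()
    ssl = c.get("ssl", "no").lower()            # nss_ldap default: no TLS at all
    if ssl not in ("on", "yes", "start_tls"):
        # simple bind: bindpw and every user's login password travel in clear text
        findings.add("NO_TLS")
    elif ssl in ("on", "yes") and c.get("port", "389") == "389":
        # "ssl on" is LDAPS, which expects port 636; 389 is the plain/start_tls port
        findings.add("LDAPS_ON_PLAIN_PORT")
    if c.get("tls_checkpeer", "no").lower() != "yes":
        # default is "no": any host answering on the port is trusted as the server
        findings.add("NO_PEER_CHECK")
    elif not (c.get("tls_cacertfile") or c.get("tls_cacertdir")):
        # checkpeer yes but nothing to verify against: the handshake can only fail
        findings.add("NO_CA_CERT")
    if ("binddn" in c and "rootbinddn" in c
            and _norm_dn(c["binddn"]) == _norm_dn(c["rootbinddn"])):
        # ldap.conf must be readable by every local process doing NSS lookups,
        # so bindpw must be the proxy account's password, never the manager's
        findings.add("BINDDN_IS_ROOTDN")
    return sorted(findings)


# Constructed samples: a weak client configuration and the hardened one from
# this document (proxyagent bind over start_tls with peer verification).
WEAK_LDAP_CONF = """\
host ldap1.example.com
base dc=example,dc=com
binddn cn=Manager,dc=example,dc=com
bindpw secret
rootbinddn cn=Manager,dc=example,dc=com
port 389
#ssl start_tls
tls_checkpeer no
"""

HARDENED_LDAP_CONF = """\
host ldap1.example.com ldap2.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=proxyagent,ou=profile,dc=example,dc=com
bindpw password
rootbinddn cn=Manager,dc=example,dc=com
port 389
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem
"""
```

Run audit_ldap_conf(open("/etc/ldap.conf").read()) on a client to get the same report for a live file.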
Now, from the LDAP Client, we can test the openssl "CAfile" command again:
# openssl s_client -connect ldap1.example.com:636 -CAfile /etc/openldap/cacert.pem -debug
---
<Ctrl-C or Ctrl-Break to exit>; it should not display a verification error
# openssl s_client -connect ldap2.example.com:636 -CAfile /etc/openldap/cacert.pem -debug
---
<Ctrl-C or Ctrl-Break to exit>; it should not display a verification error
IMPORTANT NOTE: please ensure that the FQDN (Fully Qualified Domain Name) shown as CN=<FQDN> in the server certificate matches the "host" entry (or entries) in /etc/ldap.conf (nss_ldap) and $ETC_OPENLDAP/ldap.conf (LDAP Client), and that its IP address is defined in the /etc/hosts file.
You should test whether the LDAP client can connect to the LDAP Server (slapd) using simple authentication (-x), without and with START_TLS (-ZZ).
# ldapsearch -x -LLL
# ldapsearch -x -LLL -ZZ
# grep ldap /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
# service nscd restart
# id tuser
uid=99999(tuser) gid=102(Users)
# getent passwd gtay
…
This step is for Solaris8 or later (Solaris9/10) Native LDAP Clients only.
The procedures are also applicable to Solaris10; there is a specific step for the "crle" command, for which you may refer to this URL:
http://www.sunmanagers.org/pipermail/summaries/2005-August/006688.html
For a Solaris10 LDAP Client, it is noted that the entry "ipnodes: files ldap" in /etc/nsswitch.conf should be replaced with just "ipnodes: files", or else ldapclient initialization will hang.
Assuming client2.example.com and client3.example.com are the Solaris8 and Solaris9 Native LDAP Clients respectively.
Please note that for a Solaris8 LDAP Client, the "SUNWnisu" package (from the Solaris8 OS CD; it contains the "ldapclient" command), the latest kernel patch and the ldapv2 Patch 108993-XX must be installed; for a Solaris9 LDAP Client, the latest kernel patch and the ldap Patch 112960-XX must be installed.
Log in to client2 or client3 as 'root'.
We would first need to generate two files, /var/ldap/cert7.db and /var/ldap/key3.db, such that cert7.db contains the self-signed SSL Web Server certificate(s).
Run the "netscape" browser locally, or from a remote Windows PC, and capture the self-signed SSL Server certificates from ldap1.example.com and ldap2.example.com into $HOME/.netscape/cert7.db or c:\Program Files\Netscape\users\user_name\cert7.db.
The URL to capture cert7.db from is https://ldapserver_fqdn:636/; ignore the "The document contained no data" message. FQDN means Fully Qualified Domain Name.
https://ldap1.example.com:636/
https://ldap2.example.com:636/
To view the content of cert7.db in Netscape Browser, click Communicator/Tools/Security Info/Web Sites.
Copy this cert7.db and the corresponding key3.db to /var/ldap of all Solaris LDAP Clients.
Don’t forget to:
# chmod 644 /var/ldap/cert7.db
# chmod 644 /var/ldap/key3.db
To test whether a TLS connection works remotely from the LDAP Client to the LDAP Server, you could run "test_native_client_tls.sh", which requires /var/ldap/cert7.db.
IMPORTANT NOTE: the original /usr/bin/ldapsearch on a Solaris8/9 LDAP Client DOES NOT HAVE the "-Z" and "-P" options needed to perform this test; please download the SUN ONE DS5.2 software and perform a dummy install to, say, a SERVER_ROOT of /var/Sun/mps, so that /var/Sun/mps/shared/bin/ldapsearch, which provides these options, becomes available.
$ cat test_native_client_tls.sh
#! /bin/sh
# test_native_client_tls.sh - baseline TLS test from a Solaris Native LDAP Client
IDS5_PATH=/var/Sun/mps
LD_LIBRARY_PATH=$IDS5_PATH/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
echo "Testing MASTER LDAP Server..."
$IDS5_PATH/shared/bin/ldapsearch -h ldap1.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)" "+"
echo "Press any key"
read any_key
echo "Testing SLAVE LDAP Server..."
$IDS5_PATH/shared/bin/ldapsearch -h ldap2.example.com -p 636 -b "" -s base -Z -P /var/ldap/cert7.db "(objectclass=*)" "+"
echo "Done"
Note 1: the "+" is needed for OpenLDAP Server to return the full details of the RootDSE entry.
Note 2: /usr/bin/ldapsearch DOES NOT support the "-Z" and "-P" options, but $IDS5_PATH/shared/bin/ldapsearch DOES; how do you obtain this version of "ldapsearch"?
For Solaris9, $IDS5_PATH is most likely already there, usually named /usr/iplanet/ds5; you may amend the script to reflect its actual location. If it is not there, you may download and install SUN Java System Directory Server 5.2 or SUN ONE Directory Server 5.2 and walk through one round of "dummy" CONSOLE ONLY installation to obtain all the supported library and client command files in the $IDS5_PATH directory, which defaults to /var/Sun/mps.
For Solaris8, you will have to download and install SUN Java System Directory Server 5.2 or SUN ONE Directory Server 5.2 and walk through one round of "dummy" CONSOLE ONLY installation to obtain all the supported library and client command files in the $IDS5_PATH directory, which defaults to /var/Sun/mps.
Note 3: you ONLY need to test cert7.db and key3.db by running the BASELINE test script "test_native_client_tls.sh" ONCE, at ONE of the Solaris LDAP Clients.
Now run the TLS BASELINE test.
$ ./test_native_client_tls.sh
Testing Master LDAP Server...
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=example,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: OTP
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
Press any key
Testing SLAVE LDAP Server...
version: 1
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=example,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
Done
(Note: without the result.c patch to slapd, ONLY the first five lines will be shown)
Next we will configure the LDAP Client. Two files, /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred, need to be created; the first contains all the parameters and the second the password of "proxyAgent".
IMPORTANT NOTE: DO NOT RUN "ldapclient" to generate these two files for a Solaris Native LDAP Client against an OpenLDAP Server (be it on RedHat or Solaris), as "ldapclient" will throw a "Cannot find the rootDN" error, unless you applied the "result.c" patch (see Appendix) during the server binary build.
Content of /var/ldap/ldap_client_file:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com, ldap2.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
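Since ldapclient cannot be used here, ldap_client_file has to be derived by hand from the tls_profile entry created earlier. The following added example (not from the original document or from Sun's ldapclient) does that derivation in Python: it parses the DUAConfigProfile record from LDIF, first linting it for the trailing-space problem this section opened with, and renders the NS_LDAP_* lines; the attribute-to-key mapping is read off the two listings in this document, and the sample LDIF record is constructed.

```python
"""Build /var/ldap/ldap_client_file from a DUAConfigProfile LDIF entry.

Added example, not code from the original document or from Sun's ldapclient:
it reproduces the attribute-to-NS_LDAP_* mapping between the tls_profile
entry and the hand-written ldap_client_file shown in this document, after
first checking the LDIF for the trailing-space pitfall that breaks ldapadd.
"""

# DUAConfigProfile attribute -> ldap_client_file key (mapping read off the
# two listings in this document, in the order ldap_client_file lists them).
PROFILE_TO_CLIENT_FILE = [
    ("defaultServerList", "NS_LDAP_SERVERS"),
    ("defaultSearchBase", "NS_LDAP_SEARCH_BASEDN"),
    ("authenticationMethod", "NS_LDAP_AUTH"),
    ("followReferrals", "NS_LDAP_SEARCH_REF"),
    ("defaultSearchScope", "NS_LDAP_SEARCH_SCOPE"),
    ("searchTimeLimit", "NS_LDAP_SEARCH_TIME"),
    ("profileTTL", "NS_LDAP_CACHETTL"),
    ("cn", "NS_LDAP_PROFILE"),
    ("credentialLevel", "NS_LDAP_CREDENTIAL_LEVEL"),
    ("serviceSearchDescriptor", "NS_LDAP_SERVICE_SEARCH_DESC"),
    ("bindTimeLimit", "NS_LDAP_BIND_TIME"),
]

# Constructed input: the tls_profile entry of this document as an LDIF record.
SAMPLE_PROFILE_LDIF = """\
dn: cn=tls_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one
"""


def lint_ldif(text):
    """Return [(line_no, problem)] for whitespace that makes ldapadd fail: a
    line of only spaces is a continuation line, not a record separator."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        if line and not line.strip():
            problems.append((no, "whitespace-only line (read as continuation)"))
        elif line != line.rstrip():
            problems.append((no, "trailing whitespace"))
    return problems


def parse_ldif(text):
    """Parse LDIF into records, each a list of (attribute, value) pairs with
    lower-cased attribute names; comments skipped, continuation lines unfolded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold " continued value" lines
        else:
            logical.append(raw)
    records, current = [], []
    for line in logical + [""]:             # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                records.append(current)
            current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip().lower(), value.strip()))
    return records


def find_profile(records, name):
    """Return the DUAConfigProfile record whose cn is `name`."""
    for rec in records:
        classes = {v.lower() for a, v in rec if a == "objectclass"}
        if "duaconfigprofile" in classes and ("cn", name) in rec:
            return rec
    raise KeyError("no DUAConfigProfile named %r" % name)


def profile_to_client_file(rec):
    """Render a profile record as ldap_client_file text ("KEY= value" lines)."""
    lines = ["NS_LDAP_FILE_VERSION= 2.0"]
    for attr, key in PROFILE_TO_CLIENT_FILE:
        for a, v in rec:
            if a == attr.lower():
                if key == "NS_LDAP_SERVERS":
                    v = ", ".join(v.split())   # space list -> "a, b" as in the listing above
                lines.append("%s= %s" % (key, v))
    return "\n".join(lines) + "\n"
```

Run lint_ldif on a pasted .ldif before ldapadd, and profile_to_client_file(find_profile(parse_ldif(text), "tls_profile")) to obtain the ldap_client_file text shown above.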
Content of /var/ldap/ldap_client_cred:
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
(Tips: see Appendix for a script called cr_proyAgent_pw_in_NS1_format.sh to find out the {NS1} formatted password of proxyAgent; this script can only be run on Solaris8)
Alternatively, if the result.c patch is applied to the Server "slapd" binary, the following script, ldapclient_init_tlsprofile_sol9.sh, may be used to initialize a Solaris9 Native LDAP Client and generate the above two files. For a Solaris8 Native LDAP Client, use the other script, ldapclient_init_tlsprofile_sol8.sh, which shows the different ldapclient command syntax.
Content of ldapclient_init_tlsprofile_sol9.sh:
#! /usr/bin/sh
#
# ldapclient_init_tlsprofile_sol9.sh
#
# Gary Tay, 18-Feb-2005, written
#
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
# Please customize the values of profileName and LDAP Server IP Address
ldapclient -v init \
-a profileName=tls_profile \
-a domainName=example.com \
-a proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com \
-a proxyPassword=password 192.168.1.168
# As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
# which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
-e '/^passwd:/a\
shadow: files ldap' \
/etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
# Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
# Refresh autofs and sendmail to fix high-CPU bugs for automount and sendmail
/etc/init.d/sendmail stop
sleep 1
/etc/init.d/sendmail start
pkill -9 automount
/etc/init.d/autofs stop
sleep 3
/etc/init.d/autofs start
# ./ldapclient_init_tlsprofile_sol9.sh
Parsing profileName=tls_profile
Parsing domainName=example.com
Parsing defaultSearchBase=dc=example,dc=com
Parsing proxyDn=cn=proxyagent,ou=profile,dc=example,dc=com
Parsing proxyPassword=password
Arguments parsed:
defaultSearchBase: dc=example,dc=com
domainName: example.com
proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com
profileName: tls_profile
proxyPassword: password
defaultServerList: 192.168.1.168
Handling init option
Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
Stopping ldap
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/etc/.rootkey)=-1
file_backup: No /etc/.rootkey file.
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
#
Content of ldapclient_init_tlsprofile_sol8.sh:
#! /usr/bin/sh
#
# ldapclient_init_tlsprofile_sol8.sh
#
# Gary Tay, 28-Jul-2005, written
#
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
echo We first initialize a /var/ldap/ldap_client_file with "default" profile
/usr/sbin/ldapclient -v -i -a simple -b dc=example,dc=com -c proxy \
    -D cn=proxyAgent,ou=profile,dc=example,dc=com -w password \
    -S "passwd: ou=People,dc=example,dc=com?one" \
    -S "shadow: ou=People,dc=example,dc=com?one" \
    -S "group: ou=group,dc=example,dc=com?one" \
    -S "netgroup: ou=netgroup,dc=example,dc=com?one" \
    192.168.1.168
echo ...
echo As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
echo which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
    -e '/^passwd:/a\
shadow: files ldap' \
    /etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
echo ...
echo Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
echo ...
echo We then overwrite /var/ldap/ldap_client_file with "tls_profile" version
echo and refresh ldap_cachemgr
echo Please customize the NS_LDAP_XXX parameters in this script
cat <<EOF >/var/ldap/ldap_client_file.tls_profile
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
EOF
cp /var/ldap/ldap_client_file.tls_profile /var/ldap/ldap_client_file
/etc/init.d/ldap.client stop
/etc/init.d/ldap.client start
echo Done.
(Note: if you are not using TLS, comment out the relevant section of the script)
# ./ldapclient_init_tlsprofile_sol8.sh
Check and change the file permissions of BOTH ldap_client_file and ldap_client_cred if needed:
# cd /var/ldap
# chmod 400 ldap_client_file ldap_client_cred
Edit /etc/nsswitch.conf and make sure that these lines exist:
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
IMPORTANT NOTE: One side effect of running "ldapclient" is that it resets "hosts: files dns" in /etc/nsswitch.conf to "hosts: ldap files", which affects DNS name lookups. The above script attempts to revert it, but in case the script does not run to completion it is always advisable to double-check the "hosts:" entry in /etc/nsswitch.conf and adjust it back to the desired "files dns" setting.
Now try refreshing ldap_cachemgr and nscd:
# /etc/init.d/ldap.client stop
# /etc/init.d/ldap.client start
# ps -ef | grep ldap
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
# ps -ef | grep nscd
Make sure also that ldap1.example.com and ldap2.example.com are defined in BOTH "/etc/hosts" files and DNS, and that "hosts: files dns" instead of "hosts: files ldap" is defined in /etc/nsswitch.conf. If "hosts: files ldap" is used, there will be error messages during login, i.e. "unknown host or invalid literal address".
(IMPORTANT NOTE: if you are using SUN Native LDAP Client, there is no need to build NSS_LDAP and PAM_LDAP from source to support the OpenLDAP Client Library; simply use SUN's built-in /usr/lib/nss_ldap.so.1 and /usr/lib/security/pam_ldap.so.1)
To test the name service, on top of using "id" and "getent", there is also the "ldaplist" command
# /usr/lib/ldap/ldap_cachemgr -g
# id tuser
uid=9999(tuser) gid=102(Users)
# getent passwd tuser
tuser::9999:102::/home/tuser:/bin/bash
# ldaplist -l passwd tuser
dn: uid=tuser,ou=People,dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
Tips: If there is a problem looking up the LDAP entries, try to look for errors in /var/log/messages and/or /var/log/ldap.log.
Assumptions: one or more NFS Servers, eg: nfs_server and nfs_server2, have exported /home directories.
First, at the LDAP Server, add “solaris_automount.schema” to slapd.conf and restart slapd.
# touch solaris_automount.schema; chown ldap:daemon solaris_automount.schema
The definition of these automount attributes and objectclasses are taken from SUN ONE DS5.2 $SERVER_ROOT/config/schema/S99user.ldif and modified to suit OpenLDAP schema.
Please note that optional attribute "ou" is added to objectclass "automountMap" and "cn" is added to objectclass "automount".
# vi solaris_automount.schema
attributetype ( 1.3.6.1.1.1.1.33
    NAME 'automountInformation'
    DESC 'automount information'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE
    X-ORIGIN 'user defined' )
attributetype ( 1.3.6.1.1.1.1.31
    NAME 'automountMapName'
    DESC 'automount Map Name'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE
    X-ORIGIN 'user defined' )
attributetype ( 1.3.6.1.1.1.1.32
    NAME 'automountKey'
    DESC 'automount Key Value'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE
    X-ORIGIN 'user defined' )
objectclass ( 1.3.6.1.1.1.2.16
    NAME 'automountMap'
    SUP top
    STRUCTURAL
    MUST automountMapName
    MAY ( description $ ou )
    X-ORIGIN 'user defined' )
objectclass ( 1.3.6.1.1.1.2.17
    NAME 'automount'
    SUP top
    STRUCTURAL
    MUST ( automountInformation $ automountKey )
    MAY ( cn $ description )
    X-ORIGIN 'user defined' )
# vi slapd.conf
Add the following line after the solaris.schema line
include /etc/openldap/schema/solaris_automount.schema
Second, at the LDAP Server, create the automount maps for OpenLDAP. Below is a sample; there are two sets, auto_* for Solaris Native LDAP Client and auto.* for RedHat LDAP Client.
# cat automount_openldap.ldif
dn: ou=automount,dc=example,dc=com
ou: automount
objectClass: top
objectClass: organizationalUnit

dn: nisMapName=auto.master,dc=example,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.master

dn: cn=/home,nisMapName=auto.master,dc=example,dc=com
objectClass: top
objectClass: nisObject
cn: /home
nisMapEntry: ldap:nisMapName=auto.home,dc=example,dc=com
nisMapName: auto.master

dn: nisMapName=auto.home,dc=example,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.home

dn: cn=/,nisMapName=auto.home,dc=example,dc=com
objectClass: top
objectClass: nisObject
cn: /
nisMapEntry: nfs_server:/home/&
nisMapName: auto.home

dn: automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_master
ou: auto_master

dn: automountKey=/home,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /home
cn: /home
automountInformation: auto_home -nobrowse

dn: automountKey=/-,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /-
cn: /-
automountInformation: auto_direct

dn: automountMapName=auto_home,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_home
ou: auto_home

dn: automountKey=*,automountMapName=auto_home,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: *
cn: *
automountInformation: nfs_server:/home/&

dn: automountMapName=auto_direct,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_direct
ou: auto_direct

dn: automountKey=/home2,automountMapName=auto_direct,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /home2
cn: /home2
automountInformation: nfs_server2:/home
And add it into the DIT.
# ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -W -f automount_openldap.ldif
Third, at LDAP Server, create cn=tls_automount_profile under ou=profile,dc=example,dc=com
# cat tls_automount_profile
dn: cn=tls_automount_profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: sub
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_automount_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group: ou=group,dc=example,dc=com?one
serviceSearchDescriptor: shadow: ou=People,dc=example,dc=com?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=example,dc=com?one
serviceSearchDescriptor: auto.master: nisMapName=auto.master,dc=example,dc=com?one
serviceSearchDescriptor: auto.home: nisMapName=auto.home,dc=example,dc=com?one
serviceSearchDescriptor: auto_master: automountMapName=auto_master,dc=example,dc=com?one
serviceSearchDescriptor: auto_home: automountMapName=auto_home,dc=example,dc=com?one
serviceSearchDescriptor: auto_direct: automountMapName=auto_direct,dc=example,dc=com?one
objectclassMap: automount: automount=nisObject
objectclassMap: automount: automountMap=nisMap
attributeMap: automount: automountInformation=nisMapEntry
attributeMap: automount: automountKey=cn
attributeMap: automount: automountMapName=nisMapName
Note: either line of below is OK
attributeMap: automount: automountMapName=nisMapName
OR
attributeMap: automount: automountMapName=ou
# ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -W -f tls_automount_profile.ldif
# cat ldap_client_file
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com ldap2.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_automount_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.master: nisMapName=auto.master,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.home: nisMapName=auto.home,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_master: automountMapName=auto_master,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_home: automountMapName=auto_home,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_direct: automountMapName=auto_direct,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=nisMapName
NS_LDAP_ATTRIBUTEMAP= automount: automountKey=cn
NS_LDAP_ATTRIBUTEMAP= automount: automountInformation=nisMapEntry
NS_LDAP_OBJECTCLASSMAP= automount: automountMap=nisMap
NS_LDAP_OBJECTCLASSMAP= automount: automount=nisObject
Note: either line of below is OK
NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=nisMapName
OR
NS_LDAP_ATTRIBUTEMAP= automount: automountMapName=ou
# /etc/init.d/ldap.client stop (For Solaris only)
# /etc/init.d/ldap.client start (For Solaris only)
Make sure that /etc/nsswitch.conf contains “automount: files ldap” (optional if it is “automount: files” and local /etc/auto_xxx files contain +auto_xxx directives)
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
# ldaplist -l auto.master; ldaplist -l auto.home; ldaplist -l auto.direct (For Solaris only)
# ldapsearch -x -LLL -ZZ "objectclass=automountMap" (For RedHat)
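The two map sets created in the second step and the attributeMap/objectclassMap lines of the profile describe one structure in two schemas. The following added example (not part of the original document) builds both LDIF flavours from a single Python description of the page's sample maps and resolves a mount path through them the way the automounter does, so the "cd /home/uid" test of the sixth step can be checked on paper first; nfs_server and nfs_server2 are the NFS servers the page assumes.

```python
"""Build the two automount LDIF flavours from one set of maps and resolve a
path through them.  Constructed example, not from the original document:
the maps are the page's sample auto_master/auto_home/auto_direct (Solaris)
and auto.master/auto.home (RedHat); nfs_server and nfs_server2 are the NFS
servers the page assumes."""

BASE_DN = "dc=example,dc=com"

# map name -> {key: automount information}
SOLARIS_MAPS = {
    "auto_master": {"/home": "auto_home -nobrowse", "/-": "auto_direct"},
    "auto_home": {"*": "nfs_server:/home/&"},
    "auto_direct": {"/home2": "nfs_server2:/home"},
}
REDHAT_MAPS = {
    "auto.master": {"/home": "ldap:nisMapName=auto.home," + BASE_DN},
    # the page's RedHat map stores the wildcard entry under the key '/'
    "auto.home": {"/": "nfs_server:/home/&"},
}

# (map objectClass, map name attr, entry objectClass, key attr, info attr):
# the pairs are exactly the profile's objectclassMap/attributeMap lines
# automountMap=nisMap, automount=nisObject, automountMapName=nisMapName,
# automountKey=cn, automountInformation=nisMapEntry.
FLAVOURS = {
    "solaris": ("automountMap", "automountMapName", "automount",
                "automountKey", "automountInformation"),
    "nis": ("nisMap", "nisMapName", "nisObject", "cn", "nisMapEntry"),
}


def map_entries(flavour, maps, base_dn=BASE_DN):
    """Return the LDAP entries for `maps` as lists of (attribute, value)."""
    map_oc, map_attr, ent_oc, key_attr, info_attr = FLAVOURS[flavour]
    entries = []
    for map_name, keys in maps.items():
        map_dn = "%s=%s,%s" % (map_attr, map_name, base_dn)
        entry = [("dn", map_dn), ("objectClass", "top"),
                 ("objectClass", map_oc), (map_attr, map_name)]
        if flavour == "solaris":       # optional 'ou' added to automountMap
            entry.append(("ou", map_name))
        entries.append(entry)
        for key, info in keys.items():
            entry = [("dn", "%s=%s,%s" % (key_attr, key, map_dn)),
                     ("objectClass", "top"), ("objectClass", ent_oc),
                     (key_attr, key), (info_attr, info)]
            if flavour == "solaris":   # optional 'cn' added to automount
                entry.append(("cn", key))
            else:                      # nisObject repeats its map name
                entry.append((map_attr, map_name))
            entries.append(entry)
    return entries


def to_ldif(entries):
    """Render entries as LDIF, one blank line between entries."""
    return "\n\n".join("\n".join("%s: %s" % kv for kv in e)
                       for e in entries) + "\n"


def resolve(maps, path, master):
    """Resolve a mount path the way the automounter does: pick the master
    entry whose mount point prefixes the path, open the submap it names and
    match the next path component, expanding '&' to the key.  Direct maps
    (/-) are keyed by full path.  Returns 'server:/export' or None."""
    for mount, info in maps[master].items():
        submap = info.split()[0]                 # strip options (-nobrowse)
        if submap.startswith("ldap:"):           # ldap:nisMapName=X,dc=...
            submap = submap.split("=", 1)[1].split(",")[0]
        keys = maps.get(submap, {})
        if mount == "/-":
            if path in keys:
                return keys[path]
            continue
        if path == mount or path.startswith(mount + "/"):
            rest = path[len(mount) + 1:].split("/")[0]
            if rest in keys:
                return keys[rest].replace("&", rest)
            wildcard = keys.get("*", keys.get("/"))
            if wildcard and rest:
                return wildcard.replace("&", rest)
    return None
```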
Fifth, create /etc/auto_master, /etc/auto_home and /etc/auto_direct for Solaris, create /etc/auto.master and /etc/auto.home for RedHat and restart autofs/automountd.
IMPORTANT NOTE 1: RedHat autofs/automountd has a bug; please download and install the latest autofs rpm from the Fedora Core3 download site: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/autofs-4.1.3-114.i386.rpm
IMPORTANT NOTE 2: For RedHat autofs/automountd to work, please ensure that $ETC_OPENLDAP/ldap.conf exists and contains the “host” and “base” statements for automountd to read (please note that RH automountd does not read /etc/ldap.conf)
Sample contents for Solaris Native LDAP Client:
# cat /etc/auto_master
# Master map for automounter
#
+auto_master
/net -hosts -nosuid,nobrowse
/home auto_home -nobrowse
/xfn -xfn
/- auto_direct
# cat /etc/auto_home
# Home directory map for automounter
#
+auto_home
# cat /etc/auto_direct
+auto_direct
Sample contents for RedHat LDAP Client, note that RedHat does not have auto.direct.
# cat /etc/auto.master
+auto.master
# cat /etc/auto.home
+auto.home
# /etc/init.d/auto.fs restart
# /etc/init.d/auto.fs start
OR to debug on Solaris Native LDAP Client, run these two lines in sequence to start autofs:
# /usr/lib/autofs/automountd -Tvn
# /usr/sbin/automount &
Sixth, test autofs/automount by logging in as “uid”, check “df –k” to see if /home/uid is mounted, do a “cd /home/uid2” and check again.
$ pwd
/home/uid
$ df -k
Filesystem kbytes used avail capacity Mounted on
…
nfs_server:/home/uid
355069743 160782087 190736959 46% /home/uid
$ cd /home/uid2
$ df -k
(i.e. controlling user access to host using netgroup LDAP maps)
Pre-requisites:
. For Solaris, latest kernel patch and Patch 112960 must be applied
. For RedHat, RHFC3 or RHEL4 clients are recommended
. “shadowAccount” objectClass must be defined for People entries in LDAP DIT, on top of “posixAccount”
. to fix issue related to Solaris Native LDAP Client netgroup query, apply the following patch to nis.schema on the LDAP Server, then restart OpenLDAP server
# rfc2307
#attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
#    DESC 'Netgroup triple'
#    SYNTAX 1.3.6.1.1.1.0.0 )
# rfc2307bis
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
    DESC 'Netgroup triple'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
At the RedHat or Solaris LDAP Client, edit /etc/nsswitch.conf and change the following lines.
From:
passwd: files ldap
netgroup: files
To:
passwd: compat
passwd_compat: ldap
netgroup: ldap
Restart nscd.
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
Add the following sample lines to the end of /etc/passwd; note that there are SIX colons (6 ‘:’s) and only the first two colons enclose an ‘x’ character.
+@netgroup1:x:::::
+@netgroup2:x:::::
Add the CORRESPONDING lines to the end of /etc/shadow; note that there are EIGHT colons (8 ‘:’s) and between them there is NULL content:
+@netgroup1::::::::
+@netgroup2::::::::
Note: there is no need to run “pwconv” as root.
At the LDAP Server, add these netgroup entries. Assuming these People entries (gtay, tuser, tuser2) already exist.
# cat netgroup.ldif
dn: cn=netgroup1,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup1
nisNetgroupTriple: (,gtay,)
nisNetgroupTriple: (,tuser,)

dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup2
nisNetgroupTriple: (,tuser2,)
# ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -W -f netgroup.ldif
For advanced netgroup usage, see the following examples:
# nisNetgroupTriple Examples: (host,user,domain)
# jdoe is in the appusers netgroup for all servers, all domains.
# scarter is in the appusers netgroup only on the server mars.
# all users are in the appusers netgroup on the server pluto.
dn: cn=appusers,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
nisNetgroupTriple: (,jdoe,)
nisNetgroupTriple: (mars,scarter,)
nisNetgroupTriple: (pluto,,)
cn: appusers

dn: cn=prod_appservers,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
memberNisNetgroup: appusers
memberNisNetgroup: unixadmin
memberNisNetgroup: security
memberNisNetgroup: architecture
cn: prod_appservers
At the LDAP Client, login as “root” and test the following commands:
# getent passwd tuser
# id tuser
# su - tuser
The above commands should all work for users in netgroup1 and netgroup2, but not for others.
Assuming “test” is a user account that exists in LDAP (as shown by the ldaplist command) and does not belong to either netgroup1 or netgroup2:
# ldaplist -l passwd test
something
# getent passwd test
nothing
# id test; su - test
Solaris will say:
id: invalid user name: "userid"
su: unknown id: userid
RedHat will say:
id: userid: No such user
su: user userid does not exist
Now try logging in using user accounts in netgroup1 or netgroup2, eg: “tuser” or “tuser2”, they should all succeed, others will always fail, of course “root” is not affected by netgroup host access feature.
# ssh -v tuser@localhost
Congratulation!!! You have managed to use netgroup LDAP maps to control user access to host.
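To see why "tuser" resolves on the client while "test" does not, the following added example (not part of the original document) evaluates nisNetgroupTriple values with the (host,user,domain) semantics described above, follows memberNisNetgroup recursively, and applies the "+@netgroup" compat lines appended to /etc/passwd. The netgroup data is the page's own sample entries re-typed as Python; the host name "host1" and the user "test" in the tests are constructed.

```python
"""Netgroup membership and /etc/passwd '+@' compat evaluation.

Added example, not from the original document.  NETGROUPS is an in-memory
copy of the page's sample ou=netgroup entries: cn -> (nisNetgroupTriple
values, memberNisNetgroup values)."""

import re

NETGROUPS = {
    "netgroup1": (["(,gtay,)", "(,tuser,)"], []),
    "netgroup2": (["(,tuser2,)"], []),
    "appusers": (["(,jdoe,)", "(mars,scarter,)", "(pluto,,)"], []),
    "prod_appservers": ([], ["appusers", "unixadmin", "security",
                             "architecture"]),
}

# Constructed tail of /etc/passwd as the text above prescribes it
PASSWD_TAIL = ["+@netgroup1:x:::::", "+@netgroup2:x:::::"]

TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def parse_triple(value):
    """Split '(host,user,domain)' into three fields; an empty field means
    'any' and is returned as None.  Raises ValueError when malformed."""
    m = TRIPLE_RE.match(value.strip())
    if not m:
        raise ValueError("bad nisNetgroupTriple: %r" % value)
    return tuple(f or None for f in m.groups())


def triple_matches(triple, host, user, domain=None):
    """True when every non-empty field of the triple equals the query."""
    t_host, t_user, t_domain = parse_triple(triple)
    return ((t_host is None or t_host == host)
            and (t_user is None or t_user == user)
            and (t_domain is None or t_domain == domain))


def in_netgroup(name, host, user, domain=None, netgroups=NETGROUPS,
                _seen=None):
    """Membership test: direct triples first, then memberNisNetgroup
    recursively.  Undefined member netgroups are skipped (the page's
    unixadmin/security/architecture are not defined) and cycles guarded."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in netgroups:
        return False
    _seen.add(name)
    triples, members = netgroups[name]
    if any(triple_matches(t, host, user, domain) for t in triples):
        return True
    return any(in_netgroup(m, host, user, domain, netgroups, _seen)
               for m in members)


def compat_allows(passwd_lines, host, user, netgroups=NETGROUPS):
    """Apply the '+@netgroup' compat lines: the user is resolvable on this
    host only if some +@ entry names a netgroup containing (host, user).
    Returns the admitting netgroup name, or None (the case the text shows
    as 'id: invalid user name' / 'No such user')."""
    for line in passwd_lines:
        if not line.startswith("+@"):
            continue
        fields = line.rstrip("\n").split(":")
        # seven fields, i.e. the six ':' separators the text insists on
        if len(fields) != 7:
            raise ValueError("malformed compat line: %r" % line)
        group = fields[0][2:]
        if in_netgroup(group, host, user, netgroups=netgroups):
            return group
    return None
```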
This step is for LDAP Server only.
You may use the following UNIX root cron jobs for Daily OpenLDAP Data Backup, assuming you have created a /home/ldap to hold the scripts and exported ldif files, please adjust the runtime if required
0,15,30,45 * * * * /bin/chmod 600 /home/ldap/*.ldif /home/gtay/*.ldif
0,15,30,45 * * * * /bin/chmod 600 /home/ldap/mgr.pwd /home/gtay/mgr.pwd
0 3,15 * * * /home/ldap/db2ldif_backup.sh
1 3,15 * * * /home/ldap/db2ldif_People.sh
2 3,15 * * * /home/ldap/db2ldif_group.sh
Scripts could be found in Appendix.
IMPORTANT NOTE: the db2ldif_backup.sh and db2ldif_People.sh may NOT be able to list the content of userPassword due to security protection by LDAP Access Control List (ACL) directives.
This step is for LDAP Server only.
The following UNIX root cron jobs are examples of TWICE Daily Replication, modify to suit your need.
Note that Replication Script should run shortly after Backup Script.
# Note: LDAP Replication should start only after LDAP backup is done
# Adjust the cron job timing if needed
15 3,15 * * * /home/ldap/openldap_repl_People.sh ldap2.example.com
16 3,15 * * * /home/ldap/openldap_repl_group.sh ldap2.example.com
Scripts could be found in Appendix.
For these scripts to be successfully automated, “PermitRootLogin” must be enabled for the SSH Server running on ldap1 and ldap2, and a ONE-WAY SSH trust using a public key must be set up from ldap1 to ldap2
Also, copy the following LDAP Replication scripts to /home/ldap of SLAVE LDAP Server:
openldap_repl_People.sh
openldap_repl_group.sh
openldap_delete_Peoples.sh
openldap_delete_groups.sh
openldap_add.sh
You may also setup MASTER to SLAVE Replication using "slurpd", this gives instant change replication rather than scheduled changes.
This step is for LDAP Server only. Assuming ldap1.example.com is the MASTER and ldap2.example.com is the SLAVE.
First, create the Replicator user account at MASTER LDAP Server:
# cat Replicator.ldif
dn: cn=Replicator,dc=example,dc=com
cn: Replicator
objectClass: top
objectClass: Person
sn: Replicator
userPassword: {MD5}6zRvR8/osVedM+TTNqfoVw==
# ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -W -f Replicator.ldif
Second, define "replica" and “replogfile” in MASTER LDAP Server's slapd.conf, place the following directives AFTER the "database" directive.
# vi slapd.conf
replica uri=ldaps://ldap2.example.com:636
binddn="cn=Replicator,dc=example,dc=com"
bindmethod=simple credentials=xxxxxxxx
replogfile /var/lib/ldap/replication.log
Third, define "updatedn" and “updateref” in SLAVE LDAP Server's slapd.conf, place the following directives AFTER the "database" directive.
updatedn "cn=Replicator,dc=example,dc=com"
updateref ldaps://ldap1.example.com:636
Also, very importantly, don’t forget to grant “Replicator” user write access to “ALL” in SLAVE’s slapd.conf, place the following line BEFORE any other ACLs, i.e. the FIRST ACL.
access to *
by dn.exact="cn=Replicator,dc=example,dc=com" write
by * none break
Fourth, export all data from MASTER and import them into SLAVE.
At MASTER LDAP: shutdown slapd (or restart it in read-only mode), this is required prior to exporting its data to SLAVE LDAP.
# /etc/init.d/openldap.server stop
# slapcat >master.ldif
Copy "master.ldif" over to SLAVE LDAP.
At SLAVE LDAP:
Execute this script "slapadd_master_ldif_to_slave.sh"
#! /bin/sh
#
# slapadd_master_ldif_to_slave.sh
#
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
# Please customize LD_LIBRARY_PATH, SLAPADD_BINDIR, DATADIR, LDIFDIR and OWNER
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.4.2/lib:/usr/local/ssl/lib; export LD_LIBRARY_PATH
SLAPADD_BINDIR=/usr/local/sbin
DATADIR=/usr/local/var/openldap-data
LDIFDIR=/home/ldap
OWNER="ldap:daemon"
/etc/init.d/openldap.server stop
cd $DATADIR
/bin/rm -f __db.* log.* *.bdb
$SLAPADD_BINDIR/slapadd -v -l $LDIFDIR/master.ldif
if [ $? -eq 0 ]; then
chown $OWNER *
/etc/init.d/openldap.server start
echo "slapadd OK."
else
echo "slapadd failed."
fi
# ./slapadd_master_ldif_to_slave.sh
slapadd OK.
Fifth, restart "slapd" (usually run as "ldap" id), start "slurpd" (using "root") at MASTER, and start "slapd" at SLAVE, this completes the replication setup.
At MASTER LDAP:
# /etc/init.d/openldap.server start
# slurpd
At SLAVE LDAP:
# /etc/init.d/openldap.server start
Try changing LDAP data at MASTER and see if it is reflected in SLAVE.
Note that the actual changes, in ldif format, are located at /usr/var/openldap-slurp/replica on MASTER LDAP, in a file called slurpd.replog.
# cd /usr/var/openldap-slurp/replica; ls -alrt
total 28
drwx------ 3 root root 4096 Mar 6 23:23 ..
drwxr-xr-x 2 root root 4096 Mar 7 04:28 .
-rw-r--r-- 1 root root 44 Mar 24 05:08 slurpd.status
-rw-r--r-- 1 root root 14193 Mar 24 05:08 slurpd.replog
-rw-r--r-- 1 root root 0 Mar 24 05:33 slurpd.status.lock
-rw-r--r-- 1 root root 0 Mar 24 05:33 slurpd.replog.lock
Note that if there is replication error or issue, typically you will find the rejection log (.rej) in the above directory, if there is no error, there will be line containing “host:port:0” in slurpd.status.
Login as “root” at the LDAP Server.
Prepare sudo.schema
Content of sudo.schema:
attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
    NAME 'sudoHost'
    DESC 'Host(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
    NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
    NAME 'sudoRunAs'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
    NAME 'sudoOption'
    DESC 'Options(s) followed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1
    NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description )
    )
(The above is provided by README.LDAP from the sudo source)
Include sudo.schema in slapd.conf and restart slapd to load the schema.
Login as “root” at the LDAP Client.
For BOTH Solaris8/9 Native LDAP Client and RedHat OpenLDAP+PADL LDAP Client
Use gcc 3.2.1 or later to compile the sudo source code with BOTH LDAP and PAM support. Please note that the “sudo” RPM provided by RedHat does not have LDAP support compiled in; this can easily be verified by the fact that “ldd `which sudo`” does not show “libldap-2.2.so.7”.
# ldd `which sudo`
To compile and build sudo:
# cd /var/tmp
# tar xvf sudo-1.6.8p9.tar
# cd /var/tmp/sudo-1.6.8p9
# ./configure --with-ldap=/usr --with-pam
(For SUN Solaris Native LDAP Client or RedHat OpenLDAP+PADL LDAP Client where the LDAP library directory prefix is /usr/lib)
OR
# ./configure --with-ldap=/usr/local --with-pam
(For OpenLDAP+PADL LDAP Client or any Linux/UNIX LDAP Client built from source where the LDAP library directory prefix is /usr/local/lib)
# make clean
# make
If there are already previous versions of the sudoers configuration files, please back them up
# mv /etc/sudoers /etc/sudoers.orig
For RedHat:
# mv /etc/pam.d/sudo /etc/pam.d/sudo.orig
# mv /usr/bin/sudo /usr/bin/sudo.orig
# make install
For RedHat:
# cp sample.pam /etc/pam.d/sudo
For BOTH RedHat and Solaris
# ln -s /usr/local/bin/sudo /usr/bin/sudo
# sudo -V | head
Sudo version 1.6.8p9
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: local2
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Prepare sample sudoers.ldif using:
Method 1) sudoers2ldif.sh, which will call the sudoers2ldif tool provided by the sudo build (it is in the build directory; copy it to /usr/bin or any shared area that can be referenced by $PATH) and convert the existing /etc/sudoers.
Content of sudoers2ldif.sh:
#! /bin/sh
SUDOERS_BASE=ou=sudoers,dc=example,dc=com
export SUDOERS_BASE
[ -n "$1" ] && INPUT_FILE=$1
[ -z "$1" ] && INPUT_FILE=/etc/sudoers
sudoers2ldif $INPUT_FILE
Below shows the content of a text file /etc/sudoers.orig and how it is converted to ldif; the example here shows no additional sudoRole entry.
# cat /etc/sudoers.orig
root ALL=(ALL) ALL
# sudoers2ldif.sh /etc/sudoers.orig
dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here

dn: cn=root,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL
Method 2) By hand using vi; the example here shows some sample sudoRole entries.
# vi sudoers.ldif
dn: ou=sudoers,dc=example,dc=com
objectclass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: logfile=/var/log/sudolog

dn: cn=root,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL

# Everyone can "su - tuser" without giving password
dn: cn=su_tuser_wo_pw,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: su_tuser_wo_pw
sudoUser: ALL
sudoHost: ALL
sudoCommand: /bin/su - tuser
sudoOption: !authenticate

# tuser2 can reboot host1 server as default RunAs is "root"
dn: cn=tuser2_can_reboot_host1,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: tuser2_can_reboot_host1
sudoUser: tuser2
sudoHost: host1
sudoCommand: /usr/sbin/shutdown -y -g0 -i6
sudoOption:
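The mapping from a sudoers line to a sudoRole entry that both methods rely on (user, host, optional runas and NOPASSWD tag onto sudoUser, sudoHost, sudoRunAs and sudoOption) is made explicit by the following added example. It is not the sudoers2ldif tool shipped with sudo and is not from the original document; it handles only the subset of sudoers syntax used on this page, and the sample sudoers text inside it is constructed from the page's entries.

```python
"""Convert simple sudoers lines into sudoRole LDIF entries.

Added example, not the sudoers2ldif tool from the sudo source.  Supported:
'Defaults option[,option]' lines and 'user host=(runas) [NOPASSWD:] cmd'
specs, i.e. what the page's hand-written sudoers.ldif expresses."""

import re

SUDOERS_BASE = "ou=sudoers,dc=example,dc=com"

# Constructed sample mirroring the page's sudoRole entries
SAMPLE_SUDOERS = """# constructed sample sudoers
Defaults    logfile=/var/log/sudolog
root    ALL=(ALL) ALL
ALL     ALL=(ALL) NOPASSWD: /bin/su - tuser
tuser2  host1=(root) /usr/sbin/shutdown -y -g0 -i6
"""

SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"        # optional (runas)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"           # NOPASSWD: / PASSWD: tags
    r"(?P<cmd>.+)$")


def parse_sudoers(text):
    """Return (defaults, specs): defaults is a list of option strings, specs
    a list of dicts with user/host/runas/options/command.  Unsupported
    lines raise ValueError rather than being silently dropped."""
    defaults, specs = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            defaults.extend(o.strip() for o in line[len("Defaults"):].split(",")
                            if o.strip())
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        options = []
        if "NOPASSWD" in tags:
            options.append("!authenticate")   # same option as the page's entry
        if "PASSWD" in tags:
            options.append("authenticate")
        specs.append({"user": m.group("user"), "host": m.group("host"),
                      "runas": m.group("runas"), "options": options,
                      "command": m.group("cmd").strip()})
    return defaults, specs


def role_name(spec, used):
    """Name each role after its user, as the converted output above does,
    with a numeric suffix when one user has several specs."""
    base = spec["user"].lstrip("%+@") or "role"
    name, n = base, 1
    while name in used:
        n += 1
        name = "%s_%d" % (base, n)
    used.add(name)
    return name


def sudoers_to_ldif(text, base_dn=SUDOERS_BASE):
    """Emit the cn=defaults entry followed by one sudoRole per spec."""
    defaults, specs = parse_sudoers(text)
    entries = [[("dn", "cn=defaults,%s" % base_dn), ("objectClass", "top"),
                ("objectClass", "sudoRole"), ("cn", "defaults"),
                ("description", "Default sudoOption's go here")]
               + [("sudoOption", o) for o in defaults]]
    used = set()
    for s in specs:
        cn = role_name(s, used)
        e = [("dn", "cn=%s,%s" % (cn, base_dn)), ("objectClass", "top"),
             ("objectClass", "sudoRole"), ("cn", cn),
             ("sudoUser", s["user"]), ("sudoHost", s["host"])]
        # (ALL) is left out, matching the page's converted root entry
        if s["runas"] and s["runas"] != "ALL":
            e.append(("sudoRunAs", s["runas"]))
        e += [("sudoCommand", c.strip()) for c in s["command"].split(",")]
        e += [("sudoOption", o) for o in s["options"]]
        entries.append(e)
    return "\n\n".join("\n".join("%s: %s" % kv for kv in e)
                       for e in entries) + "\n"
```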
Populate LDAP Server.
For against OpenLDAP Server
# ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -W -f sudoers.ldif
For against SUN ONE DS5.2 Server
# ldapadd -c -D "cn=Directory Manager" -f sudoers.ldif
For Solaris Native LDAP Client, prepare a /etc/ldap.conf (mode 644 is OK as it contains no sensitive info) containing the following THREE lines; for RedHat, only the LAST LINE needs to be added as the FIRST TWO LINES are most likely already present.
host ldap1.example.com
base dc=example,dc=com
sudoers_base ou=sudoers,dc=example,dc=com
For Solaris Native LDAP Client, edit /var/ldap/ldap_client_file to add:
NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=sudoers,dc=example,dc=com
Don’t forget to add an ADDITIONAL SSD (Service Search Descriptor) for sudoers LDAP maps lookup in the LDAP DIT, using the SUN ONE DS5.2 Administration Console.
Restart ldap_cachemgr (/etc/init.d/ldap.client) and the name service daemon (/etc/init.d/nscd).
(note that README.LDAP says the "sudoers: files ldap" statement in /etc/nsswitch.conf is RESERVED but NOT YET implemented, so this line is optional)
Try the following commands to verify that the LDAP query is OK.
For Solaris:
# ldaplist -l sudoers
# ldaplist -l sudoers root
# ldaplist -l sudoers su_tuser_wo_pw
For RedHat:
# ldapsearch -x -LLL objectclass=sudoRole
Note that “getent sudoers root” won't work but that does not matter.
Make sure there is a /etc/pam.d/sudo; if there isn't, copy sample.pam from the sudo source build to it. The difference between sample.pam and the original /etc/pam.d/sudo is most likely additional commented lines.
To REALLY TEST if sudo+LDAP is working you MUST have EITHER an EMPTY /etc/sudoers or leave the ORIGINAL /etc/sudoers file, which contains effectively only ONE DEFAULT LINE “root ALL=(ALL) ALL”.
Now try to login as "gtay" and try both "su - tuser" and "sudo su - tuser"
$ su - tuser
Password:
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
$ id
uid=9999(tuser) gid=102(Users)
$ exit
$ sudo -l
$ sudo su - tuser (No password required)
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
$ id
uid=9999(tuser) gid=102(Users)
Now try to login as "tuser2" and try to reboot the server
$ id
uid=9998(tuser2) gid=102(Users)
$ /usr/sbin/shutdown -y -g0 -i6
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
Password:
Shutdown started. Fri May 20 15:23:20 SGT 2005
Changing to init state 6 - please wait
Broadcast Message from root (pts/3) on host1 Fri May 20 15:23:20...
THE SYSTEM sins001u5 IS BEING SHUT DOWN NOW ! ! !
Log off now or risk your files being damaged
Congratulation!!! You have successfully setup sudo+LDAP.
IMPORTANT NOTES:
1) With the absence of /etc/sudoers, "sudo -l" will complain and it will not retrieve sudo LDAP maps
sudo: can't stat /etc/sudoers: No such file or directory
2) "sudo -L" shows one option related to LDAP
…
ignore_local_sudoers: If LDAP directory is up, do we ignore local sudoers file
...
3) Don't forget to set LDAP Object Access permission to all objects under ou=sudoers,dc=example,dc=com using ACI in SUN ONE DS5.2 or ACL in OpenLDAP
The auth_ldap module built into Apache 2 is “experimental” and may not be stable; you may use:
Apache 1.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
Apache 2.X: http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html
Apache must be built with .so (shared object) support, and with SSL support if StartTLS is used.
To configure Apache2 with shared object and SSL support:
./configure --enable-so --enable-ssl --with-ssl-dir=/usr/local/ssl
(Refer to the URL above for Apache 1.X syntax)
IMPORTANT NOTE: DO NOT add --enable-ldap or --enable-auth-ldap or --with-ldap to the above; they are for the "experimental" ldap module support built into Apache 2.x, and they DID NOT work for me, not sure of the experience of others.
To configure “mod_auth_ldap” from muquit.com:
# OpenLDAP
./configure --with-apxs=/usr/local/apache2/bin/apxs --with-ldap-dir=/usr/local
# iPlanet LDAP
./configure --with-apxs=/usr/local/apache2/bin/apxs --with-ldap-dir=/usr
After that, modify httpd.conf, adding the following lines for testing purposes.
LoadModule auth_ldap_module modules/mod_auth_ldap.so
Alias /syslog "/var/log/"
<Directory "/var/log/">
    Options Indexes FollowSymLinks MultiViews IncludesNoExec ExecCGI
    AddOutputFilter Includes html
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
<Location /syslog>
    AuthType Basic
    AuthName "syslog"
    require valid-user
    #LDAP_Debug On
    #LDAP_StartTLS On
    LDAP_Server ldap1.example.com
    # Add SLAVE LDAP Server for failover
    LDAP_Server ldap2.example.com
    LDAP_Port 389
    Base_DN dc=example,dc=com
    UID_Attr uid
</Location>
Restart httpd, and test this URL:
http://apache.example.com/syslog/
Appendix:
Some of the scripts may assume a script directory /home/gtay (or /home/ldap), please feel free to modify to suit your project need.
You would also notice that mgr.pwd needs to be created for some of the scripts to be executed automatically.
The author would disclaim from holding any responsibility resulting from any logic error(s) or destruction(s) the scripts might have caused upon.
Content of cr_group_ldif.sh (is used to strip unwanted lines from Netscape exported ldif file)
cat group.ldif | egrep -v "^ |^nsUniqueId:|^aci:|^mod|^creat|^ ot|^ t" >group_ldapadd.ldif
cp group_ldapadd.ldif ldap_add.ldif
cp group_ldapadd.ldif openldap_add.ldif
Content of cr_People_ldif.sh (is used to strip unwanted lines from Netscape exported ldif file)
cat People.ldif | egrep -v "^gecos:|^ |nsUniqueId:|^aci:|^mod|^creat|^ ot|^ t" >People_ldapadd.ldif
cp People_ldapadd.ldif ldap_add.ldif
cp People_ldapadd.ldif openldap_add.ldif
Content of cr_unsigned_ssl_cert.sh
#! /bin/sh
#
# cr_unsigned_ssl_cert.sh - Create un-signed SSL Cert at SLAVE LDAP Server
#
# Gary Tay, 22-Oct-2004, written
# 10-Jun-2005, modified openssl.cnf, 3652 days validity now
# 22-Jul-2005, added code to prompt for SSL Cert. SERIAL Number
# Note: after creation of un-signed cert, login as root
# at MASTER LDAP Server and run sign_ssl_cert_from_slave.sh
# Un-comment for RedHat
#PATH=$PATH:/usr/bin; export PATH
# Un-comment for Others
PATH=$PATH:/usr/local/ssl/bin; export PATH
mkdir demoCA >/dev/null 2>&1
cd demoCA
mkdir certs crl newcerts private >/dev/null 2>&1
echo "Please enter an unique number as Certificate Serial Number"
echo "Examples: if 01 is reserved for MASTER LDAP Server"
echo "          02 can be used for 1st SLAVE LDAP Server"
echo "          03 can be used for 2nd SLAVE LDAP Server"
read SERIAL
echo $SERIAL >serial
cp /dev/null index.txt
# Un-comment next two lines for RedHat
#cp /usr/share/ssl/openssl.cnf openssl.cnf
# Un-comment next two lines for Others
cp /usr/local/ssl/openssl.cnf openssl.cnf
sed -e 's/AU/SG/' \
-e 's/Some-State/Singapore/' \
-e 's/Newbury/Singapore/' \
-e 's/Internet Widgits Pty Ltd/Example Ltd/' \
-e '/default_days/s/365/3652/' \
openssl.cnf > openssl.cnf.new
mv openssl.cnf.new openssl.cnf
echo "" >>openssl.cnf
echo "[ usr_cert ] " >>openssl.cnf
echo "subjectAltName=DNS:ldap.`domainname`,DNS:loadbalancer.`domainname`" >>openssl.cnf
echo "" >>openssl.cnf
echo "Creating un-signed SLAVE LDAP Server cert..."
echo "Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:"
openssl req -new -x509 -nodes -keyout newreq_slave.pem -out newreq_slave.pem \
-days 3652 -config openssl.cnf
Content of sign_ssl_cert_from_slave.sh
#! /bin/sh
#
# sign_ssl_cert_from_slave.sh
#
# Self sign un-signed SSL Cert copied from SLAVE LDAP Server
#
# Gary Tay, 22-Oct-2004, written
# 10-Jun-2005, modified openssl.cnf, 3652 days validity now
# 22-Jul-2005, added code to prompt for SSL Cert. SERIAL Number
# Un-comment for RedHat
#PATH=$PATH:/usr/bin; export PATH
# Un-comment for Others
PATH=$PATH:/usr/local/ssl/bin; export PATH
mkdir demoCA >/dev/null 2>&1
cd demoCA
mkdir certs crl newcerts private >/dev/null 2>&1
echo "Please enter an unique number as Certificate Serial Number"
echo "Examples: if 01 is reserved for MASTER LDAP Server"
echo "          02 can be used for 1st SLAVE LDAP Server"
echo "          03 can be used for 2nd SLAVE LDAP Server"
read SERIAL
echo $SERIAL >serial
cp /dev/null index.txt
# Un-comment next two lines for RedHat
cp /usr/share/ssl/openssl.cnf openssl.cnf
ETC_OPENLDAP=/etc/openldap
# Un-comment next two lines for Others
#cp /usr/local/ssl/openssl.cnf openssl.cnf
#ETC_OPENLDAP=/usr/local/etc/openldap
sed -e 's/AU/SG/' \
-e 's/Some-State/Singapore/' \
-e 's/Newbury/Singapore/' \
-e 's/Internet Widgits Pty Ltd/Example Ltd/' \
-e '/default_days/s/365/3652/' \
openssl.cnf > openssl.cnf.new
mv openssl.cnf.new openssl.cnf
echo "" >>openssl.cnf
echo "[ usr_cert ] " >>openssl.cnf
echo "subjectAltName=DNS:ldap.`domainname`,DNS:loadbalancer.`domainname`" >>openssl.cnf
echo "" >>openssl.cnf
echo "We must copy the unsigned SSL Server Cert from SLAVE LDAP Server"
echo ""
echo "Enter HOSTNAME/IP of SLAVE LDAP Server: \c"
read SLAVE_LDAP
echo "Enter directory to locate un-signed server cert/key: \c"
read DEMOCA_DIR
echo "Copying un-signed server cert/key from SLAVE LDAP Server..."
scp $SLAVE_LDAP:$DEMOCA_DIR/newreq_slave.pem .
echo "Self signing server cert for SLAVE LDAP Server..."
echo "Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:"
openssl x509 -x509toreq -in newreq_slave.pem -signkey newreq_slave.pem -out tmp.pem
cd ..
openssl ca -config demoCA/openssl.cnf -policy policy_anything \
-out demoCA/newcert_slave.pem -infiles demoCA/tmp.pem
rm -f demoCA/tmp.pem
echo "Please copy, New Cert and Key to SLAVE OpenLDAP Server config dir..."
echo "Example: assuming ldap2:$ETC_OPENLDAP is the target directory on SLAVE:"
echo "scp demoCA/cacert.pem ldap2:$ETC_OPENLDAP"
echo "scp demoCA/newcert_slave.pem ldap2:$ETC_OPENLDAP/slapd-cert-ldap2.pem"
echo "scp demoCA/newreq_slave.pem ldap2:$ETC_OPENLDAP/slapd-key-ldap2.pem"
echo "ssh ldap2 'chmod 640 $ETC_OPENLDAP/slapd-key-ldap2.pem'"
# Uncomment for RedHat
echo "ssh ldap2 'chown ldap:ldap $ETC_OPENLDAP/*.pem'"
# Uncomment for Others
#echo "ssh ldap2 'chown ldap:daemon $ETC_OPENLDAP/*.pem'"
echo ""
Content of db2ldif_backup.sh
#! /bin/sh
#
# db2ldif_backup.sh
#
BASEDN="dc=example,dc=com"
LDIF_FILE=/home/ldap/full_backup.ldif
if [ -n "`ps -ef | grep 'slapd' | grep -v grep`" ]
then
# For RedHat
BINDIR=/usr/bin
# For Others
#BINDIR=/usr/local/bin
# -w puts the Manager password on the command line, where ps can read it;
# newer OpenLDAP client tools accept -y /home/ldap/mgr.pwd instead.
$BINDIR/ldapsearch -x -LLL -b "$BASEDN" \
-D "cn=Manager,$BASEDN" \
-w `cat /home/ldap/mgr.pwd` \
"objectclass=*" >$LDIF_FILE
echo "Full user data backup written to $LDIF_FILE"
fi
chmod 600 $LDIF_FILE /home/ldap/mgr.pwd
Content of db2ldif_group.sh
#! /bin/sh
#
# db2ldif_group.sh
#
BASEDN="dc=example,dc=com"
LDIF_FILE=/home/ldap/group.ldif
if [ -n "`ps -ef | grep 'slapd' | grep -v grep`" ]
then
# For RedHat
BINDIR=/usr/bin
# For Others
#BINDIR=/usr/local/bin
$BINDIR/ldapsearch -x -LLL -b "ou=group,$BASEDN" \
-D "cn=Manager,$BASEDN" \
-w `cat /home/ldap/mgr.pwd` \
"objectclass=*" >$LDIF_FILE
fi
chmod 600 $LDIF_FILE /home/ldap/mgr.pwd
Content of db2ldif_People.sh
#! /bin/sh
#
# db2ldif_People.sh
#
BASEDN="dc=example,dc=com"
LDIF_FILE=/home/ldap/People.ldif
if [ -n "`ps -ef | grep 'slapd' | grep -v grep`" ]
then
# For RedHat
BINDIR=/usr/bin
# For Others
#BINDIR=/usr/local/bin
$BINDIR/ldapsearch -x -LLL -b "ou=People,$BASEDN" \
-D "cn=Manager,$BASEDN" \
-w `cat /home/ldap/mgr.pwd` \
"objectclass=*" >$LDIF_FILE
fi
chmod 600 $LDIF_FILE /home/ldap/mgr.pwd
Content of openldap_add.sh
#! /bin/sh
# openldap_add.sh
# Un-Comment for RedHat
BINDIR=/usr/bin
# Un-Comment for others
#BINDIR=/usr/local/bin
if [ -f mgr.pwd ]
then
$BINDIR/ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -w `cat mgr.pwd` -f openldap_add.ldif
else
echo "mgr.pwd not found"
echo "Please enter LDAP password for cn=Manager,dc=example,dc=com..."
$BINDIR/ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -W -f openldap_add.ldif
fi
Content of openldap_delete_groups.sh
#! /bin/sh
# openldap_delete_groups.sh
# Destructive script
# Never do deletion at LDAP Master Server
# Do deletion only at LDAP Slave Server
[ "`uname -n`" = "ldap1" ] && exit
# Un-Comment for RedHat
BINDIR=/usr/bin
# Un-Comment for others
#BINDIR=/usr/local/bin
grep "^dn:" group.ldif | sed 's/^dn: //' >openldap_delete_groups.ldif
if [ -f mgr.pwd ]
then
$BINDIR/ldapdelete -c -x -D "cn=Manager,dc=example,dc=com" -w `cat mgr.pwd` -f openldap_delete_groups.ldif
else
echo "mgr.pwd not found"
echo "Please enter LDAP password for cn=Manager,dc=example,dc=com..."
$BINDIR/ldapdelete -c -x -D "cn=Manager,dc=example,dc=com" -W -f openldap_delete_groups.ldif
fi
Content of openldap_delete_Peoples.sh
#! /bin/sh
# openldap_delete_Peoples.sh
# Destructive script
# Never do deletion at LDAP Master Server
# Do deletion only at LDAP Slave Server
[ "`uname -n`" = "ldap1" ] && exit
# Un-Comment for RedHat
BINDIR=/usr/bin
# Un-Comment for others
#BINDIR=/usr/local/bin
grep "^dn:" People.ldif | sed 's/^dn: //' >openldap_delete_Peoples.ldif
if [ -f mgr.pwd ]
then
$BINDIR/ldapdelete -c -x -D "cn=Manager,dc=example,dc=com" -w `cat mgr.pwd` -f openldap_delete_Peoples.ldif
else
echo "mgr.pwd not found"
echo "Please enter LDAP password for cn=Manager,dc=example,dc=com..."
$BINDIR/ldapdelete -c -x -D "cn=Manager,dc=example,dc=com" -W -f openldap_delete_Peoples.ldif
fi
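The two delete scripts above build their DN list with grep "^dn:" | sed 's/^dn: //'. That breaks on two things ldapsearch -LLL routinely emits: a DN longer than 76 characters is folded onto a continuation line (so ldapdelete is handed a truncated DN and fails), and a DN containing non-ASCII characters is written base64-encoded as "dn::". The following is an added example, not one of the page's scripts; ldif_dns, write_sample_ldif and the sample entries are constructed for illustration.

```shell
#! /bin/sh
# ldif_dns.sh -- added example, not one of the original scripts
# Print the DN of every entry in an LDIF dump, handling two cases the
# plain `grep "^dn:" | sed 's/^dn: //'` pipeline silently gets wrong:
#   1. ldapsearch folds lines longer than 76 characters; a continuation
#      line starts with one space and must be glued back onto its line.
#   2. A DN containing non-ASCII (or leading/trailing space) is emitted
#      as "dn:: <base64>" and must be decoded before ldapdelete sees it.
# DNs are printed deepest-first (most RDNs first) so that ldapdelete
# removes children before their parents.
# Usage: write_sample_ldif /tmp/sample.ldif && ldif_dns /tmp/sample.ldif

ldif_dns() {
    # $1 = LDIF file to read
    awk '
        /^ / { buf = buf substr($0, 2); next }        # unfold continuation
        { if (buf ~ /^dn::? /) print buf; buf = $0 }
        END { if (buf ~ /^dn::? /) print buf }
    ' "$1" |
    while IFS= read -r line; do
        case "$line" in
            'dn:: '*) printf '%s\n' "${line#dn:: }" | base64 -d; echo ;;
            'dn: '*)  printf '%s\n' "${line#dn: }" ;;
        esac
    done |
    awk -F, '{ print NF "\t" $0 }' | sort -rn | cut -f2-
    # NF counts commas, so an escaped "\," inside an RDN over-counts depth.
}

# Constructed sample LDIF: the ou, one group with a folded DN, and one
# group whose DN holds a non-ASCII character (base64-encoded).
write_sample_ldif() {
    cat >"$1" <<'EOF'
dn: ou=group,dc=example,dc=com
objectClass: organizationalUnit
ou: group

dn: cn=verylonggroupnameexceedingtheseventysixcharacterlinewidth,ou=group,dc=
 example,dc=com
objectClass: posixGroup
cn: verylonggroupnameexceedingtheseventysixcharacterlinewidth
gidNumber: 1001

dn:: Y249w7xzZXIsb3U9Z3JvdXAsZGM9ZXhhbXBsZSxkYz1jb20=
objectClass: posixGroup
cn:: w7xzZXI=
gidNumber: 1002
EOF
}
```

Feed the output to ldapdelete -c -f in place of the grep/sed list; the ou entry comes out last, so it is only removed once its children are gone.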
Content of openldap_repl_group.sh
#! /bin/sh
#
# openldap_repl_group.sh
#
# Gary Tay, 10-Oct-2003, written
#
# Assumption: root@$MASTER_LDAP has been SSH trusted by root@$SLAVE_LDAP
#
# Required these modular scripts/files:
#
# 1. db2ldif_group.sh
# 2. openldap_delete_groups.sh
# 3. openldap_add.sh
# 4. mgr.pwd contains password for "Manager"
#
MASTER_LDAP="ldap1"
SLAVE_LDAP="ldap2"
# Make sure current hostname is Master LDAP Server
[ "`uname -n`" != "$MASTER_LDAP" ] && exit 1
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
if [ $# -le 0 ]
then
echo ""
echo "OpenLDAP Replicate group data to Slave LDAP Server"
echo ""
echo "Usage: $0 <HOSTNAME or IP of Slave LDAP Server>"
echo "Example: $0 $SLAVE_LDAP"
exit 1
fi
SSH=/usr/bin/ssh
SCP=/usr/bin/scp
cd /home/ldap
# Export group ldif file
./db2ldif_group.sh
cp group.ldif openldap_add.ldif
# Copy ldif files to Slave LDAP Server
$SCP group.ldif $1:/home/ldap
$SCP openldap_add.ldif $1:/home/ldap
# Execute script at Slave LDAP Server
$SSH $1 "cd /home/ldap; chmod 600 mgr.pwd; chmod 750 db2ldif_group.sh; ./db2ldif_group.sh; chmod 750 openldap_delete_groups.sh; ./openldap_delete_groups.sh; chmod 750 openldap_add.sh; ./openldap_add.sh"
Content of openldap_repl_People.sh
#! /bin/sh
#
# openldap_repl_People.sh
#
# Gary Tay, 10-Oct-2003, written
#
# Assumption: root@$MASTER_LDAP has been SSH trusted by root@$SLAVE_LDAP
#
# Required these modular scripts/files:
#
# 1. db2ldif_People.sh
# 2. openldap_delete_Peoples.sh
# 3. openldap_add.sh
# 4. mgr.pwd contains password for "Manager"
#
MASTER_LDAP="ldap1"
SLAVE_LDAP="ldap2"
# Make sure current hostname is Master LDAP Server
[ "`uname -n`" != "$MASTER_LDAP" ] && exit 1
# Make sure root account is used
[ -z "`id | egrep 'uid=0|euid=0'`" ] && exit 1
if [ $# -le 0 ]
then
echo ""
echo "OpenLDAP Replicate People data to Slave LDAP Server"
echo ""
echo "Usage: $0 <HOSTNAME or IP of Slave LDAP Server>"
echo "Example: $0 $SLAVE_LDAP"
exit 1
fi
SSH=/usr/bin/ssh
SCP=/usr/bin/scp
cd /home/ldap
# Export People ldif file
./db2ldif_People.sh
cp People.ldif openldap_add.ldif
# Copy ldif files to Slave LDAP Server
$SCP People.ldif $1:/home/ldap
$SCP openldap_add.ldif $1:/home/ldap
# Execute script at Slave LDAP Server
$SSH $1 "cd /home/ldap; chmod 600 mgr.pwd; chmod 750 db2ldif_People.sh; ./db2ldif_People.sh; chmod 750 openldap_delete_Peoples.sh; ./openldap_delete_Peoples.sh; chmod 750 openldap_add.sh; ./openldap_add.sh"
Content of openldap_search.sh
#! /bin/sh
# openldap_search.sh
# Un-Comment for RedHat
BINDIR=/usr/bin
# Un-Comment for others
#BINDIR=/usr/local/bin
$BINDIR/ldapsearch -x -LLL -b "dc=example,dc=com" \
-D "cn=Manager,dc=example,dc=com" -w `cat mgr.pwd` "objectclass=*"
See http://web.singnet.com.sg/~garyttt/DUAConfigProfile.schema.txt
See http://web.singnet.com.sg/~garyttt/solaris.schema.txt
See http://web.singnet.com.sg/~garyttt/result_c_patch.txt
Steps to apply result.c patch:
# cd /var/tmp/openldap-2.2.X
# patch -p0 -i result_c_patch.txt
patching file servers/slapd/result.c
Hunk #1 succeeded at 916 with fuzz 1 (offset 37 lines).
Hunk #2 succeeded at 1082 with fuzz 1 (offset 5 lines).
# cat cr_proxyAgent_pw_in_NS1_format.sh
/usr/sbin/ldap_gen_profile -P testprofile -b "dc=example,dc=com" \
-D "cn=proxyAgent,ou=profiLe,dc=example,dc=com" -w password \
192.168.1.168
# ./cr_proxyAgent_pw_in_NS1_format.sh
dn: cn=testprofile,ou=profile,dc=example,dc=com
SolarisBindDN: cn=proxyAgent,ou=profiLe,dc=example,dc=com
SolarisBindPassword: {NS1}ecfa88f3a945c411
SolarisLDAPServers: 192.168.1.168
SolarisSearchBaseDN: dc=example,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: testprofile
SolarisBindTimeLimit: 30
ObjectClass: top
ObjectClass: SolarisNamingProfile