Commit 8b5db5f5 authored by pedrolab's avatar pedrolab

Merge branch 'undefined' into 'master'

Upload LDAP installation README

See merge request !11
parents 9ef504ff 9202ba4c
# openLDAP
http://www.zytrax.com/books/ldap/ \
http://www.openldap.org/doc/admin24/ \
https://oav.net/mirrors/LDAP-ObjectClasses.html \
## Install openLDAP server
```
apt-get install slapd ldap-utils
```
`Enter Admin password: ****`
This will be the password for cn=admin,cn=config
```
dpkg-reconfigure slapd
```
`Enter domain: example.com`
Create base DN dc=example,dc=com
`Enter admin password: ****`
This will be the password for cn=admin,dc=example,dc=com
`Database type: mdb`
(default)
### You can change cn=admin,cn=config password like this
Create a file `chg_admin_pass.ldif` with this content
```
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
# a cleartext value works; a {SSHA} hash produced with slappasswd is also accepted
olcRootPW: foobar123
```
Then import the file
`ldapmodify -Y EXTERNAL -H ldapi:/// -f chg_admin_pass.ldif`
## Basic config
Edit `/etc/default/slapd`
We will use ldap on localhost, ldapi on localhost, and ldaps for connections from the outside. A bare `ldap:///` would listen on every interface, so the plain ldap listener is bound to the loopback address explicitly:
```
# plain ldap on loopback only; ldaps and the ldapi socket on their defaults
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
```
The OpenLDAP configuration files live in `/etc/ldap/slapd.d`
### Post install config
We import configuration directly into the DIT (Directory Information Tree) using the OLC (OnLine Configuration, `cn=config`) syntax, with one LDIF file per change. So let's create a directory to store those files
```
mkdir /etc/ldap/ldif
```
### See your config!
```
# query the mdb database configuration over the ldapi socket
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config
# or dump the whole cn=config tree straight from disk
slapcat -b cn=config
```
## unique uid and mail attributes
We want to avoid duplicate user ids. LDAP will happily accept both uid=david,ou=group1 and uid=david,ou=group2, because they are two different entries in the DIT, but this leads to uid confusion. We also want the mail attribute to be unique, for the same reason.
Edit `/etc/ldap/ldif/unique.ldif`
We make uid and mail attributes unique across the `dc=example,dc=com` tree
```
# import the unique module library
dn: cn=module{1},cn=config
cn: module{1}
objectClass: olcModuleList
olcModuleLoad: unique
olcModulePath: /usr/lib/ldap

# define the module overlay (records must be separated by a blank line)
dn: olcOverlay={0}unique,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: {0}unique
olcUniqueBase: dc=example,dc=com
olcUniqueAttribute: uid
olcUniqueAttribute: mail
```
And now we import the config
```
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/unique.ldif
```
## Group membership and integrity
We want to use groups of users to make permission assignment easier.
Edit `/etc/ldap/ldif/memberof.ldif`
```
# import the memberof module library
dn: cn=module{2},cn=config
cn: module{2}
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib/ldap

# configure the overlay (records must be separated by a blank line)
dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {1}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
```
And now we import the config
```
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/memberof.ldif
```
What happens when we add a user's DN to a group and then, at some later date, delete that user? The deleted user's DN remains as a member of the group. That's not good; we want referential integrity, which is what the refint overlay provides.
First we import the library into `cn=module{2},cn=config`, the same DN we use for the memberof module.
Edit `/etc/ldap/ldif/refint-1.ldif`
```
# add the refint module to the existing cn=module{2},cn=config entry
dn: cn=module{2},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint
```
And now we import the modification
```
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/refint-1.ldif
```
Then we define the overlay configuration
Edit `/etc/ldap/ldif/refint-2.ldif`
```
# configure the refint overlay
dn: olcOverlay={2}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {2}refint
olcRefintAttribute: memberof member manager owner
```
And import the configuration
```
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/refint-2.ldif
```
#### Delete members from a group
Edit `member_test.ldif` (removing the DN from the group's `member` attribute; the memberof overlay drops the matching `memberOf` value from the user)
```
dn: cn=group_name,dc=commonscloud,dc=coop
changetype: modify
delete: member
member: uid=a_user,ou=users,dc=commonscloud,dc=coop
```
Then apply it, binding as a user with write access to the group
```
ldapmodify -x -W -D "uid=my-user,dc=commonscloud,dc=coop" -f ./member_test.ldif
```
## password policy
http://www.zytrax.com/books/ldap/ch6/ppolicy.html \
We can define several password policies.
The password policy schema is not part of the default schema, so we need to import it first.
```
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
```
**Load the module**
Edit `/etc/ldap/ldif/pwdpolicy-1.ldif`
```
dn: cn=module{3},cn=config
objectClass: olcModuleList
cn: module{3}
olcModuleLoad: ppolicy.la
```
And import the config
```
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/pwdpolicy-1.ldif
```
**Configure the overlay**
Edit `/etc/ldap/ldif/pwdpolicy-2.ldif`
```
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
# the dn can be anywhere in the tree, we have chosen this
olcPPolicyDefault: cn=defaultpwdpolicy,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
```
And import the config
```
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif/pwdpolicy-2.ldif
```
**Define password policies**
Edit `/etc/ldap/ldif/pwdpolicy-3.ldif`
```
# add default policy to DIT
# passwords must be reset every year (pwdMaxAge: 31536000), have a
# minimum length of 6 (pwdMinLength: 6), and users get an expiry warning
# starting 1 week before expiry (pwdExpireWarning: 604800). Once expired,
# no grace binds are allowed (pwdGraceAuthNLimit: 0). The lockout values
# are present but inactive: with pwdLockout: FALSE, 5 consecutive failures
# (pwdMaxFailure: 5) do not lock the account; set pwdLockout: TRUE to lock
# it for 5 minutes (pwdLockoutDuration: 300). Users can change their own
# password (pwdAllowUserChange: TRUE) without supplying the old one
# (pwdSafeModify: FALSE) and must change an admin-set password at first
# bind (pwdMustChange: TRUE).
dn: cn=defaultpwdpolicy,dc=example,dc=com
objectClass: pwdPolicy
objectClass: applicationProcess
objectClass: top
cn: defaultpwdpolicy
pwdMaxAge: 31536000
pwdExpireWarning: 604800
pwdAttribute: userPassword
pwdInHistory: 0
pwdCheckQuality: 1
pwdMaxFailure: 5
pwdLockout: FALSE
pwdLockoutDuration: 300
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdMinLength: 6
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
```
Just a note about `pwdLockout: TRUE`: this can cause headaches when users have the wrong password stored in a client like the Nextcloud desktop sync client. The client will try to log in again and again, the account will eventually be locked, and the user will not be able to log in.
We import this ldif into the dc=example,dc=com tree, so we do it with a simple bind as the admin of that tree
```
ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /etc/ldap/ldif/pwdpolicy-3.ldif
```
## olcPasswordHash: {SSHA512}
In the ppolicy config we set `olcPPolicyHashCleartext: TRUE`, so slapd hashes any cleartext password a client sends, using the scheme named in `olcPasswordHash`.
By default OpenLDAP hashes passwords with salted SHA-1 ({SSHA}). We can use SHA-2 schemes by loading the pw-sha2 module.
Edit `pw-sha2_moduleload.ldif`
```
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: pw-sha2.la
```
`ldapadd -Y EXTERNAL -H ldapi:/// -f ./pw-sha2_moduleload.ldif`
And now make {SSHA512} the default hash by setting it on the frontend database
Edit `default_hash.ldif`
```
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA512}
```
`ldapmodify -Y EXTERNAL -H ldapi:/// -f ./default_hash.ldif`
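To check what slapd stores once `olcPasswordHash: {SSHA512}` is active, here is an added Python example (not from this README or the OpenLDAP project) that produces and verifies values in the pw-sha2 layout: base64 of the SHA-512 digest of password plus salt, followed by the 8-byte salt. Python is used because the point is the stored format rather than a slapd command.

```python
"""Added example (not from the README or OpenLDAP): build and verify
{SSHA512} userPassword values in the layout the pw-sha2 module stores,
base64(SHA-512(password || salt) || salt) with an 8-byte random salt."""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size   # 64 bytes
SALT_LEN = 8                                # salt size pw-sha2 generates


def hash_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value; pass a fixed salt only for reproducible tests."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(password: str, stored: str) -> bool:
    """Check password against a stored value; any malformed input is a mismatch."""
    if stored[:len(SCHEME)].upper() != SCHEME:  # scheme names are case-insensitive
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:
        return False
    if len(raw) <= DIGEST_LEN:        # digest with no trailing salt
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)   # constant-time compare
```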
## Warning
After a year, I've got a problem with `pwdMaxAge: 31536000`
I use a simpleSecurityObject `cn=nobody,dc=xxx,dc=xxx` that is used to bind. Its password has expired and now I have this error and intermittent binding fails on servers.
`ppolicy_bind: Entry cn=nobody,dc=example,dc=com has an expired password: 0 grace logins`
I created a User Specific Password Policy to be able to define pwdMaxAge to 0 just for the simpleSecurityObject. http://www.zytrax.com/books/ldap/ch6/ppolicy.html#examples
However I cannot add `pwdPolicySubentry: "cn=user,ou=pwpolicies,dc=example,dc=com"` to the simpleSecurityObject.
Until I find a solution I have changed `pwdMaxAge: 0` for everyone.
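An added Python example, not from this README, that applies the `pwdMaxAge` and `pwdExpireWarning` values of the default policy defined earlier to an account's `pwdChangedTime`, reproducing the expiry check that refused the `cn=nobody` bind above; the LDIF excerpt and timestamps are constructed, and `pwdMaxAge: 0` is handled as the never-expires case.

```python
"""Added example, not from the README: apply pwdMaxAge / pwdExpireWarning
from a ppolicy entry to an account's pwdChangedTime, the check that refused
the cn=nobody bind in the Warning above. Times are LDAP generalized time
(YYYYMMDDHHMMSSZ); the policy text below is a constructed excerpt."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

DEFAULT_POLICY_LDIF = """\
# constructed excerpt of cn=defaultpwdpolicy from pwdpolicy-3.ldif
dn: cn=defaultpwdpolicy,dc=example,dc=com
objectClass: pwdPolicy
pwdMaxAge: 31536000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 0
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Read one LDIF record into {attr (lowercased): [values]}, skipping # comments."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_generalized_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_status(policy: Dict[str, List[str]], pwd_changed_time: str,
                    now: str) -> Tuple[str, int]:
    """Return (state, seconds_left): 'never', 'ok', 'warning' or 'expired'.
    pwdMaxAge 0 disables expiry; with pwdGraceAuthNLimit 0 an 'expired'
    account cannot bind at all, which is what the Warning section hit."""
    max_age = int(policy.get("pwdmaxage", ["0"])[0])
    warn = int(policy.get("pwdexpirewarning", ["0"])[0])
    if max_age == 0:
        return "never", -1
    expires = parse_generalized_time(pwd_changed_time) + timedelta(seconds=max_age)
    left = int((expires - parse_generalized_time(now)).total_seconds())
    if left <= 0:
        return "expired", 0
    if warn and left <= warn:
        return "warning", left
    return "ok", left
```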