Chroot OpenLDAP on NetBSD


Installing an LDAP directory on NetBSD is really easy with OpenLDAP and pkgsrc, but chrooting it requires a few particular steps.

Installation

Install the NetBSD system, then add the OpenLDAP package:

# pkg_add -uu http://nyftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/openldap-server-2.4.23nb1.tgz 

Configuration

Create the chroot environment where OpenLDAP will be installed (the run directory has to match the pidfile and argsfile paths set in slapd.conf):

# set -o braceexpand
# mkdir -p /home/ldap/{etc,data,dev,var}
# chown slapd:ldap /home/ldap/data
# cp -p /usr/pkg/share/examples/openldap/DB_CONFIG /home/ldap/data/
# install -d -m 0755 -o slapd -g ldap /home/ldap/var/openldap/run

Enable UID and GID resolution inside the chroot (slapd looks up the -u/-g user and group after chrooting):

# grep slapd /etc/master.passwd > /home/ldap/etc/master.passwd  
# pwd_mkdb -d /home/ldap /home/ldap/etc/master.passwd  
# grep ldap /etc/group > /home/ldap/etc/group 

Install the initial schema and configuration file:

# install -p -m 0644 -o root -g wheel /usr/pkg/etc/openldap/schema/core.schema /home/ldap/etc/core.schema  
# install -p -m 0640 -o slapd -g ldap /usr/pkg/etc/openldap/slapd.conf /home/ldap/etc/slapd.conf 

OpenLDAP will run chrooted, but the rc.d script and the other tools (slapindex, …) run outside the chroot and can’t deal with the chrooted paths. What I did is configure an “inside” slapd.conf (used by slapd) and an “outside” one (used by the tools). The only difference lies in the paths configured to access the various files.

Edit the “inside” configuration file; set the administrative password and the database path:

# slappasswd  
# vi /home/ldap/etc/slapd.conf  
(...)  
include /etc/core.schema  
(...)  
rootpw {SSHA}Bp1uq7j3vcON95fsRtvxQ386dmC8WFUW  
(...)  
directory /data 

The “outside” file looks much the same; only the paths are prefixed with the chroot directory:

# diff /home/ldap/etc/slapd.conf /usr/pkg/etc/openldap/slapd.conf
3,7c3,7
< include               /etc/core.schema
< include               /etc/cosine.schema
< include               /etc/nis.schema
< include               /etc/authldap.schema
< include               /etc/inetorgperson.schema
---
> include               /home/ldap/etc/core.schema
> include               /home/ldap/etc/cosine.schema
> include               /home/ldap/etc/nis.schema
> include               /home/ldap/etc/authldap.schema
> include               /home/ldap/etc/inetorgperson.schema
9,34c9,10
< pidfile               /var/openldap/run/slapd.pid
< argsfile      /var/openldap/run/slapd.args
---
> pidfile               /home/ldap/var/openldap/run/slapd.pid
> argsfile      /home/ldap/var/openldap/run/slapd.args
41c17
< directory     /data
---
> directory     /home/ldap/data

Edit rc.conf and rc.local to start the daemon at boot:

# vi /etc/rc.conf  
slapd=YES  
slapd_flags="-u slapd -g ldap -r /home/ldap -f /etc/slapd.conf"  
# vi /etc/rc.local  
[ -x /usr/pkg/share/examples/rc.d/slapd ] &&  
/usr/pkg/share/examples/rc.d/slapd start 

Additional tweaks

Securing with SSL

Configuring SSL requires a random device inside the chroot (OpenSSL reads it when TLS is initialised), copying the certificates into the chroot directory and modifying slapd.conf:

# mkdir -p /home/ldap/dev
# cd /home/ldap/dev && sh /dev/MAKEDEV random
# mkdir -p /home/ldap/etc/ssl
# cp -p ca.tumfatig.local.pem ldap.tumfatig.local.crt ldap.tumfatig.local.key /home/ldap/etc/ssl/
# chown slapd:ldap /home/ldap/etc/ssl/*
# vi /home/ldap/etc/slapd.conf
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /etc/ssl/ca.tumfatig.local.pem
TLSCertificateFile      /etc/ssl/ldap.tumfatig.local.crt
TLSCertificateKeyFile   /etc/ssl/ldap.tumfatig.local.key
# vi /etc/rc.conf
slapd_flags="-u slapd -g ldap -r /home/ldap -f /etc/slapd.conf -h 'ldaps:///'"
# /usr/pkg/share/examples/rc.d/slapd restart

The OpenLDAP client tools need to be pointed at the CA file:

# cat /etc/openldap/ldap.conf  
TLS_CACERT /etc/openssl/certs/ca.tumfatig.local.pem 

The CA file should also be installed on every computer you’ll use to connect to the ldaps service.
On Mac OS X (Snow Leopard), you’d have to import the CA file with the Keychain Access application.

Note that correct DNS resolution is important.
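Because the “inside” slapd.conf is read after chroot(2), every path in it is relative to /home/ldap, and a mismatch (a run directory created in the wrong place, a schema copied only outside, a certificate left in /etc/ssl of the host) only shows up when slapd fails to start. The script below is an added example, not part of the original post: it walks the directives of an “inside” slapd.conf, checks that each path exists below the chroot, that the pwd_mkdb output and group file slapd needs for -u/-g are inside, that a random device exists when TLS is configured, and flags a TLSCipherSuite string that re-enables SSLv2 or SSLv3 (as the sample configuration above does). The demo layout, file names and sample configurations it builds are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a chrooted slapd
# setup before (re)starting the daemon. It reads the "inside" slapd.conf, the
# one slapd parses after "-r CHROOT", so every path in it must exist below
# CHROOT. The chroot layout and configurations built by build_demo_chroot and
# write_broken_conf are constructed for this example.

# check_chroot_conf CHROOT CONFIG
# Print one line per problem; the return status is the number of problems
# found (0 means the layout is consistent with the configuration).
check_chroot_conf() {
    chroot=$1; conf=$2; problems=0
    tmp=$(mktemp) || return 255

    # Directives whose second word is a path that slapd resolves inside the chroot.
    awk 'tolower($1) ~ /^(include|directory|pidfile|argsfile|tlscacertificatefile|tlscertificatefile|tlscertificatekeyfile)$/ {
             print tolower($1), $2 }' "$conf" > "$tmp"

    while read -r directive path; do
        case $directive in
        directory)
            # The database directory must already exist (it also holds DB_CONFIG).
            [ -d "$chroot$path" ] ||
                { echo "$directive: missing $chroot$path"; problems=$((problems + 1)); }
            ;;
        pidfile|argsfile)
            # slapd creates these at start-up; only the parent directory must exist.
            [ -d "$chroot$(dirname "$path")" ] ||
                { echo "$directive: no directory for $chroot$path"; problems=$((problems + 1)); }
            ;;
        *)
            # Schema files and TLS material must be in place before start-up.
            [ -f "$chroot$path" ] ||
                { echo "$directive: missing $chroot$path"; problems=$((problems + 1)); }
            ;;
        esac
    done < "$tmp"
    rm -f "$tmp"

    # "-u slapd -g ldap" is resolved after chroot(2), so the pwd_mkdb -d output
    # and the group file have to live inside the chroot.
    for f in etc/pwd.db etc/group; do
        [ -f "$chroot/$f" ] ||
            { echo "missing $chroot/$f (needed for -u/-g lookup)"; problems=$((problems + 1)); }
    done

    # With TLS enabled, OpenSSL needs a random device inside the chroot, and the
    # cipher string should not re-enable SSLv2/SSLv3.
    if grep -iq '^TLSCertificateFile' "$conf"; then
        [ -c "$chroot/dev/urandom" ] || [ -c "$chroot/dev/random" ] ||
            { echo "no random device below $chroot/dev"; problems=$((problems + 1)); }
        if awk 'tolower($1) == "tlsciphersuite" { print $2 }' "$conf" | grep -Eq '(^|:)[+]?SSLv[23]'; then
            echo "TLSCipherSuite enables SSLv2/SSLv3"; problems=$((problems + 1))
        fi
    fi
    return $problems
}

# build_demo_chroot DIR
# Constructed skeleton mirroring the layout from the post (etc, data, dev,
# var/openldap/run) plus a minimal "inside" slapd.conf, so the checker can be
# exercised without root. An empty etc/pwd.db stands in for pwd_mkdb -d output.
build_demo_chroot() {
    mkdir -p "$1/etc" "$1/data" "$1/var/openldap/run" "$1/dev"
    : > "$1/etc/core.schema"
    : > "$1/etc/pwd.db"
    echo 'ldap:*:500:' > "$1/etc/group"     # constructed group line
    cat > "$1/etc/slapd.conf" <<'EOF'
include         /etc/core.schema
pidfile         /var/openldap/run/slapd.pid
argsfile        /var/openldap/run/slapd.args
directory       /data
EOF
}

# write_broken_conf DIR
# Same configuration with typical slips: pidfile/argsfile point at a run
# directory never created below the chroot, and a TLS block whose files are
# absent and whose cipher string re-enables SSLv2 (7 problems in total).
write_broken_conf() {
    cat > "$1/etc/slapd-broken.conf" <<'EOF'
include                 /etc/core.schema
pidfile                 /var/run/slapd.pid
argsfile                /var/run/slapd.args
directory               /data
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /etc/ssl/ca.example.pem
TLSCertificateFile      /etc/ssl/ldap.example.crt
TLSCertificateKeyFile   /etc/ssl/ldap.example.key
EOF
}

# On a real system, run as root outside the chroot:
#   check_chroot_conf /home/ldap /home/ldap/etc/slapd.conf
```

Run it against the “inside” file only: feeding it the “outside” slapd.conf would double the /home/ldap prefix and report every path as missing. A zero exit status means the layout matches the configuration; the exit status otherwise counts the problems printed.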

Schema modification

I extended the LDAP schema using the Courier Authentication resource:

# cd /home/ldap/etc
# ftp http://courier.cvs.sourceforge.net/viewvc/courier/libs/authlib/authldap.schema
# vi authldap.schema
attributetype ( 1.3.6.1.4.1.10018.1.1.14 NAME 'mailhost'
        DESC 'Host to which incoming POP/IMAP connections should be proxied'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# set -o braceexpand
# cp -p /usr/pkg/etc/openldap/schema/{nis,cosine,inetorgperson}.schema .
# vi /home/ldap/etc/slapd.conf
include         /etc/core.schema
include         /etc/cosine.schema
include         /etc/nis.schema
include         /etc/authldap.schema
include         /etc/inetorgperson.schema
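Hand-editing a schema file, and keeping two copies of the include set (inside and outside the chroot), makes it easy to end up with an OID defined twice, which slapd rejects at start-up. The script below is an added example, not part of the original post or of the Courier project: it extracts the OID and NAME of every attributetype and objectclass from the schema files an “inside” slapd.conf includes, resolves them below the chroot, and reports duplicated OIDs. The schema snippets it builds for the demo are constructed; only the mailhost attribute mirrors the definition quoted above.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Courier project: list
# the OIDs defined by the schema files an "inside" slapd.conf includes and
# report any OID defined twice. The schema snippets built by build_demo_schemas
# are constructed for this example.

# schema_oids FILE...
# Print "OID kind NAME file" for every attributetype/objectclass definition,
# whether written on one line or wrapped over several as in the stock files.
# (A DESC string with an unbalanced parenthesis would confuse the depth
# counter; the OpenLDAP-shipped schemas are balanced.)
schema_oids() {
    awk '
        !indef && (tolower($1) == "attributetype" || tolower($1) == "objectclass") {
            kind = tolower($1); indef = 1; depth = 0; oid = ""; name = "-"
            $1 = ""                      # keep only the definition body
        }
        indef {
            n = split($0, tok, /[ \t()]+/)
            for (i = 1; i <= n; i++) {
                if (tok[i] == "") continue
                if (oid == "") { oid = tok[i]; continue }   # first token after "("
                if (name == "-" && tok[i] == "NAME" && i < n) {
                    name = tok[i + 1]; gsub(/[^A-Za-z0-9-]/, "", name)
                }
            }
            depth += gsub(/\(/, "(") - gsub(/\)/, ")")
            if (depth <= 0) { print oid, kind, name, FILENAME; indef = 0 }
        }' "$@"
}

# duplicate_oids FILE...
# Print each OID defined more than once together with its definitions; the
# return status is the number of duplicated OIDs (0 = none).
duplicate_oids() {
    schema_oids "$@" | awk '
        { count[$1]++; where[$1] = where[$1] " " $2 ":" $3 " (" $4 ")" }
        END {
            dups = 0
            for (o in count) if (count[o] > 1) { print o where[o]; dups++ }
            exit dups
        }'
}

# check_included_schemas CHROOT CONF
# Resolve the include directives of the "inside" slapd.conf below CHROOT and
# run the duplicate check over exactly the files the chrooted slapd loads.
check_included_schemas() {
    chroot=$1; conf=$2
    set --
    for p in $(awk 'tolower($1) == "include" { print $2 }' "$conf"); do
        set -- "$@" "$chroot$p"
    done
    duplicate_oids "$@"
}

# build_demo_schemas DIR
# Constructed chroot fragment: an "inside" slapd.conf, a two-definition stand-in
# for core.schema, and an authldap.schema holding the mailhost attribute plus a
# locally added attribute that mistakenly reuses mailhost's OID.
build_demo_schemas() {
    mkdir -p "$1/etc"
    cat > "$1/etc/slapd.conf" <<'EOF'
include         /etc/core.schema
include         /etc/authldap.schema
directory       /data
EOF
    cat > "$1/etc/core.schema" <<'EOF'
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
        DESC 'common name'
        SUP name )
objectclass ( 2.5.6.6 NAME 'person'
        SUP top STRUCTURAL
        MUST ( sn $ cn ) )
EOF
    cat > "$1/etc/authldap.schema" <<'EOF'
attributetype ( 1.3.6.1.4.1.10018.1.1.14 NAME 'mailhost'
        DESC 'Host to which incoming POP/IMAP connections should be proxied'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# constructed mistake: a hand-added attribute reusing the OID above
attributetype ( 1.3.6.1.4.1.10018.1.1.14 NAME 'mailBackupHost'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
EOF
}

# Real use, outside the chroot:
#   check_included_schemas /home/ldap /home/ldap/etc/slapd.conf
```

Run it after copying or editing schema files and before restarting slapd; a nonzero exit status is the number of OIDs that clash. Since it only reads the “inside” configuration and prefixes the chroot path itself, it checks the copies slapd actually loads rather than the ones under /usr/pkg/etc/openldap.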