Chroot OpenLDAP on NetBSD

Installing an LDAP directory on NetBSD is really easy with OpenLDAP and pkgsrc, but chrooting it requires a few extra steps.

Installation

Install the NetBSD system, then add the OpenLDAP package:

# pkg_add -uu http://nyftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/openldap-server-2.4.23nb1.tgz

Configuration

Create the chroot environment where OpenLDAP will be installed:

# set -o braceexpand
# mkdir -p /home/ldap/{etc,data,dev,var}
# chown slapd:ldap /home/ldap/data
# cp -p /usr/pkg/share/examples/openldap/DB_CONFIG /home/ldap/data/
# install -d -m 0755 -o slapd -g ldap /home/ldap/var/run

Enable UID and GID identification:

# grep slapd /etc/master.passwd > /home/ldap/etc/master.passwd
# pwd_mkdb -d /home/ldap /home/ldap/etc/master.passwd
# grep ldap /etc/group > /home/ldap/etc/group

Initial schema and configuration file:

# install -p -m 0644 -o root -g wheel /usr/pkg/etc/openldap/schema/core.schema /home/ldap/etc/core.schema
# install -p -m 0640 -o slapd -g ldap /usr/pkg/etc/openldap/slapd.conf /home/ldap/etc/slapd.conf

OpenLDAP will run chrooted, but the rc.d script and the other tools (slapindex…) can’t deal with that. What I did is configure an “inside” slapd.conf (used by slapd) and an “outside” one (used by the tools). The only difference lies in the paths configured to reach the various files.

Edit the “inside” configuration file; set the administrative password and the database path:

# slappasswd
# vi /home/ldap/etc/slapd.conf
(…)
include /etc/core.schema
(…)
rootpw {SSHA}Bp1uf9a5asFQnni7NC51fjgzdmC8WFUW
(…)
directory /data

The “outside” file looks quite the same:

# diff /home/ldap/etc/slapd.conf /usr/pkg/etc/openldap/slapd.conf
3,7c3,7
< include               /etc/core.schema
< include               /etc/cosine.schema
< include               /etc/nis.schema
< include               /etc/authldap.schema
< include               /etc/inetorgperson.schema
---
> include               /home/ldap/etc/core.schema
> include               /home/ldap/etc/cosine.schema
> include               /home/ldap/etc/nis.schema
> include               /home/ldap/etc/authldap.schema
> include               /home/ldap/etc/inetorgperson.schema
9,34c9,10
< pidfile               /var/openldap/run/slapd.pid
< argsfile      /var/openldap/run/slapd.args
---
> pidfile               /home/ldap/var/openldap/run/slapd.pid
> argsfile      /home/ldap/var/openldap/run/slapd.args
41c17
< directory     /data
---
> directory     /home/ldap/data
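The inside/outside split only stays safe while the two files remain in step and every path named in the inside file really exists under the chroot (a missing schema or pidfile directory only shows up when slapd refuses to start). The POSIX shell script below is an added example and is not part of the original post: conf_drift strips the chroot prefix from the outside copy and diffs it against the inside one, and missing_in_chroot lists the include, directory, pidfile, argsfile and TLS file paths from the inside configuration that are absent under the chroot, which makes it useful again after the SSL and schema changes in the sections that follow. build_sample_chroot only builds a constructed sample tree so the script can be tried without a real installation; the function names and the sample paths are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for a chrooted
# slapd whose configuration exists twice (inside and outside the chroot).

# conf_drift INSIDE_CONF OUTSIDE_CONF CHROOT_DIR
# Strips CHROOT_DIR from the paths in the outside copy and diffs the result
# against the inside copy. Exit status 0 means the pair is in step; any other
# difference is printed as a diff so the drift is visible.
# Assumption: CHROOT_DIR contains no '#' character (used as the sed delimiter).
conf_drift() {
    inside=$1
    outside=$2
    chroot_dir=$3
    sed "s#${chroot_dir}/#/#g" "$outside" | diff "$inside" -
}

# missing_in_chroot INSIDE_CONF CHROOT_DIR
# Prints every path referenced by an include, directory, pidfile, argsfile or
# TLS*File directive of the inside configuration that does not exist once the
# chroot prefix is put in front of it. pidfile and argsfile are created by
# slapd at start-up, so only their parent directory is checked. Prints nothing
# when everything is present.
missing_in_chroot() {
    conf=$1
    chroot_dir=$2
    awk '$1 ~ /^(include|directory|pidfile|argsfile|TLS(CA)?Certificate(Key)?File)$/ { print $1, $2 }' "$conf" |
    while read -r directive path; do
        case $directive in
            pidfile|argsfile) target="$chroot_dir$(dirname "$path")" ;;
            *)                target="$chroot_dir$path" ;;
        esac
        [ -e "$target" ] || printf '%s\n' "$path"
    done
}

# build_sample_chroot DIR
# Constructed sample, not a real installation: a minimal chroot tree under
# DIR with an inside configuration (DIR/etc/slapd.conf) and its outside twin
# (DIR/slapd.conf.outside). nis.schema is deliberately left out so that
# missing_in_chroot has something to report.
build_sample_chroot() {
    root=$1
    mkdir -p "$root/etc" "$root/data" "$root/var/openldap/run"
    : > "$root/etc/core.schema"
    : > "$root/etc/cosine.schema"
    {
        printf 'include /etc/core.schema\n'
        printf 'include /etc/cosine.schema\n'
        printf 'include /etc/nis.schema\n'
        printf 'pidfile /var/openldap/run/slapd.pid\n'
        printf 'argsfile /var/openldap/run/slapd.args\n'
        printf 'directory /data\n'
    } > "$root/etc/slapd.conf"
    # The outside copy is the same file with the chroot prefix on every path.
    sed "s# /# $root/#" "$root/etc/slapd.conf" > "$root/slapd.conf.outside"
}

# Run the checks on the constructed tree: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_sample_chroot "$tmp/chroot"
    echo "drift between inside and outside copies:"
    conf_drift "$tmp/chroot/etc/slapd.conf" "$tmp/chroot/slapd.conf.outside" "$tmp/chroot" && echo "(none)"
    echo "paths missing under the chroot:"
    missing_in_chroot "$tmp/chroot/etc/slapd.conf" "$tmp/chroot"
    rm -rf "$tmp"
fi
```

On a real installation the calls would be conf_drift /home/ldap/etc/slapd.conf /usr/pkg/etc/openldap/slapd.conf /home/ldap and missing_in_chroot /home/ldap/etc/slapd.conf /home/ldap; both are worth running before every restart of slapd, since the tools that read the outside copy would otherwise keep working while the chrooted daemon silently uses stale settings.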

Edit the rc.conf and rc.local files to enable daemon autostart:

# vi /etc/rc.conf
slapd=YES
slapd_flags="-u slapd -g ldap -r /home/ldap -f /etc/slapd.conf"
# vi /etc/rc.local
[ -x /usr/pkg/share/examples/rc.d/slapd ] &&
/usr/pkg/share/examples/rc.d/slapd start

Additional tweaks

Securing with SSL

Configuring SSL requires copying the certificates to the chroot directory and modifying slapd.conf:

# mkdir /home/ldap/dev
# cd /home/ldap/dev && sh /dev/MAKEDEV random
# mkdir -p /home/ldap/etc/ssl
# cp -p ca.tumfatig.local.pem ldap.tumfatig.local.crt ldap.tumfatig.local.key /home/ldap/etc/ssl/
# chown slapd:ldap /home/ldap/etc/ssl/*
# vi /home/ldap/etc/slapd.conf
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /etc/ssl/ca.tumfatig.local.pem
TLSCertificateFile      /etc/ssl/ldap.tumfatig.local.crt
TLSCertificateKeyFile   /etc/ssl/ldap.tumfatig.local.key
# vi /etc/rc.conf
slapd_flags="-u slapd -g ldap -r /home/ldap -f /etc/slapd.conf -h 'ldaps:///'"
# /usr/pkg/share/examples/rc.d/slapd restart

The OpenLDAP tools will need a reference to the CA file:

# cat /etc/openldap/ldap.conf
TLS_CACERT /etc/openssl/certs/ca.tumfatig.local.pem

The CA file should also be installed on every computer you’ll use to connect to the ldaps service.
On Mac OS X (Snow Leopard), you’d have to import the CA file with the Keychain Access application.

Note that correct DNS resolution is important.

Schema modification

I extended the LDAP schema using the Courier Authentication resource:

# cd /home/ldap/etc
# ftp http://courier.cvs.sourceforge.net/viewvc/courier/libs/authlib/authldap.schema
# vi authldap.schema
attributetype ( 1.3.6.1.4.1.10018.1.1.14 NAME 'mailhost'
        DESC 'Host to which incoming POP/IMAP connections should be proxied'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# set -o braceexpand
# cp -p /usr/pkg/etc/openldap/schema/{nis,cosine,inetorgperson}.schema .
# vi /home/ldap/etc/slapd.conf
include         /etc/core.schema
include         /etc/cosine.schema
include         /etc/nis.schema
include         /etc/authldap.schema
include         /etc/inetorgperson.schema
