Chroot OpenLDAP on NetBSD

Installing an LDAP directory on NetBSD is really easy with OpenLDAP and pkgsrc. But chrooting it requires a few extra steps.


Install the NetBSD system, then add the OpenLDAP package:

# pkg_add -uu


Create the chroot environment where OpenLDAP will be installed:

# set -o braceexpand
# mkdir -p /home/ldap/{etc,data,dev}
# chown slapd:ldap /home/ldap/data
# cp -p /usr/pkg/share/examples/openldap/DB_CONFIG /home/ldap/data/
# install -d -m 0755 -o slapd -g ldap /home/ldap/var/run

Copy the slapd user and ldap group entries so that UIDs and GIDs resolve inside the chroot:

# grep slapd /etc/master.passwd > /home/ldap/etc/master.passwd
# pwd_mkdb -d /home/ldap /home/ldap/etc/master.passwd
# grep ldap /etc/group > /home/ldap/etc/group

Initial schema and configuration file:

# install -p -m 0644 -o root -g wheel /usr/pkg/etc/openldap/schema/core.schema /home/ldap/etc/core.schema
# install -p -m 0640 -o slapd -g ldap /usr/pkg/etc/openldap/slapd.conf /home/ldap/etc/slapd.conf

OpenLDAP will run chrooted but the rc.d file and other tools (slapindex…) can’t deal with it. What I did is configure an “inside” slapd.conf (used from slapd) and an “outside” one (used by the tools). The only difference lies in the path configured to access the various files.

Edit the “inside” configuration file; set the administrative password and the database path:

# slappasswd
# vi /home/ldap/etc/slapd.conf
include /etc/core.schema
rootpw {SSHA}Bp1uf9a5asFQnni7NC51fjgzdmC8WFUW
directory /data

The “outside” file looks quite the same:

# diff /home/ldap/etc/slapd.conf /usr/pkg/etc/openldap/slapd.conf
< include               /etc/core.schema
< include               /etc/cosine.schema
< include               /etc/nis.schema
< include               /etc/authldap.schema
< include               /etc/inetorgperson.schema
> include               /home/ldap/etc/core.schema
> include               /home/ldap/etc/cosine.schema
> include               /home/ldap/etc/nis.schema
> include               /home/ldap/etc/authldap.schema
> include               /home/ldap/etc/inetorgperson.schema
< pidfile               /var/openldap/run/
< argsfile      /var/openldap/run/slapd.args
> pidfile               /home/ldap/var/openldap/run/
> argsfile      /home/ldap/var/openldap/run/slapd.args
< directory     /data
> directory     /home/ldap/data
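Keeping the two files in step by hand is error-prone: every schema include or TLS directive added later to the “inside” file has to be mirrored in the “outside” one with the chroot prefix. The script below is an added example, not code from the original post, that derives the outside configuration from the inside one by prepending the chroot path to every path-carrying directive and leaving all other lines (rootpw, suffix, comments) untouched. The list of directives, the CHROOT default and the sample configuration are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: derive the "outside"
# slapd.conf (read by the rc.d script, slapindex, slapcat...) from the "inside"
# one that slapd reads after chroot(2), so that the two files differ only in the
# chroot prefix. The list of path-carrying directives and the CHROOT default
# are assumptions of this example.

CHROOT=${CHROOT:-/home/ldap}

# outside_conf INSIDE_CONF CHROOT
# Copies INSIDE_CONF to stdout, prepending CHROOT to the absolute path that
# follows each path directive. Every other line (rootpw, suffix, comments...)
# passes through unchanged, so the two files stay in sync when schema includes
# or TLS settings are added later.
outside_conf() {
    awk -v root="$2" '
        BEGIN {
            n = split("include pidfile argsfile directory TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile", d, " ")
            for (i = 1; i <= n; i++) isdir[tolower(d[i])] = 1
        }
        (tolower($1) in isdir) && ($2 ~ /^\//) {
            # "&" is the matched text, i.e. the first absolute path on the line
            sub(/\/[^ \t]*/, root "&")
            print
            next
        }
        { print }
    ' "$1"
}

# Constructed sample mirroring the directives the post shows (the pid file
# name and the rootpw value are placeholders, not real values).
sample_inside_conf() {
    printf '%s\n' \
        'include         /etc/core.schema' \
        'include         /etc/cosine.schema' \
        'pidfile         /var/openldap/run/slapd.pid' \
        'argsfile        /var/openldap/run/slapd.args' \
        'database        bdb' \
        'suffix          "dc=example,dc=local"' \
        'rootdn          "cn=Manager,dc=example,dc=local"' \
        'rootpw          {SSHA}PLACEHOLDER/HASH+FROM+slappasswd' \
        'directory       /data' \
        'TLSCertificateKeyFile /etc/ssl/ldap.example.local.key'
}

# Usage: sh outside-conf.sh --demo   (prints the derived outside configuration)
# Real use (assumed paths, as in the post):
#   outside_conf /home/ldap/etc/slapd.conf /home/ldap > /usr/pkg/etc/openldap/slapd.conf
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    sample_inside_conf > "$tmp/slapd.conf"
    outside_conf "$tmp/slapd.conf" "$CHROOT"
    rm -rf "$tmp"
fi
```

Run the real command after every edit of the inside file; a `diff` of the two files should then show exactly the path lines and nothing else, as in the output above.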

Edit the rc.conf and rc.local files to enable daemon autostart:

# vi /etc/rc.conf
slapd_flags="-u slapd -g ldap -r /home/ldap -f /etc/slapd.conf"
# vi /etc/rc.local
[ -x /usr/pkg/share/examples/rc.d/slapd ] &&
/usr/pkg/share/examples/rc.d/slapd start

Additional tweaks

Securing with SSL

Configuring SSL requires copying the certificates to the chroot directory and modifying slapd.conf:

# mkdir /home/ldap/dev
# cd /home/ldap/dev && sh /dev/MAKEDEV random
# mkdir -p /home/ldap/etc/ssl
# cp -p ca.tumfatig.local.pem ldap.tumfatig.local.crt ldap.tumfatig.local.key /home/ldap/etc/ssl/
# chown slapd:ldap /home/ldap/etc/ssl/*
# vi /home/ldap/etc/slapd.conf
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /etc/ssl/ca.tumfatig.local.pem
TLSCertificateFile      /etc/ssl/ldap.tumfatig.local.crt
TLSCertificateKeyFile   /etc/ssl/ldap.tumfatig.local.key
# vi /etc/rc.conf
slapd_flags="-u slapd -g ldap -r /home/ldap -f /etc/slapd.conf -h 'ldaps:///'"
# /usr/pkg/share/examples/rc.d/slapd restart

The OpenLDAP client tools need a reference to the CA file:

# cat /etc/openldap/ldap.conf
TLS_CACERT /etc/openssl/certs/ca.tumfatig.local.pem
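Because the paths in the chrooted slapd.conf are relative to the chroot, it is easy to end up with a certificate the daemon cannot find, a private key that `cp -p` left world-readable, or a cipher string that still references SSLv2. The script below is an added example, not code from the original post: it audits the TLS directives of a chrooted slapd.conf, resolving each file at CHROOT/path, and shows the post's cipher string beside a stricter one. The checks, the stricter cipher string and the constructed sample chroot are this example's assumptions, not OpenLDAP policy; the directive names are the real slapd.conf ones.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the TLS settings of a
# chrooted slapd.conf. Paths in the file are chroot-relative, so every
# certificate path is checked at CHROOT/path. The checks below are this
# example's assumptions, not OpenLDAP policy.

# audit_tls_conf CONF CHROOT
# Prints one finding per line; prints nothing when every check passes.
audit_tls_conf() {
    conf=$1; root=$2

    # 1. Cipher string: flag SSLv2/SSLv3/LOW/EXPORT/NULL tokens that are not
    #    explicitly excluded with "!". The post's HIGH:MEDIUM:+SSLv2 only
    #    reorders SSLv2 ciphers; it does not exclude them.
    suite=$(awk 'tolower($1) == "tlsciphersuite" { print $2 }' "$conf")
    [ -z "$suite" ] && echo "TLSCipherSuite: not set (library default applies)"
    old_ifs=$IFS; IFS=:
    for tok in $suite; do
        case $tok in
            '!'*) ;;                      # explicitly excluded: fine
            *SSLv2*|*SSLv3*|*LOW*|*EXPORT*|*NULL*)
                echo "TLSCipherSuite: weak token '$tok' is not excluded" ;;
        esac
    done
    IFS=$old_ifs

    # 2. Certificate files must exist inside the chroot, and the private key
    #    must not be readable by "other". ls(1) output is parsed instead of
    #    stat(1) because stat's flags differ between BSD and GNU.
    for directive in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
        path=$(awk -v d="$directive" 'tolower($1) == tolower(d) { print $2 }' "$conf")
        [ -z "$path" ] && { echo "$directive: not set"; continue; }
        f="$root$path"
        [ -f "$f" ] || { echo "$directive: $f missing inside chroot"; continue; }
        if [ "$directive" = TLSCertificateKeyFile ]; then
            other=$(ls -l "$f" | cut -c8-10)   # columns 8-10: "other" rwx bits
            case $other in
                ---) ;;
                *) echo "$directive: $f is readable by other ($other)" ;;
            esac
        fi
    done
    return 0
}

# finding_count CONF CHROOT -> number of findings (0 means clean)
finding_count() {
    audit_tls_conf "$1" "$2" | awk 'END { print NR }'
}

# --- Constructed demo data: a throwaway chroot with empty certificate files ---
demo_chroot() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssl"
    for n in ca.example.pem ldap.example.crt ldap.example.key; do
        : > "$root/etc/ssl/$n"
    done
    chmod 0644 "$root/etc/ssl/ldap.example.key"   # too permissive, on purpose
    echo "$root"
}

# The post's setting (paths renamed to placeholders)
weak_conf() {
    printf '%s\n' \
        'TLSCipherSuite          HIGH:MEDIUM:+SSLv2' \
        'TLSCACertificateFile    /etc/ssl/ca.example.pem' \
        'TLSCertificateFile      /etc/ssl/ldap.example.crt' \
        'TLSCertificateKeyFile   /etc/ssl/ldap.example.key'
}

# A stricter cipher string (an illustration, not a recommendation for every site)
hardened_conf() {
    printf '%s\n' \
        'TLSCipherSuite          HIGH:!aNULL:!eNULL:!SSLv2:!SSLv3:!LOW:!EXPORT' \
        'TLSCACertificateFile    /etc/ssl/ca.example.pem' \
        'TLSCertificateFile      /etc/ssl/ldap.example.crt' \
        'TLSCertificateKeyFile   /etc/ssl/ldap.example.key'
}

# Usage: sh tls-audit.sh --demo
# Real use (assumed paths, as in the post): audit_tls_conf /home/ldap/etc/slapd.conf /home/ldap
if [ "${1:-}" = "--demo" ]; then
    root=$(demo_chroot)
    weak_conf > "$root/etc/slapd.conf"
    echo "== weak =="; audit_tls_conf "$root/etc/slapd.conf" "$root"
    hardened_conf > "$root/etc/slapd.conf"
    chmod 0640 "$root/etc/ssl/ldap.example.key"
    echo "== hardened =="; audit_tls_conf "$root/etc/slapd.conf" "$root"
    rm -rf "$root"
fi
```

On the post's configuration the audit reports two findings (the `+SSLv2` token and the key file permissions); after the cipher change and `chmod 0640` on the key it reports none.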

The CA file should also be installed on every computer you’ll use to connect to the ldaps service.
On Mac OS X (Snow Leopard), you’d have to import the CA file with the Keychain Access application.

Note that correct DNS resolution is important.

Schema modification

I extended the LDAP schema using the Courier Authentication resource:

# cd /home/ldap/etc
# ftp
# vi authldap.schema
attributetype ( NAME 'mailhost'
        DESC 'Host to which incoming POP/IMAP connections should be proxied'
        EQUALITY caseIgnoreIA5Match
        SYNTAX{256} )
# set -o braceexpand
# cp -p /usr/pkg/etc/openldap/schema/{nis,cosine,inetorgperson}.schema .
# vi /home/ldap/etc/slapd.conf
include         /etc/core.schema
include         /etc/cosine.schema
include         /etc/nis.schema
include         /etc/authldap.schema
include         /etc/inetorgperson.schema

Author: Joel Carnat

@work Technical Architect and SysAdmin ; @home OpenBSD and FOSS, Karate, Kobudō, Jōdō, Bodyweight workout, Photography & Music
