Back to the sea ; the Lightweight Directory (LDAP), episode V

OpenBSD 4.8 ships with a home-made LDAP daemon called ldapd.
According to the man page, “ldapd does not fully work yet”; but as a basic authentication directory, it seems to work just fine.

Basics

There’s nearly nothing to do except install OpenBSD.
The daemon ships with a default configuration file and starts out of the box:

# /usr/sbin/ldapd -dv
parsing config /etc/ldapd.conf
parsing schema file '/etc/ldap/core.schema'
parsing schema file '/etc/ldap/inetorgperson.schema'
parsing schema file '/etc/ldap/nis.schema'
startup
listening on /var/run/ldapi
listening on fe80:3::1:389
listening on ::1:389
listening on 127.0.0.1:389
ldape: entering event loop

Now, let’s configure the base and admin user:

# vi /etc/ldapd.conf
namespace "dc=tumfatig,dc=net" {
        rootdn          "cn=admin,dc=tumfatig,dc=net"
        rootpw          "{SSHA}xxx"
        index           sn
        index           givenName
        index           cn
        index           mail
}

Remote connection

The only hitch is that it listens on localhost only, and there are no LDAP tools installed by default :) We can either install the openldap-client-*.tgz package or change the setup so that the directory is manageable from a remote host.

Configure ldapd to listen on the NIC:

# /etc/ldapd.conf
listen on em0

# /usr/sbin/ldapd -dv
(...)
listening on 192.168.12.144:389
listening on ::1:389
listening on 127.0.0.1:389
(...)

And connect to it:

# ldapsearch -x -H ldap://192.168.12.144 -D "cn=admin,dc=tumfatig,dc=net" -W
Enter LDAP Password:
ldap_bind: Confidentiality required (13)

On the server side, you can see:

accepted connection from 192.168.12.1 on fd 15
got request type 0, id 1
bind dn = cn=admin,dc=tumfatig,dc=net
refusing non-anonymous bind on insecure connection
sending response 1 with result 13
end-of-file on connection 15
closing connection 15

Of course, sending the admin password over the network on an unencrypted channel is… not secure :)
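The log lines above map directly onto the LDAP protocol: a BindRequest is protocol op 0 (“request type 0”), a BindResponse is op 1 (“response 1”), and result 13 is confidentialityRequired. The following Python is an added example, not from the post or from ldapd: it encodes a simple bind the way a client would put it on the wire, shows that the credential sits in it verbatim, and mimics ldapd’s policy of answering a non-anonymous bind on a plaintext connection with result 13. The `handle_bind` server stub is a constructed stand-in with no directory behind it, so it does not check the password; only the policy decision from the log is reproduced.

```python
from typing import Optional, Tuple

# LDAP result codes seen in the ldapd logs of this post (RFC 4511 names).
RESULT_CODES = {0: "success", 13: "confidentialityRequired",
                32: "noSuchObject", 49: "invalidCredentials"}


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """INTEGER for non-negative values; one extra bit keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, payload, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    # BindRequest [APPLICATION 0] { version 3, name LDAPDN, simple [0] OCTET STRING }
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, body))


def bind_response(msg_id: int, code: int, diag: str = "") -> bytes:
    # BindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }
    body = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, body))


def parse_message(buf: bytes) -> Tuple[int, int, bytes]:
    """Return (messageID, protocol op number, op payload); the op number is the
    low five bits of the APPLICATION tag, which is what ldapd prints as 'type'."""
    tag, seq, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(seq)
    op_tag, op, _ = read_tlv(seq, pos)
    return int.from_bytes(mid, "big"), op_tag & 0x1F, op


def parse_bind_request(buf: bytes) -> Tuple[int, str, Optional[str]]:
    msg_id, op, body = parse_message(buf)
    if op != 0:
        raise ValueError("not a BindRequest")
    _, _version, pos = read_tlv(body)
    _, dn, pos = read_tlv(body, pos)
    auth_tag, cred, _ = read_tlv(body, pos)
    return msg_id, dn.decode(), cred.decode() if auth_tag == 0x80 else None


def parse_bind_response(buf: bytes) -> Tuple[int, int, str]:
    msg_id, op, body = parse_message(buf)
    if op != 1:
        raise ValueError("not a BindResponse")
    _, code, _ = read_tlv(body)
    return msg_id, code[0], RESULT_CODES.get(code[0], "other")


def handle_bind(request: bytes, tls: bool) -> bytes:
    """Constructed server stub: refuse a non-anonymous bind on a plaintext
    connection with result 13, as ldapd logs above. No credential check here."""
    msg_id, dn, _ = parse_bind_request(request)
    if dn and not tls:
        return bind_response(msg_id, 13, "confidentiality required")
    return bind_response(msg_id, 0)


def password_visible(request: bytes, password: str) -> bool:
    """True when the simple-bind credential appears verbatim in the wire bytes."""
    return password.encode() in request
```

Run `password_visible(bind_request(1, "cn=admin,dc=tumfatig,dc=net", "hunter2"), "hunter2")` to see why the refusal is the right default: anything sniffing port 389 reads the password as-is, and the only thing standing between the admin credential and the network is this server-side check until TLS is configured.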

Configuring SSL

The service will be used as ldap.tumfatig.net and the SSL certificate was generated during episode IV (the Certificate Authority). So let’s configure the system and the daemon for TLS encryption:

# cp -p /etc/ssl/TMFCA/certs/ldap.tumfatig.net.crt \
  /etc/ssl/TMFCA/private/ldap.tumfatig.net.key     \
  /etc/ldap/certs/
# cp -p /etc/ssl/TMFCA/certs/localhost.crt         \
  /etc/ssl/TMFCA/private/localhost.key /etc/ldap/certs/

# vi /etc/ldapd.conf
(...)
listen on lo0 ldaps certificate localhost
listen on em0 ldaps certificate ldap.tumfatig.net
(...)
# /usr/sbin/ldapd -dv
(...)
loading certificate file /etc/ldap/certs/ldap.tumfatig.net.crt
loading key file /etc/ldap/certs/ldap.tumfatig.net.key
(...)
listening on fe80:1::20c:29ff:fe17:3948:636
ssl_setup: ssl setup finished for listener: 0x207fc0800
listening on 192.168.12.144:636
ssl_setup: ssl setup finished for listener: 0x20e9c6800
(...)

Copy the CA certificate to the client and configure the LDAP tools to use it. Then you’ll be able to talk to ldapd:

# cat ~/.ldaprc
TLS_CACERT /Users/jca/ca.tumfatig.net.pem
# ldapsearch -x -H ldaps://ldap.tumfatig.net -D "cn=admin,dc=tumfatig,dc=net" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

On the server-side:

accepted connection from 192.168.12.1 on fd 15
ssl_session_init: switching to SSL
ssl_session_accept: accepting client
ssl_session_accept: accepting client
ssl_session_accept: accepted ssl client
got request type 0, id 1
bind dn = cn=admin,dc=tumfatig,dc=net
successfully authenticated as cn=admin,dc=tumfatig,dc=net
sending response 1 with result 0
got request type 3, id 2
base dn = , scope = 2
requesting 01 access to  by cn=admin,dc=tumfatig,dc=net, in namespace global
sending response 5 with result 32
finished search on msgid 2
got request type 2, id 3
current bind dn = cn=admin,dc=tumfatig,dc=net
end-of-file on connection 15
closing connection 15

Automatic start

The LDAP daemon is started from the standard rc scripts:

# vi /etc/rc.conf.local
ldapd_flags=""
# /usr/sbin/ldapd

Schema modification

I intend to use ldapd as the backend for my application services (Mail, Web…).

Let’s extend the LDAP schema so it can be used by Postfix and friends:

# ftp -o /etc/ldap/courier.schema \
  http://courier.cvs.sourceforge.net/viewvc/courier/libs/authlib/authldap.schema

# vi /etc/ldapd.conf
(...)
schema "/etc/ldap/core.schema"
schema "/etc/ldap/nis.schema"
schema "/etc/ldap/courier.schema"
schema "/etc/ldap/inetorgperson.schema"
(...)

# diff courier.schema.orig courier.schema
78,82c78,82
< #attributetype ( 1.3.6.1.4.1.10018.1.1.14 NAME 'mailhost'
< #        DESC 'Host to which incoming POP/IMAP connections should be proxied'
< #        EQUALITY caseIgnoreIA5Match
< #        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
< #
---
> attributetype ( 1.3.6.1.4.1.10018.1.1.14 NAME 'mailhost'
>         DESC 'Host to which incoming POP/IMAP connections should be proxied'
>         EQUALITY caseIgnoreIA5Match
>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
>
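Review bot: the hunk gives no reason why lines 78-82 of courier.schema have to be uncommented; from the visible lines it is presumably because a later objectclass lists 'mailhost' among its attributes and ldapd refuses to load a schema that references an undefined attributetype, so a one-line comment above the attributetype (or in the post) quoting the error ldapd -dv printed before the change would let the next reader confirm that instead of re-deriving it. Keep courier.schema.orig next to the edited file: it was fetched over plain HTTP with no checksum, and this diff is the only record of the local change.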

Now create the LDAP tree and import/create your objects.

Filtering access

Various tasks

Filling the directory

Create an LDIF file:

# vi tmf.ldif
# TuM'Fatig LDAP Tree
#
dn: dc=tumfatig,dc=net
objectClass: top
objectClass: domain
dc: tumfatig

dn: ou=users,dc=tumfatig,dc=net
objectClass: top
objectClass: organizationalUnit
description: Utilisateurs
ou: users

dn: ou=alias,dc=tumfatig,dc=net
objectClass: top
objectClass: organizationalUnit
description: Aliases
ou: alias

# Users
#
dn: uid=jca,ou=users,dc=tumfatig,dc=net
objectClass: top
objectClass: CourierMailAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Joel Carnat
givenName: Joel
homeDirectory: /home/vmail
mail: joel@carnat.net
mailbox: jca/
sn: Carnat
uid: jca
userPassword: {SSHA}...

# E-mail aliases
#
dn: mail=jca@tumfatig.net,ou=alias,dc=tumfatig,dc=net
objectClass: top
objectClass: CourierMailAlias
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Joel Carnat
givenName: Joel
mail: jca@tumfatig.net
maildrop: joel@carnat.net
sn: Carnat

And import the data:

# ldapadd -x -H ldaps://ldap.tumfatig.net -D "cn=admin,dc=tumfatig,dc=net" -W -f tmf.ldif
Enter LDAP Password:
adding new entry "dc=tumfatig,dc=net"

adding new entry "ou=users,dc=tumfatig,dc=net"

adding new entry "ou=alias,dc=tumfatig,dc=net"

adding new entry "uid=jca,ou=users,dc=tumfatig,dc=net"

adding new entry "mail=jca@tumfatig.net,ou=alias,dc=tumfatig,dc=net"

Pretty easy and standard, huh :)
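ldapadd processes the file top to bottom, so every entry’s parent must already exist (either earlier in the file or as the namespace suffix), the RDN must be backed by a matching attribute, and a userPassword should never go in as clear text. The Python below is an added example, not part of the post, that checks an LDIF file for these three mistakes before it reaches the server. The embedded sample is a trimmed copy of the post’s tmf.ldif plus one deliberately broken entry; the parser is minimal and assumes no LDIF line continuations, base64 (`::`) values or escaped commas in DNs, which holds for the file above.

```python
from typing import Dict, List, Tuple

# Trimmed copy of the post's tmf.ldif (password elided there as well).
SAMPLE_LDIF = """\
# TuM'Fatig LDAP Tree
dn: dc=tumfatig,dc=net
objectClass: top
objectClass: domain
dc: tumfatig

dn: ou=users,dc=tumfatig,dc=net
objectClass: top
objectClass: organizationalUnit
ou: users

dn: uid=jca,ou=users,dc=tumfatig,dc=net
objectClass: inetOrgPerson
objectClass: CourierMailAccount
cn: Joel Carnat
sn: Carnat
uid: jca
mail: joel@carnat.net
userPassword: {SSHA}...
"""

# Constructed bad entry: parent never defined, RDN value differs from the uid
# attribute, password in clear text.
BROKEN_LDIF = """\
dn: uid=bob,ou=staff,dc=tumfatig,dc=net
objectClass: inetOrgPerson
uid: robert
userPassword: hunter2
"""

Entry = Tuple[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into (dn, {attr: [values]}) records; attribute names are
    lower-cased because LDAP treats them case-insensitively."""
    entries: List[Entry] = []
    dn, attrs = None, {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def check_ldif(text: str, suffix: str) -> List[str]:
    """Return human-readable problems; an empty list means the file is safe to ldapadd."""
    problems: List[str] = []
    seen = set()
    for dn, attrs in parse_ldif(text):
        rdn, _, parent = dn.partition(",")  # naive split: fine without escaped commas
        if dn.lower() != suffix.lower() and parent.lower() not in seen:
            problems.append(f"{dn}: parent '{parent}' not defined earlier "
                            "(ldapadd would fail with noSuchObject)")
        rattr, _, rval = rdn.partition("=")
        if rval not in attrs.get(rattr.lower(), []):
            problems.append(f"{dn}: RDN '{rdn}' has no matching '{rattr}: {rval}' attribute")
        for pw in attrs.get("userpassword", []):
            if not pw.startswith("{"):  # {SSHA}, {SHA}, {CRYPT}... carry a scheme prefix
                problems.append(f"{dn}: userPassword stored in clear text")
        seen.add(dn.lower())
    return problems


if __name__ == "__main__":
    for p in check_ldif(SAMPLE_LDIF + "\n" + BROKEN_LDIF, "dc=tumfatig,dc=net"):
        print(p)
```

Run it against the real file before calling ldapadd; the ordering check in particular catches the case where a later entry is pasted above its organizational unit, which otherwise only shows up as a cryptic `result: 32 No such object` half-way through the import.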

Indexes

ldapd answers searches faster when the attributes it hosts are indexed, so rebuild the indexes after importing data:

# ldapctl index
Password:
indexing namespace dc=tumfatig,dc=net

Statistics

You can get stats from your LDAP daemon:

# ldapctl stats
start time: Tue Jan 4 17:41:43 2011
requests: 35
search requests: 9
bind requests: 5
modify requests: 17
timeouts: 0
unindexed searches: 0
active connections: 0
active searches: 0

suffix: dc=tumfatig,dc=net
data timestamp: Tue Jan 4 17:43:44 2011
data page size: 16384
data depth: 1
data revisions: 26
data entries: 10
data branch/leaf/overflow pages: 0/1/0
data cache size: 27 of 1024 (2.6% full)
data page reads: 2
data cache hits: 40 (95.2%)
indx timestamp: Tue Jan 4 17:43:44 2011
indx page size: 16384
indx depth: 1
indx revisions: 21
indx entries: 40
indx branch/leaf/overflow pages: 0/1/0
indx cache size: 18 of 512 (3.5% full)
indx page reads: 2
indx cache hits: 63 (96.9%)

That’s All Folks!