Back to the sea ; the Lightweight Directory (LDAP), episode V

OpenBSD 4.8 ships with a home-made LDAP daemon called ldapd.
According to the man page, “ldapd does not fully work yet” ; but for basic authentication directory, it seems to work just fine.

Basics

There’s nearly nothing to do except install OpenBSD.
The daemon comes configured with a default configuration file:

# /usr/sbin/ldapd -dv
parsing config /etc/ldapd.conf
parsing schema file '/etc/ldap/core.schema'
parsing schema file '/etc/ldap/inetorgperson.schema'
parsing schema file '/etc/ldap/nis.schema'
startup
listening on /var/run/ldapi
listening on fe80:3::1:389
listening on ::1:389
listening on 127.0.0.1:389
ldape: entering event loop

Now, let’s configure the base and admin user:

# vi /etc/ldapd.conf
namespace "dc=tumfatig,dc=net" {
        rootdn          "cn=admin,dc=tumfatig,dc=net"
        rootpw          "{SSHA}xxx"
        index           sn
        index           givenName
        index           cn
        index           mail
}

Remote connexion

The only twitch is that it listens on localhost and there are no ldap tools installed by default 🙂
We can either install the openldap-client-*.tgz package or modify the installation so that it’s manageable from a remote location.

Configure ldapd to listen on the NIC:

# /etc/ldapd.conf
listen on em0
# /usr/sbin/ldapd -dv
(…)
listening on 192.168.12.144:389
listening on ::1:389
listening on 127.0.0.1:389
(…)

And connect to it:

# ldapsearch -x -H ldap://192.168.12.144 -D "cn=admin,dc=tumfatig,dc=net" -W
Enter LDAP Password:
ldap_bind: Confidentiality required (13)

On the server-side, your can see
accepted connection from 192.168.12.1 on fd 15
got request type 0, id 1
bind dn = cn=admin,dc=tumfatig,dc=net
refusing non-anonymous bind on insecure connection
sending response 1 with result 13
end-of-file on connection 15
closing connection 15

Of course, send the admin password on the network via an unsecured channel is… not secure 🙂

Configuring SSL

The service will be used as ldap.tumfatig.net and the SSL certificate was generated during episode IV (the Certificate Authority). So let’s configure the system and the daemon for TLS encryption:

# cp -p /etc/ssl/TMFCA/certs/ldap.tumfatig.net.crt /etc/ssl/TMFCA/private/ldap.tumfatig.net.key /etc/ldap/certs/
# cp -p /etc/ssl/TMFCA/certs/localhost.crt /etc/ssl/TMFCA/private/localhost.key /etc/ldap/certs/
# vi /etc/ldapd.conf
(...)
listen on lo0 ldaps certificate localhost
listen on em0 ldaps certificate ldap.tumfatig.net
(...)
# /usr/sbin/ldapd -dv
(...)
loading certificate file /etc/ldap/certs/ldap.tumfatig.net.crt
loading key file /etc/ldap/certs/ldap.tumfatig.net.key
(...)
listening on fe80:1::20c:29ff:fe17:3948:636
ssl_setup: ssl setup finished for listener: 0x207fc0800
listening on 192.168.12.144:636
ssl_setup: ssl setup finished for listener: 0x20e9c6800
(...)

Copy the CA certificate and configure LDAP tools to use it. Then, you’ll be able to communicate with ldapd:

# cat ~/.ldaprc
TLS_CACERT /Users/ptijo/ca.tumfatig.net.pem
# ldapsearch -x -H ldaps://ldap.tumfatig.net -D "cn=admin,dc=tumfatig,dc=net" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

On the server-side:

accepted connection from 192.168.12.1 on fd 15
ssl_session_init: switching to SSL
ssl_session_accept: accepting client
ssl_session_accept: accepting client
ssl_session_accept: accepted ssl client
got request type 0, id 1
bind dn = cn=admin,dc=tumfatig,dc=net
successfully authenticated as cn=admin,dc=tumfatig,dc=net
sending response 1 with result 0
got request type 3, id 2
base dn = , scope = 2
requesting 01 access to  by cn=admin,dc=tumfatig,dc=net, in namespace global
sending response 5 with result 32
finished search on msgid 2
got request type 2, id 3
current bind dn = cn=admin,dc=tumfatig,dc=net
end-of-file on connection 15
closing connection 15

Automatic start

The LDAP daemon is started from the standard rc scripts:

# vi /etc/rc.conf.local
ldapd_flags=""
# /usr/sbin/ldapd

Schema modification

I aim to use ldapd to store my application services (Mail, Web…).

Let’s enhanced the LDAP schema to be used by Postfix and friends:

# ftp -o /etc/ldap/courier.schema http://courier.cvs.sourceforge.net/viewvc/courier/libs/authlib/authldap.schema
# vi /etc/ldapd.conf
(...)
schema "/etc/ldap/core.schema"
schema "/etc/ldap/nis.schema"
schema "/etc/ldap/courier.schema"
schema "/etc/ldap/inetorgperson.schema"
(...)
# diff courier.schema.orig courier.schema
78,82c78,82
< #attributetype ( 1.3.6.1.4.1.10018.1.1.14 NAME 'mailhost'
< #        DESC 'Host to which incoming POP/IMAP connections should be proxied'
< #        EQUALITY caseIgnoreIA5Match
< #        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
< #
---
> attributetype ( 1.3.6.1.4.1.10018.1.1.14 NAME 'mailhost'
>         DESC 'Host to which incoming POP/IMAP connections should be proxied'
>         EQUALITY caseIgnoreIA5Match
>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
>

Now create the LDAP tree and import/create you objects.

Filtering access

Various tasks

Filling the directory

Create a LDIF file:

# vi tmf.ldif
# TuM'Fatig LDAP Tree
#
dn: dc=tumfatig,dc=net
objectClass: top
objectClass: domain
dc: tumfatig

dn: ou=users,dc=tumfatig,dc=net
objectClass: top
objectClass: organizationalUnit
description: Utilisateurs
ou: users

dn: ou=alias,dc=tumfatig,dc=net
objectClass: top
objectClass: organizationalUnit
description: Aliases
ou: alias

# Users
#
dn: uid=ptijo,ou=users,dc=tumfatig,dc=net
objectClass: top
objectClass: CourierMailAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Joel Carnat
givenName: Joel
homeDirectory: /home/vmail
mail: joel@carnat.net
mailbox: ptijo/
sn: Carnat
uid: ptijo
userPassword: {SSHA}...

# E-mail aliases
#
dn: mail=ptijo@tumfatig.net,ou=alias,dc=tumfatig,dc=net
objectClass: top
objectClass: CourierMailAlias
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Joel Carnat
givenName: Joel
mail: ptijo@tumfatig.net
maildrop: joel@carnat.net
sn: Carnat

And import the data:

# ldapadd -x -H ldaps://ldap.tumfatig.net -D "cn=admin,dc=tumfatig,dc=net" -W -f tmf.ldif
Enter LDAP Password:
adding new entry "dc=tumfatig,dc=net"

adding new entry "ou=users,dc=tumfatig,dc=net"

adding new entry "ou=alias,dc=tumfatig,dc=net"

adding new entry "uid=ptijo,ou=users,dc=tumfatig,dc=net"

adding new entry "mail=ptijo@tumfatig.net,ou=alias,dc=tumfatig,dc=net"

Pretty easy and standard, huh 🙂

Indexes

LDAP makes faster replies if it has indexes of objects it hosts:

# ldapctl index
Password:
indexing namespace dc=tumfatig,dc=net

Statistics

You can get stats from your LDAP daemon:

# ldapctl stats
start time: Tue Jan 4 17:41:43 2011
requests: 35
search requests: 9
bind requests: 5
modify requests: 17
timeouts: 0
unindexed searches: 0
active connections: 0
active searches: 0

suffix: dc=tumfatig,dc=net
data timestamp: Tue Jan 4 17:43:44 2011
data page size: 16384
data depth: 1
data revisions: 26
data entries: 10
data branch/leaf/overflow pages: 0/1/0
data cache size: 27 of 1024 (2.6% full)
data page reads: 2
data cache hits: 40 (95.2%)
indx timestamp: Tue Jan 4 17:43:44 2011
indx page size: 16384
indx depth: 1
indx revisions: 21
indx entries: 40
indx branch/leaf/overflow pages: 0/1/0
indx cache size: 18 of 512 (3.5% full)
indx page reads: 2
indx cache hits: 63 (96.9%)

That’s All Folks!

2 Comments

  • John Fri, 29 Nov 2013 00:36:30 +0000 Reply

    Thanks for the guide, I seem to run into trouble getting ldapsearch to bind properly… I have an almost identical configuration but when I run:

    ldapsearch -vv -x -H ldaps://10.0.2.13 -D “cn=admin,dc=oxygen16,dc=com” -W

    I get:

    Enter LDAP Password:
    ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)

    Haven’t had much time to poke around with it but it seems like something is awry. The daemon output is:

    Nov 28 16:24:31.828 [8298] accepted connection from 10.0.2.5 on fd 14
    Nov 28 16:24:31.828 [8298] ssl_session_init: switching to SSL
    Nov 28 16:24:31.894 [8298] ssl_session_accept: accepting client
    Nov 28 16:24:31.902 [8298] ssl_session_accept: accepting client
    Nov 28 16:24:31.902 [8298] closing connection 14

    ldapd.conf:

    schema “/etc/ldap/core.schema”
    schema “/etc/ldap/inetorgperson.schema”
    schema “/etc/ldap/nis.schema”

    listen on lo0 ldaps certificate ldapd
    listen on em0 ldaps certificate ldapd
    listen on “/var/run/ldapi”

    namespace “dc=oxygen16,dc=com” {
    rootdn “cn=admin,dc=oxygen16,dc=com”
    rootpw “ldapsupersecret”
    index sn
    index givenName
    index cn
    index mail
    }

    I generated my certs as described in starttls(8).

    *shrug*

    • Joel Carnat Fri, 20 Dec 2013 09:27:06 +0000 Reply Author

      Maybe the CA is not referenced in ldap.conf and used by ldaptools.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

%d bloggers like this: