I want my OpenBSD 6.4 services to authenticate users from a remote LDAP server; namely a Synology Directory Server (DSM 6.2.x). It turns out that this is a standard OpenLDAP 2.4.x configured to accept replication in refreshAndPersist mode. So let’s configure a Master / Slave replication system between Synology and OpenBSD.
Get stuff from Synology (Master)
From the DSM instance, we’ll need extra LDAP schemas (that don’t come with OpenLDAP release on OpenBSD) and an initial dump of data:
```
root@synology:~# cd /usr/syno/etc.defaults/openldap/schema/
root@synology:/usr/syno/etc.defaults/openldap/schema/# tar cvzpf ~/syno-schemas.tar.gz apple.schema apple_auxillary.schema samba.schema syno.schema
apple.schema
apple_auxillary.schema
samba.schema
syno.schema
root@synology:~# slapcat -F /var/packages/DirectoryServer/target/etc/data/slapd.d > syno-dump.ldif
5bd85e20 [monitor.c:362] bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
```
Then, simply transfer both files to the OpenBSD server.
Configure stuff on OpenBSD (Slave)
First of all, install and enable OpenLDAP:
```
# pkg_add openldap-server-2.4.45p5
# rcctl enable slapd
# rcctl set slapd flags -h ldap://127.0.0.1
```
Then install the schema files:
```
# tar xvzpf syno-schemas.tar.gz -C /etc/openldap/schema/
apple.schema
apple_auxillary.schema
samba.schema
syno.schema
```
There is a small modification to apply to the syno.schema file:
```
# diff -U2 /etc/openldap/schema/syno.schema.orig /etc/openldap/schema/syno.schema
--- /etc/openldap/schema/syno.schema.orig	Fri Sep  7 10:56:21 2018
+++ /etc/openldap/schema/syno.schema	Tue Oct 30 15:00:13 2018
@@ -146,5 +146,5 @@
 
 attributetype ( 1.3.6.1.4.1.6574.5.2.1.25
-	NAME 'SynoExcludeCommonPwd'
+	NAME 'pwdSynoExcludeCommonPwd'
 	EQUALITY booleanMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
```
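Review bot: the hunk renames the attribute under OID 1.3.6.1.4.1.6574.5.2.1.25 from 'SynoExcludeCommonPwd' to 'pwdSynoExcludeCommonPwd' but the text around it gives no reason; state what fails without the rename (slaptest, or the slapadd of syno-dump.ldif) so that a reader on another DSM release can tell whether it still applies. Since the schema files were taken from /usr/syno/etc.defaults rather than from the running configuration under /var/packages/DirectoryServer/target/etc, it is also worth noting that the dump was produced against the running schema, which is what the renamed attribute must match.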
Configure OpenLDAP to include the Synology schemas, set the suffix and enable replication (the replication password sits in clear text in slapd.conf, so keep that file readable only by root and _openldap):
```
# vi /etc/openldap/slapd.conf
(...)
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/apple_auxillary.schema
include         /etc/openldap/schema/apple.schema
include         /etc/openldap/schema/syno.schema
(...)
suffix          "dc=synology,dc=tumfatig,dc=local"
rootdn          "uid=root,cn=users,dc=synology,dc=tumfatig,dc=local"
(...)
syncrepl rid=000
        provider=ldaps://synology.tumfatig.local
        type=refreshAndPersist
        retry="5 10 300 +"
        searchbase="dc=synology,dc=tumfatig,dc=local"
        attrs="*,+"
        bindmethod=simple
        binddn="uid=root,cn=users,dc=synology,dc=tumfatig,dc=local"
        credentials=change_me
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 250
#EOF

# doas -u _openldap slaptest -u
config file testing succeeded
```
Before starting the OpenLDAP daemon, restore the initial dump.
```
# doas -u _openldap slapadd -f /etc/openldap/slapd.conf -l syno-dump.ldif
5bd86476 hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
```
Finally, the OpenLDAP daemon can be started:
```
# rcctl start slapd
slapd(ok)
# rcctl check slapd
slapd(ok)
```
In my case, I only use the slave locally, so it only listens on localhost and without SSL. A quick search confirms that the replicated users and groups are there:
```
# ldapsearch -x -b "cn=users,dc=synology,dc=tumfatig,dc=local" -H ldap://localhost "(mail=*)" gecos
dn: uid=joe,cn=users,dc=synology,dc=tumfatig,dc=local
gecos: Joel Carnat

# ldapsearch -x -b "cn=groups,dc=synology,dc=tumfatig,dc=local" -H ldap://localhost "(member=*)" description member
dn: cn=users,cn=groups,dc=synology,dc=tumfatig,dc=local
description: Directory default group
member: uid=joe,cn=users,dc=synology,dc=tumfatig,dc=local
member: uid=tom,cn=users,dc=synology,dc=tumfatig,dc=local
(...)
```
Attributes are changed from the Synology DSM interface, and within seconds the changes are visible on the localhost slave instance.
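A check worth running after the first sync and from cron afterwards, as an added example that is not part of the original post: compare the contextCSN of the suffix entry on the provider with the one on the consumer, which is how syncrepl itself tracks what has been replicated. The suffix, host names and bind DN are those of the configuration above; that ldapsearch (openldap-client) is installed and that the bind used may read the contextCSN operational attribute are assumptions.

```shell
#!/bin/sh
# Added example: verify that the OpenBSD syncrepl consumer has caught up with
# the Synology provider by comparing contextCSN values. Names below are taken
# from the slapd.conf above; the live ldapsearch calls at the end are assumed.
SUFFIX="dc=synology,dc=tumfatig,dc=local"
PROVIDER="ldaps://synology.tumfatig.local"
CONSUMER="ldap://localhost"

# Newest contextCSN from LDIF on stdin. A suffix entry may carry one CSN per
# serverID; all share a fixed-width timestamp prefix, so a lexical sort works.
newest_csn() {
    awk '$1 == "contextCSN:" { print $2 }' | sort | tail -n 1
}

# Timestamp part of "YYYYmmddHHMMSS.uuuuuuZ#count#sid#mod" as 20 digits.
csn_time() {
    printf '%s\n' "$1" | cut -d'#' -f1 | tr -d '.Z'
}

# Exit 0 when the consumer CSN is at or beyond the provider CSN, 1 when it
# lags, 2 when either value is missing. Fixed-width digit strings are compared
# as strings, since 20 digits overflow the shell's integer arithmetic.
csn_caught_up() {
    pt=$(csn_time "$1"); ct=$(csn_time "$2")
    [ -n "$pt" ] && [ -n "$ct" ] || return 2
    [ "$(printf '%s\n%s\n' "$pt" "$ct" | sort | tail -n 1)" = "$ct" ]
}

# Compare two LDIF results (provider, consumer) passed as strings.
compare_ldif() {
    pc=$(printf '%s\n' "$1" | newest_csn)
    cc=$(printf '%s\n' "$2" | newest_csn)
    if csn_caught_up "$pc" "$cc"; then
        echo "in sync: $cc"; return 0
    fi
    echo "LAGGING: provider=$pc consumer=$cc"; return 1
}

# Live use (the provider side binds with the replication DN from slapd.conf):
#   P=$(ldapsearch -x -LLL -H "$PROVIDER" -D "uid=root,cn=users,$SUFFIX" -W \
#         -b "$SUFFIX" -s base contextCSN)
#   C=$(ldapsearch -x -LLL -H "$CONSUMER" -b "$SUFFIX" -s base contextCSN)
#   compare_ldif "$P" "$C"
```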
Every service can now use this local copy of the user database, even if OpenBSD loses its connection to the OpenLDAP master.
It should be possible to maintain an LDAP copy on the OpenBSD server using the native ldapd(8) and scheduling some ldapsearch/ldapadd commands. So far I didn’t try it…