Secure OpenLDAP Server With Kerberos Authentication
There are some things we need to set up prior to installing and configuring OpenLDAP.
You will need a working KDC somewhere in your domain. You also need to have the server configured as a Kerberos client (/etc/krb5.conf) and be able to kinit without issue.
There are two principals that you will need in your /etc/krb5.keytab:
If you do not already have this working, see my guide on how to set it up.
You need the following for our setup:
krb5-server-ldap (for the Kerberos schema)
You will need SSL certificates matching the hostname you intend your LDAP server to listen on (ldap.example.com is different from server.example.com). Procure these from your PKI administrator. I place mine in the default directories as shown:
Server Public Key - /etc/pki/tls/certs/slapd.pem
Server Private Key - /etc/pki/tls/private/slapd.pem
CA Certificate - /etc/pki/tls/cert.pem
The LDAP user needs to be able to read the private key and keytab you configured earlier. Ensure that it can.
We will be re-creating ldap.conf later on with the settings that we want.
Copy /usr/share/doc/krb5-server-ldap-1.9/kerberos.schema into your schema directory (default: /etc/openldap/schema). This contains all of the definitions for Kerberos-related attributes.
Decide where you want your data directory to be. By default this is /var/lib/ldap. Copy the standard DB_CONFIG file into that directory from /usr/share/openldap-servers/DB_CONFIG.example. This contains optimization information about the structure of the database.
Some systems require you to explicitly enable LDAPS listening. On Red Hat Enterprise Linux-based distributions, this is done by changing SLAPD_LDAPS to YES in /etc/sysconfig/ldap.
Create a /etc/openldap/slapd.conf to configure your server. You can grab a copy of my basic configuration file here.
# Include base schema files provided by the openldap-servers package.
# Site-specific schema and ACL includes. These are either third-party or custom.
# Daemon files needed for the running of the daemon
# Limit SASL options to only GSSAPI and not other client-favorites. Apparently there is an issue where
# clients will default to non-working SASL mechanisms and will make you angry.
# SASL connection information. The realm should be your Kerberos realm as configured for the system. The
# host should be the LEGITIMATE hostname of this server
# SSL certificate file paths
# Rewrite certain SASL bind DNs to more readable ones. Otherwise you bind as some crazy default
# that ends up in a different base than your actual one. This uses regex to rewrite that weird
# DN and make it become one that you can put within your suffix.
authz-regexp "^uid=[^,/]+/admin,cn=example\.com,cn=gssapi,cn=auth" "cn=ldaproot,dc=example,dc=com"
authz-regexp "^uid=host/([^,]+)\.example\.com,cn=example\.com,cn=gssapi,cn=auth" "cn=$1,ou=hosts,dc=example,dc=com"
authz-regexp "^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth" "uid=$1,ou=users,dc=example,dc=com"
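The three authz-regexp rules above are applied by slapd in file order, first match wins, so the /admin and host/ rules must sit before the catch-all user rule. This added example (my own code, not from the original post) models that rewriting in Python so you can check which directory DN a given principal will bind as; the principal names are constructed, and it assumes slapd matches these patterns case-insensitively, which is why the lowercase cn=example\.com still matches the EXAMPLE.COM realm.

```python
import re

# The three authz-regexp rules from the slapd.conf above, in file order.
# slapd stops at the first pattern that matches, so order is significant.
AUTHZ_REGEXP = [
    (r"^uid=[^,/]+/admin,cn=example\.com,cn=gssapi,cn=auth",
     "cn=ldaproot,dc=example,dc=com"),
    (r"^uid=host/([^,]+)\.example\.com,cn=example\.com,cn=gssapi,cn=auth",
     "cn=$1,ou=hosts,dc=example,dc=com"),
    (r"^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth",
     "uid=$1,ou=users,dc=example,dc=com"),
]


def sasl_authz_dn(principal: str) -> str:
    """DN slapd derives from a GSSAPI principal user@REALM before any
    rewriting: uid=<user>,cn=<realm>,cn=gssapi,cn=auth."""
    user, realm = principal.split("@", 1)
    return f"uid={user},cn={realm},cn=gssapi,cn=auth"


def rewrite_authz_dn(dn: str, rules=AUTHZ_REGEXP) -> str:
    """Apply the rules the way slapd does: the first matching pattern's
    replacement (with $N back-references filled in) becomes the whole
    result. A DN matching no rule is left untouched, so it will not map
    onto an entry under your suffix. Matching is case-insensitive
    (assumption: same as slapd), so cn=EXAMPLE.COM matches cn=example\\.com."""
    for pattern, replacement in rules:
        match = re.match(pattern, dn, re.IGNORECASE)
        if match:
            # slapd writes $1, $2, ...; Python's expand() wants \1, \2, ...
            return match.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    return dn


def map_principal(principal: str, rules=AUTHZ_REGEXP) -> str:
    """Principal -> SASL authz DN -> rewritten directory DN."""
    return rewrite_authz_dn(sasl_authz_dn(principal), rules)


if __name__ == "__main__":
    # Constructed principals covering each rule plus a foreign realm.
    for p in ("alice@EXAMPLE.COM", "alice/admin@EXAMPLE.COM",
              "host/ldap.example.com@EXAMPLE.COM", "bob@OTHER.COM"):
        print(f"{p:36} -> {map_principal(p)}")
    # With the rules reversed, the catch-all user rule swallows alice/admin
    # and she binds as an ordinary entry in ou=users instead of cn=ldaproot.
    print(map_principal("alice/admin@EXAMPLE.COM", AUTHZ_REGEXP[::-1]))
```

The reversed-rules line at the end shows why the order in slapd.conf matters: a misordered catch-all silently maps admin and host principals into ou=users.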
# Actual LDAP database for things you want
# Indices for the database. These are used to improve performance of the database
index entryCSN eq
index entryUUID eq
index objectClass eq,pres
index ou,cn,mail eq,pres,sub,approx
index uidNumber,gidNumber,loginShell eq,pres
# Configuration database
# Monitoring database
To generate a password for your directory and hash it, you can use the slappasswd utility. See my guide on LDAP utilities for details. After that you should be all set. Start the slapd service, but don't query it yet.
The /etc/openldap/ldap.conf file holds the system-wide default LDAP connection settings. This way you do not have to specify the host and protocol each time you want to run a command. Make it now.
# OpenLDAP client configuration file. Used for host default settings
Right now you should have a running server, but with no data in it. I created a simple example setup file to get a basic tree set up. At this point you need to architect how you want your directory to be organized. You may choose to follow this or choose your own.