CentOS 7 - OpenLDAP - Multi-Master with TLS

Install OpenLDAP on CentOS 7 with memberOf overlay, install fusiondirectory, configure TLS and Multi-master.

Prerequisite

Check your DNS:

Both oldap1.k.local and oldap2.k.local must resolve from each server (and the two hosts must reach each other on port 636). The certificates created below are issued for exactly these names and the syncrepl provider URL uses them, so the DNS names must match what the certificates say or TLS verification between the masters will fail.

1 - Configure certificate

You can use the same documentation for Debian : https://documentation.fusiondirectory.org/en/documentation/tls_support

Certificate creation

Install TLS utilities:

# certtool (from gnutls-utils) is used below to create the private CA and the server keys/certificates.
yum install gnutls-utils -y

First step: create a CA (certificate authority) which will create and sign (authenticate) certificates. Keep its private key (ca_key.pem) strictly protected: anyone holding it can issue certificates that both LDAP servers and every client trusting this CA will accept.

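# Private keys live under /etc/ssl/private; keep the directory root-only.
mkdir -p /etc/ssl/private/
chmod 700 /etc/ssl/private/
# The CA key signs both server certificates below. certtool writes the key with
# the current umask, so generate it under umask 077 to get a 0600 file.
# (Default RSA size depends on the gnutls version; pass --bits to pin it.)
( umask 077 && certtool --generate-privkey > /etc/ssl/private/ca_key.pem )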

Edit /etc/ssl/ca.info

# certtool template for the CA certificate
cn = k.local
# Marks the certificate as a CA whose key may sign other certificates
ca
cert_signing_key
# 10 years; the server certificates below get the same lifetime
expiration_days = 3650

And we create the self-signed CA's certificate:

# Self-signed CA certificate. ca_cert.pem is the public trust anchor that the
# servers (tls_cacert) and clients (TLS_CACERT) are pointed at later on.
certtool --generate-self-signed --load-privkey /etc/ssl/private/ca_key.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/ca_cert.pem

Create a private key for each LDAP server. Both keys are generated on one host here; the key for oldap2 must then be transferred to that server over a secure channel (or be generated on oldap2 directly and only the certificate request/certificate moved around).

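# One key per server, written with umask 077 so each file is 0600 from the start.
# The oldap2 key must reach that host over a secure channel (or be created there).
( umask 077 && certtool --generate-privkey > /etc/ssl/private/oldap1.key )
( umask 077 && certtool --generate-privkey > /etc/ssl/private/oldap2.key )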

Edit /etc/ssl/oldap1.info

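# certtool template for the oldap1 server certificate
organization = k.local
cn = oldap1.k.local
# Subject Alternative Name: clients that verify the SAN instead of the CN
# (the usual behaviour today) need the host name here as well.
dns_name = oldap1.k.local
tls_www_server
encryption_key
signing_key
expiration_days = 3650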

Edit /etc/ssl/oldap2.info

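# certtool template for the oldap2 server certificate
organization = k.local
cn = oldap2.k.local
# Subject Alternative Name: clients that verify the SAN instead of the CN
# (the usual behaviour today) need the host name here as well.
dns_name = oldap2.k.local
tls_www_server
encryption_key
signing_key
expiration_days = 3650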
And create the LDAP servers' certificates, signed by the CA:
# Sign each server key with the CA. This is the only step that needs ca_key.pem;
# the resulting .pem files are public and can be copied freely.
certtool --generate-certificate --load-privkey /etc/ssl/private/oldap1.key --load-ca-certificate /etc/ssl/certs/ca_cert.pem --load-ca-privkey /etc/ssl/private/ca_key.pem --template /etc/ssl/oldap1.info --outfile /etc/ssl/certs/oldap1.pem
certtool --generate-certificate --load-privkey /etc/ssl/private/oldap2.key --load-ca-certificate /etc/ssl/certs/ca_cert.pem --load-ca-privkey /etc/ssl/private/ca_key.pem --template /etc/ssl/oldap2.info --outfile /etc/ssl/certs/oldap2.pem

2 - OpenLdap server configuration

Install OpenLDAP server:

# slapd plus the command-line clients (ldapsearch etc.) used for the checks below.
yum install openldap-servers openldap-clients -y

Edit /etc/openldap/slapd.conf (it will contain the rootdn password hash and the clear-text replication password, so keep it owned by root:ldap with mode 0640 or stricter):

#############################################################
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable: it holds the rootdn
# password hash and the replication credentials.
#
 
include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org
 
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
 
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
 
# modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
 
# Only the two overlays this setup uses are loaded: memberof.la maintains the
# memberOf attribute, syncprov.la is the replication provider needed for the
# mirrormode (multi-master) configuration further down.
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
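# TLS: certificate and key issued by the private CA from step 1 (copied into
# /etc/openldap/certs further down). TLSCACertificateFile names the CA
# certificates slapd recognizes; it is needed for chain handling and for
# verifying any client certificate.
TLSCACertificateFile /etc/openldap/certs/ca_cert.pem
TLSCertificateFile /etc/openldap/certs/oldap1.pem
TLSCertificateKeyFile /etc/openldap/certs/oldap1.key
# NOTE(review): "TLSv1+RSA" restricts key exchange to plain RSA, i.e. no forward
# secrecy; ECDHE suites are preferable. The accepted syntax of this string also
# depends on the TLS library the package is built against (CentOS 7 builds are
# typically NSS-based, other distributions use OpenSSL) -- check slapd.conf(5)
# for the local build and verify the negotiated cipher with ldapsearch -ZZ or
# openssl s_client before relying on it.
TLSCipherSuite TLSv1+RSA:!NULL
# Client certificates are not requested: clients authenticate with a simple
# bind over the encrypted session. "never" is the default, kept for visibility.
TLSVerifyClient never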
 
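# Encryption requirements (slapd.conf(5), "security"): refuse simple (password)
# binds unless the connection offers at least 112 bits of protection, so the
# cn=admin and user passwords never cross the plaintext ldap:// listener.
# ldaps:// and StartTLS sessions qualify. ldapi:/// connections are rated by
# the localSSF directive (default 71), so a simple bind over the Unix socket is
# refused as well -- use SASL EXTERNAL there, as the checks below do.
# Tightening further with ssf= / update_ssf= is possible, but then localSSF
# must be raised too, otherwise cn=config changes over ldapi (and possibly the
# consumer's internal replication writes) may be refused.
security simple_bind=112
 
# Access control for the directory data is defined in the hdb database section
# below. Keep in mind that when no "access to" directive exists at all, slapd
# lets anyone -- anonymous binds included -- read everything (only updates are
# restricted to the rootdn), and that the rootdn always bypasses access control.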
 
# enable on-the-fly configuration (cn=config)
# Only the local root user, authenticated through the ldapi:/// socket via
# SASL EXTERNAL peer credentials (uid 0 / gid 0), may read or change cn=config;
# every other identity gets nothing.
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none
 
# enable server status monitoring (cn=monitor)
# Read-only for local root (ldapi:/// peer credentials) and for the directory
# admin; nobody else can see the server's internal state.
database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=admin,dc=k,dc=local" read
        by * none
 
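#######################################################################
# database definitions
#######################################################################
 
database    hdb
suffix      "dc=k,dc=local"
checkpoint  1024 15
rootdn      "cn=admin,dc=k,dc=local"
# To generate password : slappasswd -h {SSHA} -s YOURPASSWORD
# (the clear-text password is also needed in the syncrepl "credentials" below)
rootpw      {SSHA}xvxvcvxvxvvxv
loglevel    256
sizelimit   unlimited
 
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/ldap
 
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID                eq
 
# Access control. Without any "access to" directive slapd's default policy lets
# everyone -- anonymous binds included -- read every attribute, password hashes
# among them. Hide userPassword: owners may change it, anonymous may only use it
# to authenticate (bind). Everything else stays world-readable as in the default
# policy; change "by * read" to "by users read" if anonymous lookups are not
# needed. The rootdn (used by FusionDirectory and by the replication consumer)
# is not subject to these rules.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
 
### add Overlay memberof
overlay memberof
 
### Sync provider
overlay     syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 100
 
# Replicas of this database
 
serverID    1
# syncrepl directive: pull changes from the other master over LDAPS, verifying
# its certificate against the private CA (tls_reqcert=demand makes the check
# explicit). Binding as the rootdn is the simplest choice but hands the peer
# full control over this directory; a dedicated replication account with read
# access is the least-privilege alternative. "credentials" is the clear-text
# password -- one more reason this file must not be world readable.
syncrepl    rid=1
            provider=ldaps://oldap2.k.local
            bindmethod=simple
            binddn="cn=admin,dc=k,dc=local"
            credentials=Pass
            searchbase="dc=k,dc=local"
            filter=objectclass=*
            scope=sub
            schemachecking=on
            type=refreshAndPersist
            retry="30 +"
            tls_cacert=/etc/openldap/certs/ca_cert.pem
            tls_reqcert=demand
 
# Enable mirror mode
mirrormode on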

Edit /etc/openldap/ldap.conf

# Trust anchor for libldap clients on this host (ldapsearch, ldapmodify and,
# typically, the PHP ldap extension FusionDirectory uses). Server certificates
# are verified against it because TLS_REQCERT defaults to "demand".
TLS_CACERT      /etc/openldap/certs/ca_cert.pem

Edit /etc/sysconfig/slapd

# Listeners: ldaps:/// (636) for TLS, ldapi:/// for local root administration,
# and plaintext ldap:/// (389). Plain ldap:/// accepts simple binds in clear text
# unless slapd.conf restricts them with a "security" directive (e.g.
# "security simple_bind=112"); drop it here if only TLS clients are expected.
SLAPD_URLS="ldaps:/// ldap:/// ldapi:///"

Copy CA's certificate

# The CA certificate is public; slapd.conf (tls_cacert) and ldap.conf (TLS_CACERT) point at this copy.
cp /etc/ssl/certs/ca_cert.pem /etc/openldap/certs/

Copy OpenLDAP server's certificate

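# Server certificate (public) and private key. slapd runs as the "ldap" user
# and must be able to read the key, but nobody else should.
cp /etc/ssl/certs/oldap1.pem /etc/openldap/certs/
cp /etc/ssl/private/oldap1.key /etc/openldap/certs/
chown root:ldap /etc/openldap/certs/oldap1.key
chmod 640 /etc/openldap/certs/oldap1.key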

Remove the old configuration and restart OpenLDAP. Warning: the next commands delete the existing cn=config tree and the whole directory database under /var/lib/ldap; if the host already holds data, export it first (slapcat) before continuing.

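# WARNING: this wipes the existing cn=config tree and every entry in the
# directory database. Export them first (slapcat) if the host already holds data.
service slapd stop
/bin/rm -rf /etc/openldap/slapd.d/*
/bin/rm -rf /var/lib/ldap/*
# slapd.conf holds the rootdn hash and the replication password: root:ldap, 0640.
chown root:ldap /etc/openldap/slapd.conf
chmod 640 /etc/openldap/slapd.conf
# Convert slapd.conf into the cn=config tree, then hand everything to the ldap
# user and restart. slaptest exits non-zero on a configuration error, and the
# && chain then stops before the restart, so a broken slapd.conf is noticed
# here rather than as a failed service start. The generated slapd.d files carry
# the same secrets as slapd.conf, hence no access for "other".
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG \
  && /bin/chown -R ldap: /etc/openldap/slapd.d/ \
  && /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d \
  && /bin/chown -R ldap: /etc/openldap/slapd.d/ \
  && /bin/chmod -R o-rwx /etc/openldap/slapd.d/ \
  && /bin/chown -R ldap: /var/lib/ldap/ \
  && /sbin/service slapd restart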

Check your OpenLDAP

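# Query cn=config over the local socket. Without -x, ldapsearch negotiates SASL
# and on ldapi:/// normally selects EXTERNAL, i.e. the caller's uid/gid; run it
# as root, the only identity the cn=config ACL admits. The explicit form names
# the mechanism (-Y needs an argument; a bare "-Y" is not a valid invocation).
ldapsearch -H ldapi:/// -b "cn=schema,cn=config"
# or explicitly:
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config"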
 
[...]
# search result
search: 3
result: 0 Success
 
# numResponses: 14
# numEntries: 13

Your OpenLDAP is ready.

3 - Install FusionDirectory

Check your OpenLDAP again: once the FusionDirectory schemas have been inserted into cn=config, the same search returns more schema entries than before.

# Same cn=config query as before (as root over ldapi:///); the entry count should have grown.
ldapsearch  -H ldapi:/// -b "cn=schema,cn=config"
 
[...]
# search result
search: 3
result: 0 Success
 
# numResponses: 18
# numEntries: 17

Configure FusionDirectory with its web setup wizard. At step 4 (LDAP setup):

When you test the bind with the admin account you should see the message below. Note that it binds to ldaps://localhost:636 while the certificate was issued for oldap1.k.local: prefer the server's FQDN in the LDAP URL so that certificate name verification matches; a successful bind to "localhost" means verification is either relaxed on this host or "localhost" is covered by the certificate.

Bind as user 'cn=admin,dc=k,dc=local' to server 'ldaps://localhost:636' succeeded!

4 - Configure the second OpenLDAP server

Repeat section 2 on oldap2.k.local using oldap2.pem / oldap2.key, a distinct serverID (2) and provider=ldaps://oldap1.k.local in the syncrepl block, with the same rootdn and credentials so that each master can bind to the other. (The remainder of this section is not included in this page.)
