24-Aug-2004, minor changes, replaced "defaultServerList 192.168.1.168 192.168.1.178" with "defaultServerList ldap1.example.com ldap2.example.com" in sol9profile and default profile in LDAP Data.
25-Aug-2004, minor changes/corrections, usually in GREEN BOLD text.
26-Aug-2004, minor changes/corrections in LDAP logging through UNIX syslog, added Solaris9 "logadm" configuration for log rotation.
05-Sep-2004, added DB_CONFIG for Berkeley DB, and modified rebuild_example_com.sh to remove only the needed files prior to rebuild.
13-Sep-2004, modified the LDAP Server's ACL to allow "anonymous read" to the People branch, as the Solaris8 LDAP Client can only bind as anonymous.
18-Sep-2004, minor changes, added comments to the output of the "openssl … showcerts" command to indicate that those error messages are non-critical due to self-signing.
24-Sep-2004, minor changes, changed "pam_password md5" to "pam_password crypt" in /etc/ldap.conf on the LDAP Client, to tally with the setting in slapd.conf on the LDAP Server.
2-Nov-2004, added back ldap_failover_controller.sh for the benefit of readers who do not want to go through the hassle of applying Patch 108993 (LDAPv2) and its many dependent patches for Solaris8.
5-Nov-2004, tested that Patch 108993-38 (Solaris8 LDAPv2 libraries) works with OpenLDAP authentication using the version 2 /var/ldap/ldap_client_file.
10-Nov-2004, as per a reader's request, a .txt text format of the Centralized LDAP document is provided.
11-Nov-2004, minor changes, commented in $ETC_OPENLDAP/ldap.conf and/or /etc/ldap.conf that the "HOST" directive may be deprecated in future releases; use the "URI" directive (upper or lowercase does not matter) to replace the "HOST" directive.
Purpose:
This document describes the steps involved in installing and configuring an OpenLDAP Directory Server on Solaris8/9, to be accessed by RedHat Linux or Solaris8/9 LDAP Clients. Many useful productivity UNIX shell scripts are also provided in this document.
To use LDAP centralized authentication with nss_ldap and pam_ldap, i.e. to use the LDAP "uid" and "userPassword" for UNIX account id and password lookup, you must also complete the setup documented in "Installing and configuring OpenSSH with pam_ldap for Solaris9" and/or "Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3".
Another related document, "Deploying OpenLDAP Client by using automated scripts", describes the steps involved in building up an infrastructure environment for rapid deployment of OpenLDAP Clients.
References used:
· QuickStart to OpenLDAP: http://www.openldap.org/doc/admin21/quickstart.html
· Practical LDAP on Linux: http://www.lugs.org.sg/lugsfiles/presentations/2002-08-Practical-LDAP-and-Linux.pdf
· How to install and configure Solaris 9 for Authentication with OpenLDAP 2.1: http://netmojo.ca/howto/solaris-openldap.html
· OpenLDAP SSL/TLS How-To: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
· Replacing NIS with Kerberos and LDAP: http://ofb.net/~jheiss/krbldap/
· Replacing NIS with Kerberos and LDAP: http://www.ofb.net/~jheiss/krbldap/kerberos_and_ldap.html
· SUN's "System Administration Guide: Naming and Directory Services - May 2002" (can be found at http://docs.sun.com)
Freeware tools used:
· Berkeley DB 4.2.52 or later - http://www.sleepycat.com
· NSS_LDAP 2.2.0 and PAM_LDAP 1.6.9 or later - http://www.padl.com
· OpenSSL 0.9.7d or later - http://www.openssl.org
· OpenLDAP 2.2.17 or later - http://www.openldap.org
· LDAP Browser/Editor: http://www.iit.edu/~gawojar/ldap/
· PHP-LDAP-ADMIN: http://freshmeat.net/projects/phpldapadmin/
· Other Graphical LDAP Tools: http://en.tldp.org/HOWTO/LDAP-HOWTO/graphicaltools.html
Example used:
· MASTER OpenLDAP Server: ldap1.example.com, 192.168.1.168
· SLAVE OpenLDAP Server: ldap2.example.com, 192.168.1.178
· RedHat EL3 LDAP Client: client1.example.com, 192.168.1.188
· Solaris8 LDAP Client: client2.example.com, 192.168.1.198
· Solaris9 LDAP Client: client3.example.com, 192.168.1.208
It is highly recommended that OS level Security Hardening be applied to all LDAP Servers. Note that the MASTER and SLAVE OpenLDAP Server can be based on the RedHat Linux or Solaris operating system.
Preparation Steps:
This step is for BOTH OpenLDAP Server(s) as well as Clients.
Please ensure that the IP addresses of the LDAP Server(s) are defined in DNS and/or /etc/hosts.
Please ensure that the LDAP domain example.com is defined in /etc/resolv.conf; in the case of Solaris LDAP clients and servers, /etc/defaultdomain should contain "example.com" as the LDAP domain.
This step is for BOTH OpenLDAP Server(s) as well as Clients.
IMPORTANT: It is highly recommended that these configuration steps be carried out at the LOCAL SYSTEM CONSOLE while logged in as root. ON TOP OF THIS, MULTIPLE REMOTE root sessions should be opened, so that in case any incorrect configuration messes up your system, it can be repaired.
Log in as root.
# cd /var/tmp
# tar xvf db-4.2.52.tar
# cd db-4.2.52/build_unix
# env CC=gcc ../dist/configure
# make clean
# make
# make install
# cd /var/tmp
# tar xvf openssl-0.9.7d.tar
# cd openssl-0.9.7d
# ./config
# make clean
# make
# make install
IMPORTANT NOTE 1:
For Solaris9/8, just run "./config" instead of "./config shared", i.e. do not generate shared library files (.so) for OpenSSL; we will link them STATICALLY into OpenLDAP.
IMPORTANT NOTE 2:
For Solaris8, Patch 102438 is required if /dev/random instead of prngd is used to support OpenSSL.
This step is for BOTH OpenLDAP Server(s) as well as Clients.
IMPORTANT NOTE:
If you intend to build OpenLDAP Server and Clients with SSL_TLS support, you MUST download the latest OpenLDAP source and compile it; SSL_TLS requires OpenLDAP 2.1.X or later.
Log in as root.
# cd /var/tmp
# tar xvf openldap-2.2.17.tar
# cd openldap-2.2.17
# env LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.4.2/lib:/usr/local/ssl/lib" \
    LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.2/lib -L/usr/local/ssl/lib" \
    CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.2/include -I/usr/local/ssl/include" \
    ./configure --enable-bdb --enable-crypt --with-tls --without-cyrus-sasl
# make depend
# make clean
# make
# make install
This will install the OpenLDAP server and client binaries/libraries, using the default configuration directory /usr/local/etc/openldap, default schema directory /usr/local/etc/openldap/schema, and default data directory /usr/local/var/openldap-data.
This step is for OpenLDAP Server(s).
Create a UNIX account for LDAP files' ownership; it could be a member of "daemon" or "ldap".
# groupadd -g 55 ldap
# useradd -u 55 -g 55 -d /home/ldap -s /bin/false ldap
Create a blank default OpenLDAP data directory and protect this directory:
# mkdir -p /usr/local/var/openldap-data
# chmod 700 /usr/local/var/openldap-data
# chown -R ldap:daemon /usr/local/var/openldap-data
# chown -R ldap:daemon /usr/local/etc/openldap
Copy DUAConfigProfile.schema and solaris.schema, provided here in the Appendix, to the /usr/local/etc/openldap/schema directory:
# cp DUAConfigProfile.schema /usr/local/etc/openldap/schema
# cp solaris.schema /usr/local/etc/openldap/schema
Create a blank /home/ldap directory; this will be used to keep the .ldif files generated by the productivity scripts db2ldif_group.sh and db2ldif_People.sh, and used by my script-based LDAP replication scripts, openldap_repl_group.sh and openldap_repl_People.sh. Alternatively, you may also use the OpenLDAP built-in replication feature.
# mkdir -p /home/ldap; chown ldap:ldap /home/ldap
Create SSL self-signed certificates for the local LDAP Server, if you intend to use SSL or TLS.
This can be achieved by running this productivity script, cr_ssl_certs_openldap.sh, at the MASTER LDAP Server, which generates a self-signed CA Cert and a signed Server Cert for the MASTER LDAP Server. Later on, please use the SAME CA Cert to sign a Server Cert created at the SLAVE LDAP Server.
# ./cr_ssl_certs_openldap.sh
Content of cr_ssl_certs_openldap.sh:
#! /bin/sh
#
# cr_ssl_certs_openldap.sh - Create self-signed SSL Certs for OpenLDAP server
#
# Gary Tay, 6-Mar-2004
#
mkdir demoCA >/dev/null 2>&1
cd demoCA
mkdir certs crl newcerts private >/dev/null 2>&1
echo "01" > serial
cp /dev/null index.txt
# Un-comment next two lines for RedHat
#cp /usr/share/ssl/openssl.cnf openssl.cnf
#ETC_OPENLDAP=/etc/openldap
# Un-comment next two lines for Others
cp /usr/local/ssl/openssl.cnf openssl.cnf
ETC_OPENLDAP=/usr/local/etc/openldap
# Replace the sample defaults in openssl.cnf with our own
sed -e 's/GB/SG/' \
    -e 's/Berkshire/Singapore/' \
    -e 's/Newbury/Singapore/' \
    -e 's/My Company Ltd/Example Company Ltd/' \
    openssl.cnf > openssl.cnf.new
mv openssl.cnf.new openssl.cnf
echo "Creating CA cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem \
    -days 3650 -config openssl.cnf
echo "Creating server cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl req -new -x509 -nodes -keyout newreq.pem -out newreq.pem \
    -days 3650 -config openssl.cnf
echo "Self-signing server cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
# Turn the self-signed server cert back into a request, then sign it with the CA
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
cd ..
openssl ca -config demoCA/openssl.cnf -policy policy_anything \
    -out demoCA/newcert.pem -infiles demoCA/tmp.pem
rm -f demoCA/tmp.pem
echo "Please copy CA Cert, New Cert and Key to OpenLDAP config dir..."
echo "using the following commands:"
echo "cp demoCA/cacert.pem $ETC_OPENLDAP"
echo "cp demoCA/newcert.pem $ETC_OPENLDAP/slapd-cert-ldap1.pem"
echo "cp demoCA/newreq.pem $ETC_OPENLDAP/slapd-key-ldap1.pem"
echo "chmod 640 $ETC_OPENLDAP/slapd-key-ldap1.pem"
# Uncomment for RedHat
#echo "chown ldap:ldap $ETC_OPENLDAP/*.pem"
# Uncomment for Others
echo "chown ldap:daemon $ETC_OPENLDAP/*.pem"
echo ""
The following is the output of running cr_ssl_certs_openldap.sh:
# ./cr_ssl_certs_openldap.sh
Creating CA cert...
Please enter server's FQDN when prompted for Common Name:
Generating a 1024 bit RSA private key
.....................................................++++++
....++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: secret
Verifying - Enter PEM pass phrase: secret
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [Singapore]:
Locality Name (eg, city) [Singapore]:
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ldap1.example.com
Email Address []: first_last@example.com
Creating server cert...
Please enter server's FQDN when prompted for Common Name:
Generating a 1024 bit RSA private key
....................++++++
..................................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:
State or Province Name (full name) [Singapore]:
Locality Name (eg, city) [Singapore]:
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ldap1.example.com
Email Address []: first_last@example.com
Self-signing server cert...
Please enter server's FQDN when prompted for Common Name:
Getting request Private Key
Generating certificate request
Using configuration from demoCA/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: secret
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 15 05:50:15 2004 GMT
            Not After : Mar 15 05:50:15 2005 GMT
        Subject:
            countryName               = SG
            stateOrProvinceName       = Singapore
            localityName              = Singapore
            organizationName          = Example Ltd
            commonName                = ldap1.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                51:F4:FB:11:07:35:79:56:B8:11:DA:5F:54:16:2C:3A:95:1C:03:2C
            X509v3 Authority Key Identifier:
                keyid:CC:95:06:D3:EF:09:13:57:1F:A2:75:B4:28:AC:E2:B7:5C:1B:5D:66
                DirName:/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/CN=ldap1.example.com
                serial:00
Certificate is to be certified until Mar 15 05:50:15 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Please copy CA Cert, New Cert and Key to OpenLDAP config dir...
using the following commands:
cp demoCA/cacert.pem /usr/local/etc/openldap
cp demoCA/newcert.pem /usr/local/etc/openldap/slapd-cert-ldap1.pem
cp demoCA/newreq.pem /usr/local/etc/openldap/slapd-key-ldap1.pem
chmod 640 /usr/local/etc/openldap/slapd-key-ldap1.pem
chown ldap:daemon /usr/local/etc/openldap/*.pem
Copy cacert.pem, slapd-cert-ldap1.pem and slapd-key-ldap1.pem created by the above script to /usr/local/etc/openldap and set up file permission protection.
Also please copy cacert.pem to all the LDAP clients that use SSL_TLS to authenticate with this LDAP Server.
ADDITIONAL STEPS if a SLAVE LDAP Server is built:
At the SLAVE LDAP Server, log in as root and run:
# ./cr_unsigned_ssl_cert.sh
Go back to the MASTER LDAP Server, log in as root and run:
# ./sign_ssl_cert_from_slave.sh
The following shows the expected outputs:
# ./cr_unsigned_ssl_cert.sh
Creating un-signed SLAVE LDAP Server cert...
Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:
Generating a 1024 bit RSA private key
.................++++++
...............................................++++++
writing new private key to 'newreq_slave.pem'
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: SG
State or Province Name (full name) [New York]: Singapore
Locality Name (eg, city) []: Singapore
Organization Name (eg, company) [Example Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:ldap2.example.com
Email Address []:first_last@example.com
# ./sign_ssl_cert_from_slave.sh
We must copy the unsigned SSL Server Cert from SLAVE LDAP Server
Enter HOSTNAME/IP of SLAVE LDAP Server: \c ldap2
Enter directory to locate un-signed server cert/key: \c /home/gtay/demoCA
Copying un-signed server cert/key from SLAVE LDAP Server...
newreq_slave.pem
newreq_slave.pem                              100% 2319   627.1KB/s   00:00
Self signing server cert for SLAVE LDAP Server...
Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:
Getting request Private Key
Generating certificate request
Using configuration from demoCA/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: secret
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 22 16:05:32 2004 GMT
            Not After : Oct 22 16:05:32 2005 GMT
        Subject:
            countryName               = SG
            stateOrProvinceName       = Singapore
            localityName              = Singapore
            organizationName          = Example Ltd
            organizationalUnitName    =
            commonName                = ldap2.example.com
            emailAddress              = first_last@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F7:C2:5F:54:C1:3F:E3:16:F2:1D:F7:5E:B0:CA:C8:95:35:45:DA:A9
            X509v3 Authority Key Identifier:
                keyid:25:BC:A0:B3:45:F1:E5:25:7B:46:E5:E7:30:0F:45:EB:98:B8:36:37
                DirName:/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/OU=/CN=ldap1.example.com/emailAddress=first_last@example.com
                serial:00
Certificate is to be certified until Oct 22 16:05:32 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Please copy, New Cert and Key to SLAVE OpenLDAP Server config dir...
Example: assuming ldap2:/etc/openldap is the target directory on SLAVE:
scp demoCA/cacert.pem ldap2:/etc/openldap
scp demoCA/newcert_slave.pem ldap2:/etc/openldap/slapd-cert-ldap2.pem
scp demoCA/newreq_slave.pem ldap2:/etc/openldap/slapd-key-ldap2.pem
ssh ldap2 chmod 640 /etc/openldap/slapd-key-ldap2.pem
ssh ldap2 chown ldap:ldap /etc/openldap/*.pem
Use the following command to show the details of the CA/Chain/Server Certificate(s):
# openssl s_client -connect localhost:636 -showcerts
---
Server certificate
subject=/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/CN=ldap1.example.com/emailAddress=first_last@example.com
issuer=/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/CN=ldap1.example.com/emailAddress=first_last@example.com
---
<Ctrl-C or Ctrl-Break to exit>
In the above output please ignore these non-critical errors, as we self-sign the certs:
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
Verify return code: 21 (unable to verify the first certificate)
In the "Server certificate" section please ensure that the FQDN (Fully Qualified Domain Name) as defined in CN=<FQDN> always matches the "host" entry (or entries) in /etc/ldap.conf (nss_ldap) and $ETC_OPENLDAP/ldap.conf (LDAP Client) and the DNS/hosts file.
Also please copy cacert.pem to all the LDAP clients that use SSL_TLS to authenticate with this LDAP Server.
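A non-interactive counterpart to cr_ssl_certs_openldap.sh, added here as an example rather than taken from the document's own scripts: it creates the self-signed CA and a CA-signed server certificate with -subj instead of prompts, then verifies the server certificate against cacert.pem (the same trust that makes the "unable to get local issuer certificate" message above disappear once a client has cacert.pem) and checks that its CN and subjectAltName carry the server's FQDN. The output directory and FQDN are parameters; adding a subjectAltName and leaving the CA key unencrypted (-nodes) are this example's choices, not the page's.

```shell
#!/bin/sh
# make_certs DIR FQDN: self-signed CA plus CA-signed server certificate
# for FQDN, non-interactively.  Output names follow the page:
# cacert.pem, slapd-cert-<host>.pem, slapd-key-<host>.pem, where <host>
# is the first label of FQDN (ldap1 for ldap1.example.com).
make_certs() {
    dir=$1; fqdn=$2; host=${fqdn%%.*}
    subj="/C=SG/ST=Singapore/L=Singapore/O=Example Ltd"
    mkdir -p "$dir" || return 1
    # CA key and cert.  The page's script protects the CA key with a
    # passphrase; -nodes here is this example's choice, so keep the
    # directory root-only.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "$subj/CN=Example CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    # Server key and CSR with CN = FQDN ...
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj/CN=$fqdn" \
        -keyout "$dir/slapd-key-$host.pem" -out "$dir/$host.csr" 2>/dev/null || return 1
    # ... signed by the CA.  The SAN is an addition over the page's script:
    # current TLS clients match the host name against SAN, not CN.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$dir/$host.ext" \
        -out "$dir/slapd-cert-$host.pem" 2>/dev/null || return 1
    chmod 600 "$dir/cakey.pem" "$dir/slapd-key-$host.pem"
    rm -f "$dir/$host.csr" "$dir/$host.ext"
}

# check_cert CADIR CERT FQDN: 0 when CERT chains to CADIR/cacert.pem and
# names FQDN in both CN and subjectAltName.  Handing openssl the CA file
# is what turns "verify error:num=20/21" into "OK"; an LDAP client gets
# the same effect from TLS_CACERT in ldap.conf.
check_cert() {
    cadir=$1; cert=$2; fqdn=$3
    openssl verify -CAfile "$cadir/cacert.pem" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$fqdn" || return 1
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:$fqdn" || return 1
}

# Usage on the MASTER, then copy the files as the page describes:
#   make_certs /var/tmp/demoCA ldap1.example.com
#   check_cert /var/tmp/demoCA /var/tmp/demoCA/slapd-cert-ldap1.pem ldap1.example.com && echo OK
```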
Edit /usr/local/etc/openldap/ldap.conf, add the following lines in BLUE; this is for local LDAP commands
# vi /usr/local/etc/openldap/ldap.conf
HOST ldap1.example.com
BASE dc=example,dc=com
# Un-comment for RedHat
#TLS_CACERT /etc/openldap/cacert.pem
# Un-comment for others
TLS_CACERT /usr/local/etc/openldap/cacert.pem
IMPORTANT NOTE:
Some options such as TLS_CACERT are missing from the ldap.conf man pages for some versions of OpenLDAP, see:
http://www.openldap.org/lists/openldap-bugs/200206/msg00092.html
Useful information on START_TLS options is described in:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
Now we are ready to create the configuration file for the OpenLDAP server daemon, slapd.
Make a copy of /usr/local/etc/openldap/slapd.conf.default as /usr/local/etc/openldap/slapd.conf, and modify it to include the following lines in BLUE. You should copy DUAConfigProfile.schema and solaris.schema, which are attached in the Appendix and needed for the Solaris LDAP client/server, to the schema directory.
# cp /usr/local/etc/openldap/slapd.conf.default /usr/local/etc/openldap/slapd.conf
# chmod 600 /usr/local/etc/openldap/slapd.conf
# vi /usr/local/etc/openldap/slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/DUAConfigProfile.schema
## solaris.schema provides nisDomainObject, which is absent from nis.schema
include /usr/local/etc/openldap/schema/solaris.schema
# example will NOT work:
# allow bind_v2
# allow bind_anon_dn
# The second entry (bind_anon_dn) overrides the first one (bind_v2)
# since they are in separate lines.
# The line below WILL work.
allow bind_v2 bind_anon_dn
# ACL directives
access to attr=userPassword
    by self write
    by * auth
access to dn="ou=People,dc=example,dc=com"
    by self write
    by dn="cn=proxyagent,ou=profile,dc=example,dc=com" read
    by users auth
    by anonymous read
access to *
    by self write
    by * read
# Performance tuning directives (OPTIONAL)
sizelimit 5000
threads 8
idletimeout 14400
cachesize 10000
checkpoint 256 15
# DB directives
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
#rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
directory /usr/local/var/openldap-data
index objectClass,uid,uidNumber,gidNumber,ou eq
index cn,mail,surname,givenname eq,subinitial
index memberUid eq
index nisDomain eq
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
# Use the following if client authentication is required
#TLSVerifyClient demand
# ... or not desired at all
#TLSVerifyClient never
password-hash {CRYPT}
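As an added illustration (not OpenLDAP code), the following sh functions model how slapd evaluates the three access clauses above: the first "access to" clause whose target matches the entry/attribute wins, then the first matching "by" line within it, so what a requester is granted depends entirely on ordering. It assumes the dn= target applies to the whole People subtree (dn.subtree= is the unambiguous spelling in slapd.access(5)); the DNs are the page's own.

```shell
#!/bin/sh
# First-match model of the three "access to" clauses above (added
# example, not slapd code).  slapd takes the FIRST clause whose target
# matches the entry/attribute, then the FIRST "by" line whose subject
# matches the requester; later clauses are never consulted.
# Assumption: the dn= target covers the whole People subtree.
BASE="dc=example,dc=com"
PEOPLE="ou=People,$BASE"
PROXY="cn=proxyagent,ou=profile,$BASE"

# in_subtree DN BASE: true when DN is BASE or lies beneath it
in_subtree() {
    case $1 in
        "$2" | *",$2") return 0 ;;
    esac
    return 1
}

# who_matches WHO REQUESTER ENTRY: does a "by WHO" line apply?
# REQUESTER is the bound DN, empty for an anonymous connection;
# "any" stands for the file's "by *".
who_matches() {
    case $1 in
        any)       return 0 ;;
        anonymous) [ -z "$2" ] ;;
        users)     [ -n "$2" ] ;;
        self)      [ -n "$2" ] && [ "$2" = "$3" ] ;;
        *)         [ "$2" = "$1" ] ;;       # a literal dn="..."
    esac
}

# acl_level REQUESTER ENTRY_DN ATTR: prints the privilege granted
# (none|auth|compare|search|read|write).
acl_level() {
    req=$1; dn=$2; attr=$3
    # 1. first matching "access to" target, in file order
    if [ "$attr" = "userPassword" ]; then
        bys="self:write any:auth"
    elif in_subtree "$dn" "$PEOPLE"; then
        bys="self:write $PROXY:read users:auth anonymous:read"
    else
        bys="self:write any:read"
    fi
    # 2. first matching "by" line within that clause
    for pair in $bys; do
        who=${pair%:*}; level=${pair##*:}
        if who_matches "$who" "$req" "$dn"; then
            echo "$level"
            return 0
        fi
    done
    echo none
}

# What the page's ACL actually grants (checked in the companion test):
#   anonymous reading a user's userPassword -> auth (may bind, cannot read the hash)
#   proxyagent reading a user's userPassword -> auth (the userPassword clause wins,
#       so its "by dn=proxyagent read" in the People clause never applies)
#   a user reading ANOTHER user's uid -> auth ("by users auth" precedes "by anonymous read")
#   anonymous reading a user's uid -> read (what the Solaris8 client needs)
```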
Copy/detach my productivity UNIX scripts (as provided here in the Appendix section) to /home/gtay, or any directory you prefer, eg: /home/ldap, and use these scripts to create and rebuild a fully populated MASTER OpenLDAP Server.
Note: before running the scripts, please create a sample People.ldif and group.ldif.
It helps if you take some time to browse and study all the productivity scripts, especially the two main scripts, i.e. cr_example_com_ldif.sh and rebuild_example_com.sh.
# cp cr_ssl_certs_openldap.sh /home/gtay
# cp cr_unsigned_ssl_cert.sh /home/gtay
# cp sign_ssl_cert_from_slave.sh /home/gtay
# cp cr_People_ldif.sh /home/gtay
# cp cr_group_ldif.sh /home/gtay
# cp cr_example_com_ldif.sh /home/gtay
# cp openldap_add.sh /home/gtay
# cp openldap_delete_Peoples.sh /home/gtay
# cp openldap_delete_groups.sh /home/gtay
# cp openldap_repl_People.sh /home/gtay
# cp openldap_repl_group.sh /home/gtay
# cp openldap_search.sh /home/gtay
# cp rebuild_example_com.sh /home/gtay
Copy these three scripts to /home/ldap as they are meant for LDAP Backup and Replication:
# cp db2ldif_backup.sh /home/ldap
# cp db2ldif_People.sh /home/ldap
# cp db2ldif_group.sh /home/ldap
# cp openldap_add.sh /home/ldap
# cp openldap_delete_groups.sh /home/ldap
# cp openldap_delete_Peoples.sh /home/ldap
# cp openldap_repl_group.sh /home/ldap
# cp openldap_repl_People.sh /home/ldap
Some of these scripts are optional or specific to a particular environment; for instance, cr_People_ldif.sh is used if People.ldif is an exported ldif file created from an existing iPlanet Directory Server, and the same applies to cr_group_ldif.sh.
Create and protect the LDAP rootdn password file, for OpenLDAP's "Manager", in /etc and in the script directories (/home/gtay and /home/ldap in these cases)
# cd /etc
# echo "secret" >ldap.secret
# chmod 600 ldap.secret
# cd /home/gtay
# echo "secret" >mgr.pwd
# chmod 600 mgr.pwd
# cd /home/ldap
# echo "secret" >mgr.pwd
# chmod 600 mgr.pwd
Prepare People.ldif and group.ldif in /home/gtay (or your preferred script directory).
Tips: Use the /usr/local/sbin/slappasswd command to find the encrypted format of the LDAP userPassword.
A sample People.ldif with only two entries is shown here:
dn: uid=gtay, ou=People, dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay
userPassword: {CRYPT}U8bo2twhJ9Kkg

dn: uid=tuser, ou=People, dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 99999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
A sample group.ldif with only one entry is shown here:
dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
IMPORTANT NOTE ABOUT LDIF IMPORT FILES:
When you copy and paste the content of People.ldif and group.ldif, or any other .ldif files from this document, for preparation of LDAP data import using the ldapadd command, please make sure that ALL TRAILING SPACES at every line in the .ldif files are removed, or else "openldap_add.sh", which calls the "ldapadd" command, will throw errors.
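Added example, not one of the page's productivity scripts: sh helpers that find the trailing blanks the note warns about, strip them, and count entries the way an LDIF reader does, which shows why a separator line that contains only a space silently merges two entries. The sample file used in the checks is constructed.

```shell
#!/bin/sh
# Pre-flight checks for hand-prepared .ldif files (added example, not one
# of the page's productivity scripts).  LDIF (RFC 2849) treats a line that
# BEGINS with a space as a continuation of the previous line and an empty
# line as the entry separator, so a "blank" separator that really holds a
# space glues two entries into one, and a trailing blank becomes part of
# the value ("top " is not the objectClass "top").
TAB=$(printf '\t')

# ldif_trailing_ws FILE: print the 1-based numbers of lines that end in
# a space or tab, one per line (no output = clean).
ldif_trailing_ws() {
    awk -v re="[ $TAB]+\$" '$0 ~ re { print NR }' "$1"
}

# ldif_clean FILE: copy of FILE with trailing blanks removed, on stdout.
ldif_clean() {
    sed "s/[ $TAB]*\$//" "$1"
}

# ldif_count_entries FILE: entries as ldapadd would see them; a "dn:"
# line starts a new entry only after a truly empty line.
ldif_count_entries() {
    awk 'BEGIN { n = 0; open = 0 }
         /^$/            { open = 0; next }
         /^dn:/ && !open { n++; open = 1 }
         END             { print n }' "$1"
}

# ldif_check FILE: 0 when FILE is safe to feed to ldapadd, otherwise a
# report on stderr and 1.
ldif_check() {
    bad=$(ldif_trailing_ws "$1" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "$1: trailing blanks on line(s) ${bad}(fix: ldif_clean $1 > $1.clean)" >&2
        return 1
    fi
    return 0
}
```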
Create the OpenLDAP server start/stop script /etc/init.d/openldap.server.
# touch /etc/init.d/openldap.server
# chmod 744 /etc/init.d/openldap.server
# vi /etc/init.d/openldap.server
#! /bin/sh
#
# openldap.server - OpenLDAP start script
#
# Gary Tay, 19-Feb-2004
#
# Un-Comment for RedHat
#ETC_OPENLDAP_DIR=/etc/openldap
#SLAPD_DIR=/usr/sbin
# Un-Comment for Others
ETC_OPENLDAP_DIR=/usr/local/etc/openldap
SLAPD_DIR=/usr/local/libexec
# Pls customize
DEBUG=""
# Un-Comment to debug
#DEBUG="-d 10"
case "$1" in
'start')
    if [ -f $ETC_OPENLDAP_DIR/slapd.conf -a -f $SLAPD_DIR/slapd ]; then
        echo 'OpenLDAP slapd service starting.'
        $SLAPD_DIR/slapd $DEBUG -u ldap -h "ldap:/// ldaps:///"
    fi
    ;;
'stop')
    PID=`ps -ef | grep slapd | grep -v grep | awk '{print $2}'`
    if [ -n "$PID" ]; then
        echo 'OpenLDAP slapd service stopping.'
        # For testing on small LDAP DB, use kill -9
        kill -9 $PID
        # For production on large LDAP DB, develop killproc() to kill gracefully
        # killproc()
    fi
    ;;
*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac
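The killproc() that the stop branch's comment asks for, added here as an example rather than taken from the page: it stops slapd by the PID in its pidfile with SIGTERM (on which slapd shuts down cleanly), waits, and escalates to SIGKILL only after a timeout, so no process-name grepping is involved. The pidfile path is an assumption; set it with the pidfile directive in slapd.conf.

```shell
#!/bin/sh
# Graceful replacement for the "ps | grep slapd | kill -9" stop branch
# above (added example, not the page's init script).  kill -9 gives the
# Berkeley DB environment no chance to close, and grepping for "slapd"
# can hit an unrelated process whose arguments contain that word.
# Assumed pidfile path; match it to "pidfile" in slapd.conf.
PIDFILE=${PIDFILE:-/usr/local/var/run/slapd.pid}

# alive PID: true while PID exists and is not a zombie (zombie check via
# Linux /proc; elsewhere falls back to kill -0, which cannot tell).
alive() {
    if [ -r "/proc/$1/status" ]; then
        ! grep -q '^State:.*Z' "/proc/$1/status"
    else
        kill -0 "$1" 2>/dev/null
    fi
}

# killproc PIDFILE [TIMEOUT]: returns 0 once the process is gone and the
# pidfile has been removed, 1 on a bad pidfile or a process that survived
# even SIGKILL.
killproc() {
    pidfile=$1; timeout=${2:-30}
    [ -r "$pidfile" ] || { echo "killproc: cannot read $pidfile" >&2; return 1; }
    pid=$(cat "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo "killproc: bad pid '$pid' in $pidfile" >&2; return 1 ;;
    esac
    if ! alive "$pid"; then
        rm -f "$pidfile"; return 0            # stale pidfile, nothing to do
    fi
    kill -TERM "$pid" 2>/dev/null            # slapd checkpoints and exits
    i=0
    while alive "$pid"; do
        i=$((i + 1))
        if [ "$i" -gt "$timeout" ]; then
            echo "killproc: $pid ignored SIGTERM for ${timeout}s, sending SIGKILL" >&2
            kill -KILL "$pid" 2>/dev/null
            sleep 1
            break
        fi
        sleep 1
    done
    if alive "$pid"; then return 1; fi
    rm -f "$pidfile"
}

# In the init script's 'stop' branch this replaces the ps/grep/kill lines:
#   killproc "$PIDFILE" 30 && echo 'OpenLDAP slapd service stopped.'
```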
Create cr_example_com_ldif.sh; do not run it, as it will be "called" by the other script, rebuild_example_com.sh.
# vi cr_example_com_ldif.sh
Content of cr_example_com_ldif.sh (entries in the LDIF must be separated by a blank line):
#! /bin/sh
# cr_example_com_ldif.sh - Create initial ldif entries for dc=example,dc=com
# OpenLDAP initial root entries
cat <<EOF >example_com.ldif
dn: dc=example,dc=com
objectclass: top
# For RedHat use the next line
#objectclass: organization
# For Solaris use the next line
objectclass: domain
objectClass: nisDomainObject
nisDomain: example.com
objectclass: dcObject
o: Example Companies
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager

dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People

dn: ou=group,dc=example,dc=com
objectclass: organizationalUnit
ou: group

dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit

dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {CRYPT}l14aeXtphVSUg

dn: cn=sol8profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: SolarisNamingProfile
SolarisLDAPServers: 192.168.1.168
SolarisBindDN: cn=proxyagent,ou=profile,dc=example,dc=com
SolarisBindPassword: {NS1}ecfa88f3a945c411
SolarisSearchBaseDN: dc=example,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: sol8profile

dn: cn=sol9profile,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: sol9profile
credentialLevel: proxy
bindTimeLimit: 2

dn: cn=default,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2
EOF
cp example_com.ldif ldap_add.ldif
cp example_com.ldif openldap_add.ldif
Create DB_CONFIG in the OpenLDAP data directory (it is usually /usr/local/var/openldap-data; for RedHat, it is /var/lib/ldap). This file contains performance parameters for Berkeley DB; consult the Internet or the OpenLDAP mailing list and adjust the content as needed.
# vi /usr/local/var/openldap-data/DB_CONFIG
or
# vi /var/lib/ldap/DB_CONFIG
Content of DB_CONFIG; below is an example for an LDAP Server with 640MB RAM and 1000 users:
set_cachesize 0 20971520 0
set_lg_regionmax 131072
set_lg_bsize 2097152
Create rebuild_example_com.sh, then edit it and uncomment the OS-specific lines.
# vi rebuild_example_com.sh
Content of rebuild_example_com.sh
#! /bin/sh
# rebuild_example_com.sh - ReBuild LDAP Server for dc=example,dc=com
# Un-comment for RedHat
#OPENLDAP_DATA_DIR=/var/lib/ldap
# Un-comment for Others
OPENLDAP_DATA_DIR=/usr/local/var/openldap-data
echo "WARNING: LDAP Data in $OPENLDAP_DATA_DIR will be deleted!!!"
echo "         and rebuilt from scratch, make sure you know what it means"
echo "Press [Ctrl-C] to abort, enter [Yes] to continue..."
read a_key
[ "$a_key" != "Yes" ] && exit 1
/etc/init.d/openldap.server stop
mkdir -p $OPENLDAP_DATA_DIR
chmod 750 $OPENLDAP_DATA_DIR
chown ldap:ldap $OPENLDAP_DATA_DIR
# Only remove the database, environment and log files; DB_CONFIG stays
/bin/rm -f $OPENLDAP_DATA_DIR/*.bdb
/bin/rm -f $OPENLDAP_DATA_DIR/__db.*
/bin/rm -f $OPENLDAP_DATA_DIR/log.*
/etc/init.d/openldap.server start
sleep 3
./cr_example_com_ldif.sh
./openldap_add.sh
./cr_People_ldif.sh
./openldap_add.sh
./cr_group_ldif.sh
./openldap_add.sh
Execute this script:
# ./rebuild_example_com.sh
WARNING: LDAP Data in /var/lib/ldap will be deleted!!!
         and rebuilt from scratch, make sure you know what it means
Press [Ctrl-C] to abort, enter [Yes] to continue...
OpenLDAP slapd service stopping.
OpenLDAP slapd service starting.
adding new entry "dc=example,dc=com"
adding new entry "cn=Manager,dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=group,dc=example,dc=com"
adding new entry "uid=gtay,ou=People, dc=example,dc=com"
adding new entry "uid=tuser,ou=People, dc=example,dc=com"
adding new entry "cn=Users,ou=group,dc=example,dc=com"
…
Congratulation!!! You have created an OpenLDAP Server
IMPORTANT Note:
rebuild_example_com.sh is a VERY DESTRUCTIVE script; make sure you understand what every step of the script is trying to do, and avoid testing this script in a production environment.
Try stopping and starting the OpenLDAP server
# /etc/init.d/openldap.server stop
# /etc/init.d/openldap.server start
Verify:
# ps -ef | grep slapd
    root   706   702  0 03:31:03 pts/3    0:00 grep slapd
    root   216     1  0   Feb 23 ?        2:11 /usr/local/libexec/slapd -u ldap -h ldap:/// ldaps:///
Tips: whenever you have a problem starting the OpenLDAP server, i.e. it is not shown in the process status, comment out this line in /etc/init.d/openldap.server and re-try.
#DEBUG="-d 10"
Prepare the LDAP Client's (the LDAP Client local to the LDAP Server) ldap.conf file in /usr/local/etc/openldap; the following is a typical content:
HOST ldap1.example.com
BASE dc=example,dc=com
# Un-comment for RedHat
#TLS_CACERT /etc/openldap/cacert.pem
# Un-comment for others
TLS_CACERT /usr/local/etc/openldap/cacert.pem
Try to list the LDAP content locally at the server; note that userPassword never gets listed.
# ./openldap_search.sh | less
dn: dc=example,dc=com
objectClass: top
objectClass: organization
objectClass: dcObject
o: Example Companies
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

dn: uid=gtay,ou=People,dc=example,dc=com
givenName: Gary
sn: Tay
loginShell: /usr/bin/bash
uidNumber: 6167
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: gtay
cn: Gary Tay
homeDirectory: /home/gtay

dn: uid=tuser,ou=People,dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 99999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser

dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixgroup
…
You should test whether the LDAP client can connect to the LDAP Server (slapd) using simple authentication (-x), without and with START_TLS (-ZZ).
# ldapsearch -x -LLL
# ldapsearch -x -LLL -ZZ
Congratulation!!! You have created an OpenLDAP server capable of answering name service (uid) lookup requests from any LDAP Client.
TIPS 1: LDAP Logging
Logging is used to help debugging. OpenLDAP by default logs through the "LOCAL4" syslog facility; you may set up /etc/syslog.conf and restart syslogd. If you do this, please take care of log file trimming and rotation.
# vi /etc/syslog.conf
Add this line:
local4.debug	/var/log/ldap.log
IMPORTANT NOTE: use one or more <TAB> between “local4.debug” and “/var/log/ldap.log”; if spaces are used, syslog will log NOTHING.
# touch /var/log/ldap.log
# pkill -HUP syslogd
Set up log rotation using the Solaris9 “logadm” command by adding the following line to /etc/logadm.conf:
/var/log/ldap.log -C 8 -a 'kill -HUP `cat /var/run/syslog.pid`'
Root cron jobs usually contain /usr/sbin/logadm; you may run this command manually to observe the rotation of log files.
If you wish to log OpenLDAP syslog messages through another local facility, use the "-l" option when starting the slapd server daemon, e.g. "-l LOCAL8".
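The TAB-versus-space trap above is easy to hit and produces no error message, so here is a small check you can run after editing syslog.conf. This is an added example, not part of the original document; the file name, selector and log file are passed as arguments, and the demo input is constructed.

```shell
#!/bin/sh
# Added example, not part of the original document: verify the syslog.conf
# line that routes OpenLDAP's LOCAL4 messages into /var/log/ldap.log.
# syslogd only accepts TABs between selector and action; a line written with
# spaces is silently ignored, which is exactly the failure the text warns about.
#
# check_syslog_conf CONF SELECTOR LOGFILE
#   exit 0: selector line present and TAB-separated
#   exit 2: selector line present but separated by spaces (syslog logs nothing)
#   exit 1: no line for that selector/action at all
check_syslog_conf() {
    conf=$1; selector=$2; logfile=$3
    tab=$(printf '\t')
    verdict=1
    while IFS= read -r line; do
        case "$line" in
            \#*|'') continue ;;          # skip comments and blank lines
            "$selector"*) ;;             # candidate line, examine it below
            *) continue ;;
        esac
        rest=${line#"$selector"}
        # Variant 1: strip TABs only; if what is left is the action, it is correct
        tabs_only=$rest
        while [ "${tabs_only#"$tab"}" != "$tabs_only" ]; do
            tabs_only=${tabs_only#"$tab"}
        done
        if [ "$tabs_only" = "$logfile" ] && [ "$tabs_only" != "$rest" ]; then
            verdict=0; break
        fi
        # Variant 2: strip any mix of TABs and spaces; if that matches, the
        # separator contained spaces and syslogd will ignore the line
        any_ws=$rest
        while :; do
            case "$any_ws" in
                "$tab"*|' '*) any_ws=${any_ws#?} ;;
                *) break ;;
            esac
        done
        if [ "$any_ws" = "$logfile" ] && [ "$any_ws" != "$rest" ]; then
            verdict=2
        fi
    done < "$conf"
    return $verdict
}

# Demo on a constructed syslog.conf fragment (sample data, not a real system file)
demo=${TMPDIR:-/tmp}/syslog_check_demo.$$
printf 'local4.debug /var/log/ldap.log\n' > "$demo"
if check_syslog_conf "$demo" local4.debug /var/log/ldap.log; then
    echo "OK: TAB-separated"
else
    echo "PROBLEM: rc=$? (2 = spaces used, 1 = line missing)"
fi
rm -f "$demo"
```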
TIPS 2: LDAP Account Maintenance
To easily maintain the LDAP account details, it is highly recommended that the Java-based LDAP Browser/Editor tool (downloadable from http://www.iit.edu/~gawojar/ldap/) be used.
All that is required to configure this tool is to define JAVA_HOME in LBE.BAT and create a program icon LBE on your desktop pointing to it; don't forget that the start directory must be the same as that of LBE.BAT. For an OpenLDAP Server, to add a NEW LDAP user, choose "Edit/Add Entry" and select the "posixAccount" Template.
Another good GUI tool is the web-based PHP-LDAP-ADMIN: http://freshmeat.net/projects/phpldapadmin/; this tool requires more setup steps.
This step is for LDAP Clients ONLY.
Assuming client3.example.com is the Solaris9 LDAP Client to be configured:
Log in to client3 as ‘root’ at the SYSTEM CONSOLE, so that if there is any misconfiguration, repair can be done at the console.
These lines should be present in /usr/local/etc/openldap/ldap.conf of the LDAP Client:
# List two or more LDAP servers if failover is required
HOST ldap1.example.com ldap2.example.com
# URI ldap://ldap1.example.com ldap://ldap2.example.com
BASE dc=example, dc=com
# Un-comment for RedHat
#TLS_CACERT /etc/openldap/cacert.pem
# Un-comment for others
TLS_CACERT /usr/local/etc/openldap/cacert.pem
Package NSS_LDAP includes /etc/ldap.conf, which is said to be shared between the Name Service Switch for LDAP (NSS_LDAP) and the Pluggable Authentication Module for LDAP (PAM_LDAP). Do not confuse this ldap.conf with the OpenLDAP client configuration file, in our case /usr/local/etc/openldap/ldap.conf.
Edit /etc/ldap.conf; below is a well-commented sample, the lines in GREEN are usually the ones changed:
# List two or more LDAP servers if failover is required
host ldap1.example.com ldap2.example.com
# “host” directive may be deprecated in future releases,
# you may wish to use ‘uri’ directive to replace “host” directive
# uri ldap://ldap1.example.com ldap://ldap2.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=proxyagent,ou=profile,dc=example,dc=com
bindpw password
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=example,dc=com
port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute memberUid
# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?one
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member
# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds
# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Un-comment for RedHat
#tls_cacertfile /etc/openldap/cacert.pem
# Un-comment for Others
tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
Now, from the LDAP Client, we can test again with the openssl showcerts command:
# openssl s_client -connect ldap1.example.com:636 -showcerts
---
Server certificate
subject=/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/CN=ldap1.example.com/emailAddress=first_last@example.com
issuer=/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/CN=ldap1.example.com/emailAddress=first_last@example.com
---
<Ctrl-C or Ctrl-Break to exit>
In the above output please ignore these non-critical errors, as we self-sign the certs:
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
Verify return code: 21 (unable to verify the first certificate)
In the “Server certificate” section please ensure that the FQDN (Fully Qualified Domain Name) as defined in CN=<FQDN> always matches the “host” entry (or entries) in /etc/ldap.conf (nss_ldap) and $ETC_OPENLDAP/ldap.conf (LDAP Client) and the DNS/hosts file.
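The CN check above is worth automating, since with tls_checkpeer yes a CN that differs from the configured host name makes every bind fail even though the CA certificate is trusted. The following is an added example, not part of the original document: it pulls the CN out of a subject line as printed by openssl s_client and checks it against the host/uri entries of an nss_ldap ldap.conf; the subject line and configuration used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original document: confirm that the CN in the
# LDAP server certificate subject (as printed by "openssl s_client -showcerts")
# is one of the "host" / "uri" entries in nss_ldap's /etc/ldap.conf.
#
# cert_cn SUBJECT_LINE      -> prints the CN value of the subject
# cn_listed_in_conf CN CONF -> exit 0 if CN appears as a host/uri entry, 1 otherwise
cert_cn() {
    # e.g. subject=/C=SG/ST=Singapore/O=Example Ltd/CN=ldap1.example.com/emailAddress=...
    printf '%s\n' "$1" | sed -n 's|.*/CN=\([^/]*\).*|\1|p'
}

cn_listed_in_conf() {
    cn=$1; conf=$2
    # Collect host names from "host a b" and "uri ldap://a ldap://b" lines,
    # ignoring comments; strip the scheme, any path and any :port from URIs.
    awk -v want="$cn" '
        /^[ \t]*#/ { next }
        tolower($1) == "host" || tolower($1) == "uri" {
            for (i = 2; i <= NF; i++) {
                h = $i
                sub(/^ldaps?:\/\//, "", h)
                sub(/\/.*$/, "", h)
                sub(/:[0-9]+$/, "", h)
                if (h == want) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$conf"
}

# Demo with constructed data (not output captured from a real server)
demo=${TMPDIR:-/tmp}/ldap_conf_demo.$$
cat > "$demo" <<'EOF'
# List two or more LDAP servers if failover is required
host ldap1.example.com ldap2.example.com
base dc=example,dc=com
EOF
subject='subject=/C=SG/ST=Singapore/L=Singapore/O=Example Ltd/CN=ldap1.example.com/emailAddress=first_last@example.com'
cn=$(cert_cn "$subject")
if cn_listed_in_conf "$cn" "$demo"; then
    echo "OK: certificate CN $cn matches a configured LDAP host"
else
    echo "MISMATCH: certificate CN $cn is not a host/uri entry in $demo"
fi
rm -f "$demo"
```

A CN that is an IP address, or a host entry that is an IP address while the CN is the FQDN, is reported as a mismatch, which is the case the note about 192.168.1.168 describes.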
You should test whether the LDAP client can connect to the LDAP Server (slapd) using simple authentication (-x), both without and with START_TLS (-ZZ).
# ldapsearch -x -LLL
# ldapsearch -x -LLL -ZZ
# grep ldap /etc/nsswitch.conf
passwd: files ldap
group: files ldap
# /etc/init.d/nscd stop; /etc/init.d/nscd start
# id tuser
uid=99999(tuser) gid=102(Users)
# getent passwd gtay
…
Set up /etc/ldap.secret and protect it using a root cron job:
# echo "secret" >/etc/ldap.secret
# chmod 600 /etc/ldap.*
Set up a root cron job to protect /etc/ldap.conf, which contains the bind password for “cn=proxyagent,ou=profile,dc=example,dc=com”:
0,15,30,45 * * * * /bin/chmod 600 /etc/ldap.*
This step is for Solaris LDAP Clients ONLY.
Assuming you already have GCC Compiler 3.1 or later installed:
# gcc -v
Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.9/3.1/specs
Configured with: ./configure --with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld --disable-nls
Thread model: posix
gcc version 3.1
Perform Steps 1) and 2); on top of these, there are additional steps to be performed to make a Solaris 8/9 OpenLDAP Client usable if the LDAP authentication scheme is to be used.
Assuming client2.example.com is the Solaris8 LDAP Client to be configured:
Log in to client2 as ‘root’ at the SYSTEM CONSOLE, so that if there is any misconfiguration, repair can be done at the console.
Edit /etc/profile to include the library search paths for OpenSource products:
MANPATH=/usr/share/man:/usr/local/man; export MANPATH
PATH=$PATH:/usr/local/bin:/usr/local/sbin:/usr/ccs/bin; export PATH
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/ssl/lib:/usr/local/BerkeleyDB.4.2/lib; export LD_LIBRARY_PATH
Note: the above LD_LIBRARY_PATH is required for Solaris 8/9 as the OpenLDAP binaries may (on Solaris8) reference the GCC library file libgcc_s.so.1 and the OpenSSL and Berkeley DB shared libraries.
Create /var/ldap/ldap_client_file; the following is a sample for a Solaris9 LDAP Client.
Note that you must use ldap1.example.com instead of the LDAP Server IP address 192.168.1.168 if you want SSL/START_TLS to recognize the LDAP Server's self-signed certificate.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com, ldap2.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= sol9profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 2
For a Solaris8 LDAP Client, the following is an example /var/ldap/ldap_client_file:
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 192.168.1.168
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= NS_LDAP_AUTH_NONE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
NS_LDAP_DOMAIN= example.com
NS_LDAP_EXP= 1088564197
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_ONELEVEL
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_BIND_TIME= 30
Note: Solaris9 DOES support fail-over LDAP Server(s) in the NS_LDAP_SERVERS parameter.
Note: Solaris8 DOES NOT support more than one LDAP Server in the NS_LDAP_SERVERS parameter.
Note: Solaris8 DOES support fail-over LDAP Server(s) in the NS_LDAP_SERVERS parameter provided Patch 108993-20 or later is applied; if your system has this patch, you can use “version 2” of the /var/ldap/ldap_client_file and specify one or more failover servers in NS_LDAP_SERVERS.
Create a /var/ldap/ldap_client_cred file with the following content; it is the same for Solaris9 and Solaris8 LDAP Clients:
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
Change the file permission of BOTH ldap_client_file and ldap_client_cred:
# cd /var/ldap
# chmod 400 ldap_client_file ldap_client_cred
IMPORTANT AND INTERESTING DISCOVERY: for some reason, both ldap_client_file and ldap_client_cred MUST HAVE permission "400"; if not, after restarting /etc/init.d/ldap.client the "ldaplist" command will not work.
# /etc/init.d/ldap.client stop
# /etc/init.d/ldap.client start
# /etc/init.d/nscd stop
# /etc/init.d/nscd start
Make sure that the keyword "ldap" appears in /etc/nsswitch.conf for name service lookup of passwd and group:
# grep ldap /etc/nsswitch.conf
passwd: files ldap
group: files ldap
To test the name service, on top of using "id" and "getent", there is also the "ldaplist" command:
bash-2.03# id tuser
uid=99999(tuser) gid=102(Users)
bash-2.03# getent passwd tuser
tuser::99999:102::/home/tuser:/bin/bash
bash-2.03# ldaplist -l passwd tuser
dn: uid=tuser,ou=People,dc=example,dc=com
givenName: Test
sn: User
loginShell: /bin/bash
uidNumber: 99999
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: tuser
cn: Test User
homeDirectory: /home/tuser
Tips: if there is a problem looking up the LDAP entries, try to look for errors in /var/adm/messages and/or /var/log/ldap.log.
This step is for the LDAP Server only.
You may use the following UNIX root cron jobs for daily OpenLDAP data backup, assuming you have created a /home/ldap to hold the scripts and exported ldif files; please adjust the run times if required.
0,15,30,45 * * * * /bin/chmod 600 /etc/ldap.*
0,15,30,45 * * * * /bin/chmod 600 /home/ldap/*.ldif /home/gtay/*.ldif
0,15,30,45 * * * * /bin/chmod 600 /home/ldap/mgr.pwd /home/gtay/mgr.pwd
0 3,15 * * * /home/ldap/db2ldif_backup.sh
1 3,15 * * * /home/ldap/db2ldif_People.sh
2 3,15 * * * /home/ldap/db2ldif_group.sh
Scripts can be found in the Appendix.
IMPORTANT NOTE: db2ldif_backup.sh and db2ldif_People.sh may NOT be able to list the content of userPassword due to security protection by the LDAP Access Control List (ACL) directives. Please fine-tune the ACLs until userPasswords are captured by db2ldif_backup.sh (FULL BACKUP) as well as db2ldif_People.sh (People SubSchema BACKUP).
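A backup that silently lacks userPassword is only discovered at restore time, so it pays to check each export. The following is an added example, not part of the original document or its scripts: it walks an LDIF file such as /home/ldap/People.ldif and counts uid= entries with and without a userPassword attribute (base64 "userPassword::" lines count too); the demo LDIF is constructed.

```shell
#!/bin/sh
# Added example, not part of the original document: after db2ldif_People.sh
# (or db2ldif_backup.sh) runs, confirm the export really captured userPassword
# for every account, which is what the ACL note asks you to verify.
#
# ldif_password_coverage FILE
#   prints "<entries with userPassword> <entries without>" and exits 0 only
#   when every uid= entry carries a userPassword (and at least one entry exists)
ldif_password_coverage() {
    awk '
        function flush() {
            if (in_user) { if (has_pw) with_pw++; else without_pw++ }
            in_user = 0; has_pw = 0
        }
        # a new dn starts a new entry; only uid= entries (People) are counted
        /^dn: / { flush(); if ($0 ~ /^dn: uid=/) in_user = 1; next }
        # matches both "userPassword: {SHA}..." and base64 "userPassword:: ..."
        /^userPassword:/ { if (in_user) has_pw = 1 }
        /^$/ { flush() }
        END {
            flush()
            printf "%d %d\n", with_pw, without_pw
            if (without_pw == 0 && with_pw > 0) exit 0
            exit 1
        }
    ' "$1"
}

# Demo on a constructed LDIF export (sample data, not a real backup)
demo=${TMPDIR:-/tmp}/ldif_coverage_demo.$$
cat > "$demo" <<'EOF'
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit

dn: uid=gtay,ou=People,dc=example,dc=com
uid: gtay
userPassword:: e1NIQX1zYW1wbGU=

dn: uid=tuser,ou=People,dc=example,dc=com
uid: tuser
EOF
if result=$(ldif_password_coverage "$demo"); then
    echo "OK ($result): every account has userPassword"
else
    echo "ACL PROBLEM ($result = with/without): fix slapd.conf access rules"
fi
rm -f "$demo"
```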
This step is for the LDAP Server only.
The following UNIX root cron jobs are examples of TWICE-daily replication; modify them to suit your needs.
Note that the replication script should run shortly after the backup script.
# Note: LDAP Replication should start only after LDAP backup is done
# Adjust the cron job timing if needed
15 3,15 * * * /home/ldap/openldap_repl_People.sh ldap2.example.com
16 3,15 * * * /home/ldap/openldap_repl_group.sh ldap2.example.com
Scripts can be found in the Appendix.
For these scripts to be successfully automated, “PermitRootLogin” must be enabled for the SSH Server running on ldap1 and ldap2, and a ONE-WAY SSH trust using a public key must be set up from ldap1 to ldap2.
Also, copy the following LDAP Replication scripts to /home/ldap of the SLAVE LDAP Server:
openldap_repl_People.sh
openldap_repl_group.sh
openldap_delete_Peoples.sh
openldap_delete_groups.sh
openldap_add.sh
RedHat's "passwd" has the intelligence to change and synchronize both local and LDAP passwords; for Solaris, you may use "passwd -r files" to change the local password and "/usr/bin/lpasswd.sh" to change the LDAP password. Keeping both passwords in sync is your own responsibility.
Content of /usr/bin/lpasswd.sh
#! /bin/sh
#
# lpasswd.sh - Change OpenLDAP userPassword
#
# Gary Tay, 18-Jul-2004 written
#
clear
echo ""
echo "lpasswd.sh - Change OpenLDAP userPassword"
echo ""
echo "It is highly recommended that 'slappasswd' be run to generate"
echo "the required NEW LDAP userPassword in hashed format for subsequent"
echo "copying and pasting, in this case encrypted password is stored"
echo "into LDAP Database, rather than cleartext password"
echo ""
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.4.2/lib
export LD_LIBRARY_PATH
echo "Running slappasswd now..."
if [ -x /usr/local/sbin/slappasswd ]; then
    OPENLDAP_SBINDIR=/usr/local/sbin
else
    if [ -x /usr/sbin/slappasswd ]; then
        OPENLDAP_SBINDIR=/usr/sbin
    else
        echo "Enter the search path for slappasswd (Ctrl-C to exit): \c"
        read OPENLDAP_SBINDIR
    fi
fi
# Loop until slappasswd exits cleanly (i.e. the two passwords it prompts for match)
RC=1
while [ $RC -ne 0 ]
do
    echo "$OPENLDAP_SBINDIR/slappasswd -h {SHA}"
    $OPENLDAP_SBINDIR/slappasswd -h {SHA}
    RC=$?
done
if [ -x /usr/local/bin/ldapmodify ]; then
    # Usual location
    OPENLDAP_BINDIR=/usr/local/bin
else
    if [ -x /usr/bin/ldapmodify ]; then
        # Usually Solaris9 and RedHat have ldapmodify in /usr/bin
        OPENLDAP_BINDIR=/usr/bin
    else
        echo "Enter the search path for ldapmodify (Ctrl-C to exit): \c"
        read OPENLDAP_BINDIR
    fi
fi
PATH=$OPENLDAP_BINDIR:$PATH; export PATH
# Define your defaults here
HOST=ldap1.example.com
PORT=389
BASE=dc=example,dc=com
echo ""
echo "HOST: $HOST"; echo "PORT: $PORT"; echo "BASE: $BASE"
echo ""
YN='Y'
echo "Do you want to use the above defaults? (Y/N, default to Y) \c"; read YN
echo ""
if [ "$YN" = "N" ]; then
    echo "Enter LDAP HOST (eg: ldap1.example.com): \c"; read HOST
    echo "Enter LDAP PORT (eg: 389): \c"; read PORT
    echo "Enter LDAP BASE (eg: dc=example,dc=com): \c"; read BASE
    echo ""
fi
# LDAP user ID should not be blank. The variable is called LDAP_UID because
# UID is a read-only variable in bash (which is /bin/sh on RedHat).
LDAP_UID=""
while [ -z "$LDAP_UID" ]
do
    echo "Enter LDAP userID (eg: `logname`, blank not allowed): \c"; read LDAP_UID
done
# Remove tmp files when the program is interrupted (SIGKILL cannot be trapped)
trap '/bin/rm -f /tmp/ldapmodify*.tmp' 2 3 15
# Enter NEW passwords TWICE, loop if they are different
USERPASSWORD=""; USERPASSWORDX="X"
while [ "$USERPASSWORD" != "$USERPASSWORDX" ]
do
    echo ""
    echo "Please COPY and PASTE the above {SHA} hashed password TWICE here"
    echo "NOTE 1: you should include the {SHA} prefix tag in your copying"
    echo "NOTE 2: no echoing of passwords"
    echo ""
    echo "Enter NEW LDAP userPassword: \c"; stty -echo; read USERPASSWORD; stty echo; echo ""
    echo "Enter NEW LDAP userPassword again: \c"; stty -echo; read USERPASSWORDX; stty echo; echo ""
    echo ""
done
# Prepare input tmp file for ldapmodify (mode 600: it holds the new hash)
touch /tmp/ldapmodify$$.tmp; chmod 600 /tmp/ldapmodify$$.tmp
cat <<EOF >/tmp/ldapmodify$$.tmp
dn: uid=$LDAP_UID,ou=People,$BASE
changetype: modify
replace: userPassword
userPassword: $USERPASSWORD
-
EOF
# Go change it, binding as the user whose password is being changed
echo "Please enter EXISTING LDAP userPassword when prompted..."
echo ""
PW_PROMPT=""
[ "`uname -s`" = "SunOS" -a "`uname -r`" = "5.9" ] && PW_PROMPT=""
[ "`uname -s`" = "Linux" ] && PW_PROMPT="-x -W"
[ "$OPENLDAP_BINDIR" = "/usr/local/bin" ] && PW_PROMPT="-x -W"
ldapmodify -h $HOST -p $PORT \
    -D "uid=$LDAP_UID,ou=People,$BASE" $PW_PROMPT -f /tmp/ldapmodify$$.tmp
# Check return code
if [ $? -eq 0 ]; then
    echo "LDAP userPassword change for $LDAP_UID was done successfully..."
else
    echo "LDAP userPassword change for $LDAP_UID failed!!!"
fi
/bin/rm -f /tmp/ldapmodify$$.tmp
If you do not intend to apply Patch 108993-20 or later to a Solaris8 LDAP Client, then you may use the following script, ldap_failover_controller.sh, to alter the NS_LDAP_SERVERS parameter in /var/ldap/ldap_client_file when the MASTER LDAP is down or recovered, and so achieve LDAP lookup failover or failback.
Submit this script into the root cron jobs, running at one-minute intervals.
Content of /var/ldap/ldap_failover_controller.sh
#! /bin/sh
#
# ldap_failover_controller.sh
#
# Check connection status of MASTER LDAP Server, if MASTER LDAP Server is
# down restart LDAP Client processes so as to activate the failover SLAVE
# LDAP Server.
#
# This script is specific ONLY to Solaris8 LDAP Clients
# Solaris9 LDAP Client could auto-failover and does not need this script
#
# Gary Tay, 18-Aug-2004 written
#
# 13-Sep-2004: gtay, modified to failover for Solaris8 LDAP Client
#              assuming there is a stand-by SLAVE LDAP
# 22-Oct-2004: gtay, fixed a Solaris8 bug that cleared the NS_LDAP_DOMAIN
#
# 28-Oct-2004: gtay, fixed the logic of checking NS_LDAP_DOMAIN
#              and modified it to exit if OS is Solaris9
#
# Setup Instruction: Submit this script into Solaris8 root cron job as
# * * * * * /var/ldap/ldap_failover_controller.sh >/dev/null 2>&1
#
# NOTES:
# . For Solaris8 LDAP Client failover to work with OpenLDAP Server
#   the OpenLDAP Server must allow anonymous read to ou=People branch
#
# This script is
# Applicable to Solaris8 ONLY
# Not required for Solaris9
# Not Applicable to Solaris 2.6, Solaris7 and Linux
OS=`uname -s`; RELEASE=`uname -r`
[ "$OS" = "SunOS" -a "$RELEASE" = "5.6" ] && exit 1
[ "$OS" = "SunOS" -a "$RELEASE" = "5.7" ] && exit 1
[ "$OS" = "SunOS" -a "$RELEASE" = "5.9" ] && exit 1
[ "$OS" = "Linux" ] && exit 1
# Pls customize the followings
OPENLDAP_BINDIR=/usr/local/bin
MASTER_LDAP_SERVER="ldap1"
SLAVE_LDAP_SERVER="ldap2"
# Check heart-beat of MASTER LDAP Server and act on it
$OPENLDAP_BINDIR/ldapsearch -h $MASTER_LDAP_SERVER >/dev/null 2>&1
if [ $? -ne 0 ]; then
    # ldaplist may fail when ldap_cachemgr gets refreshed at the next interval
    /usr/bin/ldaplist -l passwd >/dev/null 2>&1
    # When ldaplist fails, act on it
    if [ $? -ne 0 ]; then
        # switch ldap_client_file to SLAVE LDAP Server
        if [ "$RELEASE" = "5.8" ]; then
            IP_MASTER=`grep $MASTER_LDAP_SERVER /etc/hosts | awk '{print $1}'`
            IP_SLAVE=`grep $SLAVE_LDAP_SERVER /etc/hosts | awk '{print $1}'`
            sed -e "s/$IP_MASTER/$IP_SLAVE/" \
                /var/ldap/ldap_client_file >/var/ldap/ldap_client_file.slave
            cp /var/ldap/ldap_client_file.slave /var/ldap/ldap_client_file
        fi
        /etc/init.d/ldap.client stop
        sleep 1
        pkill -9 ldap_cachemgr # in case
        /bin/rm -f /var/ldap/cachemgr.log
        /etc/init.d/ldap.client start
        /etc/init.d/nscd stop
        sleep 1
        /etc/init.d/nscd start
    fi
else
    # switch ldap_client_file back to MASTER LDAP Server
    if [ "$RELEASE" = "5.8" ]; then
        IP_MASTER=`grep $MASTER_LDAP_SERVER /etc/hosts | awk '{print $1}'`
        IP_SLAVE=`grep $SLAVE_LDAP_SERVER /etc/hosts | awk '{print $1}'`
        sed -e "s/$IP_SLAVE/$IP_MASTER/" \
            /var/ldap/ldap_client_file >/var/ldap/ldap_client_file.master
        cp /var/ldap/ldap_client_file.master /var/ldap/ldap_client_file
    fi
fi
# Fix a bug that NS_LDAP_DOMAIN becomes blank at times
if [ "$RELEASE" = "5.8" ]; then
    LDAP_DOMAIN=`domainname`
    DOMAIN_NAME_FOUND=`grep "$LDAP_DOMAIN" /var/ldap/ldap_client_file`
    if [ -z "$DOMAIN_NAME_FOUND" ]; then
        sed -e "s/NS_LDAP_DOMAIN=/NS_LDAP_DOMAIN= $LDAP_DOMAIN/" \
            /var/ldap/ldap_client_file >/var/ldap/ldap_client_file.tmp
        cp /var/ldap/ldap_client_file.tmp /var/ldap/ldap_client_file
    fi
fi
chmod 400 /var/ldap/ldap_client_file*
chmod 400 /var/ldap/ldap_client_cred*
Some of the scripts may assume a script directory /home/gtay (or /home/ldap); please feel free to modify them to suit your project needs.
You will also notice that mgr.pwd needs to be created for some of the scripts to be executed automatically.
The author disclaims any responsibility for any logic error(s) or destruction the scripts might cause.
Content of cr_example_com_ldif.sh
#! /bin/sh
# cr_example_com_ldif.sh - Create initial ldif entries for dc=example,dc=com
# OpenLDAP initial root entries
cat <<EOF >example_com.ldif
dn: dc=example,dc=com
objectclass: top
# For RedHat use the next line
#objectclass: organization
# For Solaris use the next line
objectclass: domain
objectClass: nisDomainObject
nisDomain: example.com
objectclass: dcObject
o: Example Companies
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager

dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People

dn: ou=group,dc=example,dc=com
objectclass: organizationalUnit
ou: group

dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit

dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: {CRYPT}l14aeXtphVSUg

dn: cn=sol8profile,ou=profile,dc=example,dc=com
ObjectClass: top
ObjectClass: SolarisNamingProfile
SolarisLDAPServers: 192.168.1.168
SolarisBindDN: cn=proxyagent,ou=profile,dc=example,dc=com
SolarisBindPassword: {NS1}ecfa88f3a945c411
SolarisSearchBaseDN: dc=example,dc=com
SolarisAuthMethod: NS_LDAP_AUTH_NONE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
cn: sol8profile

dn: cn=sol9profile,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: sol9profile
credentialLevel: proxy
bindTimeLimit: 2

dn: cn=default,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
defaultServerList: ldap1.example.com ldap2.example.com
defaultSearchBase: dc=example,dc=com
authenticationMethod: simple
followReferrals: TRUE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
cn: default
credentialLevel: proxy
bindTimeLimit: 2
EOF
cp example_com.ldif ldap_add.ldif
cp example_com.ldif openldap_add.ldif
Content of cr_group_ldif.sh
cat group.ldif | egrep -v "^ |^nsUniqueId:|^aci:|^mod|^creat|^ ot|^ t" >group_ldapadd.ldif
cp group_ldapadd.ldif ldap_add.ldif
cp group_ldapadd.ldif openldap_add.ldif
Content of cr_People_ldif.sh
cat People.ldif | egrep -v "^gecos:|^ |nsUniqueId:|^aci:|^mod|^creat|^ ot|^ t" >People_ldapadd.ldif
cp People_ldapadd.ldif ldap_add.ldif
cp People_ldapadd.ldif openldap_add.ldif
Content of cr_ssl_certs_openldap.sh
#! /bin/sh
#
# cr_ssl_certs_openldap.sh - Create self-signed SSL Certs for OpenLDAP server
#
# Gary Tay, 6-Mar-2004
#
mkdir demoCA >/dev/null 2>&1
cd demoCA
mkdir certs crl newcerts private >/dev/null 2>&1
echo "01" > serial
cp /dev/null index.txt
# Un-comment next two lines for RedHat
#cp /usr/share/ssl/openssl.cnf openssl.cnf
#ETC_OPENLDAP=/etc/openldap
# Un-comment next two lines for Others
cp /usr/local/ssl/openssl.cnf openssl.cnf
ETC_OPENLDAP=/usr/local/etc/openldap
sed -e 's/GB/SG/' \
    -e 's/Berkshire/Singapore/' \
    -e 's/Newbury/Singapore/' \
    -e 's/My Company Ltd/Example Company Ltd/' \
    openssl.cnf > openssl.cnf.new
mv openssl.cnf.new openssl.cnf
echo "Creating CA cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem \
    -days 3650 -config openssl.cnf
echo "Creating server cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl req -new -x509 -nodes -keyout newreq.pem -out newreq.pem \
    -days 3650 -config openssl.cnf
echo "Self signing server cert..."
echo "Please enter server's FQDN when prompted for Common Name:"
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
cd ..
openssl ca -config demoCA/openssl.cnf -policy policy_anything \
    -out demoCA/newcert.pem -infiles demoCA/tmp.pem
rm -f demoCA/tmp.pem
echo "Please copy CA Cert, New Cert and Key to OpenLDAP config dir..."
echo "using the following commands:"
echo "cp demoCA/cacert.pem $ETC_OPENLDAP"
echo "cp demoCA/newcert.pem $ETC_OPENLDAP/slapd-cert-ldap1.pem"
echo "cp demoCA/newreq.pem $ETC_OPENLDAP/slapd-key-ldap1.pem"
echo "chmod 640 $ETC_OPENLDAP/slapd-key-ldap1.pem"
# Uncomment for RedHat
#echo "chown ldap:ldap $ETC_OPENLDAP/*.pem"
# Uncomment for Others
echo "chown ldap:daemon $ETC_OPENLDAP/*.pem"
echo ""
Content of cr_unsigned_ssl_cert.sh
#! /bin/sh
#
# cr_unsigned_ssl_cert.sh - Create un-signed SSL Cert at SLAVE LDAP Server
#
# Gary Tay, 22-Oct-2004
#
# Note: after creation of un-signed cert, login as root
#       at MASTER LDAP Server and run sign_ssl_cert_from_slave.sh
# Un-comment for RedHat
#PATH=$PATH:/usr/bin; export PATH
# Un-comment for Others
PATH=$PATH:/usr/local/ssl/bin; export PATH
mkdir demoCA >/dev/null 2>&1
cd demoCA
mkdir certs crl newcerts private >/dev/null 2>&1
echo "01" > serial
cp /dev/null index.txt
# Un-comment next two lines for RedHat
#cp /usr/share/ssl/openssl.cnf openssl.cnf
# Un-comment next two lines for Others
cp /usr/local/ssl/openssl.cnf openssl.cnf
sed -e 's/AU/SG/' \
    -e 's/Some-State/Singapore/' \
    -e 's/Newbury/Singapore/' \
    -e 's/Internet Widgits Pty Ltd/Example Ltd/' \
    openssl.cnf > openssl.cnf.new
mv openssl.cnf.new openssl.cnf
echo "Creating un-signed SLAVE LDAP Server cert..."
echo "Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:"
openssl req -new -x509 -nodes -keyout newreq_slave.pem -out newreq_slave.pem \
    -days 3650 -config openssl.cnf
Content of sign_ssl_cert_from_slave.sh
#! /bin/sh
#
# sign_ssl_cert_from_slave.sh
#
# Self sign un-signed SSL Cert copied from SLAVE LDAP Server
#
# Gary Tay, 22-Oct-2004
#
# Un-comment for RedHat
#PATH=$PATH:/usr/bin; export PATH
# Un-comment for Others
PATH=$PATH:/usr/local/ssl/bin; export PATH
mkdir demoCA >/dev/null 2>&1
cd demoCA
mkdir certs crl newcerts private >/dev/null 2>&1
echo "01" > serial
cp /dev/null index.txt
# Un-comment next two lines for RedHat
cp /usr/share/ssl/openssl.cnf openssl.cnf
ETC_OPENLDAP=/etc/openldap
# Un-comment next two lines for Others
#cp /usr/local/ssl/openssl.cnf openssl.cnf
#ETC_OPENLDAP=/usr/local/etc/openldap
sed -e 's/AU/SG/' \
    -e 's/Some-State/Singapore/' \
    -e 's/Newbury/Singapore/' \
    -e 's/Internet Widgits Pty Ltd/Example Ltd/' \
    openssl.cnf > openssl.cnf.new
mv openssl.cnf.new openssl.cnf
echo "We must copy the unsigned SSL Server Cert from SLAVE LDAP Server"
echo ""
echo "Enter HOSTNAME/IP of SLAVE LDAP Server: \c"
read SLAVE_LDAP
echo "Enter directory to locate un-signed server cert/key: \c"
read DEMOCA_DIR
echo "Copying un-signed server cert/key from SLAVE LDAP Server..."
scp $SLAVE_LDAP:$DEMOCA_DIR/newreq_slave.pem .
echo "Self signing server cert for SLAVE LDAP Server..."
echo "Please enter SLAVE LDAP Server's FQDN when prompted for Common Name:"
openssl x509 -x509toreq -in newreq_slave.pem -signkey newreq_slave.pem -out tmp.pem
cd ..
openssl ca -config demoCA/openssl.cnf -policy policy_anything \
    -out demoCA/newcert_slave.pem -infiles demoCA/tmp.pem
rm -f demoCA/tmp.pem
echo "Please copy, New Cert and Key to SLAVE OpenLDAP Server config dir..."
echo "Example: assuming ldap2:$ETC_OPENLDAP is the target directory on SLAVE:"
echo "scp demoCA/cacert.pem ldap2:$ETC_OPENLDAP"
echo "scp demoCA/newcert_slave.pem ldap2:$ETC_OPENLDAP/slapd-cert-ldap2.pem"
echo "scp demoCA/newreq_slave.pem ldap2:$ETC_OPENLDAP/slapd-key-ldap2.pem"
echo "ssh ldap2 chmod 640 $ETC_OPENLDAP/slapd-key-ldap2.pem"
# Uncomment for RedHat
echo "ssh ldap2 chown ldap:ldap $ETC_OPENLDAP/*.pem"
# Uncomment for Others
#echo "ssh ldap2 chown ldap:daemon $ETC_OPENLDAP/*.pem"
echo ""
Content of db2ldif_backup.sh
#
Execute these for iPlanet Directory Server
if
[ -n "`ps -ef | grep 'ns-slapd' | grep -v grep`" ]
then
YYYY=`date +'%Y'`
cd /usr/iplanet/ds5/slapd-`hostname`/ldif
rm -f $YYYY*.ldif
../db2ldif -n UserRoot -s
"dc=example,dc=com"
cp $YYYY*.ldif /home/ldap/example_com.ldif
fi
#
Execute these for OpenLDAP Server
if
[ -n "`ps -ef | grep 'slapd' | grep -v grep`" ]
then
# For RedHat
#BINDIR=/usr/bin
# For Others
BINDIR=/usr/local/bin
$BINDIR/ldapsearch -x -LLL -b
"dc=example,dc=com" \
-D
"cn=Manager,dc=example,dc=com" \
-w `cat /etc/ldap.secret` \
"objectclass=*"
>/home/ldap/example_com.ldif
fi
chmod
600 /home/ldap/example_com.ldif
Content of db2ldif_People.sh
# Execute these for iPlanet Directory Server
if [ -n "`ps -ef | grep 'ns-slapd' | grep -v grep`" ]
then
    YYYY=`date +'%Y'`
    cd /usr/iplanet/ds5/slapd-`hostname`/ldif
    rm -f $YYYY*.ldif
    ../db2ldif -n UserRoot -s "ou=People,dc=example,dc=com"
    cp $YYYY*.ldif /home/ldap/People.ldif
fi
# Execute these for OpenLDAP Server
if [ -n "`ps -ef | grep 'slapd' | grep -v grep`" ]
then
    # For RedHat
    #BINDIR=/usr/bin
    # For Others
    BINDIR=/usr/local/bin
    $BINDIR/ldapsearch -x -LLL -b "ou=People,dc=example,dc=com" \
        -D "cn=Manager,dc=example,dc=com" \
        -w `cat /etc/ldap.secret` \
        "objectclass=*" >/home/ldap/People.ldif
fi
chmod 600 /home/ldap/People.ldif
Content of db2ldif_group.sh
# Execute these for OpenLDAP Server
if [ -n "`ps -ef | grep 'slapd' | grep -v grep`" ]
then
    # For RedHat
    #BINDIR=/usr/bin
    # For Others
    BINDIR=/usr/local/bin
    $BINDIR/ldapsearch -x -LLL -b "ou=group,dc=example,dc=com" \
        -D "cn=Manager,dc=example,dc=com" \
        -w `cat /etc/ldap.secret` \
        "objectclass=*" >/home/ldap/group.ldif
fi
chmod 600 /home/ldap/group.ldif
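The three db2ldif_*.sh scripts above write the ldapsearch output straight over the previous dump. As an added example that is not part of the original document, the following POSIX sh function checks such a dump before it is kept as a backup; the sample LDIF, base DN and entry counts it uses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not one of the page's scripts: sanity-check an LDIF
# dump such as /home/ldap/example_com.ldif before trusting it as a
# backup.  The db2ldif_*.sh scripts redirect ldapsearch output with ">"
# without testing its exit status, so a failed bind or an unreachable
# server leaves an empty or partial file where the good dump was.  The
# dump also carries every userPassword (hence the chmod 600); a value
# without a {scheme} prefix was stored by the directory in clear.

# check_ldif FILE BASEDN [MIN_ENTRIES]: print findings, return their
# count (0 means the dump looks usable).
check_ldif() {
    f=$1; base=$2; min=${3:-1}; n=0
    [ -s "$f" ] || { echo "$f: missing or empty"; return 1; }
    # One awk pass: unfold continuation lines (leading space), count
    # entries, find the base entry, count userPassword values that are
    # neither base64 ("::") nor prefixed with a {scheme}.
    stats=$(awk -v base="$base" '
        function flush() {
            if (line == "") return
            if (line ~ /^dn:/) { e++; if (tolower(line) == tolower("dn: " base)) b = 1 }
            if (tolower(line) ~ /^userpassword:/ && line !~ /^[^:]*:: / && line !~ /^[^:]*: [{]/) c++
            line = ""
        }
        /^ / { line = line substr($0, 2); next }
        { flush(); line = $0 }
        END { flush(); print e + 0, b + 0, c + 0 }' "$f")
    set -- $stats
    [ "$1" -ge "$min" ] || { echo "$f: only $1 entries, expected at least $min"; n=$((n + 1)); }
    [ "$2" -eq 1 ] || { echo "$f: base entry '$base' not found"; n=$((n + 1)); }
    [ "$3" -eq 0 ] || { echo "$f: $3 userPassword value(s) without a hash scheme"; n=$((n + 1)); }
    return $n
}

# Demo on a constructed dump (not real directory data): base entry, one
# account with a folded {crypt} hash, one with a cleartext password.
demo=${TMPDIR:-/tmp}/ldif_check.$$
cat >"$demo" <<'EOF'
dn: dc=example,dc=com
dc: example

dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {crypt}ab
 XyZ123

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: hunter2
EOF
check_ldif "$demo" "dc=example,dc=com" 3; echo "findings: $?"
rm -f "$demo"
```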
Content of NSS_LDAP's /etc/ldap.conf
host ldap1.example.com ldap2.example.com
# uri ldap://ldap1.example.com ldap://ldap2.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=proxyagent,ou=profile,dc=example,dc=com
bindpw password
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=example,dc=com
port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute memberUid
# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?one
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member
# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds
# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Un-comment for RedHat
#tls_cacertfile /etc/openldap/cacert.pem
# Un-comment for Others
tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
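As an added example that is not part of the original document, this POSIX sh script audits an nss_ldap /etc/ldap.conf for the TLS and credential settings shown above; the sample file it writes is constructed from this page's values, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original document: audit an
# nss_ldap/pam_ldap /etc/ldap.conf for the transport settings this
# page relies on.  Without "ssl start_tls" (or "ssl on") the proxyagent
# bind and every lookup travel in the clear; "tls_checkpeer yes" needs
# a CA file or directory to verify anything; and a bindpw in a
# world-readable file is visible to every local user.

# get_key FILE KEY: print the value of the last uncommented KEY line
# (all remaining fields, so "host ldap1 ldap2" keeps both servers),
# or nothing if KEY is unset.
get_key() {
    awk -v k="$2" '$1 == k { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
                   END { print v }' "$1"
}

# check_ldap_conf FILE: print one line per finding, return the number
# of findings (0 = clean).
check_ldap_conf() {
    f=$1; n=0
    case "$(get_key "$f" ssl)" in
        start_tls|on|yes) ;;
        *) echo "$f: ssl not set to start_tls/on, traffic is unencrypted"; n=$((n + 1)) ;;
    esac
    [ "$(get_key "$f" tls_checkpeer)" = yes ] ||
        { echo "$f: tls_checkpeer is not yes, server cert is not verified"; n=$((n + 1)); }
    [ -n "$(get_key "$f" tls_cacertfile)$(get_key "$f" tls_cacertdir)" ] ||
        { echo "$f: no tls_cacertfile or tls_cacertdir to verify against"; n=$((n + 1)); }
    if [ -n "$(get_key "$f" bindpw)" ]; then
        # nss_ldap reads this file from every process, so it often has to
        # stay world-readable; flag it so the proxyagent is kept read-only.
        other=$(ls -l "$f" | cut -c8-10)   # "other" permission bits
        [ "$other" = "---" ] ||
            { echo "$f: holds bindpw but is readable by others ($other)"; n=$((n + 1)); }
    fi
    return $n
}

# Demo on a constructed file (not a real host): this page's settings
# with the TLS lines commented out.
demo=${TMPDIR:-/tmp}/ldap.conf.demo.$$
printf '%s\n' 'host ldap1.example.com ldap2.example.com' 'base dc=example,dc=com' \
    'binddn cn=proxyagent,ou=profile,dc=example,dc=com' 'bindpw password' \
    '#ssl start_tls' '#tls_checkpeer yes' >"$demo"
chmod 644 "$demo"
check_ldap_conf "$demo"; echo "findings: $?"
rm -f "$demo"
```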
Content of group.ldif
dn: cn=Users,ou=group,dc=example,dc=com
cn: Users
gidNumber: 102
objectClass: top
objectClass: posixGroup
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
HOST ldap1.example.com ldap2.example.com
# URI ldap://ldap1.example.com ldap://ldap2.example.com
BASE dc=example,dc=com
# Un-comment for RedHat
#TLS_CACERT /etc/openldap/cacert.pem
# Un-comment for others
TLS_CACERT /usr/local/etc/openldap/cacert.pem
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
Content of /var/ldap/ldap_client_file for Solaris9
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap1.example.com, ldap2.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= sol9profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 2
Content of /var/ldap/ldap_client_file for Solaris8
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 192.168.1.168
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= NS_LDAP_AUTH_NONE
NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
NS_LDAP_DOMAIN= example.com
NS_LDAP_EXP= 1088564197
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_ONELEVEL
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_BIND_TIME= 30
Content of /var/ldap/ldap_client_cred for Solaris9/8
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
Content of /etc/nsswitch.conf for RedHat
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+       Use NIS+ (NIS version 3)
# nis or yp             Use NIS (NIS version 2), also called YP
# dns                   Use DNS (Domain Name Service)
# files                 Use the local files
# db                    Use the local database (.db) files
# compat                Use NIS on compat mode
# hesiod                Use Hesiod for user lookups
# [NOTFOUND=return]     Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
Content of /etc/nsswitch.conf for Solaris
#
# /etc/nsswitch.dns:
#
# An example file that could be copied over to /etc/nsswitch.conf; it uses
# DNS for hosts lookups, otherwise it does not use any other naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
passwd: files ldap
shadow: files
group: files ldap
# You must also set up the /etc/resolv.conf file for DNS name
# server lookup. See resolv.conf(4).
hosts: files dns
ipnodes: files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files
printers: user files
auth_attr: files
prof_attr: files
project: files
Content of /etc/init.d/openldap.server
#!/bin/sh
#
# openldap.server - OpenLDAP start script
#
# Gary Tay, 19-Feb-2004
#
# Un-Comment for RedHat
#ETC_OPENLDAP_DIR=/etc/openldap
#SLAPD_DIR=/usr/sbin
# Un-Comment for Others
ETC_OPENLDAP_DIR=/usr/local/etc/openldap
SLAPD_DIR=/usr/local/libexec
# Pls customize
DEBUG=""
# Un-Comment to debug
#DEBUG="-d 10"
case "$1" in
'start')
    if [ -f $ETC_OPENLDAP_DIR/slapd.conf -a -f $SLAPD_DIR/slapd ]; then
        echo 'OpenLDAP slapd service starting.'
        $SLAPD_DIR/slapd $DEBUG -u ldap -h "ldap:/// ldaps:///"
    fi
    ;;
'stop')
    PID=`ps -ef | grep slapd | grep -v grep | awk '{print $2}'`
    if [ -n "$PID" ]; then
        echo 'OpenLDAP slapd service stopping.'
        # Note: the OpenLDAP Administrator's Guide stops slapd with SIGINT
        # (kill -INT) so it can close its databases; SIGKILL skips that
        # shutdown and can leave the Berkeley DB backend needing recovery.
        kill -9 $PID
    fi
    ;;
*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac
Content of openldap_add.sh
#!/bin/sh
# openldap_add.sh
# Un-Comment for RedHat
#BINDIR=/usr/bin
# Un-Comment for others
BINDIR=/usr/local/bin
if [ -f mgr.pwd ]
then
    $BINDIR/ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -w `cat mgr.pwd` -f openldap_add.ldif
else
    echo "mgr.pwd not found"
    echo "Please enter LDAP password for cn=Manager,dc=example,dc=com..."
    $BINDIR/ldapadd -c -x -D "cn=Manager,dc=example,dc=com" -W -f openldap_add.ldif
fi
Content of openldap_delete_groups.sh
#!/bin/sh
# openldap_delete_groups.sh
# Destructive script
# Never do deletion at LDAP Master Server
# Do deletion only at LDAP Slave Server
[ "`uname -n`" = "ldap1" ] && exit
# Un-Comment for RedHat
#BINDIR=/usr/bin
# Un-Comment for others
BINDIR=/usr/local/bin
grep "^dn:" group.ldif | sed 's/^dn: //' >openldap_delete_groups.ldif
if [ -f mgr.pwd ]
then
    $BINDIR/ldapdelete -c -x -D "cn=Manager,dc=example,dc=com" -w `cat mgr.pwd` -f openldap_delete_groups.ldif
else
    echo "mgr.pwd not found"
    echo "Please enter LDAP password for cn=Manager,dc=example,dc=com..."
    $BINDIR/ldapdelete -c -x -D "cn=Manager,dc=example,dc=com" -W -f openldap_delete_groups.ldif
fi
Content of openldap_delete_Peoples.sh
#!/bin/sh
# openldap_delete_Peoples.sh
# Destructive script
# Never do deletion at LDAP Master Server
# Do deletion only at LDAP Slave Server
[ "`uname -n`" = "ldap1" ] && exit
# Un-Comment for RedHat
#BINDIR=/usr/bin
# Un-Comment for others
BINDIR=/usr/local/bin
grep "^dn:" People.ldif | sed 's/^dn: //' >openldap_delete_Peoples.ldif
if [ -f mgr.pwd ]
then
    $BINDIR/ldapdelete -c -x -D "cn=Manager,dc=example,dc=com" -w `cat mgr.pwd` -f openldap_delete_Peoples.ldif
else
    echo "mgr.pwd not found"
    echo "Please enter LDAP password for cn=Manager,dc=example,dc=com..."
    $BINDIR/ldapdelete -c -x -D "cn=Manager,dc=example,dc=com" -W -f openldap_delete_Peoples.ldif
fi
Content of openldap_repl_group.sh
#!/bin/sh
#
# openldap_repl_group.sh
#
# Gary Tay, 10-Oct-2003, written
#