LDAP/OpenLDAP configuration

From RevSpace
Jump to navigation Jump to search

The below configuration is used for LDAP at RevSpace, written for and tested with OpenLDAP 2.5.13. The paths are relative to the base configuration directory, e.g. /etc/ldap.

ldap.conf

# needed for anything using libldap
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERTDIR /etc/ssl/certs

slapd.conf

# Schemas.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/openssh-lpk.schema

# Server
pidfile /run/slapd/slapd.pid
include /etc/ldap/slapd/local.conf
security tls=1
disallow bind_anon
require LDAPv3 bind authc strong
loglevel none
moduleload deref.la
moduleload syncprov.la

# Database.
database        ldif
suffix          "dc=space,dc=revspace,dc=nl"
rootdn          "cn=admin,dc=space,dc=revspace,dc=nl"
rootpw          "{CRYPT}$6$rounds=42000$<EXPUNGED>"
directory       /var/lib/ldap/data

password-hash {CRYPT}
password-crypt-salt-format "$6$rounds=42000$%.16s"

overlay deref

include /etc/ldap/slapd/db.replication.conf
include /etc/ldap/slapd/db.acl.conf


slapd/

node.conf

# per-server local node configuration
serverid 1
pidfile /run/slapd/slapd.pid
TLSCACertificateFile /var/lib/dehydrated/certs/ldap2.space.revspace.nl/fullchain.pem
TLSCertificateFile /var/lib/dehydrated/certs/ldap2.space.revspace.nl/cert.pem
TLSCertificateKeyFile /var/lib/dehydrated/certs/ldap2.space.revspace.nl/privkey.pem
# TLSCipherSuite SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC:!NULL

db.replication.conf

overlay syncprov

syncrepl rid=1
         provider=ldaps://ldap2.space.revspace.nl
         bindmethod=simple
         binddn="cn=repl-ldap2,ou=services,dc=space,dc=revspace,dc=nl"
         credentials="<EXPUNGED>"
         searchbase="dc=space,dc=revspace,dc=nl"
         schemachecking=on
         type=refreshAndPersist
         retry="60 +"

#syncrepl rid=2
#         bindmethod=simple
#         binddn="cn=repl-ldap2,ou=services,dc=space,dc=revspace,dc=nl"
#         credentials="<EXPUNGED>"
#         searchbase="dc=space,dc=revspace,dc=nl"
#         schemachecking=on
#         type=refreshAndPersist
#         retry="60 +"

mirrormode on

db.acl.conf

# User-changeable attributes
access to dn.subtree="ou=people,dc=space,dc=revspace,dc=nl" attrs=sshPublicKey,userPassword,loginShell
	by self write
	by group="cn=board,ou=groups,dc=space,dc=revspace,dc=nl" write
	by dn.exact="cn=sshpubkey,ou=services,dc=space,dc=revspace,dc=nl" write
	by dn.exact="cn=shelldap-gateway,ou=services,dc=space,dc=revspace,dc=nl" write
	by dn.exact="cn=ldap-sync-scriptje,ou=services,dc=space,dc=revspace,dc=nl" write
	by dn.subtree="ou=services,dc=space,dc=revspace,dc=nl" read
	by * auth
# Users
access to dn.subtree="ou=people,dc=space,dc=revspace,dc=nl"
	by self read
	by group="cn=board,ou=groups,dc=space,dc=revspace,dc=nl" write
	by dn.exact="cn=shelldap-gateway,ou=services,dc=space,dc=revspace,dc=nl" write
	by dn.exact="cn=ldap-sync-scriptje,ou=services,dc=space,dc=revspace,dc=nl" write
	by dn.subtree="ou=services,dc=space,dc=revspace,dc=nl" read
	by * auth
# Groups
access to dn.subtree="ou=groups,dc=space,dc=revspace,dc=nl"
	by group="cn=board,ou=groups,dc=space,dc=revspace,dc=nl" write
	by dn.subtree="ou=services,dc=space,dc=revspace,dc=nl" read
	by * read
# Fallback
access to *
	by group="cn=board,ou=groups,dc=space,dc=revspace,dc=nl" write
	by * read


schema/

rfc2307bis.schema

Taken from: https://github.com/jtyr/rfc2307bis/tree/4fb02fcfc5816e62716e34a9e27c506e2bedd9c8

###
# Extracted from: http://tools.ietf.org/html/draft-howard-rfc2307bis-02
###

# Builtin
#attributeType ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
#    DESC 'An integer uniquely identifying a user in an
#          administrative domain'
#    EQUALITY integerMatch
#    ORDERING integerOrderingMatch
#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
#    SINGLE-VALUE )

# Builtin
#attributeType ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
#    DESC 'An integer uniquely identifying a group in an
#          administrative domain'
#    EQUALITY integerMatch
#    ORDERING integerOrderingMatch
#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
#    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.2 NAME 'gecos'
    DESC 'The GECOS field; the common name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
    DESC 'The absolute path to the home directory'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
    DESC 'The path to the login shell'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributeType ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributeType ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
    DESC 'Netgroup triple'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributeType ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
    DESC 'Service port number'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
    DESC 'Service protocol name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributeType ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
    DESC 'IP protocol number'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
    DESC 'ONC RPC number'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
    DESC 'IPv4 addresses as a dotted decimal omitting leading
          zeros or IPv6 addresses as defined in RFC2373'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributeType ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
    DESC 'IP network omitting leading zeros, eg. 192.168'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
    DESC 'IP netmask omitting leading zeros, eg. 255.255.255.0'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
    DESC 'MAC address in maximal, colon separated hex
          notation, eg. 00:00:92:90:ee:e2'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributeType ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
    DESC 'rpc.bootparamd parameter'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributeType ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
    DESC 'Boot image name'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributeType ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
    DESC 'Name of a generic NIS map'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )

attributeType ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
    DESC 'A generic NIS entry'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
    DESC 'NIS public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
    DESC 'NIS secret key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
    DESC 'NIS domain'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributeType ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
    DESC 'automount Map Name'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
    DESC 'Automount Key value'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
    DESC 'Automount information'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

objectClass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
    DESC 'Abstraction of an account with POSIX attributes'
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $
          description ) )

objectClass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
    DESC 'Additional attributes for shadow passwords'
    MUST uid
    MAY ( userPassword $ description $
          shadowLastChange $ shadowMin $ shadowMax $
          shadowWarning $ shadowInactive $
          shadowExpire $ shadowFlag ) )

objectClass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
    DESC 'Abstraction of a group of accounts'
    MUST gidNumber
    MAY ( userPassword $ memberUid $
          description ) )

objectClass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
    DESC 'Abstraction an Internet Protocol service.
          Maps an IP port and protocol (such as tcp or udp)
          to one or more names; the distinguished value of
          the cn attribute denotes the services canonical
          name'
    MUST ( cn $ ipServicePort $ ipServiceProtocol )
    MAY description )

objectClass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
    DESC 'Abstraction of an IP protocol. Maps a protocol number
          to one or more names. The distinguished value of the cn
          attribute denotes the protocol canonical name'
    MUST ( cn $ ipProtocolNumber )
    MAY description )

objectClass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
    DESC 'Abstraction of an Open Network Computing (ONC)
         [RFC1057] Remote Procedure Call (RPC) binding.
         This class maps an ONC RPC number to a name.
         The distinguished value of the cn attribute denotes
         the RPC service canonical name'
    MUST ( cn $ oncRpcNumber )
    MAY description )

objectClass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
    DESC 'Abstraction of a host, an IP device. The distinguished
          value of the cn attribute denotes the hosts canonical
       name. Device SHOULD be used as a structural class'
    MUST ( cn $ ipHostNumber )
    MAY ( userPassword $ l $ description $
          manager ) )

objectClass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
    DESC 'Abstraction of a network. The distinguished value of
          the cn attribute denotes the network canonical name'
    MUST ipNetworkNumber
    MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )

objectClass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
    DESC 'Abstraction of a netgroup. May refer to other
          netgroups'
    MUST cn
    MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )

objectClass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
    DESC 'A generic abstraction of a NIS map'
    MUST nisMapName
    MAY description )

objectClass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
    DESC 'An entry in a NIS map'
    MUST ( cn $ nisMapEntry $ nisMapName ) )

objectClass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
    DESC 'A device with a MAC address; device SHOULD be
          used as a structural class'
    MAY macAddress )

objectClass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
    DESC 'A device with boot parameters; device SHOULD be
          used as a structural class'
    MAY ( bootFile $ bootParameter ) )

objectClass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
    DESC 'An object with a public and secret key'
    MUST ( cn $ nisPublicKey $ nisSecretKey )
    MAY ( uidNumber $ description ) )

objectClass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
    DESC 'Associates a NIS domain with a naming context'
    MUST nisDomain )

objectClass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
    MUST ( automountMapName )
    MAY description )

objectClass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
    DESC 'Automount information'
    MUST ( automountKey $ automountInformation )
    MAY description )

objectClass ( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' SUP top STRUCTURAL
    DESC 'A group with members (DNs)'
    MUST cn
    MAY ( businessCategory $ seeAlso $ owner $ ou $ o $
          description $ member ) )

openssh-lpk.schema

Taken from: https://www.nikhef.nl/pdp/files/packages/mkgroup-sshlpk/openssh-lpk.schema

#
# LDAP Public Key Patch schema for use with openssh-ldappubkey
# Author: Eric AUGE <eau@phear.org>
#
# Based on the proposal of : Mark Ruijter
#


# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
	DESC 'OpenSSH Public key'
	EQUALITY octetStringMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
	DESC 'OpenSSH LPK objectclass'
	MUST uid
	MAY sshPublicKey
	)


skel/

README

LDIF files to import in case the complete LDAP data goes poof.

Use like:

for x in $(pwd)/*.ldif; do
	su openldap -s /bin/sh -c "ldapadd -Q -Y EXTERNAL -H ldapi:/// -W -f $x"
done

After that programs like shelldap should work again.

00-root.ldif

dn: dc=space,dc=revspace,dc=nl
objectClass: top
objectClass: dcObject
objectClass: organization
o: RevSpace

01-unit-services.ldif

dn: ou=services,dc=space,dc=revspace,dc=nl
objectClass: top
objectClass: organizationalUnit
ou: services

01-unit-groups.ldif

dn: ou=groups,dc=space,dc=revspace,dc=nl
objectClass: top
objectClass: organizationalUnit
ou: groups

01-unit-people.ldif

dn: ou=people,dc=space,dc=revspace,dc=nl
objectClass: top
objectClass: organizationalUnit
ou: people