Shiz: s/FreeRADIUS/OpenLDAP/, whoops

2024-04-07T11:03:07Z

s/FreeRADIUS/OpenLDAP/, whoops

← Older revision		Revision as of 11:03, 7 April 2024
Line 1:		Line 1:
	The below configuration is used for LDAP at RevSpace, written for and tested with ~~FreeRADIUS~~ 2.5.13. The paths are relative to the base configuration directory, e.g. <code>/etc/ldap</code>.		The below configuration is used for LDAP at RevSpace, written for and tested with OpenLDAP 2.5.13. The paths are relative to the base configuration directory, e.g. <code>/etc/ldap</code>.

	=<code>ldap.conf</code>=		=<code>ldap.conf</code>=

Shiz: Fix formatting on base configuration directory example

2024-04-07T10:53:22Z

Fix formatting on base configuration directory example

← Older revision		Revision as of 10:53, 7 April 2024
Line 1:		Line 1:
	The below configuration is used for LDAP at RevSpace, written for and tested with FreeRADIUS 2.5.13. The paths are relative to the base configuration directory, e.g. /etc/ldap.		The below configuration is used for LDAP at RevSpace, written for and tested with FreeRADIUS 2.5.13. The paths are relative to the base configuration directory, e.g. <code>/etc/ldap</code>.

	=<code>ldap.conf</code>=		=<code>ldap.conf</code>=

Shiz: Created page with "The below configuration is used for LDAP at RevSpace, written for and tested with FreeRADIUS 2.5.13. The paths are relative to the base configuration directory, e.g. /etc/ldap..."

2024-04-07T10:52:56Z

Created page with "The below configuration is used for LDAP at RevSpace, written for and tested with FreeRADIUS 2.5.13. The paths are relative to the base configuration directory, e.g. /etc/ldap..."

New page

The below configuration is used for LDAP at RevSpace, written for and tested with FreeRADIUS 2.5.13. The paths are relative to the base configuration directory, e.g. /etc/ldap.

=<code>ldap.conf</code>=
<pre>
# needed for anything using libldap
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERTDIR /etc/ssl/certs
</pre>

=<code>slapd.conf</code>=
<pre>
# Schemas.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/openssh-lpk.schema

# Server
pidfile /run/slapd/slapd.pid
include /etc/ldap/slapd/local.conf
security tls=1
disallow bind_anon
require LDAPv3 bind authc strong
loglevel none
moduleload deref.la
moduleload syncprov.la

# Database.
database ldif
suffix "dc=space,dc=revspace,dc=nl"
rootdn "cn=admin,dc=space,dc=revspace,dc=nl"
rootpw "{CRYPT}$6$rounds=42000$<EXPUNGED>"
directory /var/lib/ldap/data

password-hash {CRYPT}
password-crypt-salt-format "$6$rounds=42000$%.16s"

overlay deref

include /etc/ldap/slapd/db.replication.conf
include /etc/ldap/slapd/db.acl.conf
</pre>

=<code>slapd/</code>=

==<code>node.conf</code>==
<pre>
# per-server local node configuration
serverid 1
pidfile /run/slapd/slapd.pid
TLSCACertificateFile /var/lib/dehydrated/certs/ldap2.space.revspace.nl/fullchain.pem
TLSCertificateFile /var/lib/dehydrated/certs/ldap2.space.revspace.nl/cert.pem
TLSCertificateKeyFile /var/lib/dehydrated/certs/ldap2.space.revspace.nl/privkey.pem
# TLSCipherSuite SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC:!NULL
</pre>

==<code>db.replication.conf</code>==
<pre>
overlay syncprov

syncrepl rid=1
provider=ldaps://ldap2.space.revspace.nl
bindmethod=simple
binddn="cn=repl-ldap2,ou=services,dc=space,dc=revspace,dc=nl"
credentials="<EXPUNGED>"
searchbase="dc=space,dc=revspace,dc=nl"
schemachecking=on
type=refreshAndPersist
retry="60 +"

#syncrepl rid=2
# bindmethod=simple
# binddn="cn=repl-ldap2,ou=services,dc=space,dc=revspace,dc=nl"
# credentials="<EXPUNGED>"
# searchbase="dc=space,dc=revspace,dc=nl"
# schemachecking=on
# type=refreshAndPersist
# retry="60 +"

mirrormode on
</pre>

==<code>db.acl.conf</code>==
<pre>
# User-changeable attributes
access to dn.subtree="ou=people,dc=space,dc=revspace,dc=nl" attrs=sshPublicKey,userPassword,loginShell
by self write
by group="cn=board,ou=groups,dc=space,dc=revspace,dc=nl" write
by dn.exact="cn=sshpubkey,ou=services,dc=space,dc=revspace,dc=nl" write
by dn.exact="cn=shelldap-gateway,ou=services,dc=space,dc=revspace,dc=nl" write
by dn.exact="cn=ldap-sync-scriptje,ou=services,dc=space,dc=revspace,dc=nl" write
by dn.subtree="ou=services,dc=space,dc=revspace,dc=nl" read
by * auth
# Users
access to dn.subtree="ou=people,dc=space,dc=revspace,dc=nl"
by self read
by group="cn=board,ou=groups,dc=space,dc=revspace,dc=nl" write
by dn.exact="cn=shelldap-gateway,ou=services,dc=space,dc=revspace,dc=nl" write
by dn.exact="cn=ldap-sync-scriptje,ou=services,dc=space,dc=revspace,dc=nl" write
by dn.subtree="ou=services,dc=space,dc=revspace,dc=nl" read
by * auth
# Groups
access to dn.subtree="ou=groups,dc=space,dc=revspace,dc=nl"
by group="cn=board,ou=groups,dc=space,dc=revspace,dc=nl" write
by dn.subtree="ou=services,dc=space,dc=revspace,dc=nl" read
by * read
# Fallback
access to *
by group="cn=board,ou=groups,dc=space,dc=revspace,dc=nl" write
by * read
</pre>

=<code>schema/</code>=

==<code>rfc2307bis.schema</code>==
Taken from: https://github.com/jtyr/rfc2307bis/tree/4fb02fcfc5816e62716e34a9e27c506e2bedd9c8

<pre>
###
# Extracted from: http://tools.ietf.org/html/draft-howard-rfc2307bis-02
###

# Builtin
#attributeType ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
# DESC 'An integer uniquely identifying a user in an
# administrative domain'
# EQUALITY integerMatch
# ORDERING integerOrderingMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
# SINGLE-VALUE )

# Builtin
#attributeType ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
# DESC 'An integer uniquely identifying a group in an
# administrative domain'
# EQUALITY integerMatch
# ORDERING integerOrderingMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
# SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.2 NAME 'gecos'
DESC 'The GECOS field; the common name'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
DESC 'The absolute path to the home directory'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
DESC 'The path to the login shell'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributeType ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributeType ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
DESC 'Netgroup triple'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributeType ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
DESC 'Service port number'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
DESC 'Service protocol name'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributeType ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
DESC 'IP protocol number'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
DESC 'ONC RPC number'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
DESC 'IPv4 addresses as a dotted decimal omitting leading
zeros or IPv6 addresses as defined in RFC2373'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributeType ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
DESC 'IP network omitting leading zeros, eg. 192.168'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
DESC 'IP netmask omitting leading zeros, eg. 255.255.255.0'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
DESC 'MAC address in maximal, colon separated hex
notation, eg. 00:00:92:90:ee:e2'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributeType ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
DESC 'rpc.bootparamd parameter'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributeType ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
DESC 'Boot image name'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributeType ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
DESC 'Name of a generic NIS map'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )

attributeType ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
DESC 'A generic NIS entry'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024}
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
DESC 'NIS public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
DESC 'NIS secret key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
DESC 'NIS domain'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributeType ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
DESC 'automount Map Name'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
DESC 'Automount Key value'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

attributeType ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
DESC 'Automount information'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectClass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
DESC 'Abstraction of an account with POSIX attributes'
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
MAY ( userPassword $ loginShell $ gecos $
description ) )

objectClass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
DESC 'Additional attributes for shadow passwords'
MUST uid
MAY ( userPassword $ description $
shadowLastChange $ shadowMin $ shadowMax $
shadowWarning $ shadowInactive $
shadowExpire $ shadowFlag ) )

objectClass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
DESC 'Abstraction of a group of accounts'
MUST gidNumber
MAY ( userPassword $ memberUid $
description ) )

objectClass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
DESC 'Abstraction an Internet Protocol service.
Maps an IP port and protocol (such as tcp or udp)
to one or more names; the distinguished value of
the cn attribute denotes the services canonical
name'
MUST ( cn $ ipServicePort $ ipServiceProtocol )
MAY description )

objectClass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
DESC 'Abstraction of an IP protocol. Maps a protocol number
to one or more names. The distinguished value of the cn
attribute denotes the protocol canonical name'
MUST ( cn $ ipProtocolNumber )
MAY description )

objectClass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
DESC 'Abstraction of an Open Network Computing (ONC)
[RFC1057] Remote Procedure Call (RPC) binding.
This class maps an ONC RPC number to a name.
The distinguished value of the cn attribute denotes
the RPC service canonical name'
MUST ( cn $ oncRpcNumber )
MAY description )

objectClass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
DESC 'Abstraction of a host, an IP device. The distinguished
value of the cn attribute denotes the hosts canonical
name. Device SHOULD be used as a structural class'
MUST ( cn $ ipHostNumber )
MAY ( userPassword $ l $ description $
manager ) )

objectClass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
DESC 'Abstraction of a network. The distinguished value of
the cn attribute denotes the network canonical name'
MUST ipNetworkNumber
MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )

objectClass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
DESC 'Abstraction of a netgroup. May refer to other
netgroups'
MUST cn
MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )

objectClass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
DESC 'A generic abstraction of a NIS map'
MUST nisMapName
MAY description )

objectClass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
DESC 'An entry in a NIS map'
MUST ( cn $ nisMapEntry $ nisMapName ) )

objectClass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
DESC 'A device with a MAC address; device SHOULD be
used as a structural class'
MAY macAddress )

objectClass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
DESC 'A device with boot parameters; device SHOULD be
used as a structural class'
MAY ( bootFile $ bootParameter ) )

objectClass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
DESC 'An object with a public and secret key'
MUST ( cn $ nisPublicKey $ nisSecretKey )
MAY ( uidNumber $ description ) )

objectClass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
DESC 'Associates a NIS domain with a naming context'
MUST nisDomain )

objectClass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
MUST ( automountMapName )
MAY description )

objectClass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
DESC 'Automount information'
MUST ( automountKey $ automountInformation )
MAY description )

objectClass ( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' SUP top STRUCTURAL
DESC 'A group with members (DNs)'
MUST cn
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $
description $ member ) )
</pre>

==<code>openssh-lpk.schema</code>==
Taken from: https://www.nikhef.nl/pdp/files/packages/mkgroup-sshlpk/openssh-lpk.schema

<pre>
#
# LDAP Public Key Patch schema for use with openssh-ldappubkey
# Author: Eric AUGE <eau@phear.org>
#
# Based on the proposal of : Mark Ruijter
#

# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
DESC 'OpenSSH Public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
DESC 'OpenSSH LPK objectclass'
MUST uid
MAY sshPublicKey
)
</pre>

=<code>skel/</code>=

==<code>README</code>==
<pre>
LDIF files to import in case the complete LDAP data goes poof.

Use like:

for x in $(pwd)/*.ldif; do
su openldap -s /bin/sh -c "ldapadd -Q -Y EXTERNAL -H ldapi:/// -W -f $x"
done

After that programs like shelldap should work again.
</pre>

==<code>00-root.ldif</code>==
<pre>
dn: dc=space,dc=revspace,dc=nl
objectClass: top
objectClass: dcObject
objectClass: organization
o: RevSpace
</pre>

==<code>01-unit-services.ldif</code>==
<pre>
dn: ou=services,dc=space,dc=revspace,dc=nl
objectClass: top
objectClass: organizationalUnit
ou: services
</pre>

==<code>01-unit-groups.ldif</code>==
<pre>
dn: ou=groups,dc=space,dc=revspace,dc=nl
objectClass: top
objectClass: organizationalUnit
ou: groups
</pre>

==<code>01-unit-people.ldif</code>==
<pre>
dn: ou=people,dc=space,dc=revspace,dc=nl
objectClass: top
objectClass: organizationalUnit
ou: people
</pre>

LDAP/OpenLDAP configuration - Revision history

Shiz: s/FreeRADIUS/OpenLDAP/, whoops

Shiz: Fix formatting on base configuration directory example

Shiz: Created page with "The below configuration is used for LDAP at RevSpace, written for and tested with FreeRADIUS 2.5.13. The paths are relative to the base configuration directory, e.g. /etc/ldap..."