Today a small blog post to explain how I have set up my openldap server at home for authentication.
It is not a detailed explanation, but it should give you a good start if you can do some
thinking yourself.
For this setup I had the following requirements:
- The data between the ldap server and the client should be encrypted.
- Access should be restricted to given hosts. That is, a user who has access on machine A
may not have access on machine B by default.
- Sudo rights should also be managed by openldap.
First I had to install the openldap-server port with:
cd /usr/ports/net/openldap23-server
make install clean
And of course I had to enable it in /etc/rc.conf by adding the lines:
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldaps://192.168.0.80/ ldap://127.0.0.1/"'
slapd_sockets="/var/run/openldap/ldapi"
Then I had to edit my /usr/local/etc/openldap/slapd.conf configuration file:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/ldapns.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/sudo.schema
The above lines include all the necessary ldap schemas. Note that sudo.schema
should be taken from the installation of the sudo port and copied to the openldap/schema directory.
The ldapns.schema is needed for limiting users to hosts. This schema can be found
here.
The next settings we need in slapd.conf are the access rights. I use two users to
do more than authenticate against the ldap server: Manager and nss. This gives me the
following access settings (the by clauses are evaluated in order, and whatever is not
matched falls through to slapd's implicit "by * none", so anonymous clients can bind
but not read the directory):
access to attrs=userPassword
by dn="cn=Manager,dc=jeroen,dc=se" write
by anonymous auth
by * none
access to *
by dn="cn=Manager,dc=jeroen,dc=se" write
by dn="uid=nss,dc=jeroen,dc=se" read
by anonymous auth
And the last settings I had to make in the slapd.conf file were the rootdn and the
initial password for the root user (Manager); the {SSHA} value is generated with slappasswd:
rootdn "cn=Manager,dc=jeroen,dc=se"
rootpw {SSHA}9cyD+AfBLx0jvSSL7iJ7tMMB4hl2mN0P
And the settings for SSL, which assume your certificate and key are in /usr/local/etc/openldap/ssl/server.pem:
#TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /usr/local/etc/openldap/ssl/server.pem
TLSCertificateFile /usr/local/etc/openldap/ssl/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.pem
TLSVerifyClient never
The rest of the settings in slapd.conf were left to their default value. So I then started slapd with
/usr/local/etc/rc.d/slapd start
That is basically all you have to do to get slapd running. I used the following ldif file
to get the initial data into the ldap server (note that LDIF entries must be separated by
a blank line, otherwise ldapadd will refuse the second dn):
dn: dc=jeroen,dc=se
objectclass: dcObject
objectclass: organization
o: jeroen dot se
dc: jeroen

dn: cn=Manager,dc=jeroen,dc=se
objectclass: organizationalRole
cn: Manager
After this I used phpldapadmin to fill my ldap server with more data. I will
post the configuration I use on the clients in the coming days.
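To show what the ldapns.schema and sudo.schema entries look like once the server is filled, and how the two requirements (host restriction, sudo in ldap) are evaluated on the client side, here is an added Python example that is not part of this post. It parses a constructed LDIF with one account carrying host values (the hostObject auxiliary class from ldapns.schema) and one sudoRole entry (sudo.schema), then applies the matching rules as I understand pam_ldap and sudo's ldap backend apply them; the DNs, hostnames and the account name are made-up sample data.

```python
# Constructed sample data (not from the post): one account limited to two
# hosts via the ldapns.schema "host" attribute, plus one sudoRole entry from
# sudo.schema. Note the blank line that separates the two LDIF entries.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=test
objectClass: posixAccount
objectClass: hostObject
uid: alice
host: machine-a
host: machine-c

dn: cn=alice-reboot,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
cn: alice-reboot
sudoUser: alice
sudoHost: machine-a
sudoCommand: /sbin/reboot
"""


def parse_ldif(text):
    """Split LDIF into blank-line-separated entries of attr -> [values]."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def may_login(entry, hostname):
    """Host restriction as pam_ldap applies it (assumed convention): the
    account needs a "host" value equal to this machine's name, or "*"."""
    hosts = entry.get("host", [])
    return hostname in hosts or "*" in hosts


def sudo_allowed(entries, user, hostname, command):
    """Match sudoRole entries the way sudo's ldap backend does: the role must
    name the user, and "ALL" is the wildcard for sudoHost and sudoCommand."""
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        hosts, cmds = e.get("sudoHost", []), e.get("sudoCommand", [])
        if (user in e.get("sudoUser", [])
                and (hostname in hosts or "ALL" in hosts)
                and (command in cmds or "ALL" in cmds)):
            return True
    return False
```

With this data alice can log in on machine-a and machine-c but not machine-b, and may run /sbin/reboot through sudo only on machine-a.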