
Saturday, July 20, 2013

Openldap Replication- Multimaster

Below are the LDAP servers participating in the multimaster configuration. The operating system used is CentOS 6.3.
masterldap1.fireblade.com - 192.168.56.191
masterldap2.fireblade.com - 192.168.56.192
masterldap3.fireblade.com - 192.168.56.193


Install Openldap on all the machines (192.168.56.191, 192.168.56.192, 192.168.56.193)
# yum install openldap-*

Setup Openldap configuration environment
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap.ldap /var/lib/ldap/DB_CONFIG
# rm -rf /etc/openldap/slapd.d/*

Configure the Domain and set Manager password in all the systems.


# vim /etc/openldap/slapd.conf

database        bdb
suffix          "dc=fireblade,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=fireblade,dc=com"
rootpw          redhat

Save the above in all three servers.

Enable the syncprov module by uncommenting the following line in /etc/openldap/slapd.conf on all three servers:
moduleload syncprov.la
Save the configuration file.

Go to masterldap1.fireblade.com (192.168.56.191) and enter the below configuration at the end of the file.


################### REPLICATION CONFIGURATION ###################
serverID 001
syncrepl rid=000
 provider=ldap://192.168.56.192
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com"
 credentials=redhat


syncrepl rid=001
 provider=ldap://192.168.56.193
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com"
 credentials=redhat
index entryCSN eq
index entryUUID eq
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 10

Save the configuration.

Go to second server masterldap2.fireblade.com (192.168.56.192) and write the below configuration in /etc/openldap/slapd.conf at the end of it.
serverID 002
syncrepl rid=000
 provider=ldap://192.168.56.191
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com"
 credentials=redhat


syncrepl rid=001
 provider=ldap://192.168.56.193
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com"
 credentials=redhat
index entryCSN eq
index entryUUID eq
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 10

Save the above configuration.


Go to the third server masterldap3.fireblade.com (192.168.56.193) and write the below configuration at the end of the configuration file /etc/openldap/slapd.conf





serverID 003
syncrepl rid=000
 provider=ldap://192.168.56.191
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com"
 credentials=redhat

syncrepl rid=001
 provider=ldap://192.168.56.192
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 attrs="*,+"
 bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com"
 credentials=redhat
index entryCSN eq
index entryUUID eq
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 10

Save the configuration.

Start LDAP on all the servers by running the below command


# /etc/init.d/slapd start
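Once all three instances are up, an added check (not part of the post) that the mirror has converged: it compares the contextCSN values each provider reports for the suffix, using the addresses configured above, and assumes anonymous read of contextCSN is allowed (pass -D/-w to ldapsearch otherwise).

```python
# Added check for the three-way mirror configured above (not part of the post).
# A multimaster suffix carries one contextCSN value per serverID that has written to it;
# the mirror is converged when every provider holds the newest value for every serverID.
import re
import subprocess

BASE = "dc=fireblade,dc=com"
PROVIDERS = ["192.168.56.191", "192.168.56.192", "192.168.56.193"]
# CSN format: YYYYmmddHHMMSS.uuuuuuZ#change-count#serverID#modifier-count
CSN_RE = re.compile(r"^contextCSN:\s*(\d{14}\.\d{6}Z#[0-9a-f]{6}#([0-9a-f]{3})#[0-9a-f]{6})",
                    re.MULTILINE)

def parse_csns(ldif_text):
    """Map serverID -> contextCSN from the LDIF of a base-scope search on the suffix."""
    return {sid: csn for csn, sid in CSN_RE.findall(ldif_text)}

def fetch_csns(host):
    """Query one provider with ldapsearch (anonymous simple bind, plain ldap://)."""
    out = subprocess.run(["ldapsearch", "-LLL", "-x", "-H", "ldap://" + host, "-b", BASE,
                          "-s", "base", "contextCSN"], capture_output=True, text=True,
                         check=True).stdout
    return parse_csns(out)

def lagging(results):
    """results: {host: {serverID: csn}}. Returns {host: [serverID, ...]} for every host
    that lacks, or holds an older value than, the newest CSN seen for that serverID.
    CSNs start with a UTC timestamp, so plain string comparison orders them."""
    newest = {}
    for csns in results.values():
        for sid, csn in csns.items():
            newest[sid] = max(newest.get(sid, ""), csn)
    behind = {host: [sid for sid in sorted(newest) if csns.get(sid, "") < newest[sid]]
              for host, csns in results.items()}
    return {host: sids for host, sids in behind.items() if sids}

# Constructed sample: masterldap3 has not yet received masterldap2's latest write.
SAMPLE = {
    "192.168.56.191": "dn: dc=fireblade,dc=com\n"
                      "contextCSN: 20130720093000.000001Z#000000#001#000000\n"
                      "contextCSN: 20130720093500.000002Z#000000#002#000000\n",
    "192.168.56.192": "dn: dc=fireblade,dc=com\n"
                      "contextCSN: 20130720093000.000001Z#000000#001#000000\n"
                      "contextCSN: 20130720093500.000002Z#000000#002#000000\n",
    "192.168.56.193": "dn: dc=fireblade,dc=com\n"
                      "contextCSN: 20130720093000.000001Z#000000#001#000000\n"
                      "contextCSN: 20130720093100.000000Z#000000#002#000000\n",
}

def check_sample():
    """Run the comparison over the constructed sample."""
    return lagging({host: parse_csns(text) for host, text in SAMPLE.items()})

if __name__ == "__main__":
    live = {host: fetch_csns(host) for host in PROVIDERS}
    print(lagging(live) or "all providers converged")
```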

Openldap Replication with syncrepl

Syncrepl RefreshOnly Style replication
Theory
In refreshOnly replication the consumer initiates a connection to the provider, the DITs are synchronized, and the connection is closed. Periodically the consumer reconnects to the provider and resynchronizes. refreshOnly synchronization can be viewed as operating in burst mode; the replication cycle time is the time between reconnections.
Master LDAP server - ldap-master.fireblade.com - Provider
Slave LDAP server - ldap1.fireblade.com - Consumer

In the Provider LDAP ldap-master.fireblade.com configuration file add the below configuration and save.
# NOTE:
# the provider configuration contains no reference to any consumers
# define the provider to use the syncprov overlay
# (last directives in database section)
overlay syncprov
# allows contextCSN to be saved to the database every 100 updates or ten minutes
syncprov-checkpoint 100 10

In the Consumer LDAP ldap1.fireblade.com configuration add the below configuration and save.

# provider is ldap://ldap-master.fireblade.com:389, sync interval
# every 1 hour, whole DIT (searchbase), all user attributes synchronized
# simple security with cleartext password
# NOTE: comments inside the syncrepl directive are rejected by OpenLDAP
#       and are included only to carry further explanation. They MUST NOT
#       appear in an operational file
syncrepl rid=000
 provider=ldap://ldap-master.fireblade.com
 type=refreshOnly
 #re-connect/re-sync every hour (format dd:hh:mm:ss)
 interval=00:01:00:00
 retry="5 5 300 +"
 searchbase="dc=fireblade,dc=com"
 #both user (*) and operational (+) attributes required
 attrs="*,+"
 bindmethod=simple
 binddn="cn=Manager,dc=fireblade,dc=com"
 #Warning: password sent in clear - insecure
 credentials=dirtysecret

Restart ldap service in both Consumer and provider.


# service ldap restart 


Test the configuration by creating a new entry in the Provider.

Openldap Replication with Slurpd

Here I am using master-slave replication with slurpd. Below are the participating systems:
1. ldap-master.fireblade.com (Master Server)

2. ldap1.fireblade.com (client Server)

For replication to work properly, the master and slave systems must initially have exactly the same entries. Take a dump of all the entries on the master server using the below command and import it on the slave.


# slapcat > master.ldif 

Go to the slave ldap1.fireblade.com and import it using ldapadd.
# ldapadd -D "cn=Manager,dc=fireblade,dc=com" -W -x -f master.ldif
At this point both master and slave have exactly the same data. Let's start the replication configuration.

Open /etc/openldap/slapd.conf on the master server ldap-master.fireblade.com and add the below entries


# Replication will happen every 5 minutes
replicationinterval 300
# Keep the space in front of binddn as it is, because a leading space marks a
# continuation line of the replica directive
replica uri=ldap://ldap1.fireblade.com bindmethod=simple
 binddn="cn=manager,dc=fireblade,dc=com" credentials=redhat

save the configuration and exit the file.

Open /etc/openldap/slapd.conf on the slave server ldap1.fireblade.com and add the following entries.


updatedn "cn=manager,dc=fireblade,dc=com"
updateref ldap://ldap-master.fireblade.com:389

Save the configuration and restart the ldap service in both the server and client


# service ldap restart 

Test the configuration by creating a new user on the master server and checking whether it appears on the slave within 5 minutes.

Debugging
Start slapd and slurpd in debug mode to troubleshoot issues


# slapd -d 1 
# slurpd -d 1

Openldap referral

In Openldap we can delegate the responsibility for maintaining a particular part of the directory to another LDAP server. I am using two LDAP servers hosting the domain dc=fireblade,dc=com.


1. master-ldap.fireblade.com - 192.168.56.10
2. ldap1.fireblade.com - 192.168.56.21

In this scenario we are going to delegate all requests for ou=us,dc=fireblade,dc=com that arrive at master-ldap.fireblade.com to ldap1.fireblade.com.
On master-ldap.fireblade.com create a file new.ldif with the below entries. The ref attribute points at the delegated server.

dn: ou=us,dc=fireblade,dc=com
ref: ldap://ldap1.fireblade.com/ou=us,dc=fireblade,dc=com
ou: us
objectClass: referral
objectClass: extensibleObject
objectClass: top
Add the new entry to LDAP using the below command


# ldapadd -D "cn=Manager,dc=fireblade,dc=com" -W -x -f new.ldif


Go to the delegated server ldap1.fireblade.com, configure the domain fireblade.com in slapd.conf, and create the OU us and the user nagaraj under it.


# vi /etc/openldap/slapd.conf
suffix          "dc=fireblade,dc=com"
rootdn          "cn=Manager,dc=fireblade,dc=com"
rootpw          {SSHA}U0DavqxmDkhcPK9qpaJzxRM7r/GFtptM

Create the DIT using the following LDIF and add it with ldapadd
# vim add.ldif
dn: dc=fireblade,dc=com
objectclass: dcObject
objectclass: organization
o: fireblade.com
dc: fireblade

dn: ou=us,dc=fireblade,dc=com
objectClass: organizationalUnit
objectClass: top
ou: us

dn: cn=nagaraj,ou=us,dc=fireblade,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: nagaraj
gidNumber: 20001
homeDirectory: /home/nagaraj
sn: Sulthan Munaver
uid: nagaraj
uidNumber: 20000
manager: uid=suresh,ou=People,dc=fireblade,dc=com
telephoneNumber: 666677777777
userPassword:: e1NIQX1QSFo4UWEreEt0b1VBWkR0Z3RzLzJURGk3Nk09


# ldapadd -D "cn=Manager,dc=fireblade,dc=com" -W -x -f add.ldif


Now the ldap1.fireblade.com server is configured with cn=nagaraj,ou=us,dc=fireblade,dc=com




Please go to any other machine with Openldap client and search the nagaraj entry in master-ldap.fireblade.com using the below command.


# ldapsearch -C -h master-ldap.fireblade.com -x -b "ou=us,dc=fireblade,dc=com" "(uid=nagaraj)"

Even though the entry is not on master-ldap.fireblade.com, the referral makes the client (with -C) consult ldap1.fireblade.com and return the entry:


# ngaraj, us, fireblade.com
dn: cn=ngaraj,ou=us,dc=fireblade,dc=com
uid: nagaraj
gidNumber: 5010
sn: Nagraj Nagmangala
cn: ngaraj
homeDirectory: /home/nagraj
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
uidNumber: 5010

Configuring Multiple DIT in a Single server

Let's say we have one domain called fireblade.com and need to configure fireblade.net on the same server; follow the steps below.

Note: the fireblade.com domain already exists; we are configuring the fireblade.net domain in addition and adding an OU called people.
My LDAP server's hostname is
master-ldap1.fireblade.com - 192.168.56.22

Open the configuration file and define the second domain
# vim /etc/openldap/slapd.conf 
add the below lines.




database       bdb
suffix         "dc=fireblade,dc=net"
rootdn         "cn=Manager,dc=fireblade,dc=net"
rootpw         redhat
directory       /var/lib/ldap/firenix-net
The directory /var/lib/ldap/firenix-net must exist and be owned by ldap:ldap before LDAP is restarted.


index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub


Save and restart LDAP


# /etc/init.d/ldap restart

Create an LDIF called test.ldif

# vim test.ldif

dn: dc=fireblade,dc=net
dc: fireblade
description: Example Network Operations
objectClass: dcObject
objectClass: organization
o: Firenix, Inc.

dn: ou=people,dc=fireblade,dc=net
ou: people
description: All people in organisation
objectClass: organizationalUnit

Add the LDIF to the database


#  ldapadd -D "cn=Manager,dc=fireblade,dc=net" -W -x -f test.ldif



Now the server contains two domains fireblade.com and fireblade.net



Enjoy !!!

Openldap ACL Key word examples

Given a DIT containing the following entries:
   0: o=suffix
   1: cn=Manager,o=suffix
   2: ou=people,o=suffix
   3: uid=kdz,ou=people,o=suffix
   4: cn=addresses,uid=kdz,ou=people,o=suffix
   5: uid=hyc,ou=people,o=suffix
Then:
   dn.base="ou=people,o=suffix" matches 2;
   dn.one="ou=people,o=suffix" matches 3 and 5;
   dn.subtree="ou=people,o=suffix" matches 2, 3, 4, and 5; and
   dn.children="ou=people,o=suffix" matches 3, 4, and 5.

OpenLDAP group ACL

In this scenario all the members in a particular group can update the Directory server data.



Create a group called administrators with suresh as a member under "dc=fireblade,dc=com" using the following LDIF:
dn: cn=administrators,dc=fireblade,dc=com
objectClass: groupOfNames
cn: administrators
member: cn=suresh,ou=People,dc=fireblade,dc=com


LDIF for suresh is given below
dn: cn=suresh,ou=People,dc=fireblade,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
cn: suresh
gidNumber: 3001
homeDirectory: /home/suresh
sn: suresh
uid: suresh
uidNumber: 3000
userPassword:: e1NIQX1QSFo4UWEreEt0b1VBWkR0Z3RzLzJURGk3Nk09

Open the openldap configuration file and add the following configuration


access to dn.children="dc=fireblade,dc=com"
       by self write
       by group.exact="cn=administrators,dc=fireblade,dc=com" write
       by * auth


Save and exit the configuration and restart the service.
# /etc/init.d/ldap restart


Connect to LDAP as suresh and try to modify a field. You can now modify the fields.

Enjoy !!!!!

Openldap ACL Implementation

Giving Permission to change password for the authenticated current user
 
With this configuration only the currently authenticated user can change their own password. They cannot view or change other users' passwords.

Open /etc/openldap/slapd.conf
# vim /etc/openldap/slapd.conf
After the line rootdn          "cn=Manager,dc=fireblade,dc=com" enter the below configurations.
access to attrs=userPassword
    by self write
    by * auth
access to *
      by * read
Save the configuration and restart the openldap
# /etc/init.d/openldap restart



Giving permission to the Manager to update the fields of his employee




# vi /etc/openldap/slapd.conf
After the line rootdn "cn=Manager,dc=fireblade,dc=com" enter the below configuration.

access to dn.exact="uid=sulthan,ou=People,dc=fireblade,dc=com"
   attrs=carLicense,homePhone,mobile,pager,telephoneNumber
   by self write
   by set="this/manager & user" write
   by * read

Save the configuration file and restart ldap using the below command
# /etc/init.d/ldap restart


NOTE: Create the user sulthan with objectClass inetOrgPerson and suresh as his manager using any LDAP client, such as Apache Directory Studio.

LDIF for both sulthan and suresh are given below.
dn: cn=sulthan,ou=People,dc=fireblade,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: sulthan
gidNumber: 20001
homeDirectory: /home/smunaver
sn: Sulthan Munaver
uid: sulthan
uidNumber: 20000
manager: uid=suresh,ou=People,dc=fireblade,dc=com
telephoneNumber: 666677777777
userPassword:: e1NIQX1QSFo4UWEreEt0b1VBWkR0Z3RzLzJURGk3Nk09


dn: cn=suresh,ou=People,dc=fireblade,dc=com
objectClass: posixAccount
objectClass: top
objectClass: person
cn: suresh
gidNumber: 3001
homeDirectory: /home/suresh
sn: suresh
uid: suresh
uidNumber: 3000
userPassword:: e1NIQX1QSFo4UWEreEt0b1VBWkR0Z3RzLzJURGk3Nk09

Suresh is the Manager for Sulthan and he can update the fields such as carLicense,homePhone,mobile,pager,telephoneNumber.
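As an added example, not OpenLDAP code and not from the post, here is a small Python model of how slapd evaluates the password, group and manager ACLs above, together with the dn.base/one/subtree/children styles from the key word section: the first access clause whose target matches is used, and within it the first matching by clause sets the level. It assumes the real DNs the post's LDIFs create (cn=sulthan,... and cn=suresh,...) for the dn.exact target and the manager attribute, because the uid= forms in the post do not match those entries.

```python
# Added model of slapd.conf access evaluation (not OpenLDAP code, not from the post).
# Simplified: DNs are compared lower-cased with blanks trimmed; escaped commas are not handled.

def norm(dn):
    """Normalise a DN for comparison."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def scope_match(style, target, entry):
    """dn.base (alias dn.exact), dn.one, dn.subtree and dn.children from the key word section."""
    t, e = norm(target), norm(entry)
    under = e.endswith("," + t)                       # entry lies somewhere below target
    return {"base": e == t, "exact": e == t, "subtree": e == t or under, "children": under,
            "one": under and "," not in e[: -len(t) - 1]}[style]   # one: exactly one RDN below

# Constructed directory with only the ACL-relevant attributes from the page's LDIFs.
# Assumption: the manager value and the dn.exact target are the entries' real DNs (cn=...);
# the uid= forms in the post never equal those DNs, so neither clause could match with them.
SULTHAN = "cn=sulthan,ou=People,dc=fireblade,dc=com"
SURESH = "cn=suresh,ou=People,dc=fireblade,dc=com"
DIRECTORY = {SULTHAN: {"manager": [SURESH]}, SURESH: {},
             "cn=administrators,dc=fireblade,dc=com": {"member": [SURESH]}}

def who_matches(who, bound, entry_dn):
    """One <who> clause; bound is the bind DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "self":
        return bound is not None and norm(bound) == norm(entry_dn)
    kind, arg = who if isinstance(who, tuple) else (who, None)
    if kind == "group.exact":                         # member values of the named group entry
        values = DIRECTORY.get(arg, {}).get("member", [])
    elif kind == "set" and arg == "this/manager & user":  # the one set expression the post uses
        values = DIRECTORY.get(entry_dn, {}).get("manager", [])
    else:
        raise ValueError(f"unsupported <who> clause: {who}")
    return bound is not None and norm(bound) in [norm(v) for v in values]

def access_level(rules, bound, entry_dn, attr):
    """First 'access to' clause whose target matches wins; inside it, the first matching 'by'
    clause sets the level. No match anywhere means 'none' (slapd's implicit final rule)."""
    for rule in rules:
        if "dn" in rule and not scope_match(*rule["dn"], entry_dn):
            continue
        if "attrs" in rule and attr not in rule["attrs"]:
            continue
        return next((lvl for who, lvl in rule["by"] if who_matches(who, bound, entry_dn)), "none")
    return "none"

# The post's three ACL sets, transcribed as data in slapd.conf order
PASSWORD_ACL = [{"attrs": {"userPassword"}, "by": [("self", "write"), ("*", "auth")]},
                {"by": [("*", "read")]}]
GROUP_ACL = [{"dn": ("children", "dc=fireblade,dc=com"), "by": [
    ("self", "write"), (("group.exact", "cn=administrators,dc=fireblade,dc=com"), "write"),
    ("*", "auth")]}]
MANAGER_ACL = [{"dn": ("exact", SULTHAN),
                "attrs": {"carLicense", "homePhone", "mobile", "pager", "telephoneNumber"},
                "by": [("self", "write"), (("set", "this/manager & user"), "write"), ("*", "read")]}]
```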

Enabling logging in Openldap

To enable logging in Openldap follow the steps given below.
# vim /etc/openldap/slapd.conf
Add the below line
loglevel 256
Save the file
Restart ldap
# service ldap restart
Open /etc/syslogd.conf
# vi /etc/syslogd.conf
Add the line at the end of the file
local4.*   /var/log/openldap.log
Create the file /var/log/openldap.log
# touch /var/log/openldap.log
Save the file
Restart Syslog
# service syslog restart
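With loglevel 256 and the syslog rule above, /var/log/openldap.log receives one stats line per connection, operation and result. As an added example (not from the post), a small parser that turns those lines into a count of failed binds per client and DN, the first thing to look at when checking the log for password guessing; the sample lines are constructed in slapd's stats format with made-up hosts, IPs and DNs.

```python
# Added example, not from the post: summarise failed binds from the stats lines that
# loglevel 256 produces and the syslog rule above sends to /var/log/openldap.log.
import re
from collections import Counter

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
BIND_RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

def failed_binds(lines):
    """Count (client IP, bind DN) pairs whose bind RESULT carries err=49 (invalidCredentials).
    tag=97 is the BindResponse, so search results (tag=101) on the same connection are
    ignored. Lines from different connections interleave, so state is kept per conn/op."""
    ip_of, pending, failures = {}, {}, Counter()
    for line in lines:
        if m := ACCEPT_RE.search(line):
            ip_of[m[1]] = m[2]
        elif m := BIND_RE.search(line):
            pending[(m[1], m[2])] = m[3]
        elif m := BIND_RESULT_RE.search(line):
            dn = pending.pop((m[1], m[2]), None)
            if dn is not None and m[3] == "49":
                failures[(ip_of.get(m[1], "unknown"), dn or "<anonymous>")] += 1
    return failures

def noisy_clients(lines, threshold=2):
    """Client IPs with at least `threshold` failed binds, the usual guessing signal."""
    per_ip = Counter()
    for (ip, _dn), n in failed_binds(lines).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

# Constructed sample in slapd's stats format; hosts, IPs and DNs are made up.
SAMPLE_LOG = """\
Jul 20 10:00:01 masterldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.168.56.50:41234 (IP=0.0.0.0:389)
Jul 20 10:00:01 masterldap1 slapd[1234]: conn=1000 op=0 BIND dn="cn=suresh,ou=People,dc=fireblade,dc=com" method=128
Jul 20 10:00:01 masterldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jul 20 10:00:02 masterldap1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=192.168.56.60:50000 (IP=0.0.0.0:389)
Jul 20 10:00:02 masterldap1 slapd[1234]: conn=1000 op=1 BIND dn="cn=suresh,ou=People,dc=fireblade,dc=com" method=128
Jul 20 10:00:02 masterldap1 slapd[1234]: conn=1001 op=0 BIND dn="cn=Manager,dc=fireblade,dc=com" method=128
Jul 20 10:00:02 masterldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Jul 20 10:00:02 masterldap1 slapd[1234]: conn=1000 op=1 RESULT tag=97 err=49 text=
Jul 20 10:00:03 masterldap1 slapd[1234]: conn=1001 op=1 SRCH base="dc=fireblade,dc=com" scope=2 deref=0 filter="(uid=nagaraj)"
Jul 20 10:00:03 masterldap1 slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
""".splitlines()

if __name__ == "__main__":
    for (ip, dn), n in failed_binds(SAMPLE_LOG).most_common():
        print(f"{n} failed bind(s) from {ip} as {dn}")
    print("clients over threshold:", noisy_clients(SAMPLE_LOG))
```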


Enjoy !!!!!

Directory Server Components

1. The main process of Directory Server is ns-slapd.
2. It is made up of a front end, which handles network communication, and an extensible set of components that contain the basic server functions.
3. The database is Sleepycat Berkeley DB.
4. Red Hat management console. To start the management console:
# centos-idm-console
5. Red Hat administration server, which can start, stop and restart the directory server and view its log files.
6. The administration server runs as the httpd.worker process.

Configuring SSL in LDAP server

Operating System used: Centos 6.3

Install Openldap by running the below command.


# yum install openldap-*

Copy slapd.conf file to the required location /etc/openldap
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
Copy DB_CONFIG to the required location
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Change the ownership by running the below command
# chown ldap.ldap /var/lib/ldap/DB_CONFIG

Open the main LDAP configuration file and set up the domain and Manager password.
# vim /etc/openldap/slapd.conf
database        bdb
suffix          "dc=fireblade,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=fireblade,dc=com"
rootpw          redhat
Save the configuration file and start ldap. LDAP will now start in plain (non-SSL) mode on port 389.


# /etc/init.d/slapd restart
OPENLDAP with SSL

Open the configuration file and add the following TLS settings.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile /etc/openldap/certs/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/certs/slapdkey.pem

Go to /etc/openldap/certs and create the required certificates


# cd /etc/openldap/certs 
# openssl req -new -x509 -nodes -out /etc/openldap/certs/slapdcert.pem -keyout /etc/openldap/certs/slapdkey.pem -days 365


Fill in the required details during certificate creation
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Kerala
Locality Name (eg, city) [Default City]:Cochin
Organization Name (eg, company) [Default Company Ltd]:FIREBLADE
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:fireblade
Email Address []:admin@fireblade.com
Clients that verify the certificate expect the Common Name to match the server's hostname.

Start LDAPS by running the below command. On CentOS 6 slapd only listens on port 636 when SLAPD_LDAPS=yes is set in /etc/sysconfig/ldap.


# /etc/init.d/slapd restart


Confirm LDAP is running in the SSL mode by running the below command.


# netstat -ntlp | grep 636

Installing Centos Directory Server

 

Installing Centos-Directory-Server and initial login.
DNS should be properly configured

Add following file to /etc/yum.repos.d/
# vim CentOS-Testing.repo
[c5-testing]
name=CentOS-5 Testing 
baseurl=http://dev.centos.org/centos/$releasever/testing/$basearch/
enabled=0
gpgcheck=1
gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing
Save the file and exit

Install the directory server using yum
# yum install centos-ds

Install Supported rpm
# yum install xorg-x11-xauth bitstream-vera-fonts dejavu-lgc-fonts urw-fonts

Setting up java
# mv /usr/bin/java /usr/bin/java_old

Download the latest version of Java from Sun to /opt and install it


# cd /opt
# tar xvzf jdk-7u5-linux-i586.tar.gz
# vim /etc/profile
Add the following lines:
JAVA_HOME=/opt/jdk1.7.0_05
export JAVA_HOME
PATH=$PATH:$HOME/bin:$JAVA_HOME/bin
export PATH
Save and exit the file
# source /etc/profile

Configure the directory server using the following command
#  setup-ds-admin.pl 

After configuration start the services
# /etc/init.d/dirsrv start 
# /etc/init.d/dirsrv-admin start

Open Directory server administration console
# centos-idm-console
Login with the following details in login prompt.
cn=Directory Manager
password=**********
Administration url=http://localhost:9830
If you want to remove the initial configuration and reconfigure it, the instance files are in the following locations:
Log files              /var/log/dirsrv/slapd-instance
Configuration files    /etc/dirsrv/slapd-instance
Instance directory     /usr/lib/dirsrv/slapd-instance
Database files         /var/lib/dirsrv/slapd-instance

Enjoy !!!!!!

 

Thursday, March 10, 2011

LDAP ERROR

[root@test1 ~]# /etc/init.d/ldap start
Stopping slapd: [ OK ]
Checking configuration files for slapd: bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix dc=example,dc=internal.
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]


If you get an error while starting ldap for the first time, do the following.

[root@fedora ~]# rm -rf /var/lib/ldap/*

[root@fedora ~]# updatedb

[root@fedora ~]# locate DB_CONFIG.example
/usr/share/doc/openldap-servers-2.4.12/DB_CONFIG.example

[root@test ~]# cp /usr/share/doc/openldap-servers-2.4.12/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@fedora ~]# chown -R ldap:ldap /var/lib/ldap


Restart now and the error should be resolved.

[root@fedora ~]# /etc/init.d/ldap restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]