Installing an OpenLDAP Server on a NetBSD VPS

Note: This tutorial assumes you’ve already followed the NetBSD on SDF VPS tutorial to set up networking, the time zone and pkgsrc using the SDF VPS pkgsrc.

An LDAP server can be used for an endless number of things. Essentially, LDAP is a protocol for reading and writing a hierarchical database of objects, each object being a set of typed attributes. Common uses include authentication and authorisation, host management, a backend for Kerberos, a backend for a DHCP server, a shared address book and forming part of some public key infrastructures.

In this tutorial, I will be setting up the LDAP server to provide authorisation and authentication for a Unix-like client, but the first few stages are the same for almost any application of LDAP.

The OpenLDAP server is available in the SDF VPS pkgsrc and so the software is already installed, but does require some configuration.

Jargon and Tools

  • OpenLDAP
    • The LDAP server that will be used
  • Suffix
    • The suffix appended to the names of all LDAP objects, normally derived from the organisation's DNS domain name
  • Root DN
    • The administrative user of the server, with read and write access to all data objects. The password for this user should be kept secure
  • slapd
    • The name of the executable of the OpenLDAP server
  • slappasswd
    • The name of the executable tool used for creating password hashes
  • pwd_mkdb
    • The name of the executable tool that generates the password databases

Initial Setup

To begin with, we’ll create the chroot environment. Whilst the OpenLDAP server is running, this is the only part of the file system it will be able to see.

The first step is to create the directories and copy the initial configuration that comes from pkgsrc.

# mkdir /var/chroot/openldap
# mkdir /var/chroot/openldap/etc /var/chroot/openldap/var
# cp -r /usr/pkg/etc_example/openldap /var/chroot/openldap/etc/
# cp -r /usr/pkg/var/openldap /var/chroot/openldap/var/

The next step is to create the user and group that the server will run as, and allow for this information to be available in the chroot.

# groupadd -g 17 slapd
# useradd -u 17 -g 17 -d /var/chroot/openldap slapd
# grep '^slapd:' /etc/master.passwd > /var/chroot/openldap/etc/master.passwd
# pwd_mkdb -d /var/chroot/openldap /var/chroot/openldap/etc/master.passwd
# grep '^slapd:' /etc/group > /var/chroot/openldap/etc/group

No password is set for the slapd user: when useradd is given no password it leaves the password field locked, so nobody can log in as that user, which is exactly what we want for a service account.

Finally, set the ownership and permissions so that slapd can reach its data while nothing else can. The configuration deserves the same care: slapd.conf will shortly hold the root DN password hash, so it should be readable by the slapd user only (mode 0600).

# chown -R slapd:slapd /var/chroot/openldap
# chmod -R 700 /var/chroot/openldap/var/openldap/openldap-data

Initial Configuration

The next stage involves editing some configuration files so that paths are correct within the chroot and the chroot is enabled with the correct user and group.

This step also includes setting the password for the root DN (Distinguished Name), the LDAP administrative user.

Begin by creating a hash of the password you wish to use for the root DN. This should be a secure password, as the root DN can read and write to the database, regardless of any access restrictions that we set up later on. The slappasswd tool is used to do this.

# slappasswd -s 'reallysecurepassword'
{SSHA}1LuiLGmSO+EoPA0uk80v4TC5xwacBOWg

Note: The -s flag tells slappasswd to take the secret from the command line, where it is visible in the process list and ends up in your shell history. Run slappasswd without any arguments and it prompts for the password on the terminal instead, which avoids both.
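The {SSHA} value slappasswd prints is nothing more than base64 over a SHA-1 digest and a short salt, which is worth knowing when you have to check a hash you were handed or produce one on a machine that has no slappasswd. The following Python is an added example written for this page; it is not code from the tutorial or from OpenLDAP, but it implements the same {SSHA} scheme that slappasswd uses by default (plus unsalted {SHA} and cleartext, which slapd also accepts in userPassword), so its output can be pasted into rootpw or a userPassword attribute.

```python
"""Generate and verify OpenLDAP {SSHA} password values.

Added example, not part of the original tutorial or of OpenLDAP itself.
slappasswd's default scheme is {SSHA}: base64(SHA1(password || salt) || salt)
with a 4-byte random salt. A value produced here can be pasted into rootpw
or a userPassword attribute, and a slappasswd result can be checked here.
"""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; whatever follows it is the salt


def ssha_hash(password, salt=None):
    """Return a {SSHA} string for password; salt defaults to 4 random bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(password, stored):
    """Check password against a rootpw/userPassword value.

    Accepts {SSHA} (salted) and {SHA} (unsalted) values and, because slapd
    compares them too, cleartext values with no {scheme} prefix. Comparisons
    are constant-time so the check leaks nothing about the stored value.
    """
    candidate = password.encode("utf-8")
    if not stored.startswith("{"):
        return hmac.compare_digest(candidate, stored.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in ("SSHA", "SHA"):
        raise ValueError("unsupported password scheme {%s}" % scheme)
    raw = base64.b64decode(b64)
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN or (scheme == "SHA" and salt):
        raise ValueError("malformed {%s} value" % scheme)
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


if __name__ == "__main__":
    value = ssha_hash("reallysecurepassword")
    print(value)
    print(verify_userpassword("reallysecurepassword", value))
```

{SSHA} is salted, which stops precomputed tables, but SHA-1 is fast, so a leaked hash of a weak password will not survive long against a guessing attack. If your slapd was built with crypt support, slappasswd -h '{CRYPT}' together with a slow crypt salt format in slapd.conf is the better choice; either way, the root DN password should be long and random.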

You should copy the whole line to your clipboard as we will need it shortly. Then open up /var/chroot/openldap/etc/openldap/slapd.conf in your favorite editor.

The first three lines that need changing are near the top of the file. They start with include, pidfile and argsfile and have a path to a file following them. These paths point to the read-only filesystem of the SDF VPS pkgsrc and not our chroot, so they should be changed like so:

include         /etc/openldap/schema/core.schema
[...SNIPPED...]
pidfile         /var/openldap/run/slapd.pid
argsfile        /var/openldap/run/slapd.args

Next, we’ll need to set the suffix, the root DN, and the password for the root DN. The suffix is normally formed from your domain name. In this example, the domain name is shiftout.org, and so the suffix should be dc=shiftout,dc=org. The suffix should then be copied onto the end of the root DN, so in this example, it becomes: cn=manager,dc=shiftout,dc=org. For the root DN’s password, replace secret with the string you copied to your clipboard earlier.

suffix          "dc=shiftout,dc=org"
rootdn          "cn=manager,dc=shiftout,dc=org"
[...SNIPPED...]
rootpw          {SSHA}1LuiLGmSO+EoPA0uk80v4TC5xwacBOWg

Then there is one final path to modify. This is the directory that OpenLDAP uses for storing its data. Currently, it is set to point at the read-only SDF VPS pkgsrc, so this needs to be changed.

directory       /var/openldap/openldap-data

The final step before running the server for the first time is to configure the rc scripts. These allow for the server to be started on boot.

First, copy the example rc script for slapd into the /etc/rc.d directory.

# cp /usr/pkg/share/examples/rc.d/slapd /etc/rc.d/

Then edit the new file /etc/rc.d/slapd with your favorite editor.

There are two lines to edit here. The line that gives the path of the slapd binary can stay as it is: the program is executed from the read-only pkgsrc filesystem before it chroots itself, so only the configuration and the data store had to be moved.

The first line that needs to be edited is the location of the configuration file, which should look like this:

required_files="/var/chroot/openldap/etc/openldap/${name}.conf"

The second line is the command line arguments that are passed to “slapd” when it is started. This should look like:

command_args="-u slapd -g slapd -r /var/chroot/openldap/ -f /etc/openldap/slapd.conf"

The -u and -g flags specify the user and group that slapd should run as. The -r flag tells slapd where to chroot, and the -f flag tells slapd where to find the configuration file. slapd chroots and drops privileges before it reads any configuration, which is why the -f path does not include /var/chroot/openldap and why the configuration must be readable by the slapd user, which the chown earlier took care of. If the rc script also sets a pidfile= variable, that path must be the one seen from outside the chroot, /var/chroot/openldap/var/openldap/run/slapd.pid, or /etc/rc.d/slapd stop will not find the process.

Finally, it is necessary to enable slapd in the rc.conf file.

# echo "slapd=YES" >> /etc/rc.conf

You can edit the file manually and add this line if you would like to keep your rc.conf organized in some way.

Testing

Before starting slapd as a daemon, it is wise to run it once in debug mode with the same arguments the rc script will use, so that any configuration error shows up on the terminal. -d 255 sets a verbose debug level; any -d option keeps slapd in the foreground, writing its messages to stderr.

# /usr/pkg/libexec/slapd -u slapd -g slapd -r /var/chroot/openldap/ -f /etc/openldap/slapd.conf -d 255

If you see something similar to:

502c06bd slapd starting
502c06bd daemon: added 4r listener=0x0
502c06bd daemon: added 6r listener=0x7f7ffc427180
502c06bd daemon: added 7r listener=0x7f7ffc427240
502c06bd daemon: select: listen=6 active_threads=0 tvp=NULL
502c06bd daemon: select: listen=7 active_threads=0 tvp=NULL
502c06bd daemon: activity on 1 descriptor
502c06bd daemon: waked
502c06bd daemon: select: listen=6 active_threads=0 tvp=NULL
502c06bd daemon: select: listen=7 active_threads=0 tvp=NULL

then slapd has started successfully with your configuration. Press Ctrl+C to stop it. From now on you can start and stop the server as a daemon with /etc/rc.d/slapd start and /etc/rc.d/slapd stop, just like other daemons on NetBSD.

Note: From this point, configuration will become specific to providing authentication and authorization services for Unix-like clients. If you’re looking to use LDAP for another application, hopefully you’ve got to a point where a more generalized tutorial is able to help you.

Including extra schemata

Three schemata will need to be used by slapd to enable you to store objects representing users and groups.

  • cosine.schema
    • Includes “generally useful” objects and attributes (sic)
  • nis.schema
    • Includes the RFC 2307 objects and attributes (posixAccount, shadowAccount, posixGroup and friends) that carry the fields of the Unix passwd, shadow and group files
  • inetorgperson.schema
    • Includes objects and attributes for representing contact information and organizational information

These files are included by adding the following three lines underneath the first include we changed earlier in the /var/chroot/openldap/etc/openldap/slapd.conf file:

/var/chroot/openldap/etc/openldap/slapd.conf
  include         /etc/openldap/schema/cosine.schema
  include         /etc/openldap/schema/nis.schema
  include         /etc/openldap/schema/inetorgperson.schema

At the end of this file, we’ll also add an index for uid, the attribute every login looks up. A search on an attribute that has no index still returns the right answer, but slapd has to scan the whole database to find it and logs a “not indexed” warning each time, so this matters as soon as the directory holds more than a handful of entries. Because the database is still empty, nothing needs to be re-indexed.

index           uid         eq

Configuring ACLs

The access directives in the sample /var/chroot/openldap/etc/openldap/slapd.conf are a workable starting point for authentication and authorization, so this step is just a matter of un-commenting them. Be clear about what they grant, though. Without any access directives slapd lets everyone read everything. With these, anonymous clients may only bind; any authenticated user may read every attribute of every entry, including userPassword hashes; and each user may write every attribute of their own entry, which for a posixAccount includes uidNumber and gidNumber. That is acceptable while you are the only user and should be tightened before anyone else gets an account.

/var/chroot/openldap/etc/openldap/slapd.conf
  access to dn.base="" by * read
  access to dn.base="cn=Subschema" by * read
  access to *
          by self write
          by users read
          by anonymous auth
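As an added example (the editor's own, not the pkgsrc sample configuration), here is a tighter set of access directives for the same deployment. It keeps the three rules above but puts attribute-specific rules in front of the catch-all, so that password hashes can never be read back and the attributes that decide a user's Unix identity are not self-writable. slapd evaluates access directives in order and applies the first one whose target matches, so the order is significant.

```conf
# Added example: tighter ACLs for the user/group directory set up on this page.
# Not from the pkgsrc sample slapd.conf. Order matters: the first "access to"
# whose target matches an attribute decides, so specific rules go first.

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

# Password hashes: the owner may change them, anyone may bind with them,
# nobody (not even the owner) may read them back.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Attributes that decide Unix identity and login behaviour: readable by
# authenticated users, writable only by the root DN (which bypasses ACLs).
access to attrs=uidNumber,gidNumber,homeDirectory,loginShell
        by users read
        by * none

# Everything else: the owner may update their own entry, authenticated
# users may read, anonymous clients may only bind.
access to *
        by self write
        by users read
        by anonymous auth
```

Anonymous clients still get the auth access they need to bind, exactly as with the sample rules, so nothing changes for ldapwhoami or for a client that binds as the user. A client that has to enumerate accounts without a user's credentials (an NSS module, for instance) needs its own bind DN with read access under either set of rules, since neither grants anonymous read.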

A second test

To ensure that no errors have been made while configuring, it would be a good idea now to run slapd again with the debug option. Any errors will be apparent in the output if they have occurred.

# /usr/pkg/libexec/slapd -u slapd -g slapd -r /var/chroot/openldap/ -f /etc/openldap/slapd.conf -d 255

Importing data

Assuming you’ve got this far with no problems, it’s time to import some data. Bulk data goes into and out of an OpenLDAP server as LDIF (LDAP Data Interchange Format), a plain-text format in which each entry is a dn: line followed by its attributes, with entries separated by blank lines. Once this initial import is done, further changes can also be made through graphical clients.

Copy the following example into a text file:

  # Create top-level object in domain
  dn: dc=shiftout,dc=org
  objectClass: top
  objectClass: dcObject
  objectClass: organization
  o: shiftOut
  dc: shiftout
  description: shiftOut

  dn: ou=people,dc=shiftout,dc=org
  objectClass: organizationalUnit
  ou: people

  dn: ou=groups,dc=shiftout,dc=org
  objectClass: organizationalUnit
  ou: groups

  dn: uid=irl,ou=people,dc=shiftout,dc=org
  objectClass: inetOrgPerson
  objectClass: posixAccount
  objectClass: shadowAccount
  uid: irl
  sn: Learmonth
  givenName: Iain
  cn: Iain Learmonth
  displayName: Iain R. Learmonth
  uidNumber: 2000
  gidNumber: 2000
  userPassword: password
  gecos: Iain R. Learmonth
  loginShell: /bin/bash
  homeDirectory: /home/irl
  shadowExpire: -1
  shadowFlag: 0
  shadowWarning: 7
  shadowMin: 8
  shadowMax: 999999
  shadowLastChange: 10877
  mail: irl@sdf.org
  homePhone: +1 (206) 299 2120 x1388
  title: System Administrator
  initials: IRL

  dn: cn=irl,ou=groups,dc=shiftout,dc=org
  objectClass: posixGroup
  cn: irl
  gidNumber: 2000
The following is used in this example:

  • Suffix: dc=shiftout,dc=org
  • Initial user: irl
  • Organisation name: shiftOut

These three values must be changed to match your own suffix, user and organisation, and the names, contact details and numeric IDs obviously need changing too. Two things to get right: the user's gidNumber must match the gidNumber of a posixGroup entry (2000 here), and userPassword is stored exactly as written, so replace the cleartext value used in this example with a {SSHA} hash produced by slappasswd, which slapd will accept for binds.
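Hand-editing LDIF for more than one or two accounts is where mistakes creep in: a uidNumber reused between users, a primary group that has no posixGroup entry, a password left in cleartext, or a shadowLastChange nobody knows how to compute. The following Python is an added example, not code from this page; it builds the same three-level structure (domain object, ou=people, ou=groups, then users and groups) from a small table and refuses to emit LDIF until those checks pass. SUFFIX, ORG, SAMPLE_USERS and SAMPLE_GROUPS are constructed sample data; the password values are placeholders to be replaced with slappasswd output.

```python
"""Build and sanity-check LDIF for posixAccount users and posixGroup groups.

Added example, not code from the original page. SUFFIX, SAMPLE_USERS and
SAMPLE_GROUPS are constructed sample data in the shape the tutorial uses;
replace them with your own. userPassword values are expected to be
{SSHA} strings from slappasswd, not cleartext.
"""
import datetime

SUFFIX = "dc=shiftout,dc=org"
ORG = "shiftOut"
SAMPLE_GROUPS = [{"cn": "irl", "gidNumber": 2000}, {"cn": "staff", "gidNumber": 3000}]
SAMPLE_USERS = [  # placeholder hashes, not real slappasswd output
    {"uid": "irl", "givenName": "Iain", "sn": "Learmonth", "uidNumber": 2000,
     "gidNumber": 2000, "loginShell": "/bin/sh",
     "userPassword": "{SSHA}PASTE-SLAPPASSWD-OUTPUT-HERE"},
    {"uid": "alice", "givenName": "Alice", "sn": "Example", "uidNumber": 2001,
     "gidNumber": 3000, "loginShell": "/bin/sh",
     "userPassword": "{SSHA}PASTE-SLAPPASSWD-OUTPUT-HERE"},
]


def days_since_epoch(year, month, day):
    """shadowLastChange and shadowExpire are counted in days since 1970-01-01."""
    return (datetime.date(year, month, day) - datetime.date(1970, 1, 1)).days


def ldif_entry(dn, attrs):
    """Serialise one entry from (attribute, value) pairs; a list rather than a
    dict so multi-valued attributes such as objectClass keep their order."""
    return "\n".join(["dn: " + dn] + ["%s: %s" % pair for pair in attrs]) + "\n"


def user_entry(suffix, u, last_change):
    full_name = "%s %s" % (u["givenName"], u["sn"])
    attrs = [
        ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", u["uid"]), ("sn", u["sn"]), ("givenName", u["givenName"]),
        ("cn", full_name), ("gecos", full_name),
        ("uidNumber", u["uidNumber"]), ("gidNumber", u["gidNumber"]),
        ("userPassword", u["userPassword"]),
        ("loginShell", u["loginShell"]), ("homeDirectory", "/home/" + u["uid"]),
        ("shadowLastChange", last_change), ("shadowMax", 99999),
        ("shadowWarning", 7),
    ]
    return ldif_entry("uid=%s,ou=people,%s" % (u["uid"], suffix), attrs)


def group_entry(suffix, g, member_uids):
    attrs = [("objectClass", "posixGroup"), ("cn", g["cn"]), ("gidNumber", g["gidNumber"])]
    attrs += [("memberUid", uid) for uid in member_uids]
    return ldif_entry("cn=%s,ou=groups,%s" % (g["cn"], suffix), attrs)


def check_accounts(users, groups):
    """Return the problems a client would hit after import: duplicate or
    system-range uidNumbers, a primary group with no posixGroup, cleartext
    passwords. An empty list means the data is safe to feed to ldapadd."""
    problems = []
    gids = {g["gidNumber"] for g in groups}
    owner_of = {}
    for u in users:
        uid, n = u["uid"], u["uidNumber"]
        if n < 1000:
            problems.append("%s: uidNumber %d is in the system range (0 is root)" % (uid, n))
        if n in owner_of:
            problems.append("%s: uidNumber %d already used by %s" % (uid, n, owner_of[n]))
        owner_of.setdefault(n, uid)
        if u["gidNumber"] not in gids:
            problems.append("%s: gidNumber %d has no posixGroup" % (uid, u["gidNumber"]))
        if not u["userPassword"].startswith("{"):
            problems.append("%s: userPassword is cleartext; use a slappasswd hash" % uid)
    return problems


def build_ldif(suffix, org, users, groups, last_change):
    """Top-level object, the two OUs, then every user and group, as on the page."""
    dc = suffix.split(",")[0].split("=", 1)[1]
    entries = [
        ldif_entry(suffix, [("objectClass", "top"), ("objectClass", "dcObject"),
                            ("objectClass", "organization"), ("o", org), ("dc", dc)]),
        ldif_entry("ou=people," + suffix, [("objectClass", "organizationalUnit"), ("ou", "people")]),
        ldif_entry("ou=groups," + suffix, [("objectClass", "organizationalUnit"), ("ou", "groups")]),
    ]
    entries += [user_entry(suffix, u, last_change) for u in users]
    for g in groups:  # list each user whose primary group this is as a memberUid
        members = [u["uid"] for u in users if u["gidNumber"] == g["gidNumber"]]
        entries.append(group_entry(suffix, g, members))
    return "\n".join(entries)


if __name__ == "__main__":
    today = datetime.date.today()
    problems = check_accounts(SAMPLE_USERS, SAMPLE_GROUPS)
    if problems:
        raise SystemExit("\n".join(problems))
    print(build_ldif(SUFFIX, ORG, SAMPLE_USERS, SAMPLE_GROUPS,
                     days_since_epoch(today.year, today.month, today.day)))
```

Redirect the output to a file and feed it to ldapadd as described below. The 1000 floor on uidNumber is a convention, not an LDAP rule; the point of the check is that a uidNumber of 0 in the directory makes that account root on every client that trusts it.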

Assuming you have saved your LDIF file as /tmp/ldif, run the following command to import it:

ldapadd -D "cn=manager,dc=shiftout,dc=org" -Wx -f /tmp/ldif

You will need to replace the bind DN here with the correct root DN and suffix you specified earlier.

Note for experienced users: Tools such as slapadd and slapcat work directly on the database files and read slapd.conf to find them. Because that directory path only makes sense inside the chroot, they fail when run from outside it. You could keep a second slapd.conf with the outside paths for such use, but ldapadd, ldapsearch and friends work just as well while the server is running.

You can check the import was successful by running:

ldapwhoami -D "uid=irl,ou=people,dc=shiftout,dc=org" -Wx

Replace the uid and suffix with the ones you created; -W prompts for that user's password, the userPassword value from the LDIF. You should see output similar to:

dn:uid=irl,ou=people,dc=shiftout,dc=org

If you see this, you have correctly configured a working LDAP server, to which you can add, query, modify, and remove data representing users and groups.

Graphical Client

Apache Directory Studio provides a graphical browser that you can use to add, query, modify and remove data from your LDAP database. It can be downloaded from http://directory.apache.org/studio/.


$Id: VPS_NetBSD_OpenLDAP.html,v 1.5 2012/08/16 00:47:07 irl Exp $

vps_-_netbsd_with_ldap.txt · Last modified: 2021/04/02 19:27 by hc9