Month: April 2020

Re: viewing cn=config

Jovan Stosic April 16, 2020 
How do I get to see the contents of cn=config?



There are two main methods that I know of and for both you have to be logged in as root. First:


  ~# slapcat -b cn=config




Slapd does not even have to be running. This command will dump the entire configuration, but you can also filter its output:


  ~# slapcat -b cn=config -a cn=config

This will show only the root object. However:

  ~# slapcat -b cn=config -a "(|(cn=config)(olcDatabase={1}hdb))"

This will show both the root object and the hdb database definition.

Second method:

  ~# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

Again, you can also filter the output:

  ~# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config cn=config

  ~# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config \
     "(|(cn=config)(olcDatabase={1}hdb))"


 


Source: Re: viewing cn=config


Re: viewing cn=config was last modified:  April 16th, 2020 by Jovan Stosic

					

        
        

	

    
                                 
                    

	
    
                                 
                    

	
    
                                 
                    

	
    
                                 
                    

	
    
                                 
                    

	
    
                                 
                    

	
    
                                 
                    

	
    
                                 
                    

	

		

			
Config:appearance:obfuscate password display – phpLDAPadmin

						
            

                 
                Jovan Stosic
                 April 14, 2020
			
 
					


		

        				
Obfuscate the display of passwords.


 Configuration Syntax 






Category
appearance




Parameter
obfuscate_password_display




Default
true




Applicable Values
true|false




Example
$config->custom->appearance[‘obfuscate_password_display’] = true;






Back to config.php


Also see config:appearance:show_clear_password


 Description 


If true, display all password hash values as “******”. Note that clear-text passwords will always be displayed as “******”, regardless of this setting. (Clear password display is controlled by config:appearance:show_clear_password.)


Source: Config:appearance:obfuscate password display – phpLDAPadmin


Config:appearance:obfuscate password display – phpLDAPadmin was last modified:  April 14th, 2020 by Jovan Stosic

					

        
        

	

    
                                 
                    

	

		

			
Configuring OpenLDAP Multi Master Replication on Ubuntu 16.04 – I Am Benjamin Long

						
            

                 
                Jovan Stosic
                 April 14, 2020
			
 
					


		

        				
 




Configuring OpenLDAP Multi Master Replication on Ubuntu 16.04






After banging my head on my desk for a couple of days trying to figure out how to get two OpenLDAP servers to mirror each other, I decided to create this post to detail how I got it working.

None of the tutorials I found had it quite right. Let’s get right into it.


First, I expect that you have two servers already up and running with ssh access.


I’m also expecting that you’re logged in as root. I’ll not be using a sudo prefix on these commands. You can gain a root prompt with sudo by running ‘sudo -s’:


user@host1$ sudo -s
[sudo] password for user:
root@host1#


Note: If at any time you want to completely start over, just run this command on both servers:


# apt remove --purge slapd -y; rm /var/lib/ldap/*


Step one: Configuring the host names


For this example, i’ll use hostX.location.example.com as the template for your FQDN’s. This will get translated automatically into the structure of your LDAP later on.


You have two servers: host1.location.example.com at 10.10.10.1 and host2.location.example.com at 10.10.10.2


Your /etc/hosts files should be edited to look like this:


#host1
127.0.0.1    localhost 
10.10.10.1   host1.location.example.com host1
10.10.10.2   host2.location.example.com host2


#host2
127.0.0.1    localhost
10.10.10.2   host2.location.example.com host2
10.10.10.1   host1.location.example.com host1



Step Two: Install OpenLDAP


On both servers, run this to install OpenLDAP:


# apt install slapd ldap-utils


When asked for a password to use with the ldap admin account, use the same one on both servers. Write it down or copy/paste it from somewhere. You’ll need it later. This process will not take long. When it’s done, you’ll have two separate OpenLDAP installations. The installation will create an ldap tree that matches your domain configuration. In this case it will translate ‘location.example.com’ to ‘dc=location,dc=example,dc=com’ and the admin account will be ‘cn=admin,dc=location,dc=example,dc=com’.


You can confirm this by running ‘slapcat’ from the command line. This will dump the tree to the screen for you to look at:


root@host1# slapcat                
dn: dc=location,dc=example,dc=com 
objectClass: top 
objectClass: dcObject 
objectClass: organization 
o: location.example.com 
dc: location 
structuralObjectClass: organization 
creatorsName: cn=admin,dc=location,dc=example,dc=com 
entryUUID: 4aad3c38-bae8-1036-8303-954f43b481de 
createTimestamp: 20170421141226Z 
entryCSN: 20170421141226.542122Z#000000#000#000000 
modifiersName: cn=admin,dc=location,dc=example,dc=com 
modifyTimestamp: 20170421141226Z 
contextCSN: 20170421141335.948963Z#000000#001#000000 
contextCSN: 20170421141314.583141Z#000000#002#000000 
 
dn: cn=admin,dc=location,dc=example,dc=com 
objectClass: simpleSecurityObject 
objectClass: organizationalRole 
cn: admin 
description: LDAP administrator 
structuralObjectClass: organizationalRole 
creatorsName: cn=admin,dc=location,dc=example,dc=com 
userPassword:: e10234hf0eyh230h23sdjksd03r2fhdfgasdldefg023= 
entryUUID: 4aad4b92-bae8-1036-8304-953420fh1de 
createTimestamp: 20170421141226Z 
entryCSN: 20170421141226.542544Z#000000#000#000000 
modifiersName: cn=admin,dc=location,dc=example,dc=com 
modifyTimestamp: 20170421141226Z


You can change this layout, and a couple of other things, by running ‘dpkg-reconfigure slapd’, but that is beyond the scope of this howto.


Step three: Configure Mirroring


Now that both OpenLDAP servers are up and running, lets get the mirroring working. This is done it two parts.


Part A: Mirroring the configuration tree


Instead of editing the /etc/slapd.conf file like in the old days, new versions of OpenLDAP store their configuration in the LDAP directory itself. This means that once it’s set up, even configuration and schema changes will be mirrored. It’s a fantastic thing, but it’s a bit, well, weird to set up if you’re coming from the file editing days.


I’m not going to do much explanation of how this works. It’s boring and all you really want is to get this up and running so you have a redundant LDAP database, right?


Create a file called ‘syncconfig.ldif’ in roots home directory. It should look like this:


dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov.la

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: THE_PASSWORD_YOU_SAVED

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://host1.location.example.com/
olcServerID: 2 ldap://host2.location.example.com/

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://host1.location.example.com/ binddn="cn=config"
  bindmethod=simple credentials=THE_PASSWORD_YOU_SAVED
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://host2.location.example.com/ binddn="cn=config"
  bindmethod=simple credentials=THE_PASSWORD_YOU_SAVED
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE


Now copy that to both servers, and on both servers run:


# ldapadd -Y EXTERNAL -H ldapi:/// -f syncconfig.ldif


WARNING!   These ldif files should have NO TRAILING WHITESPACE after any line. If there is any trailing whitespace, the above command will fail with errors like:


ldapadd: wrong attributeType at line 5, entry "cn=module{0},cn=config"


You may want to restart your OpenLDAP daemons:


# /etc/init.d/slapd restart


They should come up without any errors.


Congrats! Now your configuration will automatically sync between your servers. Any config changes we make from one of the hosts will propagate to the other.


Part B: Mirroring the dc=location,dc=example,dc=com tree


Now that this is working, we setup the syncing of the  ‘dc=location,dc=example,dc=com’ tree. To do this, we create another file called ‘synctree.ldif’. It should look like this:


dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://host1.location.example.com/ binddn="cn=admin,dc=location,dc=example,dc=com"
  bindmethod=simple credentials=THE_PASSWORD_YOU_SAVED
  searchbase="dc=location,dc=example,dc=com" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=001 provider=ldap://host2.location.example.com/ binddn="cn=admin,dc=location,dc=example,dc=com"
  bindmethod=simple credentials=THE_PASSWORD_YOU_SAVED
  searchbase="dc=location,dc=example,dc=com" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE


Since the config is synced, we only need to run this on one of the servers:


# ldapadd -Y EXTERNAL -H ldapi:/// -f synctree.ldif


You don’t need to restart the daemons after this, but why not…. and that’s it! Now the configuration AND the ‘dc=location,dc=example,dc=com’ trees are synced.




https://iambenjaminlong.com/2017/04/21/configuring-openldap-multi-master-replication-on-ubuntu-16-04/


Configuring OpenLDAP Multi Master Replication on Ubuntu 16.04 – I Am Benjamin Long was last modified:  April 15th, 2020 by Jovan Stosic

					

        
        

	

    
                                 
                    

	

		

			
Ubuntu 16.04 LTS : OpenLDAP : LDAP Replication

						
            

                 
                Jovan Stosic
                 April 14, 2020
			
 
					


		

        				







Configure OpenLDAP Replication to continue Directory service if OpenLDAP master server would be down. OpenLDAP master server is called “Provider” and OpenLDAP Slave server is called “Consumer” on OpenLDAP.






[1]


Configure Basic LDAP Server settings on both Provider and Consumer, refer to here.






[2]
Configure LDAP Provider. Add syncprov module.












root@dlp:~#


vi mod_syncprov.ldif




# create new




dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov.la






root@dlp:~#


ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif


SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"




root@dlp:~#


vi syncprov.ldif




# create new




dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100






root@dlp:~#


ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif


SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={1}mdb,cn=config"













[3]
Configure LDAP Consumer.












root@node01:~#


vi syncrepl.ldif




# create new




dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001



# LDAP server’s URI


  provider=ldap://10.0.0.30:389/
  bindmethod=simple



# own domain name


  binddn="cn=admin,dc=srv,dc=world"



# directory manager’s password


  credentials=password
  searchbase="dc=srv,dc=world"



# includes subtree


  scope=sub
  schemachecking=on
  type=refreshAndPersist



# [retry interval] [retry times] [interval of re-retry] [re-retry times]


  retry="30 5 300 3"



# replication interval


  interval=00:00:05:00






root@node01:~#


ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif


SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"




# confirm settings to search datas


root@node01:~#


ldapsearch -x -b ‘ou=people,dc=srv,dc=world’


# people, srv.world
dn: ou=people,dc=srv,dc=world
objectClass: organizationalUnit
ou: people
...
...













[4]
Configure LDAP Client to bind LDAP Consumer, too.












root@www:~#


vi /etc/ldap.conf




# line 30: add LDAP Consumer


uri ldap://dlp.srv.world/


ldap://node01.srv.world/








Source: Ubuntu 16.04 LTS : OpenLDAP : LDAP Replication : Server World


Ubuntu 16.04 LTS : OpenLDAP : LDAP Replication was last modified:  April 14th, 2020 by Jovan Stosic

					

        
        

	

    
                                 
                    

	

		

			
OpenLDAP Server

						
            

                 
                Jovan Stosic
                 April 14, 2020
			
 
					


		

        				
If you have set up replication between servers, it is common practice to encrypt (StartTLS) the replication traffic to prevent evesdropping. This is distinct from using encryption with authentication as we did above. In this section we will build on that TLS-authentication work.


The assumption here is that you have set up replication between Provider and Consumer according to Replication and have configured TLS for authentication on the Provider by following TLS.


As previously stated, the objective (for us) with replication is high availablity for the LDAP service. Since we have TLS for authentication on the Provider we will require the same on the Consumer. In addition to this, however, we want to encrypt replication traffic. What remains to be done is to create a key and certificate for the Consumer and then configure accordingly. We will generate the key/certificate on the Provider, to avoid having to create another CA certificate, and then transfer the necessary material over to the Consumer.






    

  1. 

    On the Provider,
    

    Create a holding directory (which will be used for the eventual transfer) and then the Consumer’s private key:
    

    

    mkdir ldap02-ssl
cd ldap02-ssl
sudo certtool --generate-privkey \
--bits 1024 \
--outfile ldap02_slapd_key.pem

    

    

    Create an info file, ldap02.info, for the Consumer server, adjusting its values accordingly:
    

    

    organization = Example Company
cn = ldap02.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650

    

    

    Create the Consumer’s certificate:
    

    

    sudo certtool --generate-certificate \
--load-privkey ldap02_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem \
--load-ca-privkey /etc/ssl/private/cakey.pem \
--template ldap02.info \
--outfile ldap02_slapd_cert.pem

    

    

    Get a copy of the CA certificate:
    

    

    cp /etc/ssl/certs/cacert.pem .

    

    

    We’re done. Now transfer the ldap02-ssl directory to the Consumer. Here we use scp (adjust accordingly):
    

    

    cd ..
scp -r ldap02-ssl user@consumer:

    

    

    2. 

  2. 

    On the Consumer,
    

    Configure TLS authentication:
    

    

    sudo apt install ssl-cert
sudo gpasswd -a openldap ssl-cert
sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs
sudo cp ldap02_slapd_key.pem /etc/ssl/private
sudo chgrp openldap /etc/ssl/private/ldap02_slapd_key.pem
sudo chmod 0640 /etc/ssl/private/ldap02_slapd_key.pem
sudo systemctl restart slapd.service

    

    

    Create the file /etc/ssl/certinfo.ldif with the following contents (adjust accordingly):
    

    

    dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem

    

    

    Configure the slapd-config database:
    

    

    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

    

    

    Configure /etc/default/slapd as on the Provider (SLAPD_SERVICES).
    

    3. 

  3. 

    On the Consumer,
    

    Configure TLS for Consumer-side replication. Modify the existing olcSyncrepl attribute by tacking on some TLS options. In so doing, we will see, for the first time, how to change an attribute’s value(s).
    

    Create the file consumer_sync_tls.ldif with the following contents:
    

    

    dn: olcDatabase={1}mdb,cn=config
replace: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple
 binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"
 logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
 schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
 starttls=critical tls_reqcert=demand

    

    

    The extra options specify, respectively, that the consumer must use StartTLS and that the CA certificate is required to verify the Provider’s identity. Also note the LDIF syntax for changing the values of an attribute (‘replace’).
    

    Implement these changes:
    

    

    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif

    

    

    And restart slapd:
    

    

    sudo systemctl restart slapd.service

    

    

    4. 

  4. 

    On the Provider,
    

    Check to see that a TLS session has been established. In /var/log/syslog, providing you have ‘conns’-level logging set up, you should see messages similar to:
    

    

    slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)
slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[3620]: conn=1047 op=0 STARTTLS
slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=
slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text

    

    

    5. 







Source: OpenLDAP Server


OpenLDAP Server was last modified:  April 14th, 2020 by Jovan Stosic