Config:appearance:obfuscate password display – phpLDAPadmin

Obfuscate the display of passwords.

Configuration Syntax

Category appearance
Parameter obfuscate_password_display
Default true
Applicable Values true|false
Example $config->custom->appearance['obfuscate_password_display'] = true;

Back to config.php

Also see config:appearance:show_clear_password

Description

If true, display all password hash values as “******”. Note that clear-text passwords will always be displayed as “******”, regardless of this setting. (Clear password display is controlled by config:appearance:show_clear_password.)

Source: Config:appearance:obfuscate password display – phpLDAPadmin

Config:appearance:obfuscate password display – phpLDAPadmin was last modified: April 14th, 2020 by Jovan Stosic

Configuring OpenLDAP Multi Master Replication on Ubuntu 16.04 – I Am Benjamin Long


After banging my head on my desk for a couple of days trying to figure out how to get two OpenLDAP servers to mirror each other, I decided to create this post to detail how I got it working.
None of the tutorials I found had it quite right. Let’s get right into it.

First, I expect that you have two servers already up and running with ssh access.

I’m also expecting that you’re logged in as root. I’ll not be using a sudo prefix on these commands. You can gain a root prompt with sudo by running ‘sudo -s’:

user@host1$ sudo -s
[sudo] password for user:
root@host1#

Note: If at any time you want to completely start over, just run this command on both servers:

# apt remove --purge slapd -y; rm /var/lib/ldap/*

Step one: Configuring the host names

For this example, I'll use hostX.location.example.com as the template for your FQDNs. This will be translated automatically into the structure of your LDAP tree later on.

You have two servers: host1.location.example.com at 10.10.10.1 and host2.location.example.com at 10.10.10.2

Your /etc/hosts files should be edited to look like this:

#host1
127.0.0.1    localhost 
10.10.10.1   host1.location.example.com host1
10.10.10.2   host2.location.example.com host2
#host2
127.0.0.1    localhost
10.10.10.2   host2.location.example.com host2
10.10.10.1   host1.location.example.com host1

Step Two: Install OpenLDAP

On both servers, run this to install OpenLDAP:

# apt install slapd ldap-utils

When asked for a password to use with the ldap admin account, use the same one on both servers. Write it down or copy/paste it from somewhere. You’ll need it later. This process will not take long. When it’s done, you’ll have two separate OpenLDAP installations. The installation will create an ldap tree that matches your domain configuration. In this case it will translate ‘location.example.com’ to ‘dc=location,dc=example,dc=com’ and the admin account will be ‘cn=admin,dc=location,dc=example,dc=com’.

You can confirm this by running ‘slapcat’ from the command line. This will dump the tree to the screen for you to look at:

root@host1# slapcat                
dn: dc=location,dc=example,dc=com 
objectClass: top 
objectClass: dcObject 
objectClass: organization 
o: location.example.com 
dc: location 
structuralObjectClass: organization 
creatorsName: cn=admin,dc=location,dc=example,dc=com 
entryUUID: 4aad3c38-bae8-1036-8303-954f43b481de 
createTimestamp: 20170421141226Z 
entryCSN: 20170421141226.542122Z#000000#000#000000 
modifiersName: cn=admin,dc=location,dc=example,dc=com 
modifyTimestamp: 20170421141226Z 
contextCSN: 20170421141335.948963Z#000000#001#000000 
contextCSN: 20170421141314.583141Z#000000#002#000000 
 
dn: cn=admin,dc=location,dc=example,dc=com 
objectClass: simpleSecurityObject 
objectClass: organizationalRole 
cn: admin 
description: LDAP administrator 
structuralObjectClass: organizationalRole 
creatorsName: cn=admin,dc=location,dc=example,dc=com 
userPassword:: e10234hf0eyh230h23sdjksd03r2fhdfgasdldefg023= 
entryUUID: 4aad4b92-bae8-1036-8304-953420fh1de 
createTimestamp: 20170421141226Z 
entryCSN: 20170421141226.542544Z#000000#000#000000 
modifiersName: cn=admin,dc=location,dc=example,dc=com 
modifyTimestamp: 20170421141226Z

You can change this layout, and a couple of other things, by running ‘dpkg-reconfigure slapd’, but that is beyond the scope of this howto.

Step three: Configure Mirroring

Now that both OpenLDAP servers are up and running, let's get the mirroring working. This is done in two parts.

Part A: Mirroring the configuration tree

Instead of editing the /etc/slapd.conf file like in the old days, new versions of OpenLDAP store their configuration in the LDAP directory itself. This means that once it’s set up, even configuration and schema changes will be mirrored. It’s a fantastic thing, but it’s a bit, well, weird to set up if you’re coming from the file editing days.

I’m not going to do much explanation of how this works. It’s boring and all you really want is to get this up and running so you have a redundant LDAP database, right?

Create a file called ‘syncconfig.ldif’ in root's home directory. It should look like this:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov.la

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: THE_PASSWORD_YOU_SAVED

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://host1.location.example.com/
olcServerID: 2 ldap://host2.location.example.com/

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://host1.location.example.com/ binddn="cn=config"
  bindmethod=simple credentials=THE_PASSWORD_YOU_SAVED
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://host2.location.example.com/ binddn="cn=config"
  bindmethod=simple credentials=THE_PASSWORD_YOU_SAVED
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

Now copy that to both servers, and on both servers run:

# ldapadd -Y EXTERNAL -H ldapi:/// -f syncconfig.ldif

WARNING! These ldif files must have NO TRAILING WHITESPACE after any line. If there is any, the above command will fail with errors like:

ldapadd: wrong attributeType at line 5, entry "cn=module{0},cn=config"

You may want to restart your OpenLDAP daemons:

# /etc/init.d/slapd restart

They should come up without any errors.

Congrats! Now your configuration will automatically sync between your servers. Any config changes we make from one of the hosts will propagate to the other.

Part B: Mirroring the dc=location,dc=example,dc=com tree

Now that this is working, we set up the syncing of the ‘dc=location,dc=example,dc=com’ tree. To do this, we create another file called ‘synctree.ldif’. It should look like this:

dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://host1.location.example.com/ binddn="cn=admin,dc=location,dc=example,dc=com"
  bindmethod=simple credentials=THE_PASSWORD_YOU_SAVED
  searchbase="dc=location,dc=example,dc=com" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://host2.location.example.com/ binddn="cn=admin,dc=location,dc=example,dc=com"
  bindmethod=simple credentials=THE_PASSWORD_YOU_SAVED
  searchbase="dc=location,dc=example,dc=com" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

Since the config is synced, we only need to run this on one of the servers:

# ldapadd -Y EXTERNAL -H ldapi:/// -f synctree.ldif

You don’t need to restart the daemons after this, but why not…. and that’s it! Now the configuration AND the ‘dc=location,dc=example,dc=com’ trees are synced.

https://iambenjaminlong.com/2017/04/21/configuring-openldap-multi-master-replication-on-ubuntu-16-04/

Configuring OpenLDAP Multi Master Replication on Ubuntu 16.04 – I Am Benjamin Long was last modified: April 15th, 2020 by Jovan Stosic

Ubuntu 16.04 LTS : OpenLDAP : LDAP Replication

Configure OpenLDAP Replication to continue Directory service if OpenLDAP master server would be down. OpenLDAP master server is called “Provider” and OpenLDAP Slave server is called “Consumer” on OpenLDAP.
[2] Configure LDAP Provider. Add syncprov module.
root@dlp:~# vi mod_syncprov.ldif
# create new
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov.la

root@dlp:~# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

root@dlp:~# vi syncprov.ldif
# create new
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

root@dlp:~# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={1}mdb,cn=config"
[3] Configure LDAP Consumer.
root@node01:~# vi syncrepl.ldif
# create new
# provider: the Provider's LDAP URI; binddn: the directory manager of your own domain;
# credentials: the directory manager's password; scope=sub includes the subtree;
# retry: [retry interval] [retry times] [interval of re-retry] [re-retry times];
# interval: replication interval. The comments sit above the entry on purpose:
# ldapadd drops a comment line together with the continuation lines that follow it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://10.0.0.30:389/
  bindmethod=simple
  binddn="cn=admin,dc=srv,dc=world"
  credentials=password
  searchbase="dc=srv,dc=world"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00

root@node01:~# ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

# confirm the settings by searching the replicated data

root@node01:~# ldapsearch -x -b 'ou=people,dc=srv,dc=world'
# people, srv.world
dn: ou=people,dc=srv,dc=world
objectClass: organizationalUnit
ou: people
...
...
[4] Configure LDAP Client to bind LDAP Consumer, too.
root@www:~# vi /etc/ldap.conf
# line 30: add LDAP Consumer
uri ldap://dlp.srv.world/ ldap://node01.srv.world/
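The same health check applies to the mirror pair from the previous post and to the Provider/Consumer pair here: each replica's suffix entry carries one contextCSN per olcServerID (SID), and the replicas are in sync only when those values match. The following Python script is an added example (not part of either tutorial); it parses ldapsearch or slapcat output for contextCSN values and reports which host is behind on which SID. The sample output is constructed from the slapcat excerpt above plus a lagging second host.

```python
"""Replication health check: compare contextCSN values across OpenLDAP replicas."""
import re
import subprocess

# A contextCSN reads <UTC timestamp>.<usec>Z#<change count>#<SID>#<mod count>.
# SID is the olcServerID of the replica that originated the change, so a mirror
# pair carries one contextCSN per server; the replicas agree when every SID matches.
CSN_RE = re.compile(
    r"^contextCSN:\s*(\d{14}\.\d{6}Z#[0-9a-f]{6}#([0-9a-f]{3})#[0-9a-f]{6})\s*$",
    re.MULTILINE | re.IGNORECASE,
)


def parse_context_csns(ldif_text):
    """Map SID -> full CSN string from ldapsearch or slapcat output."""
    return {sid: csn for csn, sid in CSN_RE.findall(ldif_text)}


def fetch_context_csns(uri, base):
    """Read the suffix entry's contextCSN from a live replica with ldap-utils.
    Needs read access to the operational attribute; not used by the offline demo."""
    cmd = ["ldapsearch", "-LLL", "-x", "-H", uri, "-b", base, "-s", "base", "contextCSN"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_context_csns(out)


def compare_replicas(csns_by_host):
    """Return (sid, behind_host, ahead_host) for every SID the replicas disagree on.
    CSNs for the same SID compare correctly as plain strings: the fixed-width
    timestamp comes first and the counters are zero-padded hex. A host that has
    never seen a SID at all is reported as behind as well."""
    all_sids = sorted({sid for csns in csns_by_host.values() for sid in csns})
    problems = []
    for sid in all_sids:
        have = {host: csns[sid] for host, csns in csns_by_host.items() if sid in csns}
        ahead = max(have, key=have.get)
        for host in csns_by_host:
            if have.get(host) != have[ahead]:
                problems.append((sid, host, ahead))
    return problems


# Constructed sample: host1 is the slapcat output from the mirror-mode post; host2
# has not yet applied host1's latest change, so its SID 001 CSN is older.
SAMPLE_HOST1 = """dn: dc=location,dc=example,dc=com
contextCSN: 20170421141335.948963Z#000000#001#000000
contextCSN: 20170421141314.583141Z#000000#002#000000
"""
SAMPLE_HOST2 = """dn: dc=location,dc=example,dc=com
contextCSN: 20170421141300.000000Z#000000#001#000000
contextCSN: 20170421141314.583141Z#000000#002#000000
"""


def check_sample():
    """Run the comparison over the constructed sample."""
    return compare_replicas({"host1": parse_context_csns(SAMPLE_HOST1),
                             "host2": parse_context_csns(SAMPLE_HOST2)})


if __name__ == "__main__":
    for sid, behind, ahead in check_sample():
        print(f"SID {sid}: {behind} is behind {ahead}")
```

Against live servers, replace the samples with fetch_context_csns() calls for each replica; an empty result means every SID's CSN agrees.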

Source: Ubuntu 16.04 LTS : OpenLDAP : LDAP Replication : Server World

Ubuntu 16.04 LTS : OpenLDAP : LDAP Replication was last modified: April 14th, 2020 by Jovan Stosic

OpenLDAP Server

If you have set up replication between servers, it is common practice to encrypt (StartTLS) the replication traffic to prevent eavesdropping. This is distinct from using encryption with authentication as we did above. In this section we will build on that TLS-authentication work.

The assumption here is that you have set up replication between Provider and Consumer according to Replication and have configured TLS for authentication on the Provider by following TLS.

As previously stated, the objective (for us) with replication is high availability for the LDAP service. Since we have TLS for authentication on the Provider we will require the same on the Consumer. In addition to this, however, we want to encrypt replication traffic. What remains to be done is to create a key and certificate for the Consumer and then configure accordingly. We will generate the key/certificate on the Provider, to avoid having to create another CA certificate, and then transfer the necessary material over to the Consumer.

  1. On the Provider,

    Create a holding directory (which will be used for the eventual transfer) and then the Consumer’s private key:

    mkdir ldap02-ssl
    cd ldap02-ssl
    sudo certtool --generate-privkey \
    --bits 1024 \
    --outfile ldap02_slapd_key.pem
    

    Create an info file, ldap02.info, for the Consumer server, adjusting its values accordingly:

    organization = Example Company
    cn = ldap02.example.com
    tls_www_server
    encryption_key
    signing_key
    expiration_days = 3650
    

    Create the Consumer’s certificate:

    sudo certtool --generate-certificate \
    --load-privkey ldap02_slapd_key.pem \
    --load-ca-certificate /etc/ssl/certs/cacert.pem \
    --load-ca-privkey /etc/ssl/private/cakey.pem \
    --template ldap02.info \
    --outfile ldap02_slapd_cert.pem
    

    Get a copy of the CA certificate:

    cp /etc/ssl/certs/cacert.pem .
    

    We’re done. Now transfer the ldap02-ssl directory to the Consumer. Here we use scp (adjust accordingly):

    cd ..
    scp -r ldap02-ssl user@consumer:
    
  2. On the Consumer,

    Configure TLS authentication:

    sudo apt install ssl-cert
    sudo gpasswd -a openldap ssl-cert
    sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs
    sudo cp ldap02_slapd_key.pem /etc/ssl/private
    sudo chgrp openldap /etc/ssl/private/ldap02_slapd_key.pem
    sudo chmod 0640 /etc/ssl/private/ldap02_slapd_key.pem
    sudo systemctl restart slapd.service
    

    Create the file /etc/ssl/certinfo.ldif with the following contents (adjust accordingly):

    dn: cn=config
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
    -
    add: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem
    -
    add: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem
    

    Configure the slapd-config database:

    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
    

    Configure /etc/default/slapd as on the Provider (SLAPD_SERVICES).

  3. On the Consumer,

    Configure TLS for Consumer-side replication. Modify the existing olcSyncrepl attribute by tacking on some TLS options. In so doing, we will see, for the first time, how to change an attribute’s value(s).

    Create the file consumer_sync_tls.ldif with the following contents:

    dn: olcDatabase={1}mdb,cn=config
    replace: olcSyncRepl
    olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple
     binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"
     logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
     schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
     starttls=critical tls_reqcert=demand
    

    The extra options specify, respectively, that the consumer must use StartTLS and that the CA certificate is required to verify the Provider’s identity. Also note the LDIF syntax for changing the values of an attribute (‘replace’).

    Implement these changes:

    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif
    

    And restart slapd:

    sudo systemctl restart slapd.service
    
  4. On the Provider,

    Check to see that a TLS session has been established. In /var/log/syslog, provided you have ‘conns’-level logging set up, you should see messages similar to:

    slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)
    slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
    slapd[3620]: conn=1047 op=0 STARTTLS
    slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=
    slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128
    slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
    slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
    slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text
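
The log excerpt above is also what a defender can audit: a simple bind (method=128) must only appear after "TLS established" on the same connection, which is what starttls=critical enforces on the Consumer side. The following Python check is an added example (not from the Ubuntu guide); it walks slapd ‘conns’-level syslog lines and flags network simple binds with no TLS session. The sample lines are constructed from the excerpt above plus an unprotected connection and a local ldapi socket.

```python
"""Flag simple binds that reached slapd over the network without a TLS session."""
import re

# Pull the connection id, event and remainder out of slapd "conns"-level syslog lines.
EVENT_RE = re.compile(r"conn=(\d+) (?:fd=\d+|op=\d+) (ACCEPT|TLS established|BIND)(.*)")
SIMPLE_BIND = "method=128"  # LDAP_AUTH_SIMPLE: the bind request carries the password


def find_cleartext_simple_binds(log_lines):
    """Return (conn, peer, dn) for each simple bind made while the connection had
    no TLS session. The later "mech=SIMPLE ssf=0" BIND line reports the SASL
    layer, not TLS, so only the "TLS established ... ssf=N" line counts here.
    Local ldapi:// sockets (peer PATH=...) are skipped: nothing crosses the network."""
    peers, tls_ssf, findings = {}, {}, []
    for line in log_lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        conn, event, rest = m.groups()
        if event == "ACCEPT":
            peer = re.search(r"from (\S+)", rest)
            peers[conn] = peer.group(1) if peer else "?"
            tls_ssf[conn] = 0
        elif event == "TLS established":
            ssf = re.search(r" ssf=(\d+)", rest)
            tls_ssf[conn] = int(ssf.group(1)) if ssf else 0
        elif event == "BIND" and SIMPLE_BIND in rest:
            dn = re.search(r'dn="([^"]*)"', rest)
            peer = peers.get(conn, "?")
            if tls_ssf.get(conn, 0) == 0 and not peer.startswith("PATH="):
                findings.append((conn, peer, dn.group(1) if dn else ""))
    return findings


# Constructed sample: conn=1047 is the guide's StartTLS-then-bind sequence, conn=1048
# binds without StartTLS over the network, conn=1049 is a local ldapi socket.
SAMPLE_LOG = """slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)
slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[3620]: conn=1047 op=0 STARTTLS
slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=
slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text=
slapd[3620]: conn=1048 fd=21 ACCEPT from IP=10.153.107.230:57930 (IP=0.0.0.0:389)
slapd[3620]: conn=1048 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
slapd[3620]: conn=1048 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1048 op=0 RESULT tag=97 err=0 text=
slapd[3620]: conn=1049 fd=22 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
slapd[3620]: conn=1049 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
""".splitlines()


def check_sample():
    """Run the check over the constructed sample."""
    return find_cleartext_simple_binds(SAMPLE_LOG)


if __name__ == "__main__":
    for conn, peer, dn in check_sample():
        print(f"conn={conn} from {peer}: simple bind as {dn!r} without TLS")
```

To run it on a real host, feed it the slapd lines from /var/log/syslog; a bind flagged here means the password crossed the wire in the clear.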
    

Source: OpenLDAP Server

OpenLDAP Server was last modified: April 14th, 2020 by Jovan Stosic

Token encryption requires a random string in keyphrase setting · ltb-project/self-service-password 

# Encryption, decryption keyphrase, required if $crypt_tokens = true
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "abcdefgh";

Source: Token encryption requires a random string in keyphrase setting · Issue #243 · ltb-project/self-service-password · GitHub

Token encryption requires a random string in keyphrase setting · ltb-project/self-service-password  was last modified: April 12th, 2020 by Jovan Stosic

LDAP connection [LDAP Tool Box (LTB)]

Server address

Use an LDAP URI to configure the location of your LDAP server in $ldap_url:

$ldap_url = "ldap://localhost:389";

You can set several URI, so that next server will be tried if the previous is down:

$ldap_url = "ldap://server1 ldap://server2";

To use SSL, set ldaps in the URI:

$ldap_url = "ldaps://localhost";

To use StartTLS, set true in $ldap_starttls:

$ldap_starttls = true;

Source: LDAP connection [LDAP Tool Box (LTB)]

LDAP connection [LDAP Tool Box (LTB)] was last modified: April 12th, 2020 by Jovan Stosic

How To Install and Configure OpenLDAP and phpLDAPadmin on an Ubuntu 14.04 Server

We also want to password protect our phpLDAPadmin location. Even though phpLDAPadmin has password authentication, this will provide an extra level of protection.

The utility that we need is contained in an Apache utility package. Get it by typing:

sudo apt-get install apache2-utils

Now that you have the utility available, you can create a password file that will contain a username that you choose and the associated hashed password.

We will keep this in the /etc/apache2 directory. Create the file and specify the username you want to use by typing:

sudo htpasswd -c /etc/apache2/htpasswd demo_user

Now, we are ready to modify Apache to take advantage of our security upgrades.

 

Modify the phpLDAPadmin Apache Configuration

The first thing we will do is modify the alias that is set up to serve our phpLDAPadmin files.

Open the file with root privileges in your text editor:

sudo nano /etc/phpldapadmin/apache.conf

This is the place where we need to decide on the URL location where we want to access our interface. The default is /phpldapadmin, but we want to change this to cut down on random login attempts by bots and malicious parties.

For this guide, we’re going to use the location /superldap, but you should choose your own value.

We need to modify the line that specifies the Alias. This should be in an IfModule mod_alias.c block. When you are finished, it should look like this:

<IfModule mod_alias.c>
    Alias /superldap /usr/share/phpldapadmin/htdocs
</IfModule>

When you are finished, save and close the file.

Configure the HTTP Virtual Host

Next, we need to modify our current Virtual Hosts file. Open it with root privileges in your editor:

sudo nano /etc/apache2/sites-enabled/000-default.conf

Inside, you’ll see a rather bare configuration file that looks like this:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

We want to add information about our domain name or IP address to define our server name and we want to set up our redirect to point all HTTP requests to the HTTPS interface. This will match the alias we configured in the last section.

The changes we discussed will end up looking like this. Replace the server_domain_or_IP placeholders with your own values:

<VirtualHost *:80>
    ServerAdmin webmaster@server_domain_or_IP
    DocumentRoot /var/www/html
    ServerName server_domain_or_IP
    Redirect permanent /superldap https://server_domain_or_IP/superldap
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Save and close the file when you are finished.

The last thing we need to do is set up the location block that will implement our password protection for the entire phpLDAPadmin installation.

We do this by referencing the location where we are serving the phpLDAPadmin and setting up authentication using the file we generated. We will require anyone attempting to access this content to authenticate as a valid user:

<Location /superldap>
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /etc/apache2/htpasswd
    Require valid-user
</Location>

Save and close the file when you are finished.

Restart Apache to implement all of the changes that we have made:

sudo service apache2 restart

Source: How To Install and Configure OpenLDAP and phpLDAPadmin on an Ubuntu 14.04 Server | DigitalOcean

How To Install and Configure OpenLDAP and phpLDAPadmin on an Ubuntu 14.04 Server was last modified: April 19th, 2020 by Jovan Stosic