Engineering and technology notes

Category	appearance
Parameter	obfuscate_password_display
Default	true
Applicable Values	true\|false
Example	$config->custom->appearance[‘obfuscate_password_display’] = true;

Back to config.php

Also see config:appearance:show_clear_password

Description

If true, display all password hash values as “******”. Note that clear-text passwords will always be displayed as “******”, regardless of this setting. (Clear password display is controlled by config:appearance:show_clear_password.)

Source: Config:appearance:obfuscate password display – phpLDAPadmin

Configuring OpenLDAP Multi Master Replication on Ubuntu 16.04 – I Am Benjamin Long

Engineering and technology notes

Jovan Stosic April 14, 2020

Configuring OpenLDAP Multi Master Replication on Ubuntu 16.04

After banging my head on my desk for a couple of days trying to figure out how to get two OpenLDAP servers to mirror each other, I decided to create this post to detail how I got it working.
None of the tutorials I found had it quite right. Let’s get right into it.

First, I expect that you have two servers already up and running with ssh access.

I’m also expecting that you’re logged in as root. I’ll not be using a sudo prefix on these commands. You can gain a root prompt with sudo by running ‘sudo -s’:

user@host1$ sudo -s
[sudo] password for user:
root@host1#

Note: If at any time you want to completely start over, just run this command on both servers:

# apt remove --purge slapd -y; rm /var/lib/ldap/*

Step one: Configuring the host names

For this example, i’ll use hostX.location.example.com as the template for your FQDN’s. This will get translated automatically into the structure of your LDAP later on.

You have two servers: host1.location.example.com at 10.10.10.1 and host2.location.example.com at 10.10.10.2

Your /etc/hosts files should be edited to look like this:

#host1
127.0.0.1    localhost 
10.10.10.1   host1.location.example.com host1
10.10.10.2   host2.location.example.com host2

#host2
127.0.0.1    localhost
10.10.10.2   host2.location.example.com host2
10.10.10.1   host1.location.example.com host1

Step Two: Install OpenLDAP

On both servers, run this to install OpenLDAP:

# apt install slapd ldap-utils

When asked for a password to use with the ldap admin account, use the same one on both servers. Write it down or copy/paste it from somewhere. You’ll need it later. This process will not take long. When it’s done, you’ll have two separate OpenLDAP installations. The installation will create an ldap tree that matches your domain configuration. In this case it will translate ‘location.example.com’ to ‘dc=location,dc=example,dc=com’ and the admin account will be ‘cn=admin,dc=location,dc=example,dc=com’.

You can confirm this by running ‘slapcat’ from the command line. This will dump the tree to the screen for you to look at:

root@host1# slapcat                
dn: dc=location,dc=example,dc=com 
objectClass: top 
objectClass: dcObject 
objectClass: organization 
o: location.example.com 
dc: location 
structuralObjectClass: organization 
creatorsName: cn=admin,dc=location,dc=example,dc=com 
entryUUID: 4aad3c38-bae8-1036-8303-954f43b481de 
createTimestamp: 20170421141226Z 
entryCSN: 20170421141226.542122Z#000000#000#000000 
modifiersName: cn=admin,dc=location,dc=example,dc=com 
modifyTimestamp: 20170421141226Z 
contextCSN: 20170421141335.948963Z#000000#001#000000 
contextCSN: 20170421141314.583141Z#000000#002#000000 
 
dn: cn=admin,dc=location,dc=example,dc=com 
objectClass: simpleSecurityObject 
objectClass: organizationalRole 
cn: admin 
description: LDAP administrator 
structuralObjectClass: organizationalRole 
creatorsName: cn=admin,dc=location,dc=example,dc=com 
userPassword:: e10234hf0eyh230h23sdjksd03r2fhdfgasdldefg023= 
entryUUID: 4aad4b92-bae8-1036-8304-953420fh1de 
createTimestamp: 20170421141226Z 
entryCSN: 20170421141226.542544Z#000000#000#000000 
modifiersName: cn=admin,dc=location,dc=example,dc=com 
modifyTimestamp: 20170421141226Z

You can change this layout, and a couple of other things, by running ‘dpkg-reconfigure slapd’, but that is beyond the scope of this howto.

Step three: Configure Mirroring

Now that both OpenLDAP servers are up and running, lets get the mirroring working. This is done it two parts.

Part A: Mirroring the configuration tree

Instead of editing the /etc/slapd.conf file like in the old days, new versions of OpenLDAP store their configuration in the LDAP directory itself. This means that once it’s set up, even configuration and schema changes will be mirrored. It’s a fantastic thing, but it’s a bit, well, weird to set up if you’re coming from the file editing days.

I’m not going to do much explanation of how this works. It’s boring and all you really want is to get this up and running so you have a redundant LDAP database, right?

Create a file called ‘syncconfig.ldif’ in roots home directory. It should look like this:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov.la

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: THE_PASSWORD_YOU_SAVED

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://host1.location.example.com/
olcServerID: 2 ldap://host2.location.example.com/

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://host1.location.example.com/ binddn="cn=config"
  bindmethod=simple credentials=THE_PASSWORD_YOU_SAVED
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://host2.location.example.com/ binddn="cn=config"
  bindmethod=simple credentials=THE_PASSWORD_YOU_SAVED
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

Now copy that to both servers, and on both servers run:

# ldapadd -Y EXTERNAL -H ldapi:/// -f syncconfig.ldif

WARNING! These ldif files should have NO TRAILING WHITESPACE after any line. If there is any trailing whitespace, the above command will fail with errors like:

ldapadd: wrong attributeType at line 5, entry "cn=module{0},cn=config"

You may want to restart your OpenLDAP daemons:

# /etc/init.d/slapd restart

They should come up without any errors.

Congrats! Now your configuration will automatically sync between your servers. Any config changes we make from one of the hosts will propagate to the other.

Part B: Mirroring the dc=location,dc=example,dc=com tree

Now that this is working, we setup the syncing of the ‘dc=location,dc=example,dc=com’ tree. To do this, we create another file called ‘synctree.ldif’. It should look like this:

dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://host1.location.example.com/ binddn="cn=admin,dc=location,dc=example,dc=com"
  bindmethod=simple credentials=THE_PASSWORD_YOU_SAVED
  searchbase="dc=location,dc=example,dc=com" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=001 provider=ldap://host2.location.example.com/ binddn="cn=admin,dc=location,dc=example,dc=com"
  bindmethod=simple credentials=THE_PASSWORD_YOU_SAVED
  searchbase="dc=location,dc=example,dc=com" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

Since the config is synced, we only need to run this on one of the servers:

# ldapadd -Y EXTERNAL -H ldapi:/// -f synctree.ldif

You don’t need to restart the daemons after this, but why not…. and that’s it! Now the configuration AND the ‘dc=location,dc=example,dc=com’ trees are synced.

https://iambenjaminlong.com/2017/04/21/configuring-openldap-multi-master-replication-on-ubuntu-16-04/

Ubuntu 16.04 LTS : OpenLDAP : LDAP Replication

Engineering and technology notes

Jovan Stosic April 14, 2020

	Configure OpenLDAP Replication to continue Directory service if OpenLDAP master server would be down. OpenLDAP master server is called “Provider” and OpenLDAP Slave server is called “Consumer” on OpenLDAP.
[1]	Configure Basic LDAP Server settings on both Provider and Consumer, refer to here.
[2]	Configure LDAP Provider. Add syncprov module.

root@dlp:~#

vi mod_syncprov.ldif

# create new

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov.la

root@dlp:~#

ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

root@dlp:~#

vi syncprov.ldif

# create new

dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

root@dlp:~#

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=syncprov,olcDatabase={1}mdb,cn=config"

[3]	Configure LDAP Consumer.

root@node01:~#

vi syncrepl.ldif

# create new

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001

# LDAP server’s URI

  provider=ldap://10.0.0.30:389/
  bindmethod=simple

# own domain name

  binddn="cn=admin,dc=srv,dc=world"

# directory manager’s password

  credentials=password
  searchbase="dc=srv,dc=world"

# includes subtree

  scope=sub
  schemachecking=on
  type=refreshAndPersist

# [retry interval] [retry times] [interval of re-retry] [re-retry times]

  retry="30 5 300 3"

# replication interval

  interval=00:00:05:00

root@node01:~#

ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

# confirm settings to search datas

root@node01:~#

ldapsearch -x -b ‘ou=people,dc=srv,dc=world’

# people, srv.world
dn: ou=people,dc=srv,dc=world
objectClass: organizationalUnit
ou: people
...
...

[4]	Configure LDAP Client to bind LDAP Consumer, too.

root@www:~#

vi /etc/ldap.conf

# line 30: add LDAP Consumer

uri ldap://dlp.srv.world/

ldap://node01.srv.world/

Source: Ubuntu 16.04 LTS : OpenLDAP : LDAP Replication : Server World

OpenLDAP Server

Engineering and technology notes

Jovan Stosic April 14, 2020

If you have set up replication between servers, it is common practice to encrypt (StartTLS) the replication traffic to prevent evesdropping. This is distinct from using encryption with authentication as we did above. In this section we will build on that TLS-authentication work.

The assumption here is that you have set up replication between Provider and Consumer according to Replication and have configured TLS for authentication on the Provider by following TLS.

As previously stated, the objective (for us) with replication is high availablity for the LDAP service. Since we have TLS for authentication on the Provider we will require the same on the Consumer. In addition to this, however, we want to encrypt replication traffic. What remains to be done is to create a key and certificate for the Consumer and then configure accordingly. We will generate the key/certificate on the Provider, to avoid having to create another CA certificate, and then transfer the necessary material over to the Consumer.

On the Provider,

Create a holding directory (which will be used for the eventual transfer) and then the Consumer’s private key:

mkdir ldap02-ssl
cd ldap02-ssl
sudo certtool --generate-privkey \
--bits 1024 \
--outfile ldap02_slapd_key.pem

Create an info file, ldap02.info, for the Consumer server, adjusting its values accordingly:

organization = Example Company
cn = ldap02.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650

Create the Consumer’s certificate:

sudo certtool --generate-certificate \
--load-privkey ldap02_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem \
--load-ca-privkey /etc/ssl/private/cakey.pem \
--template ldap02.info \
--outfile ldap02_slapd_cert.pem

Get a copy of the CA certificate:

cp /etc/ssl/certs/cacert.pem .

We’re done. Now transfer the ldap02-ssl directory to the Consumer. Here we use scp (adjust accordingly):

cd ..
scp -r ldap02-ssl user@consumer:

On the Consumer,

Configure TLS authentication:

sudo apt install ssl-cert
sudo gpasswd -a openldap ssl-cert
sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs
sudo cp ldap02_slapd_key.pem /etc/ssl/private
sudo chgrp openldap /etc/ssl/private/ldap02_slapd_key.pem
sudo chmod 0640 /etc/ssl/private/ldap02_slapd_key.pem
sudo systemctl restart slapd.service

Create the file /etc/ssl/certinfo.ldif with the following contents (adjust accordingly):

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem

Configure the slapd-config database:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

Configure /etc/default/slapd as on the Provider (SLAPD_SERVICES).

On the Consumer,

Configure TLS for Consumer-side replication. Modify the existing olcSyncrepl attribute by tacking on some TLS options. In so doing, we will see, for the first time, how to change an attribute’s value(s).

Create the file consumer_sync_tls.ldif with the following contents:
```
dn: olcDatabase={1}mdb,cn=config
replace: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple
 binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"
 logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
 schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
 starttls=critical tls_reqcert=demand
```
The extra options specify, respectively, that the consumer must use StartTLS and that the CA certificate is required to verify the Provider’s identity. Also note the LDIF syntax for changing the values of an attribute (‘replace’).

Implement these changes:
```
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif
```
And restart slapd:
```
sudo systemctl restart slapd.service
```

On the Provider,

Check to see that a TLS session has been established. In /var/log/syslog, providing you have ‘conns’-level logging set up, you should see messages similar to:

slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)
slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[3620]: conn=1047 op=0 STARTTLS
slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=
slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text

Source: OpenLDAP Server