OpenLDAP Server

Jovan Stosic April 14, 2020

If you have set up replication between servers, it is common practice to encrypt (StartTLS) the replication traffic to prevent evesdropping. This is distinct from using encryption with authentication as we did above. In this section we will build on that TLS-authentication work.

The assumption here is that you have set up replication between Provider and Consumer according to Replication and have configured TLS for authentication on the Provider by following TLS.

As previously stated, the objective (for us) with replication is high availablity for the LDAP service. Since we have TLS for authentication on the Provider we will require the same on the Consumer. In addition to this, however, we want to encrypt replication traffic. What remains to be done is to create a key and certificate for the Consumer and then configure accordingly. We will generate the key/certificate on the Provider, to avoid having to create another CA certificate, and then transfer the necessary material over to the Consumer.

  1. On the Provider,

    Create a holding directory (which will be used for the eventual transfer) and then the Consumer’s private key:

    mkdir ldap02-ssl
cd ldap02-ssl
sudo certtool --generate-privkey \
--bits 1024 \
--outfile ldap02_slapd_key.pem

    Create an info file, ldap02.info, for the Consumer server, adjusting its values accordingly:

    organization = Example Company
cn = ldap02.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650

    Create the Consumer’s certificate:

    sudo certtool --generate-certificate \
--load-privkey ldap02_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/cacert.pem \
--load-ca-privkey /etc/ssl/private/cakey.pem \
--template ldap02.info \
--outfile ldap02_slapd_cert.pem

    Get a copy of the CA certificate:

    cp /etc/ssl/certs/cacert.pem .

    We’re done. Now transfer the ldap02-ssl directory to the Consumer. Here we use scp (adjust accordingly):

    cd ..
scp -r ldap02-ssl user@consumer:

  2. On the Consumer,

    Configure TLS authentication:

    sudo apt install ssl-cert
sudo gpasswd -a openldap ssl-cert
sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs
sudo cp ldap02_slapd_key.pem /etc/ssl/private
sudo chgrp openldap /etc/ssl/private/ldap02_slapd_key.pem
sudo chmod 0640 /etc/ssl/private/ldap02_slapd_key.pem
sudo systemctl restart slapd.service

    Create the file /etc/ssl/certinfo.ldif with the following contents (adjust accordingly):

    dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem

    Configure the slapd-config database:

    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

    Configure /etc/default/slapd as on the Provider (SLAPD_SERVICES).

  3. On the Consumer,

    Configure TLS for Consumer-side replication. Modify the existing olcSyncrepl attribute by tacking on some TLS options. In so doing, we will see, for the first time, how to change an attribute’s value(s).

    Create the file consumer_sync_tls.ldif with the following contents:

    dn: olcDatabase={1}mdb,cn=config
replace: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple
 binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"
 logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
 schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
 starttls=critical tls_reqcert=demand

    The extra options specify, respectively, that the consumer must use StartTLS and that the CA certificate is required to verify the Provider’s identity. Also note the LDIF syntax for changing the values of an attribute (‘replace’).

    Implement these changes:

    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif

    And restart slapd:

    sudo systemctl restart slapd.service

  4. On the Provider,

    Check to see that a TLS session has been established. In /var/log/syslog, providing you have ‘conns’-level logging set up, you should see messages similar to:

    slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)
slapd[3620]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[3620]: conn=1047 op=0 STARTTLS
slapd[3620]: conn=1047 op=0 RESULT oid= err=0 text=
slapd[3620]: conn=1047 fd=20 TLS established tls_ssf=128 ssf=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text

Source: OpenLDAP Server

Token encryption requires a random string in keyphrase setting · ltb-project/self-service-password 

Jovan Stosic April 12, 2020

# Encryption, decryption keyphrase, required if $crypt_tokens = true # Please change it to anything long, random and complicated, you do not have to remember it # Changing it will also invalidate all previous tokens and SMS codes $keyphrase = “abcdefgh”;

Source: Token encryption requires a random string in keyphrase setting · Issue #243 · ltb-project/self-service-password · GitHub

LDAP connection [LDAP Tool Box (LTB)]

Jovan Stosic April 12, 2020

Server address

Use an LDAP URI to configure the location of your LDAP server in $ldap_url:

$ldap_url = "ldap://localhost:389";

You can set several URI, so that next server will be tried if the previous is down:

$ldap_url = "ldap://server1 ldap://server2";

To use SSL, set ldaps in the URI:

$ldap_url = "ldaps://localhost";

To use StartTLS, set true in $ldap_starttls:

$ldap_starttls = true;

Source: LDAP connection [LDAP Tool Box (LTB)]

How To Install and Configure OpenLDAP and phpLDAPadmin on an Ubuntu 14.04 Server

Jovan Stosic April 12, 2020

We also want to password protect our phpLDAPadmin location. Even though phpLDAPadmin has password authentication, this will provide an extra level of protection.

The utility that we need is contained in an Apache utility package. Get it by typing:

sudo apt-get install apache2-utils

Now that you have the utility available, you can create a password file that will contain a username that you choose and the associated hashed password.

We will keep this in the /etc/apache2 directory. Create the file and specify the username you want to use by typing:

sudo htpasswd -c /etc/apache2/htpasswd demo_user

Now, we are ready to modify Apache to take advantage of our security upgrades.

 

Modify the phpLDAPadmin Apache Configuration

The first thing we will do is modify the alias that is set up to serve our phpLDAPadmin files.

Open the file with root privileges in your text editor:

sudo nano /etc/phpldapadmin/apache.conf

This is the place where we need to decide on the URL location where we want to access our interface. The default is /phpldapadmin, but we want to change this to cut down on random login attempts by bots and malicious parties.

For this guide, we’re going to use the location /superldap, but you should choose your own value.

We need to modify the line that specifies the Alias. This should be in an IfModule mod_alias.c block. When you are finished, it should look like this:

<IfModule mod_alias.c>
    Alias /superldap /usr/share/phpldapadmin/htdocs
</IfModule>

When you are finished, safe and close the file.

Configure the HTTP Virtual Host

Next, we need to modify our current Virtual Hosts file. Open it with root privileges in your editor:

sudo nano /etc/apache2/sites-enabled/000-default.conf

Inside, you’ll see a rather bare configuration file that looks like this:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

We want to add information about our domain name or IP address to define our server name and we want to set up our redirect to point all HTTP requests to the HTTPS interface. This will match the alias we configured in the last section.

The changes we discussed will end up looking like this. Modify the items in red with your own values:

<VirtualHost *:80>
    ServerAdmin webmaster@server_domain_or_IP
    DocumentRoot /var/www/html
    ServerName server_domain_or_IP
    Redirect permanent /superldap https://server_domain_or_IP/superldap
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Save and close the file when you are finished.

The last thing we need to do is set up the location block that will implement our password protection for the entire phpLDAPadmin installation.

We do this by referencing the location where we are serving the phpLDAPadmin and setting up authentication using the file we generated. We will require anyone attempting to access this content to authenticate as a valid user:

<Location /superldap>
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /etc/apache2/htpasswd
    Require valid-user
</Location>

Save and close the file when you are finished.

Restart Apache to implement all of the changes that we have made:

sudo service apache2 restart

Source: How To Install and Configure OpenLDAP and phpLDAPadmin on an Ubuntu 14.04 Server | DigitalOcean

Owncloud/Nextcloud – Migration of database to LDAP users

Jovan Stosic April 12, 2020

1) In owncloud database change the table : oc_accounts
For the existing owncloud user in the column backend put: OC\User_LDAP\User_Proxy instead of OC\User\Database. For example:

UPDATE oc_accounts SET backend=’OCA\\User_LDAP\\User_Proxy’ WHERE user_id=’my_user’;

2) In table oc_ldap_user_mapping add the LDAP user. For example:

insert into oc_ldap_user_mapping (owncloud_name, ldap_dn, directory_uuid) values(‘my_user’,’cn=User_Name User_Surname,ou=users,dc=ris,dc=mk’,’user_uuid_from_LDAP’);

3) Delete the existing user from oc_users

delete from oc_users where uid=”my_user”;