Openldap: how to configure replication without a plain text password

Solution Unverified

Environment

  • Red Hat Enterprise Linux 5/6
  • Openldap 2.3

Issue

We recently set up an openldap directory with 2 servers replicating to each other, using the following configuration:

syncrepl rid=000
        provider=ldaps://ATUPRD2
        type=refreshAndPersist
        retry="5 5 300 +"
        searchbase="dc=maif,dc=local"
        attrs="*,+"
        bindmethod=simple
        binddn="cn=replicator,ou=Comptes service,ou=Comptes,dc=maif,dc=local"
        credentials=xxxxxxxx

We tried configuring replication with external SASL authentication to avoid a plain text password, with no success.
- Is it possible to set up replication without a plaintext password?
- What kind of connection is required? Is external SASL the correct direction?

Resolution

  1. Set up the openldap server

    • Install the openldap-servers package
    • Configure the basics (database, suffix, rootdn, etc.)
  2. Set up SSL

    • Create a key for the ldap server (openssl genrsa)
    • Generate a certificate request, pointing at the key location and providing the additional details required (the FQDN of the host as the Common Name, country, location, etc.).
    • Sign the certificate using your CA (if you do not have an existing CA, set one up using openssl or Red Hat Certificate System)
    • Copy the signed certificate to the ldap server.
    • Add the following to slapd.conf (TLSCACertificateFile takes a single file; TLSCACertificatePath would expect a directory of CA certificates)
      TLSCACertificateFile /etc/openldap/cacerts/ca.crt    # (CA certificate)
      TLSCertificateFile /etc/openldap/certs/slapd.pem     # (ldap server certificate)
      TLSCertificateKeyFile  /etc/openldap/certs/slapd.key # (ldap server certificate key)
  3. Configure your client to use SSL/TLS and check that you can connect to the ldap server over SSL/TLS

    • Copy the CA certificate (the CA certificate used to sign the ldap server's certificate) to the /etc/openldap/cacerts directory.
    • Make sure /etc/openldap/ldap.conf contains the following.

      TLS_CACERTDIR /etc/openldap/cacerts
      BASE
      URI ldap://ldap.server.example.com # This must be the FQDN of the ldap server; an IP address will not work because it does not match the CN of the server certificate (as mentioned earlier, the server certificate must be created with the FQDN)

  4. Check that the ldap client connects to the ldap server using SSL/TLS

    Example:

      # ldapsearch -x -H ldaps://ldap.example.com uid=foo     (testing using ldaps)
      # ldapsearch -x -H ldap://ldap.example.com -Z uid=foo   (testing using STARTTLS)
  5. Create a certificate for the client/user.

    Follow the steps in step 2 to create a certificate for the user/client (create a key and CSR, and get the certificate signed by the same CA; enter the userid when prompted for 'Common Name').

    Note down the subject of the certificate (openssl x509 -in <certificate-file> -noout -text); the reversed form of this subject is what slapd needs in order to map the certificate to the user.

  6. Configure the ldap server to request/verify the client certificate

    Add the following to the slapd.conf file

    TLSVerifyClient allow

    With allow, slapd requests a client certificate but still lets the session proceed when none, or an invalid one, is presented; such clients simply cannot bind with SASL EXTERNAL. Use demand instead if every client must present a valid certificate.
  7. Add an authz-regexp to slapd.

For example, consider the following subject in the certificate.

  C=IN, ST=Kerala, L=Calicut, O=Red Hat, OU=GSS, CN=test-user/emailAddress=test-user@redhat.com

Add the regexp as shown below (the subject is reversed, emailAddress becomes email, and slapd compares the normalised, lowercase form).

  authz-regexp "email=test-user@redhat.com,cn=test-user,ou=gss,o=red hat,l=calicut,st=kerala,c=in" "uid=test-user,ou=People,dc=pnq,dc=redhat,dc=com"

With the above, the certificate is mapped to test-user. It works only for that one user; to map many users you need to turn the match into a real regular expression and substitute the captured group into the replacement.
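To check the mapping before editing slapd.conf, the following added example (not part of the Red Hat solution or of OpenLDAP) turns an OpenSSL subject line into the normalised DN slapd uses as the SASL EXTERNAL identity and applies an authz-regexp rule to it; it models slapd's normalisation (reversed RDN order, lowercase values, emailAddress written as email) and its case-insensitive regex matching as assumptions, and goes beyond the page's literal rule by showing a generalised rule keyed on the cn. Confirm the real DN in slapd's log as the solution recommends.

```python
"""Predict the authcDN slapd derives from a client certificate subject and check
an authz-regexp against it. Added example, not part of the Red Hat solution or
of OpenLDAP; slapd's normalisation and matching are modelled as assumptions."""
import re


def subject_to_authc_dn(subject: str) -> str:
    """Turn an OpenSSL subject line into the normalised LDAP DN slapd uses as the
    SASL EXTERNAL identity. Accepts 'C=IN, ST=Kerala, ..., CN=x/emailAddress=y'
    (openssl x509 -text) and '/C=IN/ST=Kerala/...' (openssl x509 -subject).
    Values containing '/' or ',' are not handled (no escape processing)."""
    subject = re.sub(r"^\s*subject\s*=\s*", "", subject, flags=re.IGNORECASE)
    rdns = []
    for part in re.split(r"[/,]\s*", subject):
        if not part.strip():
            continue
        attr_type, _, value = part.partition("=")
        attr_type = attr_type.strip().lower()
        if attr_type == "emailaddress":       # OpenSSL name -> slapd short name
            attr_type = "email"
        rdns.append(f"{attr_type}={value.strip().lower()}")
    return ",".join(reversed(rdns))           # X.509 is root-first, LDAP leaf-first


def apply_authz_regexp(authc_dn: str, match: str, replace: str):
    """Apply one authz-regexp rule; return the mapped DN or None if it does not
    match. slapd compiles <match> as an extended, case-insensitive regex and
    expands $1..$9 in <replace>; this is a simplified model of that."""
    m = re.search(match, authc_dn, flags=re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replace)


if __name__ == "__main__":
    # Subject constructed from the certificate shown in the authz-regexp step.
    authc = subject_to_authc_dn("C=IN, ST=Kerala, L=Calicut, O=Red Hat, OU=GSS, "
                                "CN=test-user/emailAddress=test-user@redhat.com")
    print("authcDN:", authc)
    base = ",ou=gss,o=red hat,l=calicut,st=kerala,c=in"
    # The solution's literal rule (one user) and a generalised one keyed on cn.
    print(apply_authz_regexp(authc, "email=test-user@redhat.com,cn=test-user" + base,
                             "uid=test-user,ou=People,dc=pnq,dc=redhat,dc=com"))
    print(apply_authz_regexp(authc, "^email=[^,]+,cn=([^,]+)" + base + "$",
                             "uid=$1,ou=People,dc=pnq,dc=redhat,dc=com"))
```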

  8. Test the client certificate using the ldapsearch utility.

On the client, create a .ldaprc file in the user's home directory with the following content.

  # cat /home/test-user/.ldaprc
  SASL_MECH EXTERNAL
  TLS_CERT /etc/openldap/cacerts/replicator.pem
  TLS_KEY /etc/openldap/cacerts/replicator-key.pem
  TLS_CACERTDIR /etc/openldap/cacerts

  # ldapsearch -Z
  • Watch the logs on the ldap server and make sure the client connects, uses TLS and the EXTERNAL mechanism, and that the bind DN is mapped to the actual user DN.

If the above works fine, go ahead and configure provider/consumer.

Sample consumer configuration:

syncrepl rid=100
        provider=ldap://dhcp200-189.pnq.redhat.com
        type=refreshOnly
        interval=00:00:05:00
        retry="5 5 300 +"
        searchbase="dc=pnq,dc=redhat,dc=com"
        attrs="*,+"
        bindmethod=sasl
        saslmech=EXTERNAL
        tls_cert=/etc/openldap/cacerts/replicator.pem
        tls_key=/etc/openldap/cacerts/replicator-key.pem
        tls_cacert=/etc/openldap/cacerts/ca.crt
        tls_reqcert=demand
        starttls=yes

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
