Openldap: how to configure replication without a plain text password
Environment
- Red Hat Enterprise Linux 5/6
- Openldap 2.3
Issue
We recently set up an openldap directory with 2 servers replicating to each other with the following configuration:
syncrepl rid=000
provider=ldaps://ATUPRD2
type=refreshAndPersist
retry="5 5 300 +"
searchbase="dc=maif,dc=local"
attrs="*,+"
bindmethod=simple
binddn="cn=replicator,ou=Comptes service,ou=Comptes,dc=maif,dc=local"
credentials=xxxxxxxx
We tried configuring replication with SASL EXTERNAL authentication to avoid the plain text password, without success.
- Is it possible to set up replication without a plaintext password?
- What kind of connection is required? Is SASL EXTERNAL the correct direction?
Resolution
1. Setup openldap server
- Install the openldap-servers package
- Configure the basic settings (database, suffix, rootdn etc.)
2. Setup SSL
- Create a key for the ldap server (openssl genrsa)
- Generate a certificate request (openssl req -new), pointing it at that key, and provide the additional details required (FQDN of the host as the Common Name, country, location etc.). The FQDN matters: clients check it against the host name in the URI they connect to.
- Sign the certificate using your CA (if you do not have an existing CA, set one up using openssl or Red Hat Certificate System)
- Copy the signed certificate to the ldap server.
- Add the following to slapd.conf
TLSCACertificateFile /etc/openldap/cacerts/ca.crt # (CA certificate; TLSCACertificatePath is for a directory of hashed CA certificates, not a single file)
TLSCertificateFile /etc/openldap/certs/slapd.pem # (ldap server certificate)
TLSCertificateKeyFile /etc/openldap/certs/slapd.key # (ldap server certificate key; readable by the ldap user only)
3. Configure your client to use SSL/TLS and see if you can connect to the ldap server using SSL/TLS
- Copy the CA certificate (the CA certificate used to sign the ldap server's certificate) to the /etc/openldap/cacerts directory.
- Make sure /etc/openldap/ldap.conf contains the following (TLS_CACERT with the path of the CA certificate file works as an alternative to TLS_CACERTDIR).
TLS_CACERTDIR /etc/openldap/cacerts
BASE
URI ldap://ldap.server.example.com # This should be the FQDN of the ldap server; an IP address won't work, as it won't match the CN of the ldap server certificate (as mentioned earlier, the server certificate needs to be created using the FQDN)
4. Check that the ldap client connects to the ldap server using SSL/TLS
Example:
# ldapsearch -x -H ldaps://ldap.example.com uid=foo (testing using ldaps)
# ldapsearch -x -H ldap://ldap.example.com -ZZ uid=foo (testing using StartTLS; -ZZ makes the search fail if StartTLS does not succeed, whereas a single -Z carries on in the clear)
5. Create a certificate for the client/user.
Follow the steps mentioned in step 2 to create the certificate for the user/client (create a key and a CSR and get the certificate signed by the same CA; enter the user id when prompted for 'Common Name').
Note down the subject from the certificate (openssl x509 -in <certificate file> -noout -text). slapd sees this subject in reversed form, most specific RDN first, with lowercased attribute types; that reversed form is what has to be used on slapd to map the certificate to the user.
6. Configure the ldap server to ask for and verify the client certificate
Add the following to the slapd.conf file
TLSVerifyClient allow
With allow, slapd requests a certificate but still lets the session continue when none is sent or the one sent does not verify; the SASL EXTERNAL bind then simply has no identity to map and fails. Use try (a bad certificate terminates the session) or demand (a valid certificate is required) if this server should refuse such sessions outright. The default, never, does not request a certificate at all, so EXTERNAL cannot work with it.
- Add authz-regexp into slapd.conf.
For example, consider the following subject in the certificate.
C=IN, ST=Kerala, L=Calicut, O=Red Hat, OU=GSS, CN=test-user/emailAddress=test-user@redhat.com
Add the regexp as shown below.
authz-regexp "email=test-user@redhat.com,cn=test-user,ou=gss,o=red hat,l=calicut,st=kerala,c=in" "uid=test-user,ou=People,dc=pnq,dc=redhat,dc=com"
With the above, we map the certificate to test-user. Note the form of the first argument: the subject's RDNs in reverse order, the type emailAddress written as email, and everything lowercased, which is how slapd presents the identity of a certificate-authenticated client. This works only for that one user; to map many users, replace the cn value with a capture group and reference it as $1 in the target DN, keeping the OU/O/L/ST/C part literal so that only certificates from that branch of your CA's naming are mapped. The mapping only yields a DN: the provider's access rules must still grant that DN read access to the replicated subtree, including operational attributes, for syncrepl to work.
- Let's test the client certificate using the ldapsearch utility.
On the client, create a .ldaprc file (in the user's home directory) with the following content.
# cat /home/test-user/.ldaprc
SASL_MECH EXTERNAL
TLS_CERT /etc/openldap/cacerts/replicator.pem
TLS_KEY /etc/openldap/cacerts/replicator-key.pem
TLS_CACERTDIR /etc/openldap/cacerts
# ldapsearch -Z
Do not pass -x here: it forces a simple bind and bypasses SASL. The private key now stands in for the password, so it must be readable by the user running the search (and, on the consumer, by the ldap user slapd runs as) and by nobody else.
- Watch the logs on the ldap server; make sure the client connects, uses TLS and the EXTERNAL mechanism, and that the bind DN is mapped to the actual user DN (on the client, ldapwhoami -Z prints the DN the server mapped you to).
If the above works fine, go ahead and configure the provider/consumer. The consumer authenticates with the replicator certificate instead of a password, so its syncrepl stanza carries bindmethod=sasl, saslmech=EXTERNAL and the certificate/key paths; the provider side needs the TLSVerifyClient and authz-regexp settings from the previous steps, plus access rules granting the mapped DN read access to the replicated subtree. For two servers replicating to each other, as in the question, configure both sides this way, each with its own client certificate and its own mapping on the other server.
Sample Consumer configuration:
syncrepl rid=100
provider=ldap://dhcp200-189.pnq.redhat.com
type=refreshOnly
interval=00:00:05:00
retry="5 5 300 +"
searchbase="dc=pnq,dc=redhat,dc=com"
attrs="*,+"
bindmethod=sasl
saslmech=EXTERNAL
tls_cert=/etc/openldap/cacerts/replicator.pem
tls_key=/etc/openldap/cacerts/replicator-key.pem
tls_cacert=/etc/openldap/cacerts/ca.crt
tls_reqcert=demand
starttls=yes
tls_reqcert=demand makes the consumer verify the provider's certificate against tls_cacert and abort otherwise; starttls=yes upgrades the ldap:// connection before the bind (starttls=critical refuses to continue if StartTLS fails). The consumer process must be able to read tls_key, so the file should be owned by the ldap user with mode 0600.
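As an added example (not code from the Red Hat article or from OpenLDAP), the following Python script does the bookkeeping behind the "note down the subject" and authz-regexp steps above: it parses a certificate subject as openssl prints it, produces the reversed, lowercased identity slapd matches against, and emits both the one-user authz-regexp line shown above and a generalized form that captures the CN (the "customize the regexp" case). The sample subjects, the replicator certificate and the uid=...,ou=People,dc=pnq,dc=redhat,dc=com target are constructed to match the article; lowercasing of values follows the article's example and slapd's DN normalization; simulate_mapping uses Python's re engine as a stand-in for the POSIX regex slapd compiles, which agrees for the constructs used here.

```python
"""Derive the SASL EXTERNAL identity slapd sees for a TLS client certificate
and emit the matching authz-regexp lines.  Added example, not from the article."""
import re

# OpenLDAP names the PKCS#9 emailAddress attribute "email".
TYPE_ALIASES = {"emailaddress": "email"}

# Split on ", " or "/" only where an "attr=" follows, so a separator character
# inside a value (e.g. "O=Red Hat, Inc.") does not break that RDN apart.
_RDN_SPLIT = re.compile(r"(?:,\s*|/)(?=[A-Za-z][A-Za-z0-9.]*\s*=)")


def parse_openssl_subject(subject):
    """Return (type, value) pairs in certificate order from an OpenSSL subject
    string: the -text "Subject:" line in its old (CN=x/emailAddress=y) or new
    (CN = x, emailAddress = y) spelling, or the -subject one-line form
    (/C=IN/ST=Kerala/...)."""
    s = re.sub(r"^\s*(?:Subject:|subject=)\s*", "", subject, flags=re.IGNORECASE)
    s = s.strip().lstrip("/")
    rdns = []
    for part in _RDN_SPLIT.split(s):
        if part.strip():
            attr_type, value = part.split("=", 1)
            rdns.append((attr_type.strip(), value.strip()))
    return rdns


def _normalized(rdns):
    """LDAP (RFC 4514) order is the reverse of certificate order; slapd lowercases
    attribute types and, when normalizing the DN before the authz-regexp match,
    the values as well (the article's example shows the same form)."""
    out = []
    for attr_type, value in reversed(rdns):
        t = attr_type.lower()
        out.append((TYPE_ALIASES.get(t, t), value.lower()))
    return out


def sasl_external_authcid(rdns):
    """The identity a SASL EXTERNAL bind over TLS carries for this certificate."""
    return ",".join(f"{t}={v}" for t, v in _normalized(rdns))


def authz_regexp_exact(rdns, target_dn):
    """Single-user mapping as in the article, anchored with ^...$ so only the whole
    identity matches.  '.' is deliberately left unescaped: it matches one arbitrary
    character, harmless here, and avoids backslashes, which slapd.conf quoting
    treats specially."""
    return f'authz-regexp "^{sasl_external_authcid(rdns)}$" "{target_dn}"'


def authz_regexp_by_cn(rdns, target_template, capture="cn"):
    """Many-user mapping: the CN value becomes a capture group ($1 in the target),
    RDNs more specific than the CN (email) become wildcards, and the less specific
    ones (ou, o, l, st, c) stay literal so only certificates from that branch of
    the CA's subject naming are mapped."""
    pattern, seen = [], False
    for t, v in _normalized(rdns):
        if t == capture:
            pattern.append(f"{t}=([^,]*)")
            seen = True
        elif not seen:
            pattern.append(f"{t}=[^,]*")
        else:
            pattern.append(f"{t}={v}")
    if not seen:
        raise ValueError(f"subject has no {capture} RDN")
    joined = ",".join(pattern)
    return f'authz-regexp "^{joined}$" "{target_template}"'


def simulate_mapping(authz_line, authcid):
    """Apply an authz-regexp line the way slapd does: match the pattern against the
    SASL identity and substitute $1..$9 into the target.  Returns the mapped DN,
    or None when the line does not apply."""
    m = re.fullmatch(r'authz-regexp "([^"]*)" "([^"]*)"', authz_line)
    pattern, target = m.group(1), m.group(2)
    hit = re.match(pattern, authcid)
    if hit is None:
        return None
    return re.sub(r"\$(\d)", lambda g: hit.group(int(g.group(1))), target)


# Constructed sample input: the subject from the article (old openssl spelling)
# and a replicator certificate from the same CA and OU (new openssl spelling).
TEST_USER_SUBJECT = ("C=IN, ST=Kerala, L=Calicut, O=Red Hat, OU=GSS, "
                     "CN=test-user/emailAddress=test-user@redhat.com")
REPLICATOR_SUBJECT = ("C = IN, ST = Kerala, L = Calicut, O = Red Hat, OU = GSS, "
                      "CN = replicator, emailAddress = replicator@redhat.com")
PEOPLE = "ou=People,dc=pnq,dc=redhat,dc=com"   # target branch, as in the article

if __name__ == "__main__":
    user = parse_openssl_subject(TEST_USER_SUBJECT)
    repl = parse_openssl_subject(REPLICATOR_SUBJECT)
    exact = authz_regexp_exact(user, f"uid=test-user,{PEOPLE}")
    by_cn = authz_regexp_by_cn(user, f"uid=$1,{PEOPLE}")
    print(exact)
    print(by_cn)
    for rdns in (user, repl):
        ident = sasl_external_authcid(rdns)
        print(ident, "->", simulate_mapping(exact, ident), "|", simulate_mapping(by_cn, ident))
```

Paste the printed line into slapd.conf, then confirm from the client with ldapwhoami -Z that the server returns the mapped uid=... DN rather than the unmapped certificate DN; if it still returns the certificate DN, the pattern and the normalized identity differ somewhere, and the slapd log at a SASL/ACL debug level shows the exact string it tried to match.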
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.