Difference between revisions of "OpenLDAP"

From Michael's Information Zone
Latest revision as of 10:56, 19 March 2018

Active Directory LDAP Proxy

Purpose

To proxy secure LDAP (LDAPS) requests from the internet to Microsoft Active Directory, so that the domain controllers themselves are never exposed directly.

Commands

CentOS 7

On a clean CentOS 7 install with epel-release installed (not needed for these packages, but it is part of my initial setup script).


# Packages (openldap-servers ships a populated /etc/openldap/slapd.d but no slapd.conf)
yum -y install openldap openldap-servers

# Write slapd.conf; the quoted 'EOF' keeps the shell from expanding anything inside.
# The file holds the AD bind password, so it must not stay world-readable (chmod below).
cat <<'EOF' >/etc/openldap/slapd.conf
moduleload              back_ldap

include                 /etc/openldap/schema/core.schema
include                 /etc/openldap/schema/cosine.schema
include                 /etc/openldap/schema/nis.schema
include                 /etc/openldap/schema/inetorgperson.schema

pidfile                 /var/run/openldap/slapd.pid
argsfile                /var/run/openldap/slapd.args

sizelimit               unlimited

idletimeout             3600
writetimeout            600

# back-ldap: every operation the proxy receives is forwarded to the DC named in uri.
# ldap:// is cleartext on 389; once the DC certificate is trusted, make this leg
# ldaps:// (or StartTLS), otherwise the relayed bind passwords cross the wire in the clear.
database                ldap
suffix                  "dc=your,dc=tld"
uri                     "ldap://domaincontroller"
chase-referrals         no
idassert-bind           bindmethod=simple
                        mode=self
                        binddn="cn=binduser,ou=Users,DC=your,DC=tld"
                        credentials="password"

# loglevel selects what slapd sends to syslog (facility local4);
# logfile only receives debug output when slapd is started with -d.
logfile                 /var/log/slapd.log
loglevel                1
EOF
chown root:ldap /etc/openldap/slapd.conf
chmod 640 /etc/openldap/slapd.conf

# Convert to the slapd.d (cn=config) format that slapd reads on CentOS 7.
# A populated slapd.d takes precedence over slapd.conf, so clear the package default
# first, and hand the result to the ldap user that slapd runs as.
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl enable slapd
systemctl start slapd

# This opens cleartext LDAP (389) to whatever can reach the host; after the LDAPS
# section below, replace it with --add-service=ldaps and --remove-service=ldap.
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

When finished, you can query the proxy, but you must authenticate: back-ldap relays the client's bind to AD, and a domain controller with default settings does not answer anonymous searches of the directory, so an unauthenticated query returns nothing. Note that the relayed password crosses the proxy-to-DC link over whatever transport uri names; with ldap://domaincontroller that link is cleartext until it is changed to ldaps:// (or StartTLS). Use -W so the password is prompted for rather than left in shell history and the process list:

ldapsearch -v -x -H ldap://<openldap ip/FQDN> -D "cn=binduser,ou=Users,DC=your,DC=tld" -W -b "OU=Users,DC=your,DC=tld"

LDAPS

Edit /etc/sysconfig/slapd so that slapd listens for LDAPS (ldaps:///, port 636) instead of cleartext LDAP, install the certificate and key for the proxy's public name and reference them in slapd.conf with TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile (then repeat the slaptest conversion, clearing slapd.d first, since that is what slapd reads), restart slapd, and swap the firewall service from ldap to ldaps. The lisenet.com write-up covers the certificate side[1]. Verify with ldapsearch -H ldaps://<openldap FQDN> ... against the name the certificate was issued for, not the IP address.

sed -i 's|^SLAPD_URLS=.*|SLAPD_URLS="ldapi:/// ldaps:///"|' /etc/sysconfig/slapd
systemctl restart slapd
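Both steps above (the CentOS 7 procedure and the LDAPS change) can each leave one leg of the path in the clear: the listener stays on 389 until SLAPD_URLS is changed, and the proxy-to-DC leg stays ldap:// regardless. The following is an added example, not code from this page or from the OpenLDAP project: a small Python audit that parses a slapd.conf (joining the continuation lines the idassert-bind block uses) together with the SLAPD_URLS value and the config file mode, and reports the settings that defeat the "secure LDAP from the internet" goal. The two configurations inside it are constructed for the example; the weak one mirrors the slapd.conf above, the hardened one adds the listener certificate directives and an ldaps:// DC address. dc1.your.tld, the certificate paths and the bind account are placeholders.

```python
"""Static audit of an OpenLDAP back-ldap proxy in front of Active Directory.

Added example, not code from the page or from OpenLDAP. It parses a slapd.conf
(a line starting with whitespace continues the previous directive, as in the
idassert-bind block), the SLAPD_URLS value from /etc/sysconfig/slapd and the
config file mode, and reports settings that leave a leg of the path in the clear.
Both configs are constructed for the example; hosts, paths and the bind account
are placeholders.
"""
import shlex

# Mirrors the page's slapd.conf, trimmed to the directives the audit inspects.
WEAK_CONF = """\
database                ldap
suffix                  "dc=your,dc=tld"
uri                     "ldap://domaincontroller"
idassert-bind           bindmethod=simple
                        mode=self
                        binddn="cn=binduser,ou=Users,DC=your,DC=tld"
                        credentials="password"
"""

# Hardened variant: certificate for the ldaps:/// listener, LDAPS to the DC.
# The DC's issuing CA must be trusted by libldap (TLS_CACERT in /etc/openldap/ldap.conf).
HARDENED_CONF = """\
TLSCACertificateFile    /etc/openldap/certs/ca-chain.pem
TLSCertificateFile      /etc/openldap/certs/proxy.crt
TLSCertificateKeyFile   /etc/openldap/certs/proxy.key
database                ldap
suffix                  "dc=your,dc=tld"
uri                     "ldaps://dc1.your.tld:636"
idassert-bind           bindmethod=simple
                        mode=self
                        binddn="cn=binduser,ou=Users,DC=your,DC=tld"
                        credentials="password"
"""


def parse_slapd_conf(text):
    """Return [(directive, [args])] with continuation lines joined and quotes removed."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # continuation of the previous directive
        else:
            logical.append(raw.strip())
    parsed = []
    for line in logical:
        parts = shlex.split(line)               # strips the double quotes slapd.conf uses
        parsed.append((parts[0].lower(), parts[1:]))
    return parsed


def audit_proxy(slapd_conf, slapd_urls, conf_mode):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    directives = parse_slapd_conf(slapd_conf)
    names = {name for name, _ in directives}
    tls_args = next((args for name, args in directives if name == "tls"), [])
    tls_mode = tls_args[0].lower() if tls_args else None

    # Proxy -> DC leg: back-ldap's uri must be LDAPS, or ldap:// with mandatory StartTLS.
    for name, args in directives:
        if name == "uri":
            for uri in args:
                if uri.lower().startswith("ldap://") and tls_mode not in ("start", "propagate"):
                    findings.append(f"uri {uri}: cleartext to the DC; use ldaps:// or 'tls start'")
    if tls_mode in ("try-start", "try-propagate"):
        findings.append(f"tls {tls_mode}: opportunistic, falls back to cleartext")
    for opt in tls_args[1:]:
        if opt.lower() in ("tls_reqcert=never", "tls_reqcert=allow"):
            findings.append(f"{opt}: DC certificate is not verified")

    # Internet -> proxy leg: only ldaps:/// (plus the local ldapi:/// socket) should listen,
    # and an ldaps:/// listener needs a certificate and key or slapd cannot serve TLS.
    listeners = slapd_urls.split()
    if any(u.lower().startswith("ldap://") for u in listeners):
        findings.append("SLAPD_URLS exposes a cleartext ldap:// listener on 389")
    if any(u.lower().startswith("ldaps://") for u in listeners):
        for need in ("tlscertificatefile", "tlscertificatekeyfile"):
            if need not in names:
                findings.append(f"ldaps:/// listener but no {need} directive")

    # The idassert-bind password is stored in the config (and copied into slapd.d by slaptest).
    has_secret = any(name == "idassert-bind" and any(a.lower().startswith("credentials=") for a in args)
                     for name, args in directives)
    if has_secret and conf_mode & 0o007:
        findings.append(f"config mode {conf_mode:04o} is world-readable but holds the AD bind password")
    return findings


def audit_page_configs():
    """Weak config as the page ships it (0644 from a root umask) versus the hardened one."""
    return (audit_proxy(WEAK_CONF, "ldapi:/// ldap:///", 0o644),
            audit_proxy(HARDENED_CONF, "ldapi:/// ldaps:///", 0o640))


if __name__ == "__main__":
    print(audit_page_configs())
```

Against the page's configuration it reports three findings (cleartext uri to the DC, a cleartext listener in SLAPD_URLS, and a world-readable file holding the bind password); the hardened configuration reports none. To run it against a real host, feed it the contents of /etc/openldap/slapd.conf, the SLAPD_URLS value from /etc/sysconfig/slapd and the file mode from os.stat; the same password also lands in the olcDatabase={1}ldap.ldif that slaptest writes into slapd.d, which is why that directory is chowned to ldap rather than left readable to everyone.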

Notes

  • Interesting YouTube video that covers everything except enabling TLS[2]
  • OpenLDAP as a proxy to Active Directory, as described in the Samba wiki[3]
  • A guide by owncloud.org[4]
  • A possible how-to on enabling TLS[5]
  • Here is someone who has already gone through the work for me. I will be working off of this how-to.[6]

References

  [1] https://www.lisenet.com/2016/openldap-with-ssl-and-nfs-for-user-home-directories-on-centos-7/
  [2] https://www.youtube.com/watch?v=bp8ffdY7Mu4
  [3] https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD
  [4] https://doc.owncloud.org/server/10.0/admin_manual/configuration/ldap/ldap_proxy_cache_server_setup.html
  [5] https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html
  [6] https://howdoilinux.com/2015/05/openldap-to-active-directory-proxy-configuration/