
setting up OpenLDAP


# in vi, replace the example suffix with ours
%s/dc=yourdomain,dc=com/dc=eyebeam,dc=org

# check slapd running / ldap.conf OK
ldapsearch -x -D "cn=Manager,dc=eyebeam,dc=org" -W -b '' -s base '(objectClass=*)' namingContexts

# add the base tree; -c carries on past errors, -S writes the rejected entries to base.errors
ldapadd -x -D 'cn=Manager,dc=eyebeam,dc=org' -W -c -S base.errors -f base.ldif

---------------------------------BEGIN base.ldif---------------------------------
#
# Our base domain object
#
dn: dc=eyebeam,dc=org
objectClass: top
objectClass: dcObject
objectClass: domain
#objectClass: nisDomainObject
dc: eyebeam
#nisDomain: eyebeam.org


#
# Aliases organizational Unit
#
# Root for
#
#	nisMailAlias
#
# NIS maps covered
#
#	aliases
#
dn: ou=Aliases,dc=eyebeam,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Aliases


#
# Ethers organizational Unit
#
# Root for
#
#	ieee802Device
#	bootableDevice
#
# NIS maps covered
#
#	bootparams
#	ethers
#
dn: ou=Ethers,dc=eyebeam,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Ethers


#
# Group organizational Unit
#
# Root for
#
#	posixGroup
#	
# NIS maps covered
#
#	group
#
dn: ou=Group,dc=eyebeam,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Group


#
# Hosts organizational Unit
#
# Root for
#
#	ipHost
#	device
#
# NIS maps covered
#
#	hosts
#
dn: ou=Hosts,dc=eyebeam,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Hosts


#
# Netgroup organizational Unit
#
# Root for
#
#	nisNetgroup
#
# NIS maps covered
#
#	netgroup
#
dn: ou=Netgroup,dc=eyebeam,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Netgroup


#
# Networks organizational Unit
#
# Root for
#
#	ipNetwork
#
# NIS maps covered
#
#	netmasks
#	networks
#
dn: ou=Networks,dc=eyebeam,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Networks


#
# People organizational Unit
#
# Root for
#
#	account
#	posixAccount
#	shadowAccount
#
# NIS maps covered
#
#	passwd
#
dn: ou=People,dc=eyebeam,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People


#
# Profile organizational Unit
#
# Root for
#
#	SolarisNamingProfile
#
dn: ou=Profile,dc=eyebeam,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Profile


#
# Protocols organizational Unit
#
# Root for
#
#	ipProtocol
#
# NIS maps covered
#
#	protocols
#
dn: ou=Protocols,dc=eyebeam,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Protocols


#
# Rpc organizational Unit
#
# Root for
#
#	oncRpc
#
# NIS maps covered
#
#	rpc
#
dn: ou=Rpc,dc=eyebeam,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Rpc


#
# Services organizational Unit
#
# Root for
#
#	ipService
#
# NIS maps covered
#
#	services
#
dn: ou=Services,dc=eyebeam,dc=org
ou: Services
objectClass: top
objectClass: organizationalUnit

----------------------------------END---------------------------------



ldapadd -x -D 'cn=Manager,dc=eyebeam,dc=org' -W -c -S base.errors -f testuser.ldif


---------------------------------BEGIN testuser.ldif---------------------------------
#
# New Tester user
#
dn: uid=tester,ou=People,dc=eyebeam,dc=org
objectClass: top
objectClass: account
objectClass: posixAccount
uid: tester
cn: Test User
# cleartext; slapd also accepts a hashed value such as the {SSHA} output of slappasswd -h {SSHA}
userPassword: tester
gecos: Test User
uidNumber: 100
gidNumber: 100
homeDirectory: /home/tester
loginShell: /bin/bash
----------------------------------END---------------------------------


# test query

ldapsearch -x -D "cn=Manager,dc=eyebeam,dc=org" -W -b 'dc=eyebeam,dc=org' '(cn=*Test*)'


setting up LDAP TLS/SSL

use the instructions at http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC_Security_Upgrade, reprinted here:

OPTIONAL: Use of SSL and/or TLS encryption methods is recommended as a “best practice” because passwords are transferred over the connections between the LDAP system and whatever it talks to. Using them is completely optional, but highly recommended.

First we should create our SSL certificates. The following procedure is used to create a self-signed certificate; for more information see [http://openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html OpenLDAP SSL/TLS How-To].

First we need to create a directory for building our certs in, change to that directory and then create a new CA. The script will execute and ask you some questions about your organization.

'''YOUR NAME''' is not your name; it should be your FQDN. If you set it to anything else, clients will reject your certificate. Make sure your clients attempt to connect to the FQDN address of your host if it is multi-homed.

  1. mkdir /var/myca
  2. cd /var/myca
  3. /etc/ssl/misc/CA.sh -newca

This creates a demoCA directory with various items including demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and private key).

Next we need to create a new server certificate signing request that we can later sign with the previously generated CA cert. Again it will ask you some questions about your organization.

'''YOUR NAME''' is not your name; it should be your FQDN. If you set it to anything else, clients will reject your certificate. Make sure your clients attempt to connect to the FQDN address of your host if it is multi-homed.

  1. openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

Next we have the CA sign the CSR. After we execute it, it is going to ask us to enter the PEM pass phrase; this is the challenge passphrase we gave in the previous command. It is also going to ask if we want to sign the cert, which we do.

  1. /etc/ssl/misc/CA.sh -sign

The result of the above command should be the creation of newcert.pem, our signed cert.

Next we should move the certs to our desired certificate repository and rename them. I prefer to put them in '/certs/openldap'.

  1. mkdir -p /certs/openldap
  2. mv demoCA/cacert.pem /certs/openldap/CA-cert.pem
  3. mv newcert.pem /certs/openldap/ser-crt.pem
  4. mv newreq.pem /certs/openldap/ser-key.pem
  5. chmod 400 /certs/openldap/ser-key.pem
  6. chown ldap:ldap /certs/openldap/ser-key.pem

The chmod makes the private key read-only; the owner of the key should be the same user that runs slapd. A chown command will be necessary if the owner of the server key is not the same as the user who runs slapd. The certificates should be publicly readable. Failure to execute the chown in the commands above will prevent slapd from starting, leaving an error message of "main: TLS init def ctx failed: -1" in /var/log/syslog.

Update /etc/openldap/slapd.conf to ensure the following lines are present and uncommented:

  1. TLSCertificateFile /certs/openldap/ser-crt.pem
  2. TLSCertificateKeyFile /certs/openldap/ser-key.pem
  3. TLSCACertificateFile /certs/openldap/CA-cert.pem

You may also want to update /etc/openldap/ldap.conf. This line will let the ldapsearch client automatically use your certificate to verify the server.

echo "TLS_CACERT /certs/openldap/CA-cert.pem" >> /etc/openldap/ldap.conf
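The chmod/chown step and the three TLS* directives above are exactly where the "TLS init def ctx failed" error comes from. As an added Python example (not from this page or the Gentoo how-to), this reads the TLS* lines out of slapd.conf text and reports any key or certificate whose mode, owner or absence would stop slapd; the file layout it checks is constructed in a temp directory, and the uid slapd runs as is a parameter (assumed to come from id -u ldap in real use).

```python
import os
import stat
import tempfile

TLS_DIRECTIVES = ("TLSCertificateFile", "TLSCertificateKeyFile", "TLSCACertificateFile")


def check_tls_files(slapd_conf: str, slapd_uid: int) -> list:
    """Problems that would stop slapd's TLS init, per the chmod/chown step above: the key
    must be readable only by its owner, the uid slapd runs as (id -u ldap); both
    certificates must exist and be world-readable."""
    paths = {}
    for line in slapd_conf.splitlines():   # a '#'-commented directive does not count
        parts = line.split()
        if len(parts) >= 2 and parts[0] in TLS_DIRECTIVES:
            paths[parts[0]] = parts[1]
    problems = []
    for name in TLS_DIRECTIVES:
        path = paths.get(name)
        if path is None:
            problems.append(f"{name} is missing or commented out")
            continue
        if not os.path.isfile(path):
            problems.append(f"{name}: {path} does not exist")
            continue
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if name != "TLSCertificateKeyFile":
            if not (mode & stat.S_IROTH):
                problems.append(f"{path}: certificate is not world-readable")
            continue
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{path}: key is group/world accessible (mode {mode:04o})")
        if st.st_uid != slapd_uid:
            problems.append(f"{path}: owned by uid {st.st_uid}, but slapd runs as uid {slapd_uid}")
    return problems


def build_demo(key_mode: int = 0o400) -> tuple:
    """Constructed layout: placeholder files in a temp dir plus the matching slapd.conf
    lines; returns (conf_text, uid of the current process) for check_tls_files."""
    d = tempfile.mkdtemp()
    files = (("ser-crt.pem", 0o644), ("ser-key.pem", key_mode), ("CA-cert.pem", 0o644))
    for fname, mode in files:
        with open(os.path.join(d, fname), "w") as fh:
            fh.write("placeholder, not a real certificate\n")
        os.chmod(os.path.join(d, fname), mode)
    conf = "".join(f"{n} {d}/{f}\n" for n, (f, _) in zip(TLS_DIRECTIVES, files))
    return conf, os.getuid()
```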

MediaWiki LDAP config

http://www.mediawiki.org/wiki/Extension:LDAP_Authentication

append to LocalSettings.php:

require_once( 'extensions/LdapAuthentication/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( "eyebeam" );
$wgLDAPServerNames = array( "eyebeam" => "colossus.eyebeam.org"  );
// "clear" sends the bind password unencrypted; "tls" uses the server certificate set up above
$wgLDAPEncryptionType = array( "eyebeam" => "clear" );   // "testADdomain"=>"tls",
#$wgLDAPSearchAttributes = array( "eyebeam"=>"uid" );
#$wgLDAPBaseDNs = array( "eyebeam"=>"dc=eyebeam,dc=org" );
$wgLDAPSearchStrings = array( "eyebeam"=>"uid=USER-NAME,ou=People,dc=eyebeam,dc=org"  );
$wgLDAPUseSSL = false;
$wgLDAPUseLocal = true; // failover to local db
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = false;
#$wgMinimalPasswordLength = 1;

// troubleshooting only: verbose LDAP logging and exception details in page output
$wgLDAPDebug = 3;
$wgShowExceptionDetails = true;
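$wgLDAPSearchStrings above has the extension substitute the login name for USER-NAME to build the bind DN. The following added Python example is not the extension's code; it shows the RFC 4514 escaping such a substitution needs so that a ',' or '\' in a supplied name stays a literal value character, behind an assumed login-name pattern (a hypothetical policy, not from the page).

```python
import re

# Characters RFC 4514 requires to be backslash-escaped inside a DN attribute value.
DN_SPECIAL = {'"', "+", ",", ";", "<", ">", "\\"}

# Assumed login-name policy for this illustration: lowercase POSIX-style names only.
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")

# The template from $wgLDAPSearchStrings above.
SEARCH_STRING = "uid=USER-NAME,ou=People,dc=eyebeam,dc=org"


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4)."""
    if "\x00" in value:
        raise ValueError("NUL byte in DN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")      # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")      # leading number sign
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(template: str, username: str) -> str:
    """Substitute the login name into the USER-NAME template to form the bind DN.

    Two layers: the name is first checked against the policy pattern, then
    escaped, so a ',' or '\\' that slipped past the pattern would still be a
    literal value character rather than the start of a new RDN.
    """
    if not LOGIN_RE.match(username):
        raise ValueError(f"login name rejected by policy: {username!r}")
    return template.replace("USER-NAME", escape_dn_value(username))
```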