Changes


OPS535-lab-ldap

4,930 bytes added, 20:47, 20 October 2020
m
Investigation 2: Modifying OpenLDAP Server Configuration to use TLS: - Added some warnings
==Pre-Requisites==
The pre-lab must be complete so that your virtual machines share access to a private network. Lab 1 must be complete so each machine has a well configured firewall. Make sure each machine is fully updated.
 
==References==
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-sssd-to-use-ldap-and-require-tls-authentication_configuring-authentication-and-authorization-in-rhel
* https://www.golinuxcloud.com/configure-openldap-with-tls-certificates/
* https://www.golinuxcloud.com/ldap-client-rhel-centos-8
* https://kifarunix.com/configure-sssd-for-openldap-authentication-on-centos-8/
==Investigation 1: OpenLDAP Server Setup and Configuration==
<ol>
<li>Install yum-utils</li>
<li>Install the symas ldap repo (Symas now maintain a version of OpenLDAP for CentOS 8):
<ul><li>yum-config-manager --add-repo=https://repo.symas.com/configs/SOFL/rhel8/sofl.repo</li></ul></li>
<li>Install the following packages
*openldap</li>
</ol>
==Investigation 2: Modifying OpenLDAP Server Configuration to use TLS - UNDER CONSTRUCTION==
{{Admon/important|Warning|This is a good time to make another backup of VM1.}}
In this investigation we will modify the OpenLDAP server we just created so that it uses TLS to encrypt the data it provides. You should notice that many of these steps are similar to the process of modifying postfix and apache servers to use TLS. Perform these steps on vm1.
<ol>
<li>Install the openssl package</li>
<li>Run the following commands to create a self-signed TLS certificate for your server (make sure you replace the values with ones from your machine):
{{Admon/important|Warning|As you run these commands, read the output carefully. If you encounter any errors you must resolve them before continuing to the next command.}}
<source>
# CA: a passphrase-protected 4096-bit key and a self-signed root certificate
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem
# Server: an unencrypted key (slapd has no way to enter a passphrase) and a signing request
openssl genrsa -out vm1.pcallagh.ops.key 4096
openssl req -new -key vm1.pcallagh.ops.key -out vm1.pcallagh.ops.csr
# Sign the server request with the CA; -CAcreateserial writes ca.srl on first use
openssl x509 -req -in vm1.pcallagh.ops.csr -CA ca.cert.pem -CAkey ca.key -out vm1.pcallagh.ops.crt -CAcreateserial -days 365 -sha256
</source></li>
<li>Copy the certificate, the private key, and the certificate authority file to an appropriate directory (make sure the directory and the files in it are owned by the ldap account, that the directory has permissions set to 0700, and that the files have 0600):
<source>cp vm1.pcallagh.ops.crt vm1.pcallagh.ops.key ca.cert.pem /etc/openldap/certs/</source></li>
<li>Write an ldif file and add the following values to '''dn: cn=config''' (again making sure to put in values from your own machine):
<source>
olcTLSCertificateFile: /etc/openldap/certs/vm1.pcallagh.ops.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/vm1.pcallagh.ops.key
olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem
</source>
{{Admon/important|Warning|Read the output of the ldapmodify command carefully. If you encounter any errors you must resolve them before continuing to the next command.}}</li>
<li>You can use slapcat to ensure they are set correctly:
<source>slapcat -b "cn=config" | egrep "Certificate(Key)?File"</source></li>
<li>Update /etc/openldap/ldap.conf to locate your CA certificate, and to indicate that ldaps is now allowed:
<ul><li>Set the URI parameter to ldaps://vm1.<yourdomain>.ops. It is suggested you also include ldapi:/// so local connections are allowed.</li>
<li>Set TLS_CACERT to the absolute path of your certificate authority file (e.g. /etc/openldap/certs/ca.cert.pem).</li>
<li>Set TLS_CACERTDIR to the directory your certificate authority file is in (e.g. /etc/openldap/certs).</li></ul></li>
<li>Update your firewall to permanently allow ldaps instead of ldap.</li>
<li>Double check that you can still use ldapsearch before continuing to the next investigation.</li>
</ol>
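Before moving on to the client it is worth checking the server side end to end. The script below is an added example and not part of the lab page; it assumes the lab's file names (vm1.pcallagh.ops.crt, vm1.pcallagh.ops.key and ca.cert.pem under /etc/openldap/certs), GNU stat, and that ldapsearch is installed on vm1.

```shell
#!/bin/bash
# Added example: verify the TLS setup from Investigation 2 on the server.
# Usage: ./check-ldap-tls.sh <cert_dir> [server_hostname]
# e.g.   ./check-ldap-tls.sh /etc/openldap/certs vm1.pcallagh.ops

# Check that a path has exactly the expected octal mode and owner (GNU stat).
# Prints a diagnostic and returns 1 on mismatch, 0 otherwise.
check_perms() {   # check_perms <path> <mode> <owner>
    local path=$1 want_mode=$2 want_owner=$3 mode owner
    mode=$(stat -c '%a' "$path" 2>/dev/null) || { echo "FAIL: $path missing" >&2; return 1; }
    owner=$(stat -c '%U' "$path")
    if [ "$mode" != "$want_mode" ] || [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $path is $owner mode $mode, expected $want_owner mode $want_mode" >&2
        return 1
    fi
}

# The private key must belong to the certificate: compare the public keys.
check_key_matches_cert() {   # check_key_matches_cert <cert> <key>
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# The server certificate must chain to the CA file that clients will be given.
check_chain() {   # check_chain <ca> <cert>
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# A real handshake on 636 that fails if the certificate does not verify,
# followed by an anonymous base-scope search of the root DSE over ldaps.
check_ldaps() {   # check_ldaps <host> <ca>
    openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error \
        </dev/null >/dev/null 2>&1 &&
    ldapsearch -x -H "ldaps://$1" -b '' -s base >/dev/null
}

run_checks() {   # run_checks <cert_dir> [host]
    local dir=$1 host=${2:-vm1.pcallagh.ops} rc=0 f
    check_perms "$dir" 700 ldap || rc=1
    for f in "$host.crt" "$host.key" ca.cert.pem; do
        check_perms "$dir/$f" 600 ldap || rc=1
    done
    check_key_matches_cert "$dir/$host.crt" "$dir/$host.key" || { echo "FAIL: key does not match certificate" >&2; rc=1; }
    check_chain "$dir/ca.cert.pem" "$dir/$host.crt" || { echo "FAIL: certificate does not chain to the CA" >&2; rc=1; }
    check_ldaps "$host" "$dir/ca.cert.pem" || { echo "FAIL: ldaps handshake or search failed" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "All TLS checks passed"
    return "$rc"
}

# Only run when given a certificate directory, so the functions can also be sourced.
if [ $# -gt 0 ]; then run_checks "$@"; fi
```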
==Investigation 3: Setup and Configure OpenLdap Client Through SSSD - UNDER CONSTRUCTION==
Perform the following steps on vm2:
<ol>
<li>Install yum-utils</li>
<li>Install the symas ldap repo</li>
<li>Install the following packages
*symas-openldap-clients
*sssd
*sssd-ldap
*sssd-tools
*openssl-perl</li>
<li>If you would like to actually log into the client machines as an ldap user, you need to reconfigure the way the system authentication processes your login. To do this, you will use the authselect tool on the client machine.<br />
Note: the ldap user does not have a home directory on the client unless you provide it via NFS.</li>
<li>Copy the server's signed certificate onto the client:
<source>openssl s_client -connect <hostname or ip address of your ldap server>:636 -showcerts < /dev/null | openssl x509 -text > /etc/openldap/certs/cacert.crt</source></li>
<li>Set up the SSSD service to use vm1 for authentication.
<ul><li>Start by adding the following settings to /etc/sssd/sssd.conf<br />
Note that you may have to create /etc/sssd/sssd.conf yourself. Make sure the file is owned by root:root and that the permissions are 0600.
<source>
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[sudo]

[nss]
homedir_substring = /home

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = <The Base DN from your ldap server>
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldaps://<HOSTNAME or IP ADDRESS of your ldap server>
ldap_chpass_uri = ldaps://<HOSTNAME or IP ADDRESS of your ldap server>
ldap_tls_reqcert = allow
ldap_tls_cacert = <The absolute path of the certificate you copied over from the server>
ldap_tls_cacertdir = <The absolute path to the directory the ldap server's certificate is in>
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
</source></li>
<li>Now direct sssd to use those changes by running 'authselect select sssd --force'. You need the --force option because it changes several files.</li>
<li>Test your configuration with 'sssctl config-check' and fix any errors it identifies.</li>
<li>Once your configuration passes the sssctl check, start and enable sssd.</li></ul></li>
<li>Test that your machine is connected to the ldap server by searching for the ldapuser1 account:
<source>id ldapuser1</source>
You should get something similar to the following (but may not be exactly the same):
<source>uid=1002(ldapuser1) gid=1002(ldapuser1) groups=1002(ldapuser1)</source></li>
<li>If you want to be able to use commands like ldapsearch from this machine, you will also need to configure ldap in /etc/openldap/ldap.conf. This configuration file should already exist; you just need to modify the parameters to identify the LDAP server and the location of its certificate.
<ul><li>BASE <base DN from your ldap server></li>
<li>URI ldaps://<hostname or ip address of your ldap server></li>
<li>TLS_CACERT <the absolute path of the certificate you downloaded from the server earlier></li>
<li>TLS_CACERTDIR <the directory you saved the certificate in></li></ul></li>
<li>Test your OpenLDAP client with the ldapsearch command.
<source>ldapsearch -x 'uid=ldapuser1'</source>
You should get results similar to the following (but may not be exactly the same):
<source>
# extended LDIF
# numResponses: 2
# numEntries: 1
</source></li>
<li>Logout of the client machine, then log back in using the ldapuser1 account.</li>
<li>Repeat steps 1 through 7 on vm3.</li>
</ol>
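The sssd.conf above sets ldap_tls_reqcert = allow, which asks the server for its certificate but lets the session continue even when that certificate does not verify against ldap_tls_cacert; demand (or hard, SSSD's default when the key is absent) is the value that actually rejects an unverifiable server. The script below is an added example, not part of the lab page: it reads the [domain/default] settings from a sssd.conf, reports that and similar weak spots, and then runs the lab's own checks (sssctl config-check and id ldapuser1). It assumes GNU stat and the [domain/default] section name used in the lab.

```shell
#!/bin/bash
# Added example: audit the TLS-related settings in an Investigation 3 sssd.conf,
# then run the lab's own verification commands.
# Usage: ./audit-sssd.sh /etc/sssd/sssd.conf

# Print the value of <key> inside [<section>] of an INI-style file (first match).
ini_get() {   # ini_get <file> <section> <key>
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Report settings that leave the client willing to talk to an unverified server.
# One finding per line on stdout; the return value is the number of findings.
audit_sssd_tls() {   # audit_sssd_tls <sssd.conf>
    local f=$1 n=0 uri reqcert cacert
    uri=$(ini_get "$f" domain/default ldap_uri)
    reqcert=$(ini_get "$f" domain/default ldap_tls_reqcert)
    cacert=$(ini_get "$f" domain/default ldap_tls_cacert)
    reqcert=${reqcert:-hard}          # SSSD's default when the key is absent
    case $uri in
        ldaps://*) ;;
        *) echo "ldap_uri '$uri' is not ldaps://, which is all the lab's server now accepts"; n=$((n + 1)) ;;
    esac
    case $reqcert in
        demand|hard) ;;
        *) echo "ldap_tls_reqcert '$reqcert' accepts an unverifiable server certificate; use demand"; n=$((n + 1)) ;;
    esac
    if [ -z "$cacert" ] || [ ! -r "$cacert" ]; then
        echo "ldap_tls_cacert '${cacert:-unset}' is missing or unreadable, so verification cannot succeed"; n=$((n + 1))
    fi
    return "$n"
}

run_audit() {   # run_audit <sssd.conf>
    local conf=$1 rc=0
    [ "$(stat -c '%U:%a' "$conf")" = "root:600" ] || { echo "$conf must be root-owned with mode 0600"; rc=1; }
    audit_sssd_tls "$conf" || rc=1
    sssctl config-check || rc=1                       # the lab's own syntax check
    id ldapuser1 >/dev/null 2>&1 || { echo "ldapuser1 is not resolvable through sssd"; rc=1; }
    return "$rc"
}

# Only run when given a config path, so the functions can also be sourced.
if [ $# -gt 0 ]; then run_audit "$1"; fi
```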