[[linux:ldap]]
 
Trace: ldap

Table of Contents

LDAP setup

LDAP com-prod-ldap01

cn=Admin,dc=company,dc=int

Server

OS is Ubuntu 16.04, OpenLDAP is 2.4.42+dfsg-2ubuntu3.1

Install

(This is taken from the original VM on laptop)

SSL cert install

See https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls 

root@com-prod-ldap01:/etc/ldap/ssl# cat certinfo.ldif
dn: cn=config
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/company-int-ca.cert.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/com-prod-ldap01-cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/com-prod-ldap01-key.pem

root@com-prod-ldap01:/etc/ldap/ssl# ls -l 
total 20
-rw-r--r-- 1 root     root      303 Sep  2 11:58 certinfo.ldif
-rw------- 1 openldap openldap 1534 Nov  3  2015 com-prod-ldap01-cert.pem
-rw------- 1 openldap openldap  651 Nov  3  2015 com-prod-ldap01-csr.csr
-rw------- 1 openldap openldap  916 Nov  3  2015 com-prod-ldap01-key.pem
-rw------- 1 openldap openldap 2010 Nov  3  2015 company-int-ca.cert.crt
root@com-prod-ldap01:/etc/ldap/ssl# 

root@com-prod-ldap01:/etc/ldap/ssl# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ssl/certinfo.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

root@com-prod-ldap01:/etc/ldap/ssl#

Testing

Most testing can be performed with ldapsearch, this is a command line utility which connects with credentials and searches for information. If the bind as a user/password succeeds, this counts as an authentication and is the mechanism many applications use to check authentication.
Authorisation for a particular service is usually dependant on group membership.

Adding ldif files

Most ldif files can be added with 

# ldapmodify -x -W -D "cn=Admin,dc=company,dc=int" -f logging.ldif

type of syntax, but schema changes seem to have to be made with this:- 

# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif

TLS /SSL access

Initial testing after adding ssl cert failed:- 

root@com-prod-ldap01:/etc/ldap/ssl# ldapsearch -ZZ  -v -b "" -b " ou=people,dc=company,dc=int"  -D "cn=admin,dc=company,dc=int" -h 10.10.70.100 -s sub -w <PW> cn='User1'
ldap_initialize( ldap://10.10.70.100 )
ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)
root@com-prod-ldap01:/etc/ldap/ssl#

-ZZ forces a TLS connection to be used.

This is not helpful, but debugging can be turned on with -d -1:- 

root@com-prod-ldap01:/etc/ldap/ssl# ldapsearch -ZZ  -v -b "" -b " ou=people,dc=company,dc=int"  -D "cn=admin,dc=company,dc=int" -h 10.10.70.100 -s sub -w <PW> cn='user1' -d -1
ldap_initialize( ldap://10.10.70.100 )
ldap_create
ldap_url_parse_ext(ldap://10.10.70.100)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.10.70.100:389

...edited....

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
  0000:  30 05 02 01 02 42 00                               0....B.           
ldap_write: want=7, written=7
  0000:  30 05 02 01 02 42 00                               0....B.           
ldap_free_connection: actually freed
root@com-prod-ldap01:/etc/ldap/ssl#

This error occurs because the client can't trust the self signed CA for Company. The solution is to add the Company CA root cert to the trusted cert store on the client (in this case the server is acting as a client too), and the ldap.conf file needs to be edited too:- 

root@com-prod-ldap01:/etc/ldap/ssl# cat company-int-ca.cert.crt >> /etc/ssl/certs/ca-certificates.crt
root@com-prod-ldap01:/etc/ldap/ssl# cat /etc/ldap/ldap.conf (edited)

BASE    dc=company,dc=int    
URI     ldap://com-prod-ldap01.company.int  ldap://com-prod-ldap01.company.int:666

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

This almost works:- 

root@com-prod-ldap01:/etc/ldap/ssl# ldapsearch -ZZ  -v -b "" -b " ou=people,dc=company,dc=int"  -D "cn=admin,dc=company,dc=int" -h 10.10.70.100 -s sub -w <PW> cn='user1' -d -1
ldap_initialize( ldap://10.10.70.100 )
ldap_create
ldap_url_parse_ext(ldap://10.10.70.100)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.10.70.100:389

...edited...

TLS: hostname (10.10.70.100) does not match common name in certificate (com-prod-ldap01).
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
ldap_free_connection 1 1

...edited...

The reason for this is that the ldapsearch is using the ipaddress of the server, not the dns name which is the same as the common name in the server cert.

This can be fixed with a change to the hosts file to point the com-prod-ldap01 name to the correct ipaddress. (This is only required for testing as the VM running ldap01 is on dhcp, in production, the ipaddress would be static.) 

root@com-prod-ldap01:/etc/ldap/ssl# ldapsearch -ZZ  -v -b "" -b " ou=people,dc=company,dc=int"  -D "cn=admin,dc=company,dc=int" -h com-prod-ldap01 -s sub -w <PW> cn='user1' -d -1
ldap_initialize( ldap://com-prod-ldap01 )
ldap_create
ldap_url_parse_ext(ldap://com-prod-ldap01)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP com-prod-ldap01:389
ldap_new_socket: 3

...edited...

The actual result can be seen more clearly without the debug:- 

root@com-prod-ldap01:/etc/ldap/ssl# ldapsearch -ZZ  -v -b "" -b " ou=people,dc=company,dc=int"  -D "cn=admin,dc=company,dc=int" -h com-prod-ldap01 -s sub -w <PW> cn='user1'
ldap_initialize( ldap://com-prod-ldap01 )
filter: cn=user1
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base < ou=people,dc=company,dc=int> with scope subtree
# filter: cn=user1
# requesting: ALL
#

# user1, people, company.int
dn: cn=user1,ou=people,dc=company,dc=int
cn: user1
mail: user1@company.com
givenName: user1
sn: user1
mobile: +44 7xxxxxxx
o: Company plc
postalCode: B11 22AL
st: UK
physicalDeliveryOfficeName: Brindley Road, Birmingham
displayName: User One
uid: user1
street: Brindley Road, New Brunswick Square, Birmingham
gidNumber: 6001
homeDirectory: /home/user1
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
uidNumber: 6001
loginShell: /bin/bash
userPassword:: e01ENX0wSUV1Zjdqb1NtNFY1WFhsazhnUEF3PT0=
telephoneNumber: +44 1216335786
telephoneNumber: 286

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
root@com-prod-ldap01:/etc/ldap/ssl#

Client debug

Attempting to do an ldap search on the client gives the following error:- 

user1@ubuntu16:~$ ldapsearch -ZZ -v -b "" -b "ou=People,dc=company,dc=int" -D "cn=admin,dc=company,dc=int" -h com-prod-ldap01.company.int -s sub -w <PW> cn='Andrew Stringer'
ldap_initialize( ldap://com-prod-ldap01.company.int )
ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)
user1@ubuntu16:~$

This is caused by not having the correct settings in the ldap.conf client side file and not installing the root CA which is used encryption. Example ldap.conf file below:- 

root@ubuntu16:/root# cat /etc/ldap/ldap.conf 
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=company,dc=int
URI     ldap://com-prod-ldap01.company.int  ldap://com-prod-ldap01.company.int:389


#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/company-int-ca.cert.crt

root@ubuntu16:/root#

The company-int-ca.cert.crt file can be downloaded from https://ca.company.int/company-int-ca.cert.crt and should be copied to /etc/ssl/certs/, ownership should be root and world readable.

Attempting to do an ldap search on the client gives the following error:- 

additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

This is caused by the client not trusting the root CA. If the root ca cert is not a public trusted cert (ie a self signed root), it seems better to point to it with this in /etc/openldap/ldap.conf 

TLS_CACERT /etc/openldap/certs/company-int-ca.cert.crt

The company-int-ca.cert.crt certificate can be downloaded from https://ca.company.int/ using the link at the bottom of the page.

General searches

Use either -w xxxxx to embed password (probably unsafe) or -W to prompt on the command line. 

# ldapsearch -b "" -b " ou=people,dc=company,dc=int"  -D "cn=admin,dc=company,dc=int" -h 127.0.0.1 -s sub -w xxxxx
# extended LDIF
#
# LDAPv3
# base < ou=people,dc=company,dc=int> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# people, company.int
dn: ou=people,dc=company,dc=int
objectClass: organizationalUnit
objectClass: top
ou: people

# User1, people, company.int
dn: cn=User1,ou=people,dc=company,dc=int
cn: User1
mail: user1@company.com
givenName: User
sn: One
mobile: +44 7956904629
o: Company Systems
postalCode: B11 21AZ
st: UK
physicalDeliveryOfficeName: 21 Brindley Road, Birmingham
displayName: User One
uid: user1
gidNumber: 6001
homeDirectory: /home/user1
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
uidNumber: 6001
loginShell: /bin/bash
userPassword:: e01ENX0wSUV1Zjdqb1NtNFY1WFhsazhnUEF3PT0=
telephoneNumber: +44 1216335786
telephoneNumber: 286

Using ldapsearch over SSL connection,
From man page:- -Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful. 

# ldapsearch -ZZZ -b "" -b " ou=people,dc=company,dc=int"  -D "cn=admin,dc=company,dc=int" -h 127.0.0.1 -s sub -w <PW> cn="User1"

Search as user:- 

$ ldapsearch -ZZ -v -b "" -b "ou=People,dc=company,dc=int" -D "cn=User1,ou=People,dc=company,dc=int" -h com-prod-ldap01.company.int -W -s sub cn='User1'

Basic auth:- 

$ ldapsearch -ZZ -v -D "cn=User1,ou=People,dc=company,dc=int" -h com-prod-ldap01.company.int -W -s base
ldap_initialize( ldap://com-prod-ldap01.company.int )
Enter LDAP Password: 
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
...edited...

With the ldap.conf file above, the search can be shortened to:- 

astringer@ubuntu16:~$ ldapsearch -ZZ -D "cn=User1,ou=People,dc=company,dc=int"  -W -s base
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
 
linux/ldap.txt · Last modified: 09/01/2021 23:43 by andrew