Table of Contents
LDAP setup
LDAP com-prod-ldap01
cn=Admin,dc=company,dc=int
Server
OS is Ubuntu 16.04, OpenLDAP is 2.4.42+dfsg-2ubuntu3.1
Install
(This is taken from the original VM on laptop)
SSL cert install
See https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls
root@com-prod-ldap01:/etc/ldap/ssl# cat certinfo.ldif dn: cn=config replace: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ldap/ssl/company-int-ca.cert.crt - replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/ldap/ssl/com-prod-ldap01-cert.pem - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ldap/ssl/com-prod-ldap01-key.pem root@com-prod-ldap01:/etc/ldap/ssl# ls -l total 20 -rw-r--r-- 1 root root 303 Sep 2 11:58 certinfo.ldif -rw------- 1 openldap openldap 1534 Nov 3 2015 com-prod-ldap01-cert.pem -rw------- 1 openldap openldap 651 Nov 3 2015 com-prod-ldap01-csr.csr -rw------- 1 openldap openldap 916 Nov 3 2015 com-prod-ldap01-key.pem -rw------- 1 openldap openldap 2010 Nov 3 2015 company-int-ca.cert.crt root@com-prod-ldap01:/etc/ldap/ssl# root@com-prod-ldap01:/etc/ldap/ssl# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ssl/certinfo.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" root@com-prod-ldap01:/etc/ldap/ssl#
Testing
Most testing can be performed with ldapsearch
, this is a command line utility which connects with credentials and searches for information. If the bind as a user/password succeeds, this counts as an authentication and is the mechanism many applications use to check authentication.
Authorisation for a particular service is usually dependant on group membership.
Adding ldif files
Most ldif files can be added with
# ldapmodify -x -W -D "cn=Admin,dc=company,dc=int" -f logging.ldif
type of syntax, but schema changes seem to have to be made with this:-
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
TLS /SSL access
Initial testing after adding ssl cert failed:-
root@com-prod-ldap01:/etc/ldap/ssl# ldapsearch -ZZ -v -b "" -b " ou=people,dc=company,dc=int" -D "cn=admin,dc=company,dc=int" -h 10.10.70.100 -s sub -w <PW> cn='User1' ldap_initialize( ldap://10.10.70.100 ) ldap_start_tls: Connect error (-11) additional info: (unknown error code) root@com-prod-ldap01:/etc/ldap/ssl#
-ZZ forces a TLS connection to be used.
This is not helpful, but debugging can be turned on with -d -1
:-
root@com-prod-ldap01:/etc/ldap/ssl# ldapsearch -ZZ -v -b "" -b " ou=people,dc=company,dc=int" -D "cn=admin,dc=company,dc=int" -h 10.10.70.100 -s sub -w <PW> cn='user1' -d -1 ldap_initialize( ldap://10.10.70.100 ) ldap_create ldap_url_parse_ext(ldap://10.10.70.100) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 10.10.70.100:389 ...edited.... TLS: peer cert untrusted or revoked (0x42) TLS: can't connect: (unknown error code). ldap_err2string ldap_start_tls: Connect error (-11) additional info: (unknown error code) ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3 0000: 30 05 02 01 02 42 00 0....B. ldap_write: want=7, written=7 0000: 30 05 02 01 02 42 00 0....B. ldap_free_connection: actually freed root@com-prod-ldap01:/etc/ldap/ssl#
This error occurs because the client can't trust the self signed CA for Company. The solution is to add the Company CA root cert to the trusted cert store on the client (in this case the server is acting as a client too), and the ldap.conf file needs to be edited too:-
root@com-prod-ldap01:/etc/ldap/ssl# cat company-int-ca.cert.crt >> /etc/ssl/certs/ca-certificates.crt root@com-prod-ldap01:/etc/ldap/ssl# cat /etc/ldap/ldap.conf (edited) BASE dc=company,dc=int URI ldap://com-prod-ldap01.company.int ldap://com-prod-ldap01.company.int:666 # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ssl/certs/ca-certificates.crt
This almost works:-
root@com-prod-ldap01:/etc/ldap/ssl# ldapsearch -ZZ -v -b "" -b " ou=people,dc=company,dc=int" -D "cn=admin,dc=company,dc=int" -h 10.10.70.100 -s sub -w <PW> cn='user1' -d -1 ldap_initialize( ldap://10.10.70.100 ) ldap_create ldap_url_parse_ext(ldap://10.10.70.100) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 10.10.70.100:389 ...edited... TLS: hostname (10.10.70.100) does not match common name in certificate (com-prod-ldap01). ldap_err2string ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate ldap_free_connection 1 1 ...edited...
The reason for this is that the ldapsearch
is using the ipaddress of the server, not the dns name which is the same as the common name in the server cert.
This can be fixed with a change to the hosts file to point the com-prod-ldap01
name to the correct ipaddress. (This is only required for testing as the VM running ldap01 is on dhcp, in production, the ipaddress would be static.)
root@com-prod-ldap01:/etc/ldap/ssl# ldapsearch -ZZ -v -b "" -b " ou=people,dc=company,dc=int" -D "cn=admin,dc=company,dc=int" -h com-prod-ldap01 -s sub -w <PW> cn='user1' -d -1 ldap_initialize( ldap://com-prod-ldap01 ) ldap_create ldap_url_parse_ext(ldap://com-prod-ldap01) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP com-prod-ldap01:389 ldap_new_socket: 3 ...edited...
The actual result can be seen more clearly without the debug:-
root@com-prod-ldap01:/etc/ldap/ssl# ldapsearch -ZZ -v -b "" -b " ou=people,dc=company,dc=int" -D "cn=admin,dc=company,dc=int" -h com-prod-ldap01 -s sub -w <PW> cn='user1' ldap_initialize( ldap://com-prod-ldap01 ) filter: cn=user1 requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base < ou=people,dc=company,dc=int> with scope subtree # filter: cn=user1 # requesting: ALL # # user1, people, company.int dn: cn=user1,ou=people,dc=company,dc=int cn: user1 mail: user1@company.com givenName: user1 sn: user1 mobile: +44 7xxxxxxx o: Company plc postalCode: B11 22AL st: UK physicalDeliveryOfficeName: Brindley Road, Birmingham displayName: User One uid: user1 street: Brindley Road, New Brunswick Square, Birmingham gidNumber: 6001 homeDirectory: /home/user1 objectClass: inetOrgPerson objectClass: top objectClass: posixAccount uidNumber: 6001 loginShell: /bin/bash userPassword:: e01ENX0wSUV1Zjdqb1NtNFY1WFhsazhnUEF3PT0= telephoneNumber: +44 1216335786 telephoneNumber: 286 # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1 root@com-prod-ldap01:/etc/ldap/ssl#
Client debug
Attempting to do an ldap search on the client gives the following error:-
user1@ubuntu16:~$ ldapsearch -ZZ -v -b "" -b "ou=People,dc=company,dc=int" -D "cn=admin,dc=company,dc=int" -h com-prod-ldap01.company.int -s sub -w <PW> cn='Andrew Stringer' ldap_initialize( ldap://com-prod-ldap01.company.int ) ldap_start_tls: Connect error (-11) additional info: (unknown error code) user1@ubuntu16:~$
This is caused by not having the correct settings in the ldap.conf client side file and not installing the root CA which is used encryption. Example ldap.conf file below:-
root@ubuntu16:/root# cat /etc/ldap/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=company,dc=int URI ldap://com-prod-ldap01.company.int ldap://com-prod-ldap01.company.int:389 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ssl/certs/company-int-ca.cert.crt root@ubuntu16:/root#
The company-int-ca.cert.crt
file can be downloaded from https://ca.company.int/company-int-ca.cert.crt and should be copied to /etc/ssl/certs/, ownership should be root and world readable.
Attempting to do an ldap search on the client gives the following error:-
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
This is caused by the client not trusting the root CA. If the root ca cert is not a public trusted cert (ie a self signed root), it seems better to point to it with this in /etc/openldap/ldap.conf
TLS_CACERT /etc/openldap/certs/company-int-ca.cert.crt
The company-int-ca.cert.crt
certificate can be downloaded from https://ca.company.int/ using the link at the bottom of the page.
General searches
Use either -w xxxxx to embed password (probably unsafe) or -W to prompt on the command line.
# ldapsearch -b "" -b " ou=people,dc=company,dc=int" -D "cn=admin,dc=company,dc=int" -h 127.0.0.1 -s sub -w xxxxx # extended LDIF # # LDAPv3 # base < ou=people,dc=company,dc=int> with scope subtree # filter: (objectclass=*) # requesting: ALL # # people, company.int dn: ou=people,dc=company,dc=int objectClass: organizationalUnit objectClass: top ou: people # User1, people, company.int dn: cn=User1,ou=people,dc=company,dc=int cn: User1 mail: user1@company.com givenName: User sn: One mobile: +44 7956904629 o: Company Systems postalCode: B11 21AZ st: UK physicalDeliveryOfficeName: 21 Brindley Road, Birmingham displayName: User One uid: user1 gidNumber: 6001 homeDirectory: /home/user1 objectClass: inetOrgPerson objectClass: top objectClass: posixAccount uidNumber: 6001 loginShell: /bin/bash userPassword:: e01ENX0wSUV1Zjdqb1NtNFY1WFhsazhnUEF3PT0= telephoneNumber: +44 1216335786 telephoneNumber: 286
Using ldapsearch over SSL connection,
From man page:- -Z[Z] Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.
# ldapsearch -ZZZ -b "" -b " ou=people,dc=company,dc=int" -D "cn=admin,dc=company,dc=int" -h 127.0.0.1 -s sub -w <PW> cn="User1"
Search as user:-
$ ldapsearch -ZZ -v -b "" -b "ou=People,dc=company,dc=int" -D "cn=User1,ou=People,dc=company,dc=int" -h com-prod-ldap01.company.int -W -s sub cn='User1'
Basic auth:-
$ ldapsearch -ZZ -v -D "cn=User1,ou=People,dc=company,dc=int" -h com-prod-ldap01.company.int -W -s base ldap_initialize( ldap://com-prod-ldap01.company.int ) Enter LDAP Password: filter: (objectclass=*) requesting: All userApplication attributes # extended LDIF ...edited...
With the ldap.conf file above, the search can be shortened to:-
astringer@ubuntu16:~$ ldapsearch -ZZ -D "cn=User1,ou=People,dc=company,dc=int" -W -s base Enter LDAP Password: # extended LDIF # # LDAPv3