A small rant:
In the 90's I started working with Novell Directory Services/eDirectory, up until version 8.8 a few years ago. Did some LDAP work on Active Directory. Had Mac OS X clients authenticate to eDirectory and AD, even with drive mappings etc. It was not always easy but we got there... It's 2012 now, so why do I have to enter several unreadable CLI commands (yep, even unreadable for an experienced Linux user) in Ubuntu just to add a Samba schema? I'm certainly not afraid of the CLI but this is not the 80's anymore. If you're able to create an ubercomplex config system, like the one found in the current Ubuntu version, you're also able to write a decent tool to manage it!!
First I created a FreeBSD setup as I described earlier (up until the installation of my favourite tools). After FreeBSD was installed I continued with OpenLDAP.
OpenLDAP installation
cd /usr/ports/net/openldap24-server
make install clean -DBATCH
This will install OpenLDAP with the default selections. Next copy the DB_CONFIG example file to /var/db/openldap-data:
cp /usr/local/etc/openldap/DB_CONFIG.example /var/db/openldap-data/DB_CONFIG
OpenLDAP certificates
Before we continue to delve deeper into the OpenLDAP configuration we're going to create certificates (this is based on the Lampros guide). I will only list the commands and the input I gave. Remark: Lampros explains that OpenLDAP can be picky about the CN.
cd /usr/local/etc/openldap
mkdir /usr/local/etc/openldap/private
Creation of the Root CA (Certification Authority)
Type:
openssl req -days 3650 -nodes -new -x509 -keyout /usr/local/etc/openldap/private/ca.key -out /usr/local/etc/openldap/ca.crt
This command (and a few of the following also) pops up a few questions which need input to get the CA and the keys working. Although I filled out almost every question, the most important one is the common name (the rest can be left blank).
CN=ca.tempelman.local
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Overijssel
Locality Name (eg, city) []:Nieuwleusen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tempelman
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:ca.tempelman.local
Email Address []:(enter)
Creation of the Private Key and Certificate Signing Request (CSR)
openssl req -days 3650 -nodes -new -keyout /usr/local/etc/openldap/private/server.key -out /usr/local/etc/openldap/private/server.csr
CN=fbsd-radius.tempelman.local
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Overijssel
Locality Name (eg, city) []:Nieuwleusen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tempelman
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:fbsd-radius.tempelman.local
Email Address []:(enter)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(enter)
An optional company name []:(enter)
[root@fbsd-radius /var/db/openldap-data]#
Sign Server Certificate
openssl x509 -req -days 3650 -in /usr/local/etc/openldap/private/server.csr -out /usr/local/etc/openldap/server.crt -CA /usr/local/etc/openldap/ca.crt -CAkey /usr/local/etc/openldap/private/ca.key -CAcreateserial
Generate the Client Certificate
openssl req -days 3650 -nodes -new -keyout /usr/local/etc/openldap/private/client.key -out /usr/local/etc/openldap/private/client.csr
CN=fbsd-radius.tempelman.local
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Overijssel
Locality Name (eg, city) []:Nieuwleusen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tempelman
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:fbsd-radius.tempelman.local
Email Address []:(enter)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(enter)
An optional company name []:(enter)
Sign Client Certificate
openssl x509 -req -days 3650 -in /usr/local/etc/openldap/private/client.csr -out /usr/local/etc/openldap/client.crt -CA /usr/local/etc/openldap/ca.crt -CAkey /usr/local/etc/openldap/private/ca.key
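Before wiring these files into slapd.conf it pays to verify what openssl actually produced. The script below is an added example, not part of the original post: it checks that server.crt chains to our own ca.crt, that its subject CN is the host name clients will connect to (the "picky about the CN" remark above), and that server.key really belongs to server.crt. It assumes only the openssl command-line tool. The make_test_material helper rebuilds throwaway material with the same openssl commands as above, but non-interactively via -subj, so the script can be run anywhere; its paths and the CA name ca.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the CA / server
# certificate / private key trio before slapd is configured to use it.
# Assumes only the openssl command-line tool.
set -eu

# check_ldap_tls_material CA_CRT SERVER_CRT SERVER_KEY EXPECTED_CN
# Prints one line per check; returns 0 if all pass, 1 if any fails.
check_ldap_tls_material() {
    ca=$1; crt=$2; key=$3; want_cn=$4; rc=0

    # 1. The server certificate must chain to our own CA (not just any CA).
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "ok   chain: $crt is signed by $ca"
    else
        echo "FAIL chain: $crt does not verify against $ca"; rc=1
    fi

    # 2. The subject CN must be the host name clients will use;
    #    a mismatch is the "picky about the CN" failure mentioned above.
    got_cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" |
             sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$got_cn" = "$want_cn" ]; then
        echo "ok   cn: $got_cn"
    else
        echo "FAIL cn: certificate has '$got_cn', expected '$want_cn'"; rc=1
    fi

    # 3. The private key must belong to the certificate: compare the public
    #    key embedded in the cert with the one derived from the key file.
    if [ "$(openssl x509 -noout -pubkey -in "$crt")" = \
         "$(openssl pkey -pubout -in "$key")" ]; then
        echo "ok   key: $key matches $crt"
    else
        echo "FAIL key: $key does not match $crt"; rc=1
    fi
    return $rc
}

# make_test_material DIR CN: constructed throwaway CA + signed server cert,
# made with the same openssl commands as the post but non-interactive (-subj).
make_test_material() {
    dir=$1; cn=$2
    mkdir -p "$dir/private"
    openssl req -days 3650 -nodes -new -x509 -subj "/CN=ca.example.test" \
        -keyout "$dir/private/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -days 3650 -nodes -new -subj "/CN=$cn" \
        -keyout "$dir/private/server.key" -out "$dir/private/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 3650 -in "$dir/private/server.csr" \
        -out "$dir/server.crt" -CA "$dir/ca.crt" -CAkey "$dir/private/ca.key" \
        -CAcreateserial >/dev/null 2>&1
}

# Demo on constructed material; on the real server point the checker at
# /usr/local/etc/openldap/{ca.crt,server.crt,private/server.key} instead.
demo_dir=$(mktemp -d)
make_test_material "$demo_dir" fbsd-radius.tempelman.local
check_ldap_tls_material "$demo_dir/ca.crt" "$demo_dir/server.crt" \
    "$demo_dir/private/server.key" fbsd-radius.tempelman.local
rm -rf "$demo_dir"
```

The same function works for the client certificate: pass client.crt and private/client.key and the CN you entered for it. Comparing public keys (check 3) rather than RSA moduli keeps the check valid for any key type.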
Key overview
Now let's see what we've got:
Public keys:
[root@fbsd-radius /usr/local/etc/openldap]# ls -al
total 30
drwxr-xr-x 4 root wheel 512 Feb 12 14:46 .
drwxr-xr-x 7 root wheel 512 Feb 12 13:56 ..
-rw------- 1 root wheel 845 Feb 12 14:02 DB_CONFIG.example
-rw-r--r-- 1 root wheel 1237 Feb 12 14:29 ca.crt
-rw-r--r-- 1 root wheel 17 Feb 12 14:46 ca.srl
-rw-r--r-- 1 root wheel 895 Feb 12 14:46 client.crt
-rw-r--r-- 1 root wheel 245 Feb 12 13:56 ldap.conf
-rw-r--r-- 1 root wheel 245 Feb 12 13:56 ldap.conf.default
drwxr-xr-x 2 root wheel 512 Feb 12 14:38 private
drwxr-xr-x 2 root wheel 1024 Feb 12 14:02 schema
-rw-r--r-- 1 root wheel 895 Feb 12 14:37 server.crt
-rw------- 1 root wheel 2107 Feb 12 14:02 slapd.conf
-rw------- 1 root wheel 2107 Feb 12 14:02 slapd.conf.default
[root@fbsd-radius /usr/local/etc/openldap]#
Private keys:
[root@fbsd-radius /usr/local/etc/openldap]# ls -l private
total 10
-rw-r--r-- 1 root wheel 887 Feb 12 14:29 ca.key
-rw-r--r-- 1 root wheel 668 Feb 12 14:38 client.csr
-rw-r--r-- 1 root wheel 887 Feb 12 14:38 client.key
-rw-r--r-- 1 root wheel 668 Feb 12 14:33 server.csr
-rw-r--r-- 1 root wheel 891 Feb 12 14:33 server.key
[root@fbsd-radius /usr/local/etc/openldap]#
Configure OpenLDAP to use certificates
Now that the certificates are ready we need to include them in the OpenLDAP configuration. We can arrange this by editing slapd.conf:
nano /usr/local/etc/openldap/slapd.conf
At the end of the file add:
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/private/server.key
TLSCACertificateFile /usr/local/etc/openldap/ca.crt
Now edit the client side (this is mandatory regardless of which program you'll later use to access OpenLDAP), type:
nano /usr/local/etc/openldap/ldap.conf
Add these lines at the end of the file:
TLS_CACERT /usr/local/etc/openldap/ca.crt
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
Now let's get OpenLDAP started at boot time:
nano /etc/rc.conf
Add these lines at the end of the file:
slapd_enable="YES"
slapd_flags="-4 -u ldap -g ldap -h ldaps:///"
The second line means 'start ldap for IPv4, as user ldap, group ldap, listening at URI ldaps:///'.
Certficate permissions
We need to change the permissions on the private certificates so that only user ldap can access them:
cd /usr/local/etc/openldap
chown -R ldap:ldap private
chmod -R 700 private/
chmod -R 700 private/*
At this point I rebooted my machine. Let's check if OpenLDAP is running:
[root@fbsd-radius /home/marcel]# sockstat -4 -p 636
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
ldap slapd 649 6 tcp4 *:636 *:*
[root@fbsd-radius /home/marcel]#
We now have an LDAP server running, accepting secure connections (not really at this moment but... ;-))
Before I can start using OpenLDAP I need a directory design. I based my design on the following How-To:
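The ";-)" above is deserved: a listening port 636 does not prove the TLS setup is right. The audit script below is an added example, not part of the original post. It reads the directives set in slapd.conf and ldap.conf above and checks that every referenced certificate and key file exists, that the private key is not world-readable, and that client and server trust the same CA file; it also flags the 2012-era cipher string, since MEDIUM admits legacy 128-bit ciphers such as RC4 and the +SSLv3 token only reorders the cipher list rather than restricting the protocol version (TLSProtocolMin is the slapd.conf directive that does that). The make_demo_conf helper, its paths and its empty stand-in certificate files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit the TLS directives in
# slapd.conf and ldap.conf before trusting the ldaps:// listener. Assumes the
# directive names used above; file locations are parameters.
set -eu

# conf_value FILE DIRECTIVE: print the first value of DIRECTIVE in FILE
# (slapd.conf directives are case-insensitive); prints nothing if absent.
conf_value() {
    awk -v want="$2" '$1 != "" && substr($1,1,1) != "#" &&
        tolower($1) == tolower(want) { print $2; exit }' "$1"
}

# audit_ldap_tls SLAPD_CONF LDAP_CONF: prints ok/WARN/FAIL lines; returns 0
# when there is no FAIL, 1 otherwise (WARN lines do not fail the audit).
audit_ldap_tls() {
    slapd_conf=$1; ldap_conf=$2; rc=0

    # Every referenced file must exist, or slapd cannot bring up TLS and the
    # ldaps:// listener is useless.
    for d in TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile; do
        f=$(conf_value "$slapd_conf" "$d")
        if [ -z "$f" ]; then echo "FAIL $d: not set"; rc=1
        elif [ ! -f "$f" ]; then echo "FAIL $d: $f does not exist"; rc=1
        else echo "ok   $d -> $f"
        fi
    done

    # The private key must be readable only by its owner (the post's
    # chmod 700 private/ takes care of this; here we just verify it).
    key=$(conf_value "$slapd_conf" TLSCertificateKeyFile)
    if [ -f "$key" ] && [ -n "$(find "$key" -perm -004)" ]; then
        echo "FAIL TLSCertificateKeyFile: $key is world-readable"; rc=1
    fi

    # Client and server must agree on the CA, or ldapsearch over ldaps://
    # rejects the server certificate as untrusted.
    server_ca=$(conf_value "$slapd_conf" TLSCACertificateFile)
    client_ca=$(conf_value "$ldap_conf" TLS_CACERT)
    if [ "$server_ca" != "$client_ca" ]; then
        echo "FAIL ldap.conf TLS_CACERT ($client_ca) differs from TLSCACertificateFile ($server_ca)"; rc=1
    fi

    # Cipher policy: MEDIUM admits 128-bit legacy ciphers such as RC4, and
    # +SSLv3 only moves ciphers to the end of the list; it does not restrict
    # the protocol version. TLSProtocolMin is the directive for that.
    suite=$(conf_value "$slapd_conf" TLSCipherSuite)
    case "$suite" in
        *MEDIUM*|*LOW*) echo "WARN TLSCipherSuite '$suite' admits medium/low-strength ciphers" ;;
    esac
    if [ -z "$(conf_value "$slapd_conf" TLSProtocolMin)" ]; then
        echo "WARN TLSProtocolMin not set; 'TLSProtocolMin 3.3' requires TLS 1.2 or newer"
    fi
    return $rc
}

# make_demo_conf DIR MODE: constructed slapd.conf/ldap.conf pair with empty
# stand-in certificate files. MODE "weak" mirrors the post's settings plus a
# world-readable key; "hardened" is the corrected configuration.
make_demo_conf() {
    dir=$1; mode=$2
    mkdir -p "$dir/private"
    : > "$dir/ca.crt"; : > "$dir/server.crt"; : > "$dir/private/server.key"
    cat > "$dir/slapd.conf" <<EOF
TLSCertificateFile $dir/server.crt
TLSCertificateKeyFile $dir/private/server.key
TLSCACertificateFile $dir/ca.crt
EOF
    if [ "$mode" = weak ]; then
        echo "TLSCipherSuite HIGH:MEDIUM:+SSLv3" >> "$dir/slapd.conf"
        chmod 644 "$dir/private/server.key"
    else
        printf 'TLSCipherSuite HIGH\nTLSProtocolMin 3.3\n' >> "$dir/slapd.conf"
        chmod 600 "$dir/private/server.key"
    fi
    printf 'TLS_CACERT %s/ca.crt\n' "$dir" > "$dir/ldap.conf"
}

# Demo on constructed files; on the real server run
# audit_ldap_tls /usr/local/etc/openldap/slapd.conf /usr/local/etc/openldap/ldap.conf
for m in weak hardened; do
    d=$(mktemp -d); make_demo_conf "$d" "$m"
    echo "== $m configuration"
    audit_ldap_tls "$d/slapd.conf" "$d/ldap.conf" || true
    rm -rf "$d"
done
```

The weak configuration fails only on the key permissions and warns on the cipher string; the hardened one passes. Since slapd reads the key as user ldap after the chown above, the permission check is what keeps the key out of reach of every other local account.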
dc=tempelman,dc=local
|
|-ou=Roles
| |
| |-cn=ldapreader
| |-cn=ldapmanager
|
|
|-ou=Groups
| |
| |-cn=allusers
| |-cn=wifiusers
| |-cn=vpnusers
|
|-ou=People
|
|-cn=testuser
In the next part I will show you how I implement my LDAP-tree.