slappasswd -h {MD5}
This command asks for a password and after entering one, it generates a hash.
New password:
Re-enter new password:
{MD5}1iB8sGXpjoNB5Ra2copmjQ==
[root@fbsd-radius ~]#
Copy this hash; we're going to need it later.
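As an added example (not code from the original post), here is a Python reimplementation of the {MD5} scheme that slappasswd produces, with a format check for the value you paste into slapd.conf as rootpw; it also goes beyond the page to {SSHA}, slapd's default salted scheme. The function names are my own.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# "{SCHEME}base64" as slappasswd prints it (RFC 2307 style userPassword/rootpw value).
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(\S+)$")

def md5_hash(password: str) -> str:
    """Same construction as `slappasswd -h {MD5}`: base64 of the raw 16-byte MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}, slapd's default scheme: base64(sha1(password + salt) + salt) with a 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_format(value: str) -> Optional[str]:
    """None if value is a well-formed {MD5}/{SSHA} hash, otherwise the reason.
    The classic copy error, a trailing '=' dropped from the base64, is caught here."""
    m = SCHEME_RE.match(value)
    if not m:
        return "not in {SCHEME}base64 form"
    scheme, b64 = m.group(1).upper(), m.group(2)
    if scheme not in ("MD5", "SSHA"):
        return f"unsupported scheme {scheme}"
    try:
        raw = base64.b64decode(b64, validate=True)
    except Exception:
        return "base64 part is corrupt or mis-padded"
    if scheme == "MD5" and len(raw) != 16:
        return f"MD5 digest must be 16 bytes, got {len(raw)}"
    if scheme == "SSHA" and len(raw) <= 20:
        return "SSHA value must be a 20-byte SHA-1 digest followed by the salt"
    return None

def verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {MD5} or {SSHA} value (constant-time compare)."""
    if check_format(stored) is not None:
        return False
    scheme, b64 = SCHEME_RE.match(stored).groups()
    raw = base64.b64decode(b64)
    if scheme.upper() == "MD5":
        return hmac.compare_digest(hashlib.md5(password.encode()).digest(), raw)
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
```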
Now I'm going to edit slapd.conf in /usr/local/etc/openldap:
cd /usr/local/etc/openldap
nano slapd.conf
and add the following lines:
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
and for later:
#include /usr/local/etc/openldap/schema/samba.schema
If samba is not installed the slap-daemon will not start, so keep it commented for the moment. Samba will be installed later on for MSCHAPv2 authentication.
Add also (the rootpw value must be the complete hash slappasswd printed, including the trailing "=="):
allow bind_v2
password-hash {md5}
rootpw {MD5}1iB8sGXpjoNB5Ra2copmjQ==
My suffix and rootdn will be:
suffix "dc=tempelman,dc=local"
rootdn "cn=Manager,dc=tempelman,dc=local"
and following Alwina's design, I'm also going to add two management accounts for the LDAP-tree. This will give them the necessary rights:
access to dn.exact="cn=ldapmanager,ou=Roles,dc=tempelman,dc=local" by * manage
access to dn.exact="cn=ldapreader,ou=Roles,dc=tempelman,dc=local" by * read
access to attrs=userPassword by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous auth
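Because slapd evaluates these directives top down and the first matching "access to" wins, it is worth running them through a model; the Python below is an added example (not from the original post) implementing just the subset of slapd's ACL semantics used above. It shows that dn.exact in the "access to" part selects the target entry, so the first two directives give every requester, anonymous included, manage/read on the two role entries rather than giving the roles rights over the tree; HARDENED_ACL (my own naming and rewrite) puts the role DNs in the "by" clauses, where the requester belongs.

```python
from typing import Optional

LDAPMANAGER = "cn=ldapmanager,ou=Roles,dc=tempelman,dc=local"
LDAPREADER = "cn=ldapreader,ou=Roles,dc=tempelman,dc=local"

def _what_matches(what: str, target_dn: str, attr: Optional[str]) -> bool:
    """<what> selectors used on this page: '*', dn.exact=<dn> (the TARGET entry), attrs=<name>."""
    if what == "*":
        return True
    if what.startswith("dn.exact="):
        return target_dn.lower() == what[len("dn.exact="):].lower()
    return attr is not None and attr.lower() == what[len("attrs="):].lower()

def _who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """<who> selectors: '*', anonymous, users, self, dn.exact=<dn> (the REQUESTER)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:  # every remaining selector needs an authenticated requester
        return False
    if who == "users":
        return True
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    return bind_dn.lower() == who[len("dn.exact="):].lower()

def access_level(rules, bind_dn: Optional[str], target_dn: str, attr: Optional[str] = None) -> str:
    """rules: [("<what>", [("<who>", "<level>"), ...])]. slapd order: the first directive whose
    <what> matches the target decides; its first matching <by> gives the level, else 'none'."""
    for what, clauses in rules:
        if _what_matches(what, target_dn, attr):
            return next((lvl for who, lvl in clauses if _who_matches(who, bind_dn, target_dn)), "none")
    return "none"  # not reached here: both rule lists below end with "access to *"

# The four directives exactly as written on this page.
PAGE_ACL = [
    ("dn.exact=" + LDAPMANAGER, [("*", "manage")]),
    ("dn.exact=" + LDAPREADER, [("*", "read")]),
    ("attrs=userPassword", [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ("*", [("self", "write"), ("users", "read"), ("anonymous", "auth")]),
]
# Same intent with the role DNs moved into <who>, where the requester belongs (my rewrite).
HARDENED_ACL = [
    ("attrs=userPassword", [("dn.exact=" + LDAPMANAGER, "write"), ("self", "write"),
                            ("anonymous", "auth"), ("*", "none")]),
    ("*", [("dn.exact=" + LDAPMANAGER, "manage"), ("dn.exact=" + LDAPREADER, "read"),
           ("self", "write"), ("users", "read"), ("anonymous", "auth")]),
]
```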
Configure the database (easy, just copy the config example)
mv DB_CONFIG.example /var/db/openldap-data/DB_CONFIG
Now it's the moment to edit ldap.conf. I'm changing the line "BASE dc=example,dc=com" to
BASE dc=tempelman,dc=local
Now I'm ready to create the LDIF import files for the tree. I'm going to create two files, org.ldif and org1.ldif.
org.ldif will include the basic info of the tree and the manager.
cd
nano org.ldif
dn: dc=tempelman,dc=local
objectclass: dcObject
objectclass: organization
o: Tempelman
dc: Tempelman

dn: cn=Manager,dc=tempelman,dc=local
objectclass: organizationalRole
cn: Manager
Import the freshly made LDIF-file with the following command:
ldapadd -Z -D "cn=Manager,dc=tempelman,dc=local" -W -f /root/org.ldif
org1.ldif includes organisational units (People, Groups, Roles, the admin accounts and a testuser).
dn: ou=People,dc=tempelman,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Groups,dc=tempelman,dc=local
ou: Groups
objectClass: top
objectClass: organizationalUnit

dn: ou=Roles,dc=tempelman,dc=local
ou: Roles
objectClass: top
objectClass: organizationalUnit

dn: cn=allusers,ou=Groups,dc=tempelman,dc=local
objectClass: posixGroup
objectClass: top
cn: allusers
gidNumber: 5001

dn: cn=wifiusers,ou=Groups,dc=tempelman,dc=local
objectClass: posixGroup
objectClass: top
cn: wifiusers
gidNumber: 5002

dn: cn=vpnusers,ou=Groups,dc=tempelman,dc=local
objectClass: posixGroup
objectClass: top
cn: vpnusers
gidNumber: 5003

dn: uid=testuser,ou=People,dc=tempelman,dc=local
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
cn: Test User
sn: TestUser
givenName: Test
displayName: Testuser
uidNumber: 5001
gidNumber: 5001
gecos: Testuser
homeDirectory: /home/testuser
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
mail: testuser@tempelman.local
postalCode: 8888HH
l: Somewheristan
o: Exampelus
mobile: 0612345678
homePhone: 1900123456
title: System Tester
postalAddress:
initials: TU
loginShell: /bin/sh
shadowExpire: -1

dn: cn=ldapmanager,ou=Roles,dc=tempelman,dc=local
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldapmanager
description: LDAP manager user for unrestricted read/write
userPassword:

dn: cn=ldapreader,ou=Roles,dc=tempelman,dc=local
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ldapreader
description: LDAP reader for unrestricted reads
userPassword:
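An added example (not from the original post) that reads an LDIF like org1.ldif and flags two things before you ldapadd it: a group whose cn values do not include its own RDN value (the ldapsearch output later on this page shows how such an entry ends up with two cn values), and a MUST attribute that is missing or left empty, such as the blank userPassword placeholders above. The sample LDIF is constructed by me, and the REQUIRED table lists the MUST attributes of the relevant classes from nis.schema and core.schema.

```python
from typing import Dict, List

# MUST attributes of the object classes used in org1.ldif (nis.schema and core.schema).
REQUIRED = {
    "posixaccount": ("cn", "uid", "uidnumber", "gidnumber", "homedirectory"),
    "posixgroup": ("cn", "gidnumber"),
    "simplesecurityobject": ("userpassword",),
}

# Constructed sample: a cut-down org1.ldif carrying the two problems this checker reports.
SAMPLE_LDIF = """\
dn: cn=allusers,ou=Groups,dc=tempelman,dc=local
objectClass: posixGroup
cn: customers
gidNumber: 5001

dn: cn=ldapreader,ou=Roles,dc=tempelman,dc=local
objectClass: simpleSecurityObject
cn: ldapreader
userPassword:
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines.
    Attribute names are lowercased because LDAP compares them case-insensitively."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_ldif(text: str) -> List[str]:
    """Report a MUST attribute that is missing or empty, and an RDN value that is not
    among the entry's own values for that attribute (the entry's name and content disagree)."""
    problems = []
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        if rdn_value not in entry.get(rdn_attr.lower(), []):
            problems.append(f"{dn}: RDN value {rdn_value!r} is not a value of {rdn_attr}")
        for oc in entry.get("objectclass", []):
            for attr in REQUIRED.get(oc.lower(), ()):
                if not any(entry.get(attr, [])):
                    problems.append(f"{dn}: objectClass {oc} requires a non-empty {attr}")
    return problems
```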
Let's import:
ldapadd -Z -D "cn=Manager,dc=tempelman,dc=local" -W -f /root/org1.ldif
If you encounter any problems, read Lampros' blog about this topic for some troubleshooting tips.
For manually editing the LDAP directory the handy tool ldapvi is available. You can install it from the ports with the following steps:
cd /usr/ports/sysutils/ldapvi
make install clean -DBATCH
ldapvi --ldap-conf -D "cn=Manager,dc=tempelman,dc=local"
Now let's see if all is working:
[root@fbsd-radius ~]# ldapsearch -Z -D "cn=Manager,dc=tempelman,dc=local" -W
# extended LDIF
#
# LDAPv3
# base <dc=tempelman,dc=local> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# tempelman.local
dn: dc=tempelman,dc=local
objectClass: dcObject
objectClass: organization
o: Tempelman
dc: Tempelman

[...cut...]

# vpnusers, Groups, tempelman.local
dn: cn=vpnusers,ou=Groups,dc=tempelman,dc=local
objectClass: posixGroup
objectClass: top
cn: customers
cn: vpnusers
gidNumber: 5003

# search result
search: 3
result: 0 Success

# numResponses: 12
# numEntries: 11
[root@fbsd-radius ~]#
All seems okay :-)
Samba
Before I'm going to step up to FreeBSD, I'm going to install samba 3.5 for the samba.schema.
cd /usr/ports/net/samba35
make install clean
After installation copy the schema:
cp /usr/local/share/examples/samba/Ldap/samba.schema /usr/local/etc/openldap/schema/
In the next part I'm going to continue with installing FreeRadius.