malevolent

Reputation: 1

How to configure OpenLDAP with SSL as proxy for Active Directory with LDIF method

At my company, we have an Active Directory to manage users, and many web services outside the office whose login we want to be done via LDAP. I want to publish the LDAP via SSL and make all those web services log in against our AD, but I don't want to expose the AD, not even via SSL, so I want to set up an OpenLDAP proxy to the AD in our DMZ and connect to the AD in read-only mode. I'm not an LDAP expert at all, and when I set up other LDAPs in the past I followed a few steps to get one running and then managed them with Apache Directory Studio or LAM. I expected this to be quite a bit easier to accomplish, and well, it seems much harder to accomplish than I expected.

I've been dealing with this for weeks now, and I couldn't find any way to accomplish it. Everyone says slapd.conf is deprecated and must not be used anymore, and there are plenty of tutorials on how to configure OpenLDAP with SSL via LDIF, but I couldn't find any way to configure, via LDIF, an OpenLDAP with SSL being a proxy for AD. The only way I could find to configure LDAP as a proxy for AD was on the Samba site, with this slapd.conf file:

### Schema includes ###########################################################
include                 /etc/openldap/schema/core.schema
include                 /etc/openldap/schema/cosine.schema
include                 /etc/openldap/schema/inetorgperson.schema
include                 /etc/openldap/schema/misc.schema
include                 /etc/openldap/schema/nis.schema

## Module paths ##############################################################
modulepath              /usr/lib64/openldap/
moduleload              back_ldap
moduleload              rwm

# Main settings ###############################################################
pidfile                 /var/run/openldap/slapd.pid
argsfile                /var/run/openldap/slapd.args

### Database definition (Proxy to AD) #########################################
database                ldap
readonly                yes
protocol-version        3
rebind-as-user
uri                     "ldap://{AD-Hostname/IP}:389"
suffix                  "{your Domain DN}"
overlay                 rwm
rwm-map                 attribute       uid     sAMAccountName

### Logging ###################################################################
loglevel                0

I also modified schemas/inetorgperson.schema and added this:

################
#AD schema
################
attributetype ( 1.2.840.113556.1.4.221
      NAME 'sAMAccountName'
      SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
################

And finally, I added the sAMAccountName attribute to schemas/inetorgperson.ldif by adding

olcAttributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

and

# MAY list of inetOrgPerson with sAMAccountName added (LDIF continuation lines start with one space)
olcObjectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2
 798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY
 ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ em
 ployeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ ini
 tials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo
 $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ pre
 ferredLanguage $ userSMIMECertificate $ sAMAccountName $ userPKCS12 ) )

And it worked, but only after deleting the slapd.d directory and recreating it with

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

(and applying proper ownership afterwards).

Obviously, when I did that, my previous LDIF configuration (a local database and SSL set up) got deleted, and since I used slapd.conf and created the slapd.d directory from it, my LDAP administrator account got deleted as well, so I cannot configure SSL again or add more databases.

First, I had configured the local database and SSL following these steps.

[root@dlp ~]# systemctl enable --now slapd 

# generate encrypted password
[root@dlp ~]# slappasswd

New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]# vi chrootpw.ldif
# specify the password generated above for [olcRootPW] section

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

Import basic schemas

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

Set the domain name on LDAP DB.

# generate directory manager's password

[root@dlp ~]# slappasswd

New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]# vi chdomain.ldif
# replace to your own domain name for [dc=***,dc=***] section
# specify the password generated above for [olcRootPW] section

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=domain,dc=int" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=domain,dc=int

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=domain,dc=int

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=domain,dc=int" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=domain,dc=int" write by * read

[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

[root@dlp ~]# vi basedomain.ldif
# replace to your own domain name for [dc=***,dc=***] section

dn: dc=domain,dc=int
objectClass: top
objectClass: dcObject
objectclass: organization
o: LDAP Server
dc: domain

dn: cn=Manager,dc=domain,dc=int
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=domain,dc=int
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=domain,dc=int
objectClass: organizationalUnit
ou: Group

[root@dlp ~]# ldapadd -x -D cn=Manager,dc=domain,dc=int -W -f basedomain.ldif

Enter LDAP Password:     # directory manager's password

adding new entry "dc=domain,dc=int"

adding new entry "cn=Manager,dc=domain,dc=int"

adding new entry "ou=People,dc=domain,dc=int"

adding new entry "ou=Group,dc=domain,dc=int"

After generating a CA and valid certificates

[root@dlp ~]# cp /etc/pki/tls/certs/{server.key,server.crt} /etc/openldap/certs/

[root@dlp ~]# chown ldap:ldap /etc/openldap/certs/{server.key,server.crt}
[root@dlp ~]# vi mod_ssl.ldif
# create new

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key

[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

[root@dlp ~]# systemctl restart slapd 

And allowing it through the firewall:

[root@dlp ~]# firewall-cmd --add-service={ldap,ldaps}

success
[root@dlp ~]# firewall-cmd --runtime-to-permanent

success 

That works: it leaves a working LDAPS server with the DIT dc=domain,dc=int, and I can connect with my user cn=Manager,dc=domain,dc=int, create any objects, and so forth.

But then, as I couldn't find any way to add another database to that configuration, I had to remove the slapd.d directory, create a slapd.conf file and apply it, so it generated a brand new slapd.d directory with just the AD proxy, and no SSL nor a user to apply more LDIFs with.

So, I need to know how to mix it all together.

Upvotes: 0

Views: 983

Answers (0)
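Added example (not part of the question, and not an answer on the original page): the cn=config form of the Samba-site slapd.conf above, as a POSIX shell script that generates the LDIF and, with --apply, loads it over ldapi:/// next to the existing {2}mdb database and the TLS settings already in cn=config, so nothing has to be wiped with slaptest. The AD host, AD domain DN, CA file, proxy hostname, test account and the {3} database index are hypothetical placeholders. Two points the slapd.conf leaves open: the proxy's olcSuffix must not collide with the mdb suffix (dc=domain,dc=int in the question), so either give the proxy the AD domain DN or mount it under another DN with rwm's suffixmassage rewrite; and the slapd.conf talks to AD over plain ldap://, so the example verifies the DC's certificate with StartTLS and requires TLS from clients (olcSecurity), which is what keeps a DMZ proxy from becoming a cleartext relay for AD passwords.

```shell
#!/bin/sh
# Added example, not from the question: build (and optionally apply) the
# cn=config equivalent of the Samba-site slapd.conf.  Every value below is a
# hypothetical placeholder; override it through the environment before --apply.
set -eu
AD_URI="${AD_URI:-ldap://dc1.corp.example:389}"      # assumed AD domain controller
AD_SUFFIX="${AD_SUFFIX:-dc=corp,dc=example}"        # assumed AD domain DN; must differ from the mdb suffix
AD_CA="${AD_CA:-/etc/openldap/certs/ad-ca.pem}"     # assumed CA that issued the DC's certificate
MODULE_PATH="${MODULE_PATH:-/usr/lib64/openldap}"   # same path as the question's slapd.conf
DB_INDEX="${DB_INDEX:-3}"                           # next free olcDatabase slot after {2}mdb

# LDIF that loads back_ldap and rwm.  Pass "modify" when cn=module{0},cn=config
# already exists (Debian-style packages), "add" when it does not (the CentOS
# layout the question's steps produce).
module_ldif() {
  if [ "$1" = modify ]; then
    cat <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_ldap
olcModuleLoad: rwm
EOF
  else
    cat <<EOF
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: $MODULE_PATH
olcModuleLoad: back_ldap
olcModuleLoad: rwm
EOF
  fi
}

# LDIF for the proxy database plus its rwm overlay (uid -> sAMAccountName).
# The first block mirrors the slapd.conf directives one to one; the last
# three attributes are the DMZ hardening the slapd.conf lacks.
proxy_ldif() {
  cat <<EOF
dn: olcDatabase={$DB_INDEX}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {$DB_INDEX}ldap
olcSuffix: $AD_SUFFIX
olcDbURI: "$AD_URI"
olcReadOnly: TRUE
olcDbProtocolVersion: 3
# the client's own bind is forwarded to AD and reused for the connection,
# so no AD credential is stored on the proxy
olcDbRebindAsUser: TRUE
# AD returns referrals for its child naming contexts; do not chase them from the DMZ
olcDbChaseReferrals: FALSE
# StartTLS towards the DC, DC certificate must chain to AD_CA
olcDbStartTLS: start tls_cacert=$AD_CA tls_reqcert=demand
# clients must reach this database over TLS (ldaps:// or StartTLS), SSF >= 128
olcSecurity: tls=128
olcAccess: {0}to * by anonymous auth by users read by * none

dn: olcOverlay={0}rwm,olcDatabase={$DB_INDEX}ldap,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmMap: attribute uid sAMAccountName
EOF
}

# Apply over ldapi:/// as root (the SASL/EXTERNAL path the question already
# uses), then exercise the proxy as a web service would: an LDAPS bind with an
# AD account (assumed names), looking itself up by uid.
apply_proxy() {
  if ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b 'cn=module{0},cn=config' -s base 1.1 >/dev/null 2>&1; then
    module_ldif modify | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  else
    module_ldif add | ldapadd -Q -Y EXTERNAL -H ldapi:///
  fi
  proxy_ldif | ldapadd -Q -Y EXTERNAL -H ldapi:///
  ldapsearch -H "ldaps://${PROXY_HOST:-ldap.domain.int}/" \
    -D "${TEST_DN:-cn=webapp,cn=Users,$AD_SUFFIX}" -W \
    -b "$AD_SUFFIX" "(uid=${TEST_UID:-webapp})" cn mail
}

case "${1-}" in
  --print) module_ldif add; echo; proxy_ldif ;;
  --apply) apply_proxy ;;
esac
```

Run it with --print to review the LDIF and with --apply as root on the proxy to load and smoke-test it. The sAMAccountName attribute type is assumed to be loaded already, as the question's modified inetorgperson.ldif does. If any directive's cn=config name is in doubt, run slaptest -f slapd.conf -F /tmp/scratch.d against a copy of the Samba file and read the generated olcDatabase={1}ldap.ldif in the scratch directory: that converts the old format without touching the live /etc/openldap/slapd.d.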
