Sunday, May 9, 2010

OpenLDAP under Ubuntu Linux Lucid Lynx 10.04

Introduction

Somewhat as a follow-up to my Ubuntu Linux router upgrade project over a year and a half ago, I've worked on extending my home setup to include a complete LDAP solution.

My router upgrade project was completed under the latest version of Ubuntu Linux at the time, 8.04 ("Hardy Heron"), which also happened to be a Long Term Support (LTS) release. That guide has held up very well over the last 2 years and the following 4 Ubuntu releases, and is still my working reference as I choose to rebuild with each new release every 6 months. This includes the latest release, Ubuntu Linux 10.04, "Lucid Lynx". Lucid also happens to be the next LTS release, and is the version I am basing this guide on.

This guide will include setup of an LDAP server, as well as setting up client authentication and administration tools.

LDAP stands for "Lighweight Directory Access Protocol". In the simplest setup, it is a database of usernames, passwords, and other information, and is commonly used for shared authentication and authorization. It can be extended with any set of additional fields, allowing for extra uses.

For my purposes within a home network, LDAP is probably a bit of an overkill. However, with an increasing number of computers and virtual machines, it will make user maintenance easier once complete. I even plan on using it with RADIUS and WPA 2 Enterprise for keeping better control around wireless access. Additionally, this will be a good learning experience, as well as hopefully a good working reference for others needing a similar setup.

OpenLDAP

OpenLDAP (Wikipedia) is a free and open source LDAP server. It is highly configurable and very performant. As detailed at http://www.openldap.org/pub/hyc/LDAPcon2007.pdf:

OpenLDAP is the premier implementation of LDAP client and server software, providing full support of LDAPv3 and most popular standard and draft (work in progress) LDAP extensions. It has evolved over the years from its origins in the University of Michigan's reference implementation of LDAPv2 as a vehicle for experimentation into a mature, commercial grade package capable of supporting the most demanding environments. The current release has been proven to scale to hundreds of millions of objects in data volumes in excess of a terabyte, with performance in excess of 22,000 queries per second at sub-millisecond latencies. Reliability in production deployments has been flawless, with hardware failure being the principal cause of unscheduled downtime.

Also refer to "An OpenLDAP Update" (Marty Heyman, 2007-09-13, onlamp.com) for additional details. This was as of 2007, and these results should easily be multiplied through replicated nodes. (See "What is a directory service?" and "Replication" in the Administrator's Guide, and the "Directories vs. Relational Database Management Systems" FAQ entry.) OpenLDAP is also the only LDAP server provided in Ubuntu that is also maintained / supported by the Ubuntu developers.

The only alternatives I even considered were:

  • The 389 Directory Server (Wikipedia). Part of Red Hat's Fedora project, and identical to the Red Hat Directory Server. Like OpenLDAP, the 389 Directory Server is also based off of the University of Michigan project, and later, Netscape Directory Server. Unfortunately, the 389 Directory Server looks rather exclusive to Fedora and Red Hat Enterprise Linux (RHEL), with no binary packages readily available for other systems. There is some outdated documentation for Ubuntu, that only applied to older versions of both the directory server (1.1 vs. 1.2) and Ubuntu (9.10 vs. 10.04). Even following the notes, installation under a 9.10 VM no longer works as documented. Compiling from source would probably be the most successful attempt for current versions, but just the number of dependencies involved doesn't make this a very appealing option.
  • Apache Directory Server (Wikipedia). I had no specific issues against, but also no current compelling reasons to consider Apache Directory Server over OpenLDAP.

OpenLDAP installation under Ubuntu

Unfortunately, as of Ubuntu Linux 9.10 (Karmic Koala), there is no longer any automated, prompted configuration when installing the Ubuntu-packaged OpenLDAP server, slapd. The issues are visible in Ubuntu Bug # 463684, https://help.ubuntu.com/community/OpenLDAPServer, http://ubuntuforums.org/showthread.php?t=1313472, and http://ubuntuforums.org/showthread.php?t=1295934. Fortunately, most of these issues appear to have been corrected in the latest server guide for 10.04 (Lucid Lynx) at http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html.

My installation is based off of the latest server guide (the last link above), with a few noted changes (highlighted) for the backend*.ldif file:

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleLoad: back_hdb
olcModuleLoad: back_monitor

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: cn eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: uniqueMember eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by * none
# Below line should already exist by default in frontend.
#olcAccess: to dn.base="" by * read
# Below line modified from "*" to "users" to prevent anonymous access.
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by users read

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.subtree="cn=Monitor" by dn="cn=admin,dc=example,dc=com" read
-

# http://www.openldap.org/doc/admin24/monitoringslapd.html
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor

My updates include enabling monitoring, addition of commonly used indicies, and some security changes. The security changes are somewhat commented above, and include disabling anonyous access by default, removing a redudant entry that already exists in the default-created /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif file, and only allowing "people" (vs. system accounts, etc.) to change their own passwords. Though fixed later in the server guide under "Setting up ACL", the initial permissions on the userPassword and shadowLastChange attributes are treated differently in the server guide. The above gives them the same permissions, and matching those under "Setting up ACL" later in the server guide - from the start.

Starting with OpenLDAP 2.3, the LDAP configuration, by default, including the schema, is stored in LDAP itself (a.k.a. "cn=config"). This allows for dynamic configuration at runtime, and typically without restarting the service. At least in Ubuntu's default configuration, access to this configuation, stored in cn=config, is only available to the root user on the operating system. My updated configuration (above) also allows access to the same configured root user (olcRootDN) as specified in the backend database. Since no seperate olcRootPW is provided, the same password from the backend database is also used. Interestingly, I found that if only a olcRootPW is provided for the configuration database without a olcRootDN, a currently-undocumented default olcRootDN of "cn=admin" is used. I filed an issue report addressing this oversight in the documentation at http://www.openldap.org/its/index.cgi?findid=6546. An additional reference I found helpful around the update to "cn=config" is http://www.zytrax.com/books/ldap/ch6/slapd-config.html.

These settings and changes may not and probably will not be perfect for everyone, but at least this should point out some things to be aware of. Please modify as appropriate to fit your needs.

Security

Be sure to configure TLS (transport layer security). This appears to be covered quite well in the Ubuntu server guide, and I don't plan to provide any additional details around TLS for LDAP here.

Backup Plan

A backup plan is not currently covered in the Ubuntu server guide, so be sure to at least review the Maintenance section of the OpenLDAP Administrator's Guide. However, even the OpenLDAP guide doesn't even mention the possibility of hot database backups, but does conclude the backup section with "MORE on actual Berkeley DB backups later covering db_recover etc.".

A hot database backup doesn't require any downtime, while offering good protection with minimal space overhead. Unlike the other documented approach using slapcat, a hot database backup also guarantees consistency by capturing an exact point in time, regardless of how long the backup takes.

Here I am assuming that you are using a Berkeley Database for the backend, either bdb or hdb. Details of these backends are available under "Berkeley DB Backends" in the OpenLDAP Administrator's Guide. Since most of the database is stored within this database, we can defer to the database's backup documentation. For the Berkeley Database, this is documented quite well at http://download.oracle.com/docs/cd/E17076_02/html/bdb-sql/admin.html.

The best available option for backing up, at least for a hot backup, seems to be the db_hotbackup command line utility referenced in the Berkeley DB documentation. At least in Ubuntu, this script is not installed by default, but is available in the db4.x-util package. Unfortunately, the OpenLDAP implementation provided by the Ubuntu package is still linked against version 4.7 of the Berkeley DB instead of the version 4.8 that was standardized on by almost every other package depending upon Berkeley DB in the Lucid release, so the db4.7-util package is probably the one you need to install. I filed a bug report addressing this version issue in Ubuntu Bug # 572489.

Once the utility package is installed, a hot backup can simply be executed as:

sudo db4.7_hotbackup -c -h /var/lib/ldap/ -b <backupDir>/db

Also backup the /etc/ldap/slapd.d/ directory, which contains the server configuration, including the LDAP schema and configuration of the backend database: (On my systems, I already backup all of /etc/.)

sudo cp -R /etc/ldap/slapd.d <backupDir>/slapd.d

Schedule this to happen regularly and automatically through cron or another job scheduler, and ensure a copy is written to tape or another equivalent media and kept off-site, following typical best practices.

To be continued...

I'll be following up with a number of posts. To be included:

7 comments:

raerek said...

First I would like to thank you for this post. I am looking forward to your planned posts on this topic as well - can you tell me when are they supposed to arrive?

And I would like to ask you - or anyone able to help - another question. I plan to set up things like this:
-Group A: members can change the password of anyone, except the password of other Group A members.
-Group B: members can change their own passwords, and the passwords of Group C mebmers.
-Group C: members can only change their ownn password.

Can you outline how to write the "olcAccess: to" lines - If I do not have to, I would not like to set up three OU-s - I'd rather have everyone in the ou=people.

Thank you:
raerek

Mark A. Ziesemer said...

raerek - I've dedicated a new post as a response to your question: OpenLDAP Password Permissions Configuration Example.

Unknown said...

Hi,

thanks for this comprehensive tutorial.
Regarding the UbuntuWiki, why not change the article itself if there's so much new or broken?
Just suggesting...

Thanks again,
Gunnar

Rob Castellow said...

This is good information and many great links. Thanks for the the post!

Anonymous said...

Forgive me for being ignorant, but is there anything undesirable with using rsync as the backup mechanism ?

Or is the situation that by the time rsync gets to file 9 out of 10, it might have changed since rsync started on file 1 of 10 (and therefore file 1 is missing data that makes it usable with file 9) ?

Mark A. Ziesemer said...

Zeno - that is correct. This is actually documented quite well by Oracle at the link in the post. However, it does also note that a manual backup is possible (e.g. by using rsync), as long as the log files are copied after the database file.

Inukaze said...

Somone have a complete setup from scratch under Ubuntu 10.04 Server AMD64 . Becuase during 6 months i try to install and configure OpenLDAP buts ever result imposible

Some thing ever had an error , i try with diferent guides but never works at all

Basically i just need install
OpenLDAP Server under Ubuntu 10.04 LTS AMD64
OpenLDAP Client in anothers machines with another distros like : Canaima , Luna Elementary , Microsoft Windows XP , Microsoft Windows 7 , Microsoft Windows 8/8.1 , Microsoft Windows 10 .

Assing Print Quotes to ldap users using Pykota.

But this result Imposible. i never complete the first step for errors like

(49) Invalid Credentials : i really dont know how set properly the password, i try using all methods i found on internet , but never works , neither Plain Text , SSHA , MD5 , Crypt

When i try add "config.ldif" with the example from above , i just recieved the follow output :
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif


SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNunmer=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional infor: handler exited with 1

Well result imposible for me configure an OpenLDAP server.

Someone can have a working guide ???