Difference between revisions of "LDAP"

Tag: visualeditor
 
Line 1: Line 1:
== TODO ==  
+
==TODO==  
 
Check: https://www.digitalocean.com/community/tutorials/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps<br />
 
Check: https://www.digitalocean.com/community/tutorials/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps<br />
 
ADD: TO_WIKI<br />
 
ADD: TO_WIKI<br />
Line 5: Line 5:
 
https://wiki.debian.org/LDAP
 
https://wiki.debian.org/LDAP
  
== LDAP: Lightweight Directory Access Protocol ==
+
==LDAP: Lightweight Directory Access Protocol==
=== Server setup ===
+
===Server setup===
 
  sudo apt-get install sldap
 
  sudo apt-get install sldap
 
  sudo apt-get install ldap-utils
 
  sudo apt-get install ldap-utils
Line 20: Line 20:
 
https://www.youtube.com/watch?v=DM_UQVVVtoY
 
https://www.youtube.com/watch?v=DM_UQVVVtoY
  
=== Client setup (PAM: Pluggable Authentication Modules ===
+
===Client setup (PAM: Pluggable Authentication Modules===
 
  sudo apt-get install libpam-ldap
 
  sudo apt-get install libpam-ldap
 
  sudo apt-get install nscd
 
  sudo apt-get install nscd
Line 59: Line 59:
 
  /etc/init.d/nscd restart
 
  /etc/init.d/nscd restart
  
== /etc/ldap.secret ==
+
==/etc/ldap.secret==
 
  echo -n ldapsearchpassword > ldap.secret
 
  echo -n ldapsearchpassword > ldap.secret
 
  sudo mv ldap.secret /etc/ldap.secret
 
  sudo mv ldap.secret /etc/ldap.secret
 
  chmod 600 /etc/ldap.secret
 
  chmod 600 /etc/ldap.secret
  
== /etc/ldap.conf ==
+
==/etc/ldap.conf==
 
  <nowiki>###DEBCONF###
 
  <nowiki>###DEBCONF###
##
+
##
## Configuration of this file will be managed by debconf as long as the
+
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
+
## first line of the file says '###DEBCONF###'
##
+
##
## You should use dpkg-reconfigure to configure this file via debconf
+
## You should use dpkg-reconfigure to configure this file via debconf
##
+
##
 +
 +
#
 +
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
 +
#
 +
# This is the configuration file for the LDAP nameservice
 +
# switch library and the LDAP PAM module.
 +
#
 +
# PADL Software
 +
# http://www.padl.com
 +
#
 +
 +
# Your LDAP server. Must be resolvable without using LDAP.
 +
# Multiple hosts may be specified, each separated by a
 +
# space. How long nss_ldap takes to failover depends on
 +
# whether your LDAP client library supports configurable
 +
# network or connect timeouts (see bind_timelimit).
 +
 +
 +
# Uno de los 2 sobra
 +
host rtldap01.rra.lan
 +
uri ldaps://rtldap01.rra.lan
 +
 +
# The distinguished name of the search base.
 +
base dc=rtLDAP01,dc=igrupobbva
 +
ldap_version 3
 +
 +
# The distinguished name to bind to the server with
 +
# if the effective user ID is root. Password is
 +
# stored in /etc/ldap.secret (mode 600)
 +
rootbinddn cn=admin,dc=rtLDAP01,dc=igrupobbva
 +
 +
# The port.
 +
# Optional: default is 389.
 +
#port 389
 +
port 636
 +
 +
# Reconnect policy: hard (default) will retry connecting to
 +
# the software with exponential backoff, soft will fail
 +
# immediately.
 +
bind_policy soft
 +
 +
# Do not hash the password at all; presume
 +
# the directory server will do it, if
 +
# necessary. This is the default.
 +
pam_password md5
 +
 +
 +
# Netscape SDK LDAPS
 +
ssl on
 +
 +
# Netscape SDK SSL options
 +
#sslpath /etc/ssl/certs
 +
 +
# OpenLDAP SSL mechanism
 +
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
 +
#ssl start_tls
 +
#ssl on
 +
 +
# OpenLDAP SSL options
 +
# Require and verify server certificate (yes/no)
 +
# Default is to use libldap's default behavior, which can be configured in
 +
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
 +
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
 +
#tls_checkpeer yes
 +
#tls_checkpeer no
 +
 +
 +
# CA certificates for server certificate verification
 +
# At least one of these are required if tls_checkpeer is "yes"
 +
#tls_cacertfile /etc/ssl/ca.cert
 +
#tls_cacertfile /etc/ldap/ca_server.pem
 +
#tls_cacertdir /etc/ssl/certs
 +
 +
# Seed the PRNG if /dev/urandom is not provided
 +
#tls_randfile /var/run/egd-pool
 +
 +
# SSL cipher suite
 +
# See man ciphers for syntax
 +
#tls_ciphers TLSv1
 +
 +
# Client certificate and key
 +
# Use these, if your server requires client authentication.
 +
#tls_cert
 +
#tls_key
 +
 +
# Disable SASL security layers. This is needed for AD.
 +
#sasl_secprops maxssf=0
 +
 +
# Override the default Kerberos ticket cache location.
 +
#krb5_ccname FILE:/etc/.ldapcache
 +
 +
# SASL mechanism for PAM authentication - use is experimental
 +
# at present and does not support password policy control
 +
#pam_sasl_mech DIGEST-MD5
 +
nss_initgroups_ignoreusers _apt,backup,bin,daemon,games,gnats,irc,list,lp,mail,man,messagebus,mysql,news,proxy,root,sshd,sync,sys,syslog,systemd-bus-proxy,systemd-network,systemd-resolve,systemd-timesync,uucp,uuidd,vboxadd,www-data,rra</nowiki>
  
#
+
==/etc/ldap/ldap.conf==
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
 
#
 
# This is the configuration file for the LDAP nameservice
 
# switch library and the LDAP PAM module.
 
#
 
# PADL Software
 
# http://www.padl.com
 
#
 
 
 
# Your LDAP server. Must be resolvable without using LDAP.
 
# Multiple hosts may be specified, each separated by a
 
# space. How long nss_ldap takes to failover depends on
 
# whether your LDAP client library supports configurable
 
# network or connect timeouts (see bind_timelimit).
 
 
 
 
 
# Uno de los 2 sobra
 
host rtldap01.rra.lan
 
uri ldaps://rtldap01.rra.lan
 
 
 
# The distinguished name of the search base.
 
base dc=rtLDAP01,dc=igrupobbva
 
ldap_version 3
 
 
 
# The distinguished name to bind to the server with
 
# if the effective user ID is root. Password is
 
# stored in /etc/ldap.secret (mode 600)
 
rootbinddn cn=admin,dc=rtLDAP01,dc=igrupobbva
 
 
 
# The port.
 
# Optional: default is 389.
 
#port 389
 
port 636
 
 
 
# Reconnect policy: hard (default) will retry connecting to
 
# the software with exponential backoff, soft will fail
 
# immediately.
 
bind_policy soft
 
 
 
# Do not hash the password at all; presume
 
# the directory server will do it, if
 
# necessary. This is the default.
 
pam_password md5
 
 
 
 
 
# Netscape SDK LDAPS
 
ssl on
 
 
 
# Netscape SDK SSL options
 
#sslpath /etc/ssl/certs
 
 
 
# OpenLDAP SSL mechanism
 
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
 
#ssl start_tls
 
#ssl on
 
 
 
# OpenLDAP SSL options
 
# Require and verify server certificate (yes/no)
 
# Default is to use libldap's default behavior, which can be configured in
 
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
 
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
 
#tls_checkpeer yes
 
#tls_checkpeer no
 
 
 
 
 
# CA certificates for server certificate verification
 
# At least one of these are required if tls_checkpeer is "yes"
 
#tls_cacertfile /etc/ssl/ca.cert
 
#tls_cacertfile /etc/ldap/ca_server.pem
 
#tls_cacertdir /etc/ssl/certs
 
 
 
# Seed the PRNG if /dev/urandom is not provided
 
#tls_randfile /var/run/egd-pool
 
 
 
# SSL cipher suite
 
# See man ciphers for syntax
 
#tls_ciphers TLSv1
 
 
 
# Client certificate and key
 
# Use these, if your server requires client authentication.
 
#tls_cert
 
#tls_key
 
 
 
# Disable SASL security layers. This is needed for AD.
 
#sasl_secprops maxssf=0
 
 
 
# Override the default Kerberos ticket cache location.
 
#krb5_ccname FILE:/etc/.ldapcache
 
 
 
# SASL mechanism for PAM authentication - use is experimental
 
# at present and does not support password policy control
 
#pam_sasl_mech DIGEST-MD5
 
nss_initgroups_ignoreusers _apt,backup,bin,daemon,games,gnats,irc,list,lp,mail,man,messagebus,mysql,news,proxy,root,sshd,sync,sys,syslog,systemd-bus-proxy,systemd-network,systemd-resolve,systemd-timesync,uucp,uuidd,vboxadd,www-data,rra</nowiki>
 
 
 
== /etc/ldap/ldap.conf ==
 
 
  <nowiki>#
 
  <nowiki>#
# LDAP Defaults
+
# LDAP Defaults
#
+
#
 
+
# See ldap.conf(5) for details
+
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
+
# This file should be world readable but not world writable.
 
+
BASE cn=admin,dc=rtLDAP01,dc=igrupobbva
+
BASE cn=admin,dc=rtLDAP01,dc=igrupobbva
URI ldaps://rtldap01.rra.lan
+
URI ldaps://rtldap01.rra.lan
 +
 +
#SIZELIMIT 12
 +
#TIMELIMIT 15
 +
#DEREF never
 +
 +
# TLS certificates (needed for GnuTLS)
 +
TLS_CACERT /etc/ldap/ca_server.pem
 +
TLS_REQCERT never</nowiki>
  
#SIZELIMIT 12
+
==/etc/ldap/ca_server.pem==
#TIMELIMIT 15
 
#DEREF never
 
 
 
# TLS certificates (needed for GnuTLS)
 
TLS_CACERT /etc/ldap/ca_server.pem
 
TLS_REQCERT never</nowiki>
 
 
 
== /etc/ldap/ca_server.pem ==
 
 
  <nowiki>-----BEGIN CERTIFICATE-----
 
  <nowiki>-----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIMWMfFMzfYZ9ruHdHrMA0GCSqGSIb3DQEBCwUAMBsxGTAX
+
MIIDAzCCAeugAwIBAgIMWMfFMzfYZ9ruHdHrMA0GCSqGSIb3DQEBCwUAMBsxGTAX
BgNVBAMTEHJ0TERBUCBTZXJ2ZXIgRVMwIhgPMjAxNzAzMTQxMDI1NTVaGA8yMDI3
+
BgNVBAMTEHJ0TERBUCBTZXJ2ZXIgRVMwIhgPMjAxNzAzMTQxMDI1NTVaGA8yMDI3
MDMxMjEwMjU1NVowGzEZMBcGA1UEAxMQcnRMREFQIFNlcnZlciBFUzCCASIwDQYJ
+
MDMxMjEwMjU1NVowGzEZMBcGA1UEAxMQcnRMREFQIFNlcnZlciBFUzCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcM49P9hq7IzJFb6OT+ffutrkI2V23D
+
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcM49P9hq7IzJFb6OT+ffutrkI2V23D
EIC9e8MKAV5McPYebbm/RCTFb12vlVAX9OjlyYCatZewr7j94bDXjGpWb3v2oDll
+
EIC9e8MKAV5McPYebbm/RCTFb12vlVAX9OjlyYCatZewr7j94bDXjGpWb3v2oDll
yt9PhtrwvUX1tpmq66ANRSF4oQpqfJjzRpV85f0bokGgsSRWWEf4elskA+pZCSzh
+
yt9PhtrwvUX1tpmq66ANRSF4oQpqfJjzRpV85f0bokGgsSRWWEf4elskA+pZCSzh
/H2RTGbqRwfubS6qFNaI+1Jg0z2D69vMmo25fawi7oQ2sEY7zxJEOaXYfeLmNXm1
+
/H2RTGbqRwfubS6qFNaI+1Jg0z2D69vMmo25fawi7oQ2sEY7zxJEOaXYfeLmNXm1
PNXDpzyexOQVK6u0z+e4zpHJN14z4JAyqDNPY4v0mx6H//l3M1ZZfe5l7kM7YKuZ
+
PNXDpzyexOQVK6u0z+e4zpHJN14z4JAyqDNPY4v0mx6H//l3M1ZZfe5l7kM7YKuZ
AUOsqkgCGMTJ8lfN4xyR+7NmPM104qFaeS3jOMr1D1uKGd+KPvfK9CcCAwEAAaND
+
AUOsqkgCGMTJ8lfN4xyR+7NmPM104qFaeS3jOMr1D1uKGd+KPvfK9CcCAwEAAaND
MEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBRr
+
MEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBRr
OqqVkZ3F8rUDjB2e94oid3PLJTANBgkqhkiG9w0BAQsFAAOCAQEAtOA92GJ1ZbfL
+
OqqVkZ3F8rUDjB2e94oid3PLJTANBgkqhkiG9w0BAQsFAAOCAQEAtOA92GJ1ZbfL
Lr5t9MADd4RiqLl36VjCdChHlTvLmXWqbu7962TA730ZmsouiUeFxVCGdLKqmEbH
+
Lr5t9MADd4RiqLl36VjCdChHlTvLmXWqbu7962TA730ZmsouiUeFxVCGdLKqmEbH
r7mPfAFjWTfDMUV5YGKeZrtYrQqnLsewyHjsl3DHR536vIOabj7wHiukc8ecy6Mg
+
r7mPfAFjWTfDMUV5YGKeZrtYrQqnLsewyHjsl3DHR536vIOabj7wHiukc8ecy6Mg
p7tMUHExmOYPmgn3u9gFosFGd38aKvFfPJjep+DOKkYZCICdM5a9p6b5lLy9pbGN
+
p7tMUHExmOYPmgn3u9gFosFGd38aKvFfPJjep+DOKkYZCICdM5a9p6b5lLy9pbGN
lUvj0WAGp6KFr2LlKHVC6YU/JiyPnnC/wOeQaZuG3SWyhS0VO3QHghk/bHYVZLIx
+
lUvj0WAGp6KFr2LlKHVC6YU/JiyPnnC/wOeQaZuG3SWyhS0VO3QHghk/bHYVZLIx
wUBQLiqETyOj08Mq3fFJRM8dQcEdfjMxpeFiDo/7sIvLwEfpLuzDsxuflIR0RTs1
+
wUBQLiqETyOj08Mq3fFJRM8dQcEdfjMxpeFiDo/7sIvLwEfpLuzDsxuflIR0RTs1
Qwlshp1/+Q==
+
Qwlshp1/+Q==
-----END CERTIFICATE-----</nowiki>
+
-----END CERTIFICATE-----</nowiki>
  
== More Info ==
+
==More Info==
 
https://www.youtube.com/watch?v=LVY3WbakcOE&list=PL8B125D10F99838F7<br />
 
https://www.youtube.com/watch?v=LVY3WbakcOE&list=PL8B125D10F99838F7<br />
 
http://www.server-world.info/en/note?os=Debian_8&p=openldap&f=4
 
http://www.server-world.info/en/note?os=Debian_8&p=openldap&f=4
  
== TLS1.2 ==
+
==TLS1.2==
 
TODO: Desarrollar
 
TODO: Desarrollar
 
Examples olcTLSCipherSuite (cn=config??)<br />
 
Examples olcTLSCipherSuite (cn=config??)<br />
Line 218: Line 218:
 
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2<br />
 
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2<br />
  
== Troubleshooting ==
+
==Troubleshooting==
 
  ldapsearch -x -d 1 -ZZ
 
  ldapsearch -x -d 1 -ZZ
 
  ldapsearch -x -LLL uid=xe50582
 
  ldapsearch -x -LLL uid=xe50582
 
  ldapsearch -h rtLDAP01.igrupobbva -b dc=rtLDAP01,dc=igrupobbva -x uid=xe50582
 
  ldapsearch -h rtLDAP01.igrupobbva -b dc=rtLDAP01,dc=igrupobbva -x uid=xe50582
 +
 +
ldapsearch -x -h freeipa.rra.lan -b dc=rra,dc=lan "(&(objectclass=posixaccount)(objectClass=person)(uid=xe50582))"
 
  getent passwd
 
  getent passwd
 
  getent group
 
  getent group
  
== LDAP SSH Keys ==
+
==LDAP SSH Keys==
* Modify LDAP to enable SSH keys storage (google)
+
 
* /etc/ssh/sshd_config --> AuthorizedKeysCommand  /bin/ldapkeyfile
+
*Modify LDAP to enable SSH keys storage (google)
* /etc/ssh/sshd_config --> AuthorizedKeysCommandUser nobody
+
*/etc/ssh/sshd_config --> AuthorizedKeysCommand  /bin/ldapkeyfile
 +
*/etc/ssh/sshd_config --> AuthorizedKeysCommandUser nobody
  
 
/bin/ldapkeyfile
 
/bin/ldapkeyfile
<source lang='bash'>#!/usr/bin/env bash
+
<source lang="bash">#!/usr/bin/env bash
 
ldapsearch -h rtLDAP01.igrupobbva -b dc=rtLDAP01,dc=igrupobbva -x '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
 
ldapsearch -h rtLDAP01.igrupobbva -b dc=rtLDAP01,dc=igrupobbva -x '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
 
</source>
 
</source>
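Review bot: The troubleshooting line added in this hunk, `ldapsearch -x -h freeipa.rra.lan -b dc=rra,dc=lan ...`, uses the deprecated `-h` host form, which connects over plain ldap:// on port 389, so the query and the account data it returns travel unencrypted and without server authentication, unlike the ldaps:// setup the rest of the page builds. For a one-off diagnostic that is tolerable, but `ldapsearch -x -H ldaps://freeipa.rra.lan -b dc=rra,dc=lan '(&(objectClass=posixAccount)(uid=xe50582))'` exercises the same path the clients use and also surfaces certificate problems. The server and suffix (freeipa.rra.lan / dc=rra,dc=lan) differ from the rtLDAP01 entries used everywhere else on the page, presumably a second environment; a one-line label would keep readers from mixing the two.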

Latest revision as of 13:45, 24 February 2020

TODO

Check: https://www.digitalocean.com/community/tutorials/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps (written for Ubuntu 12.04, long end-of-life; package names and PAM defaults differ on current releases, so re-validate each step before copying it)
ADD: TO_WIKI

https://wiki.debian.org/LDAP

LDAP: Lightweight Directory Access Protocol

Server setup

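# OpenLDAP server and client tools. The server package is "slapd"
# (the page previously said "sldap", which does not exist).
sudo apt-get install slapd
sudo apt-get install ldap-utils
sudo apt-get install phpldapadmin
sudo nano /etc/ldap/ldap.conf
# Set BASE and URI
# NOTE(review): phpldapadmin over plain http:// sends the cn=admin password
# in the clear. Put it behind HTTPS, or restrict it to localhost / an admin
# network, before logging in with the directory administrator.
# browse to http://serverip/phpldapadmin
# if it gives a low memory error:
nano /etc/php5/apache2/php.ini
# set: memory_limit = 32M
# restart apache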

https://www.youtube.com/watch?v=DM_UQVVVtoY

Client setup (PAM: Pluggable Authentication Modules)

# PAM module (pam_ldap.so) and the name-service cache daemon. The NSS side
# (libnss-ldap, which reads /etc/ldap.conf for the getent lookups below) is
# not installed explicitly here — TODO confirm it is pulled in on this release.
sudo apt-get install libpam-ldap
sudo apt-get install nscd
nano /etc/nsswitch.conf
# add ldap to passwd, group and shadow:
# NOTE(review): with "ldap" first, the directory is consulted before the
# local files for every lookup, including system accounts: a directory
# entry with uid=root would be returned ahead of the local one, and local
# lookups stall whenever the server is unreachable. "compat ldap" keeps
# local accounts authoritative. Confirm which policy is intended.
passwd:    ldap compat
group:     ldap compat
shadow:    ldap compat

edit: /etc/pam.d/common-auth

# comment out the existing "auth optional ..." line
# add: pam_ldap authenticates directory users against the server in
# /etc/ldap.conf. use_first_pass makes it reuse the password already
# collected by pam_unix instead of prompting again, so pam_unix must
# come before this line in the resulting file — TODO confirm the order.
auth    required    pam_ldap.so use_first_pass
# pam_permit at the end of the stack is harmless only because the
# "required" pam_ldap above already fails the stack for rejected users;
# keep these two lines in this order.
auth    required    pam_permit.so
# modify: auth    requisite    pam_unix.so nullok_secure
# to: "sufficient" lets a valid local password finish the stack at once
# (LDAP is not consulted for local accounts such as root) while a failed
# local check falls through to pam_ldap. nullok_secure still allows empty
# passwords from the ttys in /etc/securetty — drop it unless wanted.
auth    sufficient    pam_unix.so nullok_secure

edit: /etc/pam.d/common-account

# add: pam_ldap applies the directory's account restrictions (expiry, and
# host/group access rules if configured) to directory users
account    required    pam_ldap.so
# modify: account required pam_unix.so
# to: "sufficient" so local accounts finish here and only directory users
# reach pam_ldap; same ordering caveat as common-auth (pam_unix first).
account    sufficient    pam_unix.so

edit: /etc/pam.d/common-session

# add (if home directory does not exist create it) :
# NOTE(review): umask=0022 creates home directories world-readable (0755),
# so every local or directory user can browse everyone else's files.
# umask=0077 (0700) or 0027 is the usual hardening unless ~/public_html-style
# sharing is actually needed — confirm which is intended.
session    required    pam_mkhomedir.so    skel=/etc/skel/ umask=0022

edit: /etc/pam.d/common-password

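# add: pam_ldap changes the password in the directory, using the method
# set by "pam_password" in /etc/ldap.conf
password    required    pam_ldap.so
# modify: password    requisite    pam_unix.so nullok obscure md5
# to: "sufficient" so a local account is finished after pam_unix and only
# directory users reach pam_ldap (assumes pam_unix precedes pam_ldap in the
# file, as in the stock Debian layout — confirm). The local hash is changed
# from md5 to sha512: md5crypt is considered weak and sha512 has been the
# Debian default for years; existing md5 hashes keep verifying. "nullok"
# permits empty passwords — drop it unless that is really wanted.
password    sufficient   pam_unix.so nullok obscure sha512
# restart nscd so its cached passwd/group/shadow lookups pick up the change
/etc/init.d/nscd restart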

/etc/ldap.secret

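# /etc/ldap.secret holds the rootbinddn bind password (see /etc/ldap.conf) and
# must be readable by root only. Read it from the terminal instead of putting
# it on the command line, where it ends up in the shell history and is visible
# in the process list; umask 077 makes the temporary file private from the
# moment it is created, so there is no window before a later chmod.
# printf '%s' writes no trailing newline, like the original echo -n.
( umask 077 && IFS= read -rs -p 'LDAP bind password: ' pw && printf '%s' "$pw" > ldap.secret )
# install sets owner, group and mode in one step; a plain "sudo mv" would
# leave the file owned by the invoking user, which is the only reason the
# old non-root chmod worked.
sudo install -o root -g root -m 600 ldap.secret /etc/ldap.secret
rm -f ldap.secret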

/etc/ldap.conf (PADL nss_ldap / pam_ldap client configuration, per its own header comment; not the same file as /etc/ldap/ldap.conf below, which configures the OpenLDAP libldap library and tools)

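###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##
## NOTE(review): while that marker stays, dpkg-reconfigure of libnss-ldap /
## libpam-ldap rewrites this file and silently drops hand edits such as the
## tls_* lines below. Either set them through debconf or remove the marker.

#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).

# Only one of "host" / "uri" is needed (the original note said as much).
# The uri form is kept because it states the scheme explicitly; the bare
# host line is left commented so nothing can fall back to plain ldap://.
#host rtldap01.rra.lan
uri ldaps://rtldap01.rra.lan

# The distinguished name of the search base.
base dc=rtLDAP01,dc=igrupobbva
ldap_version 3

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# NOTE(review): this is the directory administrator, so every root-side
# lookup binds with full write access and a leaked /etc/ldap.secret hands
# over the whole directory. A read-only bind account with just the access
# nss_ldap/pam_ldap need (shadow attributes) would be the safer choice.
rootbinddn cn=admin,dc=rtLDAP01,dc=igrupobbva

# The port.
# Optional: default is 389.
#port 389
port 636

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
bind_policy soft

# How pam_ldap changes passwords. The previous value, "md5", makes the
# client hash the new password itself and store it as {MD5} — unsalted
# and fast to brute-force; the comment that sat above it ("do not hash at
# all ... this is the default") appears copied from the "clear" entry of
# the stock file. "exop" sends the new password over the TLS channel via
# the Password Modify extended operation (RFC 3062) so slapd hashes it with
# its own configured scheme (e.g. {SSHA}). Requires a server implementing
# the operation — OpenLDAP slapd does — and an ACL letting users write
# their own userPassword.
pam_password exop


# Netscape SDK LDAPS
ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
# Set explicitly rather than inherited from the system-wide ldap.conf: a
# "TLS_REQCERT never" there would leave this ldaps:// connection unverified,
# i.e. anyone able to redirect traffic to their own server could feed this
# host arbitrary accounts, groups and SSH keys.
tls_checkpeer yes


# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
# Same CA the OpenLDAP tools use (TLS_CACERT in /etc/ldap/ldap.conf).
tls_cacertfile /etc/ldap/ca_server.pem
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5

# Local system accounts whose supplementary groups are never looked up in
# LDAP, so daemons start and root can log in while the server is down.
# "rra" at the end is presumably a local admin account — confirm.
nss_initgroups_ignoreusers _apt,backup,bin,daemon,games,gnats,irc,list,lp,mail,man,messagebus,mysql,news,proxy,root,sshd,sync,sys,syslog,systemd-bus-proxy,systemd-network,systemd-resolve,systemd-timesync,uucp,uuidd,vboxadd,www-data,rra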

/etc/ldap/ldap.conf (OpenLDAP libldap defaults, used by ldapsearch and by every program linked against libldap; its TLS_* settings are what the PAM/NSS modules fall back to when they set none of their own)

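#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

# Default search base for the OpenLDAP tools. This is the directory suffix,
# matching "base" in /etc/ldap.conf and the -b used in Troubleshooting; the
# previous value (cn=admin,...) was the administrator's own DN, so a bare
# "ldapsearch -x uid=..." searched only beneath that entry and would miss
# the account entries elsewhere in the tree.
BASE	dc=rtLDAP01,dc=igrupobbva
URI	ldaps://rtldap01.rra.lan

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

# TLS certificates (needed for GnuTLS)
TLS_CACERT	/etc/ldap/ca_server.pem
# Verify the server certificate against the CA above and abort if it does not
# check out. The previous "never" accepted any certificate, so ldaps:// gave
# encryption only and no protection against a spoofed directory server. If the
# handshake fails now, fix the server certificate / CA chain (and the host
# name it is issued for) rather than going back to "never"; "allow" is for
# temporary diagnosis only.
TLS_REQCERT	demand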

/etc/ldap/ca_server.pem — the CA certificate the clients trust for the ldaps:// connection (TLS_CACERT / tls_cacertfile above). The block below appears to decode as a self-signed CA certificate (issuer = subject, CN "rtLDAP Server ES") valid until March 2027; verify with `openssl x509 -in /etc/ldap/ca_server.pem -noout -subject -issuer -dates`. It only has an effect when certificate checking is on (TLS_REQCERT other than `never`, or tls_checkpeer yes), and the server certificate must chain to it and carry the host name the clients connect to.

-----BEGIN CERTIFICATE-----
 MIIDAzCCAeugAwIBAgIMWMfFMzfYZ9ruHdHrMA0GCSqGSIb3DQEBCwUAMBsxGTAX
 BgNVBAMTEHJ0TERBUCBTZXJ2ZXIgRVMwIhgPMjAxNzAzMTQxMDI1NTVaGA8yMDI3
 MDMxMjEwMjU1NVowGzEZMBcGA1UEAxMQcnRMREFQIFNlcnZlciBFUzCCASIwDQYJ
 KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcM49P9hq7IzJFb6OT+ffutrkI2V23D
 EIC9e8MKAV5McPYebbm/RCTFb12vlVAX9OjlyYCatZewr7j94bDXjGpWb3v2oDll
 yt9PhtrwvUX1tpmq66ANRSF4oQpqfJjzRpV85f0bokGgsSRWWEf4elskA+pZCSzh
 /H2RTGbqRwfubS6qFNaI+1Jg0z2D69vMmo25fawi7oQ2sEY7zxJEOaXYfeLmNXm1
 PNXDpzyexOQVK6u0z+e4zpHJN14z4JAyqDNPY4v0mx6H//l3M1ZZfe5l7kM7YKuZ
 AUOsqkgCGMTJ8lfN4xyR+7NmPM104qFaeS3jOMr1D1uKGd+KPvfK9CcCAwEAAaND
 MEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBRr
 OqqVkZ3F8rUDjB2e94oid3PLJTANBgkqhkiG9w0BAQsFAAOCAQEAtOA92GJ1ZbfL
 Lr5t9MADd4RiqLl36VjCdChHlTvLmXWqbu7962TA730ZmsouiUeFxVCGdLKqmEbH
 r7mPfAFjWTfDMUV5YGKeZrtYrQqnLsewyHjsl3DHR536vIOabj7wHiukc8ecy6Mg
 p7tMUHExmOYPmgn3u9gFosFGd38aKvFfPJjep+DOKkYZCICdM5a9p6b5lLy9pbGN
 lUvj0WAGp6KFr2LlKHVC6YU/JiyPnnC/wOeQaZuG3SWyhS0VO3QHghk/bHYVZLIx
 wUBQLiqETyOj08Mq3fFJRM8dQcEdfjMxpeFiDo/7sIvLwEfpLuzDsxuflIR0RTs1
 Qwlshp1/+Q==
 -----END CERTIFICATE-----

More Info

https://www.youtube.com/watch?v=LVY3WbakcOE&list=PL8B125D10F99838F7
http://www.server-world.info/en/note?os=Debian_8&p=openldap&f=4

TLS1.2

TODO: to be expanded. Examples of olcTLSCipherSuite (set on cn=config with ldapmodify, e.g. `ldapmodify -Y EXTERNAL -H ldapi:///`). Caveat: the strings below are OpenSSL cipher-list syntax, where `SSLv3`/`TLSv1.2` name groups of cipher suites rather than protocol versions; Debian/Ubuntu build slapd against GnuTLS, which instead takes a priority string such as `SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2`. On either build the minimum protocol version is better pinned with `olcTLSProtocolMin: 3.3` (3.3 = TLS 1.2) than through the cipher list.
# NOTE(review): the first example keeps SSLv3 enabled (+SSLv3). SSLv3 is
# broken (POODLE) and must not be offered — use the second form.
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:+SSLv3:-SSLv2
# Same list with SSLv3 disabled as well.
olcTLSCipherSuite: HIGH:+TLSv1.2:-TLSv1.1:-TLSv1.0:-SSLv3:-SSLv2

Troubleshooting

# Anonymous bind (-x) with library debug output (-d 1); -ZZ demands a
# successful StartTLS and aborts otherwise, so this checks the TLS handshake
# itself (not applicable against an ldaps:// URI, which is already TLS).
ldapsearch -x -d 1 -ZZ
# Relies on BASE/URI from /etc/ldap/ldap.conf; -LLL prints bare LDIF.
ldapsearch -x -LLL uid=xe50582
# NOTE(review): -h takes a host name, not a URI, and connects over plain
# ldap:// on port 389 — not the ldaps:// the configs above use — so query and
# answer travel unencrypted. Prefer -H ldaps://<host>. The two lines also name
# different servers/suffixes (rtLDAP01.igrupobbva vs freeipa.rra.lan),
# presumably two environments.
ldapsearch -h rtLDAP01.igrupobbva -b dc=rtLDAP01,dc=igrupobbva -x uid=xe50582
ldapsearch -x -h freeipa.rra.lan -b dc=rra,dc=lan "(&(objectclass=posixaccount)(objectClass=person)(uid=xe50582))"
# Confirm NSS resolves directory users/groups (nsswitch.conf + nscd).
getent passwd
getent group

LDAP SSH Keys

  • Modify LDAP to enable SSH keys storage (google) — the `sshPublicKey` attribute the script below reads normally comes from the openssh-lpk schema; how it was loaded on this server is not recorded here yet.
  • /etc/ssh/sshd_config --> AuthorizedKeysCommand /bin/ldapkeyfile — sshd_config(5) requires an absolute path to a program owned by root and not writable by group or others; with no arguments given, sshd passes the target username as the only argument.
  • /etc/ssh/sshd_config --> AuthorizedKeysCommandUser nobody — the account the lookup runs as; it needs no privileges. A dedicated account (rather than `nobody`, which other services share) is the cleaner choice.

/bin/ldapkeyfile

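#!/usr/bin/env bash
# AuthorizedKeysCommand for sshd: prints the sshPublicKey values of the
# posixAccount whose uid is the login name passed as $1 (sshd supplies the
# target username when the directive has no explicit arguments).
#
# sshd only runs this if the file is owned by root and not group/world
# writable, as AuthorizedKeysCommandUser (nobody). Fail closed: any error
# exits non-zero so sshd discards the output and falls back to
# AuthorizedKeysFile instead of trusting a partial answer.
set -euo pipefail

# Was "-h rtLDAP01.igrupobbva", i.e. plain ldap:// on 389: the keys that
# decide who may log in travelled unencrypted and unauthenticated, so anyone
# able to impersonate the server could inject their own key. ldaps:// fixes
# the transport; the certificate check itself is governed by TLS_REQCERT in
# /etc/ldap/ldap.conf, which must not be "never" for this to help.
# NOTE(review): other sections use rtldap01.rra.lan for the same server —
# confirm which name the server certificate is issued for.
readonly LDAP_URI='ldaps://rtLDAP01.igrupobbva'
readonly LDAP_BASE='dc=rtLDAP01,dc=igrupobbva'

if [ "$#" -ne 1 ] || [ -z "$1" ]; then
    echo "usage: $0 <username>" >&2
    exit 1
fi

# Escape the RFC 4515 filter metacharacters (backslash first) so the
# username is matched literally and cannot widen the search (e.g. "*").
user=$1
user=${user//\\/\\5c}
user=${user//\*/\\2a}
user=${user//\(/\\28}
user=${user//\)/\\29}

# -o ldif-wrap=no keeps each value on one line, so the continuation-line
# joining the original sed pipeline did is no longer needed. Values that
# ldapsearch base64-encodes ("sshPublicKey::") are not decoded, as before.
ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -b "$LDAP_BASE" \
    "(&(objectClass=posixAccount)(uid=${user}))" sshPublicKey \
    | sed -n 's/^sshPublicKey: //p'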