Table of content
  1. Configuration
    1. Basics
    2. Security and authentication
    3. Branch example.com
  2. Startup

Installing an openldap server with replication, to manage user accounts, access rights and other information. Cyphering will be used to protect communications, except when done from the localhost.

Build information

Ensure the following options:

net/openldap24-server
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

[x] ACCESSLOG         With In-Directory Access Logging overlay
[x] AUDITLOG          With Audit Logging overlay
[x] COLLECT           With Collect overy Services overlay
[x] CONSTRAINT        With Attribute Constraint overlay
[x] DDS               With Dynamic Directory Services overlay
[x] DEREF             With Dereference overlay
[x] DYNAMIC_BACKENDS  Build dynamic backends
[x] DYNGROUP          With Dynamic Group overlay
[x] DYNLIST           With Dynamic List overlay
[x] FETCH             Enable fetch(3) support
[ ] GSSAPI            With GSSAPI support (implies SASL support)
[x] MDB               With Memory-Mapped DB backend
[x] MEMBEROF          With Reverse Group Membership overlay
[x] PBKDF2            With PBKDF2 hash password support
[x] PPOLICY           With Password Policy overlay
[x] PROXYCACHE        With Proxy Cache overlay
[x] REFINT            With Referential Integrity overlay
[x] RELAY             With Relay backend
[x] RETCODE           With Return Code testing overlay
[ ] RLOOKUPS          With reverse lookups of client hostnames
[x] RWM               With Rewrite/Remap overlay
[x] SASL              With (Cyrus) SASL2 support
[x] SEQMOD            With Sequential Modify overlay
[x] SHA2              With SHA2 Password hashes overlay
[ ] SHELL             With Shell backend (disables threading)
[ ] SLP               With SLPv2 (RFC 2608) support
[x] SMBPWD            With Samba Password hashes overlay
[ ] SOCK              With Sock backend
[x] SSSVLV            With ServerSideSort/VLV overlay
[x] SYNCPROV          With Syncrepl Provider overlay
[ ] TCP_WRAPPERS      With tcp wrapper support
[x] TRANSLUCENT       With Translucent Proxy overlay
[x] UNIQUE            With attribute Uniqueness overlay
[x] VALSORT           With Value Sorting overlay

Configuration

The configuration is done in the slapd.conf file and other files can also be included via the include directive.

Basics

Schemas inclusion (core, nis, samba, …):

samba.schema file is not part of the openldap distribution, but must be recovered from samba.

slapd.conf
1
2
3
4
5
6

# Schema
include                 /usr/local/etc/openldap/schema/core.schema 
include                 /usr/local/etc/openldap/schema/cosine.schema 
include                 /usr/local/etc/openldap/schema/inetorgperson.schema 
include                 /usr/local/etc/openldap/schema/nis.schema
include                 /usr/local/etc/openldap/schema/samba.schema

Debugging information:

slapd.conf
1
2
3
4

# Information about process and debugging
pidfile                 /var/run/openldap/slapd.pid
argsfile                /var/run/openldap/slapd.args
#loglevel               trace conns

Some values are to be adjusted to better manage concurrency, simultaneous connections, and the lifetime of requests. The DNS reverse check is suppressed to avoid increasing the latency.

slapd.conf
1
2
3
4
5
6

# Gestion des connections
conn_max_pending        100
conn_max_pending_auth   1000
idletimeout             10
timelimit               60
reverse-lookup          off

Loading modules: backends, overlays, …

slapd.conf
1
2
3
4

# Loading modules
modulepath              /usr/local/libexec/openldap 
moduleload              back_mdb
moduleload              smbk5pwd

Security and authentication

The file containing the private key must be protected with file permission set to 0600.

slapd.conf
1
2
3
4
5
6
7
8
9

# Certificats
TLSCertificateFile      /etc/cert/wildcard.example.com.crt
TLSCertificateKeyFile   /etc/cert/wildcard.example.com.key
TLSCACertificateFile    /etc/cert/cacert.pem

# SASL
sasl-host               ldap.example.com
sasl-realm              example.com
sasl-secprops           minssf=128

The authz-policy directive allows an authorization by proxy through the authzTo attribute which must be specified in the object acting as a proxy. The authz-regexp performs a conversion of authentication, especially usefull when it was performed by kerberos.

slapd.conf
1
2
3
4

# Authentication
authz-policy            to
authz-regexp            uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
                        uid=$1,ou=People,dc=example,dc=com

Branch example.com

The data will be stored in the /var/db/openldap-data/example.com directory, this directory need to be created with the 0700 permissions and to have ldap as its owner, so that only the ldap process has access to it.

Defining the type of database, location, and the identity of the administrator. The password hash is generated with the slappasswd command.

slapd.conf
1
2
3
4
5
6

# Backend
database       mdb
suffix         dc=example,dc=com
rootdn         uid=root,ou=Admins,dc=example,dc=com
rootpw         {SSHA}????????????????????????????????
directory      /var/db/openldap-data/example.com

Tuning the lmdb database for checkpoints, memory allocation, …

slapd.conf
1
2
3

# lmdb DB tuning
checkpoint     150 60
searchstack    16

Maintains an index of attributes used in searches to improve performance, you can need more that what is proposed below.

A modification of the attribut list or the type of indexing requires the execution of the slapindex command (server down) to rebuild the index.

slapd.conf
1
2
3
4
5
6

# Index creation
index          objectClass                           eq
index          uid,uidNumber,gidNumber               pres,eq
index          cn,sn,givenName                       pres,eq,sub,approx
index          mail                                  pres,eq
index          owner,member,manager                  eq

Maintains the date of last modification, it is automatically update by the server (needed for the replication process)

slapd.conf
1
2

# Timestamp
lastmod        on

Ensure unicity of uid (overlay: unique)
slapd.conf
1
2
3
4

# Overlay
overlay        unique
unique_base    ou=People,dc=example,dc=com
unique_attributes uid

Password management policy (overlay: ppolicy), allow to lock the account after several failed attempts.

slapd.conf
1
2
3

overlay         ppolicy
ppolicy_default cn=Password Policy,ou=Policies,dc=example,dc=com
ppolicy_use_lockout

Dynamically creating and maintaining groups (overlay: dynlist)

slapd.conf
1
2

overlay         dynlist
dynlist-attrset groupOfURLs memberURL member

Update password as well as the encoding used for samba and kerberos, thanks to the exop operation (overlay: smbk5pwd)

slapd.conf
1
2

overlay         smbk5pwd
smbk5pwd-enable samba

Automaticaly create and manage the memberof attribut (overlay: memberof)

slapd.conf
1
2
3

overlay         memberof
memberof-dangling    drop
memberof-refint      TRUE

Startup

To allow automatic startup the following lines are added to the /etc/rc.conf file:

rc.conf
1
2
3

slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://127.0.0.1/ ldap://[::1]/ ldaps:///"'
slapd_sockets="/var/run/openldap/ldapi"

LDAP server (slapd) will be listening for requests on: