
Create an LDAP service with POSIX-style user and group data, and test LDAP under OpenBMC

Take Ubuntu Server 20.04 as an example:

Ubuntu:
1. apt-get install slapd ldap-utils
(to run the configuration again: dpkg-reconfigure slapd)

Answers given to the configuration prompts in this example:
# LDAP administrator password: testldap
# DNS domain name: testldap.com
  (this gives the Bind DN: cn=admin,dc=testldap,dc=com)
# Organization name: testldap
# Admin entry in your LDAP directory: testldap
# Base DN (derived from the domain name): dc=testldap,dc=com

2. Check that the directory answers:
ldapsearch -LL -Y EXTERNAL -H ldapi:/// -b dc=testldap,dc=com
or
ldapsearch -x -H ldap://127.0.0.1:389 -b "dc=testldap,dc=com" -D "cn=admin,dc=testldap,dc=com" -w testldap

3. touch newou.ldif && vim newou.ldif
---------------------------------
dn: ou=Group,dc=testldap,dc=com
objectclass: organizationalUnit
ou: Group

dn: ou=People,dc=testldap,dc=com
objectclass: organizationalUnit
ou: People
---------------------------------

4. Add the OUs from the LDIF file:
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=testldap,dc=com" -w testldap -f newou.ldif

---------------------------------

5. Create user and group
touch newusr1.ldif && vim newusr1.ldif
---------------------------------
dn: uid=ldapusr1,ou=People,dc=testldap,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ldapusr1
sn: ldapusr1
uid: ldapusr1
uidNumber: 3001
gidNumber: 1200
loginShell: /bin/bash
homeDirectory: /tmp
---------------------------------

6. Add the user from the LDIF file:
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=testldap,dc=com" -w testldap -f newusr1.ldif

---------------------------------

7. Set the password of user ldapusr1
Run ldappasswd as admin without -s; the server then generates a random password and prints it:
ldappasswd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=testldap,dc=com" -w testldap "uid=ldapusr1,ou=People,dc=testldap,dc=com"
Command response: password: /4tpTvTT

Then set the password you actually want with -s {password}, binding as the user with the generated one:
ldappasswd -x -H ldap://127.0.0.1:389 -D "uid=ldapusr1,ou=People,dc=testldap,dc=com" -w "/4tpTvTT" -s abcdef

Check that the new password works: # ldapwhoami -x -W -D "uid=ldapusr1,ou=People,dc=testldap,dc=com"

PS: With some older LDAP versions, or if the step above fails (e.g. "Result: Insufficient access (50)"), change the password with the admin bind instead.
Use -S to be prompted for the new password, or -s to give it on the command line (note that -s leaves the password in the shell history). The example below comes from a different setup, with its own Manager DN and base DN:
ldappasswd -x -D "cn=Manager,dc=asustest,dc=com" -W -s abcdef "uid=ldaptest1,ou=People,dc=asustest,dc=com"
---------------------------------

8. Create group

touch newgroup.ldif && vim newgroup.ldif
---------------------------------
dn: cn=webgroup,ou=Group,dc=testldap,dc=com
cn: webgroup
description: web users group
objectClass: posixGroup
gidNumber: 1200
---------------------------------
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=testldap,dc=com" -w testldap -f newgroup.ldif

---------------------------------

9. After creating the user and the group, add the user to the group

touch adduser1joingroup.ldif && vim adduser1joingroup.ldif
---------------------------------
dn: cn=webgroup,ou=Group,dc=testldap,dc=com
changetype: modify
add: memberUid
memberUid: ldapusr1
---------------------------------

# ldapmodify -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=testldap,dc=com" -w testldap -f adduser1joingroup.ldif

---------------------------------
LDAP server creation done~
---------------------------------
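As an added check, not part of the original post: a small Python LDIF parser plus a consistency check over the POSIX entries created in steps 5 to 9. It catches the two mistakes that make a later login or role lookup fail quietly: an account whose gidNumber names no posixGroup (the user in step 5 points at gid 1200 before the group exists) and a memberUid that matches no account uid. The LDIF below is constructed from the post's entries, and the function names are mine.

```python
# Constructed LDIF (not the post's files): the posixAccount from step 5 and the
# posixGroup from step 8, as they look after the memberUid change of step 9.
SAMPLE_LDIF = """\
dn: uid=ldapusr1,ou=People,dc=testldap,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ldapusr1
uid: ldapusr1
uidNumber: 3001
gidNumber: 1200

dn: cn=webgroup,ou=Group,dc=testldap,dc=com
cn: webgroup
objectClass: posixGroup
gidNumber: 1200
memberUid: ldapusr1
"""

def parse_ldif(text):
    """Plain LDIF (no changetype records, no '::' base64 values) -> list of {attr: [values]}."""
    entries, cur, attr = [], {}, None
    for line in text.splitlines() + [""]:      # the trailing "" flushes the last entry
        if line.startswith(" ") and attr:      # folded continuation line: joined to the last value
            cur[attr][-1] += line[1:]
        elif not line.strip():
            if cur:
                entries.append(cur)
            cur, attr = {}, None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr, []).append(value.strip())
    return entries

def check_posix(entries):
    """Every account's gidNumber must name a posixGroup; every memberUid must name an account uid."""
    classes = lambda e: {c.lower() for c in e.get("objectClass", [])}
    gids = {g for e in entries if "posixgroup" in classes(e) for g in e.get("gidNumber", [])}
    uids = {u for e in entries if "posixaccount" in classes(e) for u in e.get("uid", [])}
    findings = []
    for e in entries:
        dn = e["dn"][0]
        if "posixaccount" in classes(e):
            findings += [f"{dn}: gidNumber {g} has no posixGroup" for g in e.get("gidNumber", []) if g not in gids]
        if "posixgroup" in classes(e):
            findings += [f"{dn}: memberUid {m} is not a known uid" for m in e.get("memberUid", []) if m not in uids]
    return findings
```

Run it over the output of `ldapsearch -x -LLL -b dc=testldap,dc=com` to check the live directory the same way.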

========================================================================
Test from the BMC WebUI (LDAP client settings):
LDAP Setting - 
    Server URI: ldap://192.168.20.170:389
    Bind DN: cn=admin,dc=testldap,dc=com
    Bind password: testldap
    Base DN: dc=testldap,dc=com

LDAP Role groups -
        Group name : webgroup
        Group privilege: [whichever privilege you want to test]
        
LDAP User -
        Username: ldapusr1
        password: abcdef

========================================================================
Setting up the LDAP server with a certificate (LDAPS)
========================================================================


1. Certificate creation
Start by installing the GnuTLS tools ("gnutls-bin") and the "ssl-cert" package.

# apt-get install gnutls-bin ssl-cert
Then create the private key for our CA.

# sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
Then create a template for this authority and put the name of your company in the "cn" line.

vi /etc/ssl/ca.info
---------------------------------
cn = InformatiWeb Computer
ca
cert_signing_key
---------------------------------

Create the self-signed certificate of our CA:
# certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
Then create the private key for your LDAP server.

# certtool --generate-privkey --bits 1024 --outfile /etc/ssl/private/ldap_slapd_key.pem
(The command above uses a 1024-bit key, which is below today's minimum; use --bits 2048 or more for anything beyond a throwaway lab.)
Then create the template for the server certificate.
Notes:
- Enter the name of your company in "organization".
- Put the name that points to your LDAP server in "cn".
- A certificate generated from this template is valid for 10 years (expiration_days = 3650).


vi /etc/ssl/ldap.info
---------------------------------
organization = InformatiWeb Computer
cn = ldap.informatiweblan.net
tls_www_server
encryption_key
signing_key
expiration_days = 3650
---------------------------------

Now create the server certificate.
# certtool --generate-certificate --load-privkey /etc/ssl/private/ldap_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ldap.info --outfile /etc/ssl/certs/ldap_slapd_cert.pem
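An added lint of the certtool template, not from the post or its sources, for a mistake that only shows up once the BMC is switched to ldaps://: a verifying client matches the host in its URI against the names in the certificate, and an IP address such as the 192.168.20.170 used in the BMC settings above is only matched against an ip_address entry, never against cn. It assumes the certtool template keys dns_name and ip_address (real keys, not used in the post); the function names and the policy limit on expiration_days are mine.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed copy of the /etc/ssl/ldap.info template shown above (not read from disk).
LDAP_INFO = """\
organization = InformatiWeb Computer
cn = ldap.informatiweblan.net
tls_www_server
encryption_key
signing_key
expiration_days = 3650
"""

def parse_template(text):
    """certtool template -> ({key: [values]}, {bare flags}); blank and '#' lines are skipped."""
    settings, flags = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            settings.setdefault(key.strip(), []).append(value.strip().strip('"'))
        else:
            flags.add(line)
    return settings, flags

def lint_server_template(text, client_uri, max_days=None):
    """Return the reasons a verifying client dialling client_uri would reject this certificate."""
    settings, flags = parse_template(text)
    host = urlsplit(client_uri).hostname or ""
    findings = []
    if "tls_www_server" not in flags:
        findings.append("no tls_www_server flag: certificate is not marked for server authentication")
    try:                                   # an IP in the URI is matched against ip_address SANs only
        ipaddress.ip_address(host)
        if host not in settings.get("ip_address", []):
            findings.append(f"client dials IP {host} but the template has no ip_address = {host}")
    except ValueError:                     # a hostname is matched against dns_name SANs, else the cn
        names = settings.get("dns_name") or settings.get("cn", [])
        if host not in names:
            findings.append(f"client dials {host} but the template names {names or 'nothing'}")
    days = int(settings.get("expiration_days", ["0"])[0])   # unset is treated as 0 (no finding)
    if max_days is not None and days > max_days:
        findings.append(f"expiration_days = {days} is longer than the {max_days}-day policy limit")
    return findings
```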

2. LDAP server configuration
To tell the LDAP server where the certificates are, create an LDIF file and import it into the server.

*Choose only one of the two options below, both for creating the file and for importing it.

(option 1)vi /etc/ssl/certinfo.ldif
---------------------------------
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_slapd_key.pem
---------------------------------

(option 2)vi /etc/ssl/certinfo-add-path.ldif
---------------------------------
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/cacert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap_slapd_key.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap_slapd_cert.pem
-
add: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/ldap/ssl/
---------------------------------

Set the owner (owner:group) of the certificate folders to the openldap user, matching the option you chose above:
(option 1)
# chown -R openldap. /etc/ssl/certs
# chown -R openldap. /etc/ssl/private

(option 2)
# chown -R openldap. /etc/ldap/ssl

Note that option 1 hands the whole system certificate store and private-key directory to openldap, while option 2 keeps the LDAP material in its own directory, which is the tighter choice.

Check that the openldap user can read the CA and certificate files:
# sudo -u openldap -g ssl-cert ls -l /etc/ldap/ssl/
# sudo -u openldap -g ssl-cert cat /etc/ldap/ssl/*.pem


Then import the LDIF file into the LDAP server to apply the changes.
(option 1)# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif
(option 2)# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo-add-path.ldif

Finally, to let the server listen for LDAP over SSL (the ldaps:/// protocol), edit the file "/etc/default/slapd" and add the protocol to the "SLAPD_SERVICES" list.
Note: if the server should only accept secure connections, keep only "ldaps:///" in the list and remove the others.


# vi /etc/default/slapd
---------------------------------
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
---------------------------------

# systemctl restart slapd.service
You can now connect to your LDAP server securely.

You can check the TLS setup of the LDAP server from another Linux client with:
# openssl s_client -showcerts -verify 5 -connect {LDAP-Server-IP}:636  < /dev/null
# openssl s_client -showcerts -verify 5 -connect {LDAP-Server-IP}:636  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'
(The second command saves each certificate of the presented chain to its own bluePage-cert<n>.pem file. Add -CAfile with your cacert.pem to have the chain verified against your own CA; without it the verify result reports the chain as untrusted, since the CA is self-signed.)

========================================================================
    Generate the LDAP Certificate 
========================================================================
Download the CSR for LDAP from the BMC WebUI.
The CSR from the BMC WebUI LDAP page: LDAP_certificate_csr.txt
Then use openssl with the CSR, the CA certificate and the CA key to generate the LDAP certificate:
# openssl x509 -req -in LDAP_certificate_csr.txt -CA certs-cacert.pem -CAkey private-CA-key.pem -CAcreateserial > LDAP_certificate.cert
LDAP certificate: LDAP_certificate.cert
(openssl x509 -req defaults to a 30-day validity; add -days N if the certificate should live longer.)

========================================================================

reference: 
http://iris123321.blogspot.com/2021/10/openbmc-ldap-ldapsldap-over-tls.html
http://iris123321.blogspot.com/2021/05/openbmc-ldap-openldap-server-bmc.html
https://us.informatiweb-pro.net/system-admin/linux/ubuntu-securing-your-ldap-server-with-ssl.html
https://newtoypia.blogspot.com/2016/11/certtool.html
https://blog.gtwang.org/linux/ubuntu-ldap-server/
https://www.tonylin.idv.tw/dokuwiki/doku.php/java:ldap:openldap:setup:enablessl

Posted by 吾給力 on 痞客邦 (PIXNET)