Saturday, November 14, 2009

OpenLDAP in Ubuntu Karmic Koala (9.10)

I've decided to try Ubuntu again because she's prettier than her big sister Debian and I had the naive hope that she might have finally gotten some professional help and a big dose of the crazy pills she needed. I was wrong: once you get past the sexy exterior she's still the same old pile of crazy that she was before.

I've been trying to set up a bunch of services, and the documentation is generally useless since it's usually incomplete or so wrong that I wonder if the documentation team is a bunch of chimps flinging poo. So there will be a number of posts here to fill in some of the blanks. Ubuntu doc team, if you read this, please fix the docs rather than just cutting and pasting the manual from the last release.

First up, LDAP! FWIW, here is the original doc.

Getting it running

OpenLDAP in Ubuntu Karmic Koala (9.10) is not installed as described in the Ubuntu community documentation. Among its many detestable qualities, you are no longer prompted for the initial directory configuration (base DN, admin password) when the slapd package is installed, and the way LDAP is set up is different from my (admittedly sketchy) recollection of how it was previously set up.

There is some documentation in forums on getting LDAP working properly, some of it good, some of it not. The post that got OpenLDAP running (properly?) for me is here. At the very least it was enough to allow me to get access to the database with PHPLDAPAdmin.

Creating SSL/TLS Certificates for LDAP

The official SSL Certificate document is surprisingly good. I followed it to set up a CA and create certificates for LDAP with pretty good results. There was only one important thing that was not mentioned in the doc:
  • Take care to set the correct permissions on private keys. A private key should be readable only by root and the one service account that absolutely needs it (for example mode 0640, owned by root), and never by any other user.
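As an added example (not from the original post or the Ubuntu docs), here is a small script that locks a key file down, checks that nobody outside owner and group can read it, and grants one service user read access with a per-file ACL rather than group membership. The key path /etc/ssl/private/ldap.example.com.key, the service user openldap and the presence of the acl package (setfacl/getfacl) are assumptions; the demo at the bottom runs on a constructed throwaway file so it needs no root.

```shell
#!/bin/sh
# Added example: lock down an LDAP private key and grant a single user
# access with a POSIX ACL instead of adding it to the ssl-cert group.
# Assumptions (hypothetical): key at /etc/ssl/private/ldap.example.com.key,
# slapd running as user "openldap", acl package installed.

# Print the "other" permission triple of a file, e.g. "---" or "r--".
# Parses ls -l so it works without GNU stat.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Return 0 if users outside owner/group have no read access, 1 otherwise.
key_is_locked_down() {
    case "$(other_perms "$1")" in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# For the real key (run as root): owner root, group ssl-cert, nothing for others.
lock_down_key() {
    chmod 640 "$1" && chown root:ssl-cert "$1"
}

# Grant one user read on one key via ACL. /etc/ssl/private is mode 0710
# root:ssl-cert on Ubuntu, so the user also needs an execute (traverse)
# entry on the directory or it cannot reach the file at all.
grant_key_read() {
    user="$1"; key="$2"
    setfacl -m "u:$user:x" "$(dirname "$key")" \
    && setfacl -m "u:$user:r" "$key" \
    && getfacl "$key"
}

# Demo on a constructed throwaway file (not a real key), so no root needed.
# Real usage would be:
#   lock_down_key /etc/ssl/private/ldap.example.com.key
#   grant_key_read openldap /etc/ssl/private/ldap.example.com.key
demo() {
    dir=$(mktemp -d); key="$dir/ldap.example.com.key"
    printf 'NOT A REAL KEY\n' > "$key"
    chmod 644 "$key"
    key_is_locked_down "$key" || echo "before: other=$(other_perms "$key") (world readable)"
    chmod 640 "$key"
    key_is_locked_down "$key" && echo "after:  other=$(other_perms "$key") (locked down)"
    rm -rf "$dir"
}
demo
```

After granting the ACL, `getfacl` should show a `user:openldap:r--` line on the key and `user:openldap:--x` on the directory; run `sudo -u openldap cat /etc/ssl/private/ldap.example.com.key >/dev/null` to confirm the service account, and nobody else, can read it.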
The section of the LDAP documentation that describes setting up certs does the trick, but there are a couple things I recommend changing.
  • The document instructs you to add the openldap user to the ssl-cert group. I don't like this because it means that an attacker who compromises openldap can now read every private key the ssl-cert group can read (Apache? OpenVPN? could be bad). As an alternative, I used ACLs to give the openldap user read access to the one key file it needs. Note that /etc/ssl/private itself is only traversable by root and the ssl-cert group, so the ACL has to cover the directory as well, or the key has to live somewhere else.
  • The Common Name (or a subjectAltName) on your LDAP server certificate must match the hostname that the LDAP clients connect to; otherwise certificate verification fails and the clients refuse to talk to the server.
  • Any LDAP clients need to be given a copy of the CA cert and instructed to use it. The following line should be added to the /etc/ldap/ldap.conf file and changed as appropriate to point at the CA certificate.
      TLS_CACERT /usr/local/etc/openldap/cacert.pem
  • If you are having difficulty testing whether your LDAP-over-TLS setup is working properly, try the following command, substituting your own base DN, bind DN and hostname. -ZZ forces StartTLS and makes the search fail if TLS cannot be negotiated, and -d -1 turns on full debug output so the actual TLS or certificate error is visible.
    ldapsearch -x -ZZ -d -1 -b 'dc=example,dc=com' \
    -D 'cn=user,dc=example,dc=com' -h ldap.example.com -W
  • The section that discusses adding additional schemas to OpenLDAP is accurate, but not very clear. Step 3 uses the slapcat command to convert the schema files to LDIF format. Unless you only want to import the misc schema, the files you actually want are the ones slapcat writes under the ldif_output directory (one cn={N}SCHEMA_NAME.ldif per schema included in schema_convert.conf). For each one, change the first line to the format
    dn: cn=SCHEMA_NAME,cn=schema,cn=config
    and the third line to
    cn: SCHEMA_NAME
    (dropping the {N} index; slapd assigns a new one when the entry is added). Remove the operational attributes at the bottom (structuralObjectClass, entryUUID, creatorsName, createTimestamp, entryCSN, modifiersName, modifyTimestamp) as instructed, then import the schema file as instructed (using the correct file name, of course).
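The edit described in the last bullet is mechanical, so here it is as a script. This is an added example, not code from the original post or the Ubuntu documentation: it takes a schema entry as exported by slapcat on stdin and emits one that ldapadd will accept. The input below is constructed (the attribute type is the real mailLocalAddress definition from misc.schema; the operational values are made up), and the file layout ldif_output/cn=config/cn=schema/cn={N}NAME.ldif is assumed from the doc's slapcat invocation.

```shell
#!/bin/sh
# Added example: convert slapcat schema output into an importable LDIF.
# Assumed export step (from the Ubuntu doc):
#   slapcat -f schema_convert.conf -F ldif_output -n0
# which leaves one file per schema under ldif_output/cn=config/cn=schema/.

# stdin: a cn={N}NAME.ldif written by slapcat; stdout: importable LDIF.
#  - drop the {N} ordering index from dn and cn (slapd assigns a new one on add)
#  - strip the operational attributes slapcat appends, which ldapadd rejects
# Only "^dn:" and "^cn:" lines are touched, so the {N} prefixes inside
# olcAttributeTypes/olcObjectClasses values are left alone.
convert_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}\([^,]*\),cn=schema,cn=config$/dn: cn=\1,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}\(.*\)$/cn: \1/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# First line of the converted entry, handy to eyeball before importing.
converted_dn() {
    convert_schema_ldif | sed -n '1p'
}

# Constructed sample of what slapcat emits for the misc schema.
# Continuation lines start with a single space, as in real LDIF.
sample_schema_ldif() {
    cat <<'EOF'
dn: cn={4}misc,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}misc
olcAttributeTypes: {0}( 2.16.840.1.113730.3.1.13 NAME 'mailLocalAddress' DESC
  'RFC822 email address of this recipient' EQUALITY caseIgnoreIA5Match SYNTAX
  1.3.6.1.4.1.1466.115.121.1.26{256} )
structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366c7ac39c
creatorsName: cn=config
createTimestamp: 20091114120000Z
entryCSN: 20091114120000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20091114120000Z
EOF
}

# Demo on the constructed sample. Real usage would be, for example:
#   convert_schema_ldif < 'ldif_output/cn=config/cn=schema/cn={4}misc.ldif' > cn=misc.ldif
#   sudo ldapadd -Y EXTERNAL -H ldapi:/// -f cn=misc.ldif
# (or ldapadd -x -D cn=admin,cn=config -W -f cn=misc.ldif as the doc shows,
# if you gave cn=config a rootdn and password).
sample_schema_ldif | convert_schema_ldif
```

Run it against every cn={N}NAME.ldif you want, not just misc; importing a file with the {N} index still in the dn, or with the operational attributes still attached, is the usual reason ldapadd refuses the entry.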