Create multiple databases to OpenLDAP with AppArmor¶
This entry is a supplement to “Create multiple databases to OpenLDAP”. In the previous article, AppArmor was disabled on Ubuntu 12.04. In an environment where AppArmor is enabled, those steps fail, because the new directory “/var/lib/ldap2” is not allowed by the AppArmor policy.
After making the directory and changing its permissions, install the dependency package and change the AppArmor settings.
$ sudo apt-get install apparmor-utils
Append the path “/var/lib/ldap2” to the config file “/etc/apparmor.d/usr.sbin.slapd”.
Default;
#include <tunables/global>
/usr/sbin/slapd {
(snip)
# the databases and logs
/var/lib/ldap/ r,
/var/lib/ldap/** rwk,
# lock file
/var/lib/ldap/alock kw,
(snip)
Changed;
#include <tunables/global>
/usr/sbin/slapd {
(snip)
# the databases and logs
/var/lib/ldap/ r,
/var/lib/ldap/** rwk,
/var/lib/ldap2/ r,
/var/lib/ldap2/** rwk,
/var/log/ldap/ r,
/var/log/ldap/** rwk,
# lock file
/var/lib/ldap/alock kw,
/var/lib/ldap2/alock kw,
(snip)
After the change, reload the policy.
$ sudo aa-enforce slapd
Setting /etc/apparmor.d/usr.sbin.slapd to enforce mode.
The rest of the steps are the same.
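To find out which paths a new database directory still lacks in the profile, read the AppArmor denials for slapd out of the kernel log instead of guessing. The following Python script is an added example, not part of the original article: it parses constructed kern.log lines in the AppArmor audit format, keeps only DENIED events for the /usr/sbin/slapd profile, and collapses them into rule lines in the style of usr.sbin.slapd (the mask-to-permission mapping is a simplification).

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed kern.log lines in the AppArmor audit format (not taken from the page).
SAMPLE_LOG = """\
Sep 28 12:00:01 mx2 kernel: [ 812.345678] type=1400 audit(1348801351.123:45): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/slapd" name="/var/lib/ldap2/" pid=1234 comm="slapd" requested_mask="r" denied_mask="r" fsuid=111 ouid=111
Sep 28 12:00:01 mx2 kernel: [ 812.345701] type=1400 audit(1348801351.124:46): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/slapd" name="/var/lib/ldap2/alock" pid=1234 comm="slapd" requested_mask="c" denied_mask="c" fsuid=111 ouid=111
Sep 28 12:00:01 mx2 kernel: [ 812.345722] type=1400 audit(1348801351.125:47): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/sbin/slapd" name="/var/lib/ldap2/alock" pid=1234 comm="slapd" requested_mask="k" denied_mask="k" fsuid=111 ouid=111
Sep 28 12:00:02 mx2 kernel: [ 812.345740] type=1400 audit(1348801352.001:48): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/slapd" name="/var/lib/ldap2/id2entry.bdb" pid=1234 comm="slapd" requested_mask="rw" denied_mask="rw" fsuid=111 ouid=111
Sep 28 12:00:02 mx2 kernel: [ 812.345760] type=1400 audit(1348801352.002:49): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/slapd" name="/var/lib/ldap/alock" pid=1234 comm="slapd" requested_mask="k" denied_mask="k" fsuid=111 ouid=111
Sep 28 12:00:03 mx2 kernel: [ 812.345790] type=1400 audit(1348801353.000:50): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/mysqld" name="/srv/other" pid=999 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=112 ouid=112
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Log mask letters -> profile permission letters (simplified): create, delete and
# append all need 'w'; lock is 'k'; mmap is 'm'.
MASK_MAP = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w", "k": "k", "m": "m"}
PERM_ORDER = "rwkm"   # letter order used in the shipped profile, e.g. "rwk"

def parse_denials(log_text, profile="/usr/sbin/slapd"):
    """Return (path, set-of-permissions) for each DENIED event of the given profile."""
    events = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("apparmor") != "DENIED" or fields.get("profile") != profile:
            continue
        if "name" in fields:
            perms = {MASK_MAP.get(ch, ch) for ch in fields.get("denied_mask", "")}
            events.append((fields["name"], perms))
    return events

def suggest_rules(log_text, profile="/usr/sbin/slapd"):
    """Collapse denials into profile lines in the style of usr.sbin.slapd: one rule for
    the directory entry itself and one '/**' rule for everything below it."""
    dir_perms, tree_perms = defaultdict(set), defaultdict(set)
    for path, perms in parse_denials(log_text, profile):
        if path.endswith("/"):
            dir_perms[path] |= perms
        else:
            tree_perms[str(PurePosixPath(path).parent) + "/"] |= perms
    def fmt(perms):
        return "".join(c for c in PERM_ORDER if c in perms)
    rules = [f"{d} {fmt(p)}," for d, p in dir_perms.items()]
    rules += [f"{d}** {fmt(p)}," for d, p in tree_perms.items()]
    return sorted(rules)
```

Run it against the real log after a failed slapd start and compare the suggested lines with what you actually want to grant; a denial is a hint, not an automatic reason to widen the profile.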
Dovecot with LDAP¶
Before setting up Dovecot with LDAP, you should prepare Postfix with LDAP. See also “Postfix with LDAP for Dovecot”.
Install packages¶
$ sudo apt-get install dovecot-pop3d dovecot-lmtpd dovecot-ldap dovecot-postfix
Configuration¶
/etc/dovecot/dovecot.conf¶
This file is the basic configuration. It is not changed.
!include_try /usr/share/dovecot/protocols.d/*.protocol
dict {
}
!include conf.d/*.conf
!include_try local.conf
/etc/dovecot/dovecot-ldap.conf.ext¶
In this file you configure the connection to LDAP and the mapping of LDAP attributes.
By default only “base = ” is enabled, and its value is empty.
After change;
uris = ldap://ldap01.example.org/ ldap://ldap02.example.org/
tls = yes
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
tls_ca_cert_dir = /etc/ssl/certs
auth_bind = yes
auth_bind_userdn = uid=%n,ou=People,dc=example,dc=org
ldap_version = 3
base = ou=People,dc=example,dc=org
deref = never
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
“user_attrs” and “user_filter” relate to the user account:
“homeDirectory”, “uidNumber” and “gidNumber” are LDAP attributes;
“home”, “uid” and “gid” are Dovecot attributes.
“pass_attrs” and “pass_filter” relate to the password:
“uid” and “userPassword” are LDAP attributes;
“user” and “password” are Dovecot attributes.
“%n” is the user part of a “user@domain” mail address. I use the mail address as the account name. See also Variables (of Dovecot).
/etc/dovecot/conf.d/10-auth.conf¶
Change the authentication mechanism to use LDAP.
Default;
auth_mechanisms = plain
!include auth-system.conf.ext
After change;
auth_mechanisms = plain
!include auth-ldap.conf.ext
/etc/dovecot/conf.d/10-mail.conf¶
Set up the mail delivery location.
The default is empty.
After change;
mail_location = maildir:/var/vmail/%d/%n/Maildir
The login account is the email address (user0@example.org), but the domain part is a dummy: “auth_bind_userdn” specifies “uid=%n”, and “%n” is the account name only. To support multiple domains, change the LDAP userdn setting to use “mailAddress”, and adjust “olcAccess” accordingly.
Check configuration¶
Finally, check the configuration with the “doveconf -n” command.
See also¶
Multiple LDAP authentication servers
Postfix with LDAP for Dovecot¶
When an LDAP server is used for authentication of an IMAP4 or POP3 server, you first need to set up the MTA with LDAP for mail delivery to users. I used Postfix as the MTA in this case. The OS is Ubuntu 12.04, the POP3 server is dovecot2, and the MTA is Postfix.
Install packages¶
$ sudo apt-get install postfix-ldap mailutils
Install postfix-doc if you need the postfix-ldap documentation, then see /usr/share/doc/postfix/html/LDAP_README.html.
Configuration of debconf¶
General type of mail configuration: Internet Site
System mail name: mail.example.org
Configuration¶
The key parameters of the LDAP map used by postmap are the following:
“query_filter” is “(mail=%s)”
“result_attribute” depends on the map
“scope” is “one”
LDAP lookups¶
The postmap file name is arbitrary. I named it “/etc/postfix/ldap-aliases.cf” in this case.
$ sudo postconf alias_maps=hash:/etc/aliases,ldap:/etc/postfix/ldap-aliases.cf
/etc/postfix/ldap-aliases.cf is as follows.
server_host = ldap://ldap01.example.org ldap://ldap02.example.org
timeout = 10
search_base = ou=People,dc=example,dc=org
domain = example.org
query_filter = (mail=%s)
result_attribute = mail
scope = one
bind = no
dereference = 0
start_tls = yes
version = 3
tls_ca_cert_dir = /etc/ssl/certs
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
Confirm the above settings.
$ sudo postmap -q user0@example.org ldap:/etc/postfix/ldap-aliases.cf
user0@example.org
Create and/or update the database.
$ sudo postmap /etc/postfix/ldap-aliases.cf
Set the alias maps.
$ postconf alias_maps
alias_maps = hash:/etc/aliases
$ sudo postconf alias_maps = hash:/etc/aliases,ldap:/etc/postfix/ldap-aliases.cf
See ldap_table(5) for more.
Domain setting¶
$ postconf mydomain
mydomain = localdomain
$ sudo postconf mydomain=example.org
Virtual domains¶
Set up “virtual_mailbox_domains” if you use virtual domains.
$ postconf virtual_mailbox_domains
virtual_mailbox_domains = $virtual_mailbox_maps
$ sudo postconf virtual_mailbox_domains=/etc/postfix/virtual_domains
/etc/postfix/virtual_domains is as follows;
example.org
example.net
example.com
Virtual mailbox¶
/etc/postfix/virtual_mailbox is as follows;
server_host = ldap://ldap01.example.org ldap://ldap02.example.org
timeout = 10
search_base = ou=People,dc=example,dc=org
domain = example.org
query_filter = (mail=%s)
result_attribute = mail
result_format = %d/%u/Maildir/
scope = one
bind = no
dereference = 0
start_tls = yes
version = 3
tls_ca_cert_dir = /etc/ssl/certs
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
Confirmation
$ postalias -q user0@example.org ldap:/etc/postfix/virtual_mailbox
example.org/user0/Maildir/
Create database
$ sudo postmap /etc/postfix/virtual_mailbox
Set up “virtual_mailbox_maps” and “virtual_mailbox_base”.
$ postconf virtual_mailbox_maps
virtual_mailbox_maps =
$ sudo postconf virtual_mailbox_maps=ldap:/etc/postfix/virtual_mailbox
$ postconf virtual_mailbox_base
virtual_mailbox_base =
$ sudo postconf virtual_mailbox_base=/var/vmail
Make the directory, and change its owner, group and permissions.
$ sudo mkdir -p /var/vmail/example.org
$ sudo chown -R root:mail /var/vmail
$ sudo chmod 2775 /var/vmail
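Postfix's result_format and Dovecot's mail_location must expand to the same directory, and the two programs read %u differently (Postfix: local part; Dovecot: full login), which is why the page pairs %d/%u on the Postfix side with %d/%n on the Dovecot side. The following Python script is an added example, not from the original article: it expands both templates from the page for a login, checks that they agree, and shows the bind-DN collision across domains that the Dovecot section warns about (the variable expansion is a simplified model of both programs and does no RFC 2254 filter quoting).

```python
# Settings taken from the page's Dovecot and Postfix sections.
DOVECOT_MAIL_LOCATION = "maildir:/var/vmail/%d/%n/Maildir"
DOVECOT_BIND_DN = "uid=%n,ou=People,dc=example,dc=org"
POSTFIX_RESULT_FORMAT = "%d/%u/Maildir/"
POSTFIX_VIRTUAL_MAILBOX_BASE = "/var/vmail"

def split_address(address):
    """'user@domain' -> (local part, domain); domain is '' when there is no '@'."""
    local, _, domain = address.partition("@")
    return local, domain

def expand_dovecot(template, login):
    """Dovecot variables used on the page: %u = full login, %n = user part, %d = domain."""
    local, domain = split_address(login)
    return template.replace("%u", login).replace("%n", local).replace("%d", domain)

def expand_postfix(template, key):
    """Postfix ldap_table(5) variables: %s = whole key, %u = LOCAL part, %d = domain.
    Real Postfix RFC 2254-quotes these inside query_filter; skipped here, paths only."""
    local, domain = split_address(key)
    return template.replace("%s", key).replace("%u", local).replace("%d", domain)

def maildir_paths(login, dovecot_location=DOVECOT_MAIL_LOCATION,
                  postfix_format=POSTFIX_RESULT_FORMAT):
    """(directory Postfix delivers into, directory Dovecot serves) for one login."""
    delivered = POSTFIX_VIRTUAL_MAILBOX_BASE + "/" + expand_postfix(postfix_format, login)
    served = expand_dovecot(dovecot_location, login).split(":", 1)[1]
    return delivered.rstrip("/"), served.rstrip("/")

def paths_consistent(login, **kwargs):
    """True when mail delivered by Postfix lands where Dovecot will look for it."""
    delivered, served = maildir_paths(login, **kwargs)
    return delivered == served

def bind_dn_collisions(logins):
    """Pairs of logins from different domains that expand to the same auth_bind_userdn,
    i.e. the single-domain limitation of 'uid=%n' that the Dovecot section points out."""
    first_seen, collisions = {}, []
    for login in logins:
        dn = expand_dovecot(DOVECOT_BIND_DN, login)
        if dn in first_seen and first_seen[dn] != login:
            collisions.append((first_seen[dn], login, dn))
        first_seen.setdefault(dn, login)
    return collisions
```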
Mailbox owner¶
Set each mailbox owner to the user's own uid; /etc/postfix/virtual_uids is as follows;
server_host = ldap://ldap01.example.org ldap://ldap02.example.org
timeout = 10
search_base = ou=People,dc=example,dc=org
domain = example.org
query_filter = (mail=%s)
result_attribute = uidNumber
scope = one
bind = no
dereference = 0
version = 3
start_tls = yes
tls_ca_cert_dir = /etc/ssl/certs
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
Confirm
$ postalias -q user0@example.org ldap:/etc/postfix/virtual_uids
10001
Create database
$ postmap /etc/postfix/virtual_uids
Set up “virtual_uid_maps”.
$ postconf virtual_uid_maps
virtual_uid_maps =
$ sudo postconf virtual_uid_maps=ldap:/etc/postfix/virtual_uids
Mailbox group¶
The mailbox group is the “mail” group.
$ postconf virtual_gid_maps
virtual_gid_maps =
$ id mail
uid=8(mail) gid=8(mail) groups=8(mail)
$ sudo postconf virtual_gid_maps=static:8
Confirmation¶
$ date | mail -s test user0@example.org
$ sudo tree /var/vmail
/var/vmail/example.org/
└── user0
    └── Maildir
        ├── cur
        ├── new
        │   ├── 1348801351.V805I2b4cM580106.mx2
        │   ├── 1348801351.V805I2c6dM544653.mx2
        │   ├── 1348801351.V805I2c6eM565186.mx2
        │   ├── 1348801351.V805I2c71M587794.mx2
        │   └── 1348801396.V805I232dM112750.mx2
        └── tmp
5 directories, 5 files
Create multiple databases to OpenLDAP¶
Perform the following steps to create a new, additional database when one already exists.
Setting of OpenLDAP¶
$ sudo mkdir /var/lib/ldap2
$ sudo chown openldap:openldap /var/lib/ldap2
$ sudo ldapvi -Y EXTERNAL -h ldapi:/// -b cn=config
Append the following lines after the last line, separated by a blank line.
add olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap2
olcSuffix: dc=example,dc=org
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=org" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW: {SSHA}AWtw2vmrYibntFzTJrcxjW13A3xlI+ck
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
(save, then)
add: 1, rename: 0, modify: 0, delete: 0
Action? [yYqQvVebB*rsf+?] y
Done
Generate password for rootdn of a new database¶
$ slappasswd
New password:
Re-enter new password:
{SSHA}3n2Z4m3XfLFMV6wK+neR8bGlptUHJpJC
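The value slappasswd prints is in the {SSHA} scheme: base64 of a SHA-1 digest over password and salt, followed by the salt itself (4 random bytes by default). The following Python code is an added example, not part of the original article; it produces and verifies such values so that a stored olcRootPW or userPassword can be checked offline (the fixed salt used in the test is constructed).

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"

def ssha_hash(password, salt=None):
    """Build a userPassword value the way slappasswd does by default:
    {SSHA} + base64( SHA1(password || salt) || salt ), with a 4-byte random salt.
    The salt defeats precomputed tables; SHA-1 itself is still a fast hash."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")

def ssha_split(stored):
    """Return (digest, salt) from a stored {SSHA} value; the salt is whatever follows
    the 20-byte SHA-1 digest, so its length is recovered from the value itself."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(SCHEME):])
    if len(blob) <= 20:
        raise ValueError("too short: need a SHA-1 digest plus salt")
    return blob[:20], blob[20:]

def ssha_verify(password, stored):
    """Constant-time comparison of a candidate password against a stored {SSHA} value."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```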
Add new entries to new database¶
You should use the ‘-A’ option; it starts with an empty file without searching.
$ sudo ldapvi -D cn=admin,dc=example,dc=org -A
--- Login
Type M-h for help on key bindings.
Filter or DN: cn=admin,dc=example,dc=org
Password: ********
Example entries are as follows;
add dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.org
dc: example
add cn=admin,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {SSHA}3n2Z4m3XfLFMV6wK+neR8bGlptUHJpJC
add ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People
(save, then)
add: 3, rename: 0, modify: 0, delete: 0
Action? [yYqQvVebB*rsf+?] y
Done
At this point, you can add entries in the same way as to the existing LDAP database.
OpenSSH LDAP public key¶
Ubuntu¶
Ubuntu (and Debian) have no official Debian package of openssh-lpk, so I applied the openssh-lpk patch from Gentoo to openssh. I think it can be built the same way on Debian (but I have not tried).
Package build¶
Download the patch and apply it to the source package.
$ wget http://distfiles.gentoo.org/distfiles/openssh-lpk-5.9p1-0.3.14.patch.gz
$ gzip -d openssh-lpk-5.9p1-0.3.14.patch.gz
$ sudo apt-get build-dep openssh
$ sudo apt-get install libldap2-dev quilt
$ apt-get source openssh
$ cd openssh-5.9p1
$ patch < ../openssh-lpk-5.9p1-0.3.14.patch
$ dpkg-source --commit
Remove line 234, because this patch has a bug.
$ vi ./auth-rsa.c (delete line 234)
Execute “quilt refresh”.
$ quilt refresh
Edit debian/rules.
$ vi debian/rules
--- a/rules 2012-04-02 10:38:04.000000000 +0000
+++ b/rules 2012-06-12 21:46:43.000000000 +0000
@@ -81,6 +81,7 @@
# The deb build wants xauth; the udeb build doesn't.
confflags += --with-xauth=/usr/bin/xauth
+confflags += --with-ldap
confflags_udeb += --without-xauth
# Default paths. The udeb build has /usr/bin/X11 and /usr/games removed.
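Review bot: `--with-ldap` is added to `confflags` only, so the udeb build (`confflags_udeb`, the line below it) keeps building without LDAP; that is the right default for the installer image, but a one-line comment here would save the next reader from wondering why the flag is not mirrored, since libldap2-dev is being added to Build-Depends for the whole source package. Note also that this flag makes configure fail unless the debian/control Build-Depends change lands in the same revision.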
@@ -93,6 +94,7 @@
cflags := $(default_cflags)
cflags += -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
+cflags += -DWITH_LDAP_PUBKEY
cflags_udeb := -Os
cflags_udeb += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
confflags += --with-cflags='$(cflags)'
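Review bot: `cflags += -DWITH_LDAP_PUBKEY` hard-wires the define into the deb build alongside `--with-ldap` from the previous hunk; if the patched configure already defines WITH_LDAP_PUBKEY when `--with-ldap` is given, this line is redundant, and if it does not, dropping it later would silently produce an sshd without the feature. Check config.h after configure and add a comment above this line stating which case applies. As in the first hunk, the define only reaches the deb via `confflags += --with-cflags='$(cflags)'` and not `cflags_udeb`, which is consistent.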
Append libldap2-dev to Build-Depends in debian/control.
$ vi debian/control
(snip)
Build-Depends: ..., libldap2-dev
(snip)
Build the package with “debuild” and “pbuilder” after updating debian/changelog. Install at least these two packages: openssh-client and openssh-server.
$ sudo dpkg -i openssh-client_5.9p1-5ubuntu1+cust1_amd64.deb openssh-server_5.9p1-5ubuntu1+cust1_amd64.deb
Setting of OpenSSH¶
/etc/ssh/sshd_config¶
UseLPK yes
LpkServers ldap://127.0.0.1/
LpkUserDN ou=People,dc=example,dc=org
LpkGroupDN ou=Group,dc=example,dc=org
LpkForceTLS no
Restart sshd.
Postscript¶
The patch I used this time does not support IPv6-format URLs in LpkServers, but name-based addressing works fine with IPv6. You must also use libnss-ldapd and libpam-ldapd.
CentOS 6¶
CentOS 6 supports openssh-lpk by default, so to use it you only need to install “openssh-ldap” and set it up.
$ sudo yum install openssh-ldap
$ sudo vi /etc/ssh/sshd_config
/etc/ssh/sshd_config¶
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs nobody
/etc/ssh/ldap.conf¶
Copy “/usr/share/doc/openssh-ldap-5.3p1/ldap.conf” to “/etc/ssh/ldap.conf” as a template. The openssh-ldap package of CentOS 6 supports IPv6.
uri ldap://ldap.example.org
port 389
base dc=example,dc=org
ldap_version 3
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
ssl no
Restart sshd.
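The ssh-ldap-wrapper configured as AuthorizedKeysCommand has one job: turn the user's LDAP entry into authorized_keys lines for sshd. The following Python script is an added example, not the wrapper's own code: it parses constructed ldapsearch LDIF output (folded lines and base64 “::” values included), assumes the openssh-lpk sshPublicKey attribute, and emits only well-formed key lines.

```python
import base64
# Constructed ldapsearch-style LDIF (not from the page). The attribute name
# sshPublicKey is an assumption about the openssh-lpk schema in use.
KEY_ONE_BLOB = base64.b64encode(b"constructed rsa key one").decode()
KEY_TWO = "ssh-ed25519 " + base64.b64encode(b"constructed ed25519 key").decode() + " user0@desktop"
SAMPLE_LDIF = (
    "dn: uid=user0,ou=People,dc=example,dc=org\n"
    "uid: user0\n"
    "sshPublicKey: ssh-rsa " + KEY_ONE_BLOB + " user0@\n"
    " laptop\n"   # LDIF folds a long value onto a line starting with one space
    "sshPublicKey:: " + base64.b64encode(KEY_TWO.encode()).decode() + "\n"
    "\n"
    "dn: uid=user1,ou=People,dc=example,dc=org\n"
)
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def ldif_entries(text):
    """Yield one {attribute: [values]} dict per entry; 'attr:: value' is base64-encoded."""
    entry = {}
    for line in unfold_ldif(text) + [""]:   # sentinel flushes the last entry
        if not line:
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())

def authorized_keys(text, attr="sshpublickey"):
    """Return 'type blob [comment]' lines for well-formed keys only; junk never reaches sshd."""
    keys = []
    for entry in ldif_entries(text):
        for value in entry.get(attr, []):
            parts = value.split()
            if len(parts) < 2 or parts[0] not in KEY_TYPES:
                continue
            try:
                base64.b64decode(parts[1], validate=True)
            except ValueError:   # binascii.Error is a ValueError
                continue
            keys.append(" ".join(parts[:3]))
    return keys
```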