I have to configure two OpenLDAP nodes in multi-master mode.
I've also integrated them with our corporate Active Directory, and the integration seems to work, after some verification.
Even if the log say the replication is working fine, I verified that an entity added to one node didn't replicate on the other.
This is my slapd.conf is shown below. The only difference between the two slapd.conf is serverID
### Schema includes ###########################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/microsoft.minimal.schema
## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload back_ldap
moduleload rwm
moduleload syncprov
moduleload accesslog
### Logging ###################################################################
logfile /var/log/slapd/slapd.log
loglevel sync
# Main settings ###############################################################
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Allow v2 binding for legacy clients #########################################
allow bind_v2
### Database local ############################################################
database bdb
suffix "dc=farm,dc=it"
rootdn "cn=manager,dc=farm,dc=it"
rootpw {SSHA}B29rxKxtjTN8JJIppPGJt7ahvUPhd1pa
directory /var/lib/ldap
# Indexes for this back end
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub
access to attrs=userPassword
by self =xw
by dn.exact="cn=manager,dc=farm,dc=it"
by dn.exact="cn=replica,dc=farm,dc=it"
by anonymous auth
by * none
access to *
by anonymous auth
by self write
by dn.exact="cn=replica,dc=farm,dc=it" read
by users read
by * none
# Replica #####################################################################
#Define the server ID.
serverID 2
# Replication configuration, only things you may have to change here are provider, binddn, credentials and searchbase.
syncrepl rid=001
provider=ldap://almldap01.farm.it:389
binddn="cn=replica,dc=farm,dc=it"
bindmethod=simple
credentials="3L3jkKZcSb5anj8ReCi3ZDWnbv9HNeB8"
searchbase="dc=farm,dc=it"
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
#Rest replication configuration goes to end of the file.
mirrormode TRUE
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncprov-checkpoint 1000 60
### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user yes
uri "ldap://corp.farm.group:389"
suffix "dc=corp,dc=farm,dc=group"
idassert-bind bindmethod=simple
mode=none
binddn="CN=WfLdapBind,OU=Users,OU=WebFarm,DC=corp,DC=farm,DC=group"
credentials="djW5l5hvTPcMcLvV"
idassert-authzFrom "*"
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map objectClass posixAccount person
The syncrepl rid and provider should also be different in each case. rid should be unique, and provider should point to the other OpenLDAP master.
Related
We have configured OpenSearch in AWS. We need to send two different application logs to two different indexes in OpenSearch using Fluent Bit. We are using tail as an INPUT and ES as an OUTPUT. Please find below fluent-bit configuration -
INPUT -
[INPUT]
name tail
path /var/log/messages
Refresh_Interval 1
Tag messages
Path_Key On
read_from_head true
[INPUT]
name tail
path /var/log/secure
Refresh_Interval 1
Tag secure
Path_Key On
read_from_head true
OUTPUT -
[OUTPUT]
Name es
Match *
Host opensearch-url
Port 443
HTTP_User admin
HTTP_Passwd ************
tls On
tls.verify Off
Include_Tag_Key On
Tag_Key tag
I installed Openldap and created one user by following this documentation https://help.ubuntu.com/lts/serverguide/openldap-server.html.
OpenLDAP is working fine.
I also configured LDAP authentication on Open Distro for Elasticsearch (debian package) by referring to this documentation https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/ldap/
I want login to kibana from my custom ldap user. So, I followed this documentation https://aws.amazon.com/blogs/opensource/ldap-integration-for-open-distro-for-elasticsearch/. But, still I am unable to login with my custom ldap user into my kibana.
This is my .ldif file :
dn: ou=People,dc=server,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=server,dc=com
objectClass: organizationalUnit
ou: Groups
dn: cn=miners,ou=Groups,dc=server,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000
dn: uid=john,ou=People,dc=server,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
This is my config.yml file for ldap:
ldap:
description: "Authenticate via LDAP or Active Directory"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
authentication_backend:
# LDAP authentication backend (authenticate users against a LDAP or Active Directory)
type: ldap
config:
# enable ldaps
enable_ssl: true
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- server.com:389
- localhost:389
bind_dn: 'uid=John,ou=People,dc=server,dc=com'
password: "johnldap"
userbase: 'ou=people,dc=server,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(sAMAccountName={0})'
# Use this attribute from the user as username (if not set then DN is used)
username_attribute: 'uid'
authz:
roles_from_myldap:
description: "Authorize via LDAP or Active Directory"
http_enabled: true
transport_enabled: true
authorization_backend:
# LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
type: ldap
config:
# enable ldaps
enable_ssl: false
# enable start tls, enable_ssl should be false
enable_start_tls: false
# send client certificate
enable_ssl_client_auth: false
# verify ldap hostname
verify_hostnames: true
hosts:
- server.com:389
- localhost:389
bind_dn: 'uid=John,ou=People,dc=server,dc=com'
password: "johnldap"
rolebase: 'ou=People,dc=server,dc=com'
# Filter to search for roles (currently in the whole subtree beneath rolebase)
# {0} is substituted with the DN of the user
# {1} is substituted with the username
# {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
rolesearch: '(member={0})'
# Specify the name of the attribute which value should be substituted with {2} above
userroleattribute: null
# Roles as an attribute of the user entry
userrolename: disabled
#userrolename: memberOf
# The attribute in a role entry containing the name of that role, Default is "name".
# Can also be "dn" to use the full DN as rolename.
rolename: cn
# Resolve nested roles transitive (roles which are members of other roles and so on ...)
resolve_nested_roles: true
userbase: 'ou=People,dc=server,dc=com'
# Filter to search for users (currently in the whole subtree beneath userbase)
# {0} is substituted with the username
usersearch: '(uid={0})'
# Skip users matching a user name, a wildcard or a regex pattern
#skip_users:
# - 'cn=Michael Jackson,ou*people,o=TEST'
# - '/\S*/'
roles_from_another_ldap:
description: "Authorize via another Active Directory"
http_enabled: false
transport_enabled: false
authorization_backend:
type: ldap
What am I missing ?
I try to setup an OpenLDAP Server with mdb backend. But neither the version from packet repository nor a self compiled version (to be shure that back_mdb is compiled into slapd) works for me.
Config database is accessible, log doesn't print any errors and the database file is created (data.mdb) - but my root (suffix) won't show up and isn't writeable.
A basic configuration suggested by the OpenLDAP administrator's guide won't help either.
My config:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database mdb
maxsize 1073741824
suffix "dc=directory,dc=local"
rootdn "cn=admin,dc=directory,dc=local"
rootpw "{SSHA}Lh2sewmXFDo+bwc0Vqy12Xwc61n9sQ5t"
directory /var/lib/openldap/openldap-data
index objectClass eq
access to dn.subtree="ou=contacts,dc=directory,dc=local" by self write by dn="cn=server,ou=people,dc=directory,dc=local" write by dn="cn=phone,ou=people,dc=directory,dc=local" read
access to * by dn="cn=admin,dc=directory,dc=local" write by anonymous auth by dn.subtree="ou=people,dc=directory,dc=local" read by * none
database config
rootdn "cn=admin,cn=config"
rootpw "{SSHA}Lh2sewmXFDo+bwc0Vqy12Xwc61n9sQ5t"
I had to add the ldif to create my root dn on the localhost.
Create LDIF file:
dn: dc=directory,dc=local
dc: directory
o: directory.local
objectClass: top
objectClass: dcObject
objectClass: organization
structuralObjectClass: organization
Add the LDIF file and recreate database index:
slappadd -b "dc=directory,dc=local" -v -l basedn.ldif
slapindex
Start the ldap daemon and there it is: my root dn.
I have set up two OpenLDAP servers on my network and am trying to enable authentication through LDAP. I am able to login to my servers if users are authenticated on the local LDAP server. However, after I add a reference object to the other server I can't see the object through phpldapadmin. Here's what I am adding with ldapadd.
dn: uid=server2,ou=People,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
cn: server2
ref: ldap://192.168.4.105/ou=People,dc=server2,dc=example,dc=com
It successfully adds but I am unable to see it through phpldapadmin. I can view it through ldapsearch this is what I get.
$ ldapsearch -h 192.168.4.106 -x -b "uid=server2,ou=People,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=server2,ou=People,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 10 Referral
matchedDN: uid=server2,ou=People,dc=example,dc=com
ref: ldap://192.168.4.106/ou=People,dc=server2,dc=example,dc=com??sub
The fact that I can't see the objects and that they don't give me access to the other server is driving me nuts. I have nss_ldap and pam_ldap installed as well as the phpldapadmin module. I am running Ubuntu 13.04 on both servers. This is my slapd.conf for my client.
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/share/slapd/etc/openldap/schema/core.schema
include /usr/share/slapd/etc/openldap/schema/cosine.schema
include /usr/share/slapd/etc/openldap/schema/nis.schema
include /usr/share/slapd/etc/openldap/schema/corba.schema
include /usr/share/slapd/etc/openldap/schema/misc.schema
include /usr/share/slapd/etc/openldap/schema/inetorgperson.schema
allow bind_v2
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
referral ldap://server2.example.com:389
pidfile /usr/share/slapd/var/run/slapd.pid
argsfile /usr/share/slapd/var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
moduleload back_bdb.la
# moduleload back_hdb.la
moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
overlay chain
chain-max-depth 1 #allows 1 referral hop
chain-uri "ldap://192.168.4.106"
chain-rebind-as-user yes
chain-idassert-bind bindmethod="simple"
binddn="cn=admin,dc=example,dc=com"
credentials="{SSHA}****"
mode="self"
chain-tls start
chain-idassert-authzFrom "*"
chain-return-error TRUE
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=server2,dc=example,dc=com"
rootdn "cn=admin,dc=server2,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(9) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}*********
defaultaccess none
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
I would be really grateful if someone could point me in the direction of my problem. I'm not sure if this is related but I am unable to view my OpenLDAP server through Apache Directory Studio but I can see it through phpldapadmin.
ldap.conf
host 192.168.4.105
base dc=server2,dc=example,dc=com
uri ldap://192.168.4.105
ldap_version 3
rootbinddn cn=admin,dc=server2,dc=example,dc=com
rootpw {SSHA}blah
scope sub
timelimit 5
bind_timelimit 5
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_password exop
nss_base_passwd ou=People,dc=server2,dc=example,dc=com?sub
nss_base_shadow ou=People,dc=server2,dc=example,dc=com?sub
nss_base_group ou=Group,dc=server2,dc=example,dc=com?sub
nss_base_hosts ou=Hosts,dc=server2,dc=example,dc=com?sub
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,nslcd,openldap,proxy,root,sshd,statd,sync,sys,syslog,uucp,whoopsie,www-data
I am am currently running OpenLdap 2.4.31 on Ubuntu 12.04 in EC2. I am having an issue where I get random timeouts when doing ldapsearch or ldapadd commands against the ldap server.
There is really no load against the ldap servers, I am using them for name resolution for EC2 internal hostnames and using ldap as an external node classifier for puppet.
When the timeout happens I get the following error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server
If I rerun the command it works fine, this is causing some issues in my automation (and while I can put in error checking for this it seems odd its happening in the first place).
Here is a copy of my slapd.conf (with some env specific info commented out) hopefully someone has some suggestions on what I am missing in the config to prevent the timeout issue:
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/core.schema
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/collective.schema
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/corba.schema
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/cosine.schema
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/duaconf.schema
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/dyngroup.schema
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/inetorgperson.schema
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/java.schema
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/misc.schema
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/nis.schema
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/openldap.schema
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/ppolicy.schema
include /opt/openldap/openldap-2.4.31/etc/openldap/schema/puppet.schema
pidfile /opt/openldap/openldap-2.4.31/var/run/slapd.pid
argsfile /opt/openldap/openldap-2.4.31/var/run/slapd.args
loglevel 0
serverID 001
database bdb
suffix "dc=example,dc=local"
rootdn "cn=admin,dc=example,dc=local"
rootpw secret
directory /opt/openldap/openldap-2.4.31/var/openldap-data
idletimeout 120
timelimit 300
cachesize 2000
syncrepl rid=000
provider=ldap://10.10.10.10
type=refreshAndPersist
retry="5 5 10 +"
searchbase="dc=example,dc=local"
attrs="*,+"
bindmethod=simple
binddn="cn=admin,dc=example,dc=local"
credentials=secret
syncrepl rid=000
provider=ldap://10.10.10.20
type=refreshAndPersist
retry="5 5 10 +"
searchbase="dc=example,dc=local"
attrs="*,+"
bindmethod=simple
binddn="cn=admin,dc=example,dc=local"
credentials=secret
index entryCSN eq
index entryUUID eq
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 10
Ignore this question. My self-healing automation was misconfiguration and was restarting the slapd process every minute on accident.