HOWTO_LDAP_SAMBA_PDC_Security_Upgrade


This article is part of the HOWTO series.

Create Certs

OPTIONAL: Use of SSL and/or TLS encryption is recommended as a "best practice" because passwords are transferred over the connections between the LDAP system and whatever it talks to. Using them is completely optional, but highly recommended.

First we should create our SSL certificates. The following procedure is used to create a self-signed certificate; for more information see OpenLDAP SSL/TLS How-To.

First we need to create a directory for building our certs in, change to that directory, and then create a new CA. The script will execute and ask you some questions about your organization.


Tip: YOUR NAME is not your name, it should be your FQDN. If you set it to anything else, clients will reject your certificate. Make sure your clients attempt to connect to the FQDN address of your host if it is multi-homed.
# mkdir /var/myca
# cd /var/myca
# /etc/ssl/misc/CA.sh -newca

This creates a demoCA directory with various items, including demoCA/cacert.pem and demoCA/private/cakey.pem (the CA cert and its private key).

Next we need to create a new server certificate signing request that we can later sign with the previously generated CA cert. Again it will ask you some questions about your organization.


Tip: YOUR NAME is not your name, it should be your FQDN. If you set it to anything else, clients will reject your certificate. Make sure your clients attempt to connect to the FQDN address of your host if it is multi-homed.
# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

Next we have the CA sign the CSR. After we execute it, it is going to ask us to enter the PEM pass phrase; this is the challenge passphrase we gave in the previous command. It is also going to ask if we want to sign the cert, which we do.

# /etc/ssl/misc/CA.sh -sign

The result of the above command should be the creation of newcert.pem, our signed cert.

Next we should move the certs to our desired certificate repository and rename them. I prefer to put them in /certs/openldap.

# mkdir -p /certs/openldap
# mv demoCA/cacert.pem /certs/openldap/CA-cert.pem
# mv newcert.pem /certs/openldap/ser-crt.pem
# mv newreq.pem /certs/openldap/ser-key.pem
# chmod 400 /certs/openldap/ser-key.pem
# chown ldap:ldap /certs/openldap/ser-key.pem
The chmod makes the private key read-only; the owner of the key should be the same user that runs slapd. A chown command will be necessary if the owner of the server key is not the same as the user who runs slapd. The certificates should be publicly readable.
Warning: failure to execute the chown in the commands above will prevent slapd from starting, leaving an error message of "main: TLS init def ctx failed: -1" in /var/log/syslog
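The steps above (new CA, server CSR, signing, placing the files with the right permissions) scripted as one non-interactive procedure. This is an added example, not part of the original wiki page, and it uses plain openssl commands instead of the interactive CA.sh wrapper. It goes slightly beyond the page: the RSA key size is a parameter (2048 by default here; the page uses rsa:1024), the server certificate also carries a subjectAltName with the FQDN, which current clients require in addition to the CN, and the result is verified against the CA before anything is installed. The output file names follow the page; the CA name "LDAP example CA" is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): CA -> CSR -> signed server cert
# with plain openssl, then the same chmod layout the page uses.
# Assumptions: FQDN is passed as an argument; key size defaults to 2048;
# the server cert gets a SAN entry for the FQDN on top of the CN.
set -eu

# make_ldap_certs OUTDIR FQDN [DAYS] [BITS]
#   writes OUTDIR/CA-cert.pem, OUTDIR/ser-key.pem, OUTDIR/ser-crt.pem and
#   returns 0 only if the server cert chains to the CA and names FQDN.
make_ldap_certs() {
    outdir=$1; fqdn=$2; days=${3:-365}; bits=${4:-2048}
    mkdir -p "$outdir"
    umask 077   # everything is created private; public files are opened up below

    # 1. New CA (the page's CA.sh -newca step). Its CN is only a label, so a
    #    minimal config with prompt=no replaces the interactive questions.
    cat > "$outdir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = LDAP example CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$outdir/ca.cnf" -newkey "rsa:$bits" -nodes -sha256 \
        -days "$days" -keyout "$outdir/cakey.pem" -out "$outdir/CA-cert.pem" 2>/dev/null

    # 2. Server key and CSR (the page's 'openssl req -newkey' step). The CN must
    #    be the FQDN clients connect to, exactly as the page's Tip says.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$fqdn" > "$outdir/srv.cnf"
    openssl req -new -config "$outdir/srv.cnf" -newkey "rsa:$bits" -nodes -sha256 \
        -keyout "$outdir/ser-key.pem" -out "$outdir/ser-req.pem" 2>/dev/null

    # 3. Sign the CSR with the CA (the page's CA.sh -sign step), adding the SAN.
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$fqdn" > "$outdir/san.cnf"
    openssl x509 -req -sha256 -days "$days" -in "$outdir/ser-req.pem" \
        -CA "$outdir/CA-cert.pem" -CAkey "$outdir/cakey.pem" -CAcreateserial \
        -extfile "$outdir/san.cnf" -out "$outdir/ser-crt.pem" 2>/dev/null

    # 4. Permissions as on the page: certificates world-readable, keys 0400.
    chmod 644 "$outdir/CA-cert.pem" "$outdir/ser-crt.pem"
    chmod 400 "$outdir/ser-key.pem" "$outdir/cakey.pem"

    # 5. Check before installing: the chain must verify and the SAN must match.
    openssl verify -CAfile "$outdir/CA-cert.pem" "$outdir/ser-crt.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$outdir/ser-crt.pem" -noout -text | grep -q "DNS:$fqdn"
}
```

Typical use is `make_ldap_certs /var/myca/out ldap.example.org`, after which the three files are moved into /certs/openldap and the key is chowned to the user that runs slapd, as the page does; the CA key (cakey.pem) stays in the build directory and is only needed to sign further certificates.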

Update /etc/openldap/slapd.conf to ensure the following lines are uncommented

# TLSCertificateFile /certs/openldap/ser-crt.pem
# TLSCertificateKeyFile /certs/openldap/ser-key.pem
# TLSCACertificateFile /certs/openldap/CA-cert.pem

You may also want to update /etc/openldap/ldap.conf. This line will let the ldapsearch client automatically use your certificate to verify the server.

client ~# echo "TLS_CACERT /certs/openldap/CA-cert.pem" >> /etc/openldap/ldap.conf

Configure Samba to use TLS

Update the following line in /etc/samba/smb.conf in the [Global] section.

File: smb.conf
 ldap ssl = start_tls

Now, restart everything and hope it works!

Code: Restart Servers
 # /etc/init.d/slapd restart
 # /etc/init.d/samba restart

Securing Files

We need to secure /etc/openldap/slapd.conf from access by anyone besides root, because the root password for our entire LDAP directory is in that file. We can accomplish this with the following command.

Code: secure slapd.conf
# chmod 600 /etc/openldap/slapd.conf
# chown ldap:ldap /etc/openldap/slapd.conf
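A read-only audit of the files the sections above touch: slapd.conf mode 600, the three TLS directives present and uncommented and pointing at existing files, the server key mode 400 and owned by the slapd user (the ownership mistake behind the "TLS init def ctx failed" error), and TLS_CACERT set in the client ldap.conf. This is an added example, not part of the original page; the paths and user name default to the page's values but are passed as parameters so the check can be run against any tree.

```shell
#!/bin/sh
# Added example (not from the original page): audit the TLS/permission setup
# described above. Assumes slapd.conf directives start in column 1 and that
# '#' lines are comments, as in the page's examples.

# file_mode FILE  -> octal permission bits such as 400 (GNU stat, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# file_owner FILE -> owning user name
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# directive_value CONF NAME -> value of an uncommented "NAME value" line, empty if none.
# A line such as "# TLSCertificateFile ..." has "#" as its first field and is skipped.
directive_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_ldap_tls SLAPD_CONF LDAP_CONF SLAPD_USER
#   e.g. check_ldap_tls /etc/openldap/slapd.conf /etc/openldap/ldap.conf ldap
#   Prints one line per problem; the return value is the number of problems (0 = OK).
check_ldap_tls() {
    conf=$1; ldapconf=$2; user=$3; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # slapd.conf carries the directory's root password: nobody but the owner may read it
    m=$(file_mode "$conf")
    [ "$m" = 600 ] || fail "$conf mode is $m, expected 600"

    # The three TLS directives must be present, uncommented, and point at real files
    for d in TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile; do
        v=$(directive_value "$conf" "$d")
        if [ -z "$v" ]; then
            fail "$d is missing or commented out in $conf"
        elif [ ! -f "$v" ]; then
            fail "$d points to $v, which does not exist"
        fi
    done

    # The private key: unreadable to others and owned by the user slapd runs as;
    # the wrong owner is what stops slapd with "TLS init def ctx failed: -1".
    key=$(directive_value "$conf" TLSCertificateKeyFile)
    if [ -n "$key" ] && [ -f "$key" ]; then
        m=$(file_mode "$key"); o=$(file_owner "$key")
        [ "$m" = 400 ] || [ "$m" = 600 ] || fail "$key mode is $m, expected 400"
        [ "$o" = "$user" ] || fail "$key is owned by $o but slapd runs as $user"
    fi

    # Clients need the CA certificate to verify the server
    ca=$(directive_value "$ldapconf" TLS_CACERT)
    [ -n "$ca" ] || fail "TLS_CACERT is not set in $ldapconf"

    return "$problems"
}
```

Run it after the restart step; a non-zero exit with the printed FAIL lines tells you which of the page's chmod, chown or uncomment steps was skipped.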

Not using the rootdn

See Talk:HOWTO_LDAP_SAMBA_PDC_Security_Upgrade for now.
Po0ky 14:43, 29 December 2005 (GMT)


Retrieved from "http://www.gentoo-wiki.info/HOWTO_LDAP_SAMBA_PDC_Security_Upgrade"

Last modified: Fri, 05 Sep 2008 08:04:00 +0000