OpenLDAP Installation and Configuration:
Set up hostname
# vi /etc/hosts
# vi /etc/sysconfig/network
Install OpenLDAP
# yum install openldap openldap-clients
# yum install sssd perl-LDAP.noarch
# yum -y --disablerepo=* localinstall -v lib64db4.6-4.6.21-26-rosa.lts2012.0.x86_64.rpm
# yum -y --disablerepo=* localinstall -v berkeleydb-ltb-4.6.21.NC-4.el6.patch4.x86_64.rpm
# yum -y --disablerepo=* localinstall -v openldap-ltb-2.4.36-1.el6.x86_64.rpm
# yum list installed | grep openldap
Set PATH to include OpenLDAP
# vi /root/.bash_profile
PATH=/usr/local/openldap/bin:/usr/local/openldap/sbin:$PATH:$HOME/bin
. ./.bash_profile
Set up DataBase config file
# cp /usr/local/openldap/etc/openldap/DB_CONFIG.example /usr/local/openldap/var/openldap-data/DB_CONFIG
Change ownership to ldap for LDAP file structure
# chown -R ldap:ldap /var/lib/ldap
Start LDAP and have it start at boot up
# service slapd start
# chkconfig slapd on
Create or Change LDAP Manager password
# slappasswd
New password: secret
{SSHA}b+EGw24ZN97RqXMXBC5rYf18z4vVBHpO
# vi /usr/local/openldap/etc/openldap/slapd.conf
rootpw {SSHA}b+EGw24ZN97RqXMXBC5rYf18z4vVBHpO
Install email:
# yum install mailx
Install & configure NTP:
# yum install ntp
# vi /etc/ntp.conf # Add the following lines:
server 172.20.15.240
server 172.20.15.241
# chkconfig ntpd on
# service ntpd start
# ntpq -p
Open internal O/S firewall:
# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Aug 8 22:58:11 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:532]
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
COMMIT
# Completed on Thu Aug 8 22:58:11 2013
# Generated by iptables-save v1.4.7 on Thu Aug 8 22:58:11 2013
*nat
:PREROUTING ACCEPT [2:104]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:108]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Aug 8 22:58:11 2013
# chkconfig iptables on
# service iptables start
# chkconfig ip6tables off
# service ip6tables stop
Create certs and keys, if using SSL/TLS:
http://www.server-world.info/en/note?os=CentOS_5&p=ldap&f=3
Modify/verify the following files & lines:
# vi /etc/openldap/db.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}h3SDRKFzrUTx+DiFSpF86ClkrnFlATi9
-
replace: olcRootDN
olcRootDN: cn=admin,cn=config
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}h3SDRKFzrUTx+DiFSpF86ClkrnFlATi9
-
replace: olcSuffix
olcSuffix: dc=luthresearch,dc=net
-
replace: olcRootDN
olcRootDN: cn=manager,dc=luthresearch,dc=net
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,dc=luthresearch,dc=net" read by * none
# vi /etc/openldap/ldap.conf
#BASE dc=luthresearch,dc=net
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#URI ldap://ldap.luthresearch.net
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
SSL ON
#TLS_CACERTDIR /etc/openldap/cacerts
#TLS_REQCERT allow
# vi /etc/sssd/sssd.conf
[domain/default]
#[domain/LDAP]
enumerate = True
cache_credentials = True
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.luthresearch.net
ldap_search_base = dc=luthresearch,dc=net
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_id_use_start_tls = False
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam
config_file_version = 2
domains = default
# vi /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files ldap
aliases: files nisplus
# vi /etc/openldap/base.ldif
dn: dc=luthresearch,dc=net
dc: luthresearch
objectClass: top
objectClass: domain
dn: ou=People,dc=luthresearch,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=luthresearch,dc=net
ou: Group
objectClass: top
objectClass: organizationalUnit
LDAP Path: /usr/local/openldap/etc/openldap
Installation & Configuration of Radius, on LDAP server, for StrongSwan:
# yum install freeradius
# yum install freeradius-ldap
# yum install freeradius-utils
# yum -y upgrade
# chkconfig radiusd on
# chkconfig pptpd on
# reboot
# vi /etc/resolv.conf
search us-west-2.compute.internal ec2.luthresearch.net luthresearch.net ec2.internal
nameserver 172.20.15.12
nameserver 172.20.15.49
nameserver 10.17.0.2
# cp /usr/share/freeradius/dictionary.microsoft /etc/radiusclient/dictionary.microsoft
# vi /etc/radiusclient/dictionary # Add the following line:
include /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft
# cd /etc/radiusclient/
# mv dictionary.microsoft dictionary.microsoft.bak
# scp /etc/radiusclient/dictionary.microsoft <server>:/etc/radiusclient
# vi /etc/raddb/sites-available/inner-tunnel & /etc/raddb/sites-available/default & /etc/raddb/sites-enabled/default
# Make sure the ldap line is uncommented in the etc_smbpasswd section of the eap function.
# The following is uncommented:
Auth-Type LDAP {
ldap
}
# But the ldap line must be commented out in the post-auth function.
# vi /etc/raddb/modules/ldap # Under ldap function has the following:
server = <LDAP IP address>
basedn = "ou=People,dc=luthresearch,dc=net"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
# vi /etc/raddb/ldap.attrmap # Verify the following lines are there:
checkItem LM-Password sambaLmPassword
checkItem NT-Password sambaNTPassword
# service radiusd start
# service pptpd start
Add Radius & Samba schemas to existing schema:
Download schemas and place in /usr/local/openldap/etc/openldap/schema directory.
Add the following entries to the /usr/local/openldap/etc/openldap/slapd.conf file:
include /usr/local/openldap/etc/openldap/schema/RADIUS-LDAPv3.schema
include /usr/local/openldap/etc/openldap/schema/samba.schema
Radius trouble shooting commands:
# netstat -plunt
# radtest testing password 127.0.0.1 0 testing123
# radtest luthtest luthtestpass 127.0.0.1 0 testing123
# radiusd -X
If IP address change:
# vi /etc/raddb/modules/ldap
server=10.16.249.90
Search files for a specific string in it:
# find /etc -type f -print | xargs grep '10.15.2' 2>/dev/null
Radius command tools:
To change the default radius "testing123" password:
# vi /etc/strongswan/strongswan.conf
# vi /etc/raddb/clients.conf
Make sure the new password does not have quotes around it.
LDAP trouble shooting commands:
To display LDAP logs:
# tail /var/log/openldap.log
To display current LDAP version:
# ldapsearch -VV
Start slapd in debug mode:
# /usr/local/openldap/libexec/slapd -d -1 -u ldap -F /usr/local/etc/openldap/slapd.d -h ldapi:/// 2> output
Test slapd:
# slaptest -f /usr/local/openldap/etc/openldap/slapd.conf
Recover database:
# db_recover -vh /usr/local/openldap/var/openldap-data
Test if server can access LDAP:
# ldapsearch -H ldap://10.15.2.188:389 -x -b "ou=People,dc=luthresearch,dc=net" -LLL "(&(object)(uid=luthtest))"
LDAP command tools:
To add a new LDAP user:
# vi /etc/openldap/adduser.ldif
modify the dn:, cn:, userPassword, & sambaNTPassword fields
the sambaNTPassword value is generated by running the following command on the PopTop server; copy the NT Hash value from its output:
smbencrypt <new password>
# ldapadd -x -D "cn=Manager,dc=luthresearch,dc=net" -w secret -f /etc/openldap/adduser.ldif
To change the users LDAP password:
# ldappasswd -vx -D "cn=Manager,dc=luthresearch,dc=net" -w secret -S "uid=luthtest,ou=People,dc=luthresearch,dc=net"
To display LDAP database:
# ldapsearch -x -b 'dc=luthresearch,dc=net' -D "cn=Manager,dc=luthresearch,dc=net" -w secret -h localhost dn -LLL | grep -v ^$
# ldapsearch -x -b 'dc=luthresearch,dc=net' '(object*)'
To delete an LDAP user account:
# ldapdelete -D "cn=Manager,dc=luthresearch,dc=net" -w secret "uid=luthtest,ou=People,dc=luthresearch,dc=net"
To search for a specific LDAP user:
# ldapsearch -x -b 'dc=luthresearch,dc=net' "uid=ntUser"
To restart the LDAP service:
# service slapd restart
To enable SSL on port 636:
# /usr/local/openldap/libexec/slapd -h ldap://127.0.0.1:10389/ ldaps:/// ldapi:/// -g openldap -u openldap -f /usr/local/openldap/etc/openldap/slapd.conf
To replace the LDAP database:
On Source server:
# ldapsearch -x -b 'dc=luthresearch,dc=net' '(object*)' | tail
and remember the numEntries count at the bottom line of the output.
# slapcat -n 0 -l /tmp/east_ldap_user_list.ldif
or # slapcat -l /tmp/east_ldap_user_list.ldif
Then copy that file to the Destination server:/tmp
On Destination server:
# service slapd stop
tar up and then delete all files in /usr/local/openldap/var/openldap-data:
# cd /usr/local/openldap/var
# tar cvf openldap-data.tar openldap-data
# cd openldap-data
# cp DB_CONFIG ..
# rm -f *
# cp ../DB_CONFIG .
# slapadd -l /tmp/east_ldap_user_list.ldif
If you get the following error message:
slapadd: line 1: database #1 (dc=luthresearch,dc=net) not configured to hold "dc=myplace,dc=local"; no database configured for that naming context
Then run the following:
# cd /tmp
# cat > ldapadd.sed <<EOF
/^creatorsName:/d
/^createTimestamp:/d
/^modifiersName:/d
/^modifyTimestamp:/d
/^structuralObjectClass:/d
/^entryUUID:/d
/^entryCSN:/d
EOF
# cat /tmp/east_ldap_user_list.ldif | sed -f ldapadd.sed > /tmp/east_ldap_user_list_updated.ldif
Clear out any bogus entries at the top of the /tmp/east_ldap_user_list_updated.ldif file and then rerun the slapadd command:
# slapadd -l /tmp/east_ldap_user_list_updated.ldif
# chown -R ldap:ldap /usr/local/berkeleydb/openldap-logs
# chown -R ldap:ldap /usr/local/openldap
# service slapd restart
Verify that the number of entries is correct
# ldapsearch -x -b 'dc=luthresearch,dc=net' '(object*)' | tail
Make sure the numEntries count is the same as when you first ran this command from the Source server.
Reference: http://virtualtee.blogspot.com/2012/02/openldap-after-upgrading-debian.html
----------------------------------------------------------------
Create adduser.ldif template for adding new LDAP users:
Create the following /etc/openldap/adduser.ldif file:
dn: uid=luthtest,ou=People,dc=luthresearch,dc=net
cn: Luth Test
objectclass: account
objectclass: sambaSamAccount
sambaSID: S-1-5-21-924209702-1057988766-553982440-3096
# This is the NT Hash value generated by running "smbencrypt luthtestpass" on the PopTop
# server (LDIF only treats a line starting with '#' as a comment; an inline '# ...' would become part of the attribute value)
sambaNTPassword: 29D05F5BDEB37E2C5B6682D07EB5F3EC
objectclass: top
objectclass: shadowAccount
userPassword: luthtestpass
-------------------------------------------------------------------------
OpenLDAP Mirror Mode Replication Configuration:
References: http://www.openldap.org/doc/admin24/replication.html
http://www.openldap.org/lists/openldap-software/200906/msg00029.html
Add the following lines to this file (the replication-specific directives are moduleload syncprov.la, the overlay syncprov / syncprov-* lines, serverID, the syncrepl block and mirrormode; the rest is the standard slapd.conf):
[root@dev-ldap04 ~]# vi /usr/local/openldap/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/openldap.schema
include /usr/local/openldap/etc/openldap/schema/RADIUS-LDAPv3.schema
include /usr/local/openldap/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
# Allows ldapsearch to return all entry count (comment kept on its own line:
# slapd.conf(5) only ignores whole lines starting with '#')
sizelimit unlimited
# Load dynamic backend modules:
# modulepath /usr/local/openldap/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
moduleload syncprov.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=luthresearch,dc=net"
rootdn "cn=Manager,dc=luthresearch,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {CRYPT}9KfIO0kVs.2rM
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/openldap/var/openldap-data
# Indices to maintain
# index objectclass,entryCSN,entryUUID eq
index objectClass eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# serverID / syncrepl rid / provider: point these at the other LDAP server
# (slapd.conf(5) only ignores whole lines starting with '#', so the
# annotations are kept on their own lines rather than inline)
serverID 5
syncrepl rid=005
provider=ldap://dev-ldap05
bindmethod=simple
binddn="cn=Manager,dc=luthresearch,dc=net"
credentials=secret
searchbase="dc=luthresearch,dc=net"
schemachecking=on
retry="60 +"
mirrormode on
-------------------------------------------------------------------------
slapd Service Fail-over:
Create public/private keys:
Reference: http://www.dotkam.com/2009/03/10/run-commands-remotely-via-ssh-with-no-password/
Create ~/vip_monitor.sh with the following contents (the script is shown in full below):
[root@dev-ldap04 ~]# cat vip_monitor.sh
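#!/bin/bash
# This script will monitor another HA node and take over a Virtual IP (VIP)
# if communication with the other node fails.
#
# It loops forever (one pass every $INTERVAL seconds) and on each pass:
#   1. pings the other node; if no reply comes back, the VIP is reassigned
#      to this instance's ENI and an alert is mailed;
#   2. asks the other node over ssh whether slapd is running; if it reports
#      "not running", the VIP is reassigned here, eth0:0 is downed on the
#      other node, the local network is restarted and an alert is mailed.
# Needs a passwordless ssh key for root on the other node (loaded into
# ssh-agent below) and the EC2 permissions listed further down.

# High Availability IP variables
# Other node's IP to ping and VIP to swap if other node goes down
HA_Node_IP=10.15.2.185
HA_Node_Name=dev-ldap05
VIP=10.15.2.160
MYSELF="Dev-LDAP04"
EMAIL="[email protected]"
EMAILMESSAGE="/tmp/alert.txt"
# Specify the EC2 region that this will be running in
REGION=us-west-2
# Seconds to wait between monitor passes
INTERVAL=60
# ssh must never block the monitor loop: fail instead of prompting for a
# password/passphrase, and give up on an unreachable node after 10 seconds.
SSH_OPTS=(-o BatchMode=yes -o ConnectTimeout=10)

# Run aws-apitools-common.sh to set up default environment variables and to
# leverage AWS security credentials provided by EC2 roles
. /etc/profile.d/aws-apitools-common.sh

# Determine the instance and ENI IDs so we can reassign the VIP to the
# correct ENI. Requires EC2 describe-instances and assign-private-ip-address
# permissions. The following example EC2 roles policy will authorize these
# commands:
# {
# "Statement": [
# {
# "Action": [
# "ec2:AssignPrivateIpAddresses",
# "ec2:DescribeInstances"
# ],
# "Effect": "Allow",
# "Resource": "*"
# }
# ]
# }
# Instance id comes from the EC2 instance metadata service.
Instance_ID=$(/usr/bin/curl --silent http://169.254.169.254/latest/meta-data/instance-id)
# First "eni" line of the describe-instances output; column 2 is the ENI id.
ENI_ID=$(/opt/aws/bin/ec2-describe-instances "$Instance_ID" --region "$REGION" | grep eni -m 1 | awk '{print $2;}')
if [ -z "$ENI_ID" ]; then
  # Keep monitoring (the lookup may fail transiently at boot), but say so loudly.
  echo "$(date) -- WARNING: could not determine ENI id for instance '$Instance_ID'; VIP takeover will fail" >&2
fi

# Print a timestamped message to stdout (the cron log).
log() {
  echo "$(date) $*"
}

# Write a timestamped message to $EMAILMESSAGE and mail it to $EMAIL.
notify() {
  echo "$(date) $*" > "$EMAILMESSAGE"
  /bin/mail -s "$MYSELF" "$EMAIL" < "$EMAILMESSAGE"
}

# Count of ping replies (0 means unreachable). $1 = number of pings, $2 = host.
ping_replies() {
  ping -c "$1" -W 1 "$2" | grep -c 'time='
}

# Reassign the VIP to this instance's ENI (takes it away from the other node).
take_over_vip() {
  /opt/aws/bin/ec2-assign-private-ip-addresses -n "$ENI_ID" --secondary-private-ip-address "$VIP" --allow-reassignment --region "$REGION"
}

# Load the key used for the root@other-node ssh checks into an agent.
eval "$(ssh-agent)"
ssh-add ~/.ssh/id_rsa_ldap04

log "-- Starting HA monitor"
while true; do
  log "Testing..."

  # 1. Heartbeat: is the other node reachable at all?
  if [ "$(ping_replies 3 "$HA_Node_IP")" -eq 0 ]; then
    log "-- HA heartbeat failed, taking over VIP"
    take_over_vip
    # If the VIP still does not answer after reassignment, bounce the
    # local network so this host picks it up.
    if [ "$(ping_replies 1 "$VIP")" -eq 0 ]; then
      echo "Server $HA_Node_Name is down."
      log "-- Restarting network"
      /sbin/service network restart > /dev/null 2>&1
    fi
    notify "-- HA heartbeat failed, taking over VIP"
  fi

  # 2. Service check: is slapd running on the other node?  The grep output
  # is left on stdout as a log trace.  An ssh failure produces no match and
  # is treated as "running" (the heartbeat above covers an unreachable node).
  if ssh "${SSH_OPTS[@]}" "root@$HA_Node_IP" service slapd status | grep "not running"; then
    log "--slapd service down on $HA_Node_Name. Removing VIP from $HA_Node_Name."
    take_over_vip
    # NOTE(review): the ifcfg-eth0:0 alias file uses NETMASK=255.255.255.192 — confirm which mask is right.
    ssh "${SSH_OPTS[@]}" "root@$HA_Node_IP" ifconfig eth0:0 "$VIP" netmask 255.255.255.0 down
    log "-- Restarting network"
    /sbin/service network restart > /dev/null 2>&1
    notify "--slapd service down on $HA_Node_Name. Removing VIP from $HA_Node_Name."
  fi

  sleep "$INTERVAL"
done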
-------------------------------------------------------------------------
Amazon Server Fail-over:
Reference: http://aws.amazon.com/articles/2127188135977316
Add fail-over script to crontab:
# echo '@reboot /root/vip_monitor.sh >> /tmp/vip_monitor.log' | crontab -
# /root/vip_monitor.sh >> /tmp/vip_monitor.log &
and create the following /etc/sysconfig/network-scripts/ifcfg-eth0:0 file:
DEVICE=eth0:0
BOOTPROTO=dhcp
ONBOOT=yes
IPADDR=10.15.2.160
NETMASK=255.255.255.192
Now the interface eth0:0 is started up at reboot, and on only one of the servers at a time.
-------------------------------------------------------------------------
Modifications to OpenLDAP for StrongSwan:
For Scalability:
Reference: http://freeradius.org/features/scalability.html
# vi /etc/raddb/radiusd.conf
max_requests = 2048
max_servers = 128
-------------------------------------------------------------------------
Modifications to FreeRadius for StrongSwan:
Reference: http://tecadmin.net/freeradius-authentication-with-openldap/
Edit Radius LDAP files:
# vi /etc/raddb/modules/ldap
ldap {
set_auth_type = yes
basedn = "ou=People,dc=luthresearch,dc=net"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
...
}
set_auth_type = yes
# vi /etc/raddb/ldap.attrmap
checkItem User-Password userPassword
Enable LDAP authentication:
# vi /etc/raddb/sites-available/inner-tunnel
&
# vi /etc/raddb/sites-available/default
Auth-Type LDAP {
ldap
}
Restart the radiusd service:
# service radiusd restart
-------------------------------------------------------------------------
Modifications to StrongSwan for Radius/LDAP:
Increase sockets & threads, for scalability:
Reference: https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Parallel-RADIUS-sessions
# vi /etc/strongswan/strongswan.conf
charon {
...
...
plugins {
eap-radius {
servers {
server-a {
address = 10.16.251.126 # Point StrongSwan to authenticate to the VIP LDAP address
secret = e38tlfjslBY3Qb
sockets = 20
#accounting = yes
}
}
}
...
...
...
libstrongswan {
processor {
priority_threads {
medium = 30
}
}
...
...
...
dns1 = 10.17.0.2 # IP address from /etc/resolv.conf
Configure private IP address and Virtual IP address pool
# vi /etc/strongswan/ipsec.conf
conn ios
left=10.17.252.168 # Local IP address
leftid="C=CH, O=Luth Research LLC, CN=West IPSEC01"
rightsourceip=10.16.0.0/19 # VIP address pool
Create IPTables settings
# vi /etc/sysconfig/iptables
-A POSTROUTING -s 10.16.0.0/19 -d 10.17.0.0/16 -p tcp -m tcp --dport 3128 -j ACCEPT
-A POSTROUTING -s 10.16.0.0/19 -j SNAT --to-source 10.17.252.168
After moving a cloned IPsec server, you must recreate the server certificate with the new IP and proxy addresses using the following commands:
# cd /etc/strongswan/ipsec.d/certs
# strongswan pki --pub --in /etc/strongswan/ipsec.d/private/serverKey.pem | strongswan pki --issue --cacert /etc/strongswan/ipsec.d/cacerts/caCert.pem --cakey /etc/pki/tls/private/caKey.pem --dn "C=CH, O=Luth Research LLC, CN=West IPSEC01" --san="<new IP address>" --san="pw02.mb.surveysavvy.com" --san="p02.mb.surveysavvy.com" --flag serverAuth --flag ikeIntermediate --outform pem > /etc/strongswan/ipsec.d/certs/serverCert.pem
Verify:
# openssl x509 -in serverCert.pem -text -noout
Restart service:
# service strongswan restart
Add ldap-clients package:
# yum install openldap-clients
-------------------------------------------------------------------------
Modifications to OpenVPN server for LDAP:
# vi /etc/openvpn/auth/ldap.conf
<LDAP>
# LDAP server URL
URL ldap://<LDAP VIP address>:389
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN cn=Manager,dc=luthresearch,dc=net
# Bind Password
Password secret
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=People,dc=luthresearch,dc=net"
# User Search Filter
SearchFilter "(&(uid=%u))"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "ou=Groups,dc=luthresearch,dc=net"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
# vi /etc/openvpn/server.conf
proto tcp
port 443
dev tun
server 10.15.3.64 255.255.255.192 # client VPN IP address range
ca ca.crt
cert savvyconnect_mobile.crt
key savvyconnect_mobile.key
dh dh2048.pem
tls-auth ta.key 0
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri Sep 13 21:51:43 2013
*nat
:PREROUTING ACCEPT [1694:103138]
:POSTROUTING ACCEPT [981:68923]
:OUTPUT ACCEPT [981:68923]
-A POSTROUTING -s 10.15.3.64/26 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Sep 13 21:51:43 2013
# Generated by iptables-save v1.4.7 on Fri Sep 13 21:51:43 2013
*filter
:INPUT ACCEPT [170989:200690580]
:FORWARD ACCEPT [36519:25056860]
:OUTPUT ACCEPT [137871:38023526]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
COMMIT
# Completed on Fri Sep 13 21:51:43 2013
# service openvpn restart
-------------------------------------------------------------------------
Fix to the bogus service openvpn status output:
# service openvpn status
Status written to /var/log/messages
That line is printed, but nothing is actually written to /var/log/messages.
The fix is to add the following status) case arm to the /etc/rc.d/init.d/openvpn init script:
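status)
  # Report each *.conf in $work as running / aborted / stopped, based on the
  # pid file $piddir/<name>.pid.  $lock, $work and $piddir are set earlier in
  # this init script.
  if [ -f "$lock" ]; then
    cd "$work" || { echo "openvpn: cannot cd to $work"; exit 1; }
    for c in *.conf; do
      # An unmatched glob leaves the literal pattern; skip it (this replaces
      # parsing the output of ls, which breaks on unusual file names).
      [ -e "$c" ] || continue
      bn=${c%%.conf}
      pidf=$piddir/$bn.pid
      if [ -s "$pidf" ]; then
        pid=$(cat "$pidf")
        # kill -0 only checks that the process exists; hide the
        # "No such process" noise when it has gone away.
        if kill -0 "$pid" 2>/dev/null; then
          echo "$c $pid running"
        else
          echo "$c $pid aborted"
        fi
      else
        echo "$c stopped"
      fi
    done
  else
    echo "openvpn: service not started"
    exit 1
  fi
  ;;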
Now the output gives us meaningful information on the status of OpenVPN:
# service openvpn status
server.conf 842 running
Set up hostname
# vi /etc/hosts
# vi /etc/sysconfig/network
Install OpenLDAP
# yum install openldap openldap-clients
# yum install sssd perl-LDAP.noarch
# yum -y --disablerepo=* localinstall -v lib64db4.6-4.6.21-26-rosa.lts2012.0.x86_64.rpm
# yum -y --disablerepo=* localinstall -v berkeleydb-ltb-4.6.21.NC-4.el6.patch4.x86_64.rpm
# yum -y --disablerepo=* localinstall -v openldap-ltb-2.4.36-1.el6.x86_64.rpm
# yum list installed | grep openldap
Set PATH to include OpenLDAP
# vi /root/.bash_profile
PATH=/usr/local/openldap/bin:/usr/local/openldap/sbin:$PATH:$HOME/bin
. ./.bash_profile
Set up DataBase config file
# cp /usr/local/openldap/etc/openldap/DB_CONFIG.example /usr/local/openldap/var/openldap-data/DB_CONFIG
Change ownership to ldap for LDAP file structure
# chown -R ldap:ldap /var/lib/ldap
Start LDAP and have it start at boot up
# service slapd start
# chkconfig slapd on
Create or Change LDAP Manager password
# slappasswd
New password: secret
{SSHA}b+EGw24ZN97RqXMXBC5rYf18z4vVBHpO
# vi /usr/local/openldap/etc/openldap/slapd.conf
rootpw {SSHA}b+EGw24ZN97RqXMXBC5rYf18z4vVBHpO
Install email:
# yum install mailx
Install & configure NTP:
# yum install ntp
# vi /etc/ntp.conf # Add the following lines:
server 172.20.15.240
server 172.20.15.241
# chkconfig ntpd on
# service ntpd start
# ntpq -p
Open internal O/S firewall:
# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Aug 8 22:58:11 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:532]
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
COMMIT
# Completed on Thu Aug 8 22:58:11 2013
# Generated by iptables-save v1.4.7 on Thu Aug 8 22:58:11 2013
*nat
:PREROUTING ACCEPT [2:104]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:108]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Aug 8 22:58:11 2013
# chkconfig iptables on
# service iptables start
# chkconfig ip6tables off
# service ip6tables stop
Create certs and keys, if using SSL/TLS:
http://www.server-world.info/en/note?os=CentOS_5&p=ldap&f=3
Modify/verify the following files & lines:
# vi /etc/openldap/db.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}h3SDRKFzrUTx+DiFSpF86ClkrnFlATi9
-
replace: olcRootDN
olcRootDN: cn=admin,cn=config
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}h3SDRKFzrUTx+DiFSpF86ClkrnFlATi9
-
replace: olcSuffix
olcSuffix: dc=luthresearch,dc=net
-
replace: olcRootDN
olcRootDN: cn=manager,dc=luthresearch,dc=net
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,dc=luthresearch,dc=net" read by * none
# vi /etc/openldap/ldap.conf
#BASE dc=luthresearch,dc=net
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#URI ldap://ldap.luthresearch.net
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
SSL ON
#TLS_CACERTDIR /etc/openldap/cacerts
#TLS_REQCERT allow
# vi /etc/sssd/sssd.conf
[domain/default]
#[domain/LDAP]
enumerate = True
cache_credentials = True
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.luthresearch.net
ldap_search_base = dc=luthresearch,dc=net
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_id_use_start_tls = False
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam
config_file_version = 2
domains = default
# vi /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files ldap
aliases: files nisplus
# vi /etc/openldap/base.ldif
dn: dc=luthresearch,dc=net
dc: luthresearch
objectClass: top
objectClass: domain
dn: ou=People,dc=luthresearch,dc=net
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=luthresearch,dc=net
ou: Group
objectClass: top
objectClass: organizationalUnit
LDAP Path: /usr/local/openldap/etc/openldap
Installation & Configuration of Radius, on LDAP server, for StrongSwan:
# yum install freeradius
# yum install freeradius-ldap
# yum install freeradius-utils
# yum -y upgrade
# chkconfig radiusd on
# chkconfig pptpd on
# reboot
# vi /etc/resolv.conf
search us-west-2.compute.internal ec2.luthresearch.net luthresearch.net ec2.internal
nameserver 172.20.15.12
nameserver 172.20.15.49
nameserver 10.17.0.2
# cp /usr/share/freeradius/dictionary.microsoft /etc/radiusclient/dictionary.microsoft
# vi /etc/radiusclient/dictionary # Add the following line:
include /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft
# cd /etc/radiusclient/
# mv dictionary.microsoft dictionary.microsoft.bak
# scp /etc/radiusclient/dictionary.microsoft <server>:/etc/radiusclient
# vi /etc/raddb/sites-available/inner-tunnel & /etc/raddb/sites-available/default & /etc/raddb/sites-enabled/default
# Make sure the ldap line is uncommented in the etc_smbpasswd section of the eap function.
# The following is uncommented:
Auth-Type LDAP {
ldap
}
# But the ldap line must be commented out in the post-auth function.
# vi /etc/raddb/modules/ldap # Under ldap function has the following:
server = <LDAP IP address>
basedn = "ou=People,dc=luthresearch,dc=net"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
# vi /etc/raddb/ldap.attrmap # Verify the following lines are there:
checkItem LM-Password sambaLmPassword
checkItem NT-Password sambaNTPassword
# service radiusd start
# service pptpd start
Add Radius & Samba schemas to existing schema:
Download schemas and place in /usr/local/openldap/etc/openldap/schema directory.
Add the following entries to the /usr/local/openldap/etc/openldap/slapd.conf file:
include /usr/local/openldap/etc/openldap/schema/RADIUS-LDAPv3.schema
include /usr/local/openldap/etc/openldap/schema/samba.schema
Radius trouble shooting commands:
# netstat -plunt
# radtest testing password 127.0.0.1 0 testing123
# radtest luthtest luthtestpass 127.0.0.1 0 testing123
# radiusd -X
If IP address change:
# vi /etc/raddb/modules/ldap
server=10.16.249.90
Search files for a specific string in it:
# find /etc -type f -print | xargs grep '10.15.2' 2>/dev/null
Radius command tools:
To change the default radius "testing123" password:
# vi /etc/strongswan/strongswan.conf
# vi /etc/raddb/clients.conf
Make sure the new password does not have quotes around it.
LDAP trouble shooting commands:
To display LDAP logs:
# tail /var/log/openldap.log
To display current LDAP version:
# ldapsearch -VV
Start slapd in debug mode:
# /usr/local/openldap/libexec/slapd -d -1 -u ldap -F /usr/local/etc/openldap/slapd.d -h ldapi:/// 2> output
Test slapd:
# slaptest -f /usr/local/openldap/etc/openldap/slapd.conf
Recover database:
# db_recover -vh /usr/local/openldap/var/openldap-data
Test if server can access LDAP:
# ldapsearch -H ldap://10.15.2.188:389 -x -b "ou=People,dc=luthresearch,dc=net" -LLL "(&(object)(uid=luthtest))"
LDAP command tools:
To add a new LDAP user:
# vi /etc/openldap/adduser.ldif
modify the dn:, cn:, userPassword, & sambaNTPassword fields
the sambaNTPassword value is generated by running the following command on the PopTop server; copy the NT Hash value from its output:
smbencrypt <new password>
# ldapadd -x -D "cn=Manager,dc=luthresearch,dc=net" -w secret -f /etc/openldap/adduser.ldif
To change the users LDAP password:
# ldappasswd -vx -D "cn=Manager,dc=luthresearch,dc=net" -w secret -S "uid=luthtest,ou=People,dc=luthresearch,dc=net"
To display LDAP database:
# ldapsearch -x -b 'dc=luthresearch,dc=net' -D "cn=Manager,dc=luthresearch,dc=net" -w secret -h localhost dn -LLL | grep -v ^$
# ldapsearch -x -b 'dc=luthresearch,dc=net' '(object*)'
To delete an LDAP user account:
# ldapdelete -D "cn=Manager,dc=luthresearch,dc=net" -w secret "uid=luthtest,ou=People,dc=luthresearch,dc=net"
To search for a specific LDAP user:
# ldapsearch -x -b 'dc=luthresearch,dc=net' "uid=ntUser"
To restart the LDAP service:
# service slapd restart
To enable SSL on port 636:
# /usr/local/openldap/libexec/slapd -h ldap://127.0.0.1:10389/ ldaps:/// ldapi:/// -g openldap -u openldap -f /usr/local/openldap/etc/openldap/slapd.conf
To replace the LDAP database:
On Source server:
# ldapsearch -x -b 'dc=luthresearch,dc=net' '(object*)' | tail
and remember the numEntries count at the bottom line of the output.
# slapcat -n 0 -l /tmp/east_ldap_user_list.ldif
or # slapcat -l /tmp/east_ldap_user_list.ldif
Then copy that file to the Destination server:/tmp
On Destination server:
# service slapd stop
tar up and then delete all files in /usr/local/openldap/var/openldap-data:
# cd /usr/local/openldap/var
# tar cvf openldap-data.tar openldap-data
# cd openldap-data
# cp DB_CONFIG ..
# rm -f *
# cp ../DB_CONFIG .
# slapadd -l /tmp/east_ldap_user_list.ldif
If you get the following error message:
slapadd: line 1: database #1 (dc=luthresearch,dc=net) not configured to hold "dc=myplace,dc=local"; no database configured for that naming context
Then run the following:
# cd /tmp
# cat > ldapadd.sed <<EOF
/^creatorsName:/d
/^createTimestamp:/d
/^modifiersName:/d
/^modifyTimestamp:/d
/^structuralObjectClass:/d
/^entryUUID:/d
/^entryCSN:/d
EOF
# cat /tmp/east_ldap_user_list.ldif | sed -f ldapadd.sed > /tmp/east_ldap_user_list_updated.ldif
Clear out any bogus entries at the top of the /tmp/east_ldap_user_list_updated.ldif file and then rerun the slapadd command:
# slapadd -l /tmp/east_ldap_user_list_updated.ldif
# chown -R ldap:ldap /usr/local/berkeleydb/openldap-logs
# chown -R ldap:ldap /usr/local/openldap
# service slapd restart
Verify that the number of entries is correct
# ldapsearch -x -b 'dc=luthresearch,dc=net' '(object*)' | tail
Make sure the numEntries count is the same as when you first ran this command from the Source server.
Reference: http://virtualtee.blogspot.com/2012/02/openldap-after-upgrading-debian.html
----------------------------------------------------------------
Create adduser.ldif template for adding new LDAP users:
Create the following /etc/openldap/adduser.ldif file:
dn: uid=luthtest,ou=People,dc=luthresearch,dc=net
cn: Luth Test
objectclass: account
objectclass: sambaSamAccount
sambaSID: S-1-5-21-924209702-1057988766-553982440-3096
# This is the NT Hash value generated by running "smbencrypt luthtestpass" on the PopTop
# server (LDIF only treats a line starting with '#' as a comment; an inline '# ...' would become part of the attribute value)
sambaNTPassword: 29D05F5BDEB37E2C5B6682D07EB5F3EC
objectclass: top
objectclass: shadowAccount
userPassword: luthtestpass
-------------------------------------------------------------------------
OpenLDAP Mirror Mode Replication Configuration:
References: http://www.openldap.org/doc/admin24/replication.html
http://www.openldap.org/lists/openldap-software/200906/msg00029.html
Add the following lines to this file (the replication-specific directives are moduleload syncprov.la, the overlay syncprov / syncprov-* lines, serverID, the syncrepl block and mirrormode; the rest is the standard slapd.conf):
[root@dev-ldap04 ~]# vi /usr/local/openldap/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/openldap.schema
include /usr/local/openldap/etc/openldap/schema/RADIUS-LDAPv3.schema
include /usr/local/openldap/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
# Allows ldapsearch to return the full entry count
sizelimit unlimited
# Load dynamic backend modules:
# modulepath /usr/local/openldap/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
moduleload syncprov.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=luthresearch,dc=net"
rootdn "cn=Manager,dc=luthresearch,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {CRYPT}9KfIO0kVs.2rM
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/openldap/var/openldap-data
# Indices to maintain
# index objectclass,entryCSN,entryUUID eq
index objectClass eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# serverID, rid and provider point to the other LDAP server
serverID 5
syncrepl rid=005
provider=ldap://dev-ldap05
bindmethod=simple
binddn="cn=Manager,dc=luthresearch,dc=net"
credentials=secret
searchbase="dc=luthresearch,dc=net"
schemachecking=on
retry="60 +"
mirrormode on
-------------------------------------------------------------------------
slapd Service Fail-over:
Create public/private keys:
Reference: http://www.dotkam.com/2009/03/10/run-commands-remotely-via-ssh-with-no-password/
Add the following highlighted lines to ~/vip_monitor.sh:
[root@dev-ldap04 ~]# cat vip_monitor.sh
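#!/bin/sh
# vip_monitor.sh -- watch the other HA node and take over the Virtual IP (VIP)
# when that node stops answering pings, or when slapd on it reports
# "not running". Loops forever, probing once a minute; it is started at boot
# by cron, so it has no tty and must never block waiting for a prompt.
#
# Reads:    /etc/profile.d/aws-apitools-common.sh (AWS env + EC2-role credentials)
#           ~/.ssh/id_rsa_ldap04 (key for root@<other node>, loaded into an ssh-agent)
# Outputs:  progress lines on stdout (the caller redirects them to a log),
#           an alert e-mail to $EMAIL on every take-over
# Requires: EC2 permissions ec2:DescribeInstances and ec2:AssignPrivateIpAddresses
#
# High Availability IP variables
# Other node's IP to ping and VIP to swap if other node goes down
HA_Node_IP=10.15.2.185
HA_Node_Name=dev-ldap05
VIP=10.15.2.160
MYSELF="Dev-LDAP04"
EMAIL="[email protected]"
# Specify the EC2 region that this will be running in
REGION=us-west-2

# Run aws-apitools-common.sh to set up default environment variables and to
# leverage AWS security credentials provided by EC2 roles
. /etc/profile.d/aws-apitools-common.sh

# Determine the instance and ENI IDs so we can reassign the VIP to the
# correct ENI. Requires EC2 describe-instances and assign-private-ip-address
# permissions. The following example EC2 roles policy will authorize these
# commands:
# {
# "Statement": [
# {
# "Action": [
# "ec2:AssignPrivateIpAddresses",
# "ec2:DescribeInstances"
# ],
# "Effect": "Allow",
# "Resource": "*"
# }
# ]
# }
Instance_ID=$(/usr/bin/curl --silent http://169.254.169.254/latest/meta-data/instance-id)
# First line of the describe output mentioning "eni"; column 2 is taken as the
# ENI id -- presumably the NIC line of the report, verify against the tool's format.
ENI_ID=$(/opt/aws/bin/ec2-describe-instances "$Instance_ID" --region "$REGION" \
  | grep -m 1 eni | awk '{print $2;}')

# Without these two ids every take-over below would silently fail, so stop now
# rather than loop forever doing nothing useful.
if [ -z "$Instance_ID" ] || [ -z "$ENI_ID" ]; then
  echo "$(date) -- cannot determine instance/ENI id (got '$Instance_ID' / '$ENI_ID'), exiting" >&2
  exit 1
fi

# log MESSAGE... -- timestamped progress line on stdout
log() {
  echo "$(date) $*"
}

# alert MESSAGE -- e-mail MESSAGE to $EMAIL with this host's name as subject.
# The body is piped straight into mail; the old /tmp/alert.txt was a fixed,
# root-written path in a world-writable directory.
alert() {
  printf '%s\n' "$1" | /bin/mail -s "$MYSELF" "$EMAIL"
}

# take_over_vip -- move the VIP onto this instance's ENI. --allow-reassignment
# pulls the address away from the other node with no fencing, so a one-sided
# heartbeat failure (e.g. a network partition) can leave both nodes claiming it.
take_over_vip() {
  /opt/aws/bin/ec2-assign-private-ip-addresses -n "$ENI_ID" \
    --secondary-private-ip-address "$VIP" --allow-reassignment --region "$REGION"
}

# ping_replies COUNT HOST -- print the number of echo replies received (0 = unreachable)
ping_replies() {
  ping -c "$1" -W 1 "$2" | grep -c 'time='
}

# peer_ssh COMMAND... -- run COMMAND as root on the other node. BatchMode and
# ConnectTimeout keep an unreachable or prompting host from hanging the loop.
# NOTE(review): this key grants unrestricted root on the peer; restricting it in
# the peer's authorized_keys (command= / from=) to the two commands used here
# would limit the damage if this host is compromised.
peer_ssh() {
  ssh -o BatchMode=yes -o ConnectTimeout=10 "root@$HA_Node_IP" "$@"
}

# The agent holds the key for the peer; kill it when the monitor exits instead
# of leaving an orphan agent process behind.
eval "$(ssh-agent)"
trap 'kill "$SSH_AGENT_PID" 2>/dev/null' EXIT
ssh-add ~/.ssh/id_rsa_ldap04

log "-- Starting HA monitor"
while true; do
  log "Testing..."
  if [ "$(ping_replies 3 "$HA_Node_IP")" = "0" ]; then
    log "-- HA heartbeat failed, taking over VIP"
    take_over_vip
    # The VIP should answer locally once reassigned; if it does not, bounce
    # networking so the eth0:0 alias comes up on the new address.
    if [ "$(ping_replies 1 "$VIP")" = "0" ]; then
      echo "Server $HA_Node_Name is down."
      log "-- Restarting network"
      /sbin/service network restart > /dev/null 2>&1
    fi
    alert "$(date) -- HA heartbeat failed, taking over VIP"
  fi
  # Ask the other node whether slapd is running. The condition is grep's
  # status: true only when "not running" was reported. An ssh failure also
  # yields a non-zero status and is therefore treated as "slapd OK".
  if peer_ssh service slapd status | grep "not running"; then
    log "--slapd service down on $HA_Node_Name. Removing VIP from $HA_Node_Name."
    take_over_vip
    peer_ssh ifconfig eth0:0 "$VIP" netmask 255.255.255.0 down
    log "-- Restarting network"
    /sbin/service network restart > /dev/null 2>&1
    alert "$(date) --slapd service down on $HA_Node_Name. Removing VIP from $HA_Node_Name."
  fi
  sleep 60
done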
-------------------------------------------------------------------------
Amazon Server Fail-over:
Reference: http://aws.amazon.com/articles/2127188135977316
Add fail-over script to crontab:
# echo '@reboot /root/vip_monitor.sh >> /tmp/vip_monitor.log' | crontab ./vip_monitor.sh >> /tmp/vip_monitor.log &
and create the following /etc/sysconfig/network-scripts/ifcfg-eth0:0 file:
DEVICE=eth0:0
BOOTPROTO=dhcp
ONBOOT=yes
IPADDR=10.15.2.160
NETMASK=255.255.255.192
Now the interface eth0:0 is started up at reboot, and on only one of the servers at a time.
-------------------------------------------------------------------------
Modifications to OpenLDAP for StrongSwan:
For Scalability:
Reference: http://freeradius.org/features/scalability.html
# vi /etc/raddb/radiusd.conf
max_requests = 2048
max_servers = 128
-------------------------------------------------------------------------
Modifications to FreeRadius for StrongSwan:
Reference: http://tecadmin.net/freeradius-authentication-with-openldap/
Edit Radius LDAP files:
# vi /etc/raddb/modules/ldap
ldap {
set_auth_type = yes
basedn = "ou=People,dc=luthresearch,dc=net"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
...
}
set_auth_type = yes
# vi /etc/raddb/ldap.attrmap
checkItem User-Password userPassword
Enable LDAP authentication:
# vi /etc/raddb/sites-available/inner-tunnel
&
# vi /etc/raddb/sites-available/default
Auth-Type LDAP {
ldap
}
Restart the radiusd service:
# service radiusd restart
-------------------------------------------------------------------------
Modifications to StrongSwan for Radius/LDAP:
Increase sockets & threads, for scalability:
Reference: https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Parallel-RADIUS-sessions
# vi /etc/strongswan/strongswan.conf
charon {
...
...
plugins {
eap-radius {
servers {
server-a {
address = 10.16.251.126 # Point StrongSwan to authenticate to the VIP LDAP address
secret = e38tlfjslBY3Qb
sockets = 20
#accounting = yes
}
}
}
...
...
...
libstrongswan {
processor {
priority_threads {
medium = 30
}
}
...
...
...
dns1 = 10.17.0.2 # IP address from /etc/resolv.conf
Configure private IP address and Virtual IP address pool
# vi /etc/strongswan/ipsec.conf
conn ios
left=10.17.252.168 # Local IP address
leftid="C=CH, O=Luth Research LLC, CN=West IPSEC01"
rightsourceip=10.16.0.0/19 # VIP address pool
Create IPTables settings
# vi /etc/sysconfig/iptables
-A POSTROUTING -s 10.16.0.0/19 -d 10.17.0.0/16 -p tcp -m tcp --dport 3128 -j ACCEPT
-A POSTROUTING -s 10.16.0.0/19 -j SNAT --to-source 10.17.252.168
After moving a cloned IPsec server, you must recreate the certificates with the new IP and proxy addresses using the following commands:
# cd /etc/strongswan/ipsec.d/certs
# strongswan pki --pub --in /etc/strongswan/ipsec.d/private/serverKey.pem | strongswan pki --issue --cacert /etc/strongswan/ipsec.d/cacerts/caCert.pem --cakey /etc/pki/tls/private/caKey.pem --dn "C=CH, O=Luth Research LLC, CN=West IPSEC01" --san="<new IP address>" --san="pw02.mb.surveysavvy.com" --san="p02.mb.surveysavvy.com" --flag serverAuth --flag ikeIntermediate --outform pem > /etc/strongswan/ipsec.d/certs/serverCert.pem
Verify:
# openssl x509 -in serverCert.pem -text -noout
Restart service:
# service strongswan restart
Add ldap-clients package:
# yum install openldap-clients
-------------------------------------------------------------------------
Modifications to OpenVPN server for LDAP:
# vi /etc/openvpn/auth/ldap.conf
<LDAP>
# LDAP server URL
URL ldap://<LDAP VIP address>:389
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN cn=Manager,dc=luthresearch,dc=net
# Bind Password
Password secret
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=People,dc=luthresearch,dc=net"
# User Search Filter
SearchFilter "(&(uid=%u))"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "ou=Groups,dc=luthresearch,dc=net"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
# vi /etc/openvpn/server.conf
proto tcp
port 443
dev tun
server 10.15.3.64 255.255.255.192 # client VPN IP address range
ca ca.crt
cert savvyconnect_mobile.crt
key savvyconnect_mobile.key
dh dh2048.pem
tls-auth ta.key 0
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri Sep 13 21:51:43 2013
*nat
:PREROUTING ACCEPT [1694:103138]
:POSTROUTING ACCEPT [981:68923]
:OUTPUT ACCEPT [981:68923]
-A POSTROUTING -s 10.15.3.64/26 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Sep 13 21:51:43 2013
# Generated by iptables-save v1.4.7 on Fri Sep 13 21:51:43 2013
*filter
:INPUT ACCEPT [170989:200690580]
:FORWARD ACCEPT [36519:25056860]
:OUTPUT ACCEPT [137871:38023526]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
COMMIT
# Completed on Fri Sep 13 21:51:43 2013
# service openvpn restart
-------------------------------------------------------------------------
Fix to the bogus service openvpn status output:
# service openvpn status
Status written to /var/log/messages
That does not actually write the status to the /var/log/messages file.
The fix is to add the following code to the /etc/rc.d/init.d/openvpn file:
status)
# Report the state of every OpenVPN instance by pairing each *.conf in the
# work directory with its pid file. $lock, $work and $piddir are set earlier
# in the init script (outside this excerpt) -- presumably the subsys lock
# file, the config directory and the pid directory; confirm before reuse.
if [ -f $lock ]
then
cd $work
# NOTE(review): the ls output is word-split here, which is fine only while
# the *.conf names contain no whitespace.
for c in `/bin/ls *.conf 2>/dev/null`
do
# instance name = config file name without its .conf suffix
bn=${c%%.conf}
pidf=$piddir/$bn.pid
if [ -s $pidf ]
then
pid=`cat $pidf`
# kill -0 delivers no signal; it only checks that the process exists
if kill -0 $pid
then
echo "$c $pid running"
else
# pid file present but the process is gone
echo "$c $pid aborted"
fi
else
# no (or empty) pid file for this config
echo "$c stopped"
fi
done
else
# no lock file: report not started and exit non-zero
echo "openvpn: service not started"
exit 1
fi
;;
Now the output gives us meaningful information on the status of OpenVPN:
# service openvpn status
server.conf 842 running