OpenLDAP – Enabling SSL on Replication


Can you tell me how I can modify the current configuration for olcSyncRepl?

I have the following situation:

  1. I configured a master LDAP server and a slave server
  2. I configured replication between these two servers (everything is working)
  3. I have the following configuration for the slave client:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://10.101.11.130:389/
  bindmethod=simple
  binddn="uid=rpuser,dc=itzgeek,dc=local"
  credentials=root1234
  searchbase="dc=itzgeek,dc=local"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00

And I want to add:

  1. Credentials not as plain text (I want to add {SSHA}….)
  2. Add certificates (I have also enabled ldaps with self-signed certificates .crt and .key)

I would like you to advise me how to configure and modify it safely. I do not want to spoil the current server settings. For example, how could I change the IP address of the current master server? If someone answers this, I will be able to test the rest of the changes.

PS

I know that it is possible to modify the files in /etc/openldap/slapd.d/cn=config,
but can you tell me how I can use LDIF files and ldapi to update the config?

Best Answer

As a reference, I post the syncrepl directives used in Æ-DIR:

olcSyncrepl: rid=001
  provider=ldaps://ae-dir-p1.example.com
  bindmethod=sasl
  saslmech=EXTERNAL
  starttls=no
  tls_cert="/opt/ae-dir/etc/tls/ae-dir-c1.example.com.crt"
  tls_key="/opt/ae-dir/etc/tls/ae-dir-c1.example.com.key"
  tls_cacert="/opt/ae-dir/etc/tls/my-ae-dir-testca-2017-06.pem"
  tls_reqcert=demand
  crlcheck=none
  filter="(objectClass=*)"
  searchbase="dc=ae-dir,dc=example,dc=org"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 +"

First of all, you should not use an IP address in the LDAP URL for provider=. Rather get a correctly issued TLS server cert for the hostname, and then OpenLDAP slapd will conduct the correct TLS hostname check to prevent MITM attacks (see RFC 6125).

I assume that you have TLS configured on your provider and consumer instances. The above syncrepl configuration uses the already configured TLS server certificate also as TLS client certificate for replication.

In the case of TLS client certs, the resulting authentication identity (authc-DN) is the subject DN in the client certificate. You might want to map that to an authorization identity (authz-DN) of an existing LDAP entry. This can be achieved by adding olcAuthzRegexp to cn=config like this:

olcAuthzRegexp:
  "(cn=[^,]+,OU=ITS,O=My Org)"
  "ldap:///dc=ae-dir,dc=example,dc=org??sub?(&(objectClass=pkiUser)(seeAlso=$1)(seeAlso:dnSubordinateMatch:=OU=ITS,O=My Org)(aeStatus=0))"

With the above, a subject DN ending with OU=ITS,O=My Org will be mapped to an LDAP entry with object class pkiUser that has the client cert's subject DN stored in attribute seeAlso, like this:

dn: uid=ae-dir-slapd_ae-dir-deb-c1,cn=ae,dc=ae-dir,dc=example,dc=org
aeStatus: 0
cn: ae-dir-slapd_ae-dir-deb-c1
memberOf: cn=ae-replicas,cn=ae,dc=ae-dir,dc=example,dc=org
objectClass: account
objectClass: aeObject
objectClass: aeService
objectClass: pkiUser
objectClass: posixAccount
seeAlso: cn=ae-dir-c1.example.com,OU=ITS,O=My Org
[..]

You can then properly authorize this service user entry, in the above example via LDAP group ae-replicas.
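The question asks how to push such a change with an LDIF file over ldapi, and the answer's point is to move from a plaintext password and an IP literal to a hostname plus a TLS client certificate. The following shell script is an added example, not part of the original post or of Æ-DIR: it generates the LDIF that replaces the consumer's olcSyncrepl value with a SASL EXTERNAL client-cert configuration, refuses an IPv4 literal as provider host, and applies the LDIF over the local ldapi socket. Hostnames, the rid, and the certificate paths are assumptions to adjust for your own setup.

```shell
# Added example (not from the original post): rewrite olcSyncrepl over ldapi.
# All hostnames, rid and file paths are assumptions; adjust to your setup.
set -eu

# Reject an IPv4 literal as provider host: slapd can only do the RFC 6125
# hostname check when the URL carries the name that is in the server cert.
provider_host_ok() {
    case "$1" in
        *[!0-9.]*) return 0 ;;   # contains letters or other chars: a hostname
        *) return 1 ;;           # only digits and dots: an IP literal
    esac
}

# Print an LDIF "modify" that replaces the olcSyncrepl value on olcDatabase={2}hdb.
# "replace" drops every existing value, so list every rid you still need
# (the question has only rid=001). A line starting with one space is an LDIF
# continuation; the second space separates the syncrepl keywords after joining.
# No credentials= line: with bindmethod=sasl saslmech=EXTERNAL the client
# cert is the credential, so no password sits in cn=config.
syncrepl_ldif() {
    host=$1 rid=$2 base=$3 cert=$4 key=$5 cacert=$6
    provider_host_ok "$host" || { echo "refusing IP literal provider: $host" >&2; return 1; }
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=$rid
  provider=ldaps://$host/
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert="$cert"
  tls_key="$key"
  tls_cacert="$cacert"
  tls_reqcert=demand
  searchbase="$base"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 +"
EOF
}

# Apply as root over the local socket: SASL EXTERNAL on ldapi maps the
# uid 0 peer credential to the cn=config administrator on stock installs.
apply_ldif() {
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$1"
}
```

Typical use is `syncrepl_ldif ldap1.example.com 001 "dc=itzgeek,dc=local" /etc/openldap/certs/consumer.crt /etc/openldap/certs/consumer.key /etc/openldap/certs/ca.pem > syncrepl.ldif`, reviewing the file, then `apply_ldif syncrepl.ldif`; the provider must list the consumer cert's subject DN (or its olcAuthzRegexp mapping) in its access rules, as the answer describes.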