No edit summary |
(Drop direct Test Days category membership) |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{|border="1" | |||
|-style="color: white; background-color: #3074c2; font-weight: bold" | |||
| DATE || TIME || WHERE | |||
|- | |||
| '''2010-10-14''' || From ''09:00'' to ''21:00'' UTC (5am -> 5pm EDT) || [irc://irc.freenode.net/fedora-test-day #fedora-test-day] ([http://webchat.freenode.net/?channels=fedora-test-day webirc]) | |||
|- | |||
|} | |||
{{admon/note | Can't make the date? | If you come to this page before or after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find at [http://bugzilla.redhat.com Bugzilla], and add your results to the results section. If this page is more than a month old when you arrive here, please check the [[QA/Test_Days|current schedule]] and see if a similar but more recent Test Day is planned or has already happened.}} | |||
== What to test? == | |||
Today's installment of Fedora Test Day will focus on '''OpenLDAP with TLS encryption'''. OpenLDAP in Fedora 14 uses Mozilla NSS instead of OpenSSL crypto backend. This change should have no effect for users, but to be sure we want to test OpenLDAP server and as many programs using OpenLDAP libraries (libldap) as possible. | |||
== Who's available == | |||
The following cast of characters will be available testing, workarounds, bug fixes, and general discussion ... | |||
* Development - Jan Zeleny ([[User:jzeleny|jzeleny]]), Jan Vcelak ([[User:jvcelak|jvcelak]]), Rich Megginson ([[User:rmeggins|rmeggins]]) | |||
* Quality Assurance - Ondrej Moris ([[User:omoris|omoris]]) | |||
== Prerequisite for Test Day == | |||
# '''Fedora 14''' (or Rawhide) system | |||
# <code>openldap</code> and <code>openldap-clients</code> packages | |||
# optionally for testing server: <code>openldap-servers</code> package | |||
# at least one application from [[#Packages_list|package list]] below | |||
== Packages list == | |||
<div style="float:left;margin-right:20pt"> | |||
===== Priority 1 (the most important) ===== | |||
{| | |||
! Package | |||
! Taken by | |||
! Notes | |||
|- | |||
| openldap-clients | |||
| omoris | |||
| {{result|pass}} | |||
|- | |||
| openldap-servers | |||
| omoris | |||
| {{result|pass}} | |||
|- | |||
| am-utils | |||
| | |||
| | |||
|- | |||
| audit | |||
| | |||
| | |||
|- | |||
| autofs | |||
| jvcelak | |||
| {{result|pass}} | |||
|- | |||
| krb5-workstation | |||
| | |||
| | |||
|- | |||
| nss_ldap | |||
| omoris | |||
| {{result|pass}} | |||
|- | |||
| nss-pam-ldapd | |||
| omoris | |||
| {{result|pass}} | |||
|- | |||
| openssh | |||
| mvadkert | |||
| {{result|pass}} | |||
|- | |||
| pam_ldap | |||
| omoris | |||
| {{result|pass}} | |||
|- | |||
| python-ldap | |||
| jvcelak | |||
| {{result|pass}} | |||
|- | |||
| ruby-ldap | |||
| alich | |||
| {{result|pass}} | |||
|- | |||
| sssd | |||
| shanks | |||
| {{result|pass}} | |||
|- | |||
| sudo | |||
| alich | |||
| {{result|pass}} | |||
|- | |||
| libuser | |||
| mvadkert | |||
| {{result|pass}} | |||
|- | |||
| nfs-utils-lib | |||
| | |||
| | |||
|- | |||
| quota | |||
| mvadkert | |||
| {{result|pass}} | |||
|- | |||
|} | |||
</div> | |||
<div style="float:left;margin-right:20pt"> | |||
===== Priority 2 ===== | |||
{| | |||
! Package | |||
! Taken by | |||
! Notes | |||
|- | |||
| bdii | |||
| | |||
| | |||
|- | |||
| bind-dyndb-ldap | |||
| | |||
| | |||
|- | |||
| bind | |||
| | |||
| | |||
|- | |||
| cups | |||
| | |||
| | |||
|- | |||
| curl | |||
| ksrot | |||
| {{result|pass}} | |||
|- | |||
| dhcp | |||
| | |||
| | |||
|- | |||
| dirmngr | |||
| | |||
| | |||
|- | |||
| httpd | |||
| | |||
| | |||
|- | |||
| lighttpd | |||
| | |||
| | |||
|- | |||
| mod_authz_ldap | |||
| | |||
| | |||
|- | |||
| mod_perl | |||
| | |||
| | |||
|- | |||
| mod_revocator | |||
| | |||
| | |||
|- | |||
| openvpn-auth-ldap | |||
| | |||
| | |||
|- | |||
| php | |||
| jgorig | |||
| {{result|pass}} | |||
|- | |||
| postgresql | |||
| | |||
| | |||
|- | |||
| proftpd | |||
| jgorig | |||
| {{result|pass}} | |||
|- | |||
| pure-ftpd | |||
| | |||
| | |||
|- | |||
|} | |||
</div> | |||
<div style="float:left;margin-right:20pt"> | |||
===== Priority 3 ===== | |||
{| | |||
! Package | |||
! Taken by | |||
! Notes | |||
|- | |||
| cyrus-imapd | |||
| | |||
| | |||
|- | |||
| cyrus-sasl | |||
| | |||
| | |||
|- | |||
| dbmail | |||
| | |||
| | |||
|- | |||
| dovecot | |||
| | |||
| | |||
|- | |||
| exim | |||
| | |||
| | |||
|- | |||
| freeradius | |||
| | |||
| | |||
|- | |||
| jabberd | |||
| | |||
| | |||
|- | |||
| sendmail | |||
| | |||
| | |||
|- | |||
| samba | |||
| | |||
| | |||
|- | |||
| samba4 | |||
| | |||
| | |||
|- | |||
| ocspd | |||
| | |||
| | |||
|- | |||
| pdns | |||
| | |||
| | |||
|- | |||
| postfix | |||
| | |||
| | |||
|- | |||
| ss5 | |||
| | |||
| | |||
|- | |||
| zabbix | |||
| | |||
| | |||
|- | |||
| | |||
| | |||
| | |||
|- | |||
| | |||
| | |||
| | |||
|} | |||
</div> | |||
<div style="float:left;margin-right:20pt"> | |||
===== Priority 4 ===== | |||
{| | |||
! Package | |||
! Taken by | |||
! Notes | |||
|- | |||
| activemq-cpp | |||
| | |||
| | |||
|- | |||
| apr-util | |||
| | |||
| | |||
|- | |||
| ipa | |||
| | |||
| | |||
|- | |||
| asterisk | |||
| | |||
| | |||
|- | |||
| callweaver | |||
| | |||
| | |||
|- | |||
| cluster | |||
| | |||
| | |||
|- | |||
| dspam | |||
| | |||
| | |||
|- | |||
| nagios-plugins | |||
| | |||
| | |||
|- | |||
| nufw | |||
| | |||
| | |||
|- | |||
| opal | |||
| | |||
| | |||
|- | |||
| openser | |||
| | |||
| | |||
|- | |||
| opensips | |||
| | |||
| | |||
|- | |||
| squid | |||
| | |||
| | |||
|- | |||
| virtuoso-opensource | |||
| | |||
| | |||
|- | |||
| zarafa | |||
| | |||
| | |||
|- | |||
| | |||
| | |||
| | |||
|- | |||
| | |||
| | |||
| | |||
|} | |||
</div> | |||
<div style="float:left;margin-right:20pt;border:none"> | |||
===== Priority 5 ===== | |||
{| | |||
! Package | |||
! Taken by | |||
! Notes | |||
|- | |||
| alpine | |||
| | |||
| | |||
|- | |||
| claws-mail | |||
| | |||
| | |||
|- | |||
| ekiga | |||
| | |||
| | |||
|- | |||
| evolution-exchange | |||
| | |||
| | |||
|- | |||
| evolution | |||
| | |||
| | |||
|- | |||
| GConf2 | |||
| | |||
| | |||
|- | |||
| gq | |||
| | |||
| | |||
|- | |||
| gnupg | |||
| | |||
| | |||
|- | |||
| gnupg2 | |||
| | |||
| | |||
|- | |||
| kdesvn | |||
| | |||
| | |||
|- | |||
| ldapvi | |||
| | |||
| | |||
|- | |||
| myproxy | |||
| | |||
| | |||
|- | |||
| rapidsvn | |||
| | |||
| | |||
|- | |||
| seahorse | |||
| | |||
| | |||
|- | |||
| subcommander | |||
| | |||
| | |||
|- | |||
| sylpheed | |||
| | |||
| | |||
|- | |||
| wine | |||
| | |||
| | |||
|- | |||
|} | |||
</div> | |||
<div style="float:left;margin-right:20pt"> | |||
===== Priority 6 (the least important) ===== | |||
{| | |||
! Package | |||
! Taken by | |||
! Notes | |||
|- | |||
| echoping | |||
| | |||
| | |||
|- | |||
| kdebase3 | |||
| | |||
| | |||
|- | |||
| kdepimlibs | |||
| | |||
| | |||
|- | |||
| log4cxx | |||
| | |||
| | |||
|- | |||
| migrationtools | |||
| | |||
| | |||
|- | |||
| ovaldi | |||
| | |||
| | |||
|- | |||
| pathfinder | |||
| | |||
| | |||
|- | |||
| ptlib | |||
| | |||
| | |||
|- | |||
| root | |||
| | |||
| | |||
|- | |||
|} | |||
</div> | |||
<hr style="clear:both;border:none;" /> | |||
== Testing environment == | |||
=== Update your machine === | |||
If you're running Fedora 14, make sure you have all the current updates for it installed, using the update manager. | |||
=== Kickstart / Live DVD === | |||
We recommend the testing to be done in virtual machine, using a Fedora 14 network install as installation medium. Boot and installation images are available ([http://download.fedoraproject.org/pub/fedora/linux/releases/test/14-Beta/Fedora/i386/iso/Fedora-14-Beta-i386-netinst.iso i386], [http://download.fedoraproject.org/pub/fedora/linux/releases/test/14-Beta/Fedora/x86_64/iso/Fedora-14-Beta-x86_64-netinst.iso x86_64]) | |||
If you want to download Live medium, we have two LiveCDs available for you [http://kparal.fedorapeople.org/testdays/2010-10-14_OpenLDAP_NSS/ here]. | |||
These images contain LiveCDs with shortcuts to IRC and this wiki page. They also have all Priority 1 programs pre-installed in case you want to test one of them. | |||
=== Available testing servers === | |||
{{admon/note|You can use your server|You don't have to use our testing servers. Feel free to configure yours, we provide [[#OpenLDAP_server_2|nice step by step guide.]]}} | |||
{{admon/warning|Test OpenLDAP with MozNSS primarily|Please, use mainly openldap03. The other servers are only for reference, to reveal possible behavior changes.}} | |||
{{admon/caution|Test Day is over|The servers are no longer available.}} | |||
{| | |||
! server !! service !! package version || base DN | |||
|- | |||
| openldap01.fedoraproject.org || OpenLDAP + OpenSSL || openldap-servers-2.4.21-11.fc13.x86_64 || dc=silver,dc=testday | |||
|- | |||
| openldap02.fedoraproject.org || 389 Directory Server || 389-ds-base-1.2.7.a1 || dc=example,dc=com | |||
|- | |||
| '''openldap03.fedoraproject.org''' || OpenLDAP + MozNSS || openldap-servers-2.4.22-7.fc14.x86_64 || dc=gold,dc=testday | |||
|} | |||
Download [http://jvcelak.fedorapeople.org/testday-101014/cacert.pem OpenLDAP Testday CA certificate] (PEM format). Certificates of testing servers are signed by this CA. | |||
==== Accessing our servers ==== | |||
* You can use anonymous bind for '''read only''' access. | |||
* For '''read-write''' access use bind name ''cn=Tester,dc=silver,dc=testday'' and password ''openldap''. Subtree ''ou=free,dc=base,dc=testday'' is ready for your experiments. Please create some organization unit with your name under it, not to conflict with other testers. (Don't forgot to replace dc=silver correctly for other servers.) | |||
(read-write access is now set up for openldap02 - use the cn=Tester user) | |||
== How to test? == | |||
Choose one of applications in the list above and mark it on this page by adding your name into "Taken by" column. Perform some testing. Below is a table of features what might be tested. The table lists common OpenLDAP based applications and the TLS options used. The table lists some features which are supported by <code>ldap.conf</code> file. If your application uses OpenLDAP and is able to configure it to use TLS/SSL, you will probably have similar configuration options. | |||
You can use our [[#Available_servers|prepared LDAP server]] for your testing. | |||
==== Example configurations ==== | |||
===== OpenLDAP command line tools ===== | |||
* Application: <code>ldapsearch</code>, <code>ldapmodify</code>, et. al. | |||
* Default config file: <code>/etc/openldap/ldap.conf</code>, <code>~/.ldaprc</code> | |||
* Manual page: ldap.conf | |||
* [[#Libldap|Step by step configuration]] | |||
Use the -Z (prefer TLS) or -ZZ (require TLS) command line options to use StartTLS with ldap:// URIs. | |||
{| | |||
! Config option !! Description !! Example | |||
|- | |||
| URI | |||
| LDAP URI - use ldaps:// for LDAPS, or use ldap:// with -Z cmd line flag for starttls | |||
| ldaps://ldap.example.com:636/ | |||
|- | |||
| TLS_CACERT | |||
| Full path and filename of file containing CA certificates to use | |||
| /etc/pki/tls/certs/ca-bundle.crt | |||
|- | |||
| TLS_CACERTDIR | |||
| Full path name of directory containing CA certificates in separate files | |||
| /etc/openldap/cacerts | |||
|- | |||
| TLS_CERT | |||
| Full path name and file name of client cert file | |||
| /home/user/myusercert.pem | |||
|- | |||
| TLS_KEY | |||
| Full path name and file name of cert private key file - must be unencrypted | |||
| /home/user/myuserkey.pem | |||
|- | |||
| TLS_CIPHER_SUITE | |||
| Specifies TLS cipher suites to use | |||
| HIGH:MEDIUM:+SSLv3 | |||
|- | |||
| TLS_REQCERT | |||
| Specifies what checks to perform on server certs | |||
| demand | |||
|} | |||
===== OpenLDAP server ===== | |||
* Default config file: <code>/etc/openldap/slapd.d/cn=config.ldif</code> | |||
* Manual page: slapd-config | |||
* [[#OpenLDAP_2|Step by step configuration]] | |||
Use the -H command line option to have slapd listen for LDAPS requests (e.g. slapd -H ldaps://hostname ....) | |||
{| | |||
! Config option !! Description !! Example | |||
|- | |||
| olcTLSCACertificateFile | |||
| Full path and filename of file containing CA certificates to use | |||
| /etc/pki/tls/certs/ca-bundle.crt | |||
|- | |||
| olcTLSCACertificatePath | |||
| Full path name of directory containing CA certificates in separate files | |||
| /etc/openldap/cacerts | |||
|- | |||
| olcTLSCertificateFile | |||
| Full path name and file name of server cert file | |||
| /home/user/myusercert.pem | |||
|- | |||
| olcTLSCertificateKeyFile | |||
| Full path name and file name of server private key file - must be unencrypted | |||
| /home/user/myuserkey.pem | |||
|- | |||
| olcTLSCipherSuite | |||
| Specifies TLS cipher suites to use | |||
| HIGH:MEDIUM:+SSLv3 | |||
|- | |||
| olcTLSVerifyClient | |||
| Specifies what checks to perform on incoming client certs | |||
| demand | |||
|} | |||
For OpenLDAP server, we also need to test server-to-server interactions that use TLS. For example, test replication from a server using Mozilla NSS to another server using OpenSSL using LDAPS or StartTLS. Try a back-ldap or back-meta configuration using TLS/SSL. | |||
===== pam_ldap/nss_ldap ===== | |||
* Default config file: <code>/etc/ldap.conf</code> | |||
* Manual page: nss_ldap | |||
{| | |||
! Config option !! Description !! Example | |||
|- | |||
| uri | |||
| LDAP URI - use ldaps:// for LDAPS, or use ldap:// with ssl start_tls option (see below) | |||
| uri ldaps://ldap.example.com:636/ | |||
|- | |||
| ssl on,off,start_tls | |||
| off - no TLS ; on - use LDAPS ; start_tls - use LDAP with the StartTLS operation (recommended) | |||
| ssl start_tls | |||
|- | |||
| tls_cacertfile | |||
| Full path and filename of file containing CA certificates to use | |||
| tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt | |||
|- | |||
| tls_cacertdir | |||
| Full path name of directory containing CA certificates in separate files | |||
| tls_cacertdir /etc/openldap/cacerts | |||
|- | |||
| tls_cert | |||
| Full path name and file name of client cert file for client cert auth (SASL/EXTERNAL) | |||
| tls_cert /path/to/myusercert.pem | |||
|- | |||
| tls_key | |||
| Full path name and file name of client cert private key file - must be unencrypted | |||
| tls_key /path/to/myuserkey.pem | |||
|- | |||
| tls_ciphers | |||
| Specifies TLS cipher suites to use | |||
| tls_ciphers HIGH:MEDIUM:+SSLv3 | |||
|- | |||
| tls_checkpeer yes,no | |||
| check the server cert or no | |||
| tls_checkpeer yes | |||
|} | |||
=== Finishing test === | |||
After you perform testing, it is important to report results. A special section '''Test Results''' is available. Here you should write: what program have you tested, what was tested (i.e. what tests were performed) and what was the result. After you fill this report, please add a mark into "Notes" column in package list: | |||
{| border="0" | |||
|- | |||
| {{result|pass}} || in case everything was ok | |||
|- | |||
| {{result|warn}} || in case there was probably something wrong | |||
|- | |||
| {{result|fail}} || in case the test failed | |||
|} | |||
In the latter two cases a description of what went wrong should be available in [[#Test Results|Test Results]] section below. | |||
== Step by step configurations == | |||
=== Libldap === | |||
{{admon/note|Many applications uses libldap setting|This describes how to setup trusted certificate authorities. Server certificates signed by these will be accepted. If you want to do testing with our testday servers, you will have to add at least our CA certificate.}} | |||
There are more possibilities of configuring trusted CAs. The easiest way is probably using TLS_CACERTDIR directory (<code>/etc/openldap/cacerts</code> in this example) with certificate files in PEM format.<br /> | |||
You can do it your way - may the force (<code>man ldap.conf</code>) be with you. Directory with MozNSS cert database, and one bundle CA file are supported as well. | |||
# install OpenLDAP client tools to have some simple tool for your configuration testing: <code>yum install openldap-clients</code> | |||
# you need hash for each certificate, you can use <code>c_hash</code> tool: | |||
#* run: <code>/etc/pki/tls/misc/c_hash /path/to/cert.pem</code> | |||
#* you should get something like: ''537ced62.0 => /path/to/cert.pem'' | |||
# create symlink in CA certs directory: | |||
#* <code>ln -s /path/to/cert.pem /etc/openldap/cacerts/537ced62.0</code> | |||
# repeat previous steps for each CA you trust | |||
# make sure, all certificates are readable for all users trough created symlinks | |||
# update <code>/etc/openldap/ldap.conf</code> | |||
#* add: TLS_CACERTDIR /etc/openldap/cacerts | |||
#* optionally, you can set up default server (URI) and search base (BASE) | |||
If you have a lot of certificates, you can use <code>c_rehash</code> tool from openssl-perl package. | |||
=== OpenLDAP server === | |||
{{admon/warning|Usual mistakes|Do not leave any empty lines in OpenLDAP server configuration files (everything in <code>/etc/openldap/slapd.d</code>).<br /> | |||
No olcTLS* option must be the last line in your database configuration or your server will not start (bug #641946), possible workaround is adding one extra line with comment (starting <code>#</code>).}} | |||
Quick help: <code>man slapd-config</code> | |||
# install OpenLDAP server: <code>yum install openldap-servers</code> | |||
# choose and set your server base DN, e.g. ''dc=copper,dc=testday'' | |||
# generate admin (manager) user password hash:<br/><code>slappasswd</code> | |||
# update /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif | |||
#* olcSuffix: dc=copper,dc=testday | |||
#* olcRootDN: cn=Manager,dc=copper,dc=testday | |||
#* olcRootPW: <admin-user-password-hash> | |||
# update /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif | |||
#* olcAccess: {0}to * by dn.base="cn=manager,dc=copper,dc=testday" read by * none | |||
# start your server: <code>service slapd start</code> | |||
# try your serve functionality | |||
#* <code>ldapsearch -H ldap://localhost -x -b "" -s base "(objectclass=*)" namingContexts</code> | |||
#* you should get: <code>namingContexts: dc=copper,dc=testday</code> | |||
# create base nodes | |||
#* download example [http://jvcelak.fedorapeople.org/testday-101014/root_copper.ldif root DN nodes] (LDIF) | |||
#* update DNs in that file | |||
#* import that file into the database: <br/><code>ldapadd -H ldap://localhost -x -D "cn=Manager,dc=copper,dc=testday" -W -f root.ldif</code> | |||
# install BDB configuration file | |||
#* <code>cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG</code> | |||
# restart your server: <code>service slapd restart</code> | |||
# '''your server is now configured and running without TLS''' | |||
# generate certificates for your server (if you don't have any), we offer you [[#Generating_certificates|step by step guide]] | |||
# update <code>/etc/openldap/slapd.d/cn=config.ldif</code>, add following options (customised): | |||
#* olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem | |||
#* olcTLSCertificateFile: /etc/openldap/certs/server.pem | |||
#* olcTLSCertificateKeyFile: /etc/openldap/certs/server.pem | |||
# make your certificates readable for <code>ldap</code> user | |||
# enable at least ldaps:// interface in <code>/etc/sysconfig/ldap</code>: | |||
#* SLAPD_LDAP=yes (default) | |||
#* SLAPD_LDAPS=yes | |||
#* SLAPD_LDAPI=yes (optional) | |||
# restart your server: <code>service slapd restart</code> | |||
# '''your server is running with TLS support''' | |||
# test that your configuration is working | |||
#* without TLS: ldapsearch -x -H ldap://localhost -b "dc=copper,dc=testday" | |||
#* with TLS: ldapsearch -x -H ldaps://localhost -b "dc=copper,dc=testday" | |||
=== Generating certificates === | |||
===== Use your own CA ===== | |||
There are more possibilities. The easiest way is installing '''TinyCA''' GUI, which will handle everything you need. You need not perform this task on your testing system. | |||
# install TinyCA: <code>yum install tinyca2</code> | |||
# create new certification authority | |||
# create new certificate request | |||
#* select 'Requests' tab | |||
#* right-click into the emtpy list of requests and select 'New Request' | |||
#* use pre-filled values, set 'Common Name' to match your server hostname | |||
#* set some pass-phrase (which will be removed anyway) | |||
#* click 'OK' | |||
# sign the certificate request | |||
#* right-click on the certificate request and select 'Sign Request', 'Sign Request (Server)' | |||
#* you will be prompted for CA password | |||
#* signed certificate will appear under 'Certificates' tab | |||
# export your key + certificate for server | |||
#* open 'Keys' tab | |||
#* right click on appropriate key and select 'Export' | |||
#* select export location (file) | |||
#* Export Format: PEM | |||
#* Without Passphrase: Yes | |||
#* Include Certificate (PEM): Yes | |||
#* click 'Save', provide your certificate pass-phrase password | |||
# export your CA certificate | |||
#* open 'CA' tab | |||
#* click on 'Export CA' icon in toolbar | |||
#* set filename, select PEM format and click on 'Save' | |||
# configure your server to use your key and certificate | |||
# configure your server and any clients to use/accept your CA | |||
===== Use our public sub CA with TinyCA ===== | |||
# download [http://jvcelak.fedorapeople.org/testday-101014/testday-public-ca.tar.gz public testday sub CA] | |||
# move the file into <code>~/.TinyCA</code> | |||
# extract the file: <code>tar xf testday-public-ca.tar.gz</code> | |||
# CA is ready, use it in TinyCA<br />CA password is: ''openldap'' | |||
# you have to add this CA certificate onto server | |||
## append it to your olcTLSCACertificateFile (really file, not option in config) | |||
## or use olcTLSCACertificatePath instead of olcTLSCACertificateFile | |||
===== Other ways ===== | |||
* [http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html OpenLDAP TLS guide] (can be used as well) | |||
== Test Results == | |||
After you are finished testing, please file a testing report below. The first report can | |||
be used as an example how it should look like. If you encounter any issue, please first | |||
consult it on IRC. If it will be verified as a bug, file a bugzilla against openldap | |||
component and add a note about it to your report. | |||
'''Tested program: abcd-1.5-3-fc14.x86_64''' | |||
* tried against all referential servers | |||
* tried TLS connection with and without client certificate | |||
* all test were tun with option CDEF turned on | |||
* all test were running fine, except one | |||
* bug #123456 was filed | |||
* bug #123457 was filed | |||
'''[omoris] Tested program: openldap-servers-2.4.22-7.fc14.i686 openldap-clients-2.4.22-7.fc14.i686''' | |||
* executed upstream self-test included in source rpm | |||
* all passed | |||
'''[ksrot] Tested program: curl-7.21.0-5.fc14.x86_64''' | |||
* tried the query LDAP database using following commands: | |||
curl 'ldap://openldap03.fedoraproject.org/dc=gold,dc=testday??sub' | |||
curl --cacert /etc/testday/cacert.pem 'ldaps://openldap03.fedoraproject.org/dc=gold,dc=testday??sub' | |||
curl 'ldap://openldap01.fedoraproject.org/dc=silver,dc=testday??sub' | |||
curl --cacert /etc/testday/cacert.pem 'ldaps://openldap01.fedoraproject.org/dc=silver,dc=testday??sub' | |||
* output looked fine | |||
'''[jvcelak] Tested program: openldap-2.4.23-1.fc15.x86_64 openldap-2.4.21-10.fc13.x86_64''' | |||
* reported bug #641946 (slapd init script gets stuck in an infinite loop) | |||
* OK: CA signed certificates (now used on silver and bronze) | |||
* OK: sub-CA signed certificates (now used on gold) | |||
* OK: referral chasing with TLS (tested including loops) | |||
* OK: Ldap backend with TLS, works as a proxy (tested including loops) | |||
* OK: self-signed certificates | |||
* OK: delta-syncrepl with TLS | |||
** verification with OpenSSL fails when connecting to localhost (host name doesn't match) | |||
** verification with MozNSS works well when connecting to localhost or hostname | |||
** verification with MozNSS fails when using certificate and hostname doesn't match | |||
* MozNSS error messages often miss explanation (like -8172 Unknown error) | |||
'''[mvadkert] Tested program: openssh-5.5p1-21.fc14.2.x86_64''' | |||
* omoris and jvcelak added openssh.scheme and a test user | |||
* tested with ssh-ldap-helper | |||
root@freedom openldap]# /usr/libexec/openssh/ssh-ldap-helper -vvv -f /etc/openldap/ldap.conf -s user2 | |||
debug1: Reading configuration data /etc/openldap/ldap.conf | |||
debug3: === Configuration === | |||
debug3: URI ldaps://openldap03.fedoraproject.org | |||
debug3: Host openldap03.fedoraproject.org | |||
debug3: Port 636 | |||
debug3: SSL Yes | |||
debug3: Ldap_Version 3 | |||
debug3: Base ou=omoris,ou=free,dc=gold,dc=testday | |||
debug3: BindDN cn=Tester,dc=gold,dc=testday | |||
debug3: BindPW openldap | |||
debug3: Scope Sub | |||
[snip] | |||
debug1: LDAP do connect | |||
debug3: Set TLS CA cert dir /etc/openldap/cacerts | |||
debug3: Set TLS check peer to 1 | |||
debug3: LDAP initialize ldaps://openldap03.fedoraproject.org | |||
[snip] | |||
debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=user2)) | |||
ssh-rsa | |||
AAAAB3NzaC1yc2EAAAABIwAAAQEAsDA+I14oBeVd7ceujknbvc3i2Qfnx2Q1vPatRcwPfWLF2H4fPUuUypkJjswvJXxZun+7h1tNpZPMvKCxMLNph4follk35MXT01LZYtW3rs3bdYL+9vBO7ns1+MDrrusotM3f+j90VhPVn5MhgPABVAaSVoTGn058d/N/R1pMMvnRrKhBYlLG0Yb4WesvJQCL9GkbPqjn7tWZQNbDqnIA/TgYe87ES7rsC8ZFObSYYhWXJqnYb8ysQRVLTRUxE/EzYWM0YUIuYIN9eRzUJW9rFmlVDalUjzwIK6dkhkl4xN3vX5lSL3OCJlwIxUoQLK2P9fEvbPlxd9IRSQNWFJO2HQ==mvadkert@dhcp-lab-118.englab.brq.redhat.com | |||
debug2: LDAP process user finished | |||
debug1: LDAP do close | |||
debug2: LDAP do close OK | |||
'''[jvcelak] Tested program: python-ldap-2.3.12-1.fc15.x86_64''' | |||
* not tested very deeply, basic operations work: | |||
#!/usr/bin/python | |||
import ldap | |||
import ldap.modlist as modlist | |||
l = ldap.initialize("ldaps://openldap03.fedoraproject.org", trace_level = 1) | |||
l.simple_bind_s("cn=Tester,dc=gold,dc=testday", "openldap") | |||
ldif = modlist.addModlist({ | |||
"objectClass" : [ "organizationalUnit", "top" ], | |||
"ou" : [ "jvcelak" ], | |||
}) | |||
l.add_s("ou=jvcelak,ou=free,dc=gold,dc=testday", ldif) | |||
print l.search_s("dc=gold,dc=testday", ldap.SCOPE_SUBTREE, "(cn=Manager)") | |||
l.delete_s("ou=jvcelak,ou=free,dc=gold,dc=testday") | |||
l.unbind_s() | |||
'''[mvadkert] Tested program: libuser-0.56.18-2.fc14''' | |||
* tested all libuser commands - found bug in lpasswd #643022 | |||
* generally works well after good setup in /etc/libuser.conf | |||
'''[omoris] Tested program: pam_ldap-185-5.fc14''' | |||
* tested password change, ssh connection, password change via ssh connection | |||
* no problems, works fine | |||
* testes via beakerlib using already prepared testcases | |||
'''[omoris] Tested program: nss_ldap-265-6.fc14 & nss-pam-ldapd.i686 0:0.7.7-1.fc14 ''' | |||
* tested getent, id of ldap users | |||
* no problems, works fine | |||
* testes via beakerlib using already prepared testcases | |||
'''[mvadkert] Tested program: quota-3.17-13.fc14.x86_64''' | |||
* mail stored in surname in LDAP user, quota works as expected with ldaps :) | |||
'''[amarecek] Tested program: sudo-1.7.4p4-3.fc14.x86_64''' | |||
* rights escalation with ldap users only | |||
* rights escalation with local users and ldap groups | |||
* rights escalation with ldap users containing white spaces (also "su" tested) | |||
* rights escalation with ldap groups containing white spaces | |||
'''[jgorig] Tested program: php-ldap-5.3.3-1.fc14.x86_64''' | |||
* basic operations works | |||
<?php | |||
$conn = ldap_connect("openldap03.fedoraproject.org"); | |||
if(!$conn) exit(ldap_error($conn)); | |||
$ret = ldap_start_tls($conn); | |||
if(!$ret) exit(ldap_error($conn)); | |||
$r = ldap_bind($conn, "cn=Tester,dc=gold,dc=testday", "openldap"); | |||
if(!$r) exit(ldap_error($conn)); | |||
$data["objectClass"][0] = "organizationalUnit"; | |||
$data["objectClass"][1] = "top"; | |||
$data["ou"] = "Testovac"; | |||
ldap_add($conn, "ou=Testovac,ou=free,dc=gold,dc=testday", $data); | |||
$sr = ldap_search($conn, "dc=gold,dc=testday", "ou=Testovac"); | |||
print_r(ldap_get_entries($conn, $sr)); | |||
ldap_delete($conn, "ou=Testovac,ou=free,dc=gold,dc=testday"); | |||
ldap_close($conn); | |||
'''[amarecek] Tested program: ruby-1.8.7.302-1.fc14.x86_64, ruby-ldap-0.9.7-10.fc12.x86_64''' | |||
* simple connection works | |||
#!/bin/env ruby | |||
require 'ldap' | |||
_host = 'openldap03.fedoraproject.org' | |||
_port = 389 | |||
_binddn = 'cn=Tester,dc=gold,dc=testday' | |||
_bindpw = 'openldap' | |||
_base = 'ou=alich,ou=free,dc=gold,dc=testday' | |||
connection = LDAP::Conn.new(_host, _port) | |||
connection.bind(_binddn, _bindpw) | |||
connection.perror("bind") | |||
scope = LDAP::LDAP_SCOPE_SUBTREE | |||
attrs = ['dn', 'cn'] | |||
items = ['posixAccount', 'posixGroup'] | |||
items.each { |item| | |||
filter = "(objectClass=#{item})" | |||
begin | |||
connection.search(_base, scope, filter) { |record| | |||
print "DN: #{record.dn}\n" | |||
print "ATTRS: #{record.attrs}\n" | |||
print "\tCN: #{record.vals('cn')}\n" | |||
print "#{record.to_hash}\n" | |||
} | |||
rescue LDAP::ResultError | |||
connection.perror("search") | |||
exit 1 | |||
end | |||
connection.perror("search") | |||
} | |||
connection.unbind | |||
* all data were found successfully | |||
'''[jvcelak] Tested program: autofs-5.0.5-31.fc15.x86_64''' | |||
* reported bug #643045 (outdated autofs.schema in openldap-servers) | |||
* automounter connects to LDAP server with TLS (ldap:// + requiretls, ldaps://) | |||
* automountMap successfully found | |||
* referring to another server using ldap:server:dn works | |||
* volumes mounted as expected | |||
'''[shanks] Tested program: sssd-1.3.0-35.fc14.x86_64 | |||
* Not tested deeply, basic operation of LDAP ID and auth works: | |||
[sssd[be[LDAP]]] [get_server_status] (7): Status of server 'fed14sssdldap.gsr.pnq.redhat.com' is 'working' | |||
[sssd[be[LDAP]]] [be_resolve_server_done] (4): Found address for server fed14sssdldap.gsr.pnq.redhat.com: [10.65.201.183] | |||
[sssd[be[LDAP]]] [sdap_connect_send] (4): Executing START TLS | |||
[sssd[be[LDAP]]] [sdap_ldap_connect_callback_add] (9): New LDAP connection to [ldap://fed14sssdldap.gsr.pnq.redhat.com:389] with fd [26]. | |||
[sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xe9d210], connected[1], ops[0xe7e280], ldap[0xea1220] | |||
[sssd[be[LDAP]]] [sdap_connect_done] (3): START TLS result: Success(0), Start TLS request accepted.Server willing to negotiate SSL. | |||
[sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 389 of server 'fed14sssdldap.gsr.pnq.redhat.com' as 'working' | |||
[sssd[be[LDAP]]] [set_server_common_status] (4): Marking server 'fed14sssdldap.gsr.pnq.redhat.com' as 'working' | |||
[sssd[be[LDAP]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0xec7d50 | |||
[sssd[be[LDAP]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0xec78c0 | |||
[sssd[be[LDAP]]] [ldb] (9): tevent: Destroying timer event 0xec78c0 "ltdb_timeout" | |||
[sssd[be[LDAP]]] [ldb] (9): tevent: Ending timer event 0xec7d50 "ltdb_callback" | |||
[sssd[be[LDAP]]] [find_password_expiration_attributes] (9): No password policy requested. | |||
[sssd[be[LDAP]]] [simple_bind_send] (4): Executing simple bind as: uid=puser1,ou=People,dc=example,dc=com | |||
[sssd[be[LDAP]]] [simple_bind_send] (8): ldap simple bind sent, msgid = 2 | |||
[sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xe9d210], connected[1], ops[0xec79e0], ldap[0xea1220] | |||
[sssd[be[LDAP]]] [sdap_process_result] (8): Trace: ldap_result found nothing! | |||
[sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xe9d210], connected[1], ops[0xec79e0], ldap[0xea1220] | |||
[sssd[be[LDAP]]] [simple_bind_done] (5): Server returned no controls. | |||
[sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Success(0), (null) | |||
'''[jgorig] Tested program: proftpd-1.3.3b-1.fc14.x86_64''' | |||
* user authentication works | |||
* [http://www.mustuniversityaccreditation.com Mustuniversity] | |||
* [http://www.aboutmustuniversity.com Must University] | |||
[[Category:Fedora 14 Test Days]] |
Latest revision as of 21:17, 26 June 2015
DATE | TIME | WHERE |
2010-10-14 | From 09:00 to 21:00 UTC (5am -> 5pm EDT) | #fedora-test-day (webirc) |
What to test?[edit]
Today's installment of Fedora Test Day will focus on OpenLDAP with TLS encryption. OpenLDAP in Fedora 14 uses Mozilla NSS instead of OpenSSL crypto backend. This change should have no effect for users, but to be sure we want to test OpenLDAP server and as many programs using OpenLDAP libraries (libldap) as possible.
Who's available[edit]
The following cast of characters will be available testing, workarounds, bug fixes, and general discussion ...
- Development - Jan Zeleny (jzeleny), Jan Vcelak (jvcelak), Rich Megginson (rmeggins)
- Quality Assurance - Ondrej Moris (omoris)
Prerequisite for Test Day[edit]
- Fedora 14 (or Rawhide) system
openldap
andopenldap-clients
packages- optionally for testing server:
openldap-servers
package - at least one application from package list below
Packages list[edit]
Priority 1 (the most important)[edit]
Package | Taken by | Notes |
---|---|---|
openldap-clients | omoris | |
openldap-servers | omoris | |
am-utils | ||
audit | ||
autofs | jvcelak | |
krb5-workstation | ||
nss_ldap | omoris | |
nss-pam-ldapd | omoris | |
openssh | mvadkert | |
pam_ldap | omoris | |
python-ldap | jvcelak | |
ruby-ldap | alich | |
sssd | shanks | |
sudo | alich | |
libuser | mvadkert | |
nfs-utils-lib | ||
quota | mvadkert |
Priority 2[edit]
Package | Taken by | Notes |
---|---|---|
bdii | ||
bind-dyndb-ldap | ||
bind | ||
cups | ||
curl | ksrot | |
dhcp | ||
dirmngr | ||
httpd | ||
lighttpd | ||
mod_authz_ldap | ||
mod_perl | ||
mod_revocator | ||
openvpn-auth-ldap | ||
php | jgorig | |
postgresql | ||
proftpd | jgorig | |
pure-ftpd |
Priority 3[edit]
Package | Taken by | Notes |
---|---|---|
cyrus-imapd | ||
cyrus-sasl | ||
dbmail | ||
dovecot | ||
exim | ||
freeradius | ||
jabberd | ||
sendmail | ||
samba | ||
samba4 | ||
ocspd | ||
pdns | ||
postfix | ||
ss5 | ||
zabbix | ||
Priority 4[edit]
Package | Taken by | Notes |
---|---|---|
activemq-cpp | ||
apr-util | ||
ipa | ||
asterisk | ||
callweaver | ||
cluster | ||
dspam | ||
nagios-plugins | ||
nufw | ||
opal | ||
openser | ||
opensips | ||
squid | ||
virtuoso-opensource | ||
zarafa | ||
Priority 5[edit]
Package | Taken by | Notes |
---|---|---|
alpine | ||
claws-mail | ||
ekiga | ||
evolution-exchange | ||
evolution | ||
GConf2 | ||
gq | ||
gnupg | ||
gnupg2 | ||
kdesvn | ||
ldapvi | ||
myproxy | ||
rapidsvn | ||
seahorse | ||
subcommander | ||
sylpheed | ||
wine |
Priority 6 (the least important)[edit]
Package | Taken by | Notes |
---|---|---|
echoping | ||
kdebase3 | ||
kdepimlibs | ||
log4cxx | ||
migrationtools | ||
ovaldi | ||
pathfinder | ||
ptlib | ||
root |
Testing environment[edit]
Update your machine[edit]
If you're running Fedora 14, make sure you have all the current updates for it installed, using the update manager.
Kickstart / Live DVD[edit]
We recommend the testing to be done in virtual machine, using a Fedora 14 network install as installation medium. Boot and installation images are available (i386, x86_64)
If you want to download Live medium, we have two LiveCDs available for you here. These images contain LiveCDs with shortcuts to IRC and this wiki page. They also have all Priority 1 programs pre-installed in case you want to test one of them.
Available testing servers[edit]
server | service | package version | base DN |
---|---|---|---|
openldap01.fedoraproject.org | OpenLDAP + OpenSSL | openldap-servers-2.4.21-11.fc13.x86_64 | dc=silver,dc=testday |
openldap02.fedoraproject.org | 389 Directory Server | 389-ds-base-1.2.7.a1 | dc=example,dc=com |
openldap03.fedoraproject.org | OpenLDAP + MozNSS | openldap-servers-2.4.22-7.fc14.x86_64 | dc=gold,dc=testday |
Download OpenLDAP Testday CA certificate (PEM format). Certificates of testing servers are signed by this CA.
Accessing our servers[edit]
- You can use anonymous bind for read only access.
- For read-write access use bind name cn=Tester,dc=silver,dc=testday and password openldap. Subtree ou=free,dc=base,dc=testday is ready for your experiments. Please create some organization unit with your name under it, not to conflict with other testers. (Don't forgot to replace dc=silver correctly for other servers.)
(read-write access is now set up for openldap02 - use the cn=Tester user)
How to test?[edit]
Choose one of applications in the list above and mark it on this page by adding your name into "Taken by" column. Perform some testing. Below is a table of features what might be tested. The table lists common OpenLDAP based applications and the TLS options used. The table lists some features which are supported by ldap.conf
file. If your application uses OpenLDAP and is able to configure it to use TLS/SSL, you will probably have similar configuration options.
You can use our prepared LDAP server for your testing.
Example configurations[edit]
OpenLDAP command line tools[edit]
- Application:
ldapsearch
,ldapmodify
, et. al. - Default config file:
/etc/openldap/ldap.conf
,~/.ldaprc
- Manual page: ldap.conf
- Step by step configuration
Use the -Z (prefer TLS) or -ZZ (require TLS) command line options to use StartTLS with ldap:// URIs.
Config option | Description | Example |
---|---|---|
URI | LDAP URI - use ldaps:// for LDAPS, or use ldap:// with -Z cmd line flag for starttls | ldaps://ldap.example.com:636/ |
TLS_CACERT | Full path and filename of file containing CA certificates to use | /etc/pki/tls/certs/ca-bundle.crt |
TLS_CACERTDIR | Full path name of directory containing CA certificates in separate files | /etc/openldap/cacerts |
TLS_CERT | Full path name and file name of client cert file | /home/user/myusercert.pem |
TLS_KEY | Full path name and file name of cert private key file - must be unencrypted | /home/user/myuserkey.pem |
TLS_CIPHER_SUITE | Specifies TLS cipher suites to use | HIGH:MEDIUM:+SSLv3 |
TLS_REQCERT | Specifies what checks to perform on server certs | demand |
OpenLDAP server[edit]
- Default config file:
/etc/openldap/slapd.d/cn=config.ldif
- Manual page: slapd-config
- Step by step configuration
Use the -H command line option to have slapd listen for LDAPS requests (e.g. slapd -H ldaps://hostname ....)
Config option | Description | Example |
---|---|---|
olcTLSCACertificateFile | Full path and filename of file containing CA certificates to use | /etc/pki/tls/certs/ca-bundle.crt |
olcTLSCACertificatePath | Full path name of directory containing CA certificates in separate files | /etc/openldap/cacerts |
olcTLSCertificateFile | Full path name and file name of server cert file | /home/user/myusercert.pem |
olcTLSCertificateKeyFile | Full path name and file name of server private key file - must be unencrypted | /home/user/myuserkey.pem |
olcTLSCipherSuite | Specifies TLS cipher suites to use | HIGH:MEDIUM:+SSLv3 |
olcTLSVerifyClient | Specifies what checks to perform on incoming client certs | demand |
For OpenLDAP server, we also need to test server-to-server interactions that use TLS. For example, test replication from a server using Mozilla NSS to another server using OpenSSL using LDAPS or StartTLS. Try a back-ldap or back-meta configuration using TLS/SSL.
pam_ldap/nss_ldap[edit]
- Default config file:
/etc/ldap.conf
- Manual page: nss_ldap
Config option | Description | Example |
---|---|---|
uri | LDAP URI - use ldaps:// for LDAPS, or use ldap:// with ssl start_tls option (see below) | uri ldaps://ldap.example.com:636/ |
ssl on,off,start_tls | off - no TLS ; on - use LDAPS ; start_tls - use LDAP with the StartTLS operation (recommended) | ssl start_tls |
tls_cacertfile | Full path and filename of file containing CA certificates to use | tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt |
tls_cacertdir | Full path name of directory containing CA certificates in separate files | tls_cacertdir /etc/openldap/cacerts |
tls_cert | Full path name and file name of client cert file for client cert auth (SASL/EXTERNAL) | tls_cert /path/to/myusercert.pem |
tls_key | Full path name and file name of client cert private key file - must be unencrypted | tls_key /path/to/myuserkey.pem |
tls_ciphers | Specifies TLS cipher suites to use | tls_ciphers HIGH:MEDIUM:+SSLv3 |
tls_checkpeer yes,no | check the server cert or no | tls_checkpeer yes |
Finishing test[edit]
After you perform testing, it is important to report results. A special section Test Results is available. Here you should write: what program have you tested, what was tested (i.e. what tests were performed) and what was the result. After you fill this report, please add a mark into "Notes" column in package list:
in case everything was ok | |
in case there was probably something wrong | |
in case the test failed |
In the latter two cases a description of what went wrong should be available in Test Results section below.
Step by step configurations[edit]
Libldap[edit]
There are more possibilities of configuring trusted CAs. The easiest way is probably using TLS_CACERTDIR directory (/etc/openldap/cacerts
in this example) with certificate files in PEM format.
You can do it your way - may the force (man ldap.conf
) be with you. Directory with MozNSS cert database, and one bundle CA file are supported as well.
- install OpenLDAP client tools to have some simple tool for your configuration testing:
yum install openldap-clients
- you need hash for each certificate, you can use
c_hash
tool:- run:
/etc/pki/tls/misc/c_hash /path/to/cert.pem
- you should get something like: 537ced62.0 => /path/to/cert.pem
- run:
- create symlink in CA certs directory:
ln -s /path/to/cert.pem /etc/openldap/cacerts/537ced62.0
- repeat previous steps for each CA you trust
- make sure, all certificates are readable for all users trough created symlinks
- update
/etc/openldap/ldap.conf
- add: TLS_CACERTDIR /etc/openldap/cacerts
- optionally, you can set up default server (URI) and search base (BASE)
If you have a lot of certificates, you can use c_rehash
tool from openssl-perl package.
OpenLDAP server[edit]
Quick help: man slapd-config
- install OpenLDAP server:
yum install openldap-servers
- choose and set your server base DN, e.g. dc=copper,dc=testday
- generate admin (manager) user password hash:
slappasswd
- update /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
- olcSuffix: dc=copper,dc=testday
- olcRootDN: cn=Manager,dc=copper,dc=testday
- olcRootPW: <admin-user-password-hash>
- update /etc/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif
- olcAccess: {0}to * by dn.base="cn=manager,dc=copper,dc=testday" read by * none
- start your server:
service slapd start
- try your serve functionality
ldapsearch -H ldap://localhost -x -b "" -s base "(objectclass=*)" namingContexts
- you should get:
namingContexts: dc=copper,dc=testday
- create base nodes
- download example root DN nodes (LDIF)
- update DNs in that file
- import that file into the database:
ldapadd -H ldap://localhost -x -D "cn=Manager,dc=copper,dc=testday" -W -f root.ldif
- install BDB configuration file
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
- restart your server:
service slapd restart
- your server is now configured and running without TLS
- generate certificates for your server (if you don't have any), we offer you step by step guide
- update
/etc/openldap/slapd.d/cn=config.ldif
, add following options (customised):- olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
- olcTLSCertificateFile: /etc/openldap/certs/server.pem
- olcTLSCertificateKeyFile: /etc/openldap/certs/server.pem
- make your certificates readable for
ldap
user - enable at least ldaps:// interface in
/etc/sysconfig/ldap
:- SLAPD_LDAP=yes (default)
- SLAPD_LDAPS=yes
- SLAPD_LDAPI=yes (optional)
- restart your server:
service slapd restart
- your server is running with TLS support
- test that your configuration is working
- without TLS: ldapsearch -x -H ldap://localhost -b "dc=copper,dc=testday"
- with TLS: ldapsearch -x -H ldaps://localhost -b "dc=copper,dc=testday"
Generating certificates[edit]
Use your own CA[edit]
There are more possibilities. The easiest way is installing TinyCA GUI, which will handle everything you need. You need not perform this task on your testing system.
- install TinyCA:
yum install tinyca2
- create new certification authority
- create new certificate request
- select 'Requests' tab
- right-click into the emtpy list of requests and select 'New Request'
- use pre-filled values, set 'Common Name' to match your server hostname
- set some pass-phrase (which will be removed anyway)
- click 'OK'
- sign the certificate request
- right-click on the certificate request and select 'Sign Request', 'Sign Request (Server)'
- you will be prompted for CA password
- signed certificate will appear under 'Certificates' tab
- export your key + certificate for server
- open 'Keys' tab
- right click on appropriate key and select 'Export'
- select export location (file)
- Export Format: PEM
- Without Passphrase: Yes
- Include Certificate (PEM): Yes
- click 'Save', provide your certificate pass-phrase password
- export your CA certificate
- open 'CA' tab
- click on 'Export CA' icon in toolbar
- set filename, select PEM format and click on 'Save'
- configure your server to use your key and certificate
- configure your server and any clients to use/accept your CA
Use our public sub CA with TinyCA[edit]
- download public testday sub CA
- move the file into
~/.TinyCA
- extract the file:
tar xf testday-public-ca.tar.gz
- CA is ready, use it in TinyCA
CA password is: openldap - you have to add this CA certificate onto server
- append it to your olcTLSCACertificateFile (really file, not option in config)
- or use olcTLSCACertificatePath instead of olcTLSCACertificateFile
Other ways[edit]
- OpenLDAP TLS guide (can be used as well)
Test Results[edit]
After you are finished testing, please file a testing report below. The first report can be used as an example how it should look like. If you encounter any issue, please first consult it on IRC. If it will be verified as a bug, file a bugzilla against openldap component and add a note about it to your report.
Tested program: abcd-1.5-3-fc14.x86_64
- tried against all referential servers
- tried TLS connection with and without client certificate
- all test were tun with option CDEF turned on
- all test were running fine, except one
- bug #123456 was filed
- bug #123457 was filed
[omoris] Tested program: openldap-servers-2.4.22-7.fc14.i686 openldap-clients-2.4.22-7.fc14.i686
- executed upstream self-test included in source rpm
- all passed
[ksrot] Tested program: curl-7.21.0-5.fc14.x86_64
- tried the query LDAP database using following commands:
curl 'ldap://openldap03.fedoraproject.org/dc=gold,dc=testday??sub' curl --cacert /etc/testday/cacert.pem 'ldaps://openldap03.fedoraproject.org/dc=gold,dc=testday??sub' curl 'ldap://openldap01.fedoraproject.org/dc=silver,dc=testday??sub' curl --cacert /etc/testday/cacert.pem 'ldaps://openldap01.fedoraproject.org/dc=silver,dc=testday??sub'
- output looked fine
[jvcelak] Tested program: openldap-2.4.23-1.fc15.x86_64 openldap-2.4.21-10.fc13.x86_64
- reported bug #641946 (slapd init script gets stuck in an infinite loop)
- OK: CA signed certificates (now used on silver and bronze)
- OK: sub-CA signed certificates (now used on gold)
- OK: referral chasing with TLS (tested including loops)
- OK: Ldap backend with TLS, works as a proxy (tested including loops)
- OK: self-signed certificates
- OK: delta-syncrepl with TLS
- verification with OpenSSL fails when connecting to localhost (host name doesn't match)
- verification with MozNSS works well when connecting to localhost or hostname
- verification with MozNSS fails when using certificate and hostname doesn't match
- MozNSS error messages often miss explanation (like -8172 Unknown error)
[mvadkert] Tested program: openssh-5.5p1-21.fc14.2.x86_64
- omoris and jvcelak added openssh.scheme and a test user
- tested with ssh-ldap-helper
root@freedom openldap]# /usr/libexec/openssh/ssh-ldap-helper -vvv -f /etc/openldap/ldap.conf -s user2 debug1: Reading configuration data /etc/openldap/ldap.conf debug3: === Configuration === debug3: URI ldaps://openldap03.fedoraproject.org debug3: Host openldap03.fedoraproject.org debug3: Port 636 debug3: SSL Yes debug3: Ldap_Version 3 debug3: Base ou=omoris,ou=free,dc=gold,dc=testday debug3: BindDN cn=Tester,dc=gold,dc=testday debug3: BindPW openldap debug3: Scope Sub [snip] debug1: LDAP do connect debug3: Set TLS CA cert dir /etc/openldap/cacerts debug3: Set TLS check peer to 1 debug3: LDAP initialize ldaps://openldap03.fedoraproject.org [snip] debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=user2)) ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsDA+I14oBeVd7ceujknbvc3i2Qfnx2Q1vPatRcwPfWLF2H4fPUuUypkJjswvJXxZun+7h1tNpZPMvKCxMLNph4follk35MXT01LZYtW3rs3bdYL+9vBO7ns1+MDrrusotM3f+j90VhPVn5MhgPABVAaSVoTGn058d/N/R1pMMvnRrKhBYlLG0Yb4WesvJQCL9GkbPqjn7tWZQNbDqnIA/TgYe87ES7rsC8ZFObSYYhWXJqnYb8ysQRVLTRUxE/EzYWM0YUIuYIN9eRzUJW9rFmlVDalUjzwIK6dkhkl4xN3vX5lSL3OCJlwIxUoQLK2P9fEvbPlxd9IRSQNWFJO2HQ==mvadkert@dhcp-lab-118.englab.brq.redhat.com debug2: LDAP process user finished debug1: LDAP do close debug2: LDAP do close OK
[jvcelak] Tested program: python-ldap-2.3.12-1.fc15.x86_64
- not tested very deeply, basic operations work:
#!/usr/bin/python import ldap import ldap.modlist as modlist l = ldap.initialize("ldaps://openldap03.fedoraproject.org", trace_level = 1) l.simple_bind_s("cn=Tester,dc=gold,dc=testday", "openldap") ldif = modlist.addModlist({ "objectClass" : [ "organizationalUnit", "top" ], "ou" : [ "jvcelak" ], }) l.add_s("ou=jvcelak,ou=free,dc=gold,dc=testday", ldif) print l.search_s("dc=gold,dc=testday", ldap.SCOPE_SUBTREE, "(cn=Manager)") l.delete_s("ou=jvcelak,ou=free,dc=gold,dc=testday") l.unbind_s()
[mvadkert] Tested program: libuser-0.56.18-2.fc14
- tested all libuser commands - found bug in lpasswd #643022
- generally works well after good setup in /etc/libuser.conf
[omoris] Tested program: pam_ldap-185-5.fc14
- tested password change, ssh connection, password change via ssh connection
- no problems, works fine
- testes via beakerlib using already prepared testcases
[omoris] Tested program: nss_ldap-265-6.fc14 & nss-pam-ldapd.i686 0:0.7.7-1.fc14
- tested getent, id of ldap users
- no problems, works fine
- testes via beakerlib using already prepared testcases
[mvadkert] Tested program: quota-3.17-13.fc14.x86_64
- mail stored in surname in LDAP user, quota works as expected with ldaps :)
[amarecek] Tested program: sudo-1.7.4p4-3.fc14.x86_64
- rights escalation with ldap users only
- rights escalation with local users and ldap groups
- rights escalation with ldap users containing white spaces (also "su" tested)
- rights escalation with ldap groups containing white spaces
[jgorig] Tested program: php-ldap-5.3.3-1.fc14.x86_64
- basic operations works
<?php $conn = ldap_connect("openldap03.fedoraproject.org"); if(!$conn) exit(ldap_error($conn)); $ret = ldap_start_tls($conn); if(!$ret) exit(ldap_error($conn)); $r = ldap_bind($conn, "cn=Tester,dc=gold,dc=testday", "openldap"); if(!$r) exit(ldap_error($conn)); $data["objectClass"][0] = "organizationalUnit"; $data["objectClass"][1] = "top"; $data["ou"] = "Testovac"; ldap_add($conn, "ou=Testovac,ou=free,dc=gold,dc=testday", $data); $sr = ldap_search($conn, "dc=gold,dc=testday", "ou=Testovac"); print_r(ldap_get_entries($conn, $sr)); ldap_delete($conn, "ou=Testovac,ou=free,dc=gold,dc=testday"); ldap_close($conn);
[amarecek] Tested program: ruby-1.8.7.302-1.fc14.x86_64, ruby-ldap-0.9.7-10.fc12.x86_64
- simple connection works
#!/bin/env ruby require 'ldap' _host = 'openldap03.fedoraproject.org' _port = 389 _binddn = 'cn=Tester,dc=gold,dc=testday' _bindpw = 'openldap' _base = 'ou=alich,ou=free,dc=gold,dc=testday' connection = LDAP::Conn.new(_host, _port) connection.bind(_binddn, _bindpw) connection.perror("bind") scope = LDAP::LDAP_SCOPE_SUBTREE attrs = ['dn', 'cn'] items = ['posixAccount', 'posixGroup'] items.each { |item| filter = "(objectClass=#{item})" begin connection.search(_base, scope, filter) { |record| print "DN: #{record.dn}\n" print "ATTRS: #{record.attrs}\n" print "\tCN: #{record.vals('cn')}\n" print "#{record.to_hash}\n" } rescue LDAP::ResultError connection.perror("search") exit 1 end connection.perror("search") } connection.unbind
- all data were found successfully
[jvcelak] Tested program: autofs-5.0.5-31.fc15.x86_64
- reported bug #643045 (outdated autofs.schema in openldap-servers)
- automounter connects to LDAP server with TLS (ldap:// + requiretls, ldaps://)
- automountMap successfully found
- referring to another server using ldap:server:dn works
- volumes mounted as expected
[shanks] Tested program: sssd-1.3.0-35.fc14.x86_64
- Not tested deeply, basic operation of LDAP ID and auth works:
[sssd[be[LDAP]]] [get_server_status] (7): Status of server 'fed14sssdldap.gsr.pnq.redhat.com' is 'working' [sssd[be[LDAP]]] [be_resolve_server_done] (4): Found address for server fed14sssdldap.gsr.pnq.redhat.com: [10.65.201.183] [sssd[be[LDAP]]] [sdap_connect_send] (4): Executing START TLS [sssd[be[LDAP]]] [sdap_ldap_connect_callback_add] (9): New LDAP connection to [ldap://fed14sssdldap.gsr.pnq.redhat.com:389] with fd [26]. [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xe9d210], connected[1], ops[0xe7e280], ldap[0xea1220] [sssd[be[LDAP]]] [sdap_connect_done] (3): START TLS result: Success(0), Start TLS request accepted.Server willing to negotiate SSL. [sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 389 of server 'fed14sssdldap.gsr.pnq.redhat.com' as 'working' [sssd[be[LDAP]]] [set_server_common_status] (4): Marking server 'fed14sssdldap.gsr.pnq.redhat.com' as 'working' [sssd[be[LDAP]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0xec7d50 [sssd[be[LDAP]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0xec78c0 [sssd[be[LDAP]]] [ldb] (9): tevent: Destroying timer event 0xec78c0 "ltdb_timeout" [sssd[be[LDAP]]] [ldb] (9): tevent: Ending timer event 0xec7d50 "ltdb_callback" [sssd[be[LDAP]]] [find_password_expiration_attributes] (9): No password policy requested. [sssd[be[LDAP]]] [simple_bind_send] (4): Executing simple bind as: uid=puser1,ou=People,dc=example,dc=com [sssd[be[LDAP]]] [simple_bind_send] (8): ldap simple bind sent, msgid = 2 [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xe9d210], connected[1], ops[0xec79e0], ldap[0xea1220] [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: ldap_result found nothing! [sssd[be[LDAP]]] [sdap_process_result] (8): Trace: sh[0xe9d210], connected[1], ops[0xec79e0], ldap[0xea1220] [sssd[be[LDAP]]] [simple_bind_done] (5): Server returned no controls. [sssd[be[LDAP]]] [simple_bind_done] (3): Bind result: Success(0), (null)
[jgorig] Tested program: proftpd-1.3.3b-1.fc14.x86_64
- user authentication works
- Mustuniversity
- Must University