2010-10-14 OpenLDAP/NSS

DATE	TIME	WHERE
2010-10-14	From 09:00 to 21:00 UTC (5am -> 5pm EDT)	#fedora-test-day (webirc)

Can't make the date?
If you come to this page before or after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find at Bugzilla, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

What to test?

Today's installment of Fedora Test Day will focus on OpenLDAP with TLS encryption. OpenLDAP in Fedora 14 uses Mozilla NSS instead of OpenSSL crypto backend. This change should have no effect for users, but to be sure we want to test OpenLDAP server and as many programs using OpenLDAP libraries (libldap) as possible.

Who's available

The following cast of characters will be available testing, workarounds, bug fixes, and general discussion ...

Development - Jan Zeleny (jzeleny), Jan Vcelak (jvcelak), Rich Megginson (rmeggins)
Quality Assurance - Ondrej Moris (omoris)

Prerequisite for Test Day

Fedora 14 (or Rawhide) system
openldap and openldap-clients packages
optionally for testing server: openldap-servers package
at least one application from package list below

Packages list

Priority 1 (the most important packages)

Package	Taken by	Notes
openldap-clients
openldap-servers
am-utils
audit
autofs
krb5-workstation
nss_ldap
nss-pam-ldapd
openssh
pam_ldap
python-ldap
ruby-ldap
sssd
sudo
libuser
nfs-utils-lib
quota

Priority 2

Package	Taken by	Notes
bdii
bind-dyndb-ldap
bind
cups
curl
dhcp
dirmngr
httpd
lighttpd
mod_authz_ldap
mod_perl
mod_revocator
openvpn-auth-ldap
php
postgresql
proftpd
pure-ftpd

Priority 3

Package	Taken by	Notes
cyrus-imapd
cyrus-sasl
dbmail
dovecot
exim
freeradius
jabberd
sendmail
samba
samba4
ocspd
pdns
postfix
ss5
zabbix

Priority 4

Package	Taken by	Notes
activemq-cpp
apr-util
ipa
asterisk
callweaver
cluster
dspam
nagios-plugins
nufw
opal
openser
opensips
squid
virtuoso-opensource
zarafa

Priority 5

Package	Taken by	Notes
alpine
claws-mail
ekiga
evolution-exchange
evolution
GConf2
gq
gnupg
gnupg2
kdesvn
ldapvi
myproxy
rapidsvn
seahorse
subcommander
sylpheed
wine

Priority 6 (the least important packages)

Package	Taken by	Notes
echoping
kdebase3
kdepimlibs
log4cxx
migrationtools
ovaldi
pathfinder
ptlib
root

Testing environment

Update your machine

If you're running Fedora 14, make sure you have all the current updates for it installed, using the update manager.

Kickstart / Live DVD

We recommend the testing to be done in virtual machine, using a Fedora 14 network install as installation medium. Boot and installation images are available (i386, x86_64)

If you want to download Live medium, we have two LiveCDs available for you here. These images contain LiveCDs with shortcuts to IRC and this wiki page. They also have all Tier 1 programs pre-installed in case you want to test one of them.

Available testing servers

Servers are not ready
We are working on this right now

server	service	package version	base DN
openldap01.fedoraproject.org	OpenLDAP + OpenSSL	openldap-servers-2.4.21-11.fc13.x86_64	dc=silver,dc=testday
openldap02.fedoraproject.org	389 Directory Server	(not installed yet)	dc=bronze,dc=testday
openldap03.fedoraproject.org	OpenLDAP + MozNSS	openldap-servers-2.4.22-7.fc14.x86_64	dc=gold,dc=testday

Download OpenLDAP Testday CA certificate (PEM format). Certificates of testing servers are signed by this CA.

How to test?

Choose one of applications in the list above and mark it on this page by adding your name into "Taken by" column. Perform some testing. Below is a table of features what might be tested. The table lists common OpenLDAP based applications and the tls options used. The table lists some features which are supported by ldap.conf file. If your application uses OpenLDAP and is able to configure it to use TLS/SSL, you will probably have similar configuration options.

Application: OpenLDAP command line tools - ldapsearch, ldapmodify, et. al.
Default config file: /etc/openldap/ldap.conf, ~/.ldaprc
see man ldap.conf for more information
Use the -Z or -ZZ command line option to use StartTLS with ldap:// URIs

Config option	Description	Example
URI	LDAP URI - use ldaps:// for LDAPS, or use ldap:// with -Z cmd line flag for starttls	ldaps://ldap.example.com:636/
TLS_CACERT	Full path and filename of file containing CA certificates to use	/etc/pki/tls/certs/ca-bundle.crt
TLS_CACERTDIR	Full path name of directory containing CA certificates in separate files	/etc/openldap/cacerts
TLS_CERT	Full path name and file name of client cert file	/home/user/myusercert.pem
TLS_KEY	Full path name and file name of cert private key file - must be unencrypted	/home/user/myuserkey.pem
TLS_CIPHER_SUITE	Specifies TLS cipher suites to use	HIGH:MEDIUM:+SSLv3
TLS_REQCERT	Specifies what checks to perform on server certs	demand

Application: OpenLDAP server
Default config file: /etc/openldap/slapd.d/cn=config.ldif
see man slapd-config for more information
Use the -H command line option to have slapd listen for LDAPS requests (e.g. slapd -H ldaps://hostname ....)

Config option	Description	Example
olcTLSCACertificateFile	Full path and filename of file containing CA certificates to use	/etc/pki/tls/certs/ca-bundle.crt
olcTLSCACertificatePath	Full path name of directory containing CA certificates in separate files	/etc/openldap/cacerts
olcTLSCertificateFile	Full path name and file name of server cert file	/home/user/myusercert.pem
olcTLSCertificateKeyFile	Full path name and file name of server private key file - must be unencrypted	/home/user/myuserkey.pem
olcTLSCipherSuite	Specifies TLS cipher suites to use	HIGH:MEDIUM:+SSLv3
olcTLSVerifyClient	Specifies what checks to perform on incoming client certs	demand

For OpenLDAP server, we also need to test server-to-server interactions that use TLS. For example, test replication from a server using Mozilla NSS to another server using OpenSSL using LDAPS or StartTLS. Try a back-ldap or back-meta configuration using TLS/SSL.

Application: pam_ldap/nss_ldap
Default config file: /etc/ldap.conf
see man nss_ldap for more information

Config option	Description	Example
uri	LDAP URI - use ldaps:// for LDAPS, or use ldap:// with ssl start_tls option (see below)	uri ldaps://ldap.example.com:636/
ssl on,off,start_tls	off - no TLS ; on - use LDAPS ; start_tls - use LDAP with the StartTLS operation (recommended)	ssl start_tls
tls_cacertfile	Full path and filename of file containing CA certificates to use	tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
tls_cacertdir	Full path name of directory containing CA certificates in separate files	tls_cacertdir /etc/openldap/cacerts
tls_cert	Full path name and file name of client cert file for client cert auth (SASL/EXTERNAL)	tls_cert /path/to/myusercert.pem
tls_key	Full path name and file name of client cert private key file - must be unencrypted	tls_key /path/to/myuserkey.pem
tls_ciphers	Specifies TLS cipher suites to use	tls_ciphers HIGH:MEDIUM:+SSLv3
tls_checkpeer yes,no	check the server cert or no	tls_checkpeer yes

You can use our prepared LDAP server for your testing.

After you perform testing, it is important to report results. A special section Test Results is available. Here you should write: what program have you tested, what was tested (i.e. what tests were performed) and what was the result. After you fill this report, please add a mark into "Notes" column in package list:

pass	in case everything was ok
warn	in case there was probably something wrong
fail	in case the test failed

In the latter two cases a description of what went wrong should be available in Test Results section below.

Step by step configuration of libldap

You have to proceed this
This describes how to setup trusted certificate authorities. Server certificates signed by these will be accepted. If you want to do testing with our testday servers, you will have to add at least our CA certificate.

There are more possibilities of configuring trusted CAs. The easiest way is probably using TLS_CACERTDIR directory (/etc/openldap/cacerts in this example) with certificate files in PEM format.
You can do it your way - may the force (man ldap.conf) be with you. Directory with MozNSS cert database, and one bundle CA file are supported as well.

install OpenLDAP client tools to have some simple tool for your configuration testing: yum install openldap-clients
you need hash for each certificate, you can use c_hash tool:
- run: /etc/pki/tls/misc/c_hash /path/to/cert.pem
- you should get something like: 537ced62.0 => /path/to/cert.pem
create symlink in CA certs directory:
- ln -s /path/to/cert.pem /etc/openldap/cacerts/537ced62.0
repeat previous steps for each CA you trust
make sure, all certificates are readable for all users trough created symlinks
update /etc/openldap/ldap.conf
- add: TLS_CACERTDIR /etc/openldap/cacerts
- optionally, you can set up default server (URI) and search base (BASE)

If you have a lot of certificates, you can use c_rehash tool from openssl-perl package.

Test Results

After you are finished testing, please file a testing report below. The first report can
be used as an example how it should look like. If you encounter any issue, please first
consult it on IRC. If it will be verified as a bug, file a bugzilla against openldap
component and add a note about it to your report.

Tested program: abcd-1.5-3-fc14.x86_64

tried against all referential servers
tried TLS connection with and without client certificate
all test were tun with option CDEF turned on
all test were running fine, except one
bug #123456 was filed
bug #123457 was filed

Advanced configuration

How to setup your own server

This is an optional step
You don't have to set up your server. You can use our testday servers.)

Usual mistakes
Do not leave any empty lines in OpenLDAP server configuration files (everything in /etc/openldap/slapd.d).
No olcTLS* option must be the last line in your database configuration or your server will not start (bug #641946), possible workaround is adding one extra line with comment (starting #).

Quick help: man slapd-config

install OpenLDAP server: yum install openldap-servers
choose and set your server base DN, e.g. dc=copper,dc=testday
generate admin (manager) user password hash:
slappasswd
update /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
- olcSuffix: dc=copper,dc=testday
- olcRootDN: cn=Manager,dc=copper,dc=testday
- olcRootPW: <admin-user-password-hash>
update /etc/openldap/slapd.d/cn=config/{2}monitor.ldif
- olcAccess: {0}to * by dn.base="cn=manager,dc=copper,dc=testday" read by * non
start your server: service slapd start
try your serve functionality
- ldapsearch -H ldap://localhost -x -b "" -s base "(objectclass=*)" namingContexts
- you should get: namingContexts: dc=copper,dc=testday
create base nodes
- download example root DN nodes (LDIF)
- update DNs in that file
- import that file into the database:
  ldapadd -x -D "cn=Manager,dc=copper,dc=testday" -W -f root.ldif
install BDB configuration file
- cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_EXAMPLE
restart your server: service slapd restart
your server is now configured and running without TLS
generate certificates for your server (if you don't have any)
- TODO
update /etc/openldap/slapd.d/cn=config.ldif, add following options (customised):
- olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
- olcTLSCertificateFile: /etc/openldap/certs/server.pem
- olcTLSCertificateKeyFile: /etc/openldap/certs/server.pem
make your certificates readable for ldap user
enable at least ldaps:// interface in /etc/sysconfig/ldap:
- SLAPD_LDAP=yes (default)
- SLAPD_LDAPS=yes
- SLAPD_LDAPI=yes (optional)
restart your server: service slapd restart
your server is running with TLS support
test that your configuration is working
- without TLS: ldapsearch -x -H ldap://localhost -b "dc=copper,dc=testday"
- with TLS: ldapsearch -x -H ldaps://localhost -b "dc=copper,dc=testday"

Generating certificates for server

TODO
jvcelak: write this

Search

Test Day:2010-10-14 OpenLDAP/NSS

Contents