I'm in the process of reading up on documentation and setting up OpenLDAP to handle authentication throughout my network, for email, web services, user accounts, and anything else that I could throw at it. It's not going to be anything SUPER big, but I want it to feel live, since I'm doing it in my home lab.

What are some good things to keep in mind or something to make sure I always remember when setting up OpenLDAP? Should I make sure that I always travel over SSL? Should I use Kerberos? Anything would be appreciated to keep in mind.

Chiggins

3 Answers

A partial list in no particular order:

  • Use cn=config (see man slapd-config).
  • Set up Master-Master replication at your core.
  • Always use some sort of encryption for authentication.
  • LDAPS (port 636) is deprecated in favor of STARTTLS for LDAP.
  • SASL-GSSAPI and SASL-EXTERNAL are useful if you don't like entering passwords a lot.
  • Disable SASL mechanisms you don't support.
  • Don't use the root DN when you don't have to.
  • Pay attention to your ACLs (e.g. users should not have write access to uidNumber and gidNumber).
  • ldapsearch -x -H $URI is an anonymous search. (ldapwhoami -x -H $URI).
  • Limited local replicas can be much better than nscd (self access via ldapi:///).
  • Overlay memberof is very handy for group membership.

Probably important:
Understand the documentation. It's not everything you need, but it sure helps.

neirbowj
84104
  • Question, what exactly do you mean by Master-Master replication at the core? – Chiggins Dec 21 '11 at 21:59
  • @Chiggins You should not have master server, but master *servers*. I prefer N-Way multimaster. Mirror-Mode is also a decent option. I've edited in an attempt to clarify. – 84104 Dec 21 '11 at 22:13
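An added configuration example, not from the answer above or the OpenLDAP project: a cn=config LDIF that applies several of the listed points at once, namely requiring TLS or SASL strength for binds, ACLs that keep users from writing uidNumber and gidNumber, no anonymous search, and the memberof overlay. The suffix dc=example,dc=com, the database entry olcDatabase={1}mdb, the admin DN cn=admin,dc=example,dc=com and the module entry cn=module{0} are assumed placeholders.

```ldif
# Assumed: suffix dc=example,dc=com in olcDatabase={1}mdb, admin DN
# cn=admin,dc=example,dc=com. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f hardening.ldif

# Treat ldapi:/// as already encrypted (SSF 128) so local SASL-EXTERNAL
# clients such as a local replica meet the SSF requirement below without TLS.
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128

# Require 128-bit strength (STARTTLS or SASL) on all operations and on
# simple binds in particular, so passwords never cross the wire in clear.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128 simple_bind=128 update_ssf=128
-
# ACLs: the first "to" clause matching the attribute wins. Users may set
# their own password, but only the admin may write uidNumber/gidNumber;
# anonymous binds get auth only, so "ldapsearch -x" returns nothing.
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=admin,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to attrs=uidNumber,gidNumber,homeDirectory,loginShell
  by dn.exact="cn=admin,dc=example,dc=com" write
  by users read
  by * none
olcAccess: {2}to *
  by dn.exact="cn=admin,dc=example,dc=com" write
  by self write
  by users read
  by * none

# memberof overlay: maintain memberOf on user entries whenever a
# groupOfNames' member attribute changes (defaults: groupOfNames/member).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefInt: TRUE
```

To confirm the bind policy from a client, `ldapwhoami -x -ZZ -H ldap://server -D "uid=alice,ou=people,dc=example,dc=com" -W` should succeed while the same command without `-ZZ` is refused with a confidentiality-required error.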
SSL Libraries

Debian (and thus Ubuntu) package OpenLDAP compiled against gnuTLS instead of OpenSSL. This is fine for playing around, but gnuTLS has been significantly slower on our network. I always rebuild the Ubuntu package compiled against OpenSSL.

Other distros may do the same or different.

Kerberos

Kerberos doesn't really seem useful in my environment (~200 linux workstations, ~40 macs, nfs servers, imap, smtp, web server). None of our common client applications support kerberos authentication (Firefox, Thunderbird). It would just be used on a host level for NFS and as a PAM module for authentication. I think SSL can do just as good a job at keeping passwords secret.

If you do use kerberos, you should use Heimdal for integration with the OpenLDAP smbk5pwd overlay.

Client Libraries

The default library for nss from PADL is a bit bloated and troublesome. I recommend you try SSS or nss-pam-ldapd. They both work very well in my environment.

SSS does so much more than PADL's libraries. It includes caching, so you don't need nscd.

nss-pam-ldapd is a rewrite of the PADL libraries made to be much more efficient.

Managing your data

I am a big fan of phpLDAPAdmin. It makes it very easy to view your schemas and modify individual entries.

Other LDAP Servers

They may be slower, but they have more advanced features.

You might want to try ApacheDS since it has builtin kerberos.

Jeff Strunk
  • There is so much to say here. Should I turn this answer into a community wiki? – Jeff Strunk Dec 21 '11 at 21:52
  • +1 for the gnuTLS note -- I've found gnuTLS to be impractically slow for production workloads, and quite frankly OpenSSL has more extensive adoption, and thus more complete testing. – voretaq7 Dec 21 '11 at 21:52
This question is really too broad to answer, and any answer would be heavily dependent on your environment.

Some things I would consider are:

  • Does LDAP make sense as the authentication system?
    • If not, what might be better?
  • Does LDAP make sense as the authorization system?
    (authorization would be things like sudoers)
    • If not, what might be better?
  • What kind of security makes sense?
    • SSL? (pretty much definitely)
    • Kerberos? (Does everything support it? WILL everything support it in the future?)
    • What about security within LDAP itself (ACLs)
      • Object/Subtree permissions
      • Browsable/Searchable by... (anyone (anonymous), registered users, admins, etc...)
      • How will users change their password?
  • How will we get the individual workstations to respect LDAP information?
    • pam_ldap/nss_ldap? (old & busted, but works)
    • pam_ldapd (new hotness: Fewer LDAP connections, other benefits, but some unimplemented features)
  • Will we have to interact with Windows - EVER?
    (If you say "yes" here you really need to use AD as the LDAP server)
voretaq7