HOWTO LDAP SAMBA PDC Security Upgrade
From Gentoo Linux Wiki
Create Certs
OPTIONAL: using SSL and/or TLS encryption is recommended as a "best practice" because passwords are transferred over the connections between the LDAP server and whatever it talks to. Using them is completely optional, but highly recommended.
First we should create our SSL certificates. The following procedure creates a self-signed certificate; for more information see the OpenLDAP SSL/TLS How-To.
First we need to create a directory for building our certs in, change to that directory and then create a new CA. The script will execute and ask you some questions about your organization.
# mkdir /var/myca
# cd /var/myca
# /etc/ssl/misc/CA.sh -newca
This creates a demoCA directory with various items, including demoCA/cacert.pem and demoCA/private/cakey.pem (the CA cert and its private key).
Next we need to create a new server certificate signing request that we can later sign with the previously generated CA cert. Again it will ask you some questions about your organization.
# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Next we have the CA sign the CSR. After we execute it, it is going to ask us to enter the PEM pass phrase; this is the challenge passphrase we gave in the previous command. It is also going to ask if we want to sign the cert, which we do.
# /etc/ssl/misc/CA.sh -sign
The result of the above command should be the creation of newcert.pem, our signed cert.
Next we should move the certs to our desired certificate repository and rename them. I prefer to put them in /certs/openldap.
# mkdir -p /certs/openldap
# mv demoCA/cacert.pem /certs/openldap/CA-cert.pem
# mv newcert.pem /certs/openldap/ser-crt.pem
# mv newreq.pem /certs/openldap/ser-key.pem
# chmod 400 /certs/openldap/ser-key.pem
# chown ldap:ldap /certs/openldap/ser-key.pem
The chmod makes the private key read-only. The owner of the key should be the same user that runs slapd, so a chown command will be necessary if the owner of the server key is not the same as the user who runs slapd. The certificates should be publicly readable.
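The steps above are interactive. As an added example (not part of the original wiki page), here is the same procedure carried out non-interactively with plain openssl commands, ending with the permissions the page asks for and a verification that the server cert actually chains to the CA. Assumptions that are mine, not the page's: 2048-bit keys rather than 1024, a CA valid for 3650 days and a server cert valid for 365 days, a placeholder -subj organisation you must replace, and a work directory and destination passed as parameters instead of the fixed /var/myca and /certs/openldap.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of the CA.sh steps above.
# Not from the original page. Key sizes, validity periods and the -subj
# values are assumptions; replace the subject with your own organisation.
set -eu

# make_ldap_certs <work dir> <destination dir> <server hostname>
# Leaves CA-cert.pem, ser-crt.pem and ser-key.pem in <destination dir>.
make_ldap_certs() {
    work="$1"; dest="$2"; host="$3"
    mkdir -p "$work/demoCA/private" "$dest"
    umask 077   # nothing we generate here should be group/world readable by default

    # 1. Self-signed CA (what CA.sh -newca does, without the prompts)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$work/demoCA/private/cakey.pem" \
        -out "$work/demoCA/cacert.pem" \
        -subj "/C=XX/O=Example Org/CN=Example LDAP CA" 2>/dev/null

    # 2. Server key and CSR; the CN must be the name clients connect to,
    #    otherwise ldapsearch/samba will reject the certificate
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$work/ser-key.pem" -out "$work/newreq.pem" \
        -subj "/C=XX/O=Example Org/CN=$host" 2>/dev/null

    # 3. Sign the CSR with the CA (what CA.sh -sign does)
    openssl x509 -req -days 365 -in "$work/newreq.pem" \
        -CA "$work/demoCA/cacert.pem" -CAkey "$work/demoCA/private/cakey.pem" \
        -CAcreateserial -out "$work/newcert.pem" 2>/dev/null

    # 4. Install under the names the page uses: certificates world-readable,
    #    private key read-only for its owner
    cp "$work/demoCA/cacert.pem" "$dest/CA-cert.pem"
    cp "$work/newcert.pem"       "$dest/ser-crt.pem"
    cp "$work/ser-key.pem"       "$dest/ser-key.pem"
    chmod 644 "$dest/CA-cert.pem" "$dest/ser-crt.pem"
    chmod 400 "$dest/ser-key.pem"
    # Only root can hand the key to the account slapd runs as (ldap on Gentoo)
    if [ "$(id -u)" -eq 0 ] && id ldap >/dev/null 2>&1; then
        chown ldap:ldap "$dest/ser-key.pem"
    fi

    # 5. Check the chain the same way a client will: server cert against CA cert
    openssl verify -CAfile "$dest/CA-cert.pem" "$dest/ser-crt.pem" >/dev/null
}
```

Run it as root with `make_ldap_certs /var/myca /certs/openldap ldap.example.org` (hostname is an example) and the result matches the layout the page describes; the final `openssl verify` fails loudly if the signing step went wrong, which the interactive CA.sh run does not tell you.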
Update /etc/openldap/slapd.conf to ensure the following lines are uncommented:
TLSCertificateFile /certs/openldap/ser-crt.pem
TLSCertificateKeyFile /certs/openldap/ser-key.pem
TLSCACertificateFile /certs/openldap/CA-cert.pem
You may also want to update /etc/openldap/ldap.conf. This line will let the ldapsearch client automatically use your certificate to verify the server.
Configure Samba to use TLS
Update the following line in /etc/samba/smb.conf in the [Global] section.
File: smb.conf
ldap ssl = start_tls
Now, restart everything and hope it works!
Code: Restart Servers
# /etc/init.d/slapd restart
# /etc/init.d/samba restart
Securing Files
We need to secure /etc/openldap/slapd.conf from access by anyone besides root, because the root password for our entire LDAP directory is in that file. We can accomplish this with the following commands.
Code: secure slapd.conf
# chmod 600 /etc/openldap/slapd.conf
# chown ldap:ldap /etc/openldap/slapd.conf
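The three sections above (the slapd.conf TLS directives and ldap.conf, the smb.conf start_tls line, and the file permissions) are easy to get subtly wrong, and slapd will often start anyway. As an added example that is not part of the original page, this script audits a host against what the page asks for: slapd.conf mode 600, the three TLS directives present and uncommented, the key read-only and owned by the slapd user, the certificates world-readable, smb.conf set to start_tls, and the client's trust anchor matching the server's CA. Assumptions that are mine: the ldap.conf line the page refers to but does not show is taken to be a TLS_CACERT directive (a real ldap.conf option) naming the same CA file as TLSCACertificateFile, and the slapd user is passed in as a parameter (ldap on Gentoo).

```shell
#!/bin/sh
# Added example: audit the TLS and file-permission settings described above.
# Not from the original page. The TLS_CACERT check for ldap.conf is an
# assumption about which line the page means.

# Symbolic permission bits ("rw-------") and owner name of a file
perm_of()  { ls -ld "$1" | cut -c2-10; }
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# conf_value <file> <directive>: value of "directive value", ignoring lines
# that are commented out (their first field starts with '#', not the name)
conf_value() { awk -v k="$2" '$1 == k { print $2 }' "$1" | tail -n 1; }

# audit_ldap_tls <slapd.conf> <ldap.conf> <smb.conf> <slapd user>
# Prints one "FAIL: ..." line per finding; returns 0 only if there are none.
audit_ldap_tls() {
    slapd_conf="$1"; ldap_conf="$2"; smb_conf="$3"; slapd_user="$4"
    failures=0
    fail() { echo "FAIL: $*"; failures=$((failures + 1)); }

    # slapd.conf carries the directory's rootpw, so nobody but its owner reads it
    [ "$(perm_of "$slapd_conf")" = "rw-------" ] \
        || fail "$slapd_conf should be mode 600 (has $(perm_of "$slapd_conf"))"

    cert=$(conf_value "$slapd_conf" TLSCertificateFile)
    key=$(conf_value "$slapd_conf" TLSCertificateKeyFile)
    ca=$(conf_value "$slapd_conf" TLSCACertificateFile)
    [ -n "$cert" ] || fail "TLSCertificateFile missing or still commented out in $slapd_conf"
    [ -n "$key" ]  || fail "TLSCertificateKeyFile missing or still commented out in $slapd_conf"
    [ -n "$ca" ]   || fail "TLSCACertificateFile missing or still commented out in $slapd_conf"

    # Private key: read-only and owned by the account slapd runs as
    if [ -n "$key" ]; then
        if [ -f "$key" ]; then
            [ "$(perm_of "$key")" = "r--------" ] || fail "$key should be mode 400"
            [ "$(owner_of "$key")" = "$slapd_user" ] \
                || fail "$key is owned by $(owner_of "$key") but slapd runs as $slapd_user"
        else
            fail "key file $key does not exist"
        fi
    fi

    # Certificates: clients and samba need them, so they must be world-readable
    for f in "$cert" "$ca"; do
        [ -z "$f" ] && continue
        if [ -f "$f" ]; then
            case "$(perm_of "$f")" in
                ??????r??) ;;
                *) fail "$f is not world-readable" ;;
            esac
        else
            fail "certificate $f does not exist"
        fi
    done

    # Client side: ldapsearch must trust exactly the CA the server presents
    client_ca=$(conf_value "$ldap_conf" TLS_CACERT)
    [ -n "$client_ca" ] || fail "TLS_CACERT not set in $ldap_conf"
    [ -z "$client_ca" ] || [ "$client_ca" = "$ca" ] \
        || fail "TLS_CACERT ($client_ca) differs from TLSCACertificateFile ($ca)"

    # Samba side: "ldap ssl = start_tls" (spaces around '=' are optional)
    smb_ssl=$(sed -n 's/^[[:space:]]*ldap ssl[[:space:]]*=[[:space:]]*//p' "$smb_conf" \
              | tail -n 1 | tr -d '[:space:]')
    [ "$smb_ssl" = "start_tls" ] \
        || fail "smb.conf 'ldap ssl' is '${smb_ssl:-unset}', expected start_tls"

    [ "$failures" -eq 0 ]
}
```

On a real box run `audit_ldap_tls /etc/openldap/slapd.conf /etc/openldap/ldap.conf /etc/samba/smb.conf ldap` after the restart; a clean run prints nothing and exits 0, and each FAIL line names the file and the setting to fix.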
Not using the rootdn
See Talk:HOWTO_LDAP_SAMBA_PDC_Security_Upgrade for now.
Po0ky 14:43, 29 December 2005 (GMT)
