How do I configure LDAP on Centos 6 for user authentication in the most secure and correct way?

During the last couple of days I have been using a lot of F-words, while browsing Internet for good documentation about how to setup an LDAP-server. So far I have found none, but plenty that are less than good, but better than bad. So I had to do it the usual Linux way, read, test, scream, read, test and scream.

My goals for the LDAP-server are:

  • Install LDAP on a Centos 6 minimum installation, both for server and clients.
  • Install in the way that the developers of OpenLDAP intended.
  • Install LDAP securely with LDAPS, iptables, SELinux etc. enabled.
  • Use SSSD on the clients for the "authentication" connections to the LDAP-server.

This is the kind of question that I usually answer myself, but I would appreciate suggestions about how to do the installation even better.


Here is a couple of shell scripts that will install and configure openldap on a server and install and configure sssd for user authentication against the LDAP-server.

One that installs the LDAP-server with groups, users etc.

#!/bin/sh
###########################################################
# Install LDAP-server
###########################################################

# Enable SELinux for higher security.
setenforce 1
setsebool -P domain_kernel_load_modules 1

# Communication with the LDAP-server needs to be done with domain name, and not
# the ip. This ensures the dns-name is configured.
cat >> /etc/hosts << EOF
10.100.110.7 ldap.syco.net
EOF

# Install all required packages.
yum -y install openldap-servers openldap-clients

# Create backend database.
cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap

# Set password for cn=admin,cn=config (it's secret)
cat >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif << EOF
olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb
EOF

# Autostart slapd after reboot.
chkconfig slapd on

# Start ldap server
service slapd start

# Wait for slapd to start.
sleep 1

###########################################################
# General configuration of the server.
###########################################################

# Create folder to store log files in
mkdir /var/log/slapd
chmod 755 /var/log/slapd/
chown ldap:ldap /var/log/slapd/

# Redirect all log files through rsyslog.
sed -i "/local4.*/d" /etc/rsyslog.conf
cat >> /etc/rsyslog.conf << EOF
local4.*                        /var/log/slapd/slapd.log
EOF
service rsyslog restart

# Do the configurations.
ldapadd -H ldap://ldap.syco.net -x -D "cn=admin,cn=config" -w secret << EOF

# Setup logfile (not working now, propably needing debug level settings.)
dn: cn=config
changetype:modify
replace: olcLogLevel
olcLogLevel: config stats shell
-
replace: olcIdleTimeout
olcIdleTimeout: 30

# Set access for the monitor db.
dn: olcDatabase={2}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="cn=Manager,dc=syco,dc=net" read  by * none

# Set password for cn=admin,cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb

# Change LDAP-domain, password and access rights.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=syco,dc=net
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=syco,dc=net
-
replace: olcRootPW
olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb
-
replace: olcAccess
olcAccess: {0}to attrs=employeeType by dn="cn=sssd,dc=syco,dc=net" read by self read by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {2}to dn.base="" by * none
olcAccess: {3}to * by dn="cn=admin,cn=config" write by dn="cn=sssd,dc=syco,dc=net" read by self write by * none
EOF

##########################################################
# Configure sudo in ldap
#
# Users that should have sudo rights, are configured in
# in the ldap-db. The ldap sudo schema are not configured
# by default, and are here created.
#
# http://eatingsecurity.blogspot.com/2008/10/openldap-continued.html
# http://www.sudo.ws/sudo/man/1.8.2/sudoers.ldap.man.html
##########################################################

# Copy the sudo Schema into the LDAP schema repository
/bin/cp -f /usr/share/doc/sudo-1.7.2p2/schema.OpenLDAP /etc/openldap/schema/sudo.schema
restorecon /etc/openldap/schema/sudo.schema

# Create a conversion file for schema
mkdir ~/sudoWork
echo "include /etc/openldap/schema/sudo.schema" > ~/sudoWork/sudoSchema.conf

# Convert the "Schema" to "LDIF".
slapcat -f ~/sudoWork/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudoWork/sudo.ldif

# Remove invalid data.
sed -i "s/{0}sudo/sudo/g" ~/sudoWork/sudo.ldif

# Remove last 8 (invalid) lines.
head -n-8 ~/sudoWork/sudo.ldif > ~/sudoWork/sudo2.ldif

# Load the schema into the LDAP server
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret -f ~/sudoWork/sudo2.ldif

# Add index to sudoers db
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sudoUser    eq
EOF

###########################################################
# Create modules area
#
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap/
EOF

###########################################################
# Add auditlog overlay.
#
# http://www.manpagez.com/man/5/slapo-auditlog/
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=module{0},cn=config
changetype:modify
add: olcModuleLoad
olcModuleLoad: auditlog.la

dn: olcOverlay=auditlog,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/auditlog.log
EOF

###########################################################
# Add accesslog overlay.
#
# http://www.manpagez.com/man/5/slapo-accesslog/
#
# TODO: Didn't get it working.
#
###########################################################
# ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
# dn: cn=module,cn=config
# objectClass: olcModuleList
# cn: module
# olcModulePath: /usr/lib64/openldap/
# olcModuleLoad: access.la
#
#
# dn: olcOverlay=accesslog,olcDatabase={1}bdb,cn=config
# changetype: add
# olcOverlay: accesslog
# objectClass: olcOverlayConfig
# objectClass: olcAccessLogConfig
# logdb: cn=auditlog
# logops: writes reads
# # read log every 5 days and purge entries
# # when older than 30 days
# logpurge 180+00:00 5+00:00
# # optional - saves the previous contents of
# # person objectclass before performing a write operation
# logold: (objectclass=person)
# EOF

###########################################################
# Add pwdpolicy overlay
#
# http://www.zytrax.com/books/ldap/ch6/ppolicy.html
# http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release
# http://www.symas.com/blog/?page_id=66
###########################################################

ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=module{0},cn=config
changetype:modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=syco,dc=net
EOF

##########################################################
# Add users, groups, sudoers. Ie. the dc=syco,dc=net database.
##########################################################
ldapadd  -H ldap:/// -x -D "cn=Manager,dc=syco,dc=net" -w secret  -f /opt/syco/doc/ldap/manager.ldif

###########################################################
# Create certificates
###########################################################

# Create CA
echo "00" > /etc/openldap/cacerts/ca.srl
openssl req -new -x509 -sha512 -nodes -days 3650 -newkey rsa:4096\
    -out /etc/openldap/cacerts/ca.crt \
    -keyout /etc/openldap/cacerts/ca.key \
    -subj '/O=syco/OU=System Console Project/CN=systemconsole.github.com'

# Creating server cert
openssl req -new -sha512 -nodes -days 1095 -newkey rsa:4096 \
    -keyout /etc/openldap/cacerts/slapd.key \
    -out /etc/openldap/cacerts/slapd.csr \
    -subj '/O=syco/OU=System Console Project/CN=ldap.syco.net'
openssl x509 -req -sha512 -days 1095 \
    -in /etc/openldap/cacerts/slapd.csr \
    -out /etc/openldap/cacerts/slapd.crt \
    -CA /etc/openldap/cacerts/ca.crt \
    -CAkey /etc/openldap/cacerts/ca.key

#
# Customer create a CSR (Certificate Signing Request) file for client cert
#
openssl req -new -sha512 -nodes -days 1095 -newkey rsa:4096 \
    -keyout /etc/openldap/cacerts/client.key \
    -out /etc/openldap/cacerts/client.csr \
    -subj '/O=syco/OU=System Console Project/CN=client.syco.net'

#
# Create a signed client crt.
#
cat > /etc/openldap/cacerts/sign.conf << EOF
[ v3_req ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
EOF

openssl x509 -req -days 1095 \
    -sha512 \
    -extensions v3_req \
    -extfile /etc/openldap/cacerts/sign.conf \
    -CA /etc/openldap/cacerts/ca.crt \
    -CAkey /etc/openldap/cacerts/ca.key \
    -in /etc/openldap/cacerts/client.csr \
    -out /etc/openldap/cacerts/client.crt

# One file with both crt and key. Easier to manage the cert on client side.
cat /etc/openldap/cacerts/client.crt /etc/openldap/cacerts/client.key > \
    /etc/openldap/cacerts/client.pem

# Create hash and set permissions of cert
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
chown -Rf root:ldap /etc/openldap/cacerts
chmod -Rf 750 /etc/openldap/cacerts
restorecon -R /etc/openldap/cacerts

# View cert info
# openssl x509 -text -in /etc/openldap/cacerts/ca.crt
# openssl x509 -text -in /etc/openldap/cacerts/slapd.crt
# openssl x509 -text -in /etc/openldap/cacerts/client.pem
# openssl req -noout -text -in /etc/openldap/cacerts/client.csr

###########################################################
# Configure ssl
#
# Configure slapd to only be accessible over ssl,
# with client certificate.
#
# http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0
# http://www.openldap.org/faq/data/cache/185.html
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=config
changetype:modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/slapd.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/slapd.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.crt
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
EOF

# Enable LDAPS and dispable LDAP
sed -i 's/[#]*SLAPD_LDAPS=.*/SLAPD_LDAPS=yes/g' /etc/sysconfig/ldap
sed -i 's/[#]*SLAPD_LDAP=.*/SLAPD_LDAP=no/g' /etc/sysconfig/ldap
service slapd restart

# Configure the client cert to be used by ldapsearch for user root.
sed -i '/^TLS_CERT.*\|^TLS_KEY.*/d' /root/ldaprc
cat >> /root/ldaprc  << EOF
TLS_CERT /etc/openldap/cacerts/client.pem
TLS_KEY /etc/openldap/cacerts/client.pem
EOF

###########################################################
# Require higher security from clients.
###########################################################
ldapadd -H ldaps://ldap.syco.net -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=config
changetype:modify
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain

dn: cn=config
changetype:modify
replace: olcSecurity
olcSecurity: ssf=128
olcSecurity: simple_bind=128
olcSecurity: tls=128
EOF

###########################################################
# Open firewall
#
# Let clients connect to the server through the firewall.
# This is done after everything else is done, so we are sure
# that the server is secure before letting somebody in.
# TODO: Add destination ip
###########################################################
iptables -I INPUT -m state --state NEW -p tcp -s 10.100.110.7/24 --dport 636 -j ACCEPT

And one that installs sssd on the client, and connects to the LDAP-server.

#!/bin/sh
###########################################################
# Install LDAP-client
#
# This part should be executed on both LDAP-Server and
# on all clients that should authenticate against the
# LDAP-server
#
# This script is based on information from at least the following links.
#   http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=2
#   http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Introduction.html
#
###########################################################

###########################################################
# Uninstall sssd
#
# Note: Only needed if sssd has been setup before.
#       might need --skip-broken when installing sssd.
###########################################################
#yum -y remove openldap-clients sssd
#rm -rf /var/lib/sss/

###########################################################
# Install relevant packages
###########################################################
# Install packages
yum -y install openldap-clients

# Pick one package from the Continuous Release
# Version 1.5.1 of sssd.
yum -y install sssd --skip-broken
yum -y install centos-release-cr
yum -y update sssd
yum -y remove centos-release-cr

###########################################################
# Get certificate from ldap server
#
# This is not needed to be done on the server.
###########################################################
if [ ! -f /etc/openldap/cacerts/client.pem ];
then
    scp [email protected]:/etc/openldap/cacerts/client.pem /etc/openldap/cacerts/client.pem
fi

if [ ! -f /etc/openldap/cacerts/ca.crt ];
then
    scp [email protected]:/etc/openldap/cacerts/ca.crt /etc/openldap/cacerts/ca.crt
fi

/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
chown -Rf root:ldap /etc/openldap/cacerts
chmod -Rf 750 /etc/openldap/cacerts
restorecon -R /etc/openldap/cacerts

###########################################################
# Configure client authenticate against ldap.
###########################################################
# Setup iptables before configuring sssd, so it can connect to the server.
iptables -I OUTPUT -m state --state NEW -p tcp -d 10.100.110.7 --dport 636 -j ACCEPT

# Communication with the LDAP-server needs to be done with domain name, and not
# the ip. This ensures the dns-name is configured.
sed -i '/^10.100.110.7.*/d' /etc/hosts
cat >> /etc/hosts << EOF
10.100.110.7 ldap.syco.net
EOF

# Configure all relevant /etc files for sssd, ldap etc.
authconfig \
    --enablesssd --enablesssdauth --enablecachecreds \
    --enableldap --enableldaptls --enableldapauth \
    --ldapserver=ldaps://ldap.syco.net --ldapbasedn=dc=syco,dc=net \
    --disablenis --disablekrb5 \
    --enableshadow --enablemkhomedir --enablelocauthorize \
    --passalgo=sha512 \
    --updateall

# Configure the client cert to be used by ldapsearch for user root.
sed -i '/^TLS_CERT.*\|^TLS_KEY.*/d' /root/ldaprc
cat >> /root/ldaprc  << EOF
TLS_CERT /etc/openldap/cacerts/client.pem
TLS_KEY /etc/openldap/cacerts/client.pem
EOF

###########################################################
# Configure sssd
###########################################################

# If the authentication provider is offline, specifies for how long to allow
# cached log-ins (in days). This value is measured from the last successful
# online log-in. If not specified, defaults to 0 (no limit).
sed -i '/\[pam\]/a offline_credentials_expiration=5' /etc/sssd/sssd.conf

cat >> /etc/sssd/sssd.conf << EOF
# Enumeration means that the entire set of available users and groups on the
# remote source is cached on the local machine. When enumeration is disabled,
# users and groups are only cached as they are requested.
enumerate=true

# Configure client certificate auth.
ldap_tls_cert = /etc/openldap/cacerts/client.pem
ldap_tls_key = /etc/openldap/cacerts/client.pem
ldap_tls_reqcert = demand

# Only users with this employeeType are allowed to login to this computer.
access_provider = ldap
ldap_access_filter = (employeeType=Sysop)

# Login to ldap with a specified user.
ldap_default_bind_dn = cn=sssd,dc=syco,dc=net
ldap_default_authtok_type = password
ldap_default_authtok = secret
EOF

# Restart sssd
service sssd restart

# Start sssd after reboot.
chkconfig sssd on

###########################################################
# Configure the client to use sudo
###########################################################
sed -i '/^sudoers.*/d' /etc/nsswitch.conf
cat >> /etc/nsswitch.conf << EOF
sudoers: ldap files
EOF

sed -i '/^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl on.*\|^tls_cert.*\|^tls_key.*\|sudoers_debug.*/d' /etc/ldap.conf
cat >> /etc/ldap.conf << EOF
# Configure sudo ldap.
uri ldaps://ldap.syco.net
base dc=syco,dc=net
sudoers_base ou=SUDOers,dc=syco,dc=net
binddn cn=sssd,dc=syco,dc=net
bindpw secret
ssl on
tls_cacertdir /etc/openldap/cacerts
tls_cert /etc/openldap/cacerts/client.pem
tls_key /etc/openldap/cacerts/client.pem
#sudoers_debug 5
EOF    

Provided are also an LDIF files that needs to be placed in the same folder as the above scripts.

# Filename: manager.ldif
###########################################################
# NEW DATABASE
###########################################################
dn: dc=syco,dc=net
objectClass: top
objectclass: dcObject
objectclass: organization
o: System Console Project
dc: syco
description: Tree root

# Used by sssd to ask general queries.
dn: cn=sssd,dc=syco,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: sssd
description: Account for sssd.
userPassword: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb

###########################################################
# Add pwdpolicy overlay
# Need to be done before adding new users.
###########################################################
dn: ou=pwpolicies,dc=syco,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=pwpolicies,dc=syco,dc=net
cn: default
#objectClass: pwdPolicyChecker
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
#pwdCheckModule: crackcheck.so
#pwdCheckQuality: 2
pwdExpireWarning: 604800
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 3600
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 3600
pwdMinLength: 12
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
EOF

###########################################################
# GROUPS
###########################################################
dn: ou=group,dc=syco,dc=net
objectClass: top
objectclass: organizationalunit
ou: group

dn: cn=sycousers,ou=group,dc=syco,dc=net
cn: sycousers
objectClass: posixGroup
gidNumber: 2000
memberUid: user1
memberUid: user2
memberUid: user3

dn: cn=sysop,ou=group,dc=syco,dc=net
cn: sysop
objectClass: posixGroup
gidNumber: 2001
memberUid: user1
memberUid: user2

dn: cn=management,ou=group,dc=syco,dc=net
cn: management
objectClass: posixGroup
gidNumber: 2002
memberUid: user1

###########################################################
# USERS
###########################################################
dn: ou=people,dc=syco,dc=net
objectClass: top
objectclass: organizationalunit
ou: people

dn: uid=user1,ou=people,dc=syco,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user1
employeeType: Sysop
givenName: User1
surname: Syco
displayName: Syco User1
commonName: Syco User1
gecos: Syco User1
initials: SU
title: System Administrator (fratsecret)
userPassword: {CRYPT}frzelFSD.VhkI
loginShell: /bin/bash
uidNumber: 2001
gidNumber: 2000
homeDirectory: /home/user1
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: [email protected]
postalCode: 666666
mobile: +46 (0)73 xx xx xx xx
homePhone: +46 (0)8 xx xx xx xx
postalAddress:

dn: uid=user2,ou=people,dc=syco,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user2
employeeType: Sysop
givenName: User2
surname: Syco
displayName: Syco User2
commonName: Syco User2
gecos: Syco User2
initials: SU
title: System Administrator
userPassword: {CRYPT}frzelFSD.VhkI
loginShell: /bin/bash
uidNumber: 2002
gidNumber: 2000
homeDirectory: /home/user2
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: [email protected]
postalCode: 666666
mobile: +46 (0)73 xx xx xx xx
homePhone: +46 (0)8 xx xx xx xx
postalAddress:

dn: uid=user3,ou=people,dc=syco,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user3
employeeType: Developer
givenName: User3
surname: Syco
displayName: Syco User3
commonName: Syco User3
gecos: Syco User3
initials: SU
title: System Administrator
userPassword: {CRYPT}frzelFSD.VhkI
loginShell: /bin/bash
uidNumber: 2003
gidNumber: 2000
homeDirectory: /home/user3
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: [email protected]
postalCode: 666666
mobile: +46 (0)73 xx xx xx xx
homePhone: +46 (0)8 xx xx xx xx
postalAddress:

###########################################################
# SUDOERS
###########################################################
dn: ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions go here
sudoOption: requiretty
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin

dn: cn=root,ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

# Allow all sysops to execute anything
dn: cn=%sysop,ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: sudoRole
cn: %sysop
sudoUser: %sysop
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

You will need to understand and edit the scripts before they are executed on your server. Amongst other things you need to customized for you installation is the things related to "syco.net", users, groups and passwords.


Client Setup

I've referred to Arlukin's answer quite a bit but I thought a pared-down version of the client setup would be helpful. Once you've got your certificates set up just do the following:

yum install sssd pam_ldap
chkconfig sssd on

authconfig      \
 --enablesssd --enablesssdauth --enablecachecreds \
 --enableldap --enableldaptls --enableldapauth \
 --ldapserver=ldap://ldap.example.com --ldapbasedn=dc=example,dc=com \
 --disablenis --disablekrb5 \
 --enableshadow --enablemkhomedir --enablelocauthorize \
 --passalgo=sha512 --updateall

Add these settings to the [domain/default] section of /etc/sssd/sssd.conf:

ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = dc=People,dc=example,dc=com
ldap_group_search_base = dc=Roles,dc=example,dc=com
ldap_group_member = member
ldap_group_nesting_level = 4

ldap_default_bind_dn = cn=fooServer,dc=Devices,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = yourSecretPassword

To test your setup without certificates:

ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = true

OpenLDAP Access Control

Some access control rules to help you get started (order does matter). Keep in mind that break allows for other rules that match the same target to be processed. Some of this is targeted toward nested groups--see dn-based linux groups from ldap for help setting them up.

to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by anonymous auth
  by self =rwdx
  by set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member*" manage
  by dn.children="ou=Special Accounts,dc=example,dc=com" auth
  • lets anonymous users authenticate
  • authenticated users can change their own passwords
  • members of the LDAP admin group can change anyone's password
  • last line is for proxy authentication by members of Special Accounts

to *
  by set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member*" manage
  by * break

allows all ldap admins to change anything


to dn.children="dc=Roles,dc=example,dc=com" attrs=member
  by set="user & this/owner" manage
  by set="user & this/owner*/member*" manage
  by set="user & this/owner*/manager*" manage
  by set="user & this/owner*/member*/manager*" manage
  by * break
  • allows users to manage groups they own
  • groups can be owners too
  • anyone who is the manager of an owner of the group can manage the group as well
  • if group foo is an owner of group bar, managers of anyone in foo can manage bar as well

to dn.children="ou=Special Accounts,dc=example,dc=com" attrs=authzTo
  by * auth

Allows proxy authentication from special accounts to any other user. This might be used so that a webserver can bind once using a special account and then check the credentials of normal users on the same connection.


to dn.children="dc=People,dc=example,dc=com" 
  attrs=givenName,sn,middleName,dateOfBirth,displayName,cn,
    telephoneNumber,fax,postalAddress,homePhone,homePostalAddress,mobile,pager,
    postalCode,postOfficeBox,preferredLanguage,streetAddress,l,st,c 
  by self write
  by * break
  • allows users to edit their "profile" fields

It's important that users aren't allowed to change any of their attributes which would affect their permissions, such as manager, or memberOf if your server supports that.


to dn.children="dc=People,dc=example,dc=com"   
  attrs=uid,uidNumber,gidNumber,mail,telephoneNumber,mobile,departmentNumber,manager,
    title,initials,givenName,sn,displayName,cn,dateHired,dateTerminated,fax,middleName,
    organizationName,organizationalUnitName,pager,postalAddress,l,st,c 
  by * read

Make some basic contact info visible to anyone.