2007/11/16

0x04. [LPIC-301] LDAP - Secure your directory

We have a working directory service. Let's search it while running tcpdump in another terminal.

# tcpdump -i ath0 -Avvv tcp -s 1000
[...]
22:37:19.725215 IP (tos 0x0, ttl 64, id 34532, offset 0, flags [DF], proto: TCP (6), length: 451) porta.tux.ldap > princess-pc.tux.4714: P, cksum 0xe48c (correct), 107:506(399) ack 78 win 181
E.....@.@..............jW..Z~..?...........
..O...s.0......d....#cn=kitchen,ou=rooms,dc=porta,dc=tux0..[0...cn1 ..kitchen0...objectClass1...top..room0..*..description1.......
A kitchen, is a room or part of a room (sometimes called "kitchen area" or a "kitchenette") used or food preparation including cooking, and sometimes also for eating and entertaining guests, if the kitchen is large enough and designed to be used that way.
(SOURCE: WIKIPEDIA)
[...]
The information is not protected in any way: the entry and all of its attributes cross the wire in clear text. An unsecured directory is not suitable for serving sensitive data. I'm going to enable basic security by configuring TLS.

Enabling TLS
In order to enable TLS you need a working OpenSSL installation. We use a Perl script called CA.pl (depending on the distribution/installation the script lives in /etc/ssl/misc, /usr/lib/ssl/ or possibly another location).

1. Generate a new certificate:
# cd /etc/ssl/misc
# ./CA.pl -newcert
Generating a 1024 bit RSA private key
..............++++++
.......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IE
State or Province Name (full name) [Some-State]:Dublin
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OOZIE
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:porta.tux
Email Address []:r00t@oozie.tux
Certificate is in newcert.pem, private key is in newkey.pem
#

2. Remove the passphrase from the newkey.pem file.
CA.pl created a passphrase-protected private key: the key in newkey.pem is encrypted with the passphrase you entered. If you don't remove it, you will have to type the passphrase every time slapd starts up. We don't want that...
# cat newkey.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,96736B31B990FBA6
[...]
-----END RSA PRIVATE KEY-----
# openssl rsa -in newkey.pem -out newerkey.pem
Enter pass phrase for newkey.pem:
writing RSA key
# cat newerkey.pem
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

3. Move both files to one location and lock down the permissions. It is important to change the ownership of the private key file to the user OpenLDAP runs as; otherwise slapd won't start.
# mv newerkey.pem /etc/openldap/ldap-key.pem
# mv newcert.pem /etc/openldap/ldap-cert.pem
# chown ldap:ldap /etc/openldap/ldap-key.pem
# chmod 600 /etc/openldap/ldap-key.pem


4. Get down to the slapd configuration.
There are three options we need to set in slapd.conf:
TLSCipherSuite - defines which cipher suites the server will accept. Possible values (multiple values are separated by a colon): HIGH, MEDIUM, +SSLv2, ...
TLSCertificateFile and TLSCertificateKeyFile - the paths to the certificate and the private key we moved in step 3.
Append the following three lines to slapd.conf and restart the daemon:

[...]
TLSCipherSuite HIGH
TLSCertificateFile /etc/openldap/ldap-cert.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem


We should now make slapd listen on the ldaps port (636). This is done by passing '-h ldaps:///' to slapd when starting it; on Gentoo, for example, edit /etc/conf.d/slapd and set OPTS="-h ldaps:///". The next time you restart slapd it will listen on ldaps only. If you extend the argument to "-h 'ldaps:/// ldap://'" it will listen on both ports, 389 and 636.

5. Correct some lines in ldap.conf on the client side.

An example follows.
##
# ldap.conf
##
SSL START_TLS
BASE dc=porta,dc=tux
HOST porta.tux
# If the host in URI differs from the CN on the certificate, some configurations
# report an error (TLS: hostname does not match CN in peer certificate)
# when TLS_REQCERT is set to hard or is not specified at all.
URI ldaps://porta.tux/

TLS_CIPHER_SUITE HIGH
TLS_REQCERT allow
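Steps 3 to 5 are easy to get subtly wrong (a private key left world-readable, a key owned by root, or a client that never checks who it is talking to). Below is an added pre-flight check for exactly those points; it is example code written for this page, not code from the original post or from OpenLDAP. It assumes the directive names used above, takes the ldap uid and file paths from the caller, and builds constructed slapd.conf/ldap.conf fragments in a temporary directory for the demo. Note that the TLS_REQCERT allow value in the example ldap.conf above means the client accepts any certificate the server presents; the checker flags that as a weak setting.

```python
"""Pre-flight audit of the OpenLDAP TLS setup from steps 3 to 5.

Added example, not code from the original post. It checks that slapd.conf
carries the three TLS directives, that the private key named there is owned by
the ldap user and unreadable by anyone else (otherwise slapd refuses to start,
or worse, starts with a key every local user can copy), and that the client's
ldap.conf actually verifies the server certificate. Paths, the ldap uid and the
sample configs are constructed for the demo.
"""
import os
import stat
import tempfile

SERVER_DIRECTIVES = ("TLSCipherSuite", "TLSCertificateFile", "TLSCertificateKeyFile")

# TLS_REQCERT values that let a session proceed without a verified server
# certificate: 'never' requests none, 'allow' ignores a bad one. With either,
# the client cannot distinguish porta.tux from a host impersonating it.
WEAK_REQCERT = {"never", "allow"}


def parse_conf(text):
    """Return {KEY: value} for 'key value' lines; comments and blanks skipped.
    Keys are upper-cased so slapd.conf and ldap.conf share one parser."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def audit_server(slapd_conf_text, ldap_uid):
    """Return a list of findings for the server side; empty means all good."""
    findings = []
    conf = parse_conf(slapd_conf_text)
    for directive in SERVER_DIRECTIVES:
        if directive.upper() not in conf:
            findings.append("missing directive: %s" % directive)
    key_path = conf.get("TLSCERTIFICATEKEYFILE")
    if key_path:
        try:
            st = os.stat(key_path)
        except FileNotFoundError:
            findings.append("key file not found: %s" % key_path)
            return findings
        # Any group/other permission bit exposes the private key to local users.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("key file readable by others: %s (mode %o)"
                            % (key_path, stat.S_IMODE(st.st_mode)))
        # slapd drops privileges to the ldap user, which must be able to read the key.
        if st.st_uid != ldap_uid:
            findings.append("key file not owned by ldap uid %d" % ldap_uid)
    return findings


def audit_client(ldap_conf_text):
    """Return a list of findings for the client's ldap.conf; empty means all good."""
    findings = []
    conf = parse_conf(ldap_conf_text)
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # libldap default is demand
    if reqcert in WEAK_REQCERT:
        findings.append("TLS_REQCERT %s: server certificate is not verified" % reqcert)
    elif "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        # demand/hard/try need a trust anchor; our certificate is self-signed,
        # so the server certificate itself has to be listed as the CA cert.
        findings.append("TLS_REQCERT %s but no TLS_CACERT/TLS_CACERTDIR: "
                        "a self-signed server certificate will be rejected" % reqcert)
    return findings


def demo():
    """Audit a constructed config pair before and after the fixes from the post."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "ldap-key.pem")
        cert = os.path.join(d, "ldap-cert.pem")
        for path in (key, cert):
            with open(path, "w") as f:
                f.write("placeholder, not real key material\n")  # constructed
        slapd_conf = ("TLSCipherSuite HIGH\n"
                      "TLSCertificateFile %s\n"
                      "TLSCertificateKeyFile %s\n" % (cert, key))
        os.chmod(key, 0o644)                 # the mistake: key left world-readable
        before = audit_server(slapd_conf, os.getuid())
        os.chmod(key, 0o600)                 # the fix from step 3
        after = audit_server(slapd_conf, os.getuid())
        weak_client = audit_client("URI ldaps://porta.tux/\nTLS_REQCERT allow\n")
        strong_client = audit_client("URI ldaps://porta.tux/\nTLS_REQCERT demand\n"
                                     "TLS_CACERT /etc/openldap/ldap-cert.pem\n")
    return before, after, weak_client, strong_client


if __name__ == "__main__":
    for name, result in zip(("server before", "server after",
                             "client weak", "client strong"), demo()):
        print("%-14s %s" % (name, result or "OK"))
```

Run it as root on the LDAP host with the real /etc/openldap/slapd.conf text and the ldap user's uid (from pwd.getpwnam("ldap").pw_uid) to audit a live setup. Pointing TLS_CACERT at the server's own certificate is what lets a client keep TLS_REQCERT demand while the server uses the self-signed certificate created in step 1.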

6. Now check that things work and that the connection is encrypted:


# tcpdump -i ath0 -Avvv tcp -s 1000
[...]
22:20:22.252954 IP (tos 0x0, ttl 64, id 11062, offset 0, flags [DF], proto: TCP (6), length: 1500) porta.tux.ldaps > princess-pc.tux.6376: . 2937:4385(1448) ack 517 win 108
E...+6@.@............|....I.9#.....l$......
.x)........Bn.e..EaP9}.... ".}W,=evN.i!{...`=,.W.W/[..MIy/._.Lp.;~.G...L.y...v.Eh.E....5m.T,:.. pR..Wqj.y..._..v...j]..H...t..>....IaV..-........P....=C...v......s*.....MS.
...
.NE.........]6.m.......b.\.c. ..Y...z5..Aco... J0.+.....[=4VHc......k....q..... a)IB....l..t.&.d...d.91..qgE..6.......l.f2....nq... ..!...D....A,.%4.XL..&..I..}..ETH..q..dx.Q..R.d....H)h.WFR.[..\...]J.k>..\v.jpHF...W..T...M..U*t...C.D......!.+,...7.....m.. .....p......y..?cj...;....J.....oZ]...&.r.!~.^....0/.....J#...^.N.1`....y.*..4Je"...............[...5.9B..;..g/g......Q4.ZH.=.....f.y.(...\Gl.=......=...AW..A.._..s.E.w}s.0...8}...
.._#(...vx.`ah...Q..CQC.X>..........F..o{U....O.i.B.....06"..r.e..
k^...V6..<&X.[...n........Q...mJ. f.w3.. _nt...C.Z.kv....Y.....J..{}...;+.E ..pI..c.#.;f6.dI..iP...>.u..^.i..f.e.|....s.-.2.X..;.d#..
[...]
That looks much better.

(Un)Setting rootdn and rootpw
rootdn comes by default in slapd.conf with a clear-text password. Keeping it this way is not the best idea, because:
- clear-text passwords are never a good idea
- no ACLs apply to rootdn (in our case "cn=Manager,dc=porta,dc=tux"), so it's common practice to remove rootdn from slapd.conf and use regular accounts for making changes to the directory.
If you want to keep rootdn, then change the password as soon as possible. This can be done with the slappasswd program.
porta # slappasswd -s 's3(r3t' -h {SSHA}
{SSHA}HB7uA/XbtlVuDQ/ZF0jdJyWEe6E1jLc7
Now copy and paste the hash into slapd.conf as the rootpw value.
If you use slappasswd with the -s option, make sure the password does not stay in your .bash_history ...
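To show what slappasswd actually produces, here is an added example (not part of the original post) that builds and verifies an {SSHA} value the same way: SHA-1 over the password followed by a 4-byte random salt, then base64 of digest plus salt, which is also the shape of the 32-character hash above. It also checks a slapd.conf fragment for a rootpw without a {SCHEME} prefix, i.e. one still in clear text. The slapd.conf fragments are constructed; the rootpw value "secret" stands in for whatever your distribution ships.

```python
"""{SSHA} hashing as slappasswd does it, with a check for a clear-text rootpw.

Added example, not code from the original post. The {SSHA} format is the
standard one slapd understands: base64(SHA1(password || salt) || salt) with a
4-byte salt. The sample slapd.conf fragments are constructed for the demo.
"""
import base64
import hashlib
import hmac
import os
import re

SCHEME_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")   # {SSHA}, {CRYPT}, {MD5}, ...


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value like 'slappasswd -h {SSHA}' does."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_findings(slapd_conf_text):
    """Report whether rootdn is still configured and whether rootpw is clear text."""
    result = {"rootdn": False, "rootpw_cleartext": False}
    for line in slapd_conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) == 2 else ""
        if key == "rootdn":
            result["rootdn"] = True
        elif key == "rootpw" and not SCHEME_PREFIX.match(value):
            result["rootpw_cleartext"] = True
    return result


def demo():
    """Compare the stock clear-text rootpw line with one carrying a generated hash."""
    weak = 'rootdn "cn=Manager,dc=porta,dc=tux"\nrootpw secret\n'
    fixed = 'rootdn "cn=Manager,dc=porta,dc=tux"\nrootpw %s\n' % ssha_hash("s3(r3t")
    return rootpw_findings(weak), rootpw_findings(fixed)


if __name__ == "__main__":
    print(demo())
```

Generating the hash in-process, or running slappasswd without -s so it prompts, keeps the password off the command line and out of .bash_history. Note that rootpw_findings still reports rootdn as present even when the password is hashed: the hash fixes the clear-text problem, not the "no ACLs apply" one.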
