Thursday, March 29, 2012

Configuring OpenLDAP for High Availability. (Master/Slave or Provider/Consumer configuration) [Part 3 of 4]

This tech-note is the third in a series of 4, it describes the process to go through to setup openLDAP in a consumer/provider (master-slave) configuration. It is done in two steps here, the first step is setting up the two directories to replicate to each other which may be all that is required in some environments. The next step secures the consumer server so that it is accessed via LDAPS and then changes the replication configuration so that the replication is done over the encrypted channel.

Configuration of Consumer/Provider directory topology

Firstly we create an OpenLDAP directory instance on a compute node.  Perform the steps described here to create a directory but stop short of running the migrate_all.pl script.  (We do not need to create the entries in the directory as these will already exist in the master or Provider directory.)

i.e.
  1. Edit the slapd.conf file to enter password details, suffix, directory location etc.
  2. Create the directory location on the filesystem and give it ownership of ldap:ldap
  3. Run updatedb, and locate DB_CONFIG and copy the config file into the directory server location.
  4. On the provider create a user to use to for the replication traffic.  This gives an LDAP user that can be used by the consumer to authenticate to the provider directory.   I created an additional organisation unit (ou=service-users) to hold the users that are not unix OS users. Thus I have an entry as shown in the LDIF below:-

    dn: cn=replication,ou=service-users,dc=oscexa,dc=com
    objectclass: person
    objectclass: top
    cn: replication
    sn: Replication User
    userpassword: {SHA}41vs5sXm4OhspR0EQOkigqnWrIo=
  5. Edit the slapd.conf file to add in all the details that will enable replication.
First change the slapd.conf on the provider putting the following lines at the end of the file (and the serverID up at the point in which the base info is defined.)

...
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

serverID 001database bdb
suffix "dc=el01,dc=com"
...
...
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

Where
  • overlay syncprov - Specifies that the overlay syncprov is to be used. (Essentially an overlay is an add-on or plugin to extend openLDAP functionality.  In the recent releases this overlay is compiled into the base openldap service so there is no need to specifically load the module.)
  • syncprov-checkpoint - Defines the number of operations or the number of minutes elapsed since the last checkpoint before checkpointing again. (eg. In our example the system will allow either 100 updates before checkpointing the system or 10 minutes.)
  • syncprov-sessionlog - The number represents the maximum number of session log entries.


Now change the slapd.conf on the consumer, again adding in the lines highlighed in bold.

...
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

serverID 002database bdb
suffix "dc=el01,dc=com"
...
...
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM

syncrepl rid=001 provider=ldap://<The IP/hostname of provider server>:389 type=refreshAndPersist searchbase="dc=oscexa,dc=com" filter="(objectClass=*)" scope=sub attrs="*" bindmethod=simple binddn="cn=replication,ou=service-users,dc=el01,dc=com" credentials=welcome1 tls_cert=/etc/openldap/cacerts/server.pem
mirrormode on updateref ldap://<The IP/hostname of provider server>:389

The changes mentioned above are:-

  • ServerID - Adding a unique ID for each consumer server to add to the environment.
  • syncrepl rid=001 - This parameter and all the sub-parameters define the URL of the provider server to replicate from, what data is to be copied, the credentials of the user to use, how they bind, if LDAPS is to be used the location of the certificate file to use etc.
  • mirrormode - Defines that the server is to be a mirror of the provider and take over as the master should the original provider fail.
  • updateref - As this is a consumer any attempted updates are to be directed back to the provider.

Now restart the directory on the provider and then start the directory on the consumer . Check that the contents have been replicated over to the consumer by performing some queries against it.
Note - I ran into some oddities when setting this up myself in that I had added some additional security to my provider which limited the visibility of entries in the directory.  Ensure that the user you are using to authenticate to the directory with has full visibility of the subtree required for authenticating Unix users.  (In particular the Group and People subtrees.)

Configure Consumer for LDAPS

Setting up a consumer to use LDAPS is the same as described here. In summary:-
  • Create a self signed certificate and private key via the usage of the openssl command line
    • # cd /etc/openldap/cacerts
    • # openssl req -newkey rsa:1024 -x509 -nodes -out cacerts.pem -keyout slave-key.pem -days 3650
  • Edit the slapd.conf file to specify that the server is to start up an SSL listener. Using the cacerts.pem file as the CA certificate file and the slave.pem for encrypting & key.
    • TLSCACertificateFile /etc/openldap/cacerts/cacerts.pem
    • TLSCertificateFile /etc/openldap/cacerts/slave-key.pem
    • TLSCertificateKeyFile /etc/openldap/cacerts/slave-key.pem
  • Edit the /etc/sysconfig/ldap file to specify that the server is to startup the LDAPS listener.
  • Restart the directory.
    • service ldap restart
Test connecting to the directory to ensure that it has started up using the LDAPS self-signed certificate.

Configure Replication to use LDAPS

In this case the consumer will be connecting to the provider server using SSL encryption for the LDAP traffic. This means that the configuration for the replication must be changed to make use of the LDAPS URL and because we are using self-signed certificates we will have to include the public key from the provider server into the cacerts file that the consumer uses so that it will trust the certificate. Thus there are two steps to setting up secure replication:-
  1. Copy the contents of the cacerts file on the provider machine (Everything from -----BEGIN CERTIFICATE....... to END CERTIFICATE -----) and add it to the consumer's TLSCACertificateFile. (Namely the /etc/openldap/cacerts/cacerts.pem file above.)  Thus the Cert Authority (CA) Certificate's file contains the public keys for both the provider and the consumer directories.
  2. Change the slapd.conf file to use the LDAPS protocol for connecting.
Thus the /etc/openldap/cacerts/cacerts.pem file on the consumer will look similar to:-
-----BEGIN CERTIFICATE-----
MIIDjTCCAvagAwIBAgIJALnM0ossPNG7MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYD
VQQGEwJHQjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MQ8w
DQYDVQQKEwZPcmFjbGUxDTALBgNVBAsTBEVTQVQxETAPBgNVBAMTCHZiZWxjbjAy
MSQwIgYJKoZIhvcNAQkBFhVkb24uZm9yYmVzQG9yYWNsZS5jb20wHhcNMTIwMjI3
MTcwMzI4WhcNMjIwMjI0MTcwMzI4WjCBjDELMAkGA1UEBhMCR0IxEjAQBgNVBAgT
CUJlcmtzaGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEPMA0GA1UEChMGT3JhY2xlMQ0w
CwYDVQQLEwRFU0FUMREwDwYDVQQDEwh2YmVsY24wMjEkMCIGCSqGSIb3DQEJARYV
ZG9uLmZvcmJlc0BvcmFjbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDAAayDQPmwZR+imG3nKHsx5578pnlupzqINfsujjhWmc0YqVjs4YATgsN/tVpl
iGHWvXMUzIiadeZF0n7/esj5aDgcfS46oUFasPCv99oWUoTDGeFrpPM7J/mfay+F
CnI5mOUuRpKt4dsafq9MIkA+ja3lMPpdBqqANE3H9Fo3mQIDAQABo4H0MIHxMB0G
A1UdDgQWBBTbmP3A7dsaf7R3NxnFz9ra0GuhhjCBwQYDVR0jBIG5MIG2gBTbmP3A
77R3NxnFz9ra0GgV0quhhqGBkqSBjzCBjDELMAkGA1UEBhMCR0IxEjAQBgNVBAgT
CUJlcmtzaGlyZTEQMA4GAds1UEBxMHTmV3YnVyEPMA0GA1UEChMGT3JhY2xlMQ0w
CwYDVQQLEwRFU0FUMREwDwYDVQQDEwh2YmVsY24wMjEkMCIGCSqGSIb3DQEJARYV
ZG9uLmZvcmJlc0BvcmFjbGUuY29tggkAuczSiyw80bswDAYDVR0TBAUwAwEB/zAN
BgkqhkiG9w0BAQUFAAOBgQBF2AOdub20EbRUnzCWik9l7s8Xji5PVSq9dVbNrLBA
7OhkzzzVux2+4ce9GaiAwjSdMVbLJmH0z0O5URvtGA7/sx/F2/QwUBIPhb097ymK
Qh9+CJN+iWkcRHOPvsEjnvLnoytwqeb7MZgSPvm/KmhBB5YumyBe41AZAjWDQtwP
CQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDjTCCAvagAwIBAgIJAK0aMmYpr7uXMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYD
VQQGEwJHQjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MQ8w
DQYDVQQKEwZPcmFjbGUxDTALBgNVBAsTBEVTQVQxETAPBgNVBAMTCHZiZWxjbjAx
MSQwIgYJKoZIhvcNAQkBFhVkb24uZm9yYmVzQG9yYWNsZS5jb20wHhcNMTIwMzI5
MTU1MzMxWhcNMjIwMzI3MTU1MzMxWjCBjDELMAkGA1UEBhMCR0IxEjAQBgNVBAgT
CUJlcmtzaGlyZTEQMA4GA1UEBxMHTmV3YnVyeTEPMA0GA1UEChMGT3JhY2xlMQ0w
CwYDVQQLEwRFU0FUMREwDwYDVQQDEwh2YmVsY24wMTEkMCIGCSqGSIb3DQEJARYV
ZG9uLmZvcmJlc0BvcmFjbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQCxKekSkIPiw7IDMzGYzC6aiDhC9rJIlJizziig4W+OgrpUqLpDaK2xmoSewD/V
RxCc8yjzPElI7YOcnb69M7rVfhPs8IEXl2YkW4qfy76FdiOwNcbRsoPk3WT9h69k
du8DgSddRvk537XhejCg0vpR/Lfj0U6tsuudVxIY+yWclwIDAQABo4H0MIHxMB0G
A1UdDgQWBBR8PO0bvXCJlARZbMHLu289yFzqCjCBwQYDVR0jBIG5MIG2gBR8PO0b
vXCJlARZbMHLu289yFzqCqGBkqSBjzCBjDELMAkGA1UEBhMCR0IxEjAQBgNVBAgT
CUJlcmtzaGlyZTEQMA4GAwDwYDVQQDEwh2YsY24wMTEkMCIGCSqGSIb3DQEJARYV
ZG9uLmZvcmJlc0BvcmFjbGUuY29tggkArRoyZimvu5cwDAYDVR0TBAUwAwEB/zAN
BgkqhkiG9w0BAQUFAAOBgQA+KrjdrkERBL4OaPib8BtEnLRMKCsgtKin0hbOJd+w
GJIr9BQNhYXB6qib2RWZBn9tF/7WfqLHavhaPgD3qo3d01TOWs2A09TaeX7FBk+g
Y4UU7QP9UarkZLSdEPfPuMmniCr8mrqRph/fH/qVVecU1U4mIVekQzanqd1vHii8
xg==
-----END CERTIFICATE-----
And the slapd.conf will have a section that looks similar to:-

...
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
syncrepl rid=001
provider=ldaps://<Hostname of provider LDAP server>:636
type=refreshAndPersist
searchbase="dc=el01,dc=com"
filter="(objectClass=*)"
...

In the same manner the update URL is switched to use the LDAPS URL as well.

Now edit the file /etc/sysconfig/ldap on both the provider and consumer servers and set them to only start up the LDAPS listener. The contents of the file looking like:-

# Parameters to ulimit called right before starting slapd
# - use this to change system limits for slapd
ULIMIT_SETTINGS=

# How long to wait between sending slapd TERM and KILL
# signals when stopping slapd by init script
# - format is the same as used when calling sleep
STOP_DELAY=3s

# By default only listening on ldap:/// is turned on.
# If you want to change listening options for slapd,
# set following three variables to yes or no
SLAPD_LDAP=no
SLAPD_LDAPS=yes
SLAPD_LDAPI=no

And now restart the directory services on both instances and test to ensure you can only access the services on the secure port (636) and that replication is working as you would expect.

# service ldap restart