Using OpenLDAP commands

The Server Suite OpenLDAP proxy service includes a set of OpenLDAP commands that have been modified to look up information in Active Directory domain controllers and the global catalog. The Server Suite distribution of OpenLDAP supports most of the standard options and syntax for performing LDAP operations, but its ldap commands also accept the following options, which a standard OpenLDAP distribution does not:

Use this option   To do this
-m                Use the local machine credentials from the /etc/krb5.keytab file. This option requires root user access.
-r                Disable line wrapping when printing out LDIF entries.

The Server Suite distribution of OpenLDAP also provides extended URL support for Active Directory. With Server Suite LDAP commands, you can use the following URLs to connect to Active Directory computers:

Use this             To do this
ldap://domain_name   Connect to the appropriate domain controller for the specified domain within the Active Directory site.
ldap://              Connect to the joined domain.
gc://[domain_name]   Connect to the global catalog domain controller for the joined domain. You can use the optional domain_name parameter to specify a domain in a different forest.

The Server Suite distribution of OpenLDAP includes the following commands:

  • ldapsearch

  • ldapadd

  • ldapmodify

  • ldapmodrdn

  • ldapcompare

  • ldapdelete

The ldappasswd and ldapwhoami commands do not work with Active Directory. For more information about using the OpenLDAP commands or the standard options available, see the man page for each command.

Server Suite OpenLDAP proxy commands attributes

The Server Suite OpenLDAP proxy commands accept the following attribute selectors in the attribute list of a search (the names that follow the filter on an ldapsearch command line).

  • dn - Specifying dn returns only the distinguished name of each matching entry.

  • 1.1 - Specifying 1.1 also returns only the distinguished name.

  • * - What the asterisk (*) returns depends on how it is combined:

    • If only * is specified, the Server Suite OpenLDAP proxy returns all of the attributes it supports.

    • If * is specified together with other attribute names, the Server Suite OpenLDAP proxy returns only the named attributes. Note that this differs from a standard LDAP server, where * plus named attributes returns all user attributes as well as the named ones.

Searching for users and groups

If you want to use ldapsearch to find a UNIX-enabled user, do not filter on objectclass=user or objectcategory=person. Instead, filter on objectclass=posixaccount (LDAP attribute and class names are case-insensitive, so objectClass=posixAccount is equivalent). For example, to find the user with the UNIX name jtr, enter a command similar to the following, which prompts for the bind password (-W) instead of taking it on the command line:

/usr/share/centrifydc/bin/ldapsearch -x -h localhost \
    -D "CN=Administrator,CN=Users,DC=pistolas,DC=org" -W \
    -b "dc=pistolas,dc=org" "(&(objectclass=posixaccount)(uid=jtr))"

Optionally, use the UID number instead of the UNIX name:

"(&(objectclass=posixaccount)(uidNumber=1234567))"

Similarly, use objectclass=posixgroup to retrieve information on a group. The following attributes are useful in the filter:

  • cn: Find a group with a given UNIX name

  • gidNumber: Find a group with a given GID

  • memberUid: Find the secondary groups of a given UNIX user (the user's primary group comes from the gidNumber on the user's own entry)

Searching the global catalogs

In most cases, you use the Server Suite OpenLDAP proxy service to search for information through the domain controller. However, you can also use the Server Suite OpenLDAP proxy service to perform searches in the global catalog, if needed. The global catalog search is especially useful if you have a large, multiple-domain forest.

To specify that you want the Server Suite OpenLDAP proxy service to search the global catalog, add "CN=$" to the front of the search base. Put the base in single quotes (or make sure the $ is not followed by a variable name) so that the shell does not try to expand it.

To find a specific account in the global catalog, use a filter such as:

"(&(objectCategory=Person)(Name=amy.adams*))"

For example, in the global catalog, you might type a command similar to the following. Use -W to be prompted for the password rather than -w password, which leaves the password visible in the process list and in the shell history:

/usr/share/centrifydc/bin/ldapsearch -x -h localhost \
    -D "cn=amy.adams,cn=NewUsers,dc=ajax,dc=org" -W \
    -b 'cn=$' "(&(objectCategory=Person)(Name=amy.adams*))"

By default the Centrify OpenLDAP proxy service is configured to disable anonymous binds. To allow anonymous binds:

  1. Edit the /etc/centrifydc/openldap/slapd.conf file.

  2. Remove or comment out the following line.

    require authc

If anonymous binds are enabled, you no longer need to specify the -D and -W (or -w) parameters to invoke an ldapsearch. Keep in mind that an anonymous bind lets anyone who can reach the proxy's listener read whatever the proxy returns, so restrict network access to the proxy before removing the requirement. For example:

ldapsearch -h localhost -x -b "dc=wonder,dc=land" \
    "(&(objectClass=User)(displayName=Mister\*))" displayName

Minimizing search traffic to adclient

To minimize the traffic that an ldapsearch generates to adclient, and from adclient to Active Directory, the Server Suite OpenLDAP proxy implements an in-memory cache. The cache is disabled by default. With it enabled, repeated searches can be answered from memory, so results can lag behind changes made in Active Directory.

To enable the Server Suite OpenLDAP proxy memory cache, add the following line to slapd.conf:

ldapproxy.cache.enabled true

Enabling encrypted communication

If you are using SASL/GSSAPI to authenticate to the OpenLDAP proxy, the SASL security layer provides data integrity and data confidentiality for the connection between LDAP clients and the Server Suite OpenLDAP proxy service. For more information, see Enabling SASL/GSSAPI authentication.

If you are using simple authentication, communication between LDAP clients and the Server Suite OpenLDAP proxy service is not encrypted: the bind password and every query and result cross the network in clear text. In this situation, use Transport Layer Security (TLS) to secure communications between LDAP clients and the Server Suite OpenLDAP proxy service. To use TLS you must create or obtain the required certificates and configure both the LDAP client and the LDAP server to use them. The LDAP server needs the certification authority (CA) certificate, its own server certificate, and the matching private key; the client needs the CA certificate so that it can verify the server.

The current versions of the ldapsearch client and ldapproxy server support Transport Layer Security (TLS) v1.2.

Depending on your network topology, you might also need to modify client-side or server-side configuration settings to successfully return search results.

Preparing for auto-enrollment

You can configure the Server Suite OpenLDAP proxy service to automatically get the certificate, private key, and CA chain for secure LDAP (ldaps) connections. To configure automatic enrollment for certificates, however, you must have an Active Directory domain controller that you can use as a certification authority for issuing certificates.

The following steps summarize how to prepare the domain controller:

  1. Use Server Manager to add the Active Directory Certificate Services role to a domain controller.

  2. In the Add Roles wizard, select the Certification Authority role service and follow the prompts displayed to configure the server role.

  3. Open the Certificates MMC snap-in, select the domain controller certificate, right-click, then click Open.

  4. Select the Details tab, click Copy to file, then follow the prompts displayed to export the certificate to a file.

  5. From Administrative Tools, select Group Policy Management, then select an appropriate Group Policy Object for the forest and domain you want to edit.

  6. Right-click the Group Policy Object, then click Edit.

  7. Under Computer Configuration, expand Policies > Windows Settings > Security Settings, then select Public Key Policies.

  8. Select Trusted Root Certificate Authorities, right-click to select Import, then follow the prompts displayed to import the certificate.

  9. Select Certificate Services Client - Auto-Enrollment, then select Enabled.

  10. From Administrative Tools, select Certification Authority, expand the name of the domain controller you are using as the certification authority, then select Certificate Templates.

  11. Right-click to select Manage, select an appropriate template to use, such as the Computer template, right-click, then click Duplicate Template to open the properties page for the new template.

  12. Type an appropriate name for the new template, such as Server Suite OpenLDAP Proxy.

  13. Click the Security tab, select the Domain Computers group, select Allow for the Autoenroll permission, then click Apply.

    You can set other properties on the remaining tabs, as needed. For example, you might want to click the Subject Name tab to change the subject name format to Fully distinguished name. When you are finished setting properties for the template, click OK.

  14. In the Certification Authority console, select Certificate Templates, right-click to select New, then click Certificate Template to Issue.

  15. Select the template you created, for example, select the Server Suite OpenLDAP Proxy template, then click OK.

Updating the Server Suite OpenLDAP proxy computer

After you have prepared the domain controller with the policy for certificate autoenrollment, you can use the following steps to provide the proxy with the required server certificate, private key, and certification authority chain.

  1. Verify the computer where you are running the Server Suite LDAP proxy service is joined to an Active Directory domain.

  2. Change to the directory where certificates for auto-enrollment are located.

    cd /var/centrify/net/certs/

    You should see files similar to the following listed in the directory:

    auto_LDAPProxy.cert
    auto_LDAPProxy.chain
    auto_LDAPProxy.key
    trust_41DFF689876FCE52E02EE73FC7E3782964DC54BB.crl
    trust_F7842B2A65489F15A1722518E41F5E6B0F4FBC5E.cert
  3. Run an openssl command similar to the following to convert the PKCS#7 chain into a PEM file of CA certificates (if openssl reports that it cannot read the file, add -inform DER):

    openssl pkcs7 -in auto_LDAPProxy.chain -print_certs -text -out auto_LDAPProxy_CA.pem
  4. Add the following lines to the /etc/centrifydc/openldap/slapd.conf configuration file. The CA chain goes in TLSCACertificateFile, the server certificate in TLSCertificateFile and the private key in TLSCertificateKeyFile. Comment out the old TLSCipherSuite line, as shown here.

    TLSCACertificateFile /var/centrify/net/certs/auto_LDAPProxy_CA.pem
    TLSCertificateFile /var/centrify/net/certs/auto_LDAPProxy.cert
    TLSCertificateKeyFile /var/centrify/net/certs/auto_LDAPProxy.key
    TLSCipherSuite TLSv1.2
    # TLSCipherSuite SSLv3

    You should also review and modify other server configuration settings, if needed. For example, you might use settings similar to the following:

    # Require START TLS on port 389
    security tls=1
    # Require TLS v1.0 or better
    TLSProtocolMin 3.1
    TLSVerifyClient try

    TLSProtocolMin uses SSL-style version numbers: 3.1 is TLS 1.0, 3.2 is TLS 1.1 and 3.3 is TLS 1.2. The value 3.1 shown above still lets a client negotiate TLS 1.0; if the proxy should accept nothing older than TLS 1.2, set TLSProtocolMin 3.3. The security tls=1 line makes the proxy refuse operations on the plain ldap:// listener until the client has completed StartTLS.
  5. Add the following line to /etc/centrifydc/openldap/ldap.conf configuration file:

    TLS_CACERT /var/centrify/net/certs/auto_LDAPProxy_CA.pem

    You should also review and modify other configuration settings, if needed. For example, you might need to change the TIMEOUT value to allow clients to wait an appropriate number of seconds for a response:

    TIMEOUT 15
  6. Restart the Centrify OpenLDAP proxy service.

    sudo /usr/share/centrifydc/bin/centrify-ldapproxy start -h ldaps:///
  7. Test operation by running an OpenLDAP command, such as ldapsearch, over ldaps.

    /usr/share/centrifydc/bin/ldapsearch -x -H ldaps://localhost:636 \
        -b 'cn=users,dc=win2012,dc=test' -D administrator@win2012.test -W \
        "(cn=test_user)"
  8. To confirm that TLSv1.2 is being used, use openssl s_client to connect to slapd, passing the CA file you configured as TLS_CACERT in step 5 (the path below is the one used by the manual procedure in Securing communication without auto-enrollment). For example, enter:

    $ openssl s_client -connect localhost:636 -showcerts -state \
        -CAfile /etc/centrifydc/openldap/cacert.pem
  9. Review the output from the previous command and confirm that the protocol is TLSv1.2, as shown here, and that the Verify return code line reports 0 (ok); any other code means the client did not accept the certificate chain.

    ...
    SSL-Session:
        Protocol  : TLSv1.2
  10. (Optional) Alternatively, to confirm that TLSv1.2 is used, run a software tool like Wireshark to capture and inspect the ldapsearch traffic.
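
The following shell functions are an added example, not Server Suite tooling. They turn the manual checks in steps 8 and 9 into something a deployment script can run: one parses the SSL-Session block that openssl s_client prints and compares the negotiated protocol against a minimum, one wraps the connection and also requires that the chain verified, and one checks that TLSProtocolMin in slapd.conf is 3.3 or higher, because the 3.1 shown in step 4 still admits TLS 1.0. Host, port, CA file and the slapd.conf path are parameters and the function names are assumptions; check_ldaps_endpoint needs a running proxy, the other functions run offline on constructed input.

```shell
#!/bin/sh
# Added example, not Server Suite tooling: script the TLS checks from the
# procedure above. Host, port, CA file and slapd.conf path are parameters;
# the function names are assumptions.

# Print the negotiated protocol (e.g. TLSv1.2) from `openssl s_client`
# output read on stdin. Matches the "Protocol  : TLSv1.2" line of the
# SSL-Session block; prints nothing if no session was established.
s_client_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}

# Succeed (return 0) if protocol $1 is at least $2 (default TLSv1.2).
tls_meets_min() {
    proto="$1"; min="${2:-TLSv1.2}"
    [ -n "$proto" ] || return 1
    have=${proto#TLSv}; want=${min#TLSv}
    # Compare major.minor numerically so that 1.10 would sort after 1.2.
    awk -v a="$have" -v b="$want" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        exit !(x[1]+0 > y[1]+0 || (x[1]+0 == y[1]+0 && x[2]+0 >= y[2]+0))
    }'
}

# Connect to the proxy, verify the chain against the CA file and print the
# protocol. Fails if the handshake fails, the chain does not verify, or the
# negotiated protocol is below TLSv1.2.
check_ldaps_endpoint() {
    host="${1:-localhost}"; port="${2:-636}"; cafile="$3"
    out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || return 1
    proto=$(printf '%s\n' "$out" | s_client_protocol)
    tls_meets_min "$proto" TLSv1.2 || return 1
    printf '%s\n' "$proto"
}

# Succeed if slapd.conf ($1) sets TLSProtocolMin to 3.3 (TLS 1.2) or higher.
# OpenLDAP numbers protocols SSL-style: 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2.
slapd_tls_min_ok() {
    v=$(sed -n 's/^[[:space:]]*TLSProtocolMin[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$v" ] || return 1
    awk -v v="$v" 'BEGIN { split(v, p, "."); exit !(p[1]+0 > 3 || (p[1]+0 == 3 && p[2]+0 >= 3)) }'
}
```

A typical call is check_ldaps_endpoint localhost 636 /var/centrify/net/certs/auto_LDAPProxy_CA.pem, which prints TLSv1.2 (or TLSv1.3) on success and exits non-zero otherwise, so it can gate a configuration-management run; slapd_tls_min_ok /etc/centrifydc/openldap/slapd.conf catches a configuration that still has the 3.1 value.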

Securing communication without auto-enrollment

If you are not using an Active Directory domain controller and autoenrollment for certificate distribution, you can manually configure the Centrify OpenLDAP proxy service to use the server certificate and private key you create.

The following steps summarize how you can manually configure the Centrify OpenLDAP proxy service to use certificates.

  1. Use CA.pl to create the certificates:

    /usr/share/centrifydc/ssl/misc/CA.pl -newca
    /usr/share/centrifydc/bin/openssl req -new -nodes -keyout newreq.pem -out newreq.pem
    /usr/share/centrifydc/ssl/misc/CA.pl -sign

    The openssl req command writes the private key and the certificate request to the same file, newreq.pem; CA.pl -sign reads the request from it and writes the signed certificate to newcert.pem.
  2. Install the certificates in the /etc/centrifydc/openldap directory. Because newreq.pem also contains the private key, it becomes the server key file; make it readable only by the account that runs the proxy (for example, chmod 600).

    cp demoCA/cacert.pem /etc/centrifydc/openldap/cacert.pem
    mv newcert.pem /etc/centrifydc/openldap/servercrt.pem
    mv newreq.pem /etc/centrifydc/openldap/serverkey.pem
  3. Add the following lines to /etc/centrifydc/openldap/slapd.conf configuration file:

    TLSCACertificateFile /etc/centrifydc/openldap/cacert.pem
    TLSCertificateFile /etc/centrifydc/openldap/servercrt.pem
    TLSCertificateKeyFile /etc/centrifydc/openldap/serverkey.pem
  4. Add the following line to /etc/centrifydc/openldap/ldap.conf configuration file:

    TLS_CACERT /etc/centrifydc/openldap/cacert.pem
  5. Start the slapd daemon using one of the following:

    /usr/share/centrifydc/libexec/slapd -h "ldaps:///"

    or

    sudo /usr/share/centrifydc/bin/centrify-ldapproxy start -h ldaps:///

    With -h "ldaps:///" the proxy listens only for LDAP over TLS on port 636, so clients must connect with -H ldaps://. To keep a StartTLS-capable listener on port 389 as well, list both URLs, for example -h "ldap:/// ldaps:///".
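
As an added example that is not part of the Server Suite documentation: the same three files can be produced with plain openssl commands, which helps where CA.pl is not installed, and the server certificate then carries a subjectAltName for every name clients will use, which the CA.pl flow above does not add unless you edit openssl.cnf and which current TLS clients require for host-name verification. The output directory and host names are parameters; key sizes, lifetimes and function names are assumptions. Include localhost among the names if you test with -H ldaps://localhost as in the auto-enrollment procedure.

```shell
#!/bin/sh
# Added example, not from the Server Suite documentation: create the CA
# certificate, server certificate and server key with plain openssl
# commands. Arguments to make_ldapproxy_certs: output directory, then one
# or more host names to place in the subjectAltName (the first becomes the
# CN). Key sizes and lifetimes below are assumptions.

make_ldapproxy_certs() {
    out="$1"; shift
    cn="$1"
    san=""
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    mkdir -p "$out" && chmod 700 "$out" || return 1
    # Private CA used only to issue the proxy certificate. The default
    # `req -x509` profile marks the certificate as a CA (basicConstraints).
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=OpenLDAP proxy CA" \
        -keyout "$out/cakey.pem" -out "$out/cacert.pem" >/dev/null 2>&1 || return 1
    # Server key and CSR. Unlike the CA.pl flow, the key file holds only the key.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$out/serverkey.pem" -out "$out/server.csr" >/dev/null 2>&1 || return 1
    # Issue the server certificate with the SAN list and a serverAuth EKU.
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$san" > "$out/server.ext"
    openssl x509 -req -in "$out/server.csr" -CA "$out/cacert.pem" -CAkey "$out/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$out/server.ext" \
        -out "$out/servercrt.pem" >/dev/null 2>&1 || return 1
    # Private keys must not be world-readable; slapd needs only read access.
    chmod 600 "$out/serverkey.pem" "$out/cakey.pem"
}

# Succeed if the server certificate chains to the CA and its SAN lists $2.
verify_ldapproxy_certs() {
    out="$1"; host="$2"
    openssl verify -CAfile "$out/cacert.pem" "$out/servercrt.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$out/servercrt.pem" -noout -text | grep -Eq "DNS:$host(,|\$)"
}

# Print the slapd.conf lines that point at the generated files; the matching
# client setting is TLS_CACERT <dir>/cacert.pem in ldap.conf.
slapd_tls_config() {
    dir="$1"
    printf 'TLSCACertificateFile %s/cacert.pem\n' "$dir"
    printf 'TLSCertificateFile %s/servercrt.pem\n' "$dir"
    printf 'TLSCertificateKeyFile %s/serverkey.pem\n' "$dir"
}
```

Running make_ldapproxy_certs /etc/centrifydc/openldap ldapproxy.example.org localhost produces cacert.pem, servercrt.pem and serverkey.pem under the same names the slapd.conf lines in step 3 expect; verify_ldapproxy_certs is worth running again after any renewal, since a certificate that chains correctly but lacks the name clients connect with still fails at the ldapsearch step.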