Secure OpenLDAP Server Configuration on CentOS 6: Best Practices for SSSD Integration with LDAPS and SELinux



Before we begin, ensure you have:

  • Fresh CentOS 6 minimal installation
  • Root access or sudo privileges
  • Network connectivity
  • Basic firewall knowledge (iptables)

First, install the necessary packages:

yum install -y openldap openldap-servers openldap-clients

Generate certificates for LDAPS (the CN must match the hostname clients will use in their ldaps:// URI, otherwise certificate verification on the clients fails):

openssl req -new -x509 -nodes -newkey rsa:2048 -out /etc/openldap/certs/server.crt \
-keyout /etc/openldap/certs/server.key -days 3650 \
-subj "/C=US/ST=California/L=SanFrancisco/O=YourOrg/CN=ldap.yourdomain.com"
chown ldap:ldap /etc/openldap/certs/*
chmod 600 /etc/openldap/certs/server.key

Edit /etc/openldap/slapd.conf (generate the {SSHA} hash for rootpw with slappasswd; never store a cleartext password here):

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key

suffix          "dc=yourdomain,dc=com"
rootdn          "cn=admin,dc=yourdomain,dc=com"
rootpw          {SSHA}hashedpassword

On client machines (first copy the server's self-signed server.crt to the client as /etc/openldap/certs/ca.crt, which sssd.conf references as ldap_tls_cacert):

yum install -y sssd authconfig
authconfig --enableldap --enableldapauth \
--ldapserver=ldaps://ldap.yourdomain.com \
--ldapbasedn="dc=yourdomain,dc=com" --enablemkhomedir --update

Edit /etc/sssd/sssd.conf (SSSD refuses to start unless this file is owned by root with mode 0600):

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.yourdomain.com/
ldap_search_base = dc=yourdomain,dc=com
ldap_tls_cacert = /etc/openldap/certs/ca.crt
# refuse servers whose certificate does not verify against ldap_tls_cacert
ldap_tls_reqcert = demand
# ldaps:// already encrypts the session; STARTTLS only applies to ldap:// URIs
ldap_id_use_start_tls = False
cache_credentials = True

Ensure proper SELinux contexts. semanage is provided by policycoreutils-python, and port 636 is already labelled ldap_port_t in the CentOS 6 policy, so verify the label and only add it if it is missing (semanage port -a fails with "already defined" otherwise):

yum -y install policycoreutils-python
semanage port -l | grep ldap_port_t
semanage port -a -t ldap_port_t -p tcp 636    # only if 636 was not listed above
setsebool -P allow_ypbind=0 authlogin_nsswitch_use_ldap=1

Configure iptables for LDAPS. Use -I rather than -A: the default CentOS 6 INPUT chain ends with a REJECT rule, so an appended ACCEPT is never reached:

iptables -I INPUT -p tcp --dport 636 -j ACCEPT
service iptables save

Verify LDAP connectivity:

ldapsearch -x -H ldaps://ldap.yourdomain.com -b "dc=yourdomain,dc=com" -D "cn=admin,dc=yourdomain,dc=com" -W

Before diving into LDAP configuration, ensure your CentOS 6 minimal installation is updated:

yum -y update
yum -y install openldap openldap-servers openldap-clients

Create the basic directory structure, set proper permissions, and start from the sample slapd.conf. Note that CentOS 6 uses the cn=config directory /etc/openldap/slapd.d in preference to slapd.conf when that directory exists, so either move it aside or convert the finished slapd.conf with slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d:

mkdir -p /var/lib/ldap
chown ldap:ldap /var/lib/ldap
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

Generate SSL certificates for LDAPS (openssl prompts for the subject; use the server's hostname as the CN):

openssl req -new -x509 -nodes -newkey rsa:2048 -out /etc/openldap/certs/server.crt \
-keyout /etc/openldap/certs/server.key -days 365
chown ldap:ldap /etc/openldap/certs/server.*
chmod 600 /etc/openldap/certs/server.key

Add these lines to /etc/openldap/slapd.conf. The cipher list must remove SSLv2 and anonymous suites: in OpenSSL cipher strings "+SSLv2" only moves the SSLv2 ciphers to the end of the list instead of deleting them, and MEDIUM admits RC4, so use "!" exclusions:

TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
TLSCipherSuite HIGH:!aNULL:!eNULL:!MD5:!SSLv2

Configure iptables to allow LDAPS traffic:

iptables -I INPUT -p tcp --dport 636 -j ACCEPT
service iptables save

For SELinux, run these commands (semanage comes from policycoreutils-python; port 636 is already labelled ldap_port_t on CentOS 6, so only add the label if the listing does not show it):

yum -y install policycoreutils-python
setsebool -P allow_ypbind=0 authlogin_nsswitch_use_ldap=1
semanage port -l | grep ldap_port_t
semanage port -a -t ldap_port_t -p tcp 636    # only if 636 was not listed above

On client machines, install required packages:

yum -y install sssd authconfig
authconfig --enableldap --enableldapauth --ldapserver=ldaps://your.ldap.server \
--ldapbasedn="dc=example,dc=com" --enablemkhomedir --update

Configure /etc/sssd/sssd.conf (mode 0600, owned by root, or SSSD will not start; copy the server's self-signed certificate to the client as the ldap_tls_cacert file):

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://your.ldap.server
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/openldap/certs/ca.crt
ldap_tls_reqcert = demand

Verify LDAP connectivity from a client:

ldapsearch -x -H ldaps://your.ldap.server -b "dc=example,dc=com"

Check that SSSD resolves users from the directory (this exercises the nss side; test a real login afterwards to confirm the pam side):

getent passwd ldapuser

For better performance with SSSD, add these to /etc/sssd/sssd.conf:

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]
offline_credentials_expiration = 2
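The two configuration files above are where the LDAPS hardening actually lives, so it is worth checking them mechanically after editing. The following audit helpers are an added example, not part of the original guide: they assume the file layout used above and flag an ldap_uri that is not ldaps://, a missing ldap_tls_cacert, ldap_tls_reqcert other than demand, a wrong sssd.conf mode, missing TLS certificate directives, and a TLSCipherSuite that keeps SSLv2 or anonymous ciphers.

```shell
#!/bin/sh
# Added audit helpers (not from the original guide): check an sssd.conf and a
# slapd.conf for the LDAPS settings recommended above. Each function prints
# one line per finding and returns 0 if the file passes, 1 otherwise.

# Print the value of "KEY = VALUE" from an INI-style file (first match).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Checks for the client-side /etc/sssd/sssd.conf.
audit_sssd_conf() {
    f="$1"; rc=0
    case "$(conf_get "$f" ldap_uri)" in
        ldaps://*) ;;
        *) echo "$f: ldap_uri must use ldaps://"; rc=1 ;;
    esac
    [ "$(conf_get "$f" ldap_tls_reqcert)" = "demand" ] ||
        { echo "$f: ldap_tls_reqcert should be demand"; rc=1; }
    [ -n "$(conf_get "$f" ldap_tls_cacert)" ] ||
        { echo "$f: ldap_tls_cacert unset, server certificate cannot be verified"; rc=1; }
    # sssd refuses to start when sssd.conf is not mode 0600
    [ -n "$(find "$f" -perm 600)" ] ||
        { echo "$f: mode must be 0600"; rc=1; }
    return $rc
}

# Checks for the server-side /etc/openldap/slapd.conf.
audit_slapd_conf() {
    f="$1"; rc=0
    for key in TLSCertificateFile TLSCertificateKeyFile; do
        grep -Eq "^[[:space:]]*$key[[:space:]]+" "$f" ||
            { echo "$f: $key is missing"; rc=1; }
    done
    suite=$(sed -n 's/^[[:space:]]*TLSCipherSuite[[:space:]]*//p' "$f" | head -n 1)
    # "+SSLv2" or a bare "SSLv2" keeps SSLv2 ciphers; only "!SSLv2" removes them
    if printf '%s\n' "$suite" | grep -Eq '(^|:)[+]?SSLv2'; then
        echo "$f: TLSCipherSuite enables SSLv2 ciphers: $suite"; rc=1
    fi
    case "$suite" in
        *'!aNULL'*) ;;
        *) echo "$f: TLSCipherSuite should exclude anonymous ciphers (!aNULL)"; rc=1 ;;
    esac
    return $rc
}
```

Source the file and run audit_sssd_conf /etc/sssd/sssd.conf on clients and audit_slapd_conf /etc/openldap/slapd.conf on the server; a non-zero exit means at least one finding was printed.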