Homelab<\/h2>\n
We have two CentOS 7 servers installed which we want to configure as follows:<\/p>\n
ldap1.hl.local (10.11.1.11) \u2013 will be configured as an LDAP master
\nldap2.hl.local (10.11.1.12) \u2013 will be configured as an LDAP slave<\/p>\n
Both servers have SELinux set to enforcing mode.<\/p>\n
See the image below to identify the homelab part this article applies to.<\/p>\n
![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/04\/lisenet-homelab-diagram_ldap.png\")
<\/p>\n
Configuration with Puppet<\/h2>\n
Puppet master runs on the Katello<\/a> server. We use camptocamp-openldap<\/a> Puppet module to configure OpenLDAP. Please see the module documentation for features supported and configuration options available.<\/p>\n See here<\/a> (CentOS 7) and here<\/a> (Debian) for blog posts on how to configure an OpenLDAP server manually.<\/p>\n Note that instructions below apply to both LDAP servers.<\/p>\n Firewall configuration to allow LDAPS access from homelab LAN:<\/p>\n firewall { ‘007 allow LDAPS’: Ensure that the private key (which we created previously) in the PKCS#8 format is available.<\/p>\n file {‘\/etc\/pki\/tls\/private\/hl.pem’: Configure the LDAP server (note how we bind to the SSL port):<\/p>\n class { ‘openldap::server’: Configure the database:<\/p>\n openldap::server::database { ‘dc=top’: Configure schemas:<\/p>\n openldap::server::schema { ‘cosine’: Configure ACLs:<\/p>\n $homelab_acl = { Base configuration:<\/p>\n file { ‘\/root\/.ldap_config.ldif’: Content of the file ldap_config.ldif can be seen below.<\/p>\n We create a read-only account cn=reader,dc=top for LDAP replication, we also create an LDAP user uid=tomas,ou=Users,dc=hl.local,dc=top to log into homelab servers.<\/p>\n dn: cn=reader,dc=top dn: dc=hl.local,dc=top dn: ou=Users,dc=hl.local,dc=top dn: uid=tomas,ou=Users,dc=hl.local,dc=top dn: ou=Groups,dc=hl.local,dc=top dn: cn=tomas,ou=Groups,dc=hl.local,dc=top Configure sync provider on the master node:<\/p>\n file { ‘\/root\/.ldap_syncprov.ldif’: Content of the file ldap_syncprov.ldif for the master server can be seen below.<\/p>\n dn: cn=module,cn=config dn: olcOverlay=syncprov,olcDatabase=hdb,cn=config Configure replication on the slave node:<\/p>\n file { ‘\/root\/.ldap_replication.ldif’: Content of the file ldap_replication.ldif for the slave server is below. Note how we bind to the SSL port.<\/p>\n dn: olcDatabase=hdb,cn=config We should end up with the following LDAP structure:<\/p>\n If you hit problems, try running the following to start the LDAP server in debug mode with logging to the console:<\/p>\n # slapd -h ldapi:\/\/\/ -u ldap -d 255<\/p>\n The logs can be a difficult to parse, but with Google search and a bit of luck you should to be able to work out what is going on.<\/p>\n We use Puppet module sgnl05-sssd<\/a> to configure SSSD.<\/p>\n Add the following to the main homelab environment manifest file \/etc\/puppetlabs\/code\/environments\/homelab\/manifests\/site.pp so that it gets applied to all servers.<\/p>\n Note how SSSD is configured to use both LDAP servers for redundancy.<\/p>\n class {‘::sssd’: After Puppet applies the configuration above, we should be able to log into all homelab servers with the LDAP user.<\/p>\n
\ndport => [636],
\nsource => ‘10.11.1.0\/24’,
\nproto => tcp,
\naction => accept,
\n}<\/p>\n
\nensure => file,
\nsource => ‘puppet:\/\/\/homelab_files\/hl.pem’,
\nowner => ‘0’,
\ngroup => ‘ldap’,
\nmode => ‘0640’,
\n}<\/p>\n
\nldap_ifs => [‘127.0.0.1:389\/’],
\nldaps_ifs => [‘0.0.0.0:636\/’],
\nssl_cert => ‘\/etc\/pki\/tls\/certs\/hl.crt’,
\nssl_key => ‘\/etc\/pki\/tls\/private\/hl.pem’,
\n}<\/p>\n
\nensure => present,
\ndirectory => ‘\/var\/lib\/ldap’,
\nsuffix => ‘dc=top’,
\nrootdn => ‘cn=admin,dc=top’,
\nrootpw => ‘cGfSAyREZC5XnJa77iP+EdR8BrvZfUuo’,
\n}<\/p>\n
\nensure => present,
\npath => ‘\/etc\/openldap\/schema\/cosine.schema’,
\n}
\nopenldap::server::schema { ‘inetorgperson’:
\nensure => present,
\npath => ‘\/etc\/openldap\/schema\/inetorgperson.schema’,
\nrequire => Openldap::Server::Schema[“cosine”],
\n}
\nopenldap::server::schema { ‘nis’:
\nensure => present,
\npath => ‘\/etc\/openldap\/schema\/nis.ldif’,
\nrequire => Openldap::Server::Schema[“inetorgperson”],
\n}<\/p>\n
\n‘0 to attrs=userPassword,shadowLastChange’ => [
\n‘by dn=”cn=admin,dc=top” write’,
\n‘by dn=”cn=reader,dc=top” read’,
\n‘by self write’,
\n‘by anonymous auth’,
\n‘by * none’,
\n],
\n‘1 to dn.base=””‘ => [
\n‘by * read’,
\n],
\n‘2 to *’ => [
\n‘by dn=”cn=admin,dc=top” write’,
\n‘by dn=”cn=reader,dc=top” read’,
\n‘by self write’,
\n‘by users read’,
\n‘by anonymous auth’,
\n‘by * none’,
\n],
\n}
\nopenldap::server::access_wrapper { ‘dc=top’ :
\nacl => $homelab_acl,
\n}<\/p>\n
\nensure => file,
\nsource => ‘puppet:\/\/\/homelab_files\/ldap_config.ldif’,
\nowner => ‘0’,
\ngroup => ‘0’,
\nmode => ‘0600’,
\nnotify => Exec[‘configure_ldap’],
\n}
\nexec { ‘configure_ldap’:
\ncommand => ‘ldapadd -c -x -D cn=admin,dc=top -w PleaseChangeMe -f \/root\/.ldap_config.ldif && touch \/root\/.ldap_config.done’,
\npath => ‘\/usr\/bin:\/usr\/sbin:\/bin:\/sbin’,
\nprovider => shell,
\nonlyif => [‘test -f \/root\/.ldap_config.ldif’],
\nunless => [‘test -f \/root\/.ldap_config.done’],
\n}<\/p>\n
\nobjectClass: simpleSecurityObject
\nobjectclass: organizationalRole
\ndescription: LDAP Read-only Access
\nuserPassword: NrBn6Kd4rW8jmf+KWmfbTMFOkcC43ctF<\/p>\n
\no: hl.local
\ndc: hl.local
\nobjectClass: dcObject
\nobjectClass: organization<\/p>\n
\nobjectClass: organizationalUnit
\nou: Users<\/p>\n
\nuid: tomas
\nuidNumber: 5001
\ngidNumber: 5001
\nobjectClass: top
\nobjectClass: person
\nobjectClass: inetOrgPerson
\nobjectClass: posixAccount
\nobjectClass: shadowAccount
\nuserPassword: aBLnLxAUZAqwwII6fNUzizyOY\/YAowtt
\ncn: Tomas
\ngn: Tomas
\nsn: Admin
\nmail: [email protected]<\/a>
\nshadowLastChange: 16890
\nshadowMin: 0
\nshadowMax: 99999
\nshadowWarning: 14
\nshadowInactive: 3
\nloginShell: \/bin\/bash
\nhomeDirectory: \/home\/guests\/tomas<\/p>\n
\nobjectClass: organizationalUnit
\nou: Groups<\/p>\n
\ngidNumber: 5001
\nobjectClass: top
\nobjectClass: posixGroup
\ncn: tomas<\/p>\nLDAP Master Server<\/h3>\n
\nensure => file,
\nsource => ‘puppet:\/\/\/homelab_files\/ldap_syncprov.ldif’,
\nowner => ‘0’,
\ngroup => ‘0’,
\nmode => ‘0600’,
\nnotify => Exec[‘configure_syncprov’],
\n}
\nexec { ‘configure_syncprov’:
\ncommand => ‘ldapadd -c -Y EXTERNAL -H ldapi:\/\/\/ -f \/root\/.ldap_syncprov.ldif && touch \/root\/.ldap_syncprov.done && systemctl restart slapd’,
\npath => ‘\/usr\/bin:\/usr\/sbin:\/bin:\/sbin’,
\nprovider => shell,
\nonlyif => [
\n‘test -f \/root\/.ldap_syncprov.ldif’,
\n‘test -f \/root\/.ldap_config.done’
\n],
\nunless => [‘test -f \/root\/.ldap_syncprov.done’],
\n}<\/p>\n
\nobjectClass: olcModuleList
\ncn: module
\nolcModulePath: \/usr\/lib64\/openldap
\nolcModuleLoad: syncprov.la<\/p>\n
\nobjectClass: olcOverlayConfig
\nobjectClass: olcSyncProvConfig
\nolcOverlay: syncprov
\nolcSpSessionLog: 100<\/p>\nLDAP Slave Server<\/h3>\n
\nensure => file,
\nsource => ‘puppet:\/\/\/homelab_files\/ldap_replication.ldif’,
\nowner => ‘0’,
\ngroup => ‘0’,
\nmode => ‘0600’,
\nnotify => Exec[‘configure_replication’],
\n}
\nexec { ‘configure_replication’:
\ncommand => ‘ldapadd -c -Y EXTERNAL -H ldapi:\/\/\/ -f \/root\/.ldap_replication.ldif && touch \/root\/.ldap_replication.done && systemctl restart slapd’,
\npath => ‘\/usr\/bin:\/usr\/sbin:\/bin:\/sbin’,
\nprovider => shell,
\nonlyif => [‘test -f \/root\/.ldap_config.done’],
\nunless => [‘test -f \/root\/.ldap_replication.done’],
\n}<\/p>\n
\nchangetype: modify
\nadd: olcSyncRepl
\nolcSyncRepl: rid=001
\nprovider=ldaps:\/\/ldap1.hl.local:636\/
\nsearchbase=”dc=hl.local,dc=top”
\ntype=refreshAndPersist
\nretry=”60 10 300 +”
\nschemachecking=on
\nbindmethod=simple
\nbinddn=”cn=reader,dc=top”
\ncredentials=PleaseChangeMe
\ntls_reqcert=never
\ntls_cert=\/etc\/pki\/tls\/certs\/hl.crt
\ntls_cacert=\/etc\/pki\/tls\/certs\/hl.crt
\ntls_key=\/etc\/pki\/tls\/private\/hl.pem<\/p>\nThe Result<\/h3>\n
![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/04\/lisenet-homelab-ldap-tree.png\")
\nAnything that gets created on the LDAP master should be automatically synced to the slave.<\/p>\nDebugging LDAP Issues<\/h3>\n
Configure All Homelab Servers to use LDAP Authentication<\/h2>\n
\nensure => ‘present’,
\nconfig => {
\n‘sssd’ => {
\n‘domains’ => ‘default’,
\n‘config_file_version’ => 2,
\n‘services’ => [‘nss’, ‘pam’],
\n},
\n‘domain\/default’ => {
\n‘id_provider’ => ‘ldap’,
\n‘auth_provider’ => ‘ldap’,
\n‘cache_credentials’ => true,
\n‘default_shell’ => ‘\/bin\/bash’,
\n‘mkhomedir’ => true,
\n‘ldap_search_base’ => ‘dc=hl.local,dc=top’,
\n‘ldap_uri’ => ‘ldaps:\/\/ldap1.hl.local,ldaps:\/\/ldap2.hl.local’,
\n‘ldap_id_use_start_tls’ => false,
\n‘ldap_tls_reqcert’ => ‘never’,
\n‘ldap_default_bind_dn’ => ‘cn=reader,dc=top’,
\n‘ldap_default_authtok’ => ‘PleaseChangeMe’,
\n}
\n}
\n}<\/p>\n