Blog of René Jochum

Blogging about Programming, Security, Linux, Networking and Web Apps.

Æ-DIR installation


In the last few days, I’ve created an OpenLDAP cluster with Æ-DIR for the Webmeisterei. The installation wasn’t straightforward, but the creator of Æ-DIR, Michael Ströder, helped me a lot with it.

Prerequisites

  • 4 x Debian/openSUSE/CentOS VMs (2 x provider, 2 x consumer).
  • DNS with correct A and PTR entries, resolvable from the installation host AND the VMs.
  • Recommended: an extra network for LDAP.
  • Recommended: an extra subdomain such as ldap.example.com.
  • Basic knowledge of Ansible and the Linux terminal.
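The DNS prerequisite is the one most often got wrong, and it bites late: TLS hostname verification and the SASL/EXTERNAL client-certificate authentication used between the Æ-DIR servers both depend on forward and reverse names agreeing. The pre-flight check below is an added example for this post, not part of Æ-DIR or its Ansible roles; the host names in CLUSTER_HOSTS are constructed placeholders, and the default lookups use the system resolver via Python's socket module. It verifies that every host has an A record and that the PTR of each address points back to the same name.

```python
"""Pre-flight check for the DNS prerequisite above: every cluster host needs an
A record, and the PTR of each address must point back at the same host name.
Added example for this post, not part of Æ-DIR; host names are constructed."""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed inventory (hypothetical names); replace with your own hosts.
CLUSTER_HOSTS = [
    "fp1.ldap.example.com",  # provider 1
    "fp2.ldap.example.com",  # provider 2
    "fc1.ldap.example.com",  # consumer 1
    "fc2.ldap.example.com",  # consumer 2
]

Lookup = Callable[[str], List[str]]


def resolve_a(name: str) -> List[str]:
    """Forward lookup (IPv4) through the system resolver; [] if it fails."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolve_ptr(addr: str) -> List[str]:
    """Reverse lookup through the system resolver; [] if there is no PTR."""
    try:
        host, aliases, _ = socket.gethostbyaddr(addr)
    except (socket.herror, socket.gaierror):
        return []
    return [host, *aliases]


def check_host(name: str, a_lookup: Lookup = resolve_a,
               ptr_lookup: Lookup = resolve_ptr) -> Tuple[bool, str]:
    """Return (ok, message) for one host: A record present and PTR round-trips."""
    addrs = a_lookup(name)
    if not addrs:
        return False, f"{name}: no A record"
    wanted = name.rstrip(".").lower()
    problems = []
    for addr in addrs:
        # PTR answers may carry a trailing dot or different case; normalise both.
        back = [n.rstrip(".").lower() for n in ptr_lookup(addr)]
        if wanted not in back:
            problems.append(f"{addr} -> {back or 'no PTR'}")
    if problems:
        return False, f"{name}: PTR mismatch: " + "; ".join(problems)
    return True, f"{name}: {', '.join(addrs)} (forward and reverse agree)"


def check_cluster(hosts: List[str] = CLUSTER_HOSTS, a_lookup: Lookup = resolve_a,
                  ptr_lookup: Lookup = resolve_ptr) -> Dict[str, Tuple[bool, str]]:
    """Check every host; the caller decides whether a failure blocks the install."""
    return {host: check_host(host, a_lookup, ptr_lookup) for host in hosts}


if __name__ == "__main__":
    import sys
    results = check_cluster()
    for ok, msg in results.values():
        print(("OK   " if ok else "FAIL ") + msg)
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

Run it once on the installation host and once on each VM, because a resolver that is correct from your workstation but wrong inside the LDAP network is exactly the case the prerequisite warns about. The lookups are injectable so the logic can be tested against a fixed answer set without network access.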

Installation

First read through the installation documentation of Æ-DIR.

Prepare your Ansible env

sudo virtualenv -p /usr/bin/python2.7 /opt/ansible
sudo /opt/ansible/bin/pip2 install --upgrade ansible Jinja2==2.8.1 dnspython paramiko

In a folder of your choice, clone the ansible-example-site repository to aedir-env:

git clone --recurse-submodules https://gitlab.com/ae-dir/ansible-example-site aedir-env
cd aedir-env/roles/ae-dir-server
git checkout master
cd ../../

Then edit hosts, group_vars/ae-dir-servers and group_vars/ae-dir-providers.

See our installation as an example; the changes should be very interesting too.

Add your ca-chain.pem

Whether you have your own private CA or use a public CA (recommended if you want connections to services like Keycloak), copy its ca-chain.pem to files/.

Ready to install

Call Ansible :)

/opt/ansible/bin/ansible-playbook ae-dir-server.yml -i myenv/hosts --become -K --become-method=su --extra-vars='{"aedir_init":True, "openldap_keygen":True}'

Debugging

Michael told me some fine tricks that might help you debug replication too:

Run on a provider or consumer, this command prints the server's own uid as its last line; with it you can see whether TLS authentication (SASL/EXTERNAL with the server's client certificate) works:

root@fp2:~# LDAPRC=/opt/ae-dir/etc/ldap.conf ldapwhoami -Y EXTERNAL -H ldaps://fp1.ldap.webmeisterei.com
SASL/EXTERNAL authentication started
SASL username: cn=fp2.ldap.webmeisterei.com,ou=EssentialSSL,ou=Domain Control Validated
SASL SSF: 0
dn:uid=ae-dir-slapd_fp2,cn=ae,dc=ae-dir,dc=ldap,dc=webmeisterei,dc=com

And with slapd_checkmk.sh you can check everything; each line MUST contain an ‘OK’ when everything is fine.

root@fp2:~# /opt/ae-dir/sbin/slapd_checkmk.sh 
0 SlapdCert - OK - Server cert '/opt/ae-dir/etc/tls/fp2.ldap.webmeisterei.com.crt' valid until 2021-07-30 23:59:59 UTC (730 days left, 0.0 % elapsed), modulus_match==True, (via module cryptography)
0 SlapdConfig - OK - Successfully connected to 'ldapi://%2Fopt%2Fae-dir%2Frun%2Fslapd%2Fldapi' as 'dn:cn=root,dc=ae-dir,dc=ldap,dc=webmeisterei,dc=com' found 'cn=config' and 'cn=Monitor'
0 SlapdConns percent=3.90625|count=5 OK - 5 open connections (max. 128)
0 SlapdContextCSN_2_dc_ae-dir_dc_ldap_dc_webmeisterei_dc_com_fp1.ldap.webmeisterei.com - OK - 2 contextCSN attribute values retrieved for 'dc=ae-dir,dc=ldap,dc=webmeisterei,dc=com' from 'ldaps://fp1.ldap.webmeisterei.com'
0 SlapdDatabases - OK - Found 2 real databases: {1}mdb: cn=accesslog-ae-dir / {2}mdb: dc=ae-dir,dc=ldap,dc=webmeisterei,dc=com
0 SlapdEntryCount_1_cn_accesslog-ae-dir count=178 OK - 'cn=accesslog-ae-dir' has 178 entries (response time 0.0 s)
0 SlapdEntryCount_2_dc_ae-dir_dc_ldap_dc_webmeisterei_dc_com count=102 OK - 'dc=ae-dir,dc=ldap,dc=webmeisterei,dc=com' has 102 entries (response time 0.0 s)
0 SlapdMDBSize_1_cn_accesslog-ae-dir mdb_pages_max=24414|mdb_use_percentage=0.684032|mdb_pages_used=167 OK - DB file '/opt/ae-dir/slapd-db/accesslog/data.mdb' has 684032 of max. 100000000 bytes (0.7 %)
0 SlapdMDBSize_2_dc_ae-dir_dc_ldap_dc_webmeisterei_dc_com mdb_pages_max=12207|mdb_use_percentage=1.449984|mdb_pages_used=177 OK - DB file '/opt/ae-dir/slapd-db/um/data.mdb' has 724992 of max. 50000000 bytes (1.4 %)
0 SlapdMonitor - OK - Successfully retrieved 82 entries from 'cn=Monitor' on 'ldapi://%2Fopt%2Fae-dir%2Frun%2Fslapd%2Fldapi'
0 SlapdOps ops_waiting=1|ops_completed_rate=0.0631346223086|ops_initiated_rate=0.064169616117 OK - 10 operation types / completed 61 of 62 operations (0.06/s completed, 0.06/s initiated, 1 waiting)
0 SlapdOps_Abandon ops_waiting=0|ops_completed_rate=0.0|ops_initiated_rate=0.0 OK - completed 0 of 0 operations (0.00/s completed, 0.00/s initiated, 0 waiting)
0 SlapdOps_Add ops_waiting=0|ops_completed_rate=0.0|ops_initiated_rate=0.0 OK - completed 0 of 0 operations (0.00/s completed, 0.00/s initiated, 0 waiting)
0 SlapdOps_Bind ops_waiting=0|ops_completed_rate=0.0155249071251|ops_initiated_rate=0.0155249071251 OK - completed 15 of 15 operations (0.02/s completed, 0.02/s initiated, 0 waiting)
0 SlapdOps_Compare ops_waiting=0|ops_completed_rate=0.0|ops_initiated_rate=0.0 OK - completed 0 of 0 operations (0.00/s completed, 0.00/s initiated, 0 waiting)
0 SlapdOps_Delete ops_waiting=0|ops_completed_rate=0.0|ops_initiated_rate=0.0 OK - completed 0 of 0 operations (0.00/s completed, 0.00/s initiated, 0 waiting)
0 SlapdOps_Extended ops_waiting=0|ops_completed_rate=0.00620996285003|ops_initiated_rate=0.00620996285003 OK - completed 6 of 6 operations (0.01/s completed, 0.01/s initiated, 0 waiting)
0 SlapdOps_Modify ops_waiting=0|ops_completed_rate=0.0|ops_initiated_rate=0.0 OK - completed 0 of 0 operations (0.00/s completed, 0.00/s initiated, 0 waiting)
0 SlapdOps_Modrdn ops_waiting=0|ops_completed_rate=0.0|ops_initiated_rate=0.0 OK - completed 0 of 0 operations (0.00/s completed, 0.00/s initiated, 0 waiting)
0 SlapdOps_Search ops_waiting=1|ops_completed_rate=0.0300148204418|ops_initiated_rate=0.0310498142501 OK - completed 29 of 30 operations (0.03/s completed, 0.03/s initiated, 1 waiting)
0 SlapdOps_Unbind ops_waiting=0|ops_completed_rate=0.0113849318917|ops_initiated_rate=0.0113849318917 OK - completed 11 of 11 operations (0.01/s completed, 0.01/s initiated, 0 waiting)
0 SlapdProviders percent=100.0|count=1 OK - Connected to 1 of 1 (100.0%) providers:
0 SlapdReplTopology - OK - successfully retrieved syncrepl topology with 1 items: {'ldaps://fp1.ldap.webmeisterei.com': [(2, 'dc=ae-dir,dc=ldap,dc=webmeisterei,dc=com', SyncReplDesc(rid=001))]}
0 SlapdSASLHostname - OK - olcSaslHost 'fp2.ldap.webmeisterei.com' found
0 SlapdSelfConn - OK - successfully bound to 'ldaps://fp2.ldap.webmeisterei.com' as 'dn:uid=ae-dir-slapd_fp2,cn=ae,dc=ae-dir,dc=ldap,dc=webmeisterei,dc=com'
0 SlapdSock - OK - Found 1 back-sock listeners
0 SlapdSock__opt_ae-dir_run_hotp_validator_socket sockBytesReceived=48.0|sockRequestBindCount=0.0|sockMaxResponseTime=0.00083|sockHOTPMaxLookAheadSeen=0.0|sockBytesSent=2209.0|sockRequestCompareCount=0.0|sockThreadCount=1.0|sockRequestMonitorCount=6.0|sockHOTPKeyCount=0.0|sockRequestAll=6.0|sockAvgResponseTime=2e-05 OK - Connected to bind/compare listener '/opt/ae-dir/run/hotp_validator/socket' and received 443 bytes
0 SlapdStart - OK - slapd[133771] started at 2019-07-31 09:31:54, 2:02:10.856144 ago
0 SlapdStats bytes=25.1079147965|entries=0.108674349875|pdu=0.159389046484|referrals=0.159389046484 OK - Stats: 24259 bytes (25.1 bytes/sec) / 105 entries (0.1 entries/sec) / 154 PDUs (0.2 PDUs/sec) / 0 referrals (0.2 referrals/sec)
0 SlapdSyncRepl_2_dc_ae-dir_dc_ldap_dc_webmeisterei_dc_com max_csn_timedelta=0.0 OK - 'dc=ae-dir,dc=ldap,dc=webmeisterei,dc=com' max. contextCSN delta: 0.0 / no replication issues determined
0 SlapdThreads threads_pending=0|threads_active=1 OK - Thread counts active:1 pending: 0
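Eyeballing that output for a missing ‘OK’ works once; for continuous monitoring you want a parser. The lines are in Check_MK local-check format (state, item name, perfdata or ‘-’, summary text), so the metrics such as max_csn_timedelta and the provider percentage can be re-checked against your own thresholds rather than only trusting the script's state. The parser below is an added example for this post, not part of Æ-DIR or slapd_checkmk.sh; the sample lines are constructed from the shape of the output above, with the hostnames replaced by example.com, the SlapdCert text shortened, and the degraded sample hand-edited, so the exact wording of non-OK lines is an assumption.

```python
"""Parse the Check_MK local-check lines printed by slapd_checkmk.sh and flag
everything that is not OK.  Added example for this post, not part of Æ-DIR;
the sample lines are constructed (hostnames swapped for example.com, and the
degraded sample hand-edited), so their exact wording is an assumption."""
from typing import Dict, List, NamedTuple, Optional


class CheckLine(NamedTuple):
    status: int                 # Check_MK state: 0 OK, 1 WARN, 2 CRIT, 3 UNKNOWN
    name: str                   # check item, e.g. SlapdSyncRepl_2_dc_ae-dir_...
    metrics: Dict[str, float]   # perfdata key=value pairs, {} if the field was '-'
    text: str                   # human-readable summary, normally starting with 'OK - '


def parse_line(line: str) -> Optional[CheckLine]:
    """Split '<status> <name> <perfdata|-> <text>'; None for lines not in that shape."""
    parts = line.strip().split(None, 3)
    if len(parts) < 4 or not parts[0].isdigit():
        return None
    status, name, perf, text = parts
    metrics: Dict[str, float] = {}
    if perf != "-":
        for item in perf.split("|"):
            key, _, value = item.partition("=")
            try:
                # perfdata values may carry ';warn;crit;min;max' suffixes; keep the value only
                metrics[key] = float(value.split(";")[0])
            except ValueError:
                continue
    return CheckLine(int(status), name, metrics, text)


def evaluate(output: str, max_csn_delta: float = 10.0) -> List[str]:
    """Return findings for the whole script output; an empty list means all clear.

    Besides trusting the script's own state, two metrics are re-checked against
    our own thresholds: the contextCSN delta (replication lag in seconds) and the
    share of providers a consumer could connect to.
    """
    findings: List[str] = []
    for raw in output.splitlines():
        cl = parse_line(raw)
        if cl is None:
            continue
        if cl.status != 0 or not cl.text.startswith("OK"):
            findings.append(f"{cl.name}: state {cl.status}: {cl.text}")
        if cl.name.startswith("SlapdSyncRepl"):
            delta = cl.metrics.get("max_csn_timedelta", 0.0)
            if delta > max_csn_delta:
                findings.append(f"{cl.name}: contextCSN delta {delta}s exceeds {max_csn_delta}s")
        if cl.name == "SlapdProviders" and cl.metrics.get("percent", 100.0) < 100.0:
            findings.append(f"{cl.name}: only {cl.metrics['percent']}% of providers reachable")
    return findings


# Constructed samples modelled on the output shape shown in the post.
SAMPLE_OK = """\
0 SlapdCert - OK - Server cert '/opt/ae-dir/etc/tls/fp2.ldap.example.com.crt' valid until 2021-07-30 23:59:59 UTC
0 SlapdConns percent=3.90625|count=5 OK - 5 open connections (max. 128)
0 SlapdProviders percent=100.0|count=1 OK - Connected to 1 of 1 (100.0%) providers:
0 SlapdSyncRepl_2_dc_ae-dir_dc_ldap_dc_example_dc_com max_csn_timedelta=0.0 OK - 'dc=ae-dir,dc=ldap,dc=example,dc=com' max. contextCSN delta: 0.0 / no replication issues determined
"""

SAMPLE_DEGRADED = """\
0 SlapdCert - OK - Server cert '/opt/ae-dir/etc/tls/fp2.ldap.example.com.crt' valid until 2021-07-30 23:59:59 UTC
2 SlapdProviders percent=50.0|count=1 CRITICAL - Connected to 1 of 2 (50.0%) providers:
0 SlapdSyncRepl_2_dc_ae-dir_dc_ldap_dc_example_dc_com max_csn_timedelta=42.5 OK - 'dc=ae-dir,dc=ldap,dc=example,dc=com' max. contextCSN delta: 42.5
"""

if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_OK), ("degraded", SAMPLE_DEGRADED)):
        print(f"{label}: {evaluate(sample) or ['all lines OK']}")
```

Feed it the real output with something like `evaluate(subprocess.check_output(["/opt/ae-dir/sbin/slapd_checkmk.sh"], text=True))` from a cron job or your monitoring agent; a non-empty findings list is what should page you. Keep max_csn_delta small on providers (they should be in lockstep) and somewhat larger on consumers that are allowed to lag.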