相关文章推荐
孤独的煎鸡蛋  ·  《西方哲学史:从古希腊到当下》电子书在线阅读 ...·  1 月前    · 
冷冷的萝卜  ·  专访北大教授吴国盛:中国古代没有数理科学,这 ...·  1 月前    · 
一直单身的鸵鸟  ·  复旦大学吴晓群教授作客第97期博士沙龙探讨古 ...·  1 年前    · 
一直单身的鸵鸟  ·  从宙斯到耶和华:希腊人是如何皈依基督教的?·  1 年前    · 
一直单身的鸵鸟  ·  第四章 ...·  1 年前    · 
一直单身的鸵鸟  ·  清华学堂-牛津古希腊哲学暑期营顺利举办-清华 ...·  1 年前    · 
一直单身的鸵鸟  ·  古希腊哲学术语数据库建设--全国哲学社会科学 ...·  1 年前    · 
小百科  ›  “庞贝神话——意大利那不勒斯国家考古博物馆藏古希腊古罗马珍品 ...
古希腊宗教 考古 神话 博物馆 古希腊
一直单身的鸵鸟
1 年前

We use LetsEncrypt to issue a certificate to each server, and OpenLDAP can take the certificate and use it to encrypt and authenticate connections from other LDAP servers.

One of the problems I encountered was when setting up replication between servers. We use SaltStack to build and maintain our server estate, so deployment and configuration needs to be automated. This normally means spending a week automating a process which you’ll only do twice – once when you install it, and once again when you’re rebuilding the server and have forgotten everything you’ve done.

To secure OpenSSL, add this LDIF file to your directory: 

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/ldap1.example.com/fullchain.pem
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/ldap1.example.com/cert.pem
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/ldap1.example.com/privkey.pem

Every time we did this, a vague error popped up: 

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ./ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0 modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)

Restarting slapd , the LDAP daemon, with full debugging showed nothing, neither did running the daemon through strace .

Several days of painful troubleshooting followed. We eventually found the issue – the LDAP daemon wasn’t able to access the TLS certificates! AppArmor was blocking access to the files under /etc/letsencrypt , and so we did two simple things.

First, we used setfacl to give the openldap user ‘rx’ permissions on /etc/letsencrypt/live and /etc/letsencrypt/archive : 

$ sudo setfacl -m user:openldap:r-x /etc/letsencrypt/live
$ sudo setfacl -m user:openldap:r-x /etc/letsencrypt/archive

This lets the LDAP daemon read and following the symbolic links in the live directory to the actual files.

Next, we needed to tell AppArmor to let the LDAP daemon, slapd , access the files themselves. It’s as easy as creating a file called /etc/apparmor.d/local/usr.sbin.slapd with the following: 

/etc/letsencrypt/live/{{ grains.id }} r,
/etc/letsencrypt/archive/{{ grains.id }} r,
/etc/letsencrypt/archive/{{ grains.id }}/** r,

The trailing comma on the last line isn’t a mistake – if you don’t include it, AppArmor won’t install the rule. I won’t admit how long it took us to realise this!

Daniel

Very helpful article Peter! Would you mind telling me which “setfacl” settings you had?

Cheers,
Daniel

Peter Hicks

If I’ve understood your question correctly, here’s what I have in the Salt state file: 

ldap-access-to-machine-live-dir:
  acl.present:
    - name: /etc/letsencrypt/live
    - acl_type: user
    - acl_name: openldap
    - perms: rx
ldap-access-to-machine-archive-dir:
  acl.present:
    - name: /etc/letsencrypt/archive
    - acl_type: user
    - acl_name: openldap
    - perms: rx

YEEEEEEEEEEEESSSS! FINALLY! THANK YOU!

I can’t say how many hours I have read blogs and Stack articles which only gave half the story, or where someone hacked the permissions in a way most don’t want.

Your instructions about setfacl and the three lines for apparmor was what finally made it work.

I had already tried all kinds of combinations of permissions for the directories and files, even manually copying the certificates elsewhere, and that didn’t work either.

Don’t forget to restart apparmor and slapd after adding the access exceptions.

service apparmor restart
service slapd restart

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

 
推荐文章
孤独的煎鸡蛋  ·  《西方哲学史:从古希腊到当下》电子书在线阅读-【挪威】奎纳尔·希 ...
1 月前
冷冷的萝卜  ·  专访北大教授吴国盛:中国古代没有数理科学,这本是命运
1 月前
一直单身的鸵鸟  ·  复旦大学吴晓群教授作客第97期博士沙龙探讨古希腊人的神灵观
1 年前
一直单身的鸵鸟  ·  从宙斯到耶和华:希腊人是如何皈依基督教的?
1 年前
一直单身的鸵鸟  ·  第四章 古代欧洲哲学思想中的核心价值观--理论-人民网
1 年前
一直单身的鸵鸟  ·  清华学堂-牛津古希腊哲学暑期营顺利举办-清华大学哲学系
1 年前
一直单身的鸵鸟  ·  古希腊哲学术语数据库建设--全国哲学社会科学工作办公室--人民网
1 年前
今天看啥   ·   Py中国   ·   codingpro   ·   小百科   ·   link之家   ·   卧龙AI搜索
删除内容请联系邮箱 2879853325@qq.com
小百科 - 百科知识指南
© 2024 ~ 沪ICP备11025650号