Robot Has No Heart

Xavier Shay blogs here

A robot that does not have a heart

Introducing Clerk Simon

Someone sends you an email and you want to add them to your LDAP address book, but your email client doesn’t support it *cough*thunderbird*cough*. If you think the next best way would be to just forward that email somewhere and have someone else take care of it, then allow me to introduce Clerk Simon. He’s quite attentive when it comes to such matters, and fully certified to boot. Full details at that link, check it out.

bzr co http://code.rhnh.net/clerk_simon/
cd clerk_simon
cp config.sample.yml config.yml # Edit to taste
bin/clerk_simon config.yml

LDAP Address Book with FreeBSD and SSL

First you need to install and configure the OpenLDAP server. Clearly you won’t want to use rhnh.net – just substitute in your own domain.

sudo pkg_add -r openldap24-server
sudo pkg_add -r openssl

sudo cp /usr/local/openssl/openssl.cnf.sample /usr/local/openssl/openssl.cnf
# Generate a self signed certificate. Using the same file for -out and -keyout
# puts the private key and the certificate together in server.pem, so keep that
# file readable by root and slapd only. rsa:1024 is what worked here in 2007;
# 2048 bits or more is the sensible minimum now.
sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
sudo mkdir /usr/local/etc/ldap
sudo mv server.pem /usr/local/etc/ldap

# /etc/rc.conf
slapd_enable="YES"
slapd_flags='-h "ldaps://rhnh.net/"'

# /usr/local/etc/openldap/ldap.conf
# Add these same settings not just on the server but for each client
BASE dc=rhnh, dc=net
URI ldaps://rhnh.net/
# "allow" makes clients accept whatever certificate the server presents, which
# gives up the protection against a spoofed server that SSL is meant to provide.
# With a self signed cert the better option is to copy the certificate part of
# server.pem to each client, point TLS_CACERT at it, and use TLS_REQCERT demand.
TLS_REQCERT allow

# /usr/local/etc/openldap/slapd.conf:
# Add
include     /usr/local/etc/openldap/schema/cosine.schema
include     /usr/local/etc/openldap/schema/inetorgperson.schema

TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /usr/local/etc/ldap/server.pem
TLSCertificateFile /usr/local/etc/ldap/server.pem
TLSCertificateKeyFile /usr/local/etc/ldap/server.pem

# Refuse operations from connections that have not authenticated
require authc

# Modify these properties from their defaults
suffix          "dc=rhnh,dc=net"
rootdn          "cn=xavier,dc=rhnh,dc=net"
# Use slappasswd to generate your own password
rootpw          {SSHA}Iogj+Awafoj9FP5IdLVy1DmFaASDw1P5 # secret

Start up the server and check that it answers on port 636 with your certificate:

sudo /usr/local/etc/rc.d/slapd start
# Should print the certificate chain and end with the SSL session details
openssl s_client -connect rhnh.net:636 -showcerts

Load the base entry and an organizational unit to hold your address book entries (directory.ldif); contact.ldif is an example contact to put in it.

# directory.ldif
dn: dc=rhnh, dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
dc: rhnh
o:  Robot Has No Heart

dn: ou=people, dc=rhnh, dc=net
objectClass: top
objectClass: organizationalUnit
ou: people

# contact.ldif
dn: cn=Xavier Shay, ou=people, dc=rhnh, dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Xavier Shay
gn: Xavier
sn: Shay
mail: contact@rhnh.net
ou: people
mobile: 0400-123-456

# -x selects a simple bind (without it the tools attempt SASL and fail here),
# -W prompts for the rootpw set above rather than putting it on the command line
ldapadd -x -D 'cn=xavier,dc=rhnh,dc=net' -W -f directory.ldif
ldapadd -x -D 'cn=xavier,dc=rhnh,dc=net' -W -f contact.ldif
ldapsearch -x -D 'cn=xavier,dc=rhnh,dc=net' -W # Check everything worked

To configure Thunderbird to use your address book, go to Edit - Preferences... - Composition - Edit Directories... and follow the bouncing ball. Thunderbird can’t write to the directory, which is kind of a pain. Maybe you could use Evolution, which I think works. Maybe you could write an app that monitors a drop box and updates your directory for you. Maybe you could assume I’ve already done what I suggested and wait for me to release it in the very near future.

Tested on FreeBSD 6.2-stable


SVN, Trac and NFS

Migrated my Subversion repository to my dev server, and am getting it served up through https with LDAP authentication. Going to set up pretty formatting this afternoon – not that I ever use the web interface.

Trac also relies on the webserver for authentication, so it too is running through https/LDAP. All very pretty. One thing that’s not immediately obvious about Trac (you know, if you don’t read the welcome screen) is that managing things like components and milestones is done using the trac-admin program, and not anything on the web interface (although there is a plugin available for this). Initial inspection looks like I’m going to be using it as a glorified TODO list, but hopefully it will improve my work ethic. The value of this program would increase exponentially with the number of developers, I feel.

<Location /svn>
        DAV svn
        SVNPath /var/svn/repos
        AuthType Basic
        AuthName "Subversion repository"
        # Plain ldap:// and no AuthLDAPBindDN: the uid lookup runs as an anonymous
        # bind, and the user's password check goes to rhino in the clear unless
        # rhino is this same host.
        AuthLDAPURL ldap://rhino:389/OU=People,DC=noreality,DC=net?uid?sub?(objectClass=account)
        Require valid-user
        SSLRequireSSL
</Location>

Improvements would be using require group insert-ldap-group rather than require valid-user, so that only a chosen set of users rather than every account in the directory can reach the repository, and not allowing anonymous binds to my LDAP tree. I don’t have groups set up yet though…
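Those two improvements written out, as an added example rather than the post's own config. It uses the Apache 2.2+ mod_authnz_ldap syntax (the post's `require group` is the older mod_auth_ldap form), switches the directory connection to ldaps://, and binds with a dedicated account so slapd can refuse anonymous binds. The group DN, the bind account and its password, and the certificate path are placeholders.

```apache
# Added example, not the post's own config. Apache 2.2+ mod_authnz_ldap syntax;
# the group, the bind account, its password and the cert path are placeholders.

# Server scope: trust rhino's self signed certificate so ldaps:// verifies
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ssl/rhino-ldap.pem

<Location /svn>
        DAV svn
        SVNPath /var/svn/repos
        SSLRequireSSL
        AuthType Basic
        AuthName "Subversion repository"
        AuthBasicProvider ldap
        # ldaps:// keeps the uid lookup and the user's bind off the wire in clear
        AuthLDAPURL ldaps://rhino:636/OU=People,DC=noreality,DC=net?uid?sub?(objectClass=account)
        # A dedicated, read-only account for the lookup, so slapd can refuse
        # anonymous binds outright (disallow bind_anon in slapd.conf)
        AuthLDAPBindDN "cn=apache,OU=Services,DC=noreality,DC=net"
        AuthLDAPBindPassword "replace-with-a-real-secret"
        # Only members of one groupOfNames may commit, not every directory user
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group cn=developers,OU=Groups,DC=noreality,DC=net
</Location>
```

The bind password now sits in httpd.conf, so that file needs to be readable by root only; and the cn=apache account should be granted nothing beyond search on OU=People and OU=Groups in slapd's access rules.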

Also set up NFS on my server – I had been using SMB (still am for windows) even on my linux clients, but recent dapper updates have really thrown a spanner in those works. I need to comment out my SMB shares in fstab before I reboot or I’ll be waiting a loooong time for the system to come up again. Noted a neat trick on the gentoo wiki for specifying a fallback kernel when recompiling the kernel on a remote box. Thankfully I didn’t have to rely on it, but hooking up a keyboard/monitor to my server-behind-the-TV is not a task I want to have to do on a weekend.

LDAP Authentication

Spent the better part of the evening setting up LDAP authentication for my boxen. The portage issue I mentioned prior was because I hadn’t updated portage for like 8 months … my bad. Slapd installed without a hitch on my gentoo server, and I was even able to set it up with an SSL certificate. The problems came getting pam_ldap setup on my ubuntu client. I’m not really sure what I did, but part of my problem was installing all the packages a few days ago, and then changing my mind on the configuration today but not reinstalling the packages. As such, I learnt a handy new command, to reconfigure without reinstall:

dpkg-reconfigure libpam-ldap
dpkg-reconfigure libnss-ldap

I’d also warn against using the libnss-ldap sample nsswitch.conf without a contingency plan – I wasn’t able to execute commands (ls, sudo) after using it, and my machine wouldn’t reboot properly, even in recovery mode. Moral of the story – always have a LiveCD handy!

I’m at the point now where everything seems to work … except passwd. When changing my password I get “passwd: Authentication information cannot be recovered”. Posted something on the forums, hopefully someone helps me out.
