Bind DNS + OpenLDAP MDB == Dynamic Domain and Fully Delegated Sub-Domain Configuration of DNS

June 7, 2013June 8, 2013 hspencer77bind9, cloud computing, dns, dynamic dns configuration, eucalyptus, eucalyptus dns, eustore, mdb, openldap7 Comments

This blog post was driven by the need to make it easier to test Eucalyptus DNS in a lab environment. The goal was to have a scriptable way to add/delete fully delegated sub-domains without having to reload/restart DNS when Eucalyptus clouds were being deployed/destroyed. This was tested on an CentOS 6 instance running in a Eucalyptus 3.3 HA Cloud.

Prerequisites

This entry will not cover setting up Eucalyptus HA, creating a Eucalyptus user, using eustore to register the image, and/or opening up ports in security groups. Its assumed the reader understands these concepts. The focus will be configuring and deploying Bind9 and OpenLDAP.

In addition to using a CentOS 6.4 image, the following is needed:

ports open for DNS (tcp and udp 53)
port open for OpenLDAP (tcp 389)
port open for SSH (tcp 22)

Now that the prereqs have been covered, lets jump into setting up the environment.

Base Software Installation

There are a series of packages needed to install OpenLDAP (since we are building from source), and Bind9. Once the instance is launched and running, SSH into the instance, and run the following commands:

# sudo yum -y upgrade
# sudo yum install -y git cyrus-sasl gcc glibc-devel libtool-ltdl \
db4-devel openssl-devel unixODBC-devel libtool-ltdl-devel libtool \
cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-lib cyrus-sasl-md5 \
make bind-dyndb-ldap

All the packages except for bind-dyndb-ldap are needed to build OpenLDAP from source. The reason we are building OpenLDAP from source is to take advantage of their powerful backend – MDB. Check out my previous blogs on this topic from this listing.

The key package for Bind9 DNS to communicate to OpenLDAP as a backend is bind-dyndb-ldap. This plug-in is used by the FreeIPA Identity/Policy Management application to help leverage 389 Directory Servers (which is based off OpenLDAP) for storing domain name information.

OpenLDAP Installation and Configuration

Since all the base packages are installed, we can now grab and install the latest source version of OpenLDAP. While still being logged into the instance, run the following command:

# git clone git://git.openldap.org/openldap.git ~/openldap

Since we are working with an instance based on the CentOS 6 image on eustore, we will use the ephemeral store (which is mounted under /media/ephemeral0) for the location of our OpenLDAP installation. Create a directory for installing OpenLDAP on the ephemeral store by running the command below:

# mkdir /media/ephemeral0/openldap

Next, configure OpenLDAP:

# cd ~/openldap
# ./configure --prefix=/media/ephemeral0/openldap --enable-debug=yes \
--enable-syslog --enable-dynamic --enable-slapd --enable-dynacl \
--enable-spasswd --enable-modules --enable-rlookups --enable-mdb \
--enable-monitor --enable-overlays --with-cyrus-sasl --with-threads \
--with-tls=openssl CC="gcc" LDFLAGS="-L/usr/lib64/sasl2" CPPFLAGS="-I/usr/include/sasl"

After thats completed successfully, compile and install OpenLDAP:

# make depend
# make
# sudo make install

After the installation is complete, create the openldap user that will be responsible for running OpenLDAP:

# sudo useradd -m -U -c "OpenLDAP User" -s /bin/bash openldap
# sudo passwd -l openldap

Since the bind-dyndb-ldap package was installed earlier, copy the schema to where OpenLDAP stores its schemas, so that it can be added to the OpenLDAP configuration:

# sudo cp /usr/share/doc/bind-dyndb-ldap-2.3/schema \
/media/ephemeral0/openldap/etc/openldap/schema/bind-dyndb-ldap.schema

Next, create the LDAP password for the cn=admin,cn=config user. This user is responsible for managing the configuration of the OpenLDAP server using OLC:

# /media/ephemeral0/openldap/sbin/slappasswd -h {SSHA}

Modify the slapd.conf file located under /media/ephemeral0/openldap/etc/openldap/, to set up the base configuration structure (cn=config) for OpenLDAP. When completed, it should look like the following:

#######################################################################
# Config database definitions
#######################################################################
pidfile /media/ephemeral0/openldap/var/run/slapd.pid
argsfile /media/ephemeral0/openldap/var/run/slapd.args
database config
rootdn cn=admin,cn=config
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx - (password created for cn=admin,cn=config user)
# Schemas, in order
include /media/ephemeral0/openldap/etc/openldap/schema/core.schema
include /media/ephemeral0/openldap/etc/openldap/schema/cosine.schema
include /media/ephemeral0/openldap/etc/openldap/schema/inetorgperson.schema
include /media/ephemeral0/openldap/etc/openldap/schema/collective.schema
include /media/ephemeral0/openldap/etc/openldap/schema/corba.schema
include /media/ephemeral0/openldap/etc/openldap/schema/duaconf.schema
include /media/ephemeral0/openldap/etc/openldap/schema/dyngroup.schema
include /media/ephemeral0/openldap/etc/openldap/schema/misc.schema
include /media/ephemeral0/openldap/etc/openldap/schema/nis.schema
include /media/ephemeral0/openldap/etc/openldap/schema/openldap.schema
include /media/ephemeral0/openldap/etc/openldap/schema/ppolicy.schema
include /media/ephemeral0/openldap/etc/openldap/schema/bind-dyndb-ldap.schema

Create the slapd.d directory under /media/ephemeral0/openldap/etc/openldap/. This will contain all the directory information:

# sudo chown -R openldap:openldap /media/ephemeral0/openldap/* 
# su - openldap -c "mkdir /media/ephemeral0/openldap/etc/openldap/slapd.d"

Populate the slapd.d directory with the base configuration by running the following command:

su - openldap -c "/media/ephemeral0/openldap/sbin/slaptest \
-f /media/ephemeral0/openldap/etc/openldap/slapd.conf \
-F /media/ephemeral0/openldap/etc/openldap/slapd.d"
config file testing succeeded

For this example, we will be setting up the directory to use dc=eucalyptus,dc=com as the LDAP base. Create the cn=Directory Manager,dc=eucalyptus,dc=com LDAP password:

# /media/ephemeral0/openldap/sbin/slappasswd -h {SSHA}

Create an LDIF that will define the configuration of the DB associated with the information regarding the DNS entries. For this example, the LDIF will be called directory-layout.ldif. It should look like the following:

#######################################################################
# MDB database definitions
#######################################################################
#
dn: olcDatabase=mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=eucalyptus,dc=com
olcRootDN: cn=Directory Manager,dc=eucalyptus,dc=com
olcRootPW: {SSHA}xxxx - (password of cn=Directory Manager,dc=eucalyptus,dc=com user)
olcDbDirectory: /media/ephemeral0/openldap/var/openldap-data/dns
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword by dn="cn=Directory Manager,dc=eucalyptus,dc=com"
 write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=Directory Manager,dc=eucalyptus,dc=com" write by * read
olcDbMaxReaders: 0
olcDbMode: 0600
olcDbSearchStack: 16
olcDbMaxSize: 4294967296
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbNoSync: FALSE
olcDbEnvFlags: writemap
olcDbEnvFlags: nometasync

Make sure and create the directory where the DB information will be stored:

# su - openldap -c "mkdir /media/ephemeral0/openldap/var/openldap-data/dns"

Start up the OpenLDAP directory:

# sudo /media/ephemeral0/openldap/libexec/slapd -h "ldap:/// ldapi:///" \
-u openldap -g openldap

After OpenLDAP has been started successfully, upload the directory-layout.ldif as the cn=admin,cn=config user:

# /media/ephemeral0/openldap/bin/ldapadd -D cn=admin,cn=config -W \
-f directory-layout.ldif
Enter LDAP Password:
adding new entry "olcDatabase=mdb,cn=config"

To allow search access to the directory, create an LDIF called frontend.ldif, that contains the following:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to * by self write by users read by anonymous auth

Upload the LDIF using the ldapmodify command:

# /media/ephemeral0/openldap/bin/ldapmodify -D cn=admin,cn=config -W -f frontend.ldif
Enter LDAP Password:
modifying entry "olcDatabase={-1}frontend,cn=config"

To check the results of these changes, use ldapsearch:

# /media/ephemeral0/openldap/bin/ldapsearch -D cn=admin,cn=config -W -b cn=config
Enter LDAP Password:
(ldapsearch results...)

After confirming that the base configurations have been stored, create an LDIF called dns-domain.ldif that lays out the directory structure for the database. As seen previously in the directory-layout.ldif, the base is dc=eucalyptus,dc=com. The dns-domain.ldif file should look like the following:

dn: dc=eucalyptus,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Eucalyptus Systems Inc - QA DNS Domain
dc: eucalyptus
description: Test LDAP+DNS Setup
 
dn: ou=dns,dc=eucalyptus,dc=com
objectClass: organizationalUnit
ou: dns

After creating the dns-domain.ldif file, upload the file using the cn=Directory Manager,dc=eucalyptus,dc=com user:

# /media/ephemeral0/openldap/bin/ldapadd -H ldap://localhost \
-D "cn=Directory Manager,dc=eucalyptus,dc=com" -W -f dns-domain.ldif
Enter LDAP Password:
adding new entry "dc=eucalyptus,dc=com"
adding new entry "ou=dns,dc=eucalyptus,dc=com"

To allow the cn=Directory Manager,dc=eucalyptus,dc=com user to see what updates are being done to the Directory, enable the Access Log overlay. To enable this option, create an LDIF file called access-log.ldif. The contents should look like the following:

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /media/ephemeral0/openldap/var/openldap-data/access
olcSuffix: cn=log
olcDbIndex: reqStart eq
olcDbMaxSize: 1073741824
olcDbMode: 0600
olcAccess: {1}to * by dn="cn=Directory Manager,dc=eucalyptus,dc=com" read

dn: olcOverlay={1}accesslog,olcDatabase={3}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {1}accesslog
olcAccessLogDB: cn=log
olcAccessLogOps: all
olcAccessLogPurge: 7+00:00 1+00:00
olcAccessLogSuccess: TRUE
olcAccessLogOld: (objectclass=idnsRecord)

After creating the access-log.ldif, create the directory for storing the access database:

# su - openldap -c "mkdir /media/ephemeral0/openldap/var/openldap-data/access"

Upload the LDIF using the cn=admin,cn=config user:

# /media/ephemeral0/openldap/bin/ldapadd -D cn=admin,cn=config -W -f access-log.ldif

Now that OpenLDAP is ready to go, let’s work on configuring Bind9 DNS.

Bind9 DNS Configuration

Since bind-dyndb-ldap has a dependency package of bind, named has already been installed on the instance. The only thing left to do is edit /etc/named.conf so that we are able to use the dynamic ldap backend module. Edit /etc/named.conf so that it looks like the following:

options {
 listen-on port 53 { <private IP address of the instance>; };
 listen-on-v6 port 53 { ::1; };
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 recursion yes;

 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside auto;

/* Path to ISC DLV key */
 bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
 allow-recursion { any; };
};

dynamic-db "qa_dns_test" {
 library "ldap.so";
 arg "uri ldap://localhost";
 arg "base ou=dns,dc=eucalyptus, dc=com";
 arg "auth_method none";
 arg "cache_ttl 10";
 arg "zone_refresh 1";
 arg "dyn_update yes";
};

logging {
 channel default_debug {
 file "data/named.run";
 severity debug;
 print-time yes;
 };
};

zone "." IN {
 type hint;
 file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

As seen above, the dynamic-db section is the configuration for connecting to the OpenLDAP server. For more advanced configurations, please reference the README in the bind-dyndb-ldap repository on git.fedorahosted.org.

Now we are ready to start named (the bind DNS server). Before starting the server, make sure and create the rndc key, then start named:

# rndc-confgen -a -r /dev/urandom
# service named start

You have successfully created an Bind9 DNS + OpenLDAP deployment. Let’s run a quick test.

Test the Deployment

To test the deployment, I created an LDIF called test-cloud.ldif. The configuration sets up a domain called eucalyptus-systems.com. It also creates a sub-domain that will be forwarding requests for euca-hasp.eucalyptus-systems.com to the CLCs of the Eucalyptus HA deployment that has been set up. The contents of the file are as follows:

dn: idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com
objectClass: top
objectClass: idnsZone
objectClass: idnsRecord
idnsName: eucalyptus-systems.com
idnsUpdatePolicy: grant EUCALYPTUS-SYSTEMS.COM krb5-self * A;
idnsZoneActive: TRUE
idnsSOAmName: server.eucalyptus-systems.com
idnsSOArName: root.server.eucalyptus-systems.com
idnsAllowQuery: any;
idnsAllowDynUpdate: TRUE
idnsSOAserial: 1
idnsSOArefresh: 10800
idnsSOAretry: 900
idnsSOAexpire: 604800
idnsSOAminimum: 86400
NSRecord: ns
ARecord: 192.168.55.103 - (the public IP of the instance)

dn: idnsName=ns,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com
objectClass: idnsRecord
objectClass: top
idnsName: ns
aRecord: 192.168.55.103

dn: idnsName=server,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com
objectClass: idnsRecord
objectClass: top
idnsName: server
CNAMERecord: eucalyptus-systems.com.

dn: idnsname=39.168.192.in-addr.arpa.,ou=dns,dc=eucalyptus,dc=com
objectClass: idnszone
objectClass: idnsrecord
objectClass: top
idnsName: 39.168.192.in-addr.arpa.
idnsSOAmName: server.eucalyptus-systems.com
idnsSOArName: root.server.eucalyptus-systems.com
idnsSOAserial: 1350039556
idnsSOArefresh: 10800
idnsSOAretry: 900
idnsSOAexpire: 604800
idnsSOAminimum: 86400
idnsZoneActive: TRUE
idnsAllowDynUpdate: TRUE
idnsAllowQuery: any;
idnsAllowTransfer: none;
idnsUpdatePolicy: grant EUCALYPTUS-SYSTEMS.COM krb5-subdomain 39.168.192.in-addr.arpa. PTR;
nSRecord: server.eucalyptus-systems.com.

dn: idnsName=_ldap._tcp,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com
objectClass: idnsRecord
objectClass: top
idnsName: _ldap._tcp
SRVRecord: 0 100 389 server

dn: idnsName=_ntp._udp,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com
objectClass: idnsRecord
objectClass: top
idnsName: _ntp._udp
SRVRecord: 0 100 123 server

# The DNS entries for the CLCs of the cloud - viking-01 and viking-02

dn: idnsName=viking-02,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com
objectClass: idnsRecord
objectClass: top
idnsName: viking-02
aRecord: 192.168.39.102

dn: idnsname=102,idnsname=39.168.192.in-addr.arpa.,ou=dns,dc=eucalyptus,dc=com
objectClass: idnsrecord
objectClass: top
idnsName: 102
pTRRecord: viking-02.eucalyptus-systems.com.

dn: idnsName=viking-01,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com
objectClass: idnsRecord
objectClass: top
idnsName: viking-01
aRecord: 192.168.39.101

dn: idnsname=101,idnsname=39.168.192.in-addr.arpa.,ou=dns,dc=eucalyptus,dc=com
objectClass: idnsrecord
objectClass: top
idnsName: 101
pTRRecord: viking-01.eucalyptus-systems.com.

# The delegated zone - euca-hasp.eucalyptus-systems.com

dn: idnsName=euca-hasp,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com
objectClass: top
objectClass: idnsRecord
objectClass: idnsZone
idnsForwardPolicy: first
idnsAllowDynUpdate: FALSE
idnsZoneActive: TRUE
idnsAllowQuery: any;
idnsForwarders: 192.168.39.101
idnsForwarders: 192.168.39.102
idnsName: euca-hasp
idnsSOAmName: server.eucalyptus-systems.com
idnsSOArName: root.server.eucalyptus-systems.com
idnsSOAretry: 15
idnsSOAserial: 1
idnsSOArefresh: 80
idnsSOAexpire: 120
idnsSOAminimum: 30
nSRecord: viking-01.eucalyptus-systems.com
nSRecord: viking-02.eucalyptus-systems.com

Since this was intended for a lab environment where sub-domains (and possibly domains) would be added/deleted on a regular basis, the SOA records were not set to the RFC 1912 standards defined for production DNS use.

After creating this LDIF, it was uploaded to the LDAP server as the cn=Directory Manager,dc=eucalyptus,dc=com user:

# /media/ephemeral0/openldap/bin/ldapadd -H ldap://localhost \
-D "cn=Directory Manager,dc=eucalyptus,dc=com" -W -f test-cloud.ldif
Enter LDAP Password:
adding new entry "idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
adding new entry "idnsName=ns,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
adding new entry "idnsName=server,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
adding new entry "idnsname=39.168.192.in-addr.arpa.,ou=dns,dc=eucalyptus,dc=com"
adding new entry "idnsName=_ldap._tcp,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
adding new entry "idnsName=_ntp._udp,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
adding new entry "idnsName=viking-02,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
adding new entry "idnsname=102,idnsname=39.168.192.in-addr.arpa.,ou=dns,dc=eucalyptus,dc=com"
adding new entry "idnsName=viking-01,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
adding new entry "idnsname=101,idnsname=39.168.192.in-addr.arpa.,ou=dns,dc=eucalyptus,dc=com"
adding new entry "idnsName=euca-hasp,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"

To test out the setup, tests were ran against the public IP address of the instance to resolve for the various configurations:

# nslookup viking-01.eucalyptus-systems.com 192.168.55.103
Server: 192.168.55.103
Address: 192.168.55.103#53

Name: viking-01.eucalyptus-systems.com
Address: 192.168.39.101

# nslookup 192.168.39.101 192.168.55.103
Server: 192.168.55.103
Address: 192.168.55.103#53

101.39.168.192.in-addr.arpa name = viking-01.eucalyptus-systems.com.

# nslookup eucalyptus.euca-hasp.eucalyptus-systems.com 192.168.55.103
Server: 192.168.55.103
Address: 192.168.55.103#53

Non-authoritative answer:
Name: eucalyptus.euca-hasp.eucalyptus-systems.com
Address: 192.168.39.102

# nslookup walrus.euca-hasp.eucalyptus-systems.com 192.168.55.103
Server: 192.168.55.103
Address: 192.168.55.103#53

Non-authoritative answer:
Name: walrus.euca-hasp.eucalyptus-systems.com
Address: 192.168.39.101

As see above, not only did the resolution come back correct for the machines under the eucalyptus-systems.com domain, but it also forwarded the requests for the hosts under euca-hasp.eucalyptus-systems.com correctly, and returned the correct response.

To delete the set up, an LDIF called delete-test-cloud.ldif from the test-cloud.ldif as follows:

# tac test-cloud.ldif | grep dn: > delete-test-cloud.ldif

Open up the delete-test-cloud.ldif and add the following lines between each dn:

changetype: delete
(empty line)

Now, use ldapmodify as the cn=Directory Manager,dc=eucalyptus,dc=com user to delete the entries:

# /media/ephemeral0/openldap/bin/ldapmodify -H ldap://localhost -D "cn=Directory Manager,dc=eucalyptus,dc=com" -W -f delete-test-cloud.ldif
Enter LDAP Password:
deleting entry "idnsName=euca-hasp,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
deleting entry "idnsname=101,idnsname=39.168.192.in-addr.arpa.,ou=dns,dc=eucalyptus,dc=com"
deleting entry "idnsName=viking-01,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
deleting entry "idnsname=102,idnsname=39.168.192.in-addr.arpa.,ou=dns,dc=eucalyptus,dc=com"
deleting entry "idnsName=viking-02,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
deleting entry "idnsName=_ntp._udp,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
deleting entry "idnsName=_ldap._tcp,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
deleting entry "idnsname=39.168.192.in-addr.arpa.,ou=dns,dc=eucalyptus,dc=com"
deleting entry "idnsName=server,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
deleting entry "idnsName=ns,idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"
deleting entry "idnsName=eucalyptus-systems.com,ou=dns,dc=eucalyptus,dc=com"

To confirm, do a lookup against one of the entries to see if it still exists:

# nslookup viking-01.eucalyptus-systems.com 192.168.55.103
Server: 192.168.55.103
Address: 192.168.55.103#53

** server can't find viking-01.eucalyptus-systems.com: NXDOMAIN

There you have it! A successful Bind9 DNS + OpenLDAP deployment is ready to be used.

Enjoy! And as always, questions/suggestions/comments are always welcome.

OpenLDAP: A comparison of back-mdb and back-hdb performance

May 16, 2013May 16, 2013 hspencer77back-hdb, back-mdb, lmdb, openldap, zimbraLeave a comment

Great insight on how much performance improvement you get with OpenLDAP when you use back-mdb instead of back-hdb.

Quanah's LDAP Blog

One of the biggest changes to OpenLDAP in years has made its way into the latest OpenLDAP 2.4 releases, and that is a brand new backend named “back-mdb”. This new backend leverages the Lightning Memory-Mapped Database from Symas. To see why this new backend was introduced, it is useful to look at the differences in performance and resource utilization between old BDB based back-hdb and the new LMDB based back-mdb.

Hardware details

Dell PowerEdge R710
36GB of RAM
ESXi 5.1 hypervisor
2 CPU, 4 cores per CPU, with hyperthreading (16 vCPUs)
1.2 TB RAID array from 4x SEAGATE ST9300603SS 300GB 10kRPM drives
Ubuntu12 64-bit OS (3.5.0-28-generic #48~precise1-Ubuntu SMP kernel)
LDAP data is stored on its own /ldap partition, using ext2 as the filesystem type
ext2 options: noatime,defaults

Software details

OpenLDAP 2.4 Engineering from 5/10/2013
Berkeley DB 5.2.36 for the back-hdb backend
For read tests, slamd 2.0.1 was used to…

View original post 658 more words

OpenLDAP Sandbox in the Clouds

December 8, 2012 hspencer77aws, cloud computing, eucalyptus, iaas, openldap, s3, sandbox, walrusLeave a comment

Background

I really enjoy OpenLDAP. I think folks really don’t understand the power of OpenLDAP, concerning its robustness (i.e. use multiple back-ends), speed and efficiency.

I think its important to have sandboxes to test various technologies. The “cloud” is the best place for this. To test out the latest builds provided by OpenLDAP (via git), I created a cloud-init script that allows me to configure, build, and install an OpenLDAP sandbox environment in the cloud (on-premise and/or public). This script has been tested on AWS and Eucalyptus using Ubuntu Precise 12.04 LTS. This blog entry is a compliment to my past blog regarding overlays, MDB and OpenLDAP.

Lean Requirements – Script, Image, and Cloud

When thinking about this setup, there were three goals in mind:

Ease of configuration – this is why cloud-init was used. Its very powerful in regards to bootstrapping instances as they boot up. You can use Puppet, Chef or others (e.g. Salt Stack, Juju, etc.), but I decided to go with cloud-init. The script does the following:
- Downloads all the prerequisites for building OpenLDAP from source, including euca2ools.
- Downloads OpenLDAP using Git
- Set up ephemeral storage to be the installation point for OpenLDAP (e.g. configuration, storage, etc.)
- Adds information into /etc/rc.local to make sure ephemeral gets re-mounted on reboots of the instance, and hostname is set.
- Configures, builds and installs OpenLDAP.
Cloud image that is ready to go – Ubuntu has done a wonderful job with their cloud images. They have made it really easy to access them on AWS. These images can be used on Eucalyptus as well.
Public and Private Cloud Deployment – Since Eucalyptus follows the AWS EC2 API very closely, it makes it really easy to test on both AWS and Eucalyptus.

Now that the background has been covered a bit, the next section will cover deploying the sandbox on AWS and/or Eucalyptus.

Deploy the Sandbox

To set the sandbox setup, use the following steps:

Make sure and have an account on AWS and/or Eucalyptus (and the correct AWS/Eucalyptus IAM policies are in place so that you can bundle, upload and register images to AWS S3 and Eucalyptus Walrus).
Make sure you have access to a registered AMI/EMI that runs Ubuntu Precise 12.04 LTS. *NOTE* If you are using AWS, you can just go to the Ubuntu Precise Cloud Image download page, and select the AMI in the region that you have access to.
Download the openldap cloud-init recipe from Eucalyptus/recipes repository.
Download and install the latest Euca2ools (I used the command-line tool euca-run-instances to run these instances).
After you have downloaded your credentials from AWS/Eucalyptus, define your global environments by either following the documentation for AWS EC2 or the documentation for Eucalyptus.

Use euca-run-instances with the –user-data-file option to launch the instance:

euca-run-instances -k hspencer.pem ....
 --user-data-file cloud-init-openldap.config [AMI | EMI]

After the instance is launched, ssh into the instance, and you will see something similar to the following:

ubuntu@euca-10-106-69-149:~$ df -ah
Filesystem Size Used Avail Use% Mounted on
/dev/vda1 1.4G 1.2G 188M 86% /
proc 0 0 0 - /proc
sysfs 0 0 0 - /sys
none 0 0 0 - /sys/fs/fuse/connections
none 0 0 0 - /sys/kernel/debug
none 0 0 0 - /sys/kernel/security
udev 494M 12K 494M 1% /dev
devpts 0 0 0 - /dev/pts
tmpfs 200M 232K 199M 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 498M 0 498M 0% /run/shm
/dev/vda2 8.0G 159M 7.5G 3% /opt/openldap

Your sandbox environment is now set up. From here, just following the instructions in the OpenLDAP Administrator’s Guide on configuring your openldap server, or continue from the “Setup – OLC and MDB” section located in my previous blog. *NOTE* As you configure your openldap server, make sure and use euca-authorize to control access to your instance.

Enjoy!

Overlays + MDB == OpenLDAP Fun!

June 11, 2012December 8, 2012 hspencer77access log, audit log, cloud computing, cn=config, dynamic slapd, mdb, memory-mapped database, monitoring, olc, openldap, overlays, rewrite, slapd.d9 Comments

Recently, I was given the task/honor of setting up an OpenLDAP server to be used for the enterprise. In the past, I have set up a few OpenLDAP servers – some built from source; others from packages. This time, it was different. Back in early May, I went to UDS in Oakland, California. When I was there, I sat in on a track where Howard Chu presented MDB: A Memory-Mapped Database and Backend for OpenLDAP. Every since then, I was inspired to deploy an OpenLDAP server utilizing MDB – which also gave me a chance to play around with Overlays. This blog will give a breakdown of what steps were taken to deploy an OpenLDAP server from source, using MDB backends – utilizing a few overlays.

Prerequisites

First off, we need to get the source code for the latest version of OpenLDAP. Go to the Downloads link on the OpenLDAP home page. Once there, grab any one of the links there and use wget/curl to download the tar-gzipped file.

wget ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-2.4.31.tgz

Once the tar-gzipped file is downloaded, untar it:

tar -zxvf openldap-2.4.31.tgz

The prerequisites for OpenLDAP are listed on the prerequisites page.

The prerequisites I used were as follows:

gcc
glibc-devel
libtool-ltdl
db4-devel
openssl-devel
unixODBC-devel

These were used based upon the features to be utilized with OpenLDAP. To learn more about what features can be used with OpenLDAP, use the configure command to get some help:

cd openldap-2.4.31; ./configure --help

Configure, Build, Install

After determining what features will be used with OpenLDAP, its time to configure the build. Here is an example of running the configure command:

./configure --prefix=/opt/openldap --enable-debug=yes --enable-syslog --enable-dynamic --enable-slapd --enable-dynacl --enable-cleartext --enable-spasswd --enable-modules --enable-rewrite --enable-rlookups --enable-bdb --enable-dnssrv=mod --enable-hdb --enable-mdb --enable-monitor --enable-overlays --with-cyrus-sasl --with-threads --with-tls=openssl CC="gcc" LDFLAGS="-L/usr/lib64/sasl2" CPPFLAGS="-I/usr/include/sasl"

After that has ran successfully, all that is left is to use make to complete the installation. Run the following commands:

make depends
make
make test (Here’s the time to go grab some dinner and watch the NBA playoffs)

If all goes well, all that is left is to install:

make install

Setup – OLC and MDB

Create a user that will run the slapd process:

useradd -m -U -c "OpenLDAP User" -s /bin/bash openldap

Create the directory where the main database will be running:

mkdir /opt/openldap-2.4.31/var/openldap-data/main; chown -R openldap:openldap /opt/openldap-2.4.31/var/openldap-data/main

Create passwords for admin user for config database, and Directory Manager for main directory by using slappasswd:

/opt/openldap-2.4.31/sbin/slappasswd -h {SSHA} (Run this for each password to be created.)

Now we need to configure the server. We will be using the on-line configuration (OLC) of slapd (instead of the old configuration way – slapd.conf. OLC provides close to zero down-time configuration, cn=config and slapd.d directory. For more information concerning usage of cn=config, please refer to Configuring slapd in the online OpenLDAP Administrator’s Guide.

Not only will OLC be used, but MDB will be set up for the main database. For more information about MDB, please refer to the whitepaper, MDB: A Memory-Mapped Database and Backend for OpenLDAP.

For the setup, we need to create a slapd.conf, with the following information:

####################################################################### # Config database definitions ####################################################################### dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /opt/openldap-2.4.31/var/run/slapd.args olcPidFile: /opt/openldap-2.4.31/var/run/slapd.pid


dn: olcDatabase=config,cn=config

olcDatabase: config

olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxx

olcAccess: to * by * none

olcLogLevel: -1
dn: cn=schema,cn=config

objectClass: olcSchemaConfig

cn: schema
include: file:///opt/openldap-2.4.31/etc/openldap/schema/core.ldif

include: file:///opt/openldap-2.4.31/etc/openldap/schema/collective.ldif

include: file:///opt/openldap-2.4.31/etc/openldap/schema/corba.ldif

include: file:///opt/openldap-2.4.31/etc/openldap/schema/cosine.ldif

include: file:///opt/openldap-2.4.31/etc/openldap/schema/duaconf.ldif

include: file:///opt/openldap-2.4.31/etc/openldap/schema/dyngroup.ldif

include: file:///opt/openldap-2.4.31/etc/openldap/schema/inetorgperson.ldif

include: file:///opt/openldap-2.4.31/etc/openldap/schema/misc.ldif

include: file:///opt/openldap-2.4.31/etc/openldap/schema/nis.ldif

include: file:///opt/openldap-2.4.31/etc/openldap/schema/openldap.ldif

include: file:///opt/openldap-2.4.31/etc/openldap/schema/ppolicy.ldif
# Frontend settings

#

dn: olcDatabase=frontend,cn=config

objectClass: olcDatabaseConfig

olcDatabase: frontend

olcAccess: to dn.base="" by * read

olcAccess: to dn.base="cn=Subschema" by * read

olcAccess: to *

	by self write

	by users read

	by anonymous auth

####################################################################### # MDB database definitions ####################################################################### # dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb olcSuffix: dc=example,dc=com olcRootDN: cn=Directory Manager,dc=example,dc=com olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxx olcDbDirectory: /opt/openldap-2.4.31/var/openldap-data/main olcDbIndex: objectClass eq olcAccess: to attrs=userPassword by dn="cn=Directory Manager,dc=example, dc=com" write by anonymous auth by self write by * none olcAccess: to attrs=shadowLastChange by self write by * read olcAccess: to dn.base="" by * read olcAccess: to * by dn="cn=Directory Manager,dc=example,dc=com" write by * read olcDbMaxReaders: 0 olcDbMode: 0600 olcDbSearchStack: 16 olcDbMaxSize: 4294967296 olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcSyncUseSubentry: FALSE olcMonitoring: TRUE olcDbNoSync: FALSE olcDbEnvFlags: writemap olcDbEnvFlags: nometasync

Schema Information

In the schema section, the following LDIFs were included:

collective => Collective attributes
corba => Corba Object
core => OpenLDAP “core”
cosine => COSINE Pilot
duaconf => Client Configuration
dyngroup => Dynamic Group
inetorgperson => InetOrgPerson
misc => Miscellaneous Schema
nis => Network Information Service
openldap => OpenLDAP Project
ppolicy => Password Policy Schema

For more information about the schema configuration, please refer to the following links:

Config Information

For more information concerning using OLC (cn=config), please check out these links:

After the slapd.conf file is set up, use slaptest to create the slapd.d directory to finish out the configuration:

/opt/openldap-2.4.31/sbin/slaptest -f /opt/openldap-2.4.31/etc/openldap/slapd.conf -F /opt/openldap-2.4.31/etc/openldap/slapd.d

Ready to Start the OpenLDAP Server

Now its time to start the OpenLDAP server. To start OpenLDAP, run the following command:

/opt/openldap-2.4.31/libexec/slapd -F /opt/openldap-2.4.31/etc/openldap/slapd.d/ -h "ldap:/// ldapi:/// ldaps:///" -d -1 -u openldap -g openldap

If all is well, the overlays can now be added.

Overlays and Additional Databases

Rewrite Overlay

The Rewrite Overlay uses the slapo-rwm overlay and the relay proxy backend. This overlay/backend combo will allow “dc=example,dc=com” or “o=example” to be used by ldap tools, such as ldapsearch.

To implement this, create an LDIF file with the following information

# cat rewrite-overlay.ldif


dn: olcDatabase={2}relay,cn=config

objectClass: olcDatabaseConfig

objectClass: olcRelayConfig

olcDatabase: {2}relay

olcSuffix: o=example

olcRelay: dc=example,dc=com

dn: olcOverlay={0}rwm,olcDatabase={2}relay,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {0}rwm olcRwmRewrite: {0}rwm-rewriteEngine "on" olcRwmRewrite: {1}rwm-suffixmassage "dc=example,dc=com"

Once that file is created, add the ldif to the cn=config database:

ldapadd -x -D cn=admin,cn=config -w -f rewrite-overlay.ldif

When data is added to dc=example,dc=com, searches can be done using the base “dc=example,dc=com” or “o=example”.

Monitoring

Setting up the monitoring database gives the ability to monitor the status and gain statistics of the OpenLDAP server through ldapsearch.

To set up the monitoring database, create the following LDIF:

# cat monitor.ldif

dn: olcDatabase={3}Monitor,cn=config objectClass: olcDatabaseConfig objectClass: olcMonitorConfig olcDatabase: {3}Monitor olcAccess: {0}to * by dn="cn=Directory Manager,dc=example,dc=com" read

After this file has been created, use ldapadd to add it to the config database:

ldapadd -x -D cn=admin,cn=config -w -f monitor.ldif

Now, statistics can be gathered by the Directory Manager searching against the monitor database:

ldapsearch -x -D 'cn=Directory Manager,dc=example,dc=com' -w -b 'cn=Monitor' -s base 1.1

Auditing Overlay

The auditing overlay is great for security audits. For a given database, an LDIF file is created of all ldap operations completed against the database. This is also helpful for disaster recovery as well.

Since the config database and the main mdb database (dc=example,dc=com) will be accessed the most, lets create an audit overlay for them. To do so, add the following information to an LDIF:

# cat auditlog.ldif


dn: olcOverlay={0}auditlog,olcDatabase={0}config,cn=config

objectClass: olcOverlayConfig

objectClass: olcAuditlogConfig

olcOverlay: {0}auditlog

olcAuditlogFile: /var/log/ldap/auditlog-config.ldif

dn: olcOverlay={0}auditlog,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcAuditlogConfig olcOverlay: {0}auditlog olcAuditlogFile: /var/log/ldap/auditlog-mdb.ldif

To apply the overlay, use ldapadd on the config database:

ldapadd -x -D cn=admin,cn=config -w -f auditlog.ldif

There will now be an ldif file for each database under /var/log/ldap directory.

Access Log Overlay

The accesslog overlay is another overlay that is implemented with data storage database. This overlay allows the Directory Manager to see all successful ldap modifies, deletes, searches, adds against the main directory (dc=example,dc=com). This information can be accessed using ldapsearch. There is the ability to implement log purging as well. In this setup, any logs older than 7 days will be deleted. Since the database will be stored under /opt/openldap-2.4.31/var/openldap-data/access, we need to make sure and create that directory, and set the ownership to the openldap user:

mkdir /opt/openldap-2.4.31/var/openldap-data/access;chown -R openldap:openldap /opt/openldap-2.4.31/var/openldap-data/access

To set up the accesslog overlay, create the following LDIF:

# cat access-log.ldif dn: olcDatabase={4}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {4}mdb olcDbDirectory: /opt/openldap-2.4.31/var/openldap-data/access olcSuffix: cn=log olcDbIndex: reqStart eq olcDbMaxSize: 1073741824 olcDbMode: 0600 olcAccess: {0}to * by dn="cn=Directory Manager,dc=example,dc=com" read

dn: olcOverlay={1}accesslog,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcAccessLogConfig olcOverlay: {1}accesslog olcAccessLogDB: cn=log olcAccessLogOps: all olcAccessLogPurge: 7+00:00 1+00:00 olcAccessLogSuccess: TRUE olcAccessLogOld: (objectclass=person)

Logging will be done for any action done by any person in the main directory (dc=example,dc=com). Now its time to add the ldif to the config database:

ldapadd -x -D cn=admin,cn=config -w -f access-log.ldif

Logging can now be accessed by the Directory Manager by using ldapsearch:

# ldapsearch -D "cn=Directory Manager,dc=example,dc=com" -w -b cn=log


# extended LDIF

#

# LDAPv3

# base  with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#
# log

dn: cn=log

objectClass: auditContainer

cn: log
# 20120607233002.000000Z, log

dn: reqStart=20120607233002.000000Z,cn=log

objectClass: auditBind

reqStart: 20120607233002.000000Z

reqEnd: 20120607233002.000001Z

reqType: bind

reqSession: 1071

reqAuthzID:

reqDN: cn=Directory Manager,dc=example,dc=com

reqResult: 0

reqVersion: 3

reqMethod: SIMPLE

........

Thats pretty much it. OpenLDAP using MDB, with some pretty cool overlays. What more could you ask for?

More Mind Spew-age from Harold Spencer Jr.

Random Information – sometimes techie, sometimes not..

Menu

openldap

OpenLDAP: A comparison of back-mdb and back-hdb performance

Hardware details

Software details