Migrate LDAP server from CentOS 6 to CentOS 7

Migrate LDAP server from CentOS 6 to CentOS 7

First It should need to install the openldap services. Run the below command to install it.

# yum -y install openldap openldap-clients openldap-servers openldap-devel

Start and enable the LDAP daemon from the boot.

# systemctl start slapd.service

# systemctl enable slapd.service

Then take the backup from the existing LDAP server. It is required to take configuration file backup (slapd.conf) and ldif database backup.

To take the ldif backup it is possible to use slapcat tool. Below command depicts the example of taking backup.

slapcat -n 1 -l /<dir_location>/Latest_2020.ldif

You must take the backup of slapd.conf file, but there might be changes need to do when you migrating it to the CentOS 7 operating systems. The major change I have done there is database type, changed from “bdb” to “mdb”. If you are using TLS for communication either you need to create new TLS certificate or you can take the old server key and related certificate from the locations. Rest of the configuration file can be placed as it is.

Then it should required to restore the ldif database. For that it should required to follow the given steps.

• Stop the LDAP service. : systemctl stop slapd.service
• Remove the existing databases in /var/lib/ldap directory : rm -rf /var/lib/ldap/*
• The configuration file contain slapd.d directory, since this is not going to use in the live environment and we have already restore the slapd.conf file remove the slapd.d directory : rm -rf /etc/openldap/slapd.d
• Then before restoring the ldif database start the slapd service : systemctl start slapd.service
• Then try to restore with the ldapadd tool : ldapadd -x -D "cn=admin,dc=testdomain,dc=com" -f Latest-2020.ldif -W
  

It will prompt for the LDAP admin user password. Sometime due to old strings restore might not success. Error will produce the exact string which are not compatible with the latest openldap server. If it is the case remove the incompatible strings from the ldif file. Below command can be used for remove the incompatible strings.

sed '/structuralObjectClass/d' Latest-2020.ldif > mod.ldif

Then again it can run the restore command again. Once you successfully restore the LDAP database restart the slapd service.

systemctl restart slapd.service

Configure Chroot Jail SFTP Server

Configure Chroot Jail SFTP Server

Problem Statement: By using one of the article publish in the internet I have configured the SFTP server with the chrooted environment. The SFTP server is catering to several customers to upload their content and user’s home directories are shared.

When ever the users logged in, it will direct to their home folder but still the users can browse entire directory architecture. Even the users can change the directory location to /var directory and access the content there since it can be readable by any user.

Below depicts the sshd_config file configuration for SFTP server.

Subsystem sftp internal-sftp

Match group ftpaccess

ChrootDirectory %h

X11Forwarding no

AllowTcpForwarding no

ForceCommand internal-sftp

Solutions: I have referred several sites to find out proper solution to configure SFTP in a chroot jail environment. Below are the links which I used.

Referenced Link : https://unix.stackexchange.com/questions/359523/restrict-sftp-user-to-multiple-folders/359554

https://vkaustubh.github.io/blog/geek/2018-05-29-setting-up-sftp-server.html

By referencing I have configured the sshd_config file in the below way.

Subsystem sftp /usr/libexec/openssh/sftp-server

Match user dave

ChrootDirectory /home/dave

X11Forwarding no

AllowTcpForwarding no

ForceCommand internal-sftp

Match user anne

ChrootDirectory /home/anne

X11Forwarding no

AllowTcpForwarding no

ForceCommand internal-sftp

Match user sam

ChrootDirectory /home/sam

X11Forwarding no

AllowTcpForwarding no

ForceCommand internal-sftp

But once I configured it there was issue with the login. When I checked the /var/log/secure there was an error stating the bad permission.

“fatal: bad ownership or modes for chroot directory "/home/dave" [postauth]

Since it was configured to used with the chroot, the folder should be owned by the root and it should have the 755 permission on it. Therefore I have run the below commands to set it.

chown root:root /home/dave

chmod 755 /home/dave

These permissions should not be change at any cost. If there is minor change in the permission it would again give you the bad permission error.

It has arised another issue that since the folder is not owned by the user who is going to do SFTP, the user can not perform any upload to folder location. I have tried with adding ACL, but then again bad permission error occurred. The only workaround which remain is to create a folder inside the shared folder and set the relevant permissions.

mkdir /home/dave/dave

chown dave:dave /home/dave/dave

with that everything has resolved and now users who are logged in through SFTP is restricted to their own home directory.