23. Other Server Software

Here you will find many ways to share your machine with the rest of the world or your local network. Before installing any packages in this chapter, you need to be sure you understand what the package does and how to set it up correctly. It might also be helpful to learn about the consequences of an improper setup so that you can analyze the risks.

23.1 OpenLDAP-2.6.4

Introduction to OpenLDAP

The OpenLDAP package provides an open source implementation of the Lightweight Directory Access Protocol.

This package is known to build and work properly using an LFS 11.3 platform.

Package Information

Additional Downloads

OpenLDAP Dependencies

Cyrus SASL-2.1.28

Optional

GnuTLS-3.8.0, Pth-2.0.7, unixODBC-2.3.11, MariaDB-10.6.12 or PostgreSQL-15.2 or MySQL, OpenSLP, WiredTiger, and Berkeley DB-5.3.28 (for slapd, but deprecated)

User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/openldap

Installation of OpenLDAP

Note

If you only need to install the client side ldap* binaries, corresponding man pages, libraries and header files (referred to as a “client-only” install), issue these commands instead of the following ones (no test suite available):

patch -Np1 -i ../openldap-2.6.4-consolidated-1.patch &&
autoconf &&

./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --disable-static  \
            --enable-dynamic  \
            --enable-versioning=yes  \
            --disable-debug   \
            --disable-slapd &&

make depend &&
make

Then, as the root user:

make install

There should be a dedicated user and group to take control of the slapd daemon after it is started. Issue the following commands as the root user:

groupadd -g 83 ldap &&
useradd  -c "OpenLDAP Daemon Owner" \
         -d /var/lib/openldap -u 83 \
         -g ldap -s /bin/false ldap

Install OpenLDAP by running the following commands:

patch -Np1 -i ../openldap-2.6.4-consolidated-1.patch &&
autoconf &&

./configure --prefix=/usr         \
            --sysconfdir=/etc     \
            --localstatedir=/var  \
            --libexecdir=/usr/lib \
            --disable-static      \
            --enable-versioning=yes \
            --disable-debug       \
            --with-tls=openssl    \
            --with-cyrus-sasl     \
            --without-systemd     \
            --enable-dynamic      \
            --enable-crypt        \
            --enable-spasswd      \
            --enable-slapd        \
            --enable-modules      \
            --enable-rlookups     \
            --enable-backends=mod \
            --disable-sql         \
            --disable-wt          \
            --enable-overlays=mod &&

make depend &&
make

The tests appear to be fragile. Errors may cause the tests to abort prior to finishing, apparently due to timing issues. The tests take about 65 minutes and are processor independent. To test the results, issue: make test.

Now, as the root user:

make install &&

sed -e "s/\.la/.so/" -i /etc/openldap/slapd.{conf,ldif}{,.default} &&

install -v -dm700 -o ldap -g ldap /var/lib/openldap     &&

install -v -dm700 -o ldap -g ldap /etc/openldap/slapd.d &&
chmod   -v    640     /etc/openldap/slapd.{conf,ldif}   &&
chown   -v  root:ldap /etc/openldap/slapd.{conf,ldif}   &&

install -v -dm755 /usr/share/doc/openldap-2.6.4 &&
cp      -vfr      doc/{drafts,rfc,guide} \
                  /usr/share/doc/openldap-2.6.4

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

--disable-debug: This switch disables the debugging code in OpenLDAP.

--enable-dynamic: This switch forces the OpenLDAP libraries to be dynamically linked to the executable programs.

--enable-versioning: This switch enables symbol versioning in the OpenLDAP libraries. Without this, some applications might generate a warning about missing symbol versions.

--enable-crypt: This switch enables using crypt(3) passwords.

--enable-spasswd: This switch enables SASL password verification.

--enable-modules: This switch enables dynamic module support.

--enable-rlookups: This switch enables reverse lookups of client hostnames.

--enable-backends: This switch enables all available backends.

--enable-overlays: This switch enables all available overlays.

--disable-sql: This switch explicitly disables the SQL backend. Omit this switch if a SQL server is installed and you are going to use a SQL backend.

--disable-wt: This switch explicitly disables the WiredTiger backend. Omit this switch if WiredTiger is installed and you are going to use a WiredTiger backend.

--libexecdir=/usr/lib: This switch controls where the /usr/lib/openldap directory is installed. Everything in that directory is a library, so it belongs under /usr/lib instead of /usr/libexec.

--enable-slp: This switch enables SLPv2 support. Use it if you have installed OpenSLP.

Note

You can run ./configure –help to see if there are other switch you can pass to the configure command to enable other options or dependency packages.

install …, chown …, and chmod …: Having slapd configuration files and ldap databases in /var/lib/openldap readable by anyone is a SECURITY ISSUE, especially since a file stores the admin password in PLAIN TEXT. That’s why mode 640 and root:ldap ownership were used. The owner is root, so only root can modify the file, and group is ldap, so that the group which owns slapd daemon could read but not modify the file in case of a security breach.

Configuring OpenLDAP

Config Files

Configuration Information

Configuring the slapd servers can be complex. Securing the LDAP directory, especially if you are storing non-public data such as password databases, can also be a challenging task. In order to set up OpenLDAP, you’ll need to modify either the /etc/openldap/slapd.conf file (old method), or the /etc/openldap/slapd.ldif file and then use ldapadd to create the LDAP configuration database in /etc/openldap/slapd.d (recommended by the OpenLDAP documentation).

Warning

The instructions above install an empty LDAP structure and a default /etc/openldap/slapd.conf file, which are suitable for testing the build and other packages using LDAP. Do not use them on a production server.

Resources to assist you with topics such as choosing a directory configuration, backend and database definitions, access control settings, running as a user other than root and setting a chroot environment include:

Systemd Unit

To automate the startup of the LDAP server at system bootup, install the slapd.service unit included in the blfs-systemd-units-20220720 package using the following command:

make install-slapd

Note

You’ll need to modify /etc/default/slapd to include the parameters needed for your specific configuration. See the slapd man page for parameter information.

Testing the Configuration

Start the LDAP server using systemctl:

systemctl start slapd

Verify access to the LDAP server with the following command:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

The expected result is:

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Contents

Installed Programs: ldapadd, ldapcompare, ldapdelete, ldapexop, ldapmodify, ldapmodrdn, ldappasswd, ldapsearch, ldapurl, ldapvc, ldapwhoami, slapacl, slapadd, slapauth, slapcat, slapd, slapdn, slapindex, slapmodify, slappasswd, slapschema, and slaptest

Installed Libraries: liblber.so, libldap.so, and several under /usr/lib/openldap

Installed Directories: /etc/openldap, /{usr,var}/lib/openldap, and /usr/share/doc/openldap-2.6.4

Short Descriptions

ldapadd opens a connection to an LDAP server, binds and adds entries.

ldapcompare opens a connection to an LDAP server, binds and performs a compare using specified parameters.

ldapdelete opens a connection to an LDAP server, binds and deletes one or more entries.

ldapexop issues the LDAP extended operation specified by oid or one of the special keywords whoami, cancel, or refresh.

ldapmodify opens a connection to an LDAP server, binds and modifies entries.

ldapmodrdn opens a connection to an LDAP server, binds and modifies the RDN of entries.

ldappasswd is a tool used to set the password of an LDAP user.

ldapsearch opens a connection to an LDAP server, binds and performs a search using specified parameters.

ldapurl is a command that allows to either compose or decompose LDAP URIs.

ldapvc verifies LDAP credentials.

ldapwhoami opens a connection to an LDAP server, binds and displays whoami information.

slapacl is used to check the behavior of slapd by verifying access to directory data according to the access control list directives defined in its configuration.

slapadd is used to add entries specified in LDAP Directory Interchange Format (LDIF) to an LDAP database.

slapauth is used to check the behavior of the slapd in mapping identities for authentication and authorization purposes, as specified in slapd.conf.

slapcat is used to generate an LDAP LDIF output based upon the contents of a slapd database.

slapd is the standalone LDAP server.

slapdn checks a list of string-represented DNs based on schema syntax.

slapindex is used to regenerate slapd indexes based upon the current contents of a database.

slapmodify modifies entries in a slapd database.

slappasswd is an OpenLDAP password utility.

slapschema is used to check schema compliance of the contents of a slapd database.

slaptest checks the sanity of the slapd.conf file.

liblber.so is a set of Lightweight Basic Encoding Rules routines. These routines are used by the LDAP library routines to encode and decode LDAP protocol elements using the (slightly simplified) Basic Encoding Rules defined by LDAP. They are not normally used directly by an LDAP application program except in the handling of controls and extended operations.

libldap.so supports the LDAP programs and provide functionality for other programs interacting with LDAP.

23.2 Unbound-1.17.1

Introduction to Unbound

Unbound is a validating, recursive, and caching DNS resolver. It is designed as a set of modular components that incorporate modern features, such as enhanced security (DNSSEC) validation, Internet Protocol Version 6 (IPv6), and a client resolver library API as an integral part of the architecture.

This package is known to build and work properly using an LFS 11.3 platform.

Package Information

Unbound Dependencies

Optional

libevent-2.1.12, Nettle-3.8.1, Python-2.7.18, sphinx-6.1.3 (for Python bindings documentation), SWIG-4.1.1 (for Python bindings), Doxygen-1.9.6 (for html documentation), and dnstap

User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/unbound

Installation of Unbound

There should be a dedicated user and group to take control of the unbound daemon after it is started. Issue the following commands as the root user:

groupadd -g 88 unbound &&
useradd -c "Unbound DNS Resolver" -d /var/lib/unbound -u 88 \
        -g unbound -s /bin/false unbound

Install Unbound by running the following commands:

./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --disable-static  \
            --with-pidfile=/run/unbound.pid &&
make

If you have Doxygen-1.9.6 package installed and want to build html documentation, run the following command:

make doc

To test the results, issue make check.

Now, as the root user:

make install &&
mv -v /usr/sbin/unbound-host /usr/bin/

If you built the documentation, install it by running the following commands as the root user:

install -v -m755 -d /usr/share/doc/unbound-1.17.1 &&
install -v -m644 doc/html/* /usr/share/doc/unbound-1.17.1

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

--with-libevent: This option enables libevent support allowing use of large outgoing port ranges.

--with-pyunbound: This option enables building of the Python bindings.

Configuring Unbound

Config Files

/etc/unbound/unbound.conf

Configuration Information

In the default configuration, unbound will bind to localhost (127.0.0.1 IP address) and allow recursive queries only from localhost clients. If you want to use unbound for local DNS resolution, run the following command as the root user:

echo "nameserver 127.0.0.1" > /etc/resolv.conf

If you are using a DHCP client for connecting to a network, /etc/resolv.conf gets overwritten with values provided by DHCP server. You can override this, for example in DHCP-4.4.3-P1, by running the following command as the root user:

sed -i '/request /i\supersede domain-name-servers 127.0.0.1;' \
       /etc/dhcp/dhclient.conf

For advanced configuration see /etc/unbound/unbound.conf file and the documentation.

When Unbound is installed, some package builds fail if the file /etc/unbound/root.key is not found. Create this file by running the following command as the root user:

unbound-anchor

Systemd Unit

If you want the Unbound server to start automatically when the system is booted, install the unbound.service unit included in the blfs-systemd-units-20220720 package:

make install-unbound

Contents

Installed Programs: unbound, unbound-anchor, unbound-checkconf, unbound-control, unbound-control-setup, and unbound-host

Installed Library: libunbound.so and (optional) /usr/lib/python2.7/site-packages/_unbound.so

Installed Directories: /etc/unbound and /usr/share/doc/unbound-1.17.1 (optional)

Short Descriptions

unbound is a DNS resolver daemon.

unbound-anchor performs setup or update of the root trust anchor for DNSSEC validation.

unbound-checkconf checks the unbound configuration file for syntax and other errors.

unbound-control performs remote administration on the unbound DNS resolver.

unbound-control-setup generates a self-signed certificate and private keys for the server and client.

unbound-host is a DNS lookup utility similar to host from BIND Utilities-9.18.12.

libunbound.so provides the Unbound API functions to programs.