{{tag>tutorial ldap}}
====== Install and configure OpenLDAP on Debian 8 (Jessie) ======
===== Requirements =====
* Debian 8 installation
----
===== Notes =====
* ''%%ldapsearch%%'' parameters:
  * ''%%-W%%'' prompt for password
  * ''%%-x%%'' use simple auth
  * ''%%-Z%%'' try to use STARTTLS
  * ''%%-ZZ%%'' force use of STARTTLS
  * ''%%-D%%'' bind with the given name
  * ''%%-b%%'' search base
* ''%%ldaps://%%'' on port 636 is deprecated with LDAPv3. Use ''%%ldap://%%'' on port 389 with STARTTLS instead.
----
===== Installation =====
* apt-get install slapd ldap-utils
* During installation, set an admin password
* Open ''%%/etc/ldap/ldap.conf%%'' and set the ''%%BASE%%'' and ''%%URI%%'' parameters:
*
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=my,dc=domain,dc=tld
URI ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT ALLOW
* Run ''%%dpkg-reconfigure slapd%%''
* Answer the following prompts this way:
| Omit OpenLDAP server configuration? | No |
| Organization name: | |
| Administrator password: | |
| Confirm password: | |
| Database backend to use: | MDB |
| Do you want the database to be removed when slapd is purged? | No |
| Move old database? | Yes |
| Allow LDAPv2 protocol? | No |
* Test connection:
* $> ldapsearch -x
----
===== Add Some Data =====
* We want to create some basic organizational units (OUs), e.g. for people and groups
* Create ''%%base.ldif%%'' with the following content:
*
dn: ou=people,dc=my,dc=domain,dc=tld
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=my,dc=domain,dc=tld
objectClass: organizationalUnit
ou: groups
* Add it with ''%%ldapadd%%'':
* $> ldapadd -x -D cn=admin,dc=my,dc=domain,dc=tld -W -f base.ldif
----
===== Enforce Authorization =====
* We do not want our directory to be world-readable, so we need to set up some ACLs
* First, get your current ACLs:
* $> ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
* This produces a long list; we are interested in the output under the ''%%# {1}mdb, config%%'' heading (example output):
*
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my,dc=domain,dc=tld
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=my,dc=
domain,dc=tld" write by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=my,dc=domain,dc=tld" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=my,dc=domain,dc=tld
olcRootPW: {SSHA}abcdefghijklmnopqrstuvwxyz123456
olcSecurity: tls=1
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
* Take a look at the lines starting with ''%%olcAccess%%''
* We want users to be able to change their own password as well as authenticate. No one else should be able to read the password hash. The admin accounts can modify everyone's passwords and read all hashes.
* We also want users to authenticate before reading the directory; anonymous access should be disallowed.
* We need to modify ''%%olcAccess: {0}%%'' for the passwords and ''%%olcAccess: {2}%%'' for general access.
* Create the ''%%access.ldif%%'' file:
*
# Continuation lines start with two spaces: the first marks the LDIF fold
# (it is removed when the value is joined), the second keeps the words apart.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=my,dc=domain,dc=tld" write
  by self write
  by anonymous auth
  by * none
-
delete: olcAccess
olcAccess: {2}
-
add: olcAccess
olcAccess: {2}to *
  by dn="cn=admin,dc=my,dc=domain,dc=tld" manage
  by self write
  by anonymous auth
  by users read
* Apply it:
* $> ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif
* Users now need to authenticate to read the directory, like this:
* $> ldapsearch -x -D "cn=admin,dc=my,dc=domain,dc=tld" -W
----
===== Enabling TLS =====
* Make sure you have the following files:
* ''%%cert.crt%%'' - Your certificate (without any other intermediate certs)
* ''%%cert.key%%'' - Your private key
* ''%%chain.pem%%'' - The intermediate certs
* I assume the files are located at ''%%/opt/ssl%%''
* Add the openldap user to the ssl-cert group:
* $> usermod -aG ssl-cert openldap
* chown your files and set permissions:
*
$> chown root:ssl-cert cert.crt cert.key chain.pem
$> chmod 640 cert.crt cert.key chain.pem
* Create the ''%%tls.ldif%%'' file:
*
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /opt/ssl/chain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /opt/ssl/cert.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /opt/ssl/cert.key
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
* And apply it
* $> ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
* To enforce TLS create the following ldif file and apply it:
*
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
* Users now need to use STARTTLS (e.g. with ''%%-Z%%'' in ''%%ldapsearch%%''):
* $> ldapsearch -x -Z -D "cn=admin,dc=my,dc=domain,dc=tld" -W
----
===== Add an admin group =====
* We do not want to give every admin the admin account credentials
* We need an admin group which all admins are a member of
* We can give this group manage permissions
* I assume you have already created an ''%%admins%%'' posixGroup in the ''%%groups%%'' OU
* Take a look at the ldif to enforce authorization and change it to this:
*
# The general-access rule was created as {2} in access.ldif, so {2} is the
# index to replace; there is no {3} at this point. Continuation lines start
# with two spaces (fold marker plus a real space).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}
-
add: olcAccess
olcAccess: {2}to *
  by dn="cn=admin,dc=my,dc=domain,dc=tld" manage
  by set="user/uid & [cn=admins,ou=groups,dc=my,dc=domain,dc=tld]/memberUid" manage
  by self write
  by anonymous auth
  by users read
-
* Apply it like above
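As an added illustration (not from this page and not OpenLDAP's own code), a simplified Python model of how slapd picks an access level from the final ''%%olcAccess%%'' rules of the authorization and admin-group sections: rules are tried in order, the first ''%%to%%'' clause matching the (entry, attribute) pair is used, and within it the first matching ''%%by%%'' clause decides, with an implicit ''%%by * none%%'' at the end. The entries for alice, bob and the admins group are constructed sample data, and the model ignores details such as the access checks slapd applies while resolving a ''%%set%%'' expression.

```python
# Constructed sample directory (not from the page): alice is in cn=admins.
BASE = "dc=my,dc=domain,dc=tld"
ADMIN = f"cn=admin,{BASE}"
ADMINS = f"cn=admins,ou=groups,{BASE}"
ALICE, BOB = f"uid=alice,ou=people,{BASE}", f"uid=bob,ou=people,{BASE}"
DIRECTORY = {
    ALICE: {"uid": ["alice"], "userPassword": ["{SSHA}constructed"]},
    BOB: {"uid": ["bob"], "userPassword": ["{SSHA}constructed"]},
    ADMINS: {"cn": ["admins"], "memberUid": ["alice"]},
}
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def in_admins(bound):
    """set="user/uid & [cn=admins,...]/memberUid": intersection must be non-empty."""
    uids = set(DIRECTORY.get(bound, {}).get("uid", []))
    return bool(uids & set(DIRECTORY[ADMINS]["memberUid"]))

# (dn.base, attrs, by-clauses) in olcAccess order; None means "any".
# A by-clause is (predicate over (bound_dn, target_dn), access level).
ACLS = [
    (None, {"userPassword", "shadowLastChange"}, [      # {0}
        (lambda b, t: b == ADMIN, "write"),
        (lambda b, t: b == t, "write"),                  # by self write
        (lambda b, t: b is None, "auth"),                # by anonymous auth
    ]),
    ("", None, [(lambda b, t: True, "read")]),           # {1} to dn.base=""
    (None, None, [                                       # {2} to *
        (lambda b, t: b == ADMIN, "manage"),
        (lambda b, t: in_admins(b), "manage"),           # by set=... manage
        (lambda b, t: b == t, "write"),                  # by self write
        (lambda b, t: b is None, "auth"),                # by anonymous auth
        (lambda b, t: b is not None, "read"),            # by users read
    ]),
]

def access(bound_dn, target_dn, attr):
    """Level bound_dn (None = anonymous) has on attr of entry target_dn."""
    for dn_base, attrs, by_clauses in ACLS:
        if dn_base is not None and target_dn != dn_base:
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_clauses:
            if who(bound_dn, target_dn):
                return level
        return "none"          # "to" matched, no "by" matched: implicit by * none
    return "none"              # no rule matched at all

def allowed(bound_dn, target_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(access(bound_dn, target_dn, attr)) >= LEVELS.index(needed)
```

Because rule {0} matches ''%%userPassword%%'' before rule {2} is consulted, a member of ''%%admins%%'' gets manage on everything except password hashes; if the group is meant to reset passwords, the same ''%%set%%'' clause has to be added to rule {0} as well.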