Install and configure OpenLDAP on Debian 8 (Jessie)

Install and configure OpenLDAP on Debian 8 (Jessie)

Requirements

Debian 8 installation

Notes

ldapsearch parameters:
- -W prompt for password
- -x use simple auth
- -Z try to use STARTTLS
- -ZZ force use of STARTTLS
- -D bind with the given name
- -b search base
ldaps:// on port 636 is deprecated with LDAPv3. Use ldap:// on port 389 with STARTTLS instead.

Installation

```
apt-get install slapd ldap-utils
```
During installation, set an admin password
Open /etc/ldap/ldap.conf and set the BASE and URI parameters:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=my,dc=domain,dc=tld
URI     ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

TLS_REQCERT ALLOW

Run dkpg-reconfigure slapd
- Answer the following prompts this way:

Omit OpenLDAP server configuration?	No
Organization name:	<pick something>
Administrator password:	<same password as before>
Confirm password:	<same password as before>
Database backend to use:	MDB
Do you want the database to be removed when slapd is purged?	No
Move old database?	Yes
Allow LDAPv2 protocol?	No

Test connection:
```
$> ldapsearch -x
```

Add Some Data

We want to create some basic organizational units (OUs), e.g. for people and groups
Create base.ldif with the following content:

dn: ou=people,dc=my,dc=domain,dc=tld
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=my,dc=domain,dc=tld
objectClass: organizationalUnit
ou: groups

Add it with ldapadd:

$> ldapadd -x -D cn=admin,dc=my,dc=domain,dc=tld -W -f base.ldif

Enforce Authorization

We do not want our directory to be world readable, so we need to setup some ACLs
First, get your current ACLs:

$> ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

This results in a long list, we are interested in the output under the # {1}mdb, config heading (example output):

# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my,dc=domain,dc=tld
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=my,dc=
 domain,dc=tld" write by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=my,dc=domain,dc=tld" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=my,dc=domain,dc=tld
olcRootPW: {SSHA}abcdefghijklmnopqrstuvwxyz123456
olcSecurity: tls=1
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

Take a look at the lines starting with olcAccess
We want users to be able to change their own password as well as authenticate. Noone else should be able to read the password hash. The admin accounts can modify everyones passwords and can read all hashes.
Also we want users to authenticate before reading the directory. Anonymous access should be disallowed.
We need to modify olcAccess: {0} for the passwords and olcAccess: {2} for general access.
Create the access.ldif file:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=my,dc=domain,dc=tld" write
  by self write
  by anonymous auth
  by * none
-
delete: olcAccess
olcAccess: {2}
-
add: olcAccess
olcAccess: {2}to *
  by dn="cn=admin,dc=my,dc=domain,dc=tld" manage
  by self write
  by anonymous auth
  by users read

Apply it:

ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif

Users now need to authenticate to read the directory, like this:

ldapsearch -x -D "cn=admin,dc=my,dc=domain,dc=tld" -W

Enabling TLS

Make sure you have the following files:
- cert.crt - Your certificate (without any other intermediate certs)
- cert.key - Your private key
- chain.pem - The intermediate certs
I assume the files are located at /opt/ssl
Add the openldap user to the ssl-cert group:
```
$> usermod -aG ssl-cert openldap
```
chown your files and set permissions:

$> chown root:ssl-cert cert.crt cert.key chain.pem
$> chmod 640 cert.crt cert.key chain.pem

Create the tls.ldif file:

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /opt/ssl/chain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /opt/ssl/cert.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /opt/ssl/cert.key
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

And apply it

$> ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif

To enforce TLS create the following ldif file and apply it:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1

Users now need to use STARTTLS (e.g. with -Z in ldapsearch):

ldapsearch -x -Z -D "cn=admin,dc=my,dc=domain,dc=tld" -W

Add an admin group

We do not want to give every admin the admin account credentials
We need an admin group which all admins are a member of
We can give this group manage permissions
I assume you already have created a admins posixGroup in the groups ou
Take a look at the ldif to enforce authorization and change it to this:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {3}
-
add: olcAccess
olcAccess: {3}to *
  by dn="cn=admin,dc=my,dc=domain,dc=tld" manage
  by set="user/uid & [cn=admins,ou=groups,dc=my,dc=domain,dc=tld]/memberUid" manage
  by self write
  by anonymous auth
  by users read
-

Apply it like above

Table of Contents

Install and configure OpenLDAP on Debian 8 (Jessie)

Requirements

Notes

Installation

Add Some Data

Enforce Authorization

Enabling TLS

Add an admin group