Install and configure OpenLDAP on Debian 8 (Jessie)

  • Debian 8 installation

  • ldapsearch parameters:
    • -W prompt for password
    • -x use simple auth
    • -Z issue STARTTLS, but carry on in the clear if it fails
    • -ZZ require STARTTLS to succeed (abort otherwise); use this one whenever a password is sent
    • -D bind with the given name
    • -b search base
  • ldaps:// on port 636 was never part of the LDAPv3 standards (LDAPv3 standardised STARTTLS instead), and the OpenLDAP documentation calls it deprecated in favour of STARTTLS. This page uses ldap:// on port 389 with STARTTLS throughout. Either way the protection only holds if the client verifies the server certificate (TLS_REQCERT demand below).

  • apt-get install slapd ldap-utils
  • During installation, set an admin password
  • Open /etc/ldap/ldap.conf and set the BASE, URI and TLS client parameters:
  • #
    # LDAP Defaults
    #
    
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.
    
    BASE    dc=my,dc=domain,dc=tld
    # Port 389 is the default for ldap://; TLS is negotiated on the same port via STARTTLS
    URI     ldap://ldap.my.domain.tld
    
    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never
    
    # TLS certificates (needed for GnuTLS)
    TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
    
    # demand (the default) refuses the session if the server certificate cannot be
    # verified against TLS_CACERT. "allow" would ignore a bad certificate and leave
    # STARTTLS open to a man-in-the-middle.
    TLS_REQCERT demand
  • Run dpkg-reconfigure slapd
    • Answer the following prompts this way:
      Omit OpenLDAP server configuration? No
      Organization name: <pick something>
      Administrator password: <same password as before>
      Confirm password: <same password as before>
      Database backend to use: MDB
      Do you want the database to be removed when slapd is purged? No
      Move old database? Yes
      Allow LDAPv2 protocol? No
  • Test connection:
  • $> ldapsearch -x

  • We want to create some basic organizational units (OUs), e.g. for people and groups
  • Create base.ldif with the following content:
  • dn: ou=people,dc=my,dc=domain,dc=tld
    objectClass: organizationalUnit
    ou: people
    
    dn: ou=groups,dc=my,dc=domain,dc=tld
    objectClass: organizationalUnit
    ou: groups
  • Add it with ldapadd:
  • $> ldapadd -x -D cn=admin,dc=my,dc=domain,dc=tld -W -f base.ldif

  • We do not want our directory to be world readable, so we need to set up some ACLs
  • First, get your current ACLs:
  • $> ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
  • This results in a long list; we are interested in the output under the # {1}mdb, config heading (example output; the olcSecurity line only shows up once the TLS step further down has been applied):
  • # {1}mdb, config
    dn: olcDatabase={1}mdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcMdbConfig
    olcDatabase: {1}mdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=my,dc=domain,dc=tld
    olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=my,dc=
     domain,dc=tld" write by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=admin,dc=my,dc=domain,dc=tld" write by * read
    olcLastMod: TRUE
    olcRootDN: cn=admin,dc=my,dc=domain,dc=tld
    olcRootPW: {SSHA}abcdefghijklmnopqrstuvwxyz123456
    olcSecurity: tls=1
    olcDbCheckpoint: 512 30
    olcDbIndex: objectClass eq
    olcDbIndex: cn,uid eq
    olcDbIndex: uidNumber,gidNumber eq
    olcDbIndex: member,memberUid eq
    olcDbMaxSize: 1073741824
  • Take a look at the lines starting with olcAccess
  • We want users to be able to change their own password as well as authenticate. No one else should be able to read the password hash. The admin account can modify everyone's password and can read all hashes.
  • We also want users to authenticate before reading the directory. Anonymous access should be disallowed, except for the root DSE (olcAccess: {1}, dn.base=""), which clients read to discover the server's capabilities.
  • slapd evaluates the olcAccess rules in order: the first to clause that matches the target decides, and within it the first by clause that matches the requester. We need to modify olcAccess: {0} for the passwords and olcAccess: {2} for general access. Be aware that by self write in the catch-all rule lets every user modify any attribute of their own entry, including uidNumber, gidNumber or memberUid if POSIX accounts live here; if that matters, put a more specific to attrs=... rule in front of {2} instead.
  • Create the access.ldif file:
  • dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    delete: olcAccess
    olcAccess: {0}
    -
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange
      by dn="cn=admin,dc=my,dc=domain,dc=tld" write
      by self write
      by anonymous auth
      by * none
    -
    delete: olcAccess
    olcAccess: {2}
    -
    add: olcAccess
    olcAccess: {2}to *
      by dn="cn=admin,dc=my,dc=domain,dc=tld" manage
      by self write
      by anonymous auth
      by users read
    
  • Apply it:
  • $> ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif
  • Users now need to authenticate to read the directory, like this:
  • $> ldapsearch -x -D "cn=admin,dc=my,dc=domain,dc=tld" -W

  • Make sure you have the following files:
    • cert.crt - Your certificate (without any other intermediate certs)
    • cert.key - Your private key
    • chain.pem - The intermediate certs
  • I assume the files are located at /opt/ssl
  • Add the openldap user to the ssl-cert group:
  • $> usermod -aG ssl-cert openldap
  • chown your files and set permissions:
  • $> chown root:ssl-cert cert.crt cert.key chain.pem
    $> chmod 640 cert.crt cert.key chain.pem
  • Create the tls.ldif file:
  • dn: cn=config
    changetype: modify
    add: olcTLSCipherSuite
    olcTLSCipherSuite: NORMAL
    -
    add: olcTLSCRLCheck
    olcTLSCRLCheck: none
    -
    add: olcTLSVerifyClient
    olcTLSVerifyClient: never
    -
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /opt/ssl/chain.pem
    -
    add: olcTLSCertificateFile
    olcTLSCertificateFile: /opt/ssl/cert.crt
    -
    add: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /opt/ssl/cert.key
    -
    add: olcTLSProtocolMin
    olcTLSProtocolMin: 3.3
  • And apply it (if one of these attributes already exists in cn=config, use replace: instead of add: for it; add: on an existing single-valued attribute fails):
  • $> ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
  • To enforce TLS for this database, create the following ldif file and apply it (again with replace: instead of add: if olcSecurity is already set, as in the example output above):
  • dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcSecurity
    olcSecurity: tls=1
  • Users now need to use STARTTLS. Use -ZZ rather than -Z in ldapsearch: -Z falls back to a cleartext session when STARTTLS fails, and a simple bind would then send the password in the clear before the server refuses it with "Confidentiality required (13)":
  • $> ldapsearch -x -ZZ -D "cn=admin,dc=my,dc=domain,dc=tld" -W
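  • The script below is an added example, not part of the original page: a POSIX shell script that checks against a running server that the ACLs from the previous section and the TLS enforcement from this one actually hold. The host, base DN, user DNs and password file at the top are hypothetical and must be adjusted; it relies on the OpenLDAP command-line tools exiting with the LDAP result code of a failed operation (13 = confidentialityRequired) or 1 when -ZZ cannot negotiate verified STARTTLS, and on the client library honouring LDAPTLS_REQCERT from the environment. No real password is ever sent without TLS.

```shell
#!/bin/sh
# Added example (not part of the original page): checks that the ACL and TLS
# hardening from the sections above holds on a running server.
# All names below are assumptions; adjust them to your directory.
LDAP_HOST=${LDAP_HOST:-ldap.my.domain.tld}                          # must match the certificate
LDAP_BASE=${LDAP_BASE:-dc=my,dc=domain,dc=tld}
LDAP_USER=${LDAP_USER:-uid=alice,ou=people,dc=my,dc=domain,dc=tld}  # hypothetical user
LDAP_OTHER=${LDAP_OTHER:-uid=bob,ou=people,dc=my,dc=domain,dc=tld}  # hypothetical other user
LDAP_PWFILE=${LDAP_PWFILE:-/root/alice.pw}                          # alice's password, read with -y

# Verify the server certificate even if ldap.conf says TLS_REQCERT allow:
# the client library honours LDAP* environment variables.
LDAPTLS_REQCERT=demand
export LDAPTLS_REQCERT

# status_is <expected> <ldapsearch args...>: true iff ldapsearch exits with <expected>.
# The OpenLDAP tools exit with the LDAP result code (13 = confidentialityRequired)
# or 1 for a local failure such as -ZZ being unable to negotiate verified STARTTLS.
status_is() {
  want=$1; shift
  if ldapsearch "$@" >/dev/null 2>&1; then got=0; else got=$?; fi
  [ "$got" -eq "$want" ]
}

# 1. olcSecurity tls=1 must refuse a cleartext simple bind before the password
#    is even checked. A bogus password is used so nothing real crosses the wire.
check_cleartext_bind_refused() {
  status_is 13 -x -H "ldap://$LDAP_HOST" -D "$LDAP_USER" -w not-the-real-password \
    -b "$LDAP_BASE" -s base
}

# 2. STARTTLS with certificate verification must succeed. The root DSE
#    (dn.base="") is readable by everyone, so this needs no bind.
check_starttls_verified() {
  status_is 0 -x -ZZ -H "ldap://$LDAP_HOST" -b "" -s base
}

# 3. An anonymous client must get no entries back from the real suffix.
check_anonymous_read_refused() {
  n=$(ldapsearch -x -ZZ -LLL -H "ldap://$LDAP_HOST" -b "$LDAP_BASE" -s base 2>/dev/null \
        | grep -c '^dn:' || true)
  [ "$n" -eq 0 ]
}

# 4. Bound as one user, another user's entry must come back without userPassword.
check_other_hash_hidden() {
  out=$(ldapsearch -x -ZZ -LLL -H "ldap://$LDAP_HOST" -D "$LDAP_USER" -y "$LDAP_PWFILE" \
          -b "$LDAP_OTHER" -s base userPassword 2>/dev/null || true)
  case $out in *userPassword:*) return 1 ;; esac   # hash leaked
  printf '%s\n' "$out" | grep -q '^dn:'             # the entry itself was readable
}

run_checks() {
  rc=0
  for c in check_cleartext_bind_refused check_starttls_verified \
           check_anonymous_read_refused check_other_hash_hidden; do
    if "$c"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
  done
  return $rc
}

# Run the checks only when started as "sh ldap-hardening-check.sh run", so the
# functions can also be sourced or tested on their own.
if [ "${1:-}" = run ]; then run_checks; fi
```

    Run it as sh ldap-hardening-check.sh run after the TLS step; every line should read PASS. Check 1 deliberately uses a wrong password, so a misconfigured server answers 49 (invalidCredentials) instead of 13 and the check fails without any real secret having crossed the wire.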

  • We do not want to hand the cn=admin credentials to every administrator
  • Instead we use an admins group which all administrators are a member of
  • We can give this group manage permissions
  • I assume you have already created an admins posixGroup in the groups ou; its memberUid values are the administrators' uids
  • Take the access.ldif from the ACL section and extend it. The admin set needs write on the password attributes in {0} as well, because that rule is matched first and its final by * none would otherwise still stop group admins from resetting passwords; in {2} the set gets manage on everything else:
  • dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    delete: olcAccess
    olcAccess: {0}
    -
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange
      by dn="cn=admin,dc=my,dc=domain,dc=tld" write
      by set="user/uid & [cn=admins,ou=groups,dc=my,dc=domain,dc=tld]/memberUid" write
      by self write
      by anonymous auth
      by * none
    -
    delete: olcAccess
    olcAccess: {2}
    -
    add: olcAccess
    olcAccess: {2}to *
      by dn="cn=admin,dc=my,dc=domain,dc=tld" manage
      by set="user/uid & [cn=admins,ou=groups,dc=my,dc=domain,dc=tld]/memberUid" manage
      by self write
      by anonymous auth
      by users read
  • Apply it like above with ldapmodify -Y EXTERNAL -H ldapi:/// -f and the file name
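  • The audit below is an added example, not from the original page or from OpenLDAP: a POSIX shell script (awk does the parsing) that reads the cn=config dump from the ACL section, unfolds the LDIF continuation lines, and flags the mistakes discussed in the ACL section and in this admin-group section. The two sample dumps inside it are constructed to match this page's rules. The patterns it looks for (a catch-all rule granting by * read, a password rule without by anonymous auth or not ending in by * none, an admin set present in the catch-all but missing from the password rule, by self write on the catch-all) are its own heuristics, not a complete model of slapd's access control.

```shell
#!/bin/sh
# Added example (not part of the original page): audit the olcAccess rules of a
# cn=config dump for the mistakes discussed above. slapd uses the first "to"
# clause that matches the target and, inside it, the first matching "by"
# clause, so a clause missing from {0} is not rescued by {2}.

# LDIF folds long values: a line starting with one space continues the previous
# line. Join them so each olcAccess value is on a single line.
ldif_unwrap() {
  awk '
    /^ /   { buf = buf substr($0, 2); next }
    NR > 1 { print buf }
           { buf = $0 }
    END    { if (NR > 0) print buf }
  '
}

# audit_olcaccess: reads the dump on stdin, prints FAIL/WARN lines, exits 1 on any FAIL.
audit_olcaccess() {
  ldif_unwrap | awk '
    /^olcAccess: / {
      rule = substr($0, 12)                       # strip "olcAccess: "
      sub(/[ \t]+$/, "", rule)
      if (rule ~ /^[{][0-9]+[}]to [*]( |$)/) {     # the catch-all rule
        catchall = rule
        if (rule ~ / by [*] read/)
          fail("catch-all rule grants anonymous read: " rule)
        if (rule ~ / by self write/)
          warn("catch-all rule lets users modify any of their own attributes (uidNumber, memberUid, ...): " rule)
      }
      if (rule ~ /attrs=[^ ]*userPassword/) {        # the password rule
        pwrule = rule
        if (rule !~ / by [*] none$/)
          fail("password rule must end with \"by * none\": " rule)
        if (rule !~ / by anonymous auth/)
          fail("password rule lacks \"by anonymous auth\", so ordinary simple binds cannot succeed: " rule)
      }
    }
    function fail(msg) { print "FAIL: " msg; nfail++ }
    function warn(msg) { print "WARN: " msg }
    END {
      if (catchall ~ / by set=/ && pwrule !~ / by set=/)
        warn("admin set has manage on the catch-all rule but no write on the password attributes, so group admins cannot reset passwords")
      exit (nfail > 0)
    }
  '
}

# Constructed sample: the stock rules as shown in the cn=config output above,
# folded the way slapd prints them.
sample_stock_acls() {
  cat <<'EOF'
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=my,dc=
 domain,dc=tld" write by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=my,dc=domain,dc=tld" write by * read
EOF
}

# Constructed sample: rules after access.ldif, with the admin set added only to {2}.
sample_hardened_acls() {
  cat <<'EOF'
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=my,dc=d
 omain,dc=tld" write by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=my,dc=domain,dc=tld" manage by set="user/
 uid & [cn=admins,ou=groups,dc=my,dc=domain,dc=tld]/memberUid" manage by self w
 rite by anonymous auth by users read
EOF
}

case ${1:-} in
  audit) audit_olcaccess ;;                        # dump on stdin
  demo)  echo "== stock rules";    sample_stock_acls    | audit_olcaccess || true
         echo "== hardened rules"; sample_hardened_acls | audit_olcaccess ;;
esac
```

    Feed it the live rules with ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' olcAccess | sh acl-audit.sh audit, or run sh acl-audit.sh demo to see both samples: the stock rules produce two FAIL lines, the hardened ones only the two WARN lines about by self write and the admin set missing from {0}.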
  • tutorial/ldap/installopenldap.txt
  • Last modified: 2016-04-08 21:07
  • by Nico Weichbrodt