tutorial:ldap:installopenldap

Differences

tutorial:ldap:installopenldap [2016-04-03 21:46]
weichbr [Step 1]
tutorial:ldap:installopenldap [2019-08-14 19:43] (current)
weichbr
Line 5: Line 5:
 ===== Requirements ===== ===== Requirements =====
   * Debian 8 installation   * Debian 8 installation
 +
 +----
 +
 +===== Notes =====
 +  * ''%%ldapsearch%%'' parameters:
 +    * ''%%-W%%'' prompt for password
 +    * ''%%-x%%'' use simple auth
 +    * ''%%-Z%%'' try to use STARTTLS
 +    * ''%%-ZZ%%'' force use of STARTTLS
 +    * ''%%-D%%'' bind with the given name
 +    * ''%%-b%%'' search base
 +  * ''%%ldaps://%%'' on port 636 is deprecated with LDAPv3. Use ''%%ldap://%%'' on port 389 with STARTTLS instead.
  
 ---- ----
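Review bot: the last bullet of the new Notes section overstates the case. ldaps:// on port 636 was never standardized in an LDAPv3 RFC, but it is not deprecated in practice and remains widely supported by servers and clients; STARTTLS on 389 (the extended operation in RFC 4511) is the standardized mechanism, which is a better reason to prefer it than "deprecated". Suggested wording: "ldaps:// on port 636 was never standardized for LDAPv3; this guide uses ldap:// on port 389 with STARTTLS instead."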
Line 32: Line 44:
 TLS_REQCERT ALLOW TLS_REQCERT ALLOW
 </code> </code>
 +  * Run ''%%dkpg-reconfigure slapd%%''
 +    * Answer the following prompts this way:
 +
 +| Omit OpenLDAP server configuration?                           | No                         |
 +| Organization name:                                            | <pick something>           |
 +| Administrator password:                                       | <same password as before>  |
 +| Confirm password:                                             | <same password as before>  |
 +| Database backend to use:                                      | MDB                        |
 +| Do you want the database to be removed when slapd is purged?  | No                         |
 +| Move old database?                                            | Yes                        |
 +| Allow LDAPv2 protocol?                                        | No                         |
 +
 +  * Test connection:
 +  * <code>$> ldapsearch -x</code>
 +
 ---- ----
  
-===== Step 2 ===== +===== Add Some Data ===== 
-  * TODO+  * We want to create some basic organizational units (OUs), e.g. for people and groups 
 +  * Create ''%%base.ldif%%'' with the following content: 
 +  * <code> 
 +dn: ou=people,dc=my,dc=domain,dc=tld 
 +objectClass: organizationalUnit 
 +ou: people 
 + 
 +dn: ou=groups,dc=my,dc=domain,dc=tld 
 +objectClass: organizationalUnit 
 +ou: groups 
 +</code> 
 +  * Add it with ''%%ldapadd%%'': 
 +  * <code>$> ldapadd -x -D cn=admin,dc=my,dc=domain,dc=tld -W -f base.ldif</code> 
 + 
 +---- 
 + 
 +===== Enforce Authorization ===== 
 +  * We do not want our directory to be world readable, so we need to setup some ACLs 
 +  * First, get your current ACLs: 
 +  * <code>$> ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config</code> 
 +  * This results in a long list, we are interested in the output under the ''%%# {1}mdb, config%%'' heading (example output): 
 +  * <code> 
 +# {1}mdb, config 
 +dn: olcDatabase={1}mdb,cn=config 
 +objectClass: olcDatabaseConfig 
 +objectClass: olcMdbConfig 
 +olcDatabase: {1}mdb 
 +olcDbDirectory: /var/lib/ldap 
 +olcSuffix: dc=my,dc=domain,dc=tld 
 +olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=my,dc= 
 + domain,dc=tld" write by self write by * none 
 +olcAccess: {1}to dn.base="" by * read 
 +olcAccess: {2}to * by dn="cn=admin,dc=my,dc=domain,dc=tld" write by * read 
 +olcLastMod: TRUE 
 +olcRootDN: cn=admin,dc=my,dc=domain,dc=tld 
 +olcRootPW: {SSHA}abcdefghijklmnopqrstuvwxyz123456 
 +olcSecurity: tls=1 
 +olcDbCheckpoint: 512 30 
 +olcDbIndex: objectClass eq 
 +olcDbIndex: cn,uid eq 
 +olcDbIndex: uidNumber,gidNumber eq 
 +olcDbIndex: member,memberUid eq 
 +olcDbMaxSize: 1073741824 
 +</code> 
 +  * Take a look at the lines starting with ''%%olcAccess%%'' 
 +  * We want users to be able to change their own password as well as authenticate. Noone else should be able to read the password hash. The admin accounts can modify everyones passwords and can read all hashes. 
 +  * Also we want users to authenticate before reading the directory. Anonymous access should be disallowed. 
 +  * We need to modify ''%%olcAccess: {0}%%'' for the passwords and ''%%olcAccess: {2}%%'' for general access. 
 +  * Create the ''%%access.ldif%%'' file: 
 +  * <code> 
 +dn: olcDatabase={1}mdb,cn=config 
 +changetype: modify 
 +delete: olcAccess 
 +olcAccess: {0} 
 +
 +add: olcAccess 
 +olcAccess: {0}to attrs=userPassword,shadowLastChange 
 +  by dn="cn=admin,dc=my,dc=domain,dc=tld" write 
 +  by self write 
 +  by anonymous auth 
 +  by * none 
 +
 +delete: olcAccess 
 +olcAccess: {2} 
 +
 +add: olcAccess 
 +olcAccess: {2}to * 
 +  by dn="cn=admin,dc=my,dc=domain,dc=tld" manage 
 +  by self write 
 +  by anonymous auth 
 +  by users read 
 + 
 +</code> 
 +  * Apply it: 
 +  * <code>ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif</code> 
 +  * Users now need to authenticate to read the directory, like this: 
 +  * <code>ldapsearch -x -D "cn=admin,dc=my,dc=domain,dc=tld" -W</code>
  
 ---- ----
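Review bot: three problems in this hunk. First, `dkpg-reconfigure slapd` is a typo for `dpkg-reconfigure slapd`. Second, in access.ldif the four changes of the single `changetype: modify` record appear separated by blank lines (after `olcAccess: {0}`, after `by * none` and after `olcAccess: {2}`) instead of the single `-` line LDIF uses to separate changes within one record; a blank line ends the record, so ldapmodify would apply only the first delete and then reject `add: olcAccess` as a record that does not start with `dn:`. Third, the rewritten `{2}to *` rule grants `by self write` on every attribute, so any authenticated user can change any attribute of their own entry, including uidNumber, gidNumber and objectClass that NSS/PAM rely on; limiting self write to the attributes users legitimately maintain (for example `to attrs=loginShell,gecos by self write`) and giving `by self read` on the rest is the safer default.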
Line 41: Line 144:
 ===== Enabling TLS ===== ===== Enabling TLS =====
   * Make sure you have the following files:   * Make sure you have the following files:
-    * cert.crt - Your certificate (without any other intermediate certs) +    * ''%%cert.crt%%'' - Your certificate (without any other intermediate certs) 
-    * cert.key - Your private key +    * ''%%cert.key%%'' - Your private key 
-    * chain.pem - The intermediate certs+    * ''%%chain.pem%%'' - The intermediate certs
   * I assume the files are located at ''%%/opt/ssl%%''   * I assume the files are located at ''%%/opt/ssl%%''
   * Add the openldap user to the ssl-cert group:   * Add the openldap user to the ssl-cert group:
Line 52: Line 155:
 $> chmod 640 cert.crt cert.key chain.pem $> chmod 640 cert.crt cert.key chain.pem
 </code> </code>
-  * Create the tls.ldif file:+  * Create the ''%%tls.ldif%%'' file:
   * <code>   * <code>
 dn: cn=config dn: cn=config
Line 86: Line 189:
 olcSecurity: tls=1 olcSecurity: tls=1
 </code> </code>
 +  * Users now need to use STARTTLS (e.g. with ''%%-Z%%'' in ''%%ldapsearch%%''):
 +  * <code>ldapsearch -x -Z -D "cn=admin,dc=my,dc=domain,dc=tld" -W</code>
 +
 +----
 +
 +===== Add an admin group ====
 +  * We do not want to give every admin the admin account credentials
 +  * We need an admin group which all admins are a member of
 +  * We can give this group manage permissions
 +  * I assume you already have created a ''%%admins%%'' posixGroup in the ''%%groups%%'' ou
 +  * Take a look at the ldif to enforce authorization and change it to this:
 +  * <code>
 +dn: olcDatabase={1}mdb,cn=config
 +changetype: modify
 +delete: olcAccess
 +olcAccess: {3}
 +-
 +add: olcAccess
 +olcAccess: {3}to *
 +  by dn="cn=admin,dc=my,dc=domain,dc=tld" manage
 +  by set="user/uid & [cn=admins,ou=groups,dc=my,dc=domain,dc=tld]/memberUid" manage
 +  by self write
 +  by anonymous auth
 +  by users read
 +-
 +</code>
 +  * Apply it like above
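Review bot: the ldif in this hunk deletes and re-adds `olcAccess: {3}`, but after the Enforce Authorization section the database only has rules {0}, {1} and {2}, with {2} being the `to *` rule; deleting a non-existent {3} fails, and even if only the add were applied, the existing `{2}to * ... by users read` would still match first and the group's `manage` clause would never be evaluated, because slapd stops at the first `to` clause that matches the target. Both the delete and the add should use `{2}`. Two smaller points: the heading `===== Add an admin group ====` has five leading and four trailing `=` where every other heading on the page uses five on each side, and the STARTTLS example uses `-Z`, which silently falls back to plaintext if the negotiation fails and then sends the simple-bind password in the clear; `-ZZ`, already listed in the Notes section as "force use of STARTTLS", is the safer recommendation.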
  • Last modified: 2018-06-03 14:10