tutorial:ldap:installopenldap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
tutorial:ldap:installopenldap [2016-04-03 22:32] – [Enforce Authorization] weichbrtutorial:ldap:installopenldap [2025-06-16 14:43] (current) – removed weichbr
Line 1: Line 1:
-{{tag>tutorial ldap}} 
  
-====== Install and configure OpenLDAP on Debian 8 (Jessie) ====== 
- 
-===== Requirements ===== 
-  * Debian 8 installation 
- 
----- 
- 
-===== Installation ===== 
-  * <code>apt-get install slapd ldap-utils</code> 
-  * During installation, set an admin password 
-  * Open ''%%/etc/ldap/ldap.conf%%'' and set the ''%%BASE%%'' and ''%%URI%%'' parameters: 
-  * <code> 
-# 
-# LDAP Defaults 
-# 
- 
-# See ldap.conf(5) for details 
-# This file should be world readable but not world writable. 
- 
-BASE    dc=my,dc=domain,dc=tld 
-URI     ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666 
- 
-#SIZELIMIT      12 
-#TIMELIMIT      15 
-#DEREF          never 
- 
-# TLS certificates (needed for GnuTLS) 
-TLS_CACERT      /etc/ssl/certs/ca-certificates.crt 
- 
-TLS_REQCERT ALLOW 
-</code> 
-  * Run ''%%dkpg-reconfigure slapd%%'' 
-    * Answer the following prompts this way: 
- 
-| Omit OpenLDAP server configuration?                           | No                         | 
-| Organization name:                                            | <pick something>           | 
-| Administrator password:                                       | <same password as before>  | 
-| Confirm password:                                             | <same password as before>  | 
-| Database backend to use:                                      | MDB                        | 
-| Do you want the database to be removed when slapd is purged?  | No                         | 
-| Move old database?                                            | Yes                        | 
-| Allow LDAPv2 protocol?                                        | No                         | 
- 
-  * Test connection: 
-  * <code>$> ldapsearch -x</code> 
- 
----- 
- 
-===== Add Some Data ===== 
-  * We want to create some basic organizational units (OUs), e.g. for people and groups 
-  * Create ''%%base.ldif%%'' with the following content: 
-  * <code> 
-dn: ou=people,dc=internal,dc=weichbrodt,dc=me 
-objectClass: organizationalUnit 
-ou: people 
- 
-dn: ou=groups,dc=internal,dc=weichbrodt,dc=me 
-objectClass: organizationalUnit 
-ou: groups 
-</code> 
-  * Add it with ''%%ldapadd%%'': 
-  * <code>$> ldapadd -x -D cn=admin,dc=my,dc=domain,dc=tld -W -f base.ldif</code> 
- 
----- 
-===== Enforce Authorization ===== 
-  * We do not want our directory to be world readable, so we need to setup some ACLs 
-  * First, get your current ACLs: 
-  * <code>$> ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config</code> 
-  * This results in a long list, we are interested in the output under the ''%%# {1}mdb, config%%'' heading (example output): 
-  * <code> 
-# {1}mdb, config 
-dn: olcDatabase={1}mdb,cn=config 
-objectClass: olcDatabaseConfig 
-objectClass: olcMdbConfig 
-olcDatabase: {1}mdb 
-olcDbDirectory: /var/lib/ldap 
-olcSuffix: dc=my,dc=domain,dc=tld 
-olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=my,dc= 
- domain,dc=tld" write by self write by * none 
-olcAccess: {1}to dn.base="" by * read 
-olcAccess: {2}to * by dn="cn=admin,dc=my,dc=domain,dc=tld" write by * read 
-olcLastMod: TRUE 
-olcRootDN: cn=admin,dc=my,dc=domain,dc=tld 
-olcRootPW: {SSHA}abcdefghijklmnopqrstuvwxyz123456 
-olcSecurity: tls=1 
-olcDbCheckpoint: 512 30 
-olcDbIndex: objectClass eq 
-olcDbIndex: cn,uid eq 
-olcDbIndex: uidNumber,gidNumber eq 
-olcDbIndex: member,memberUid eq 
-olcDbMaxSize: 1073741824 
-</code> 
- 
----- 
-===== Enabling TLS ===== 
-  * Make sure you have the following files: 
-    * ''%%cert.crt%%'' - Your certificate (without any other intermediate certs) 
-    * ''%%cert.key%%'' - Your private key 
-    * ''%%chain.pem%%'' - The intermediate certs 
-  * I assume the files are located at ''%%/opt/ssl%%'' 
-  * Add the openldap user to the ssl-cert group: 
-  * <code>$> usermod -aG ssl-cert openldap</code> 
-  * chown your files and set permissions: 
-  * <code> 
-$> chown root:ssl-cert cert.crt cert.key chain.pem 
-$> chmod 640 cert.crt cert.key chain.pem 
-</code> 
-  * Create the ''%%tls.ldif%%'' file: 
-  * <code> 
-dn: cn=config 
-changetype: modify 
-add: olcTLSCipherSuite 
-olcTLSCipherSuite: NORMAL 
-- 
-add: olcTLSCRLCheck 
-olcTLSCRLCheck: none 
-- 
-add: olcTLSVerifyClient 
-olcTLSVerifyClient: never 
-- 
-add: olcTLSCACertificateFile 
-olcTLSCACertificateFile: /opt/ssl/chain.pem 
-- 
-add: olcTLSCertificateFile 
-olcTLSCertificateFile: /opt/ssl/cert.crt 
-- 
-add: olcTLSCertificateKeyFile 
-olcTLSCertificateKeyFile: /opt/ssl/cert.key 
-- 
-add: olcTLSProtocolMin 
-olcTLSProtocolMin: 3.3 
-</code> 
-  * And apply it 
-  * <code>$> ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif</code> 
-  * To enforce TLS create the following ldif file and apply it: 
-  * <code> 
-dn: olcDatabase={1}mdb,cn=config 
-changetype: modify 
-add: olcSecurity 
-olcSecurity: tls=1 
-</code> 
  • tutorial/ldap/installopenldap.1459715548.txt.gz
  • Last modified: 2018-06-03 14:10
  • (external edit)