Differences
This shows you the differences between two versions of the page.
tutorial:ldap:installopenldap [2016-04-03 22:32] weichbr [Enforce Authorization]
tutorial:ldap:installopenldap [2019-08-14 19:43] weichbr
Line 1: | Line 1: | ||
{{tag> | {{tag> | ||
+ | |||
====== Install and configure OpenLDAP on Debian 8 (Jessie) ====== | ====== Install and configure OpenLDAP on Debian 8 (Jessie) ====== | ||
Line 5: | Line 6: | ||
===== Requirements ===== | ===== Requirements ===== | ||
* Debian 8 installation | * Debian 8 installation | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Notes ===== | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
---- | ---- | ||
Line 53: | Line 66: | ||
* Create '' | * Create '' | ||
* < | * < | ||
- | dn: ou=people, | + | dn: ou=people, |
objectClass: | objectClass: | ||
ou: people | ou: people | ||
- | dn: ou=groups, | + | dn: ou=groups, |
objectClass: | objectClass: | ||
ou: groups | ou: groups | ||
Line 65: | Line 78: | ||
---- | ---- | ||
+ | |||
===== Enforce Authorization ===== | ===== Enforce Authorization ===== | ||
* We do not want our directory to be world readable, so we need to setup some ACLs | * We do not want our directory to be world readable, so we need to setup some ACLs | ||
Line 93: | Line 107: | ||
olcDbMaxSize: | olcDbMaxSize: | ||
</ | </ | ||
+ | * Take a look at the lines starting with '' | ||
+ | * We want users to be able to change their own password as well as authenticate. Noone else should be able to read the password hash. The admin accounts can modify everyones passwords and can read all hashes. | ||
+ | * Also we want users to authenticate before reading the directory. Anonymous access should be disallowed. | ||
+ | * We need to modify '' | ||
+ | * Create the '' | ||
+ | * < | ||
+ | dn: olcDatabase={1}mdb, | ||
+ | changetype: modify | ||
+ | delete: olcAccess | ||
+ | olcAccess: {0} | ||
+ | - | ||
+ | add: olcAccess | ||
+ | olcAccess: {0}to attrs=userPassword, | ||
+ | by dn=" | ||
+ | by self write | ||
+ | by anonymous auth | ||
+ | by * none | ||
+ | - | ||
+ | delete: olcAccess | ||
+ | olcAccess: {2} | ||
+ | - | ||
+ | add: olcAccess | ||
+ | olcAccess: {2}to * | ||
+ | by dn=" | ||
+ | by self write | ||
+ | by anonymous auth | ||
+ | by users read | ||
+ | |||
+ | </ | ||
+ | * Apply it: | ||
+ | * < | ||
+ | * Users now need to authenticate to read the directory, like this: | ||
+ | * < | ||
---- | ---- | ||
+ | |||
===== Enabling TLS ===== | ===== Enabling TLS ===== | ||
* Make sure you have the following files: | * Make sure you have the following files: | ||
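Review bot: the catch-all rule `olcAccess: {2}to *` grants `by self write`, which lets every authenticated user modify any attribute of their own entry, not only the password already handled by the `{0}` rule; if the entries under `ou=people` carry attributes that clients consume to decide who a user is or what they may do (POSIX account attributes, for instance), a user could rewrite those values for their own account. Consider `by self read` on the catch-all rule and a separate `to attrs=...` rule that lists exactly the attributes users may edit themselves. Also, the `{2}` rule stops at `by users read` without an explicit `by * none`; OpenLDAP denies anything not matched by an earlier `by` clause, so the behaviour is the same, but stating it, as the `{0}` rule does, makes the intent obvious when the ACL is reviewed later.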
Line 142: | Line 190: | ||
olcSecurity: | olcSecurity: | ||
</ | </ | ||
+ | * Users now need to use STARTTLS (e.g. with '' | ||
+ | * < | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ===== Add an admin group ==== | ||
+ | * We do not want to give every admin the admin account credentials | ||
+ | * We need an admin group which all admins are a member of | ||
+ | * We can give this group manage permissions | ||
+ | * I assume you already have created a '' | ||
+ | * Take a look at the ldif to enforce authorization and change it to this: | ||
+ | * < | ||
+ | dn: olcDatabase={1}mdb, | ||
+ | changetype: modify | ||
+ | delete: olcAccess | ||
+ | olcAccess: {3} | ||
+ | - | ||
+ | add: olcAccess | ||
+ | olcAccess: {3}to * | ||
+ | by dn=" | ||
+ | by set=" | ||
+ | by self write | ||
+ | by anonymous auth | ||
+ | by users read | ||
+ | - | ||
+ | </ | ||
+ | * Apply it like above |
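Review bot: the catch-all rule index moves from `{2}` in the Enforce Authorization LDIF to `{3}` here, and the text only says "change it to this" without explaining why; `delete: olcAccess` with `olcAccess: {3}` removes whichever value currently sits at index 3 (or fails if there is none), so a reader whose config still matches the earlier section may delete a different rule than the catch-all one. Add a sentence telling the reader to list the current `olcAccess` values on the `olcDatabase={1}mdb` entry under `cn=config` (e.g. with ldapsearch) and confirm the index before applying. Minor: the heading `===== Add an admin group ====` has five `=` on the left and four on the right, unlike every other heading on the page; balance them.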