tutorial:ldap:installopenldap

Differences

tutorial:ldap:installopenldap [2016-04-03 22:39]
weichbr [Enforce Authorization]
tutorial:ldap:installopenldap [2019-08-14 19:43]
weichbr
Line 1: Line 1:
 {{tag>tutorial ldap}} {{tag>tutorial ldap}}
 +
  
 ====== Install and configure OpenLDAP on Debian 8 (Jessie) ====== ====== Install and configure OpenLDAP on Debian 8 (Jessie) ======
Line 5: Line 6:
 ===== Requirements ===== ===== Requirements =====
   * Debian 8 installation   * Debian 8 installation
 +
 +----
 +
 +===== Notes =====
 +  * ''%%ldapsearch%%'' parameters:
 +    * ''%%-W%%'' prompt for password
 +    * ''%%-x%%'' use simple auth
 +    * ''%%-Z%%'' try to use STARTTLS
 +    * ''%%-ZZ%%'' force use of STARTTLS
 +    * ''%%-D%%'' bind with the given name
 +    * ''%%-b%%'' search base
 +  * ''%%ldaps://%%'' on port 636 is deprecated with LDAPv3. Use ''%%ldap://%%'' on port 389 with STARTTLS instead.
  
 ---- ----
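Review bot: the last bullet overstates the status of ldaps://. "Deprecated" is the wording of the OpenLDAP FAQ, not an IETF status: ldaps:// on 636 was never standardized, but slapd still serves it and it fails closed, with no cleartext phase at all, whereas STARTTLS on 389 starts in cleartext and is only as safe as the client's insistence on upgrading. That makes the -Z / -ZZ distinction in this same list the security-relevant one: with -Z a failed STARTTLS negotiation is ignored and the simple bind (-x -W) then sends the password in the clear; only -ZZ makes the failure fatal. Suggest rewording the bullet to say that either transport is acceptable and that clients must use -ZZ (or ldaps://), never plain -Z, when a password is sent.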
Line 53: Line 66:
   * Create ''%%base.ldif%%'' with the following content:   * Create ''%%base.ldif%%'' with the following content:
   * <code>   * <code>
-dn: ou=people,dc=internal,dc=weichbrodt,dc=me+dn: ou=people,dc=my,dc=domain,dc=tld
 objectClass: organizationalUnit objectClass: organizationalUnit
 ou: people ou: people
  
-dn: ou=groups,dc=internal,dc=weichbrodt,dc=me+dn: ou=groups,dc=my,dc=domain,dc=tld
 objectClass: organizationalUnit objectClass: organizationalUnit
 ou: groups ou: groups
Line 65: Line 78:
  
 ---- ----
 +
 ===== Enforce Authorization ===== ===== Enforce Authorization =====
   * We do not want our directory to be world readable, so we need to setup some ACLs   * We do not want our directory to be world readable, so we need to setup some ACLs
Line 122: Line 136:
  
 </code> </code>
 +  * Apply it:
 +  * <code>ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif</code>
 +  * Users now need to authenticate to read the directory, like this:
 +  * <code>ldapsearch -x -D "cn=admin,dc=my,dc=domain,dc=tld" -W</code>
  
 ---- ----
 +
 ===== Enabling TLS ===== ===== Enabling TLS =====
   * Make sure you have the following files:   * Make sure you have the following files:
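Review bot: the ldapsearch offered as proof that "users now need to authenticate" does not test the new ACLs. On a Debian-packaged slapd the default olcRootDN is cn=admin,<suffix>, and the rootdn bypasses olcAccess entirely, so that search would succeed even if access.ldif had not been applied. Verify with an anonymous search and with an ordinary user instead: `ldapsearch -x -b dc=my,dc=domain,dc=tld` should now return nothing (or an access error) rather than the directory contents, and `ldapsearch -x -D uid=someuser,ou=people,dc=my,dc=domain,dc=tld -W -b dc=my,dc=domain,dc=tld` should succeed. Also pass -b explicitly; without it the command depends on BASE in ldap.conf. Finally, at this point in the tutorial TLS is not yet enabled, so -x -W sends the admin password over the wire in cleartext; a sentence pointing at the next section would help.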
Line 171: Line 190:
 olcSecurity: tls=1 olcSecurity: tls=1
 </code> </code>
 +  * Users now need to use STARTTLS (e.g. with ''%%-Z%%'' in ''%%ldapsearch%%''):
 +  * <code>ldapsearch -x -Z -D "cn=admin,dc=my,dc=domain,dc=tld" -W</code>
 +
 +----
 +
 +===== Add an admin group ====
 +  * We do not want to give every admin the admin account credentials
 +  * We need an admin group which all admins are a member of
 +  * We can give this group manage permissions
 +  * I assume you already have created a ''%%admins%%'' posixGroup in the ''%%groups%%'' ou
 +  * Take a look at the ldif to enforce authorization and change it to this:
 +  * <code>
 +dn: olcDatabase={1}mdb,cn=config
 +changetype: modify
 +delete: olcAccess
 +olcAccess: {3}
 +-
 +add: olcAccess
 +olcAccess: {3}to *
 +  by dn="cn=admin,dc=my,dc=domain,dc=tld" manage
 +  by set="user/uid & [cn=admins,ou=groups,dc=my,dc=domain,dc=tld]/memberUid" manage
 +  by self write
 +  by anonymous auth
 +  by users read
 +-
 +</code>
 +  * Apply it like above
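Review bot: the `to *` rule combined with `by self write` lets an authenticated user write every attribute of their own entry that is not covered by an earlier, more specific olcAccess rule, while the set clause grants manage to any bind whose entry has a uid value listed in memberUid of cn=admins. Unless one of the {0}-{2} rules (not visible here) restricts write access to uid, a user can add a second uid value equal to an admin's uid to their own entry and satisfy `user/uid & [...]/memberUid` on the next bind; the same self write covers uidNumber and gidNumber, which matters for any NSS/PAM client of this directory. Suggest a rule ahead of {3} such as `to attrs=uid,uidNumber,gidNumber by set="user/uid & [cn=admins,ou=groups,dc=my,dc=domain,dc=tld]/memberUid" manage by users read` (at minimum `by self read`), and a remark that membership is matched on the uid string, so admin uids must not be reusable. Two smaller points: the delete-by-index `olcAccess: {3}` silently removes whichever rule is third, so either check first with `ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess` or use `replace: olcAccess` with the full list; and the TLS example still uses -Z, which should be -ZZ, because -Z falls back to cleartext (olcSecurity tls=1 will then reject the bind, but the password has already been sent). Style: the heading markup is unbalanced (five = on the left, four on the right); make it `=====` on both sides like the other section headings.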