Differences
This shows you the differences between two versions of the page.
Previous revision: tutorial:ldap:installopenldap [2016-04-03 22:59] – [Notes] weichbr
Current revision: tutorial:ldap:installopenldap [2025-06-16 14:43] (current) – removed weichbr

Every line below was removed in the current revision; it is the previous revision's content, starting at line 1.
{{tag>
====== Install and configure OpenLDAP on Debian 8 (Jessie) ======

===== Requirements =====
  * Debian 8 installation

----

===== Notes =====
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''
  * ''

----

===== Installation =====
  * <
  * During installation,
  * Open ''
  * <
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=my,
URI

#
#
#

# TLS certificates (needed for GnuTLS)
TLS_CACERT

TLS_REQCERT ALLOW
</
  * Run ''
  * Answer the following prompts this way:

| Omit OpenLDAP server configuration? | |
| Organization name: | <pick something> |
| Administrator password: | |
| Confirm password: | |
| Database backend to use: | MDB |
| Do you want the database to be removed when slapd is purged? | |
| Move old database? | |
| Allow LDAPv2 protocol? | |

  * Test connection:
  * <

----

===== Add Some Data =====
  * We want to create some basic organizational units (OUs), e.g. for people and groups.
  * Create ''
  * <
dn: ou=people,
objectClass:
ou: people

dn: ou=groups,
objectClass:
ou: groups
</
  * Add it with ''
  * <

----
===== Enforce Authorization =====
  * We do not want our directory to be world readable, so we need to set up some ACLs.
  * First, get your current ACLs:
  * <
  * This results in a long list; we are interested in the output under the ''
  * <
# {1}mdb, config
dn: olcDatabase={1}mdb,
objectClass:
objectClass:
olcDatabase:
olcDbDirectory:
olcSuffix: dc=my,
olcAccess: {0}to attrs=userPassword,
olcAccess: {1}to dn.base=""
olcAccess: {2}to * by dn="
olcLastMod: TRUE
olcRootDN: cn=admin,
olcRootPW: {SSHA}abcdefghijklmnopqrstuvwxyz123456
olcSecurity:
olcDbCheckpoint:
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,
olcDbIndex: member,
olcDbMaxSize:
</
  * Take a look at the lines starting with ''
  * We want users to be able to change their own password as well as authenticate. No one else should be able to read the password hash. The admin accounts can modify everyone's passwords and can read all hashes.
  * We also want users to authenticate before reading the directory. Anonymous access should be disallowed.
  * We need to modify ''
  * Create the ''
  * <
dn: olcDatabase={1}mdb,
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,
  by dn="
  by self write
  by anonymous auth
  by * none
-
delete: olcAccess
olcAccess: {2}
-
add: olcAccess
olcAccess: {2}to *
  by dn="
  by self write
  by anonymous auth
  by users read

</
  * Apply it:
  * <
  * Users now need to authenticate to read the directory, like this:
  * <

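As an added example (not from the original page), here is a small Python evaluator for slapd olcAccess rules that models the two directives above and checks that they grant what the list intends; it also shows that placing ''by * none'' ahead of ''by self write'' silently locks users out of their own password. It assumes a placeholder admin DN and suffix, that the {0} directive covers only userPassword (the page truncates the attribute list), that only the dn/self/anonymous/users/* selectors are needed, and that a target matched by no directive is denied.

```python
import re

# Access levels in slapd's order; a higher level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ADMIN = "cn=admin,dc=placeholder"  # placeholder for the admin DN the page truncates

# Constructed olcAccess values modelled on the tutorial's {0} and {2} directives.
ACL_TEXT = [
    f'{{0}}to attrs=userPassword by dn="{ADMIN}" write by self write by anonymous auth by * none',
    f'{{2}}to * by dn="{ADMIN}" write by self write by anonymous auth by users read',
]

def parse_access(text):
    """Split one olcAccess value into (attribute set, or None for 'to *') and ordered by-clauses."""
    what = re.match(r'\s*(?:\{\d+\})?to\s+(.+?)\s+(?=by\s)', text).group(1)
    attrs = None
    if what.startswith("attrs="):
        attrs = {a.strip().lower() for a in what[len("attrs="):].split(",")}
    return attrs, re.findall(r'by\s+(dn="[^"]*"|\S+)\s+(\w+)', text)

def who_matches(who, requester, target_dn):
    """Match a <by> selector against the bound DN (None = anonymous bind)."""
    if who == "*":
        return True
    if requester is None:
        return who == "anonymous"
    return (who == "users"
            or (who == "self" and requester.lower() == target_dn.lower())
            or (who.startswith('dn="') and requester.lower() == who[4:-1].lower()))

def access_level(acl, requester, target_dn, attr=None):
    """slapd order: the first <what> matching the target decides, and inside it the
    first matching <by> decides. attrs= clauses cover only those attributes; 'to *'
    covers everything. No matching <by> acts as 'by * none'; no matching <what> is
    treated as none here (modelling assumption; the 'to *' catch-all makes it moot)."""
    for attrs, clauses in acl:
        if attrs is not None and (attr is None or attr.lower() not in attrs):
            continue
        return next((lvl for who, lvl in clauses
                     if who_matches(who, requester, target_dn)), "none")
    return "none"

def allows(acl, requester, target_dn, needed, attr=None):
    """True if the granted level is at least the level `needed`."""
    return LEVELS.index(access_level(acl, requester, target_dn, attr)) >= LEVELS.index(needed)

ACL = [parse_access(t) for t in ACL_TEXT]
```

Anonymous binds end up with ''auth'' only, so they can authenticate but read nothing, while an authenticated user gets ''read'' on the directory and ''none'' on other people's userPassword.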
----
===== Enabling TLS =====
  * Make sure you have the following files:
    * ''
    * ''
    * ''
  * I assume the files are located at ''
  * Add the openldap user to the ssl-cert group:
  * <
  * chown your files and set permissions:
  * <
$> chown root:
$> chmod 640 cert.crt cert.key chain.pem
</
  * Create the ''
  * <
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite:
-
add: olcTLSCRLCheck
olcTLSCRLCheck:
-
add: olcTLSVerifyClient
olcTLSVerifyClient:
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile:
-
add: olcTLSCertificateFile
olcTLSCertificateFile:
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile:
-
add: olcTLSProtocolMin
olcTLSProtocolMin:
</
  * And apply it:
  * <
  * To enforce TLS, create the following ldif file and apply it:
  * <
dn: olcDatabase={1}mdb,
changetype: modify
add: olcSecurity
olcSecurity:
</
  * Users now need to use STARTTLS (e.g. with ''
  * <