

Install and configure OpenLDAP on Debian 8 (Jessie)

  • Debian 8 installation

  • apt-get install slapd ldap-utils
  • During installation, set an admin password
  • Open /etc/ldap/ldap.conf and set the BASE, URI and TLS parameters. Note that TLS_REQCERT ALLOW, as in the sample below, lets the client carry on when the server presents an invalid certificate or none at all; once the server certificate from the TLS section is installed, change it to TLS_REQCERT demand so that the certificate is checked against TLS_CACERT:
  • #
    # LDAP Defaults
    #
    
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.
    
    BASE    dc=my,dc=domain,dc=tld
    URI     ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666
    
    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never
    
    # TLS certificates (needed for GnuTLS)
    TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
    
    TLS_REQCERT ALLOW
  • Run dpkg-reconfigure slapd
    • Answer the following prompts this way:
    • Omit OpenLDAP server configuration? No
    • DNS domain name: my.domain.tld
    • Organization name: <pick something>
    • Administrator password: <same password as before>
    • Confirm password: <same password as before>
    • Database backend to use: MDB
    • Do you want the database to be removed when slapd is purged? No
    • Move old database? Yes
    • Allow LDAPv2 protocol? No
  • Test the connection (an anonymous simple bind using BASE and URI from ldap.conf, which should return the base entry created by dpkg-reconfigure):
  • $> ldapsearch -x

  • TODO

  • Make sure you have the following files:
    • cert.crt - Your certificate (without any other intermediate certs)
    • cert.key - Your private key
    • chain.pem - The intermediate certs
  • I assume the files are located at /opt/ssl
  • Add the openldap user to the ssl-cert group:
  • $> usermod -aG ssl-cert openldap
  • chown your files and set permissions:
  • $> chown root:ssl-cert cert.crt cert.key chain.pem
    $> chmod 640 cert.crt cert.key chain.pem
  • Create the tls.ldif file:
  • dn: cn=config
    changetype: modify
    # GnuTLS priority string: Debian's slapd is built against GnuTLS, not OpenSSL
    add: olcTLSCipherSuite
    olcTLSCipherSuite: NORMAL
    -
    add: olcTLSCRLCheck
    olcTLSCRLCheck: none
    -
    # clients are not asked for a certificate
    add: olcTLSVerifyClient
    olcTLSVerifyClient: never
    -
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /opt/ssl/chain.pem
    -
    add: olcTLSCertificateFile
    olcTLSCertificateFile: /opt/ssl/cert.crt
    -
    add: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /opt/ssl/cert.key
    -
    # 3.3 is TLS 1.2 (3.1 would be TLS 1.0, 3.2 TLS 1.1)
    add: olcTLSProtocolMin
    olcTLSProtocolMin: 3.3
  • Apply it over the local ldapi socket; root is mapped to the cn=config admin through SASL EXTERNAL, so no password is needed:
  • $> ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
  • On Debian slapd only listens on ldap:/// and ldapi:/// by default. StartTLS on ldap:// works right away, but for the ldaps:// URI used in ldap.conf above you also have to add ldaps:/// to SLAPD_SERVICES in /etc/default/slapd and restart slapd.
  • To require TLS for every operation on the main database ({1}mdb, the one holding dc=my,dc=domain,dc=tld), create the following ldif file and apply it with the same ldapmodify command. Afterwards a plain ldapsearch -x over ldap:// fails with Confidentiality required (13), while the same search with -ZZ (StartTLS) or over ldaps:// succeeds. Keep in mind that tls=1 is only satisfied by TLS itself, not by the ldapi:/// socket, so local scripts that write to this database over ldapi:/// are refused as well; cn=config is not affected:
  • dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcSecurity
    olcSecurity: tls=1
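  • Checking both halves of this setup without a live server, as an added example that is not part of the original page: the script below parses the ldap.conf written in the installation step and the two LDIF changes above, then reports the settings that weaken TLS. The samples are constructed copies of this page's own files (port 666 URI included); the thresholds (TLS 1.2 as floor, demand for TLS_REQCERT, a tls= or ssf= factor in olcSecurity) are the checks I would apply, not anything slapd enforces by itself.

```python
# Added example (not from the original page): audit the ldap.conf and cn=config TLS settings above.
import base64
import re

# Constructed sample, copied from the ldap.conf written in the installation step (port 666 included).
CLIENT_CONF = """\
BASE    dc=my,dc=domain,dc=tld
URI     ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT ALLOW
"""

# Constructed sample: tls.ldif and the olcSecurity change from above, as one LDIF stream.
SERVER_LDIF = """\
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /opt/ssl/cert.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /opt/ssl/cert.key
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
"""

def parse_ldap_conf(text):
    """ldap.conf: one 'KEYWORD value' per line; keywords are case-insensitive, the last one wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def parse_ldif(text):
    """Return {dn: {attribute (lowercased): [values]}} for each record of an LDIF stream.
    Unfolds continuation lines (leading space), decodes 'attr::' base64 values and drops the
    control lines and '-' separators of modify records, so slapcat -n 0 output parses too."""
    entries = {}
    for record in re.split(r"\n[ \t]*\n", re.sub(r"\n ", "", text).strip()):
        dn, attrs = None, {}
        for line in map(str.rstrip, record.splitlines()):
            if not line or line == "-" or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"not an LDIF line: {line!r}")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            elif name not in ("changetype", "add", "replace", "delete"):
                attrs.setdefault(name, []).append(value)
        entries[dn] = attrs
    return entries

def audit_client(conf):
    """Client-side findings: is the server certificate verified, and is any URI cleartext?"""
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # demand is the ldap.conf(5) default
    if reqcert not in ("demand", "hard"):
        findings.append(f"TLS_REQCERT {reqcert}: a bad or missing server certificate is tolerated; set demand")
    for uri in conf.get("URI", "").split():
        if uri.lower().startswith("ldap://"):
            findings.append(f"URI {uri}: cleartext unless the client also passes -ZZ (StartTLS)")
    return findings

def audit_server(entries, db_dn="olcDatabase={1}mdb,cn=config"):
    """Server-side findings: key material present, TLS 1.2 floor, TLS enforced on the database."""
    findings = []
    cfg = entries.get("cn=config", {})
    first = lambda name: (cfg.get(name.lower()) or [None])[0]
    for name in ("olcTLSCertificateFile", "olcTLSCertificateKeyFile"):
        if first(name) is None:
            findings.append(f"{name} missing: slapd cannot negotiate TLS at all")
    proto = first("olcTLSProtocolMin")
    if proto is None or tuple(int(p) for p in proto.split(".")) < (3, 3):
        findings.append(f"olcTLSProtocolMin {proto}: TLS 1.0/1.1 still negotiable; use 3.3 (TLS 1.2)")
    # any of tls=N, ssf=N or transport=N with N >= 1 rejects unprotected connections; ssf=0 does not
    security = entries.get(db_dn, {}).get("olcsecurity", [])
    if not any(re.search(r"\b(tls|ssf|transport)=[1-9]", v) for v in security):
        findings.append(f"{db_dn}: no olcSecurity tls=/ssf= factor, cleartext operations are accepted")
    return findings

if __name__ == "__main__":  # findings for the configuration on this page
    print("client:", audit_client(parse_ldap_conf(CLIENT_CONF)) or "ok")
    print("server:", audit_server(parse_ldif(SERVER_LDIF)) or "ok")
```

    Run as-is it reports TLS_REQCERT ALLOW and the cleartext ldap:// URI on the client side and nothing on the server side. To re-check a real host, replace the samples with the contents of /etc/ldap/ldap.conf and the output of slapcat -n 0; the LDIF parser handles the folded and base64 lines that slapcat emits.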
  • Last modified: 2018-06-03 14:10