tutorial:ldap:installopenldap

This is an old revision of the document!

,

Install and configure OpenLDAP on Debian 8 (Jessie)

Requirements

  • Debian 8 installation

Installation

  • apt-get install slapd ldap-utils
  • During installation, set an admin password
  • Open /etc/ldap/ldap.conf and set the BASE and URI parameters:
  • #
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=my,dc=domain,dc=tld
URI     ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

TLS_REQCERT ALLOW
  • Run dkpg-reconfigure slapd
    • Answer the following prompts this way:
Omit OpenLDAP server configuration? No
Organization name: <pick something>
Administrator password: <same password as before>
Confirm password: <same password as before>
Database backend to use: MDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No
  • Test connection:
  • $> ldapsearch -x

Add Some Data

  • We want to create some basic organizational units (OUs), e.g. for people and groups
  • Create base.ldif with the following content:
  • dn: ou=people,dc=internal,dc=weichbrodt,dc=me
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=internal,dc=weichbrodt,dc=me
objectClass: organizationalUnit
ou: groups
  • Add it with ldapadd:
  • ldapadd -x -D cn=admin,dc=my,dc=domain,dc=tld -W -f base.ldif

Enforce Authorization

  • We do not want our directory to be world readable, so we need to setup some ACLs

Enabling TLS

  • Make sure you have the following files:
    • cert.crt - Your certificate (without any other intermediate certs)
    • cert.key - Your private key
    • chain.pem - The intermediate certs
  • I assume the files are located at /opt/ssl
  • Add the openldap user to the ssl-cert group:
  • $> usermod -aG ssl-cert openldap
  • chown your files and set permissions:
  • $> chown root:ssl-cert cert.crt cert.key chain.pem
$> chmod 640 cert.crt cert.key chain.pem
  • Create the tls.ldif file:
  • dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /opt/ssl/chain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /opt/ssl/cert.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /opt/ssl/cert.key
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
  • And apply it
  • $> ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
  • To enforce TLS create the following ldif file and apply it:
  • dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
  • tutorial/ldap/installopenldap.1459714791.txt.gz
  • Last modified: 2018-06-03 14:10
  • (external edit)