Install and configure OpenLDAP on Debian 8 (Jessie)
Requirements
- Debian 8 installation
Installation
apt-get install slapd ldap-utils
- During installation, set an admin password
- Open /etc/ldap/ldap.conf and set the BASE and URI parameters:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=my,dc=domain,dc=tld
URI     ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT     ALLOW

Note that with TLS_REQCERT ALLOW the client ignores a missing or invalid server certificate (see ldap.conf(5)); once the server certificate below is in place, TLS_REQCERT demand makes the client actually verify it.
- Run dpkg-reconfigure slapd
- Answer the following prompts this way:

| Omit OpenLDAP server configuration? | No |
| Organization name: | <pick something> |
| Administrator password: | <same password as before> |
| Confirm password: | <same password as before> |
| Database backend to use: | MDB |
| Do you want the database to be removed when slapd is purged? | No |
| Move old database? | Yes |
| Allow LDAPv2 protocol? | No |
- Test connection:
$> ldapsearch -x
Add Some Data
- We want to create some basic organizational units (OUs), e.g. for people and groups
- Create base.ldif with the following content (the suffix must match the BASE configured above):

dn: ou=people,dc=my,dc=domain,dc=tld
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=my,dc=domain,dc=tld
objectClass: organizationalUnit
ou: groups

- Add it with ldapadd:
ldapadd -x -D cn=admin,dc=my,dc=domain,dc=tld -W -f base.ldif
Enforce Authorization
- We do not want our directory to be world readable, so we need to setup some ACLs
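An added example of such an ACL (not part of the original page), assuming the suffix dc=my,dc=domain,dc=tld and the olcDatabase={1}mdb database used elsewhere on this page; save it as acl.ldif:

```ldif
# acl.ldif (added example): restrict the directory to authenticated users.
# Rules are evaluated in order and the first matching "to" clause wins,
# so the password rule must come before the catch-all.
# cn=admin is the rootdn of this database and bypasses these ACLs anyway.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: only the owner may write, and anonymous clients may only use
# the attribute to authenticate (required for simple binds to work).
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
# The rootDSE stays readable so clients can discover namingContexts etc.
olcAccess: {1}to dn.base=""
  by * read
# Everything else: readable only after a successful bind, no anonymous reads.
olcAccess: {2}to *
  by users read
  by * none
```

Apply it with the same ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif invocation used for the TLS configuration below; afterwards an anonymous ldapsearch -x -b dc=my,dc=domain,dc=tld returns no entries, while a search bound with -D cn=admin,dc=my,dc=domain,dc=tld -W still does.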
Enabling TLS
- Make sure you have the following files:
- cert.crt - Your certificate (without any other intermediate certs)
- cert.key - Your private key
- chain.pem - The intermediate certs
- I assume the files are located at /opt/ssl
- Add the openldap user to the ssl-cert group:
$> usermod -aG ssl-cert openldap
- chown your files (in /opt/ssl) and set permissions:
$> chown root:ssl-cert cert.crt cert.key chain.pem
$> chmod 640 cert.crt cert.key chain.pem
- Create the tls.ldif file:

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /opt/ssl/chain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /opt/ssl/cert.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /opt/ssl/cert.key
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
- And apply it:
$> ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
- For the ldaps:// URI from ldap.conf to work, slapd must also listen on ldaps:///: add it to SLAPD_SERVICES in /etc/default/slapd and restart slapd.
- To enforce TLS create the following ldif file and apply it the same way:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1

- Afterwards a plain ldapsearch -x against ldap:// fails with "Confidentiality required"; use ldapsearch -x -ZZ (StartTLS) or the ldaps:// URI to test.