

Install and configure OpenLDAP on Debian 8 (Jessie)

  • Debian 8 installation

  • apt-get install slapd ldap-utils
  • During installation, set an admin password
  • Open /etc/ldap/ldap.conf and set the BASE and URI parameters:
  • #
    # LDAP Defaults
    #
    
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.
    
    BASE    dc=my,dc=domain,dc=tld
    URI     ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666
    
    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never
    
    # TLS certificates (needed for GnuTLS)
    TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
    
    TLS_REQCERT ALLOW
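The TLS_REQCERT line above deserves a second look: with ALLOW the client still proceeds when the server presents a certificate that fails validation, so the TLS_CACERT setting buys little. The following shell snippet is an added example, not part of the original tutorial, that audits an ldap.conf-style file for exactly that: it flags any TLS_REQCERT other than demand/hard (demand is also the default when the directive is absent, per ldap.conf(5)) and notes plain ldap:// URIs, which only stay confidential when the client forces STARTTLS with -ZZ. The two sample files are constructed inline with mktemp; one mirrors the settings above, the other the hardened form.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit client-side TLS settings in an
# ldap.conf-style file. The sample files are constructed below with mktemp.

# Print the value of a directive (case-insensitive name), skipping comments.
ldap_conf_get() {
    awk -v key="$2" 'toupper($1) == toupper(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 when the file makes the client verify the server certificate.
# Per ldap.conf(5) only "demand" (the default when unset) and "hard" abort
# the connection on a missing or invalid certificate; "never", "allow" and
# "try" are weaker.
check_ldap_conf() {
    rc=0
    reqcert=$(ldap_conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    case "${reqcert:-demand}" in
        demand|hard) ;;
        *) echo "WEAK: TLS_REQCERT=$reqcert; only demand/hard refuse every bad or missing server certificate"; rc=1 ;;
    esac
    # Plain ldap:// URIs are only protected if the client adds STARTTLS (-ZZ).
    for uri in $(ldap_conf_get "$1" URI); do
        case "$uri" in
            ldaps://*) ;;
            *) echo "NOTE: $uri is not ldaps://; use ldapsearch -ZZ to force STARTTLS" ;;
        esac
    done
    return $rc
}

# Constructed sample 1: the settings shown in the tutorial.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# LDAP Defaults
BASE    dc=my,dc=domain,dc=tld
URI     ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT ALLOW
EOF

# Constructed sample 2: the same file with certificate checking enforced.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
BASE    dc=my,dc=domain,dc=tld
URI     ldaps://ldap.my.domain.tld
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
EOF

for f in "$WEAK_CONF" "$HARD_CONF"; do
    if check_ldap_conf "$f"; then echo "$f: OK"; else echo "$f: needs attention"; fi
done
```

Run it as `sh audit-ldap-conf.sh`; to check the live file, call `check_ldap_conf /etc/ldap/ldap.conf` instead of the constructed samples.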
  • Run dpkg-reconfigure slapd
    • Answer the following prompts this way:
      • Omit OpenLDAP server configuration? No
      • Organization name: <pick something>
      • Administrator password: <same password as before>
      • Confirm password: <same password as before>
      • Database backend to use: MDB
      • Do you want the database to be removed when slapd is purged? No
      • Move old database? Yes
      • Allow LDAPv2 protocol? No
  • Test connection:
  • $> ldapsearch -x

  • We want to create some basic organizational units (OUs), e.g. for people and groups
  • Create base.ldif with the following content (the DNs must sit under the BASE configured in ldap.conf above):
  • dn: ou=people,dc=my,dc=domain,dc=tld
    objectClass: organizationalUnit
    ou: people
    
    dn: ou=groups,dc=my,dc=domain,dc=tld
    objectClass: organizationalUnit
    ou: groups
  • Add it with ldapadd:
  • ldapadd -x -D cn=admin,dc=my,dc=domain,dc=tld -W -f base.ldif

  • We do not want our directory to be world readable, so we need to set up some ACLs.

  • Make sure you have the following files:
    • cert.crt - Your certificate (without any other intermediate certs)
    • cert.key - Your private key
    • chain.pem - The intermediate certs
  • I assume the files are located at /opt/ssl
  • Add the openldap user to the ssl-cert group:
  • $> usermod -aG ssl-cert openldap
  • chown your files and set permissions:
  • $> chown root:ssl-cert cert.crt cert.key chain.pem
    $> chmod 640 cert.crt cert.key chain.pem
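Whether the chown/chmod step actually took effect is worth verifying before slapd is pointed at the key, since a private key readable by "other" is the usual way a TLS identity leaks. The shell functions below are an added example, not from the tutorial: they check that a file is not accessible by "other" and not group-writable, that it belongs to the expected group, and that a user is a member of a group (what `usermod -aG ssl-cert openldap` is meant to achieve). Because changing ownership needs root, the constructed samples live under mktemp -d and the group check is run against the caller's own primary group rather than ssl-cert.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify that TLS key material is
# group-readable only and owned by the intended group, as the chown/chmod
# step intends. Sample files are created under mktemp -d.

# Symbolic mode of a file, e.g. -rw-r----- (first 10 characters of ls -l).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Group that owns a file (4th column of ls -l).
file_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Return 0 if the file exists, has no "other" bits and is not group-writable;
# explain the problem and return 1 otherwise.
check_key_perms() {
    [ -f "$1" ] || { echo "MISSING: $1"; return 1; }
    mode=$(file_mode "$1")
    rc=0
    case "$(printf '%s' "$mode" | cut -c8-10)" in
        ---) ;;
        *) echo "WORLD-ACCESSIBLE: $1 ($mode)"; rc=1 ;;
    esac
    case "$(printf '%s' "$mode" | cut -c6)" in
        w) echo "GROUP-WRITABLE: $1 ($mode)"; rc=1 ;;
    esac
    return $rc
}

# Return 0 if the file is owned by the expected group (ssl-cert in the tutorial).
check_key_group() {
    [ "$(file_group "$1")" = "$2" ] && return 0
    echo "WRONG GROUP: $1 is owned by $(file_group "$1"), expected $2"
    return 1
}

# Return 0 if the user is a member (primary or supplementary) of the group,
# i.e. what usermod -aG ssl-cert openldap is meant to achieve.
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Constructed samples: one file with the tutorial's 640 mode, one left at 644.
# Ownership cannot be changed without root, so the group check uses the
# caller's primary group in place of ssl-cert.
SSL_DIR=$(mktemp -d)
MY_GROUP=$(id -gn)
GOOD_KEY="$SSL_DIR/cert.key";   : > "$GOOD_KEY"; chmod 640 "$GOOD_KEY"
BAD_KEY="$SSL_DIR/leaked.key";  : > "$BAD_KEY";  chmod 644 "$BAD_KEY"

for f in "$GOOD_KEY" "$BAD_KEY"; do
    if check_key_perms "$f" && check_key_group "$f" "$MY_GROUP"; then
        echo "$f: OK"
    fi
done
user_in_group "$(id -un)" "$MY_GROUP" && echo "$(id -un) is in $MY_GROUP"
```

On the real host, run the same functions against /opt/ssl/cert.key, /opt/ssl/cert.crt and /opt/ssl/chain.pem with `ssl-cert` as the expected group, and `user_in_group openldap ssl-cert` to confirm the usermod step (log out and in, or restart slapd, before group membership is picked up).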
  • Create the tls.ldif file:
  • dn: cn=config
    changetype: modify
    add: olcTLSCipherSuite
    olcTLSCipherSuite: NORMAL
    -
    add: olcTLSCRLCheck
    olcTLSCRLCheck: none
    -
    add: olcTLSVerifyClient
    olcTLSVerifyClient: never
    -
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /opt/ssl/chain.pem
    -
    add: olcTLSCertificateFile
    olcTLSCertificateFile: /opt/ssl/cert.crt
    -
    add: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /opt/ssl/cert.key
    -
    add: olcTLSProtocolMin
    olcTLSProtocolMin: 3.3
  • And apply it:
  • $> ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
  • To enforce TLS, create the following LDIF file and apply it:
  • dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcSecurity
    olcSecurity: tls=1
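Two details in the LDIF above are easy to get wrong silently: olcTLSProtocolMin uses the SSL record-layer numbering, so 3.3 means TLS 1.2 (3.1 would be TLS 1.0), and olcSecurity tls=1 only bites if it lands on the database entry. The shell snippet below is an added example, not from the tutorial, that checks both files statically before they go through ldapmodify: it confirms the certificate, key and chain attributes are present, translates and enforces the protocol floor, notes that olcTLSVerifyClient never means clients are never asked for a certificate, and checks that olcSecurity actually requires TLS. The LDIF text is a constructed copy of the section's files written to mktemp files; the 3.4 = TLS 1.3 mapping only applies to OpenLDAP builds whose TLS library supports it.

```shell
#!/bin/sh
# Added example (not from the tutorial): static checks on the TLS and
# olcSecurity LDIF files before applying them. The LDIF below is a constructed
# copy of what this section shows, written to temporary files.

# First value of an attribute in an LDIF file ("attr: value" lines only).
ldif_get() {
    awk -v attr="$2" 'index($0, attr ": ") == 1 { print substr($0, length(attr) + 3); exit }' "$1"
}

# olcTLSProtocolMin uses SSL record-layer numbering: 3.1 = TLS 1.0,
# 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3 (where the TLS library has it).
tls_version_name() {
    case "$1" in
        3.0) echo "SSL 3.0" ;;
        3.1) echo "TLS 1.0" ;;
        3.2) echo "TLS 1.1" ;;
        3.3) echo "TLS 1.2" ;;
        3.4) echo "TLS 1.3" ;;
        *)   echo "unknown ($1)" ;;
    esac
}

# Return 0 if the cn=config entry names a certificate, key and chain and
# refuses anything older than TLS 1.2; report each problem otherwise.
check_tls_ldif() {
    rc=0
    for attr in olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSCACertificateFile; do
        [ -n "$(ldif_get "$1" "$attr")" ] || { echo "MISSING: $attr"; rc=1; }
    done
    min=$(ldif_get "$1" olcTLSProtocolMin)
    case "$min" in
        3.3|3.4) echo "olcTLSProtocolMin $min = $(tls_version_name "$min")" ;;
        *) echo "WEAK: olcTLSProtocolMin is '${min:-unset}' ($(tls_version_name "$min")); use 3.3 or higher"; rc=1 ;;
    esac
    [ "$(ldif_get "$1" olcTLSVerifyClient)" = "never" ] &&
        echo "NOTE: olcTLSVerifyClient never: clients are not asked for certificates"
    return $rc
}

# Return 0 if the database entry demands TLS: a non-zero tls= factor, or a
# non-zero overall ssf= floor, in olcSecurity.
check_security_ldif() {
    sec=$(ldif_get "$1" olcSecurity)
    for factor in $sec; do
        case "$factor" in
            tls=[1-9]*|ssf=[1-9]*) return 0 ;;
        esac
    done
    echo "WEAK: $(ldif_get "$1" dn) does not require TLS (olcSecurity: '${sec:-unset}')"
    return 1
}

# Constructed copies of the section's two LDIF files.
TLS_LDIF=$(mktemp)
cat > "$TLS_LDIF" <<'EOF'
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /opt/ssl/chain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /opt/ssl/cert.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /opt/ssl/cert.key
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
EOF

SEC_LDIF=$(mktemp)
cat > "$SEC_LDIF" <<'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
EOF

check_tls_ldif "$TLS_LDIF" && check_security_ldif "$SEC_LDIF" &&
    echo "both files look sane; apply with ldapmodify -Y EXTERNAL -H ldapi:///"
```

Point `check_tls_ldif` and `check_security_ldif` at your own tls.ldif and security LDIF to run the same checks on the real files; the functions only read the LDIF and never touch cn=config.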
  • Last modified: 2018-06-03 14:10