Install and configure OpenLDAP on Debian 8 (Jessie)
Requirements
- Debian 8 installation
Installation
apt-get install slapd ldap-utils
- During installation, set an admin password
- Open /etc/ldap/ldap.conf and set the BASE and URI parameters:

  #
  # LDAP Defaults
  #

  # See ldap.conf(5) for details
  # This file should be world readable but not world writable.

  BASE    dc=my,dc=domain,dc=tld
  URI     ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666

  #SIZELIMIT      12
  #TIMELIMIT      15
  #DEREF          never

  # TLS certificates (needed for GnuTLS)
  TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
  TLS_REQCERT     ALLOW

- Note that TLS_REQCERT ALLOW makes the client tools tolerate a missing or invalid server certificate (see ldap.conf(5)). That is convenient while the server certificate is not in place yet, but switch it back to demand (the default) once the "Enabling TLS" section below is done, otherwise the client tools will happily talk to an impostor.
- Run:
$> dpkg-reconfigure slapd
- Answer the prompts as follows (the DNS domain name becomes the suffix, so my.domain.tld gives dc=my,dc=domain,dc=tld):
| Prompt | Answer |
| Omit OpenLDAP server configuration? | No |
| DNS domain name: | my.domain.tld |
| Organization name: | <pick something> |
| Administrator password: | <same password as before> |
| Confirm password: | <same password as before> |
| Database backend to use: | MDB |
| Do you want the database to be removed when slapd is purged? | No |
| Move old database? | Yes |
| Allow LDAPv2 protocol? | No |
- Test the connection (anonymous simple bind; BASE and URI are taken from ldap.conf, so the suffix entry should be returned):
$> ldapsearch -x
Add Some Data
- We want to create some basic organizational units (OUs), e.g. for people and groups
- Create base.ldif with the following content (the DNs must sit under the suffix configured above, here dc=my,dc=domain,dc=tld, otherwise ldapadd fails with "No such object"):

  dn: ou=people,dc=my,dc=domain,dc=tld
  objectClass: organizationalUnit
  ou: people

  dn: ou=groups,dc=my,dc=domain,dc=tld
  objectClass: organizationalUnit
  ou: groups

- Add it with ldapadd, binding as the admin DN created by dpkg-reconfigure:
$> ldapadd -x -D cn=admin,dc=my,dc=domain,dc=tld -W -f base.ldif
Enforce Authorization
- We do not want our directory to be world readable, so we need to set up some ACLs
- First, get your current ACLs (this dumps the whole cn=config tree; to see only the access rules of the data database, search olcDatabase={1}mdb,cn=config for the olcAccess attribute):
$> ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
- This results in a long list, we are interested in the output under the "# {1}mdb, config" heading (example output, long olcAccess values unfolded):

  # {1}mdb, config
  dn: olcDatabase={1}mdb,cn=config
  objectClass: olcDatabaseConfig
  objectClass: olcMdbConfig
  olcDatabase: {1}mdb
  olcDbDirectory: /var/lib/ldap
  olcSuffix: dc=my,dc=domain,dc=tld
  olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=my,dc=domain,dc=tld" write by self write by * none
  olcAccess: {1}to dn.base="" by * read
  olcAccess: {2}to * by dn="cn=admin,dc=my,dc=domain,dc=tld" write by * read
  olcLastMod: TRUE
  olcRootDN: cn=admin,dc=my,dc=domain,dc=tld
  olcRootPW: {SSHA}abcdefghijklmnopqrstuvwxyz123456
  olcSecurity: tls=1
  olcDbCheckpoint: 512 30
  olcDbIndex: objectClass eq
  olcDbIndex: cn,uid eq
  olcDbIndex: uidNumber,gidNumber eq
  olcDbIndex: member,memberUid eq
  olcDbMaxSize: 1073741824

- Rule {2} ("to * ... by * read") is what makes the whole tree readable by anonymous clients and is the one to change; rule {0} keeps userPassword private, and rule {1} keeps the root DSE readable so clients can discover the server. (olcSecurity: tls=1 already shows up here because the server this output was taken from had the step from "Enabling TLS" applied.)
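The page reads the current rules but stops short of changing them. The script below is an added example, not part of the original page: it replaces the world-readable rule set with one that only lets authenticated users read, creates a throwaway account under the ou=people OU from base.ldif (so it also shows the kind of entry that belongs under those OUs), and verifies both halves. The suffix, the admin DN, the account name uid=acltest and the server URI the client tools pick up from ldap.conf are assumptions to adapt. Compared with the output above, the "by anonymous auth" clause in rule {0} is new: without it ordinary users cannot do a simple bind, because at bind time the connection is still anonymous.

```shell
#!/bin/sh
# Added example, not part of the original page: replace the world-readable
# default ACL with one that only lets authenticated users read, then prove it
# with a throwaway account. Assumptions (adapt to your setup): the suffix and
# admin DN below, ou=people from base.ldif exists, slapd listens on ldapi:///,
# and ldap-utils is installed on this host.
set -eu

BASE="dc=my,dc=domain,dc=tld"
ADMIN="cn=admin,${BASE}"
TEST_DN="uid=acltest,ou=people,${BASE}"   # throwaway account for the check

# Hardened rule set. "replace:" rewrites the whole ordered olcAccess list,
# which is safer than deleting a single {n} value and re-adding it.
#  {0} passwords: owner may change them, anonymous may only authenticate
#      against them ("by anonymous auth" is what makes simple binds work for
#      ordinary users), nobody else gets to see them
#  {1} the root DSE stays readable so clients can discover the server
#  {2} everything else: admin writes, authenticated users read, anonymous nothing
acl_ldif() {
    cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="${ADMIN}" write by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="${ADMIN}" write by users read by * none
EOF
}

# Minimal inetOrgPerson for the check; $1 is a password hash from slappasswd.
test_user_ldif() {
    cat <<EOF
dn: ${TEST_DN}
objectClass: inetOrgPerson
cn: ACL Test
sn: Test
uid: acltest
userPassword: $1
EOF
}

apply_acl() {
    acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# The admin DN is the olcRootDN and bypasses the ACLs, so it can create the
# account whatever the rules say. -W prompts for the admin password.
# slappasswd -s puts the password on the command line (visible in ps), which
# is acceptable only because this is a throwaway account.
create_test_user() {
    test_user_ldif "$(slappasswd -s "$1")" | ldapadd -x -D "${ADMIN}" -W
}

# Expected outcome: the anonymous search fails (slapd answers noSuchObject or
# insufficientAccess instead of listing the tree), while the bind as the test
# user succeeds and returns its own entry. 1.1 asks for no attributes.
verify() {
    if ldapsearch -x -LLL -b "${BASE}" -s base 1.1 >/dev/null 2>&1; then
        echo "FAIL: anonymous clients can still read ${BASE}" >&2
        return 1
    fi
    echo "OK: anonymous read denied"
    ldapsearch -x -LLL -D "${TEST_DN}" -w "$1" -b "${TEST_DN}" -s base 1.1
}

case "${1:-}" in
    apply)
        pw="${2:?usage: $0 apply <test-account-password>}"
        apply_acl
        create_test_user "$pw"
        verify "$pw"
        ;;
    *)
        echo "# dry run - LDIF that 'apply' would load:"
        acl_ldif
        ;;
esac
```

Without arguments the script only prints the LDIF it would load; `sh acl.sh apply <password>` loads it, creates the account and runs the two checks. The client-side commands use the URI from /etc/ldap/ldap.conf, so once the "Enabling TLS" section is applied they must reach the server over ldaps:// or StartTLS.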
Enabling TLS
- Make sure you have the following files:
  - cert.crt: your certificate (without any other intermediate certs)
  - cert.key: your private key
  - chain.pem: the intermediate certs
- I assume the files are located at /opt/ssl
- Add the openldap user (the account slapd runs as on Debian) to the ssl-cert group:
$> usermod -aG ssl-cert openldap
- chown your files (in /opt/ssl) and set permissions so that root and the ssl-cert group can read them and nobody else can:
$> chown root:ssl-cert cert.crt cert.key chain.pem
$> chmod 640 cert.crt cert.key chain.pem
- The new group membership only applies to a freshly started process, so restart slapd before loading the TLS configuration below, otherwise it cannot open the key file:
$> service slapd restart
- Create the tls.ldif file:

  dn: cn=config
  changetype: modify
  add: olcTLSCipherSuite
  olcTLSCipherSuite: NORMAL
  -
  add: olcTLSCRLCheck
  olcTLSCRLCheck: none
  -
  add: olcTLSVerifyClient
  olcTLSVerifyClient: never
  -
  add: olcTLSCACertificateFile
  olcTLSCACertificateFile: /opt/ssl/chain.pem
  -
  add: olcTLSCertificateFile
  olcTLSCertificateFile: /opt/ssl/cert.crt
  -
  add: olcTLSCertificateKeyFile
  olcTLSCertificateKeyFile: /opt/ssl/cert.key
  -
  add: olcTLSProtocolMin
  olcTLSProtocolMin: 3.3

- A few remarks on these values: olcTLSCipherSuite takes a GnuTLS priority string (Debian's slapd is built against GnuTLS), not an OpenSSL cipher list; olcTLSProtocolMin: 3.3 is the wire version number of TLS 1.2 (3.1 is TLS 1.0, 3.2 is TLS 1.1), so SSL 3.0 and TLS 1.0/1.1 are rejected; olcTLSVerifyClient: never means the server does not ask clients for certificates; olcTLSCRLCheck: none disables revocation checking. If you re-run this after an earlier attempt, use replace: instead of add: for attributes that already exist.
- And apply it
$> ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
- To enforce TLS create the following ldif file and apply it the same way (ldapmodify -Y EXTERNAL -H ldapi:///):

  dn: olcDatabase={1}mdb,cn=config
  changetype: modify
  add: olcSecurity
  olcSecurity: tls=1

- olcSecurity is set on the {1}mdb database only, so cn=config stays reachable over ldapi:/// with SASL EXTERNAL, while every operation against the data, simple binds included, is answered with "confidentiality required" unless the connection is protected by ldaps:// or StartTLS (ldapsearch -ZZ); an ldapi:/// socket has no TLS and is refused as well. For the ldaps:// URI from ldap.conf to work, slapd also has to listen on it: on Debian that is SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///" in /etc/default/slapd, followed by a restart.
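Once the change is in, check from a client that it actually bites. The script below is an added example, not part of the original page, and assumes the hostname from the ldap.conf above, slapd listening on the default ports 389 and 636 (adapt if you kept the non-standard ldap:// port from ldap.conf), and ldap-utils plus openssl on the client. It exercises three things: a cleartext simple bind must be refused with result code 13 (the ldap-utils exit with the LDAP result code), StartTLS must still work with certificate verification forced on via the LDAPTLS_REQCERT environment variable (so the permissive TLS_REQCERT allow from ldap.conf does not hide a bad certificate), and the ldaps:// chain must validate with a protocol that satisfies olcTLSProtocolMin: 3.3.

```shell
#!/bin/sh
# Added example, not part of the original page: verify that slapd refuses
# cleartext after olcSecurity: tls=1, that StartTLS works with a verified
# certificate, and that ldaps:// presents a valid chain with TLS 1.2 or newer.
# Assumes the hostname below and ldap-utils plus openssl on the client.
set -u

HOST="ldap.my.domain.tld"   # assumption: the server from ldap.conf

# ldap-utils exit with the LDAP result code. 13 (confidentialityRequired) is
# what olcSecurity: tls=1 produces for a cleartext simple bind; 0 means the
# server still accepts cleartext; anything else needs a look.
classify_cleartext_result() {
    case "$1" in
        0)  echo "INSECURE: cleartext bind accepted"; return 1 ;;
        13) echo "OK: server demanded TLS (confidentialityRequired)"; return 0 ;;
        *)  echo "UNKNOWN: ldapwhoami exit status $1"; return 2 ;;
    esac
}

# olcTLSProtocolMin: 3.3 is TLS 1.2, so the protocol openssl reports as
# negotiated must be TLSv1.2 or newer.
protocol_meets_min() {
    case "$1" in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

check_cleartext_refused() {
    ldapwhoami -x -H "ldap://${HOST}" >/dev/null 2>&1
    classify_cleartext_result $?
}

check_starttls() {
    # -ZZ: issue StartTLS and abort if it fails. LDAPTLS_REQCERT=demand
    # overrides TLS_REQCERT allow from ldap.conf so a bad certificate fails
    # here instead of being silently accepted.
    LDAPTLS_REQCERT=demand ldapwhoami -x -ZZ -H "ldap://${HOST}" \
        && echo "OK: StartTLS with verified certificate"
}

check_ldaps() {
    # Needs slapd to listen on ldaps:/// (SLAPD_SERVICES in /etc/default/slapd).
    # "Verify return code: 0 (ok)" means the chain from chain.pem validates.
    out=$(openssl s_client -connect "${HOST}:636" -servername "${HOST}" </dev/null 2>/dev/null)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    printf '%s\n' "$out" | grep 'Verify return code'
    if protocol_meets_min "$proto"; then
        echo "OK: negotiated $proto"
    else
        echo "FAIL: negotiated '${proto:-nothing}', expected TLS 1.2 or newer"
        return 1
    fi
}

if command -v ldapwhoami >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    check_cleartext_refused
    check_starttls
    check_ldaps
else
    echo "ldap-utils and openssl are required for the live checks" >&2
fi
```

Run it from a client after the olcSecurity change; all three checks should print OK. An "INSECURE" from the first check means the olcSecurity attribute did not land on the right database, and a non-zero "Verify return code" from the last one means the chain slapd sends (built from olcTLSCACertificateFile) does not lead to a CA the client trusts.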