tutorial:ldap:installopenldap

Differences

tutorial:ldap:installopenldap [2016-04-03 22:56]
weichbr
tutorial:ldap:installopenldap [2019-08-14 19:43] (current)
weichbr
Line 15: Line 15:
     * ''%%-ZZ%%'' force use of STARTTLS     * ''%%-ZZ%%'' force use of STARTTLS
     * ''%%-D%%'' bind with the given name     * ''%%-D%%'' bind with the given name
-    * ''%%-%%'' +    * ''%%-b%%'' search base 
 +  * ''%%ldaps://%%'' on port 636 is deprecated with LDAPv3. Use ''%%ldap://%%'' on port 389 with STARTTLS instead.
  
 ---- ----
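Review bot: The new bullet's statement that ldaps:// on port 636 is deprecated overstates it: ldaps was never part of the LDAPv3 RFCs, but OpenLDAP and common clients still support it, so the accurate wording is that STARTTLS on port 389 is the standardized mechanism. Since the list now documents both -ZZ and STARTTLS, it should also say that a lone -Z falls back to a cleartext session if the STARTTLS negotiation fails, whereas -ZZ aborts the connection, so -ZZ is the option to recommend wherever TLS is required.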
Line 65: Line 65:
   * Create ''%%base.ldif%%'' with the following content:   * Create ''%%base.ldif%%'' with the following content:
   * <code>   * <code>
-dn: ou=people,dc=internal,dc=weichbrodt,dc=me+dn: ou=people,dc=my,dc=domain,dc=tld
 objectClass: organizationalUnit objectClass: organizationalUnit
 ou: people ou: people
  
-dn: ou=groups,dc=internal,dc=weichbrodt,dc=me+dn: ou=groups,dc=my,dc=domain,dc=tld
 objectClass: organizationalUnit objectClass: organizationalUnit
 ou: groups ou: groups
Line 77: Line 77:
  
 ---- ----
 +
 ===== Enforce Authorization ===== ===== Enforce Authorization =====
   * We do not want our directory to be world readable, so we need to setup some ACLs   * We do not want our directory to be world readable, so we need to setup some ACLs
Line 137: Line 138:
   * <code>ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif</code>   * <code>ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif</code>
   * Users now need to authenticate to read the directory, like this:   * Users now need to authenticate to read the directory, like this:
-  * <code>ldapsearch -x -Z -D "cn=admin,dc=internal,dc=weichbrodt,dc=me" -W</code>+  * <code>ldapsearch -x -D "cn=admin,dc=my,dc=domain,dc=tld" -W</code>
  
 ---- ----
 +
 ===== Enabling TLS ===== ===== Enabling TLS =====
   * Make sure you have the following files:   * Make sure you have the following files:
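Review bot: Removing -Z from the ldapsearch command in the Enforce Authorization section leaves `ldapsearch -x -D "cn=admin,dc=my,dc=domain,dc=tld" -W` doing a simple bind over plain ldap:// on port 389, so the admin password crosses the wire in cleartext until the Enabling TLS section below is applied. Either keep -Z (or -ZZ) here with a pointer to the TLS section, or add a sentence saying the command should only be run on localhost or a trusted network until olcSecurity: tls=1 is in place.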
Line 187: Line 189:
 olcSecurity: tls=1 olcSecurity: tls=1
 </code> </code>
 +  * Users now need to use STARTTLS (e.g. with ''%%-Z%%'' in ''%%ldapsearch%%''):
 +  * <code>ldapsearch -x -Z -D "cn=admin,dc=my,dc=domain,dc=tld" -W</code>
 +
 +----
 +
 +===== Add an admin group ====
 +  * We do not want to give every admin the admin account credentials
 +  * We need an admin group which all admins are a member of
 +  * We can give this group manage permissions
 +  * I assume you already have created a ''%%admins%%'' posixGroup in the ''%%groups%%'' ou
 +  * Take a look at the ldif to enforce authorization and change it to this:
 +  * <code>
 +dn: olcDatabase={1}mdb,cn=config
 +changetype: modify
 +delete: olcAccess
 +olcAccess: {3}
 +-
 +add: olcAccess
 +olcAccess: {3}to *
 +  by dn="cn=admin,dc=my,dc=domain,dc=tld" manage
 +  by set="user/uid & [cn=admins,ou=groups,dc=my,dc=domain,dc=tld]/memberUid" manage
 +  by self write
 +  by anonymous auth
 +  by users read
 +-
 +</code>
 +  * Apply it like above
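Review bot: The new heading ===== Add an admin group ==== is unbalanced (five = on the left, four on the right); the other section headings in this hunk use ===== on both sides, so it should read ===== Add an admin group =====. On the ACL itself, the combination of `by set="user/uid & [cn=admins,ou=groups,dc=my,dc=domain,dc=tld]/memberUid" manage` with `by self write` on `to *` is a logic problem: the set clause keys on the uid attribute of the bound user's own entry, and `by self write` lets every user rewrite any attribute of that entry, including uid, so a user who sets their own uid to a value listed in memberUid of cn=admins would satisfy the set and gain manage rights. Put a rule ahead of this one that limits self write to the attributes users legitimately manage (userPassword, shadowLastChange and similar) and leaves uid and the other posixAccount fields read-only, and state next to the `by set=` line that write access to the cn=admins group entry is equivalent to admin access, so only cn=admin and existing admins may change it (which the ACL as written does enforce).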
  • tutorial/ldap/installopenldap.1459716985.txt.gz
  • Last modified: 2018-06-03 14:10
  • (external edit)