tutorial:ldap:installopenldap

This is an old revision of the document!

,

Install and configure OpenLDAP on Debian 8 (Jessie)

Requirements

  • Debian 8 installation

Notes

  • ldapsearch parameters:
    • -W prompt for password
    • -x use simple auth
    • -Z try to use STARTTLS
    • -ZZ force use of STARTTLS
    • -D bind with the given name
    • -b search base

Installation

  • apt-get install slapd ldap-utils
  • During installation, set an admin password
  • Open /etc/ldap/ldap.conf and set the BASE and URI parameters:
  • #
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=my,dc=domain,dc=tld
URI     ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

TLS_REQCERT ALLOW
  • Run dkpg-reconfigure slapd
    • Answer the following prompts this way:
Omit OpenLDAP server configuration? No
Organization name: <pick something>
Administrator password: <same password as before>
Confirm password: <same password as before>
Database backend to use: MDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No
  • Test connection:
  • $> ldapsearch -x

Add Some Data

  • We want to create some basic organizational units (OUs), e.g. for people and groups
  • Create base.ldif with the following content:
  • dn: ou=people,dc=internal,dc=weichbrodt,dc=me
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=internal,dc=weichbrodt,dc=me
objectClass: organizationalUnit
ou: groups
  • Add it with ldapadd:
  • $> ldapadd -x -D cn=admin,dc=my,dc=domain,dc=tld -W -f base.ldif

Enforce Authorization

  • We do not want our directory to be world readable, so we need to setup some ACLs
  • First, get your current ACLs:
  • $> ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
  • This results in a long list, we are interested in the output under the # {1}mdb, config heading (example output):
  • # {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my,dc=domain,dc=tld
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=my,dc=
 domain,dc=tld" write by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=my,dc=domain,dc=tld" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=my,dc=domain,dc=tld
olcRootPW: {SSHA}abcdefghijklmnopqrstuvwxyz123456
olcSecurity: tls=1
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
  • Take a look at the lines starting with olcAccess
  • We want users to be able to change their own password as well as authenticate. Noone else should be able to read the password hash. The admin accounts can modify everyones passwords and can read all hashes.
  • Also we want users to authenticate before reading the directory. Anonymous access should be disallowed.
  • We need to modify olcAccess: {0} for the passwords and olcAccess: {2} for general access.
  • Create the access.ldif file:
  • dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=my,dc=domain,dc=tld" write
  by self write
  by anonymous auth
  by * none
-
delete: olcAccess
olcAccess: {2}
-
add: olcAccess
olcAccess: {2}to *
  by dn="cn=admin,dc=my,dc=domain,dc=tld" manage
  by self write
  by anonymous auth
  by users read
  • Apply it:
  • ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif
  • Users now need to authenticate to read the directory, like this:
  • ldapsearch -x -D "cn=admin,dc=internal,dc=weichbrodt,dc=me" -W

Enabling TLS

  • Make sure you have the following files:
    • cert.crt - Your certificate (without any other intermediate certs)
    • cert.key - Your private key
    • chain.pem - The intermediate certs
  • I assume the files are located at /opt/ssl
  • Add the openldap user to the ssl-cert group:
  • $> usermod -aG ssl-cert openldap
  • chown your files and set permissions:
  • $> chown root:ssl-cert cert.crt cert.key chain.pem
$> chmod 640 cert.crt cert.key chain.pem
  • Create the tls.ldif file:
  • dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /opt/ssl/chain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /opt/ssl/cert.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /opt/ssl/cert.key
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
  • And apply it
  • $> ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif
  • To enforce TLS create the following ldif file and apply it:
  • dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
  • tutorial/ldap/installopenldap.1459717036.txt.gz
  • Last modified: 2018-06-03 14:10
  • (external edit)