tutorial:ldap:installopenldap

Differences

This shows you the differences between two versions of the page.

tutorial:ldap:installopenldap [2016-04-03 22:58]
weichbr [Enforce Authorization]
tutorial:ldap:installopenldap [2019-08-14 19:43] (current)
weichbr
Line 16: Line 16:
     * ''%%-D%%'' bind with the given name     * ''%%-D%%'' bind with the given name
     * ''%%-b%%'' search base     * ''%%-b%%'' search base
 +  * ''%%ldaps://%%'' on port 636 is deprecated with LDAPv3. Use ''%%ldap://%%'' on port 389 with STARTTLS instead.
  
 ---- ----
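Review bot: the added bullet asserts that ldaps:// on 636 "is deprecated with LDAPv3" without giving a reference; suggest linking the source for that statement or rewording it as the tutorial's recommendation, since it is the only normative claim in a list that otherwise just documents ldapsearch flags. The advice itself (ldap:// on 389 with STARTTLS) is consistent with the -Z ldapsearch example later on the page, so nothing else needs to change.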
Line 65: Line 65:
   * Create ''%%base.ldif%%'' with the following content:   * Create ''%%base.ldif%%'' with the following content:
   * <code>   * <code>
-dn: ou=people,dc=internal,dc=weichbrodt,dc=me+dn: ou=people,dc=my,dc=domain,dc=tld
 objectClass: organizationalUnit objectClass: organizationalUnit
 ou: people ou: people
  
-dn: ou=groups,dc=internal,dc=weichbrodt,dc=me+dn: ou=groups,dc=my,dc=domain,dc=tld
 objectClass: organizationalUnit objectClass: organizationalUnit
 ou: groups ou: groups
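Review bot: switching the base.ldif suffix from dc=internal,dc=weichbrodt,dc=me to the placeholder dc=my,dc=domain,dc=tld is the right move for a public tutorial, but it is only shown here for the two OU entries; check that every other occurrence of the old suffix on the page was replaced in the same revision, otherwise readers who copy earlier steps literally will end up with entries under one suffix and bind/ACL examples (such as the later "cn=admin,dc=my,dc=domain,dc=tld") under another.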
Line 77: Line 77:
  
 ---- ----
 +
 ===== Enforce Authorization ===== ===== Enforce Authorization =====
   * We do not want our directory to be world readable, so we need to setup some ACLs   * We do not want our directory to be world readable, so we need to setup some ACLs
Line 140: Line 141:
  
 ---- ----
 +
 ===== Enabling TLS ===== ===== Enabling TLS =====
   * Make sure you have the following files:   * Make sure you have the following files:
Line 189: Line 191:
   * Users now need to use STARTTLS (e.g. with ''%%-Z%%'' in ''%%ldapsearch%%''):   * Users now need to use STARTTLS (e.g. with ''%%-Z%%'' in ''%%ldapsearch%%''):
   * <code>ldapsearch -x -Z -D "cn=admin,dc=my,dc=domain,dc=tld" -W</code>   * <code>ldapsearch -x -Z -D "cn=admin,dc=my,dc=domain,dc=tld" -W</code>
 +
 +----
 +
 +===== Add an admin group ====
 +  * We do not want to give every admin the admin account credentials
 +  * We need an admin group which all admins are a member of
 +  * We can give this group manage permissions
 +  * I assume you already have created a ''%%admins%%'' posixGroup in the ''%%groups%%'' ou
 +  * Take a look at the ldif to enforce authorization and change it to this:
 +  * <code>
 +dn: olcDatabase={1}mdb,cn=config
 +changetype: modify
 +delete: olcAccess
 +olcAccess: {3}
 +-
 +add: olcAccess
 +olcAccess: {3}to *
 +  by dn="cn=admin,dc=my,dc=domain,dc=tld" manage
 +  by set="user/uid & [cn=admins,ou=groups,dc=my,dc=domain,dc=tld]/memberUid" manage
 +  by self write
 +  by anonymous auth
 +  by users read
 +-
 +</code>
 +  * Apply it like above
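Review bot: the new heading `===== Add an admin group ====` has five equals signs on the left and four on the right; DokuWiki derives the level from the matching count, so this will not render at the same level as "Enforce Authorization" and "Enabling TLS". On the LDIF, `delete: olcAccess` / `olcAccess: {3}` removes whatever rule currently sits at index 3, so the text should tell the reader to verify (by reading olcDatabase={1}mdb,cn=config back with ldapsearch) that index 3 really is the `to *` rule from the Enforce Authorization section before applying, and the set clause `by set="user/uid & [cn=admins,...]/memberUid" manage` only matches when the bound entry itself carries a uid attribute (a posixAccount), which is worth stating next to the assumption about the admins posixGroup. Minor: "a ''%%admins%%'' posixGroup" should read "an ''%%admins%%'' posixGroup".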
  • tutorial/ldap/installopenldap.1459717124.txt.gz
  • Last modified: 2018-06-03 14:10
  • (external edit)