Difference between revisions of "LDAP server"

(Created page with "LDAP server =Installation= ==Packages== <syntaxhighlight lang="bash"> apt-get install slapd ldap-utils </syntaxhighlight> You'll have to choose a LDAP admin password. C...")
 
Line 39: Line 39:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
* Select NO to the first question = it will create a new database
+
* Select NO to the first question = it will '''create a new database'''
* Put the same domain as before: "'''dev.daxiongmao.eu'''". This must match your (DC=...,DC=....,DC=....)
+
* Current LDAP server: "'''dev.daxiongmao.eu'''". This must match your (DC=...,DC=....,DC=....)
* Put your administrator password - the same as earlier
+
* Root LDAP server: put your root or the same value as before.
* Select HDB (Berkley database)
+
* Put your '''administrator password - the same as earlier'''
* Do NOT remove database on package removal
+
* Select '''HDB''' (Berkley database)
* Move old database
+
* '''Do NOT remove database''' on package removal
* Do NOT allow LDAP v2
+
* '''Move''' old database
 +
* '''Do NOT allow''' LDAP v2
  
  
Line 93: Line 94:
 
==Generate server certificates==
 
==Generate server certificates==
  
See SSL documentation to generate a certificate for the current server.
+
See [[SSL server]] documentation to generate a certificate for the current server.
Hints
+
 
Do not encrypt your private key
+
 
You cannot generate 2 certificates with the same server name.
+
-- Hints --
 +
 
 +
* Do not encrypt your private key
 +
* You cannot generate 2 certificates with the same server name.
 +
 
 
If you already have a server certificate for the current FQDN, please use it!
 
If you already have a server certificate for the current FQDN, please use it!
 +
 +
 
Make files accessible for OpenLDAP
 
Make files accessible for OpenLDAP
 
You have to copy / symlink your server private key + server certificate and CA certificate.
 
You have to copy / symlink your server private key + server certificate and CA certificate.

Revision as of 13:43, 25 May 2014

LDAP server


Installation

Packages

apt-get install slapd ldap-utils

You'll have to choose a LDAP admin password. Choose a strong password!!


Set domain

Edit configuration file:

vim /etc/ldap/ldap.conf


Uncomment and adjust:

BASE dc=dev,dc=daxiongmao,dc=eu
URI ldap://dev.daxiongmao.eu


Launch LDAP configuration

Launch configuration:

dpkg-reconfigure slapd
  • Select NO to the first question = it will create a new database
  • Current LDAP server: "dev.daxiongmao.eu". This must match your (DC=...,DC=....,DC=....)
  • Root LDAP server: put your root or the same value as before.
  • Put your administrator password - the same as earlier
  • Select HDB (Berkley database)
  • Do NOT remove database on package removal
  • Move old database
  • Do NOT allow LDAP v2


Open firewall

Add the following rules to your firewall

# LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 389 -j ACCEPT # LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 636 -j ACCEPT # LDAP over SSL


Maintenance operations

Export database

The whole database may be exported as ldif file using this command:

slapcat


Get current configuration:

slapcat –b cn=config


Test

Install a LDAP client and test to access the server. It should be OK 


Installation # Encryption – SSL

By default OpenLDAP communication is not encrypted. Therefore, if some user have clear password anyone can used them.


Generate server certificates

See SSL server documentation to generate a certificate for the current server.


-- Hints --

  • Do not encrypt your private key
  • You cannot generate 2 certificates with the same server name.

If you already have a server certificate for the current FQDN, please use it!


Make files accessible for OpenLDAP You have to copy / symlink your server private key + server certificate and CA certificate.

  1. mkdir /etc/ldap/ssl
  2. cd /etc/ldap/ssl
  3. ln -s /srv/ssl/private/ldapServer.nopass.key /etc/ldap/ssl/
  4. ln -s /srv/ssl/certs/ldapServer.cert.pem /etc/ldap/ssl/
  5. ln -s /srv/ssl/cacerts.pem /etc/ldap/ssl/
  6. chown -R root:openldap /etc/ldap/ssl

Update SLAPD configuration TO BE FINISHED Edit slapd.conf >> Where is it ?!? Add / update following values: TLSCACertificateFile /etc/ldap/ssl/cacerts.pem TLSCertificateFile /etc/ldap/ssl/ldapServer.cert.pem TLSCertificateKeyFile /etc/ldap/ssl/ldapServer.nopass.key TLSCipherSuite HIGH:MEDIUM:+SSLv2 Enable SSL Edit SLAP service to start in SSL mode

  1. vim /etc/default/slapd

Adjust

  1. SLAPD_SERVICES="ldap:/// ldapi:///"

SLAPD_SERVICES="ldaps:///" Restart service

  1. service slapd restart

Connect to the server on port 686Apache 2 Modules You have to enable to the following modules:

  1. a2enmod authnz_ldap

Virtual host / service configuration List of apache 2.2.x modules with roles and recommended values:  AuthType Role Value Mandatory  AuthName Role Value Mandatory  Value Mandatory Value Mandatory The distinguished name (DN) of service account. This user will be used to scan the LDAP and perform real user authentication UID=myUser,OU=myGroup,DC=myServer uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu No AuthLDAPBindPassword Role Value Mandatory  Tells Apache whether or not a failed authentication request can be passed to other Apache modules off Yes AuthLDAPBindDN Role  This tells Apache which authentication module you want to use for ldap Yes AuthzLDAPAuthoritative Role  Authentication window name “Authentication to my service” Yes AuthBasicProvider Role Value Mandatory  This tells Apache which authentication module you want to use basic Yes The password for the user account configured via the AuthLDAPBindDN directive No AuthLDAPURL Role Value Mandatory URL that tells: - Where the directory server is, - Where to look for users at, - What user attribute is used to identify a user ldap://myServer:389/OU=group&,OU=group2,DC=myServer?attribute ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com ldap://localhost:389/ou=people,dc=vehco,dc=com?uid Yes See Apache 2 documentation to get more infoInstallation # Graphical interface [server side] Packages

  1. apt-get install phpldapadmin
  2. apt-get install php-fpdf

Source: http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page Edit configuration

  1. vim /etc/phpldapadmin/config.php

Edit / adjust following lines: 278 282 286 293 296 300 318 326 $servers = new Datastore(); $servers->newServer('ldap_pla'); $servers->setValue('server','name','DEV daxiongmao.eu LDAP'); $servers->setValue('server','host','dev.daxiongmao.eu'); // $servers->setValue('server','port',389); $servers->setValue('server','base',array('dc=dev,dc=daxiongmao,dc=eu')); $servers->setValue('login','auth_type','session'); $servers->setValue('login','bind_id','cn=admin,dc=dev,dc=daxiongmao,dc=eu'); Reload apache2 configuration

  1. service apache2 reload

Access service Then you can access Ldap Account Manager on: http://myServer/phpldapadmin Improve security For better security you should not use /phpldapadmin but something else. Edit configuration file:

  1. vim /etc/phpldapadmin/apache.conf

Adjust

  1. Define /phpldapadmin alias, this is the default

<IfModule mod_alias.c> Alias /phpldapadmin /usr/share/phpldapadmin/htdocs </IfModule> Replace phpldapadmin by your own value. For instance: ldapmanager Login using Admin password Login: Login user: cn=admin,{ldap DN}Basic configuration Create Organizational Units Create a child entry Generic organizational unit [ou=] Create:  people  groups Create Groups Then, create 2 groups called “administrators” & “users” Click on ou=groups Create a child entry Create a generic posix group [cn=] Create:  administrators  users Create Users Create some users Click on ou=people Create a child entry Create a generic User Account [ua=]Installation # Graphical interface [client side] On the local machine you can download a LDAP browser to manage it remotely. I’ll use “LDAP Admin” http://www.ldapadmin.org/ Installation  Download the latest version o Choose the EXE version  Unzip it to the target directory Create new connection  Just run “LdapAdmin.exe”  Start  Connect  Create a new connection o Double click on “new connection” Fill up the form like this: LDAP Dn Then you can connect to the remote server Admin accountConfiguration Create new Organizational Units Right click to the root  New  Organizational Unit... Create:     people groups locations applications for users for users groups specific area Create new groups  Right click on “ou=groups”  New  Group... Create:  administrators  users  services Domain administrators Domain users System and services accounts Create locations structure  Right click on “ou=locations”  New  Location... You can create a location tree to sort your users. Example: Create users  Right click on “ou=users”  New  User...  You can organized your users by sub organizational units as wellFill up the form Mandatory Home directory must match username Depending on your local policy, the username might be:  FirstName.LastName  [1 st letter first name][last name]  It doesn’t matter as long as this is the same pattern for all users! Register the user to some group Don’t forget to set the primary group!Edit user To update the user using the same wizard:  Right click on user  Properties The Edit Entry... is a technical link. You can add email + address data.