LDAP server
LDAP server
Contents
Installation
Packages
apt-get install slapd ldap-utilsYou'll have to choose a LDAP admin password. Choose a strong password!!
Set domain
Edit configuration file:
vim /etc/ldap/ldap.conf
Uncomment and adjust:
BASE dc=dev,dc=daxiongmao,dc=eu
URI ldap://dev.daxiongmao.eu
Launch LDAP configuration
Launch configuration:
dpkg-reconfigure slapd- Select NO to the first question = it will create a new database
- Current LDAP server: "dev.daxiongmao.eu". This must match your (DC=...,DC=....,DC=....)
- Root LDAP server: put your root or the same value as before.
- Put your administrator password - the same as earlier
- Select HDB (Berkley database)
- Do NOT remove database on package removal
- Move old database
- Do NOT allow LDAP v2
Open firewall
Add the following rules to your firewall
# LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 389 -j ACCEPT # LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 636 -j ACCEPT # LDAP over SSL
Maintenance operations
Export database
The whole database may be exported as ldif file using this command:
slapcat
Get current configuration:
slapcat –b cn=config
Test
Install a LDAP client and test to access the server. It should be OK ! ^-^
See the following page to get more information: LDAP client
Installation # Encryption – SSL
By default OpenLDAP communication is not encrypted. Therefore, if some user have clear password anyone can used them.
Generate server certificates
See SSL server documentation to generate a certificate for the current server.
-- Hints --
- Do not encrypt your private key
- You cannot generate 2 certificates with the same server name.
If you already have a server certificate for the current FQDN, please use it!
Make files accessible for OpenLDAP
You have to copy / symlink your server private key + server certificate and CA certificate.
mkdir /etc/ldap/ssl
cd /etc/ldap/ssl
ln -s /srv/ssl/private/ldapServer.nopass.key /etc/ldap/ssl/ldapServer.key
ln -s /srv/ssl/certs/ldapServer.cert.pem /etc/ldap/ssl/ldapServer.pem
ln -s /srv/ssl/cacerts.pem /etc/ldap/ssl/
chown -R root:openldap /etc/ldap/ssl
Register certificates
SLAPD service
Since OpenLDAP 2.4 there is no more "slapd.conf" file.
All the configuration is now dynamic and set in database.
Create the .ldif file
vim /etc/ldap/slapd.d/tls.ldifAdd the following params:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/cacerts.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldapServer.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldapServer.key
Apply the configuration
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/tls.ldif
Allow TLS protocol
vim /etc/default/slapdAdd the "ldaps" protocol (line 24):
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Restart the service
/etc/init.d/slapd restart
OpenLDAP configuration
Edit the LDAP configuration
vim /etc/ldap/ldap.conf
Adjust the TLS certificate
TLS_CACERT /etc/ldap/ssl/cacerts.pemYou have to use the same as before in the "slapd" configuration.
Restart service
service slapd restart
Now you can connect to the server on port 686 and test your LDAP server over TLS!
Apache 2
Modules
You have to enable to the following modules:
a2enmod authnz_ldap
Virtual host / service configuration
List of apache 2.2.x modules with roles and recommended values:
- AuthType
| Role | This tells Apache which authentication module you want to use |
| Value | basic |
| Mandatory | Yes |
- AuthName
| Role | Authentication window name |
| Value | “Authentication to my service” |
| Mandatory | Yes |
- AuthBasicProvider
| Role | This tells Apache which authentication module you want to use |
| Value | ldaps |
| Mandatory | Yes |
- AuthzLDAPAuthoritative
| Role | Tells Apache whether or not a failed authentication request can be passed to other Apache modules |
| Value | off |
| Mandatory | Yes |
- AuthLDAPBindDN
| Role | The distinguished name (DN) of service account.
This user will be used to scan the LDAP and perform real user authentication |
| Value | UID=myUser,OU=myGroup,DC=myServer
uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu |
| Mandatory | No |
- AuthLDAPBindPassword
| Role | The password for the user account configured via the AuthLDAPBindDN directive |
| Value | |
| Mandatory | No |
- AuthLDAPURL
| Role | URL that tells:
|
| Value | ldaps://myServer:636/OU=group&,OU=group2,DC=myServer?attribute
ldap://myServer:389/OU=group&,OU=group2,DC=myServer?attribute ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com ldap://localhost:389/ou=people,dc=vehco,dc=com?uid |
| Mandatory | Yes |
See Apache 2 documentation to get more info
Graphical interface - PhpLdapAdmin
Requirements:
- Apache 2 server
- PHP 5 or +
- MySQL database
Packages
apt-get install phpldapadmin
apt-get install php-fpdfSource: http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
Edit configuration
vim /etc/phpldapadmin/config.phpEdit / adjust following lines: 278 282 286 293 296 300 318 326 $servers = new Datastore(); $servers->newServer('ldap_pla'); $servers->setValue('server','name','DEV daxiongmao.eu LDAP'); $servers->setValue('server','host','dev.daxiongmao.eu'); // $servers->setValue('server','port',389); $servers->setValue('server','base',array('dc=dev,dc=daxiongmao,dc=eu')); $servers->setValue('login','auth_type','session'); $servers->setValue('login','bind_id','cn=admin,dc=dev,dc=daxiongmao,dc=eu'); Reload apache2 configuration
- service apache2 reload
Access service Then you can access Ldap Account Manager on: http://myServer/phpldapadmin Improve security For better security you should not use /phpldapadmin but something else. Edit configuration file:
- vim /etc/phpldapadmin/apache.conf
Adjust
- Define /phpldapadmin alias, this is the default
<IfModule mod_alias.c> Alias /phpldapadmin /usr/share/phpldapadmin/htdocs </IfModule> Replace phpldapadmin by your own value. For instance: ldapmanager Login using Admin password Login: Login user: cn=admin,{ldap DN}Basic configuration Create Organizational Units Create a child entry Generic organizational unit [ou=] Create: people groups Create Groups Then, create 2 groups called “administrators” & “users” Click on ou=groups Create a child entry Create a generic posix group [cn=] Create: administrators users Create Users Create some users Click on ou=people Create a child entry Create a generic User Account [ua=]Installation # Graphical interface [client side] On the local machine you can download a LDAP browser to manage it remotely. I’ll use “LDAP Admin” http://www.ldapadmin.org/ Installation Download the latest version o Choose the EXE version Unzip it to the target directory Create new connection Just run “LdapAdmin.exe” Start Connect Create a new connection o Double click on “new connection” Fill up the form like this: LDAP Dn Then you can connect to the remote server Admin accountConfiguration Create new Organizational Units Right click to the root New Organizational Unit... Create: people groups locations applications for users for users groups specific area Create new groups Right click on “ou=groups” New Group... Create: administrators users services Domain administrators Domain users System and services accounts Create locations structure Right click on “ou=locations” New Location... You can create a location tree to sort your users. Example: Create users Right click on “ou=users” New User... You can organized your users by sub organizational units as wellFill up the form Mandatory Home directory must match username Depending on your local policy, the username might be: FirstName.LastName [1 st letter first name][last name] It doesn’t matter as long as this is the same pattern for all users! Register the user to some group Don’t forget to set the primary group!Edit user To update the user using the same wizard: Right click on user Properties The Edit Entry... is a technical link. You can add email + address data.
