Difference between revisions of "LDAP server"

Line 251: Line 251:
 
==Virtual host / service configuration==
 
==Virtual host / service configuration==
  
See Apache 2 documentation to get more info: [[Apache 2]]
+
See Apache 2 documentation to get more info: [[Apache 2 - LDAP access]]
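Review bot: the new link target [[Apache 2 - LDAP access]] differs from the reference used in the "Apache 2" section of the same page, which still points at Apache_2#Apache_2_configuration_.23_LDAP_authentication; if the LDAP-access material moved to its own page, update that reference as well so both links lead to the same place.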
 
 
=Graphical interface - PhpLdapAdmin=

Requirements:
* Apache 2 server
* PHP 5 or +
* MySQL database

==Packages==
<syntaxhighlight lang="bash">
apt-get install phpldapadmin
apt-get install php-fpdf
</syntaxhighlight>

Source: http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page

==Edit configuration==
<syntaxhighlight lang="bash">
vim /etc/phpldapadmin/config.php
</syntaxhighlight>

Edit / adjust the following lines (278, 282, 286, 293, 296, 300, 318, 326):
<syntaxhighlight lang="php">
$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','DEV daxiongmao.eu LDAP');
$servers->setValue('server','host','dev.daxiongmao.eu');
// $servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=dev,dc=daxiongmao,dc=eu'));
$servers->setValue('login','auth_type','session');
$servers->setValue('login','bind_id','cn=admin,dc=dev,dc=daxiongmao,dc=eu');
</syntaxhighlight>

==Reload apache2 configuration==
<syntaxhighlight lang="bash">
service apache2 reload
</syntaxhighlight>

==Access service==
Then you can access phpLdapAdmin at: http://myServer/phpldapadmin
 
==Improve security==
For better security you should not use /phpldapadmin but something else.

Edit the configuration file:
<syntaxhighlight lang="bash">
vim /etc/phpldapadmin/apache.conf
</syntaxhighlight>

Adjust:
<syntaxhighlight lang="apache">
# Define /phpldapadmin alias, this is the default
<IfModule mod_alias.c>
    Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
</IfModule>
</syntaxhighlight>
 
Replace phpldapadmin by your own value. For instance: ldapmanager
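An added example, not code from this page or from phpLdapAdmin: renaming the alias only hides the default path, so a practitioner will also want to know whether the admin UI is reachable from anywhere at all. The script below audits /etc/phpldapadmin/apache.conf for both points. The function names, the constructed sample configuration and the 192.0.2.0/24 range (a documentation prefix used as a placeholder) are assumptions of this example; the file paths are the page's.

```bash
#!/usr/bin/env bash
# Added example, not code from the wiki page or from phpLdapAdmin: audit the
# apache.conf edit above. Renaming the alias hides the default path; this script also
# reports whether the htdocs directory carries an access rule at all. Function names,
# the constructed sample config and the 192.0.2.0/24 range (a documentation prefix used
# as a placeholder) are assumptions; the file paths are the page's.
set -u

# Print the URL path currently aliased to the phpldapadmin htdocs (empty if none).
pla_alias() {
  awk '$1 == "Alias" && $3 == "/usr/share/phpldapadmin/htdocs" { print $2; exit }' "$1"
}

# 0 when a Require (2.4) or Allow (2.2) directive sits inside the htdocs <Directory> block.
pla_has_access_rule() {
  awk '
    $1 == "<Directory" && index($2, "/usr/share/phpldapadmin/htdocs") == 1 { in_dir = 1 }
    in_dir && ($1 == "Require" || $1 == "Allow") { found = 1 }
    $1 == "</Directory>" { in_dir = 0 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Verdict: 0 when the default alias is gone AND an access rule exists; 1 with reasons.
pla_audit() {
  local conf="$1" path rc=0
  path=$(pla_alias "$conf")
  [ -n "$path" ] || { echo "$conf: no Alias for the phpldapadmin htdocs" >&2; return 1; }
  [ "$path" != "/phpldapadmin" ] || { echo "$conf: default /phpldapadmin alias still in use" >&2; rc=1; }
  pla_has_access_rule "$conf" || { echo "$conf: no Require/Allow inside the htdocs <Directory> block" >&2; rc=1; }
  return "$rc"
}

# Constructed sample: alias renamed as the page suggests, plus an IP restriction so the
# admin UI is only reachable from the management network (Apache 2.4 syntax).
SAMPLE_CONF=$(cat <<'EOF'
<IfModule mod_alias.c>
    Alias /ldapmanager /usr/share/phpldapadmin/htdocs
</IfModule>
<Directory /usr/share/phpldapadmin/htdocs/>
    DirectoryIndex index.php
    Require ip 192.0.2.0/24
</Directory>
EOF
)

# Stand-alone use: bash pla_audit.sh /etc/phpldapadmin/apache.conf
if [ -n "${1:-}" ]; then
  pla_audit "$1" && echo "$1: OK"
fi
```

The audit only reads the file, so it can be run from a configuration-management check or after each package upgrade, which is when Debian may ship a fresh apache.conf with the default alias back in place.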
 
==Login using the admin password==
Login user: cn=admin,{ldap DN}

==Basic configuration==

===Create Organizational Units===
# Create a child entry
# Generic organizational unit [ou=]
# Create:
#* people
#* groups

===Create Groups===
Then, create 2 groups called "administrators" & "users":
# Click on ou=groups
# Create a child entry
# Create a generic posix group [cn=]
# Create:
#* administrators
#* users

===Create Users===
Create some users:
# Click on ou=people
# Create a child entry
# Create a generic User Account [ua=]

=Installation # Graphical interface [client side]=
 
On the local machine you can download an LDAP browser to manage it remotely.

I'll use "LDAP Admin": http://www.ldapadmin.org/

==Installation==
* Download the latest version
** Choose the EXE version
* Unzip it to the target directory

==Create new connection==
* Just run "LdapAdmin.exe"
* Start → Connect
* Create a new connection
** Double click on "new connection"

Fill up the form like this (the screenshot is not reproduced here): the LDAP DN of the server and the admin account.

Then you can connect to the remote server.

==Configuration==

===Create new Organizational Units===
Right click on the root → New → Organizational Unit...

Create:
* people: for users
* groups: for users groups
* locations, applications: specific areas

===Create new groups===
Right click on "ou=groups" → New → Group...

Create:
* administrators: domain administrators
* users: domain users
* services: system and services accounts

===Create locations structure===
Right click on "ou=locations" → New → Location...

You can create a location tree to sort your users.

===Create users===
Right click on "ou=users" → New → User...

You can organize your users by sub organizational units as well.

Fill up the form. Mandatory: the home directory must match the username.

Depending on your local policy, the username might be:
* FirstName.LastName
* [1st letter of first name][last name]

It doesn't matter as long as the same pattern is used for all users!

Register the user to some group. Don't forget to set the primary group!

===Edit user===
To update the user using the same wizard: right click on the user → Properties.

The "Edit Entry..." item is a technical link.

You can add email + address data.
 

Revision as of 17:37, 8 June 2014

LDAP server


Installation

Packages

apt-get install slapd ldap-utils

# For SSL - TLS access
apt-get install gnutls-bin

You'll have to choose an LDAP admin password. Choose a strong password!!


Set domain

Edit configuration file:

vim /etc/ldap/ldap.conf


Uncomment and adjust:

BASE dc=dev,dc=daxiongmao,dc=eu
URI ldap://dev.daxiongmao.eu


Launch LDAP configuration

Launch configuration:

dpkg-reconfigure slapd
  • Select NO to the first question = it will create a new database
  • Current LDAP server: "dev.daxiongmao.eu". This must match your base DN (dc=...,dc=...,dc=...)
  • Name of your organization: daxiongmao.eu
  • Root LDAP server: put your root or the same value as before.
  • Put your administrator password - the same as earlier
  • Select HDB (Berkeley DB)
  • Do NOT remove the database on package removal
  • Move old database
  • Do NOT allow LDAP v2


Open firewall

Add the following rules to your firewall

# LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 389 -j ACCEPT # LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 636 -j ACCEPT # LDAP over SSL


Maintenance operations

Export database

The whole database may be exported as ldif file using this command:

slapcat


Get current configuration:

slapcat -b cn=config
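An added example, not the page's own commands: a small backup routine around slapcat that dumps the cn=config database (database 0, the same content as slapcat -b cn=config) and the data database (database 1) into a private, timestamped directory, and refuses to report success on an empty or malformed dump. The database numbers follow the Debian layout used on this page; BACKUP_ROOT, the SLAPCAT override and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the wiki page: dump both slapd databases with slapcat into
# a private, timestamped directory and sanity-check each dump. Assumes the Debian layout
# set up above (database 0 = cn=config, database 1 = the directory data). BACKUP_ROOT
# and the SLAPCAT override are assumptions of this example, not slapd settings.
set -u
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/ldap}"
SLAPCAT="${SLAPCAT:-slapcat}"   # overridable so the logic can be exercised without slapd

# 0 when the file is non-empty and its first non-comment, non-blank line is a "dn:" line.
ldif_looks_valid() {
  [ -s "$1" ] && [ "$(grep -v '^#' "$1" | grep -v '^$' | head -n 1 | cut -c1-4)" = "dn: " ]
}

# Dump database $1 to $2 under umask 077: the data dump carries userPassword hashes and
# the config dump may carry olcRootPW, so the files must not be group/world readable.
dump_db() {
  ( umask 077 && "$SLAPCAT" -n "$1" > "$2" ) && ldif_looks_valid "$2"
}

# Full backup (config + data); prints the backup directory on success, returns 1 otherwise.
ldap_backup() {
  local dir
  dir="$BACKUP_ROOT/$(date +%Y%m%d-%H%M%S)"
  ( umask 077 && mkdir -p "$dir" ) || return 1
  dump_db 0 "$dir/config.ldif" || { echo "cn=config dump failed" >&2; return 1; }
  dump_db 1 "$dir/data.ldif"   || { echo "data dump failed" >&2; return 1; }
  echo "$dir"
}

# Stand-alone use: bash ldap_backup.sh run   (as root, so slapcat can read the database)
if [ "${1:-}" = "run" ]; then
  ldap_backup
fi
```

The validity check matters because slapcat exits successfully but writes nothing useful when pointed at the wrong database number or run without permission to read the database files; a cron job that only checks the exit status would keep a rotation of empty dumps.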


Test

Install an LDAP client and test access to the server. It should be OK! ^-^

See the following page to get more information: LDAP client



Installation # Encryption - SSL

By default OpenLDAP communication is not encrypted. Therefore, if a user sends a clear-text password, anyone on the network can capture and reuse it.


Generate server certificates

See SSL server documentation to generate a certificate for the current server.


-- Hints --

  • Do not encrypt your private key
  • You cannot generate 2 certificates with the same server name.


If you already have a server certificate for the current FQDN, please use it!


Make files accessible for OpenLDAP

You have to copy the server private key, the server certificate and the CA certificate:

mkdir /etc/ldap/ssl
cd /etc/ldap/ssl
cp /srv/ssl/private/ldapServer.nopass.key ldapServer.key
cp /srv/ssl/certs/ldapServer.cert.pem ldapServer.pem
cp /srv/ssl/cacerts.pem .
chown -R root:openldap /etc/ldap/ssl


... Symlinks might work but you can run into permission issues. It's just simpler - in my case - to copy the data.


Register certificates

SLAPD service

Since OpenLDAP 2.4 (as packaged on Debian) there is no "slapd.conf" file any more.

All the configuration is now dynamic and stored in the cn=config database (under /etc/ldap/slapd.d), so it is changed with LDIF and ldapmodify rather than by editing a file.


Create the .ldif file

vim /etc/ldap/slapd.d/tls.ldif

Add the following params:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/cacerts.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldapServer.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldapServer.key


Adjust rights

chown openldap:openldap /etc/ldap/slapd.d/tls.ldif


Apply the configuration

ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/tls.ldif


Allow TLS protocol

vim /etc/default/slapd


Add the "ldaps" protocol (line 24):

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

# For more security you can now restrict the LDAP to localhost
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"


Restart the service

/etc/init.d/slapd restart


OpenLDAP configuration

Edit the LDAP configuration

vim /etc/ldap/ldap.conf


Adjust the TLS certificate path

TLS_CACERT      /etc/ldap/ssl/cacerts.pem

You have to use the same as before in the "slapd" configuration.


Restart service

service slapd restart


Now you can connect to the server on port 636 and test your LDAP server over TLS!


Bonus

Now you can edit your firewall and close the port 389
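An added example, not code from this page: the TLS steps above (the tls.ldif change, the two SLAPD_SERVICES variants, the ownership of /etc/ldap/ssl, and the final test over port 636) as shell functions that can be checked rather than typed one by one. The paths are the page's; the function names, the render/check/verify modes and the example host are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the wiki page: the TLS steps above as checkable shell
# functions. Paths are the page's (/etc/ldap/ssl/...); function names, the
# render/check/verify modes and the example host are assumptions of this example.
set -u

# Render the cn=config change from the page's tls.ldif (with an explicit changetype).
# Arguments: CA bundle, server certificate, server private key.
tls_ldif() {
  printf 'dn: cn=config\nchangetype: modify\n'
  printf 'add: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n-\n' "$1"
  printf 'add: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$2"
  printf 'add: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n' "$3"
}

# Check a SLAPD_SERVICES value from /etc/default/slapd. Returns 0 when ldaps:/// and
# ldapi:/// are listed and plain ldap:// is absent or bound to loopback only, which is
# the page's second variant; the first variant (ldap:/// on all interfaces) returns 1.
check_slapd_services() {
  local url ldaps=0 ldapi=0 rc=0
  for url in $1; do
    case "$url" in
      ldaps://*) ldaps=1 ;;
      ldapi://*) ldapi=1 ;;
      ldap://127.0.0.1*|ldap://localhost*) ;;   # clear-text only on loopback
      ldap://*) echo "warning: clear-text LDAP on all interfaces: $url" >&2; rc=1 ;;
      *) echo "warning: unexpected listener: $url" >&2; rc=1 ;;
    esac
  done
  [ "$ldaps" -eq 1 ] || { echo "warning: ldaps:/// not enabled" >&2; rc=1; }
  [ "$ldapi" -eq 1 ] || { echo "warning: ldapi:/// missing (needed for -Y EXTERNAL)" >&2; rc=1; }
  return "$rc"
}

# The page makes /etc/ldap/ssl root:openldap; the key must additionally not be
# world-readable. Returns 0 when "other" has no read bit (parsed from ls -l, portable).
key_is_private() {
  case "$(ls -ld "$1" | cut -c1-10)" in
    ???????r*) return 1 ;;
    *) return 0 ;;
  esac
}

# Final test from the page: an anonymous base search over ldaps:// (port 636).
# ldapsearch verifies the server certificate against TLS_CACERT from /etc/ldap/ldap.conf,
# so a wrong CA bundle or a hostname mismatch shows up here.
verify_ldaps() {
  ldapsearch -x -H "ldaps://$1/" -b '' -s base '(objectClass=*)' namingContexts
}

case "${1:-}" in
  render) tls_ldif /etc/ldap/ssl/cacerts.pem /etc/ldap/ssl/ldapServer.pem /etc/ldap/ssl/ldapServer.key ;;
  check)  services=$(sed -n 's/^SLAPD_SERVICES="\(.*\)"$/\1/p' /etc/default/slapd | tail -n 1)
          check_slapd_services "$services" && key_is_private /etc/ldap/ssl/ldapServer.key && echo "OK" ;;
  verify) verify_ldaps "${2:-dev.daxiongmao.eu}" ;;
esac
```

Usage: `bash ldap_tls.sh render | ldapmodify -Y EXTERNAL -H ldapi:///` applies the same change as the page's tls.ldif, `bash ldap_tls.sh check` reports whether clear-text LDAP is still exposed beyond loopback and whether the key is readable by everyone, and `bash ldap_tls.sh verify` performs the port 636 test after the service restart; once `check` is clean, closing port 389 on the firewall as the bonus suggests removes the last clear-text path from the network.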



Apache 2

See Apache_2#Apache_2_configuration_.23_LDAP_authentication



Virtual host / service configuration

See Apache 2 documentation to get more info: Apache 2 - LDAP access