Debian LDAP Server Setup








 

I. OpenLDAP Server Installation
  1. Install openldap server
    • aptitude install ldap-server
      • Admin Password: XXXXXXXX
      • Confirm Admin Password: XXXXXXXX
  2. Configure openldap server
    • dpkg-reconfigure slapd
      • Omit OpenLDAP server configuration? no
      • DNS domain name: example.org.au
      • Name of your orgnization: example.org.au
      • Admin Password: XXXXXXXX
      • Confirm Password: XXXXXXXX
      • Database backend to use: BDB
      • Do you want your database to be removed when slapd is purged? Yes
      • Move old database? Yes
      • Allow LDAPv2 protocol? No
  3. vim /etc/ldap/slapd.conf (optional)
    • uncomment:
      • rootdn "cn=admin,dc=example,dc=org,dc=au"
  4. Test installation
    • aptitude install ldap-utils
    • ldapsearch -H ldap://localhost -b "dc=example,dc=org,dc=au" -D "cn=admin,dc=example,dc=org,dc=au" -x -W
II. Migrate existing information(password,group) into LDAP
  1. aptitude install ldap-utils migrationtools
  2. pwconv; grpconv (optional, required if wants to enable shadow)
  3. vi /etc/migrationtools/migrate_common.ph
    • $DEFAULT_MAIL_DOMAIN = "example.org.au";
    • $DEFAULT_BASE = "dc=example,dc=org,dc=au";
    • $IGNORE_UID_BELOW = 1000; #(Uncomment to exclude Debian-managed system users)
    • $IGNORE_GID_BELOW = 100; #(Uncomment to exclude Debian-managed system groups)
  4. cd /usr/share/migrationtools/
  5. ./migrate_base.pl > /root/ldap/base.ldif
    • You will need to remove the top entries "dn: dc=org,dc=au" and "dn: dc=example,dc=org,dc=au" in /root/ldap/base.ldif since those top entries have been intialized when setting up the server.
  6. ./migrate_passwd.pl /etc/passwd /root/ldap/passwd.ldif
  7. ./migrate_passwd.pl /etc/group /root/ldap/group.ldif
  8. ldapadd -H ldap://localhost -D "cn=admin,dc=example,dc=org,dc=au" -x -W -f /root/ldap/base.ldif
  9. ldapadd -H ldap://localhost -D "cn=admin,dc=example,dc=org,dc=au" -x -W -f /root/ldap/passwd.ldif
  10. ldapadd -H ldap://localhost -D "cn=admin,dc=example,dc=org,dc=au" -x -W -f /root/ldap/group.ldif
III. Enable TLS (optional)
  1. Generate CA-signed SSL Certificate
  2. Modify /etc/ldap/slapd.conf
    • TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
    • TLSCACertificateFile /etc/ssl/certs/cacert.pem
    • TLSCertificateFile /etc/ssl/certs/server-cert.pem
    • TLSCertificateKeyFile /etc/ssl/certs/server-key.pem
    • TLSVerifyClient allow
  3. Modify /etc/default/slapd
    • To enable both StartTLS and ldaps://
      • SLAPD_SERVICES="ldap:/// ldaps:///"
    • To enable only StartTLS
      • SLAPD_SERVICES="ldap:///"
    • To enable only ldaps://
      • SLAPD_SERVICES="ldaps:///"
    • See also StartTLS vs. ldaps://
  4. Force to use TLS connection:
    • vim /etc/ldap/slapd.conf
      • security ssf=56 update_ssf=112
    • see also 1 and 2
  5. Restart ldap server
    • /etc/init.d/slapd restart
  6. Test installation:
    1. If ldaps:/// is enabled, you can use the following command to test:
      • openssl s_client -connect localhost:636 -showcerts
    2. On the ldap server itself, make sure ldap-utils installed (aptitude install ldap-utils)
      • vim /etc/ldap/ldap.conf
        • BASE dc=example, dc=org, dc=au
        • URI ldap://localhost
        • ssl on
        • ssl start_tls
        • TLS_CACERT /etc/ssl/certs/cacert.pem
        • TLS_REQCERT demand
      • ldapsearch -x -W -d 1 -ZZ -D "cn=admin,dc=example,dc=org,dc=au"
      • ldapsearch -H ldap://localhost -x -W -d 1 -ZZ -D "cn=admin,dc=example,dc=org,dc=au"
  7. More detail at http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
  8. See also http://www.openldap.org/doc/admin24/tls.html
IV. DUAConfigProfile.schema Support (Optional)
  1. What is DUA? Directory User Agent.
  2. Download the DUAConfigProfile.schema
  3. Include the schema in slapd.conf
    • vim /etc/ldap/slapd.conf
      • include /etc/ldap/schema/DUAConfigProfile.schema
  4. Restart ldap server
    • /etc/init.d/slapd restart
V. Enable openldap server logging
  1. modify /etc/ldap/slapd.conf
    • change
      • loglevel 0
    • to
      • loglevel 256
    • more detail about loglevel
  2. modify /etc/syslog.conf
    • append
      • local4.* /var/log/ldap.log
  3. restart syslog daemon
    • killall -HUP syslogd
  4. trouble shooting



No comments:

Post a Comment