Debian LDAP Server Setup
I. OpenLDAP Server Installation
- Install openldap server
- aptitude install ldap-server
- Admin Password: XXXXXXXX
- Confirm Admin Password: XXXXXXXX
- Configure openldap server
- dpkg-reconfigure slapd
- Omit OpenLDAP server configuration? no
- DNS domain name: example.org.au
- Name of your orgnization: example.org.au
- Admin Password: XXXXXXXX
- Confirm Password: XXXXXXXX
- Database backend to use: BDB
- Do you want your database to be removed when slapd is purged? Yes
- Move old database? Yes
- Allow LDAPv2 protocol? No
- vim /etc/ldap/slapd.conf (optional)
- uncomment:
- rootdn "cn=admin,dc=example,dc=org,dc=au"
- Test installation
- aptitude install ldap-utils
- ldapsearch -H ldap://localhost -b "dc=example,dc=org,dc=au" -D "cn=admin,dc=example,dc=org,dc=au" -x -W
II. Migrate existing information(password,group) into LDAP
- aptitude install ldap-utils migrationtools
- pwconv; grpconv (optional, required if wants to enable shadow)
- vi /etc/migrationtools/migrate_common.ph
- $DEFAULT_MAIL_DOMAIN = "example.org.au";
- $DEFAULT_BASE = "dc=example,dc=org,dc=au";
- $IGNORE_UID_BELOW = 1000; #(Uncomment to exclude Debian-managed system users)
- $IGNORE_GID_BELOW = 100; #(Uncomment to exclude Debian-managed system groups)
- cd /usr/share/migrationtools/
- ./migrate_base.pl > /root/ldap/base.ldif
- You will need to remove the top entries "dn: dc=org,dc=au" and "dn: dc=example,dc=org,dc=au" in /root/ldap/base.ldif since those top entries have been intialized when setting up the server.
- ./migrate_passwd.pl /etc/passwd /root/ldap/passwd.ldif
- ./migrate_passwd.pl /etc/group /root/ldap/group.ldif
- ldapadd -H ldap://localhost -D "cn=admin,dc=example,dc=org,dc=au" -x -W -f /root/ldap/base.ldif
- ldapadd -H ldap://localhost -D "cn=admin,dc=example,dc=org,dc=au" -x -W -f /root/ldap/passwd.ldif
- ldapadd -H ldap://localhost -D "cn=admin,dc=example,dc=org,dc=au" -x -W -f /root/ldap/group.ldif
III. Enable TLS (optional)
- Generate CA-signed SSL Certificate
- Modify /etc/ldap/slapd.conf
- TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
- TLSCACertificateFile /etc/ssl/certs/cacert.pem
- TLSCertificateFile /etc/ssl/certs/server-cert.pem
- TLSCertificateKeyFile /etc/ssl/certs/server-key.pem
- TLSVerifyClient allow
- Modify /etc/default/slapd
- To enable both StartTLS and ldaps://
- SLAPD_SERVICES="ldap:/// ldaps:///"
- To enable only StartTLS
- SLAPD_SERVICES="ldap:///"
- To enable only ldaps://
- SLAPD_SERVICES="ldaps:///"
- See also StartTLS vs. ldaps://
- Force to use TLS connection:
- vim /etc/ldap/slapd.conf
- security ssf=56 update_ssf=112
- see also 1 and 2
- Restart ldap server
- /etc/init.d/slapd restart
- Test installation:
- If ldaps:/// is enabled, you can use the following command to test:
- openssl s_client -connect localhost:636 -showcerts
- On the ldap server itself, make sure ldap-utils installed (aptitude install ldap-utils)
- vim /etc/ldap/ldap.conf
- BASE dc=example, dc=org, dc=au
- URI ldap://localhost
- ssl on
- ssl start_tls
- TLS_CACERT /etc/ssl/certs/cacert.pem
- TLS_REQCERT demand
- ldapsearch -x -W -d 1 -ZZ -D "cn=admin,dc=example,dc=org,dc=au"
- ldapsearch -H ldap://localhost -x -W -d 1 -ZZ -D "cn=admin,dc=example,dc=org,dc=au"
- More detail at http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
- See also http://www.openldap.org/doc/admin24/tls.html
IV. DUAConfigProfile.schema Support (Optional)
- What is DUA? Directory User Agent.
- Download the DUAConfigProfile.schema
- Include the schema in slapd.conf
- vim /etc/ldap/slapd.conf
- include /etc/ldap/schema/DUAConfigProfile.schema
- Restart ldap server
- /etc/init.d/slapd restart
V. Enable openldap server logging
- modify /etc/ldap/slapd.conf
- modify /etc/syslog.conf
- append
- local4.* /var/log/ldap.log
- restart syslog daemon
- trouble shooting
No comments:
Post a Comment