Install openldap server on debian 11/10¶
1. Prepare the server¶
Before installing the ldap server, you need to prepare it.
1.1 Configure FQDN hostname for your server¶
You need to create a FQDN hostname and add a record to file/etc/hosts.
sudo vim /etc/hosts
10.50.5.57 ldap.casd.local
# Configure hostname
sudo hostnamectl set-hostname ldap.casd.local --static
1.2 Update the server¶
# fix the hashicorp repo key
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --yes --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list > /dev/null
sudo apt -y update && sudo apt -y upgrade
sudo reboot
2. Install the openldap package¶
sudo apt -y install slapd ldap-utils
slapd: is the openldap server.ldap-utils: is the ldap cli.
After the above command, you will be prompted to enter the admin password for your LDAP directory
The base dn of the ldap server will be generated base on your FQDN hostname. So if your fqdn is not right, don't continue just restart from step 1.
3. Set up the base structure¶
You can consider the ldap server as a database of your users and groups. To better organise them, we need to create some basic structures.
3.1 Create olc admin account¶
Openldap has two admin accounts, the installation guide will help you to set up the front-end admin account(e.g. cn=admin, dc=casd, dc=loacl).
There is a backend admin account cn=admin,cn=config which allows you to access the ldap olc(cn=config).
# sudo su become root user
# show the content of cn=config
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
olcRootDN entry is already created by default, all you need to do is to modify the olcRootPW
You can use slappasswd to generate the ssha of your password.
# we name this conf file as change_pwd_config.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}33aeJH8tsp6+NxNg9LIK9VjUtmhYTOnV
ldapmodify -Y EXTERNAL -H ldapi:/// -f change_pwd_config.ldif
# we name this file as create_account_config.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}33aeJH8tsp6+NxNg9LIK9VjUtmhYTOnV
ldapadd -Y EXTERNAL -H ldapi:/// -f create_account_config.ldif
to access cn=config in
Apache Directory Studio, the login will becn=admin,cn=config, the password is the password in olcRootPW, the root tree will becn=config.
3.2 Enable ldaps¶
To set up ldaps, you need three files: 1. CA certificate (location: /etc/ssl/certs/mycacert.pem) 2. service certificate for ldap signed by CA certificate (location: /etc/ldap/ldap_cert.pem) 3. private key of the service certificate (location: /etc/ldap/ldap_pri_key.pem)
you need to add the below config into cn=config
# certinfo.ldif
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ldap_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ldap_pri_key.pem
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
To use LDAPS (LDAP over SSL), then you need to edit /etc/default/slapd and include ldaps:/// in SLAPD_SERVICES like below:
# open file
sudo vim /etc/default/slapd
# find the below line and add ldaps as authorized protocol
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
# restart slapd
sudo systemctl restart slapd
# test the ldaps
ldapwhoami -x -H ldaps://ldap.casd.local
To use apache directory studio, in the network tab, you need to change the port to 636, and encryption method to ldaps.
3.3 Add some basic structure¶
Below is an example, you can set up something more complex
dn: ou=people,dc=casd,dc=local
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=casd,dc=local
objectClass: organizationalUnit
ou: groups
Load the above entry to the ldap server
sudo ldapadd -x -D cn=admin,dc=casd,dc=local -W -f basedn.ldif
4. Add sample user account and group¶
4.1 Add a new user account¶
- Create a password hash for the user account
sudo slappasswd
New password:
Re-enter new password:
{SSHA}vjbMsVOMBOyB2/oZ1tiFGptF/ArMGwGH
- Create a
user.ldiffile
dn: uid=pliuT,ou=people,dc=casd,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Pengfei
sn: Liu
userPassword: {SSHA}vjbMsVOMBOyB2/oZ1tiFGptF/ArMGwGH
loginShell: /bin/bash
homeDirectory: /home/users/pliu
uidNumber: 3000
gidNumber: 3000
- Add it to the ldap server
sudo ldapadd -x -D cn=admin,dc=casd,dc=local -W -f user.ldif
4.2 Add a new group¶
- Create a
group.ldif
dn: cn=developers,ou=groups,dc=casd,dc=local
objectClass: posixGroup
cn: developers
gidNumber: 3000
memberUid: pliuT
sudo ldapadd -x -D cn=admin,dc=casd,dc=local -W -f group.ldif
5. Install a ldap client¶
We already have a ldap client in CLI which you can use after installing ldap-utils.
ldapsearch -x -LLL -b dc=casd,dc=local '(uid=pengfei)' cn gidNumber
# sample output
dn: uid=pengfei,ou=people,dc=casd,dc=local
gidNumber: 4000
cn: pengfei
5.1 Ldap client with GUI¶
We have many choices for advance ldap client with GUI. But I recommend Apache Directory Studio.
After download, unzip it and run the command ./ApacheDirectoryStudio
Inside the GUI, create a new ldap connection, enter the server host name and port.
Then enter the admin acount and password e.g. cn=admin,dc=casd,dc=local.
If everything works well, you should see the content of the ldap server.
6. Enable SASL/GSSAPI in openldap¶
GSSAPI (Generic Security Services API) allows OpenLDAP to authenticate users using Kerberos instead of
simple binds with passwords. This is commonly used in Active Directory (AD) or MIT Kerberos environments.
To complete this config, you must have one kerberos server(kdc) up and running. Here, we suppose the kerberos server
is running on a server with url such as krb.casd.local with a REALM called CASD.LOCAL.
the realm name is case-sensitive, by convention, it should be all in upper-case.
6.1 Install required packages¶
sudo apt update
sudo apt install krb5-user libsasl2-modules-gssapi-mit
krb5-user: kerberos client which allows user to do kinit, klist, kdestroy libsasl2-modules-gssapi-mit: SASL GSSAPI module for OpenLDAP to allow user kerberos ticket bind.
6.2 Configure Kerberos Authentication¶
The kerberos client authentication config is located at /etc/krb5.conf. Below is an example of the basic config
of the kerberos client.
[libdefaults]
default_realm = CASD.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
CASD.LOCAL = {
kdc = krb.casd.local
admin_server = krb.casd.local
}
[domain_realm]
casd.local = CASD.LOCAL
.casd.local = .CASD.LOCAL
# obtain a krb ticket from the kdc
kinit <user-principal>
# for example
kinit pengfei@CASD.LOCAL
# show the ticket
klist
# destroy the cached ticket
kdestroy