HOWTO setup a small server
OpenLDAP (Directory Server)
Client Installation
Prerequisite: OpenSSL. The following configuration depends on a correctly set up public-key infrastructure. In particular, the certificate of the CA must be available on all hosts.
The server and clients using the LDAP database require the following packages:
# apt-get install libldap-2.4-2 ldap-utils libnss-ldap
During the installation some questions will be asked to configure libnss-ldap ...
- LDAP server URI - should be set to ldaps:/// on the server and to ldaps://server.example.com/ on other hosts
- DN of the search root - this should be set to the domain name or, more precisely, every label of the domain name is added to a comma-separated list with a preceding dc= (in our example: dc=example,dc=com)
- LDAP version - the default 3 is just fine
- LDAP account for root - should be cn=admin,dc=example,dc=com
- admin password to save in configuration file - should be left empty
... and to configure libpam-ldap:
- make local root database admin - set to no
- LDAP requires login - set to no
The automatic configuration should essentially lead to the following entries in the corresponding configuration files. (The uri depends on whether the FQDN of the server was entered or not.)
Excerpts: /etc/libnss-ldap.conf and /etc/pam_ldap.conf
# DN of the search root
base dc=example,dc=com
# LDAP server URI
uri ldaps:///
# LDAP version
ldap_version 3
Client Configuration
The LDAP library should be configured for system-wide defaults of the clients. On the server this should be something like:
Excerpt: /etc/ldap/ldap.conf
BASE dc=example,dc=com
URI ldap:// ldaps://
TLS_CACERT /etc/ssl/certs/ca.crt
On other hosts the FQDN of the server must be appended to the URIs.
Name Service Switch Configuration
To do user and group authorization with LDAP users or groups, respectively, append ldap (separated with a space) to the lines beginning with passwd and group in /etc/nsswitch.conf.
For example:
Excerpt: /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
Finally, restart the Name Service Cache Daemon:
# /etc/init.d/nscd restart
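An added Python helper (not from the HOWTO) that performs the nsswitch.conf edit described above on file contents and returns the new text, so the result can be reviewed before it is written back: it appends ldap to the passwd and group lines only when it is not already there, keeps every other line and any trailing comment untouched, and raises an error if a required database line is missing. The sample file contents are constructed to resemble a Debian default.

```python
import re

# Constructed sample resembling a Debian default /etc/nsswitch.conf.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns
networks:       files
"""

# indent, database name, separator (colon plus surrounding blanks), rest of line
LINE_RE = re.compile(r"^(\s*)([A-Za-z_]+)(\s*:\s*)(.*)$")


def add_nss_source(text, source="ldap", databases=("passwd", "group")):
    """Return `text` with `source` appended to each listed database line.
    Idempotent: running it on its own output changes nothing."""
    out = []
    seen = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) in databases:
            indent, db, sep, rest = m.groups()
            seen.add(db)
            # keep a trailing "# comment" out of the source list
            sources_part, hash_sign, comment = rest.partition("#")
            sources = sources_part.split()
            if source not in sources:
                sources.append(source)
            line = indent + db + sep + " ".join(sources)
            if hash_sign:
                line += "  #" + comment
        out.append(line)
    missing = [db for db in databases if db not in seen]
    if missing:
        raise ValueError("no line for database(s): " + ", ".join(missing))
    return "\n".join(out) + "\n"


def nss_sources(text, database):
    """List the lookup sources configured for one database (for checking)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == database:
            return m.group(4).partition("#")[0].split()
    return []


if __name__ == "__main__":
    # Stand-alone run: show the edited sample. For a real file, read
    # /etc/nsswitch.conf into `text`, inspect the result, then write it back.
    print(add_nss_source(SAMPLE_NSSWITCH), end="")
```

Because the function only returns text, it can be run twice or against a copy first; a second pass over its own output is a no-op, which is the property you want from a script that may be re-run during provisioning.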
PAM Minimum and Maximum UID
Sometimes it is advantageous to restrict the PAM UIDs to a certain range. This can be accomplished by:
Excerpts: /etc/libnss-ldap.conf and /etc/pam_ldap.conf
# Specify a minimum or maximum UID number allowed
pam_min_uid 10000
pam_max_uid 20000
Server Installation
Prerequisite: Heimdal The following configuration depends on a working Heimdal Kerberos installation.
Install the necessary packages for the OpenLDAP server. During the installation process there are some questions that should be answered as suggested below.
# apt-get install slapd libsasl2-modules-gssapi-heimdal sasl2-bin
- administrator password - this is the password of the admin account that has full read and write access to the directory (choose one)
Server SSL Configuration
Next you can configure the LDAP daemon's runlevel script by setting the following variable in its configuration file:
Excerpt: /etc/default/slapd
SLAPD_SERVICES="ldap://127.0.0.1/ ldaps://0.0.0.0/"
Additionally, the following block is required in the daemon's configuration file to be able to establish encrypted connections:
Excerpt: /etc/ldap/slapd.conf
##########################################################
# SSL stuff
TLSCACertificateFile /etc/ssl/certs/ca.crt
TLSCertificateFile /etc/ssl/certs/server.crt
TLSCertificateKeyFile /etc/ssl/private/server.key
Now you will have to permit LDAP to read the key of the server:
# usermod -a -G ssl-cert openldap
Finally, restart the OpenLDAP daemon:
# /etc/init.d/slapd restart
Server Kerberos Configuration
Again, the configuration of the LDAP daemon's runlevel script must be changed by setting the following variable:
Excerpt: /etc/default/slapd
export KRB5_KTNAME=/etc/krb5.keytab.ldap
The following must be appended in the daemon's configuration file to be able to do SASL/GSSAPI authentication:
Excerpt: /etc/ldap/slapd.conf
##########################################################
# restrict the SASL mechanisms to just GSSAPI, otherwise
# DIGEST-MD5 is also advertised, being preferred by clients
# and requiring "-Y GSSAPI" to be added to ldap commands
# (default: noanonymous,noplain)
sasl-secprops noanonymous,noplain,noactive
# map SASL authentication DNs to LDAP DNs leaving
# "username/admin" principals untouched
sasl-regexp uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=people,dc=example,dc=com
#                    ^ this should be a plus, not a star, but slapd will
#                      not accept it
Obviously, you will also have to create the keytab file for LDAP:
# kadmin -l
> add --random-key ldap/server.example.com
> ext_keytab -k /etc/krb5.keytab.ldap ldap/server.example.com
> q
# chown openldap /etc/krb5.keytab.ldap
Finally, restart the OpenLDAP daemon:
# /etc/init.d/slapd restart
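To see what the sasl-regexp in the slapd.conf excerpt does to an incoming SASL name, here is an added Python illustration (not part of the HOWTO and not slapd's own code). It applies the same pattern with Python's re module, which agrees with a POSIX extended regex for this pattern, and puts the star version from the excerpt beside the plus version the comment says was intended. Whether slapd anchors the match to the whole name is not stated on the page; the illustration anchors it explicitly with re.fullmatch. The names fed through are constructed.

```python
import re

BASE_DN = "dc=example,dc=com"  # suffix used throughout the HOWTO


def make_mapper(pattern, replacement):
    """Build a rewrite function for SASL authentication DNs of the form
    uid=<user>,cn=gssapi,cn=auth. A name that does not match the whole
    pattern is returned unchanged, which is what leaves other names untouched."""
    regex = re.compile(pattern)

    def mapper(sasl_dn):
        match = regex.fullmatch(sasl_dn)
        return match.expand(replacement) if match else sasl_dn

    return mapper


# The rule as written in the excerpt: [^,]* also matches an empty uid.
map_star = make_mapper(r"uid=([^,]*),cn=gssapi,cn=auth",
                       r"uid=\1,ou=people," + BASE_DN)
# The rule the excerpt's comment says was intended: [^,]+ needs one character.
map_plus = make_mapper(r"uid=([^,]+),cn=gssapi,cn=auth",
                       r"uid=\1,ou=people," + BASE_DN)


def is_under_people(dn):
    """True when a mapped DN is a uid= entry inside ou=people of the directory."""
    return dn.startswith("uid=") and dn.endswith(",ou=people," + BASE_DN)


def compare(sasl_dn):
    """Both mappings side by side for one SASL name."""
    return {"star": map_star(sasl_dn), "plus": map_plus(sasl_dn)}


if __name__ == "__main__":
    # Constructed sample names: a normal GSSAPI login, an empty uid, and a
    # realm-qualified form that neither rule rewrites.
    for name in ("uid=testuser,cn=gssapi,cn=auth",
                 "uid=,cn=gssapi,cn=auth",
                 "uid=testuser,cn=EXAMPLE.COM,cn=gssapi,cn=auth"):
        print(name, "->", compare(name))
```

The empty-uid case is the difference the comment is about: with the star, an authentication name with no user part is still rewritten to a uid= DN under ou=people, whereas with the plus it is passed through unmapped and therefore matches no entry. A name that carries a realm component matches neither rule and is also left as it is.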
Server Testing
You can check whether LDAP is working properly with the following commands (parameters in square brackets are optional). The first command will fail if -x is omitted and there is no Kerberos ticket available.
# ldapsearch -H ldap://localhost/ -b dc=example,dc=com [-ZZ] [-x]
# ldapsearch -H ldaps://localhost/ -b dc=example,dc=com [-x]
In order to check just the validity of the certificate of the LDAP server, you can use:
# openssl s_client -host server.example.com \
-port 636 -CAfile /etc/ssl/certs/ca.crt
Database Management
Now your LDAP is ready and it is a good idea to make a backup of the initial database:
# mkdir /root/ldap
# slapcat -l /root/ldap/debian_initial.ldif
Now you are ready to add the basic structure for users and groups to the LDAP database. Create the following file:
File: /root/ldap/basics.ldif
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
## must:
ou: people
## may:
description: Users
## and a lot more ...

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
## must:
ou: groups
## may:
description: Groups
## and a lot more ...

dn: ou=machines,dc=example,dc=com
objectClass: organizationalUnit
## must:
ou: machines
## may:
description: Machines
## and a lot more ...
Add it to the LDAP database:
# ldapadd -x -D cn=admin,dc=example,dc=com -W -f /root/ldap/basics.ldif
Similarly, you can add users and groups to the LDAP database with the following snippet:
File: /root/ldap/user_group.ldif
## testuser
dn: uid=testuser,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
## must:
cn: testuser
givenName: Givenname
sn: Surname
uid: testuser
uidNumber: 10000
gidNumber: 10000
homeDirectory: /nonexistent
## may:
# password is "foobar"
#userPassword: {CRYPT}x6t7sYgk89VcY
loginShell: /usr/sbin/nologin
#gecos: ...
#telephoneNumber: ...
#seeAlso: ...
#description: ...

## testgroup
dn: cn=testgroup,ou=groups,dc=example,dc=com
objectClass: posixGroup
## must:
cn: testgroup
gidNumber: 10000
## may:
memberUid: testuser
## (memberUid may be repeated several times for other users)
#description: ...
and the command:
# ldapadd -x -D cn=admin,dc=example,dc=com -W -f /root/ldap/user_group.ldif
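As an added example (not part of the original HOWTO), the following Python script generates user and group entries of the shape shown in user_group.ldif, derives the base DN from a domain name the way the "DN of the search root" answer describes it, and refuses a uidNumber outside the pam_min_uid/pam_max_uid range configured in the client section, since pam_ldap would not accept such an account anyway. Attribute values are encoded according to RFC 2849: a value that is not plain ASCII, starts with a space, colon or "<", ends with a space, or contains control characters is written as "attr:: base64". Names and numbers in the example are constructed sample values.

```python
import base64
import re

# Range from the pam_min_uid / pam_max_uid excerpt of this HOWTO.
PAM_MIN_UID = 10000
PAM_MAX_UID = 20000

# POSIX-style account and group names; restricting DN components to these
# characters means no RFC 4514 escaping is needed when building the dn: line.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def base_dn(domain):
    """'example.com' -> 'dc=example,dc=com', one dc= per domain label."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + label for label in labels)


def ldif_attr(name, value):
    """Render one attribute line, base64-encoded ('name:: ...') when RFC 2849
    requires it: non-ASCII, leading space/':'/'<', trailing space, or control
    characters in the value."""
    value = str(value)
    needs_base64 = (
        not value.isascii()
        or value[:1] in (" ", ":", "<")
        or value.endswith(" ")
        or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)
    )
    if needs_base64:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def uid_in_range(uid_number):
    """True when pam_ldap, with the range above, would accept this uidNumber."""
    return PAM_MIN_UID <= uid_number <= PAM_MAX_UID


def user_entry(base, uid, given_name, surname, uid_number, gid_number,
               home="/nonexistent", shell="/usr/sbin/nologin"):
    """inetOrgPerson + posixAccount entry under ou=people, as in the HOWTO."""
    if not NAME_RE.fullmatch(uid):
        raise ValueError(f"invalid account name: {uid!r}")
    if not uid_in_range(uid_number):
        raise ValueError(f"uidNumber {uid_number} is outside "
                         f"{PAM_MIN_UID}..{PAM_MAX_UID} (pam_min_uid/pam_max_uid)")
    lines = [
        f"dn: uid={uid},ou=people,{base}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        ldif_attr("cn", uid),
        ldif_attr("givenName", given_name),
        ldif_attr("sn", surname),
        ldif_attr("uid", uid),
        ldif_attr("uidNumber", uid_number),
        ldif_attr("gidNumber", gid_number),
        ldif_attr("homeDirectory", home),
        ldif_attr("loginShell", shell),
    ]
    return "\n".join(lines) + "\n"


def group_entry(base, name, gid_number, members=()):
    """posixGroup entry under ou=groups; memberUid is repeated per member."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid group name: {name!r}")
    for member in members:
        if not NAME_RE.fullmatch(member):
            raise ValueError(f"invalid member name: {member!r}")
    lines = [
        f"dn: cn={name},ou=groups,{base}",
        "objectClass: posixGroup",
        ldif_attr("cn", name),
        ldif_attr("gidNumber", gid_number),
    ]
    lines += [ldif_attr("memberUid", member) for member in members]
    return "\n".join(lines) + "\n"


def ldif_document(*entries):
    """Join entries with the blank line LDIF uses as a record separator."""
    return "\n".join(entries)


if __name__ == "__main__":
    # Constructed sample data; write the output to a file and feed it to
    # ldapadd as shown above.
    base = base_dn("example.com")
    print(ldif_document(
        user_entry(base, "testuser", "Givenname", "Surname", 10000, 10000),
        group_entry(base, "testgroup", 10000, members=["testuser"]),
    ), end="")
```

The output for the sample data matches the user_group.ldif layout above, minus the commentary lines; the base64 rule matters as soon as real surnames with non-ASCII characters are loaded, because a raw UTF-8 value on an "attr: value" line is not valid LDIF and ldapadd will reject the record.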
Networking Requirements
Prerequisite: Shorewall. If you use a packet filter like Shorewall, you will have to accept connections from other hosts:
Excerpt: /etc/shorewall/rules
# LDAP/LDAPS
#
#ACCEPT net $FW tcp 389
ACCEPT net $FW tcp 636
#
And restart Shorewall:
# shorewall restart