HOWTO setup a small server

OpenLDAP (Directory Server)

Client Installation

Prerequisite: OpenSSL. The following configuration depends on a correctly set up public-key infrastructure. In particular, the CA certificate must be available on all hosts.

The server and clients using the LDAP database require the following packages:

# apt-get install libldap-2.4-2 ldap-utils libnss-ldap

During the installation some questions will be asked to configure libnss-ldap ...

LDAP server URI
should be set to ldaps:/// on the server and to ldaps://server.example.com/ on other hosts
DN of the search root
this should be set to the domain name or, more precisely, every level of the domain is added to a comma-separated list with a preceding dc= (in our example: dc=example,dc=com )
LDAP version
the default 3 is just fine
LDAP account for root
should be cn=admin,dc=example,dc=com
admin password to save in configuration file
should be left empty

... and to configure libpam-ldap:

make local root database admin
set to no
LDAP requires login
set to no

The automatic configuration should essentially lead to the following entries in the corresponding configuration files. (The uri line depends on whether the server's FQDN was entered or not.)

Excerpts: /etc/libnss-ldap.conf and /etc/pam_ldap.conf

# DN of the search root
base dc=example,dc=com

# LDAP server URI
uri ldaps:///

# LDAP version
ldap_version 3

Client Configuration

The system-wide defaults of the LDAP client library should be configured on every host. On the server this should look like:

Excerpt: /etc/ldap/ldap.conf

BASE		dc=example,dc=com
URI		ldap:// ldaps://
TLS_CACERT	/etc/ssl/certs/ca.crt

On other hosts the FQDN of the server must be appended to the URIs.

Name Service Switch Configuration

To let the system look up users and groups in LDAP, append ldap (separated with a space) to the lines beginning with passwd and group in /etc/nsswitch.conf. For example:

Excerpt: /etc/nsswitch.conf

passwd: compat ldap
group: compat ldap

Finally, restart the Name Service Cache Daemon:

# /etc/init.d/nscd restart

PAM Minimum and Maximum UID

Sometimes it is advantageous to restrict the PAM UIDs to a certain range. This can be accomplished by:

Excerpts: /etc/libnss-ldap.conf and /etc/pam_ldap.conf

# Specify a minimum or maximum UID number allowed
pam_min_uid 10000
pam_max_uid 20000

Server Installation

Prerequisite: Heimdal. The following configuration depends on a working Heimdal Kerberos installation.

Install the necessary packages for the OpenLDAP server. During the installation process there are some questions that should be answered as suggested below.

# apt-get install slapd libsasl2-modules-gssapi-heimdal sasl2-bin
administrator password
this is the password of the admin account that has full read and write access to the directory (choose one)

Server SSL Configuration

Next, configure the LDAP daemon's init script by setting the following variable in its configuration file:

Excerpt: /etc/default/slapd

SLAPD_SERVICES="ldap://127.0.0.1/ ldaps://0.0.0.0/"

Additionally, the following block is required in the daemon's configuration file to be able to establish encrypted connections:

Excerpt: /etc/ldap/slapd.conf

##########################################################
# SSL stuff
TLSCACertificateFile /etc/ssl/certs/ca.crt
TLSCertificateFile /etc/ssl/certs/server.crt
TLSCertificateKeyFile /etc/ssl/private/server.key

Now you will have to permit the openldap user to read the server's private key:

# usermod -a -G ssl-cert openldap

Finally, restart the OpenLDAP daemon:

# /etc/init.d/slapd restart

Server Kerberos Configuration

Again, the configuration of the LDAP daemon's init script must be changed by setting the following variable:

Excerpt: /etc/default/slapd

export KRB5_KTNAME=/etc/krb5.keytab.ldap

The following must be appended to the daemon's configuration file to be able to do SASL/GSSAPI authentication:

Excerpt: /etc/ldap/slapd.conf

##########################################################
# restrict the SASL mechanisms to just GSSAPI, otherwise
# DIGEST-MD5 is also advertised, is preferred by clients
# and requires "-Y GSSAPI" to be added to ldap commands
# (default: noanonymous,noplain)
sasl-secprops noanonymous,noplain,noactive

# map SASL authentication DNs to LDAP DNs leaving
# "username/admin" principals untouched
sasl-regexp uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=people,dc=example,dc=com
# this should be a   ^  plus, not a star, but slapd will
# not accept it
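As an added illustration (not part of the original HOWTO), the following Python script applies the sasl-regexp rule above to SASL-derived DNs the way slapd does, on the assumption that the match is case-insensitive and unanchored (POSIX extended regex) and that the replacement becomes the whole new DN. It shows a plain principal mapping into ou=people, a username/admin principal keeping its /admin instance in the mapped DN, and the empty-uid case that the "plus, not a star" comment refers to.

```python
import re

# The sasl-regexp rule from the excerpt above, split into match pattern and replacement
# (slapd's "$1" back-reference is written "\1" for Python's re module).
PAGE_RULE = (r"uid=([^,]*),cn=gssapi,cn=auth",
             r"uid=\1,ou=people,dc=example,dc=com")
# The stricter variant the "plus, not a star" comment asks for (rejected by this slapd).
STRICT_RULE = (r"uid=([^,]+),cn=gssapi,cn=auth",
               r"uid=\1,ou=people,dc=example,dc=com")

def gssapi_dn(principal):
    """SASL-derived DN slapd builds for a GSSAPI login. Assumption: the realm has
    already been stripped by Cyrus SASL (it does so when it equals the default realm)."""
    return f"uid={principal.split('@')[0]},cn=gssapi,cn=auth"

def map_authz_dn(sasl_dn, rules=(PAGE_RULE,)):
    """Apply sasl-regexp rules: rules are tried in order, the first match wins and
    its replacement becomes the whole new DN; with no match the DN stays as it is.
    Assumption: matching is unanchored and case-insensitive (REG_EXTENDED|REG_ICASE)."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return m.expand(replacement)
    return sasl_dn

if __name__ == "__main__":
    for p in ("testuser@EXAMPLE.COM", "testuser/admin@EXAMPLE.COM"):
        print(p, "->", map_authz_dn(gssapi_dn(p)))
    # Empty uid: the star pattern still matches and yields "uid=,ou=people,...",
    # while the plus pattern does not match and leaves the SASL DN unmapped.
    print(map_authz_dn("uid=,cn=gssapi,cn=auth"))
    print(map_authz_dn("uid=,cn=gssapi,cn=auth", rules=(STRICT_RULE,)))
```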

Obviously, you will also have to create the keytab file for LDAP:

# kadmin -l
> add --random-key ldap/server.example.com
> ext_keytab -k /etc/krb5.keytab.ldap ldap/server.example.com
> q
# chown openldap /etc/krb5.keytab.ldap

Finally, restart the OpenLDAP daemon:

# /etc/init.d/slapd restart

Server Testing

You can check whether the LDAP server is working properly with the following commands (parameters in square brackets are optional). The first command will fail if -x is omitted and no Kerberos ticket is available.

# ldapsearch -H ldap://localhost/ -b dc=example,dc=com [-ZZ] [-x]
# ldapsearch -H ldaps://localhost/ -b dc=example,dc=com [-x]

In order to check just the validity of the certificate of the LDAP server, you can use:

# openssl s_client -host server.example.com \
  -port 636 -CAfile /etc/ssl/certs/ca.crt

Database Management

Now your LDAP is ready and it is a good idea to make a backup of the initial database:

# mkdir /root/ldap
# slapcat -l /root/ldap/debian_initial.ldif

Now you are ready to add the basic structure for users and groups to the LDAP database. Create the following file:

File: /root/ldap/basics.ldif

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
## must:
ou: people
## may:
description: Users
## and a lot more ...

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
## must:
ou: groups
## may:
description: Groups
## and a lot more ...

dn: ou=machines,dc=example,dc=com
objectClass: organizationalUnit
## must:
ou: machines
## may:
description: Machines
## and a lot more ...

Add it to the LDAP database:

# ldapadd -x -D cn=admin,dc=example,dc=com -W -f /root/ldap/basics.ldif

Similarly, you can add users and groups to the LDAP database with the following snippet:

File: /root/ldap/user_group.ldif

## testuser
dn: uid=testuser,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
## must:
cn: testuser
givenName: Givenname
sn: Surname
uid: testuser
uidNumber: 10000
gidNumber: 10000
homeDirectory: /nonexistent
## may:
# password is "foobar"
#userPassword: {CRYPT}x6t7sYgk89VcY
loginShell: /usr/sbin/nologin
#gecos: ...
#telephoneNumber: ...
#seeAlso: ...
#description: ...

## testgroup
dn: cn=testgroup,ou=groups,dc=example,dc=com
objectClass: posixGroup
## must:
cn: testgroup
gidNumber: 10000
## may:
memberUid: testuser
## (memberUid may be repeated several times for other users)
#description: ...

and the command:

# ldapadd -x -D cn=admin,dc=example,dc=com -W -f /root/ldap/user_group.ldif
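As an added example (not part of the original HOWTO) that ties the PAM UID range from the "PAM Minimum and Maximum UID" section to the LDIF above, this Python script parses a constructed LDIF modelled on user_group.ldif and checks, before anything is fed to ldapadd, that every posixAccount and posixGroup carries its "must" attributes, that each uidNumber lies within pam_min_uid..pam_max_uid, and that each user's gidNumber refers to a posixGroup that actually exists.

```python
# Constructed LDIF modelled on the page's user_group.ldif (not the page's own file).
SAMPLE_LDIF = """\
dn: uid=testuser,ou=people,dc=example,dc=com
objectClass: posixAccount
cn: testuser
uid: testuser
uidNumber: 10000
gidNumber: 10000
homeDirectory: /nonexistent

dn: cn=testgroup,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: testgroup
gidNumber: 10000
memberUid: testuser
"""

# "must" attributes per object class, as listed in the page's LDIF comments
MUST = {"posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
        "posixGroup": {"cn", "gidNumber"}}

def parse_ldif(text):
    """Parse simple LDIF into one {attribute: [values]} dict per entry.
    Comments are skipped; folded lines and base64 '::' values are not handled."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:           # trailing "" flushes the last entry
        if not line.strip():                        # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def check_entries(entries, min_uid=10000, max_uid=20000):
    """Return a list of problems; an empty list means the LDIF passes the checks."""
    problems = []
    gids = {e["gidNumber"][0] for e in entries
            if "posixGroup" in e.get("objectClass", []) and "gidNumber" in e}
    for e in entries:
        dn, ocs = e["dn"][0], e.get("objectClass", [])
        for oc in ocs:
            missing = MUST.get(oc, set()) - set(e)
            if missing:
                problems.append(f"{dn}: missing {sorted(missing)} for {oc}")
        if "posixAccount" in ocs and {"uidNumber", "gidNumber"} <= set(e):
            if not min_uid <= int(e["uidNumber"][0]) <= max_uid:   # PAM UID range
                problems.append(f"{dn}: uidNumber outside pam_min_uid..pam_max_uid")
            if e["gidNumber"][0] not in gids:                       # primary group exists
                problems.append(f"{dn}: gidNumber {e['gidNumber'][0]} has no posixGroup")
    return problems
```

Running `check_entries(parse_ldif(open("/root/ldap/user_group.ldif").read()))` against your own file returns an empty list when it is consistent with the pam_min_uid/pam_max_uid settings chosen earlier.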

Networking Requirements

Prerequisite: Shorewall. If you are using a packet filter like Shorewall, you will have to accept connections from other hosts:

Excerpt: /etc/shorewall/rules

# LDAP/LDAPS
#
#ACCEPT		net		$FW		tcp	389
ACCEPT		net		$FW		tcp	636
#

And restart Shorewall:

# shorewall restart
