infra:openldap

OpenLDAP

Based on the information at https://wiki.debian.org/LDAP/OpenLDAPSetup

Install the required packages:

# apt-get install slapd

If required, manually reconfigure slapd (e.g. to change the domain used). This is an interactive process that will ask some questions.

# dpkg-reconfigure slapd ldap-utils
# /etc/init.d/slapd start

Create an LDIF file olcDbIndex.ldif containing:

olcDbIndex.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Create the indexes by loading the LDIF:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif
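Missing indexes show up at runtime: when a client filters on an attribute that has no index of the matching type, slapd logs a "not indexed" warning to syslog. The script below is an added example (not from this page or the Debian wiki) that scans such log lines and renders the attributes they complain about as an olcDbIndex.ldif fragment in the same shape as the file above. The log lines are constructed samples modelled on slapd's message format, and the mapping of `equality`/`substring`/`presence` candidates to `eq`/`sub`/`pres` index types is the editor's.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines modelled on slapd's "not indexed" warning;
# they do not come from any real server.
SAMPLE_LOG = """\
Nov 20 20:09:01 ldap1 slapd[1234]: <= mdb_equality_candidates: (memberUid) not indexed
Nov 20 20:09:01 ldap1 slapd[1234]: <= mdb_substring_candidates: (mail) not indexed
Nov 20 20:09:02 ldap1 slapd[1234]: <= mdb_equality_candidates: (memberUid) not indexed
Nov 20 20:09:03 ldap1 slapd[1234]: conn=1002 fd=14 ACCEPT from IP=127.0.0.1:50422 (IP=127.0.0.1:389)
Nov 20 20:09:04 ldap1 slapd[1234]: <= mdb_presence_candidates: (ou) not indexed
"""

# Candidate type named in the log message -> olcDbIndex index type (editor's mapping).
INDEX_TYPE = {"equality": "eq", "substring": "sub", "presence": "pres"}

NOT_INDEXED = re.compile(r"<= mdb_(\w+)_candidates: \((\w+)\) not indexed")


def missing_indexes(log_text):
    """Return {attribute: set(index types)} for every 'not indexed' warning in the log."""
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = NOT_INDEXED.search(line)
        if m and m.group(1) in INDEX_TYPE:
            missing[m.group(2)].add(INDEX_TYPE[m.group(1)])
    return dict(missing)


def index_ldif(missing, db_dn="olcDatabase={1}mdb,cn=config"):
    """Render the findings as an LDIF modify with the same layout as olcDbIndex.ldif."""
    lines = [f"dn: {db_dn}", "changetype: modify"]
    for i, attr in enumerate(sorted(missing)):
        if i:
            lines.append("-")  # separates the individual 'add' operations
        lines.append("add: olcDbIndex")
        lines.append(f"olcDbIndex: {attr} {','.join(sorted(missing[attr]))}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(index_ldif(missing_indexes(SAMPLE_LOG)))
```

Review the generated fragment against the olcDbIndex values already present in the database before loading it with the same `ldapmodify -Y EXTERNAL -H ldapi:///` command as above; the script only reports what the log complained about.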

Create an LDIF file olcAccess.ldif containing:

olcAccess.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to attrs=loginShell,gecos
  by dn="cn=admin,dc=example,dc=com" write
  by self write
  by * read

Apply the permissions by loading the LDIF into OpenLDAP:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcAccess.ldif
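The `{1}` in the olcAccess value is the position of the new rule, and position matters: slapd uses the first `to` clause whose target matches the requested attribute, then the first matching `by` clause inside it, and anything not matched is denied. Inserting at `{1}` puts the loginShell/gecos rule ahead of the catch-all `to * by * read`; appended after it, the rule would never be consulted. The Python below is an added example (not code from this page or from OpenLDAP) that evaluates a constructed ACL set with those semantics so the effect of the ordering can be checked offline. The ACL set assumes Debian's stock mdb rules for userPassword, shadowLastChange and `to *`, as the editor recalls them, with the page's rule inserted at `{1}`; the supported `by` forms are limited to `*`, `self`, `anonymous`, `users` and an exact `dn="..."`.

```python
import re

# Access levels in increasing order; granting a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed ACL set: assumed Debian stock rules {0},{2},{3} with the page's
# loginShell/gecos rule inserted as {1}, which renumbers the rules after it.
ACLS = [
    "to attrs=userPassword by self write by anonymous auth by * none",
    'to attrs=loginShell,gecos by dn="cn=admin,dc=example,dc=com" write by self write by * read',
    "to attrs=shadowLastChange by self write by * read",
    "to * by * read",
]

# The same rules with the page's rule appended after the catch-all instead.
MISORDERED = ACLS[:1] + ACLS[2:] + [ACLS[1]]


def parse_acl(text):
    """Split 'to <target> by <who> <level> by ...' into (attrs or None, [(who, level)])."""
    target, _, rest = text.partition(" by ")
    target = target[len("to "):].strip()
    attrs = set(target[len("attrs="):].split(",")) if target.startswith("attrs=") else None
    clauses = []
    for by in rest.split(" by "):
        who, level = by.strip().rsplit(" ", 1)  # e.g. 'dn="cn=admin,..."', 'write'
        clauses.append((who, level))
    return attrs, clauses


def who_matches(who, requester, entry_dn):
    """requester is the bind DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    m = re.fullmatch(r'dn="(.*)"', who)
    if m:
        return requester is not None and requester.lower() == m.group(1).lower()
    raise ValueError(f"unsupported <who> clause: {who}")


def granted(acls, requester, entry_dn, attr):
    """Access level the first matching 'to' clause grants; no match means denied."""
    for acl in acls:
        attrs, clauses = parse_acl(acl)
        if attrs is not None and attr not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"  # the 'to' clause matched but no 'by' clause did
    return "none"      # directives exist but none matched


def allowed(acls, requester, entry_dn, attr, wanted):
    return LEVELS.index(granted(acls, requester, entry_dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print("alice may change her loginShell:", allowed(ACLS, alice, alice, "loginShell", "write"))
    print("same rule appended after 'to *':", granted(MISORDERED, alice, alice, "loginShell"))
```

The evaluator does not model the database rootdn, which slapd exempts from access control; if cn=admin,dc=example,dc=com is the olcRootDN, the explicit `by dn=...` clause changes nothing for it. On a live server the equivalent check is `slapacl`, run as root against the configured database.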

Set up a private certificate authority (see the OpenSSL: Setup a private Certificate Authority page) and give the openldap user read access to:

  • Decrypted private key
  • Certificate
  • Root/Intermediate CA chain file

Update /etc/default/slapd so that plain LDAP is only offered on the loopback interface, while LDAPS and the local socket are offered as well:

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"

Create a file olcSSL.ldif containing:

olcSSL.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-chain.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/server-key.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/server-cert.pem

Load the configuration into OpenLDAP:

# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcSSL.ldif
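slapd runs as the openldap user, so the three files named in olcSSL.ldif have to be readable by that user, and the decrypted private key should not be readable by anyone else. The following Python is an added preflight check (not from this page or from OpenLDAP) that pulls the olcTLS*File paths out of the LDIF and reports files that are missing, unreadable for the given uid/groups, or, for the key, world-accessible. The `demo()` function builds constructed placeholder files in a temporary directory so the check can be exercised without a real certificate; on a server you would pass the openldap account's uid and gid as shown in the comment.

```python
import os
import re
import stat
import tempfile

# Copy of the olcSSL.ldif shown above; demo() swaps the paths for temporary files.
SAMPLE_LDIF = """\
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-chain.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/server-key.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/server-cert.pem
"""

TLS_ATTR = re.compile(r"^(olcTLS\w+File): (.+)$", re.M)


def tls_paths(ldif_text):
    """Map each olcTLS*File attribute in the LDIF to the path it points at."""
    return dict(TLS_ATTR.findall(ldif_text))


def readable_by(st, uid, gids):
    """Unix read check for a process with this uid and these groups (root reads anything)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_file(attr, path, uid, gids):
    """Return a list of problems with one configured file, empty if it looks fine."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{attr}: {path} does not exist"]
    problems = []
    if not readable_by(st, uid, gids):
        problems.append(f"{attr}: {path} is not readable by uid {uid}")
    # The decrypted key must not be exposed to every local user.
    if attr == "olcTLSCertificateKeyFile" and st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append(f"{attr}: {path} is world-accessible (mode {oct(st.st_mode & 0o777)})")
    return problems


def preflight(ldif_text, uid, gids):
    """Check every olcTLS*File in the LDIF; real use: pw = pwd.getpwnam('openldap');
    preflight(text, pw.pw_uid, {pw.pw_gid})."""
    problems = []
    for attr, path in tls_paths(ldif_text).items():
        problems += check_file(attr, path, uid, gids)
    return problems


def demo():
    """Constructed scenario: CA chain missing, key world-readable, cert fine."""
    d = tempfile.mkdtemp()
    key, cert, ca = (os.path.join(d, n) for n in ("server-key.pem", "server-cert.pem", "ca-chain.pem"))
    for path, mode in ((key, 0o644), (cert, 0o644)):
        with open(path, "w") as f:
            f.write("constructed placeholder, not a real PEM object\n")
        os.chmod(path, mode)
    ldif = (SAMPLE_LDIF.replace("/etc/ssl/private/server-key.pem", key)
            .replace("/etc/ssl/certs/server-cert.pem", cert)
            .replace("/etc/ssl/certs/ca-chain.pem", ca))
    return preflight(ldif, os.getuid(), set(os.getgroups()))


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Run the check before the `ldapmodify` above: slapd validates the key and certificate when the olcTLS attributes are loaded, and an unreadable or missing file at that point fails the modify without much explanation in the client.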

Last modified: 20/11/2021 20:09