tutorial:ldap:installopenldap

Differences

tutorial:ldap:installopenldap [2016-04-03 21:56] – [Step 2] weichbr
tutorial:ldap:installopenldap [2025-06-16 14:43] (current) – removed weichbr
Line 1: Line 1:
-{{tag>tutorial ldap}} 
  
-====== Install and configure OpenLDAP on Debian 8 (Jessie) ====== 
- 
-===== Requirements ===== 
-  * Debian 8 installation 
- 
----- 
- 
-===== Installation ===== 
-  * <code>apt-get install slapd ldap-utils</code> 
-  * During installation, set an admin password 
-  * Open ''%%/etc/ldap/ldap.conf%%'' and set the ''%%BASE%%'' and ''%%URI%%'' parameters: 
-  * <code> 
-# 
-# LDAP Defaults 
-# 
- 
-# See ldap.conf(5) for details 
-# This file should be world readable but not world writable. 
- 
-BASE    dc=my,dc=domain,dc=tld 
-URI     ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666 
- 
-#SIZELIMIT      12 
-#TIMELIMIT      15 
-#DEREF          never 
- 
-# TLS certificates (needed for GnuTLS) 
-TLS_CACERT      /etc/ssl/certs/ca-certificates.crt 
- 
-TLS_REQCERT ALLOW 
-</code> 
-  * Run ''%%dkpg-reconfigure slapd%%'' 
-    * Answer the following prompts this way: 
- 
-| Omit OpenLDAP server configuration?                           | No                         | 
-| Organization name:                                            | <pick something>           | 
-| Administrator password:                                       | <same password as before>  | 
-| Confirm password:                                             | <same password as before>  | 
-| Database backend to use:                                      | MDB                        | 
-| Do you want the database to be removed when slapd is purged?  | No                         | 
-| Move old database?                                            | Yes                        | 
-| Allow LDAPv2 protocol?                                        | No                         | 
- 
-  * Test connection: 
-  * <code>$> ldapsearch -x</code> 
- 
----- 
- 
-===== Enforce Authorization ===== 
-  * We do not want our directory to be world readable 
-  *  
- 
----- 
- 
-===== Enabling TLS ===== 
-  * Make sure you have the following files: 
-    * cert.crt - Your certificate (without any other intermediate certs) 
-    * cert.key - Your private key 
-    * chain.pem - The intermediate certs 
-  * I assume the files are located at ''%%/opt/ssl%%'' 
-  * Add the openldap user to the ssl-cert group: 
-  * <code>$> usermod -aG ssl-cert openldap</code> 
-  * chown your files and set permissions: 
-  * <code> 
-$> chown root:ssl-cert cert.crt cert.key chain.pem 
-$> chmod 640 cert.crt cert.key chain.pem 
-</code> 
-  * Create the tls.ldif file: 
-  * <code> 
-dn: cn=config 
-changetype: modify 
-add: olcTLSCipherSuite 
-olcTLSCipherSuite: NORMAL 
-- 
-add: olcTLSCRLCheck 
-olcTLSCRLCheck: none 
-- 
-add: olcTLSVerifyClient 
-olcTLSVerifyClient: never 
-- 
-add: olcTLSCACertificateFile 
-olcTLSCACertificateFile: /opt/ssl/chain.pem 
-- 
-add: olcTLSCertificateFile 
-olcTLSCertificateFile: /opt/ssl/cert.crt 
-- 
-add: olcTLSCertificateKeyFile 
-olcTLSCertificateKeyFile: /opt/ssl/cert.key 
-- 
-add: olcTLSProtocolMin 
-olcTLSProtocolMin: 3.3 
-</code> 
-  * And apply it 
-  * <code>$> ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif</code> 
-  * To enforce TLS create the following ldif file and apply it: 
-  * <code> 
-dn: olcDatabase={1}mdb,cn=config 
-changetype: modify 
-add: olcSecurity 
-olcSecurity: tls=1 
-</code> 
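Review bot: in the removed `/etc/ldap/ldap.conf` block, `TLS_REQCERT ALLOW` makes clients proceed even when the server certificate fails verification, so the `TLS_CACERT /etc/ssl/certs/ca-certificates.crt` line above it has no practical effect; if this page is restored or replaced rather than dropped, that line should be removed (the default is `demand`) so the CA bundle is actually enforced. In the same block, `URI ldaps://ldap.my.domain.tld ldap://ldap.my.domain.tld:666` uses a non-standard plaintext port that nothing else on the page configures; the standard port is 389, and once the final LDIF sets `olcSecurity: tls=1` on `olcDatabase={1}mdb`, the earlier connection test `ldapsearch -x` will only succeed over the `ldaps://` URI or with `-ZZ` (StartTLS) on the `ldap://` one, which the text does not mention. Two smaller points: `dkpg-reconfigure slapd` is a typo for `dpkg-reconfigure slapd`, and the "Enforce Authorization" section ends in an empty bullet after "We do not want our directory to be world readable", so the access-control step it announces was never written.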
  • tutorial/ldap/installopenldap.1459713390.txt.gz
  • Last modified: 2018-06-03 14:10
  • (external edit)