Difference between revisions of "OpenLDAP"

From ArchWiki
(Start slapd with SSL: add bug)
(The server: important things first)
Revision as of 17:48, 5 November 2013


This article or section is out of date.

Reason: slapd.conf(5) is deprecated; use slapd-config(5).

OpenLDAP, LDAP & Directory services are an enormous topic. Configuration is therefore complex. This page is a starting point for a basic OpenLDAP installation and a sanity check.

If you are totally new to these concepts, this is a good introduction that is easy to understand and will get you started, even if you are new to everything LDAP.

Installation

OpenLDAP contains both an LDAP server and a client. Install it with the package openldap, available in the official repositories.

Configuration

The server

Note: If you already have an OpenLDAP database on your machine, remove it by deleting everything inside /var/lib/openldap/openldap-data/.

The server configuration file is located at /etc/openldap/slapd.conf.

Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use example for the domain name, and com for the tld. The rootdn is your LDAP administrator's name (we'll use root here).

suffix     "dc=example,dc=com"
rootdn     "cn=root,dc=example,dc=com"

Now we delete the default root password and create a strong one:

# sed -i "/rootpw/ d" /etc/openldap/slapd.conf                 # find the line containing rootpw and delete it
# echo "rootpw    $(slappasswd)" >> /etc/openldap/slapd.conf   # append a rootpw line holding the hashed password printed by slappasswd
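The same rootpw replacement as an added example (not from the ArchWiki page): a small POSIX shell script that takes the already-hashed value as an argument instead of running slappasswd inline, removes every existing rootpw line so the step can be repeated safely, and then checks that the stored value is a {SCHEME}-prefixed hash rather than a cleartext password. The script name, the usage line and the placeholder hashes are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: manage the rootpw line of
# slapd.conf. Usage (script name is this example's choice):
#   sh rootpw.sh /etc/openldap/slapd.conf "$(slappasswd)"
# slappasswd prompts for the password and prints a {SSHA}... hash; only the
# hash reaches this script, so the cleartext never lands in shell history.
set -eu

# set_rootpw CONF HASH
# Remove every existing rootpw line (leading whitespace allowed), then append
# the hashed value. Running it twice leaves exactly one rootpw line.
set_rootpw() {
    conf=$1
    hash=$2
    sed -i '/^[[:space:]]*rootpw[[:space:]]/d' "$conf"
    printf 'rootpw\t%s\n' "$hash" >> "$conf"
}

# rootpw_is_hashed CONF
# Exit 0 only if CONF has exactly one rootpw line and its value is in
# {SCHEME}... form (e.g. {SSHA}); a bare cleartext password, a missing line
# or a duplicated line all return 1.
rootpw_is_hashed() {
    conf=$1
    count=$(grep -c '^[[:space:]]*rootpw[[:space:]]' "$conf" || true)
    [ "$count" -eq 1 ] || return 1
    value=$(awk '$1 == "rootpw" { print $2 }' "$conf")
    case $value in
        "{"?*"}"?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Command-line entry point: only runs when both arguments are given.
if [ $# -eq 2 ]; then
    set_rootpw "$1" "$2"
    if rootpw_is_hashed "$1"; then
        echo "rootpw in $1 is set to a hashed value"
    else
        echo "rootpw in $1 is not a {SCHEME} hash, check the argument" >&2
        exit 1
    fi
fi
```

rootpw_is_hashed only recognises the {SCHEME} prefix; it does not judge the scheme itself, so a {CLEARTEXT} value would still pass and is worth grepping for separately.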

You will likely want to add some typically used schemas to the top of slapd.conf:

include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

You will likely want to add some typically used indexes to the bottom of slapd.conf:

index   uid             pres,eq
index   mail            pres,sub,eq
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   dc              eq

Now prepare the run directory:

# mkdir /run/openldap
# chown ldap:ldap /run/openldap

Now prepare the database directory. You will need to copy the default config file and set the proper ownership:

# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG

Perform an initial index after you populate your directory:

# slapindex
# chown ldap:ldap /var/lib/openldap/openldap-data/*

Finally you can start the slapd daemon with slapd.service using systemd.

If you want to change the port the server should listen on or if you want to use SSL, you will need to edit /etc/conf.d/slapd. See #OpenLDAP over TLS for more information.

The client

The client is usually not much trouble. Just keep in mind that the applications requiring LDAP authentication use it, so if something goes wrong with LDAP, do not waste your time on the application; start debugging the client instead.

The client config file is located at /etc/openldap/ldap.conf. It is actually very simple.

If you decide to use SSL:

  • The protocol (ldap or ldaps) in the URI entry has to conform with the slapd configuration
  • If you decide to use self-signed certificates, you have to add them to TLS_CACERT

Test your new OpenLDAP installation

This is easy, just run the command below:

ldapsearch -x -b "" -s base '(objectclass=*)' namingContexts

Or more explicitly using the example configuration we had above:

ldapsearch -v -W -D "cn=root,dc=example,dc=com" -b "" -x -s base '(objectclass=*)' namingContexts

Now you should see some information about your database.

OpenLDAP over TLS

Note: The upstream documentation is much more useful and complete than this section.

If you access the OpenLDAP server over the network, and especially if you have sensitive data stored on the server, you run the risk of someone sniffing your data, which is sent in cleartext. The next part will guide you through setting up an SSL connection between the LDAP server and the client so the data will be sent encrypted.

In order to use TLS, we must first create a certificate. You can have a certificate signed, or create your own Certificate Authority (CA), but for our purposes a self-signed certificate will suffice.

Warning: OpenLDAP cannot use a certificate that has a password associated to it.

Create a self-signed certificate

To create a self-signed certificate, type the following:

openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365

You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).

Now that the certificate files have been created, copy them to /etc/openldap/ssl/ (if this directory does not exist, create it) and secure them. IMPORTANT: slapdcert.pem must be world readable because it contains the public key. slapdkey.pem, on the other hand, should only be readable by the ldap user for security reasons:

cp slapdcert.pem slapdkey.pem /etc/openldap/ssl/
chown ldap /etc/openldap/ssl/slapdkey.pem
chmod 400 /etc/openldap/ssl/slapdkey.pem
chmod 444 /etc/openldap/ssl/slapdcert.pem

Configure slapd for SSL

Edit the daemon configuration file (/etc/openldap/slapd.conf) to tell LDAP where the certificate files reside by adding the following lines:

# Certificate/SSL Section
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem

The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. NOTE: HIGH, MEDIUM, and +SSLv2 are all wildcards.

Note: To see which ciphers are supported by your local OpenSSL installation, type the following: openssl ciphers -v ALL

Start slapd with SSL

This article or section is out of date.

Reason: systemd doesn't use /etc/conf.d/, see FS#35477.

In order to tell OpenLDAP to start using encryption, edit /etc/conf.d/slapd, uncomment the SLAPD_SERVICES line and set it to the following:

SLAPD_SERVICES="ldaps:///"

Localhost connections don't need to use SSL so you can use this instead:

SLAPD_SERVICES="ldap://127.0.0.1 ldaps:///"

IMPORTANT: If you created a self-signed certificate above, be sure to add the following line to /etc/openldap/ldap.conf or you will not be able to connect to the server to test it:

TLS_REQCERT allow

Finally restart the server.
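The checks an administrator would want to run after the restart, as an added example that is not part of the ArchWiki page: a POSIX shell script that verifies the key and certificate file modes and owner from the certificate section, flags a TLSCipherSuite value that still enables SSLv2 or the MEDIUM, LOW, EXPORT or NULL cipher classes, and reports a client ldap.conf that keeps TLS_REQCERT allow (or never) beyond the initial test, because with those values the client proceeds even when it cannot verify the server certificate. The script name, the default paths, the OWNER argument and the hardened cipher string HIGH:!aNULL:!eNULL:!MD5 are this example's own assumptions, not values from the page or from upstream OpenLDAP.

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: audit the TLS setup from the
# sections above. Usage (script name and order of arguments are this
# example's choice; OWNER defaults to "ldap", the user slapd runs as on Arch):
#   sh tls_audit.sh KEY CERT SLAPD_CONF LDAP_CONF [OWNER]
set -eu

# check_tls_files KEY CERT OWNER
# The private key must be mode 0400 and owned by OWNER; the certificate must
# be readable by everyone (-0444 = all three read bits set). find(1)'s
# -perm/-user tests are POSIX, unlike the format options of stat(1).
check_tls_files() {
    key=$1
    cert=$2
    owner=$3
    if [ -z "$(find "$key" -perm 0400 -user "$owner" -print)" ]; then
        echo "FAIL: $key must be mode 0400 and owned by $owner" >&2
        return 1
    fi
    if [ -z "$(find "$cert" -perm -0444 -print)" ]; then
        echo "FAIL: $cert must be world-readable" >&2
        return 1
    fi
    return 0
}

# check_cipher_suite SLAPD_CONF
# Split the TLSCipherSuite value on ':' and fail on any element that enables
# SSLv2 or a weak cipher class. Elements starting with '!' or '-' remove
# ciphers and are fine, so the hardened string HIGH:!aNULL:!eNULL:!MD5
# (this example's choice) passes while the page's HIGH:MEDIUM:+SSLv2 fails.
check_cipher_suite() {
    conf=$1
    suite=$(awk '$1 == "TLSCipherSuite" { print $2 }' "$conf")
    if [ -z "$suite" ]; then
        echo "FAIL: no TLSCipherSuite in $conf" >&2
        return 1
    fi
    old_ifs=$IFS
    IFS=:
    for elem in $suite; do
        case $elem in
            '!'*|-*) ;;
            *SSLv2*|MEDIUM|LOW|EXPORT*|NULL|aNULL|eNULL|COMPLEMENTOFDEFAULT)
                IFS=$old_ifs
                echo "FAIL: TLSCipherSuite enables weak element '$elem'" >&2
                return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# check_client_reqcert LDAP_CONF
# "TLS_REQCERT allow" (and "never") lets the client continue when the server
# certificate fails verification. That is acceptable for the first connection
# test, but afterwards the client should verify the certificate (the default,
# "demand") against the self-signed cert listed in TLS_CACERT.
check_client_reqcert() {
    conf=$1
    req=$(awk 'toupper($1) == "TLS_REQCERT" { print tolower($2) }' "$conf")
    case ${req:-demand} in
        allow|never)
            echo "FAIL: TLS_REQCERT $req disables server verification in $conf" >&2
            return 1 ;;
    esac
    if ! awk 'toupper($1) == "TLS_CACERT" { found = 1 } END { exit !found }' "$conf"; then
        echo "FAIL: no TLS_CACERT in $conf, a self-signed server cert cannot be verified" >&2
        return 1
    fi
    return 0
}

# Command-line entry point: run all three checks and exit non-zero if any failed.
if [ $# -ge 4 ]; then
    status=0
    check_tls_files "$1" "$2" "${5:-ldap}" || status=1
    check_cipher_suite "$3" || status=1
    check_client_reqcert "$4" || status=1
    exit $status
fi
```

The cipher check only reads the configured string; to see what a given string actually expands to on the local OpenSSL build, pass it to openssl ciphers -v as the note above describes.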

Next Steps

You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, Postfix, etc.).

For a directory used for system authentication, see the LDAP Authentication article.

Troubleshooting

If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:

# chown ldap:ldap /var/lib/openldap/openldap-data/*

to allow slapd write access to its data directory as the user "ldap".

See Also