Difference between revisions of "OpenLDAP"
(→The client: remove obvious note that is unlikely to help someone)
(→The client: change 127.0.0.1 to localhost so it'll work on ipv6, remove "HOST" line as it is not there by default and unneeded)
|Line 87:||Line 87:|
TLS_REQCERT allow # only needed if you use SSL
TLS_REQCERT allow # only needed if you use SSL
Revision as of 02:30, 7 January 2014
OpenLDAP is an open-source implementation of the LDAP protocol. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or Linux system authentication, where it replaces
/etc/passwd) and basically holds the user data.
The closest analogue to real life, would be the telephone directory. Another generalised explanation of what an LDAP server does is that it is a database (which it basically is, but it is not relational) which is optimised for accessing the data and not writing them.
Commands relate to OpenLDAP that begin with
ldapsearch) are client-side utilities while commands that begin with
slapcat) are server-side.
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check.
If you are totally new to those concepts, this is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.
OpenLDAP contains both a LDAP server and client. Install it with the package official repositories., available in the
The server configuration file is located at
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use example for the domain name, and com for the tld. The rootdn is your LDAP administrator's name (we'll use root here).
suffix "dc=example,dc=com" rootdn "cn=root,dc=example,dc=com"
Now we delete the default root password and create a strong one:
# sed -i "/rootpw/ d" slapd.conf #find the line with rootpw and delete it # echo "rootpw $(slappasswd)" >> slapd.conf #add a line which includes the hashed password output from slappasswd
You will likely want to add some typically used schemas to the top of
include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema
You will likely want to add some typically used indexes to the bottom of
index uid pres,eq index mail pres,sub,eq index cn pres,sub,eq index sn pres,sub,eq index dc eq
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG # chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG
Now prepare the run directory:
# mkdir /run/openldap # chown ldap:ldap /run/openldap
slap.configis deprecated. From this version on all configuration settings are stored in
To store the recent changes in
slapd.conf to the new
slapd-config(5) configuration settings, we have to delete the old configuration files first:
# rm -rf /etc/openldap/slapd.d/*
Then we generate the new configuration with:
# slapdtest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
Check if everything succeeded and finally start the slapd daemon with
slapd.service using systemd.
# slapindex # chown ldap:ldap /var/lib/openldap/openldap-data/*
The client config file is located at
It is quite simple: you'll only have to alter
BASE to reflect the suffix of the server, and
URI to reflect the address of the server, like:
BASE dc=example,dc=com URI ldap://localhost TLS_REQCERT allow # only needed if you use SSL
If you decide to use SSL:
- The protocol (ldap or ldaps) in the
URIentry has to conform with the slapd configuration
- If you decide to use self-signed certificates, add a
Test your new OpenLDAP installation
This is easy, just run the command below:
$ ldapsearch -x '(objectclass=*)'
Or authenticating as the rootdn (replacing
-D <user> -W), using the example configuration we had above:
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'
Now you should see some information about your database.
OpenLDAP over TLS
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.
In order to use TLS, we must first create a certificate. You can have a certificate signed, or create your own Certificate Authority (CA), but for our purposed, a self-signed certificate will suffice.
Create a self-signed certificate
To create a self-signed certificate, type the following:
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).
Now that the certificate files have been created copy them to
/etc/openldap/ssl/ (if this directory doesn't exist create it) and secure them.
slapdcert.pem must be world readable because it contains the public key.
slapdkey.pem on the other hand should only be readable for the ldap user for security reasons:
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/ # chmod -R 744 /etc/openldap/ssl/ # chmod 400 /etc/openldap/ssl/slapdkey.pem # chmod 444 /etc/openldap/ssl/slapdcert.pem # chown ldap /etc/openldap/ssl/slapdkey.pem
/etc/openldap/slapd.d folder and it's files should be owned by
ldap user and group:
# chown -R ldap:ldap /etc/openldap/slapd.d/
Configure slapd for SSL
Edit the daemon configuration file (
/etc/openldap/slapd.conf) to tell LDAP where the certificate files reside by adding the following lines:
# Certificate/SSL Section TLSCipherSuite HIGH:MEDIUM:-SSLv2 TLSCertificateFile /etc/openldap/ssl/slapdcert.pem TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. NOTE: HIGH, MEDIUM, and +SSLv2 are all wildcards.
openssl ciphers -v ALL
Start slapd with SSL
You will have to edit
slapd.service to change to protocol slapd listens on.
slapd.service if it's enabled.
Then, copy the stock service to
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/
Edit it, and add change
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the
ExecStart line to:
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"
Then reenable and start it:
# systemctl daemon-reload # systemctl restart slapd.service
slapd started successfully you can enable it with:
# systemctl enable slapd.service
/etc/openldap/ldap.confor you won't be able connect to the server.
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, Postfix, etc).
A directory for system authentication is the LDAP Authentication article.
A nice web frontend is phpLDAPadmin.
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:
# chown ldap:ldap /var/lib/openldap/openldap-data/*
to allow slapd write access to its data directory as the user "ldap"
- Official OpenLDAP Software 2.4 Administrator's Guide
- phpLDAPadmin is a web interface tool in the style of phpMyAdmin.
- LDAP Authentication
- Arch User Repository is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations. AUR from the