LDAP
Installation and Configuration
Follow https://www.vennedey.net/resources/0-Getting-started-with-OpenLDAP-on-Debian-8.
While proceeding we ignore the SLAPD_SERVICES changes and slapd_setup_basic.ldif.
Setup SSL/TLS
See https://kifarunix.com/setup-openldap-server-with-ssl-tls-on-debian-10/, section “Configure OpenLDAP with SSL/TLS”.
Set the new directory for certificates in /usr/lib/ssl/openssl.cnf:
[ CA_default ]
dir = /etc/ssl/openldap
The CA and the certificate for OpenLDAP can be generated with the following script (for details see the reference):
#!/bin/bash
set -e
# Directory layout expected by the [ CA_default ] section configured above
mkdir -p /etc/ssl/openldap/{private,certs,newcerts}
echo "1001" > /etc/ssl/openldap/serial
touch /etc/ssl/openldap/index.txt
# CA key: generated encrypted, then rewritten without passphrase so it can be used unattended
openssl genrsa -aes256 -out /etc/ssl/openldap/private/cakey.pem 4096
openssl rsa -in /etc/ssl/openldap/private/cakey.pem -out /etc/ssl/openldap/private/cakey.pem
# Self-signed CA certificate, valid for 10 years
openssl req -new -x509 -days 3650 -key /etc/ssl/openldap/private/cakey.pem -out /etc/ssl/openldap/certs/cacert.pem # TODO configure validity
# Server key (same passphrase handling) and signing request; the CN must be the LDAP server's FQDN
openssl genrsa -aes256 -out /etc/ssl/openldap/private/ldapserver-key.key 4096
openssl rsa -in /etc/ssl/openldap/private/ldapserver-key.key -out /etc/ssl/openldap/private/ldapserver-key.key
openssl req -new -key /etc/ssl/openldap/private/ldapserver-key.key -out /etc/ssl/openldap/certs/ldapserver-cert.csr
# Sign the request with the CA (dir is taken from openssl.cnf) and verify the result against the CA
openssl ca -keyfile /etc/ssl/openldap/private/cakey.pem -cert /etc/ssl/openldap/certs/cacert.pem -in /etc/ssl/openldap/certs/ldapserver-cert.csr -out /etc/ssl/openldap/certs/ldapserver-cert.crt
openssl verify -CAfile /etc/ssl/openldap/certs/cacert.pem /etc/ssl/openldap/certs/ldapserver-cert.crt
# slapd runs as user openldap and must be able to read the key and certificates
chown -R openldap: /etc/ssl/openldap/
To configure the certificate in OpenLDAP, create an LDIF file with the following content, e.g. ldap-tls.ldif:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/ldapserver-cert.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/ldapserver-key.key
and run
ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap-tls.ldif
To check the configuration run
slaptest -u
Restart slapd
systemctl restart slapd
and test the setup via
ldapwhoami -H ldap://<domain> -x -ZZ
The command should return
anonymous
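The following script, added here as an example and not taken from the referenced guides, checks the result of the steps above in one go: key file modes (both keys are stored unencrypted after the openssl rsa steps), that certificate and key belong together, the chain against the own CA, remaining validity, and a live StartTLS handshake with hostname verification, which is what a client with TLS_REQCERT demand enforces. The paths are the ones used on this page; LDAP_HOST is a placeholder for the server's FQDN.

```shell
#!/bin/sh
# Added post-setup checks for the OpenLDAP TLS configuration on this page.
# Paths as used above; LDAP_HOST is a placeholder and must match the cert's CN/SAN.
CA_CERT=${CA_CERT:-/etc/ssl/openldap/certs/cacert.pem}
CA_KEY=${CA_KEY:-/etc/ssl/openldap/private/cakey.pem}
SERVER_CERT=${SERVER_CERT:-/etc/ssl/openldap/certs/ldapserver-cert.crt}
SERVER_KEY=${SERVER_KEY:-/etc/ssl/openldap/private/ldapserver-key.key}
LDAP_HOST=${LDAP_HOST:-ldap.example.org}

# The "openssl rsa" steps above store both keys unencrypted, so the file mode
# must grant no group or world access. Succeeds only for 0600 or 0400.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}
# The certificate's public key must belong to the key handed to slapd;
# otherwise slapd refuses to start after the ldapmodify above.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}
# Same check as the "openssl verify" step above, plus an expiry margin:
# succeeds only if the cert is signed by the CA / does not expire within N days.
cert_chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
# Live StartTLS handshake on 389 with chain *and* hostname verification, i.e.
# what a client with TLS_REQCERT demand (such as ldapwhoami -ZZ) enforces.
starttls_ok() {
    openssl s_client -starttls ldap -connect "$1:389" -CAfile "$CA_CERT" \
        -verify_hostname "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

run_checks() {
    key_mode_ok "$SERVER_KEY" || echo "FAIL: $SERVER_KEY is group/world readable"
    key_mode_ok "$CA_KEY"     || echo "FAIL: $CA_KEY is group/world readable"
    cert_matches_key "$SERVER_CERT" "$SERVER_KEY" || echo "FAIL: cert and key do not match"
    cert_chain_ok "$CA_CERT" "$SERVER_CERT" || echo "FAIL: cert not issued by $CA_CERT"
    cert_valid_for_days "$SERVER_CERT" 30   || echo "FAIL: cert expires within 30 days"
    starttls_ok "$LDAP_HOST"                || echo "FAIL: StartTLS to $LDAP_HOST failed"
}
# Only touches the live server when started as: sh ldap-tls-check.sh run
if [ "${1:-}" = run ]; then run_checks; fi
```

Run it on the server after the systemctl restart; each failing check prints one FAIL line and a silent run means all checks passed.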
LDAP Account Manager
Note that the Apache configuration must not contain the header settings, compare Apache.
LDAP for Mail
MemberOf-Overlay
http://blog.cgiesel.de/blog/2013/07/23/memberof-in-openldap-unter-debian-aktivieren/