Kangtain at 13:26, 11 May 2024

2024-05-11T13:26:30Z

← Older revision		Revision as of 20:26, 11 May 2024
Line 58:		Line 58:

	== Step 3: Configuring the LDAP Clients ==		== Step 3: Configuring the LDAP Clients ==
	<code>/etc/ldap/ldap.conf</code> is the configuration file for all OpenLDAP clients. Open this file.		<code>/etc/ldap/ldap.conf</code> is the configuration file for all OpenLDAP clients. Open this file.<syntaxhighlight lang="bash">
	sudo nano /etc/ldap/ldap.conf		sudo nano /etc/ldap/ldap.conf
	We need to specify two parameters: the '''base DN''' and the '''URI''' of our OpenLDAP server. Copy and paste the following text at the end of the file. Replace <code>your-domain</code> and <code>com</code> as appropriate.		</syntaxhighlight>We need to specify two parameters: the '''base DN''' and the '''URI''' of our OpenLDAP server. Copy and paste the following text at the end of the file. Replace <code>your-domain</code> and <code>com</code> as appropriate.<syntaxhighlight lang="bash">
	BASE dc=your-domain,dc=com		BASE dc=your-domain,dc=com
	URI ldap://localhost		URI ldap://localhost
	The first line defines the base DN. It tells the client programs where to start their search in the directory. If you used a subdomain when configuring OpenLDAP server, then you need to add the subdomain here like so		</syntaxhighlight>The first line defines the base DN. It tells the client programs where to start their search in the directory. If you used a subdomain when configuring OpenLDAP server, then you need to add the subdomain here like so<syntaxhighlight lang="bash">
	BASE dc=subdomain,dc=your-domain,dc=com		BASE dc=subdomain,dc=your-domain,dc=com
	The second line defines the URI of our OpenLDAP server. Since the LDAP server and client are on the same machine, we should set the URI to <code>ldap://localhost</code>. You can add multiple URIs later if the need arises.		</syntaxhighlight>The second line defines the URI of our OpenLDAP server. Since the LDAP server and client are on the same machine, we should set the URI to <code>ldap://localhost</code>. You can add multiple URIs later if the need arises.

	Save and close the file.		Save and close the file.
Line 72:		Line 72:
	Now that OpenLDAP server is running and client configuration is done, run the following command to make test connections to the server.		Now that OpenLDAP server is running and client configuration is done, run the following command to make test connections to the server.
	ldapsearch -x		ldapsearch -x
	Output:		Output:<syntaxhighlight lang="bash">
	# extended LDIF		# extended LDIF
	#		#
	# LDAPv3		# LDAPv3
	# base <dc=linuxbabe,dc=com> (default) with scope subtree		# base <dc=linuxbabe,dc=com> (default) with scope subtree
	# filter: (objectclass=*)		# filter: (objectclass=*)
	# requesting: ALL		# requesting: ALL
	#		#

	# linuxbabe.com		# linuxbabe.com
	dn: dc=linuxbabe,dc=com		dn: dc=linuxbabe,dc=com
	objectClass: top		objectClass: top
	objectClass: dcObject		objectClass: dcObject
	objectClass: organization		objectClass: organization
	o: LinuxBabe		o: LinuxBabe
	dc: linuxbabe		dc: linuxbabe

	# admin, linuxbabe.com		# admin, linuxbabe.com
	dn: cn=admin,dc=linuxbabe,dc=com		dn: cn=admin,dc=linuxbabe,dc=com
	objectClass: simpleSecurityObject		objectClass: simpleSecurityObject
	objectClass: organizationalRole		objectClass: organizationalRole
	cn: admin		cn: admin
	description: LDAP administrator		description: LDAP administrator

	# search result		# search result
	search: 2		search: 2
	~~'''~~result: 0 Success~~'''~~		result: 0 Success

	# numResponses: 3		# numResponses: 3
	# numEntries: 2		# numEntries: 2
	'''~~Result~~: 0 Success''' indicates that OpenLDAP server is working. If you get the following line, then it’s not working.		</syntaxhighlight>'''sult: 0 Success''' indicates that OpenLDAP server is working. If you get the following line, then it’s not working.
	result: 32 No such object		result: 32 No such object

Kangtain: /* Source */

2024-05-09T14:10:52Z

Source

← Older revision		Revision as of 21:10, 9 May 2024
Line 233:		Line 233:
	== Source ==		== Source ==

	* [https://www.linuxbabe.com/debian/set-up-openldap-server-debian linuxbabe.com]		* [https://www.linuxbabe.com/debian/set-up-openldap-server-debian linuxbabe.com] [https://web.archive.org/web/20240509135259/http://web.archive.org/screenshot/https://www.linuxbabe.com/debian/set-up-openldap-server-debian archived]

	[[Category:Linux]]		[[Category:Linux]]
	[[Category:Debian]]		[[Category:Debian]]
	[[Category:Ubuntu]]		[[Category:Ubuntu]]

Kangtain: Created page with "'''OpenLDAP''' is an open-source and fast '''directory server''' that provides network clients with directory services. Client applications connect to OpenLDAP server using the '''Lightweight Directory Access Protocol (LDAP)''' to access organizational information stored on that server. Given the appropriate access, clients can search the directory, modify and manipulate records in the directory. OpenLDAP is efficient in both reading and modifying data in the directory...."

2024-05-09T13:01:26Z

Created page with "'''OpenLDAP''' is an open-source and fast '''directory server''' that provides network clients with directory services. Client applications connect to OpenLDAP server using the '''Lightweight Directory Access Protocol (LDAP)''' to access organizational information stored on that server. Given the appropriate access, clients can search the directory, modify and manipulate records in the directory. OpenLDAP is efficient in both reading and modifying data in the directory...."

New page

'''OpenLDAP''' is an open-source and fast '''directory server''' that provides network clients with directory services. Client applications connect to OpenLDAP server using the '''Lightweight Directory Access Protocol (LDAP)''' to access organizational information stored on that server. Given the appropriate access, clients can search the directory, modify and manipulate records in the directory. OpenLDAP is efficient in both reading and modifying data in the directory.

OpenLDAP servers are most commonly used to provide centralized management of user accounts. For example, you can create an account in OpenLDAP and if it is connected with a mail server, FTP server, Samba server, or any other server, you can use the account to log in to these servers without creating a new account for each server.

OpenLDAP is considered lightweight in comparison to the X.500 directory service. LDAP v3 has only 9 core operations and provides a simpler model for programmers and administrators.

== Step 1: Install OpenLDAP Server on Debian 11 ==
Run the following command to install OpenLDAP server and the client command-line utilities from Debian 11 package repository. <code>slapd</code> stands for the '''Stand-Alone LDAP Daemon'''.<syntaxhighlight lang="bash">
sudo apt install slapd ldap-utils
</syntaxhighlight>You will be asked to set a password for the admin entry in the LDAP directory.

Once it’s done, <code>slapd</code> will be automatically started. You can check out its status with:<syntaxhighlight lang="bash">
systemctl status slapd
</syntaxhighlight>Sample output:<syntaxhighlight lang="bash">
● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
Loaded: loaded (/etc/init.d/slapd; generated)
Drop-In: /usr/lib/systemd/system/slapd.service.d
└─slapd-remain-after-exit.conf
Active: active (running) since Wed 2022-05-25 16:28:52 CST; 13s ago
Docs: man:systemd-sysv-generator(8)
Process: 208178 ExecStart=/etc/init.d/slapd start (code=exited, status=0/SUCCESS)
Tasks: 3 (limit: 1093)
Memory: 3.1M
CPU: 26ms
CGroup: /system.slice/slapd.service
</syntaxhighlight>'''Hint''': If the above command doesn’t quit immediately, you need to press Q to get back to the command prompt.

'''Hint''': If the above command doesn’t quit immediately, you need to press <code>Q</code> to get back to the command prompt.

By default, it runs as the <code>openldap</code> user as is defined in <code>/etc/default/slapd</code> file.

== Step 2: Basic Post-Installation Configuration ==
The installation process installs the package without any configurations. To have our OpenLDAP server running properly, we need to do some basic post-installation configuration. Run the following command to start the configuration wizard.<syntaxhighlight lang="bash">
sudo dpkg-reconfigure slapd
</syntaxhighlight>You will need to answer a series of questions. Answer these questions as follows:

* '''Omit LDAP server configuration''': '''''NO'''''.
* '''DNS domain name''': Enter your domain name like <code>linuxbabe.com</code>. You will need to set a correct A record for your domain name. You can also use a subdomain like <code>directory.linuxbabe.com</code>. This information is used to create the '''base DN (distinguished name)''' of the LDAP directory.

* '''Organization name''': Enter your organization name like ''LinuxBabe''.

* '''Administrator password''': Enter the same password set during installation.

* Database backend to use: '''MDB'''.
* '''BDB''' (Berkeley Database) is slow and cumbersome. It is deprecated and support will be dropped in future OpenLDAP releases.
* '''HDB''' (Hierarchical Database) is a variant of the BDB backend and will also be deprecated.
* '''MDB''' reads are 5-20x faster than BDB. Writes are 2-5x faster. And it consumes 1/4 as much RAM as BDB. So we choose MDB as the database backend.

* Do you want the database to be removed when slapd is purged? '''No'''.

* Move old database? '''Yes'''.

* Allow LDAPv2 protocol? '''No'''. The latest version of LDAP is LDAP v.3, developed in 1997. LDAPv2 is obsolete.

Now the process will reconfigure the OpenLDAP service according to your answers. Your OpenLDAP server is now ready to use.

If you made a mistake, you can always run the <code>sudo dpkg-reconfigure slapd</code> command again to re-configure OpenLDAP.

== Step 3: Configuring the LDAP Clients ==
<code>/etc/ldap/ldap.conf</code> is the configuration file for all OpenLDAP clients. Open this file.
sudo nano /etc/ldap/ldap.conf
We need to specify two parameters: the '''base DN''' and the '''URI''' of our OpenLDAP server. Copy and paste the following text at the end of the file. Replace <code>your-domain</code> and <code>com</code> as appropriate.
BASE dc=your-domain,dc=com
URI ldap://localhost
The first line defines the base DN. It tells the client programs where to start their search in the directory. If you used a subdomain when configuring OpenLDAP server, then you need to add the subdomain here like so
BASE dc=subdomain,dc=your-domain,dc=com
The second line defines the URI of our OpenLDAP server. Since the LDAP server and client are on the same machine, we should set the URI to <code>ldap://localhost</code>. You can add multiple URIs later if the need arises.

Save and close the file.

== Step 4: Testing OpenLDAP Server ==
Now that OpenLDAP server is running and client configuration is done, run the following command to make test connections to the server.
ldapsearch -x
Output:
# extended LDIF
#
# LDAPv3
# base <dc=linuxbabe,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# linuxbabe.com
dn: dc=linuxbabe,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: LinuxBabe
dc: linuxbabe

# admin, linuxbabe.com
dn: cn=admin,dc=linuxbabe,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
'''result: 0 Success'''

# numResponses: 3
# numEntries: 2
'''Result: 0 Success''' indicates that OpenLDAP server is working. If you get the following line, then it’s not working.
result: 32 No such object

== Step 5: Installing LDAP Account Manager ==
'''LDAP Account Manager''' is a web-based program for managing OpenLDAP server. The command-line utilities can be used to manage our OpenLDAP server, but for those who want an easy-to-use interface, you can install LDAP Account Manager.

Run the following command to install LDAP Account Manager from Debian package repository.
sudo apt install ldap-account-manager
If your Debian server doesn’t have a web server running, then the above command will install the Apache web server as a dependency. If there’s already a web server such as Nginx, then Apache won’t be installed.

== Step 6: Install Required and Recommended PHP Modules ==
Run the following command to install PHP modules required or recommended by LDAP account manager.
sudo apt install php7.4-fpm php7.4-imap php7.4-mbstring php7.4-mysql php7.4-json php7.4-curl php7.4-zip php7.4-xml php7.4-bz2 php7.4-intl php7.4-gmp php7.4-redis

== Step 7: Create a Virtual Host for LDAP Account Manager ==

=== Apache ===
If you use Apache web server, create a virtual host for LDAP Account Manager.
sudo nano /etc/apache2/sites-available/ldap-account-manager.conf
Put the following text into the file. Replace <code>openldap.example.com</code> with your real domain name and don’t forget to set DNS A record for it.
<VirtualHost *:80>
ServerName openldap.example.com
DocumentRoot /usr/share/ldap-account-manager

ErrorLog ${APACHE_LOG_DIR}/ldap-account-manager_error.log
CustomLog ${APACHE_LOG_DIR}/ldap-account-manager_access.log combined

Alias /lam /usr/share/ldap-account-manager
<Directory />
Options FollowSymLinks
AllowOverride All
Require all granted
DirectoryIndex index.html
</Directory>

<Directory /var/lib/ldap-account-manager/tmp>
Options -Indexes
</Directory>

<Directory /var/lib/ldap-account-manager/tmp/internal>
Options -Indexes
Require all denied
</Directory>

<Directory /var/lib/ldap-account-manager/sess>
Options -Indexes
Require all denied
</Directory>

<Directory /var/lib/ldap-account-manager/config>
Options -Indexes
Require all denied
</Directory>

<Directory /usr/share/ldap-account-manager/lib>
Options -Indexes
Require all denied
</Directory>

<Directory /usr/share/ldap-account-manager/help>
Options -Indexes
Require all denied
</Directory>

<Directory /usr/share/ldap-account-manager/locale>
Options -Indexes
Require all denied
</Directory>

</VirtualHost>
Save and close the file. Then enable this virtual host with:
sudo a2ensite ldap-account-manager.conf
Reload Apache for the changes to take effect.
sudo systemctl reload apache2
Now you should be able to access the LDAP Account Manager web interface at <code><nowiki>http://openldap.example.com</nowiki></code>.

=== Nginx ===
If you use Nginx web server, create a virtual host for LDAP Account Manager.
sudo nano /etc/nginx/conf.d/ldap-account-manager.conf
Copy the following text and paste it to the file. Replace ldap.your-domain.com with your preferred domain name.
server {
listen 80;
server_name openldap.your-domain.com;

root /usr/share/ldap-account-manager/;
index index.php index.html index.htm;

error_log /var/log/nginx/ldap-account-manager.error;
access_log /var/log/nginx/ldap-account-manager.access;

location ~ \.php$ {
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
include fastcgi_params;
}
}
Save and close the file. Then text Nginx configurations.
sudo nginx -t
If the test is successful, reload Nginx for the changes to take effect.
sudo systemctl reload nginx
Now you can access LDAP Account Manager web interface at <code>openldap.example.com</code>.

== Step 8: Enabling HTTPS ==
To encrypt the HTTP traffic, we can enable HTTPS by installing a free TLS certificate issued from Let’s Encrypt. Run the following command to install Let’s Encrypt client (certbot) on Debian server.
sudo apt install certbot
If you use '''Apache''', install the Certbot Apache plugin.
sudo apt install python3-certbot-apache
And run this command to obtain and install TLS certificate.
sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d openldap.example.com
If you use '''Nginx''', then you also need to install the Certbot Nginx plugin.
sudo apt install python3-certbot-nginx
Next, run the following command to obtain and install TLS certificate.
sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d openldap.example.com
Where

* <code>--nginx</code>: Use the nginx plugin.
* <code>--apache</code>: Use the Apache plugin.
* <code>--agree-tos</code>: Agree to terms of service.
* <code>--redirect</code>: Force HTTPS by 301 redirect.
* <code>--hsts</code>: Add the Strict-Transport-Security header to every HTTP response. Forcing browser to always use TLS for the domain. Defends against SSL/TLS Stripping.
* <code>--staple-ocsp</code>: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS.

The certificate should now be obtained and automatically installed, which is indicated by the message below.

== Step 9: Accessing LDAP Account Manager Web Interface ==
We can now test out the LDAP Account Manager tool with our web browser. When LDAP Account Manager first loads, it redirects you to the login page.

== Source ==

* [https://www.linuxbabe.com/debian/set-up-openldap-server-debian linuxbabe.com]

[[Category:Linux]]
[[Category:Debian]]
[[Category:Ubuntu]]

Debian: Set Up OpenLDAP Server - Revision history

Kangtain at 13:26, 11 May 2024

Kangtain: /* Source */