Debian 4.0 (Etch) LDAP Server

LDAP still gets me from time to time. I’ve set up multiple Debian LDAP servers now, and each time something new seems to trip me up. I’m going to try to put together a step-by-step LDAP guide that is sure to work (with Debian Etch). If you have any problems, please post! This setup has been tested on x86 and amd64 Debian variants. There seem to be some bugs with Debian’s default LDAP install (missing .so files, config files that don’t work, settings from the setup screens not being remembered). However, once everything works it’s rock solid.

apt-get install slapd ldap-utils libnss-ldap libpam-ldap nscd migrationtools


Add your admin password, and accept default ldapi for now. Replace example and net with your domain/hostname (where each “.” is a “dc=”).

libnss-ldap and libpam-ldap are set up the same way; use identical answers for both. The passwords are saved in /etc/*.secret, so make sure those files have permissions 600!

When prompted, replace ‘manager’ with ‘admin’ and example/net with your domain/hostname


Make root local database admin = yes

Database require login = no

Uncomment “rootdn” in /etc/ldap/slapd.conf and make sure every suffix is your domain and not a Debian default (for example, localdomain or example.net)

Place a “rootpw password” entry under rootdn, replacing password with the admin password you chose above

/etc/nsswitch.conf should look like:

passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: ldap

cd /usr/share/migrationtools

Edit migrate_common.ph and replace “padl.com” with your domain

./migrate_base.pl > /tmp/base.ldif

./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

./migrate_group.pl /etc/group /tmp/group.ldif

/etc/init.d/slapd restart

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/base.ldif

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/passwd.ldif

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/group.ldif

cp -p /usr/share/doc/libpam-ldap/examples/pam.d/* /etc/pam.d

apt-get install libpam-cracklib

ln -s /lib/security/pam_unix.so /lib/security/pam_pwdb.so

You may have to remove the first block of text in base.ldif (the base entry for your domain), since slapd should already have that entry from the package setup.

As far as I can tell, pam_ldap.conf and libnss-ldap.conf are broken by default. Do this to fix them.

echo > /etc/pam_ldap.conf

vim /etc/pam_ldap.conf

base dc=example,dc=net

uri ldap://127.0.0.1/

ldap_version 3

rootbinddn cn=admin,dc=example,dc=net

port 389

pam_password crypt

cp /etc/pam_ldap.conf /etc/libnss-ldap.conf

/etc/init.d/slapd restart

/etc/init.d/nscd restart

You might want to remove a test user from /etc/passwd and /etc/shadow that has been imported to ldap.

su - username

Is a good test. Check /var/log/auth.log if you have problems. If nothing is there, try

/etc/init.d/slapd stop

slapd -u openldap -g openldap -d 999

That will have slapd run as the user and group it’s supposed to, and be very verbose.

At this point, everything should be working (if not, don’t go any further yet!). Now we can turn on encryption to increase the security of our LDAP server.

cd /etc/ldap

mkdir ssl

openssl req -new -x509 -nodes -out ssl/ldap.pem -keyout ssl/ldap.pem -days 3650

chmod 640 ssl/ldap.pem

chmod 750 ssl

chown -R root:openldap ssl

At the very top of /etc/ldap/slapd.conf (in the global section, before any database definition) put

TLSCACertificateFile /etc/ldap/ssl/ldap.pem
TLSCertificateFile /etc/ldap/ssl/ldap.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap.pem
TLSCipherSuite HIGH:+MEDIUM:!LOW

TLSVerifyClient never

Find the "access" lines near the bottom of slapd.conf and change them like this. The "by" lines must be indented: slapd.conf treats a line that begins with whitespace as a continuation of the directive above it.

access to attrs=userPassword,shadowLastChange
  by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=net" write
  by tls_ssf=128 ssf=128 anonymous auth
  by tls_ssf=128 ssf=128 self write
  by * none

and

access to *
  by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=net" write
  by * read

Make sure you restart slapd:

/etc/init.d/slapd restart

Assuming all goes well, you should still be able to "su - username" to your ldap-only user with the added benefit of encryption.
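As an added check (example code written for this edit, not part of the original post or of the OpenLDAP project), the following Python parses the access rules above out of a slapd.conf text and reports any clause that lets a password attribute be read or written without an ssf/tls_ssf of 128, a catch-all that is not "by * none", and an access line with no by clauses at all, which is what slapd sees when the by lines are not indented. SAMPLE_CONF is constructed from the rules above; pass the real file's contents to check a live configuration.

```python
import re
# Constructed sample: the article's password ACL, with the "by" lines
# indented because slapd.conf treats a line that starts with whitespace
# as a continuation of the previous directive.
SAMPLE_CONF = """\
access to attrs=userPassword,shadowLastChange
  by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=net" write
  by tls_ssf=128 ssf=128 anonymous auth
  by tls_ssf=128 ssf=128 self write
  by * none
"""

def join_continuations(text):
    """Merge continuation lines into one logical directive per entry."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    return logical

def parse_access(directive):
    """Return (what, [(who_tokens, level), ...]) or None if not an ACL."""
    m = re.match(r"access\s+to\s+(.*?)(?:\s+by\s+(.*))?$", directive)
    if not m:
        return None
    clauses = [(c.split()[:-1], c.split()[-1])
               for c in re.split(r"\s+by\s+", m.group(2) or "") if c]
    return m.group(1), clauses

def min_ssf(who):
    """Lowest ssf/tls_ssf a who-spec demands; 0 if it demands none."""
    vals = [int(t.split("=", 1)[1]) for t in who if t.startswith(("ssf=", "tls_ssf="))]
    return min(vals) if vals else 0

def check_password_acl(text, attrs=("userPassword",), need_ssf=128):
    """List problems with how the password attributes are protected."""
    problems = []
    for directive in join_continuations(text):
        what, clauses = parse_access(directive) or ("", [])
        if not any(a in what for a in attrs):
            continue
        if not clauses:
            problems.append(f"'access to {what}' has no by clauses (indent them)")
        for who, level in clauses:
            if level == "none":
                continue
            if who == ["*"]:
                problems.append(f"catch-all grants {level} on {what}")
            elif min_ssf(who) < need_ssf:
                problems.append(f"'{' '.join(who)}' gets {level} on {what} without ssf>={need_ssf}")
    return problems
```

An empty list from check_password_acl means every non-"none" clause on the password attributes demands the 128-bit strength factor, so a plain-text bind cannot read or change userPassword.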

Additionally, if you find that SSL isn't working for you, try doing this.

Add the following to /etc/ldap/ldap.conf

TLS_CACERT /etc/ldap/ssl/ldap.pem
TLS_REQCERT demand

Add this to both pam_ldap.conf and libnss-ldap.conf

ssl start_tls

tls_checkpeer no

tls_cacertfile /etc/ldap/ssl/ldap.pem

After further investigation, 'ssl start_tls' is the way to go. Make sure ldap.conf has your SSL settings in it and restart slapd and nscd. Note that tls_checkpeer no means the client does not verify the server’s certificate, so the connection is encrypted but the client is not checking that it is talking to your server.

The (clean) config files from the working test server set up for this article: http://bbis.us/etch-ldap.tar.gz


46 Responses to “Debian 4.0 (Etch) LDAP Server”

  1. Termina says:

    Updated some of the information here; one line for slapd.conf and one word change in pam_ldap.conf/libnss-ldap.conf.

    Added a link to the (clean) config files from the working ldap test server I set up for this article.

    Assuming your permissions are right (owned by openldap in most cases), you know how to run ‘slapd -d 999’ and your database is in good condition everything should work just fine.

    You might want to apt-get install phpldapadmin to make adding users easier.

  2. Robert says:

    chmod 600 ssl/ldap.pem

    should probably be

    chmod 640 ssl/ldap.pem

  3. termina says:

    Good call, fixed that. 🙂

  4. emilioj says:

    Hi,

    your instructions have been very useful to me, as I am setting up an LDAP service on a Debian machine and my LDAP knowledge was 0 before starting. Debian packages didn’t provide enough help and I was in a complete deadlock.

    After following your instructions everything worked ok, at least before adding the TLS stuff. I even tried the ldap_integration module in drupal and it worked ok against the slapd server.

    Now I am trying to add the security layer and everything seems to be ok (again after following your instructions), but I am not able to make the drupal module work again. Well, really I am not sure whether the TLS configuration is working, though I can do ‘su - username’ successfully on the command line after adding all the TLS stuff and restarting the daemons. Shouldn’t slapd be running on another port (636?) now?

    Anyhow, thank you very much for your tutorial 🙂

  5. termina says:

    Nope, it will still run on 389.

    You might want to restart nscd and/or restart the machine and see if you can still ‘su - username’ with TLS enabled.

    Sorry, I’ve never used drupal so I can’t help. My only suggestion is to make sure it’s not trying to validate the certificate (since it’s self-signed) and that it’s listening on ldap://, not ldaps://

  6. Hroc says:

    Thanks, worked fine for me!

    I had to chmod a+r /etc/libnss-ldap.conf to make it work
    (http://blog.herbertm.ca/articles/2007/06/04/libnss-ldap-conf-permissions-bug)

  7. termina says:

    Hroc, thanks. 🙂

    However, you may want to do something like 640 instead (openldap as owner/group), since libnss-ldap.conf may contain sensitive information depending on how you set it up (proxyagents and whatnot).

  8. randall says:

    thanks for this…….

    your instructions worked flawlessly except for a missing cd /etc/ldap/ssl.

    i shamelessly copied this part and added it to my setup as described on http:/songshu.org/doku

  9. nasif says:

    hi,
    i am nasif. i’ve succeeded in installing an ldap server with ssl/tls on my debian. but now, i can’t open my ldap from phpldapadmin. is there something wrong? cause i’ve already done every step just like your instructions..

    btw, thanks for your help…

  10. termina says:

    nasif,

    What error do you have with phpldapadmin?

    You might want to try restarting slapd and then restarting apache.

  11. nasif says:

    i’ve already restarted slapd and apache. but phpldapadmin still can’t log me in. after googling, some forum said that phpldapadmin doesn’t support ssl/tls. is that correct? is there any application that can handle ldap as easily as phpldapadmin??
    thanks for your reply…

  12. termina says:

    That is not correct.

    Installing it via apt-get works just fine for me; you might want to check out your apache error.log file for more information, or ask on the phpldapadmin mailing list.

  13. kidnap says:

    i have a problem with ldap.. This error

    dpkg: error processing slapd (--configure):
    subprocess post-installation script returned error exit status 1
    Setting up ldap-utils (2.3.30-5+etch1) …
    Errors were encountered while processing:
    slapd

    please help me…. what’s wrong??

  14. termina says:

    There should be more to the error message, describing why it failed.

    Otherwise, try:

    apt-get remove --purge slapd
    apt-get install slapd

  15. kidnap says:

    i can’t try apt-get remove -purge slapd
    Reading package lists… Done
    Building dependency tree… Done
    E: Couldn’t find package –purge

    but when i try apt-get install slapd this message error

    Starting OpenLDAP: slapd – failed:
    Unrecognized database type (bdb)
    invoke-rc.d: initscript slapd, action “start” failed.
    dpkg: error processing slapd (--configure):
    subprocess post-installation script returned error exit status 1
    Errors were encountered while processing:
    slapd
    E: Sub-process /usr/bin/dpkg returned an error code (1)

  16. termina says:

    It’s --purge, with two hyphens before purge.

    WordPress for whatever reason screws up two hyphens in a row. *shrugs*

  17. Diederik says:

    Thanks for the great tutorial!

  18. Adam says:

    Did anyone install OpenLDAP + TLS on ubuntu 8.04? it seems that gnutls has issues. If anyone successfully implemented OpenLDAP + TLS please post the procedure here.

  19. krisbfunk says:

    I am unable to get past these lines:

    ldapadd -x -W -D ‘cn=admin,dc=my_domain,dc=com’ < /tmp/base.ldif

    ldapadd -x -W -D ‘cn=admin,dc=my_domain,dc=com’ < /tmp/passwd.ldif

    ldapadd -x -W -D ‘cn=admin,dc=my_domain,dc=com’ < /tmp/group.ldif

    The single quotes return a syntax error, and when replaced with double quotes, it states ” dc=my_domain,dc=com ” already exists.

  20. Mike says:

    Everything was going fine until I configed tls. It seems libnss is broken. I can’t su to a ldap users, id user or getent, etc.. Commands like ldapsearch are working fine and the network calls are encrypted. I’m running Debian Etch 4.0.

  21. termina says:

    krisbfunk: WordPress messes up those quotes; replace all the weird quotes with actual quotes.

  22. termina says:

    Mike: You might want to try downloading the config files from the article and replacing things where necessary.

  23. masterslave says:

    Where is the link to download the config files??

  24. Manfred says:

    Thanks for the great tutorial. I’ve been trying to set this up for a couple of days before I found this and finally it works!

  25. h3rbz says:

    Great instructions. Worked for me all the way.

    I have one suggestion though.. Since LDAP is especially useful in a setup with many clients using one LDAP resource, it might be a good idea to clearly separate client and server setups.

    This would offer a reference for setting up extra clients to use an already setup LDAP server.

    The actions to be performed on clients can be logically extracted from the whole, but offering them in clearly separated form might be an upgrade to an already very nice tutorial.

    Thx! 2 cent

  26. pachuco says:

    This is my second attempt; I can never get past these lines:
    ldapadd -x -W -D ‘cn=admin,dc=my_domain,dc=com’ < /tmp/base.ldif
    ldapadd -x -W -D ‘cn=admin,dc=my_domain,dc=com’ < /tmp/passwd.ldif
    ldapadd -x -W -D ‘cn=admin,dc=my_domain,dc=com’ < /tmp/group.ldif
    I always get prompted for a password and no matter what password I enter,
    I get an error that says: "ldap_bind: invalid DN syntax (34)"
    My LDAP admin password is “ldapadmin01” and my domain is “nassau.VOBtec.net”
    Please any help would be much appreciated.

  27. termina says:

    h3rbz, I did that already. 🙂 If it feels that this server has too much client information in it, it’s because I figure people will want to be able to authenticate with LDAP to the LDAP server.

    If you only want it to serve LDAP, and not act as a client, just skip the pam.d configuration as well as /etc/nsswitch.conf

  28. termina says:

    pachuco, did you set a rootpw entry in /etc/ldap/slapd.conf?

  29. pachuco says:

    Thank you for the fast response. I actually don’t know how to set up rootpw properly.
    I just placed the following: “rootpw password” in slapd.conf file.

  30. Termina says:

    It should be “rootpw ldapadmin01”

  31. pachuco says:

    Thank you very much. It works.

  32. red says:

    Can this how-to be used for Debian Lenny as well?

    Thanks

  33. termina says:

    I’d suggest using the following link for your /etc/pam.d files

    They work on Debian and Ubuntu clients. Useful if you are having problems changing passwords

    # passwd test
    passwd: Module is unknown
    passwd: password unchanged

    http://st0rage.org/files/pam.d.tar

  34. neverland says:

    Hi the following lines are my problem.
    testldap2:/tmp# ldapadd -x -W -D ‘cn=admin,dc=mydomain,dc=net’ < /tmp/base.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)
    testldap2:/tmp# ldapadd -x -W -D 'cn=admin,dc=mydomain' < /tmp/base.ldif
    Enter LDAP Password:
    adding new entry "dc=mydomain,dc=net"
    ldap_add: Server is unwilling to perform (53)
    additional info: no global superior knowledge
    I have tried what you answered for pachuco and krisbfunk. But no answer is working for me… please help.

  35. termina says:

    neverland,

    The first issue is with you copying/pasting and wordpress messing up the quote characters.

    I’ve updated this article so copying/pasting should work now.

    I’d suggest starting over and making sure the correct quote characters are used.

  36. neverland says:

    It is still not working for me , is it ok to skip
    those three lines?

  37. neverland says:

    testldap4:/usr/share/migrationtools# ldapadd -x -W -D ‘cn=admin,dc=mydomain’ results in ldap_bind: Invalid credentials (49), and the password I provide is exactly the one after rootpw

  38. neverland says:

    Hi there, now I have successfully installed ldap. But when I change the config for security, my ldap doesn’t work. What should I do?

    BTW: when I did openssl req -new -x509 -nodes -out ldap.pem -keyout ldap.pem -days 3650, I used the ip address as common name, would it cause any problem?

  39. neverland says:

    Again about adding security problem, here is log file
    debian:/etc/ldap# tail /var/log/syslog
    Feb 24 02:54:27 debian slapd[2496]: slapd stopped.
    Feb 24 02:54:28 debian slapd[2528]: @(#) $OpenLDAP: slapd 2.4.11 (Nov 26 2009 09:17:06) $#012#[email protected]:/tmp/buildd/openldap-2.4.11/debian/build/servers/slapd
    Feb 24 02:54:29 debian slapd[2529]: slapd starting
    Feb 24 02:55:58 debian slapd[2529]: daemon: shutdown requested and initiated.
    Feb 24 02:55:58 debian slapd[2529]: slapd shutdown: waiting for 0 threads to terminate
    Feb 24 02:55:58 debian slapd[2529]: slapd stopped.
    Feb 24 02:55:58 debian slapd[2542]: @(#) $OpenLDAP: slapd 2.4.11 (Nov 26 2009 09:17:06) $#012#[email protected]:/tmp/buildd/openldap-2.4.11/debian/build/servers/slapd
    Feb 24 02:55:58 debian slapd[2542]: /etc/ldap/slapd.conf: line 145: unknown directive inside backend database definition.
    Feb 24 02:55:58 debian slapd[2542]: slapd stopped.
    Feb 24 02:55:58 debian slapd[2542]: connections_destroy: nothing to destroy.

    • neverland says:

      Regarding this error
      Feb 24 02:55:58 debian slapd[2542]: /etc/ldap/slapd.conf: line 145: unknown directive inside backend database definition.
      It is this line.
      SSLVerifyClient none

  40. Hans says:

    Hi,

    [sorry, my 4 year old daughter got hold of the computer and submitted my previous unfinished comment …]

    I have two issues, TLS does not work for me 🙁 , but that is a minor issue for me …

    The other, more important issue is that as soon as I comment out the “rootbinddn” in /etc/ldap.conf and restart nscd I cannot access my ldap accounts.

    It appears it does not try to authenticate using anonymous, I allowed anonymous to auth in slapd.conf.

    access to attrs=”userPassword”
    by anonymous auth
    by self write
    by * none

    access to *
    by anonymous auth
    by self write
    by * none

    Even when I set an LDAP account per dn as follows and try to use that as authentication account, it does not work.

    I really do not want to keep my rootbinddn password in ldap.secret, as that is far too dangerous … passwords in cleartext? incredible that that is necessary … that defeats the whole purpose of LDAP.

    I want to secure my computer as much as possible from external threats …

  41. termina says:

    Hans,

    All right, let’s start with “rootbinddn”. You are not using Debian Etch if you are using /etc/ldap.conf. Did you make a typo as to what config file you’re talking about?

    ldap.secret unfortunately must be plain-text. Keep in mind that ldap.secret should be readable only by root… if root is compromised your system is already insecure!

  42. neverland says:

    Thanks for the quick reply, would you provide steps on how to set up secure ldap on Debian Lenny? I can only do normal ldap till now.
