Ubuntu 8.10 LDAP Server with TLS

This should also work with Ubuntu 9.04

apt-get install slapd ldap-utils libnss-ldap libpam-ldap migrationtools

Much like Debian, we must perform an extra step to make our changes permanent.

dpkg-reconfigure slapd

Omit OpenLDAP server configuration? No
DNS domain name: your-server
Organization name: whatever
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Admin password: <password>
Confirm: <password>
Allow LDAPv2 protocol: No

Now we will populate LDAP. You should probably add a temporary LDAP user for testing. After we populate LDAP we’ll remove it.

adduser test
cd /usr/share/migrationtools

Edit migrate_common.ph and replace “padl.com” with your domain and dc=padl,dc=com with dc=YOUR,dc=DOMAIN

./migrate_base.pl > /tmp/base.ldif

./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

./migrate_group.pl /etc/group /tmp/group.ldif

Remove the top section of /tmp/base.ldif

dn: dc=dev
dc: dev
objectClass: top
objectClass: domain

Restart LDAP and add our information to LDAP


/etc/init.d/slapd restart

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/base.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/passwd.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/group.ldif

To enable PAM I suggest


cd /tmp
wget http://st0rage.org/files/pam.d.tar
tar xf pam.d.tar -C /etc

Alternativly, you can try the following Ubuntu specific method:


auth-client-config -t nss -p lac_ldap
pam-auth-update ldap

Please note that I was unable to change user passwords with ‘passwd’ using this method.

Remove the test user

userdel test

Set up TLS Certificate

mkdir /etc/ldap/ssl
cd /etc/ldap/ssl

openssl req -new -nodes -out req.pem -keyout key.pem
#No challenge password, leave empty
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 9999
mv new.key.pem server.pem
cat ca-cert >> server.pem

Enable TLS on server

ldapmodify -x -D cn=admin,cn=config -W

Paste in the following:

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server.pem

Press ENTER a few times to finish modifying and then Control+C when you see:

modifying entry "cn=config"

Edit /etc/default/slapd and add

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

Restart slapd

/etc/init.d/slapd restart

If it fails, try:


chown -R openldap /etc/ldap/ssl
/etc/init.d/slapd restart

Client configuration

vi /etc/ldap.conf

uri ldaps://server
port 636
ssl start_tls
ssl on
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/server.pem


vi /etc/nsswitch.conf

passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: ldap

Now test! Make sure to stop nscd if you’re using it

/etc/init.d/nscd stop

Test LDAP

$ id test
uid=1001(test) gid=1001(test) groups=1001(test)

Remember to keep an eye on /var/log/auth.log if you run into any problems

14 Responses to “Ubuntu 8.10 LDAP Server with TLS”

  1. Eric G says:

    I was following the steps perfectly until the slapd restart, upon which I received the following error:

    [email protected]:/etc/ldap# /etc/init.d/slapd restart
    Stopping OpenLDAP: slapd.
    Starting OpenLDAP: slapd – failed.
    The operation failed but no output was produced. For hints on what went
    wrong please refer to the system’s logfiles (e.g. /var/log/syslog) or
    try running the daemon in Debug mode like via “slapd -d 16383” (warning:
    this will create copious output).

    Below, you can find the command line options used by this script to
    run slapd. Do not forget to specify those options if you
    want to look to debugging output:
    slapd -g openldap -u openldap -f /etc/ldap/slapd.conf

    My ldap.conf BASE is set to dc=sharedobj,dc=com

    My slapd.conf is as follows:

    #######################################################################
    # Global Directives:

    # Features to permit
    #allow bind_v2

    # Schema and objectClass definitions
    include /etc/ldap/schema/core.schema
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/nis.schema
    include /etc/ldap/schema/inetorgperson.schema

    # Where the pid file is put. The init.d script
    # will not stop the server if you change this.
    pidfile /var/run/slapd/slapd.pid

    # List of arguments that were passed to the server
    argsfile /var/run/slapd/slapd.args

    # Read slapd.conf(5) for possible values
    loglevel none

    # Where the dynamically loaded modules are stored
    modulepath /usr/lib/ldap
    moduleload back_hdb

    # The maximum number of entries that is returned for a search operation
    sizelimit 500

    # The tool-threads parameter sets the actual amount of cpu’s that is used
    # for indexing.
    tool-threads 1

    #######################################################################
    # Specific Backend Directives for hdb:
    # Backend specific directives apply to this backend until another
    # ‘backend’ directive occurs
    backend hdb

    #######################################################################
    # Specific Backend Directives for ‘other’:
    # Backend specific directives apply to this backend until another
    # ‘backend’ directive occurs
    #backend

    #######################################################################
    # Specific Directives for database #1, of type hdb:
    # Database specific directives apply to this databasse until another
    # ‘database’ directive occurs
    #database hdb

    # The base of your directory in database #1
    suffix “dc=sharedobj,dc=com”

    # rootdn directive for specifying a superuser on the database. This is needed
    # for syncrepl.
    rootdn “cn=manager,dc=sharedobj,dc=com”
    #rootpw
    # pwd-three45_

    # Where the database file are physically stored for database #1
    directory “/var/lib/ldap/sharedobjcom”

    #
    # The dbconfig settings are used to generate a DB_CONFIG file the first
    # time slapd starts. They do NOT override existing an existing DB_CONFIG
    # file. You should therefore change these settings in DB_CONFIG directly
    # or remove DB_CONFIG and restart slapd for changes to take effect.

    # For the Debian package we use 2MB as default but be sure to update this
    # value if you have plenty of RAM
    dbconfig set_cachesize 0 2097152 0

    # Sven Hartge reported that he had to set this value incredibly high
    # to get slapd running at all. See http://bugs.debian.org/303057 for more
    # information.

    # Number of objects that can be locked at the same time.
    dbconfig set_lk_max_objects 1500
    # Number of locks (both requested and granted)
    #dbconfig set_lk_max_locks 1500
    # Number of lockers
    #dbconfig set_lk_max_lockers 1500

    # Indexing options for database #1
    index objectClass eq

    # Save the time that the entry gets modified, for database #1
    lastmod on

    # Checkpoint the BerkeleyDB database periodically in case of system
    # failure and to speed slapd shutdown.
    checkpoint 512 30

    # Where to store the replica logs for database #1
    # replogfile /var/lib/ldap/replog

    # The userPassword by default can be changed
    # by the entry owning it if they are authenticated.
    # Others should not be able to see it, except the
    # admin entry below
    # These access lines apply to database #1 only
    access to attrs=userPassword,shadowLastChange
    by dn=”cn=manager,dc=sharedobj,dc=com” write
    by anonymous auth
    by self write
    by * none

    # Ensure read access to the base for things like
    # supportedSASLMechanisms. Without this you may
    # have problems with SASL not knowing what
    # mechanisms are available and the like.
    # Note that this is covered by the ‘access to *’
    # ACL below too but if you change that as people
    # are wont to do you’ll still need this if you
    # want SASL (and possible other things) to work
    # happily.
    access to dn.base=”” by * read

    # The admin dn has full write access, everyone else
    # can read everything.
    access to *
    by dn=”cn=manager,dc=sharedobj,dc=com” write
    by * read

    # For Netscape Roaming support, each user gets a roaming
    # profile for which they have write access to
    #access to dn=”.*,ou=Roaming,o=morsnet”
    # by dn=”cn=admin,dc=example,dc=com” write
    # by dnattr=owner write

    I am new to LDAP and realize the high probability of a seat-to-keyboard error. Your step-by-step was the best example I have found on the web. And trust me when I say, I have put at least 36 hours (within the last 72) into getting my arms around LDAP.

    I know what I what to do; however, I need the foundational pieces in place to move on (i.e. creating, modifying, and deleting directory structures) so I can then move into shema development. I have a framework in mind but my lack of knowledge is slowing me down.

    Thanx!
    EG

  2. termina says:

    Are you sure you’re using Ubuntu 8.10? slapd.conf has been replaced by the slapd.d directory in 8.10

    Also, wordpress messes up the ” character so if you’ve been copying and pasting that could be the issue.

    Usually this is due to a permission error; try the following (as root):

    slapd -g openldap -u openldap -d 999

    You should see an error as to why it’s not starting.

    Try running it as root too, if the above doesn’t produce anything helpful:

    slapd -d 999

  3. Pietro says:

    Everything ok… but…
    ldapmodify -x -D cn=admin,cn=config -W
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)
    I tryed
    ldapmodify -x -D cn=admin,dc=taverne,dc=oz -W
    I can insert the password and then, after inserting the acl:
    modifying entry “cn=config”
    ldap_modify: Insufficient access (50)
    Can you help me?

    • termina says:

      The password for cn=config may be different than taverne.oz; it should be the password you entered during the installation of slapd. You may also want to try it without a password (blank).

      I’d suggest trying the following to reset your password

      dpkg-reconfigure slapd

  4. Pietro says:

    I used (it’s a test environment) the password “admin” everywhere…
    If I try now the reconfiguration, I get a lot of errors…
    If I connect to the ldap database via phpldapadmin, I have no problems, but if I force the phpldapadmin to ldaps I get a TLS error.
    Maybe I’m doing something wrong, but I followed the procedure step by step, modifying only cn=admin,dc=example,dc=net in cn=admin,dc=taverne,dc=oz

  5. termina says:

    I’ve updated this document so that quote characters will no longer be gargled when you copy/paste.

  6. iqah says:

    hi,

    A very nice site btw,im using ubuntu server 9.04 and new to linux and trying to set up openldap server and when i typed
    ldapsearch -xLLL -H ldap://192.168.2.1 -b “dc=itb,dc=network”
    it shows all the information that have been created using the migrationtools
    but i was wondering slapd -d 999 it shows an error:

    deamon: bind(8) failed errno=98 (Address already in use)
    deamon: bind(8) failed errno=98 (Address already in use)
    slap_open_listener: failed on ldap:///
    slapd stopped.
    connections_destroy: nothing to destroy.

    Another quest when i install the ldapscripts using ubuntu documentation as reference, when i ldapadduser

    ldapadduser george example
    it shows cannot resolve group test to gid: not found

    any idea?

    • termina says:

      If slapd -d is showing “address already in use” then slapd is running in the background or another service is using that port.

      /etc/init.d/slapd stop
      ps -ef | grep slapd

      Kill any processes still running.

      If you’re still getting that error, try:

      /etc/init.d/slapd stop
      lsof -i tcp:389

      And see what’s using that port

      I’m not going to worry about any other errors you got until this one is fixed since it’s probably the source of your other problems.

  7. iqah says:

    hi,

    i did like what u asked using

    /etc/init.d/slapd stop
    ps -ef | grep slapd

    Then when i type the command ‘slapd -d 999’

    the result shows:

    slapd startup: initiated.
    backend_startup_one: starting “cn=config”
    config_back_db_open
    Backend ACL: access to *
    by * none

    config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
    backend_startup_one: starting “dc=example,dc=com”
    hdb_db_open: “dc=example,dc=com”
    hdb_db_open: database “dc=example,dc=com”: dbenv_open(/var/lib/ldap).
    slapd starting

    (blank)

    deamon: shutdown requested and initiated.
    slapd shutdown: waiting for 0 operations/tasks to finish
    slapd shutdown: initiated
    ===> bdb_cache_release_all
    slapd destroy: freeing system resources.
    slapd stopped.

    any idea because im not sure whats goin on..can you help me?

  8. Termina says:

    Well, the error from your slapd output shows:


    backend_startup_one: starting “dc=example,dc=com”
    hdb_db_open: “dc=example,dc=com”
    hdb_db_open: database “dc=example,dc=com”: dbenv_open(/var/lib/ldap).

    Yet your above post shows:


    ldapsearch -xLLL -H ldap://192.168.2.1 -b “dc=itb,dc=network”

    So it looks to me like you’re mis-matching dn’s and need to double-check all your config files.

  9. iqah says:

    hi,

    owh yeah! when u mentioned that then i notice….thanx but where can i find the file to edit it? because i was searching for it and it doesnt work…

    and speaking of the ldap scripts…its working except adding the group…

    thank u.

  10. iqah says:

    hi,

    its working already, thanx for the info…..

    but another prob occurs….
    when i use slapdscripts….by using ldapadduser and deleteuser, its working but when i ldapaddgroup it doesnt work…saying cannot error adding group to LDAP

    Thank you so much for your help 🙂

  11. Termina says:

    Do you have an ou=Group?

    Any errors in /var/log/auth.log or /var/log/syslog?

    Otherwise, I’d suggest trying phpldapadmin for group management.

  12. smart says:

    Just I wan to say about ldapmodify, I ran into this problem and searched the internet but without getting the solution, and I got it from one administrator, the problem is after the ldapmodify to modify cn=config, I got “insufficient access (50)”, even if I used the rootDN like this
    ldapmodify -x -D cn=admin,dc=admin-computer -f ssl.ldif -W
    Enter LDAP Password:
    modifying entry “cn=config”
    ldap_modify: Insufficient access (50)

    The problem is, because the admin does not have right to manage the config file, and you must use EXTERNAL to solve this problem, the olcAccess is written in the olcDatabase={-1}frontend.ldif

    So you must right it like this:
    ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
    It should work, I’m sharing this with you because I don’t want you to be desperate.

Leave a Reply to iqah Cancel reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.