LDAP still gets me from time to time. I’ve set up multiple Debian LDAP servers now, and each time it seems like something new gets me. I’m going to try to put together a set-by-step LDAP guide that is sure to work (with Debian Etch). If you have any problems, please post! This setup has been tested on x86 and amd64 Debian variants.There seem to be some bugs with debian’s default ldap install (missing .so files, config files that don’t work, not remembering settings from the setup screens). However, once everything works it’s rock solid.
apt-get install slapd ldap-utils libnss-ldap libpam-ldap nscd migrationtools
Add your admin password, and accept default ldapi for now. Replace example and net with your domain/hostname (where each “.” is a “dc=”).
libnss-ldap and libpam-ldap are set up the same way, use identical answers (passwords are saved in /etc/*.secret make sure permissions are 600!)
When prompted, replace ‘manager’ with ‘admin’ and example/net with your domain/hostname
Make root local database admin = yes
Database require login = no
Uncomment “rootdn” in /etc/ldap/slapd.conf and make sure all suffix’s are your domain and not a debian default (for example, localdomain or example.net)
Place a “rootpw password” entry under rootdn
/etc/nsswitch.conf should look like:
passwd: compat ldap
group: compat ldap
shadow: compat ldaphosts: files dns
networks: filesprotocols: db files
services: db files
ethers: db files
rpc: db filesnetgroup: ldap
cd /usr/share/migrationtools
Edit migrate_common.ph and replace “padl.com” with your domain
./migrate_base.pl > /tmp/base.ldif
./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
./migrate_group.pl /etc/group /tmp/group.ldif
/etc/init.d/slapd restart
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/base.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/passwd.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/group.ldif
cp -p /usr/share/doc/libpam-ldap/examples/pam.d/* /etc/pam.d
apt-get install libpam-cracklib
ln -s /lib/security/pam_unix.so /lib/security/pam_pwdb.so
You may have to remove the first block of text in base.ldif (ldap should already have it)
As far as I can tell, pam_ldap.conf and libnss-ldap.conf are broken by default. Do this to fix them.
echo > /etc/pam_ldap.conf
vim /etc/pam_ldap.conf
base dc=example,dc=net
uri ldap://127.0.0.1/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=net
port 389
pam_password crypt
cp /etc/pam_ldap.conf /etc/libnss-ldap.conf
/etc/init.d/slapd restart
/etc/init.d/nscd restart
You might want to remove a test user from /etc/passwd and /etc/shadow that has been imported to ldap.
su – username
Is a good test. Check /var/log/auth.log if you have problems. If nothing is there, try
/etc/init.d/slapd stop
slapd -u openldap -g openldap -d 999
That will have slapd run as the users it’s supposed to, and be very verbose.
At this point, everything should be working (if not, don’t go forward yet!). Now we can use encryption, to increase the security of our ldap server.
cd /etc/ldap
mkdir ssl
openssl req -new -x509 -nodes -out ldap.pem -keyout ldap.pem -days 3650
chmod 640 ssl/ldap.pem
chmod 750 ssl
chown -R root:openldap ssl
At the very top of /etc/ldap/slapd.conf put
TLSCACertificateFile /etc/ldap/ssl/ldap.pem
TLSCertificateFile /etc/ldap/ssl/ldap.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap.pem
TLSCipherSuite HIGH:+MEDIUM:!LOWSSLVerifyClient none
Find the "access"lines near the bottom of slapd.conf and change them like this
access to attrs=userPassword,shadowLastChange
by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=net" write
by tls_ssf=128 ssf=128 anonymous auth
by tls_ssf=128 ssf=128 self write
by * noneand
access to *
by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=net" write
by * read
Make sure you restart
/etc/init.d/slapd restart
Assuming all goes well, you should still be able to "su - username" to your ldap-only user with the added benefit of encryption.
Additionally, if you find that SSL isn't working for you, try doing this.
Add the following to /etc/ldap/ldap.conf
TLS_CACERT /etc/ldap/ssl/ldap.pem
TLS_REQCERT demand
Add this to both pam_ldap.conf and libnss-ldap.conf
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/ldap.pem
After further investigation, 'ssl start_tls' is the way to go. Make sure ldap.conf has your SSL stuff in it and restart slapd and nscd.
http://bbis.us/etch-ldap.tar.gz