Debian 4.0 (Etch) LDAP Server

Posted in HowTo, Networking, Security on January 17th, 2008 by termina

LDAP still gets me from time to time. I’ve set up multiple Debian LDAP servers now, and each time it seems like something new gets me. I’m going to try to put together a step-by-step LDAP guide that is sure to work (with Debian Etch). If you have any problems, please post! This setup has been tested on x86 and amd64 Debian variants. There seem to be some bugs with Debian’s default LDAP install (missing .so files, config files that don’t work, not remembering settings from the setup screens). However, once everything works it’s rock solid.

apt-get install slapd ldap-utils libnss-ldap libpam-ldap nscd migrationtools

Add your admin password, and accept the default ldapi for now. Replace example and net with your domain/hostname (each “.”-separated component becomes a “dc=” component).

libnss-ldap and libpam-ldap are set up the same way; use identical answers for both (the passwords are saved in /etc/*.secret, so make sure those files have permissions 600!).

When prompted, replace ‘manager’ with ‘admin’ and example/net with your domain/hostname.

Make root local database admin = yes

Database require login = no

Uncomment “rootdn” in /etc/ldap/slapd.conf and make sure all suffixes are your domain and not a Debian default (for example, localdomain or

Place a “rootpw password” entry under rootdn (with your own password in place of “password”).

/etc/nsswitch.conf should look like:

passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: ldap

cd /usr/share/migrationtools

Edit and replace “” with your domain

./ > /tmp/base.ldif

./ /etc/passwd /tmp/passwd.ldif

./ /etc/group /tmp/group.ldif

/etc/init.d/slapd restart

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/base.ldif

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/passwd.ldif

ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/group.ldif

cp -p /usr/share/doc/libpam-ldap/examples/pam.d/* /etc/pam.d

apt-get install libpam-cracklib

ln -s /lib/security/ /lib/security/

You may have to remove the first block of text in base.ldif (the base entry; slapd already created it during installation, so adding it again fails).

As far as I can tell, pam_ldap.conf and libnss-ldap.conf are broken by default. Do this to fix them.

echo > /etc/pam_ldap.conf

vim /etc/pam_ldap.conf

base dc=example,dc=net

uri ldap://

ldap_version 3

rootbinddn cn=admin,dc=example,dc=net

port 389

pam_password crypt

cp /etc/pam_ldap.conf /etc/libnss-ldap.conf

/etc/init.d/slapd restart

/etc/init.d/nscd restart

You might want to remove a test user that has been imported into LDAP from /etc/passwd and /etc/shadow, so that the login below cannot be satisfied from the local files.

su - username

is a good test. Check /var/log/auth.log if you have problems. If nothing is there, try

/etc/init.d/slapd stop

slapd -u openldap -g openldap -d 999

That will run slapd as the user and group it is supposed to run as, and be very verbose.

At this point, everything should be working (if not, don’t go forward yet!). Now we can use encryption to increase the security of our ldap server.

cd /etc/ldap

mkdir ssl

openssl req -new -x509 -nodes -out ssl/ldap.pem -keyout ssl/ldap.pem -days 3650

chmod 640 ssl/ldap.pem

chmod 750 ssl

chown -R root:openldap ssl

At the very top of /etc/ldap/slapd.conf put

TLSCACertificateFile /etc/ldap/ssl/ldap.pem
TLSCertificateFile /etc/ldap/ssl/ldap.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap.pem

TLSVerifyClient never

Find the “access” lines near the bottom of slapd.conf and change them like this. slapd uses the first “access to” directive whose target matches and, within it, the first “by” clause whose conditions all hold; ssf and tls_ssf are minimum strength factors, so these rules deny the password attributes to any session that is not TLS-protected:

access to attrs=userPassword,shadowLastChange
    by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=net" write
    by tls_ssf=128 ssf=128 anonymous auth
    by tls_ssf=128 ssf=128 self write
    by * none

access to *
    by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=net" write
    by * read

Make sure you restart slapd:

/etc/init.d/slapd restart

Assuming all goes well, you should still be able to "su - username" to your ldap-only user with the added benefit of encryption.
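The effect of those access rules, as an added example that is not part of the original post: a short Python model of slapd’s first-match evaluation of the “access” directives above (ssf and tls_ssf are treated as minimum strength factors, as slapd does), run against a constructed user entry. The entry DN and the sample sessions are assumptions made for the illustration.

```python
# Added example (not the post's own code): a model of how slapd evaluates the
# access directives above. Rules and the entry DN below are transcribed/constructed.
ADMIN = "cn=admin,dc=example,dc=net"

# Each rule: (attributes it covers, or None for "*", list of (conditions, level)).
ACL = [
    ({"userPassword", "shadowLastChange"}, [
        ({"tls_ssf": 128, "ssf": 128, "dn": ADMIN}, "write"),
        ({"tls_ssf": 128, "ssf": 128, "anonymous": True}, "auth"),
        ({"tls_ssf": 128, "ssf": 128, "self": True}, "write"),
        ({}, "none"),                                   # by * none
    ]),
    (None, [
        ({"tls_ssf": 128, "ssf": 128, "dn": ADMIN}, "write"),
        ({}, "read"),                                   # by * read
    ]),
]

def who_matches(cond, bind_dn, entry_dn, ssf, tls_ssf):
    """All conditions on one 'by' line must hold; ssf values are minimums."""
    if cond.get("ssf", 0) > ssf or cond.get("tls_ssf", 0) > tls_ssf:
        return False
    if "dn" in cond and bind_dn != cond["dn"]:
        return False
    if cond.get("anonymous") and bind_dn is not None:
        return False
    if cond.get("self") and (bind_dn is None or bind_dn != entry_dn):
        return False
    return True

def access_level(attr, bind_dn, entry_dn, ssf=0, tls_ssf=0):
    """Access slapd grants to `attr` of `entry_dn` for a session bound as
    `bind_dn` (None = anonymous) with the given strength factors (0 = cleartext)."""
    for attrs, by_clauses in ACL:
        if attrs is not None and attr not in attrs:
            continue                        # this 'access to' does not apply
        for cond, level in by_clauses:
            if who_matches(cond, bind_dn, entry_dn, ssf, tls_ssf):
                return level                # first matching 'by' wins
        return "none"                       # nothing matched: implicit deny
    return "none"

if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=example,dc=net"   # constructed entry DN
    # Cleartext session: even the admin bind gets nothing on userPassword.
    print(access_level("userPassword", ADMIN, alice))            # none
    # Over TLS (128-bit or stronger) the same bind may write it.
    print(access_level("userPassword", ADMIN, alice, 128, 128))  # write
    # Anonymous over TLS may only use it to authenticate (simple bind).
    print(access_level("userPassword", None, alice, 128, 128))   # auth
    # Other attributes stay readable in the clear, which NSS lookups need.
    print(access_level("uidNumber", None, alice))                # read
```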

Additionally, if you find that SSL isn't working for you, try doing this.

Add the following to /etc/ldap/ldap.conf

TLS_CACERT /etc/ldap/ssl/ldap.pem

Add this to both pam_ldap.conf and libnss-ldap.conf (note that tls_checkpeer no stops the client from verifying the server certificate; since tls_cacertfile points at ldap.pem, it can be set to yes once TLS is working):

ssl start_tls

tls_checkpeer no

tls_cacertfile /etc/ldap/ssl/ldap.pem

After further investigation, 'ssl start_tls' is the way to go. Make sure ldap.conf has your SSL stuff in it and restart slapd and nscd.