LDAP still gets me from time to time. I’ve set up multiple Debian LDAP servers now, and each time it seems like something new gets me. I’m going to try to put together a step-by-step LDAP guide that is sure to work (with Debian Etch). If you have any problems, please post! This setup has been tested on x86 and amd64 Debian variants. There seem to be some bugs with Debian’s default LDAP install (missing .so files, config files that don’t work, not remembering settings from the setup screens). However, once everything works it’s rock solid.
apt-get install slapd ldap-utils libnss-ldap libpam-ldap nscd migrationtools
Add your admin password, and accept the default ldapi for now. Replace example and net with your domain/hostname (each “.” becomes a “dc=” component).
libnss-ldap and libpam-ldap are set up the same way; use identical answers (the passwords are saved in /etc/*.secret, so make sure permissions on those files are 600!)
When prompted, replace ‘manager’ with ‘admin’ and example/net with your domain/hostname
Make root local database admin = yes
Database require login = no
Uncomment “rootdn” in /etc/ldap/slapd.conf and make sure all suffixes are your domain and not a Debian default (for example, localdomain or example.net)
Place a “rootpw password” entry under rootdn, with password replaced by the admin password you chose
/etc/nsswitch.conf should look like:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: ldap
cd /usr/share/migrationtools
Edit migrate_common.ph and replace “padl.com” with your domain
./migrate_base.pl > /tmp/base.ldif
./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
./migrate_group.pl /etc/group /tmp/group.ldif
/etc/init.d/slapd restart
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/base.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/passwd.ldif
ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/group.ldif
cp -p /usr/share/doc/libpam-ldap/examples/pam.d/* /etc/pam.d
apt-get install libpam-cracklib
ln -s /lib/security/pam_unix.so /lib/security/pam_pwdb.so
You may have to remove the first block of text in base.ldif (the entry for your suffix itself, which ldap should already have)
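The “already exists” failure caused by that first entry, and a domain left unchanged in migrate_common.ph, can both be caught before running ldapadd. The following shell helpers are an added example and not part of this article or of migrationtools: strip_entry removes the entry whose dn equals your suffix, count_entries gives a quick entry count, and check_suffix lists every dn that is not under the expected suffix. The file names and the suffix dc=example,dc=net are assumptions taken from the layout used above.

```shell
#!/bin/sh
# Added example, not part of the article: sanity-check the LDIF files that
# migrationtools produce before feeding them to ldapadd. File names and the
# suffix dc=example,dc=net are assumptions taken from the article's layout.

# strip_entry LDIF DN: print every entry of LDIF except the one whose dn is DN
# (compared case-insensitively). Used to drop the suffix entry that
# migrate_base.pl emits first, because slapd already created it during
# package setup and ldapadd would otherwise stop with "Already exists".
strip_entry() {
    awk -v want="$2" '
        BEGIN { RS = ""; ORS = "\n\n" }      # paragraph mode: one record per entry
        {
            n = split($0, line, "\n"); dn = ""
            for (i = 1; i <= n; i++)
                if (line[i] ~ /^dn: /) { dn = substr(line[i], 5); break }
            if (tolower(dn) != tolower(want)) print
        }' "$1"
}

# count_entries LDIF: number of entries (records that carry a dn: line).
count_entries() {
    awk 'BEGIN { RS = "" }
         $0 ~ /^dn: / || $0 ~ /\ndn: / { n++ }
         END { print n + 0 }' "$1"
}

# check_suffix LDIF SUFFIX: list every dn that is not under SUFFIX and fail,
# which is what you get when padl.com was left in migrate_common.ph.
check_suffix() {
    awk -v suffix="$2" '
        BEGIN { RS = ""; bad = 0; s = tolower(suffix) }
        {
            n = split($0, line, "\n")
            for (i = 1; i <= n; i++)
                if (line[i] ~ /^dn: /) {
                    d = tolower(substr(line[i], 5))
                    if (substr(d, length(d) - length(s) + 1) != s) {
                        print "not under " suffix ": " d; bad = 1
                    }
                    break
                }
        }
        END { exit bad }' "$1"
}

# Typical use, following the article's steps:
#   ./migrate_base.pl > /tmp/base.ldif
#   check_suffix /tmp/base.ldif 'dc=example,dc=net' || echo "fix migrate_common.ph first"
#   strip_entry /tmp/base.ldif 'dc=example,dc=net' > /tmp/base-trimmed.ldif
#   ldapadd -x -W -D 'cn=admin,dc=example,dc=net' < /tmp/base-trimmed.ldif
```

Run check_suffix on all three LDIF files; if it prints anything, go back to migrate_common.ph rather than loading entries under the wrong suffix. Run strip_entry only on base.ldif, since passwd.ldif and group.ldif never contain the suffix entry.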
As far as I can tell, pam_ldap.conf and libnss-ldap.conf are broken by default. Do this to fix them.
echo > /etc/pam_ldap.conf
vim /etc/pam_ldap.conf
base dc=example,dc=net
uri ldap://127.0.0.1/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=net
port 389
pam_password crypt
cp /etc/pam_ldap.conf /etc/libnss-ldap.conf
/etc/init.d/slapd restart
/etc/init.d/nscd restart
You might want to remove a test user from /etc/passwd and /etc/shadow that has been imported to ldap.
su - username
is a good test. Check /var/log/auth.log if you have problems. If nothing is there, try
/etc/init.d/slapd stop
slapd -u openldap -g openldap -d 999
That will have slapd run as the user and group it’s supposed to, and be very verbose.
At this point, everything should be working (if not, don’t go forward yet!). Now we can enable encryption to increase the security of our LDAP server.
cd /etc/ldap
mkdir ssl
openssl req -new -x509 -nodes -out ssl/ldap.pem -keyout ssl/ldap.pem -days 3650
chmod 640 ssl/ldap.pem
chmod 750 ssl
chown -R root:openldap ssl
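As an added example (these are not the article’s commands), the following script generates the server key and certificate with the host name as the subject and then audits the permissions of the files this article says must stay private: the /etc/*.secret files (600), the ssl directory (750) and the certificate file (640), plus /etc/libnss-ldap.conf (640), which the comments below point out can hold bind credentials. Unlike the single ldap.pem above, it writes the key and certificate to separate files, ldap-key.pem and ldap-cert.pem (names assumed), so TLSCertificateKeyFile would point at the key and TLSCertificateFile/TLSCACertificateFile at the certificate. The -addext option needs OpenSSL 1.1.1 or newer. The subject should be the name clients put in their uri rather than an IP address, so that the certificate still matches if you later turn on peer verification.

```shell
#!/bin/sh
# Added example, not from the article: generate the slapd TLS key pair and
# audit the permissions of the files the article says must stay private.
# File and directory names below are assumptions.

# Octal permission bits of a path, e.g. "640" (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_perm PATH MAX: succeed if PATH has no permission bit outside the
# octal mask MAX (e.g. 600). A missing file is reported and skipped, since
# e.g. libnss-ldap.secret only exists when rootbinddn is configured.
check_perm() {
    path=$1 max=$2
    if [ ! -e "$path" ]; then
        echo "skip $path (not present)"
        return 0
    fi
    m=$(mode_of "$path")
    if [ $(( 0$m & ~0$max )) -eq 0 ]; then
        echo "ok   $path is $m"
        return 0
    fi
    echo "BAD  $path is $m, expected at most $max"
    return 1
}

# audit_ldap_perms [ROOT]: check the article's sensitive files under ROOT
# (defaults to /, i.e. the live system). Returns 1 if anything is too open.
audit_ldap_perms() {
    root=${1:-}
    rc=0
    check_perm "$root/etc/pam_ldap.secret"    600 || rc=1   # rootbinddn password
    check_perm "$root/etc/libnss-ldap.secret" 600 || rc=1   # same, for nss
    check_perm "$root/etc/libnss-ldap.conf"   640 || rc=1   # may hold bind credentials
    check_perm "$root/etc/ldap/ssl"           750 || rc=1
    check_perm "$root/etc/ldap/ssl/ldap.pem"  640 || rc=1   # holds the private key
    return $rc
}

# make_ldap_cert DIR HOST [DAYS]: self-signed certificate with HOST as CN and
# SAN, so clients that verify the peer can match the name in their uri.
# Key goes to DIR/ldap-key.pem (640, for root:openldap), cert to
# DIR/ldap-cert.pem (644). Needs OpenSSL 1.1.1+ for -addext.
make_ldap_cert() {
    dir=$1 host=$2 days=${3:-3650}
    mkdir -p "$dir" && chmod 750 "$dir" || return 1
    ( umask 077
      openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
          -keyout "$dir/ldap-key.pem" -out "$dir/ldap-cert.pem" 2>/dev/null
    ) || return 1
    chmod 640 "$dir/ldap-key.pem" && chmod 644 "$dir/ldap-cert.pem"
}

# Typical use on the server (the chown matches the article):
#   make_ldap_cert /etc/ldap/ssl "$(hostname -f)" && chown -R root:openldap /etc/ldap/ssl
#   audit_ldap_perms
```

audit_ldap_perms only looks at mode bits; ownership still has to be root:openldap as in the chown above, otherwise slapd cannot read the key or, worse, a wider group can.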
At the very top of /etc/ldap/slapd.conf put
TLSCACertificateFile /etc/ldap/ssl/ldap.pem
TLSCertificateFile /etc/ldap/ssl/ldap.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap.pem
TLSCipherSuite HIGH:+MEDIUM:!LOW
SSLVerifyClient none
Find the "access" lines near the bottom of slapd.conf and change them like this
access to attrs=userPassword,shadowLastChange
by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=net" write
by tls_ssf=128 ssf=128 anonymous auth
by tls_ssf=128 ssf=128 self write
by * none
and
access to *
by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=net" write
by * read
Make sure you restart
/etc/init.d/slapd restart
Assuming all goes well, you should still be able to "su - username" to your ldap-only user with the added benefit of encryption.
Additionally, if you find that SSL isn't working for you, try doing this.
Add the following to /etc/ldap/ldap.conf
TLS_CACERT /etc/ldap/ssl/ldap.pem
TLS_REQCERT demand
Add this to both pam_ldap.conf and libnss-ldap.conf
ssl start_tls
tls_checkpeer no
tls_cacertfile /etc/ldap/ssl/ldap.pem
After further investigation, 'ssl start_tls' is the way to go. Make sure ldap.conf has your SSL stuff in it and restart slapd and nscd.
http://bbis.us/etch-ldap.tar.gz
Updated some of the information here; one line for slapd.conf and one word change in pam_ldap.conf/libnss-ldap.conf.
Added a link to the (clean) config files from the working ldap test server I set up for this article.
Assuming your permissions are right (owned by openldap in most cases), you know how to run ‘slapd -d 999’, and your database is in good condition, everything should work just fine.
You might want to apt-get install phpldapadmin to make adding users easier.
chmod 600 ssl/ldap.pem
should probably be
chmod 640 ssl/ldap.pem
Good call, fixed that.
Hi,
your instructions have been very useful to me, as I am setting up an ldap service on a debian machine and my ldap knowledge was 0 before starting. Debian packages didn’t provide enough help and I was in a complete deadlock.
After following your instructions everything worked ok, at least before adding the TLS stuff. I even tried the ldap_integration module in drupal and it worked ok against the slapd server.
Now I am trying to add the security layer and everything seems to be ok (again after following your instructions), but I am not able to make the drupal module work again. Well, really I am not sure whether the TLS configuration is working, though I can do ‘su - username’ successfully on the command line after adding all the TLS stuff and restarting the daemons. Shouldn’t slapd be running on another port (636?) now?
Anyhow, thank you very much for your tutorial
Nope, it will still run on 389.
You might want to restart nscd and/or restart the machine and see if you can still ‘su - username’ with TLS enabled.
Sorry, I’ve never used drupal so I can’t help. My only suggestion is to make sure it’s not trying to validate the certificate (since it’s self-signed) and that it’s listening on ldap://, not ldaps://
Thanks, worked fine for me!
I had to chmod a+r /etc/libnss-ldap.conf to make it work
(http://blog.herbertm.ca/articles/2007/06/04/libnss-ldap-conf-permissions-bug)
Hroc, thanks.
However, you may want to do something like 640 instead (openldap as owner/group), since libnss-ldap.conf may contain sensitive information depending on how you set it up (proxyagents and whatnot).
thanks for this…….
your instructions worked flawlessly except for a missing cd /etc/ldap/ssl.
i shamelessly copied this part and added it to my setup as described on http:/songshu.org/doku
hi,
i am nasif. i’ve succeeded in installing an ldap server with ssl/tls on my debian. but now, i can’t open my ldap from phpldapadmin. is there something wrong? because i’ve already done every step just like your instructions..
btw, thanx for your help…
nasif,
What error do you have with phpldapadmin?
You might want to try restarting slapd and then restarting apache.
i’ve already restarted slapd and apache. but phpldapadmin still can’t log me in. after googling, some forum said that phpldapadmin doesn’t support ssl/tls. is that correct? is there any application that can handle ldap as easily as phpldapadmin??
thanx for your reply…
That is not correct.
Installing it via apt-get works just fine for me; you might want to check out your apache error.log file for more information, or ask on the phpldapadmin mailing list.
i have a problem with ldap.. this is the error
dpkg: error processing slapd (--configure):
subprocess post-installation script returned error exit status 1
Setting up ldap-utils (2.3.30-5+etch1) …
Errors were encountered while processing:
slapd
please help me…. what’s wrong??
There should be more to the error message, describing why it failed.
Otherwise, try:
apt-get remove --purge slapd
apt-get install slapd
i can’t try apt-get remove -purge slapd
Reading package lists… Done
Building dependency tree… Done
E: Couldn’t find package –purge
but when i try apt-get install slapd this message error
Starting OpenLDAP: slapd – failed:
Unrecognized database type (bdb)
invoke-rc.d: initscript slapd, action “start” failed.
dpkg: error processing slapd (--configure):
subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)
It’s --purge, with two hyphens before purge.
WordPress for whatever reason screws up two hyphens in a row. *shrugs*
Thanks for the great tutorial!
Did anyone install OpenLDAP + TLS on ubuntu 8.04? it seems that gnutls has issues. If anyone successfully implemented OpenLDAP + TLS please post the procedure here.
I am unable to get past these lines:
ldapadd -x -W -D ‘cn=admin,dc=my_domain,dc=com’ < /tmp/base.ldif
ldapadd -x -W -D ‘cn=admin,dc=my_domain,dc=com’ < /tmp/passwd.ldif
ldapadd -x -W -D ‘cn=admin,dc=my_domain,dc=com’ < /tmp/group.ldif
The single quotes return a syntax error, and when replaced with double quotes, it states “dc=my_domain,dc=com” already exists.
Everything was going fine until I configured TLS. It seems libnss is broken. I can’t su to an ldap user, id user or getent, etc.. Commands like ldapsearch are working fine and the network calls are encrypted. I’m running Debian Etch 4.0.
krisbfunk: WordPress messes up those quotes; replace all the weird quotes with actual quotes.
Mike: You might want to try downloading the config files from the article and replacing things where necessary.
Where is the link to download the config files??
Thanks for the great tutorial. I’ve been trying to set this up for a couple of days before I found this and finally it works!
Great instructions. Worked for me all the way.
I have one suggestion though.. Since LDAP is especially useful in a setup with many clients using one LDAP resource, it might be a good idea to clearly separate client and server setups.
This would offer a reference for setting up extra clients to use an already set up LDAP server.
The actions to be performed on clients can be logically extracted from the whole, but offering them in clearly separated form might be an upgrade to an already very nice tutorial.
Thx! 2 cents
This is my second attempt; I can never get past these lines:
ldapadd -x -W -D ‘cn=admin,dc=my_domain,dc=com’ < /tmp/base.ldif
ldapadd -x -W -D ‘cn=admin,dc=my_domain,dc=com’ < /tmp/passwd.ldif
ldapadd -x -W -D ‘cn=admin,dc=my_domain,dc=com’ < /tmp/group.ldif
I always get prompted for a password and no matter what password I enter,
I get an error that says: “ldap_bind: invalid DN syntax (34)”
My LDAP admin password is “ldapadmin01” and my domain is “nassau.VOBtec.net”
Please, any help would be much appreciated.
h3rbz, I did that already. If it feels that this server has too much client information in it, it’s because I figure people will want to be able to authenticate with LDAP to the LDAP server.
If you only want it to serve LDAP, and not act as a client, just skip the pam.d configuration as well as /etc/nsswitch.conf
pachuco, did you set a rootpw entry in /etc/ldap/slapd.conf?
Thank you for the fast response. I actually don’t know how to set up rootpw properly.
I just placed the following: “rootpw password” in the slapd.conf file.
It should be “rootpw ldapadmin01”
Thank you very much. It works.
Can this how-to be used for Debian Lenny as well?
Thanks
No, Lenny uses a different version of slapd that has a radically different config file. I will be posting a lenny-specific version soon
I’d suggest using the following link for your /etc/pam.d files
They work on Debian and Ubuntu clients. Useful if you are having problems changing password
# passwd test
passwd: Module is unknown
passwd: password unchanged
http://st0rage.org/files/pam.d.tar
Hi the following lines are my problem.
testldap2:/tmp# ldapadd -x -W -D ‘cn=admin,dc=mydomain,dc=net’ < /tmp/base.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
testldap2:/tmp# ldapadd -x -W -D 'cn=admin,dc=mydomain' < /tmp/base.ldif
Enter LDAP Password:
adding new entry "dc=mydomain,dc=net"
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
I have tried what you answered for pachuco and krisbfunk. But no answer is working for me …please help.
neverland,
The first issue is with you copying/pasting and wordpress messing up the quote characters.
I’ve updated this article so copying/pasting should work now.
I’d suggest starting over and making sure the correct quote characters are used.
It is still not working for me, is it ok to skip those three lines?
No, those are important.
I’d try:
apt-get remove --purge slapd
And starting over
testldap4:/usr/share/migrationtools# ldapadd -x -W -D ‘cn=admin,dc=mydomain’ results in ldap_bind: Invalid credentials (49), and the password I provide is exactly the one after rootpw
Hi there, now I have succeeded in installing ldap. But when I change the config for security, my ldap stops working. What should I do?
BTW: while I do openssl req -new -x509 -nodes -out ldap.pem -keyout ldap.pem -days 3650, I use an ip address as the common name; would it cause any problem?
Again about the security problem, here is the log file
debian:/etc/ldap# tail /var/log/syslog
Feb 24 02:54:27 debian slapd[2496]: slapd stopped.
Feb 24 02:54:28 debian slapd[2528]: @(#) $OpenLDAP: slapd 2.4.11 (Nov 26 2009 09:17:06) $#012#011root@SD6-Casa:/tmp/buildd/openldap-2.4.11/debian/build/servers/slapd
Feb 24 02:54:29 debian slapd[2529]: slapd starting
Feb 24 02:55:58 debian slapd[2529]: daemon: shutdown requested and initiated.
Feb 24 02:55:58 debian slapd[2529]: slapd shutdown: waiting for 0 threads to terminate
Feb 24 02:55:58 debian slapd[2529]: slapd stopped.
Feb 24 02:55:58 debian slapd[2542]: @(#) $OpenLDAP: slapd 2.4.11 (Nov 26 2009 09:17:06) $#012#011root@SD6-Casa:/tmp/buildd/openldap-2.4.11/debian/build/servers/slapd
Feb 24 02:55:58 debian slapd[2542]: /etc/ldap/slapd.conf: line 145: unknown directive inside backend database definition.
Feb 24 02:55:58 debian slapd[2542]: slapd stopped.
Feb 24 02:55:58 debian slapd[2542]: connections_destroy: nothing to destroy.
Regarding this error
Feb 24 02:55:58 debian slapd[2542]: /etc/ldap/slapd.conf: line 145: unknown directive inside backend database definition.
It is this line.
SSLVerifyClient none
neverland, you are not using debian etch. I can confirm this works with Debian Etch but not Lenny.
thanks for posting the solution
Hi,
[sorry, my 4 year old daughter got hold of the computer and submitted my previous unfinished comment …]
I have two issues. TLS does not work for me, but that is a minor issue for me …
The other, more important issue is that as soon as I comment out the “rootbinddn” in /etc/ldap.conf and restart nscd I cannot access my ldap accounts.
It appears it does not try to authenticate using anonymous, I allowed anonymous to auth in slapd.conf.
access to attrs=”userPassword”
by anonymous auth
by self write
by * none
access to *
by anonymous auth
by self write
by * none
Even when I set an LDAP account per dn as follows and try to use that as authentication account, it does not work.
I really do not want to keep my rootbinddn password in ldap.secret, as that is far too dangerous … passwords in cleartext? incredible that that is necessary … that defeats the whole purpose of LDAP.
I want to secure my computer as much as possible from external threats …
Hans,
All right, let’s start with “rootbinddn”. You are not using Debian Etch if you are using /etc/ldap.conf. Did you make a typo as to what config file you’re talking about?
ldap.secret unfortunately must be plain-text. Keep in mind that ldap.secret should be readable only by root… if root is compromised your system is already insecure!
Thanks for the quick reply; would you provide steps for how to do secure ldap on Debian Lenny? I can only do normal ldap till now.