Installation and Configuration - OpenLDAP in Ubuntu and CentOS for OS X

Often it is advantageous to have authentication, security and application settings centralised for ease of management. Microsoft provide Active Directory for Windows users and through the use of OpenLDAP, we can duplicate this behaviour in a cross-platform and open-source way. An LDAP directory can be used to provide single sign-on for Linux, Windows, OSX and web-based applications as well as network authentication via RADIUS.

This article describes how to install OpenLDAP and configure a basic directory information tree.

Supported Releases

Should work in all Ubuntu releases from 8.10 up. Tested on Ubuntu 18.04 and CentOS 7.

Required Packages

For an installation that does not require password synchronisation for Windows users:

sudo apt-get install slapd ldap-utils

Alternatively, if you are using SAMBA and wish to keep your LDAP and SAMBA passwords synchronised, the following is required to work around a packaging bug. Add the following to /etc/apt/sources.list:

#Debian Stable repository
deb Index of /debian stable main

Then, create the file /etc/apt/preferences with the following content to prevent the Debian releases automatically updating our installation:

Package: *
Pin: release l=Debian
Pin-Priority: 10

Next, edit /etc/apt/apt.conf.d/70debconf and add the following to allow for the much larger Debian repository list we must now manage:

APT::Cache-Limit "100000000";

You are now ready to obtain the Debian release keys and update your repository lists:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0xB98321F9
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x473041FA
sudo apt-get update

Finally, install the required packages on Ubuntu:

sudo apt-get install slapd-smbk5pwd ldap-utils

On CentOS, install the required packages:

yum install openldap -y

Schema Creation

A schema defines the objects and attributes in the LDAP database. Depending on the applications we are going to hook into the directory, different schema files will be needed.

LDIF files are sensitive to white space and may not import correctly if you simply copy and paste them from this page. Please click on the header at the top of each file to download a copy in its original format instead.

Log on and become root:

sudo -i

Add the basic schema files required for all directories (the paths below are the CentOS ones; on Ubuntu the schema files live in /etc/ldap/schema/):

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif

Sudo via LDAP

To enable the management of root privileges via the directory using Sudo, load the file below. It was converted from the original, located in /usr/share/doc/sudo-ldap/schema.OpenLDAP on an Ubuntu system once the sudo-ldap package has been installed.

sudo.ldif (1.6 KB)

wget -O sudo.ldif https://vmbs.uk/uploads/short-url/aDGYo58UUhUj1bSRljxpdu8QZkF.ldif

Apply the schema modifications with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f sudo.ldif

Password Policy

To implement password expiry, strength controls, lockout, etc. with password policies, load the file below. It was converted from the original, located in /etc/ldap/schema/ppolicy.schema on an Ubuntu system once the slapd package has been installed.

ppolicy.ldif (2.9 KB)

wget -O ppolicy.ldif https://vmbs.uk/uploads/short-url/7ftaOtrqVejHQix9ly2CDbs1s1N.ldif

Apply the schema modifications with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif

Thunderbird Contacts

To store Mozilla Thunderbird contacts and groups in the directory, load the file below. It was originally downloaded from MailNews:Mozilla LDAP Address Book Schema - MozillaWiki and converted to LDIF format.

mozillaAbPersonAlpha.ldif (3.5 KB)

wget -O mozillaAbPersonAlpha.ldif https://vmbs.uk/uploads/short-url/tTQZ9xnHSyifyGipljKRHI6Zrn0.ldif

Apply the schema modifications with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f mozillaAbPersonAlpha.ldif

FreeRADIUS

To use RADIUS to authenticate network users via LAN, Wi-Fi or VPN in conjunction with compatible network switches, routers and access points, download the file below. It was converted from the original, located in /usr/share/doc/freeradius/examples/openldap.schema on an Ubuntu system once the freeradius-ldap package has been installed.

freeradius.ldif (11.7 KB)

wget -O freeradius.ldif https://vmbs.uk/uploads/short-url/uPWjKj7ZJ8i2cGPW3mOuda24CV8.ldif

Apply the schema modifications with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f freeradius.ldif

Pure FTP

To control Pure-FTPd users, home directories, quotas, bandwidth, etc. via the directory, load the file below. It was converted from the original, located in /usr/share/doc/pure-ftpd-common/pureftpd.schema on an Ubuntu system once the pure-ftpd-common package has been installed.

pureftpd.ldif (2.1 KB)

wget -O pureftpd.ldif https://vmbs.uk/uploads/short-url/4vix0wDU1wkE91XrJJWQfIfR2O2.ldif

Apply the schema modifications with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f pureftpd.ldif

SAMBA v3

To run as a SAMBA domain controller and/or share files and printers with Windows systems, download the file below. It was converted from the original, located in /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz on an Ubuntu system once the samba-doc package has been installed.

The file has been modified to include the attributes acctFlags, pwdLastSet, logonTime, logoffTime, kickoffTime, homeDrive, scriptPath, profilePath, userWorkstations, smbHome, rid and primaryGroupID from the SAMBA v2 configuration, as these are used by the Apple OS X schema. This should not cause any problems whether or not you intend to support Macs, but leaves the option open.

samba.ldif (13.9 KB)

wget -O samba.ldif https://vmbs.uk/uploads/short-url/d4F75Yvn2aYLHAIPrAKKhEIImHC.ldif

Apply the schema modifications with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f samba.ldif

Apple OS X

To support Apple Macintosh computers and their policies via Workgroup Manager, download the two files below. They have been converted from the originals found in /etc/openldap/schema/ on any Mac running OS X Lion.

The apple.schema file has been modified to include the attributes authAuthority, apple-user-homeDirectory and apple-acl-entry. The definition authAuthority has been moved to the beginning of the file, prior to its use. The object class apple-user has been extended to include the attribute apple-user-homeDirectory.

apple_auxillary.ldif (442 Bytes)
apple.ldif (37.7 KB)

wget -O apple_auxillary.ldif https://vmbs.uk/uploads/short-url/eSi659tTgzJuxJOn1HJlsiUAUiz.ldif
wget -O apple.ldif https://vmbs.uk/uploads/short-url/pDrY12BQxQzzW6xkZ6EE8Q9dV13.ldif

Apply the schema modifications with the following commands:

ldapadd -Y EXTERNAL -H ldapi:/// -f apple_auxillary.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f apple.ldif

Configuration

Once the schema has been established, it is necessary to set a password on the configuration directory tree and create a second tree, which will hold the data relevant to the applications that hook into LDAP. The directory will have an administration account (cn=admin,dc=example,dc=com) with read/write access to both trees. Firstly we must create a password for this account:

slappasswd -s <password>

Where <password> is a secure password you wish to use for full access to LDAP. The result will be a string similar to {SSHA}dgsahdgajdahjdhsajdhs819tqM7dhjald, which must be inserted in place of <slappasswd_output> in the following file once it has been downloaded:

backend.ldif (895 Bytes)

wget -O backend.ldif https://vmbs.uk/uploads/short-url/8bELiHo7nrQciaG5ofn7U4oephe.ldif

Once downloaded and the password hash inserted in the appropriate place, create the new directory tree:

ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

We must now populate our new directory tree with the structure and user information to make it useful to us. In the example below we create the administrator (cn=admin,dc=example,dc=com) and a single Standard User (uid=user1,dc=people,dc=example,dc=com):

example.com.ldif (1.1 KB)

wget -O example.com.ldif https://vmbs.uk/uploads/short-url/oQs4PgSKgsRV8609iZMuJRwB9cu.ldif

We have now set a password on the LDAP database, so to import this file we must use the following syntax and enter the directory administrator’s password we hashed above when prompted:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif

Sudo

To configure the directory to mimic the behaviour of a standard /etc/sudoers file, import the file below. Further details of the specification and configuration of sudo via LDAP can be found on the man page.

sudo.apps.example.com.ldif (392 Bytes)

wget -O sudo.apps.example.com.ldif https://vmbs.uk/uploads/short-url/pTX5lslvLXfVwsxGYwzo5S3sPfE.ldif

To import this file we must use the following command and enter the directory administrator’s password when prompted:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f sudo.apps.example.com.ldif

To improve the performance of sudoers lookups via LDAP, we must add an additional index:

sudo_index.ldif (72 Bytes)

wget -O sudo_index.ldif https://vmbs.uk/uploads/short-url/dXfpwrfWDotM7as950FYk7K4P0a.ldif

Make the index changes with the following command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f sudo_index.ldif

Password Policy

Import the file below to configure the directory to support password policy enforcement for parameters such as length, age, failed logons, lockout, etc. Further details of this directory overlay can be found in the OpenLDAP documentation.

The default policy created here forces users to change their password every 28 days, with a minimum length of 8 characters. They are warned 3 days prior to their password expiry and allowed a further 3 logins once it expires. Invalid login attempts are tracked and 5 within 5 minutes will lock the account out for half an hour.

policies.example.com.ldif (474 Bytes)

wget -O policies.example.com.ldif https://vmbs.uk/uploads/short-url/mFayV6ATAFtMu8Rn8jacgX6viy3.ldif

To import this file we must use the following command and enter the directory administrator’s password when prompted:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f policies.example.com.ldif

To load the password policy overlay and point it to the default policy, we must download the following file:

overlay_ppolicy.ldif (354 Bytes)

wget -O overlay_ppolicy.ldif https://vmbs.uk/uploads/short-url/yKXGJd52cEayU3PGfkh3wd4TbNe.ldif

Make the configuration changes with the following command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f overlay_ppolicy.ldif
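The default policy described in this section, written out as an added example (this is not the page's own policies.example.com.ldif): a small script that converts the human-readable limits into the seconds the ppolicy overlay expects and emits the pwdPolicy entry. The container ou=policies,dc=example,dc=com is an assumption; adjust it to whatever your imported tree uses.

```shell
#!/bin/sh
# Added example, not the page's policies.example.com.ldif. The DN below
# (cn=default,ou=policies,dc=example,dc=com) is an assumption.
set -eu

# ppolicy stores every interval in seconds; convert from the units used in the text
days_to_seconds()    { echo $(( $1 * 86400 )); }
minutes_to_seconds() { echo $(( $1 * 60 )); }

# Emit the LDIF for the default policy on stdout
ppolicy_ldif() {
    cat <<EOF
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 2
pwdMaxAge: $(days_to_seconds 28)
pwdExpireWarning: $(days_to_seconds 3)
pwdGraceAuthNLimit: 3
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: $(minutes_to_seconds 5)
pwdLockoutDuration: $(minutes_to_seconds 30)
EOF
}
# Note: pwdMinLength is only enforced when pwdCheckQuality is 1 or 2, and
# lockout only happens when pwdLockout is TRUE; both are easy to forget.

# Read one attribute back out of the generated LDIF (used to sanity-check values)
ppolicy_value() {
    ppolicy_ldif | sed -n "s/^$1: //p"
}

# Load the entry as the directory administrator (prompts for the password)
apply_ppolicy() {
    ppolicy_ldif | ldapadd -x -D cn=admin,dc=example,dc=com -W
}
```

Run `ppolicy_ldif` first and compare the output with the file you downloaded; the overlay's olcPPolicyDefault must point at this DN for the policy to apply.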

Postfix

To allow Postfix mail addresses and aliases to be configured via the LDAP directory, import the file below.

mail.apps.example.com.ldif (536 Bytes)

wget -O mail.apps.example.com.ldif https://vmbs.uk/uploads/short-url/uKncpK1iCdRfcvPoO7sNqOO6JR1.ldif

To import this file we must use the following command and enter the directory administrator’s password when prompted:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f mail.apps.example.com.ldif

To improve the performance of e-mail address lookups via LDAP, we must add an additional index:

postfix_index.ldif (79 Bytes)

wget -O postfix_index.ldif https://vmbs.uk/uploads/short-url/oUruBcmwDWfH92gB1jwPDakkWev.ldif

Make the index changes with the following command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f postfix_index.ldif

SAMBA v3

To improve the performance of SAMBA domain and user lookups via LDAP, we must add some additional indices:

samba_index.ldif (411 Bytes)

wget -O samba_index.ldif https://vmbs.uk/uploads/short-url/LbkPoeJHHkSVxf1GFtv1ccLA15.ldif

Make the index changes with the following command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_index.ldif

Apple OS X

To support Apple Macs in native Open Directory mode, we must mimic the structure of the Apple directory by importing the file below.

macosx.example.com.ldif (3.4 KB)

wget -O macosx.example.com.ldif https://vmbs.uk/uploads/short-url/qZpur7Q4sLjnK4jODMxE5DYyafa.ldif

To import this file we must use the following command and enter the directory administrator’s password when prompted:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f macosx.example.com.ldif

Security

Due to the nature of the information frequently held in the LDAP directory, it is essential that we protect access to it and reduce the chances of eavesdropping.

TLS/SSL

Many applications will use the LDAP simple bind mechanism, which transmits the username and password in clear text over the network. Where this is an internal, trusted network or via a VPN, this might just about be acceptable. In all other cases we will use TLS to encrypt the data before it is sent. As OpenLDAP on Ubuntu (and Debian) is compiled against GnuTLS libraries, we must install their certificate tools:

apt-get install gnutls-bin

Now we must generate a secure private key and certificate signing request (CSR) to pass to our certificate authority (CA):

certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/servername.example.com.key
adduser openldap ssl-cert
chgrp ssl-cert /etc/ssl/private/servername.example.com.key
chmod 640 /etc/ssl/private/servername.example.com.key

certtool --generate-request --load-privkey /etc/ssl/private/servername.example.com.key --outfile servername.example.com.csr

Generating a PKCS #10 certificate request…
Country name (2 chars): IE
Organization name: Example Company
Organizational unit name:
Locality name: Dublin
State or province name: Co.Dublin
Common name: servername.example.com
UID:
Enter a dnsName of the subject of the certificate: servername.example.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N):
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N): y

Copy the contents of the resulting servername.example.com.csr file to your CA (in our case we used Let’s Encrypt) and ask them to certify it for you. Depending on the authority used this should require proof of identity and possibly the removal of some money. Once your key has been certified, save the certificate in /etc/letsencrypt/..../servername.example.com.pem.

It is now necessary to create a certificate chain file, which will be used to verify our new server certificate up to the CA’s root. In our case we were issued a Class 1 Server certificate, which is one level below the Let’s Encrypt root. Create /etc/letsencrypt/..../letsencrypt_Class_1_Server.pem, paste into it the contents of https://letsencrypt.org/certificates/.....sub.class1.server.ca.pem followed by https://letsencrypt.org/certificates/.....ca.pem and then save the file.

The following file is then needed to enable TLS:

tls_enable.ldif (412 Bytes)

wget -O tls_enable.ldif https://vmbs.uk/uploads/short-url/haC5HBGWT8UXYgYzhySKEh4ksyF.ldif

Make the security changes with the following commands:

ldapmodify -Y EXTERNAL -H ldapi:/// -f tls_enable.ldif

Edit /etc/default/slapd and update the SLAPD_SERVICES option:

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

Finally, restart slapd and test that TLS is operational:

service slapd restart
gnutls-cli-debug -p 636 localhost
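gnutls-cli-debug reports what the listener negotiates but does not validate the certificate, so a wrong chain file or a world-readable key goes unnoticed. The pre-flight checks below are an added example, not part of the original guide; the key path is the one created above, while the certificate and chain file locations are assumptions standing in for the elided /etc/letsencrypt/.... paths.

```shell
#!/bin/sh
# Added example, not from the page. CERT and CHAIN are assumed locations.
set -eu

KEY=/etc/ssl/private/servername.example.com.key
CERT=/etc/letsencrypt/servername.example.com.pem        # assumed location
CHAIN=/etc/letsencrypt/letsencrypt_Class_1_Server.pem   # assumed location

# Return 0 if a private key has no permissions for "other" and is not
# group-writable (0640 or tighter), so slapd can read it but nobody else can.
key_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)        # e.g. -rw-r-----
    case "$mode" in
        ?rw-r-----|?rw-------|?r--r-----|?r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the key's group is the one slapd runs with (ssl-cert on Ubuntu),
# which is what makes the 0640 mode sufficient.
key_group_ok() {
    [ "$(ls -ld "$1" | awk '{print $4}')" = "$2" ]
}

# Verify the server certificate up to the CA root using the chain file.
# Fails if the intermediate and root were pasted in the wrong order.
chain_ok() {
    certtool --verify --load-ca-certificate "$CHAIN" --infile "$CERT"
}

# Live probe with a client that validates the certificate against the chain
# and checks the host name, i.e. what a real application will do.
tls_probe() {
    LDAPTLS_CACERT="$CHAIN" ldapsearch -H "ldaps://$1" -x -b "" -s base namingContexts
}

# Order matters: fix the key and chain before restarting slapd and probing.
preflight() {
    key_mode_ok "$KEY" && key_group_ok "$KEY" ssl-cert && chain_ok && tls_probe "$1"
}
```

Run `preflight servername.example.com` after the restart; a failure in tls_probe with a passing chain_ok usually means the Common name or dnsName in the CSR does not match the host name clients use.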

Listening Interfaces

Often an LDAP server has multiple network interfaces, bound to different LANs or VLANs. It can be advantageous to limit the interfaces slapd listens on. In the example below unencrypted connections are allowed from the local machine only and

To restrict the listening interfaces in Ubuntu, edit /etc/default/slapd and update the SLAPD_SERVICES option:

SLAPD_SERVICES="ldap://127.0.0.1/ ldapi:/// ldaps://127.0.0.1/"

To restrict the listening interfaces in CentOS, first locate the slapd unit file:

find /etc/systemd/ -name slapd*

Then edit the file returned by find:

vim /etc/systemd/system/multi-user.target.wants/slapd.service

Then restart slapd and check which interfaces it is listening on:

service slapd restart
netstat -tlpn | grep slapd

Testing and Tools

Once you have added the schema and data, it is necessary to stop LDAP, re-build its indices, restart it and check the system log for any problems (the slapd user is openldap on Ubuntu and ldap on CentOS, so adjust the chown accordingly):

service slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
service slapd start

Examine the tail of /var/log/syslog for any errors or warnings being reported by the slapd process.

Enable LDAP logging

Configure rsyslog to log LDAP events to /var/log/ldap.log:

vim /etc/rsyslog.conf

Add the following line to /etc/rsyslog.conf:

local4.* /var/log/ldap.log

Restart the rsyslog service.

systemctl restart rsyslog

To see which schema modifications have been loaded, run:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
