Most modern LinuxDistributions will support OpenLDAP and TLS "out of the box". They'll all require generation of appropriate SSL certificates, and some will require additional configuration.
You'll want to create certificates. See SSLNotes to learn how.
When creating certificates, set the HostName (cn) to the name that you'll be connecting to the server on! It'll fail otherwise. For example, if you'll be using LDAP + TLS to ldap.wlug.org.nz, set the Common Name to ldap.wlug.org.nz, and only ever connect to that name. If you use another name that resolves to the same IP, it's not going to work.
It is important to have the permissions and ownership set right on your slapd.pem certificate. If you don't, slapd(8)? will fail to start and exit without displaying an error. The exact permissions will depend on your distribution.
TLSCACertificateFile /etc/ssl/cacert.pem TLSCertificateFile /etc/ldap/certs/slapd-cert.pem TLSCertificateKeyFile /etc/ldap/certs/slapd-key.pem TLSRandFile /etc/ldap/certs/randfile TLSCipherSuite HIGH:MEDIUM:+SSLv2
Debian Woody ships with a version of slapd(8)? that doesn't have TLS support enabled. Check out the References section below for links to backports available for Debian Woody, or else rebuild the Debian slapd(8)? Package with TLS support yourself. Change the line in debian/rules from --without-tls to --with-tls.
You'll also need to change the init script: in /etc/init.d/slapd, change the line that says start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd to read start-stop-daemon --start --quiet --pidfile "$pf" --exec /usr/sbin/slapd -- -h "ldaps:/// ldap:///". This starts slapd(8)? listening on the ldaps and ldap Ports. You can also use ldapi to use LDAP over a Unix domain socket.
SLAPD_SERVICES="ldap://127.0.0.1/ ldaps:///"
The example above will cause slapd(8)? to listen on the ldap port only on the localhost interface, and on the ldaps port on any interface.
RedHat 7.x supports TLS out of the box. All you have to do is recreate your slapd(8)? certificate and uncomment the TLS config lines in /etc/openldap/slapd.conf.
cd /usr/share/ssl/certs make slapd.pem ... answer some questions ...
Remember our advice about the Common Name here.
Use the following commands to set the permissions correctly for RH 7.x:
chmod u=rw,g=r,o= slapd.pem chown root.ldap slapd.pem
See LDAPAuthentication for a detailed example for having user accounts in LDAP.
After configuring LDAP client authentication, you probably want to enable nscd(8) to load at boot (in runlevels 2, 3, 4, & 5). nscd(8) is a dæmon which keeps a cache of looked up passwords and groups for running programs, so that your LDAP (or NIS) server won't get hammered. It also increases clients responvity.
First, enable apache's LDAP authentication module (which should be distributed with apache2 in recent distributions), which is called authnz_ldap. (Debian-based distros: run a2enmod authnz_ldap)
The following assumes you are only doing this on SSL-enabled sites or on a LAN so that packet sniffing isn't a security concern:
<Location /ldap.html>
AuthName "test ldap auth"
AuthType Basic
# the following will check against the uid attribute
AuthLDAPURL ldap://ldapserver.hostname/ou=People,dc=yourdomain,dc=com?uid
# our ldap server allows anonymous binds, so don't need these:
# AuthLDAPBindDN
# AuthLDAPBindPassword
# choose a method of access:
# 1) TO LIMIT ACCESS TO A SET OF USERS:
#Require ldap-user user1 user2 user3
# 2) TO LIMIT ACCESS TO VALID USERS IN LDAP:
# use ldap instead of default "file"
AuthBasicProvider ldap
# allow AuthBasic to work
AuthzLDAPAuthoritative off
# valid-user is an AuthBasic directive...
Require valid-user
# 3) TO LIMIT ACCESS TO MEMBERS OF A GROUP:
## which ldap attribute do we use (defaults to uniqueMember)
## posixGroup objectClass uses the memberUid attribute:
#AuthLDAPGroupAttribute memberUid
#AuthLDAPGroupAttributeIsDN off
#Require ldap-group cn=admins,ou=Group,dc=yourdomain,dc=com
</Location>
There are a few things to get tripped up on with LDAP.
Perhaps the permissions on your database files disallow slapd(8)? from reading them (you'd think OpenLDAP would give an error in this case, but noooo...)
There's also the possibility that you forgot to edit /etc/ldap/ldap.conf (in Debian Sarge at least) to define the BASE and URI settings.
You should also try ldapsearch(1), passing the -h <hostname> and -b <base dn> too!
OpenLDAP has a special root account that has root access to the LDAP tree, bypassing any ACLs that you have in place. This account is controlled through the rootdn and rootpw attributes in slapd.conf.
rootpw must be initialised from the output of the slappasswd command. This isn't immediately obvious from any of the documentation and trying to bind as the rootdn will fail silently if you initialise it with a plaintext value.
Directory Administrator - An extremely handy GTK user maintenance tool.gq - A GTK-based LDAP client.Erudite Directory Service Admin - A small pyGTK2 user management.
gosa - A full-featured web-based host and account management system.phpldapadmin - Web-based account management system.JXplorer - Java based LDAP browser and editor. Supports custom HTML templates.directoryassistant - A small (and improvable) LDAP address book managerturba - The contact manager from the Horde projectBrian Masney's patch for DHCP to use LDAP as a backend.Intro to LDAPSAGE guide on LDAP system authenticationLDAP related notesMichael Jason-Smith's LDAP pageThe Debian Wiki's LDAP entryNotes on replicationDebian Woody backports of various LDAP utilitiesSome more notesPart of CategoryNotes and CategorySystemAdministration
6 pages link to LDAPNotes:
