From SemarkIT


Before OpenLDAP 2.4.23

Configure OpenLDAP for samba:

cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
gzip -d /etc/ldap/schema/samba.schema.gz
cp /usr/share/doc/gosa/contrib/openldap/*.schema /etc/ldap/schema/
cd /etc/ldap/
vi schema.conf
# LDAP - part 1
include         /etc/ldap/schema/core.schema
#include                /etc/ldap/schema/autofs.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/corba.schema
include         /etc/ldap/schema/dyngroup.schema
include         /etc/ldap/schema/java.schema
include         /etc/ldap/schema/misc.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/trust.schema
include         /etc/ldap/schema/openldap.schema
include         /etc/ldap/schema/ppolicy.schema

# GOsa
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/gosystem.schema
include         /etc/ldap/schema/gofon.schema
include         /etc/ldap/schema/goto.schema
include         /etc/ldap/schema/goto-mime.schema
# Note: before 2.6.5 this file was named gosa+samba3.schema
include         /etc/ldap/schema/gosa+samba3.schema
include         /etc/ldap/schema/gofax.schema
include         /etc/ldap/schema/goserver.schema
include         /etc/ldap/schema/pureftpd.schema
include         /etc/ldap/schema/pptp.schema

# LDAP - part 2
include         /etc/ldap/schema/collective.schema

Create a rootpw hash for LDAP:

slappasswd -h {MD5}

Write the output down; you will need it in a moment in slapd.conf. (slappasswd's default scheme, {SSHA}, is a salted SHA-1 hash and a stronger choice than {MD5} if nothing requires MD5.)

vi slapd.conf

Find the line "# Schema and objectClass definitions", delete all the include lines below it, and write the following instead:

include         /etc/ldap/schema.conf
suffix          "dc=<domain>,dc=<local>"
rootdn          "cn=admin,dc=<domain>,dc=<local>"
rootpw          {MD5}<hash part of the slappasswd output>
directory       "/var/lib/ldap/<domain>"

For better performance do more indexing than the default:

index    objectClass,uidNumber,gidNumber,memberuid             pres,eq
index    cn,sn,uid,mail,displayName,givenName,ou               pres,sub,eq
index    gosaMailAlternateAddress,gosaMailForwardingAddress    eq
index    gosaSubtreeACL,gosaObject,gosaUser                    pres,eq
index    sambaSID,sambaPrimaryGroupSID,sambaDomainName         eq
index    default                                               eq,sub

Access controls (the defaults work, but they are not secure enough for my taste):

# slapd evaluates access directives in order and uses only the first one
# whose target matches, so the specific attribute rules must come before
# the catch-all "access to *"; otherwise the catch-all makes every
# attribute, password hashes included, readable by everyone.
access to dn.base="" by * read

# Password and Samba credential attributes: the admin and the entry itself
# may write them, unauthenticated binds may only use them to authenticate,
# nobody else sees them.
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
       by dn="cn=admin,dc=<domain>,dc=<local>" write
       by anonymous auth
       by self write
       by * none
access to attrs=loginShell
       by dn="cn=admin,dc=<domain>,dc=<local>" write
       by * none
access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
       by dn="cn=admin,dc=<domain>,dc=<local>" write
       by self write
       by * read
# Never reached: loginShell is already matched by the loginShell rule above
# and gecos by the rule before this one. Decide which loginShell policy you
# want and keep only one of the two rules.
access to attrs=loginShell,gecos
       by dn="cn=admin,dc=<domain>,dc=<local>" write
       by self write
       by * read

# The admin dn has full write access, everyone else
# can read everything. This must stay last.
access to *
       by dn="cn=admin,dc=<domain>,dc=<local>" write
       by * read
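To see why the order of the access directives matters, here is an added example (not from the original page) that applies slapd's first-match evaluation to a constructed excerpt of directives in the shape used above, first with the catch-all "access to *" ahead of the password rule and then with it moved last. The admin and user DNs are assumed placeholders, and only the "*" and "attrs=" targets and the "dn", "self", "anonymous" and "*" subjects used above are modelled.

```python
import re

def parse_acls(text):
    """slapd.conf 'access to <what> by <who> <level>' directives, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            what, _, rest = line[len("access to "):].partition(" by ")
            rules.append((what.strip(), []))
            line = "by " + rest if rest else ""   # 'by' clause on the same line
        if line.startswith("by ") and rules:
            m = re.match(r'by (dn="[^"]*"|self|anonymous|\*)\s+(\w+)', line)
            if m:
                rules[-1][1].append(m.groups())
    return rules

def access(rules, attr, entry_dn, requester=None):
    """First-match evaluation as slapd does it: the first directive whose target
    matches is the only one consulted, and within it the first matching 'by'
    clause decides. requester is the bind DN, or None for an anonymous client.
    Only the '*' and 'attrs=a,b' targets used in the directives above are modelled."""
    for what, clauses in rules:
        if what != "*" and attr.lower() not in what[len("attrs="):].lower().split(","):
            continue
        for who, level in clauses:
            if (who == "*" or (who == "anonymous" and requester is None)
                    or (who == "self" and requester == entry_dn)
                    or who == 'dn="%s"' % requester):
                return level
        return "none"      # target matched, but no 'by' clause applied
    return "none"          # nothing matched: slapd's implicit default

def catch_all_last(rules):
    """Reorder so 'access to *' comes last and the attribute rules are reachable."""
    return [r for r in rules if r[0] != "*"] + [r for r in rules if r[0] == "*"]

# Constructed excerpt with the catch-all placed ahead of the password rule.
ACL_AS_WRITTEN = """
access to *
       by dn="cn=admin,dc=example,dc=local" write
       by * read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
       by dn="cn=admin,dc=example,dc=local" write
       by anonymous auth
       by self write
       by * none
"""
```

With the catch-all first, access(parse_acls(ACL_AS_WRITTEN), "userPassword", some_user_dn) returns "read" for an anonymous client; after catch_all_last() it returns "auth", and "none" for other authenticated users.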

Create the database directory for the new suffix, give it to the openldap user and restart slapd:

mkdir /var/lib/ldap/<domain> && chown openldap:openldap /var/lib/ldap/<domain>
/etc/init.d/slapd stop && /etc/init.d/slapd start && /etc/init.d/slapd stop
/etc/init.d/slapd start
vi ldap.conf
BASE            dc=<domain>,dc=<local>
URI             ldap://localhost:389
rootbinddn      cn=admin,dc=<domain>,dc=<local>
bind_policy     hard

BASE and URI are options of the OpenLDAP client library (/etc/ldap/ldap.conf). rootbinddn and bind_policy are options of libnss-ldap/libpam-ldap, which on Lenny read /etc/ldap.conf; rootbinddn additionally needs the admin password in /etc/ldap.secret, which must be owned by root with mode 0600.

Configuring LDAPS

Configuring the certificate (and possibly the CA used) in /etc/ldap/slapd.conf:

TLSCACertificateFile    /etc/ssl/certs/whatever_ca_you_use.pem
TLSCertificateKeyFile   /etc/ssl/private/example.com.pem
TLSCertificateFile      /etc/ssl/certs/example.com.pem

By default, slapd runs as user/group openldap, so it can't read the key file. On Debian Lenny, the preferred solution to this dilemma seems to be to chown the key to root:ssl-cert, set permissions to 640 and add the user openldap to group ssl-cert.


If slapd fails to start after enabling TLS, look for the following. In slapd debug output:

[...] TLS: could not set cipher list HIGH:MEDIUM:-SSLv2.  (or similar)

In /var/log/syslog:

[...] main: TLS init def ctx failed: -1


If you install the OpenLDAP server (slapd) on Debian Lenny, it comes compiled against the GnuTLS library. This means you cannot use an OpenSSL-style directive such as TLSCipherSuite HIGH:MEDIUM:-SSLv2 in slapd.conf.


In /etc/ldap/slapd.conf, either comment out the TLSCipherSuite option to let GnuTLS choose a reasonably sane default for you, or use something like:


To get all the supported GnuTLS cipher suite names:

apt-get install gnutls-bin
man gnutls-cli

and skip to the "TLS/SSL control options" section of the man page.

To use only 256-bit ciphers, use this (paranoid?) setting:


Another useful tool for testing the TLS options a server supports is gnutls-cli-debug. First add ldaps:/// to the SLAPD_SERVICES option in /etc/default/slapd, restart slapd and then run

gnutls-cli-debug -p 636 <fqdn_of_your_ldap_host>

That will show you the cipher suites your LDAP server supports.

More Symptoms

If you are getting messages such as

slapd TLS: can't connect: A TLS packet with unexpected length was received..

or

Could not negotiate a supported cipher suite.

read on.


How did you generate your certificates? If you generated them using OpenSSL, you're going to run into problems: Debian switched to GnuTLS a while ago, and it doesn't play nicely with OpenSSL certificates. To fix this, see the next section.

NOTE: On Debian Squeeze OpenLDAP is linked with GnuTLS as well, but works just fine with certificates generated by OpenSSL.


You're going to need the GnuTLS certificate generator, certtool.

Run these two commands to generate a new private key and a self-signed certificate for it (into the current working directory):

certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem

Then, update your certificate locations in /etc/ldap/slapd.conf (TLSCertificateFile points to ca-cert.pem and TLSCertificateKeyFile points to ca-key.pem), comment out TLSCACertificateFile, and change TLSVerifyClient to never.

In /etc/ldap/ldap.conf, comment out TLS_CACERT and change TLS_REQCERT to never.

Since the certificate is self-signed, we can't have GnuTLS trying to verify it against a CA (hence the never); otherwise verification fails and the connection is refused. Note that TLS_REQCERT never disables server certificate verification altogether, so the client will accept any certificate presented to it; an alternative that keeps verification is to copy ca-cert.pem to the clients and point TLS_CACERT at it.

Then restart your services and you're good (assuming all your clients' URIs point to ldaps://<host>/).

After OpenLDAP 2.4.23

Since version 2.4.23-3 the configuration of OpenLDAP has moved to /etc/ldap/slapd.d by default. The OpenLDAP packages in Debian migrate an existing slapd.conf to the new configuration style automatically. With the new style it is possible to change values on the fly without restarting slapd; changes are made with LDIF files and ldapadd/ldapmodify. On Debian you can search the configuration with:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

To modify configuration use the command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f <file.ldif>

When I have this step completed I will make a guide on how to do this in Squeeze also, but for now please see the several man pages that exist or the documentation provided upstream for help.

The use of slapd.conf remains possible (optional) but is not recommended.