====== OpenLDAP Server on Debian ======
This guide is based on [[https://www.howtoforge.com/how-to-install-openldap-server-on-debian-and-ubuntu|this article at HowToForge]].
Starting from a fresh (template) Debian install, this VM needs one **Bridged adapter**, since it has to be reachable from outside the hypervisor's internal sub-networks.
> nano /etc/network/interfaces
...
# The primary network interface
auto eth0
iface eth0 inet static
#dns-nameservers 8.8.8.8
address 192.168.1.XXX
netmask 255.255.255.0
broadcast 192.168.1.255
network 192.168.1.0
...
==== Install OpenLDAP packages ====
> apt-get update
> apt-get install slapd ldap-utils
Configure the LDAP client defaults (used by ldapsearch and the other ldap-utils):
> nano /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=home,dc=brussels
URI ldap://192.168.1.201 ldap://192.168.1.201:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Then we reconfigure the slapd package with the values we just introduced, answering the debconf prompts as follows:
> dpkg-reconfigure slapd
* Omit OpenLDAP server configuration: NO
* DNS domain name: home.brussels
* Organisation name: Family
* Administrator password: *****
* Database backend: HDB
* Remove the database when slapd is purged: YES
* Move old database: YES
* Allow LDAPv2 protocol: NO
Check the install with an anonymous (simple bind, ''-x'') search against the base DN from ldap.conf:
> ldapsearch -x
==== Install phpLDAPadmin ====
We need an Apache server with PHP (plus the php5-mysql module) installed to run the phpLDAPadmin web GUI:
> apt-get install apache2 php5 php5-mysql
> apt-get install phpldapadmin
Then we configure phpLDAPadmin (the line numbers below refer to the default config.php; ''nano -c'' displays them):
> nano -c /etc/phpldapadmin/config.php
[line 85] $config->custom->appearance['timezone'] = 'Europe/Brussels';
[line 161] $config->custom->appearance['hide_template_warning'] = true;
[line 286] $servers->setValue('server','name','Home LDAP Server');
[line 300] $servers->setValue('server','base',array('dc=home,dc=brussels'));
[line 326] $servers->setValue('login','bind_id','cn=admin,dc=home,dc=brussels');
Now we should be able to access the phpLDAPadmin Web GUI at http://192.168.1.201/phpldapadmin
==== Securing access with a self-signed certificate ====
This section follows [[https://www.rosehosting.com/blog/install-and-configure-openldap-and-phpldapadmin-on-ubuntu-14-04/|this article]].
Create a directory to hold your certificate and key:
> mkdir /etc/apache2/ssl
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
After you answer the questions, the certificate and key are written to the **/etc/apache2/ssl** directory. We need to enable the Apache ssl module and redirect http requests for /phpldapadmin to https, so the admin bind password is never sent in the clear:
> a2enmod ssl
> nano /etc/apache2/sites-enabled/000-default
...
DocumentRoot /var/www
Redirect permanent /phpldapadmin https://192.168.1.201/phpldapadmin
...
Now let's enable the default SSL Apache site and point it at our certificate and key:
> nano -c /etc/apache2/sites-available/default-ssl
...
ServerAdmin webmaster@localhost
ServerName 192.168.1.211
...
[line 43/44]
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
...
> a2ensite default-ssl
> service apache2 restart
We now have an encrypted (HTTPS) connection to the phpLDAPadmin web GUI in front of our LDAP server. [[http://www.linux.com/learn/tutorials/377952:manage-ldap-data-with-phpldapadmin|This article]] gives a basic example of creating and managing groups and users.
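A post-install check script for the setup above, added here as an example (it is not from the linked articles): it verifies that the HTTP-to-HTTPS redirect is in place, that slapd answers an anonymous search for the suffix, and that the 365-day self-signed certificate is not about to expire. The 30-day threshold, the ''--live'' flag and the sample responses are my own assumptions; host, base DN and certificate path are this page's values.

```shell
#!/bin/sh
# Post-install checks for the setup described on this page (added example, not
# from the linked articles). Host, base DN and cert path are this page's values;
# CERT_MIN_DAYS is an assumed threshold for the 365-day self-signed certificate.
LDAP_HOST="${LDAP_HOST:-192.168.1.201}"
BASE_DN="${BASE_DN:-dc=home,dc=brussels}"
CERT_FILE="${CERT_FILE:-/etc/apache2/ssl/apache.crt}"
CERT_MIN_DAYS="${CERT_MIN_DAYS:-30}"
# redirect_ok HEADERS: the plain-http answer for /phpldapadmin must be a
# permanent redirect to https://, otherwise "Redirect permanent" is not active
# and the admin password would travel in the clear.
redirect_ok() {
    printf '%s\n' "$1" | grep -qi '^HTTP/[0-9.]* 30[18]' &&
    printf '%s\n' "$1" | grep -qi '^Location: https://'
}

# search_ok OUTPUT: anonymous `ldapsearch -x` output must contain our suffix
# entry and a success result, i.e. slapd really serves dc=home,dc=brussels.
search_ok() {
    printf '%s\n' "$1" | grep -q "^dn: ${BASE_DN}\$" &&
    printf '%s\n' "$1" | grep -q '^result: 0 Success'
}

# cert_fresh FILE: true if the certificate is still valid CERT_MIN_DAYS from now.
cert_fresh() {
    openssl x509 -in "$1" -noout -checkend $((CERT_MIN_DAYS * 86400))
}

# Constructed sample responses used for offline self-checks.
GOOD_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://192.168.1.201/phpldapadmin'
BAD_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html'
GOOD_SEARCH='dn: dc=home,dc=brussels
objectClass: dcObject
o: Family
dc: home

search: 2
result: 0 Success'
BAD_SEARCH='search: 2
result: 32 No such object'

# ./check_ldap_setup.sh --live  runs the checks against the real host.
if [ "${1:-}" = "--live" ]; then
    redirect_ok "$(curl -sI "http://$LDAP_HOST/phpldapadmin")" && echo "redirect: ok" || echo "redirect: FAIL"
    search_ok "$(ldapsearch -x -H "ldap://$LDAP_HOST" -b "$BASE_DN" -s base)" && echo "slapd: ok" || echo "slapd: FAIL"
    cert_fresh "$CERT_FILE" && echo "cert: ok" || echo "cert: expires within $CERT_MIN_DAYS days"
fi
```

Without ''--live'' the script only defines the functions and samples, so it can be sourced and used for the individual checks.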