OpenLDAP Server on Debian

This will be based on this article at HowToForge.

Starting from a fresh (template) Debian install, we'll give this VM a bridged adapter with a static address, since it has to be reachable from outside the hypervisor's own sub-networks:

> nano /etc/network/interfaces
...
# The primary network interface
auto eth0
iface eth0 inet static
    #dns-nameservers 8.8.8.8
    address 192.168.1.XXX
    netmask 255.255.255.0
    broadcast 192.168.1.255
    network 192.168.1.0
...

Install OpenLDAP packages

> apt-get update
> apt-get install slapd ldap-utils

Configure LDAP:

> nano /etc/ldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=home,dc=brussels
URI     ldap://192.168.1.201 ldap://192.168.1.201:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

Then we reconfigure the slapd package so that its directory matches the values we just introduced:

> dpkg-reconfigure slapd
* Omit: NO
* DNS domain name: home.brussels
* Organisation: Family
* Password: *****
* Database: HDB
* Remove when purged: YES
* Move old: YES
* LDAPv2: NO

Check the install with an anonymous search (it should list the directory's base entry without errors):

> ldapsearch -x
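A slightly more thorough post-install check than a bare `ldapsearch -x`, written as an added example for this page (it is not part of the original article). It assumes the base DN and admin DN configured above and the `ldapsearch`/`ldapwhoami` tools from ldap-utils; the LDIF sample inside it is constructed so the parsing part can be exercised without a running server.

```shell
#!/bin/sh
# Added example, not part of the original article: a post-install check for slapd that
# goes a bit further than a bare "ldapsearch -x". Assumes the base DN and admin DN
# configured above; ldapsearch and ldapwhoami come from the ldap-utils package.
BASE_DN='dc=home,dc=brussels'
ADMIN_DN="cn=admin,$BASE_DN"

# Print the DN of every entry in the LDIF read from stdin. LDIF folds long values onto
# continuation lines that start with one space, so lines are unfolded before matching.
# (Base64-encoded "dn::" values are not decoded here.)
ldif_dns() {
    awk '
        function emit(l) { if (l ~ /^dn: /) print substr(l, 5) }
        /^ /  { buf = buf substr($0, 2); next }   # continuation line: append without the space
              { if (buf != "") emit(buf); buf = $0 }
        END   { if (buf != "") emit(buf) }
    '
}

# Return 0 when the LDIF on stdin contains an entry whose DN is exactly $1.
ldif_has_dn() {
    ldif_dns | grep -Fxq -- "$1"
}

# Live check against the server named in /etc/ldap/ldap.conf.
check_slapd() {
    # 1. an anonymous base-scope search must return the root entry of the directory
    ldapsearch -x -LLL -b "$BASE_DN" -s base '(objectClass=*)' dn | ldif_has_dn "$BASE_DN" \
        || { echo "root entry $BASE_DN not found" >&2; return 1; }
    # 2. the admin DN must be able to bind with the password chosen in dpkg-reconfigure
    ldapwhoami -x -D "$ADMIN_DN" -W >/dev/null \
        || { echo "bind as $ADMIN_DN failed" >&2; return 1; }
    echo "slapd OK: $BASE_DN is served and $ADMIN_DN can bind"
}

# Constructed sample of what the base search returns, with the dn folded over two lines.
SAMPLE_LDIF='dn: dc=home,
 dc=brussels
objectClass: top
objectClass: dcObject
objectClass: organization
o: Family
dc: home
'

# Run the live check only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--live" ]; then
    check_slapd
fi
```

Run it as `sh check-slapd.sh --live` on the server itself; the second step prompts for the admin password, which is the point: it confirms the password chosen during `dpkg-reconfigure slapd` actually works before anything is built on top of this directory.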

Install phpLDAPadmin

We need an Apache server, PHP and MySQL installed to run the phpLDAPadmin web GUI:

> apt-get install apache2 php5 php5-mysql
> apt-get install phpldapadmin

Then we configure phpLDAPadmin (nano's -c option shows the current line number, which the line references below use):

> nano -c /etc/phpldapadmin/config.php

[line 85]  $config->custom->appearance['timezone'] = 'Europe/Brussels';
[line 161] $config->custom->appearance['hide_template_warning'] = true;
[line 286] $servers->setValue('server','name','Home LDAP Server');
[line 300] $servers->setValue('server','base',array('dc=home,dc=brussels'));
[line 326] $servers->setValue('login','bind_id','cn=admin,dc=home,dc=brussels');
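The same five settings applied by option name rather than by line number, as an added example that is not part of the original article or of phpLDAPadmin. It assumes the option names are spelled in config.php exactly as shown above; the sample file it writes is a constructed stand-in for the real one, so the script can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not part of the original article or of phpLDAPadmin: set the five
# config.php values listed above by option name instead of by line number, so the
# change is repeatable on another host or after a package upgrade. The option names
# are assumed to be spelled in config.php exactly as they appear above; the sample
# file written by write_sample_config is constructed, not a copy of the real file.

# pla_set FILE KEY LINE: replace the first line mentioning KEY (whether it is live or
# commented out with "//") with LINE; append LINE when KEY does not occur at all.
pla_set() {
    file=$1 key=$2 line=$3
    awk -v key="$key" -v line="$line" '
        !hit && index($0, key) { print line; hit = 1; next }
        { print }
        END { if (!hit) print line }
    ' "$file" > "$file.tmp" || return 1
    # copy back through the existing file so its owner and mode are kept
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Apply the settings from the article to FILE (default: the real config).
configure_pla() {
    f=${1:-/etc/phpldapadmin/config.php}
    pla_set "$f" "appearance['timezone']"              "\$config->custom->appearance['timezone'] = 'Europe/Brussels';"
    pla_set "$f" "appearance['hide_template_warning']" "\$config->custom->appearance['hide_template_warning'] = true;"
    pla_set "$f" "setValue('server','name'"            "\$servers->setValue('server','name','Home LDAP Server');"
    pla_set "$f" "setValue('server','base'"            "\$servers->setValue('server','base',array('dc=home,dc=brussels'));"
    pla_set "$f" "setValue('login','bind_id'"          "\$servers->setValue('login','bind_id','cn=admin,dc=home,dc=brussels');"
}

# Print the live (uncommented) line for KEY, so the result can be checked.
pla_get() {
    grep -F -- "$2" "$1" | grep -v '^[[:space:]]*//'
}

# Constructed stand-in for the stock config.php, with the defaults commented out the
# way the package ships them.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
// $config->custom->appearance['timezone'] = null;
// $config->custom->appearance['hide_template_warning'] = false;
$servers->setValue('server','name','My LDAP Server');
$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');
?>
EOF
}

# Only touch a file when one is named on the command line, e.g.
#   sh pla-config.sh /etc/phpldapadmin/config.php
if [ $# -ge 1 ]; then
    configure_pla "$1"
fi
```

Keep a copy of config.php before running it against the real file; `pla_get` lets you confirm afterwards that each option has exactly one live line.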

Now we should be able to access the phpLDAPadmin Web GUI at http://192.168.1.201/phpldapadmin

Securing access with a self-signed certificate

This comes from this article.

Create a directory to hold your certificate and key:

> mkdir /etc/apache2/ssl
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

After you answer the questions, the certificate and key will be written to /etc/apache2/ssl. We then enable the Apache SSL module and redirect HTTP requests for /phpldapadmin to HTTPS:

> a2enmod ssl
> nano /etc/apache2/sites-enabled/000-default
...
    DocumentRoot /var/www
    Redirect permanent /phpldapadmin https://192.168.1.201/phpldapadmin
    <Directory />
...

Now let's adjust and enable Apache's default SSL site, pointing it at the new certificate and key:

> nano -c /etc/apache2/sites-available/default-ssl
...
    ServerAdmin webmaster@localhost
    ServerName 192.168.1.211
...
[line 43/44]
   SSLCertificateFile    /etc/apache2/ssl/apache.crt
   SSLCertificateKeyFile /etc/apache2/ssl/apache.key
...

> a2ensite default-ssl
> service apache2 restart
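The certificate step above, done non-interactively and checked before Apache is restarted, as an added example that is not part of the original article. It assumes OpenSSL is installed and uses the address and paths from the configuration above; the subjectAltName it adds is what browsers actually match against when the site is reached by IP, which the interactive `openssl req` prompts do not set.

```shell
#!/bin/sh
# Added example, not part of the original article: generate the self-signed certificate
# without prompts, with a subjectAltName for the address used in the URL, and verify the
# key and certificate before restarting Apache. Assumes OpenSSL is installed; the address
# and directory are the ones used in the article.
HOST_IP=${HOST_IP:-192.168.1.201}
SSL_DIR=${SSL_DIR:-/etc/apache2/ssl}

# make_selfsigned DIR IP: write DIR/apache.key and DIR/apache.crt, valid for 365 days.
make_selfsigned() {
    dir=$1 ip=$2
    mkdir -p "$dir"
    # Request config: prompt=no takes the subject from [dn]; [v3_req] adds the SAN
    # browsers check (the CN alone is not enough for them).
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $ip
O = Family
[v3_req]
subjectAltName = IP:$ip
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/apache.key" -out "$dir/apache.crt" 2>/dev/null || return 1
    chmod 600 "$dir/apache.key"   # the private key must only be readable by root
}

# Return 0 when KEY and CERT belong together (identical RSA modulus).
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when CERT lists IP in its subjectAltName.
cert_has_san_ip() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q "IP Address:$2"
}

# Return 0 when CERT stays valid for at least DAYS more days.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# All three checks on the files Apache's default-ssl site points at.
check_ssl_files() {
    dir=$1 ip=$2
    key_matches_cert "$dir/apache.key" "$dir/apache.crt" || { echo "key/cert mismatch" >&2; return 1; }
    cert_has_san_ip "$dir/apache.crt" "$ip"              || { echo "no SAN for $ip" >&2; return 1; }
    cert_valid_for_days "$dir/apache.crt" 30             || { echo "expires within 30 days" >&2; return 1; }
    echo "certificate in $dir OK for https://$ip/"
}

# Only write to SSL_DIR when asked, e.g.  sh make-cert.sh --generate
if [ "${1:-}" = "--generate" ]; then
    make_selfsigned "$SSL_DIR" "$HOST_IP" && check_ssl_files "$SSL_DIR" "$HOST_IP"
fi
```

`cert_valid_for_days` is worth keeping around: a 365-day self-signed certificate expires quietly, and running this check from cron gives a month's warning before the GUI starts failing.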

We now have an encrypted HTTPS connection to the phpLDAPadmin GUI; phpLDAPadmin itself still reaches slapd over the plain ldap:// URI set in ldap.conf, which stays on the host here since both run on the same machine. This article gives a basic example of creating and managing groups and users.