Differences
This shows you the differences between two versions of the page.
vms:openldap [2015/11/12 17:50] admin |
vms:openldap [2015/11/16 18:44] (current) admin [Securing access with a self-signed certificate] |
| Line 4: | Line 4: | ||
| Starting from a fresh (template) Debian install, we'll have to use one **Bridged adapter** on this VM since it has to be accessible from outside the hypervisor's sub-networks. | Starting from a fresh (template) Debian install, we'll have to use one **Bridged adapter** on this VM since it has to be accessible from outside the hypervisor's sub-networks. | ||
| + | |||
| + | <code> | ||
| + | > nano /etc/network/interfaces | ||
| + | ... | ||
| + | # The primary network interface | ||
| + | auto eth0 | ||
| + | iface eth0 inet static | ||
| + | #dns-nameservers 8.8.8.8 | ||
| + | address 192.168.1.XXX | ||
| + | netmask 255.255.255.0 | ||
| + | broadcast 192.168.1.255 | ||
| + | network 192.168.1.0 | ||
| + | ... | ||
| + | </code> | ||
| + | |||
| + | ==== Install OpenLDAP packages ==== | ||
| <code> | <code> | ||
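Review bot: the `iface eth0 inet static` stanza added here has no `gateway` line and its only nameserver entry is commented out (`#dns-nameservers 8.8.8.8`), so the VM ends up with no default route and no DNS resolution; that contradicts the stated goal of reaching it from outside the hypervisor's sub-networks and will make the `apt-get` steps that follow fail. Add a `gateway` line with the router's address (not given on this page, so a placeholder until filled in) and either uncomment the nameserver line or point it at the local resolver. It would also help to say that `192.168.1.XXX` is the address the later sections use as `192.168.1.201`, so the reader substitutes the same value everywhere.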
| Line 13: | Line 29: | ||
| <code> | <code> | ||
| > nano /etc/ldap/ldap.conf | > nano /etc/ldap/ldap.conf | ||
| + | |||
| + | # | ||
| + | # LDAP Defaults | ||
| + | # | ||
| + | |||
| + | # See ldap.conf(5) for details | ||
| + | # This file should be world readable but not world writable. | ||
| + | |||
| + | BASE dc=home,dc=brussels | ||
| + | URI ldap://192.168.1.201 ldap://192.168.1.201:666 | ||
| + | |||
| + | #SIZELIMIT 12 | ||
| + | #TIMELIMIT 15 | ||
| + | #DEREF never | ||
| + | |||
| + | # TLS certificates (needed for GnuTLS) | ||
| + | TLS_CACERT /etc/ssl/certs/ca-certificates.crt | ||
| </code> | </code> | ||
| + | |||
| + | Then we reconfigure the LDAP package with the newly introduced values: | ||
| + | <code> | ||
| + | > dpkg-reconfigure slapd | ||
| + | </code> | ||
| + | | ||
| + | * Omit: NO | ||
| + | * DNS domain name: home.brussels | ||
| + | * Organisation: Family | ||
| + | * Password: ***** | ||
| + | * Database: HDB | ||
| + | * Remove when purged: YES | ||
| + | * Move old: YES | ||
| + | * LDAPv2: NO | ||
| + | |||
| + | Check install with: | ||
| + | <code> | ||
| + | > ldapsearch -x | ||
| + | </code> | ||
| + | ==== Install phpLDAPadmin ==== | ||
| + | |||
| + | We need an Apache server, php and MySQL installed to run phpLDAPadmin Web GUI: | ||
| + | |||
| + | <code> | ||
| + | > apt-get install apache2 php5 php5-mysql | ||
| + | > apt-get install phpldapadmin | ||
| + | </code> | ||
| + | |||
| + | Then we configure phpLDAPadmin: | ||
| + | <code> | ||
| + | > nano -c /etc/phpldapadmin/config.php | ||
| + | |||
| + | [line 85] $config->custom->appearance['timezone'] = 'Europe/Brussels'; | ||
| + | [line 161] $config->custom->appearance['hide_template_warning'] = true; | ||
| + | [line 286] $servers->setValue('server','name','Home LDAP Server'); | ||
| + | [line 300] $servers->setValue('server','base',array('dc=home,dc=brussels')); | ||
| + | [line 326] $servers->setValue('login','bind_id','cn=admin,dc=home,dc=brussels'); | ||
| + | </code> | ||
| + | |||
| + | Now we should be able to access the phpLDAPadmin Web GUI at http://192.168.1.201/phpldapadmin | ||
| + | |||
| + | ==== Securing access with a self-signed certificate ==== | ||
| + | |||
| + | This comes from [[https://www.rosehosting.com/blog/install-and-configure-openldap-and-phpldapadmin-on-ubuntu-14-04/|this article]]. | ||
| + | |||
| + | Create a directory to hold your certificate and key: | ||
| + | <code> | ||
| + | > mkdir /etc/apache2/ssl | ||
| + | > openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt | ||
| + | </code> | ||
| + | |||
| + | After you answer the questions, your certificate and key will be written to the **/etc/apache2/ssl** directory. We need to activate the apache ssl module, and we'll redirect all http requests to https: | ||
| + | <code> | ||
| + | > a2enmod ssl | ||
| + | > nano /etc/apache2/sites-enabled/000-default | ||
| + | ... | ||
| + | DocumentRoot /var/www | ||
| + | Redirect permanent /phpldapadmin https://192.168.1.201/phpldapadmin | ||
| + | <Directory /> | ||
| + | ... | ||
| + | </code> | ||
| + | |||
| + | Now let's enable the default ssl apache configuration: | ||
| + | <code> | ||
| + | > nano -c /etc/apache2/sites-available/default-ssl | ||
| + | ... | ||
| + | ServerAdmin webmaster@localhost | ||
| + | ServerName 192.168.1.211 | ||
| + | ... | ||
| + | [line 43/44] | ||
| + | SSLCertificateFile /etc/apache2/ssl/apache.crt | ||
| + | SSLCertificateKeyFile /etc/apache2/ssl/apache.key | ||
| + | ... | ||
| + | |||
| + | > a2ensite default-ssl | ||
| + | > service apache2 restart | ||
| + | </code> | ||
| + | |||
| + | We now have an encrypted connection to our LDAP server. [[http://www.linux.com/learn/tutorials/377952:manage-ldap-data-with-phpldapadmin|This article]] gives a basic example of creating and managing groups and users. | ||
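Review bot: the closing sentence claims an encrypted connection to the LDAP server, but this hunk only enables TLS on Apache in front of phpLDAPadmin; the LDAP protocol itself stays in plaintext. `URI ldap://192.168.1.201 ldap://192.168.1.201:666` in ldap.conf has no `ldaps://` entry, nothing configures slapd for TLS or STARTTLS, and the `TLS_CACERT /etc/ssl/certs/ca-certificates.crt` line does nothing until a TLS URI or `-Z` is used. Either reword the sentence to say the browser-to-phpLDAPadmin hop is encrypted, or add the slapd TLS setup and switch the client URI to `ldaps://`. Smaller points in the same hunk: port 666 is not a standard LDAP port and slapd is never told to listen on it, so that fallback URI is dead; `ServerName 192.168.1.211` in default-ssl does not match the `192.168.1.201` used by ldap.conf, the redirect and the GUI URL, which looks like a typo; phpLDAPadmin needs no MySQL, so `php5-mysql` and the "and MySQL" in the sentence can be dropped; and because the site is addressed by IP, a self-signed certificate without that IP in its SAN will still produce browser warnings, which is worth mentioning after the `openssl req` step.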