LDAP is short for Lightweight Directory Access Protocol; it is derived from the X.500 standard. If you have worked with Active Directory you already know the model, since AD is itself an LDAP directory. We will use OpenLDAP to hold information about users and their groups. Directly after installation we reconfigure the package, because most of slapd's configuration questions (domain, organization, database backend) are skipped at install time at the default debconf priority and you end up with defaults you never chose.
apt update
apt install slapd ldap-utils
dpkg-reconfigure slapd
Obviously do not skip the server configuration. Enter the DNS domain name (this becomes the base DN), the organization name and the admin password. For the database backend the installer suggested MDB, so let's use it. "Do you want the database to be removed when slapd is purged?" is your call; "Move old database?" should be answered yes if one exists. In general, just read whatever is written on screen, think about it for a moment or two and you should be good.
ufw allow 389/tcp #ldap
ufw allow 636/tcp #ldaps
Right now slapd talks plaintext on port 389, so any client that binds there sends its password in the clear. It is highly recommended that we encrypt it. slapd runs as its own system user, openldap, which cannot read the Let's Encrypt certificates by default: /etc/letsencrypt/live and /etc/letsencrypt/archive are root-only. First we create a new group, then chown the letsencrypt directory to that group and open the relevant directories to group members, and finally we add the openldap user to the fresh group. Two caveats: this grants the group read access to every certificate and key certbot manages on the host, not just the one slapd needs, so keep the group membership small; and recent certbot releases write privkey.pem with mode 0600, in which case group membership alone is not enough and you also have to allow group read on the key file in the archive directory. Check that the openldap user can actually read all three files before continuing.
addgroup letsencrypt
chown -R root:letsencrypt /etc/letsencrypt
chmod 750 /etc/letsencrypt /etc/letsencrypt/archive /etc/letsencrypt/keys /etc/letsencrypt/live
adduser openldap letsencrypt
If AppArmor is enforcing the slapd profile (/etc/apparmor.d/usr.sbin.slapd on Debian and Ubuntu), file permissions are not the whole story: slapd will still be denied access until the profile allows it. Add these lines to the profile and reload it with apparmor_parser -r:
/etc/letsencrypt/ r,
/etc/letsencrypt/** r,
OK, OpenLDAP can now read the certificate files but still has no idea that it should use them, and it is not listening for ldaps at all. Enable the ldaps listener in /etc/default/slapd, the file the Debian service reads its options from, by adding ldaps:/// to the list:
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
Do not restart slapd yet: it refuses to start an ldaps listener without certificate configuration, so the restart comes after the certificates have been configured.
Somewhere create a new file. We will call it certs.ldif. Write in it:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/www.example.com/fullchain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/www.example.com/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/www.example.com/privkey.pem
Now use this file, then restart slapd so the ldaps listener comes up:
ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
ldapwhoami -H ldap://example.com -x -ZZ
We can verify that the change landed by looking for the olcTLS* attributes in /etc/ldap/slapd.d/cn=config.ldif. The second command above is the real test: -ZZ makes ldapwhoami abort unless STARTTLS succeeds and the server certificate verifies against the CA store configured in /etc/ldap/ldap.conf, and an anonymous simple bind should print "anonymous". Connect to a host name the certificate actually covers, or verification fails. If everything is fine then we can congratulate ourselves. Now what is left is populating the directory.
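To tie the TLS steps above together, here is a small shell script, added here as an example and not part of the original post, that generates the cn=config LDIF for a given certificate lineage, checks that the openldap user can read all three files before slapd is told to use them, applies the change over ldapi:///, and then verifies both STARTTLS on 389 and the ldaps listener on 636. It assumes certbot's standard /etc/letsencrypt/live/<lineage>/ layout, that slapd runs as the openldap user (Debian's default), that the lineage name is also the host name on the certificate, and that sudo and openssl are installed; www.example.com is just the page's placeholder. It deliberately uses replace instead of the page's add so that re-running it is harmless.

```shell
#!/bin/sh
# Added example (not from the original post): point slapd at a
# Let's Encrypt lineage and verify the result.
# Assumptions: certbot layout under /etc/letsencrypt/live/<lineage>/,
# slapd runs as the "openldap" user, ldapi:/// is enabled so root can
# use SASL EXTERNAL, and sudo/openssl are available.
set -eu

LE_LIVE=/etc/letsencrypt/live
SLAPD_USER=openldap

# Emit the cn=config modification for one lineage. "replace" rather
# than "add" means a second run (or a switch to another lineage)
# does not fail with "attribute already exists".
make_certs_ldif() {
    lineage=$1
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $LE_LIVE/$lineage/fullchain.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $LE_LIVE/$lineage/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $LE_LIVE/$lineage/privkey.pem
EOF
}

# Confirm slapd's own user can open every file. Being in the
# letsencrypt group is not enough when privkey.pem is mode 0600,
# which is what recent certbot versions write; catching it here is
# cheaper than reading TLS init failures out of the slapd log.
check_readable() {
    lineage=$1
    for f in fullchain.pem cert.pem privkey.pem; do
        path=$LE_LIVE/$lineage/$f
        if ! sudo -u "$SLAPD_USER" test -r "$path"; then
            echo "user $SLAPD_USER cannot read $path" >&2
            return 1
        fi
    done
}

# Apply the LDIF over the local socket (root maps to the config
# admin via SASL EXTERNAL), then exercise both transports.
apply_tls() {
    lineage=$1
    check_readable "$lineage"
    make_certs_ldif "$lineage" | ldapmodify -Y EXTERNAL -H ldapi:///
    # -ZZ: abort unless STARTTLS succeeds and the server cert verifies
    # against the CA store from /etc/ldap/ldap.conf. An anonymous
    # simple bind prints "anonymous".
    ldapwhoami -H "ldap://$lineage" -x -ZZ
    # Port 636 only answers once SLAPD_SERVICES contains ldaps:/// and
    # slapd has been restarted; the verify line should read "0 (ok)".
    openssl s_client -connect "$lineage:636" -servername "$lineage" \
        </dev/null 2>/dev/null | grep 'Verify return code'
}

# Usage (as root): sh slapd-tls.sh www.example.com
# With no argument only the functions are defined, so the file can be
# sourced or inspected without touching the server.
[ $# -eq 0 ] || apply_tls "$1"
```

Two things the script does not do for you. slapd loads the key and certificate when it starts, so after certbot renews the lineage the files under live/ still point at the new key but slapd keeps serving the old one until it is restarted; a certbot deploy hook that restarts slapd is the usual fix. And nothing here forces clients to encrypt: port 389 still accepts plaintext binds, so if that matters set olcSecurity: tls=1 on the data database (or drop ldap:/// from SLAPD_SERVICES and keep only ldapi:/// and ldaps:///).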