
OpenLDAP

LDAP is short for Lightweight Directory Access Protocol. It is based on the X.500 standard. Think of it the way you would think about Active Directory. We will use it to hold information on various users and their groups. Directly after installation we will reconfigure the package, because the installation step itself normally asks no questions.

apt update
apt install slapd ldap-utils
dpkg-reconfigure slapd

Obviously, do not omit server configuration. Enter the domain, organization name and password. For the database backend I was offered MDB, so let's use it. If you want purging the package to delete the database as well, go ahead. Move the old databases. In general, just read whatever is written on the screen, think about it for a moment or two and you should be good.

ufw allow 389/tcp #ldap
ufw allow 636/tcp #ldaps

Right now LDAP sends and receives data in plaintext, and it is highly recommended that we encrypt it. OpenLDAP runs under its own user (openldap) and by default has no access to the Let's Encrypt certificates. First we create a new group, then we chown the Let's Encrypt directory to that group and tighten its mode, and finally we add the openldap user to the fresh group.

addgroup letsencrypt
chown -R root:letsencrypt /etc/letsencrypt
chmod 750 /etc/letsencrypt /etc/letsencrypt/archive /etc/letsencrypt/keys /etc/letsencrypt/live
adduser openldap letsencrypt

If you have AppArmor running, edit the slapd profile and add these lines:

  /etc/letsencrypt/ r,
  /etc/letsencrypt/** r,

OK, OpenLDAP can now read the certificate files but still has no idea that it should use them. Edit the slapd defaults in /etc/default/slapd so that it also listens for ldaps:

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

Create a new file somewhere; we will call it certs.ldif. Write in it:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/www.example.com/fullchain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/www.example.com/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/www.example.com/privkey.pem
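Before applying this file it is worth checking that the openldap user can really open the three files it names. The permission step above has to hold for every directory in the path, including the real files under /etc/letsencrypt/archive that the live/ entries only symlink to, and a private key that certbot created with mode 0600 stays unreadable no matter which group the user is in. The script below is an added example, not code from the original post: it parses the olcTLS*File attributes out of the LDIF and applies the POSIX permission rules itself for a given uid and set of groups, so it can also run offline against a constructed replica of the directory tree. The script name tlscheck.py, the placeholder file contents and the `openldap` user name (the Debian/Ubuntu slapd account) are assumptions.

```python
"""Pre-flight check: can the slapd user read the TLS files named in certs.ldif?
Added example for this page, not code from the original post. Assumes Python 3
stdlib only and plain POSIX mode bits (no ACLs; AppArmor is a separate layer
that this script cannot see). 'openldap' is the Debian/Ubuntu slapd user."""
import os
import pwd
import stat
import tempfile

TLS_ATTRS = ("olcTLSCACertificateFile", "olcTLSCertificateFile", "olcTLSCertificateKeyFile")

# Constructed copy of the page's certs.ldif (same attributes and paths).
SAMPLE_LDIF = """dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/www.example.com/fullchain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/www.example.com/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/www.example.com/privkey.pem
"""

def tls_paths_from_ldif(ldif_text):
    """Return {attribute: path} for the olcTLS*File lines ('attr: value' form only)."""
    paths = {}
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip() in TLS_ATTRS:
            paths[attr.strip()] = value.strip()
    return paths

def _mode_allows(st, uid, gids, owner_bit, group_bit, other_bit):
    """POSIX DAC: only the first matching class (owner, then group, then other) counts."""
    if uid == 0:
        return True  # root is exempt from read/search permission checks
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def readable_by(path, uid, gids, base="/"):
    """(ok, reason): can uid, member of gids, open `path` for reading? Every directory
    below `base` needs the search (x) bit, along the path as written and as resolved."""
    gids, base = set(gids), os.path.realpath(base).rstrip("/") + "/"
    for cand in dict.fromkeys((os.path.abspath(path), os.path.realpath(path))):
        if not cand.startswith(base):
            return False, f"{cand} is outside {base}"
        cur = base
        for part in cand[len(base):].split("/")[:-1]:
            cur = os.path.join(cur, part)
            try:
                st = os.stat(cur)
            except FileNotFoundError:
                return False, f"{cur} does not exist"
            if not _mode_allows(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
                return False, f"uid {uid} cannot search {cur} (mode {oct(stat.S_IMODE(st.st_mode))})"
    try:
        st = os.stat(path)  # follows the live/ symlink to the real file in archive/
    except FileNotFoundError:
        return False, f"{path} does not exist"
    if not _mode_allows(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, f"uid {uid} cannot read {os.path.realpath(path)} (mode {oct(stat.S_IMODE(st.st_mode))})"
    return True, "readable"

def check_ldif(ldif_text, uid, gids, base="/"):
    """Run readable_by() on every TLS file the LDIF names."""
    return {a: readable_by(p, uid, gids, base) for a, p in tls_paths_from_ldif(ldif_text).items()}

def make_demo_tree(key_mode=0o600):
    """Constructed, throwaway replica of /etc/letsencrypt after the recipe above: dirs
    0750, real files in archive/, symlinks in live/, key with `key_mode` (certbot default 0600)."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="le-demo-"))
    le = os.path.join(root, "etc", "letsencrypt")
    archive, live = (os.path.join(le, d, "www.example.com") for d in ("archive", "live"))
    for d in (archive, live):
        os.makedirs(d)
    for d in (root, os.path.dirname(le), le, os.path.dirname(archive), os.path.dirname(live), archive, live):
        os.chmod(d, 0o750)
    for name, mode in (("fullchain", 0o644), ("cert", 0o644), ("privkey", key_mode)):
        real = os.path.join(archive, f"{name}1.pem")
        with open(real, "w") as fh:
            fh.write(f"constructed {name} placeholder\n")
        os.chmod(real, mode)
        os.symlink(os.path.relpath(real, live), os.path.join(live, f"{name}.pem"))
    st = os.stat(archive)
    return {"root": root, "ldif": SAMPLE_LDIF.replace("/etc/letsencrypt", le),
            "uid": st.st_uid, "gid": st.st_gid}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real host: python3 tlscheck.py certs.ldif [openldap]
        user = sys.argv[2] if len(sys.argv) > 2 else "openldap"
        pw = pwd.getpwnam(user)
        with open(sys.argv[1]) as fh:
            results = check_ldif(fh.read(), pw.pw_uid, os.getgrouplist(user, pw.pw_gid))
    else:  # offline demo: a non-owner uid that is a member of the directory group
        tree = make_demo_tree()
        results = check_ldif(tree["ldif"], tree["uid"] + 1, {tree["gid"]}, base=tree["root"])
    for attr, (ok, why) in results.items():
        print(("OK   " if ok else "FAIL ") + f"{attr}: {why}")
```

On the server, `python3 tlscheck.py certs.ldif openldap` prints one OK/FAIL line per attribute together with the directory or file that blocks access and its mode. Run without arguments it builds the throwaway replica and shows the typical outcome of the recipe: both certificates pass while the 0600 private key fails, which is the file to fix before restarting slapd. AppArmor denials are invisible to this check; they show up in the kernel log instead.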

Now apply it:

ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
ldapwhoami -H ldap://example.com -x -ZZ

We can verify our configuration in the file /etc/ldap/slapd.d/cn=config.ldif. Additionally you can use the second command listed above to verify that the secure connection works (it should print “anonymous”). If everything is fine we can congratulate ourselves. What is left now is populating the directory.