Version 1 as of 2019-04-28 13:15:42
Installing OpenLdap + Heimdal Kerberos on Debian Stretch with Multiple Realms
Setting up OpenLdap
apt install slapd
- Define the admin password
Run dpkg-reconfigure slapd and make the initial configuration. Choose MDB as the backend.
In what follows, we assume the root DN of your database is held in the shell variable ROOTDN. So if you chose example.com as the domain in the previous step, run export ROOTDN="dc=example,dc=com"
- Disable anonymous binds and require authentication
# Disallow anonymous binds globally, then require an authenticated session
# at the global, frontend and mdb database levels (SASL EXTERNAL over ldapi:// still works)
cat <<'EOF' | ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
- Optionally set a password to access cn=config (I use Apache Directory Studio and shelldap)
# slappasswd -c selects the {CRYPT} scheme and sets the crypt(3) salt format:
# SHA-512 crypt with 100001 rounds and a 16-character random salt
PASSWORD=$(slappasswd -c '$6$rounds=100001$%.16s')
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $PASSWORD
EOF
unset PASSWORD
OpenLdap + TLS with a Let's Encrypt certificate
We assume you already have a Let's Encrypt certificate for ldap.example.com.
Connect to cn=config using shelldap: shelldap --server ldapi:// --basedn cn=config -Y EXTERNAL
Edit the current entry, which is cn=config: vi .
Set olcTLSCACertificateFile to the full path of chain.pem
Set olcTLSCertificateFile to the full path of cert.pem
Set olcTLSCertificateKeyFile to the full path of privkey.pem
Set olcTLSVerifyClient to never
slapd (which runs as the openldap user on Debian) must be able to read these three files; by default the Let's Encrypt certificate directories are readable only by root.
Edit /etc/default/slapd and set SLAPD_SERVICES="ldaps:/// ldapi:///"
service slapd restart
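As an added check that is not part of the original page, the following Python script parses a `slapcat -n 0` dump of cn=config and verifies that the anonymous-bind, authc and TLS settings from both sections above are in place, and that the optional cn=config root password is stored as a hash. The LDIF sample, the certificate paths under /etc/letsencrypt/live/ldap.example.com/ and the olcRootPW value are constructed assumptions.

```python
import base64
def parse_ldif(text):  # LDIF -> {dn: {attr: [values]}}; unfolds lines, decodes base64 values
    lines, entries, attrs = [], {}, {}
    for raw in text.splitlines():                 # a leading space continues the previous line
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + ['']:
        if not line:                              # a blank line ends the entry
            if attrs:
                entries[attrs.pop('dn')[0]], attrs = attrs, {}   # store it, start a new one
            continue
        name, _, value = line.partition(':')
        if value.startswith(':'):                 # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode('utf-8', 'replace')
        attrs.setdefault(name, []).append(value.strip())
    return entries
def audit(config):  # findings against the hardening steps above; [] means all are in place
    glob, findings = config.get('cn=config', {}), []
    if 'bind_anon' not in glob.get('olcDisallows', []):
        findings.append('cn=config: olcDisallows bind_anon missing, anonymous binds allowed')
    for dn in ('cn=config', 'olcDatabase={-1}frontend,cn=config', 'olcDatabase={1}mdb,cn=config'):
        if 'authc' not in config.get(dn, {}).get('olcRequires', []):
            findings.append(f'{dn}: olcRequires authc missing')
    pw = config.get('olcDatabase={0}config,cn=config', {}).get('olcRootPW', ['{'])[0]
    if not pw.startswith('{') or pw.upper().startswith('{CLEARTEXT}'):
        findings.append('olcDatabase={0}config: olcRootPW is not stored as a hash')
    findings += [f'cn=config: {a} not set, ldaps:// will fail' for a in ('olcTLSCACertificateFile',
                 'olcTLSCertificateFile', 'olcTLSCertificateKeyFile') if not glob.get(a)]
    return findings
# Constructed `slapcat -n 0` output after the steps above (paths assumed; olcRootPW is a base64 placeholder)
SAMPLE = """\
dn: cn=config
olcDisallows: bind_anon
olcRequires: authc
olcTLSCACertificateFile: /etc/letsencrypt/live/ldap.example.com/ch
 ain.pem
olcTLSCertificateFile: /etc/letsencrypt/live/ldap.example.com/cert.pem
olcTLSCertificateKeyFile: /etc/letsencrypt/live/ldap.example.com/privkey.pem

dn: olcDatabase={-1}frontend,cn=config
olcRequires: authc

dn: olcDatabase={0}config,cn=config
olcRootPW:: e0NSWVBUfSQ2JA==

dn: olcDatabase={1}mdb,cn=config
olcRequires: authc
"""
```

To audit a real server, feed it the output of `slapcat -n 0` instead of SAMPLE, e.g. `audit(parse_ldif(open('config.ldif').read()))`; an empty list means every setting from the steps above was found.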