Installing OpenLdap + Heimdal Kerberos on Debian Stretch with Multiple Realm
Setting-up OpenLdap
apt install slapd
- Define the admin password
Run dpkg-reconfigure slapd et make initial config. Choose MDB as backend
In the following, we suppose you have the root dn of your db in ROOTDN. So if you choose example.com as domain in the previous set, set export ROOTDN="dc=example,dc=com"
- Disable anonymous binds et require authentication
cat <<'EOF' | ldapadd -Y EXTERNAL -H ldapi:/// dn: cn=config changetype: modify add: olcDisallows olcDisallows: bind_anon dn: cn=config changetype: modify add: olcRequires olcRequires: authc dn: olcDatabase={-1}frontend,cn=config changetype: modify add: olcRequires olcRequires: authc dn: olcDatabase={1}mdb,cn=config changetype: modify add: olcRequires olcRequires: authc EOF
Optionally set a password to access cn=config (I use Apache Directory Studio and shelldap)
PASSWORD=$(slappasswd -c '$6$rounds=100001$%.16s') cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// dn: olcDatabase={0}config,cn=config changetype: modify replace: olcRootPW olcRootPW: $PASSWORD EOF unset PASSWORD
OpenLdap + TLS with Letsencrypt certificate
We suppose you have already a letsencrypt certificat for ldap.example.com.
Connect to cn=config using shelldap: shelldap --server ldapi:// --basedn cn=config -Y EXTERNAL
Edit .: vi .
olcTLSCACertificateFile to chain.pem
olcTLSCertificateFile to cert.pem
olcTLSCertificateKeyFile to privkey.pem
olcTLSVerifyClient: never
Edit /etc/default/slapd et set SLAPD_SERVICES="ldaps:/// ldapi:///"
service slapd restart