|
|
| (2 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| [[Main Page|Home]] > [[Ubuntu]] > [[Ubuntu HPC setup with slurm and linux containers]] > [[LDAP server setup on linux container]]
| |
|
| |
|
|
| |
|
| |
| = LDAP Server Setup on Ubuntu 22.04 linux container =
| |
|
| |
| This document provides step-by-step instructions to set up an OpenLDAP server on Ubuntu 22.04, along with configuring LDAPS (LDAP over SSL).
| |
|
| |
| == 1. Set the Hostname ==
| |
| <pre>
| |
| sudo hostnamectl set-hostname ldap.example.com
| |
| shutdown -r now
| |
| </pre>
| |
|
| |
| == 2. Edit /etc/hosts ==
| |
|
| |
| Add the LDAP server's IP and hostname:
| |
| <pre>
| |
| vim /etc/hosts
| |
| </pre>
| |
|
| |
| Example entry:
| |
| <pre>
| |
| 192.168.2.10 ldap.example.com com
| |
| </pre>
| |
|
| |
| == 3. Install OpenLDAP Packages ==
| |
| <pre>
| |
| apt install slapd ldap-utils -y
| |
| </pre>
| |
|
| |
| You will be prompted to set the admin password during the installation. Provide and confirm a strong password.
| |
|
| |
| == 4. Configure OpenLDAP Server ==
| |
|
| |
| Run the configuration tool:
| |
| <pre>
| |
| dpkg-reconfigure slapd
| |
| </pre>
| |
|
| |
| Follow the prompts:
| |
|
| |
| * Select No when asked to omit configuration.
| |
|
| |
| * Enter domain name (e.g., ldap.local) — this forms the base DN.
| |
|
| |
| * Enter organization name (can be same as domain).
| |
|
| |
| * Enter and confirm the LDAP admin password.
| |
|
| |
| * Choose No when asked to remove the database when slapd is purged.
| |
|
| |
| * Choose Yes to remove the old database and create a new one.
| |
|
| |
| == 5. Update /etc/ldap/ldap.conf ==
| |
| <pre>
| |
| sudo nano /etc/ldap/ldap.conf
| |
| </pre>
| |
|
| |
| Add or edit:
| |
| <pre>
| |
| BASE dc=ldap,dc=example,dc=com
| |
| URI ldap://192.168.2.10
| |
| </pre>
| |
|
| |
| == 6. Start and Enable slapd ==
| |
| <pre>
| |
| systemctl Start slapd
| |
| systemctl enable slapd
| |
| </pre>
| |
|
| |
| == 7. Confirm LDAP Configuration ==
| |
| <pre>
| |
| ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:///
| |
| </pre>
| |
|
| |
| Expected output should include:
| |
| <pre>
| |
| dn: dc=ldap,dc=example,dc=com
| |
| objectClass: top
| |
| objectClass: dcObject
| |
| objectClass: organization
| |
| o: ldap.example.com
| |
| dc: ldap
| |
| </pre>
| |
|
| |
| == 8. Populate the Directory ==
| |
|
| |
| Create a file add_content.ldif:
| |
| <pre>
| |
| vim add_content.ldif
| |
| </pre>
| |
|
| |
| Content:
| |
| <pre>
| |
| dn: ou=People,dc=ldap,dc=example,dc=com
| |
| objectClass: organizationalUnit
| |
| ou: People
| |
| dn: ou=Groups,dc=ldap,dc=example,dc=com
| |
| objectClass: organizationalUnit
| |
| ou: Groups
| |
| dn: cn=miners,ou=Groups,dc=ldap,dc=example,dc=com
| |
| objectClass: posixGroup
| |
| cn: miners
| |
| gidNumber: 5000
| |
| dn: uid=john,ou=People,dc=ldap,dc=example,dc=com
| |
| objectClass: inetOrgPerson
| |
| objectClass: posixAccount
| |
| objectClass: shadowAccount
| |
| uid: john
| |
| sn: Doe
| |
| givenName: John
| |
| cn: John Doe
| |
| displayName: John Doe
| |
| uidNumber: 10000
| |
| gidNumber: 5000
| |
| userPassword: {CRYPT}x
| |
| gecos: John Doe
| |
| loginShell: /bin/bash
| |
| homeDirectory: /home/john
| |
| </pre>
| |
|
| |
| '''Purpose of add_content.ldif'''
| |
|
| |
| After setting up and configuring your OpenLDAP server, the LDAP directory is empty except for the base DN (like dc=ldap,dc=example,dc=com). You need to manually create organizational units (OUs), groups, and users — and this is where the add_content.ldif file comes in.
| |
|
| |
| Add the entries:
| |
| <pre>
| |
| ldapadd -x -D cn=admin,dc=ldap,dc=example,dc=com -W -f add_content.ldif
| |
| </pre>
| |
|
| |
| = Configuring LDAPS on the current server =
| |
|
| |
| == 1. Install TLS Tools ==
| |
| <pre>
| |
| apt install gnutls-bin ssl-cert
| |
| </pre>
| |
|
| |
| == 2. Create CA Private Key ==
| |
| <pre>
| |
| certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/mycakey.pem
| |
| </pre>
| |
|
| |
| == 3. Create CA Info Template ==
| |
| <pre>
| |
| vim /etc/ssl/ca.info
| |
| </pre>
| |
|
| |
| Content:
| |
| <pre>
| |
| cn = Example Company
| |
| ca
| |
| cert_signing_key
| |
| expiration_days = 3650
| |
| </pre>
| |
|
| |
| == 4. Generate Self-Signed CA Certificate ==
| |
| <pre>
| |
| certtool --generate-self-signed \ --load-privkey /etc/ssl/private/mycakey.pem \ --template /etc/ssl/ca.info \ --outfile /usr/local/share/ca-certificates/mycacert.crt
| |
| </pre>
| |
|
| |
| Update trusted CA certificates:
| |
| <pre>
| |
| update-ca-certificates
| |
| </pre>
| |
|
| |
| == 5. Create Server Private Key ==
| |
| <pre>
| |
| certtool --generate-privkey --bits 2048 --outfile /etc/ldap/ldap_slapd_key.pem
| |
| </pre>
| |
|
| |
| == 6. Create Server Certificate Template ==
| |
| <pre>
| |
| vim /etc/ssl/ldap.info
| |
| </pre>
| |
|
| |
| Content:
| |
| <pre>
| |
| organization = Example Company
| |
| cn = ldap.example.com
| |
| tls_www_server
| |
| encryption_key
| |
| signing_key
| |
| expiration_days = 365
| |
| </pre>
| |
|
| |
| == 7. Generate Server Certificate ==
| |
| <pre>
| |
| certtool --generate-certificate \ --load-privkey /etc/ldap/ldap_slapd_key.pem \ --load-ca-certificate /etc/ssl/certs/mycacert.pem \ --load-ca-privkey /etc/ssl/private/mycakey.pem \ --template /etc/ssl/ldap.info \ --outfile /etc/ldap/ldap_slapd_cert.pem
| |
| </pre>
| |
|
| |
| == 8. Set Permissions ==
| |
| <pre>
| |
| chgrp openldap /etc/ldap/ldap_slapd_key.pem
| |
| chmod 0640 /etc/ldap/ldap_slapd_key.pem
| |
| </pre>
| |
|
| |
| == 9. Configure slapd to Use TLS Certificates ==
| |
|
| |
| Create the config file:
| |
| <pre>
| |
| vim certinfo.ldif
| |
| </pre>
| |
|
| |
| Content:
| |
| <pre>
| |
| dn: cn=config
| |
| add: olcTLSCACertificateFile
| |
| olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
| |
| -
| |
| add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ldap/ldap_slapd_cert.pem
| |
| -
| |
| add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ldap/ldap_slapd_key.pem
| |
| </pre>
| |
|
| |
| Apply with:
| |
| <pre>
| |
| ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
| |
| </pre>
| |
|
| |
| == 10. Enable LDAPS in slapd Configuration ==
| |
|
| |
| Edit slapd default settings:
| |
| <pre>
| |
| vim /etc/default/slapd
| |
| </pre>
| |
|
| |
| Ensure this line is present:
| |
| <pre>
| |
| SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
| |
| </pre>
| |
|
| |
| Restart slapd:
| |
| <pre>
| |
| systemctl restart slapd
| |
| </pre>
| |
|
| |
| == 11. Test TLS and LDAPS ==
| |
|
| |
| Test StartTLS:
| |
| <pre>
| |
| ldapwhoami -x -ZZ -H ldap://ldap.example.com
| |
| </pre>
| |
|
| |
| Test LDAPS:
| |
| <pre>
| |
| ldapwhoami -x -H ldaps://ldap.example.com
| |
| </pre>
| |
|
| |
| == Why LDAPS Configuration is Required ==
| |
|
| |
| * LDAPS encrypts LDAP traffic, protecting usernames, passwords, and queries from being intercepted.
| |
|
| |
| * Without LDAPS or StartTLS, users cannot change their own passwords, as password operations require a secure connection.
| |
|
| |
| * Enabling LDAPS ensures secure authentication and meets compliance and security best practices.
| |
|
| |
| [[Main Page|Home]] > [[Ubuntu]] > [[Ubuntu HPC setup with slurm and linux containers]] > [[LDAP server setup on linux container]]
| |
