Difference between revisions of "LDAP server setup on linux container"

From Notes_Wiki
(Blanked the page)
Tag: Blanking
 
Line 1: Line 1:
[[Main Page|Home]] > [[Ubuntu]] > [[Ubuntu HPC setup with slurm and linux containers]] > [[Ubuntu HPC LDAP server setup on linux container]]


= LDAP Server Setup on Ubuntu 22.04 linux container =
This document provides step-by-step instructions to set up an OpenLDAP server on Ubuntu 22.04, along with configuring LDAPS (LDAP over SSL).
== 1. Set the Hostname ==
<pre>
sudo hostnamectl set-hostname slurm-ldapsrv.local
shutdown -r now
</pre>
== 2. Edit /etc/hosts ==
Add the LDAP server's IP and hostname:
<pre>
vim /etc/hosts
</pre>
Example entry:
<pre>
192.168.2.10 slurm-ldapsrv.local slurm-ldapsrv
</pre>
== 3. Install OpenLDAP Packages ==
<pre>
apt install slapd ldap-utils -y
</pre>
You will be prompted to set the admin password during the installation. Provide and confirm a strong password.
== 4. Configure OpenLDAP Server ==
Run the configuration tool:
<pre>
dpkg-reconfigure slapd
</pre>
Follow the prompts:
* Select No when asked to omit configuration.
* Enter domain name (e.g., slurm-ldapsrv.local) — this forms the base DN.
* Enter organization name (can be same as domain).
* Enter and confirm the LDAP admin password.
* Choose No when asked to remove the database when slapd is purged.
* Choose Yes to remove the old database and create a new one.
== 5. Update /etc/ldap/ldap.conf ==
<pre>
sudo nano /etc/ldap/ldap.conf
</pre>
Add or edit:
<pre>
BASE dc=slurm-ldapsrv,dc=local
URI ldap://192.168.2.10
</pre>
== 6. Start and Enable slapd ==
<pre>
systemctl Start slapd
systemctl enable slapd
</pre>
== 7. Confirm LDAP Configuration ==
<pre>
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:///
</pre>
Expected output should include:
<pre>
dn: dc=slurm-ldapsrv,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: slurm-ldapsrv.local
dc: ldap
</pre>
== 8. Populate the Directory ==
Create a file add_content.ldif:
<pre>
vim add_content.ldif
</pre>
Content:
<pre>
dn: ou=People,dc=slurm-ldapsrv,dc=local
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=slurm-ldapsrv,dc=local
objectClass: organizationalUnit
ou: Groups
dn: cn=miners,ou=Groups,dc=slurm-ldapsrv,dc=local
objectClass: posixGroup
cn: miners
gidNumber: 5000
dn: uid=john,ou=People,dc=slurm-ldapsrv,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: {CRYPT}x
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
</pre>
'''Purpose of add_content.ldif'''
After setting up and configuring your OpenLDAP server, the LDAP directory is empty except for the base DN (like dc=slurm-ldapsrv,dc=local). You need to manually create organizational units (OUs), groups, and users — and this is where the add_content.ldif file comes in.
Add the entries:
<pre>
ldapadd -x -D cn=admin,dc=slurm-ldapsrv,dc=local -W -f add_content.ldif
</pre>
= Configuring LDAPS on the current server =
== 1. Install TLS Tools ==
<pre>
apt install gnutls-bin ssl-cert
</pre>
== 2. Create CA Private Key ==
<pre>
certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/mycakey.pem
</pre>
== 3. Create CA Info Template ==
<pre>
vim /etc/ssl/ca.info
</pre>
Content:
<pre>
cn = Example Company
ca
cert_signing_key
expiration_days = 3650
</pre>
== 4. Generate Self-Signed CA Certificate ==
<pre>
certtool --generate-self-signed \ --load-privkey /etc/ssl/private/mycakey.pem \ --template /etc/ssl/ca.info \ --outfile /usr/local/share/ca-certificates/mycacert.crt
</pre>
Update trusted CA certificates:
<pre>
update-ca-certificates
</pre>
== 5. Create Server Private Key ==
<pre>
certtool --generate-privkey --bits 2048 --outfile /etc/ldap/ldap_slapd_key.pem
</pre>
== 6. Create Server Certificate Template ==
<pre>
vim /etc/ssl/ldap.info
</pre>
Content:
<pre>
organization = Example Company
cn = slurm-ldapsrv.local
tls_www_server
encryption_key
signing_key
expiration_days = 365
</pre>
== 7. Generate Server Certificate ==
<pre>
certtool --generate-certificate \ --load-privkey /etc/ldap/ldap_slapd_key.pem \ --load-ca-certificate /etc/ssl/certs/mycacert.pem \ --load-ca-privkey /etc/ssl/private/mycakey.pem \ --template /etc/ssl/ldap.info \ --outfile /etc/ldap/ldap_slapd_cert.pem
</pre>
== 8. Set Permissions ==
<pre>
chgrp openldap /etc/ldap/ldap_slapd_key.pem
chmod 0640 /etc/ldap/ldap_slapd_key.pem
</pre>
== 9. Configure slapd to Use TLS Certificates ==
Create the config file:
<pre>
vim certinfo.ldif
</pre>
Content:
<pre>
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
-
add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ldap/ldap_slapd_cert.pem
-
add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ldap/ldap_slapd_key.pem
</pre>
Apply with:
<pre>
ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
</pre>
== 10. Enable LDAPS in slapd Configuration ==
Edit slapd default settings:
<pre>
vim /etc/default/slapd
</pre>
Ensure this line is present:
<pre>
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
</pre>
Restart slapd:
<pre>
systemctl restart slapd
</pre>
== 11. Test TLS and LDAPS ==
Test StartTLS:
<pre>
ldapwhoami -x -ZZ -H ldap://slurm-ldapsrv.local
</pre>
Test LDAPS:
<pre>
ldapwhoami -x -H ldaps://slurm-ldapsrv.local
</pre>
== Why LDAPS Configuration is Required ==
* LDAPS encrypts LDAP traffic, protecting usernames, passwords, and queries from being intercepted.
* Without LDAPS or StartTLS, users cannot change their own passwords, as password operations require a secure connection.
* Enabling LDAPS ensures secure authentication and meets compliance and security best practices.
[[Main Page|Home]] > [[Ubuntu]] > [[Ubuntu HPC setup with slurm and linux containers]] > [[Ubuntu HPC LDAP server setup on linux container]]

Latest revision as of 12:17, 6 June 2025

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=LDAP_server_setup_on_linux_container&oldid=8814"