@hranicka
Last active November 27, 2019 10:16
OpenLDAP Installation

Configure firewall

apt-get install ufw
ufw allow ssh
ufw allow http
ufw allow https
ufw allow ldap
ufw allow ldaps
ufw enable

ufw allow ldap opens plain-text 389/tcp to every source. Once TLS is working (below), drop that rule so only ldaps (636) is reachable from other hosts, unless you have clients that depend on STARTTLS on 389.

Install LDAP daemon

apt-get install slapd ldap-utils
dpkg-reconfigure slapd
ldapwhoami -H ldap:// -x

dpkg-reconfigure slapd asks for the DNS domain (which becomes the base DN) and the admin password; the rest of these notes assume dc=example,dc=com and cn=admin,dc=example,dc=com. The ldapwhoami call binds anonymously to localhost over plain LDAP and should print anonymous.

Install ldap GUI (phpldapadmin)

Apache + php

apt-get install apache2
a2enmod rewrite
a2enmod ssl
apt-get install php php-ldap php-xml php-mbstring

Install phpldapadmin

cd /var/www
wget -O phpLDAPadmin-1.2.5.tar.gz https://github.com/leenooks/phpLDAPadmin/archive/1.2.5.tar.gz
tar xzf phpLDAPadmin-1.2.5.tar.gz
rm phpLDAPadmin-1.2.5.tar.gz
mv phpLDAPadmin-1.2.5 phpldapadmin
cd phpldapadmin/config
cp config.php.example config.php

Configure phpldapadmin

Adjust the following values to match your directory (bind_id is the admin DN created by dpkg-reconfigure slapd):

# /var/www/phpldapadmin/config/config.php
$servers->setValue('server','name','My LDAP Server');
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');

Configure apache

# /etc/apache2/sites-available/100-phpldapadmin.conf
Alias /admin /var/www/phpldapadmin/htdocs

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName phpldapadmin
    ServerAlias ldap.example.com
    DocumentRoot /var/www/phpldapadmin/htdocs
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

a2ensite 100-phpldapadmin.conf
a2dissite 000-default.conf
systemctl reload apache2

Check ldap (unsecured)

ldapwhoami -H ldap://ldap.example.com -x

You should see anonymous.

Also visit http://ldap.example.com in your browser. Do not log in yet: without TLS the admin password would cross the network in the clear.

TLS

Let's Encrypt

add-apt-repository ppa:certbot/certbot
apt install python-certbot-apache
certbot --apache -d ldap.example.com

Certbot configures Apache to serve the site over HTTPS (and, if you accept the prompt, redirects plain HTTP to it).

Visit https://ldap.example.com in your browser.

Allow OpenLDAP to read the LE certificates

slapd runs as the openldap user and must be able to read the private key, which certbot keeps root-owned with mode 0600. Grant that through a group rather than handing the whole /etc/letsencrypt tree to openldap, so slapd cannot modify its own certificate material or certbot's renewal configuration:

groupadd letsencrypt
usermod -a -G letsencrypt openldap
chgrp -R letsencrypt /etc/letsencrypt/live /etc/letsencrypt/archive
chmod -R g+rX /etc/letsencrypt/live /etc/letsencrypt/archive

Renewal writes new key files under /etc/letsencrypt/archive/, and slapd reads its certificate files only at startup, so after every renewal the permissions need re-applying and slapd needs a restart (a certbot deploy hook is the usual place for both).
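Renewals undo the permission setup: certbot stores the renewed certificate and key as new files under /etc/letsencrypt/archive/ (depending on the certbot version the group permission is not carried over), and slapd only reads olcTLSCertificate*File at startup. The deploy hook below is an added example, not part of the original notes, that restores group read access on the renewed lineage and restarts slapd. It assumes the group is called letsencrypt, the unit is slapd, and the script is installed as /etc/letsencrypt/renewal-hooks/deploy/slapd.sh (a directory certbot runs hooks from; the file name is a choice made here). RENEWED_LINEAGE is the variable certbot exports to deploy hooks.

```sh
#!/bin/sh
# Added example (not from the original gist): certbot deploy hook that restores
# group read access on a renewed certificate lineage and restarts slapd.
# Assumed (not in the original notes): group 'letsencrypt', unit 'slapd',
# install path /etc/letsencrypt/renewal-hooks/deploy/slapd.sh (mode 0755).
set -eu

CERT_GROUP="${CERT_GROUP:-letsencrypt}"

# key_readable_by_group FILE GROUP: succeed if FILE belongs to GROUP and has g+r.
# Used as the post-condition of the fix and as a stand-alone check.
key_readable_by_group() {
    _file="$1"; _group="$2"
    [ "$(stat -c %G "$_file")" = "$_group" ] || return 1
    case "$(stat -c %A "$_file")" in
        ????r*) return 0 ;;   # 5th column of e.g. -rw-r----- is the group read bit
        *)      return 1 ;;
    esac
}

# fix_lineage LIVE_DIR GROUP: LIVE_DIR is e.g. /etc/letsencrypt/live/ldap.example.com.
# Ownership stays with root; the group only gets read (and directory traverse).
fix_lineage() {
    _live="$1"; _group="$2"
    _name=$(basename "$_live")
    _root=$(dirname "$(dirname "$_live")")     # /etc/letsencrypt
    _archive="$_root/archive/$_name"            # where live/*.pem symlinks point

    # Recent certbot releases create live/ and archive/ as 0700, so the group
    # needs traverse permission on them too (not read, and not recursive).
    chgrp "$_group" "$_root/live" "$_root/archive"
    chmod g+x "$_root/live" "$_root/archive"

    for _dir in "$_live" "$_archive"; do
        if [ -d "$_dir" ]; then
            chgrp -R "$_group" "$_dir"
            chmod -R g+rX "$_dir"   # X: execute bit on directories (and already executable files) only
        fi
    done

    # Verify against the real file, not the symlink in live/.
    key_readable_by_group "$(readlink -f "$_live/privkey.pem")" "$_group"
}

# certbot sets RENEWED_LINEAGE when it runs a deploy hook. When it is unset the
# script is being sourced or run by hand, so only the functions are defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    fix_lineage "$RENEWED_LINEAGE" "$CERT_GROUP"
    # slapd reads olcTLSCertificate*File at startup only; a reload is not enough.
    systemctl restart slapd
fi
```

Run certbot renew --dry-run after installing the hook; a failing key_readable_by_group check makes the hook exit non-zero, which certbot reports, so a broken permission setup is noticed at renewal time rather than when slapd next restarts.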

Allow secure LDAP

# ~/ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/letsencrypt/live/ldap.example.com/fullchain.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/letsencrypt/live/ldap.example.com/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/letsencrypt/live/ldap.example.com/privkey.pem

ldapmodify -H ldapi:// -Y EXTERNAL -f ssl.ldif

Allow listening on port 636 (ldaps:///)

# /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

The SLAPD_SERVICES change only takes effect after a restart:

systemctl restart slapd

Troubleshooting

If you see the following error:

ldap_modify: Other (e.g., implementation specific) error (80)

ensure the openldap user (via the letsencrypt group) can read the certificate and key files, including traversing /etc/letsencrypt/live and /etc/letsencrypt/archive.

Also ensure slapd is not blocked by AppArmor. The files under live/ are symlinks, so the rule has to name the archive/ directory they resolve to; add it inside the profile's braces:

# /etc/apparmor.d/usr.sbin.slapd
/etc/letsencrypt/archive/ldap.example.com/* r,

service apparmor restart

And repeat ldapmodify.

Check ldap (secured)

ldapwhoami -H ldap://ldap.example.com -x -ZZ

You should see anonymous. -ZZ issues STARTTLS on port 389 and makes the command fail if the TLS handshake or certificate verification fails, so a plain anonymous result here means the chain validated. To exercise port 636 itself, run the same command against ldaps://ldap.example.com without -ZZ. If verification fails, check that TLS_CACERT in /etc/ldap/ldap.conf points at the system CA bundle (/etc/ssl/certs/ca-certificates.crt on Debian and Ubuntu).

Service for update/reset user passwords

LTB self-service-password lets users change or reset their own LDAP password. It will handle user passwords, so fetch the release over HTTPS where possible and verify the archive's checksum or signature before unpacking it:

cd /var/www
wget -O ltb-project-self-service-password-1.3.tar.gz http://ltb-project.org/archives/ltb-project-self-service-password-1.3.tar.gz
tar xzf ltb-project-self-service-password-1.3.tar.gz
rm ltb-project-self-service-password-1.3.tar.gz
mv ltb-project-self-service-password-1.3 self-service-password

# /etc/apache2/sites-available/050-self-service-password.conf
Alias /ssp /var/www/self-service-password

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName self-service-password
    ServerAlias ldap.example.com
    DocumentRoot /var/www/self-service-password
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    DirectoryIndex index.php
    AddDefaultCharset UTF-8
    <Directory /var/www/self-service-password>
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /var/www/self-service-password/scripts>
        AllowOverride None
        Require all denied
    </Directory>
</VirtualHost>

a2ensite 050-self-service-password.conf
service apache2 reload

Note: this vhost only listens on port 80 and claims the same ServerAlias as 100-phpldapadmin.conf. Apache uses the first matching vhost in load order, so 050-self-service-password wins for plain-HTTP requests to ldap.example.com, and any HTTP-to-HTTPS redirect certbot added to the phpldapadmin site no longer applies. A password-reset form must only be reachable over HTTPS: put the Alias and Directory blocks into the *:443 vhost certbot generated (or run certbot --apache again for this site) and redirect port 80 to it.

Configure ssp

# /var/www/self-service-password/conf/config.inc.php
$keyphrase = "<some long secret cipher text>";

Use a long random value from a CSPRNG (32 bytes or more); SSP uses it to encrypt the tokens it issues. The same file holds the LDAP bind credentials, so keep it readable only by root and the web server user.

Gitlab ldap

First confirm the bind account and filter work from the command line. The bind password is passed with -w here for brevity; in practice use -W to be prompted or -y to read it from a file, so it does not end up in shell history and the process list:

ldapsearch -H ldaps://ldap.example.com:636 -D "userid=gitlab,ou=apps,dc=example,dc=com" -w secret -b "ou=users,dc=example,dc=com" "(gidNumber=500)"

# /etc/gitlab/gitlab.rb
gitlab_rails['ldap_enabled'] = true

###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'LDAP'
     host: 'ldap.example.com'
     port: 636 # default: 389
     uid: 'uid' # default: 'sAMAccountName'
     bind_dn: 'userid=gitlab,ou=apps,dc=example,dc=com'
     password: 'secret'
     encryption: 'simple_tls' # default: 'plain' # "start_tls" or "simple_tls" or "plain"
     verify_certificates: true
     smartcard_auth: false
     active_directory: false # default: true
     allow_username_or_email_login: true # default: false
     lowercase_usernames: true # default: false
     block_auto_created_users: false
     base: 'ou=users,dc=example,dc=com'
     user_filter: '(gidNumber=500)' # 500=devs

#     ## EE only
#     group_base: ''
#     admin_group: ''
#     sync_ssh_keys: false
EOS

gitlab-ctl reconfigure
gitlab-rake gitlab:ldap:check

Disallow anonymous bind (access)

# ~/disable_anon.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

ldapmodify -H ldapi:// -Y EXTERNAL -f disable_anon.ldif

After this the anonymous checks above should be refused (ldapwhoami -x without -D reports Inappropriate authentication (48)), and every client, including phpldapadmin, self-service-password and GitLab, must bind with a DN and password. The ldapi:// -Y EXTERNAL path used for configuration is unaffected, since SASL EXTERNAL is an authenticated bind.

Multiple groups (memberOf overlay)

https://tylersguides.com/guides/openldap-memberof-overlay/#configuration_tag

# ~/memberof_1-enable.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la
# ~/memberof_2-apply.ldif
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefint: TRUE

ldapmodify -H ldapi:// -Y EXTERNAL -f memberof_1-enable.ldif
ldapadd -H ldapi:// -Y EXTERNAL -f memberof_2-apply.ldif
ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=admin)" -b dc=example,dc=com memberOf

memberOf is an operational attribute, so it has to be requested explicitly as above. The overlay only maintains it for group changes made after it was enabled: groups that already existed must be re-added (or have their member attribute rewritten) before their members show a memberOf value. The module entry is cn=module{0} here; if the first ldapmodify fails, list cn=config to find the actual module entry name.

Gitlab using memberOf filter

# /etc/gitlab/gitlab.rb
user_filter: '(memberOf=cn=developers,dc=example,dc=com)'

ACL

https://medium.com/@moep/keeping-your-sanity-while-designing-openldap-acls-9132068ed55c

https://unix.stackexchange.com/questions/11549/howto-set-access-control-lists-acls-in-openldap

https://www.openldap.org/doc/admin24/access-control.html

ACL rules are numbered and evaluated in order: the first to clause that matches the target decides, unless the matching by clause ends in break. Record the current rules before inserting new ones so the indices used below match your database:

ldapsearch  -Y EXTERNAL -H ldapi:/// -b cn=config dn | grep -i database
ldapsearch  -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={1}mdb' | grep olcAccess

Make a superuser

# ~/admin_access.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn="cn=admin,dc=example,dc=com" manage by * break

ldapmodify -Y EXTERNAL -H ldapi:/// -f admin_access.ldif

Inserting at {0} shifts the existing rules (the Debian defaults, which end with the catch-all to * by * read) down by one. by * break makes evaluation continue to the next rule for everyone else. Note that the database's olcRootDN (cn=admin,dc=example,dc=com by default after dpkg-reconfigure slapd) bypasses ACLs entirely, so this rule only matters if it names a different DN.

Make write access to a group (memberOf)

# ~/jira_admin_access.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn="cn=atlassian-users,ou=groups,dc=example,dc=com" by set="[cn=atlassian-admins,ou=groups,dc=example,dc=com]/member & user" write by * read

ldapmodify -Y EXTERNAL -H ldapi:/// -f jira_admin_access.ldif

The index matters: the rule has to sit before the catch-all to * by * read, otherwise it is never reached, so take {n} from the olcAccess listing above rather than copying {3}. The set clause grants write to any bound user whose DN appears in the member attribute of cn=atlassian-admins. write covers every attribute of the group entry; if only membership changes are intended, add attrs=member to the to clause, and dn.exact= makes it explicit that only this one entry is meant.