Network Security Wiki

LDAP

Revision as of 12:40, 14 March 2019 by Amanjosan2008 (talk | contribs) (→‎phpLDAPadmin)


Install OpenLDAP Server

Source: linuxbabe.com

  • Install Stand-Alone LDAP Daemon:
sudo apt install slapd ldap-utils
  • Set a password for the admin entry in the LDAP directory
  • Check out status of slapd
systemctl status slapd
  • Basic Post-Installation Configuration:
sudo dpkg-reconfigure slapd

Omit LDAP server configuration: NO
DNS domain name: Enter your domain name: testlab.com
Organization name: TestLab
Administrator password: Enter the same password set during installation
Database backend: MDB:
   BDB (Berkeley Database) is slow and cumbersome. It is deprecated and support will be dropped in future OpenLDAP releases. 
   HDB (Hierarchical Database) is a variant of the BDB backend and will also be deprecated.
   MDB reads are 5-20x faster than BDB. Writes are 2-5x faster. And it consumes 1/4 as much RAM as BDB.
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No
   The latest version of LDAP is LDAP v.3, developed in 1997. LDAPv2 is obsolete.
  • Configuring the LDAP Clients:
sudo nano /etc/ldap/ldap.conf

Need to specify two parameters: 

Base DN 
URI of our OpenLDAP server

Copy and paste the following text at the end of the file: 

BASE     dc=testlab,dc=com
URI      ldap://localhost
  • If you used a subdomain when configuring OpenLDAP server, then you need to add the subdomain here like so
BASE      dc=subdomain,dc=testlab,dc=com
ldap://localhost
  • Testing OpenLDAP Server:
ldapsearch -x

Indicates that OpenLDAP server is working: 

Result: 0 Success

If you get the following line, then it’s not working: 

result: 32 No such object

phpLDAPadmin WebUI

  • Install the Package:
sudo apt install phpldapadmin
  • If you use Apache Web Server, it will create a config file:
/etc/apache2/conf-enabled/phpldapadmin.conf
  • Access web interface at:
http://your-server-ip/phpldapadmin

To enable HTTPS, you can obtain and install a free TLS certificate issued from Let’s Encrypt.

  • Configuring phpLDAPadmin:
sudo nano /etc/phpldapadmin/config.php

Since OpenLDAP and phpLDAPadmin are running on the same machine, configure phpLDAPadmin to connect to localhost on the default LDAP port 389 without SSL/TLS encryption.

Line 293 specifies that phpLDAPadmin will connect to localhost. 

$servers->setValue('server','host','127.0.0.1');

Line 296 is commented out by default, which means the standard port 389 will be used. 

// $servers->setValue('server','port',389);

Line 335 is commented out by default, which means TLS encryption is not enabled. 

// $servers->setValue('server','tls',false);

Then go to line 300. 

$servers->setValue('server','base',array('dc=example,dc=com'));

Change it to: 

$servers->setValue('server','base',array());

This will let phpLDAPadmin automatically detect the base DN of your OpenLDAP server. Next, you can disable anonymous login. Go to line 453. 

// $servers->setValue('login','anon_bind',true);

By default, anonymous login is enabled. To disable it, you need to remove the comment character (the two slashes) and change true to false. 

$servers->setValue('login','anon_bind',false);

You will probably want to disable template warnings because these warnings are annoying and unimportant. Go to line 161. 

// $config->custom->appearance['hide_template_warning'] = false;

Remove the comment character and change false to true. 

$config->custom->appearance['hide_template_warning'] = true;

Save and close the file.

StartTLS LDAP Encryption

Retrieved from "https://aman.awiki.org/wiki/LDAP?oldid=3196"