Ubuntu/openldap

From r00tedvw.com wiki

Performed on Ubuntu 14.04 LTS


Installing

~$ sudo apt-get update && sudo apt-get install slapd ldap-utils -y

It should ask for you to setup an administrator password.

Configuring

By default openldap does not ask you for any configuration settings when installing. You must do this afterwards, which means it may not be fully functional directly after installation.

~$ sudo dpkg-reconfigure slapd
  • Omit OpenLDAP server configuration? No
  • DNS domain name? domain.com
  • Organization name? domain
  • Administrator password? setup password
  • Database backend? HDB
  • Remove the database when slapd is purged? No
  • Move old database? Yes
  • Allow LDAPv2 protocol? No

Installing phpLDAPadmin

Very useful web interface for administration

~$ sudo apt-get update && sudo apt-get install phpldapadmin -y

Modifying setup of phpLDAPadmin

By default phpLDAPadmin creates a conf configuration file under /etc/apache2/conf-available and enables it with some mod-rewrite magic so that when someone goes to domain.com/phpldapadmin it pulls the page from this conf's document root. While this way probably works for most, tweaking this to restrict access can be complicated, so I'd rather have it run on a non-standard port which I can use iptables to restrict access to.

disable conf

~$ sudo a2disconf phpldapadmin.conf

create new site conf

Instead of a conf under ~/conf-enabled I personally prefer virtual hosts to be placed under ~/sites-available.
Create a new .conf such as ldap.domain.com.conf. In this example I'm setting it up as a subdomain and making apache listen on port 8080 for this virtualhost.

~$ sudo vi /etc/apache2/sites-available/ldap.domain.com.conf
<VirtualHost *:8080>
    ServerName ldap.domain.com
    ServerAdmin [email protected]
    DocumentRoot /usr/share/phpldapadmin
    ErrorLog /var/log/apache2/ldap.domain.com-error.log
    CustomLog /var/log/apache2/ldap.domain.com-access.log common
</VirtualHost>

finishing touches

  • Now use iptables to restrict access to port 8080 to only the IP addresses you'll use to manage it.
  • Make sure apache is listening on the non-standard port.
  • Enable the new apache site.
  • Restart apache (or reload).
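The four finishing touches above, written up as one reviewable script. This is an added example and not part of the original wiki page: the management addresses 192.0.2.10 and 192.0.2.11 are placeholders, and the port (8080) and site file name (ldap.domain.com.conf) are the ones the page uses. The iptables rules are printed by default so they can be checked before being applied; run with --apply as root to make the changes.

```shell
#!/bin/sh
# Added example, not from the wiki: the "finishing touches" for the
# phpLDAPadmin vhost as a reviewable script. Assumptions (placeholders):
# management hosts 192.0.2.10 and 192.0.2.11; the vhost port 8080 and the
# site file ldap.domain.com.conf are taken from the page.

PLA_PORT=8080
PLA_SITE=ldap.domain.com.conf

# Emit iptables rules that let only the listed management IPs reach the
# phpLDAPadmin port and drop everyone else. They are printed rather than
# run so they can be reviewed (or piped to sh) explicitly.
gen_pla_rules() {
    port=$1; shift
    for ip in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$ip"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Return 0 if the ports file ($1) already has a Listen line for port $2,
# with or without an address prefix ("Listen 8080" or "Listen 0.0.0.0:8080").
ports_conf_listens() {
    grep -Eq "^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?$2([[:space:]]|\$)" "$1"
}

# Apply everything on the server: add the Listen line only once, install
# the rules, enable the site, and reload Apache only if the config parses.
apply_finishing_touches() {
    if ! ports_conf_listens /etc/apache2/ports.conf "$PLA_PORT"; then
        printf 'Listen %s\n' "$PLA_PORT" >> /etc/apache2/ports.conf
    fi
    gen_pla_rules "$PLA_PORT" "$@" | sh
    a2ensite "$PLA_SITE"
    apache2ctl configtest && service apache2 reload
}

# Usage: sh finishing_touches.sh              -> print the rules for review
#        sudo sh finishing_touches.sh --apply -> apply them on the server
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    apply_finishing_touches 192.0.2.10 192.0.2.11
else
    gen_pla_rules "$PLA_PORT" 192.0.2.10 192.0.2.11
fi
```

The rules are appended to the INPUT chain, so they only take effect if no earlier rule already accepts port 8080; check `iptables -L INPUT -n --line-numbers` first and insert with `-I` if needed. Also note that this vhost is plain HTTP, so the admin bind password crosses the network in clear between the browser and the server: the IP restriction limits who can reach the port, not who can read the traffic, so reach it over a VPN or put TLS on the vhost.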

Configure phpLDAPadmin

/etc/phpldapadmin/config.php

Adjust the following lines

~$ sudo vi /etc/phpldapadmin/config.php
$servers->setValue('server','name','ldap.domain.com');
$servers->setValue('server','host','ldap.domain.com');
$servers->setValue('server','base',array('dc=domain,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=domain,dc=com');

Uncomment the following to prevent annoying warning messages about template files, which have no impact on functionality.

~$ sudo vi /etc/phpldapadmin/config.php
search for hide_template_warning
$config->custom->appearance['hide_template_warning'] = true;

/usr/share/phpldapadmin/lib/TemplateRender.php

If you get an error:

Error trying to get a non-existent value (appearance, password_hash)

you can fix it by modifying line 2469 in /usr/share/phpldapadmin/lib/TemplateRender.php so that it reads:

$default = $this->getServer()->getValue('appearance','password_hash_custom');

FAQ

Originally I tried to set the Server base and Login Bind IDs to dc=ldap,dc=domain,dc=com. Unfortunately the admin account was already created and was listed as dc=domain,dc=com, so when I logged in without dc=ldap (wouldn't authenticate without it), I got a nice error about "This base cannot be created with PLA" in phpLDAPadmin and it refused to show me the LDAP tree. Changed the config.php file and removed both instances of dc=ldap and I could authenticate successfully with everything showing as it should.
Did not bother to look into how to change the admin account; no one will ever really see this as it's just supplementing applications which can work with openLDAP on the local host.

Authentication

To set up authentication on LDAP so you can use it for other applications, do the following:

~$ sudo apt-get update && sudo apt-get install -y libpam-ldap nscd