{"id":17755,"date":"2023-07-08T00:45:44","date_gmt":"2023-07-07T21:45:44","guid":{"rendered":"https:\/\/kifarunix.com\/?p=17755"},"modified":"2024-03-10T10:27:38","modified_gmt":"2024-03-10T07:27:38","slug":"install-and-setup-openldap-server-on-debian-12","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-openldap-server-on-debian-12\/","title":{"rendered":"Install and Setup OpenLDAP Server on Debian 12"},"content":{"rendered":"\n<p>Follow through this tutorial to learn how to install and setup OpenLDAP Server on Debian 12.&nbsp;<a href=\"https:\/\/www.openldap.org\/software\/\" target=\"_blank\" rel=\"noreferrer noopener\">OpenLDAP<\/a>&nbsp;is an&nbsp;open source&nbsp;implementation of the&nbsp;<strong>L<\/strong>ightweight&nbsp;<strong>D<\/strong>irectory&nbsp;<strong>A<\/strong>ccess&nbsp;<strong>P<\/strong>rotocol, a client-server protocol for accessing directory services, specifically X.500-based directory services.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-open-ldap-server-on-debian-12\">Installing OpenLDAP Server on Debian 12<\/a><ul><li><a href=\"#run-system-update\">Run System Update<\/a><\/li><li><a href=\"#build-and-install-open-ldap-server-on-debian-12\">Build and Install OpenLDAP Server on Debian 12<\/a><ul><li><a href=\"#create-open-ldap-system-account\">Create OpenLDAP System Account<\/a><\/li><li><a href=\"#install-required-dependencies-and-build-tools\">Install Required Dependencies and Build Tools<\/a><\/li><li><a href=\"#download-open-ldap-source-code\">Download OpenLDAP Source Code<\/a><\/li><li><a href=\"#extract-the-open-ldap-source-code\">Extract the OpenLDAP Source Code<\/a><\/li><li><a href=\"#install-open-ldap-server-on-debian-12\">Install OpenLDAP Server on Debian 12<\/a><\/li><\/ul><\/li><li><a href=\"#configuring-open-ldap-on-debian-12\">Configuring OpenLDAP on Debian 12<\/a><ul><li><a 
href=\"#create-data-and-database-directories\">Create Data and Database Directories<\/a><\/li><li><a href=\"#update-open-ldap-service\">Update OpenLDAP Service<\/a><\/li><li><a href=\"#create-open-ldap-sudo-schema\">Create OpenLDAP SUDO Schema<\/a><\/li><li><a href=\"#update-slapd-database\">Update SLAPD Database<\/a><\/li><li><a href=\"#running-open-ldap-service\">Running OpenLDAP Service<\/a><\/li><li><a href=\"#configure-open-ldap-logging-on-debian-12\">Configure OpenLDAP Logging on Debian 12<\/a><\/li><li><a href=\"#create-open-ldap-default-root-dn\">Create OpenLDAP Default Root DN<\/a><\/li><li><a href=\"#configure-open-ldap-with-ssl-tls\">Configure OpenLDAP with SSL\/TLS<\/a><\/li><li><a href=\"#create-open-ldap-base-dn\">Create OpenLDAP Base DN<\/a><\/li><li><a href=\"#create-open-ldap-user-accounts\">Create OpenLDAP User Accounts<\/a><\/li><li><a href=\"#setting-password-for-an-ldap-user\">Setting Password for an LDAP User<\/a><\/li><li><a href=\"#create-open-ldap-bind-dn-and-bind-dn-user\">Create OpenLDAP Bind DN and Bind DN User<\/a><\/li><li><a href=\"#enable-open-ldap-password-policies\">Enable OpenLDAP Password Policies<\/a><\/li><li><a href=\"#allow-open-ldap-service-on-firewall\">Allow OpenLDAP Service on Firewall<\/a><\/li><li><a href=\"#authenticate-via-open-ldap-server\">Authenticate Via OpenLDAP Server<\/a><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-open-ldap-server-on-debian-12\">Installing OpenLDAP Server on Debian 12<\/h2>\n\n\n\n<p>The OpenLDAP suite includes;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.openldap.org\/software\/man.cgi?query=slapd\" target=\"_blank\" rel=\"noreferrer noopener\">slapd<\/a>&nbsp;\u2013 stand-alone LDAP daemon (server)<\/li>\n\n\n\n<li><a href=\"https:\/\/www.openldap.org\/software\/man.cgi?query=ldap\" target=\"_blank\" rel=\"noreferrer noopener\">libraries<\/a>&nbsp;implementing the LDAP protocol, 
and<\/li>\n\n\n\n<li>utilities, tools, and sample clients.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"run-system-update\">Run System Update<\/h3>\n\n\n\n<p>Before you begin, ensure your system package cache is up-to-date.<\/p>\n\n\n\n<pre id=\"block-f2549898-cc5a-4438-ace1-28aabcad1789\" class=\"wp-block-preformatted\">apt update<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">apt upgrade<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"build-and-install-open-ldap-server-on-debian-12\">Build and Install OpenLDAP Server on Debian 12<\/h3>\n\n\n\n<p>The default Debian 12 repositories provide OpenLDAP 2.4.57;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt-cache policy slapd<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>slapd:\n  Installed: (none)\n  Candidate: 2.5.13+dfsg-5\n  Version table:\n     2.5.13+dfsg-5 500\n        500 http:\/\/deb.debian.org\/debian bookworm\/main amd64 Packages<\/code><\/pre>\n\n\n\n<p>As of this writing, OpenLDAP 2.6.4 is the current stable release, as per the <a href=\"https:\/\/www.openldap.org\/software\/release\/\" target=\"_blank\" rel=\"noreferrer noopener\">release page<\/a>.<\/p>\n\n\n\n<p>To run the latest version of OpenLDAP, you therefore need to build it from source.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-system-account\">Create OpenLDAP System Account<\/h4>\n\n\n\n<p>Create a non-privileged system user to run OpenLDAP.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>useradd -r -M -d \/var\/lib\/openldap -s \/usr\/sbin\/nologin ldap<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-required-dependencies-and-build-tools\">Install Required Dependencies and Build Tools<\/h4>\n\n\n\n<p>There are quite a number of dependencies and build tools required to build and compile OpenLDAP from source, which can be installed by running the command below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>apt install libsasl2-dev \\\n\tmake 
\\\n\tlibtool \\\n\tbuild-essential \\\n\topenssl \\\n\tlibevent-dev \\\n\tlibargon2-dev \\\n\tsudo \\\n\twget \\\n        vim \\\n\tpkg-config \\\n\twiredtiger \\\n\tlibsystemd-dev \\\n\tlibssl-dev \\\n\tlibperl-dev \\\n\tlibldap-common\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"download-open-ldap-source-code\">Download OpenLDAP Source Code<\/h4>\n\n\n\n<p>Navigate to the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.openldap.org\/software\/download\/\" target=\"_blank\">OpenLDAP downloads page<\/a>&nbsp;and grab the tarball.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>VER=2.6.4<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/www.openldap.org\/software\/download\/OpenLDAP\/openldap-release\/openldap-${VER}.tgz<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"extract-the-open-ldap-source-code\">Extract the OpenLDAP Source Code<\/h4>\n\n\n\n<p>The tarball can be extracted by running the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tar xzf openldap-$VER.tgz<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-open-ldap-server-on-debian-12\">Install OpenLDAP Server on Debian 12<\/h4>\n\n\n\n<p>Compile and install OpenLDAP server on Debian 12 as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd openldap-$VER<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n.\/configure --prefix=\/usr --sysconfdir=\/etc --disable-static \\\n--enable-debug --with-tls=openssl --with-cyrus-sasl \\\n--enable-dynamic --enable-crypt --enable-spasswd \\\n--enable-slapd --enable-modules --enable-rlookups \\\n--enable-backends=mod --disable-sql --enable-ppolicy=mod \\\n--enable-syslog --enable-overlays=mod --with-systemd --enable-wt=no\n<\/code><\/pre>\n\n\n\n<p>If the command ends with an error, fix it before you proceed. 
Otherwise, the command should end with output like this;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\nMaking servers\/slapd\/backends.c\n    Add config ...\n    Add ldif ...\n    Add monitor ...\nMaking servers\/slapd\/overlays\/statover.c\nPlease run \"make depend\" to build dependencies\n<\/code><\/pre>\n\n\n\n<p>Next, run the&nbsp;<code><strong>make depend<\/strong><\/code>&nbsp;command to build OpenLDAP dependencies.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>make depend<\/code><\/pre>\n\n\n\n<p>Compile OpenLDAP on Debian 12.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>make<\/code><\/pre>\n\n\n\n<p>Ensure the command completes with no error. Fix any errors before you proceed.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>make install<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-open-ldap-on-debian-12\">Configuring OpenLDAP on Debian 12<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-data-and-database-directories\">Create Data and Database Directories<\/h4>\n\n\n\n<p>Create the OpenLDAP data and database directories.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir \/var\/lib\/openldap \/etc\/openldap\/slapd.d<\/code><\/pre>\n\n\n\n<p>Set the proper ownership and permissions on the OpenLDAP directories and configuration files.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chown -R ldap:ldap \/var\/lib\/openldap<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chown root:ldap \/etc\/openldap\/slapd.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chmod 640 \/etc\/openldap\/slapd.conf<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"update-open-ldap-service\">Update OpenLDAP Service<\/h4>\n\n\n\n<p>Update the OpenLDAP service file created by the installation as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mv \/lib\/systemd\/system\/slapd.service{,.old}<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/systemd\/system\/slapd.service << 
'EOL'\n[Unit]\nDescription=OpenLDAP Server Daemon\nAfter=syslog.target network-online.target\nDocumentation=man:slapd\nDocumentation=man:slapd-mdb\n\n[Service]\nType=forking\nPIDFile=\/var\/lib\/openldap\/slapd.pid\nEnvironment=\"SLAPD_URLS=ldap:\/\/\/ ldapi:\/\/\/ ldaps:\/\/\/\"\nEnvironment=\"SLAPD_OPTIONS=-F \/etc\/openldap\/slapd.d\"\nExecStart=\/usr\/libexec\/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS\n\n[Install]\nWantedBy=multi-user.target\nEOL\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-sudo-schema\">Create OpenLDAP SUDO Schema<\/h4>\n\n\n\n<p>To configure LDAP with&nbsp;<code>sudo<\/code>&nbsp;support, first install the sudo-ldap package.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install sudo-ldap<\/code><\/pre>\n\n\n\n<p>You can then verify that sudo was built with LDAP support.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo -V |  grep -i \"ldap\"<\/code><\/pre>\n\n\n\n<p>If sudo supports LDAP, you should see the lines below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>...\nldap.conf path: \/etc\/sudo-ldap.conf\nldap.secret path: \/etc\/ldap.secret<\/code><\/pre>\n\n\n\n<p>Check if the LDAP sudo schema is available.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>find \/usr\/share\/doc\/ -iname schema.openldap<\/code><\/pre>\n\n\n\n<p>Output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/doc\/sudo-ldap\/schema.OpenLDAP<\/code><\/pre>\n\n\n\n<p>Copy the&nbsp;<code>schema.OpenLDAP<\/code>&nbsp;file to the schema directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/usr\/share\/doc\/sudo-ldap\/schema.OpenLDAP  \/etc\/openldap\/schema\/sudo.schema<\/code><\/pre>\n\n\n\n<p>Next, you need to create the sudo schema ldif file.<\/p>\n\n\n\n<p>Run the command below to create the&nbsp;<code><strong>sudo.ldif<\/strong><\/code>&nbsp;file. 
(<em>We copied the default ldif file from <strong><code>\/usr\/share\/doc\/sudo-ldap\/schema.olcSudo<\/code><\/strong> and just modified it<\/em>).<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat << 'EOL' > \/etc\/openldap\/schema\/sudo.ldif\ndn: cn=sudo,cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: sudo\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1\n    NAME 'sudoUser'\n    DESC 'User(s) who may  run sudo'\n    EQUALITY caseExactMatch\n    SUBSTR caseExactSubstringsMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2\n    NAME 'sudoHost'\n    DESC 'Host(s) who may run sudo'\n    EQUALITY caseExactIA5Match\n    SUBSTR caseExactIA5SubstringsMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3\n    NAME 'sudoCommand'\n    DESC 'Command(s) to be executed by sudo'\n    EQUALITY caseExactIA5Match\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4\n    NAME 'sudoRunAs'\n    DESC 'User(s) impersonated by sudo (deprecated)'\n    EQUALITY caseExactIA5Match\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5\n    NAME 'sudoOption'\n    DESC 'Options(s) followed by sudo'\n    EQUALITY caseExactIA5Match\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6\n    NAME 'sudoRunAsUser'\n    DESC 'User(s) impersonated by sudo'\n    EQUALITY caseExactMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7\n    NAME 'sudoRunAsGroup'\n    DESC 'Group(s) impersonated by sudo'\n    EQUALITY caseExactMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8\n    NAME 'sudoNotBefore'\n    DESC 'Start of time interval for which the entry is valid'\n    EQUALITY generalizedTimeMatch\n    ORDERING generalizedTimeOrderingMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 
)\n#\nolcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9\n    NAME 'sudoNotAfter'\n    DESC 'End of time interval for which the entry is valid'\n    EQUALITY generalizedTimeMatch\n    ORDERING generalizedTimeOrderingMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )\n#\nolcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10\n    NAME 'sudoOrder'\n    DESC 'an integer to order the sudoRole entries'\n    EQUALITY integerMatch\n    ORDERING integerOrderingMatch\n    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )\n#\nolcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL\n    DESC 'Sudoer Entries'\n    MUST ( cn )\n    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $\n        description )\n    )\nEOL\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"update-slapd-database\">Update SLAPD Database<\/h4>\n\n\n\n<p>Edit the SLAPD LDIF file,&nbsp;<code><strong>\/etc\/openldap\/slapd.ldif<\/strong><\/code>, and update it as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mv \/etc\/openldap\/slapd.ldif{,.bak}<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/openldap\/slapd.ldif << 'EOL'\ndn: cn=config\nobjectClass: olcGlobal\ncn: config\nolcArgsFile: \/var\/lib\/openldap\/slapd.args\nolcPidFile: \/var\/lib\/openldap\/slapd.pid\n\ndn: cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: schema\n\ndn: cn=module,cn=config\nobjectClass: olcModuleList\ncn: module\nolcModulepath: \/usr\/libexec\/openldap\nolcModuleload: back_mdb.la\nolcModuleload: ppolicy.la\n\n\ninclude: file:\/\/\/etc\/openldap\/schema\/core.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/cosine.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/nis.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/inetorgperson.ldif\ninclude: file:\/\/\/etc\/openldap\/schema\/sudo.ldif\n#include: file:\/\/\/etc\/openldap\/schema\/ppolicy.ldif\ndn: olcDatabase=frontend,cn=config\nobjectClass: 
olcDatabaseConfig\nobjectClass: olcFrontendConfig\nolcDatabase: frontend\nolcAccess: to dn.base=\"cn=Subschema\" by * read\nolcAccess: to * \n  by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by * none\n\ndn: olcDatabase=config,cn=config\nobjectClass: olcDatabaseConfig\nolcDatabase: config\nolcRootDN: cn=config\nolcAccess: to * \n  by dn.base=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by * none\nEOL\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>To update the SLAPD database from the information provided on the SLAPD LDIF file above, use&nbsp;<code><strong>slapadd<\/strong><\/code>&nbsp;command with the option&nbsp;<code><strong>-n 0<\/strong><\/code>&nbsp;which creates the first database.<\/li>\n\n\n\n<li>To specify the configuration directory,&nbsp;<strong><code>\/etc\/openldap\/slapd.d<\/code><\/strong>, use option&nbsp;<strong><code>-F<\/code><\/strong>&nbsp;and option&nbsp;<strong><code>-l<\/code><\/strong>&nbsp;to specify location of the LDIF file above.<\/li>\n<\/ul>\n\n\n\n<p>Before you can write the changes to the database, perform a dry run to see what would happen. 
Pass the&nbsp;<strong><code>-u<\/code><\/strong>&nbsp;option to the slapadd command.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slapadd -n 0 -F \/etc\/openldap\/slapd.d -l \/etc\/openldap\/slapd.ldif -u<\/code><\/pre>\n\n\n\n<p>If the command does not output any error, all is fine.<\/p>\n\n\n\n<p>Then implement the changes if all is well.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slapadd -n 0 -F \/etc\/openldap\/slapd.d -l \/etc\/openldap\/slapd.ldif<\/code><\/pre>\n\n\n\n<p>This command creates the slapd database configuration under the&nbsp;<code>\/etc\/openldap\/slapd.d<\/code>&nbsp;directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls \/etc\/openldap\/slapd.d<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>'cn=config'  'cn=config.ldif'<\/code><\/pre>\n\n\n\n<p>Set the user and group ownership of the&nbsp;<code>\/etc\/openldap\/slapd.d<\/code>&nbsp;directory and the files in it to the ldap user.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chown -R ldap:ldap \/etc\/openldap\/slapd.d<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"running-open-ldap-service\">Running OpenLDAP Service<\/h4>\n\n\n\n<p>Reload the systemd configuration and start the OpenLDAP service.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl daemon-reload<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now slapd<\/code><\/pre>\n\n\n\n<p>Check status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status slapd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf slapd.service - OpenLDAP Server Daemon\n     Loaded: loaded (\/etc\/systemd\/system\/slapd.service; enabled; preset: enabled)\n     Active: active (running) since Fri 2023-07-07 13:54:52 EDT; 3s ago\n       Docs: man:slapd\n             man:slapd-mdb\n    Process: 61559 ExecStart=\/usr\/libexec\/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0\/SUCCESS)\n   Main PID: 61560 (slapd)\n      Tasks: 2 (limit: 4642)\n     Memory: 5.3M\n        
CPU: 29ms\n     CGroup: \/system.slice\/slapd.service\n             \u2514\u250061560 \/usr\/libexec\/slapd -u ldap -g ldap -h \"ldap:\/\/\/ ldapi:\/\/\/ ldaps:\/\/\/\" -F \/etc\/openldap\/slapd.d\n\nJul 07 13:54:52 ldapmaster.kifarunix-demo.com systemd[1]: Starting slapd.service - OpenLDAP Server Daemon...\nJul 07 13:54:52 ldapmaster.kifarunix-demo.com slapd[61559]: @(#) $OpenLDAP: slapd 2.6.4 (Jul  7 2023 12:06:42) $\n                                                                    root@debian:\/root\/openldap-2.6.4\/servers\/slapd\nJul 07 13:54:52 ldapmaster.kifarunix-demo.com slapd[61560]: slapd starting\nJul 07 13:54:52 ldapmaster.kifarunix-demo.com systemd[1]: Started slapd.service - OpenLDAP Server Daemon.\n<\/code><\/pre>\n\n\n\n<p>Confirm that the ports are listening;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -altnp | grep slapd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nLISTEN 0      2048         0.0.0.0:636       0.0.0.0:*    users:((\"slapd\",pid=60891,fd=10))\nLISTEN 0      2048         0.0.0.0:389       0.0.0.0:*    users:((\"slapd\",pid=60891,fd=7)) \nLISTEN 0      2048            [::]:636          [::]:*    users:((\"slapd\",pid=60891,fd=11))\nLISTEN 0      2048            [::]:389          [::]:*    users:((\"slapd\",pid=60891,fd=8))\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-open-ldap-logging-on-debian-12\">Configure OpenLDAP Logging on Debian 12<\/h4>\n\n\n\n<p>By default, the OpenLDAP log level is set to&nbsp;<code>none<\/code>, which logs only high-priority messages.<\/p>\n\n\n\n<p>To change this to a&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.openldap.org\/doc\/admin24\/slapdconfig.html\" target=\"_blank\">different log level<\/a>, say to the&nbsp;<code>stats<\/code>&nbsp;level (logs connections\/operations\/results), run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ 
-Q<\/code><\/pre>\n\n\n\n<p>Then copy and paste the content below at the prompt to modify the log level.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: cn=config\nchangeType: modify\nreplace: olcLogLevel\nolcLogLevel: stats<\/code><\/pre>\n\n\n\n<p>Next, press&nbsp;<strong>ENTER<\/strong> <strong>twice<\/strong>.<\/p>\n\n\n\n<p>Once you see the line&nbsp;<code><strong>modifying entry \"cn=config\"<\/strong><\/code>, press&nbsp;<code><strong>Ctrl+d<\/strong><\/code> or <strong>Ctrl+c<\/strong>.<\/p>\n\n\n\n<p>You can as well use LDIF files to update this information if you like.<\/p>\n\n\n\n<p>To confirm the changes;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config \"(objectClass=olcGlobal)\" olcLogLevel -LLL -Q<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: cn=config\nolcLogLevel: stats<\/code><\/pre>\n\n\n\n<p>Journald is used for logging by default on Debian 12.<\/p>\n\n\n\n<p>To view the logs;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>journalctl -f -u slapd<\/code><\/pre>\n\n\n\n<p>Sample logs;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nJul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 fd=12 ACCEPT from PATH=\/usr\/var\/run\/ldapi (PATH=\/usr\/var\/run\/ldapi)\nJul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=0 BIND dn=\"\" method=163\nJul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=0 BIND authcid=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" authzid=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\"\nJul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=0 BIND dn=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" mech=EXTERNAL bind_ssf=0 ssf=71\nJul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000035 text=\nJul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=1 SRCH 
base=\"cn=config\" scope=2 deref=0 filter=\"(objectClass=olcGlobal)\"\nJul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=1 SRCH attr=olcLogLevel\nJul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000005 etime=0.000059 nentries=1 text=\nJul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=2 UNBIND\nJul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 fd=12 closed\n<\/code><\/pre>\n\n\n\n<p>If you have <a href=\"https:\/\/kifarunix.com\/enable-rsyslog-logging-on-debian-12\/\" target=\"_blank\" rel=\"noreferrer noopener\">enabled syslog logging<\/a> instead, you need to specify the log file for OpenLDAP in the Rsyslog configuration. By default, OpenLDAP logs to the&nbsp;<code>local4<\/code>&nbsp;facility; hence, to configure it to log to&nbsp;<code>\/var\/log\/slapd.log<\/code>&nbsp;for example, execute the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"local4.* \/var\/log\/slapd.log\" &gt;&gt; \/etc\/rsyslog.d\/51-slapd.conf<\/code><\/pre>\n\n\n\n<p>Restart the Rsyslog and SLAPD services.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart rsyslog slapd<\/code><\/pre>\n\n\n\n<p>You should now be able to read the LDAP logs in&nbsp;<code>\/var\/log\/slapd.log<\/code>.<\/p>\n\n\n\n<p>You can as well configure log rotation;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/logrotate.d\/slapd << EOL\n\/var\/log\/slapd.log\n{ \n        rotate 7\n        daily\n        missingok\n        notifempty\n        delaycompress\n        compress\n        postrotate\n                \/usr\/lib\/rsyslog\/rsyslog-rotate\n        endscript\n}\nEOL\n<\/code><\/pre>\n\n\n\n<p>Restart the log rotation service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart logrotate<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-default-root-dn\">Create OpenLDAP Default Root DN<\/h4>\n\n\n\n<p>Next, create the MDB 
database defining the root DN as well as the access control lists.<\/p>\n\n\n\n<p>First, generate the root DN password.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slappasswd<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>New password: <strong>ENTER PASSWORD<\/strong>\nRe-enter new password: <strong>RE-ENTER PASSWORD<\/strong>\n<strong>{SSHA}7QP9kPALcQ+0RTlnc2S5dwLna3lJMwRf<\/strong><\/code><\/pre>\n\n\n\n<p>Copy and paste the password hash generated above,  <strong>{SSHA}7QP9kPALcQ+0RTlnc2S5dwLna3lJMwRf<\/strong>, as the value of&nbsp;<strong><code>olcRootPW<\/code><\/strong>&nbsp;in the Root DN ldif file below.<\/p>\n\n\n\n<p>Replace the domain components,&nbsp;<code><strong>dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong><\/code>&nbsp;with your appropriate names.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > rootdn.ldif << 'EOL'\ndn: olcDatabase=mdb,cn=config\nobjectClass: olcDatabaseConfig\nobjectClass: olcMdbConfig\nolcDatabase: mdb\nolcDbMaxSize: 42949672960\nolcDbDirectory: \/var\/lib\/openldap\nolcSuffix: dc=ldapmaster,dc=kifarunix-demo,dc=com\nolcRootDN: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\nolcRootPW: {SSHA}7QP9kPALcQ+0RTlnc2S5dwLna3lJMwRf\nolcDbIndex: uid pres,eq\nolcDbIndex: cn,sn pres,eq,approx,sub\nolcDbIndex: mail pres,eq,sub\nolcDbIndex: objectClass pres,eq\nolcDbIndex: loginShell pres,eq\nolcDbIndex: sudoUser,sudoHost pres,eq\nolcAccess: to attrs=userPassword,shadowLastChange,shadowExpire\n  by self write\n  by anonymous auth\n  by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage \n  by dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" read\n  by * none\nolcAccess: to dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n  by * none\nolcAccess: to dn.subtree=\"dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage\n  by 
users read \n  by * none\nEOL\n<\/code><\/pre>\n\n\n\n<p>Read more about ACLs on&nbsp;<a href=\"https:\/\/www.openldap.org\/doc\/admin24\/access-control.html\" target=\"_blank\" rel=\"noreferrer noopener\">OpenLDAP Access Control<\/a>.<\/p>\n\n\n\n<p>Update the slapd database with the content above;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f rootdn.ldif<\/code><\/pre>\n\n\n\n<p>Sample command output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nadding new entry \"olcDatabase=mdb,cn=config\"<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-open-ldap-with-ssl-tls\">Configure OpenLDAP with SSL\/TLS<\/h4>\n\n\n\n<p>To secure OpenLDAP communication between the client and the server, configure it to use SSL\/TLS certificates.<\/p>\n\n\n\n<p>In this guide, we are using self-signed certificates. For production environments, you can instead obtain commercially signed and trusted certificates from your preferred CA.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \\\n\/etc\/ssl\/ldapserver.key -out \/etc\/ssl\/ldapserver.crt<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chown ldap:ldap \/etc\/ssl\/{ldapserver.crt,ldapserver.key}<\/code><\/pre>\n\n\n\n<p>Update the OpenLDAP server TLS certificate attributes.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > tls.ldif << 'EOL'\ndn: cn=config\nchangetype: modify\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: \/etc\/ssl\/ldapserver.crt\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: \/etc\/ssl\/ldapserver.crt\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: \/etc\/ssl\/ldapserver.key\nEOL\n<\/code><\/pre>\n\n\n\n<p>Note that we have used the self-signed certificate as both the server certificate and the CA certificate.<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f tls.ldif<\/code><\/pre>\n\n\n\n<p>You can confirm this by running;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slapcat -b \"cn=config\" | grep olcTLS<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>olcTLSCACertificateFile: \/etc\/ssl\/ldapserver.crt\nolcTLSCertificateFile: \/etc\/ssl\/ldapserver.crt\nolcTLSCertificateKeyFile: \/etc\/ssl\/ldapserver.key<\/code><\/pre>\n\n\n\n<p>Change the location of the CA certificate on&nbsp;<code>\/etc\/ldap\/ldap.conf<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i 's|\/etc\/ssl\/certs\/ca-certificates.crt|\/etc\/ssl\/ldapserver.crt|' \/etc\/ldap\/ldap.conf<\/code><\/pre>\n\n\n\n<p>Restart LDAP service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart slapd<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-base-dn\">Create OpenLDAP Base DN<\/h4>\n\n\n\n<p>Next, create your base DN or search base to define your organization structure and directory.<\/p>\n\n\n\n<p>Replace the domain components and organization units accordingly.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > basedn.ldif << 'EOL'\ndn: dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: dcObject\nobjectClass: organization\nobjectClass: top\no: Kifarunix-demo\ndc: ldapmaster\n\ndn: ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: groups\n\ndn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: people\nEOL\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f basedn.ldif<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nadding new entry \"dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n\nadding new entry 
\"ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n\nadding new entry \"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-user-accounts\">Create OpenLDAP User Accounts<\/h4>\n\n\n\n<p>You can add users to your OpenLDAP server. Create an ldif file to define your users as follows.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > users.ldif << 'EOL'\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: johndoe\ncn: John\nsn: Doe\nloginShell: \/bin\/bash\nuidNumber: 10000\ngidNumber: 10000\nhomeDirectory: \/home\/johndoe\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\n\ndn: cn=johndoe,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: posixGroup\ncn: johndoe\ngidNumber: 10000\nmemberUid: johndoe\nEOL\n<\/code><\/pre>\n\n\n\n<p>Add the user to the OpenLDAP database.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f users.ldif<\/code><\/pre>\n\n\n\n<p>You can use the same template to add more users.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"setting-password-for-an-ldap-user\">Setting Password for an LDAP User<\/h4>\n\n\n\n<p>To set the password for the user above, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldappasswd -H ldapi:\/\/\/ -Y EXTERNAL -S \"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<p>The command prompts you to enter and confirm the password.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-bind-dn-and-bind-dn-user\">Create OpenLDAP Bind DN and Bind DN User<\/h4>\n\n\n\n<p>The bind DN user is used for performing LDAP operations such as resolving user IDs and group IDs.<\/p>\n\n\n\n<p>In this guide, we create a bind DN ou called&nbsp;<code>system<\/code>.<\/p>\n\n\n\n<p>Note the access controls associated with this 
Organization Unit, <strong><code>ou<\/code><\/strong>, as defined on the root DN above.<\/p>\n\n\n\n<p>List the Access control lists on the database;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config '(olcDatabase={1}mdb)' olcAccess<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ndn: olcDatabase={1}mdb,cn=config\nolcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self writ\n e by anonymous auth by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=ext\n ernal,cn=auth\" manage  by dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-de\n mo,dc=com\" read by * none\nolcAccess: {1}to dn.subtree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n  by dn.subtree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" mana\n ge by * none\nolcAccess: {2}to dn.subtree=\"dc=ldapmaster,dc=kifarunix-demo,dc=com\" by dn.sub\n tree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage by user\n s read  by * none\n<\/code><\/pre>\n\n\n\n<p>Create the LDAP BindDN user password.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>slappasswd<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>New password: \nRe-enter new password: \n<strong>{SSHA}XIBMbwkTKx5o\/ExtnuwjbI\/Tiem9\/daI<\/strong><\/code><\/pre>\n\n\n\n<p>Copy and Paste the password hash value above as the value of&nbsp;<strong><code>userPassword<\/code><\/strong>&nbsp;attribute in the file below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > bindDNuser.ldif << 'EOL'\ndn: ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: system\n\ndn: cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalRole\nobjectClass: simpleSecurityObject\ncn: readonly\nuserPassword: {SSHA}XIBMbwkTKx5o\/ExtnuwjbI\/Tiem9\/daI\ndescription: Bind DN user for LDAP Operations\nEOL\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapadd -Y EXTERNAL -H 
ldapi:\/\/\/ -f bindDNuser.ldif<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"enable-open-ldap-password-policies\">Enable OpenLDAP Password Policies<\/h4>\n\n\n\n<p>If you want to implement OpenLDAP password policies, read the guide below to learn how to implement password policies.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/implement-openldap-password-policies\/\" target=\"_blank\" rel=\"noreferrer noopener\">Implement OpenLDAP Password Policies<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"allow-open-ldap-service-on-firewall\">Allow OpenLDAP Service on Firewall<\/h4>\n\n\n\n<p>If UFW is running, allow OpenLDAP (both LDAP and LDAPS) external access;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ufw allow \"LDAP\"<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">ufw allow \"LDAPS\"<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"authenticate-via-open-ldap-server\">Authenticate Via OpenLDAP Server<\/h4>\n\n\n\n<p>And that is how to install OpenLDAP Server on Debian 12.<\/p>\n\n\n\n<p>To verify that users can actually connect to the systems via the OpenLDAP server, you need to configure OpenLDAP clients on the remote systems.<\/p>\n\n\n\n<p>See the guides below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-sssd-for-ldap-authentication-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure SSSD for LDAP Authentication on Rocky Linux 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-configure-sssd-for-openldap-authentication-on-fedora-32-31-30\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Configure SSSD for OpenLDAP Authentication on Fedora 32\/31\/30<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-sssd-for-ldap-authentication-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure SSSD for LDAP Authentication on Ubuntu 20.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Follow through this tutorial to learn how to 
install and setup OpenLDAP Server on Debian 12.&nbsp;OpenLDAP&nbsp;is an&nbsp;open source&nbsp;implementation of the&nbsp;Lightweight&nbsp;Directory&nbsp;Access&nbsp;Protocol, a client-server protocol for accessing<\/p>\n","protected":false},"author":10,"featured_media":17759,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[7023,7024,7022,248,286,1589],"class_list":["post-17755","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-debian-12-openldap-server","tag-install-openldap-on-linux","tag-install-openldap-server-on-debian-12","tag-ldap","tag-openldap","tag-openldap-server","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/17755"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=17755"}],"version-history":[{"count":16,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/17755\/revisions"}],"predecessor-version":[{"id":20820,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/17755\/revisions\/20820"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/17759"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=17755"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=17755"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/
tags?post=17755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}