{"id":4104,"date":"2019-08-31T23:51:24","date_gmt":"2019-08-31T20:51:24","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4104"},"modified":"2020-05-10T08:14:25","modified_gmt":"2020-05-10T05:14:25","slug":"setup-openldap-server-with-ssl-tls-on-debian-10","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/setup-openldap-server-with-ssl-tls-on-debian-10\/","title":{"rendered":"Setup OpenLDAP Server with SSL\/TLS on Debian 10"},"content":{"rendered":"\n<p>This guide will take you through how to setup OpenLDAP server with SSL\/TLS on Debian 10 Buster. <a rel=\"noreferrer noopener\" aria-label=\"OpenLDAP (opens in a new tab)\" href=\"http:\/\/www.openldap.org\/doc\/admin24\/intro.html\" target=\"_blank\">OpenLDAP<\/a> clients and servers are capable of using the&nbsp;Transport Layer Security&nbsp;(TLS) framework to provide integrity and confidentiality protections and to support LDAP authentication using the&nbsp;SASL EXTERNAL&nbsp;mechanism.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setup OpenLDAP Server with SSL\/TLS on Debian 10<\/h2>\n\n\n\n<p>Update and upgrade your system packages<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update\napt upgrade<\/code><\/pre>\n\n\n\n<p>Install LDAP packages<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt -y install slapd ldap-utils ldapscripts<\/code><\/pre>\n\n\n\n<p>During the installation, you are prompted to set the LDAP admin password.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"664\" height=\"242\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/ldap-admin-password.png\" alt=\"\" class=\"wp-image-4105\" title=\"\"><\/figure><\/div>\n\n\n\n<p>Re-enter the password to verify it and press Enter to continue.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"990\" height=\"242\" 
src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/confirm-passwd.png\" alt=\"\" class=\"wp-image-4106\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/confirm-passwd.png 990w, https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/confirm-passwd-768x188.png 768w\" sizes=\"(max-width: 990px) 100vw, 990px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">View LDAP Database Settings<\/h3>\n\n\n\n<p>During the installation, the LDAP database is automatically setup with the distinguished name&#8217;s (DN) domain component, organization name being set based on the default system hostname. To view the SLAPD database settings, you can use the <strong>slapcat<\/strong> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: dc=kifarunix-demo,dc=com\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: kifarunix-demo.com\ndc: kifarunix-demo\nstructuralObjectClass: organization\nentryUUID: d659c794-5ffd-1039-84a2-a3c9b919ad9c\ncreatorsName: cn=admin,dc=kifarunix-demo,dc=com\ncreateTimestamp: 20190831054217Z\nentryCSN: 20190831054217.507918Z#000000#000#000000\nmodifiersName: cn=admin,dc=kifarunix-demo,dc=com\nmodifyTimestamp: 20190831054217Z\n\ndn: cn=admin,dc=kifarunix-demo,dc=com\nobjectClass: simpleSecurityObject\nobjectClass: organizationalRole\ncn: admin\ndescription: LDAP administrator\nuserPassword:: e1NTSEF9TkpLYnEvUG1TRi9rUFdJTVlMbjF0UjF3SC9YWWV1ZUo=\nstructuralObjectClass: organizationalRole\nentryUUID: d65a43a4-5ffd-1039-84a3-a3c9b919ad9c\ncreatorsName: cn=admin,dc=kifarunix-demo,dc=com\ncreateTimestamp: 20190831054217Z\nentryCSN: 20190831054217.511167Z#000000#000#000000\nmodifiersName: cn=admin,dc=kifarunix-demo,dc=com\nmodifyTimestamp: 20190831054217Z<\/code><\/pre>\n\n\n\n<p>Based on the SLAPD database configuration output above,<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The Base DN is set to <code>dn: 
dc=kifarunix-demo,dc=com<\/code>.<\/li><li>The Organization name is set to <code>o: kifarunix-demo.com<\/code>.<\/li><li>The LDAP admin Base DN entry is set to <code>dn: cn=admin,dc=kifarunix-demo,dc=com<\/code>.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Change OpenLDAP Default BaseDN<\/h3>\n\n\n\n<p>If you however need to change the default OpenLDAP base DN, reconfigure the slapd package as shown below and follow through the prompts.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dpkg-reconfigure slapd<\/code><\/pre>\n\n\n\n<p>When the command runs, you are prompted on whether to omit OpenLDAP server configuration. Select <strong>No<\/strong> to have the configuration created for you.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/enable-openldap-db.png\"><img loading=\"lazy\" decoding=\"async\" width=\"837\" height=\"220\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/enable-openldap-db.png\" alt=\"Setup OpenLDAP Server with SSL\/TLS on Debian 10\" class=\"wp-image-4108\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/enable-openldap-db.png 837w, https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/enable-openldap-db-768x202.png 768w\" sizes=\"(max-width: 837px) 100vw, 837px\" \/><\/a><\/figure>\n\n\n\n<p>Next, configure your OpenLDAP server&#8217;s fully qualified domain name, which will be used to create your Base DN.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1290\" height=\"268\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/openldap-fqdn.png\" alt=\"OpenLDAP base DN\" class=\"wp-image-4109\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/openldap-fqdn.png 1290w, https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/openldap-fqdn-768x160.png 768w\" sizes=\"(max-width: 1290px) 100vw, 1290px\" \/><\/figure>\n\n\n\n<p>Set the name of your organization. 
You can use the domain name.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/openldap-DN.png\"><img loading=\"lazy\" decoding=\"async\" width=\"829\" height=\"241\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/openldap-DN.png\" alt=\"OpenLDAP domain name\" class=\"wp-image-4110\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/openldap-DN.png 829w, https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/openldap-DN-768x223.png 768w\" sizes=\"(max-width: 829px) 100vw, 829px\" \/><\/a><\/figure>\n\n\n\n<p>Set and verify the Admin pass.<\/p>\n\n\n\n<p>Select the OpenLDAP database backend. <strong>MDB<\/strong> is the recommended type. Select MDB and proceed.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/openldap-db-backend.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1333\" height=\"411\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/openldap-db-backend.png\" alt=\"OpenLDAP backend database\" class=\"wp-image-4111\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/openldap-db-backend.png 1333w, https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/openldap-db-backend-768x237.png 768w\" sizes=\"(max-width: 1333px) 100vw, 1333px\" \/><\/a><\/figure>\n\n\n\n<p>Select whether you want the slapd database removed when you uninstall it.<\/p>\n\n\n\n<p>Remove old OpenLDAP database configuration files to finalize the reconfiguration. 
The old database is stored on <code>\/var\/backups<\/code>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/remove-old-database.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1325\" height=\"243\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/remove-old-database.png\" alt=\"\" class=\"wp-image-4112\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/remove-old-database.png 1325w, https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/08\/remove-old-database-768x141.png 768w\" sizes=\"(max-width: 1325px) 100vw, 1325px\" \/><\/a><\/figure>\n\n\n\n<p>To verify the reconfiguration, simply execute <code>slapcat<\/code> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: kifarunix-demo.com\ndc: ldapmaster\nstructuralObjectClass: organization\nentryUUID: 8086d846-602c-1039-9746-f9b0ac2d943e\ncreatorsName: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\ncreateTimestamp: 20190831111619Z\nentryCSN: 20190831111619.865416Z#000000#000#000000\nmodifiersName: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmodifyTimestamp: 20190831111619Z\n\ndn: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: simpleSecurityObject\nobjectClass: organizationalRole\ncn: admin\ndescription: LDAP administrator\nuserPassword:: e1NTSEF9dFY4Y01CRXI3OExPOFZNTnoyeGFHdGlySkxPNEQxdHM=\nstructuralObjectClass: organizationalRole\nentryUUID: 8087b7b6-602c-1039-9747-f9b0ac2d943e\ncreatorsName: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\ncreateTimestamp: 20190831111619Z\nentryCSN: 20190831111619.871279Z#000000#000#000000\nmodifiersName: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmodifyTimestamp: 20190831111619Z<\/code><\/pre>\n\n\n\n<p>You can also check LDAP Base DN using 
the&nbsp;<code>ldapsearch<\/code>&nbsp;command as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -H ldapi:\/\/\/ -x -LLL -s base -b \"\" namingContexts<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn:\nnamingContexts: dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n<p>To view the RootDN, run the command below<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -b \"cn=config\" \"(olcRootDN=*)\"<\/code><\/pre>\n\n\n\n<p>To test the connection to LDAP server, use the <code>ldapwhoami<\/code> command as shown below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapwhoami -H ldapi:\/\/\/ -x<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>anonymous<\/code><\/pre>\n\n\n\n<p>The expected output is <code>anonymous<\/code> if the connection to LDAP server is fine since the test is run without logging in to LDAP server.<\/p>\n\n\n\n<p>To search for all the DNs based on the Base DN;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -H ldapi:\/\/\/ -x -LLL -b dc=ldapmaster,dc=kifarunix-demo,dc=com dn<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: dc=ldapmaster,dc=kifarunix-demo,dc=com\n\ndn: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Create a Base DN for Users and Groups<\/h3>\n\n\n\n<p>From the SLAPD database configuration output above, the Base DN for the OpenLDAP admin has been created. However, since we are going to manage other users apart from the LDAP administrator, you need to create a Base DN for users and groups.<\/p>\n\n\n\n<p>Therefore create an LDAP interchange format file (<code>ldif<\/code>) with the following contents and use it to create the user\/group Base DN. 
Be sure to replace the domain name accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim user_group_base.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nou: people\n\ndn: ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nou: group<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Add Users and Groups Base DN to SLAPD database<\/h4>\n\n\n\n<p>Once you have created an ldif file for users and groups base DN, you can populate the slapd database with this information using the <code>ldapadd<\/code> command as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -x -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -f user_group_base.ldif<\/code><\/pre>\n\n\n\n<p>When prompted, enter the LDAP admin password set above.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Enter LDAP Password: admin password\nadding new entry \"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n\nadding new entry \"ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Create LDAP User Accounts<\/h3>\n\n\n\n<p>In order to add LDAP user accounts to LDAP Server, you need to create an LDIF file containing attributes definition for the users.<\/p>\n\n\n\n<p>To add user with a password, you need to generate the user&#8217;s password hash using the&nbsp;<code>slappasswd<\/code>&nbsp;command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slappasswd<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>New password: USER_PASS\nRe-enter new password: RE_ENTER USER_PASS\n{SSHA}sO8V\/PZsGCta6098vs2qgX767AJF3Sw7<\/code><\/pre>\n\n\n\n<p>You can as well create user password using the <code>ldappasswd<\/code> command after creating the user. 
See the section below on Resetting user password.<\/p>\n\n\n\n<p>Next, create new user ldif file containing attributes definition for the user as shown below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim new_user.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: mibeyam\ncn: mibeyam\ngivenName: Amos\nsn: Mibey\nuserPassword: {SSHA}sO8V\/PZsGCta6098vs2qgX767AJF3Sw7\nloginShell: \/bin\/bash\nuidNumber: 10000\ngidNumber: 10000\nhomeDirectory: \/home\/mibeyam\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\n\ndn: cn=mibeyam,ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: posixGroup\ncn: mibeyam\ngidNumber: 10000\nmemberUid: mibeyam<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Add Users to SLAPD database<\/h4>\n\n\n\n<p>Once you have created the users with their attributes in an LDIF file, you can add them to the database using the <code>ldapadd<\/code> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -x -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -f new_user.ldif<\/code><\/pre>\n\n\n\n<p>When prompted, enter LDAP admin password.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Enter LDAP Password: admin password\nadding new entry \"uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"\n\nadding new entry \"cn=mibeyam,ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<p>To list all LDAP users under a  base DN, simply use the <code>ldapsearch<\/code> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -x -LLL -b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\no: kifarunix-demo.com\ndc: 
ldapmaster\n\ndn: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: simpleSecurityObject\nobjectClass: organizationalRole\ncn: admin\ndescription: LDAP administrator\n\ndn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nou: people\n\ndn: ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nou: group\n\ndn: uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: mibeyam\ncn: mibeyam\ngivenName: Amos\nsn: Mibey\nloginShell: \/bin\/bash\nuidNumber: 10000\ngidNumber: 10000\nhomeDirectory: \/home\/mibeyam\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\n\ndn: cn=mibeyam,ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: posixGroup\ncn: mibeyam\ngidNumber: 0\nmemberUid: mibeyam<\/code><\/pre>\n\n\n\n<p>To list specific attributes from the <code>objectClass<\/code>,<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -x -LLL -b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" '(objectclass=*)' uid givenName sn<\/code><\/pre>\n\n\n\n<p>This will print the user id, given names and surnames. Of course you can pass the output to text processing tools like grep to extract the attributes you need.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -x -LLL -b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" '(objectclass=*)' uid givenName sn | grep -vE 'uid=|dn:'<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>uid: mibeyam\ngivenName: Amos\nsn: Mibey\n\n\nuid: johndo\ngivenName: John\nsn: Doe<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Delete LDAP Users and Groups<\/h3>\n\n\n\n<p>To delete an LDAP user, use the <code>ldapdelete<\/code> command. 
For example, to delete the <strong>mibeyam<\/strong> user created above;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapdelete -x -W -D \"cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\" \"uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<p>Similarly, to delete an LDAP user group;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapdelete -x -W -D \"cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\" \"cn=mibeyam,ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Resetting LDAP User Password<\/h3>\n\n\n\n<p>If you need to reset a user password, you can use the&nbsp;<code>ldappasswd<\/code> command. For example, to reset the password for user <strong>mibeyam<\/strong>;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldappasswd -H ldapi:\/\/\/ -x -D \"cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -W -S \"uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<p>If you are connecting to the LDAP server from a remote client, ensure that you open the OpenLDAP port on the firewall. If UFW is running;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow ldap<\/code><\/pre>\n\n\n\n<p>To connect remotely, ensure that you use the <code>-H ldap:\/\/&lt;ldap-server-IP&gt;<\/code> option. For example;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldappasswd -H ldap:\/\/192.168.56.105 -x -D \"cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -W -S \"uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verify LDAP User Password<\/h3>\n\n\n\n<p>To verify that the password assigned to an LDAP user is working, use the <code>ldapwhoami<\/code> command. 
For example to verify the password for the user <strong>mibeyam<\/strong>, <\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapwhoami -vvv -h localhost -D \"uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -x -W<\/code><\/pre>\n\n\n\n<p>If the password is correct, you will get an output similar to this;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldap_initialize( ldap:\/\/localhost )\nEnter LDAP Password: \ndn:uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n<strong>Result: Success (0)<\/strong><\/code><\/pre>\n\n\n\n<p>To test from remote client;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapwhoami -vvv -h <strong>LDAP-SERVER-IP-OR-HOSTNAME<\/strong> -D \"uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -x -W<\/code><\/pre>\n\n\n\n<p>Replace <strong>LDAP-SERVER-IP-OR-HOSTNAME<\/strong> with LDAP server IP or resolvable hostname.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ldap-ssl-tls\"><a href=\"#ldap-ssl-tls\">Configure OpenLDAP with SSL\/TLS<\/a><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Generate SSL\/TLS certificates<\/h3>\n\n\n\n<p>In this guide, we are going to use self signed certificates. You can as well use commercial SSL\/TLS certificates from your trusted CA. 
<\/p>\n\n\n\n<p>To configure OpenLDAP server with SSL\/TLS certificate, you need a <code>CA certificate<\/code>, server <code>certificate<\/code> and <code>server certificate key<\/code> file.<\/p>\n\n\n\n<p>Create a directory to store the certificates.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mkdir -p \/etc\/ssl\/openldap\/{private,certs,newcerts}<\/code><\/pre>\n\n\n\n<p>Once you have created the directories above, open the <code>\/usr\/lib\/ssl\/openssl.cnf<\/code> configuration file and set the directory for storing SSL\/TLS certificates and keys under the <code>[ CA_default ]<\/code> section.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/usr\/lib\/ssl\/openssl.cnf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n[ CA_default ]\n\n#dir            = .\/demoCA              # Where everything is kept\n<strong>dir             = \/etc\/ssl\/openldap<\/strong>\ncerts           = $dir\/certs            # Where the issued certs are kept\ncrl_dir         = $dir\/crl              # Where the issued crl are kept\ndatabase        = $dir\/index.txt        # database index file.\n...<\/code><\/pre>\n\n\n\n<p>You also need some files for tracking the signed certificates.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"1001\" &gt; \/etc\/ssl\/openldap\/serial<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>touch \/etc\/ssl\/openldap\/index.txt<\/code><\/pre>\n\n\n\n<p>Create a CA key file by running the command below. When prompted, enter the passphrase.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl genrsa -aes256 -out \/etc\/ssl\/openldap\/private\/cakey.pem 2048<\/code><\/pre>\n\n\n\n<p>To remove the passphrase from the CA key;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl rsa -in \/etc\/ssl\/openldap\/private\/cakey.pem -out \/etc\/ssl\/openldap\/private\/cakey.pem<\/code><\/pre>\n\n\n\n<p>Create the CA certificate. 
Be sure to set the common name (CN) to match your server FQDN.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl req -new -x509 -days 3650 -key \/etc\/ssl\/openldap\/private\/cakey.pem -out \/etc\/ssl\/openldap\/certs\/cacert.pem<\/code><\/pre>\n\n\n\n<p>Next, generate the LDAP server key;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl genrsa -aes256 -out \/etc\/ssl\/openldap\/private\/ldapserver-key.key 2048<\/code><\/pre>\n\n\n\n<p>Remove the assigned key passphrase.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl rsa -in \/etc\/ssl\/openldap\/private\/ldapserver-key.key -out \/etc\/ssl\/openldap\/private\/ldapserver-key.key<\/code><\/pre>\n\n\n\n<p>Generate the certificate signing request (CSR). Be sure to configure the same details as you did when generating the CA certificate file above.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl req -new -key \/etc\/ssl\/openldap\/private\/ldapserver-key.key -out \/etc\/ssl\/openldap\/certs\/ldapserver-cert.csr<\/code><\/pre>\n\n\n\n<p>Generate the LDAP server certificate and sign it with the CA key and certificate generated above.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl ca -keyfile \/etc\/ssl\/openldap\/private\/cakey.pem -cert \/etc\/ssl\/openldap\/certs\/cacert.pem -in \/etc\/ssl\/openldap\/certs\/ldapserver-cert.csr -out \/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt<\/code><\/pre>\n\n\n\n<p>To verify the LDAP server certificate against the CA;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl verify -CAfile \/etc\/ssl\/openldap\/certs\/cacert.pem \/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>\/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt: OK<\/strong><\/code><\/pre>\n\n\n\n<p>Now, we have the CA certificate file, the server certificate and the server key file under the following respective directories.<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\"><code>\/etc\/ssl\/openldap\/certs\/cacert.pem<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/etc\/ssl\/openldap\/private\/ldapserver-key.key<\/code><\/pre>\n\n\n\n<p>Next, set the ownership of the OpenLDAP certificates directory to <code>openldap<\/code> user.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chown -R openldap: \/etc\/ssl\/openldap\/<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Update OpenLDAP Server TLS Certificates<\/h3>\n\n\n\n<p>Next, you need to update the OpenLDAP Server TLS certificates. Therefore, create the an LDIF file to define the TLS attributes as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim ldap-tls.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: cn=config\nchangetype: modify\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: \/etc\/ssl\/openldap\/certs\/cacert.pem\n-\nreplace: olcTLSCertificateFile\nolcTLSCertificateFile: \/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt\n-\nreplace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: \/etc\/ssl\/openldap\/private\/ldapserver-key.key\n<\/code><\/pre>\n\n\n\n<p>Replace the locations of your certificates and key files accordingly.<\/p>\n\n\n\n<p>To modify these entries on the LDAP database, use <code>ldapmodify<\/code> command as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f ldap-tls.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nmodifying entry \"cn=config\"<\/code><\/pre>\n\n\n\n<p>To verify that the files are in place;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat -b \"cn=config\" | grep -E \"olcTLS\"<\/code><\/pre>\n\n\n\n<pre 
class=\"wp-block-code\"><code>olcTLSCACertificateFile: \/etc\/ssl\/openldap\/certs\/cacert.pem\nolcTLSCertificateFile: \/etc\/ssl\/openldap\/certs\/ldapserver-cert.crt\nolcTLSCertificateKeyFile: \/etc\/ssl\/openldap\/private\/ldapserver-key.key<\/code><\/pre>\n\n\n\n<p>To check the validity of the LDAP configuration, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slaptest -u<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>config file testing succeeded<\/code><\/pre>\n\n\n\n<p>Next, open the <code>\/etc\/ldap\/ldap.conf<\/code> configuration file and change the location of the CA certificate.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/ldap\/ldap.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>...\n# TLS certificates (needed for GnuTLS)\n#TLS_CACERT\t\/etc\/ssl\/certs\/ca-certificates.crt\nTLS_CACERT\t\/etc\/ssl\/openldap\/certs\/cacert.pem<\/code><\/pre>\n\n\n\n<p>Restart OpenLDAP daemon.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart slapd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verify TLS connectivity for LDAP<\/h3>\n\n\n\n<p>To verify OpenLDAP TLS connectivity, run the command below. 
If the connection is fine, you should get the output <code>anonymous<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapwhoami -H ldap:\/\/ldapmaster.kifarunix-demo.com -x -ZZ\nanonymous<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapwhoami -H ldapi:\/\/\/ -x -ZZ\nanonymous<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Disable Anonymous OpenLDAP Access<\/h3>\n\n\n\n<p>To disable anonymous OpenLDAP access so that you need to authenticate to be able to access LDAP;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim disable-anon.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: cn=config\nchangetype: modify\nadd: olcDisallows\nolcDisallows: bind_anon\n\ndn: cn=config\nchangetype: modify\nadd: olcRequires\nolcRequires: authc\n\ndn: olcDatabase={-1}frontend,cn=config\nchangetype: modify\nadd: olcRequires\nolcRequires: authc<\/code><\/pre>\n\n\n\n<p>Update the slapd database;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f disable-anon.ldif<\/code><\/pre>\n\n\n\n<p>Test anonymous authentication.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapwhoami -H ldapi:\/\/\/ -x -ZZ<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ldap_bind: Inappropriate authentication (48)\n\tadditional info: anonymous bind disallowed<\/code><\/pre>\n\n\n\n<p>Test authentication with a user account.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapwhoami -H ldapi:\/\/\/ -x -ZZ -D \"uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -W<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Enter LDAP Password: \ndn:uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure OpenLDAP Logging<\/h3>\n\n\n\n<p>Configure OpenLDAP to log to a specific log file. First, enable OpenLDAP to log connections, operations and results statistics. 
Such logging is enabled at <a href=\"https:\/\/www.openldap.org\/doc\/admin24\/slapdconfig.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"log level 256 with keyword stats (opens in a new tab)\">log level <code>256<\/code> with keyword <code>stats<\/code><\/a>. This can be done by modifying the <code>olcLogLevel<\/code> attribute as shown below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim enable-ldap-log.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: cn=config\nchangeType: modify\nreplace: olcLogLevel\nolcLogLevel: stats<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapmodify -Y external -H ldapi:\/\/\/ -f enable-ldap-log.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nmodifying entry \"cn=config\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config \"(objectClass=olcGlobal)\" olcLogLevel -LLL<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\ndn: cn=config\nolcLogLevel: stats<\/code><\/pre>\n\n\n\n<p>Configure Rsyslog to enable OpenLDAP to log to a specific file. 
By default, OpenLDAP logs to <code>local4<\/code> facility.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"local4.* \/var\/log\/slapd.log\" &gt;&gt; \/etc\/rsyslog.conf<\/code><\/pre>\n\n\n\n<p>Restart Rsyslog<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart rsyslog<\/code><\/pre>\n\n\n\n<p>Restart LDAP server service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart slapd<\/code><\/pre>\n\n\n\n<p>You can now read the log file, <code>\/var\/log\/slapd.log<\/code>.<\/p>\n\n\n\n<p>So far so good, we have learnt how to setup OpenLDAP Server with SSL\/TLS on Debian 10. In our next guides, we will learn how to configure LDAP clients to authenticate via LDAP Server.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Related Tutorials<\/h4>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-configure-openldap-server-on-debian-9-stretch\/\">Install and Configure OpenLDAP Server on Debian 9 Stretch<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/configure-openldap-client-on-debian-9-stretch\/\" target=\"_blank\">Configure OpenLDAP Client on Debian 9 Stretch<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-configure-openldap-server-on-fedora-29\/\" target=\"_blank\">Install and Configure OpenLDAP server on Fedora 29<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This guide will take you through how to setup OpenLDAP server with SSL\/TLS on Debian 10 Buster. 
OpenLDAP clients and servers are capable of using<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[285,121,1099],"tags":[997,1100,286,1102,1101],"class_list":["post-4104","post","type-post","status-publish","format-standard","hentry","category-directory-server","category-howtos","category-openldap","tag-debian-10","tag-ldap-server","tag-openldap","tag-self-signed-ssl","tag-tls-ssl","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4104"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4104"}],"version-history":[{"count":12,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4104\/revisions"}],"predecessor-version":[{"id":5864,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4104\/revisions\/5864"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}