- Configure routing table with the client network topology
- Install and configure OpenLDAP, with phpLDAPadmin
- Enable SSL for phpLDAPadmin
- Enable StartTLS
sudo apt-get install slapd ldap-utils
sudo apt-get install phpldapadmin
sudo apt-get install apache2-utils
sudo dpkg-reconfigure slapd
and answer the prompts as follows:
- Omit OpenLDAP server configuration? No
- DNS domain name? Example: devops.org
- Organization name? Example: any
- Administrator password?
- Database backend? HDB
- Remove the database when slapd is purged? No
- Move old database? Yes
- Allow LDAPv2 protocol? No
Note: if the admin password is changed later, the GitLab configuration (/etc/gitlab/gitlab.rb) that is set up afterwards and integrated with LDAP will need to be updated as well, since it binds with this password.
Edit /etc/phpldapadmin/config.php
$servers->setValue('server','name','LDAP @ DevOps');
$servers->setValue('server','host','172.29.167.177');
$servers->setValue('server','base',array('dc=devops,dc=org'));
$servers->setValue('login','auth_type','session');
$servers->setValue('login','bind_id','cn=admin,dc=devops,dc=org');
$servers->setValue('server','tls',false);
Then restart
systemctl restart slapd
systemctl restart apache2
From here, you should be able to access http://172.29.167.177/phpldapadmin and log in as cn=admin,dc=devops,dc=org with the administrator password given to dpkg-reconfigure.
Carefully follow the instructions step by step at DigitalOcean: Encrypt OpenLDAP using StartTLS. I just document how I followed them anyway, and I use vi instead of nano.
sudo hostnamectl set-hostname ldap
In my case, I use cm02 as the ldap host, so the command becomes sudo hostnamectl set-hostname cm02 (the /etc/hosts entries and the hostname test below assume that name).
Edit /etc/hosts
cat /etc/hosts
# 127.0.0.1 cm02.devops.org cm02
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.29.167.171 cm01
172.29.167.177 cm02.devops.org cm02
172.29.167.178 cm03
172.29.167.179 cm04
172.29.167.180 cm05
172.29.167.181 cm06
Test: hostname and hostname -f should return cm02 and cm02.devops.org respectively.
sudo apt-get install gnutls-bin ssl-cert
sudo mkdir /etc/ssl/templates
sudo nano /etc/ssl/templates/ca_server.conf
with the content of
cn = LDAP Server CA
ca
cert_signing_key
sudo nano /etc/ssl/templates/ldap_server.conf
with the content of
organization = "Example Inc"
cn = cm02.devops.org
tls_www_server
encryption_key
signing_key
expiration_days = 3652
where cm02.devops.org is the host with OpenLDAP installed. This must be the FQDN the clients connect to, because a verifying client checks the certificate against the name in the ldap:// URL.
sudo certtool -p --outfile /etc/ssl/private/ca_server.key
sudo certtool -s --load-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ca_server.conf --outfile /etc/ssl/certs/ca_server.pem
sudo certtool -p --sec-param high --outfile /etc/ssl/private/ldap_server.key
sudo certtool -c --load-privkey /etc/ssl/private/ldap_server.key --load-ca-certificate /etc/ssl/certs/ca_server.pem --load-ca-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ldap_server.conf --outfile /etc/ssl/certs/ldap_server.pem
sudo usermod -aG ssl-cert openldap
sudo chown :ssl-cert /etc/ssl/private/ldap_server.key
sudo chmod 640 /etc/ssl/private/ldap_server.key
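Before loading these three files into slapd, it is worth checking that they agree with each other. The script below is an added example, not part of this page or of DigitalOcean's guide. It uses openssl rather than certtool (an assumption: openssl is installed, which it is on almost every host) and the file names and the cm02.devops.org hostname from this page. The make_demo_pki function builds a constructed, throwaway CA and server certificate in a temporary directory so the check can be run offline; on the real host, point check_ldap_tls_files at /etc/ssl/certs/ca_server.pem, /etc/ssl/certs/ldap_server.pem and /etc/ssl/private/ldap_server.key instead.

```sh
#!/bin/sh
# Added example (not from this page or the DigitalOcean guide): pre-flight checks on the
# three files that addcerts.ldif hands to slapd, run before ldapmodify so a bad file is
# caught here rather than as an opaque StartTLS failure. openssl is used instead of
# certtool only because it is installed almost everywhere (assumption).

# check_ldap_tls_files CA_PEM SERVER_PEM SERVER_KEY FQDN
# Returns 0 only if: the key belongs to the certificate, the CA actually signed the
# certificate, the certificate names FQDN (CN or DNS SAN), and the key is not
# world-readable (slapd reads it as user openldap through the ssl-cert group).
check_ldap_tls_files() {
  ca="$1"; cert="$2"; key="$3"; fqdn="$4"

  # 1. olcTLSCertificateKeyFile must be the private half of olcTLSCertificateFile:
  #    compare the public key embedded in the certificate with the one derived from the key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key is not the private key for $cert" >&2; return 1
  fi

  # 2. olcTLSCACertificateFile must be the issuer of the server certificate; this is the
  #    same chain every client validates when TLS_REQCERT is demand.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert was not issued by $ca" >&2; return 1
  fi

  # 3. Clients connect to ldap://FQDN, so FQDN must appear as the CN or as a DNS SAN,
  #    or a verifying client rejects the handshake.
  if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
       | grep -Eq "CN ?= ?$fqdn(,|$)|DNS:$fqdn(,|$)"; then
    echo "FAIL: $cert is not issued for $fqdn" >&2; return 1
  fi

  # 4. The key must not be world-readable (chmod 640, group ssl-cert on this page).
  #    stat -c is GNU coreutils syntax.
  mode=$(stat -c %a "$key" 2>/dev/null || true)
  case "$mode" in
    *[4567]) echo "FAIL: $key mode $mode is world-readable" >&2; return 1 ;;
  esac

  echo "OK: $cert, $key and $ca are consistent for $fqdn"
  return 0
}

# make_demo_pki DIR: constructed throwaway CA + server certificate mirroring the
# ca_server.* / ldap_server.* files above, so the check can be exercised offline.
make_demo_pki() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=LDAP Server CA" \
    -keyout "$dir/ca_server.key" -out "$dir/ca_server.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Inc/CN=cm02.devops.org" \
    -keyout "$dir/ldap_server.key" -out "$dir/ldap_server.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$dir/ldap_server.csr" -CA "$dir/ca_server.pem" \
    -CAkey "$dir/ca_server.key" -CAcreateserial -out "$dir/ldap_server.pem" >/dev/null 2>&1
  chmod 640 "$dir/ldap_server.key"
}

# Stand-alone run (sh check_ldap_tls.sh demo): build the throwaway PKI, check it,
# then show the failure for a hostname the certificate was not issued for.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_pki "$d"
  check_ldap_tls_files "$d/ca_server.pem" "$d/ldap_server.pem" "$d/ldap_server.key" cm02.devops.org
  check_ldap_tls_files "$d/ca_server.pem" "$d/ldap_server.pem" "$d/ldap_server.key" cm03.devops.org
  rm -rf "$d"
fi
```

Check 3 is the one people most often get wrong when they reuse a certificate across hosts: slapd will happily serve a certificate whose CN does not match, and only the clients notice.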
cd ~
nano addcerts.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca_server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_server.key
Load the file into slapd
sudo ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif
Restart slapd
sudo service slapd force-reload
sudo cp /etc/ssl/certs/ca_server.pem /etc/ldap/ca_certs.pem
sudo vi /etc/ldap/ldap.conf
and specify
TLS_CACERT /etc/ldap/ca_certs.pem
TLS_REQCERT allow
then restart slapd
sudo systemctl restart slapd.service
TLS_REQCERT allow has to be set in /etc/ldap/ldap.conf or phpLDAPadmin won't let you login (this is missed in DigitalOcean's doc). Be aware of what it trades away: with allow, the client (here PHP's ldap extension, which reads this file) accepts any server certificate, or none at all, so StartTLS still encrypts the session but no longer proves the peer is cm02 rather than a man-in-the-middle. The default, demand, verifies the certificate against TLS_CACERT; if the ldapwhoami -ZZ test below succeeds with demand, prefer that and only fall back to allow once you know why verification fails.
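The same two lines are set again on every client in the Adjust the Client Configuration step. As an added example, not from this page or DigitalOcean's guide, here is a small audit of an ldap.conf that flags the weak TLS_REQCERT values and a TLS_CACERT that does not point at a readable PEM bundle. The sample files are constructed in a temporary directory, with weak.conf as this page has it and hardened.conf as the corrected form; the real file on both the server and the clients is /etc/ldap/ldap.conf.

```sh
#!/bin/sh
# Added example (not from this page or the DigitalOcean guide): audit the client-side
# TLS settings in ldap.conf. Sample files are constructed below; the real file on the
# server and on every client is /etc/ldap/ldap.conf.

# audit_ldap_conf FILE
# Prints one finding per line. Returns 0 only when TLS_CACERT names a readable PEM bundle
# and TLS_REQCERT is demand or hard (or absent, which ldap.conf(5) treats as demand).
audit_ldap_conf() {
  conf="$1"; rc=0
  # Keys are case-insensitive, whitespace separated, one per line; # starts a comment.
  cacert=$(awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}' "$conf")
  reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}' "$conf")

  if [ -z "$cacert" ]; then
    echo "TLS_CACERT missing: no trust anchor, so the server certificate cannot be verified"; rc=1
  elif ! grep -q "BEGIN CERTIFICATE" "$cacert" 2>/dev/null; then
    echo "TLS_CACERT $cacert: unreadable or not a PEM bundle (the usual reason demand fails and people drop to allow)"; rc=1
  fi

  # Meaning of each value per ldap.conf(5).
  case "${reqcert:-demand}" in
    demand|hard) echo "TLS_REQCERT ${reqcert:-demand}: server certificate verified against TLS_CACERT" ;;
    try)   echo "TLS_REQCERT try: a server that sends no certificate at all is accepted"; rc=1 ;;
    allow) echo "TLS_REQCERT allow: any certificate, or none, is accepted; StartTLS then stops only passive sniffing, not an active MITM"; rc=1 ;;
    never) echo "TLS_REQCERT never: no certificate is even requested"; rc=1 ;;
    *)     echo "TLS_REQCERT $reqcert: not a valid value"; rc=1 ;;
  esac
  return $rc
}

# write_demo_confs DIR: constructed ldap.conf samples, weak (as this page has it),
# hardened, and one with a wrong CA path, plus a stub PEM file as the trust anchor.
write_demo_confs() {
  dir="$1"
  # Stub trust anchor: only the PEM framing matters to this audit.
  printf -- '-----BEGIN CERTIFICATE-----\nconstructed stub, not a real certificate\n-----END CERTIFICATE-----\n' > "$dir/ca_certs.pem"
  cat > "$dir/weak.conf" <<EOF
TLS_CACERT $dir/ca_certs.pem
TLS_REQCERT allow
EOF
  cat > "$dir/hardened.conf" <<EOF
# trust anchor is the CA that signed ldap_server.pem, so demand works
TLS_CACERT $dir/ca_certs.pem
TLS_REQCERT demand
EOF
  cat > "$dir/broken.conf" <<EOF
TLS_CACERT $dir/does_not_exist.pem
TLS_REQCERT demand
EOF
}

# Stand-alone run (sh audit_ldap_conf.sh demo): audit all three samples.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  write_demo_confs "$d"
  for f in weak hardened broken; do
    echo "== $f.conf"; audit_ldap_conf "$d/$f.conf" || true
  done
  rm -rf "$d"
fi
```

Run it against /etc/ldap/ldap.conf on the server and on each client after the copy step; a clean result there is what makes "Could not start TLS" in phpLDAPadmin a real problem to investigate rather than something to paper over with allow.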
Test (-Z issues StartTLS; -ZZ makes it mandatory, so the command fails instead of silently continuing in clear text if StartTLS cannot be negotiated):
ldapwhoami -H ldap:// -x -ZZ
The expected successful output is
anonymous
A failure looks like
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
If you have phpLDAPadmin installed, edit /etc/phpldapadmin/config.php and change the tls line to
$servers->setValue('server','tls',true);
This has to be set or phpLDAPadmin keeps connecting without StartTLS (this is missed in DigitalOcean's doc).
Reference > how-to-install-and-configure-openldap-and-phpldapadmin-on-an-ubuntu (over SSL)
Then restart apache:
systemctl restart apache2
You'd be able to log in at https://cm02.devops.org/phpldapadmin with StartTLS enabled.
On the client, install ldap-utils if it is not already there:
sudo apt-get install ldap-utils
Log into the remote client as a common user. Copy the CA cert from the OpenLDAP server and append it to the client's ca_certs.pem file:
scp root@cm02:/etc/ssl/certs/ca_server.pem ~/
cat ~/ca_server.pem | sudo tee -a /etc/ldap/ca_certs.pem
where cm02 is the OpenLDAP server.
Adjust the Client Configuration
sudo nano /etc/ldap/ldap.conf
with
TLS_CACERT /etc/ldap/ca_certs.pem
Test and you should see anonymous
ubuntu@cm01:~$ ldapwhoami -H ldap://cm02.devops.org -x -ZZ
anonymous
On OpenLDAP server, type
sudo ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q "(olcSuffix=*)" dn olcSuffix
The response should look like
dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=devops,dc=org
Create the LDIF
nano ~/forcetls.ldif
with
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
Then load
sudo ldapmodify -H ldapi:// -Y EXTERNAL -f forcetls.ldif
and reload slapd:
sudo service slapd force-reload
Test
ubuntu@cm02:~$ ldapsearch -H ldap:// -x -b "dc=devops,dc=org" -LLL -Z dn
dn: dc=devops,dc=org
dn: cn=admin,dc=devops,dc=org
dn: cn=jeff yang,dc=devops,dc=org
ubuntu@cm02:~$
Without -Z the same command is refused with Confidentiality required (13): olcSecurity tls=1 makes slapd reject operations on this database unless the connection has negotiated TLS first.
1. TLS_REQCERT allow has to be set in /etc/ldap/ldap.conf or phpLDAPadmin won't let you login (this is missed in DigitalOcean's doc). The error message might be:
Array
(
[class] => N/A
[function] => debug_dump
[file] => /usr/share/phpldapadmin/lib/functions.php
[line] => 700
[debug] => Array
(
[Incoming MSG] => Array
(
[title] => Could not start TLS. (DevOps LDAP @ Any)
[body] => Error: Could not start TLS. Please check your LDAP server configuration.
[type] => error
)
[existing] => Array
(
[0] => Array
(
[title] => Could not start TLS. (DevOps LDAP @ Any)
[body] => Error: Could not start TLS. Please check your LDAP server configuration.
[type] => error
)
[1] => Array
(
[title] => Authenticate to server
[body] => Successfully logged into server.
[type] => info
)
)
)
)
2. $servers->setValue('server','tls',true); has to be set in /etc/phpldapadmin/config.php (this is missed in DigitalOcean's doc). The error message could be the following; Confidentiality required (13) is slapd refusing the bind because olcSecurity tls=1 is in force and phpLDAPadmin did not issue StartTLS first:
Unable to connect to LDAP server DevOps LDAP @ Any
Error: Confidentiality required (13) for user
error Failed to Authenticate to server
Invalid Username or Password.
To inspect the generated certificates (certtool comes from gnutls-bin, installed above):
sudo apt install gnutls-bin
certtool --certificate-info --infile /etc/ssl/certs/ca_server.pem
certtool --certificate-info --infile /etc/ssl/certs/ldap_server.pem
Reference > https://linux.die.net/man/1/certtool
To create a certificate request (needed when the certificate is issued by another party), run:
$ certtool --generate-request --load-privkey key.pem \
--outfile request.pem
To generate a certificate using the previous request, use the command:
$ certtool --generate-certificate --load-request request.pem \
--outfile cert.pem --load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem