Skip to main content

How to configure LDAP in Ubuntu?



Introduction

LDAP, or Lightweight Directory Access Protocol, is a protocol for managing related information from a centralized location through the use of a file and directory hierarchy. It functions in a similar way to a relational database in certain ways and can be used to organize and store any kind of information. LDAP is commonly used for centralized authentication.

In this post, we will cover how to install and configure an OpenLDAP server and how to encrypt connections to OpenLDAP using STARTTLS to upgrade conventional connections to TLS on an Ubuntu 14.04 LTS.

Prerequisites
Setting the Hostname and FQDN
We should set up our server so that it correctly resolves its hostname and fully qualified domain name (FQDN). This will be necessary in order for our certificates to be validated by clients. We will assume that our LDAP server will be hosted on a machine with the FQDN of vive.example.com

To set the hostname, use the hostnamectl command with the set-hostname option. 
$ sudo hostnamectl set-hostname vive
Next, we need to set the FQDN.
$ sudo gedit /etc/hosts

Find the line that maps the 127.0.1.1 IP address. Change the first field after the IP 
address to the FQDN of the server, and the second field to the short hostname. For our example, it would look something like this:

/etc/hosts

Save and close the file when you are finished.
You can check that you've configured these values correctly by typing:

Installing the LDAP Server
$ sudo apt-get update
$ sudo apt-get install slapd ldap-utils

You will be asked to enter and confirm an administrator password for the administrator
LDAP account.

Reconfigure slapd
When the installation is complete, we actually need to reconfigure the LDAP package. Type the following to do:
$ sudo dpkg-reconfigure slapd

You will be asked a series of questions and answer the prompts appropriately.

Install the SSL Components
After OpenLDAP server is configured, we need to install packages to encrypt our connection. The Ubuntu OpenLDAP package is compiled against the GnuTLS SSL libraries, so we will use GnuTLS to generate our SSL credentials:
$ sudo apt-get install gnutls-bin ssl-cert

Then we can begin creating the certificates and keys needed to encrypt our connections.

Create the Certificate Templates 
To encrypt our connections, we'll need to configure a certificate authority
and use it to sign the keys for the LDAP server(s).
We will need two sets of key/certificate pairs: one is for the certificate authority itself and another one is associated with the LDAP service.

Making a directory to store the template files
$ sudo mkdir /etc/ssl/templates 

Create the CA Template 
Create ca_server.conf and open the file in your text editor: 
$ sudo gedit /etc/ssl/templates/ca_server.conf

We only need to provide a few information and specify that the certificate will be for a CA (certificate authority) by adding the ca option. We also need the cert_signing_key option to give the generated certificate the ability to sign additional certificates. We can set the cn to whatever descriptive name.

Create the LDAP Service Template
$ sudo gedit /etc/ssl/templates/ldap_server.conf

Here, we'll provide a few different pieces of information. We'll provide the name of the organization and set the tls_www_server, encryption_keyand signing_key options so that our cert has the basic functionality it needs.

The cn in this template must match the FQDN of the LDAP server. If this value does not match, the client will reject the server's certificate.








Create CA Key and Certificate
We can create our two key/certificate pairs. We need to create the certificate authority's set first.

Use the certtool utility to generate a private key. The /etc/ssl/private directory is protected from non-root users and is the appropriate location to place the private keys we will be generating. We can generate a private key and write it to a file called ca_server.key within this directory by typing:
$ sudo certtool -p --outfile /etc/ssl/private/ca_server.key

Now, we can use the private key that we just generated and the template file we created in the last section to create the certificate authority certificate. We will write this to a file in the /etc/ssl/certs directory called ca_server.pem:
$ sudo certtool -s --load-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ca_server.conf --outfile /etc/ssl/certs/ca_server.pem

We now have the private key and certificate pair for our certificate authority. We can use this to sign the key that will be used to actually encrypt the LDAP session.

Create LDAP Service Key and Certificate
Next, we need to generate a private key for our LDAP server. We will again put the generated key in the /etc/ssl/private directory for security purposes and will call the file ldap_server.key for clarity.

We can generate the appropriate key by typing:
$ sudo certtool -p --sec-param high --outfile /etc/sl/private/ldap_server.key

Once we have the private key for the LDAP server, we have everything we need to generate a certificate for the server. We will need to pull in almost all of the components we've created thus far (the CA certificate and key, the LDAP server key, and the LDAP server template).

We will put the certificate in the /etc/ssl/certs directory and name it ldap_server.pem.
$ sudo certtool -c --load-privkey /etc/ssl/private/ldap_server.key --load-ca-certificate /etc/ssl/certs/ca_server.pem
--load-ca-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ldap_server.conf
--outfile /etc/ssl/certs/ldap_server.pem

Give OpenLDAP Access to the LDAP Server Key
We now have all of the certificates and keys we need. However, currently, our OpenLDAP process will be unable to access its own key.

A group called ssl-cert already exists as the group-owner of the /etc/ssl/private directory. We can add the user our OpenLDAP process runs under (openldap) to this group:
$ sudo usermod -aG ssl-cert openldap

Now, our OpenLDAP user has access to the directory. We still need to give that group ownership of theldap_server.key file though so that we can allow read access. Give the ssl-cert group ownership over that file by typing:
$ sudo chown :ssl-cert /etc/ssl/private/ldap_server.key
Now, give the ssl-cert group read access to the file:
$ sudo chmod 640 /etc/ssl/private/ldap_server.key

Our OpenSSL process can now access the key file properly.

Configure OpenLDAP to Use the Certificate and Keys
We have our files and have configured access to the components correctly. Now, we need to modify our OpenLDAP configuration to use the files we've made. We will do this by creating an LDIF file with our configuration changes and loading it into our LDAP instance.

Move to your home directory and open a file called addcerts.ldif. We will put our configuration changes in this file:
$ cd ~
$ gedit addcerts.ldif

To make configuration changes, we need to target the cn=config entry of the configuration DIT. We need to specify that we are wanting to modify the attributes of the entry. Afterward we need to add the olcTLSCACertificateFile, olcCertificateFile and olcCertificateKeyFile attributes and set them to the correct file locations.
The end result will look like this:

Save and close the file when you are finished. Apply the changes to your OpenLDAP system using the ldapmodify command:
$ sudo ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif

We can reload OpenLDAP to apply the changes:
$ sudo service slapd force-reload


On the OpenLDAP Server
If you are interacting with the OpenLDAP server from the server itself, you can set up the client utilities by copying the CA certificate and adjusting the client configuration file.

First, copy the CA certificate from the /etc/ssl/certs directory to a file within the /etc/ldap directory. We will call this file ca_certs.pem. This file can be used to store all of the CA certificates that clients on this machine may wish to access. For our purposes, this will only contain a single certificate:
$ sudo cp /etc/ssl/certs/ca_server.pem /etc/ldap/ca_certs.pem

Now, we can adjust the system-wide configuration file for the OpenLDAP utilities. Open up the configuration file in your text editor:
$ sudo gedit /etc/ldap/ldap.conf

Note:
In order to use encryption, You should have in /etc/default/slapd
SLAPD_SERVICES="ldap:/// ldapi:///"
You can use "netstat -tulnp | grep <port no>" to check port is opened or closed.

Comments

Popular Posts

How to install draw.io Desktop Application on Kali Linux?

draw.io is an online diagramming open source web application which can be used as flowchart maker, network diagram software, ER diagram tool, UML diagramand more. It can be freely accessible website of draw.io or official Docker image or Desktop version for macOS, Linux & Windows. This guide includes detailed instructions about Desktop version installation on Kali Linux. Download the .deb build for draw.io sudo apt update sudo apt -y install wget curl curl -s https://api.github.com/repos/jgraph/drawio-desktop/releases/latest | grep browser_download_url | grep '\.deb' | cut -d '"' -f 4 | wget -i - Install with dpkg command sudo apt -f install ./drawio-amd64-*.de When application is installed, launch the application with following command. drawio Now application is ready to use. Click on " Create New Diagram"  to create new project or click on " Open Existing Diagram " to edit. ...

What is Honeypot?

A  honeypot is a security mechanism that creates a virtual trap to lure attackers. Simply we can say that this is a  decoy box residing inside your network demilitarized zone  (DMZ), set up by a security professional to trap or aid in locating hackers, or to draw them  away from the real target system. Since this a  decoy system , a malicious attacker might try to attack; software on  the system can log information about the attacker such as the IP address. This information  can be used to try to locate the attacker either during or after the attack. Honeypots vary based on design and deployment models, but they are all decoys intended to look like legitimate, vulnerable systems to attract cyber criminals. Type of Honeypot Production Honeypot : Used by companies and corporations for the purpose of researching the motives hackers as well ass diverting and mitigating the risk of attacks on the overall network. Research Honeypot : Used by nonprofit organi...

How to install Oracle Virtualbox in Ubuntu?

Introduction VirtualBox is a powerful free tool offered by Oracle for running an operating system on your computer virtually. In this tutorial lets learn how to install VirtualBox on Ubuntu. Installation 1. Open a terminal or press Ctrl + Alt +T 2. Enter the following command to all the packages or dependencies.      sudo apt-get update ( make sure to give the root password) 3. Run the following command to download and install Virtualbox     sudo apt-get install vrtualbox virtualbox-ext-pack That's all! VirtualBox has been successfully installed on your Ubuntu machine, and you can start using it.