Follow through this tutorial to learn how to install and setup OpenLDAP Server on Debian 12. OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol, a client-server protocol for accessing directory services, specifically X.500-based directory services.
Table of Contents
Installing OpenLDAP Server on Debian 12
The OpenLDAP suite include;
- slapd – stand-alone LDAP daemon (server)
- libraries implementing the LDAP protocol, and
- utilities, tools, and sample clients.
Run System Update
Before you begin, ensure your system package cache is up-to-date.
apt update
apt upgrade
Build and Install OpenLDAP Server on Debian 12
The default Debian 12 repositories provides OpenLDAP 2.4.57;
apt-cache policy slapdslapd:
Installed: (none)
Candidate: 2.5.13+dfsg-5
Version table:
2.5.13+dfsg-5 500
500 http://deb.debian.org/debian bookworm/main amd64 PackagesAs of this writing, OpenLDAP 2.6.4 is the current stable release, as per the release page.
To ensure you run the latest version of OpenLDAP, you need then to build it from the source.
Create OpenLDAP System Account
Create a non-privileged system user to run OpenLDAP.
useradd -r -M -d /var/lib/openldap -s /usr/sbin/nologin ldapInstall Required Dependencies and Build Tools
There are quite a number of dependencies and build tools required for a successful build and compilation OpenLDAP from the source which can be installed by running the command below;
apt install libsasl2-dev \
make \
libtool \
build-essential \
openssl \
libevent-dev \
libargon2-dev \
sudo \
wget \
vim \
pkg-config \
wiredtiger \
libsystemd-dev \
libssl-dev \
libperl-dev \
libldap-common
Download OpenLDAP Source Code
Navigate to the OpenLDAP download’s page and grab the tarball.
VER=2.6.4wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-${VER}.tgzExtract the OpenLDAP Source Code
The tarball can be extracted by running the command;
tar xzf openldap-$VER.tgz
Install OpenLDAP Server on Debian 12
Compile and install OpenLDAP server on Debian 12 as follows;
cd openldap-$VER
./configure --prefix=/usr --sysconfdir=/etc --disable-static \
--enable-debug --with-tls=openssl --with-cyrus-sasl \
--enable-dynamic --enable-crypt --enable-spasswd \
--enable-slapd --enable-modules --enable-rlookups \
--enable-backends=mod --disable-sql --enable-ppolicy=mod \
--enable-syslog --enable-overlays=mod --with-systemd --enable-wt=no
If the command ends with an error, fix it before you can proceed. Otherwise, with no error, the command should end with such output;
...
Making servers/slapd/backends.c
Add config ...
Add ldif ...
Add monitor ...
Making servers/slapd/overlays/statover.c
Please run "make depend" to build dependencies
Next, run the make depend command to build OpenLDAP dependencies.
make dependCompile OpenLDAP on Debian 12.
makeEnsure the command completes with no error. Fix any error, if there is, before you can proceed.
make installConfiguring OpenLDAP on Debian 12
Create Data and Database Directories
Create OpenLDAP data and database directories
mkdir /var/lib/openldap /etc/openldap/slapd.dSet the proper ownership and permissions on OpenLDAP directories and configuration files.
chown -R ldap:ldap /var/lib/openldapchown root:ldap /etc/openldap/slapd.confchmod 640 /etc/openldap/slapd.confUpdate OpenLDAP Service
We will update the created OpenLDAP service file;
mv /lib/systemd/system/slapd.service{,.old}
cat > /etc/systemd/system/slapd.service << 'EOL'
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-mdb
[Service]
Type=forking
PIDFile=/var/lib/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:/// ldaps:///"
Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d"
ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
[Install]
WantedBy=multi-user.target
EOL
Create OpenLDAP SUDO Schema
To configure LDAP with support sudo, first, install sudo-ldap package.
apt install sudo-ldapYou can then verify the sudo OpenLDAP.
sudo -V | grep -i "ldap"If sudo supports LDAP, you should see the lines below;
...
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secretCheck if LDAP sudo schema is available.
find /usr/share/doc/ -iname schema.openldapOutput;
/usr/share/doc/sudo-ldap/schema.OpenLDAPCopy the schema.OpenLDAP to the schema directory.
cp /usr/share/doc/sudo-ldap/schema.OpenLDAP /etc/openldap/schema/sudo.schemaNext, you need to create sudo schema ldif file.
Run the command below to create the sudo.ldif file. (We copied the default ldif file from /usr/share/doc/sudo-ldap/schema.olcSudo and just modified it).
cat << 'EOL' > /etc/openldap/schema/sudo.ldif
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo (deprecated)'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
NAME 'sudoNotBefore'
DESC 'Start of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
#
olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9
NAME 'sudoNotAfter'
DESC 'End of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
#
olcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10
NAME 'sudoOrder'
DESC 'an integer to order the sudoRole entries'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
#
olcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $
description )
)
EOL
Update SLAPD Database
Edit the SLAPD LDIF file, /etc/openldap/slapd.ldif, and update it as follows;
mv /etc/openldap/slapd.ldif{,.bak}
cat > /etc/openldap/slapd.ldif << 'EOL'
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/lib/openldap/slapd.args
olcPidFile: /var/lib/openldap/slapd.pid
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/libexec/openldap
olcModuleload: back_mdb.la
olcModuleload: ppolicy.la
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/sudo.ldif
#include: file:///etc/openldap/schema/ppolicy.ldif
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=config
olcAccess: to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
EOL
- To update the SLAPD database from the information provided on the SLAPD LDIF file above, use
slapaddcommand with the option-n 0which creates the first database. - To specify the configuration directory,
/etc/openldap/slapd.d, use option-Fand option-lto specify location of the LDIF file above.
Before you can write the changes to the database, perform a dry run to see what would happen. Pass -u option to slapadd command.
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif -uIf the command do not output any error, then all is fine.
Then implement the changes if all is well.
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldifThis command creates slapd database configurations under /etc/openldap/slapd.d directory.
ls /etc/openldap/slapd.d'cn=config' 'cn=config.ldif'Set the user and group ownership of the /etc/openldap/slapd.d directory and the files in it to ldap user.
chown -R ldap:ldap /etc/openldap/slapd.dRunning OpenLDAP Service
Reload systemd configurations and start OpenLDAP service.
systemctl daemon-reloadsystemctl enable --now slapdCheck status;
systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/etc/systemd/system/slapd.service; enabled; preset: enabled)
Active: active (running) since Fri 2023-07-07 13:54:52 EDT; 3s ago
Docs: man:slapd
man:slapd-mdb
Process: 61559 ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 61560 (slapd)
Tasks: 2 (limit: 4642)
Memory: 5.3M
CPU: 29ms
CGroup: /system.slice/slapd.service
└─61560 /usr/libexec/slapd -u ldap -g ldap -h "ldap:/// ldapi:/// ldaps:///" -F /etc/openldap/slapd.d
Jul 07 13:54:52 ldapmaster.kifarunix-demo.com systemd[1]: Starting slapd.service - OpenLDAP Server Daemon...
Jul 07 13:54:52 ldapmaster.kifarunix-demo.com slapd[61559]: @(#) $OpenLDAP: slapd 2.6.4 (Jul 7 2023 12:06:42) $
root@debian:/root/openldap-2.6.4/servers/slapd
Jul 07 13:54:52 ldapmaster.kifarunix-demo.com slapd[61560]: slapd starting
Jul 07 13:54:52 ldapmaster.kifarunix-demo.com systemd[1]: Started slapd.service - OpenLDAP Server Daemon.
Confirm that the ports are listening;
ss -altnp | grep slapd
LISTEN 0 2048 0.0.0.0:636 0.0.0.0:* users:(("slapd",pid=60891,fd=10))
LISTEN 0 2048 0.0.0.0:389 0.0.0.0:* users:(("slapd",pid=60891,fd=7))
LISTEN 0 2048 [::]:636 [::]:* users:(("slapd",pid=60891,fd=11))
LISTEN 0 2048 [::]:389 [::]:* users:(("slapd",pid=60891,fd=8))
Configure OpenLDAP Logging on Debian 12
By default, OpenLDAP logging level is set to none which is required to have high priority messages only logged.
You can change this to a different log level, say to stats level (logs connections/operations/results), run the command below;
ldapmodify -Y EXTERNAL -H ldapi:/// -QThe copy and paste the content below on the prompt to modify the log level.
dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: statsNext, press ENTER twice.
Once you see a line, modifying entry "cn=config", then press Ctrl+d/ctrl+c.
You can as well use LDIF files to update this information if you like.
To confirm the changes;
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL -Qdn: cn=config
olcLogLevel: statsJournald is used for logging by default on Debian 12.
To view the logs;
journalctl -f -u slapdSample logs;
Jul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 fd=12 ACCEPT from PATH=/usr/var/run/ldapi (PATH=/usr/var/run/ldapi)
Jul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=0 BIND dn="" method=163
Jul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
Jul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
Jul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000035 text=
Jul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=1 SRCH base="cn=config" scope=2 deref=0 filter="(objectClass=olcGlobal)"
Jul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=1 SRCH attr=olcLogLevel
Jul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000005 etime=0.000059 nentries=1 text=
Jul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 op=2 UNBIND
Jul 07 12:24:18 ldapmaster.kifarunix-demo.com slapd[60837]: conn=1001 fd=12 closed
If you have enabled syslog logging instead, you need to specify the log file for OpenLDAP on Rsyslog configuration. By default, OpenLDAP logs to local4 facility, hence, to configure it to log to /var/log/slapd.log for example, execute the command below;
echo "local4.* /var/log/slapd.log" >> /etc/rsyslog.d/51-slapd.confRestart Rsyslog and SLAPD service
systemctl restart rsyslog slapdYou should now be able to read the LDAP logs on, /var/log/slapd.log.
You can as well configure log rotation;
cat > /etc/logrotate.d/slapd << EOL
/var/log/slapd.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
EOL
Restart log rotation service;
systemctl restart logrotateCreate OpenLDAP Default Root DN
Next, create MDB database defining the root DN as well as the access control lists.
First, generate the root DN password.
slappasswdNew password: ENTER PASSWORD
Re-enter new password: RE-ENTER PASSWORD
{SSHA}7QP9kPALcQ+0RTlnc2S5dwLna3lJMwRfCopy and paste the password hash generated above, {SSHA}7QP9kPALcQ+0RTlnc2S5dwLna3lJMwRf, as the value of olcRootPW in the Root DN ldif file below.
Replace the domain components, dc=ldapmaster,dc=kifarunix-demo,dc=com with your appropriate names.
cat > rootdn.ldif << 'EOL'
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 42949672960
olcDbDirectory: /var/lib/openldap
olcSuffix: dc=ldapmaster,dc=kifarunix-demo,dc=com
olcRootDN: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com
olcRootPW: {SSHA}7QP9kPALcQ+0RTlnc2S5dwLna3lJMwRf
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: sudoUser,sudoHost pres,eq
olcAccess: to attrs=userPassword,shadowLastChange,shadowExpire
by self write
by anonymous auth
by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com" read
by * none
olcAccess: to dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
olcAccess: to dn.subtree="dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by users read
by * none
EOL
Read more about ACL on OpenLDAP Access Control.
Update the slapd database with the content above;
ldapadd -Y EXTERNAL -H ldapi:/// -f rootdn.ldifSample command output;
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=mdb,cn=config"Configure OpenLDAP with SSL/TLS
To secure OpenLDAP communication between the client and the server, configured it to use SSL/TLS certificates.
In this guide, we are using self-signed certificates. You can choose to obtain the commercially signed and trusted certificates from your preferred CAs, for production environments.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \
/etc/ssl/ldapserver.key -out /etc/ssl/ldapserver.crtchown ldap:ldap /etc/ssl/{ldapserver.crt,ldapserver.key}Update the OpenLDAP Server TLS certificates attributes.
cat > tls.ldif << 'EOL'
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ldapserver.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/ldapserver.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/ldapserver.key
EOL
Note that we have used self-signed certificate as both the certificate and the CA certificate.
ldapadd -Y EXTERNAL -H ldapi:/// -f tls.ldifYou can confirm this by running;
slapcat -b "cn=config" | grep olcTLS
olcTLSCACertificateFile: /etc/ssl/ldapserver.crt
olcTLSCertificateFile: /etc/ssl/ldapserver.crt
olcTLSCertificateKeyFile: /etc/ssl/ldapserver.keyChange the location of the CA certificate on /etc/ldap/ldap.conf.
sed -i 's|/etc/ssl/certs/ca-certificates.crt|/etc/ssl/ldapserver.crt|' /etc/ldap/ldap.confRestart LDAP service;
systemctl restart slapdCreate OpenLDAP Base DN
Next, create your base DN or search base to define your organization structure and directory.
Replace the domain components and organization units accordingly.
cat > basedn.ldif << 'EOL'
dn: dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
o: Kifarunix-demo
dc: ldapmaster
dn: ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups
dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people
EOL
ldapadd -Y EXTERNAL -H ldapi:/// -f basedn.ldifSample output;
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "dc=ldapmaster,dc=kifarunix-demo,dc=com"
adding new entry "ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com"
adding new entry "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"Create OpenLDAP User Accounts
You can add users to your OpenLDAP server. Create an ldif file to define your users as follows.
cat > users.ldif << 'EOL'
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: johndoe
cn: John
sn: Doe
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/johndoe
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0
dn: cn=johndoe,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: posixGroup
cn: johndoe
gidNumber: 10000
memberUid: johndoe
EOL
Add the user to the OpenLDAP database.
ldapadd -Y EXTERNAL -H ldapi:/// -f users.ldifYou can use the same template to add more users.
Setting Password for an LDAP User
To set the password for user above, run the command below;
ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"The command prompts you to enter and confirm the password.
Create OpenLDAP Bind DN and Bind DN User
Bind DN user is used for performing LDAP operations such as resolving User IDs and group IDs.
In this guide, we create a bind DN ou called system.
Note the access controls associated with this Organization Unit, ou, as defined on the root DN above.
List the Access control lists on the database;
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self writ
e by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=ext
ernal,cn=auth" manage by dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-de
mo,dc=com" read by * none
olcAccess: {1}to dn.subtree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com"
by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mana
ge by * none
olcAccess: {2}to dn.subtree="dc=ldapmaster,dc=kifarunix-demo,dc=com" by dn.sub
tree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by user
s read by * none
Create the LDAP BindDN user password.
slappasswdNew password:
Re-enter new password:
{SSHA}XIBMbwkTKx5o/ExtnuwjbI/Tiem9/daICopy and Paste the password hash value above as the value of userPassword attribute in the file below;
cat > bindDNuser.ldif << 'EOL'
dn: ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: system
dn: cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: readonly
userPassword: {SSHA}XIBMbwkTKx5o/ExtnuwjbI/Tiem9/daI
description: Bind DN user for LDAP Operations
EOL
ldapadd -Y EXTERNAL -H ldapi:/// -f bindDNuser.ldifEnable OpenLDAP Password Policies
If you want to implement OpenLDAP password policies, read the guide below to learn how to implement password policies.
Implement OpenLDAP Password Policies
Allow OpenLDAP Service on Firewall
If UFW is running, allow OpenLDAP (both LDAP and LDAPS) external access;
ufw allow "LDAP"
ufw allow "LDAPS"
Authenticate Via OpenLDAP Server
And that is how to install OpenLDAP Server on Debian 12.
To verify that users can actually connect to the systems via the OpenLDAP server, you need to configure OpenLDAP clients on the remote systems.
See the guides below;
Configure SSSD for LDAP Authentication on Rocky Linux 8
Install and Configure SSSD for OpenLDAP Authentication on Fedora 32/31/30
Please install the package libldap-common
Otherwise, the /etc/ldap/ldap.conf will not be found by default.
thanks! update made!