A few things to remember about installing OpenLDAP with Samba and LAM (LDAP Account Manager):
Enable SSL
# File: ldap-ssl.ldif
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap-ssl.ldif
# Key and certificate must be added in the same modify operation (the "-"
# separators); slapd rejects a key file that arrives without its certificate.
dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/server.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/server.crt
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/DigiCertCA.crt
Make sure that slapd is allowed to read those files. On Debian/Ubuntu it runs as the openldap user, so the private key must be readable by that user without being world-readable (for example root:ssl-cert with mode 0640 and openldap added to the ssl-cert group). Additionally, AppArmor denied access to these files, so I had to allow them specifically for slapd (in the local override /etc/apparmor.d/local/usr.sbin.slapd, followed by a reload of the profile).
After this, I updated the value SLAPD_SERVICES in /etc/default/slapd so that slapd only listens on the local socket and on ldaps (no plaintext ldap:// on port 389), and restarted slapd:

SLAPD_SERVICES="ldapi:/// ldaps:///"

Samba and LAM then have to be pointed at ldaps:// or ldapi:///, since the plaintext port is gone.
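The whole TLS procedure in one script, added here as an example (not from the original notes). It assumes a Debian/Ubuntu layout: slapd runs as the openldap user, /etc/ssl/private belongs to root:ssl-cert, the AppArmor profile is /etc/apparmor.d/usr.sbin.slapd with a local override file, the key and certificate paths are the ones from the LDIF above, and HOST is a placeholder for the name on the certificate. Run it as root with the argument `apply`.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes Debian/Ubuntu: slapd
# runs as user "openldap", /etc/ssl/private is root:ssl-cert 0710, the
# AppArmor profile is /etc/apparmor.d/usr.sbin.slapd with a local override
# file, and HOST is a placeholder for the name on the certificate.
set -e

KEY=/etc/ssl/private/server.key
CERT=/etc/ssl/server.crt
CA=/etc/ssl/DigiCertCA.crt
HOST=${HOST:-ldap.example.com}

# 1. Make the key readable by slapd via group membership, not by mode 0644.
fix_key_permissions() {
    adduser openldap ssl-cert
    chown root:ssl-cert "$KEY"
    chmod 0640 "$KEY"
    chmod 0644 "$CERT" "$CA"
}

# 2. AppArmor: extend the local override rather than the packaged profile.
allow_apparmor() {
    cat >> /etc/apparmor.d/local/usr.sbin.slapd <<EOF
  $KEY r,
  $CERT r,
  $CA r,
EOF
    apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd
}

# 3. Key and certificate in ONE modify operation ("-" separators): slapd
#    rejects a key file that arrives without a matching certificate.
apply_tls_config() {
    ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $KEY
-
add: olcTLSCertificateFile
olcTLSCertificateFile: $CERT
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: $CA
EOF
}

# 4. Replace the SLAPD_SERVICES line in FILE (normally /etc/default/slapd),
#    keeping every other line; works on any file, so it can be tried on a copy.
set_slapd_services() {
    svc_file=$1; svc_value=$2
    svc_tmp=$(mktemp)
    grep -v '^SLAPD_SERVICES=' "$svc_file" > "$svc_tmp" || true
    printf 'SLAPD_SERVICES="%s"\n' "$svc_value" >> "$svc_tmp"
    cat "$svc_tmp" > "$svc_file"      # keep the original inode and permissions
    rm -f "$svc_tmp"
}

# 5. Check from the outside: the chain must validate against the CA
#    (-verify_return_error makes a bad chain a hard failure), the plaintext
#    port 389 must be gone, and cn=config must show the three attributes.
verify_tls() {
    openssl s_client -connect "$HOST:636" -CAfile "$CA" -verify_return_error </dev/null
    ! ldapwhoami -x -H "ldap://$HOST/"
    ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config -s base \
        olcTLSCertificateKeyFile olcTLSCertificateFile olcTLSCACertificateFile
}

if [ "${1:-}" = apply ]; then
    fix_key_permissions
    allow_apparmor
    apply_tls_config
    set_slapd_services /etc/default/slapd "ldapi:/// ldaps:///"
    systemctl restart slapd
    verify_tls
fi
```

Without the `apply` argument the script only defines its functions, so `set_slapd_services` can be tried on a copy of /etc/default/slapd first.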
Deny anonymous access
# File: ldap-deny-anon.ldif
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap-deny-anon.ldif
# bind_anon refuses anonymous binds; "require authc" additionally rejects
# operations from sessions that never bound at all (LDAP allows e.g. a search
# without a preceding bind, which is implicitly anonymous).
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
Since anonymous access is now denied, every service that talks to the directory needs its own bind identity. I created an additional organisational unit ou=services,dc=example,dc=com where all services are listed, one entry per service. This is also a great way of documenting which services exist in the network.
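Both steps together, denying anonymous access and creating the first service entry under ou=services, as an added example that is not part of the original notes. It assumes the dc=example,dc=com suffix, Debian's default rootdn cn=admin,dc=example,dc=com, slappasswd from the slapd package for hashing the password, and "lam" (the LAM web UI) as the first service; HOST is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes the dc=example,dc=com
# suffix, Debian's default rootdn cn=admin,dc=example,dc=com, slappasswd
# (slapd package) for hashing, and "lam" as the first service; HOST is a
# placeholder.  Usage: SERVICE_PASSWORD=... sh deny-anon.sh apply
set -e

BASE=${BASE:-dc=example,dc=com}
HOST=${HOST:-ldap.example.com}

# bind_anon refuses anonymous binds; "require authc" additionally rejects
# operations from sessions that never bound at all (LDAP allows a search
# without a preceding bind, which is implicitly anonymous).
deny_anonymous_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
}

# The container plus one bind identity per service.  $3 is an already
# hashed password (output of slappasswd), so no clear text is stored.
service_ldif() {
    svc=$1; desc=$2; hash=$3
    cat <<EOF
dn: ou=services,$BASE
objectClass: organizationalUnit
ou: services
description: Bind identities, one entry per service

dn: cn=$svc,ou=services,$BASE
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: $svc
description: $desc
userPassword: $hash
EOF
}

apply() {
    deny_anonymous_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
    hash=$(slappasswd -s "${SERVICE_PASSWORD:?set SERVICE_PASSWORD}")
    # -c: keep going if ou=services already exists
    service_ldif lam "LDAP Account Manager web UI" "$hash" \
        | ldapadd -c -x -H ldapi:/// -D "cn=admin,$BASE" -W
}

# Anonymous bind and unbound search must now fail; the service bind must work.
verify() {
    ! ldapwhoami -x -H "ldaps://$HOST/"
    ! ldapsearch -x -H "ldaps://$HOST/" -b "$BASE" -s base
    ldapwhoami -x -H "ldaps://$HOST/" -D "cn=lam,ou=services,$BASE" \
        -w "${SERVICE_PASSWORD:?}"
}

if [ "${1:-}" = apply ]; then apply; verify; fi
```

The cn=config change goes in over ldapi with SASL EXTERNAL (root), while the data entries are added as the rootdn, because the default database ACL gives the local root user no rights on the data tree.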
Secure access to sambaNTPassword (in the default installation only userPassword is protected; the Samba schema also defines sambaLMPassword, so add that attribute to the same rule if LM hashes are stored):
# File: updateOlcAccess.ldif
# ldapmodify -Y EXTERNAL -H ldapi:/// -f updateOlcAccess.ldif
# "replace" overwrites the whole olcAccess list, so every rule is repeated.
# "by anonymous auth" has to stay: a simple bind is evaluated while the
# session is still anonymous, even though anonymous binds are disallowed.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,sambaNTPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange,sambaPwdLastSet by self write by * read
olcAccess: {2}to * by * read
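A check worth running before trusting the new ACL, as an added example that is not from the original notes: slapacl evaluates the configured olcAccess rules for a given identity against a given entry straight from the on-disk configuration, so the rules can be verified without logging in as every user. It assumes Debian's config directory /etc/ldap/slapd.d, the openldap service user, and two placeholder people alice and bob under ou=people.

```shell
#!/bin/sh
# Added example, not from the original notes. slapacl answers "may DN X do
# ACCESS on ATTR of entry Y?" from the on-disk config, so the ACL can be
# checked without logging in as every user.  Assumes Debian's config path,
# the "openldap" service user and placeholder people alice and bob.
set -e

CONF=${CONF:-/etc/ldap/slapd.d}
BASE=${BASE:-dc=example,dc=com}

# Reduce slapacl output such as
#   authcDN: "cn=alice,ou=people,dc=example,dc=com"
#   read access to sambaNTPassword: DENIED
# to the verdict word (ALLOWED or DENIED).
acl_verdict() {
    printf '%s\n' "$1" | awk '/ access to /{v=$NF} END{print v}'
}

# check_acl WHO TARGET ATTR ACCESS EXPECTED   (WHO="" means anonymous)
check_acl() {
    who=$1; target=$2; attr=$3; access=$4; expect=$5
    if [ -n "$who" ]; then
        out=$(sudo -u openldap slapacl -F "$CONF" -D "$who" -b "$target" "$attr/$access" 2>&1)
    else
        out=$(sudo -u openldap slapacl -F "$CONF" -b "$target" "$attr/$access" 2>&1)
    fi
    got=$(acl_verdict "$out")
    if [ "$got" = "$expect" ]; then
        echo "ok:   ${who:-anonymous}: $access $attr on $target -> $got"
    else
        echo "FAIL: ${who:-anonymous}: $access $attr on $target -> $got (want $expect)" >&2
        return 1
    fi
}

# What the three rules are supposed to yield; run as root.
run_checks() {
    alice="cn=alice,ou=people,$BASE"
    bob="cn=bob,ou=people,$BASE"
    fail=0
    check_acl "$alice" "$alice" sambaNTPassword write ALLOWED || fail=1  # self may change own hash
    check_acl "$alice" "$bob"   sambaNTPassword read  DENIED  || fail=1  # nobody reads others' hashes
    check_acl "$alice" "$bob"   userPassword    read  DENIED  || fail=1
    check_acl ""       "$bob"   userPassword    auth  ALLOWED || fail=1  # needed for binds to work at all
    check_acl "$alice" "$bob"   sambaPwdLastSet read  ALLOWED || fail=1
    check_acl "$alice" "$bob"   mail            read  ALLOWED || fail=1  # rule {2}: everything else readable
    return $fail
}

if [ "${1:-}" = run ]; then run_checks; fi
```

The last line of the table is the one to think about: with `{2}to * by * read` every authenticated identity, including every service account, can read every other attribute in the tree.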
Allow 'otherMailbox' values
We want to store additional mail addresses (e.g. a private address at which a user can be reached). For this we use the 'otherMailbox' attribute. It is defined in the cosine schema, but none of the standard object classes (inetOrgPerson and friends) permits it, so schema checking rejects it on a normal person entry. The quick workaround is extensibleObject, which lets the entry carry any attribute type the server knows about. Be aware that this effectively switches off schema checking for that entry; for more than a one-off, a small custom auxiliary object class is the cleaner solution.
# File: otherMailbox.ldif
dn: cn=user,ou=people,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: extensibleObject
-
add: otherMailbox
otherMailbox: user@external.com
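The cleaner alternative, as an added example that is not from the original notes: a tiny auxiliary object class that permits otherMailbox, loaded into cn=config like any other schema, so schema checking stays on for the entry. The OID 1.3.6.1.4.1.99999.1.1.1 is a placeholder to be replaced with one from your own enterprise number; the script also assumes the cosine schema (where otherMailbox is defined) is loaded, the dc=example,dc=com suffix and Debian's cn=admin rootdn.

```shell
#!/bin/sh
# Added example, not from the original notes. Defines an auxiliary object
# class that permits otherMailbox, instead of extensibleObject.
# The OID 1.3.6.1.4.1.99999.1.1.1 is a PLACEHOLDER: replace it with one from
# your own enterprise arc. Also assumes the cosine schema (which defines
# otherMailbox) is loaded, the suffix dc=example,dc=com and rootdn cn=admin.
set -e

BASE=${BASE:-dc=example,dc=com}
OID=${OID:-1.3.6.1.4.1.99999.1.1.1}

# A new schema entry below cn=schema,cn=config; slapd assigns the {N} index.
# Continuation lines start with one space (LDIF folding).
schema_ldif() {
    cat <<EOF
dn: cn=privatecontact,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: privatecontact
olcObjectClasses: ( $OID NAME 'privateContact'
  DESC 'Private contact data for a person'
  SUP top AUXILIARY
  MAY ( otherMailbox ) )
EOF
}

# Attach the class to a person and add the address.  Unlike extensibleObject
# this permits exactly the attributes listed in MAY, nothing else.
person_ldif() {
    dn=$1; addr=$2
    cat <<EOF
dn: $dn
changetype: modify
add: objectClass
objectClass: privateContact
-
add: otherMailbox
otherMailbox: $addr
EOF
}

apply() {
    schema_ldif | ldapadd -Y EXTERNAL -H ldapi:///
    person_ldif "cn=user,ou=people,$BASE" "user@external.com" \
        | ldapmodify -x -H ldapi:/// -D "cn=admin,$BASE" -W
    # Verify: the class is known to the server and the entry carries the value.
    ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=schema,cn=config \
        '(cn=*privatecontact)' olcObjectClasses
    ldapsearch -x -H ldapi:/// -D "cn=admin,$BASE" -W -LLL \
        -b "cn=user,ou=people,$BASE" -s base objectClass otherMailbox
}

if [ "${1:-}" = apply ]; then apply; fi
```

If the schema add fails with an "AttributeType not found" style error, the cosine schema is not loaded; otherMailbox must exist as an attribute type before an object class can reference it.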