{"id":924,"date":"2018-05-22T13:16:47","date_gmt":"2018-05-22T10:16:47","guid":{"rendered":"https:\/\/helia.ee\/koolitus\/?page_id=924"},"modified":"2018-05-22T14:22:32","modified_gmt":"2018-05-22T11:22:32","slug":"debian-openldap-and-phpldapadmin-on-ubuntu-16-04","status":"publish","type":"page","link":"https:\/\/helia.ee\/koolitus\/?page_id=924","title":{"rendered":"Debian &#8211; OpenLDAP and phpLDAPadmin on Ubuntu 16.04"},"content":{"rendered":"<div class=\"section-content section-content-growable content Tutorial-content\">\n<div class=\"container tutorial-header\">\n<h1 class=\"content-title Tutorial-header\">How To Install and Configure OpenLDAP and phpLDAPadmin on Ubuntu 16.04<\/h1>\n<\/div>\n<div class=\"content-body tutorial-content\" data-growable-markdown=\"\">\n<h3 id=\"introduction\">Introduction<\/h3>\n<p>Lightweight Directory Access Protocol (LDAP) is a standard protocol designed to manage and access hierarchical directory information over a network. It can be used to store any kind of information, though it is most often used as a centralized authentication system or for corporate email and phone directories.<\/p>\n<p>In this guide, we will discuss how to install and configure the OpenLDAP server on Ubuntu 16.04. We will then install phpLDAPadmin, a web interface for viewing and manipulating LDAP information. We will secure the web interface and the LDAP service with SSL certificates from Let&#8217;s Encrypt, a provider of free and automated certificates.<\/p>\n<div data-unique=\"prerequisites\"><\/div>\n<h2 id=\"prerequisites\">Prerequisites<\/h2>\n<p>Before starting this tutorial, you should have an Ubuntu 16.04 server set up with Apache and PHP. 
You can follow our tutorial <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-16-04\">How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 16.04<\/a>, skipping Step 2 as we will not need the MySQL database server.<\/p>\n<p>Additionally, since we will be entering passwords into the web interface, we should secure Apache with SSL encryption. Read <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04\">How To Secure Apache with Let&#8217;s Encrypt on Ubuntu 16.04<\/a> to download and configure free SSL certificates. You will need a domain name to complete this step. We will use these same certificates to provide secure LDAP connections as well.<\/p>\n<p><span class=\"note\"><strong>Note:<\/strong> the Let&#8217;s Encrypt tutorial assumes that your server is accessible to the public internet. If that&#8217;s not the case, you&#8217;ll have to use a different certificate provider or perhaps your organization&#8217;s own certificate authority. Either way, you should be able to complete the tutorial with minimal changes, mostly regarding the paths or filenames of the certificates.<br \/>\n<\/span><\/p>\n<div data-unique=\"step-1-\u2014-installing-and-configuring-the-ldap-server\"><\/div>\n<h2 id=\"step-1-\u2014-installing-and-configuring-the-ldap-server\">Step 1 \u2014 Installing and Configuring the LDAP Server<\/h2>\n<p>Our first step is to install the LDAP server and some associated utilities. Luckily, the packages we need are all available in Ubuntu&#8217;s default repositories.<\/p>\n<p>Log into your server. 
Since this is our first time using <code>apt-get<\/code> in this session, we&#8217;ll refresh our local package index, then install the packages we want:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo apt-get update<\/li>\n<li class=\"line\">sudo apt-get install slapd ldap-utils<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>During the installation, you will be asked to select and confirm an administrator password for LDAP. You can enter anything here, because you&#8217;ll have the opportunity to update it in just a moment.<\/p>\n<p>Even though we just installed the package, we&#8217;re going to go right ahead and reconfigure it. The <code>slapd<\/code> package has the ability to ask a lot of important configuration questions, but by default they are skipped over in the installation process. We gain access to all of the prompts by telling our system to reconfigure the package:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo dpkg-reconfigure slapd<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>There are quite a few new questions to answer in this process. We will be accepting most of the defaults. Let&#8217;s go through the questions:<\/p>\n<ul>\n<li>Omit OpenLDAP server configuration? <span class=\"highlight\">No<\/span><\/li>\n<li>DNS domain name?\n<ul>\n<li>This option will determine the base structure of your directory path. Read the message to understand exactly how this will be implemented. You can actually select whatever value you&#8217;d like, even if you don&#8217;t own the actual domain. However, this tutorial assumes you have a proper domain name for the server, so you should use that. 
We&#8217;ll use <strong>example.com<\/strong> throughout the tutorial.<\/li>\n<\/ul>\n<\/li>\n<li>Organization name?\n<ul>\n<li>For this guide, we will be using <strong>example<\/strong> as the name of our organization. You may choose anything you feel is appropriate.<\/li>\n<\/ul>\n<\/li>\n<li>Administrator password? <span class=\"highlight\">enter a secure password twice<\/span><\/li>\n<li>Database backend? <span class=\"highlight\">MDB<\/span><\/li>\n<li>Remove the database when slapd is purged? <span class=\"highlight\">No<\/span><\/li>\n<li>Move old database? <span class=\"highlight\">Yes<\/span><\/li>\n<li>Allow LDAPv2 protocol? <span class=\"highlight\">No<\/span><\/li>\n<\/ul>\n<p>At this point, your LDAP server is configured and running. Open up the LDAP port on your firewall so external clients can connect:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo ufw allow ldap<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>Let&#8217;s test our LDAP connection with <code>ldapwhoami<\/code>, which should return the username we&#8217;re connected as:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">ldapwhoami -H ldap:\/\/ -x<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<pre class=\"code-pre \"><code><\/code><\/pre>\n<div class=\"secondary-code-label \" title=\"Output\">Output<\/div>\n<pre class=\"code-pre \"><code>anonymous\r\n<\/code><\/pre>\n<p><code>anonymous<\/code> is the result we&#8217;re expecting, since we ran <code>ldapwhoami<\/code> without logging in to the LDAP server. This means the server is running and answering queries. 
Next we&#8217;ll set up a web interface to manage LDAP data.<\/p>\n<div data-unique=\"step-2-\u2014-installing-and-configuring-the-phpldapadmin-web-interface\"><\/div>\n<h2 id=\"step-2-\u2014-installing-and-configuring-the-phpldapadmin-web-interface\">Step 2 \u2014 Installing and Configuring the phpLDAPadmin Web Interface<\/h2>\n<p>Although it is very possible to administer LDAP through the command line, most users will find it easier to use a web interface. We&#8217;re going to install phpLDAPadmin, a PHP application which provides this functionality.<\/p>\n<p>The Ubuntu repositories contain a phpLDAPadmin package. You can install it with <code>apt-get<\/code>:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo apt-get install phpldapadmin<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>This will install the application, enable the necessary Apache configurations, and reload Apache.<\/p>\n<p>The web server is now configured to serve the application, but we need to make some additional changes. We need to configure phpLDAPadmin to use our domain, and to not autofill the LDAP login information.<\/p>\n<p>Begin by opening the main configuration file with root privileges in your text editor:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo nano \/etc\/phpldapadmin\/config.php<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>Look for the line that starts with <code>$servers-&gt;setValue('server','name'<\/code>. In <code>nano<\/code> you can search for a string by typing <code>CTRL-W<\/code>, then the string, then <code>ENTER<\/code>. Your cursor will be placed on the correct line.<\/p>\n<p>This line is a display name for your LDAP server, which the web interface uses for headers and messages about the server. 
Choose anything appropriate here:<\/p>\n<div class=\"code-label \" title=\"\/etc\/phpldapadmin\/config.php\">\/etc\/phpldapadmin\/config.php<\/div>\n<pre class=\"code-pre \"><code>$servers-&gt;setValue('server','name','<span class=\"highlight\">Example LDAP<\/span>');\r\n<\/code><\/pre>\n<p>Next, move down to the <code>$servers-&gt;setValue('server','base'<\/code> line. This config tells phpLDAPadmin what the root of the LDAP hierarchy is. This is based on the value we typed in when reconfiguring the <code>slapd<\/code> package. In our example we selected <code>example.com<\/code> and we need to translate this into LDAP syntax by putting each domain component (everything not a dot) into a <code>dc=<\/code> notation:<\/p>\n<div class=\"code-label \" title=\"\/etc\/phpldapadmin\/config.php\">\/etc\/phpldapadmin\/config.php<\/div>\n<pre class=\"code-pre \"><code>$servers-&gt;setValue('server','base', array('<span class=\"highlight\">dc=example,dc=com<\/span>'));\r\n<\/code><\/pre>\n<p>Now find the login <code>bind_id<\/code> configuration line and comment it out with a <code>#<\/code> at the beginning of the line:<\/p>\n<div class=\"code-label \" title=\"\/etc\/phpldapadmin\/config.php\">\/etc\/phpldapadmin\/config.php<\/div>\n<pre class=\"code-pre \"><code><span class=\"highlight\">#<\/span>$servers-&gt;setValue('login','bind_id','cn=admin,dc=example,dc=com');\r\n<\/code><\/pre>\n<p>This option pre-populates the admin login details in the web interface. This is information we shouldn&#8217;t share if our phpLDAPadmin page is publicly accessible.<\/p>\n<p>The last thing that we need to adjust is a setting that controls the visibility of some phpLDAPadmin warning messages. By default the application will show quite a few warning messages about template files. These have no impact on our current use of the software. 
We can hide them by searching for the <code>hide_template_warning<\/code> parameter, uncommenting the line that contains it, and setting it to <strong>true<\/strong>:<\/p>\n<div class=\"code-label \" title=\"\/etc\/phpldapadmin\/config.php\">\/etc\/phpldapadmin\/config.php<\/div>\n<pre class=\"code-pre \"><code>$config-&gt;custom-&gt;appearance['hide_template_warning'] = <span class=\"highlight\">true<\/span>;\r\n<\/code><\/pre>\n<p>This is the last thing that we need to adjust. Save and close the file to finish. We don&#8217;t need to restart anything for the changes to take effect.<\/p>\n<p>Next we&#8217;ll log into phpLDAPadmin.<\/p>\n<div data-unique=\"step-3-\u2014-logging-into-the-phpldapadmin-web-interface\"><\/div>\n<h2 id=\"step-3-\u2014-logging-into-the-phpldapadmin-web-interface\">Step 3 \u2014 Logging into the phpLDAPadmin Web Interface<\/h2>\n<p>Having made the necessary configuration changes to phpLDAPadmin, we can now begin to use it. Navigate to the application in your web browser. Be sure to substitute your domain for the highlighted area below:<\/p>\n<pre class=\"code-pre \"><code>https:\/\/<span class=\"highlight\">example.com<\/span>\/phpldapadmin\r\n<\/code><\/pre>\n<p>The phpLDAPadmin landing page will load. Click on the <strong>login<\/strong> link in the left-hand menu on the page. A login form will be presented:<\/p>\n<p class=\"growable\"><img decoding=\"async\" src=\"https:\/\/assets.digitalocean.com\/articles\/install-openldap\/phpldapadmin-login-screen.png\" alt=\"phpLDAPadmin Login Page\" \/><\/p>\n<p>The <strong>Login DN<\/strong> is the username that you will be using. It contains the account name as a <code>cn=<\/code> section, and the domain name you selected for the server broken into <code>dc=<\/code> sections as described in previous steps. 
The default admin account that we set up during install is called <strong>admin<\/strong>, so for our example we would type in the following:<\/p>\n<pre class=\"code-pre \"><code>cn=admin,<span class=\"highlight\">dc=example,dc=com<\/span>\r\n<\/code><\/pre>\n<p>After entering the appropriate string for your domain, type in the admin password you created during configuration, then click the <strong>Authenticate<\/strong> button.<\/p>\n<p>You will be taken to the main interface:<\/p>\n<p class=\"growable\"><img decoding=\"async\" src=\"https:\/\/assets.digitalocean.com\/articles\/install-openldap\/phpldapadmin-interface.png\" alt=\"phpLDAPadmin main page\" \/><\/p>\n<p>At this point, you are logged into the phpLDAPadmin interface. You have the ability to add users, organizational units, groups, and relationships.<\/p>\n<p>LDAP is flexible in how you can structure your data and directory hierarchies. You can create whatever kind of structure you&#8217;d like and also create rules for how they interact.<\/p>\n<p>Since this process is the same on Ubuntu 16.04 as it was on previous versions, you can follow the steps laid out in the <em>Add Organizational Units, Groups, and Users<\/em> section of the <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-install-and-configure-a-basic-ldap-server-on-an-ubuntu-12-04-vps#add-organizational-units-groups-and-users\">LDAP installation article for Ubuntu 12.04<\/a>.<\/p>\n<p>Those steps will work well on this installation of phpLDAPadmin, so follow along to get some practice working with the interface and learning how to structure your data.<\/p>\n<p>Now that we&#8217;ve logged in and familiarized ourselves with the web interface, let&#8217;s take a moment to provide more security to our LDAP server.<\/p>\n<div data-unique=\"step-4-\u2013-configuring-starttls-ldap-encryption\"><\/div>\n<h2 id=\"step-4-\u2013-configuring-starttls-ldap-encryption\">Step 4 \u2013 Configuring StartTLS LDAP 
Encryption<\/h2>\n<p>Although we&#8217;ve encrypted our web interface, external LDAP clients are still connecting to the server and passing information around in plain text. Let&#8217;s use our Let&#8217;s Encrypt SSL certificates to add encryption to our LDAP server.<\/p>\n<h3 id=\"copying-the-let-39-s-encrypt-certificates\">Copying the Let&#8217;s Encrypt Certificates<\/h3>\n<p>Because the <code>slapd<\/code> daemon runs as the user <strong>openldap<\/strong>, and Let&#8217;s Encrypt certificates can only be read by the <strong>root<\/strong> user, we&#8217;ll need to make a few adjustments to allow <code>slapd<\/code> access to the certificates. We&#8217;ll create a short script that will copy the certificates to <code>\/etc\/ssl\/<\/code>, the standard system directory for SSL certificates and keys. The reason we&#8217;re making a script to do this, instead of just entering the commands manually, is that we&#8217;ll need to repeat this process automatically whenever the Let&#8217;s Encrypt certificates are renewed. We&#8217;ll update the <code>certbot<\/code> cron job later to enable this.<\/p>\n<p>First, open a new text file for the shell script:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo nano \/usr\/local\/bin\/renew.sh<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>This will open a blank text file. Paste in the following script. Be sure to update the <code>SITE=<span class=\"highlight\">example.com<\/span><\/code> portion to reflect where your Let\u2019s Encrypt certificates are stored. 
You can find the correct value by listing out the certificate directory with <code>sudo ls \/etc\/letsencrypt\/live<\/code>.<\/p>\n<div class=\"code-label \" title=\"\/usr\/local\/bin\/renew.sh\">\/usr\/local\/bin\/renew.sh<\/div>\n<pre class=\"code-pre \"><code>#!\/bin\/sh\r\n\r\nSITE=<span class=\"highlight\">example.com<\/span>\r\n\r\n# move to the correct let's encrypt directory\r\ncd \/etc\/letsencrypt\/live\/$SITE\r\n\r\n# copy the files\r\ncp cert.pem \/etc\/ssl\/certs\/$SITE.cert.pem\r\ncp fullchain.pem \/etc\/ssl\/certs\/$SITE.fullchain.pem\r\ncp privkey.pem \/etc\/ssl\/private\/$SITE.privkey.pem\r\n\r\n# adjust permissions of the private key\r\nchown :ssl-cert \/etc\/ssl\/private\/$SITE.privkey.pem\r\nchmod 640 \/etc\/ssl\/private\/$SITE.privkey.pem\r\n\r\n# restart slapd to load new certificates\r\nsystemctl restart slapd\r\n<\/code><\/pre>\n<p>This script moves into the Let&#8217;s Encrypt certificate directory, copies files over to <code>\/etc\/ssl<\/code>, then updates the private key&#8217;s permissions to make it readable by the system&#8217;s <strong>ssl-cert<\/strong> group. 
It also restarts <code>slapd<\/code>, which will ensure that new certificates are loaded when this script is run from our <code>certbot<\/code> renewal cron job.<\/p>\n<p>Save and close the file, then make it executable:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo chmod u+x \/usr\/local\/bin\/renew.sh<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>Then run the script with <code>sudo<\/code>:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo \/usr\/local\/bin\/renew.sh<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>Verify that the script worked by listing out the new files in <code>\/etc\/ssl<\/code>:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo su -c &#8216;ls -al \/etc\/ssl\/{certs,private}\/<span class=\"highlight\">example.com<\/span>*&#8217;<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>The <code>sudo<\/code> command above is a little different than normal. The <code>su -c '<span class=\"highlight\">. . .<\/span>'<\/code> portion wraps the whole <code>ls<\/code> command in a <strong>root<\/strong> shell before executing it. If we didn&#8217;t do this, the <code>*<\/code> wildcard filename expansion would run with your non-sudo user&#8217;s permissions, and it would fail because <code>\/etc\/ssl\/private<\/code> is not readable by your user.<\/p>\n<p><code>ls<\/code> will print details about the three files. 
Verify that the ownership and permissions look correct:<\/p>\n<pre class=\"code-pre \"><code><\/code><\/pre>\n<div class=\"secondary-code-label \" title=\"Output\">Output<\/div>\n<pre class=\"code-pre \"><code>-rw-r--r-- 1 root root     1793 May 31 13:58 \/etc\/ssl\/certs\/<span class=\"highlight\">example.com<\/span>.cert.pem\r\n-rw-r--r-- 1 root root     3440 May 31 13:58 \/etc\/ssl\/certs\/<span class=\"highlight\">example.com<\/span>.fullchain.pem\r\n-rw-r----- 1 root ssl-cert 1704 May 31 13:58 \/etc\/ssl\/private\/<span class=\"highlight\">example.com<\/span>.privkey.pem\r\n<\/code><\/pre>\n<p>Next we&#8217;ll automate this with <code>certbot<\/code>.<\/p>\n<h3 id=\"updating-the-certbot-renewal-cron-job\">Updating the Certbot Renewal Cron Job<\/h3>\n<p>We need to update our <code>certbot<\/code> cron job to run this script whenever the certificates are updated:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo crontab -e<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>You should already have a <code>certbot renew<\/code> line. Add the highlighted portion below:<\/p>\n<div class=\"code-label \" title=\"crontab\">crontab<\/div>\n<pre class=\"code-pre \"><code>15 3 * * * \/usr\/bin\/certbot renew --quiet <span class=\"highlight\">--renew-hook \/usr\/local\/bin\/renew.sh<\/span>\r\n<\/code><\/pre>\n<p>Save and close the crontab. 
Now, whenever <code>certbot<\/code> renews the certificates, our script will be run to copy the files, adjust permissions, and restart the <code>slapd<\/code> server.<\/p>\n<h3 id=\"configuring-slapd-to-offer-secure-connections\">Configuring slapd to Offer Secure Connections<\/h3>\n<p>We need to add the <strong>openldap<\/strong> user to the <strong>ssl-cert<\/strong> group so <code>slapd<\/code> can read the private key:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo usermod -aG ssl-cert openldap<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>Restart <code>slapd<\/code> so it picks up the new group:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo systemctl restart slapd<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>Finally, we need to configure <code>slapd<\/code> to actually use these certificates and keys. To do this we put all of our config changes in an <em>LDIF<\/em> file \u2014 which stands for LDAP data interchange format \u2014 and then load the changes into our LDAP server with the <code>ldapmodify<\/code> command.<\/p>\n<p>Open up a new LDIF file:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">cd ~<\/li>\n<li class=\"line\">nano ssl.ldif<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>This will open a blank file. 
Paste the following into the file, updating the filenames to reflect your domain:<\/p>\n<div class=\"code-label \" title=\"ssl.ldif\">ssl.ldif<\/div>\n<pre class=\"code-pre \"><code>dn: cn=config\r\nchangetype: modify\r\nadd: olcTLSCACertificateFile\r\nolcTLSCACertificateFile: \/etc\/ssl\/certs\/<span class=\"highlight\">example.com<\/span>.fullchain.pem\r\n-\r\nadd: olcTLSCertificateFile\r\nolcTLSCertificateFile: \/etc\/ssl\/certs\/<span class=\"highlight\">example.com<\/span>.cert.pem\r\n-\r\nadd: olcTLSCertificateKeyFile\r\nolcTLSCertificateKeyFile: \/etc\/ssl\/private\/<span class=\"highlight\">example.com<\/span>.privkey.pem\r\n<\/code><\/pre>\n<p>Save and close the file, then apply the changes with <code>ldapmodify<\/code>:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo ldapmodify -H ldapi:\/\/ -Y EXTERNAL -f ssl.ldif<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<pre class=\"code-pre \"><code><\/code><\/pre>\n<div class=\"secondary-code-label \" title=\"Output\">Output<\/div>\n<pre class=\"code-pre \"><code>SASL\/EXTERNAL authentication started\r\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\r\nSASL SSF: 0\r\nmodifying entry \"cn=config\"\r\n<\/code><\/pre>\n<p>We don&#8217;t need to reload <code>slapd<\/code> to load the new certificates, this happened automatically when we updated the config with <code>ldapmodify<\/code>. Run the <code>ldapwhoami<\/code> command one more time, to verify. 
This time we need to use the proper hostname and add the <code>-ZZ<\/code> option to force a secure connection:<\/p>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<ul class=\"prefixed\">\n<li class=\"line\">ldapwhoami -H ldap:\/\/<span class=\"highlight\">example.com<\/span> -x -ZZ<\/li>\n<\/ul>\n<pre class=\"code-pre command\"><code><\/code><\/pre>\n<p>We need the full hostname when using a secure connection because the client will check to make sure that the hostname matches the hostname on the certificate. This prevents man-in-the-middle attacks where an attacker could intercept your connection and impersonate your server.<\/p>\n<p>The <code>ldapwhoami<\/code> command should return <code>anonymous<\/code>, with no errors. We&#8217;ve successfully encrypted our LDAP connection.<\/p>\n<div data-unique=\"conclusion\"><\/div>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>In this tutorial we installed and configured the OpenLDAP <code>slapd<\/code> server, and the LDAP web interface phpLDAPadmin. We also set up encryption on both servers, and updated <code>certbot<\/code> to automatically handle <code>slapd<\/code>&#8216;s Let&#8217;s Encrypt certificate renewal process.<\/p>\n<p>The system that we have set up is quite flexible and you will be able to design your own organizational schema and manage groups of resources as your needs demand. For further information on managing LDAP, including more command line tools and techniques, read our tutorial <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-manage-and-use-ldap-servers-with-openldap-utilities\">How To Manage and Use LDAP Servers with OpenLDAP Utilities<\/a>. 
For more in-depth information about securing an LDAP server, including how to force all clients to use secure connections, read <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-encrypt-openldap-connections-using-starttls\">How To Encrypt OpenLDAP Connections Using STARTTLS<\/a>.<\/p>\n<\/div>\n<\/div>\n<div class=\"tutorial-footer\">\n<div class=\"tutorial-footer-details\">\n<div class=\"postable-info-bar-container\">\n<div class=\"postable-info-bar\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>How To Install and Configure OpenLDAP and phpLDAPadmin on Ubuntu 16.04 Introduction Lightweight Directory Access Protocol (LDAP) is a standard protocol designed to manage and access hierarchical directory information over a network. It can be used to store any kind of information, though it is most often used as a centralized authentication system or for [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":621,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-924","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=924"}],"version-history":[{"count":1,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/924\/revision
s"}],"predecessor-version":[{"id":925,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/924\/revisions\/925"}],"up":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/621"}],"wp:attachment":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}