User accounts with OpenLDAP's central administration
Secure Connections
To prevent someone on the network from picking up passwords that users transmit in the clear, the connection must be secured with TLS. To do so, create keys and certificates for the server (Listing 4) and register them with the server by means of an LDIF file (Listing 5):
$ ldapmodify -Y EXTERNAL -H ldapi:// -f tls.ldif
Listing 4
Creating Keys
# Install GnuTLS
apt-get install gnutls-bin
mkdir /etc/ldap/certs ; cd /etc/ldap/certs
# CA key
certtool --generate-privkey --outfile ca.key
# CA certificate
certtool --generate-self-signed \
  --load-privkey ca.key --outfile ca.crt
# Server key
certtool --generate-privkey --outfile \
  server.key
# Server certificate
certtool --generate-certificate \
  --load-privkey server.key \
  --load-ca-certificate ca.crt \
  --load-ca-privkey ca.key \
  --outfile server.crt
chown openldap:openldap *
# Note: 444 leaves ca.key and server.key world-readable; slapd only
# needs the openldap user to be able to read server.key.
chmod 444 *
Listing 5
Securing Certificates
# tls.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/certs/ca.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certs/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/server.key
-
# enforce TLS; olcSecurity is single-valued, so both factors go in one value
add: olcSecurity
olcSecurity: tls=1 ssf=256
On the clients, install the CA certificate and instruct them to use TLS. In /etc/nslcd.conf, set the ssl option to start_tls and enter the path to the CA certificate after tls_cacertfile; then restart nslcd. For the LDAP command-line tools to talk to the server over an encrypted connection, the URI and TLS_CACERT entries in /etc/ldap/ldap.conf may also need attention.
Using LDAP
Once you have done this, you can list users with the first line of Listing 6. The -ZZ parameter enforces StartTLS (the command fails if TLS cannot be negotiated), -x selects simple authentication instead of SASL, and -LLL prints plain LDIF without comments or version lines.
Listing 6
Checking Users
$ ldapsearch -ZZ -x -LLL "uid=karl"
$ ldapsearch -ZZ -x -LLL objectClass=posixAccount
With the input from the first line of Listing 7, you set a new password for a user, for example, karl from the board department. If Karl then wants to change his own password, he can do so with the command from the second line.
Listing 7
Setting a New Password
$ ldappasswd -ZZ -D "cn=admin,dc=cubed,dc=local" "uid=karl,ou=board,dc=cubed,dc=local" -W -S
$ ldappasswd -ZZ -D "uid=karl,ou=board,dc=cubed,dc=local" -W -S
Changes take place either interactively or by means of the aforementioned LDIF files. If you would like to change just one attribute, this can be done as in Listing 8, which adds attributes such as location, mailing address, and zip code to the user information. You should always consider using LDIF files for multiple attributes and objects, especially because you can also easily iron out mistakes later on.
Listing 8
Changing an Attribute
$ ldapmodify -ZZ -D "cn=admin,dc=cubed,dc=local" -W
dn: dc=cubed,dc=local
changetype: modify
add: l
l: Potsdam
-
# the standard attribute for a zip code is postalCode
add: postalCode
postalCode: 14482
-
add: postalAddress
postalAddress: New Street 9
[Ctrl]+[d]
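As an added example that is not part of the article: a small Python checker for LDIF modify records such as those in Listings 5 and 8. It flags the slips that ldapmodify only reports once the server rejects them, namely a malformed add: line (such as a doubled "add: add:"), a value line that does not belong to the attribute being added, and a second add of a single-valued attribute such as olcSecurity. The list of single-valued attributes and the sample record are constructed for this example.

```python
import re
from itertools import groupby

# slapd SINGLE-VALUE attributes relevant here (assumed short list for this example);
# a second 'add:' block for one of them fails with "cannot have multiple values".
SINGLE_VALUED = {"olcsecurity", "olctlscacertificatefile",
                 "olctlscertificatefile", "olctlscertificatekeyfile"}
ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

def lint_modify_record(ldif: str) -> list:
    """Return problems found in one 'changetype: modify' record ([] means clean)."""
    lines = [l for l in ldif.splitlines() if l.strip() and not l.startswith("#")]
    if not lines or not lines[0].lower().startswith("dn:"):
        return ["record must start with a 'dn:' line"]
    body = [l for l in lines[1:] if not l.lower().startswith("changetype:")]
    # Change blocks are separated by lines holding only '-'; group on that.
    blocks = [list(g) for sep, g in groupby(body, key=lambda l: l.strip() == "-") if not sep]
    problems, added = [], set()
    for i, block in enumerate(blocks, 1):
        m = re.match(r"(add|replace|delete):\s*(.*)$", block[0], re.I)
        if not m:
            problems.append(f"block {i}: expected add:/replace:/delete:, got {block[0]!r}")
            continue
        op, attr = m.group(1).lower(), m.group(2).strip()
        if not ATTR_NAME.fullmatch(attr):      # catches slips like 'add: add: olcSecurity'
            problems.append(f"block {i}: bad attribute name {attr!r} after '{op}:'")
            continue
        for v in block[1:]:                    # every value line must carry that attribute
            if not v.lower().startswith(attr.lower() + ":"):
                problems.append(f"block {i}: value line {v!r} does not belong to {attr}")
        if op == "add" and attr.lower() in SINGLE_VALUED and attr.lower() in added:
            problems.append(f"block {i}: second 'add' of single-valued {attr}")
        added.add(attr.lower())
    return problems

# Constructed sample: a TLS record in the style of Listing 5 with two common slips.
BROKEN = """dn: cn=config
add: add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/server.key
-
add: olcSecurity
olcSecurity: tls=1
-
add: olcSecurity
olcSecurity: ssf=256
"""
```

Running lint_modify_record(BROKEN) reports block 1 (bad attribute name) and block 3 (second add of olcSecurity); the corrected record with a single "olcSecurity: tls=1 ssf=256" value passes cleanly.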
You can remove entries with ldapdelete. Listing 9 shows an example for the user karl.
Listing 9
Using ldapdelete
$ ldapdelete -ZZ -D \
  "cn=admin,dc=cubed,dc=local" \
  "uid=karl,ou=board,dc=cubed,dc=local" -W
If you would like to manage OpenLDAP directories via a graphical user interface, check out the LDAP Account Manager [6], GOsa [7], or JXplorer [8].