LDAP/Fusiondirectory setup
In this guide we set up an OpenLDAP directory server (slapd) with TLS, and the FusionDirectory web management tool on top of it.
Preparations
- Install Debian jessie (Ubuntu 16.04 should work too) on your server or VM
- Setup the DNS records in your DNS servers:
ldap.example.com. 3599 IN A 1.1.1.1
NOTE: replace 1.1.1.1 with your actual internal or external IP
- Allow ssh and web services on the firewall:
apt -y install ufw
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
NOTE: It may be a good idea to change the default ssh port from 22 to something less predictable.
NOTE: 389/tcp and 636/tcp stay closed. FusionDirectory reaches slapd on the local host; if the mail or Asterisk servers mentioned at the end need the directory remotely, allow 636/tcp (LDAPS) from their addresses only and leave plaintext 389 closed.
Setup LDAP
- Setup ldap.example.com in /etc/hosts:
127.0.2.1 ldap.example.com ldap
- Install OpenLDAP (FusionDirectory itself is installed in a later section):
apt -y install slapd
Enter and verify the administrator password for slapd.
- Create an internal Certificate Authority for Example LTD:
- First install gnutls-bin:
apt -y install gnutls-bin
- Create the key for the internal CA for example.com:
certtool --generate-privkey --outfile example.com-rootCA.key
- Create a certificate for our internal CA:
certtool --generate-self-signed --load-privkey example.com-rootCA.key --outfile example.com-rootCA.crt
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name: Example LTD Internal ROOT CA
UID:
Organizational unit name: IT
Organization name: Example LTD
Locality name: Limassol
State or province name: Limassol
Country name (2 chars): CY
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail: admins@example.com
Enter the certificate's serial number in decimal (default: 6295758616856773074):
Activation/Expiration time.
The certificate will expire in (days): 7300
Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used for time stamping? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 575f071b0d5a41d2
Validity:
Not Before: Mon Jun 13 19:19:27 UTC 2016
Not After: Sun Jun 08 19:20:00 UTC 2036
Subject: CN=Example LTD Internal ROOT CA,OU=IT,O=Example LTD,L=Limassol,ST=Limassol,C=CY,EMAIL=admins@example.com
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
Modulus (bits 2048):
00:c0:75:c8:02:05:d0:0c:67:af:ac:0c:80:53:bf:cd
a3:80:76:cf:3e:14:19:99:5c:24:b4:fc:b0:42:8d:5a
03:5d:04:a5:85:c7:fe:e3:d4:30:6c:4c:26:90:76:c5
3e:a0:dc:a7:53:a7:eb:13:60:78:44:b3:0a:b2:77:0c
46:19:96:ea:d2:46:82:9c:11:2c:a5:e2:a1:57:38:f4
8e:4d:74:4f:f9:41:dd:11:f4:c2:f5:9f:b7:9a:93:7d
a7:f8:f3:dd:2e:08:6a:25:75:79:f3:63:e5:09:1f:bd
6a:38:45:85:f0:63:54:c0:08:68:41:15:66:a4:e3:84
49:7e:e5:c5:c7:6c:d3:c7:be:d5:5a:df:1a:1d:55:f8
35:73:bb:e3:ea:f7:66:af:d9:09:72:ca:17:5f:80:09
99:6a:49:e3:8b:f2:72:56:ac:f8:ba:60:49:d5:80:2a
07:e6:17:88:86:e4:3c:89:cd:af:2b:66:a1:af:53:f4
66:21:30:a3:22:af:a9:11:6e:98:e0:f7:6d:ef:8a:32
e9:0b:a4:82:7b:7b:db:2d:90:8e:bd:e4:54:04:a4:52
e8:cf:f6:2e:9b:97:46:ab:cb:38:06:23:33:db:42:0c
25:41:5a:d7:02:15:07:c6:e8:86:0b:a6:d7:7d:81:16
bd
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Purpose (not critical):
Time stamping.
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
7a596f6dea4080e89c9e78a698d7126cd63dafa7
Other Information:
Public Key ID:
7a596f6dea4080e89c9e78a698d7126cd63dafa7
Public key's random art:
+--[ RSA 2048]----+
| |
| . . |
| . . . |
| o . . |
| . .+. S o |
| =o..o. + . . |
| o.o= .oo . o o |
| oo+. .o o o |
|o... E+ .o |
+-----------------+
Is the above information ok? (y/N): y
Signing certificate...
- Add the Example LTD Internal ROOT CA as trusted in ca-certificates:
mkdir /usr/share/ca-certificates/extra
cp example.com-rootCA.crt /usr/share/ca-certificates/extra
dpkg-reconfigure ca-certificates
In the dialog, mark extra/example.com-rootCA.crt as trusted; it is then merged into /etc/ssl/certs/ca-certificates.crt, the bundle slapd is pointed at below.
NOTE: only the certificate is published. example.com-rootCA.key signs every certificate this host (and every other host trusting the CA) will accept, so keep it off the server if you can and, while it is on disk, readable by root alone (chmod 600 example.com-rootCA.key).
- Configure slapd:
dpkg-reconfigure slapd
- Omit OpenLDAP server configuration? No
- DNS domain name: example.com
- Organization name: Example LTD
- Administrator password: ***************
- Verify password: *************
- Database backend to use: MDB
- Do you want the database to be removed when slapd is purged? No
- Move old database? Yes
- Allow LDAPv2 protocol? No
- Configure TLS on LDAP:
- Create a key for ldap.example.com:
certtool --generate-privkey --outfile ldap.example.com.key
Generating a 2048 bit RSA private key...
- Create a certificate for ldap.example.com, signed by the internal CA:
NOTE: the transcript below leaves the ‘TLS web server certificate’ and ‘dnsName’ prompts empty, so the certificate names the host only in its CN. Answer ‘y’ and ‘ldap.example.com’ to those two prompts: browsers and an increasing number of TLS libraries match the host name only against a dnsName subjectAltName and no longer fall back to the CN.
certtool --generate-certificate --load-privkey ldap.example.com.key --outfile ldap.example.com.crt --load-ca-certificate example.com-rootCA.crt --load-ca-privkey example.com-rootCA.key
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name: ldap.example.com
UID:
Organizational unit name: IT
Organization name: Example LTD
Locality name: Limassol
State or province name: Limassol
Country name (2 chars): CY
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail: admins@example.com
Enter the certificate's serial number in decimal (default: 6295762607454361711):
Activation/Expiration time.
The certificate will expire in (days): 3650
Extensions.
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used for signing (required for TLS)? (Y/n):
Will the certificate be used for encryption (not required for TLS)? (Y/n):
X.509 Certificate Information:
Version: 3
Serial Number (hex): 575f0abc2f81186f
Validity:
Not Before: Mon Jun 13 19:35:45 UTC 2016
Not After: Thu Jun 11 19:36:29 UTC 2026
Subject: CN=ldap.example.com,OU=IT,O=Example LTD,L=Limassol,ST=Limassol,C=CY,EMAIL=admins@example.com
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
Modulus (bits 2048):
00:d0:15:8e:02:90:5f:4a:9f:90:ea:1e:35:e6:4b:eb
a9:8c:e5:bf:68:ec:83:0e:49:5b:d1:f0:08:4b:ac:b0
31:d2:e0:a7:eb:18:d3:ee:b8:38:b7:c4:0a:cc:97:cc
b6:ac:2d:29:c8:a8:c4:7c:cc:f1:36:5a:e9:6b:52:f5
1e:e5:4f:90:67:34:1f:8c:a8:17:72:ee:40:87:ba:ae
8b:f8:4f:f8:be:51:ee:ea:d5:e4:17:63:79:22:41:c0
19:43:33:55:bb:46:80:5c:b8:16:18:fa:fb:17:58:c2
ed:d2:14:10:3b:57:5d:de:7f:29:ab:66:c2:81:87:05
f7:b7:27:78:a9:c0:8e:4f:1c:3f:66:6f:dd:43:26:9f
84:59:fb:c7:21:3c:62:4f:8d:4a:25:ab:7e:f0:5f:7e
df:97:f7:79:f8:c7:2d:c8:5a:7a:de:ea:5b:c7:bd:e9
12:17:56:d3:47:ff:eb:fa:b5:6f:d9:56:8f:c7:e8:7a
46:92:75:cc:ff:de:0e:88:49:7d:d7:dd:6e:8d:3f:57
fa:0a:7a:3b:80:ec:0e:10:dd:70:d5:9a:8d:91:ce:72
44:06:21:d2:9d:e9:b8:91:13:68:4c:fc:e2:bb:4d:a8
97:ed:e9:a4:98:5d:e7:c0:ef:3e:9d:30:28:de:bd:10
01
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
6d8a173de01efa11a892dda76ccd7abc609a2707
Authority Key Identifier (not critical):
7a596f6dea4080e89c9e78a698d7126cd63dafa7
Other Information:
Public Key ID:
6d8a173de01efa00a892dda67ccd7abc609a2707
Public key's random art:
+--[ RSA 2048]----+
| |
| |
| . |
| . + |
| A = |
| +Y= . |
| oo+kk+ |
| iii==o* |
| .=B**o. |
+-----------------+
Is the above information ok? (y/N): y
Signing certificate...
- Enable LDAPS in /etc/default/slapd:
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
- Copy the ldap.example.com certificate and key and apply permissions:
mkdir /etc/ldap/ssl
cp ldap.example.com.crt /etc/ldap/ssl
cp ldap.example.com.key /etc/ldap/ssl
chown -R openldap:openldap /etc/ldap/ssl
chmod 600 /etc/ldap/ssl/ldap.example.com.key
slapd runs as openldap and is the only process that needs the key, so the key is readable by that user alone. Double-check the chown target before running it: a stray trailing "/" would recursively hand the whole filesystem to openldap.
- Create an olcSSL.ldif file that points slapd at the key, the certificate and the trusted CA bundle:
mkdir /etc/ldap/custom_ldifs/
cd /etc/ldap/custom_ldifs/
cat > olcSSL.ldif << EOF
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.example.com.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/ldap.example.com.crt
EOF
NOTE: slapd uses olcTLSCACertificateFile to verify client certificates, which this setup never requests (olcTLSVerifyClient keeps its default of never), so the system-wide bundle is harmless here. If you later turn client-certificate authentication on, point it at example.com-rootCA.crt alone; with the full bundle a certificate from any public CA would pass the TLS check.
- Import the TLS configuration:
ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
Verify with:
slapcat -n0 | grep -i tls
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
olcTLSCertificateFile: /etc/ldap/ssl/ldap.example.com.crt
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.example.com.key
- Restart slapd and verify that it listens on 389 and 636:
systemctl restart slapd
netstat -lnptu | grep slapd
tcp        0      0 0.0.0.0:636     0.0.0.0:*     LISTEN   27665/slapd
tcp        0      0 0.0.0.0:389     0.0.0.0:*     LISTEN   27665/slapd
tcp6       0      0 :::636          :::*          LISTEN   27665/slapd
tcp6       0      0 :::389          :::*          LISTEN   27665/slapd
Then check the TLS handshake from the host itself. The internal CA is trusted system-wide, so an LDAPS bind must succeed without any certificate check being disabled:
ldapwhoami -H ldaps://ldap.example.com -x
anonymous
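The CA and server-certificate steps above as one repeatable script, added here as an example that is not part of the original guide or of GnuTLS: certtool templates replace the interactive prompts, the server certificate gets the dnsName SAN and TLS-server purpose the transcript skipped, the keys are created under umask 077, and the result is verified against the CA before anything is copied into place. It assumes gnutls-bin (certtool 3.x) and GNU stat; the directory, host and function names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide or from GnuTLS): the CA and
# server-certificate steps as a non-interactive script using certtool
# templates, followed by verification. Assumes gnutls-bin is installed;
# the directory and host arguments are placeholders.
set -eu

# certtool template for the internal root CA (same DN as the interactive run).
ca_template() {
  cat <<'EOF'
cn = "Example LTD Internal ROOT CA"
organization = "Example LTD"
unit = "IT"
locality = "Limassol"
state = "Limassol"
country = CY
email = "admins@example.com"
expiration_days = 7300
ca
cert_signing_key
crl_signing_key
EOF
}

# certtool template for the LDAP server certificate for host $1. Unlike the
# interactive run it carries a dnsName SAN and the TLS-server purpose, which
# current clients expect instead of CN-only host matching.
server_template() {
  cat <<EOF
cn = "$1"
dns_name = "$1"
organization = "Example LTD"
unit = "IT"
locality = "Limassol"
state = "Limassol"
country = CY
email = "admins@example.com"
expiration_days = 3650
tls_www_server
signing_key
encryption_key
EOF
}

# Create rootCA.{key,crt} and $2.{key,crt} in directory $1.
make_pki() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  umask 077   # every new file is owner-only; the public certs are opened up below
  ca_template > "$dir/ca.tmpl"
  server_template "$host" > "$dir/server.tmpl"
  certtool --generate-privkey --bits 2048 --outfile "$dir/rootCA.key" 2>/dev/null
  certtool --generate-self-signed --load-privkey "$dir/rootCA.key" \
    --template "$dir/ca.tmpl" --outfile "$dir/rootCA.crt" 2>/dev/null
  certtool --generate-privkey --bits 2048 --outfile "$dir/$host.key" 2>/dev/null
  certtool --generate-certificate --load-privkey "$dir/$host.key" \
    --load-ca-certificate "$dir/rootCA.crt" --load-ca-privkey "$dir/rootCA.key" \
    --template "$dir/server.tmpl" --outfile "$dir/$host.crt" 2>/dev/null
  chmod 644 "$dir/rootCA.crt" "$dir/$host.crt"
}

# Return 0 only if the server cert chains to the CA, names the host in its
# SAN, and its private key is readable by the owner alone.
verify_pki() {
  dir="$1"; host="$2"
  certtool --verify --load-ca-certificate "$dir/rootCA.crt" \
    --infile "$dir/$host.crt" >/dev/null 2>&1 || return 1
  certtool --certificate-info --infile "$dir/$host.crt" 2>/dev/null \
    | grep -q "DNSname: $host" || return 1
  [ "$(stat -c %a "$dir/$host.key")" = 600 ] || return 1
}

# Usage: make_pki /root/pki ldap.example.com && verify_pki /root/pki ldap.example.com
```

After verify_pki succeeds, copy /root/pki/ldap.example.com.{key,crt} to /etc/ldap/ssl and /root/pki/rootCA.crt to /usr/share/ca-certificates/extra exactly as in the steps above; the CA key stays in the 0700 directory or, better, leaves the host.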
Setup Apache
- Install Apache with PHP:
apt -y install apache2 libapache2-mod-php5 php5-ldap php5-mcrypt php5-intl php-pear
Setup Let’s Encrypt:
NOTE: this step is only necessary if you have a public facing ldap.example.com service
- Setup Debian jessie backports:
cat >> /etc/apt/sources.list << EOF
# jessie backports
deb http://ftp.debian.org/debian jessie-backports main
deb-src http://ftp.debian.org/debian jessie-backports main
EOF
- Run
apt update
- Install Let’s Encrypt utility, certbot:
apt -y install python-certbot-apache -t jessie-backports
- Generate a certificate for the domain ldap.example.com:
certbot run -d ldap.example.com
In the TUI add the admins@example.com email and agree to the ToS. Use 000-default.conf for now.
- Download and trust all Let’s Encrypt root and intermediate CA certificates. ca-certificates only picks up files with a .crt extension, so they are renamed on copy:
wget https://letsencrypt.org/certs/isrgrootx1.pem
for i in {1..4}; do wget https://letsencrypt.org/certs/lets-encrypt-x$i-cross-signed.pem; done
for f in *.pem; do cp -- "$f" "/usr/share/ca-certificates/extra/${f%.pem}.crt"; done
dpkg-reconfigure ca-certificates # Select all the newly added CA certs
Setup FusionDirectory
- Setup the FusionDirectory repository:
gpg --keyserver keys.gnupg.net --recv-key 62B4981F
gpg --export -a "Fusiondirectory Archive Manager <contact@fusiondirectory.org>" > FD-archive-key
apt-key add FD-archive-key
echo '# fusiondirectory repository' > /etc/apt/sources.list.d/fusiondirectory.list
echo 'deb http://repos.fusiondirectory.org/debian-jessie jessie main' >> /etc/apt/sources.list.d/fusiondirectory.list
echo 'deb-src http://repos.fusiondirectory.org/debian-jessie jessie main' >> /etc/apt/sources.list.d/fusiondirectory.list
apt update
NOTE: 62B4981F is a short key ID, and short IDs can be forged. Before apt-key add, compare the full fingerprint shown by gpg --fingerprint 62B4981F with the one published on the FusionDirectory site.
- Install FusionDirectory:
apt -y install fusiondirectory fusiondirectory-schema
- Insert the core FusionDirectory schemas into slapd:
fusiondirectory-insert-schema
Verify:
fusiondirectory-insert-schema -l
core cosine nis inetorgperson samba core-fd core-fd-conf ldapns recovery-fd
- Create a FusionDirectory Apache vhost (/etc/apache2/sites-available/ldap.example.com.conf):
<VirtualHost *:80>
    ServerName ldap.example.com
    Redirect "/" "https://ldap.example.com/"
    ErrorLog ${APACHE_LOG_DIR}/ldap-error.log
    CustomLog ${APACHE_LOG_DIR}/ldap-access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName ldap.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot /usr/share/fusiondirectory/html
    ErrorLog ${APACHE_LOG_DIR}/ldap-error.log
    CustomLog ${APACHE_LOG_DIR}/ldap-access.log combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/ldap.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ldap.example.com/privkey.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    <IfModule mod_php5.c>
        <Location />
            php_admin_flag engine on
            php_admin_flag register_globals off
            php_admin_flag allow_call_time_pass_reference off
            php_admin_flag expose_php off
            php_admin_flag zend.ze1_compatibility_mode off
            php_admin_flag register_long_arrays off
            php_admin_value upload_tmp_dir /var/spool/fusiondirectory/
            php_admin_value session.cookie_lifetime 0
            #Include /etc/fusiondirectory/fusiondirectory.secrets
        </Location>
    </IfModule>

    <Directory /usr/share/fusiondirectory/html>
        # Restrict the management UI to the administrators' addresses.
        # Insert your public IPs here
        Order Allow,Deny
        Allow from 2.2.2.2
        Allow from 2.2.2.3
    </Directory>
</VirtualHost>
</IfModule>
NOTE: fullchain.pem is used rather than cert.pem so that the Let’s Encrypt intermediate is sent to clients; cert.pem holds only the leaf certificate, and Apache 2.4 reads the whole chain from SSLCertificateFile. Order/Allow from is the Apache 2.2 syntax and works on 2.4 through mod_access_compat, which Debian enables by default; the native 2.4 form is Require ip 2.2.2.2.
- Enable mod_ssl and the ldap.example.com site, and disable 000-default and default-ssl:
a2enmod ssl
a2ensite ldap.example.com
a2dissite default-ssl
a2dissite 000-default
systemctl restart apache2
- Setup FusionDirectory:
- Install optional prerequisites:
apt -y install php-mdb2
- Point your Browser to:
https://ldap.example.com/
- Create a temporary token for the setup (taken from the first setup webpage):
echo -n r9l1srnu0rvdeca4k826nq4e05 > /var/cache/fusiondirectory/fusiondirectory.auth
Click ‘Next’
- In the ‘Language setup’ select ‘English’ and press ‘Next’.
- If everything is ‘OK’ (green) on the ‘Installation check’ click ‘Next’.
- On the ‘LDAP connection setup’:
- Location name: default
- Connection URI: ldap://ldap.example.com:389
- TLS connection: Yes (this is STARTTLS on port 389; the server certificate is checked against the CA trusted in ca-certificates above)
- Admin DN: cn=admin (the base dc=example,dc=com is appended, giving cn=admin,dc=example,dc=com)
- Admin password: *************************
- LDAP schema check:
- Enable schema validation when logging in: Yes
- Keep defaults in ‘Look and feel’ except ‘Timezone’:
- Timezone: America/Los_Angeles
- Keep all the defaults in ‘Password settings’ except this:
- Password minimum length: 8
- In the ‘SSL’ field use these:
- Key path: /etc/ldap/ssl/ldap.example.com.key
- Certificate path: /etc/ldap/ssl/ldap.example.com.crt
- CA certificate path: /etc/ssl/certs/ca-certificates.crt
NOTE: these are client-side TLS settings for the PHP LDAP client, which runs as www-data. The CA path is what makes server verification work; the key and certificate paths are only used for client-certificate authentication, and www-data cannot read the slapd private key anyway once it is mode 600 and owned by openldap as set above. Leave the key and certificate paths empty unless you issue the web application a client certificate of its own.
Click ‘Next’ when done.
- In the ‘LDAP inspection’ page:
- Press ‘Migrate’ (twice) in the ‘Inspecting object classes in root object’ option
- Press ‘Create’ in the ‘Checking for super administrator’ option, fill the fields, and ‘Apply’ when done:
- User ID: ldapadmin
- Password: ***************
- Password (again): ***************
- In the ‘Checking for default ACL roles and groups’ field, press ‘Migrate’
- From the ‘Finish – write the configuration file’ page, download the configuration file to your PC
- Copy the configuration file from your PC to ldap.example.com:
scp fusiondirectory.conf root@ldap.example.com:/etc/fusiondirectory
- Apply the correct permissions to the /etc/fusiondirectory/fusiondirectory.conf file:
fusiondirectory-setup --check-config
Checking FusionDirectory's config file
/etc/fusiondirectory/fusiondirectory.conf exists…
/etc/fusiondirectory/fusiondirectory.conf is not set properly, do you want to fix it ?: [Yes/No]?
y
- Click ‘Next’ when done.
Use encrypted passwords in fusiondirectory.conf:
- Enable the headers module in Apache:
a2enmod headers
systemctl restart apache2
- Encrypt passwords in fusiondirectory.conf:
fusiondirectory-setup --encrypt-passwords
- Uncomment the following line in /etc/apache2/sites-available/ldap.example.com.conf:
Include /etc/fusiondirectory/fusiondirectory.secrets
- Restart Apache:
systemctl restart apache2
- If everything works as expected remove /etc/fusiondirectory/fusiondirectory.conf.orig
rm /etc/fusiondirectory/fusiondirectory.conf.orig
- After everything is set, login as ldapadmin
- Go to ‘Configuration’
- Press the ‘Edit’ button at the bottom of the page
- Un-tick the ‘Strict naming policy’ option and save.
Installing essential FusionDirectory plugins
- Setup LDAP related plugins:
apt -y install fusiondirectory-plugin-ldapdump fusiondirectory-plugin-ldapmanager
- Setup the DSA plugin for managing service accounts:
apt -y install fusiondirectory-plugin-dsa fusiondirectory-plugin-dsa-schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/dsa-fd-conf.schema
- Allow the service accounts (the DSAs FusionDirectory creates under ou=dsa,dc=example,dc=com) to read and write passwords. First create the ACL definition:
cat > /etc/ldap/custom_ldifs/service_accounts_acl.ldif << EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to dn.subtree="dc=example,dc=com" attrs=userPassword
  by self write
  by dn.base="cn=admin,dc=example,dc=com" write
  by dn.children="ou=dsa,dc=example,dc=com" write
  by anonymous auth
  by * none
-
add: olcAccess
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com"
  by self read
  by dn.base="uid=test.user,ou=people,dc=example,dc=com" write
  by dn.base="cn=admin,dc=example,dc=com" write
  by dn.children="ou=dsa,dc=example,dc=com" read
  by anonymous auth
  by * none
-
add: olcAccess
olcAccess: {2}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=example,dc=com" write
  by * none
-
add: olcAccess
olcAccess: {3}to dn.subtree="dc=example,dc=com"
  by self read
  by dn.base="cn=admin,dc=example,dc=com" write
  by dn.children="ou=dsa,dc=example,dc=com" write
  by * none
-
add: olcAccess
olcAccess: {4}to dn.base=""
  by * none
EOF
NOTE: the two leading spaces before each ‘by’ are required, not cosmetic. LDIF treats a line that starts with a space as a continuation of the previous line and strips exactly one space, so with two spaces the value reads ‘... attrs=userPassword by self write’; with one space ‘by’ is glued onto the previous token, and with none ldapmodify reads the line as a new attribute and rejects the file. Troubleshooting that by eye takes hours.
The ‘delete: olcAccess’ replaces the whole list, and slapd evaluates the new rules in {n} order: the first ‘to’ clause matching an entry and attribute decides, and within it the first matching ‘by’. {0} therefore handles userPassword for everything under dc=example,dc=com and {2} only adds shadowLastChange. uid=test.user in {1} is a placeholder for an account allowed to edit every entry under ou=people; drop that line if you do not need one.
- Apply the ACL:
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/custom_ldifs/service_accounts_acl.ldif
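An offline lint for the LDIF above, added as an example that is not part of the original guide or of OpenLDAP. It flags the folding mistakes the note describes (a ‘by’ line with zero or one leading space), trailing whitespace (which LDIF keeps as part of the value and which is invisible in an editor), and olcAccess {n} indices that do not run consecutively from 0, since a gap or swap silently changes which ‘to’ clause matches first. The acl_ldif function regenerates the guide's rules for a given suffix, correctly folded and without the uid=test.user placeholder; the file layout and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): offline checks for the
# olcAccess LDIF before it is fed to ldapmodify. Function and path names
# are illustrative.
set -eu

# Lint one LDIF file. Prints one diagnostic per problem, returns 1 if any.
lint_acl_ldif() {
  file="$1"; rc=0; n=0; expect=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    # Trailing whitespace survives into the attribute value unseen.
    case "$line" in
      *[[:space:]]) echo "$file:$n: trailing whitespace"; rc=1 ;;
    esac
    case "$line" in
      'by '*)
        echo "$file:$n: unindented 'by' clause (ldapmodify reads it as a new attribute)"; rc=1 ;;
      ' by '*)
        echo "$file:$n: 'by' folded with one space (LDIF strips it, gluing 'by' to the previous token)"; rc=1 ;;
      'olcAccess: {'*)
        # {n} indices must run 0,1,2,... in file order; slapd applies the first
        # matching 'to' clause, so a gap or swap silently changes the policy.
        idx=$(printf '%s' "$line" | sed 's/^olcAccess: {\([0-9]*\)}.*/\1/')
        if [ "$idx" != "$expect" ]; then
          echo "$file:$n: expected olcAccess index {$expect}, found {$idx}"; rc=1
        fi
        expect=$((expect + 1)) ;;
    esac
  done < "$file"
  return $rc
}

# Emit the guide's ACL change for suffix $1, correctly folded: every 'by'
# line starts with two spaces (one is consumed by LDIF folding). All values
# go under a single add, which is equivalent to one add per value.
acl_ldif() {
  suffix="$1"
  cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to dn.subtree="$suffix" attrs=userPassword
  by self write
  by dn.base="cn=admin,$suffix" write
  by dn.children="ou=dsa,$suffix" write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=people,$suffix"
  by self read
  by dn.base="cn=admin,$suffix" write
  by dn.children="ou=dsa,$suffix" read
  by anonymous auth
  by * none
olcAccess: {2}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,$suffix" write
  by * none
olcAccess: {3}to dn.subtree="$suffix"
  by self read
  by dn.base="cn=admin,$suffix" write
  by dn.children="ou=dsa,$suffix" write
  by * none
olcAccess: {4}to dn.base=""
  by * none
EOF
}

# Usage: regenerate the file, lint it, then apply it with ldapmodify.
# acl_ldif dc=example,dc=com > /etc/ldap/custom_ldifs/service_accounts_acl.ldif
# lint_acl_ldif /etc/ldap/custom_ldifs/service_accounts_acl.ldif && \
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/custom_ldifs/service_accounts_acl.ldif
```

The lint only proves the file is well formed. What the rules actually grant is best checked with slapacl, which evaluates the on-disk configuration without a running server, for example slapacl -F /etc/ldap/slapd.d -D "cn=svc,ou=dsa,dc=example,dc=com" -b "uid=test.user,ou=people,dc=example,dc=com" userPassword/write for a service account and the same command with -D left out for an anonymous client, which must get no more than auth.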
- Setup the Systems plugin:
apt -y install fusiondirectory-plugin-systems fusiondirectory-plugin-systems-schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/service-fd.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/systems-fd-conf.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/systems-fd.schema
- Setup a new server:
- Name: ldap.example.com
- Description: Communications Server
- Location: My Datacenter
- Base: /
- IP-address: 10.134.31.94
- MAC-address: 04:01:05:d6:63:02
- From the ‘Services’ tab setup an LDAP service on the ldap.example.com server
You are finished. You can now start connecting services to your LDAP setup like mail or asterisk.
References
- https://documentation.fusiondirectory.org/en/start