ldap initial configuration

A more or less minimal initial configuration for OpenLDAP (>2.4), applied as LDIF to the cn=config backend.

# to import, run:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f $filename
# to verify, run:
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}hdb,cn=config"
# to create the password hash for olcRootPW, run:
# slappasswd -h {SSHA} -s admin

# within one "changetype: modify" record, each modification is terminated by a line containing only "-"
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=de
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=de" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=de" write by * read
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=de
-
replace: olcRootPW
olcRootPW: {SSHA}4RHgrU6ghLqA21CNI8biQblHtEodToyd

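To see what the three olcAccess rules above actually grant, here is an added evaluator (example code, not part of the original configuration) that parses those rules and applies OpenLDAP's first-match semantics: the first "to" clause that covers an entry/attribute pair is selected, and within it the first matching "by" clause decides the access level. The user entries (cn=alice, cn=bob) are constructed for the demonstration.

```python
import re

# Constructed input: the three olcAccess values from the LDIF above.
OLC_ACCESS = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=de" write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by self write by dn="cn=admin,dc=example,dc=de" write by * read',
]
# OpenLDAP access levels in increasing order; each level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_rule(line):
    """Split one olcAccess value into (target dict, [(who, level), ...])."""
    body = re.sub(r"^\{\d+\}", "", line).strip()
    assert body.startswith("to "), "olcAccess value must start with 'to'"
    what, *by_clauses = re.split(r"\s+by\s+", body[3:])
    target = {k: v.strip('"') for k, _, v in (t.partition("=") for t in what.split())}
    return target, [tuple(c.rsplit(None, 1)) for c in by_clauses]

RULES = [parse_rule(r) for r in OLC_ACCESS]

def target_matches(target, entry_dn, attr):
    """Does a 'to' clause cover this entry/attribute pair?"""
    if "*" in target:
        return True
    if "attrs" in target:
        return attr.lower() in target["attrs"].lower().split(",")
    return "dn.base" in target and entry_dn.lower() == target["dn.base"].lower()

def who_matches(who, requester_dn, entry_dn):
    """'by' subject test; requester_dn=None means an anonymous bind. A bare dn="..." is an exact match."""
    if who.startswith("dn="):
        return (requester_dn or "").lower() == who[3:].strip('"').lower()
    return {"*": True,
            "anonymous": requester_dn is None,
            "self": requester_dn is not None and requester_dn.lower() == entry_dn.lower()}[who]

def granted_level(requester_dn, entry_dn, attr):
    """First-match: the first 'to' rule covering the target decides, via its first matching 'by'."""
    for target, by_clauses in RULES:
        if target_matches(target, entry_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"  # rule selected, but no 'by' clause applied: implicit deny
    return "none"  # no rule covers the target: OpenLDAP's default is deny

def allowed(requester_dn, entry_dn, attr, op):
    return LEVELS.index(granted_level(requester_dn, entry_dn, attr)) >= LEVELS.index(op)
```

Note that the DN configured as olcRootDN bypasses olcAccess entirely, so the explicit cn=admin clauses only take effect if olcRootDN is later changed to a different DN.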
TLS config

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: AES128+EECDH:AES128+EDH
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ca.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/cert.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/keyfile.key
-
# olcTLSVerifyClient accepts: never, allow, try, demand
add: olcTLSVerifyClient
olcTLSVerifyClient: demand
