When setting up OpenLDAP for the first time, what are some things to keep in mind?

I'm in the process of reading up on documentation and setting up OpenLDAP to handle authentication throughout my network, for email, web services, user accounts, and anything else that I could throw at it. It's not going to be anything SUPER big, but I want it to feel live, since I'm doing it in my home lab.

What are some good things to keep in mind or something to make sure I always remember when setting up OpenLDAP? Should I make sure that I always travel over SSL? Should I use Kerberos? Anything would be appreciated to keep in mind.


A partial list in no particular order:

  • Use cn=config (see man slapd-config).
  • Set up Master-Master replication at your core.
  • Always use some sort of encryption for authentication.
  • LDAPS (port 636) is deprecated in favor of STARTTLS for LDAP.
  • SASL-GSSAPI and SASL-EXTERNAL are useful if you don't like entering passwords a lot.
  • Disable SASL mechanisms you don't support.
  • Don't use the root DN when you don't have to.
  • Pay attention to your ACLs (e.g. users should not have write access to uidNumber and gidNumber).
  • ldapsearch -x -H $URI is an anonymous search. (ldapwhoami -x -H $URI).
  • Limited local replicas can be much better than nscd (self access via ldapi:///).
  • Overlay memberof is very handy for group membership.

Probably important:
Understand the documentation. It's not everything you need, but it sure helps.
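The ACL and encryption points above, as an added cn=config example (not part of the original answer); the database DN olcDatabase={1}mdb,cn=config, the suffix dc=example,dc=com and the admin DN cn=admin,dc=example,dc=com are assumed placeholders:

```ldif
# Added example, not from the answer above. Assumes the mdb database
# olcDatabase={1}mdb,cn=config with suffix dc=example,dc=com and the
# admin DN cn=admin,dc=example,dc=com (all placeholders).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Order matters: slapd uses the first "to" clause that matches.
# Password hashes: owner may change them, nobody may read them;
# "auth" still lets anonymous clients bind (compare) against them.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Weak rule (left commented out): a blanket "by self write" on the whole
# entry would let any user rewrite their own uidNumber/gidNumber.
#olcAccess: {1}to * by self write by users read by * none
# Hardened rule: POSIX identity attributes are writable only by the admin.
olcAccess: {1}to attrs=uidNumber,gidNumber
  by dn.exact="cn=admin,dc=example,dc=com" write
  by users read
  by * none
# Everything else: users may edit the rest of their own entry and read others.
olcAccess: {2}to *
  by dn.exact="cn=admin,dc=example,dc=com" write
  by self write
  by users read
  by * none
-
# Refuse password (simple) binds unless the connection already has a
# security strength factor of at least 128, i.e. STARTTLS is in place.
# SASL EXTERNAL over ldapi:/// is not a simple bind and is unaffected.
replace: olcSecurity
olcSecurity: simple_bind=128
```

Apply it over the local socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`, then verify with a user bind that modifying your own uidNumber is rejected while modifying, say, your own description still succeeds.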


SSL Libraries

Debian (and thus Ubuntu) package OpenLDAP compiled against GnuTLS instead of OpenSSL. This is fine for playing around, but GnuTLS has been significantly slower on our network. I always rebuild the Ubuntu package compiled against OpenSSL.

Other distros may do the same or different.

Kerberos

Kerberos doesn't really seem useful in my environment (~200 linux workstations, ~40 macs, nfs servers, imap, smtp, web server). None of our common client applications support kerberos authentication (Firefox, Thunderbird). It would just be used on a host level for NFS and as a PAM module for authentication. I think SSL can do just as good a job at keeping passwords secret.

If you do use kerberos, you should use Heimdal for integration with the OpenLDAP smbk5pwd overlay.

Client Libraries

The default library for nss from PADL is a bit bloated and troublesome. I recommend you try SSS or nss-pam-ldapd. They both work very well in my environment.

SSS does so much more than PADL's libraries. It includes caching, so you don't need nscd.

nss-pam-ldapd is a rewrite of the PADL libraries made to be much more efficient.

Managing your data

I am a big fan of phpLDAPAdmin. It makes it very easy to view your schemas and modify individual entries.

Other LDAP Servers

They may be slower, but they have more advanced features.

You might want to try ApacheDS since it has built-in kerberos.