I feel like I’ve lived the Dunning-Kruger curve when working on this LDAP server, and perhaps I may still be in the Valley of Despair. I’m thinking to myself, why does LDAP have to be so absurdly fiddly when all that I require is an authentication server with a couple of ACL rules!
Currently (previously?) I use an OpenLDAP Turnkey Linux solution for my LDAP server, and that has been great! I was hoping though that I could get closer to raw LDAP, without having to muck around with Webmin and phpLDAPAdmin.
But alas, I’ve installed a couple of different servers, all largely based on simple OpenLDAP, and have found myself constantly fiddling and trudging through documentation to perform relatively simple things.
ApacheDS and OpenLDAP
This honestly seemed to be the most promising; LDAPv3 Compliant, X500 Authentication, Kerberos Server built in, and so many other features. Written in Java, so it can basically be run on any platform. I installed Apache Directory Studio, and have been loving it. I use this to maintain the LDAP Server, it’s compatible with OpenLDAP (including my old LDAP server). It also allows for a few more options if it’s connected to ApacheDS.
There were a couple of issues I ran into though. Out of the box, it didn’t appear to have the posixAccount object class in the schema, which is used to store details for UNIX accounts and which I use for Linux authentication. Not sure if this object class is strictly required, but my current LDAP tree calls for it, and ApacheDS doesn’t have it…
I also couldn’t quite figure out ACLs. There are quite a few documents online on how to maintain these for straight-up OpenLDAP servers, but it appears as if ApacheDS’s implementation is different, and their documentation doesn’t give me distinct clues, particularly for a novice like myself.
I will park ApacheDS and revisit it later. Still very much interested.
Turnkey Linux OpenLDAP
As I had alluded to earlier, I currently run a Turnkey Linux OpenLDAP server, which is packaged as a Linux Container available for Proxmox. It’s pretty straightforward; it installs and configures everything that is required.
I’m spending too much time on just the LDAP server, and I need to move it to the new server. So I have decided to stick with Turnkey for now because it works now and it will continue to work.
I have exported my LDAP structure as an LDIF tree, and have imported it successfully into the new Turnkey OpenLDAP server (using the update function in Apache Directory Studio).
Turnkey OpenLDAP also comes with a couple of ACLs pre-configured, including an nsspam service account that has read-only permissions to (encrypted) user passwords. That way I can use that as a bind account across services, and not risk my LDAP service being modified.
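An added example (my own, not the Turnkey image’s configuration or anything from the original post) of what such a least-privilege ACL looks like in OpenLDAP’s cn=config. It assumes an mdb backend at olcDatabase={1}mdb, a suffix of dc=example,dc=com, an admin at cn=admin,dc=example,dc=com and the service account at cn=nsspam,ou=services,dc=example,dc=com; adjust these to your own tree.

```ldif
# Added example, not the Turnkey image's real configuration.
# Assumed: backend olcDatabase={1}mdb, suffix dc=example,dc=com,
# service account cn=nsspam,ou=services,dc=example,dc=com.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Password hashes: the service account may read them, users may
# change their own, everyone else may only bind against them.
# Clauses are evaluated in order; the first matching "by" wins.
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=nsspam,ou=services,dc=example,dc=com" read
  by self write
  by anonymous auth
  by * none
# Everything else: the service account is read-only, so a leaked
# bind password cannot be used to modify the tree.
olcAccess: {1}to *
  by dn.exact="cn=admin,dc=example,dc=com" manage
  by dn.exact="cn=nsspam,ou=services,dc=example,dc=com" read
  by users read
  by * none
```

A quick check afterwards: an ldapsearch bound as the nsspam DN should return userPassword values, while an ldapmodify bound as the same DN should be refused with “Insufficient access”.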
Next on the list would be WordPress sites. Migrating them should be relatively straightforward, as there are guides on how to do this online.
One thing I would like to implement, particularly for servers that have ports open to the internet, would be to install SELinux and have it enforcing. We’ll see how that goes.