Configuramos el nombre del servidor y el FQDN para que al instalar el LDAP nos cree la base inicial con el dominio deseado.

echo "192.168.18.50 ldap.example.com" | sudo tee -a /etc/hosts
hostnamectl set-hostname ldap.example.com

Instalamos openLdap y verificamos su configuracion inicial

apt -y install slapd ldap-utils
slapcat
slappasswd
ldapadd -x -D cn=admin,dc=example,dc=com -W -f (ldaporgs.ldif |ldapusers.ldif | ldapgroups.ldif) 

vim ldaporgs.ldif
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
 
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
 
vim ldapusers.ldif
dn: uid=computingforgeeks,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: computingforgeeks
sn: Wiz
userPassword: {SSHA}Zn4/E5f+Ork7WZF/alrpMuHHGufC3x0k
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/computingforgeeks
 
cat ldapgroups.ldif
dn: cn=computingforgeeks,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: computingforgeeks
gidNumber: 2000
memberUid: computingforgeeks
 
cat ldapgroups_addmember.ldif
dn: cn=computingforgeeks,ou=groups,dc=example,dc=com
changetype: modify
#add: memberUid
replace: memberUid
memberUid: carlos,pedro

Probar la conexion desde otra computadora

apt install ldap-utils
ldapsearch -h 192.168.150.1 -b "dc=prueba,dc=local" -D cn=admin,dc=prueba,dc=local -W

apt install libnss-ldapd libpam-ldap ldap-utils
auth-client-config  -t nss -p lac_ldap
pam-auth-update
systemctl restart  nscd
systemctl enable  nscd
systemctl restart nslcd
getent passwd USUARIO

/etc/pam.d/common-session
/etc/pam_ldap.conf
 
/etc/nsswitch.conf
/etc/nslcd.conf

 skel=/etc/skel umask=077

Para ver los accesos a la base de datos, debemos buscar en la configuracion del la base con:

ldapsearch -Y external -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL 

Y tendremos que ver algo como:

.
.
.
 
 
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}2PEPV+8Pltp8wS1U8nmyAlKKILCOJpuQ
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

Para agregar algunas reglas mas debemos:

cat access.ldiff 
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.children="dc=example,dc=com"
  by self write
  by dn.children="dc=example,dc=com" search
  by * none break
-
add: olcAccess
olcAccess: {4}to dn.children="dc=example,dc=com"
  by self write
  by anonymous auth  
  by * none break

Donde:

1. {3}to : Representa el numero de la regla(En la instalación inicial hay 3 reglas 0,1,2)
2. by self: Nos dice a quien le da permisos
3. none/search/read/write/manage : Son los permisos que damos

Aplicamos los cambios con

ldapmodify -Y external -H ldapi:/// -f access.ldiff

Para borrar agregamos el ldiff

cat access-delete.ldiff 
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}

Aplicamos los cambios con

ldapmodify -Y external -H ldapi:/// -f access-delete.ldiff

dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats

ldapsearch -Y external -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL 
ldapmodify -Y external -H ldapi:/// -f slapdlog.ldif

• FusionDirectory web
• phpldapadmin web
• Apache Studio de escritorio
• LDAP Account Manager web
• LDAPcherry web

FusionDirectory tiene una version libre y una verdida. La última version liberada es la version 1.3 en abril del 2019 con version de desarrollo 1.4 y último commit en https://github.com/fusiondirectory/fusiondirectory/commits/1.4-dev con fecha 18 marzo del 2022. Este programa viene debian bullseye.

LDAP Account Manager tiene la version 7.9.1 https://github.com/LDAPAccountManager lanzada el 15 de abril del 2022 con último commit el día 28 de abril del 2022. Este programa viene debian bullseye.

Por defecto se utilizaba Phpldapadmin para administración, pero debido a que no tuvo actualizaciones durante varios años, se creo un fork https://github.com/leenooks/phpLDAPadmin pero la ultima version y commit es la 1.2.6.3 en diciembre del 2021. Este programa viene debian bookworm (testing).

Ldapcherry la última version liberada es la 1.1.1 en febrero del 2019 con último commit en mayo 20 del 2020.

Por eso se sugiere usar fusiondirectory o LDAP Account Manager por que es la que esta en constante desarrollo.

Instalar ldapcherryd

# clone the repository
$ git clone https://github.com/kakwa/ldapcherry && cd ldapcherry
 
# change the directory where to put the configuration (default: /etc)
$ export SYSCONFDIR=/etc
# change the directory where to put the resource (default: /usr/share)
$ export DATAROOTDIR=/usr/share/
 
# install ldapcherry
$ apt install python-cherrypy3 python-ldap python-mako python-pretty-yaml python3-cherrypy3 python3-ldap python3-mako python3-pretty-yaml python-setuptools python3-distutils 
$ python setup.py install

# clone the repository
$ mkdir cherry && cd cherry
$ git clone https://github.com/kakwa/ldapcherry 
 
$ apt install -y python-dev python-pip libldap2-dev libsasl2-dev libssl-dev  python3-dev python3-pip build-essential python3-venv
$ python3 -m venv venv/
$ source venv/bin/activate
$ pip3 install wheel
$ pip3 install -r ldapcherry/requirements.txt
 
# change the directory where to put the configuration (default: /etc)
$ export SYSCONFDIR=/etc
# change the directory where to put the resource (default: /usr/share)
$ export DATAROOTDIR=/usr/share/
 
$ cd ldapcherry
$ python setup.py install
 
# edit configuration files
$ vi /etc/ldapcherry/ldapcherry.ini
$ vi /etc/ldapcherry/roles.yml
$ vi /etc/ldapcherry/attributes.yml
 
# launch ldapcherry
$ ../venv/bin/ldapcherryd -c /etc/ldapcherry/ldapcherry.ini -D

• https://gitlab.com/smacz/docker-ldapcherry-fork/-/blob/andrewcz-homelab-179/Dockerfile
• https://ldapcherry.readthedocs.io/en/latest/

Requisitos:

1. apache2 y
2. php

Instalando paquetes

apt install fusiondirectory fusiondirectory-plugin-audit fusiondirectory-plugin-audit-schema fusiondirectory-plugin-freeradius-schema fusiondirectory-plugin-freeradius  fusiondirectory-plugin-posix fusiondirectory-schema fusiondirectory-plugin-alias  fusiondirectory-plugin-alias-schema fusiondirectory-plugin-ldapdump fusiondirectory-plugin-ldapmanager fusiondirectory-plugin-mail fusiondirectory-plugin-mail-schema fusiondirectory-plugin-postfix fusiondirectory-plugin-postfix-schema fusiondirectory-plugin-quota fusiondirectory-plugin-quota-schema fusiondirectory-schema 

Agregando esquemas LDAP necesarios

fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd.schema 
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd-conf.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/dns-fd.schema 
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/dns-fd-conf.schema 
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/ldapns.schema 
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/template-fd.schema 
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/core-fd.schema 
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/core-fd-conf.schema

Creando la configuración de acceso LDAP

nano /etc/fusiondirectory/fusiondirectory.conf
fusiondirectory-setup --check-config

Luego ir al http://localhost/fusiondirectory/ para configurarlo

mkdir /var/lib/ldap-dominio2
chown  openldap:openldap /var/lib/ldap-dominio2
slappasswd -h {SSHA}

# Nueva base dominio2.com
dn: olcDatabase=mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap-dominio2
olcSuffix: dc=dominio2,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=dominio2,dc=com
olcRootPW: {SSHA}KgqLc7eVZfkXJo3hysJJhgoifCWo3Kc2
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

ldapmodify -Y external -H ldapi:/// -f newdatabase.ldiff
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config'

#El dominio top
dn: dc=dominio2,dc=com
changetype: add
objectClass: top
objectClass: dcObject
objectClass: organization
o: dominio2 personal
dc: dominio2
description: Dominio de dominio2
 
 
#El usuario administrador
dn: cn=admin,dc=dominio2,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: e1NTSEF9S2dxTGM3ZVZaZmtYSm8zaHlzSkpoZ29pZkNXbzNLYzI=
description: Directory Manager

ldapadd -x -D "cn=admin,dc=dominio2,dc=com" -w superclave -f  dominio2.ldiff

Generales

• https://computingforgeeks.com/how-to-install-and-configure-openldap-ubuntu-18-04/
• https://www.digitalocean.com/community/tutorials/how-to-manage-and-use-ldap-servers-with-openldap-utilities
• https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system
• https://unix.stackexchange.com/questions/362547/automating-slapd-install
• https://apassionatechie.wordpress.com/2017/12/12/automating-slapd-install/

Autenticacion PC PAM

• https://linoxide.com/linux-how-to/setup-openldap-server-authenticate-client-workstation/
• https://wiki.debian.org/LDAP/NSS
• https://www.tecmint.com/configure-ldap-client-to-connect-external-authentication/
• https://computingforgeeks.com/how-to-configure-ubuntu-18-04-ubuntu-16-04-lts-as-ldap-client/

Logs

• http://tutoriels.meddeb.net/openldap-tutorial-log/
• https://www.zytrax.com/books/ldap/ch6/#loglevel
• http://tutoriels.meddeb.net/openldap-tutorial-log/

Seguridad

• https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls
• https://computingforgeeks.com/secure-ldap-server-with-ssl-tls-on-ubuntu/

Multiple DB

• https://stackoverflow.com/questions/30898397/creating-second-database-domain-in-openldap
• https://serverfault.com/questions/828490/setting-up-multiple-domain-in-ldap-server

FusionDirectory

• https://serverfault.com/questions/818253/fusiondirectory-and-openldap-adding-an-attribute
• https://metashell.net/index.php/2015/12/10/configuring-openldap-with-fusion-directory/

Permisos:

• https://medium.com/@moep/keeping-your-sanity-while-designing-openldap-acls-9132068ed55c
• https://serverfault.com/questions/1064914/q-what-is-the-correct-way-to-add-olcaccess-rules-to-openldap
• https://openldap.org/doc/admin24/access-control.html
• https://devopsideas.com/planning-of-ldap-dit-structure-and-config-of-overlays-access-ppolicy/

Estructura

• https://serverfault.com/questions/828490/setting-up-multiple-domain-in-ldap-server
• https://serverfault.com/questions/546131/in-ldap-is-it-best-to-nest-groups-under-organizational-units-or-create-an-organi
• https://docs.informatica.com/content/dam/source/GUID-A/GUID-ACA85C10-6FE8-4E4A-8258-FDE38165C3BC/8/en/GUID-A197F875-87DE-4FDD-A54B-EE6E131B61B7-low.png
• https://stackoverflow.com/questions/18756688/what-are-cn-ou-dc-in-an-ldap-search#18756876