OpenLDAP

Information related to OpenLDAP and the TurnKey Linux OpenLDAP appliance.

MemberOf config for OpenLDAP

These resources have been tested and confirmed working on the v14.2 TurnKey OpenLDAP appliance. They are expected to remain relevant to v15.x/v16.x as well, though that has not been re-verified.

OpenLDAP official docs:
Reverse Group Membership Maintenance

Maarten De Paepe's blog:
How to enable MemberOf using OpenLDAP

OpenLDAP integration with other appliances

[Undated; it is unclear whether this is still relevant.]

Note: the settings shown in red on the original page are site-specific values (such as the host name and Base DN below) and must be changed according to your setup.

  • OpenLDAP
    • Log into phpLDAPadmin as administrative user
    • Create new user account (PosixAccount) in Users OU
    • Add mail attribute to new account
  • Redmine
    • Log into Redmine as administrative user
    • Click administration -> LDAP authentication
    • Click new authentication mode
      • Name: TurnKey OpenLDAP
      • Host: ldap.turnkeylinux.org
      • Port: 389 (LDAPS not checked) or 636 (LDAPS checked). On 389 the password Redmine sends when it binds as the user crosses the network in the clear, so use 636 with LDAPS checked unless Redmine and the LDAP server share a host or an otherwise protected network.
      • Base DN: ou=Users,dc=turnkeylinux,dc=org
      • On the fly user creation: (checked)
      • Login: uid
      • First name: givenName
      • Last name: sn
      • Email: mail
    • Click save
    • Click test
    • Logout
    • Log in as the user created in OpenLDAP
    • Smile...
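
Before clicking Test in Redmine it is worth confirming that the account created in phpLDAPadmin actually carries everything the mapping above reads: Login, First name, Last name and Email map to uid, givenName, sn and mail, and the procedure creates a PosixAccount. The following shell script is an added example (not code from this page, TurnKey or Redmine): it reads an LDIF entry on stdin, as produced by ldapsearch, and reports which of those attributes are missing. The two sample entries inside it are constructed for a stand-alone run; the host, base DN and user jdoe in the comments are taken from the example settings above, with jdoe being hypothetical. One caveat the procedure does not mention: Redmine's LDAP form also has Account and Password fields for a bind DN, which are left blank here, so the initial search of ou=Users only works if the appliance permits anonymous reads of that subtree (see the comments below about anonymous bind).

```shell
#!/bin/sh
# Added example, not code from the TurnKey page or from Redmine: check that an LDAP
# user entry has every attribute the Redmine mapping needs before clicking "Test".
# Redmine searches the Base DN for the login, reads the mapped attributes, and then
# binds as the entry's DN with the password the user typed, so the entry must carry
# uid, givenName, sn and mail and (per the procedure above) be a posixAccount.
#
# Live use, feeding ldapsearch output into the check (host, base DN and uid from the
# example settings; add -D <bind dn> -W if the appliance refuses anonymous reads, and
# set TLS_CACERT/TLS_REQCERT in ldap.conf if the server certificate is self-signed):
#   ldapsearch -x -H ldaps://ldap.turnkeylinux.org -b ou=Users,dc=turnkeylinux,dc=org \
#       -LLL '(uid=jdoe)' | check_redmine_user
# The password bind Redmine performs at login can be reproduced with:
#   ldapwhoami -x -H ldaps://ldap.turnkeylinux.org \
#       -D uid=jdoe,ou=Users,dc=turnkeylinux,dc=org -W

REQUIRED_ATTRS="uid givenName sn mail"

# Read one LDIF entry from stdin; return 0 if complete, 1 (with a list on stderr) if not.
check_redmine_user() {
    entry=$(cat)
    missing=""
    for attr in $REQUIRED_ATTRS; do
        # LDIF lines are "name: value"; attribute names are case-insensitive
        printf '%s\n' "$entry" | grep -iq "^$attr: " || missing="$missing $attr"
    done
    printf '%s\n' "$entry" | grep -iq '^objectClass: posixAccount$' \
        || missing="$missing objectClass=posixAccount"
    if [ -n "$missing" ]; then
        echo "missing:$missing" >&2
        return 1
    fi
    echo "ok: entry has $REQUIRED_ATTRS and is a posixAccount" >&2
}

# Constructed sample entries (not real accounts) so the script runs offline.
# SAMPLE_OK is the shape of the account after the "Add mail attribute" step.
SAMPLE_OK='dn: uid=jdoe,ou=Users,dc=turnkeylinux,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
givenName: Jane
sn: Doe
mail: jdoe@turnkeylinux.org
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe'

# The same account before that step: Redmine maps Email to mail and requires an
# address when it creates the user on the fly, so this entry should be rejected.
SAMPLE_NO_MAIL=$(printf '%s\n' "$SAMPLE_OK" | grep -v '^mail: ')

# Stand-alone demo: the first check passes, the second reports "missing: mail".
printf '%s\n' "$SAMPLE_OK"      | check_redmine_user
printf '%s\n' "$SAMPLE_NO_MAIL" | check_redmine_user || true
```

The check deliberately looks for the exact attribute names Redmine was configured with; if you map First name to cn or Email to a different attribute in Redmine, change REQUIRED_ATTRS to match.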


Comments

Luis F. Gonzalez:

Ok - what is Redmine supposed to be?

Jeremy Davis:

By default, our OpenLDAP implementation should be somewhat locked down, but unfortunately, I'm no expert on OpenLDAP, so I can't directly help.

Having said that, a quick google turned up a couple of posts that may be relevant:

https://unix.stackexchange.com/questions/255061/enable-anonymous-bind-in-openldap

https://serverfault.com/questions/748758/enable-anonymous-bind-in-openldap/748904#748904

https://stackoverflow.com/questions/50497256/how-to-re-enable-anonymous-login-in-openldap

http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-BindPW.html#LIMITANON

Also, it's worth keeping in mind that TurnKey v15.x is based on Debian 9/Stretch (v14.x was based on 8/Jessie). Our OpenLDAP appliance has OpenLDAP (slapd) 2.4.44 installed from the Debian repos. So the Debian wiki pages may also be of assistance:

https://wiki.debian.org/LDAP

There is also the OpenLDAP 2.4 Admin guide, specifically the "Authentication Methods" section in the "Security Considerations" page which might also give you some pointers.

Good luck with it all, and please post back with anything of interest that you find.

Jeremy Davis:

Thanks Matthew! I'm sure others will find that useful!

Please excuse my ignorance (I'm not particularly familiar with OpenLDAP) but does this make sense to include by default? Is there a downside to including it OOTB? If so, perhaps scripting it (so users could just run that) is another option?