26.3 Configuring an LDAP Server with YaST

Use YaST to set up an LDAP server. Typical use cases for LDAP servers include the management of user account data and the configuration of mail, DNS, and DHCP servers.

Figure 26-2 YaST LDAP Server Configuration

To set up an LDAP server for user account data, proceed as follows:

  1. Log in as root.

  2. Start YaST and select Network Services > LDAP Server.

  3. Set LDAP to be started at system boot.

  4. If the LDAP server should announce its services via SLP, check Register at an SLP Daemon.

  5. Select Configure to configure General Settings and Databases.

To configure the Global Settings of your LDAP server, proceed as follows:

  1. Accept or modify the schema files included in the server's configuration by selecting Schema Files in the left part of the dialog. The default selection of schema files applies to the server providing a source of YaST user account data.

  2. With Log Level Settings, configure the degree of logging activity (verbosity) of the LDAP server. From the predefined list, select or deselect the logging options according to your needs. The more options are enabled, the larger your log files grow.

  3. Determine the connection types the LDAP server should allow. Choose from:

    bind_v2

    This option enables connection requests (bind requests) from clients using the previous version of the protocol (LDAPv2).

    bind_anon_cred

    Normally the LDAP server denies any authentication attempts with empty credentials (DN or password). Enabling this option, however, makes it possible to connect with a password and no DN to establish an anonymous connection.

    bind_anon_dn

    Enabling this option makes it possible to connect without authentication (anonymously) using a DN but no password.

    update_anon

    Enabling this option allows non-authenticated (anonymous) update operations. Access is restricted according to ACLs and other rules (see Section 26.7.1, Global Directives in slapd.conf).

  4. To configure secure communication between client and server, proceed with TLS Settings:

    1. Set TLS Active to Yes to enable TLS and SSL encryption of the client/server communication.

    2. Click Select Certificate and determine how to obtain a valid certificate. Choose Import Certificate (import certificate from external source) or Use Common Server Certificate (use the certificate created during installation).

      • If you opted for importing a certificate, YaST prompts you to specify the exact path to its location.

      • If you opted for using the common server certificate and it has not been created during installation, it is subsequently created.

To configure the databases managed by your LDAP server, proceed as follows:

  1. Select the Databases item in the left part of the dialog.

  2. Click Add Database to add the new database.

  3. Enter the requested data:

    Base DN

    Enter the base DN of your LDAP server.

    Root DN

    Enter the DN of the administrator in charge of the server. If you check Append Base DN, only provide the cn of the administrator and the system fills in the rest automatically.

    LDAP Password

    Enter the password for the database administrator.

    Encryption

    Determine the encryption algorithm to use to secure the password of Root DN. Choose crypt, smd5, ssha, or sha. The dialog also includes a plain option to enable the use of plain text passwords, but enabling this is not recommended for security reasons. To confirm your settings and return to the previous dialog, select OK.

  4. Enable enforcement of password policies to provide extra security to your LDAP server:

    1. Select Password Policy Settings to be able to specify a password policy.

    2. Activate Hash Clear Text Passwords to have clear text passwords be hashed before they are written to the database whenever they are added or modified.

    3. Disclose Account Locked Status provides a meaningful error message to bind requests to locked accounts.

      WARNING: Locked Accounts in Security Sensitive Environments

      Do not use the Disclose Account Locked Status option if your environment is sensitive to security issues, because the Locked Account error message provides security sensitive information that can be exploited by a potential attacker.

    4. Enter the DN of the default policy object. To use a DN other than the one suggested by YaST, enter your choice. Otherwise accept the default setting.

  5. Complete the database configuration by clicking Finish.

If you have not opted for password policies, your server is ready to run at this point. If you chose to enable password policies, proceed with the configuration of the password policy in detail. If you chose a password policy object that does not yet exist, YaST creates one:

  1. Enter the LDAP server password.

  2. Configure the password change policies:

    1. Determine the number of passwords stored in the password history. Saved passwords may not be reused by the user.

    2. Determine whether users can change their password and whether they need to change their password after a reset by the administrator. Optionally require the old password for password changes.

    3. Determine whether and to what extent passwords should be subject to quality checking. Set a minimum password length that must be met before a password is valid. If you select Accept Uncheckable Passwords, users are allowed to use encrypted passwords although the quality checks cannot be performed. If you opt for Only Accept Checked Passwords only those passwords that pass the quality tests are accepted as valid.

  3. Configure the password aging policies:

    1. Determine the minimum password age (the time that needs to pass between two valid password changes) and the maximum password age.

    2. Determine the time between a password expiration warning and the actual password expiration.

    3. Set the number of postponement uses of an expired password before the password expires entirely.

  4. Configure the lockout policies:

    1. Enable password locking.

    2. Determine the number of bind failures that trigger a password lock.

    3. Determine the duration of the password lock.

    4. Determine for how long password failures are kept in the cache before they are purged.

  5. Apply your password policy settings with Accept.

To edit a previously created database, select its base DN in the tree to the left. In the right part of the window, YaST displays a dialog similar to the one used for the creation of a new database—with the main difference that the base DN entry is grayed out and cannot be changed.

After leaving the LDAP server configuration by selecting Finish, you are ready to go with a basic working configuration for your LDAP server. To fine-tune this setup, edit the file /etc/openldap/slapd.conf accordingly then restart the server.