- OpenLDAP
- Adding Users/Groups in OpenLDAP
- OpenLDAP Docker Image & Documentation
- OpenLDAP Doc
- Apache mod_ldap
- Apache mod_authnz_ldap
- Apache + LDAP Docker image
- OpenVPN Setup in Ubuntu
- OpenVPN + LDAP
- openvpn-auth-ldap Documentation
- Bind9 DNS
- SSH With Kerberos Authentication
```
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh
```

To install the docker-compose plugin:

```
sudo apt-get install docker-compose-plugin
```

or use `docker compose` instead.
If you want to query the LDAP server directly from your host machine, you'll need to install ldap-utils:

```
sudo apt install ldap-utils
```

- ldap: ldap service image & configuration. Based on osixia/openldap image.
- ssh: ssh service image & configuration. Based on ubuntu image. Uses Kerberos & LDAP Authentication.
- apache: web service image & configuration. Based on php-apache image. Uses LDAP Authentication for route /secure.
- openvpn: openvpn service image & configuration. Based on ubuntu image. Uses LDAP Authentication.
- dns: dns service image & configuration. Based on internetsystemsconsortium/bind9 image.
- kdc: kdc service image & configuration. Kerberos's KDC Server.
- client: client service, used to test Kerberos authentication.
- teacher1: teacher1 service, used to test LDAP, DNS & SSH with LDAP credentials.
- student1: student1 service, used to test LDAP, DNS & SSH with LDAP credentials (Should be blocked access).
Running /setup.sh should:
- Initialize hosts file by running /setup_hosts.sh.
- Initialize docker network, to be used by all services, by running /setup_network.sh.
- Create certificates & update configuration by running /setup_pki.sh.
For testing, we have 3 services representing 3 different client environments:
- Teacher1: To open the environment, run /teacher1.sh
- Student1: To open the environment, run /student1.sh
- Client: Used for Kerberos authentication; to open the environment, run /client.sh
/setup_pki.sh handles the creation of certificates & updating the required configuration folders (to provide certificates/keys).
First, it'll generate a self-signed CA certificate:

```
openssl req -x509 -nodes \
-days 100000 -newkey rsa:2048 \
-addext "keyUsage = cRLSign, keyCertSign" \
-addext "basicConstraints = CA:TRUE" \
-keyout ./certs/ca/priv-ca.pem \
-out ./certs/ca/cert-ca.pem \
-subj "/C=TN/ST=Tunis/L=Centre Urbain/O=CA/OU=IT/CN=www.ca.tn/emailAddress=contact@ca.tn"
```

Then it'll generate for each service (including clients) a certificate signing request, which will be signed by the CA:
```
# Certificate Request
openssl req -nodes \
-newkey rsa:2048 \
-addext "extendedKeyUsage = serverAuth" \
-addext "keyUsage = digitalSignature,keyEncipherment" \
-keyout ./certs/openvpn_server/priv-openvpn.pem \
-out ./certs/openvpn_server/cert-openvpn.csr \
-subj "/C=TN/ST=Tunis/L=Centre Urbain/O=OpenVPNServer/OU=Education/CN=insat.tn/emailAddress=contact@insat.tn"
# Sign & generate certificate
openssl x509 -req \
-in ./certs/openvpn_server/cert-openvpn.csr \
-CA ./certs/ca/cert-ca.pem \
-CAkey ./certs/ca/priv-ca.pem \
-CAcreateserial -CAserial serial.ca \
-out ./certs/openvpn_server/cert-openvpn.pem \
-days 365 \
-copy_extensions=copyall
```

To view a certificate:

```
openssl x509 -in cert-ca.pem -text -noout # View cert
```

To view a certificate used by a host:

```
openssl s_client -connect insat.tn:636 -showcerts
```

The server forces client certificate check, therefore you must use a certificate signed by the server's CA.
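The script below is an added example, not part of the project's /setup_pki.sh: it runs the same three steps (self-signed CA, per-service CSR, CA-signed certificate) in a temporary directory and then checks the result the way you would before trusting the files in ./certs, i.e. that the service certificate chains to the CA for TLS-server use, carries the expected SAN, is not itself a CA, and matches its private key. The functions `build_pki`, `verify_pki` and `demo`, the subject names and the file layout are constructed for this example; only the CN insat.tn comes from the page. It assumes openssl 1.1.1 or newer on PATH. One deliberate difference from the page: the leaf extensions are supplied from the CA side with `-extfile` instead of copied from the CSR with `-copy_extensions copyall`, which needs OpenSSL 3 and lets the requester decide its own key usage.

```shell
#!/bin/sh
# Added example (not the project's setup_pki.sh). Builds a throwaway CA, issues
# one service certificate from a CSR, then verifies the result. Assumptions:
# openssl 1.1.1+ on PATH; all paths are constructed under a temp directory and
# do not follow the repository's ./certs/<service>/ layout.

# build_pki DIR CN: writes DIR/ca/{priv-ca,cert-ca}.pem and DIR/svc/{priv-svc,cert-svc}.pem
build_pki() {
  dir=$1; cn=$2
  mkdir -p "$dir/ca" "$dir/svc" || return 1
  # Self-contained req config, so the run does not depend on the system openssl.cnf.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
default_md = sha256
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
EOF
  # 1. Self-signed CA. keyUsage is limited to signing, so the CA key cannot be
  #    used as a TLS server key even if the file leaks.
  openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
    -config "$dir/req.cnf" -extensions v3_ca \
    -subj "/O=Example CA/CN=example-ca" \
    -keyout "$dir/ca/priv-ca.pem" -out "$dir/ca/cert-ca.pem" >/dev/null 2>&1 || return 1
  # 2. Service key and CSR. Only the CSR has to reach the CA; the private key stays put.
  openssl req -new -nodes -newkey rsa:2048 \
    -config "$dir/req.cnf" \
    -subj "/O=Example Service/CN=$cn" \
    -keyout "$dir/svc/priv-svc.pem" -out "$dir/svc/cert-svc.csr" >/dev/null 2>&1 || return 1
  # 3. Sign. Leaf extensions are fixed by the CA (-extfile) rather than copied from
  #    the CSR, so the CA decides what the leaf may do; this also works on OpenSSL 1.1.1.
  printf '%s\n' \
    'basicConstraints = CA:FALSE' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    "subjectAltName = DNS:$cn" > "$dir/svc/ext.cnf"
  openssl x509 -req -days 365 \
    -in "$dir/svc/cert-svc.csr" \
    -CA "$dir/ca/cert-ca.pem" -CAkey "$dir/ca/priv-ca.pem" -CAcreateserial \
    -extfile "$dir/svc/ext.cnf" \
    -out "$dir/svc/cert-svc.pem" >/dev/null 2>&1 || return 1
}

# verify_pki DIR CN: prints OK when the leaf chains to the CA for TLS-server use,
# carries DNS:CN as a SAN, is not itself a CA, and matches its private key.
verify_pki() {
  dir=$1; cn=$2
  ca=$dir/ca/cert-ca.pem; crt=$dir/svc/cert-svc.pem; key=$dir/svc/priv-svc.pem
  # Chain and EKU check: what a client does before accepting the server.
  openssl verify -purpose sslserver -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: leaf does not chain to the CA for sslserver use"; return 1; }
  text=$(openssl x509 -in "$crt" -noout -text)
  case $text in *"DNS:$cn"*) ;; *) echo "FAIL: missing SAN DNS:$cn"; return 1 ;; esac
  case $text in *"CA:TRUE"*) echo "FAIL: leaf must not be a CA"; return 1 ;; esac
  # Key/cert pairing: the public key in the cert must equal the one derived from the key.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "FAIL: private key does not match certificate"; return 1; }
  echo OK
}

# demo: end-to-end run in a temp dir; prints OK on success, a FAIL reason otherwise.
demo() {
  tmp=$(mktemp -d) || return 1
  if build_pki "$tmp" insat.tn; then
    out=$(verify_pki "$tmp" insat.tn)
  else
    out="FAIL: build_pki"
  fi
  rm -rf "$tmp"
  echo "$out"
}

# Run end to end with: sh pki_check.sh run
if [ "${1:-}" = run ]; then demo; fi
```

`verify_pki` is the part worth keeping around: point it at a CA certificate and a service certificate/key pair and it tells you in one word whether the chain, SAN, basicConstraints and key pairing are what a client will insist on, instead of reading through `openssl x509 -text` output by eye.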
Configure your LDAP client by adding this to your /etc/ldap.conf:

```
TLS_REQCERT try
TLS_CACERT /mnt/c/Users/saida/OneDrive/Documents/Github/Projet-Kerberos-GL4/ldap/certs/cert-ca.pem
TLS_CERT /mnt/c/Users/saida/OneDrive/Documents/Github/Projet-Kerberos-GL4/ldap/user/cert-c1.pem
TLS_KEY /mnt/c/Users/saida/OneDrive/Documents/Github/Projet-Kerberos-GL4/ldap/user/key-c1.pem
```
OR you can simply open a shell in [/ldap/user](./ldap/user/) directory. LDAP will automatically use `ldaprc` as a configuration file.