Setting Up LDAP with FreeIPA: A Practical Guide
In the quest for a more streamlined identity management solution, I recently transitioned from OpenLDAP to FreeIPA. The decision was driven by a desire to avoid the complexities of OpenLDAP's ldap.secret file and of integrating Kerberos with LDAP by hand. FreeIPA offered a more straightforward deployment path, which made the switch an easy choice.
LDAP Search Command
To interact with your LDAP server, you can use the following command to perform a basic search. `-x` selects a simple bind, `-b` sets the search base, `-D` names the bind account, and `-W` prompts for the bind password so it never appears on the command line or in shell history:
ldapsearch -x -h hrvldapp1 -b dc=jmoore53,dc=com -D 'uid=bindaccount,cn=users,cn=compat,dc=jmoore53,dc=com' -W
Setting Up FreeIPA Container
Deploying FreeIPA in a container is relatively simple, though I encountered a hiccup with cgroups on my Proxmox VM. Changing the processor configuration on the VM resolved the issue. Here’s the command I used to run the FreeIPA container:
docker run \
-p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 \
-d -h hrvldapp1.jmoore53.com \
-v /var/lib/ipa-data:/data:Z \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
-e PASSWORD=Password \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
quay.io/freeipa/freeipa-server:almalinux-9 ipa-server-install -U -r jmoore53.com --no-ntp
LDAP Login with PAM/SSSD
After setting up the server, I configured LDAP login with PAM/SSSD on other servers. Although I had to install the client manually due to a version mismatch with my Ansible setup, it was straightforward. I used:
sudo apt install freeipa-client
sudo ipa-client-install
Configuring Nextcloud with LDAP
Setting up Nextcloud to use LDAP required some adjustments, particularly with the new bind account configuration. Here’s the LDAP configuration for Nextcloud:
BIND_USER: uid=binduser,cn=users,cn=compat,dc=cell,dc=jmoore53,dc=com
BIND_PW: password1231231234
BASE_DN: dc=cell,dc=jmoore53,dc=com
LDAP_QUERY_USERS: (&(|(objectclass=person))(memberof=cn=nextcloudusers,cn=groups,cn=accounts,dc=cell,dc=jmoore53,dc=com))
LOGIN_ATTRIBUTES LDAP QUERY: (&(&(|(objectclass=person))(memberof=cn=nextcloudusers,cn=groups,cn=accounts,dc=cell,dc=jmoore53,dc=com))(|(uid=%uid)(|(cn=%uid))))
LDAP_GROUPS: (&(|(objectclass=ipausergroup))(|(cn=nextcloudusers)(cn=nextcloudusers)))
TURN_OFF_SSL_CERTIFICATE: OFF
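The login filter above substitutes the typed username into `%uid`. Nextcloud does that substitution itself; if you reproduce the same filter elsewhere (a health check, a script that tests the bind account against the `nextcloudusers` group), the value must be escaped per RFC 4515 before it is spliced in. The following is an added example, not code from the post or from Nextcloud; the DN values are taken from the configuration above.

```python
"""Build the Nextcloud-style user and login filters from the post, escaping the
username per RFC 4515 so it cannot alter the filter structure."""

BASE_DN = "dc=cell,dc=jmoore53,dc=com"
GROUP_DN = f"cn=nextcloudusers,cn=groups,cn=accounts,{BASE_DN}"

# Same selection as LDAP_QUERY_USERS; the redundant (|(...)) wrapper is dropped.
USER_FILTER = f"(&(objectclass=person)(memberof={GROUP_DN}))"

# RFC 4515 section 3: these characters are hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter(uid: str) -> str:
    """Equivalent of the LOGIN_ATTRIBUTES query with %uid substituted safely:
    the user must be a person in the nextcloudusers group and match by uid or cn."""
    safe = escape_filter_value(uid)
    return f"(&{USER_FILTER}(|(uid={safe})(cn={safe})))"


def is_balanced(flt: str) -> bool:
    """Cheap sanity check that a filter's parentheses are balanced."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample usernames; the second contains filter metacharacters.
    for name in ("alice", "a*)(uid=*"):
        print(login_filter(name))
```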