[solved] Use Yunohost as an LDAP server (connect other machines to it)

Hello community.
This thread is an English version of this thread where nobody responded.

First, I have no experience with LDAP.

I have some working services on some machines and I want to use Yunohost's LDAP to centralize access/registration.

Is it possible to configure the LDAP to use it with external services (Nextcloud, phpBB, etc.)? :slight_smile:
If yes, do you have some tutorials/information? :slight_smile:


Hello, I would be curious to have the answer too; I haven't tested so far.

Hi there,

I don't know much about LDAP, but from what I know, it's totally doable, technically speaking. Basically all requests to LDAP servers are made to <machine>:<port>, and on Yunohost, <machine> is typically localhost. (I don't know about the port number, though, but you should be able to find it in the LDAP conf.)

So if you wanted to have some machine accessing your LDAP base, you should tell it to contact <your.machine>:<port>. Remember to open the appropriate port in Yunohost's firewall.

However, you should understand that you must be careful about exposing the LDAP port to the outside world. It's okay to let machines in the same local network (which we assume you control and trust) access a central LDAP server, but it's probably not safe to open it to the whole internet, as some data might get exposed to malicious people/bots, without any password being needed to access it.

Thanks for your answer :slight_smile:

By default the Yunohost LDAP server binds only on 127.0.0.1; I am looking for how to open it to others. (edit: FALSE)
Then I don't know whether the clients need access to the LDAP server or only the other servers (Nextcloud etc.). If it's only the other servers, I want my LDAP server to listen on the VPN address (10.8.0.x) :slight_smile:

PS: sorry for my bad English

Edit: OK, I have opened the port (389) in the firewall; other machines can see it via nmap.
Now in my Nextcloud I need to enter the user DN, password and "base DN" (?); I looked for them in the config files (/etc/ldap/).
In /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif there are interesting lines:

olcSuffix: dc=yunohost,dc=org
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.base="cn=admin,dc=yunohost,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn by dn.base="cn=admin,dc=yunohost,dc=org" write by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn.base="cn=admin,dc=yunohost,dc=org" write by group/groupOfNames/member.exact="cn=admin,ou=groups,dc=yunohost,dc=org" write by * read

OK, IT WORKS
Login: cn=admin,dc=yunohost,dc=org
Password: your admin password defined during "post-installation"

To open it, just open TCP port 389 in your firewall (tutorial in French). I am writing a tutorial for Nextcloud integration in French; I will translate it afterwards and post the link.

PS: installing iptables-persistent has totally crashed my Yunohost installation (Debian Jessie); does anybody know how I can save an iptables rule (iptables -A INPUT -p tcp --dport 389 -s 10.8.0.0/24 -j ACCEPT)?

A good idea for a future feature to improve Yunohost security in multi-machine configurations would be the possibility to create groups of users.
Example: create a Nextcloud group in the Yunohost LDAP and use this group in the Nextcloud LDAP integration on another machine.
Also, we can only accept/block all IPv4 or IPv6 in the firewall (web UI); it's not great (we can't open only LAN/VPN access without using the command line).

I have finished writing the tutorial; I hope it helps you :slight_smile:
Tutorial in French:

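The earlier reply's warning (data readable without any password) can be checked directly against the four olcAccess lines quoted above. What follows is an added example, not code from the thread or from the Yunohost project: a small offline evaluator for those rules using OpenLDAP's access semantics (the first `to` clause whose target matches wins, and inside it the first `by` clause whose subject matches decides). The user entry `uid=alice,...`, the extra group member `uid=bob,...` and the group membership table are constructed for the example and stand in for real directory entries.

```python
"""Evaluate the olcAccess rules quoted in the thread for a given requester.

OpenLDAP semantics used here: the first 'to' clause whose target matches
the (entry, attribute) pair wins; inside it the first 'by' clause whose
subject matches the requester decides; no match means 'none'.
"""
import re
import shlex

# OpenLDAP access levels, weakest to strongest; each implies the ones below.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

ADMIN_DN = "cn=admin,dc=yunohost,dc=org"

# The four olcAccess values from olcDatabase={1}mdb.ldif as quoted in the
# thread, with the LDIF continuation lines joined.
OLC_ACCESS = [
    '{0}to attrs=userPassword,shadowLastChange by dn.base="cn=admin,dc=yunohost,dc=org" write by anonymous auth by self write by * none',
    '{1}to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn by dn.base="cn=admin,dc=yunohost,dc=org" write by self write by * read',
    '{2}to dn.base="" by * read',
    '{3}to * by dn.base="cn=admin,dc=yunohost,dc=org" write by group/groupOfNames/member.exact="cn=admin,ou=groups,dc=yunohost,dc=org" write by * read',
]

# Constructed entries: a regular user, and a group membership table standing
# in for the real cn=admin groupOfNames entry (bob is an assumed extra member).
ALICE = "uid=alice,ou=users,dc=yunohost,dc=org"
BOB = "uid=bob,ou=users,dc=yunohost,dc=org"
GROUPS = {"cn=admin,ou=groups,dc=yunohost,dc=org": {ADMIN_DN, BOB}}


def parse_rule(line):
    """'{n}to WHAT by WHO LEVEL [by WHO LEVEL ...]' -> (WHAT, [(WHO, LEVEL), ...])."""
    tokens = shlex.split(re.sub(r"^\{\d+\}", "", line))  # shlex strips the quotes
    if tokens[0] != "to":
        raise ValueError(f"not an access rule: {line}")
    what, rest, clauses = tokens[1], tokens[2:], []
    while rest:
        if rest[0] != "by" or len(rest) < 3:
            raise ValueError(f"malformed by-clause in: {line}")
        clauses.append((rest[1], rest[2]))
        rest = rest[3:]
    return what, clauses


def what_matches(what, entry_dn, attr):
    """Does the 'to' target cover attribute attr of entry entry_dn?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what.startswith("dn.base="):       # exact DN; "" is the root DSE
        return entry_dn == what[len("dn.base="):]
    return False


def who_matches(who, requester_dn, entry_dn):
    """Does the 'by' subject cover requester_dn (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn == entry_dn
    if who.startswith("dn.base="):
        return requester_dn == who[len("dn.base="):]
    if who.startswith("group/"):          # group/<objectclass>/<attr>.exact=<dn>
        return requester_dn in GROUPS.get(who.split("=", 1)[1], set())
    return False


def access_level(requester_dn, entry_dn, attr, rules=OLC_ACCESS):
    """Level requester_dn gets on attr of entry_dn under rules."""
    for what, clauses in map(parse_rule, rules):
        if not what_matches(what, entry_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, requester_dn, entry_dn):
                return level
        return "none"                      # 'to' matched, no 'by' did: deny
    return "none"


def allows(level, needed):
    """True if access level `level` is at least `needed`."""
    return LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    for attr in ("uid", "mail", "userPassword"):
        lvl = access_level(None, ALICE, attr)
        print(f"anonymous on {attr:<12}: {lvl:<5} read={allows(lvl, 'read')}")
    print("admin on uid:", access_level(ADMIN_DN, ALICE, "uid"))
```

Run as written, it shows that an anonymous client gets `read` on uid, cn, mail and every other attribute not named in rules {0} and {1}, and `auth` on userPassword (enough to bind, not to read the hash). That is exactly the exposure the reply warns about once port 389 is reachable from the internet. It also shows that cn=admin has `write` on everything, so the admin DN the thread uses as the Nextcloud bind account gives that remote host full write access to the directory; a dedicated read-only bind DN would be the least-privilege choice, but the ACL as posted has no clause for one.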

Cool thanks for sharing

Sorry for the necro, but

@voxdemonix I know this might be a long shot, but do you still have the tutorials hosted somewhere else? Because all the links are broken.

Thank you!

Even though this post is older, I just wanted to drop an update on the topic here.

Under Yunohost v3.6 I managed the external connection as follows:

  1. in /etc/default/slapd comment out this line SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" to unbind the local binding

  2. restart the LDAP daemon with sudo systemctl restart slapd

  3. finally open the LDAP port 389 to the outside, so that external clients have access to the server: sudo yunohost firewall allow TCP 389

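As an added example (not from the thread or from the Yunohost project), here is the same three-step procedure as a POSIX shell script, with two changes a practitioner would want: the loopback listener that local apps use is kept and the VPN address is added next to it instead of the whole SLAPD_SERVICES line being commented out, and TCP/389 is opened only for the VPN subnet with iptables rather than with `yunohost firewall allow TCP 389`, which opens it to every source (the limitation complained about earlier in the thread). The VPN address 10.8.0.1 and subnet 10.8.0.0/24 are assumptions; the thread only says 10.8.0.x.

```shell
#!/bin/sh
# Added example, not from the thread or the Yunohost project. Same three steps
# as the post above, but (a) the loopback listener local apps use is kept and
# the VPN address is added next to it, and (b) TCP/389 is admitted only from
# the VPN subnet via iptables instead of opening it to every source.
# Assumed values (the thread only says 10.8.0.x): VPN address of this host
# 10.8.0.1, VPN subnet 10.8.0.0/24. Override with VPN_ADDR / VPN_NET.
VPN_ADDR="${VPN_ADDR:-10.8.0.1}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
SLAPD_DEFAULT="/etc/default/slapd"

# add_listener CURRENT ADDR -> CURRENT with "ldap://ADDR:389/" inserted after
# the first URL (the loopback one), or unchanged if already present. Pure text.
add_listener() {
    cur="$1"
    new="ldap://$2:389/"
    case " $cur " in
        *" $new "*) printf '%s\n' "$cur"; return 0 ;;
    esac
    set -f; set -- $cur; set +f        # split on whitespace, no globbing
    first="$1"; shift
    rest="$*"
    printf '%s\n' "$first $new${rest:+ $rest}"
}

# firewall_rule NET -> the one iptables command that admits NET to port 389.
# Inserted at the head of INPUT so it is evaluated before Yunohost's own rules;
# every other source keeps being blocked as before (389 is not allowed in
# the Yunohost firewall at all).
firewall_rule() {
    printf 'iptables -I INPUT -p tcp --dport 389 -s %s -j ACCEPT\n' "$1"
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    cur=$(sed -n 's/^SLAPD_SERVICES="\(.*\)"$/\1/p' "$SLAPD_DEFAULT")
    [ -n "$cur" ] || { echo "no active SLAPD_SERVICES line in $SLAPD_DEFAULT" >&2; return 1; }
    new=$(add_listener "$cur" "$VPN_ADDR")
    cp "$SLAPD_DEFAULT" "$SLAPD_DEFAULT.bak"
    sed -i "s|^SLAPD_SERVICES=.*|SLAPD_SERVICES=\"$new\"|" "$SLAPD_DEFAULT"
    systemctl restart slapd
    firewall_rule "$VPN_NET" | sh -e     # not persistent across reboots
    ss -ltn | grep ':389 '               # expect 127.0.0.1:389 and 10.8.0.1:389
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Run it as `sh script.sh apply` on the Yunohost box. Two caveats: the iptables rule is added live only and is not saved, so the thread's open question about persisting it is not answered here; and plain `ldap://` sends the bind password in clear, which is acceptable inside the VPN but not across untrusted networks. Note that the quoted SLAPD_SERVICES line already contains `ldaps:///` on all interfaces, so for clients outside the VPN the option is to open 636 (LDAP over TLS, which needs a certificate the thread does not cover) rather than 389.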

Mmmm I just tried what you recommend and it raises this error every time at every login attempt.

A more precise error :

Unable to reach LDAP server

Sorry for re-opening this ticket, but the how-tos from @voxdemonix are not accessible. Have you got another website with this, or is this integrated into the Yunohost FAQ?

I need a solution other than commenting out the line in the /etc/default/slapd file, to be able to retrieve my users in Nextcloud hosted on a secondary server.