Overview
Replaced OpenLDAP with GLauth, because I was looking for a minimalistic setup. I noticed a bit too late that lldap might have been a better match…
Files Created
/usr/local/bin/glauth # Binary
/etc/glauth/glauth.cfg # Configuration
/etc/systemd/system/glauth.service # Systemd service
/var/log/glauth/ # Logs (optional)
Configuration Highlights
- Domain: dc=121013,dc=dpdns,dc=org
- LDAPS Port: 636
- Certificates: /etc/letsencrypt/live/mydomain/
  - cert: fullchain.pem
  - key: privkey.pem
- Users: admin, mikael, etc, observer
- Groups: parents (5001), kids (5002), services (5003)
DN Format
GLauth uses the primary group as the OU:
cn=<username>,ou=<primarygroup>,dc=mydomain
Examples:
cn=admin,ou=parents,dc=mydomain
cn=observer,ou=services,dc=mydomain
Essential Commands
Service Management
sudo systemctl status glauth
sudo systemctl restart glauth
sudo journalctl -u glauth -f
Testing Authentication
# Basic auth test (bind as admin, then look up mikael)
# LDAPTLS_REQCERT=never disables certificate verification; once the Let's Encrypt cert is
# in place, connect via the hostname on the cert instead of localhost and drop it
LDAPTLS_REQCERT=never ldapsearch -LLL -H ldaps://localhost:636 \
-D cn=admin,ou=parents,dc=mydomain \
-w password \
-x \
-b dc=mydomain \
cn=mikael
# Test TLS connection
openssl s_client -connect localhost:636 -showcerts
Generate Bcrypt Passwords
# strip the leading ':' and the trailing newline before hex-encoding (otherwise the newline
# becomes part of the stored hash and the password never verifies); xxd -p wraps its output
# at 60 hex chars, so the final tr joins it into the single value passbcrypt expects
htpasswd -bnBC 10 "" password | tr -d ':\n' | xxd -p | tr -d '\n'
Backup These Files
/etc/glauth/glauth.cfg
/etc/systemd/system/glauth.service
Certificate renewal is automatic via Let’s Encrypt, but glauth needs a restart after renewal (hot-reload doesn’t work for the LDAPS section).
Observer Account
Created for service integrations (e.g., Tinyauth):
- User: observer
- DN: cn=observer,ou=services,dc=mydomain
- Capability: search-only access to the entire directory
- Usage: LDAP_BIND_DN and LDAP_BIND_PASSWORD in service configs