OpenLDAP
Introduction
This document contains notes on configuring and installing OpenLDAP on Debian 6.0 (Squeeze).
Installation
Install the slapd package.
Depending on your package management settings (debconf), you may be
asked more questions. Where the default is only to ask high
priority questions, you will only be asked to specify a new admin
password. In this situation, the DNS domain name defaults to that
provided by hostname --domain for your installation. This
results in the DN of the admin user for a host name of myhost.co.uk
having the following form:
cn=admin,dc=myhost,dc=co,dc=uk
The database backend defaults to HDB.
You can re-configure the package with:
# dpkg-reconfigure slapd
This asks questions at the low priority level.
You should also install the ldap-utils package, although
it may be automatically installed when installing
slapd.
Configuration
Creating initial configuration using the config directory format
This section describes how to create an initial configuration from scratch, instead of using the Debian package configuration.
This has the advantage that you will have an LDIF file containing and describing the configuration, which may be useful in the future, from both a reference and recovery perspective.
If you wish to do this, choose the option not to create the initial
database and configuration during installation of the slapd
package. Alternatively, delete the configuration files and database as
appropriate in /etc/ldap/slapd.* and
/var/lib/ldap/.
However, it can be extremely difficult to determine why your
configuration fails. To add to the difficulty, line numbers in error
messages are incremented by the size of any included files. It may be
easier to start off with a working slapd.conf and then convert
it. See the section below which describes how to convert it to the
config directory format. You can then save the configuration using
ldapsearch, then add appropriate comments to the
configuration file for future reference.
Create your initial configuration file using a combination of the descriptions in the OpenLDAP admin guide – Configuration Example and the example configuration file provided in the man pages for slapd-config(5).
The following is a fairly minimal example LDIF configuration file:
# Global configuration entry
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/ldap/slapd.conf
olcConfigDir: /etc/ldap/slapd.d
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
# module, config
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_bdb
# internal schema
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
# include schema
include: file:///etc/ldap/schema/core.ldif
include: file:///etc/ldap/schema/cosine.ldif
include: file:///etc/ldap/schema/nis.ldif
include: file:///etc/ldap/schema/inetorgperson.ldif
# global database parameters
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: to * by * read
# set a rootpw for the config database so we can bind.
# deny access to everyone else.
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by * none
olcRootDN: cn=config
olcRootPW: VerySecret
# BDB definition
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=myhost,dc=co,dc=uk
olcRootDN: cn=admin,dc=myhost,dc=co,dc=uk
olcRootPW: Secret
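As an added example (not part of the original notes), a small Python audit of a cn=config LDIF such as the one above. It flags a cleartext olcRootPW (both passwords above are stored unhashed; slappasswd produces a {SSHA} value to use instead), any olcAccess that gives everyone read or write, and a database with no olcAccess of its own, which above means the frontend's "to * by * read" rule lets anonymous clients read the whole bdb suffix. The sample LDIF inside the block is constructed from the entries above, with one value folded the way slapcat writes long lines.

```python
# Constructed sample (not a real server's config): the frontend, config and bdb entries above.
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
olcAccess: to * by dn.exact="cn=admin,dc=myhost,dc=co,dc=u
 k" write by * read

dn: olcDatabase=config,cn=config
olcAccess: to * by * none
olcRootPW: {SSHA}placeholder-not-a-real-hash

dn: olcDatabase=bdb,cn=config
olcSuffix: dc=myhost,dc=co,dc=uk
olcRootDN: cn=admin,dc=myhost,dc=co,dc=uk
olcRootPW: Secret
"""

def parse_ldif(text):  # -> [(dn, {attr: [values]})]; comments dropped, folded lines joined
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # continuation line: join, dropping its leading space
            unfolded[-1] += raw[1:]
        elif not raw.startswith("#"):
            unfolded.append(raw)
    entries, dn, attrs = [], None, {}
    for line in unfolded + [""]:               # trailing "" flushes the final entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif line.startswith("dn:"):
            dn = line[3:].strip()
        else:
            name, _, value = line.partition(":")
            attrs.setdefault(name, []).append(value.strip())
    return entries

def audit(ldif_text):
    """Findings: cleartext olcRootPW, ACLs open to everyone, databases with no ACL of their own."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        for pw in attrs.get("olcRootPW", []):
            if not pw.startswith("{"):         # slappasswd output carries a {SCHEME} tag
                findings.append(f"{dn}: olcRootPW is cleartext; store a slappasswd hash instead")
        for acl in attrs.get("olcAccess", []):
            for level in ("read", "write", "manage"):
                if f"by * {level}" in acl:     # 'by *' matches every client, anonymous included
                    findings.append(f"{dn}: '{acl}' gives anonymous clients {level} access")
        if "olcSuffix" in attrs and "olcAccess" not in attrs:
            findings.append(f"{dn}: no olcAccess, so the frontend ACL governs {attrs['olcSuffix'][0]}")
    return findings
```

Run audit() over the output of slapcat -b cn=config (see the Backup section) to check a live configuration.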
Make sure there are no files in the /etc/ldap/slapd.d
and /var/lib/ldap folders, so that we start off with a
completely clean database and configuration.
Once you have your configuration file, e.g.
/etc/ldap/myconfig.ldif, create the initial config
directory with the following command:
$ sudo mkdir /etc/ldap/slapd.d
$ sudo chown openldap.openldap /etc/ldap/slapd.d
$ sudo chmod 750 /etc/ldap/slapd.d
$ sudo -u openldap slapadd -F /etc/ldap/slapd.d -n 0 \
-l /etc/ldap/myconfig.ldif
You can also test the config directory with the following command:
$ sudo -u openldap slaptest -u -F /etc/ldap/slapd.d
If necessary, create the /var/lib/ldap folder:
$ sudo mkdir /var/lib/ldap
$ sudo chown openldap.openldap /var/lib/ldap
$ sudo chmod 700 /var/lib/ldap
Then start slapd:
$ sudo /etc/init.d/slapd start
Add the initial entry for the suffix:
$ cat << EOF | ldapmodify -a -x -D 'cn=admin,dc=myhost,dc=co,dc=uk' -w Secret
dn: dc=myhost,dc=co,dc=uk
objectClass: domain
dc: myhost
EOF
Check you can access it:
$ ldapsearch -L -D 'cn=admin,dc=myhost,dc=co,dc=uk' -b 'dc=myhost,dc=co,dc=uk' -x -w Secret
Optionally, create a role entry:
$ cat << EOF | ldapmodify -a -x -D 'cn=admin,dc=myhost,dc=co,dc=uk' -w Secret
dn: cn=Test Role,dc=myhost,dc=co,dc=uk
objectClass: organizationalRole
cn: Test Role
EOF
Optionally, delete all the objects under the suffix:
$ ldapdelete -x -D 'cn=admin,dc=myhost,dc=co,dc=uk' -w Secret \
-v -r "dc=myhost,dc=co,dc=uk"
Adding another database to config directory format
Note: the database must be in a different directory to the other databases.
$ sudo mkdir /var/local/ldap
$ sudo chown openldap.openldap /var/local/ldap
$ sudo chmod 750 /var/local/ldap
$ cat << EOF | ldapmodify -a -x -D 'cn=config' -w VerySecret
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcDbDirectory: /var/local/ldap
olcSuffix: dc=mynewhost,dc=co,dc=uk
olcRootDN: cn=admin,dc=mynewhost,dc=co,dc=uk
olcRootPW: Secret
EOF
Add the initial entry for the suffix:
$ cat << EOF | ldapmodify -a -x -D 'cn=admin,dc=mynewhost,dc=co,dc=uk' -w Secret
dn: dc=mynewhost,dc=co,dc=uk
objectClass: dcObject
objectClass: organization
dc: mynewhost
o: Test
EOF
Converting from slapd.conf to slapd.d config directory format
An existing slapd.conf file can be converted to the slapd.d config directory format. Firstly, make sure the existing slapd.conf file has a database config section by adding something similar to the following to the end of the file:
database config
rootpw VerySecret
Then start slapd with both options specified:
# /etc/init.d/slapd stop
# /usr/sbin/slapd -u openldap -g openldap \
-f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d -d 255
See the -F option in man slapd for full details, and Section 5.4 of the Admin guide.
After converting the configuration, check you can access the configuration objects:
$ ldapsearch -x -b cn=config -D cn=config -W
By redirecting the output of the above command to a file, you will have your configuration saved in an LDIF format, which could be used to re-create the config directory.
The old configuration file is no longer required.
Searching
List all objects
$ ldapsearch -x -D 'cn=admin,dc=myhost,dc=co,dc=uk' -b 'dc=myhost,dc=co,dc=uk' -W '(objectclass=*)'
Backup
Each database can be backed up using slapcat, optionally with slapd not running:
$ sudo -u openldap slapcat -F /etc/ldap/slapd.d -b "cn=config" -l config.ldif
$ sudo -u openldap slapcat -F /etc/ldap/slapd.d -b "dc=myhost,dc=co,dc=uk" -l myhost.ldif
Use slapadd to add the entries back into the
database.
Tools
The jxplorer package provides a nice GUI LDAP
client.
Troubleshooting
You can run slapd in debug mode with:
# /etc/init.d/slapd stop
# /usr/sbin/slapd -u openldap -g openldap -f /etc/ldap/slapd.conf -d 255
Alternatively, increase the loglevel in the
configuration to 255. See man slapd.conf.
Invalid suffix in configuration
This error can be caused if the configuration doesn’t include the
schema for the attributes being used. E.g. a suffix of
“dc=fdsd,dc=co,dc=uk” may be rejected as an invalid DN. You probably
need to include some schema definitions, e.g. the following are included
in the example slapd.conf shipped with the Debian
slapd package:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
The dc attribute is defined in
core.schema.
– Frank Dean - 1 Jan 2012