Install an LDAP Server

I use OpenLDAP, of course 😉

To install it:

aptitude install ldap-server
 Note: selecting "slapd" instead of the
 virtual package "ldap-server"
 The following NEW packages will be installed:
 libodbc1{a} libperl5.14{a} libslp1{a} slapd
 0 packages upgraded, 4 newly installed, 0 to remove and 7 not upgraded.
 Need to get 2,072 kB of archives. After unpacking 4,899 kB will be used.
 Do you want to continue? [Y/n/?] Y

To configure it:

dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name: example.com
Organization name: example.com
Administrator password: <PASSWORD>
Confirm password: <PASSWORD>
Database backend to use: HDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No

Now, modify ldap configuration:

vi /etc/ldap/ldap.conf
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI     ldap://192.168.12.100

BASE: the default base DN used when performing LDAP operations, i.e. the subtree you want searches to start from when no base is given explicitly.

URI: your server name or IP. You can append ":port" to the IP/name to change the default port (389 for ldap://, 636 for ldaps://).
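As an added example (not part of the original post), here is a small Python helper that parses these two ldap.conf settings, resolves the URI to scheme, host and port using the defaults given above, and flags a plain ldap:// URI that points at a remote host, since a simple bind over it carries the administrator password across the network in clear unless TLS is used. The sample file content and the helper names are constructed for this example.

```python
"""Parse /etc/ldap/ldap.conf-style settings and resolve the effective LDAP endpoint.

Added example, not from the original post. It relies only on the BASE and URI
keywords as described in ldap.conf(5); the sample content below is constructed.
"""
from urllib.parse import urlsplit

# Constructed sample of an /etc/ldap/ldap.conf file (the two settings from the post).
SAMPLE_LDAP_CONF = """\
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI     ldap://192.168.12.100
"""

# Default ports per scheme, as stated in the post.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_conf(text):
    """Return {KEYWORD: value} for every non-comment 'KEYWORD value' line.

    Keywords are case-insensitive in ldap.conf(5); they are normalised to upper
    case here. A later occurrence overrides an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value: ignored
        settings[parts[0].upper()] = parts[1].strip()
    return settings


def resolve_uri(uri):
    """Split one LDAP URI into (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme in URI: %r" % uri)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def endpoint_warnings(settings):
    """Flag settings worth reviewing before this file is rolled out to clients."""
    warnings = []
    uri = settings.get("URI")
    if uri is None:
        warnings.append("no URI set: clients fall back to ldap://localhost")
        return warnings
    for single in uri.split():  # URI may list several space-separated servers
        scheme, host, port = resolve_uri(single)
        if scheme == "ldap" and host not in ("localhost", "127.0.0.1", "::1"):
            warnings.append(
                "%s:%d uses plain ldap://; binds and passwords cross the network in clear "
                "unless TLS is required (ldaps:// or StartTLS)" % (host, port))
    if "BASE" not in settings:
        warnings.append("no BASE set: ldapsearch will use an empty base DN unless -b is given")
    return warnings


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print("settings:", conf)
    for w in endpoint_warnings(conf):
        print("warning:", w)
```

Run against the post's own settings the script reports the BASE and URI it found and one warning, because 192.168.12.100 is reached over plain ldap://.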

Restart the ldap server:

/etc/init.d/slapd restart

Test it:

To test our server, we must install ldap tools:

aptitude install ldap-utils

Then, run the ldapsearch tool or slapcat:

ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

All things sound good 🙂

Now, time to set up a bit more:

Missing slapd.conf?

Since version 2.4.23-3 the configuration of OpenLDAP has been changed to /etc/ldap/slapd.d by default. The OpenLDAP packages in Debian provide an automatic migration to the new configuration style. With the new configuration style it is possible to change values on the fly without restarting slapd. Changes are made through the use of ldif files and ldap{add,modify}. In Debian you can use the following command to search the configuration:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

To modify configuration use the command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f <file.ldif>

For configuration options see the several manpages that exist or the documentation provided upstream.

The use of slapd.conf remains possible (optional).


Indexes:

For better performance do more indexing than the default.

With slapd.conf, modify /etc/ldap/slapd.conf to contain the following:

index   objectClass             eq
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   uid                     pres,sub,eq
index   displayName             pres,sub,eq
index   default                 sub
index   uidNumber               eq
index   gidNumber               eq
index   mail,givenName          eq,subinitial
index   dc                      eq

After new indexes have been defined or other major database changes have been made (e.g. slapadd was used), it is best to recreate the indexes. Note that you should stop slapd before recreating the indexes and fix the permissions afterward (not needed with Debian Wheezy).

 /etc/init.d/slapd stop
 slapindex
 chown -R openldap:openldap /var/lib/ldap
 /etc/init.d/slapd start

With cn=config

Create an LDIF file: olcDbIndex.ldif

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

Use ldapmodify to add these settings to the directory:

ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcDbIndex.ldif

Don't forget the lone "-" line between each add! After the modification is applied, slapd launches an internal task to build the indexes. Don't stop slapd during this indexing.
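The two index sections above describe the same indexes in two notations. As an added example (not from the original post), the following Python script converts slapd.conf index lines into the equivalent olcDbIndex LDIF, inserting the "-" separator between changes, and checks a modify LDIF for a missing separator before it is handed to ldapmodify. The sample input is the page's own index list (without objectClass, which the page's LDIF also leaves out); the database DN defaults to the page's olcDatabase={1}hdb,cn=config, and the function names are my own.

```python
"""Turn slapd.conf 'index' directives into an olcDbIndex LDIF for ldapmodify.

Added example, not from the original post. It assumes the slapd.conf syntax
'index <attrlist> <indices>' and the cn=config attribute olcDbIndex, both as
used on the page; the target database DN is the page's {1}hdb.
"""

# Constructed input: the slapd.conf index lines from the page, minus objectClass.
SAMPLE_SLAPD_CONF = """\
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   uid                     pres,sub,eq
index   displayName             pres,sub,eq
index   default                 sub
index   uidNumber               eq
index   gidNumber               eq
index   mail,givenName          eq,subinitial
index   dc                      eq
"""

# Index types accepted by slapd.conf(5) / olcDbIndex.
VALID_INDEX_TYPES = {"pres", "eq", "approx", "sub", "subinitial", "subany",
                     "subfinal", "notags", "nolang"}


def parse_index_directives(text):
    """Return [(attrlist, indices)] for every 'index' line, validating the index types."""
    directives = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 3 or parts[0].lower() != "index":
            continue  # not an index directive (comment, blank, other keyword)
        attrlist, indices = parts[1], parts[2]
        bad = set(indices.split(",")) - VALID_INDEX_TYPES
        if bad:
            raise ValueError("unknown index type(s) %s on line: %s" % (sorted(bad), raw.strip()))
        directives.append((attrlist, indices))
    return directives


def build_olcdbindex_ldif(directives, database_dn="olcDatabase={1}hdb,cn=config"):
    """Emit one 'add: olcDbIndex' change per directive, separated by the mandatory '-' lines."""
    lines = ["dn: %s" % database_dn, "changetype: modify"]
    for i, (attrlist, indices) in enumerate(directives):
        if i:
            lines.append("-")  # separator between changes; without it ldapmodify rejects the record
        lines.append("add: olcDbIndex")
        lines.append("olcDbIndex: %s %s" % (attrlist, indices))
    return "\n".join(lines) + "\n"


def check_modify_ldif(ldif):
    """Sanity check: every change after the first must be preceded by a lone '-' line."""
    lines = ldif.rstrip("\n").split("\n")
    seen_change = False
    for idx, line in enumerate(lines):
        if line.split(":")[0] in ("add", "replace", "delete"):
            if seen_change and lines[idx - 1] != "-":
                return False
            seen_change = True
    return True


if __name__ == "__main__":
    ldif = build_olcdbindex_ldif(parse_index_directives(SAMPLE_SLAPD_CONF))
    assert check_modify_ldif(ldif)
    print(ldif, end="")  # redirect to olcDbIndex.ldif and feed to ldapmodify -Y EXTERNAL -H ldapi:///
```

The generated file matches the hand-written olcDbIndex.ldif above line for line; the checker exists because a dropped separator is the usual reason ldapmodify refuses such a file.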


Access control

…..
