OpenLDAP
Introduction
This document contains notes on configuring and installing OpenLDAP on Debian 6.0 (Squeeze).
Installation
Install the slapd package.
Depending on your package management settings (debconf), you may be asked more questions. Where the default is only to ask high priority questions, you will only be asked to specify a new admin password. In this situation, the DNS domain name defaults to that provided by hostname --domain for your installation. This results in the dn for the admin user for a host name of myhost.co.uk being of the following format:
cn=admin,dc=myhost,dc=co,dc=uk
The database backend defaults to HDB.
You can re-configure the package with:
# dpkg-reconfigure slapd
which asks questions at the low priority level.
You should also install the ldap-utils package, although it may be automatically installed when installing slapd.
Configuration
Creating initial configuration using the config directory format
This section describes how to create an initial configuration from scratch, instead of using the Debian package configuration.
This has the advantage that you will have an LDIF file containing and describing the configuration, which may be useful in the future, from both a reference and recovery perspective.
If you wish to do this, choose the option not to create the initial database and configuration during installation of the slapd package. Alternatively, delete the configuration files and database as appropriate in /etc/ldap/slapd.* and /var/lib/ldap/.
However, it can be extremely difficult to determine why your configuration fails. To add to the difficulty, line numbers in error messages are incremented by the size of any included files. It may be easier to start off with a working slapd.conf and then convert it. See the section below which describes how to convert it to the config directory format. You can then save the configuration using ldapsearch, then add appropriate comments to the configuration file for future reference.
Create your initial configuration file using a combination of the descriptions in the OpenLDAP admin guide – Configuration Example and the example configuration file provided in the man pages for slapd-config(5).
The following is a fairly minimal example LDIF configuration file:
# Global configuration entry
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/ldap/slapd.conf
olcConfigDir: /etc/ldap/slapd.d
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
# module, config
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_bdb
# internal schema
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
# include schema
include: file:///etc/ldap/schema/core.ldif
include: file:///etc/ldap/schema/cosine.ldif
include: file:///etc/ldap/schema/nis.ldif
include: file:///etc/ldap/schema/inetorgperson.ldif
# global database parameters
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: to * by * read
# set a rootpw for the config database so we can bind.
# deny access to everyone else.
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by * none
olcRootDN: cn=config
olcRootPW: VerySecret
# BDB definition
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=myhost,dc=co,dc=uk
olcRootDN: cn=admin,dc=myhost,dc=co,dc=uk
olcRootPW: Secret
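The example above stores olcRootPW (and, later on this page, the slapd.conf rootpw directive) as cleartext, which means anyone who can read the config LDIF or a slapcat backup also has the admin credential. slapd accepts a hashed value instead; slappasswd(8) generates one, and the {SSHA} scheme it produces by default is simply base64(SHA-1(password + salt) + salt). The following is an added example, not code from the page or from the OpenLDAP project, that produces and verifies such a value without needing slappasswd installed; the 4-byte salt length matches slappasswd's default.

```python
"""Generate and verify OpenLDAP {SSHA} password hashes.

Added example, not from the original page. The string returned by
ssha_hash() can be used in place of the cleartext 'olcRootPW: Secret'
(or 'rootpw VerySecret' in slapd.conf). Format, as produced by
slappasswd(8) with default settings:
    '{SSHA}' + base64( sha1(password + salt) + salt )
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} value for *password*.

    A random 4-byte salt is used by default (slappasswd's default length);
    pass an explicit salt only when a reproducible value is needed, e.g. in tests.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check *password* against an {SSHA} value; the salt is recovered from it."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest, candidate)


def is_hashed(value: str) -> bool:
    """True if a rootpw/olcRootPW value carries a scheme prefix such as {SSHA}."""
    return value.startswith("{") and "}" in value


if __name__ == "__main__":
    h = ssha_hash("Secret")
    print("olcRootPW:", h)
    print("verify 'Secret' ->", ssha_verify(h, "Secret"))
    print("verify 'wrong'  ->", ssha_verify(h, "wrong"))
```

Paste the printed value into the LDIF as the olcRootPW attribute; slapd will match binds against it the same way it matches slappasswd output.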
Make sure there are no files in the /etc/ldap/slapd.d and /var/lib/ldap folders, so that we start off with a completely clean database and configuration.
Once you have your configuration file, e.g. /etc/ldap/myconfig.ldif, create the initial config directory with the following commands:
$ sudo mkdir /etc/ldap/slapd.d
$ sudo chown openldap.openldap /etc/ldap/slapd.d
$ sudo chmod 750 /etc/ldap/slapd.d
$ sudo -u openldap slapadd -F /etc/ldap/slapd.d -n 0 \
-l /etc/ldap/myconfig.ldif
You can also test the config directory with the following command:
$ sudo -u openldap slaptest -u -F /etc/ldap/slapd.d
If necessary, create the /var/lib/ldap folder:
$ sudo mkdir /var/lib/ldap
$ sudo chown openldap.openldap /var/lib/ldap
$ sudo chmod 700 /var/lib/ldap
Then start slapd:
$ sudo /etc/init.d/slapd start
Add the initial entry for the suffix:
$ cat << EOF | ldapmodify -a -x -D 'cn=admin,dc=myhost,dc=co,dc=uk' -w Secret
dn: dc=myhost,dc=co,dc=uk
objectClass: domain
EOF
Check you can access it:
$ ldapsearch -L -D 'cn=admin,dc=myhost,dc=co,dc=uk' -b 'dc=myhost,dc=co,dc=uk' -x -w Secret
Optionally, create a role entry:
$ cat << EOF | ldapmodify -a -x -D 'cn=admin,dc=myhost,dc=co,dc=uk' -w Secret
dn: cn=test,dc=myhost,dc=co,dc=uk
objectClass: organizationalRole
cn: Test Role
EOF
Optionally, delete all the objects under the suffix:
$ ldapdelete -x -D 'cn=admin,dc=myhost,dc=co,dc=uk' -w Secret \
    -v -r "dc=myhost,dc=co,dc=uk"
Adding another database to config directory format
Note: the new database must use a different olcDbDirectory from every other database on the server.
$ sudo mkdir /var/local/ldap
$ sudo chown openldap.openldap /var/local/ldap
$ sudo chmod 750 /var/local/ldap
$ cat << EOF | ldapmodify -a -x -D 'cn=config' -w VerySecret
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcDbDirectory: /var/local/ldap
olcSuffix: dc=mynewhost,dc=co,dc=uk
olcRootDN: cn=admin,dc=mynewhost,dc=co,dc=uk
olcRootPW: Secret
EOF
Add the initial entry for the suffix:
$ cat << EOF | ldapmodify -a -x -D 'cn=admin,dc=mynewhost,dc=co,dc=uk' -w Secret
dn: dc=mynewhost,dc=co,dc=uk
objectClass: dcObject
objectClass: organization
o: Test
EOF
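Once a configuration has been saved as LDIF (the minimal example earlier, or a dump of cn=config after adding the second database), it is worth checking it for the constraints this page relies on. The following is an added example, not code or tooling from the page or from OpenLDAP: a small LDIF parser and a lint that reports cleartext olcRootPW values, two databases sharing one olcDbDirectory (the note above), and a frontend ACL of "to * by * read", which lets anonymous binds read every entry. The sample LDIF inside it is constructed from the page's example configuration, with the index prefixes ({0}, {1}) that slapd adds to database names.

```python
"""Lint a cn=config LDIF dump for problems this page's setup can leave behind.

Added example, not from the original page. Works on LDIF as written by
'ldapsearch -b cn=config' or 'slapcat -b cn=config'. Reports:
  * olcRootPW values without a scheme prefix (stored in cleartext),
  * two databases configured with the same olcDbDirectory,
  * a frontend ACL 'to * by * read' (anonymous read of everything).
"""
import base64
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample, modelled on the page's configuration after a second
# bdb database has been added. Attribute names are case-insensitive in LDAP.
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by * read

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcRootDN: cn=config
olcRootPW: VerySecret

dn: olcDatabase={1}bdb,cn=config
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=myhost,dc=co,dc=uk
olcRootPW: {SSHA}placeholderHashValueNotReal00000

dn: olcDatabase={2}bdb,cn=config
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mynewhost,dc=co,dc=uk
olcRootPW: Secret
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into a list of entries mapping lowercased attribute -> values.
    Base64 values ('attr:: ...') are decoded; comments and 'version:' are skipped."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):              # '::' marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def normalize_acl(acl: str) -> str:
    """Drop the '{n}' ordering prefix and collapse whitespace for comparison."""
    return " ".join(re.sub(r"^\{-?\d+\}", "", acl).split())


def lint_config(entries: List[Entry]) -> List[str]:
    """Return human-readable findings for the checks described in the docstring."""
    findings: List[str] = []
    dir_users: Dict[str, List[str]] = {}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        for pw in e.get("olcrootpw", []):
            if not (pw.startswith("{") and "}" in pw):
                findings.append(f"{dn}: olcRootPW is cleartext; store a slappasswd hash instead")
        for d in e.get("olcdbdirectory", []):
            dir_users.setdefault(d, []).append(dn)
        if "frontend" in dn.lower():
            for acl in e.get("olcaccess", []):
                if normalize_acl(acl) == "to * by * read":
                    findings.append(f"{dn}: olcAccess 'to * by * read' lets anonymous users read everything")
    for d, dns in dir_users.items():
        if len(dns) > 1:
            findings.append(f"olcDbDirectory {d} is shared by {', '.join(dns)}; each database needs its own directory")
    return findings


if __name__ == "__main__":
    for finding in lint_config(parse_ldif(SAMPLE_LDIF)):
        print("-", finding)
```

Run it against the real dump with `python3 lint.py < config.ldif` after replacing SAMPLE_LDIF with `sys.stdin.read()`; on the sample it reports four findings (two cleartext passwords, the shared directory, and the frontend ACL).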
Converting from slapd.conf to slapd.d config directory format
An existing slapd.conf file can be converted to the slapd.d config directory format. Firstly, make sure the existing slapd.conf file has a database config section by adding something similar to the following to the end of the file:
database config
rootpw VerySecret
Then start slapd with both options specified:
# /etc/init.d/slapd stop
# /usr/sbin/slapd -u openldap -g openldap \
-f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d -d 255
See the -F option in man slapd for full details and Section 5.4 of the Admin guide, Converting old style slapd.conf(5) file to cn=config format.
After converting the database, check you can access the configuration objects:
$ ldapsearch -x -b cn=config -D cn=config -W
By redirecting the output of the above command to a file, you will have your configuration saved in an LDIF format, which could be used to re-create the config directory.
The old configuration file is no longer required.
Searching
List all objects
$ ldapsearch -x -D 'cn=admin,dc=myhost,dc=co,dc=uk' -b 'dc=myhost,dc=co,dc=uk' -W '(objectclass=*)'
Backup
Each database can be backed up using slapcat, optionally with slapd not running:
$ sudo -u openldap slapcat -F /etc/ldap/slapd.d -b "cn=config" -l config.ldif
$ sudo -u openldap slapcat -F /etc/ldap/slapd.d -b "dc=myhost,dc=co,dc=uk" -l myhost.ldif
Use slapadd to add the entries back into the database.
Tools
The jxplorer package provides a nice GUI LDAP client.
Trouble Shooting
You can run slapd in debug mode with:
# /etc/init.d/slapd stop
# /usr/sbin/slapd -u openldap -g openldap -f /etc/ldap/slapd.conf -d 255
Alternatively, increase the loglevel in the configuration to 255. See man slapd.conf.
Invalid suffix in configuration
This error can be caused if the configuration doesn't include the schema for the attributes being used. E.g. a suffix of "dc=fdsd,dc=co,dc=uk" may be rejected as an invalid DN. You probably need to include some schema definitions, e.g. the following are included in the example slapd.conf shipped with the Debian slapd package:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
The dc attribute is defined in core.schema.
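The cause described above can be checked mechanically before slapd is started: split the suffix into its RDN attribute types and compare them with what the included schema files define. The following is an added example, not code from the page or from OpenLDAP; the table of which attribute types each schema file defines is a deliberately small, constructed subset (the real files define far more), and the two slapd.conf fragments are constructed to mirror the page's scenario.

```python
"""Explain an 'invalid suffix' error: which attribute types in the suffix DN
are not defined by any schema file the slapd.conf includes?

Added example, not from the original page. SCHEMA_ATTRIBUTES is a small
constructed subset of the Debian-shipped schema files, for illustration only.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed subset: a few attribute types each schema file defines.
SCHEMA_ATTRIBUTES: Dict[str, Set[str]] = {
    "core.schema": {"dc", "cn", "o", "ou", "c", "l", "st", "uid"},
    "cosine.schema": {"host", "mail", "documentTitle"},
    "nis.schema": {"uidNumber", "gidNumber", "memberUid"},
    "inetorgperson.schema": {"displayName", "employeeNumber", "carLicense"},
}

# Constructed slapd.conf fragments: one with the Debian example includes, one without.
CONF_WITH_SCHEMA = """\
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
database bdb
suffix "dc=fdsd,dc=co,dc=uk"
"""
CONF_WITHOUT_SCHEMA = """\
database bdb
suffix "dc=fdsd,dc=co,dc=uk"
"""


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs, honouring backslash escapes so a
    comma inside a value (o=Foo\\, Inc) does not start a new RDN."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns: List[Tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def included_schema_files(slapd_conf: str) -> List[str]:
    """Basenames of the files pulled in by 'include' directives, in order."""
    files: List[str] = []
    for line in slapd_conf.splitlines():
        m = re.match(r"\s*include\s+(\S+)", line)
        if m:
            files.append(m.group(1).rsplit("/", 1)[-1])
    return files


def missing_schema_for_suffix(suffix: str, slapd_conf: str) -> List[str]:
    """Attribute types used in *suffix* that no included schema file defines."""
    known: Set[str] = set()
    for name in included_schema_files(slapd_conf):
        known |= {a.lower() for a in SCHEMA_ATTRIBUTES.get(name, set())}
    return sorted({attr for attr, _ in parse_dn(suffix) if attr.lower() not in known})


if __name__ == "__main__":
    suffix = "dc=fdsd,dc=co,dc=uk"
    for label, conf in (("without schema", CONF_WITHOUT_SCHEMA), ("with schema", CONF_WITH_SCHEMA)):
        missing = missing_schema_for_suffix(suffix, conf)
        print(f"{label}: undefined attribute types in suffix -> {missing or 'none'}")
```

With no include lines the check reports that dc is undefined, which is exactly the situation in which slapd refuses the suffix; once core.schema is included the list is empty.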
References
-- Frank Dean - 1 Jan 2012
Related Topics: DebianTips, DevelopmentSetup, LinuxDevelopment