OpenLDAP

Introduction

This document contains notes on configuring and installing OpenLDAP on Debian 6.0 (Squeeze).

Installation

Install the slapd package.

Depending on your package management settings (debconf), you may be asked more questions. Where the default is only to ask high priority questions, you will only be asked to specify a new admin password. In this situation, the DNS domain name defaults to that provided by hostname --domain for your installation. For a host name of myhost.co.uk, this gives an admin DN of the following format:

    cn=admin,dc=myhost,dc=co,dc=uk

The database backend defaults to HDB.

You can re-configure the package with:

    # dpkg-reconfigure slapd

This asks questions at the low priority level.

You should also install the ldap-utils package, although it may be automatically installed when installing slapd.

Configuration

Creating initial configuration using the config directory format

This section describes how to create an initial configuration from scratch, instead of using the Debian package configuration.

This has the advantage that you will have an LDIF file containing and describing the configuration, which may be useful in the future, from both a reference and recovery perspective.

If you wish to do this, choose the option not to create the initial database and configuration during installation of the slapd package. Alternatively, delete the configuration files and database as appropriate in /etc/ldap/slapd.* and /var/lib/ldap/.

However, it can be extremely difficult to determine why your configuration fails. To add to the difficulty, line numbers in error messages are incremented by the size of any included files. It may be easier to start off with a working slapd.conf and then convert it. See the section below which describes how to convert it to the config directory format. You can then save the configuration using ldapsearch, and add appropriate comments to the configuration file for future reference.

Create your initial configuration file using a combination of the descriptions in the OpenLDAP admin guide – Configuration Example and the example configuration file provided in the man page for slapd-config(5).

The following is a fairly minimal example LDIF configuration file:

# Global configuration entry
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/ldap/slapd.conf
olcConfigDir: /etc/ldap/slapd.d
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid

# module, config
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_bdb

# internal schema
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# include schema
include: file:///etc/ldap/schema/core.ldif
include: file:///etc/ldap/schema/cosine.ldif
include: file:///etc/ldap/schema/nis.ldif
include: file:///etc/ldap/schema/inetorgperson.ldif

# global database parameters
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: to * by * read

# set a rootpw for the config database so we can bind.
# deny access to everyone else.
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to *  by * none
olcRootDN: cn=config
olcRootPW: VerySecret

# BDB definition
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=myhost,dc=co,dc=uk
olcRootDN: cn=admin,dc=myhost,dc=co,dc=uk
olcRootPW: Secret

Make sure there are no files in the /etc/ldap/slapd.d and /var/lib/ldap folders, so that we start off with a completely clean database and configuration.

Once you have your configuration file, e.g. /etc/ldap/myconfig.ldif, create the initial config directory with the following command:

    $ sudo mkdir /etc/ldap/slapd.d
    $ sudo chown openldap.openldap /etc/ldap/slapd.d
    $ sudo chmod 750 /etc/ldap/slapd.d
    $ sudo -u openldap slapadd -F /etc/ldap/slapd.d -n 0 \
    -l /etc/ldap/myconfig.ldif

You can also test the config directory with the following command:

    $ sudo -u openldap slaptest -u -F /etc/ldap/slapd.d

If necessary, create the /var/lib/ldap folder:

    $ sudo mkdir /var/lib/ldap
    $ sudo chown openldap.openldap /var/lib/ldap
    $ sudo chmod 700 /var/lib/ldap

Then start slapd:

    $ sudo /etc/init.d/slapd start

Add the initial entry for the suffix:

$ cat << EOF | ldapmodify -a -x -D 'cn=admin,dc=myhost,dc=co,dc=uk' -w Secret
dn: dc=myhost,dc=co,dc=uk
objectClass: domain
EOF

Check you can access it:

$ ldapsearch -L -D 'cn=admin,dc=myhost,dc=co,dc=uk' -b 'dc=myhost,dc=co,dc=uk' -x -w Secret

Optionally, create a role entry:

$ cat << EOF | ldapmodify -a -x -D 'cn=admin,dc=myhost,dc=co,dc=uk' -w Secret
dn: cn=test,dc=myhost,dc=co,dc=uk
objectClass: organizationalRole
cn: Test Role
EOF

Optionally, delete all the objects under the suffix:

$ ldapdelete -x -D 'cn=admin,dc=myhost,dc=co,dc=uk' -w Secret \
-v -r "dc=myhost,dc=co,dc=uk"

Adding another database to config directory format

Note: the new database must use a different directory from the other databases.

$ sudo mkdir /var/local/ldap
$ sudo chown openldap.openldap /var/local/ldap
$ sudo chmod 750 /var/local/ldap
$ cat << EOF | ldapmodify -a -x -D 'cn=config' -w VerySecret
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcDbDirectory: /var/local/ldap
olcSuffix: dc=mynewhost,dc=co,dc=uk
olcRootDN: cn=admin,dc=mynewhost,dc=co,dc=uk
olcRootPW: Secret
EOF

Add the initial entry for the suffix:

$ cat << EOF | ldapmodify -a -x -D 'cn=admin,dc=mynewhost,dc=co,dc=uk' -w Secret
dn: dc=mynewhost,dc=co,dc=uk
objectClass: dcObject
objectClass: organization
o: Test
EOF

Converting from slapd.conf to slapd.d config directory format

An existing slapd.conf file can be converted to the slapd.d config directory format. Firstly, make sure the existing slapd.conf file has a database config section by adding something similar to the following to the end of the file:

    database config
    rootpw VerySecret

Then start slapd with both options specified:

    # /etc/init.d/slapd stop
    # /usr/sbin/slapd -u openldap -g openldap \
    -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d -d 255

See the -F option in man slapd for full details, and Section 5.4 of the Admin guide, which covers converting an old-style slapd.conf file to cn=config format.

After converting the database, check you can access the configuration objects:

    $ ldapsearch -x -b cn=config -D cn=config -W

By redirecting the output of the above command to a file, you will have your configuration saved in an LDIF format, which could be used to re-create the config directory.

The old configuration file is no longer required.

Searching

List all objects

    $ ldapsearch -x -D 'cn=admin,dc=myhost,dc=co,dc=uk' -b 'dc=myhost,dc=co,dc=uk' -W '(objectclass=*)'

Backup

Each database can be backed up using slapcat, optionally with slapd not running:

    $ sudo -u openldap slapcat -F /etc/ldap/slapd.d -b "cn=config" -l config.ldif
    $ sudo -u openldap slapcat -F /etc/ldap/slapd.d -b "dc=myhost,dc=co,dc=uk" -l myhost.ldif

Use slapadd to add the entries back into the database.
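The saved config.ldif, whether from the ldapsearch dump in the conversion section or from slapcat above, contains the olcRootPW values, so it needs the same protection as the config directory itself. The Python below is an added example, not code from the page, that parses such a dump (folded continuation lines and base64 'attr::' values, as ldapsearch emits them for passwords) and reports password attributes stored without a {SCHEME} prefix. The sample LDIF is constructed to mirror this page's configuration; its {SSHA} value is a placeholder, not a real hash.

```python
import base64


def parse_ldif(text):
    """Parse LDIF text into a list of {attr: [values]} dicts, one per entry."""
    entries = []
    for block in text.split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:  # folded line continues the previous one
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>', as ldapsearch emits for passwords
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name, []).append(value.strip())
        if "dn" in attrs:  # drops the 'version: 1' header and 'search:' trailer blocks
            entries.append(attrs)
    return entries


PASSWORD_ATTRS = ("olcRootPW", "userPassword")


def audit_passwords(entries):
    """Return (dn, attr) for password values with no {SCHEME} prefix, i.e. cleartext."""
    findings = []
    for entry in entries:
        for attr in PASSWORD_ATTRS:
            for value in entry.get(attr, []):
                if not value.startswith("{") or value.upper().startswith("{CLEARTEXT}"):
                    findings.append((entry["dn"][0], attr))
    return findings


# Constructed sample mirroring this page's config; the {SSHA} value is a placeholder.
SAMPLE_LDIF = """\
version: 1

# config
dn: olcDatabase=config,cn=config
olcDatabase: config
olcAccess: to * by * no
 ne
olcRootDN: cn=config
olcRootPW: VerySecret

dn: olcDatabase=bdb,cn=config
olcDatabase: bdb
olcRootPW:: """ + base64.b64encode(b"{SSHA}placeholder-not-a-real-hash").decode()
```

Run it over a real dump with parse_ldif(open('config.ldif').read()); a non-empty result means a root password is stored in the clear.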

Tools

The jxplorer package provides a nice GUI LDAP client.

Troubleshooting

You can run slapd in debug mode with:

    # /etc/init.d/slapd stop
    # /usr/sbin/slapd -u openldap -g openldap -f /etc/ldap/slapd.conf -d 255

Alternatively, increase the loglevel in the configuration to 255. See man slapd.conf.

Invalid suffix in configuration

This error can be caused if the configuration doesn't include the schema for the attributes being used. E.g. a suffix of "dc=fdsd,dc=co,dc=uk" may be rejected as an invalid DN. You probably need to include some schema definitions, e.g. the following are included in the example slapd.conf shipped with the Debian slapd package:

    # Schema and objectClass definitions
    include         /etc/ldap/schema/core.schema
    include         /etc/ldap/schema/cosine.schema
    include         /etc/ldap/schema/nis.schema
    include         /etc/ldap/schema/inetorgperson.schema

The dc attribute is defined in core.schema.


-- Frank Dean - 1 Jan 2012
