install and configure openLDAP on ubuntu
- prepare your server
- clone an ubuntu 14.04 machine -- the machine one has used for DNS is quite clean and can be cloned in the same NAT-network.
- update your system:
# apt-get update
# apt-get dist-upgrade
- install LDAP
- install ldap
# apt-get install slapd
# apt-get install ldap-utils
- test your sockets:
$ netstat -vatn | grep LISTENtcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 :::389 :::* LISTENyes, LDAP is running on port 389 in ipv4 and ipv6
- install ldap
-
glossary
LDAP: Lightweight Directory Access Protocol (open -- open source)
RTC: Runtime Configuration System
DIT: Directory Information Tree
SLAPD: Standalone L(d)AP Daemon
cn: common name
ou: organizational unit
uid: user identification
dc: domain component
dn: distinguished name
rdn: relative distinguished name
LDIF file: LDAP Data Interchange Format http://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format
SCHEMA file: The schema defines object classes. Each entry must have an objectClass attribute, containing named classes defined in the schema. The schema definition of the classes of an entry defines what kind of object the entry may represent - e.g. a person, organization or domain. The object class definitions also define the list of attributes that must contain values and the list of attributes which may contain values.
(http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Schema)
hdb: Hierarchical variant of bdb backend
bdb: Berkeley DB transactional backend
config: Slapd configuration backend - components
- contents of slapd (2.4.28-1.1ubuntu4.4)
/usr/sbin
slapcat // slapd // slaptest // slappasswd // slapschema // slapauth
slapdn // slapindex // slapacl // sbin/slapadd
/etc/ldap/schema (ppolicy/pmi/duaconf …)
/etc/ldap/sasl2
/etc/ufw/applications.d/slapd
/etc/apparmor.d/usr.sbin.slapd
/etc/init.d/slapd
/etc/default/slapd
/var/lib/slapd
/usr/lib/x86_64-linux-gnu/libslapi-2.4.so.2.8.1
/usr/lib/ldap/*.so.2.8.1
/usr/lib/ldap/*.la
/usr/lib/ldap/*.so(.2)
- contents of ldap-utils:
/usr/binldappasswd // ldapwhoami // ldapmodrdn // ldapurl // ldapmodify // ldapsearch
- contents of slapd (2.4.28-1.1ubuntu4.4)
- RTC
Note: The default installation of OpenLDAP in recent versions of Ubuntu (from at least 10.04, Lucid Lynx) use the 'new' runtime configuration (RTC) system. Much of the information on the Internet about configuring OpenLDAP refers to modifying/etc/ldap/slapd.conf-- this information does not apply directly to the RTC.
The RTC configuration is stored in the/etc/ldap/slapd.ddirectory. The directory server's configuration can be modified by editing the files in this directory and restarting slapd, but it is also possible to modify the server configuration in real-time by changing the configuration entries inthe special RTC DIT cn=configwith the tools in the ldap-utils package (ldapadd, ldapmodify, etc. ..), just as if you were dealing with a regular DIT.
RTC Configuration Notes:- Many configuration options in the RTC system have the same name as the configuration option in slapd.conf, with an olc prefix. For example, the loglevel directive becomes olcLogLevel in the RTC system.
- The default RTC installation will create two DITs: the RTC DIT (cn=config) and a starter DIT (default: dc=nodomain).
- As of Ubuntu Natty (and possibly prior to it), the 3 basic schemas, (inetorgperson, cosine, and nis) do not have to be loaded manually, contrary to the Ubuntu Server Guide's instructions. These schemas are loaded as part of the installation process.
- Some documentation and examples in the wild assume the existence of the entry cn=admin,cn=config in the RTC DIT and use this as the root Distinguished Name (DN). However, the default installation does not create any RootDN/RootPW entries in the RTC DIT. You must use the EXTERNAL mechanism to bind and manage the RTC DIT in the default installation. To manage the RTC DIT with tools such as slapadd or ldapmodify, bind with -Y EXTERNAL -H ldapi:///:
- test if OpenLDAP/slapd is running correctly:
$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config - Initially, this command should return 10-15 entries and is a good check to make sure the installation is basically functional.
Test the above and look what happens ... (i got 1200 lines of output)
$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=configSASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 1 # extended LDIF 2 # 3 # LDAPv3 4 # base <cn=config> with scope subtree 5 # filter: (objectclass=*) 6 # requesting: ALL 7 # 8 # config 9 dn: cn=config 10 objectClass: olcGlobal 11 cn: config 12 olcArgsFile: /var/run/slapd/slapd.args 13 olcLogLevel: none 14 olcPidFile: /var/run/slapd/slapd.pid 15 olcToolThreads: 1 .... 1211 # search result 1212 search: 2 1213 result: 0 Success 1214 # numResponses: 12 1215 # numEntries: 11
Also test the following ...
$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dndn: cn=config dn: cn=module{0},cn=config dn: cn=schema,cn=config dn: cn={0}core,cn=schema,cn=config dn: cn={1}cosine,cn=schema,cn=config dn: cn={2}nis,cn=schema,cn=config dn: cn={3}inetorgperson,cn=schema,cn=config dn: olcBackend={0}hdb,cn=config dn: olcDatabase={-1}frontend,cn=config dn: olcDatabase={0}config,cn=config dn: olcDatabase={1}hdb,cn=config
- configure your database
$ sudo dpkg-reconfigure slapd
First we deny not configuring an initial database (by saying no we indicate that we want a new database):If you enable this option, no initial configuration or database will be created for you. Omit OpenLDAP server configuration? <Yes> ** <No> **
Now we enter our DNS name linux800.net (something different from example.com)The DNS domain name is used to construct the base DN of the LDAP directory. For example, 'foo.example.org' will create the directory with 'dc=foo, dc=example, dc=org' as base DN. DNS domain name: ** linux800.net ** ** <Ok> **
Next we are asked to give a dn (distinguished name) that we will use for our organization:Please enter the name of the organization to use in the base DN of your LDAP directory. Organization name: ** linux800 ** ** <Ok> **
We are asked to enter a password for the LDAP admininistrator: (please remember your password)Please enter the password for the admin entry in your LDAP directory. Administrator password: ** gobblethegook *** ** <Ok> **
And confirm this password:Please enter the admin password for your LDAP directory again to verify that you have typed it correctly. Confirm password: ** gobblethegook ** ** <Ok> **
Next we are asked whether we want to use HDB or BDB for database. We select HDB because it gives us more versatility ...
hdb uses a hierarchical database layout which supports subtree renames. It is otherwise identical to the bdb behavior, and all the same configuration options apply. hdb: Hierarchical variant of bdb backend // bdb: Berkeley DB transactional backend.The HDB backend is recommended. HDB and BDB use similar storage formats, but HDB adds support for subtree renames. Both support the same configuration options. In either case, you should review the resulting database configuration for your needs. See /usr/share/doc/slapd/README.DB_CONFIG.gz for more details. Database backend to use: BDB ** HDB ** │ ** <Ok> **
A strange question follows: suppose your get rid of your softwareslpadwithc andapt-get purge-- if so, would you want to keep your database. And of course I would. But in this test-case, we don't care (yet), and we can answer the next question with YES :Do you want the database to be removed when slapd is purged? ** <Yes> ** <No>
Sometimes your install will see that there is another database, perhaps when you reconfigure again after making mistakes ... here we don't want to move anything, but perhaps in your situation, you would ...There are still files in /var/lib/ldap which will probably break the configuration process. If you enable this option, the maintainer scripts will move the old database files out of the way before creating a new database. Move old database? <Yes> ** <No> **
Last ... the system asks whether we want to use version 2 or version 3 of openLDAP ... we don't want to use the old version ...The obsolete LDAPv2 protocol is disabled by default in slapd. Programs and users should upgrade to LDAPv3. If you have old programs which can't use LDAPv3, you should select this option and 'allow bind_v2' will be added to your slapd.conf file. Allow LDAPv2 protocol? <Yes> ** <No> **
... and hopefully the install now creates our database ...* Stopping OpenLDAP slapd [ OK ] Moving old database directory to /var/backups: - directory unknown ... done. Creating initial configuration... done. Creating LDAP directory... done. * Starting OpenLDAP slapd - checking LDAP
ldapvi
In the CLI we have not many choices to check openLDAP.ldapviis the easiest option. We install ldapvi:
$ sudo apt-get install ldapvi
Next we useldapvito inspect the configuration we just did ... (if this is the first time you use ldapvi, the utility will first ask you about your preferred editor)
$ ldapvi --discover --host localhost# -*- coding: utf-8 -*- vim:encoding=utf-8: # http://www.lichteblau.com/ldapvi/manual#syntax 0 dc=linux800,dc=net objectClass: top objectClass: dcObject objectClass: organization o: linux800 dc: linux800 1 cn=admin,dc=linux800,dc=net objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator0 and 1 are record counters.
record 0 contains our root level: linux800.net
record 1 contains the admin user: admin@linux800.net
I’m using vim as editor, so I can skip writing any changes with:q <enter>
ldapsearch
... notice that the ldapvi syntax is easier -- put everything in one long command ...
$ ldapsearch -p 389 -h localhost -s sub "(objectclass=*)" -D "cn=admin,dc=linux800,dc=net" -w gobbledegook -b "dc=linux800,dc=net"# extended LDIF # # LDAPv3 # base <dc=linux800,dc=net> with scope subtree # filter: (objectclass=*) # requesting: ALL # # linux800.net dn: dc=linux800,dc=net objectClass: top objectClass: dcObject objectClass: organization o: linux800 dc: linux800 # admin, linux800.net dn: cn=admin,dc=linux800,dc=net objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: e1NTSEF9enByR2tOaXM5T2d3TlFhdGVwd1V1QkRqcHgxUkh3SlY= # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2-p port number
-h ipaddress or fqdn
-s search-filter
-D user
-w cleartext password
-b database
ldapsearch .. cn=config
This search will display all olcObjectIdentifiers, olcAttributeTypes, olcObjectClasses and
olcLdapSyntaxes // next it will do the same for loaded schemas // finally it will give the configuration of the databases.
$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=configSASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # filter: (objectclass=*) # requesting: ALL # # config dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid ...
- whats next ...
-->>> doc LDAP2 -- page 8 -- checking ldap(4) -- phpLDAPadmin
-->>> doc LDAP(4) fusiondirectory
-->>> docs LDAP(5) and LDAP (5.1) client