
install and configure openLDAP on ubuntu

  1. prepare your server
     
    • clone an ubuntu 14.04 machine -- the machine used for DNS is quite clean and can be cloned into the same NAT network.
    • update your system:
      # apt-get update
      # apt-get dist-upgrade
       
  2. install LDAP
     
    • install ldap
      # apt-get install slapd
      # apt-get install ldap-utils
       
    • test your sockets:
      $ netstat -vatn | grep LISTEN
      tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
      tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN     
      tcp6       0      0 :::22                   :::*                    LISTEN     
      tcp6       0      0 :::389                  :::*                    LISTEN 

      yes, slapd is listening on port 389 on all IPv4 and IPv6 addresses (0.0.0.0 and ::). Note that 389 is plain, unencrypted LDAP; this page does not set up TLS, so keep the server inside the NAT network for now.
       

  3. glossary
     
    LDAP: Lightweight Directory Access Protocol (open -- open source)
    RTC: Runtime Configuration System
    DIT: Directory Information Tree
    SLAPD: Standalone L(d)AP Daemon
    cn: common name
    ou: organizational unit
    uid: user identification
    dc: domain component
    dn: distinguished name
    rdn: relative distinguished name
    LDIF file: LDAP Data Interchange Format http://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format
    SCHEMA file: The schema defines object classes. Each entry must have an objectClass attribute, containing named classes defined in the schema. The schema definition of the classes of an entry defines what kind of object the entry may represent - e.g. a person, organization or domain. The object class definitions also define the list of attributes that must contain values and the list of attributes which may contain values.
    (http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol#Schema)
    hdb: Hierarchical variant of bdb backend
    bdb: Berkeley DB transactional backend
    config: Slapd configuration backend

  4. components
     
    • contents of slapd (2.4.28-1.1ubuntu4.4)
      /usr/sbin
      slapcat // slapd // slaptest // slappasswd // slapschema // slapauth
      slapdn // slapindex // slapacl // sbin/slapadd
      /etc/ldap/schema (ppolicy/pmi/duaconf …)
      /etc/ldap/sasl2
      /etc/ufw/applications.d/slapd
      /etc/apparmor.d/usr.sbin.slapd
      /etc/init.d/slapd
      /etc/default/slapd
      /var/lib/slapd
      /usr/lib/x86_64-linux-gnu/libslapi-2.4.so.2.8.1
      /usr/lib/ldap/*.so.2.8.1
      /usr/lib/ldap/*.la
      /usr/lib/ldap/*.so(.2)
       
    • contents of ldap-utils:
      /usr/bin
      ldappasswd // ldapwhoami // ldapmodrdn // ldapurl // ldapmodify // ldapsearch
      ldapcompare // ldapdelete // ldapexop // ldapadd
       
  5. RTC
     
    Note: The default installation of OpenLDAP in recent versions of Ubuntu (from at least 10.04, Lucid Lynx) uses the 'new' runtime configuration (RTC) system. Much of the information on the Internet about configuring OpenLDAP refers to modifying /etc/ldap/slapd.conf -- this information does not apply directly to the RTC.
     
    The RTC configuration is stored in the /etc/ldap/slapd.d directory. The directory server's configuration can be modified by editing the files in this directory and restarting slapd, but it is also possible to modify the server configuration in real-time by changing the configuration entries in the special RTC DIT cn=config with the tools in the ldap-utils package (ldapadd, ldapmodify, etc. ..), just as if you were dealing with a regular DIT.
     
    RTC Configuration Notes:
    • Many configuration options in the RTC system have the same name as the configuration option in slapd.conf, with an olc prefix. For example, the loglevel directive becomes olcLogLevel in the RTC system.
    • The default RTC installation will create two DITs: the RTC DIT (cn=config) and a starter DIT (default: dc=nodomain).
    • As of Ubuntu Natty (and possibly prior to it), the 3 basic schemas, (inetorgperson, cosine, and nis) do not have to be loaded manually, contrary to the Ubuntu Server Guide's instructions. These schemas are loaded as part of the installation process.
    • Some documentation and examples in the wild assume the existence of the entry cn=admin,cn=config in the RTC DIT and use this as the root Distinguished Name (DN). However, the default installation does not create any RootDN/RootPW entries in the RTC DIT. You must use the EXTERNAL mechanism to bind and manage the RTC DIT in the default installation. To manage the RTC DIT with tools such as ldapadd or ldapmodify, bind with -Y EXTERNAL -H ldapi:/// (ldapi:/// is slapd's local Unix-domain socket; the SASL EXTERNAL mechanism identifies you by the uid/gid of the connecting process, which is why the commands below run under sudo).
    • test if OpenLDAP/slapd is running correctly:
      $ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
    • Initially, this command should return 10-15 entries and is a good check to make sure the installation is basically functional.
       
      Test the above and look at what happens ... (I got 1200 lines of output)
       
      $ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
      SASL/EXTERNAL authentication started
      SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
      SASL SSF: 0
      1    # extended LDIF
      2    #
      3    # LDAPv3
      4    # base <cn=config> with scope subtree
      5    # filter: (objectclass=*)
      6    # requesting: ALL
      7    #
      8    # config
      9    dn: cn=config
      10    objectClass: olcGlobal
      11    cn: config
      12    olcArgsFile: /var/run/slapd/slapd.args
      13    olcLogLevel: none
      14    olcPidFile: /var/run/slapd/slapd.pid
      15    olcToolThreads: 1
      ....
      1211    # search result
      1212    search: 2
      1213    result: 0 Success
      1214    # numResponses: 12
      1215    # numEntries: 11

       
      Also test the following ...
       
      $ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

      dn: cn=config
      dn: cn=module{0},cn=config
      dn: cn=schema,cn=config
      dn: cn={0}core,cn=schema,cn=config
      dn: cn={1}cosine,cn=schema,cn=config
      dn: cn={2}nis,cn=schema,cn=config
      dn: cn={3}inetorgperson,cn=schema,cn=config
      dn: olcBackend={0}hdb,cn=config
      dn: olcDatabase={-1}frontend,cn=config
      dn: olcDatabase={0}config,cn=config
      dn: olcDatabase={1}hdb,cn=config

       

  6. configure your database
     
    $ sudo dpkg-reconfigure slapd
     
    First we are asked whether to omit the initial configuration; we answer No, because we do want an initial configuration and database to be created:
    If you enable this option, no initial configuration or database 
    will be created for you. 
    Omit OpenLDAP server configuration?     
                     <Yes>                          ** <No> **  

     
    Now we enter our DNS domain name linux800.net (something other than example.com)

    The DNS domain name is used to construct the base DN of the LDAP directory. For example, 'foo.example.org' will create the directory 
    with 'dc=foo, dc=example, dc=org' as base DN.
    DNS domain name:
     
    ** linux800.net **
                                   **   <Ok>  **

     
    Next we are asked for the organization name, which goes into the base DN (distinguished name) of our directory:

    Please enter the name of the organization to use in the base DN of your LDAP directory.
    Organization name:
     
    ** linux800 **
                              **    <Ok>    **

     
    We are asked to enter a password for the LDAP administrator (please remember your password):

    Please enter the password for the admin entry in your LDAP directory.
    Administrator password: 
     
    **   gobblethegook   **
                                   **   <Ok>   **

     
    And confirm this password:

    Please enter the admin password for your LDAP directory again to verify that you have typed it correctly.
    Confirm password: 
     
    **   gobblethegook   **
                                   **   <Ok>   **

     
    Next we are asked whether we want to use HDB or BDB for the database. We select HDB because it gives us more versatility ...
    hdb uses a hierarchical database layout which supports subtree renames. It is otherwise identical to the bdb behavior, and all the same configuration options apply. hdb: Hierarchical variant of bdb backend // bdb: Berkeley DB transactional backend.

    The HDB backend is recommended. HDB and BDB use similar storage formats, but HDB adds support for subtree renames. Both support the same configuration options.
    In either case, you should review the resulting database configuration for your needs. See /usr/share/doc/slapd/README.DB_CONFIG.gz for more details.                                      
     
    Database backend to use: 
         BDB
    **   HDB   **
                                 **   <Ok>   **

     
    A strange question follows: suppose you get rid of the slapd software with an apt-get purge -- would you want to keep your database? Of course I would. But in this test case we don't care (yet), and we can answer the next question with Yes:

    Do you want the database to be removed when slapd is purged?
           **   <Yes>   **                <No> 

     
    Sometimes your install will see that there is another database, perhaps when you reconfigure again after making mistakes ... here we don't want to move anything, but perhaps in your situation, you would ...

    There are still files in /var/lib/ldap which will probably break the configuration process. If you enable this option, the maintainer scripts will move the old database files out of the way before creating a new database.                                                                            
     
    Move old database? 
                   <Yes>              **   <No>   **

     
    Last ... the system asks whether we want to allow the obsolete version 2 of the LDAP protocol next to version 3 ... we don't want the old version ...

    The obsolete LDAPv2 protocol is disabled by default in slapd. Programs and users should upgrade to LDAPv3.  If you have old programs which can't use LDAPv3, you should select this option and 'allow bind_v2' will be added to your slapd.conf file.
     
    Allow LDAPv2 protocol?
                    <Yes>              **   <No>   **

     
     
    ... and hopefully the install now creates our database ...

    * Stopping OpenLDAP slapd                         [ OK ]
    Moving old database directory to /var/backups: - directory unknown ... done.
    Creating initial configuration... done.
    Creating LDAP directory... done.
    * Starting OpenLDAP slapd    

     

  7. checking LDAP
     
    • ldapvi
       
      On the command line we do not have many options for inspecting openLDAP; ldapvi is the easiest one. We install ldapvi:
       
      $ sudo apt-get install ldapvi
       
      Next we use ldapvi to inspect the configuration we just did ... (if this is the first time you use ldapvi, the utility will first ask you about your preferred editor)
       
      $ ldapvi --discover --host localhost
      # -*- coding: utf-8 -*- vim:encoding=utf-8:
      # http://www.lichteblau.com/ldapvi/manual#syntax
       
      0 dc=linux800,dc=net
      objectClass: top
      objectClass: dcObject
      objectClass: organization
      o: linux800
      dc: linux800
       
      1 cn=admin,dc=linux800,dc=net
      objectClass: simpleSecurityObject
      objectClass: organizationalRole
      cn: admin
      description: LDAP administrator

      0 and 1 are record counters.
      record 0 contains our root level: linux800.net
      record 1 contains the admin user: admin@linux800.net
       
      I’m using vim as editor, so I can skip writing any changes with :q <enter>
       

    • ldapsearch
       
      ... notice that the ldapvi syntax is easier; with ldapsearch everything goes into one long command ...
       
      $ ldapsearch -p 389 -h localhost -s sub "(objectclass=*)" -D "cn=admin,dc=linux800,dc=net" -w gobbledegook -b "dc=linux800,dc=net"
      # extended LDIF
      #
      # LDAPv3
      # base <dc=linux800,dc=net> with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      #
       
      # linux800.net
      dn: dc=linux800,dc=net
      objectClass: top
      objectClass: dcObject
      objectClass: organization
      o: linux800
      dc: linux800
       
      # admin, linux800.net
      dn: cn=admin,dc=linux800,dc=net
      objectClass: simpleSecurityObject
      objectClass: organizationalRole
      cn: admin
      description: LDAP administrator
      userPassword:: e1NTSEF9enByR2tOaXM5T2d3TlFhdGVwd1V1QkRqcHgxUkh3SlY=
       
      # search result
      search: 2
      result: 0 Success
       
      # numResponses: 3
      # numEntries: 2

      -p port number
      -h hostname, IP address or FQDN of the server
      -s scope of the search (sub = the whole subtree below the base)
      -D the DN to bind as (here the admin entry)
      -w cleartext bind password given on the command line (it ends up in your shell history and is visible to other users in the process list while ldapsearch runs; -W prompts for it instead)
      -b search base (the DN the search starts from)
      "(objectclass=*)" is the search filter: match every entry
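      As an added example (not from the original page), the Python below parses the LDIF that ldapsearch prints, as shown above, and audits how userPassword is stored; the same parser also works on the cn=config output from section 5. The sample is a constructed, abbreviated copy of the two entries above; base64-decoding the userPassword line shows that the admin password from section 6 is kept as a salted SHA-1 ({SSHA}) hash rather than in the clear, and make_ssha / verify_ssha (names chosen here, not OpenLDAP's) reproduce what slappasswd and slapd do with that format.

```python
import base64
import hashlib

# Constructed sample: an abbreviated copy of the two entries ldapsearch printed above.
SAMPLE_LDIF = """\
# linux800.net
dn: dc=linux800,dc=net
dc: linux800

# admin, linux800.net
dn: cn=admin,dc=linux800,dc=net
cn: admin
userPassword:: e1NTSEF9enByR2tOaXM5T2d3TlFhdGVwd1V1QkRqcHgxUkh3SlY=
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry: joins folded lines (newline + space), skips
    '#' comments, base64-decodes 'attr:: value' and keeps only blocks that have a dn."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name, []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def password_scheme(value):
    """'{SSHA}...' -> 'SSHA'; without a {scheme} prefix slapd stores the value as-is."""
    return value[1:value.index("}")] if value.startswith("{") and "}" in value else "CLEARTEXT"

def make_ssha(password, salt):
    """slappasswd's {SSHA} layout: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored, candidate):
    """What slapd does on a simple bind: recompute with the salt kept after the 20-byte digest."""
    blob = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(candidate.encode() + blob[20:]).digest() == blob[:20]

def audit_passwords(ldif_text):
    """Map every dn that carries a userPassword to its storage scheme."""
    return {e["dn"][0]: password_scheme(e["userPassword"][0])
            for e in parse_ldif(ldif_text) if "userPassword" in e}
```

      To audit a real directory, save the output of the ldapsearch command above to a file and pass its contents to audit_passwords; any dn reported as CLEARTEXT should get its password reset with a slappasswd-generated {SSHA} value.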
       

    • ldapsearch .. cn=config
       
      This search displays all olcObjectIdentifiers, olcAttributeTypes, olcObjectClasses and olcLdapSyntaxes,
      then does the same for each loaded schema, and finally gives the configuration of the databases.
       
      $ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
      SASL/EXTERNAL authentication started
      SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
      SASL SSF: 0
      # extended LDIF
      #
      # LDAPv3
      # base <cn=config> with scope subtree
      # filter: (objectclass=*)
      # requesting: ALL
      #
       
      # config
      dn: cn=config
      objectClass: olcGlobal
      cn: config
      olcArgsFile: /var/run/slapd/slapd.args
      olcLogLevel: none
      olcPidFile: /var/run/slapd/slapd.pid
      ...

       

  8. what's next ...
    -->>> doc LDAP2 -- page 8 -- checking ldap(4) -- phpLDAPadmin
    -->>> doc LDAP(4) fusiondirectory
    -->>> docs LDAP(5) and LDAP (5.1) client