https://wiki.archlinux.org/api.php?action=feedcontributions&user=Wirelessben&feedformat=atomArchWiki - User contributions [en]2024-03-29T05:37:56ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Dhcpd&diff=579682Dhcpd2019-08-13T03:37:06Z<p>Wirelessben: Grammar: added :</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:DHCP]]<br />
[[de:Dhcpd]]<br />
[[ja:Dhcpd]]<br />
[[pt:Dhcpd]]<br />
[[ru:Dhcpd]]<br />
[[zh-hans:Dhcpd]]<br />
{{Related articles start}}<br />
{{Related|dhcpcd}}<br />
{{Related articles end}}<br />
<br />
dhcpd is the [http://www.isc.org/downloads/dhcp/ Internet Systems Consortium] DHCP Server. It is useful for instance on a machine acting as a router on a LAN.<br />
<br />
{{Note|''dhcpd'' (DHCP '''(server)''' daemon) is not the same as [[dhcpcd]] (DHCP '''client''' daemon).}}<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{pkg|dhcp}} package, available in the [[official repositories]].<br />
<br />
== Usage ==<br />
<br />
''dhcpd'' includes two unit files {{ic|dhcpd4.service}} and {{ic|dhcpd6.service}}, which can be used to [[Enable|control]] the daemon. They start the daemon on ''all'' [[network interfaces]] for IPv4 and IPv6 respectively. See [[#Listening on only one interface]] for an alternative.<br />
<br />
== Configuration ==<br />
<br />
Assign a static IPv4 address to the interface you want to use (in our examples we will use {{ic|eth0}}). The first 3 bytes of this address cannot be exactly the same as those of another interface.<br />
<br />
# ip link set up dev eth0<br />
# ip addr add 139.96.30.100/24 dev eth0 # arbitrary address<br />
<br />
{{Tip|Usually, one of the next three subnets is used for private networks, which are specially reserved and won't conflict with any host in the Internet:<br />
* {{ic|192.168/16}} (subnet {{ic|192.168.0.0}}, netmask {{ic|255.255.0.0}})<br />
* {{ic|172.16/12}} (subnet {{ic|172.16.0.0}}, netmask {{ic|255.240.0.0}})<br />
* {{ic|10/8}} (for large networks; subnet {{ic|10.0.0.0}}, netmask {{ic|255.0.0.0}})<br />
See also [http://www.ietf.org/rfc/rfc1918.txt RFC 1918].}}<br />
<br />
To have your static ip assigned at boot, see [[Network configuration#Static IP address]].<br />
<br />
The default {{ic|dhcpd.conf}} contains many uncommented examples, so relocate it:<br />
<br />
# cp /etc/dhcpd.conf.example /etc/dhcpd.conf<br />
<br />
The minimal configuration file may look like:<br />
<br />
{{hc|/etc/dhcpd.conf|<br />
option domain-name-servers 8.8.8.8, 8.8.4.4;<br />
option subnet-mask 255.255.255.0;<br />
option routers 139.96.30.100;<br />
subnet 139.96.30.0 netmask 255.255.255.0 {<br />
range 139.96.30.150 139.96.30.250;<br />
}<br />
}}<br />
<br />
If you need to provide a fixed IP address for a single specific device, you can use the following syntax:<br />
<br />
{{hc|/etc/dhcpd.conf|<br />
option domain-name-servers 8.8.8.8, 8.8.4.4;<br />
option subnet-mask 255.255.255.0;<br />
option routers 139.96.30.100;<br />
subnet 139.96.30.0 netmask 255.255.255.0 {<br />
range 139.96.30.150 139.96.30.250;<br />
<br />
host macbookpro{<br />
hardware ethernet 70:56:81:22:33:44;<br />
fixed-address 139.96.30.199;<br />
}<br />
}<br />
}}<br />
<br />
{{ic|domain-name-servers}} option contains addresses of DNS servers which are supplied to clients. In our example we are using Google's public DNS servers. If you know a local DNS server (for example, provided by your ISP), you should use it. If you've configured your own DNS on a local machine, then use its address in your subnet (e. g. {{ic|139.96.30.100}} in our example).<br />
<br />
{{ic|subnet-mask}} and {{ic|routers}} defines a subnet mask and a list of available routers on the subnet. In most cases for small networks you can use {{ic|255.255.255.0}} as a mask and specify an IP address of the machine on which you're configuring DHCP server as a router.<br />
<br />
{{ic|subnet}} blocks defines options for separate subnets, which are mapped to the network interfaces on which ''dhcpd'' is running. In our example this is one subnet {{ic|139.96.30.0/24}} for single interface {{ic|eth0}}, for which we defined the range of available IP addresses. Addresses from this range will be assigned to the connecting clients.<br />
<br />
=== Listening on only one interface ===<br />
<br />
If your computer is already part of one or several networks, it could be a problem if your computer starts giving ip addresses to machines from the other networks. It can be done by either configuring dhcpd or starting it as a daemon with [[Systemd#Using units|systemctl]].<br />
<br />
==== Configuring dhcpd ====<br />
<br />
In order to exclude an interface, you must create an empty declaration for the subnet that will be configured on that interface.<br />
<br />
This is done by editing the configuration file (for example):<br />
{{hc|/etc/dhcpd.conf|<nowiki><br />
# No DHCP service in DMZ network (192.168.2.0/24)<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
}<br />
</nowiki>}}<br />
<br />
==== Service file ====<br />
<br />
There is no service files provided by default to use ''dhcpd'' only on one interface so you need to create one:<br />
<br />
{{hc|/etc/systemd/system/dhcpd4@.service|<nowiki><br />
[Unit]<br />
Description=IPv4 DHCP server on %I<br />
Wants=network.target<br />
After=network.target<br />
<br />
[Service]<br />
Type=forking<br />
PIDFile=/run/dhcpd4.pid<br />
ExecStart=/usr/bin/dhcpd -4 -q -pf /run/dhcpd4.pid %I<br />
KillSignal=SIGINT<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</nowiki>}}<br />
<br />
This is a template unit, which binds it to a particular interface, for example {{ic|dhcpd4@''eth0''.service}} where ''eth0'' is an interface shown with {{ic|ip link}}.<br />
<br />
Sometimes we want to wait for the network to be configured, in this case the solution is to make service waits for network-online.target instead of network.target:<br />
<br />
{{hc|/etc/systemd/system/dhcpd4@.service|<nowiki><br />
[Unit]<br />
Wants=network-online.target<br />
After=network-online.target<br />
</nowiki>}}<br />
<br />
To have this working we have to enable another service to make it work:<br />
<br />
# systemctl enable systemd-networkd-wait-online<br />
<br />
=== Use for PXE ===<br />
<br />
PXE Configuration is done with the following two options:<br />
<br />
{{hc|/etc/dhcpd.conf|<nowiki><br />
next-server 192.168.0.2;<br />
filename "/pxelinux.0";<br />
</nowiki>}}<br />
<br />
This section can either be in an entire {{ic|subnet}} or just in a {{ic|host}} definition. {{ic|next-server}} is the IP of the TFTP Server, and {{ic|filename}} is the filename of the image to boot. For more information see [[PXE]].</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=Dhcpd&diff=579681Dhcpd2019-08-13T03:34:37Z<p>Wirelessben: Grammar: "the one of next three subnets" -> "one of the next three subnets"</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:DHCP]]<br />
[[de:Dhcpd]]<br />
[[ja:Dhcpd]]<br />
[[pt:Dhcpd]]<br />
[[ru:Dhcpd]]<br />
[[zh-hans:Dhcpd]]<br />
{{Related articles start}}<br />
{{Related|dhcpcd}}<br />
{{Related articles end}}<br />
<br />
dhcpd is the [http://www.isc.org/downloads/dhcp/ Internet Systems Consortium] DHCP Server. It is useful for instance on a machine acting as a router on a LAN.<br />
<br />
{{Note|''dhcpd'' (DHCP '''(server)''' daemon) is not the same as [[dhcpcd]] (DHCP '''client''' daemon).}}<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{pkg|dhcp}} package, available in the [[official repositories]].<br />
<br />
== Usage ==<br />
<br />
''dhcpd'' includes two unit files {{ic|dhcpd4.service}} and {{ic|dhcpd6.service}}, which can be used to [[Enable|control]] the daemon. They start the daemon on ''all'' [[network interfaces]] for IPv4 and IPv6 respectively. See [[#Listening on only one interface]] for an alternative.<br />
<br />
== Configuration ==<br />
<br />
Assign a static IPv4 address to the interface you want to use (in our examples we will use {{ic|eth0}}). The first 3 bytes of this address cannot be exactly the same as those of another interface.<br />
<br />
# ip link set up dev eth0<br />
# ip addr add 139.96.30.100/24 dev eth0 # arbitrary address<br />
<br />
{{Tip|Usually, one of the next three subnets is used for private networks, which are specially reserved and won't conflict with any host in the Internet:<br />
* {{ic|192.168/16}} (subnet {{ic|192.168.0.0}}, netmask {{ic|255.255.0.0}})<br />
* {{ic|172.16/12}} (subnet {{ic|172.16.0.0}}, netmask {{ic|255.240.0.0}})<br />
* {{ic|10/8}} (for large networks; subnet {{ic|10.0.0.0}}, netmask {{ic|255.0.0.0}})<br />
See also [http://www.ietf.org/rfc/rfc1918.txt RFC 1918].}}<br />
<br />
To have your static ip assigned at boot, see [[Network configuration#Static IP address]].<br />
<br />
The default {{ic|dhcpd.conf}} contains many uncommented examples, so relocate it:<br />
<br />
# cp /etc/dhcpd.conf.example /etc/dhcpd.conf<br />
<br />
The minimal configuration file may look like:<br />
<br />
{{hc|/etc/dhcpd.conf|<br />
option domain-name-servers 8.8.8.8, 8.8.4.4;<br />
option subnet-mask 255.255.255.0;<br />
option routers 139.96.30.100;<br />
subnet 139.96.30.0 netmask 255.255.255.0 {<br />
range 139.96.30.150 139.96.30.250;<br />
}<br />
}}<br />
<br />
If you need to provide a fixed IP address for a single specific device, you can use the following syntax<br />
<br />
{{hc|/etc/dhcpd.conf|<br />
option domain-name-servers 8.8.8.8, 8.8.4.4;<br />
option subnet-mask 255.255.255.0;<br />
option routers 139.96.30.100;<br />
subnet 139.96.30.0 netmask 255.255.255.0 {<br />
range 139.96.30.150 139.96.30.250;<br />
<br />
host macbookpro{<br />
hardware ethernet 70:56:81:22:33:44;<br />
fixed-address 139.96.30.199;<br />
}<br />
}<br />
}}<br />
<br />
{{ic|domain-name-servers}} option contains addresses of DNS servers which are supplied to clients. In our example we are using Google's public DNS servers. If you know a local DNS server (for example, provided by your ISP), you should use it. If you've configured your own DNS on a local machine, then use its address in your subnet (e. g. {{ic|139.96.30.100}} in our example).<br />
<br />
{{ic|subnet-mask}} and {{ic|routers}} defines a subnet mask and a list of available routers on the subnet. In most cases for small networks you can use {{ic|255.255.255.0}} as a mask and specify an IP address of the machine on which you're configuring DHCP server as a router.<br />
<br />
{{ic|subnet}} blocks defines options for separate subnets, which are mapped to the network interfaces on which ''dhcpd'' is running. In our example this is one subnet {{ic|139.96.30.0/24}} for single interface {{ic|eth0}}, for which we defined the range of available IP addresses. Addresses from this range will be assigned to the connecting clients.<br />
<br />
=== Listening on only one interface ===<br />
<br />
If your computer is already part of one or several networks, it could be a problem if your computer starts giving ip addresses to machines from the other networks. It can be done by either configuring dhcpd or starting it as a daemon with [[Systemd#Using units|systemctl]].<br />
<br />
==== Configuring dhcpd ====<br />
<br />
In order to exclude an interface, you must create an empty declaration for the subnet that will be configured on that interface.<br />
<br />
This is done by editing the configuration file (for example):<br />
{{hc|/etc/dhcpd.conf|<nowiki><br />
# No DHCP service in DMZ network (192.168.2.0/24)<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
}<br />
</nowiki>}}<br />
<br />
==== Service file ====<br />
<br />
There is no service files provided by default to use ''dhcpd'' only on one interface so you need to create one:<br />
<br />
{{hc|/etc/systemd/system/dhcpd4@.service|<nowiki><br />
[Unit]<br />
Description=IPv4 DHCP server on %I<br />
Wants=network.target<br />
After=network.target<br />
<br />
[Service]<br />
Type=forking<br />
PIDFile=/run/dhcpd4.pid<br />
ExecStart=/usr/bin/dhcpd -4 -q -pf /run/dhcpd4.pid %I<br />
KillSignal=SIGINT<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</nowiki>}}<br />
<br />
This is a template unit, which binds it to a particular interface, for example {{ic|dhcpd4@''eth0''.service}} where ''eth0'' is an interface shown with {{ic|ip link}}.<br />
<br />
Sometimes we want to wait for the network to be configured, in this case the solution is to make service waits for network-online.target instead of network.target:<br />
<br />
{{hc|/etc/systemd/system/dhcpd4@.service|<nowiki><br />
[Unit]<br />
Wants=network-online.target<br />
After=network-online.target<br />
</nowiki>}}<br />
<br />
To have this working we have to enable another service to make it work:<br />
<br />
# systemctl enable systemd-networkd-wait-online<br />
<br />
=== Use for PXE ===<br />
<br />
PXE Configuration is done with the following two options:<br />
<br />
{{hc|/etc/dhcpd.conf|<nowiki><br />
next-server 192.168.0.2;<br />
filename "/pxelinux.0";<br />
</nowiki>}}<br />
<br />
This section can either be in an entire {{ic|subnet}} or just in a {{ic|host}} definition. {{ic|next-server}} is the IP of the TFTP Server, and {{ic|filename}} is the filename of the image to boot. For more information see [[PXE]].</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=LDAP_authentication&diff=574359LDAP authentication2019-05-31T12:25:21Z<p>Wirelessben: /* Fixed two typos */</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Authentication]]<br />
[[ja:LDAP 認証]]<br />
{{Related articles start}}<br />
{{Related|OpenLDAP}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
== Introduction and Concepts ==<br />
<br />
This is a guide on how to configure an Arch Linux installation to authenticate against an LDAP directory. This LDAP directory can be either local (installed on the same computer) or network (e.g. in a lab environment where central authentication is desired).<br />
<br />
The guide is divided into two parts. The first part deals with how to setup an [[OpenLDAP]] server that hosts the authentication directory. The second part deals with how to setup the NSS and PAM modules that are required for the authentication scheme to work on the client computers. If you just want to configure Arch to authenticate against an already existing LDAP server, you can skip to the [[#Client_Setup|second part]].<br />
<br />
=== NSS and PAM ===<br />
NSS (which stands for Name Service Switch) is a system mechanism to configure different sources for common configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the {{ic|passwd}} database.<br />
<br />
[[PAM]] (which stands for Pluggable Authentication Modules) is a mechanism used by Linux (and most *nixes) to extend its authentication schemes based on different plugins.<br />
<br />
So to summarize, we need to configure NSS to use the OpenLDAP server as a source for the {{ic|passwd}}, {{ic|shadow}} and other configuration databases and then configure PAM to use these sources to authenticate its users.<br />
<br />
== LDAP Server Setup ==<br />
<br />
=== Installation ===<br />
<br />
You can read about installation and basic configuration in the [[OpenLDAP]] article. After you have completed that, return here.<br />
<br />
=== Set up access controls ===<br />
<br />
To make sure that no-one can read the (encrypted) passwords from the LDAP server, but still allowing users to edit some of their own select attributes (such as own password and photo), add the following to {{ic|/etc/openldap/slapd.conf}} and restart {{ic|slapd.service}} afterwards:<br />
{{note|Alter the domain components "example" and "org" to your needs}}<br />
<br />
{{hc|slapd.conf|2=<br />
access to attrs=userPassword,givenName,sn,photo<br />
by self write<br />
by anonymous auth<br />
by dn.base="cn=Manager,dc=example,dc=org" write<br />
by * none<br />
<br />
access to *<br />
by self read <br />
by dn.base="cn=Manager,dc=example,dc=org" write<br />
by * read<br />
<br />
}}<br />
<br />
=== Populate LDAP Tree with Base Data ===<br />
<br />
Create a temporary file called {{ic|base.ldif}} with the following text.<br />
<br />
{{hc|base.ldif|<nowiki><br />
# example.org<br />
dn: dc=example,dc=org<br />
dc: example<br />
o: Example Organization<br />
objectClass: dcObject<br />
objectClass: organization<br />
<br />
# Manager, example.org<br />
dn: cn=Manager,dc=example,dc=org<br />
cn: Manager<br />
description: LDAP administrator<br />
objectClass: organizationalRole<br />
objectClass: top<br />
roleOccupant: dc=example,dc=org<br />
<br />
# People, example.org<br />
dn: ou=People,dc=example,dc=org<br />
ou: People<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
<br />
# Groups, example.org<br />
dn: ou=Group,dc=example,dc=org<br />
ou: Group<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
</nowiki>}}<br />
<br />
Add it to your OpenLDAP tree:<br />
<br />
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f base.ldif<br />
<br />
Test to make sure the data was imported:<br />
<br />
$ ldapsearch -x -b 'dc=example,dc=org' '(objectclass=*)'<br />
<br />
=== Adding users ===<br />
To manually add a user, create an {{ic|.ldif}} file like this:<br />
{{hc|user_joe.ldif|<nowiki><br />
dn: uid=johndoe,ou=People,dc=example,dc=org<br />
objectClass: top<br />
objectClass: person<br />
objectClass: organizationalPerson<br />
objectClass: inetOrgPerson<br />
objectClass: posixAccount<br />
objectClass: shadowAccount<br />
uid: johndoe<br />
cn: John Doe<br />
sn: Doe<br />
givenName: John<br />
title: Guinea Pig<br />
telephoneNumber: +0 000 000 0000<br />
mobile: +0 000 000 0000<br />
postalAddress: AddressLine1$AddressLine2$AddressLine3<br />
userPassword: {CRYPT}xxxxxxxxxx<br />
labeledURI: https://archlinux.org/<br />
loginShell: /bin/bash<br />
uidNumber: 9999<br />
gidNumber: 9999<br />
homeDirectory: /home/johndoe/<br />
description: This is an example user<br />
</nowiki>}}<br />
<br />
The {{ic|xxxxxxxxxx}} in the {{ic|userPassword}} entry should be replaced with the value in {{ic|/etc/shadow}} or use the {{ic|slappasswd}} command. Now add the user:<br />
<br />
$ ldapadd -D "cn=Manager,dc=example,dc=org" -W -f user_joe.ldif<br />
<br />
{{Note|You can automatically migrate all of your local accounts (and groups, etc.) to the LDAP directory using PADL Software's [http://www.padl.com/OSS/MigrationTools.html Migration Tools].}}<br />
<br />
== Client Setup ==<br />
<br />
Install the OpenLDAP client as described in [[OpenLDAP]]. Make sure you can query the server with {{ic|ldapsearch}}.<br />
<br />
Next, [[install]] the {{pkg|nss-pam-ldapd}} package.<br />
<br />
=== NSS Configuration ===<br />
NSS is a system facility which manages different sources as configuration databases. For example, {{ic|/etc/passwd}} is a {{ic|file}} type source for the {{ic|passwd}} database, which stores the user accounts.<br />
<br />
Edit {{ic|/etc/nsswitch.conf}} which is the central configuration file for NSS. It tells NSS which sources to use for which system databases. We need to add the {{ic|ldap}} directive to the {{ic|passwd}}, {{ic|group}} and {{ic|shadow}} databases, so be sure your file looks like this:<br />
<br />
passwd: files ldap<br />
group: files ldap<br />
shadow: files ldap<br />
<br />
Edit {{ic|/etc/nslcd.conf}} and change the {{ic|base}} and {{ic|uri}} lines to fit your ldap server setup.<br />
<br />
Start {{ic|nslcd.service}} using systemd.<br />
<br />
You now should see your LDAP users when running {{ic|getent passwd}} on the client.<br />
<br />
=== PAM Configuration ===<br />
The basic rule of thumb for PAM configuration is to include {{ic|pam_ldap.so}} wherever {{ic|pam_unix.so}} is included. Arch moving to {{pkg|pambase}} has helped decrease the amount of edits required. For more details about configuring pam, the [https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/PAM_Configuration_Files.html RedHat Documentation] is quite good. You might also want the upstream documentation for [http://arthurdejong.org/nss-pam-ldapd nss-pam-ldapd].<br />
<br />
{{Tip|If you want to prevent UID clashes with local users on your system, you might want to include {{ic|minimum_uid&#61;10000}} or similar on the end of the {{ic|pam_ldap.so}} lines. You will have to make sure the LDAP server returns uidNumber fields that match the restriction.}}<br />
<br />
{{Note|Each facility (auth, session, password, account) forms a separate chain and the order matters. Sufficient lines will sometimes "short circuit" and skip the rest of the section, so the rule of thumb for ''auth'', ''password'', and ''account'' is ''sufficient'' lines before ''required'', but after required lines for the ''session'' section; ''optional'' can almost always go at the end. When adding your {{ic|pam_ldap.so}} lines, do not change the relative order of the other lines without good reason! Simply insert LDAP within the chain.}}<br />
<br />
First edit {{ic|/etc/pam.d/system-auth}}. This file is included in most of the other files in {{ic|pam.d}}, so changes here propagate nicely. Updates to {{pkg|pambase}} may change this file.<br />
<br />
Make {{ic|pam_ldap.so}} sufficient at the top of each section, except in the ''session'' section, where we make it optional.<br />
{{hc|/etc/pam.d/system-auth|<br />
'''auth sufficient pam_ldap.so'''<br />
auth required pam_unix.so try_first_pass nullok<br />
auth optional pam_permit.so<br />
auth required pam_env.so<br />
<br />
'''account sufficient pam_ldap.so'''<br />
account required pam_unix.so<br />
account optional pam_permit.so<br />
account required pam_time.so<br />
<br />
'''password sufficient pam_ldap.so'''<br />
password required pam_unix.so try_first_pass nullok sha512 shadow<br />
password optional pam_permit.so<br />
<br />
session required pam_limits.so<br />
session required pam_unix.so<br />
'''session optional pam_ldap.so'''<br />
session optional pam_permit.so<br />
}}<br />
<br />
Then edit both {{ic|/etc/pam.d/su}} and {{ic|/etc/pam.d/su-l}} identically. The {{ic|su-l}} file is used when the user runs {{ic|su --login}}.<br />
<br />
Make {{ic|pam_ldap.so}} sufficient at the top of each section but below {{ic|pam_rootok}}, and add {{ic|use_first_pass}} to {{ic|pam_unix}} in the ''auth'' section.<br />
{{hc|/etc/pam.d/su|<br />
#%PAM-1.0<br />
auth sufficient pam_rootok.so<br />
'''auth sufficient pam_ldap.so'''<br />
# Uncomment the following line to implicitly trust users in the "wheel" group.<br />
#auth sufficient pam_wheel.so trust use_uid<br />
# Uncomment the following line to require a user to be in the "wheel" group.<br />
#auth required pam_wheel.so use_uid<br />
auth required pam_unix.so '''use_first_pass'''<br />
'''account sufficient pam_ldap.so'''<br />
account required pam_unix.so<br />
'''session sufficient pam_ldap.so'''<br />
session required pam_unix.so<br />
}}<br />
<br />
To enable users to edit their password, edit {{ic|/etc/pam.d/passwd}}:<br />
<br />
{{hc|/etc/pam.d/passwd|2=<br />
#%PAM-1.0<br />
'''password sufficient pam_ldap.so'''<br />
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3<br />
#password required pam_unix.so sha512 shadow use_authtok<br />
password required pam_unix.so sha512 shadow nullok<br />
}}<br />
<br />
==== Create home folders at login ====<br />
<br />
If you want home folders to be created at login (eg: if you are not using NFS to store home folders), edit {{ic|/etc/pam.d/system-login}} and add {{ic|pam_mkhomedir.so}} to the ''session'' section above any "sufficient" items. This will cause home folder creation when logging in at a tty, from ssh, xdm, kdm, gdm, etc. You might choose to edit additional files in the same way, such as {{ic|/etc/pam.d/su}} and {{ic|/etc/pam.d/su-l}} to enable it for {{ic|su}} and {{ic|su --login}}. If you do not want to do this for ssh logins, edit {{ic|system-local-login}} instead of {{ic|system-login}}, etc.<br />
<br />
{{hc|/etc/pam.d/system-login|<br />
...top of file not shown...<br />
session optional pam_loginuid.so<br />
session include system-auth<br />
session optional pam_motd.so motd&#61;/etc/motd<br />
session optional pam_mail.so dir&#61;/var/spool/mail standard quiet<br />
-session optional pam_systemd.so<br />
session required pam_env.so<br />
'''session required pam_mkhomedir.so skel&#61;/etc/skel umask&#61;0022'''<br />
}}<br />
<br />
{{hc|/etc/pam.d/su-l|<br />
...top of file not shown...<br />
'''session required pam_mkhomedir.so skel&#61;/etc/skel umask&#61;0022'''<br />
session sufficient pam_ldap.so<br />
session required pam_unix.so<br />
}}<br />
<br />
==== Enable sudo ====<br />
<br />
To enable sudo from an LDAP user, edit {{ic|/etc/pam.d/sudo}}. You will also need to modify sudoers accordingly.<br />
{{hc|/etc/pam.d/sudo|<br />
#%PAM-1.0<br />
'''auth sufficient pam_ldap.so'''<br />
auth required pam_unix.so '''try_first_pass'''<br />
auth required pam_nologin.so<br />
}}<br />
<br />
You will also need to add in {{ic|/etc/openldap/ldap.conf}} the following.<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
sudoers_base ou=sudoers,dc=AFOLA<br />
}}<br />
<br />
== Online and Offline Authentication with SSSD ==<br />
<br />
SSSD is a system daemon. Its primary function is to provide access to identity and authentication remote resource through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, and in the future will D-BUS based interfaces for extended user information. It provides also a better database to store local users as well as extended user data.<br />
<br />
=== General Package Details ===<br />
<br />
[[Install]] the {{pkg|sssd}} package.<br />
<br />
=== How to enable SSSD for basic Authentication ===<br />
<br />
==== 1. SSSD Configuration ====<br />
<br />
If it does not exist create {{ic|/etc/sssd/sssd.conf}}.<br />
{{hc|/etc/sssd/sssd.conf|2=<br />
[sssd]<br />
config_file_version = 2<br />
services = nss, pam<br />
domains = LDAP<br />
<br />
[domain/LDAP]<br />
cache_credentials = true<br />
enumerate = true<br />
<br />
id_provider = ldap<br />
auth_provider = ldap<br />
<br />
ldap_uri = ldap://server1.example.org, ldap://server2.example.org<br />
ldap_search_base = dc=example,dc=org<br />
ldap_id_use_start_tls = true<br />
ldap_tls_reqcert = demand<br />
ldap_tls_cacert = /etc/openldap/certs/cacerts.pem<br />
chpass_provider = ldap<br />
ldap_chpass_uri = ldap://server1.example.org<br />
entry_cache_timeout = 600<br />
ldap_network_timeout = 2<br />
ldap_group_member = uniquemember<br />
}}<br />
<br />
The above is an example only. See {{man|5|sssd.conf}} for the full details.<br />
<br />
Finally set the file permissions {{ic|chmod 600 /etc/sssd/sssd.conf}} otherwise sssd will fail to start.<br />
<br />
==== 2. NSCD Configuration ====<br />
<br />
Disable caching for passwd, group and netgroup entries in {{ic|/etc/nscd.conf}} as it will interfere with sssd caching.<br />
<br />
Keep caching enabled for hosts entries otherwise some services may fail to start.<br />
{{hc|/etc/nscd.conf|<br />
# Begin /etc/nscd.conf<br />
''[...]''<br />
enable-cache passwd '''no'''<br />
''[...]''<br />
enable-cache group '''no'''<br />
''[...]''<br />
enable-cache hosts yes<br />
''[...]''<br />
enable-cache netgroup '''no'''<br />
''[...]''<br />
# End /etc/nscd.conf<br />
}}<br />
<br />
==== 3. NSS Configuration ====<br />
<br />
Edit {{ic|/etc/nsswitch.conf}} as follows.<br />
{{hc|/etc/nsswitch.conf|<br />
# Begin /etc/nsswitch.conf<br />
<br />
passwd: files '''sss'''<br />
group: files '''sss'''<br />
shadow: files '''sss'''<br />
'''sudoers: files sss'''<br />
<br />
publickey: files<br />
<br />
hosts: files dns myhostname<br />
networks: files<br />
<br />
protocols: files<br />
services: files<br />
ethers: files<br />
rpc: files<br />
<br />
netgroup: files<br />
<br />
# End /etc/nsswitch.conf<br />
}}<br />
<br />
==== 4. PAM Configuration ====<br />
<br />
The first step is to edit {{ic|/etc/pam.d/system-auth}} as follows.<br />
{{hc|/etc/pam.d/system-auth|2=<br />
#%PAM-1.0<br />
<br />
'''auth sufficient pam_sss.so forward_pass'''<br />
auth required pam_unix.so try_first_pass nullok<br />
auth optional pam_permit.so<br />
auth required pam_env.so<br />
<br />
'''account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so'''<br />
account required pam_unix.so<br />
account optional pam_permit.so<br />
account required pam_time.so<br />
<br />
'''password sufficient pam_sss.so use_authtok'''<br />
password required pam_unix.so try_first_pass nullok sha512 shadow<br />
password optional pam_permit.so<br />
<br />
'''session required pam_mkhomedir.so skel=/etc/skel/ umask=0077'''<br />
session required pam_limits.so<br />
session required pam_unix.so<br />
'''session optional pam_sss.so'''<br />
session optional pam_permit.so<br />
}}<br />
<br />
These PAM changes will apply to fresh login. To also allow the {{ic|su}} command to authenticate through SSSD, edit {{ic|/etc/pam.d/su}}:<br />
<br />
{{hc|/etc/pam.d/su|2=<br />
#%PAM-1.0<br />
auth sufficient pam_rootok.so<br />
<br />
'''auth sufficient pam_sss.so forward_pass'''<br />
auth required pam_unix.so<br />
<br />
'''account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so'''<br />
account required pam_unix.so<br />
<br />
'''session required pam_unix.so'''<br />
session optional pam_sss.so<br />
}}<br />
<br />
===== 1. SUDO Configuration =====<br />
<br />
Edit {{ic|/etc/pam.d/sudo}} as follows.<br />
{{hc|/etc/pam.d/sudo|<br />
#%PAM-1.0<br />
'''auth sufficient pam_sss.so'''<br />
auth required pam_unix.so try_first_pass<br />
auth required pam_nologin.so<br />
}}<br />
<br />
===== 2. Password Management =====<br />
<br />
In order to enable users to change their passwords using {{ic|passwd}} edit {{ic|/etc/pam.d/passwd}} as follows.<br />
{{hc|/etc/pam.d/passwd|2=<br />
#%PAM-1.0<br />
'''password sufficient pam_sss.so'''<br />
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3<br />
#password required pam_unix.so sha512 shadow use_authtok<br />
password required pam_unix.so sha512 shadow nullok<br />
}}<br />
<br />
[[Start/enable]] the {{ic|sssd.service}} systemd unit.<br />
<br />
You should now be able to see details of your ldap users with {{ic|getent passwd <username>}} or {{ic|id <username>}}.<br />
<br />
Once you have logged in with a user the credentials will be cached and you will be able to login using the cached credentials when the ldap server is offline or unavailable.<br />
<br />
== Resources ==<br />
* [http://arthurdejong.org/nss-pam-ldapd/setup The official page of the nss-pam-ldapd packet]<br />
* [[debian:LDAP/NSS|Debian Wiki - LDAP/NSS]]<br />
* [[debian:LDAP/PAM|Debian Wiki - LDAP/PAM]]<br />
* [https://www.fatofthelan.com/technical/using-ldap-for-single-authentication/ Using LDAP for single authentication]<br />
* [http://www.cs.dixie.edu/ldap/ Heterogeneous Network Authentication Introduction]<br />
* [http://readlist.com/lists/suse.com/suse-linux-e/36/182642.html Discussion on suse's mailing lists about nss-pam-ldapd]<br />
* [https://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Introduction.html Fedora's SSSD User Guide]</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=317024OpenLDAP2014-05-28T14:00:52Z<p>Wirelessben: Clarified the language of what the server script does. Added client reminder.</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
{{Tip|The server procedure on this page — installation and configuration of OpenLDAP with TLS — can be accomplished by running [https://raw.githubusercontent.com/FOSSperts/archlinux-openldap/master/createldapserver.sh this interactive script]. You still have to configure the client.}}<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, we have to delete the old configuration files first, do this every time you change the configuration:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd.<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
Regenerate the configuration directory:<br />
# rm -rf /etc/openldap/slapd.d/* # erase old config settings<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # generate new config directory from config file<br />
# chown -R ldap:ldap /etc/openldap/slapd.d # Change ownership recursively to ldap on the config directory<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Server Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap".<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=316894OpenLDAP2014-05-27T12:16:53Z<p>Wirelessben: Undo revision 316791 by Wirelessben (talk) Daemon starting is deprecated.</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
{{Tip|The entire procedure on this page — installation and configuration of OpenLDAP with TLS — can be accomplished by running [https://raw.githubusercontent.com/FOSSperts/archlinux-openldap/master/createldapserver.sh this interactive script].}}<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, we have to delete the old configuration files first, do this every time you change the configuration:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd.<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
Regenerate the configuration directory:<br />
# rm -rf /etc/openldap/slapd.d/* # erase old config settings<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # generate new config directory from config file<br />
# chown -R ldap:ldap /etc/openldap/slapd.d # Change ownership recursively to ldap on the config directory<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Server Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap".<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=316791OpenLDAP2014-05-26T19:46:45Z<p>Wirelessben: /* The server: Cleaned up wording, as "slapd.service" is already in the command. */</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
{{Tip|The entire procedure on this page — installation and configuration of OpenLDAP with TLS — can be accomplished by running [https://raw.githubusercontent.com/FOSSperts/archlinux-openldap/master/createldapserver.sh this interactive script].}}<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, we have to delete the old configuration files first, do this every time you change the configuration:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon using systemd:<br />
<br />
# systemctl start slapd.service<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
Regenerate the configuration directory:<br />
# rm -rf /etc/openldap/slapd.d/* # erase old config settings<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # generate new config directory from config file<br />
# chown -R ldap:ldap /etc/openldap/slapd.d # Change ownership recursively to ldap on the config directory<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Server Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap".<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=316789OpenLDAP2014-05-26T19:41:34Z<p>Wirelessben: /* Configuration: Added code to start slapd. */</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
{{Tip|The entire procedure on this page — installation and configuration of OpenLDAP with TLS — can be accomplished by running [https://raw.githubusercontent.com/FOSSperts/archlinux-openldap/master/createldapserver.sh this interactive script].}}<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, we have to delete the old configuration files first, do this every time you change the configuration:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd:<br />
<br />
# systemctl start slapd.service<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
Regenerate the configuration directory:<br />
# rm -rf /etc/openldap/slapd.d/* # erase old config settings<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # generate new config directory from config file<br />
# chown -R ldap:ldap /etc/openldap/slapd.d # Change ownership recursively to ldap on the config directory<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Server Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap".<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=316639OpenLDAP2014-05-25T14:36:10Z<p>Wirelessben: Added link to automated installation and configuration script.</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
{{Note|The entire procedure on this page -- installation and configuration of OpenLDAP with TLS -- can be accomplished by running [https://raw.githubusercontent.com/FOSSperts/archlinux-openldap/master/createldapserver.sh this interactive script].}}<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, we have to delete the old configuration files first, do this every time you change the configuration:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd.<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
Regenerate the configuration directory:<br />
# rm -rf /etc/openldap/slapd.d/* # erase old config settings<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # generate new config directory from config file<br />
# chown -R ldap:ldap /etc/openldap/slapd.d # Change ownership recursively to ldap on the config directory<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Server Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap".<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=315106OpenLDAP2014-05-14T12:28:37Z<p>Wirelessben: /* LDAP Server Stops Suddenly */</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, we have to delete the old configuration files first:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd.<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
Regenerate the configuration directory:<br />
# rm -rf /etc/openldap/slapd.d/* # erase old config settings<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # generate new config directory from config file<br />
# chown -R ldap:ldap /etc/openldap/slapd.d # Change ownership recursively to ldap on the config directory<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Server Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap".<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=315105OpenLDAP2014-05-14T12:25:16Z<p>Wirelessben: /* LDAP Server Stops Suddenly: corrected typo. */</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, we have to delete the old configuration files first:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd.<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
Regenerate the configuration directory:<br />
# rm -rf /etc/openldap/slapd.d/* # erase old config settings<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # generate new config directory from config file<br />
# chown -R ldap:ldap /etc/openldap/slapd.d # Change ownership recursively to ldap on the config directory<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Server Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap"<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=315081OpenLDAP2014-05-14T04:45:20Z<p>Wirelessben: /* Configure slapd for SSL */</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, we have to delete the old configuration files first:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd.<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
Regenerate the configuration directory:<br />
# rm -rf /etc/openldap/slapd.d/* # erase old config settings<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # generate new config directory from config file<br />
# chown -R ldap:ldap /etc/openldap/slapd.d # Change ownership recursively to ldap on the config directory<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Sserver Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap"<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=315080OpenLDAP2014-05-14T04:43:14Z<p>Wirelessben: /* Configure slapd for SSL: Added explicit commands for regenerating /etc/openldap/slapd.d/ */</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, we have to delete the old configuration files first:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd.<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
Regenerate config directory<br />
# rm -rf /etc/openldap/slapd.d/* # erase old config settings<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # generate new config directory from config file<br />
# chown -R ldap:ldap /etc/openldap/slapd.d # Change ownership recursively to ldap on the config directory<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Sserver Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap"<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=314366OpenLDAP2014-05-10T15:03:58Z<p>Wirelessben: /* The server: added the systemd command to start slapd. */</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, we have to delete the old configuration files first:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd.<br />
<br />
# systemctl start slapd<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Sserver Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap"<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=313848OpenLDAP2014-05-07T14:26:16Z<p>Wirelessben: /* The server: Corrected slapd.config to slapd.conf, and changed slapd-config to /etc/openldap/slapd.d/ */</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, we have to delete the old configuration files first:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd.<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Sserver Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap"<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=313023OpenLDAP2014-05-02T12:40:30Z<p>Wirelessben: /* OpenLDAP over TLS: Moved "chown -R /etc/openldap/slapd.d" to The Server section. */</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.config}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|slapd-config}} configuration settings, we have to delete the old configuration files first:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
# systemctl start slapd<br />
# systemctl stop slapd<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon:<br />
<br />
# systemctl start slapd<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 744 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
systemctl stop slapd.service<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it with:<br />
# systemctl enable slapd.service<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Sserver Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap"<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=OpenLDAP&diff=313010OpenLDAP2014-05-02T12:18:46Z<p>Wirelessben: /* Added "chown -R ldap:ldap /etc/openldap/slapd.d". Added explicit starts and stops via systemd, in the right order. */</p>
<hr />
<div>[[Category:Networking]]<br />
[[ru:openLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP Authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.<br />
<br />
Directory services are an enormous topic. Configuration can therefore be complex. This page is a starting point for a basic OpenLDAP installation and a sanity check. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is an good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both a LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we'll use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.config}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|slapd-config}} configuration settings, we have to delete the old configuration files first:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(if you do not have a database yet, you might need to create one by starting and stopping the {{ic|slapd.service}} [[systemd#Using units|using systemd]] )<br />
<br />
# systemctl start slapd<br />
# systemctl stop slapd<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
}}<br />
<br />
Finally, start the slapd daemon:<br />
<br />
# systemctl start slapd<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you'll only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://web.archive.org/web/20130211222328/http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0 upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network and especially if you have sensitive data stored on the server you run the risk of someone sniffing your data which is sent clear-text. The next part will guide you on how to setup an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it doesn't exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 744 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
The {{ic|/etc/openldap/slapd.d}} folder and it's files should be owned by {{ic|ldap}} user and group:<br />
# chown -R ldap:ldap /etc/openldap/slapd.d/<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change to protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it's enabled.<br />
<br />
systemctl stop slapd.service<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and add change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections don't need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it with:<br />
# systemctl enable slapd.service<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it won't be able connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is the [[LDAP Authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you can't connect to your server for non-secure authentication<br />
<br />
$ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and for TLS secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Sserver Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap"<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP Authentication]]<br />
* {{AUR|apachedirectorystudio2}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfect with OpenLDAP installations.</div>Wirelessbenhttps://wiki.archlinux.org/index.php?title=MariaDB&diff=251735MariaDB2013-03-23T23:24:54Z<p>Wirelessben: my.cnf comes with networking enabled by default. Changed "Enable remote access" section to "Disable remote access".</p>
<hr />
<div>[[Category:Database management systems]]<br />
[[cs:MySQL]]<br />
[[de:MySQL]]<br />
[[es:MySQL]]<br />
[[fr:MySQL]]<br />
[[it:MySQL]]<br />
[[sr:MySQL]]<br />
[[tr:MySQL]]<br />
[[zh-CN:MySQL]]<br />
MySQL is a widely spread, multi-threaded, multi-user SQL database. For more information about features, see the [http://www.mysql.com/ official homepage].<br />
== Installation ==<br />
[[pacman|Install]] the {{Pkg|mysql}} package from the [[Official Repositories|official repositories]].<br />
<br />
After installing MySQL, start the ''mysqld'' [[Daemons|daemon]].<br />
<br />
Run the setup script and restart the daemon afterwards:<br />
# mysql_secure_installation<br />
# systemctl restart mysqld<br />
<br />
== Configuration ==<br />
Once you have started the MySQL server, you probably want to add a root account in order to maintain your MySQL users and databases. This can be done manually or automatically, as mentioned by the output of the above script. Either run the commands to set a password for the root account, or run the secure installation script.<br />
<br />
You now should be able to do further configuration using your favorite interface. For example you can use MySQL's command line tool to log in as root into your MySQL server:<br />
$ mysql -p -u root<br />
<br />
=== Disable remote access ===<br />
The MySQL server is accessible from the network by default. If mysql is only needed for the localhost, you can improve security by not listening on TCP port 3306. To refuse remote connections, uncomment the following line in {{ic|/etc/mysql/my.cnf}}:<br />
skip-networking<br />
<br />
You will still be able to log in from the localhost.<br />
<br />
=== Enable auto-completion ===<br />
The MySQL client completion feature is disabled by default. To enable it system-wide edit {{ic|/etc/mysql/my.cnf}}, and replace {{ic|no-auto-rehash}} by {{ic|auto-rehash}}. Completion will be enabled next time you run the MySQL client. Please note that enabling this feature can make the client initialization longer.<br />
<br />
== Upgrading ==<br />
You might consider running this command after you have upgraded MySQL and started it:<br />
# mysql_upgrade -u root -p<br />
<br />
== Backup ==<br />
The database can be dumped to a file for easy backup. The following shell script will do this for you, creating a {{ic|db_backup.gz}} file in the same directory as the script, containing your database dump:<br />
<br />
{{bc|1=<br />
#!/bin/bash<br />
<br />
THISDIR=`dirname $(readlink -f "$0")`<br />
<br />
mysqldump --single-transaction --flush-logs --master-data=2 --all-databases \<br />
<nowiki>|</nowiki> gzip > $THISDIR/db_backup.gz<br />
echo 'purge master logs before date_sub(now(), interval 7 day);' <nowiki>|</nowiki> mysql<br />
}}<br />
<br />
See also the official [http://dev.mysql.com/doc/refman/5.6/en/mysqldump.html mysqldump page in the MySQL manual].<br />
<br />
== Troubleshooting ==<br />
=== MySQL daemon cannot start ===<br />
If you see something like this:<br />
:: Starting MySQL [FAIL]<br />
and there is no entry in the log files, you might want to check the permissions of files in the directories {{ic|/var/lib/mysql}} and {{ic|/var/lib/mysql/mysql}}. If the owner of files in these directories is not {{ic|mysql:mysql}}, you should do the following:<br />
# chown mysql:mysql /var/lib/mysql -R<br />
If you run into permission problems despite having followed the above, ensure that your {{ic|my.cnf}} is copied to {{ic|/etc/}}:<br />
# cp /etc/mysql/my.cnf /etc/my.cnf<br />
Now try and start the daemon.<br />
<br />
If you get these messages in your {{ic|/var/lib/mysql/hostname.err}}<br />
[ERROR] Can't start server : Bind on unix socket: Permission denied<br />
[ERROR] Do you already have another mysqld server running on socket: /var/run/mysqld/mysqld.sock ?<br />
[ERROR] Aborting<br />
The permissions of {{ic|/var/run/mysqld}} could be the culprit.<br />
# chown mysql:mysql /var/run/mysqld -R<br />
<br />
If you run mysqld and the following error appears:<br />
Fatal error: Can’t open and lock privilege tables: Table ‘mysql.host’ doesn’t exist<br />
Run the following command from the /usr directory to install the default tables:<br />
# cd /usr<br />
# mysql_install_db --user=mysql --ldata=/var/lib/mysql/<br />
<br />
=== Unable to run mysql_upgrade because MySQL cannot start ===<br />
Try run MySQL in safemode:<br />
# mysqld_safe --datadir=/var/lib/mysql/<br />
And then run:<br />
# mysql_upgrade -u root -p<br />
<br />
=== Reset the root password ===<br />
Stop the ''mysqld'' [[Daemons|daemon]].<br />
# mysqld_safe --skip-grant-tables &<br />
Connect to the mysql server<br />
# mysql -u root mysql<br />
Change root password:<br />
mysql> UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';<br />
mysql> FLUSH PRIVILEGES;<br />
mysql> exit<br />
Start the ''mysqld'' daemon.<br />
<br />
== See also ==<br />
* [[MariaDB]]<br />
* [[LAMP]] - Arch wiki article covering the setup of a LAMP server (Linux Apache MySQL PHP)<br />
* http://www.mysql.com/<br />
* Front-ends: {{AUR|mysql-gui-tools}} {{AUR|mysql-workbench}}</div>Wirelessben