Difference between revisions of "OpenLDAP"

From ArchWiki
(Create an initial, basic install page based on the other wiki pages.)
 
m (/etc/openldap/slapd.conf)
(11 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 +
[[Category:Networking]]
 
OpenLDAP, LDAP & Directory services are an enormous topic. Configuration is therefore complex. This page is a starting point for a basic openldap install on Archlinux and a sanity check.  
 
OpenLDAP, LDAP & Directory services are an enormous topic. Configuration is therefore complex. This page is a starting point for a basic openldap install on Archlinux and a sanity check.  
  
Line 4: Line 5:
 
==== References ====
 
==== References ====
  
http://aqua.subnet.at/~max/ldap/
 
 
http://www.openldap.org/doc/admin24/
 
http://www.openldap.org/doc/admin24/
  
Line 25: Line 25:
 
===== The server (slapd) =====
 
===== The server (slapd) =====
  
You can start the server like any other daemon, by executing
+
First prepare the database directory. You will need to copy the default config file and set the proper ownership.
/etc/rc.d/slapd start
+
  
There are three config files you must edit first, though:
+
WARNING!!! - The following snippet wipes out any existing ldap database.
  
 +
rm -rf /var/lib/openldap/openldap-data/*
 +
cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG
 +
chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG
 +
 +
Next we prepare slapd.conf
 
====== /etc/openldap/slapd.conf ======
 
====== /etc/openldap/slapd.conf ======
You can define the access rules here, the root "user" etc. At minimum delete the default root password create a strong one:
+
Add some typically used schemas...
 +
{{bc|
 +
include        /etc/openldap/schema/cosine.schema
 +
include        /etc/openldap/schema/nis.schema
 +
include        /etc/openldap/schema/inetorgperson.schema
 +
}}
 +
Edit the suffix. Typically this is your domain name but it does not have to be. It depends on how you use your directory. We will use 'example' for the domain name, and 'com' for the tld. Also set your ldap administrators name (we'll use 'root' here)
 +
{{bc|<nowiki>
 +
suffix    "dc=example,dc=com"
 +
rootdn    "cn=root,dc=example,dc=com"
 +
</nowiki>}}
 +
 
 +
Now we delete the default root password and create a strong one:
 
  #find the line with rootpw and delete it
 
  #find the line with rootpw and delete it
 
  sed -i "/rootpw/ d" slapd.conf
 
  sed -i "/rootpw/ d" slapd.conf
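Review bot: the new database-preparation block opens with `rm -rf /var/lib/openldap/openldap-data/*`, and although the WARNING line flags it, the surrounding text still presents the wipe as the normal first step of a fresh install; suggest moving it into a reinstall-only aside and telling readers to export any existing data with `slapcat` before running it. Smaller point: the `sed -i "/rootpw/ d" slapd.conf` and `echo "rootpw    $(slappasswd)" >> slapd.conf` lines use a relative filename while the heading names /etc/openldap/slapd.conf, so add a `cd /etc/openldap` or use the absolute path.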
Line 37: Line 53:
 
  echo "rootpw    $(slappasswd)" >> slapd.conf
 
  echo "rootpw    $(slappasswd)" >> slapd.conf
  
If you want to use SSL, you have to specify a path to your certificates here.
+
ldap won't find things unless you index them. Read the [http://www.zytrax.com/books/ldap/ch6/#index ldap documentation] for details, you can use the following to start with. (add them to your {{ic|slapd.conf}})
 +
{{bc|
 +
index  uid            pres,eq
 +
index  mail            pres,sub,eq
 +
index  cn              pres,sub,eq
 +
index  sn              pres,sub,eq
 +
index  dc              eq
 +
}}
 +
 
 +
'''Note: '''
 +
 
 +
Don't forget to run {{ic|slapindex}} after you populate your directory. (slapd needs to be stopped to do this). Then change the ownership for all the generated files:
 +
chown ldap.ldap /var/lib/openldap/openldap-data/*
 +
 
 +
If you want to use SSL, you have to specify a path to your certificates here. See [[OpenLDAP Authentication]]
 +
 
 +
Finally you can start the slapd daemon.
 +
#systemctl start slapd
 +
 
 +
It might be possible that /run/openldap does not exist, starting the daemon won't work. Just create the directory:
 +
 
 +
#mkdir /run/openldap
  
 
====== /etc/conf.d/slapd ======
 
====== /etc/conf.d/slapd ======
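Review bot: `chown ldap.ldap /var/lib/openldap/openldap-data/*` in the slapindex note uses the dot separator while the DB_CONFIG step above and the Troubleshooting section use `ldap:ldap`; pick one (`ldap:ldap` is the documented form). Also `#systemctl start slapd` and `#mkdir /run/openldap` read as commented-out shell lines rather than root-prompt commands; a space after the prompt, as in `# chown ldap:ldap ...` in Troubleshooting, avoids that. Since the page says slapd runs as user ldap, consider whether the newly created /run/openldap also needs the same `chown ldap:ldap` as the data directory.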
Line 43: Line 80:
 
You can also specify additional slapd options here.
 
You can also specify additional slapd options here.
  
====== /var/lib/openldap/openldap-data/DB_CONFIG ======
 
You will need to copy the default config file and set the proper ownership.
 
cp /var/lib/openldap/openldap-data/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG
 
chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG
 
  
 
===== The client =====
 
===== The client =====
 
 
The client is usually not such a big deal, just keep in mind that your apps that require LDAP auth use it, so if something goes wrong with LDAP, do not waste your time with the app, start debugging the client instead.
 
The client is usually not such a big deal, just keep in mind that your apps that require LDAP auth use it, so if something goes wrong with LDAP, do not waste your time with the app, start debugging the client instead.
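Review bot: the removed DB_CONFIG section copied from /var/lib/openldap/openldap-data/DB_CONFIG.example, but its replacement in the earlier hunk copies from /etc/openldap/DB_CONFIG.example; only one of these can be where the package ships the file, so confirm the path before the old one disappears from the page, otherwise the copy step fails with a missing-file error.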
  
Line 65: Line 97:
  
 
you should see some information on your database.
 
you should see some information on your database.
 +
== Next Steps ==
 +
 +
You now have a basic ldap installation. The step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to ldap, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, Postfix, etc).
 +
 +
A directory for system authentication is the [[LDAP Authentication]] article.
 +
 
== Troubleshooting ==
 
== Troubleshooting ==
 
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:
 
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:
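Review bot: in the new Next Steps paragraph, "The step is to design your directory" is missing "next", and "A directory for system authentication is the [[LDAP Authentication]] article" does not parse; suggest "For a directory used for system authentication, see [[LDAP Authentication]]". That link target also differs from [[OpenLDAP Authentication]] used in the SSL note of the slapd.conf section; check which page exists and use one name in both places.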

Revision as of 12:49, 3 November 2012

OpenLDAP, LDAP and directory services are an enormous topic, and configuration is therefore complex. This page is a starting point for a basic OpenLDAP install on Arch Linux, together with a sanity check.


References

http://www.openldap.org/doc/admin24/

For the newbies

If you are totally new to these concepts, here is a good introduction that is easy to understand and will get you started, even if you are new to everything LDAP.

http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html


Install OpenLDAP

This part is easy:

pacman -S openldap 

The openldap package basically contains two things: The LDAP server (slapd) and the LDAP client. You will probably want to run the server on your computer. After you design the directory, the server will be able to provide authentication services for LDAP clients. It is quite likely that you will run services requiring the LDAP authentication on that very computer, in which case the LDAP client will query the LDAP server from the same package.

Configure OpenLDAP

The server (slapd)

First prepare the database directory. You will need to copy the default config file and set the proper ownership.

WARNING!!! - The following snippet wipes out any existing ldap database.

rm -rf /var/lib/openldap/openldap-data/*
cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG
chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG

Next we prepare slapd.conf

/etc/openldap/slapd.conf

Add some typically used schemas...

include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema

Edit the suffix. Typically this is your domain name, but it does not have to be; it depends on how you use your directory. We will use 'example' for the domain name and 'com' for the TLD. Also set your LDAP administrator's name (we will use 'root' here).

suffix     "dc=example,dc=com"
rootdn     "cn=root,dc=example,dc=com"

Now we delete the default root password and create a strong one:

#find the line with rootpw and delete it
sed -i "/rootpw/ d" slapd.conf
#add a line which includes the hashed password output from slappasswd
echo "rootpw    $(slappasswd)" >> slapd.conf

LDAP will not find entries efficiently unless you index the attributes you search on. Read the ldap documentation for details; you can use the following set to start with (add the lines to your slapd.conf):

index   uid             pres,eq
index   mail            pres,sub,eq
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   dc              eq

Note:

Do not forget to run slapindex after you populate your directory (slapd must be stopped while you do this). Then change the ownership of all the generated files:

chown ldap:ldap /var/lib/openldap/openldap-data/*

If you want to use SSL, you have to specify a path to your certificates here. See OpenLDAP Authentication

Finally you can start the slapd daemon:

# systemctl start slapd

If /run/openldap does not exist, the daemon will fail to start. Just create the directory:

# mkdir /run/openldap

/etc/conf.d/slapd

This is important: here you define the port on which the server listens, and if you want to use SSL you will want the ldaps:// URI instead of the default ldap://. You can also specify additional slapd options here.


The client

The client is usually not a big deal. Keep in mind, though, that the apps requiring LDAP auth go through it, so if something goes wrong with LDAP, do not waste your time on the app; start debugging the client instead.

The client config file is located at /etc/openldap/ldap.conf. It is actually very simple.

If you decide to use SSL:

  • The protocol (ldap or ldaps) in the URI entry has to conform with the slapd configuration
  • If you decide to use self-signed certificates, you have to add them to TLS_CACERT
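The two SSL points above can be checked mechanically. The following is an added example, not code from the ArchWiki page or from OpenLDAP: given an ldap.conf file and the scheme slapd was configured for (ldap or ldaps), it verifies that the URI entry uses that scheme and, for ldaps, that TLS_CACERT is set and points at a readable file. The sample config, host names and CA path are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): validate /etc/openldap/ldap.conf
# style client settings against the scheme slapd listens on.

# conf_value FILE KEY  -> prints the first token of KEY's value, or nothing.
conf_value() {
    sed -n "s/^$2[[:space:]]\{1,\}//p" "$1" | head -n 1 | awk '{print $1}'
}

# check_ldap_conf FILE EXPECTED
# Returns 0 when the URI scheme equals EXPECTED and, for ldaps, when
# TLS_CACERT names a readable file; prints the reason and returns 1 otherwise.
check_ldap_conf() {
    file=$1 expected=$2
    uri=$(conf_value "$file" URI)
    [ -n "$uri" ] || { echo "$file: no URI entry" >&2; return 1; }
    scheme=${uri%%://*}
    if [ "$scheme" != "$expected" ]; then
        echo "$file: URI uses $scheme:// but slapd is configured for $expected://" >&2
        return 1
    fi
    if [ "$scheme" = ldaps ]; then
        ca=$(conf_value "$file" TLS_CACERT)
        if [ -z "$ca" ]; then
            echo "$file: ldaps:// needs TLS_CACERT (mandatory with self-signed certificates)" >&2
            return 1
        fi
        if [ ! -r "$ca" ]; then
            echo "$file: TLS_CACERT $ca is not readable" >&2
            return 1
        fi
    fi
    return 0
}

# Demo with a constructed client config in a temporary directory.
demo=$(mktemp -d)
printf 'BASE    dc=example,dc=com\nURI     ldaps://ldap.example.com\n' > "$demo/ldap.conf"
if ! check_ldap_conf "$demo/ldap.conf" ldaps; then echo "(as expected: TLS_CACERT missing)"; fi
printf 'TLS_CACERT %s/ca.crt\n' "$demo" >> "$demo/ldap.conf"
: > "$demo/ca.crt"        # stands in for the self-signed CA certificate
if check_ldap_conf "$demo/ldap.conf" ldaps; then echo "$demo/ldap.conf is consistent with ldaps://"; fi
```

Run it against the real file as `check_ldap_conf /etc/openldap/ldap.conf ldaps` after editing. A scheme mismatch shows up as a connection error in every application that uses the client, which is exactly the situation the paragraph above warns about.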

Test your new OpenLDAP installation

This is easy, just run the command below:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

You should see some information on your database.

Next Steps

You now have a basic LDAP installation. The next step is to design your directory. The design depends heavily on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, Postfix, etc.).

For a directory used for system authentication, see the LDAP Authentication article.

Troubleshooting

If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:

# chown ldap:ldap /var/lib/openldap/openldap-data/*

to allow slapd write access to its data directory as the user "ldap".