OpenLDAP, LDAP & Directory services are an enormous topic. Configuration is therefore complex. This page is a starting point for a basic openldap install on Archlinux and a sanity check.
For the newbies
If you are totally new to these concepts, here is a good introduction that is easy to understand and will get you started, even if everything about LDAP is new to you.
This part is easy:
pacman -S openldap
The openldap package basically contains two things: The LDAP server (slapd) and the LDAP client. You will probably want to run the server on your computer. After you design the directory, the server will be able to provide authentication services for LDAP clients. It is quite likely that you will run services requiring the LDAP authentication on that very computer, in which case the LDAP client will query the LDAP server from the same package.
The server (slapd)
You can start the server like any other daemon, by executing
There are three config files you must edit first, though:
Access rules, the root "user" and so on are defined here. At a minimum, delete the default root password and set a strong, hashed one:
# find the line with rootpw and delete it
sed -i "/rootpw/ d" slapd.conf
# add a line containing the hashed password printed by slappasswd
echo "rootpw $(slappasswd)" >> slapd.conf
If you want to use SSL, you have to specify a path to your certificates here.
Very important: this is where you define on which port the server listens. If you want to use SSL, use an ldaps:// URI instead of the default ldap://. You can also specify additional slapd options here.
You will need to copy the default config file and set the proper ownership.
cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG
chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG
The client is usually not such a big deal; just keep in mind that the applications requiring LDAP authentication use it, so if something goes wrong with LDAP, do not waste time on the application and start debugging the client instead.
The client config file is located at /etc/openldap/ldap.conf. It is actually very simple.
If you decide to use SSL:
- The protocol (ldap or ldaps) in the URI entry must match the slapd configuration
- If you use self-signed certificates, you have to add them to TLS_CACERT
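As an added example (not part of the original page), a small POSIX shell pre-flight check for the server and client edits above: that slapd.conf carries exactly one rootpw line and that it is a hash rather than cleartext, that the client URI scheme matches what slapd listens on, and that TLS_CACERT points at a readable file. The server URI, file paths and sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks that the
# slapd.conf and client ldap.conf edits were made correctly.
# File paths are parameters; the sample files at the bottom are constructed.

# 0 if slapd.conf has exactly one rootpw line and its value is a hash
# ({SSHA}, {SHA}, {CRYPT}, ...) as printed by slappasswd, not cleartext.
check_rootpw() {
    conf="$1"
    n=$(grep -c '^rootpw[[:space:]]' "$conf" || true)
    [ "$n" -eq 1 ] || return 1          # none, or the default line left in place
    pw=$(awk '$1 == "rootpw" {print $2}' "$conf")
    case "$pw" in
        \{*\}*) return 0 ;;             # hashed value
        *)      return 1 ;;             # cleartext password
    esac
}

# 0 if the scheme of the server's listening URI (as given to slapd,
# e.g. ldaps:///) matches the scheme of the URI entry in the client ldap.conf.
check_uri_scheme() {
    server_uri="$1"
    client_uri=$(awk '$1 == "URI" {print $2}' "$2")
    [ -n "$client_uri" ] && [ "${server_uri%%:*}" = "${client_uri%%:*}" ]
}

# 0 if TLS_CACERT in ldap.conf names a readable file (needed for the client
# to trust a self-signed server certificate).
check_cacert() {
    ca=$(awk '$1 == "TLS_CACERT" {print $2}' "$1")
    [ -n "$ca" ] && [ -r "$ca" ]
}

# --- constructed sample files, for demonstration only ---
tmp=$(mktemp -d)
printf 'rootpw secret\n' > "$tmp/cleartext.conf"
printf 'rootpw secret\nrootpw {SSHA}PLACEHOLDER\n' > "$tmp/leftover.conf"
printf 'rootpw {SSHA}PLACEHOLDER\n' > "$tmp/hashed.conf"
printf 'constructed placeholder, not a real CA certificate\n' > "$tmp/ca.pem"
printf 'URI ldaps://ldap.example.test\nTLS_CACERT %s/ca.pem\n' "$tmp" > "$tmp/ldap.conf"

check_rootpw "$tmp/hashed.conf"               && echo "rootpw: single hashed entry"
check_uri_scheme "ldaps:///" "$tmp/ldap.conf" && echo "URI scheme: client matches server"
check_cacert "$tmp/ldap.conf"                 && echo "TLS_CACERT: file present"
```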
Test your new OpenLDAP installation
This is easy, just run the command below:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
You should see some information on your database.
You now have a basic LDAP installation. The next step is to design your directory. The design depends heavily on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, Postfix, etc.).
A directory design for system authentication is described in the LDAP Authentication article.
If you notice that slapd seems to start but then stops, you may have a permission issue with the ldap datadir. Try running:
# chown ldap:ldap /var/lib/openldap/openldap-data/*
to allow slapd write access to its data directory as the user "ldap".