Cheap VPS & Xen Server


Residential Proxy Network - Hourly & Monthly Packages

Install And Configure OpenLDAP On Ubuntu Karmic Koala


The configuration of OpenLDAP got a bit (more) complicated. cn=config is still used, but when installing the packages from the repositories only a skeleton configuration of openldap is installed.

You’re not asked anymore to provide a password when the package is installed and issuing the “dpkg-reconfigure slapd” only resets openldap to the skeleton configuration. You will have to set up the openldap database, root dn and acl’s yourself using the root account (or sudo) in order to configure openldap.

Here is how I configured openldap in Karmic Koala, but I do not issue any guarantee that this setup will suit your needs or works for you as it worked for me.

There is an official statement about this (https://lists.ubuntu.com/archives/ubuntu-server/2009-August/003182.html) but the official guide on help.ubuntu.com is outdated and does not tell you how to configure openldap on Karmic Koala.

Note:

  1. This howto uses dc=example,dc=com as the tree for the openldap server. Change these to the base tree that you want to have eg: dc=yourdomain,dc=tld. You need to do this everywhere dc=example,dc=com is used. Also for the entries o=example and dc:example in the db.ldif.
  2. Hard returns in all of the provided files are needed since they mark the end of a command when being applied to the openldap server.

So here ‘s how I did it:

Step 1: install openldap and ldap-utils:

apt-get -y install slapd ldap-utils

Step 2: change into the /etc/ldap directory:

cd /etc/ldap

Step 3: add the schemas you want / need since only the core schema is added by default:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

Step 4:  load the database backend module and create the database.

Create a file called db.ldif and paste the text below in to it:

vi db.ldif

Content of the db.ldif:

# Load dynamic backend modules
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb

# Create the database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: example
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq

Save the file and issue the following command to load the module and initialize the database:

ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif

Please note the olcRootPW: example which sets the RootPW to example. Replace example witch a password of your choice.

Step 5: create the base dn and the admin account for the openldap server.

Modify the text below to your needs and wants and generate a password for the admin account. The hash currently in this file sets the password to example.

To create crypt a password for the admin account  issue the following command:

slappasswd -h {MD5}

Type the wanted pasword twice and copy the result in to the text below.

Create the base.ldif:

vi base.ldif

Content of base.ldif:

dn: dc=example,dc=com
objectClass: dcObject
objectclass: organization
o: example.com
dc: example
description: My LDAP Root

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {MD5}Gnmk1g3mcY6OWzJuM4rlMw==
description: LDAP administrator

Load the base dn into the database with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif

Step 6: modify the system acl’s

There are some acl’s set in the openldap setup that prevent phpldapadmin to interface with the directory, so we will remove them now and set openldap to the default cn=admin,cn=config. From this moment on the openldap can be configured and manipulated as before, but no longer by issuing commands like ldapadd -Y EXTERNAL -H ldapi:// -f file but rather ldapadd -x -Y EXTERNAL -H ldapi:// -D cn=admin,cn=config -W -f file.

Create a file called config.ldif and paste the text below in to it. However do not forget to replace the olcRootPW hash with the hash you created above.

vi config.ldif

Content of config.ldif:

dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcRootDN

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {MD5}Gnmk1g3mcY6OWzJuM4rlMw==

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

Load the config.ldif into the openldap server:

ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif

7: Set the ldap acl’s

Now we only need to add some acl to the directory, root has allways full read / write but this acl is the base acl that was always  shipped with opendlap.

Create a file called acl.ldif and paste the text below into it:

vi acl.ldif

Content of acl.ldif:

dn: olcDatabase={1}hdb,cn=config
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

Now load the acl into the openldap server:

ldapmodify -x -D cn=admin,cn=config -W -f acl.ldif

You should now have an openldap directory as it was shipped with Jaunty Jackalope.

Comments

comments