{"id":230,"date":"2010-12-01T23:11:14","date_gmt":"2010-12-01T22:11:14","guid":{"rendered":""},"modified":"2011-03-17T10:42:19","modified_gmt":"2011-03-17T08:42:19","slug":"installation-and-configuration-openldap","status":"publish","type":"post","link":"https:\/\/drfugazi.eu.org\/en\/installation-and-configuration-openldap\/","title":{"rendered":"Installation and configuration of OpenLDAP"},"content":{"rendered":"<h3>Installation and basic configuration of the LDAP directory service (OpenLDAP) on Ubuntu:<\/h3>\n<pre><code>sudo aptitude install slapd ldap-utils<\/code><\/pre>\n<h3>This description is based on the <a href=\"http:\/\/www.howtoforge.com\/install-and-configure-openldap-on-ubuntu-karmic-koala\" target=\"_blank\">HowtoForge<\/a> document for Karmic Koala. I was used to configuring OpenLDAP in the <code>slapd.conf<\/code> file, but that is the old method. Here we can modify the LDAP configuration without restarting the LDAP server.<\/h3>\n<pre><code>cd \/etc\/ldap<\/code><\/pre>\n<h3>First I suggest adding some schemas, which contain object classes and attributes that will be useful later:<\/h3>\n<pre><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f \/etc\/ldap\/schema\/cosine.ldif\r\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f \/etc\/ldap\/schema\/inetorgperson.ldif\r\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f \/etc\/ldap\/schema\/nis.ldif<\/code><\/pre>\n<p>If adding the above fails because of insufficient permissions, switch to root with <code>sudo su -<\/code> or <code>sudo -i<\/code>.<\/p>\n<h3>Now you need to load the database module and create the database; BerkeleyDB (bdb or hdb) is a good choice. 
Create a <code>db.ldif<\/code> file containing:<\/h3>\n<pre><code>\r\n# Load dynamic backend modules\r\ndn: cn=module{0},cn=config\r\nobjectClass: olcModuleList\r\ncn: module\r\nolcModulepath: \/usr\/lib\/ldap\r\nolcModuleload: {0}back_hdb\r\n\r\n# Create the database\r\ndn: olcDatabase={1}hdb,cn=config\r\nobjectClass: olcDatabaseConfig\r\nobjectClass: olcHdbConfig\r\nolcDatabase: {1}hdb\r\nolcDbDirectory: \/var\/lib\/ldap\r\nolcSuffix: dc=example,dc=com\r\nolcRootDN: cn=admin,dc=example,dc=com\r\nolcRootPW: example\r\nolcDbConfig: {0}set_cachesize 0 2097152 0\r\nolcDbConfig: {1}set_lk_max_objects 1500\r\nolcDbConfig: {2}set_lk_max_locks 1500\r\nolcDbConfig: {3}set_lk_max_lockers 1500\r\nolcLastMod: TRUE\r\nolcDbCheckpoint: 512 30\r\nolcDbIndex: uid pres,eq\r\nolcDbIndex: cn,sn,mail pres,eq,approx,sub\r\nolcDbIndex: objectClass eq\r\n<\/code><\/pre>\n<p>You need to replace <code>example.com<\/code> with your own domain name, of course, and provide your own password in the <code>olcRootPW<\/code> attribute; a hash generated with <code>slappasswd<\/code> is accepted there, so the password does not have to be stored in cleartext.<\/p>\n<h3>Save this file as <code>db.ldif<\/code> and initialize the module and database in LDAP:<\/h3>\n<pre><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f db.ldif<\/code><\/pre>\n<h3>Now we will create the base DN and the administrator account. To generate a hashed password you can use the <code>slappasswd<\/code> command. Content of our <code>base.ldif<\/code>:<\/h3>\n<pre><code>\r\ndn: dc=example,dc=com\r\nobjectClass: dcObject\r\nobjectclass: organization\r\no: example.com\r\ndc: example\r\ndescription: My LDAP Root\r\n\r\ndn: cn=admin,dc=example,dc=com\r\nobjectClass: simpleSecurityObject\r\nobjectClass: organizationalRole\r\ncn: admin\r\nuserPassword: {MD5}Gnmk1g3mcY6OWzJuM4rlMw==\r\ndescription: LDAP administrator\r\n<\/code><\/pre>\n<p>And again, you need to replace all occurrences of <code>example.com<\/code>, <code>example<\/code> and <code>com<\/code> with your domain name. 
If your domain has more than two parts, add another <code>domain component<\/code> (dc=&#8230;).<\/p>\n<h3>Save the <code>base.ldif<\/code> file and add it to LDAP:<\/h3>\n<pre><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f base.ldif<\/code><\/pre>\n<h3>We could skip the ACL modification for now, but we need to secure passwords:<\/h3>\n<pre><code>vi acl.ldif<\/code><\/pre>\n<p>Content of the <code>acl.ldif<\/code> file:<\/p>\n<pre><code>\r\ndn: olcDatabase={1}hdb,cn=config\r\nchangetype: modify\r\nadd: olcAccess\r\nolcAccess: to attrs=userPassword,shadowLastChange by dn=\"cn=admin,dc=example,dc=com\" write by anonymous auth by self write by * none\r\nolcAccess: to dn.base=\"\" by * read\r\nolcAccess: to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\r\n<\/code><\/pre>\n<p>The first rule lets the admin and the entry itself write <code>userPassword<\/code>, lets anonymous clients use it only for authentication, and hides it from everyone else; OpenLDAP evaluates these rules in order and stops at the first match, so keep this rule before the catch-all <code>to *<\/code> rule.<\/p>\n<p>Note: in the HowtoForge tutorial the line <code>changetype: modify<\/code> is omitted; without it, the command:<\/p>\n<pre><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f acl.ldif<\/code><\/pre>\n<p>will probably give you this message:<\/p>\n<pre><code>ldap_add: Undefined attribute type (17)\r\n        additional info: add: attribute type undefined<\/code><\/pre>\n<p>so I have included this line in my description.<\/p>\n<h3>We have the basic LDAP configuration set; now we need a tool for managing LDAP and its entries.<\/h3>\n<p>Personally I use two utilities: <a href=\"http:\/\/www.eclipse.org\/\" target=\"_blank\">Eclipse<\/a> or <a href=\"http:\/\/directory.apache.org\/studio\/\" target=\"_blank\">Apache Directory Studio<\/a> on the client side, and <a href=\"http:\/\/phpldapadmin.sourceforge.net\/\" target=\"_blank\">phpLDAPadmin<\/a> on the server side.<\/p>\n<p>I think phpLDAPadmin (PLA for short) is good enough to start with. Eclipse with the LDAP module is worth installing when you need to operate on the directory directly from a client. PLA is a server-side tool, so you only need HTTP(S) access (use HTTPS, since the admin bind password is sent through the web interface).<\/p>\n<p>There is a package for Ubuntu, so installing PLA is easy. 
If you have an HTTP server running, you only need to run:<\/p>\n<pre><code>sudo aptitude install phpldapadmin<\/code><\/pre>\n<p>After installation you should reach the PLA interface at: http:\/\/example.com\/phpldapadmin (change example.com to your domain name, of course).<\/p>\n<p>The PLA configuration file is <code>\/etc\/phpldapadmin\/config.php<\/code>, and the default configuration points to <code>localhost<\/code> as the LDAP server. This is the proper setting for most setups, but you need to change other settings:<\/p>\n<pre><code>$servers->setValue('server','base',array('dc=example,dc=com'));\r\n$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');<\/code><\/pre>\n<p>The first line sets the base DN, because PLA cannot always detect it properly. The second line sets the default login name to avoid entering it each time. From my experience I also recommend switching off custom templates. You will see the difference after switching:<\/p>\n<pre><code>\/* Just show your custom templates. *\/\r\n$config->custom->appearance['custom_templates_only'] = true;<\/code><\/pre>\n<h3>It is time to log in to phpLDAPadmin and look over the directory. For those who have no experience with directory services, I suggest looking at the schema and the inetOrgPerson object class. This class is often used for building address books.<\/h3>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[],"tags":[22,45],"jetpack_publicize_connections":[],"acf":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7M9Tz-3I","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/230"}],"collection":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/comments?post=230"}],"version-history":[{"count":0,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/230\/revisions"}],"wp:attachment":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/media?parent=230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/categories?post=230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/tags?post=230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}