Installation and configuration of OpenLDAP

Installation and basic configuration of the LDAP directory service (OpenLDAP) on Ubuntu:

sudo aptitude install slapd ldap-utils

This description is based on the HowtoForge document for Karmic Koala. I used to configure OpenLDAP in the slapd.conf file, but that is the old method. With the cn=config approach used here we can modify the LDAP configuration without restarting the LDAP server.

cd /etc/ldap

First, I suggest adding some schemas which contain object classes and attributes that will be useful later:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

If adding the schemas fails because of insufficient permissions, switch to root with sudo su - or sudo -i.

Now you need to load the database module and create the database; BerkeleyDB (bdb or hdb) is a good choice. Create a db.ldif file with the following content:

# Load dynamic backend modules
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb

# Create the database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: example
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq

You need to replace example.com with your own domain name, of course, and you need to provide your own password in the olcRootPW attribute.

Save this file as db.ldif, then load the module and create the database in LDAP:

ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif

Now we will create the base DN and the administrator account. To generate a hashed password you can use the slappasswd command. Content of our base.ldif:

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: example.com
dc: example
description: My LDAP Root

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {MD5}Gnmk1g3mcY6OWzJuM4rlMw==
description: LDAP administrator

And again, all occurrences of example.com, example and com need to be replaced with your domain name. If your domain has more than two parts, you can add another domain component (dc=…).

Save the base.ldif file and add it to LDAP:

ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
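The userPassword value in base.ldif above is an unsalted {MD5} hash; it is in fact the MD5 of the placeholder password "example", the same string used for olcRootPW in db.ldif, so every account with that password would carry an identical stored value. The following added example (not code from the original post; it uses only the Python standard library) shows how slapd's {MD5} and {SSHA} userPassword values are built and checked on bind, and why slappasswd's default {SSHA} scheme is the better choice.

```python
import base64
import hashlib
import hmac
import os

# The userPassword value from base.ldif above.
TUTORIAL_HASH = "{MD5}Gnmk1g3mcY6OWzJuM4rlMw=="


def md5_userpassword(password):
    """Unsalted {MD5} scheme as used in base.ldif: base64(md5(password))."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ssha_userpassword(password, salt=None):
    """Salted {SSHA} scheme, slappasswd's default: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored, password):
    """Check a candidate password against a stored {MD5} or {SSHA} value.

    Mirrors what slapd does on a simple bind: recompute the hash (reusing the
    salt carried inside the stored value) and compare in constant time.
    """
    scheme, sep, b64 = stored.partition("}")
    if not sep:
        raise ValueError("userPassword value has no {scheme} prefix")
    raw = base64.b64decode(b64)
    pw = password.encode("utf-8")
    if scheme.upper() == "{MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme.upper() == "{SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported scheme " + scheme + "}")
```

Two {SSHA} values for the same password differ because of the salt, so a directory dump no longer reveals which accounts share a password; with {MD5} the equal values give that away.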

We could skip the ACL modification for now, but we need to secure the passwords:

vi acl.ldif

Content of the acl.ldif file:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

Note: in the HowtoForge tutorial the line changetype: modify is omitted; without it, running:

ldapadd -Y EXTERNAL -H ldapi:/// -f acl.ldif

will probably give you this message:

ldap_add: Undefined attribute type (17)
        additional info: add: attribute type undefined

so I have included this line in my description.
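The order of the three olcAccess rules matters: slapd uses the first rule whose "to" clause matches the requested entry and attribute, and within that rule the first matching "by" clause decides, so if "to *" came first the password rule would never be reached and userPassword would be world-readable. The following added example (not code from the original post) is a simplified model of that evaluation over the rules in acl.ldif; it treats dn= as an exact DN match and models only the forms used above, while real slapd also handles regex DNs, groups and sets, and lets the rootdn bypass ACLs entirely.

```python
# Model of slapd's olcAccess evaluation for the rules in acl.ldif (simplified).
ADMIN = "cn=admin,dc=example,dc=com"
ANON = None  # an unauthenticated (anonymous) requestor
# Constructed sample user DNs, not from the original post.
USER = "uid=alice,ou=people,dc=example,dc=com"
OTHER = "uid=bob,ou=people,dc=example,dc=com"

# The three rules from acl.ldif, in the order written: (<what>, [(<who>, <access>), ...]).
ACL = [
    ({"attrs": {"userpassword", "shadowlastchange"}},
     [("dn:" + ADMIN, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ({"dn.base": ""}, [("*", "read")]),                           # the root DSE
    ({"any": True}, [("dn:" + ADMIN, "write"), ("*", "read")]),   # "to *"
]
# The same rules with "to *" moved first: the password rule is now unreachable.
WRONG_ORDER = [ACL[2], ACL[0], ACL[1]]


def what_matches(what, entry_dn, attr):
    if "any" in what:
        return True
    if "attrs" in what:
        return attr is not None and attr.lower() in what["attrs"]
    return entry_dn.lower() == what["dn.base"].lower()


def who_matches(who, requestor, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requestor is ANON
    if requestor is ANON:
        return False  # self and dn= never match an anonymous requestor
    if who == "self":
        return requestor.lower() == entry_dn.lower()
    return who.startswith("dn:") and requestor.lower() == who[3:].lower()


def access(rules, requestor, entry_dn, attr=None):
    """First rule whose <what> matches wins; inside it the first matching <by>
    clause decides. No matching <by> clause (or no matching rule) means no access."""
    for what, by_clauses in rules:
        if what_matches(what, entry_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, requestor, entry_dn):
                    return level
            return "none"
    return "none"
```

With the rules as written, an anonymous bind may only authenticate against userPassword, a user may change their own password, the admin may write everything, and everyone else gets nothing on password attributes but read on the rest; with WRONG_ORDER every requestor reads userPassword.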

We now have a basic LDAP configuration in place; next we need a tool for managing the directory and its entries.

Personally I use two utilities: Eclipse or Apache Directory Studio on the client side, and phpLDAPadmin on the server side.

I think that phpLDAPadmin (PLA for short) is good enough to start with. Eclipse with the LDAP module is worth installing when you need to operate on the directory directly from a client. PLA is a server-side tool, so you only need HTTP(S) access.

There is a package for Ubuntu, so installing PLA is easy. If you have an HTTP server running, you only need to do:

sudo aptitude install phpldapadmin

After installation the PLA interface should be reachable at http://example.com/phpldapadmin (change example.com to your domain name, of course).

The PLA configuration file is /etc/phpldapadmin/config.php, and the default configuration points to localhost as the LDAP server. This is the proper setting for most setups, but you need to change some other settings:

$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');

The first line sets the base DN, because PLA cannot always detect it properly. In the second line we set the default login name to avoid entering it each time. From my experience I also recommend switching off the custom templates. You will see the difference after the change:

/* Just show your custom templates. */
$config->custom->appearance['custom_templates_only'] = true;

It is time to log in to phpLDAPadmin and look over the directory. For those who have no experience with a directory service, I suggest looking at the schema and the inetOrgPerson object class. This class is often used for building address books.
