Installing & Configuring OpenLDAP

This procedure is targeted at the Ubuntu 12.04 LTS (Precise Pangolin) distribution. It also explains how to set up the on-line configuration (OLC) directory information tree (DIT) for dynamic configuration without needing to restart or reload the server software.

  • Install OpenLDAP and the LDAP tools packages. You will be asked to provide a base DN for the new installation, as well as an administrative password. [geshifilter-code type="bash"] apt-get install slapd ldap-utils [/geshifilter-code]
  • Edit /etc/default/slapd and change the SLAPD_SERVICES line to match the following: [geshifilter-code] SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///" [/geshifilter-code]
  • Restart the LDAP server. [geshifilter-code] service slapd restart [/geshifilter-code]
  • Create an LDIF file to activate the memberOf overlay. This overlay enables clients to determine which groups a given directory entry is a member of without having to perform an additional search, which is useful in situations such as granting access rights to resources based on group membership. The administrator only has to indicate which directory entries are members of a given group, which automatically updates each member's memberOf attribute to reflect the current membership status. [geshifilter-code] cat > /etc/ldap/backend.memberof.ldif <<EOT dn: cn=module,cn=config cn: module objectClass: olcModuleList objectClass: top olcModulePath: /usr/lib/ldap olcModuleLoad: memberof.la dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config objectClass: olcConfig objectClass: olcMemberOf objectClass: olcOverlayConfig objectClass: top olcOverlay: memberof EOT [/geshifilter-code]
  • Create an LDIF file to activate referential integrity for the memberOf attributes. This overlay is useful to ensure that when user accounts are modified or deleted from the directory, the corresponding member attribute in groups in which the user was a member is also handled accordingly. [geshifilter-code] cat > /etc/ldap/backend.refint.ldif <<EOT dn: cn=module,cn=config cn: module objectclass: olcModuleList objectclass: top olcmoduleload: refint.la olcmodulepath: /usr/lib/ldap dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRefintConfig objectClass: top olcOverlay: {1}refint olcRefintAttribute: memberof member manager owner EOT [/geshifilter-code]
  • Create an LDIF file that will be used to enable remote access to the backend configuration. This allows configuration changes to be made from clients such as Apache Directory Studio or phpLDAPadmin that are running on a host separate from the OpenLDAP server. [geshifilter-code] cat > /etc/ldap/backend.remote_access.ldif <<EOT dn: olcDatabase={-1}frontend,cn=config changetype: modify delete: olcAccess dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootDN olcRootDN: cn=admin,cn=config dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW # Password is set to "admin" - use slappasswd to generate a new one if desired olcRootPW: {SSHA}cmaKopt8ZxsY1YvGrhhp8DyEs2itmN3w dn: olcDatabase={0}config,cn=config changetype: modify delete: olcAccess EOT [/geshifilter-code]
  • Apply the backend configurations to OpenLDAP. [geshifilter-code] ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/backend.memberof.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/backend.refint.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/backend.remote_access.ldif [/geshifilter-code]
  • Validate the configuration with the following command (when prompted, use the password that was set above for the cn=admin,cn=config administrative user). [geshifilter-code] ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W [/geshifilter-code]
  • If you wish to set up a secured LDAPS or TLS connection, the following lines add the CA certificate, server key and server certificate files to the OpenLDAP configuration. [geshifilter-code] ldapmodify -x -D cn=admin,cn=config -W -H ldapi:/// << EOT dn: cn=config add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ldap/ssl/ldaps_cert.pem - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ldap/ssl/ldaps_key.pem EOT [/geshifilter-code]

    Interesting observation: when using a wildcard certificate that requires an accompanying intermediate bundle certificate, simply concatenating the contents of the intermediate bundle to the end of the wildcard certificate and then restarting slapd got the signing CA to be recognized by my LDAP clients.

  • Check that TLS works: [geshifilter-code] ldapsearch -x -LLL -h ldap.example.com -ZZ -b dc=example,dc=com [/geshifilter-code]

Information sources:

Tags: