MV

Monday, July 25, 2011

Configuring OpenLDAP on Ubuntu Server

This post shows an easy setup of OpenLDAP. I configured this to test a new ejabberd clustering setup on Ubuntu Servers, and decided to integrate OpenLDAP with the ejabberd cluster as well, which is likely a more useful setup.

Most of the documentation is taken from https://help.ubuntu.com/community/OpenLDAPServer.

Setup:
Simple dual-core server with 1024 MB RAM, running Ubuntu Server 9.04.
Make sure that you are connected to the Internet and that you are logged on as root.

Installing the necessary packages:
* Install the following packages:
** slapd: the LDAP server daemon
** ldap-utils: LDAP command-line utilities (ldapsearch, ldapadd, ...)
** db4.2-util: not sure if this one is necessary

When installing these packages you will be asked for a password for the LDAP
directory administrator, which is not the root password of the server on which
you're installing OpenLDAP.

Reconfigure the LDAP tree:

$ dpkg-reconfigure slapd
Omit OpenLDAP server configuration? ... No
DNS domain name: ... example.com
Name of your organization: ... Whatever & Co
Admin Password: ******
Confirm Password: ******
OK
BDB
Do you want your database to be removed when slapd is purged? ... No
Move old database? ... Yes
Allow LDAPv2 Protocol? ... No


Check if ldap works:

$ ldapsearch -x -b dc=example,dc=com


Generate an encrypted password with slappasswd:

$ slappasswd
New password:
Re-enter password:
{SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m


This example shows the output for the password "secret"; your result will differ, since the hash is salted.

Create the file /etc/ldap/slapd.conf and add the following content:


suffix "dc=example,dc=com"
directory "/var/lib/ldap"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m


As rootpw, use the hash generated with the slappasswd tool.

Edit the file /etc/ldap/ldap.conf and uncomment the following line:


BASE dc=example,dc=com


Restart the LDAP service:

/etc/init.d/slapd restart


Populating the LDAP Tree
------------------------
Now that your LDAP directory is ready, you can start populating it. This will
be a 'classical' entry intended to be very compatible with Unix accounts
(posix), directories (like addressbooks), and classical accounts (for web
applications). But really it's just a starting point.

An LDAP directory can be fed with an LDIF file (LDAP Data Interchange Format). Create this file init.ldif somewhere on your system:


dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=loboloco,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: loboloco
sn: Loco
givenName: Lobo
cn: Lobo Loco
displayName: Lobo Loco
uidNumber: 1000
gidNumber: 10000
userPassword:
gecos: Lobo Loco
loginShell: /bin/bash
homeDirectory: /home/lobo
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: lobo.loco@example.com
postalCode: 31000
l: Brussels
o: Example
mobile: +32 (0)3 xxx xx xx
homePhone: +32 (0)475 xxx xxx
title: System Administrator
postalAddress:
initials: LL

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
memberUid: loboloco
gidNumber: 10000

dn: cn=example2,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example2
gidNumber: 10001


In the example above, the directory structure, a user and two groups have been
defined. In other examples you might see objectClass: top added to every
entry, but that is the default behaviour, so you don't have to add it explicitly.
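Before running slapadd it is worth checking a file like init.ldif for the mistakes that slapd will not catch for you: a userPassword left empty or pasted in cleartext, a gidNumber that points at no posixGroup, a memberUid with no matching account. The following is an added example, not code from the page or from OpenLDAP; the parser and the check function are hypothetical helpers, and the LDIF is a constructed, trimmed copy of the entries above with those defects planted in it.

```python
import re

# Constructed sample: a trimmed copy of init.ldif with a cleartext userPassword and a dangling memberUid.
SAMPLE_LDIF = """\
dn: uid=loboloco,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: loboloco
cn: Lobo Loco
uidNumber: 1000
gidNumber: 10000
userPassword: secret
homeDirectory: /home/lobo

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
memberUid: loboloco
memberUid: nobody
gidNumber: 10000
"""
# Schemes slappasswd emits; any other userPassword value is stored as given, i.e. in cleartext.
HASHED = re.compile(r"^\{(SSHA|SHA|MD5|SMD5|CRYPT)\}\S+$", re.IGNORECASE)

def parse_ldif(text):
    """One {attr: [values]} dict per blank-line separated entry; attribute names lower-cased."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):  # unfold, then split
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")        # "attr: value"; an empty value stays ""
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_ldif(entries):
    """Problems to fix before running slapadd; an empty list means the file passes."""
    problems = []
    uids = {e["uid"][0] for e in entries if "uid" in e}
    gids = {e["gidnumber"][0] for e in entries if "posixGroup" in e.get("objectclass", [])}
    for e in entries:
        dn, classes = e.get("dn", ["?"])[0], e.get("objectclass", [])
        for pw in e.get("userpassword", []):
            if not HASHED.match(pw):
                problems.append("%s: userPassword is empty or not a slappasswd hash" % dn)
        if "posixAccount" in classes and e.get("gidnumber", [None])[0] not in gids:
            problems.append("%s: gidNumber has no matching posixGroup" % dn)
        for member in e.get("memberuid", []) if "posixGroup" in classes else []:
            if member not in uids:
                problems.append("%s: memberUid %s has no account" % (dn, member))
    return problems
```

Running check_ldif(parse_ldif(SAMPLE_LDIF)) reports the cleartext password and the unknown member "nobody"; replacing the password with a {SSHA} value from slappasswd and dropping that memberUid line makes the list empty.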

As with the LDAP root password, these userPassword values can be generated with
slappasswd, using the MD5 or CRYPT hashing scheme if you prefer (see man slappasswd).


Examples of slappasswd usage (taken from http://www.zytrax.com/books/ldap/ch14/):
Generate an SSHA password suitable for use as rootpw (in slapd.conf) or for use in an LDIF file for userPassword or authPassword attributes.


# no options required
slappasswd

# prompts twice for the password string and then outputs
{SSHA}kjhfhfehflejhfvlldkl

# save to a file using normal redirection
slappasswd > /tmp/slappassword

# generate the {SSHA} encoding of the password "secret"
slappasswd -s secret

# generate the {MD5} encoding of the password "secret"
slappasswd -s secret -h {MD5}


To place the output in LDIF or slapd.conf, save it to a file and copy and paste it into the relevant file if GUI editing tools are being used. If vi is being used, navigate to the location in the file where the password is to be inserted, then use :r !slappasswd [opts] - this runs the command and inserts its stdout into the file being edited at the cursor position. Alternatively, save the output of slappasswd to a file, navigate to the insert location in vi and execute :r /path/to/file - this inserts the file contents at the cursor position.

When you're done, write and close the file.

Now, add your entries to the LDAP directory:

* stop the LDAP daemon: /etc/init.d/slapd stop
* delete the content that was automatically added at installation: rm -rf /var/lib/ldap/*
* add the new content: slapadd -l init.ldif
* correct the permissions on the database: chown -R openldap:openldap /var/lib/ldap
* start the LDAP daemon: /etc/init.d/slapd start

Your LDAP Server is up and running.
