OpenLDAP
Latest revision as of 17:24, 22 March 2009
Download Source: ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.19.tgz
Introduction to OpenLDAP
The OpenLDAP package provides an open source implementation of the Lightweight Directory Access Protocol.
Project Homepage: http://www.openldap.org/

Note: This page contains instructions to compile an OpenLDAP server. Most of the time only the client libraries are required; that information is on the OpenLDAP-Client page.
Dependencies
Required
- Berkeley DB or GDBM
Recommended
- CyrusSASL
- OpenSSL
Optional
- TCP Wrappers
- unixODBC
- GNU Pth
- OpenSLP
Configuration Information
If you really want to build OpenLDAP with GNU Database Manager instead of Berkeley DB, add the following flags to the configure script:

--disable-bdb --disable-hdb --with-ldbm-api=gdbm

These flags select the old ldbm backend. OpenLDAP 2.4 removed back-ldbm (use bdb or hdb instead), so they only apply to 2.3 and earlier sources; with the 2.4.19 tarball above you need Berkeley DB.
Non-Multilib
Compile the package. The sed blanks the STRIP variable in build/top.mk so that make install does not strip the binaries; strip them yourself afterwards if you do not want the debug symbols:

sed -i 's@\(^STRIP = \).*@\1 @' build/top.mk &&
CPPFLAGS="-D_GNU_SOURCE" ./configure --prefix=/usr --sysconfdir=/etc \
    --libexecdir=/usr/lib/openldap --localstatedir=/srv/ldap --disable-debug \
    --enable-dynamic --enable-crypt --enable-modules --enable-wrappers \
    --enable-bdb=mod --enable-hdb=mod --enable-ldap=mod \
    --enable-monitor=mod --enable-perl=mod --enable-relay=mod \
    --enable-dyngroup=mod --enable-dynlist=mod --enable-memberof=mod \
    --enable-ppolicy=mod --enable-valsort=mod &&
make depend &&
make
Install the package
make install &&
ln -sv ../lib/openldap/slapd /usr/sbin/slapd &&
install -dv -m755 /usr/share/doc/openldap-2.4.19/{drafts,guide,rfc} &&
install -v -m644 doc/drafts/* /usr/share/doc/openldap-2.4.19/drafts &&
install -v -m644 doc/rfc/* /usr/share/doc/openldap-2.4.19/rfc &&
cp -Rv doc/guide/* /usr/share/doc/openldap-2.4.19/guide
Multilib
32Bit
Compile the package:
sed -i 's@\(^STRIP = \).*@\1 @' build/top.mk &&
CC="gcc ${BUILD32}" CPPFLAGS="-D_GNU_SOURCE" ./configure --prefix=/usr --sysconfdir=/etc \
    --libexecdir=/usr/lib/openldap --localstatedir=/srv/ldap --disable-debug \
    --enable-dynamic --enable-crypt --enable-modules --enable-wrappers \
    --enable-bdb=mod --enable-hdb=mod --enable-ldap=mod \
    --enable-monitor=mod --enable-perl=mod --enable-relay=mod \
    --enable-dyngroup=mod --enable-dynlist=mod --enable-memberof=mod \
    --enable-ppolicy=mod --enable-valsort=mod &&
make depend &&
make
Install the package
make install
N32
Compile the package:
sed -i 's@\(^STRIP = \).*@\1 @' build/top.mk &&
CC="gcc ${BUILDN32}" CPPFLAGS="-D_GNU_SOURCE" ./configure --prefix=/usr --sysconfdir=/etc \
    --libexecdir=/usr/lib/openldap --localstatedir=/srv/ldap --disable-debug \
    --enable-dynamic --enable-crypt --enable-modules --enable-wrappers \
    --enable-bdb=mod --enable-hdb=mod --enable-ldap=mod \
    --enable-monitor=mod --enable-perl=mod --enable-relay=mod \
    --enable-dyngroup=mod --enable-dynlist=mod --enable-memberof=mod \
    --enable-ppolicy=mod --enable-valsort=mod &&
make depend &&
make
Install the package
make install
64Bit
Compile the package:
sed -i 's@\(^STRIP = \).*@\1 @' build/top.mk &&
CC="gcc ${BUILD64}" CPPFLAGS="-D_GNU_SOURCE" ./configure --prefix=/usr \
    --sysconfdir=/etc --libdir=/usr/lib64 --libexecdir=/usr/lib/openldap \
    --localstatedir=/srv/ldap --disable-debug \
    --enable-dynamic --enable-crypt --enable-modules --enable-wrappers \
    --enable-bdb=mod --enable-hdb=mod --enable-ldap=mod \
    --enable-monitor=mod --enable-perl=mod --enable-relay=mod \
    --enable-dyngroup=mod --enable-dynlist=mod --enable-memberof=mod \
    --enable-ppolicy=mod --enable-valsort=mod &&
make depend &&
make
Install the package
make install &&
ln -sv ../lib/openldap/slapd /usr/sbin/slapd &&
install -dv -m755 /usr/share/doc/openldap-2.4.19/{drafts,guide,rfc} &&
install -v -m644 doc/drafts/* /usr/share/doc/openldap-2.4.19/drafts &&
install -v -m644 doc/rfc/* /usr/share/doc/openldap-2.4.19/rfc &&
cp -Rv doc/guide/* /usr/share/doc/openldap-2.4.19/guide
Configuring
The information in the sections below is based on the following pages:

http://www.bayour.com/LDAPv3-HOWTO.html
http://aput.net/~jheiss/krbldap/
Additional Steps with Kerberos
If you plan on using LDAP with Kerberos, you will need to create the LDAP service principal in the Kerberos database. You will also want to create a keytab for LDAP and LDAP alone:

kadmin.local -q "addprinc -randkey ldap/<fqdn of ldap server>@<REALMNAME.COM>" &&
kadmin.local -q "ktadd -k /etc/openldap/slapd.keytab ldap/<fqdn of ldap server>@<REALMNAME.COM>" &&
chmod 600 /etc/openldap/slapd.keytab
You will also need to add the LDAP service principal to the system keytab. Every plain ktadd generates a new random key for the principal and raises its key version number (kvno), so a second plain ktadd here would leave /etc/openldap/slapd.keytab holding a key the KDC no longer uses. Export the existing key instead with -norandkey, which kadmin.local supports:

kadmin.local -q "ktadd -norandkey -k /etc/krb5.keytab ldap/<fqdn of ldap server>@<REALMNAME.COM>" &&
chmod 600 /etc/krb5.keytab
The slapd binary in /usr/sbin should be a symlink. Remove it and put in its place a wrapper script that points slapd at its own keytab. The file tested must be the keytab created above, /etc/openldap/slapd.keytab; testing for a different name means the branch that sets KRB5_KTNAME is never taken:

rm /usr/sbin/slapd &&
cat > /usr/sbin/slapd << "EOF"
#!/bin/sh
# Kerberos wrapper script for slapd: use the dedicated keytab when it exists
if [ -f /etc/openldap/slapd.keytab ]; then
    exec env KRB5_KTNAME=/etc/openldap/slapd.keytab /usr/lib/openldap/slapd "$@"
else
    exec /usr/lib/openldap/slapd "$@"
fi
EOF

chmod +x /usr/sbin/slapd
You will also want to create a Kerberos principal for the user who manages the LDAP directory:
kadmin.local -q "addprinc ldapadm@<REALMNAME.COM>"
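The interaction between the two ktadd steps above is easy to miss until binds start failing with a key version mismatch. The following is an added example, not from this page or from the Kerberos or OpenLDAP projects: a small POSIX sh helper that reads the text output of klist -k for two keytabs and checks that both hold the same kvno for the ldap/ service principal. The host ldap.example.org, the realm EXAMPLE.ORG and the three listings are constructed for the example; the first two listings show what a plain second ktadd does, the third what ktadd -norandkey does.

```shell
#!/bin/sh
# Added example: check that two keytabs hold the same key version (kvno)
# for the ldap/ service principal. MIT kadmin's "ktadd" generates a fresh
# random key and bumps the kvno each time it runs, so exporting the same
# principal into /etc/openldap/slapd.keytab and then into /etc/krb5.keytab
# with two plain "ktadd" commands leaves the first keytab holding a key the
# KDC no longer issues tickets for. "ktadd -norandkey" (kadmin.local only)
# exports the current key without changing it.
#
# The functions parse the text output of "klist -k [-t] [-e] KEYTAB".
# Hostname, realm and the listings below are constructed for this example.

LDAP_PRINC="ldap/ldap.example.org@EXAMPLE.ORG"

# kvno_of PRINCIPAL [LISTING]: highest kvno recorded for PRINCIPAL in a
# klist -k listing (a file, or stdin when LISTING is omitted). Prints nothing
# if the principal is absent. Entry lines start with a numeric kvno and the
# principal is whichever field equals PRINCIPAL, so the "-t" (timestamp
# columns) and "-e" (enctype suffix) variants of the output both work.
kvno_of() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i == p) { print $1; break } }
    ' "${2:--}" | sort -n | tail -n 1
}

# keytabs_agree PRINCIPAL LISTING_A LISTING_B: succeed only when both
# listings contain PRINCIPAL with the same highest kvno.
keytabs_agree() {
    a=$(kvno_of "$1" "$2")
    b=$(kvno_of "$1" "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Constructed "klist -k -t -e" output for the dedicated slapd keytab
# right after the first ktadd: kvno 2.
listing_slapd_keytab() {
    cat <<'EOF'
Keytab name: FILE:/etc/openldap/slapd.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/22/09 17:24:00 ldap/ldap.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 03/22/09 17:24:00 ldap/ldap.example.org@EXAMPLE.ORG (arcfour-hmac)
EOF
}

# Constructed system keytab after a second plain ktadd: the key was
# randomized again, the kvno is now 3, and slapd.keytab is stale.
listing_system_after_ktadd() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/22/09 17:20:00 host/ldap.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 03/22/09 17:25:00 ldap/ldap.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 03/22/09 17:25:00 ldap/ldap.example.org@EXAMPLE.ORG (arcfour-hmac)
EOF
}

# Constructed system keytab after "ktadd -norandkey" instead: kvno unchanged.
listing_system_after_norandkey() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/22/09 17:20:00 host/ldap.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 03/22/09 17:25:00 ldap/ldap.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 03/22/09 17:25:00 ldap/ldap.example.org@EXAMPLE.ORG (arcfour-hmac)
EOF
}

# check_pair LISTER_A LISTER_B: write two constructed listings to temporary
# files and compare them for LDAP_PRINC; exit status is that of keytabs_agree.
check_pair() {
    dir=$(mktemp -d) || return 2
    "$1" > "$dir/a"
    "$2" > "$dir/b"
    keytabs_agree "$LDAP_PRINC" "$dir/a" "$dir/b"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Report both scenarios. On a real server compare the live keytabs with, e.g.:
#   klist -k -t /etc/openldap/slapd.keytab > /tmp/a; klist -k -t /etc/krb5.keytab > /tmp/b
#   keytabs_agree "ldap/$(hostname -f)@REALM" /tmp/a /tmp/b || echo "kvno mismatch"
report() {
    if check_pair listing_slapd_keytab listing_system_after_ktadd; then
        echo "plain ktadd: keytabs agree"
    else
        echo "plain ktadd: kvno mismatch, slapd.keytab is stale (re-export with -norandkey)"
    fi
    if check_pair listing_slapd_keytab listing_system_after_norandkey; then
        echo "ktadd -norandkey: keytabs agree"
    else
        echo "ktadd -norandkey: kvno mismatch"
    fi
}

report
```

Running the file prints the two verdicts; the host/ entry in the system keytab is ignored because the comparison is per principal. If the live keytabs disagree, re-run the ktadd into the stale keytab with -norandkey rather than a plain ktadd, which would just move the problem to the other file.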
slapd.conf
If you download the following schema files into the LDAP schema directory, you can remove the comments on the corresponding include lines:

http://cross-lfs.org/~jciccone/ldap-schemas/krb5-kdc.schema
http://cross-lfs.org/~jciccone/ldap-schemas/sudo.schema
Creating a basic slapd configuration file:

cat > /etc/openldap/slapd.conf << "EOF"
# Begin /etc/openldap/slapd.conf

# Schema Definitions
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/misc.schema
#include /etc/openldap/schema/krb5-kdc.schema

# The location of the PID file
pidfile /srv/ldap/run/slapd.pid

# List of arguments that will be passed to the server
argsfile /srv/ldap/run/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib/openldap/openldap
moduleload back_bdb.la
#moduleload back_ldap.la
#moduleload back_ldbm.la
#moduleload back_passwd.la
#moduleload back_shell.la

# Hash new userPassword values with crypt(3). With the default
# password-crypt-salt-format ("%s") this is the traditional two-character
# salt DES crypt; either set a glibc-style salt format such as the commented
# line below, or use the salted {SSHA} scheme instead.
password-hash {crypt}
#password-crypt-salt-format "$6$%.16s"

# If you wish to use cyrus-sasl to bind to
# Kerberos uncomment and configure the
# following lines
#sasl-realm <REALMNAME.COM>
#sasl-host <FQDN OF SASL SERVER>
#sasl-secprops none

# Map the kerberos principals to actual ldap entities.
# (Keep the two pattern lines indented when you uncomment them: they
# continue the authz-regexp line.)
#authz-policy from
#authz-regexp
#    "^uid=([^,]+),cn=<realm>,cn=gssapi,cn=auth"
#    "uid=$1,ou=people,<BASEDN>"

# Define SSL and TLS properties (optional)
#TLSCertificateFile /etc/ssl/ldap.pem
#TLSCertificateKeyFile /etc/openldap/ldap-key.pem
#TLSCACertificateFile /etc/ssl/ldap.pem

#######################################################################
# Access Lists
#######################################################################
# Clauses are tried in order and the first "access to" whose target
# matches the request wins. Inside it the first matching "by" line
# decides, and a request that matches no "by" line is denied. Keep the
# "by" lines indented: slapd reads them as continuations of the
# "access to" line. Do not put comment lines between them, because the
# indented lines after a comment are joined to the comment and lost.

# To let the ldapadm Kerberos user manage passwords as well, add
#     by dn="uid=ldapadm,ou=people,<BASEDN>" write
# directly after the cn=Manager line.
access to attrs=userPassword
    by dn="cn=Manager,<BASEDN>" write
    by dn="uid=root,ou=people,<BASEDN>" write
    by self write
    by anonymous auth
    by * none

# Users may change their own GECOS, description and shell. Everyone else
# still needs read access here: this clause matches these attributes
# first, so the "access to *" clause below is never consulted for them.
access to attrs=gecos,description,loginShell
    by self write
    by * read

# To let the ldapadm Kerberos user manage the directory as well, add
#     by dn="uid=ldapadm,ou=people,<BASEDN>" write
# directly after the cn=Manager line.
access to *
    by dn="cn=Manager,<BASEDN>" write
    by dn="uid=root,ou=people,<BASEDN>" write
    by * read

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "<BASEDN>"

# By default the rootdn always has complete access to the entire
# directory regardless of ACLs. It is for this reason that, after the
# database is populated, you disable the rootdn by removing or
# commenting out the following 2 lines.
rootdn "cn=Manager,<BASEDN>"
rootpw <password hash>

directory "/srv/ldap/openldap-data"

# Indexes
index default pres,eq
index objectClass,uid,uidnumber,gidnumber,cn
index mail eq

# End /etc/openldap/slapd.conf
EOF
When creating the configuration file above, replace <BASEDN> with your Base DN, e.g. dc=cross-lfs,dc=org, and fill in the other <...> placeholders. The file holds the rootpw hash (and, with TLS enabled, the path to the private key), so keep it readable by root only (mode 600). Once TLS is working, the directive security simple_bind=128 makes slapd refuse simple binds that arrive without encryption.
You can generate a password hash for the rootdn with the following command. {SSHA} (the slappasswd default) is a salted SHA-1 hash; prefer it to the unsalted {SHA} scheme, whose hashes can be attacked with precomputed tables:

slappasswd -h {SSHA}
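The first-match rule behind the access lists above is easy to get wrong by hand. The following is an added example, not part of this page or of OpenLDAP: a small POSIX sh/awk lint that joins continuation lines the way slapd does and then reports two classic mistakes in "access to" clauses: a clause with no trailing "by *" line (everyone it does not name is silently denied) and a "by" line that sits after a "by *" line (it can never match). It assumes lowercase keywords and indented by lines, as written on this page; the two sample ACL blocks inside it are constructed from the configuration above, with dc=example,dc=org standing in for <BASEDN>, once as the page originally had them and once after the fixes.

```shell
#!/bin/sh
# Added example: a lint for the "access to" clauses of a slapd.conf.
# slapd tries the clauses in order and the first one whose <what> matches the
# request wins; inside it the first matching "by" line decides, and a request
# that matches no "by" line is denied (an implicit "by * none"). Hence:
#   - a clause without a trailing "by * ..." denies everyone it does not name
#     (the gecos/loginShell clause on this page had exactly that problem), and
#   - any "by" line after a "by * ..." line can never be reached.
# Keywords are assumed lowercase, as written on this page.

# lint_slapd_acls [FILE]: read a slapd.conf (stdin if FILE is omitted) and
# print one line per finding; prints nothing when the ACL clauses are clean.
lint_slapd_acls() {
    awk '
    # slapd joins a line that begins with whitespace onto the previous logical
    # line, even when that line is a comment. Reproduce that first, so that
    # indented "by" lines land on the same logical line as their "access to",
    # and indented lines under a comment disappear together with the comment.
    function flush() {
        if (logical != "") lines[++nlines] = logical
        logical = ""
    }
    BEGIN { nlines = 0; logical = "" }
    /^[ \t]/ { sub(/^[ \t]+/, " "); logical = logical $0; next }
    { flush(); logical = $0 }
    END {
        flush()
        clause = 0
        for (i = 1; i <= nlines; i++) {
            line = lines[i]
            if (line !~ /^access[ \t]+to[ \t]/) continue
            clause++
            # parts[1] is "access to <what>", parts[2..] are "<who> <level>"
            nby = split(line, parts, /[ \t]+by[ \t]+/)
            what = parts[1]
            sub(/^access[ \t]+to[ \t]+/, "", what)
            catchall = 0
            for (j = 2; j <= nby; j++) {
                split(parts[j], who, /[ \t]+/)
                if (catchall)
                    printf "clause %d (%s): \"by %s\" is unreachable after \"by *\"\n", clause, what, parts[j]
                if (who[1] == "*") catchall = 1
            }
            if (!catchall)
                printf "clause %d (%s): no \"by *\" line, requesters not listed are denied\n", clause, what
        }
    }' "${1:--}"
}

# Constructed sample: the ACL block from this page, with <BASEDN> set to
# dc=example,dc=org, before the fixes described in the text.
sample_acls_weak() {
    cat <<'EOF'
access to attrs=userPassword
    by dn="cn=Manager,dc=example,dc=org" write
    by self write
    by anonymous auth
    by * none

# users may edit these themselves
access to attrs=gecos,description,loginShell
    by self write

access to *
    by dn="cn=Manager,dc=example,dc=org" write
    by * read
    by * search
EOF
}

# The same block after the fixes: "by * read" added, unreachable line removed.
sample_acls_fixed() {
    cat <<'EOF'
access to attrs=userPassword
    by dn="cn=Manager,dc=example,dc=org" write
    by self write
    by anonymous auth
    by * none

access to attrs=gecos,description,loginShell
    by self write
    by * read

access to *
    by dn="cn=Manager,dc=example,dc=org" write
    by * read
EOF
}

lint_weak()  { sample_acls_weak  | lint_slapd_acls; }
lint_fixed() { sample_acls_fixed | lint_slapd_acls; }

# Running this file prints the findings for both samples. To lint a real
# file, source it and run: lint_slapd_acls /etc/openldap/slapd.conf
echo "weak sample:";  lint_weak
echo "fixed sample:"; lint_fixed
```

For the weak sample the lint reports clause 2 (attrs=gecos,description,loginShell) as having no "by *" line and clause 3 (*) as carrying an unreachable "by * search"; the fixed sample produces no findings. The lint only looks at the shape of the clauses, so run slaptest -f /etc/openldap/slapd.conf as well to catch syntax errors.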
Bootscript
Install the init script included in the bootscripts package:

make install-openldap1

Note: The bootscript openldap1 only starts slapd. openldap2 starts slapd and slurpd, but slurpd was removed in OpenLDAP 2.4 (replication is done with syncrepl instead), so with the 2.4.19 source above openldap1 is the one to use.
Populating the Directory
Before continuing with the following, start the ldap service:
/etc/rc.d/init.d/openldap start
Creating an initial LDIF. The dc: value must be the value of the first component of <BASEDN>, e.g. example for dc=example,dc=org:

cat > entries.ldif << "EOF"
# Organization for Example Corporation
dn: <BASEDN>
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corporation
description: The Example Corporation

# Organizational Role for Directory Manager
dn: cn=Manager,<BASEDN>
objectClass: organizationalRole
cn: Manager
description: Directory Manager
EOF
Adding the entries to the LDAP directory. With no URI configured yet (ldap.conf is written in the next section) ldapadd talks to ldap://localhost, and -x is a simple bind that sends the rootdn password in the clear, so run this on the server itself rather than across the network:

ldapadd -f entries.ldif -x -D "cn=Manager,<BASEDN>" -W
ldap.conf
Create a basic ldap.conf:
cat > /etc/openldap/ldap.conf << "EOF"
# Begin /etc/openldap/ldap.conf

BASE <BASEDN>
URI ldap://<fqdn of ldap server>

#SASL_MECH GSSAPI
#SASL_REALM <REALM>
#SASL_SECPROPS none

# End /etc/openldap/ldap.conf
EOF
Where to go from here?
The next step is configuring clients to authenticate against LDAP, and possibly Kerberos. The nss_ldap page contains information on creating some base OUs (Organizational Units) and on starting to create your users and groups.