Directory services administration with LDAP


OpenLDAP

Install

 # slapd is the server (it also ships slapcat and slappasswd); ldap-utils
 # provides the ldapadd/ldapmodify clients used in the rest of this page.
 sudo apt-get install slapd ldap-utils

Setup

Schemas

 # Load the standard schemas into cn=config. The ldapi:/// Unix socket with
 # SASL EXTERNAL authenticates by peer credentials (root, via sudo), so no
 # password is typed or sent. inetorgperson builds on cosine: keep this order.
 sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
 sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
 sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

More Schemas

If you have more schemas to convert to LDIF, create a file schema_convert.conf listing them in load order; a schema's 0-based position in this list becomes the {N} index used in the slapcat command below:

 # schema_convert.conf: slapd.conf-style include list that slapcat reads below.
 # Order matters: the 0-based position of each schema here is the {N} index
 # slapcat assigns to it (core={0}, collective={1}, ... dyngroup={5},
 # ... ppolicy={11}).
 include /etc/ldap/schema/core.schema
 include /etc/ldap/schema/collective.schema
 include /etc/ldap/schema/corba.schema
 include /etc/ldap/schema/cosine.schema
 include /etc/ldap/schema/duaconf.schema
 include /etc/ldap/schema/dyngroup.schema
 include /etc/ldap/schema/inetorgperson.schema
 include /etc/ldap/schema/java.schema
 include /etc/ldap/schema/misc.schema
 include /etc/ldap/schema/nis.schema
 include /etc/ldap/schema/openldap.schema
 include /etc/ldap/schema/ppolicy.schema

Then create a scratch directory for the converted configuration. Because /tmp is shared with every local user, give it restrictive permissions (or use mktemp -d and adjust the path in the slapcat command below):

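 # Scratch directory for the converted config. /tmp is shared with every
 # local user, so create it mode 0700 (or use "$(mktemp -d)" and substitute
 # that path in the slapcat command that follows).
 mkdir -m 0700 /tmp/ldif_output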

And finally convert them with slapcat, running it once per schema you need (the -s argument selects the schema, here dyngroup):

 # -n0 dumps the config database; -s selects a single schema entry. The {5}
 # must be the 0-based position of that schema in schema_convert.conf
 # (dyngroup is the sixth include above). Change the index and the output
 # file name for each schema you convert.
 slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={5}dyngroup,cn=schema,cn=config" > /tmp/cn=dyngroup.ldif

You will need to edit each resulting LDIF file (for example /tmp/cn\=dyngroup.ldif) so that the dn and cn lines no longer carry the {5} index and look like this:

 dn: cn=dyngroup,cn=schema,cn=config
 ...
 cn: dyngroup

and delete the trailing operational attributes, which the server generates itself and will not accept from a client:

 structuralObjectClass: olcSchemaConfig
 entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
 creatorsName: cn=config
 createTimestamp: 20080826021140Z
 entryCSN: 20080826021140.791425Z#000000#000#000000
 modifiersName: cn=config
 modifyTimestamp: 20080826021140Z

Then you need to add the schema to the server:

 # Load the cleaned-up schema over the local socket as root (SASL EXTERNAL).
 sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=dyngroup.ldif

Backend

Save this sample LDIF as backend.example.com.ldif. It contains the directory's root password (olcRootPW), so keep it readable only by you (chmod 600) and delete it once it has been loaded.

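 # Load dynamic backend modules.
 # NOTE: back_hdb (Berkeley DB) and the olcDbConfig tuning lines below are for
 # older OpenLDAP releases; 2.5+ ships only back_mdb (olcMdbConfig/olcDbMaxSize).
 dn: cn=module{0},cn=config
 objectClass: olcModuleList
 cn: module
 olcModulepath: /usr/lib/ldap
 olcModuleload: back_hdb
 
 # Database settings
 dn: olcDatabase=hdb,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcHdbConfig
 olcDatabase: {1}hdb
 olcSuffix: dc=example,dc=com
 olcDbDirectory: /var/lib/ldap
 # olcRootDN bypasses every olcAccess rule below: it is an unrestricted
 # superuser. Store only a hash here: paste the full output of slappasswd
 # (a string starting with {SSHA}) in place of the placeholder. Never leave
 # a cleartext value such as "secret" in this file or in cn=config.
 olcRootDN: cn=admin,dc=example,dc=com
 olcRootPW: {SSHA}REPLACE-WITH-THE-OUTPUT-OF-slappasswd
 olcDbConfig: set_cachesize 0 2097152 0
 olcDbConfig: set_lk_max_objects 1500
 olcDbConfig: set_lk_max_locks 1500
 olcDbConfig: set_lk_max_lockers 1500
 olcDbIndex: objectClass eq
 olcLastMod: TRUE
 olcDbCheckpoint: 512 30
 # Access control. Rules are evaluated top-down and the first "to" clause that
 # matches the target entry/attribute wins, so the attribute-specific rules
 # must stay above the catch-all; within a rule the "by" clauses are also
 # first-match.
 # userPassword is never readable: anonymous may only use it to bind (auth),
 # a user may change their own, admin may write any.
 olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
 olcAccess: to attrs=shadowLastChange by self write by * read
 # The root DSE (dn "") stays world-readable so clients can discover server features.
 olcAccess: to dn.base="" by * read
 # Everything else is readable by anyone, including unauthenticated (anonymous)
 # binds. Tighten to "by users read by * none" if the directory must not be
 # enumerable without a login (check first that no client relies on anonymous reads).
 olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read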
 # Load the backend definition as root over the local socket (SASL EXTERNAL).
 sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif

Frontend

Create another file frontend.example.com.ldif. Replace every sample password before loading it: run **slappasswd**, which prints a salted hash such as `{SSHA}...`, and paste that whole string as the userPassword value so that no cleartext password is stored in this file or in the directory.

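 # Create top-level object in domain
 dn: dc=example,dc=com
 objectClass: top
 objectClass: dcObject
 objectclass: organization
 o: Example Organization
 dc: Example
 description: LDAP Example
 
 # Admin user. Same DN as olcRootDN in the backend: a bind as this DN is
 # checked against olcRootPW while that is set, so the userPassword below only
 # comes into play if olcRootPW is removed. Either way store a slappasswd
 # hash, never cleartext: replace the placeholder with the full {SSHA}... string.
 dn: cn=admin,dc=example,dc=com
 objectClass: simpleSecurityObject
 objectClass: organizationalRole
 cn: admin
 description: LDAP administrator
 userPassword: {SSHA}REPLACE-WITH-THE-OUTPUT-OF-slappasswd
 
 dn: ou=people,dc=example,dc=com
 objectClass: organizationalUnit
 ou: people
 
 dn: ou=groups,dc=example,dc=com
 objectClass: organizationalUnit
 ou: groups
 
 # Sample user. The uidNumber/gidNumber pair is what NSS/PAM clients map to a
 # local account; gidNumber 10000 matches the "example" group below.
 dn: uid=john,ou=people,dc=example,dc=com
 objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: shadowAccount
 uid: john
 sn: Doe
 givenName: John
 cn: John Doe
 displayName: John Doe
 uidNumber: 1000
 gidNumber: 10000
 # Hash this one too (slappasswd). The userPassword ACL keeps it unreadable
 # over LDAP, but the stored value still ends up in backups and slapcat dumps.
 userPassword: {SSHA}REPLACE-WITH-THE-OUTPUT-OF-slappasswd
 gecos: John Doe
 loginShell: /bin/bash
 homeDirectory: /home/john
 # shadowExpire -1: the account never expires; shadowMax 999999: the password
 # never ages out. Lower these if your password policy requires rotation.
 shadowExpire: -1
 shadowFlag: 0
 shadowWarning: 7
 shadowMin: 8
 shadowMax: 999999
 shadowLastChange: 10877
 mail: john.doe@example.com
 postalCode: 31000
 l: Toulouse
 o: Example
 mobile: +33 (0)6 xx xx xx xx
 homePhone: +33 (0)5 xx xx xx xx
 title: System Administrator
 # postalAddress omitted: the sample had an empty value, which carries no
 # information and may be rejected by syntax checking.
 initials: JD
 
 dn: cn=example,ou=groups,dc=example,dc=com
 objectClass: posixGroup
 cn: example
 gidNumber: 10000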
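 # -x: simple bind as the admin DN; -W: prompt for the password so it is not
 # on the command line (visible in ps and shell history). -H ldapi:/// keeps
 # the bind on the local Unix socket: a simple bind over ldap:// TCP sends the
 # password in cleartext unless StartTLS (-ZZ) or ldaps:// is used.
 sudo ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif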

Changes

To make changes to cn=config, bind over the local ldapi:/// socket with SASL EXTERNAL (peer-credential authentication as root, no password involved) and paste the LDIF on standard input. The transcript below mixes the tool's output with what you type; the three lines starting at dn: are the input:

 sudo ldapmodify -Y EXTERNAL -H ldapi:///
 SASL/EXTERNAL authentication started
 SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 SASL SSF: 0
 dn: olcDatabase={1}hdb,cn=config
 add: olcDbIndex
 olcDbIndex: uidNumber eq
 
 modifying entry "olcDatabase={1}hdb,cn=config"

Replication

N-way multimaster

Additional Info

https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
