Openldap configuration


Note

Before going into the details, I assume Openldap and intraPerson are installed on the same Linux box.

Note

This article does not deal with installing Openldap, only with its configuration, because Openldap is included with almost all Linux distributions these days.

Important

It is assumed in this article that the configuration is done on an Openldap server that has not already been configured for some other purpose.

Important

This article explains how to quickly set up Openldap. It is not intended to make it secure or optimized. Those issues will hopefully be discussed in other docs.

The first step in configuring Openldap is to edit its configuration file, usually named slapd.conf and mostly found in the /etc/openldap directory.

What follows is a step by step procedure to configure Openldap.

Schema files

Very loosely speaking, schema files contain information about tables, their fields and the field types, like in regular databases. These files do not contain the actual data to be inserted into those tables.

Openldap comes with standard schema files, and the details can be found in slapd.conf. The schema section in slapd.conf looks something like this:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

Most probably your Openldap configuration file contains more than these schema files. What is important to note here is that slapd.conf includes these files from the directory /etc/openldap/schema/, so that is where the schema files are located.

intraPerson needs additional schema files that are available from the source distribution and from the rpm package. They are misc.schema, samba.schema and intraperson.schema. The first two may already be present in your Openldap installation. If this is the case, back them up and use the ones that come with the intraPerson package.

There are two steps to adding the additional schema required by intraPerson.

Step 1

Copy the schema files required by intraPerson to the schema directory. From the slapd.conf file given above, the schema directory is /etc/openldap/schema/.

Step 2

Tell slapd.conf about these new schema files in the schema directory by including lines like this:

include         /etc/openldap/schema/intraperson.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/misc.schema

After updating slapd.conf, the schema section should look like this:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/intraperson.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/misc.schema

Openldap suffix

Do not get confused by these technical terms. Instead, start from your organization's web domain.

For example, it can be linux.com or openldap.com. If you do not have one, use example.com.

Note

It is not necessary to buy a domain name if you do not have one. Especially when your use of ldap is internal only, example.com can be used, as this domain name is not allocated to anyone.

Once the domain name is decided, you can configure the suffix directive as given here:

suffix		"dc=example,dc=com"

Note

Please remember the above configuration directive, as it will be used in the intraPerson configuration as well.

Openldap's root user

Just as Unix/Linux systems have a super user called root who has unlimited powers, Openldap has a user who is generally not restricted from doing almost anything on the Openldap server. This user is configured in slapd.conf itself.

The interesting part is that we are not restricted in choosing this name. It can be any name you like; for example, root, manager or some other name. For this article let us assume the name is manager.

rootdn		"cn=manager,dc=example,dc=com"

Note

Note that not only the root user name is included above, but also the domain components, as configured with suffix. Make sure both are the same.

Note

Please remember the above configuration directive, as it will be used in the intraPerson configuration as well.

Important

Always make sure there is no white space before any ldap configuration directive: slapd treats a line that begins with white space as a continuation of the previous line, so an indented directive silently disappears. This is the single most common mistake made when configuring ldap, and it leads to clueless misbehavior of Openldap that is very difficult to troubleshoot. For example, always place rootdn in the leftmost position in the configuration file.

Openldap's root user password

The Openldap root user's password is also kept in the configuration file slapd.conf. It must be stored as a password hash, not in clear text, for security reasons.

Before configuring this part, we need to get the hash value of the chosen password. To do this, go to the Linux root user's command prompt and execute a command like this.

[root@krishna root]# slappasswd
New password:
Re-enter new password:
{SSHA}fnUJYRP+/6C4wO8NWjfu9kKsfmaXssIw

Once slappasswd is executed, it asks for the password twice and prints the hash of the password entered. This password is important; choose something that cannot be guessed easily, as it is the key to all ldap entries and passwords that are to be stored in Openldap.

Now this password hash can be entered in the Openldap configuration file as below:

rootpw		{SSHA}fnUJYRP+/6C4wO8NWjfu9kKsfmaXssIw

Access control lists

Openldap supports access control lists to secure ldap entries. I am not going to explain these acls in detail here, but suffice it to say that the default acls in an Openldap installation are not sufficient. For intraPerson to work, comment out all default acls in the Openldap configuration file and replace them with the following acl.

access to *
        by self write
        by * read

Important

As warned before, this acl is not secure, but it works. It is only intended for a quick setup and to get a taste of intraPerson. Security issues will hopefully be discussed in other docs.

Combining all

With all the above configuration, slapd.conf might look like this:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/intraperson.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/misc.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

pidfile /var/run/slapd.pid

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!

access to *
        by self write
        by * read

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb

suffix          "dc=example,dc=com"

rootdn          "cn=manager,dc=example,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}fnUJYRP+/6C4wO8NWjfu9kKsfmaXssIw

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
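The mistakes this article warns about (an indented directive, a rootdn outside the suffix, a cleartext rootpw, a missing intraPerson schema include) and the wide-open acl can all be caught before slapd is started. The checker below is an added example, not part of intraPerson or Openldap: it parses a constructed, abridged slapd.conf with three planted mistakes, and the DIRECTIVES set, the messages and the check_slapd_conf function are its own.

```python
# Constructed sample, not from the intraPerson docs: an abridged version of the
# slapd.conf built in this article, with three mistakes planted (misc.schema not
# included, rootpw indented, rootpw in cleartext).
SAMPLE_CONF = """\
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/intraperson.schema
include         /etc/openldap/schema/samba.schema
access to *
        by self write
        by * read
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
  rootpw          secret
"""

REQUIRED_SCHEMAS = ("intraperson.schema", "samba.schema", "misc.schema")
DIRECTIVES = {"include", "database", "suffix", "rootdn", "rootpw", "access", "directory", "index"}


def check_slapd_conf(text):
    """Return a list of problems found in slapd.conf text (empty means clean)."""
    problems, conf, last = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split(None, 1)[0]
        if raw[0].isspace():
            if name in DIRECTIVES:  # slapd would glue this onto the previous line
                problems.append(f"'{name}' is indented, so slapd reads it as a continuation line")
            elif last is not None:  # slapd.conf(5): leading whitespace continues the previous line
                last[-1] += " " + line
                continue
        last = conf.setdefault(name, [])
        last.append(line[len(name):].strip())
    included = " ".join(conf.get("include", []))
    problems += [f"missing include for {s}" for s in REQUIRED_SCHEMAS if s not in included]
    suffix = conf.get("suffix", [""])[0].strip('"')
    rootdn = conf.get("rootdn", [""])[0].strip('"')
    if suffix and not rootdn.lower().endswith(suffix.lower()):
        problems.append(f"rootdn '{rootdn}' does not end with suffix '{suffix}'")
    problems += ["rootpw is cleartext; use the {SSHA} hash printed by slappasswd"
                 for pw in conf.get("rootpw", []) if not pw.startswith("{")]
    acls = conf.get("access", [])
    pw_rule = next((i for i, a in enumerate(acls) if "attrs=userPassword" in a), None)
    wide = next((i for i, a in enumerate(acls) if "by * read" in a), None)
    if wide is not None and (pw_rule is None or pw_rule > wide):
        problems.append("'by * read' is not preceded by an attrs=userPassword rule, "
                        "so anonymous clients can read password hashes")
    return problems
```

Run it on your real file with `check_slapd_conf(open("/etc/openldap/slapd.conf").read())`; the acl finding is expected with the quick-setup acl from this article and only goes away once a rule restricting userPassword is placed before it.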

Starting Openldap

This step differs for each Linux distribution. For example, with Fedora, Openldap can be started as:

[root@krishna ldap]# service ldap start

To make it start each time the Linux box is rebooted, execute this:

[root@krishna ldap]# chkconfig ldap on

Checking Openldap configuration

After starting Openldap it is time to check whether it is working, with the help of the ldap utilities that come with the Openldap package itself.

These ldap utilities have their own configuration file, located mostly at /etc/openldap/ldap.conf. A basic configuration looks something like this:

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=example,dc=com

Here the BASE value is the same as the suffix directive in the Openldap configuration file slapd.conf.

The Openldap utility ldapsearch reads this configuration file, tries to connect to the ldap server and displays whatever search results come back from the ldap server. It is invoked as:

[root@krishna root]$ ldapsearch -H ldap://127.0.0.1:389/ -x

The -H argument tells it where to find the ldap server. We are asking it to contact the ldap server at 127.0.0.1 on the default port 389. If successful, the output should look something like this (the "No such object" result is expected at this point: the server answered, but no entries have been added under the base yet):

# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1


Contact: ramana at intraperson dot com
