Installing And Configuring OpenLDAP On Ubuntu Intrepid Ibex

 
Submitted by Miguel on Fri, 2009-01-09 14:37.


1 Preliminary note

With Ubuntu 8.10 Intrepid Ibex, the way OpenLDAP is used and configured has changed. In Intrepid, OpenLDAP is no longer configured via the slapd.conf file, but via the slapd.d directory, which holds the OpenLDAP configuration as LDIF files.

Note that if you need to add application-specific schemas or other settings, follow the install guide provided by that application. This howto only shows how to configure OpenLDAP using the old-style slapd.conf method.

 

2 Installing OpenLDAP

Installing OpenLDAP is easy:

apt-get install slapd ldap-utils

When prompted, enter the password you want to use for the OpenLDAP admin account.

If you don't want to configure anything else, you're up and running. However, most applications and scripts require specific schemas to be loaded or other configuration to be done.

 

3 Configuring OpenLDAP

So how do we do this now? Well, nothing could be easier.

You can use the default slapd.conf below as a starting point since a slapd.conf is no longer provided by the package.

Example slapd.conf file:

# This is the main slapd configuration file. See slapd.conf for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
# allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        none

# Where the dynamically loaded modules are stored
modulepath    /usr/lib/ldap
moduleload    back_hdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the number of CPUs that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend        hdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend        <other>
database config
#######################################################################
# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        hdb

# The base of your directory in database #1
suffix          "dc=yourdomain,dc=tld"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,cn=config"

# Where the database files are physically stored for database #1
directory       "/var/lib/ldap"

# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts.  They do NOT override an existing DB_CONFIG
# file.  You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint      512 30

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
# acl specific for phamm

access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=yourdomain,dc=tld" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,dc=yourdomain,dc=tld" write
        by * read

access to dn.base="" by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=yourdomain,dc=tld" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be hdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix        "dc=debian,dc=org"

Change dc=yourdomain,dc=tld to the domain name you entered when OpenLDAP was installed.

Modify the slapd.conf file according to your needs.

Next we will update the configuration of OpenLDAP.

/etc/init.d/slapd stop

Back up the current slapd.d directory.

Change to the ldap directory: 

cd /etc/ldap

Move the old slapd.d to a backup location:

mv slapd.d slapd.d.bck

Now we will create the slapd.d directory and load the config from the slapd.conf file.

mkdir slapd.d

slaptest -f slapd.conf -F slapd.d

You should see the message "config file testing succeeded" as the result.

Next we set the ownership of the slapd.d directory to openldap.

chown -R openldap:openldap slapd.d

And now we can restart OpenLDAP.

/etc/init.d/slapd start

If you don't see any errors, OpenLDAP is up and running with the new configuration.

You can repeat these steps each time that you change the slapd.conf file in order to load the new OpenLDAP configuration.

It is in any case a good idea to keep a slapd.conf file, since some scripts and applications still read it to check the OpenLDAP configuration, even though OpenLDAP is now configured from the slapd.d directory.
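The following shell script is an added example, not part of the original howto, that wraps the steps of this section in the checks a careful administrator would want before regenerating slapd.d. It verifies that every "by dn=" clause in the ACLs names an entry under the database suffix (a DN copied from another domain matches nobody, so the admin you meant to grant access to silently gets nothing from that clause), checks that the userPassword ACL contains "by * none" so password hashes are not readable through the catch-all rule, and only then stops slapd, backs up slapd.d, runs slaptest, fixes ownership and starts slapd again, restoring the backup if slaptest rejects the file. The paths, the openldap user/group and the init script are the ones used in this howto; the function names and the check/regen arguments are my own.

```shell
#!/bin/sh
# Added example (not part of the original howto): sanity-check a slapd.conf
# and then regenerate slapd.d from it the way the howto describes.
# Assumes the Ubuntu layout used in the howto: /etc/ldap/slapd.conf,
# /etc/ldap/slapd.d, the openldap user/group and the /etc/init.d/slapd script.

# Print the value of the first "suffix" directive, quotes stripped.
conf_suffix() {
    sed -n 's/^[[:space:]]*suffix[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Every ACL clause of the form  by dn="..."  should name an entry under the
# database suffix. A DN left over from another domain matches nobody, so the
# admin you meant to grant access to silently gets nothing from that clause.
# Prints the offending DNs; returns 0 if all clauses are consistent, 1 if not,
# 2 if the file has no suffix directive at all.
check_acl_suffix() {
    conf=$1
    suffix=$(conf_suffix "$conf")
    [ -n "$suffix" ] || { echo "no suffix directive in $conf" >&2; return 2; }
    offenders=$(sed -n -e '/^[[:space:]]*#/d' \
                       -e 's/.*by[[:space:]][[:space:]]*dn="\([^"]*\)".*/\1/p' "$conf" |
        while IFS= read -r dn; do
            case "$dn" in
                *"$suffix") ;;                     # under the suffix: fine
                *) printf 'ACL dn not under suffix %s: %s\n' "$suffix" "$dn" ;;
            esac
        done)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# The ACL for userPassword must contain "by * none", otherwise password
# hashes are readable by whoever the catch-all "access to *" rule allows.
# Returns 0 when the first userPassword ACL block contains "by * none".
check_password_acl() {
    awk '
        /^[ \t]*access[ \t]+to[ \t]+attrs=/ { inblk = ($0 ~ /userPassword/); next }
        /^[ \t]*access[ \t]+to/            { inblk = 0 }
        inblk && /by[ \t]+\*[ \t]+none/     { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# The steps from this section, guarded: refuse to touch slapd.d when the
# checks above fail, and put the backup back if slaptest rejects the file.
regen_slapd_d() {
    conf=${1:-/etc/ldap/slapd.conf}
    ldapdir=$(dirname "$conf")
    stamp=$(date +%Y%m%d%H%M%S)
    check_acl_suffix "$conf" || return 1
    check_password_acl "$conf" || { echo "userPassword ACL lacks 'by * none'" >&2; return 1; }
    /etc/init.d/slapd stop || return 1
    if [ -d "$ldapdir/slapd.d" ]; then
        mv "$ldapdir/slapd.d" "$ldapdir/slapd.d.bck.$stamp"
    fi
    mkdir "$ldapdir/slapd.d"
    # slaptest exits non-zero and prints the reason when the file is bad.
    if ! slaptest -f "$conf" -F "$ldapdir/slapd.d"; then
        echo "slaptest failed; restoring slapd.d.bck.$stamp" >&2
        rm -rf "$ldapdir/slapd.d"
        [ -d "$ldapdir/slapd.d.bck.$stamp" ] && mv "$ldapdir/slapd.d.bck.$stamp" "$ldapdir/slapd.d"
        /etc/init.d/slapd start
        return 1
    fi
    chown -R openldap:openldap "$ldapdir/slapd.d"
    /etc/init.d/slapd start
}

# Usage: sh regen-slapd.sh check /etc/ldap/slapd.conf   (checks only)
#        sh regen-slapd.sh regen /etc/ldap/slapd.conf   (checks, then regenerate)
case "${1:-}" in
    check) check_acl_suffix "$2" && check_password_acl "$2" && echo "checks passed" ;;
    regen) regen_slapd_d "$2" ;;
esac
```

Run the "check" mode first against your edited slapd.conf; it reports any ACL DN that does not end in your suffix (the sort of leftover that an earlier version of the sample file in this howto carried) before anything is stopped or moved.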

 

4 If you're upgrading from Ubuntu 8.04

If you have OpenLDAP running prior to an upgrade to Ubuntu 8.10, make the following changes to your slapd.conf before attempting the upgrade:

Set the root dn to:

rootdn          "cn=admin,cn=config"

And add: database config

before:

#######################################################################
# Specific Directives for database #1, of type hdb:

So it looks like:

database config
#######################################################################
# Specific Directives for database #1, of type hdb: 

I had the fortune of upgrading to 8.10 before I knew this.


Submitted by lolotux (not registered) on Fri, 2009-01-23 02:29.
Hi

I had added freeradius.schema to my LDAP, it works fine!
But I would like "radiusCallingStationId" not to be unique.
So I modified this schema:
attributetype
   ( 1.3.6.1.4.1.3317.4.3.1.7
      NAME 'radiusCallingStationId'
      DESC ''
      EQUALITY caseIgnoreIA5Match
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
      SINGLE-VALUE
   )

to this :
attributetype
   ( 1.3.6.1.4.1.3317.4.3.1.7
      NAME 'radiusCallingStationId'
      DESC ''
      EQUALITY caseIgnoreIA5Match
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   )

I used your tutorial a second time, and the attribute stays unique!

Do you have an explanation?

Bye

If my English is not perfect, it's because I'm not; I'm French! :)
Submitted by Miguel (registered user) on Fri, 2009-01-23 12:15.

I have no idea why.

I really don't have a clue. I don't use radius or the schema, so I can't tell you even if your modification of the schema is correct.

By default the schema should be replaced.

Best practice however is to start a forum topic on this. It might also be due to the radius software you're using.

Submitted by vivikitty (not registered) on Fri, 2009-05-29 19:28.

The best way to get help is to ask your question on the forum.

The best way to get an answer is to ask your question on the forum ;)

Vivi from live girls

Submitted by Dervsh (not registered) on Fri, 2009-01-09 23:01.

I have to say - this howto is worth nothing.

A lot more precise information is contained in the Ubuntu documentation (a month ago it was a draft, but the steps were described well).

Unfortunately, the Debian and Ubuntu versions of the OpenLDAP package are compiled against GnuTLS, whose code is considered insecure. Google for "GnuTLS considered harmful" to get more details.

The other thing about GnuTLS-based OpenLDAP is that it is unable to handle high-security protocols only. Using the OpenLDAP debug functionality, we get a few errors which IRC support proposes to solve by recompilation against OpenSSL.

 

Valuable howto about Ubuntu's OpenLDAP package would be:

1) how to compile OpenLDAP against OpenSSL instead of GnuTLS

2) how to configure it

3) how to configure TLS

4) how to configure address book for Thunderbird

 

Submitted by Chris (not registered) on Sat, 2009-01-10 05:27.
How community of you.  The dude contributes something to the community and you flame him for it.  Your post would have been fine had it been constructive.  Instead you kicked it off with an insult then provided the information.  The open source community is about ideas and building off of them.  This guy started the conversation, you could have continued and helped to provide something that someone could use.  Next time think twice before you waltz on to a thread and start patting your own back.
Submitted by GoremanX (not registered) on Fri, 2009-01-16 07:35.
The original poster may have been a little rude, but he's right. This howto was quite useless. It provides an antiquated method of configuring OpenLDAP (slapd.conf), explains nothing, and accomplishes nothing. I've been looking for information on setting up and configuring OpenLDAP for a long time, this howto didn't help me at all.
Submitted by Anonymous (not registered) on Tue, 2009-01-13 13:19.

+1

 

Submitted by about this work (not registered) on Mon, 2009-01-12 23:47.

Thanks for your comment. You might be right, I should keep my opinion to myself, although an author should check the Ubuntu documentation. In my opinion the original howto is much more precise.

Dear Chris, I'd like to ask you to read some kernel talks. Many guys there wanted to do something. But it wasn't good enough. It just happens. A lot of code requires a complete rewrite. My comment wasn't only a flame, but a description of what he did wrong. It should help him do it much better next time. It will... or should make his OpenLDAP environment more secure in the future. Maybe he will read about GnuTLS flaws, maybe he will try to use strong security algorithms and will see that it will not work with anything. But - he will know why.

I'd never like to hear from the community that my code is ok, when it isn't. There is always someone who knows something better. That makes us learn. Take care!

Submitted by Anonymous (not registered) on Wed, 2009-01-14 14:03.
I agree with the guy above me; if all the guys/girls in the open source community write "little" informative howtos like this, then I'm afraid open source howto websites like howtoforge will be bloated with "not so good" howtos and it will draw people away rather than interest others to come to the site and check the howtos!!!
Submitted by Anonymous (not registered) on Sun, 2009-01-18 17:18.

It's nice to see that remarks about this work are made.

However here some remarks to take in mind:

- The negative remarks are made by people who do not contribute themselves ==> It is easy to make remarks, but then contribute something constructive yourselves instead of flaming people

- If you know better, then write a 'How To' and contribute.

- Last but not least: consider that 'How To's' are written by people in their spare time and that this does not always imply that they are 'professionals in the field' but very often home users that post solutions to problems that they have conquered and solved, and are willing to share with others. Not even taking into account the many hours and more it might have cost to do so. The least courtesy one could offer and certainly show is to stay polite and if needed provide constructive criticism and / or a helping hand.

Shame on you. Get something for free, but still have the heart to scorn those who try to make an effort and a difference.

After all, why do you visit  howtoforge.org ?

Submitted by Anonymous (not registered) on Tue, 2009-01-20 02:23.
Fact is, had I known this a few days earlier, I would not be considering restarting from scratch :)
Submitted by cool g (not registered) on Mon, 2010-03-22 16:35.

Good evening,

I followed the steps to create slapd.d from slapd.conf, but I get the following error:

bdb_db_open: warning - no DB_CONFIG file found in directory /etc/ldap/slapd.d: (2).
Expect poor performance for suffix "dc=dess,dc=sn".
bdb_db_open: database "dc=dess,dc=sn": db_open(/etc/ldap/slapd.d/id2entry.bdb) failed: No such file or directory (2).
backend_startup_one (type=bdb, suffix="dc=dess,dc=sn"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch

I don't know which directory to set for the directory directive.

Please help me.

 

Submitted by Anonymous (not registered) on Fri, 2011-05-27 23:37.
+1 The title is: Installing And Configuring OpenLDAP On Ubuntu Intrepid Ibex. Then in the preliminary note the author states that this article is not going to talk about that, instead it will demonstrate something useless in Intrepid Ibex. wtf?