OpenLDAP 2.4.11

From SaruWiki
Jump to navigation Jump to search

OpenLDAP installation and configuration

Note: we're going to install OpenLDAP on our server as the local directory service, without replication, referrals or other advanced features.

Installing OpenLDAP on your Debian server is ridiculously simple. Just make sure your server is up-to-date (sudo apt-get update followed by sudo apt-get upgrade), and then install the two main components for your OpenLDAP server: 

sudo apt-get install slapd ldap-utils

The Debian configuration script will ask you for only one single thing: an administrator password. As always: generate a strong password! When you've provided the password, the LDAP database is created with the administrator name "admin" and as a base directory path, something based on your DNS name. Suppose your internal domain is "amber.lan.", then the script will generate suffix "dc=amber,dc=lan,dc=". The last, empty, domain component (dc) is caused by the trailing dot in your DNS name: the DNS root.

Since this might not always be the most convenient configuration, we recommend that you run the configuration again using dpkg-reconfigure slapd. Interestingly enough, this reconfiguration asks you many more questions. The answers could look like this: 

omit OpenLDAP config:  no
DNS domain name:       saruman.biz
Organization name:     Saruman
Administrator passwd:  wEt3udes
Database backend:      HDB
DB remove after purge: no
Move old DB:           yes
Allow LDAPv2:          no

As you can see, the reconfiguration yields much more configuration options than plain installation - although really you'll probably answer most questions with their default values anyway, with the exception of the database backend, which by default is BDB.
Anyway, the above method of configuring yields you an LDAP database with only two objects in it:

  • a single Organization (o="Saruman") with Distinguished Name dn="dc=saruman,dc=biz"
  • a single administrator with Common Name cn="admin", and dn="cn=admin,dc=saruman,dc=biz"

The database that your OpenLDAP server uses is a standard Berkeley DB (BDB) database. Now we most likely will require some other databases as well in our server setup, something modern like PostgreSQL or MySQL - so why don't we configure our OpenLDAP to use this same database as well? For the answer, see here - in short, the LDAP tree structure does not lend itself very well to inclusion in a modern relational database. Thus, we advise to stick with the Berkeley database provided with OpenLDAP.
Now, for the database backend, we have the choice between two almost identical flavours: the bdb backend is the recommended primary backend for a normal slapd database. It uses the Oracle Berkeley DB package, referred to as BDB, to store data. It makes extensive use of indexing and caching to speed data access. hdb is a variant of the bdb backend that uses a hierarchical database layout which supports subtree renames. It is otherwise identical to the bdb behavior, and all the same configuration options apply.

Installing and configuring an LDAP Account Manager

It's perfectly normal to manipulate your LDAP from the command line using LDAP utilities like ldapsearch, ldapadd, ldapdelete and ldapmodify, as well as slapcat, slappasswd etcetera. However, many people find a GUI for LDAP indispensible. If you are amongst those, then for you, my friend, the question becomes: which graphic tool do you want to use? Many people speak highly of gq, luma and phpldapadmin. We go for lam (LDAP acount Manager).
To install lam, first ensure that you have installed Apache2 and PHP5. Then we can use apt-get install ldap-account-manager. After installation, we can right away surf to http://<server-IP>/lam, where we can log in. However, note that in the upper right, there's a link LAM configuration. We'll go there first.

Under the LAM configuration page, there are two links to areas, where settings can be specified. The first one is "Edit general settings", and clicking it prompts you for a master password - by default this is "lam". Behind that password is a simple settings page, that can be filled with values like this:

  • Security settings
    • Session timeout: 15 (the amount of minutes of inactivity that's allowed before a user is logged off)
    • Allowed hosts: 192.168.67.* (the range of IP numbers from which LAM accepts connections; empty would mean "all" so we recommend limiting the scope to your internal network, or even less if possible)
Retrieved from "https://www.saruman.biz/saruwiki/index.php?title=OpenLDAP_2.4.11&oldid=1668"