First of all, install the ldap server daemon (slapd) on the server ; install the following packages: slapd and ldap-utils.

Enter your domain as asked and the password that you want for the directory administrator.

Only few changes will be operated on the default configuration. First set the root password in the configuration file (instead of in the directory) by editing the file /etc/ldap/slapd.conf.

Don't use a cleartext password however. To generate an encrypted password first use slappasswd yourpasswd

$ slappasswd New password: Re-enter password: {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m

This example shows what happens when using the string "secret" as the password. (By nature of the SSHA encryption scheme, your result will vary.)

Now edit /etc/ldap/slapd.conf and copy paste the generated string.

# Make sure you edit or add these directives after the first 'database' directive. suffix "dc=example,dc=com" directory "/var/lib/ldap" rootdn "cn=admin,dc=example,dc=com" rootpw {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m

The directory has been created at the installation, now it is time to populate. It will be populated with a "classical" entry that will be compatible with directory (for example for a shared directory), with classical accounts (for a web application) and with Unix accounts (posix).

LDAP directory can be fed with a ldif file (ldif means ldap directory interchange format). Generate this example text file init.ldif somewhere on your system:

dn: dc=example,dc=com objectClass: dcObject objectClass: organizationalUnit dc: example ou: Example Dot Com dn: ou=people,dc=example,dc=com objectClass: organizationalUnit ou: people dn: ou=groups,dc=example,dc=com objectClass: organizationalUnit ou: groups dn: uid=john,ou=people,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: john sn: Doe givenName: John cn: John Doe displayName: John Doe uidNumber: 1000 gidNumber: 10000 userPassword: password gecos: John Doe loginShell: /bin/bash homeDirectory: /home/john shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: john.doe@example.com postalCode: 31000 l: Toulouse o: Example mobile: +33 (0)6 xx xx xx xx homePhone: +33 (0)5 xx xx xx xx title: System Administrator postalAddress: initials: JD dn: cn=example,ou=groups,dc=example,dc=com objectClass: posixGroup cn: example gidNumber: 10000

In the example above, the directory structure, a user and group have been setup. In other example you might see the objectClass: top added in every entry, but that is default behaviour so you don't have to add it explicitely.

Now, add your entries to the LDAP :

We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search in the LDAP directory :

ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn dn: uid=john,ou=people,dc=example,dc=com cn: John Doe sn: Doe givenName: John

Just a quick explanation :

Authentication requires access to password field, that should be not accessible by default. Annother issue is that during password change using passwd shadowLastChange needs to be accessible as well. Following code shows example ACL setting that permits access to shadowLastChange:

access to attr=shadowLastChange by dn="cn=manager,dc=example,dc=com" write by self write by * read

LDAP service often quickly becomes a highly critical service in an information system: all is depending of LDAP: autentication, authorization, mail system, etc. It is a good idea to setup a redundant system. It is easy to setup, and here is a quick howto.

Replication will be based here on a master-slave relation. Before implementing LDAP replication consider the following steps:

You will have to remember that modifications should ALWAYS be done on the master. If you modify the slave, they will get lost.