OpenLDAP Server

LDAP is an acronym for Lightweight Directory Access Protocol; it is a simplified version of the X.500 protocol. The directory set up in this section will be used for authentication. Nevertheless, LDAP can be used in numerous ways: authentication, shared directory (for mail clients), address book, etc.

To describe LDAP quickly, all information is stored in a tree structure. With OpenLDAP you are free to define the layout of that tree (the Directory Information Tree, or DIT) yourself. We will begin with a basic tree containing two nodes below the root:

  • "People" node where your users will be stored

  • "Groups" node where your groups will be stored

Before beginning, you should determine what the root of your LDAP directory will be. By default, your tree will be determined by your Fully Qualified Domain Name (FQDN). If your domain is example.com (which we will use in this example), your root node will be dc=example,dc=com.

Installation

First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

sudo apt-get install slapd ldap-utils

The installation process will prompt you for the LDAP directory admin password and confirmation.

After installing slapd the directory can be configured using dpkg-reconfigure:

sudo dpkg-reconfigure slapd

You will then be taken through a menu based configuration dialog allowing you to configure various slapd options. For the most part the defaults work well, but if your root node differs from the server's FQDN be sure to enter the correct name.

Populating LDAP

The directory has been created during installation and reconfiguration, and now it is time to populate it. It will be populated with a "classical" scheme that is compatible with address book applications and with Unix POSIX accounts. POSIX accounts allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc.

[Note]

For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details.

LDAP directories can be populated with LDIF (LDAP Directory Interchange Format) files. Copy the following example LDIF file, naming it example.com.ldif, somewhere on your system:

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: password
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000

In this example the directory structure, a user, and a group have been set up. In other examples you might see objectClass: top added to every entry, but that is the default behaviour, so you do not have to add it explicitly.
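As an added example (not part of the guide), the following Python script parses LDIF in the form shown above and flags two things worth catching before running slapadd: a userPassword stored in cleartext, as the sample entry does, and a posixAccount whose gidNumber names no posixGroup in the same file. The embedded LDIF is a constructed, abridged copy of the entries above; the parser goes slightly beyond the page's file in that it also joins folded continuation lines.

```python
import re

# Constructed sample: the page's example.com.ldif abridged to the attributes
# these checks read (the original carries many more inetOrgPerson fields).
SAMPLE_LDIF = """\
dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: john
cn: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: password
homeDirectory: /home/john

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000
"""

def parse_ldif(text):
    """Split LDIF into blank-line-separated entries of {attr: [values]}."""
    entries, entry, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line == "":                       # blank line ends the entry
            if entry:
                entries.append(entry)
            entry, last = {}, None
        elif line.startswith(" ") and last:  # folded line continues last value
            entry[last][-1] += line[1:]
        else:                                # 'attr: value' ('::' base64 not decoded)
            attr, _, value = line.partition(":")
            entry.setdefault(attr, []).append(value.strip())
            last = attr
    return entries

def check_entries(entries):
    """Warnings to resolve before slapadd: cleartext passwords, dangling gidNumber."""
    warnings = []
    gids = {e["gidNumber"][0] for e in entries if "posixGroup" in e.get("objectClass", [])}
    for e in entries:
        dn = e["dn"][0]
        for pw in e.get("userPassword", []):
            if not re.match(r"\{[A-Za-z0-9]+\}", pw):   # hashed values look like {SSHA}...
                warnings.append(f"{dn}: userPassword stored in cleartext")
        if "posixAccount" in e.get("objectClass", []):
            if e.get("gidNumber", [""])[0] not in gids:
                warnings.append(f"{dn}: gidNumber matches no posixGroup in this file")
    return warnings
```

Run it as check_entries(parse_ldif(open("example.com.ldif").read())) against your own file; slappasswd generates the {SSHA} form that silences the cleartext warning.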

Now, to add your entries to the LDAP directory:

  • Stop slapd:

    sudo /etc/init.d/slapd stop
  • Add the content:

    sudo slapadd -l example.com.ldif
  • Start LDAP daemon:

    sudo /etc/init.d/slapd start

We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search of the LDAP directory:

ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn

dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
sn: Doe
givenName: John

Just a quick explanation:

  • -x: use simple authentication instead of SASL, which is the default method.

  • -LLL: disable printing LDIF schema information.

Setting up ACL

Authentication requires access to the password field, which should not be accessible by default. Another issue is that when a user changes their password with passwd, shadowLastChange must be writable by that authenticated user. The following excerpt from /etc/ldap/slapd.conf shows the default ACL setting, which grants the admin user and authenticated users access to shadowLastChange:

access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=example,dc=com" write
    by anonymous auth
    by self write
    by * none
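To make the semantics of that clause concrete, here is an added Python model (not from the guide or from OpenLDAP itself) of slapd's first-match evaluation of the userPassword/shadowLastChange clause above. The DNs and function names are assumptions, and it ignores regex selectors and the stop/continue/break controls; it also shows why clause order matters, which the page states only implicitly.

```python
# Access levels in the order slapd ranks them: a 'by' clause that grants a
# level also grants every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The slapd.conf clause above, as ordered (who, granted level) pairs.
# The protected attributes are userPassword and shadowLastChange.
PASSWORD_ACL = [
    ("dn=cn=admin,dc=example,dc=com", "write"),
    ("anonymous", "auth"),
    ("self", "write"),
    ("*", "none"),
]

def who_matches(who, bind_dn, target_dn):
    """Does a 'by <who>' selector apply to this requester? bind_dn=None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):                   # by dn="..." is an exact-DN match
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError(f"unsupported selector {who!r}")

def allowed(acl, bind_dn, target_dn, requested):
    """The first 'by' clause whose selector matches decides; later clauses are
    never consulted. True if that clause grants at least the requested level."""
    for who, granted in acl:
        if who_matches(who, bind_dn, target_dn):
            return LEVELS.index(requested) <= LEVELS.index(granted)
    return False                                 # nothing matched: slapd denies

# Assumed DNs, taken from the page's example tree.
JOHN = "uid=john,ou=people,dc=example,dc=com"
ADMIN = "cn=admin,dc=example,dc=com"

if __name__ == "__main__":
    # Anonymous may bind against john's password (auth) but may not read it.
    print(allowed(PASSWORD_ACL, None, JOHN, "auth"), allowed(PASSWORD_ACL, None, JOHN, "read"))
    # Order matters: a '* read' clause placed first would expose every hash and
    # shadow 'self write', so passwd would stop working as well.
    leaky = [("*", "read")] + PASSWORD_ACL
    print(allowed(leaky, "uid=jane,ou=people,dc=example,dc=com", JOHN, "read"),
          allowed(leaky, JOHN, JOHN, "write"))
```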

LDAP replication

An LDAP service often quickly becomes a highly critical service in an information system: multiple systems depend on LDAP for authentication, authorization, mail, etc. It is a good idea to set up a redundant system.

Replication is achieved using the Syncrepl engine. Syncrepl allows the directory to be synced using either a push or pull based system. In a push based configuration a “primary” server will push directory updates to “secondary” servers, while a pull based approach allows replication servers to sync on a time based interval.

The following is an example of a push configuration. First, set up the slapd provider by uncommenting the following line in /etc/ldap/slapd.conf:

rootdn "cn=admin,dc=example,dc=com"

Below the rootdn line add:

moduleload syncprov.la
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

Now restart slapd:

sudo /etc/init.d/slapd restart

On a separate OpenLDAP server, configure the slapd consumer by again uncommenting the rootdn line in /etc/ldap/slapd.conf:

rootdn "cn=admin,dc=example,dc=com"

Then add the following below the rootdn entry:

syncrepl rid=123
    provider=ldap://ldap01.example.com:389
    type=refreshAndPersist
    searchbase="dc=example,dc=com"
    filter="(objectClass=*)"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="uid=john,ou=people,dc=example,dc=com"
    credentials=password

[Note]

This example uses the john user we created above to authenticate the sync process. Be sure to use an account with sufficient privileges. Also, replace ldap://ldap01.example.com:389 with the appropriate host name.

Now restart the consumer slapd daemon:

sudo /etc/init.d/slapd restart

If all goes well, you should be able to run the ldapsearch example from above on the server holding the replicated directory:

ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn

The slapd daemon sends log information to /var/log/syslog by default, so if all does not go well, check there for errors and other troubleshooting information.

Resources