Configure OpenLDAP

OpenLDAP is a free, open-source implementation of the Lightweight Directory Access Protocol (LDAP). These are some notes about its installation and configuration.

Installation

Under Debian, you need to install the following packages:

sudo apt-get install slapd ldap-utils

Configuration

Modify /etc/ldap/slapd.conf so that it contains a configuration similar to this:

suffix      "dc=example,dc=com"
rootdn      "dc=example,dc=com"
rootpw      password
index       objectClass eq

You can change dc=example,dc=com as you wish, for example according to your hostname; the Debian installer should already have done this for you. Two security points about these lines. The rootdn is the all-powerful administrative identity that bypasses every access control: using the suffix itself as rootdn works (and the ldapadd commands below bind as it), but the usual choice is a dedicated entry such as cn=admin,dc=example,dc=com. And rootpw should never be kept in cleartext: run slappasswd, which prompts for the password and prints a salted {SSHA} hash, and put that hash in place of the word password. Since slapd.conf then still holds a secret, keep it readable only by root and the user slapd runs as (openldap on Debian).

Directory Layout

In this example, the directory layout is defined in an LDIF file, which is then passed to the ldapadd command.

Create a file named directory.ldif like this one:

dn: dc=example,dc=com
objectClass:    top
objectClass:    dcObject
objectClass:    organization
dc: example
o: Society, Inc.

dn: ou=people,dc=example,dc=com
objectClass:    top
objectClass:    organizationalUnit
ou: people

Then add the directory layout with:

ldapadd -D 'dc=example,dc=com' -f directory.ldif -W -x

The password asked for is the one corresponding to rootpw in your slapd.conf. Now check that the entries have been added:

ldapsearch -b 'dc=example,dc=com' 'objectclass=*' -x

If everything went well, the output should end with something like this:

search: 2
result: 0 Success

Contacts Attributes

Create a file named contact.ldif like this one:

dn: cn=John Doe,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Doe
gn: John
sn: Doe
mail: john.doe@example.com
physicalDeliveryOfficeName: Society, Inc.
postalAddress: 5, rue de Vaugirard
l: Paris
ou: people
st: Ile de France
postalCode: 75000
telephoneNumber: 555-555-5551
facsimileTelephoneNumber: 555-555-5552
mobile: 555-555-5553
homePhone: 555-555-5554

Then add your contacts with:

ldapadd -D 'dc=example,dc=com' -f contact.ldif -W -x

Check that all went well:

ldapsearch -b 'ou=people,dc=example,dc=com' '(objectclass=*)' -x
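The two LDIF files above are hand-written, which is fine for a handful of entries, but as soon as contacts come from another source you hit the cases the format is picky about: a cn containing a comma ("Doe, John") splits the DN into two RDNs, a value starting with a space or a colon is silently truncated, and accented names must be base64-encoded on a `::` line. The following script is an added example and not part of the original page: it builds contact.ldif-style entries with RFC 4514 DN escaping and RFC 2849 value encoding. The base DN ou=people,dc=example,dc=com and the John Doe sample come from the page; the function names are this example's own and the second sample contact is constructed.

```python
"""Build LDIF entries that ldapadd will accept whatever the data contains.

Added example, not code from the original page.  It applies RFC 4514
escaping to the RDN value in the DN and RFC 2849 encoding to attribute
values, so names with commas, leading spaces or accents do not corrupt the
entry.  The base DN ou=people,dc=example,dc=com is the page's; the function
names are this example's own.  Standard library only.
"""
import base64
from typing import Dict, Iterable, Union

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use as the RDN of a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")            # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")            # leading hash
        else:
            out.append(ch)
    return "".join(out)


def _is_safe_string(value: str) -> bool:
    """RFC 2849 SAFE-STRING: printable ASCII, not starting with space, ':' or '<'."""
    if not value:
        return True
    if value[0] in " :<":
        return False
    return all(" " <= ch <= "~" for ch in value)


def _fold(line: str, width: int = 76) -> str:
    """Fold a long line; each continuation line starts with one space (RFC 2849)."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_attribute(name: str, value: str) -> str:
    """Render `name: value`, or `name:: base64` when the value is not safe."""
    if _is_safe_string(value):
        return _fold(f"{name}: {value}")
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return _fold(f"{name}:: {encoded}")


def contact_entry(cn: str, attrs: Dict[str, Union[str, Iterable[str]]],
                  base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """Build an inetOrgPerson entry like the page's contact.ldif, ending in a blank line."""
    lines = [f"dn: cn={escape_rdn_value(cn)},{base_dn}"]
    for oc in ("top", "person", "organizationalPerson", "inetOrgPerson"):
        lines.append(f"objectClass: {oc}")
    lines.append(ldif_attribute("cn", cn))   # the attribute itself is NOT DN-escaped
    for name, value in attrs.items():
        values = [value] if isinstance(value, str) else list(value)
        for v in values:
            lines.append(ldif_attribute(name, v))
    return "\n".join(lines) + "\n\n"


if __name__ == "__main__":
    # Constructed sample data: the page's John Doe plus a name LDIF is picky about.
    print(contact_entry("John Doe", {"gn": "John", "sn": "Doe",
                                     "mail": "john.doe@example.com",
                                     "l": "Paris", "postalCode": "75000"}), end="")
    print(contact_entry("Dupont, Jérôme", {"gn": "Jérôme", "sn": "Dupont",
                                           "mail": "jerome.dupont@example.com",
                                           "l": "Orléans"}), end="")
```

Save it as, say, gen_contacts.py, redirect its output to contact.ldif and feed that to the ldapadd command above; the second entry shows a comma escaped in the DN but left intact in the cn attribute, and the accented values emitted as `::` base64 lines.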

Secure LDAP

If you are using Debian woody, you will need to recompile OpenLDAP with TLS support. To make SSL/TLS work, you need a certificate authority, a server certificate and a private key. Create the CA first:

/usr/lib/ssl/misc/CA.sh -newca

This command creates the CA certificate and key in a demoCA/ directory under your current working directory. Now generate a certificate request and private key for the server, and sign the request with that CA. When prompted for the Common Name, enter the domain name or hostname that clients use to reach your LDAP server: a correctly configured client compares it with the name in the certificate and rejects the certificate if they differ:

openssl req -new -nodes -keyout newreq.pem -out newreq.pem
/usr/lib/ssl/misc/CA.sh -sign

Then copy the resulting files into place. Despite the .csr name given to it below, newcert.pem is the signed server certificate; newreq.pem holds the private key together with the request:

cp demoCA/cacert.pem /etc/ssl/certs/ldap.cert
mv newcert.pem /etc/ssl/certs/ldap.csr
mv newreq.pem /etc/ssl/certs/ldap.key
chmod 600 /etc/ssl/certs/ldap.key

The key must be readable by the user slapd runs as. If that is the openldap user rather than root (the case with current Debian packages), give the file to that user, for example with chown openldap /etc/ssl/certs/ldap.key, or slapd will fail to load it.

Then add to your /etc/ldap/slapd.conf:

TLSCipherSuite  HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCertificateFile /etc/ssl/certs/ldap.csr
TLSCertificateKeyFile /etc/ssl/certs/ldap.key
TLSCACertificateFile /etc/ssl/certs/ldap.cert
TLSVerifyClient allow

Two remarks on these settings. The cipher list above still admits SSLv2 and SSLv3 cipher suites; both protocols are broken, so on any OpenLDAP build that supports it, restrict the list to strong suites (for example HIGH:!aNULL:!eNULL) and set a protocol floor with TLSProtocolMin. TLSVerifyClient allow asks clients for a certificate but does not require one, which is the right setting when users authenticate with passwords rather than client certificates.

And this to /etc/ldap/ldap.conf, which configures the client tools (ldapsearch, ldapadd and so on):

TLS_CACERT /etc/ssl/certs/ldap.cert
TLS_REQCERT allow

Note that TLS_REQCERT allow tells the client to proceed even when the server presents no certificate or one that cannot be verified, which silently exposes the connection to interception. Since TLS_CACERT already points at the CA that signed the server certificate, the stricter TLS_REQCERT demand (the default) works and should be preferred; use allow only while debugging the certificate setup.

Then modify the /etc/init.d/slapd script (replace the start-stop-daemon command in the script with this one):

start-stop-daemon --start --quiet [..] --exec /usr/sbin/slapd -- -h "ldap://0.0.0.0 ldaps://0.0.0.0" [..]

The newer version of the script shipped with Debian Sarge is more generic and no longer contains that command; there it is enough to put the line:

SLAPD_SERVICES="ldap:/// ldaps:///"

or alternatively:

SLAPD_SERVICES="ldap://yourhost:389/ ldaps://yourhost:636/"

near the beginning of the script (on later Debian releases this variable is set in /etc/default/slapd instead). Both forms keep the cleartext ldap:// listener open on every interface; if you want TLS only, list just ldaps:///, or bind the cleartext port to the loopback address with ldap://127.0.0.1/.

And then restart your openldap server:

sudo /etc/init.d/slapd restart
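After the restart, confirm that the ldaps listener presents the certificate you installed, that the CA in ldap.cert validates it, and that its name matches the hostname clients use. The script below is an added example, not code from the page: it is a Python client that behaves like TLS_REQCERT demand (reject anything unverifiable), refuses protocols older than TLS 1.2, and reports what the server negotiated. The host ldap.example.com and the CA path are placeholders; hostname_matches is included so the same name check can be applied to a certificate inspected offline.

```python
"""Check an ldaps:// listener the way a careful client should.

Added example, not code from the original page.  build_context() gives a
client the behaviour of TLS_REQCERT demand (refuse unverifiable server
certificates), a hostname check and a TLS 1.2 floor; check_ldaps() performs
a handshake and reports what was negotiated; hostname_matches() applies the
"Common Name must match the hostname" rule to a certificate dictionary of
the shape SSLSocket.getpeercert() returns, so it can also be used on a
certificate inspected offline.  The host ldap.example.com and the CA path
in the __main__ block are placeholders.  Standard library only.
"""
import socket
import ssl
from typing import Optional


def build_context(cafile: Optional[str]) -> ssl.SSLContext:
    """Client context: CERT_REQUIRED, hostname check, no SSLv3/TLS 1.0/1.1."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # older protocols are broken
    return ctx


def _name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost wildcard label such as *.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def hostname_matches(cert: dict, hostname: str) -> bool:
    """RFC 6125 rule: use dNSName SANs when present, otherwise the subject CN."""
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return any(_name_matches(n, hostname) for n in san)
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(_name_matches(cn, hostname) for cn in cns)


def check_ldaps(host: str, port: int = 636, cafile: Optional[str] = None) -> dict:
    """Handshake with host:port and report protocol, cipher and certificate subject.

    Raises ssl.SSLCertVerificationError if the CA does not validate the
    certificate or its name does not match `host`; that failure is the point.
    """
    ctx = build_context(cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": cert.get("subject"),
                "name_ok": hostname_matches(cert, host),  # redundant with check_hostname, kept for offline use
            }


if __name__ == "__main__":
    # Placeholders: replace with your server's name and the CA file installed above.
    print(check_ldaps("ldap.example.com", cafile="/etc/ssl/certs/ldap.cert"))
```

Run it against your own server: a "certificate verify failed" or hostname-mismatch error is exactly the condition that TLS_REQCERT allow would have hidden from the ldap-utils clients.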

Client Configuration

Thunderbird - Directory Server Properties

We are going to configure Thunderbird 0.6 to access our LDAP directory.

  • First, go to Tools > Options > Composition.
  • Then select Directory Server, click Edit Directories and then the Add button.
  • Tick Use secure connection if your server listens on ldaps; leave it unticked otherwise.

You can verify that the connection works simply by composing a new mail and typing, in the To: field, the beginning of the name of one of your contacts.

You should then get a list of matching people taken from the LDAP directory.

Thunderbird - Address Autocompletion

Links

 
configure_openldap.txt · Last modified: 2006/10/21 12:43 by alban
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported