Differences


configure_openldap [2006/10/21 12:39]
alban created
configure_openldap [2006/10/21 12:43] (current)
alban
Line 1: Line 1:
 +====== Configure OpenLDAP ======
 +[[wp>OpenLDAP]] is a free [[wp>Lightweight Directory Access Protocol]]. These are some notes about its installation.
 +
 +===== Installation =====
 +
 +Under [[Debian]], you need to install these following packages :
 +
 +  sudo apt-get install slapd ldap-utils
 +
 +===== Configuration =====
 +
 +Modify ''/etc/ldap/slapd.conf'' to have these similar configuration :
 +
 +  suffix      "dc=example,dc=com"
 +  rootdn      "dc=example,dc=com"
 +  rootpw      password
 +  index       objectClass eq
 +
 +You can change ''dc=example,dc=com'' as you wish, according to your hostname for example.
 +The debian installer should have done it for you.
 +
 +===== Directory Layout =====
 +
 +In this example, the directory layout is defined into a ldif file. This file is used in argument of the ''ldapadd'' command.
 +
 +Create a file named ''directory.ldif'' like this one:
 +
 +  dn: dc=example,dc=com
 +  objectClass:    top
 +  objectClass:    dcObject
 +  objectClass:    organization
 +  dc: example
 +  o: Society, Inc.
 +  
 +  dn: ou=people,dc=example,dc=com
 +  objectClass:    top
 +  objectClass:    organizationalUnit
 +  ou: people
 +
 +Then add the directory layout with:
 +
 +  ldapadd -D 'dc=example,dc=com' -f directory.ldif -W -x
 +
 +Password asked is the password corresponding to ''rootpw'' in your ''sladp.conf''.
 +Now, you can check if it's has been done:
 +
 +  ldapsearch -b 'dc=example,dc=com' 'objectclass=*' -x
 +
 +If everything went well, you should see something like that:
 +
 +  search: 2
 +  result: 0 Success
 +
 +===== Contacts Attributes =====
 +
 +Create a file named ''contact.ldif'' like this one :
 +
 +  dn: cn=John Doe,ou=people,dc=example,dc=com
 +  objectClass: top
 +  objectClass: person
 +  objectClass: organizationalPerson
 +  objectClass: inetOrgPerson
 +  cn: John Doe
 +  gn: John
 +  sn: Doe
 +  mail: john.doe@example.com
 +  physicalDeliveryOfficeName: Society, Inc.
 +  postalAddress: 5, rue de Vaugirard
 +  l: Paris
 +  ou: people
 +  st: Ile de France
 +  postalCode: 75000
 +  telephoneNumber: 555-555-5551
 +  facsimileTelephoneNumber: 555-555-5552
 +  mobile: 555-555-5553
 +  homePhone: 555-555-5554
 +
 +Then add your contacts with:
 +
 +  ldapadd -D 'dc=example,dc=com' -f contact.ldif -W -x
 +
 +Check if all went well :
 +
 +  ldapsearch -b 'ou=people,dc=example,dc=com' '(objectclass=*)' -x
 +
 +===== Secure LDAP =====
 +
 +If you are using a debian woody, you will need to recompile openldap with the TLS support.
 +To make SSL/TLS works, you will need to create certificats and other SSL stuff:
 +
 +  /usr/lib/ssl/misc/CA.sh -newca
 +
 +Check that ''Common Name'' for your certificate is corresponding to your ldap server domain name or hostname.
 +This command have create a certificate, you find it in the /demoCA/ directory.
 +
 +Now, we generate a cert request and private key for the server ::
 +
 +  openssl req -new -nodes -keyout newreq.pem -out newreq.pem
 +  /usr/lib/ssl/misc/CA.sh -sign
 +
 +Then copy this security stuff like that:
 +
 +  cp demoCA/cacert.pem /etc/ssl/certs/ldap.cert
 +  mv newcert.pem /etc/ssl/certs/ldap.csr
 +  mv newreq.pem /etc/ssl/certs/ldap.key
 +  chmod 600 /etc/ssl/certs/ldap.key
 +
 +Then add to your ''/etc/ldap/sladp.conf'':
 +
 +  TLSCipherSuite  HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
 +  TLSCertificateFile /etc/ssl/certs/ldap.csr
 +  TLSCertificateKeyFile /etc/ssl/certs/ldap.key
 +  TLSCACertificateFile /etc/ssl/certs/ldap.cert
 +  TLSVerifyClient allow
 +
 +And this to the ''/etc/ldap/ldap.conf'':
 +
 +  TLS_CACERT /etc/ssl/certs/ldap.cert
 +  TLS_REQCERT allow
 +
 +Then modify the ''/etc/init.d/sladp'' script like this (replace the command by this in the script):
 +
 +  start-stop-daemon --start --quiet [..] --exec /usr/sbin/slapd -- -h "ldap://0.0.0.0 ldaps://0.0.0.0" [..]
 +
 +In a newer version of the script in Debian Sarge you will have trouble to replace the command as you won't be able to find it. As the newer version is more generic it's enough to put the line:
 +
 +  SLAPD_SERVICES="ldap:/// ldaps:///"
 +
 +or alternatively:
 +
 +  SLAPD_SERVICES="ldap://yourhost:389/ ldaps://yourhost:636/"
 +
 +somewhere at the begining of the script.
 +
 +And then restart your openldap server:
 +
 +  sudo /etc/init.d/slapd restart
 +
 +===== Client Configuration =====
 +
 +{{ :thunderbird-directory_server_properties.png|Thunderbird - Directory Server Properties}}
 +
 +We are going to configure [[http://www.mozilla.org/products/thunderbird/|thunderbird 0.6]] to access our ldap directory.
 +
 +  * First, go to **Tools > Options > Composition**.
 +  * Then select : **Directory Server** and click on **Edit Directories** and on the **Add** button.
 +  * Select or not **Use secure connection**, if you run an secure ldap or not.
 +
 +You can verify that the connection work, only by writing a new mail and typing, in the ''To:'' Fields, the beginning of the name of one your contact.
 +
 +Then you should get a list of person corresponding taken from the ldap directory.  
 +
 +{{ :thunderbird-address_autocompletion.png |Thunderbird - Address Autocompletion}}
 +
 +===== Links =====
 +
 +  * [[http://www.onlamp.com/pub/a/onlamp/2003/03/27/ldap_ab.html?page=1|Building an Address Book with OpenLDAP]]
 +  * [[http://www.openldap.org/faq/data/cache/185.html|How do I use TLS/SSL?]]
 +  * [[http://research.imb.uq.edu.au/~l.rathbone/ldap/|Authentication using LDAP]]
 +  * [[http://www.bayour.com/LDAPv3-HOWTO.html|OpenLDAP, OpenSSL, SASL and KerberosV HOWTO]]
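Review bot: the TLS settings in the slapd.conf and ldap.conf blocks under "Secure LDAP" weaken the protection the section is meant to add. `TLS_REQCERT allow` tells the ldap client tools to proceed even when the server presents no certificate or a bad one, so a client that has been given `TLS_CACERT /etc/ssl/certs/ldap.cert` still will not notice an impostor server; since the CA certificate is being distributed to clients anyway, the default `demand` is the value to use. `TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA` explicitly re-enables the SSLv2 and SSLv3 cipher suites; `HIGH` on its own (or `HIGH:!SSLv2:!SSLv3`) is enough. In the Configuration block, `rootpw password` stores the directory superuser password in cleartext in slapd.conf; `rootpw` also accepts a hashed value, so generate one with `slappasswd` and paste the `{SSHA}...` string instead, and keep slapd.conf unreadable to other users. `rootdn "dc=example,dc=com"` makes the base entry itself the superuser identity; the usual choice (and Debian's packaged default) is a separate entry under the suffix such as `cn=admin,dc=example,dc=com`, which is then also the DN the later `ldapadd -D` calls should bind with. The excerpt shows no `access to` directives, so slapd's default ACL applies and the whole directory, contact entries included, is readable anonymously; an explicit ACL is worth adding if the address book is not meant to be public. On the certificate steps, `openssl req -new -nodes -keyout newreq.pem -out newreq.pem` writes the private key and the request into the same file, which is then moved to `ldap.key`, while `newcert.pem` (the signed certificate, not a request) is moved to `ldap.csr`; writing the key to its own file and naming the signed certificate `ldap.crt` would avoid the confusion, and `CA.sh -newca` creates `demoCA` in the current directory, consistent with the relative `cp demoCA/cacert.pem` later, not `/demoCA/` as the text says. After `chmod 600 /etc/ssl/certs/ldap.key`, check that the key is owned by the user slapd runs as if that is not root, or TLS will fail at startup. Finally, `sladp.conf` and `/etc/init.d/sladp` in the text are typos for `slapd.conf` and `/etc/init.d/slapd` as used elsewhere on the page, and on Debian releases whose init script sources `/etc/default/slapd`, `SLAPD_SERVICES` belongs in that file rather than at the top of the script, so a package upgrade does not overwrite it.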
 
configure_openldap.txt · Last modified: 2006/10/21 12:43 by alban
 
Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Noncommercial-Share Alike 3.0 Unported