15

I'm trying to set up a test openldap server, having not worked with openldap before. I'm using the standard openldap-servers package on a redhat based machine (using Oracle Linux). I've installed the packages, and started the server.

I now have no idea how to actually get the server to do something useful; I can't browse to it using luma ('No such object' when trying to access the top-level entry), the openldap docs are obtuse as to how you actually get a server to a basic working confuration, and all the information online is for the old slapd.conf file rather the new slapd.d and cn=config.

How do I get a vanilla packaged openldap install working where I can browse to the root dn in luma?

thecoop
  • 287
  • 1
  • 2
  • 7

2 Answers2

21

I feel your pain.

Try this (it's tested on Scientific Linux 6.5, so it should work on OL as well):

  • Install OpenLDAP servers: yum install openldap-servers openldap-clients)
  • start slapd: service slapd start (and maybe chkconfig slapd on)
  • Create passwords for cn=config and your normal LDAP admin user with slappasswd. Note the output of this.
  • Create an LDIF file with the following content: 
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}TXcmvaldskl312012cKsPK1cY2321+aj

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}TXcmvaldskl312012cKsPK1cY2321+aj
-
replace: olcRootDN
olcRootDN: cn=admin,dc=your,dc=base,dc=com
-
replace: olcSuffix
olcSuffix: dc=your,dc=base,dc=com
  • The values for olcRootPW should be replaced with the output of slappaswd your noted earlier.
  • Naturally, olcSuffix and olcRootDN should be adapted to your new base DN.

  • Feed all this to the LDAP server with the following command:

    ldapmodify -a -Q -Y EXTERNAL -H ldapi:/// -f yourfile.ldif

Afer that, you should be able to connect to both cn=config and dc=your,dc=base,dc=com via LDAP.

Sven
  • 97,248
  • 13
  • 177
  • 225
  • 8
    Thanks, this is like nightmare for beginer. There is config, but in the first lines of slap.d/* - DO NOT EDIT, while all howto/getting started/guides tell about "open config in your favorite editor" – fghj Jul 28 '14 at 11:53
10

Before you start the OpenLDAP server, you need to set up a few things first.

Basic configuration

You need to set up a root user and password, along with defining your base DN. In slapd.conf, look for the lines following lines, and set them to the values you want.

suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"

Usually your base DN (defined as suffix in the file) is the components of your domain name, separated with commas and prefixed with dc=. So, serverfault.com might become dc=serverfault,dc=com. Your rootdn must be under that suffix.

You also need to change the line that defines the root password. You can set it to a plaintext value, or use slappasswd to create a hash. You then need to put either the plaintext value or the hashed value out of slappasswd in a line that looks like this:

rootpw myultrasecurepassword

Schemas

It is a good idea at this point to start thinking about the schemas you want to use. A schema defines the attributes an object can have, so you need to include the schemas that contain the attributes you need. These schemas are included at the top of slapd.conf, and the ones here are usually the absolute basic schemas you will need:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

These paths are the ones used in Arch Linux, so you may need to adjust them to fit Oracle Linux.

About slapd.conf vs slapd.d

OpenLDAP has switched from offline configuration (done in slapd.conf) to online configuration, storing data in a special cn=config tree found in slapd.d. Modifying the ldif files in slapd.d is a painful process however, so it is much easier to edit slapd.conf as above, then convert that into the new slapd.d format.

First, remove everything in slapd.d. Next, run the following command, making sure to adjust the paths to Oracle Linux:

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/

Then just set the owner to your LDAP user and group on that directory recursively, and you should be ready to go. This needs to be done every time you edit slapd.conf - just remember to stop the OpenLDAP server before doing it!

Initial run

Before you can actually use the directory, you need to create the base DN (and root user). Create an .ldif file, containing lines similar to the following:

dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: example.com
dc: example

dn: cn=root,dc=example,dc=com
objectclass: organizationalRole
cn: root

Now start the OpenLDAP server. We just need to push that information into the LDAP directory:

ldapadd -D "cn=root,dc=example,dc=com" -W -f initial.ldif

Obviously change the root DN and ldif filename to match what you have.

You should now have a working LDAP directory set up and ready to be populated!

The Arch Linux wiki is a great source of information about this topic - see https://wiki.archlinux.org/index.php/OpenLDAP and https://wiki.archlinux.org/index.php/LDAP_Authentication if you want to know more.

Robin McCorkell
  • 273
  • 1
  • 10
  • Most of this is already done by the package manager and continuing to manage the configuration via `slapd.conf` and `slaptest` while the server is stopped beats the purpose of the online config. – Sven Apr 09 '14 at 14:49
  • 2
    For an initial configuration `slapd.conf` works just fine, and is certainly more intuitive than editing `slapd.d` directly. I don't know how much of the directory is done by the package manager in Oracle Linux, but if the OP couldn't access the base DN then it can't have been enough – Robin McCorkell Apr 09 '14 at 15:19
  • 1
    The accepted answer has the information I needed, but the info on creating the initial objects was useful too – thecoop Apr 10 '14 at 14:24