

Installing OpenLDAP Software

There are several options to install OpenLDAP.

Install OpenLDAP Using Stock Packages

The ideal way is to install OpenLDAP using packages from your OS distribution. E.g. for Ubuntu use:

apt-get install slapd ldap-utils

The problem is that these packages may be quite outdated. E.g. Ubuntu 14.04 LTS has OpenLDAP 2.4.31 which was released in 2012. It contains some annoying bugs and we do not recommend that for production use.

Note: Ubuntu 16.04 LTS comes with OpenLDAP 2.4.42.

Install From Symas Packages

Symas Corporation is the commercial sponsor of OpenLDAP. Symas provides Silver and Gold versions of OpenLDAP which can be downloaded here:

https://symas.com/downloads/

However, there is a catch. The Silver version does not contain several essential overlays such as sssvlv and does not support replication. This is practically useless. The Gold version is only available under a commercial subscription.

Slapdconf

TODO: install slapdconf utilities (https://github.com/Evolveum/slapdconf)

On Ubuntu, run the commands as root (using ldapi:/// and EXTERNAL SASL authentication).

Setting up SSL/TLS

slapdconf set-server-prop olcTLSCACertificateFile:/etc/ldap/tls/cacert.pem
slapdconf set-server-prop olcTLSCertificateFile:/etc/ldap/tls/triglav.nlight.eu-cert.pem
slapdconf set-server-prop olcTLSCertificateKeyFile:/etc/ldap/tls/triglav.nlight.eu-privkey.pem
slapdconf set-server-prop olcTLSCipherSuite:NORMAL


Initializing OpenLDAP

The database and suffix might have been created during software installation. To check whether that is the case, use the following command:

$ slapdconf list-suffixes
dc=whatever,dc=com

If you are OK with the existing suffix you may skip this section. If not, you have to delete the suffix (see OpenLDAP Administration).

Setting up logging

Add rsyslog configuration in /etc/rsyslog.d/40-slapd.conf:

/etc/rsyslog.d/40-slapd.conf
local4.*        -/var/log/slapd.log
& ~

Set log level:

$ slapdconf set-log-level stats

Ports

On Ubuntu, OpenLDAP has its port specification in /etc/default/slapd:

/etc/default/slapd
 SLAPD_SERVICES="ldap://0.0.0.0:1389/ ldapi:///"


Symas OpenLDAP has its port specification in /opt/symas/etc/openldap/symas-openldap.conf:

/opt/symas/etc/openldap/symas-openldap.conf
 HOST_LIST="ldap://0.0.0.0:1389/"


Creating the Database and Suffix

On Ubuntu 16.04, the back_mdb module has to be loaded first, otherwise create-suffix does not work:

$ slapdconf add-module back_mdb

To create a new suffix:

$ mkdir /var/lib/ldap/example
$ chown openldap:openldap /var/lib/ldap/example
$ slapdconf create-suffix dc=example,dc=com --dbDir /var/lib/ldap/example --rootPassword secret

The first two commands create a directory for the new database and set the correct permissions on it. The last command creates the database and suffix in the server.

You may need to set the maximum database size (olcDbMaxSize, in bytes):

$ slapdconf set-suffix-prop dc=example,dc=com olcDbMaxSize:100000000


Setting up Overlays

Installing sssvlv overlay (server-side sorting and virtual list view):

slapdconf add-module sssvlv
slapdconf add-overlay dc=example,dc=com sssvlv

Installing password policy overlay

slapdconf add-module ppolicy
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
slapdconf add-overlay dc=example,dc=com ppolicy

Installing memberof overlay

slapdconf add-module memberof
slapdconf add-overlay dc=example,dc=com memberof

Installing refint overlay to support referential integrity. This requires "<explicitReferentialIntegrity>false</explicitReferentialIntegrity>" in the midPoint resource association configuration.

slapdconf add-module refint
slapdconf add-overlay dc=example,dc=com refint olcRefintConfig 'olcRefintAttribute:memberof member manager owner'


Populating the Suffix

When the suffix is created it is completely empty. Not even the base object is there. The following command creates the basic objects of the suffix:

ldapgenerate -D "cn=admin,dc=example,dc=com" -w secret -i -s dc=example,dc=com

The suffix root user must be used explicitly when creating a base object for the suffix. The EXTERNAL SASL authentication will not work here.

Setting up MidPoint Access

TODO

Creating Administrator Account

TODO

admin.ldif
dn: ou=Administrators,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: Administrators

dn: cn=idm,ou=Administrators,dc=example,dc=com
objectclass: top
objectclass: person
cn: idm
sn: IDM Administrator
description: Special LDAP account used by the IDM
  to access the LDAP data.
userPassword: {SSHA}R5KF3K4X2FX5gkWKuDxm4M6gZyO0QgNF

Make sure that the empty line separating the two entries is really empty and does not contain spaces or any other whitespace characters; otherwise ldapadd treats the following lines as part of the first entry.


Use the following command (as root):

ldapadd -Y EXTERNAL -H ldapi:/// -f admin.ldif

Setting Up ACLs

Set up ACLs that allow the midPoint user to access the directory. The database DN in the first line (olcDatabase={1}hdb here) must match the backend actually in use; a database created with back_mdb, as above, appears under cn=config as olcDatabase={N}mdb, so check the DN with ldapsearch on cn=config before applying the file:

aci.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=idm,ou=Administrators,dc=example,dc=com" write by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to dn.subtree="ou=people,dc=example,dc=com" by dn="cn=idm,ou=Administrators,dc=example,dc=com" write
olcAccess: to dn.subtree="ou=groups,dc=example,dc=com" by dn="cn=idm,ou=Administrators,dc=example,dc=com" write
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by dn="cn=idm,ou=Administrators,dc=example,dc=com" read by self read by * none

Use the following command (as root):

ldapmodify -Y EXTERNAL -H ldapi:/// -f aci.ldif

Or you can use slapdconf to set up the ACLs:

slapdconf edit-suffix-acis dc=example,dc=com


Setting Up Limits

limits.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcLimits
olcLimits: dn.exact="cn=idm,ou=Administrators,dc=example,dc=com" size.prtotal=unlimited

Or you can use slapdconf:

slapdconf set-suffix-prop dc=example,dc=com 'olcLimits:dn.exact="cn=idm,ou=Administrators,dc=example,dc=com" size.prtotal=unlimited'


Setting up password policy

pwpolicy.ldif
dn: cn=pwpolicy,dc=example,dc=com
objectclass: pwdPolicy
objectClass: person
cn: pwpolicy
sn: pwpolicy
pwdAttribute: userPassword
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 60

Use the following commands (as root) to add the policy entry and make it the default policy of the ppolicy overlay:

ldapadd -Y EXTERNAL -H ldapi:/// -f pwpolicy.ldif
slapdconf set-overlay-prop dc=example,dc=com ppolicy olcPPolicyDefault:cn=pwpolicy,dc=example,dc=com


How to install both Ubuntu OpenLDAP and Symas OpenLDAP

  1. Install Symas OpenLDAP from Symas deb packages
  2. Initialize the configuration as per the Symas documentation
  3. Stop slapd: /etc/init.d/solserver stop
  4. Edit /opt/symas/etc/openldap/symas-openldap.conf, change port number
  5. Edit /etc/init.d/solserver and change "Provides: slapd" to "Provides: solserver"
  6. apt-get install slapd
