LDAP Server
Installation
Install OpenLDAP:
$ aptitude install slapd
As long as the LDAP service is only used locally, it does not need to listen on any TCP port; the unix socket alone can be used:
$ vi /etc/default/slapd
SLAPD_SERVICES="ldapi:///"
Install command line tools and ldapvi:
$ aptitude install ldap-utils ldapvi
Configure:
$ dpkg-reconfigure slapd
- Omit OpenLDAP server configuration? No
- DNS domain name: example.com
- Organization name: example.com
- Administrator password: ...
- Confirm password: ...
- Database backend to use: HDB
- Do you want the database to be removed when slapd is purged? No
- Move old database? Yes
- Allow LDAPv2 protocol? No
Move Database to /srv
By default the database is stored in /var/lib/ldap, but /srv/ldap is preferred.
Backup current data:
$ slapcat > backup.ldif
Create the database directory:
$ mkdir -p /srv/ldap/example-com
$ chown -R openldap:openldap /srv/ldap
Edit the configuration:
$ ldapvi -h ldapi:/// -Y EXTERNAL -b cn=config
dn: olcDatabase={1}hdb,cn=config
olcDbDirectory: /srv/ldap/example-com
Stop the server, import the backup into the new directory, then start it again:
$ /etc/init.d/slapd stop
$ slapadd -l backup.ldif
$ chown openldap:openldap /srv/ldap/example-com/*
$ /etc/init.d/slapd start
Clean up the old database directory:
$ rm /var/lib/ldap/*
Operation
Set Indices
Example:
$ ldapvi -h ldapi:/// -Y EXTERNAL -b cn=config
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: uid pres,eq
Access Rules for root
Allow root to edit the database:
$ ldapvi -h ldapi:/// -Y EXTERNAL -b cn=config
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write ...
olcAccess: {2}to * by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write ...
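The two settings above that matter most for exposure are SLAPD_SERVICES (socket only, no TCP) and the order of the olcAccess rules (slapd applies the first rule whose "to" clause matches, so the userPassword rule must come before the catch-all "to *"). The following script is an added example, not part of this guide: it audits both from files on disk (/etc/default/slapd and a cn=config dump such as "slapcat -n 0"), so it needs no running slapd; the sample files it creates are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the two settings it
# changes from files on disk, so the check needs no running slapd.
# Inputs: /etc/default/slapd and a cn=config LDIF (e.g. "slapcat -n 0").

# Join LDIF continuation lines (leading space) so each attribute is one line.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" } { printf "%s", $0 } END { print "" }' "$1"
}

# 0 if SLAPD_SERVICES lists only the local unix socket ldapi:///, else 1.
services_local_only() {
    services=$(sed -n 's/^SLAPD_SERVICES="\(.*\)".*/\1/p' "$1" | tail -n 1)
    [ -n "$services" ] || return 1
    for s in $services; do
        [ "$s" = "ldapi:///" ] || return 1
    done
}

# 0 if the userPassword rule precedes the catch-all "to *" rule (slapd
# applies the first matching rule) and grants anonymous no read/write.
password_acl_sane() {
    ldif=$(unfold_ldif "$1")
    pw=$(printf '%s\n' "$ldif" | grep -n '^olcAccess: {[0-9]*}to attrs=userPassword' | head -n 1 | cut -d: -f1)
    all=$(printf '%s\n' "$ldif" | grep -n '^olcAccess: {[0-9]*}to \* ' | head -n 1 | cut -d: -f1)
    [ -n "$pw" ] && [ -n "$all" ] && [ "$pw" -lt "$all" ] || return 1
    rule=$(printf '%s\n' "$ldif" | sed -n "${pw}p")
    case "$rule" in
        *'by * read'*|*'by * write'*|*'by anonymous read'*|*'by anonymous write'*) return 1 ;;
    esac
    return 0
}

# Constructed samples standing in for the real files (one folded LDIF line).
sample_dir=$(mktemp -d)
printf 'SLAPD_SERVICES="ldapi:///"\n' > "$sample_dir/slapd.defaults"
cat > "$sample_dir/config.ldif" <<'EOF'
dn: olcDatabase={1}hdb,cn=config
olcDbDirectory: /srv/ldap/example-com
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="gidNumber=0+uidNumb
 er=0,cn=peercred,cn=external,cn=auth" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by * read
EOF
if services_local_only "$sample_dir/slapd.defaults"; then echo "SLAPD_SERVICES: unix socket only"; else echo "WARNING: slapd would also listen on a TCP port"; fi
if password_acl_sane "$sample_dir/config.ldif"; then echo "userPassword ACL: ordered first, no anonymous read"; else echo "WARNING: userPassword rule misordered or readable by anonymous"; fi
rm -r "$sample_dir"
```

Run it against the real files by replacing the sample paths with /etc/default/slapd and the output of "slapcat -n 0".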
Edit the Database
$ ldapvi -h ldapi:/// -Y EXTERNAL --discover
$ ldapvi -h ldapi:/// -Y EXTERNAL -b dc=example,dc=com