LDAP Server

Installation

Install OpenLDAP:

$ aptitude install slapd

As long as the LDAP service is only used locally, it doesn't need to listen on any TCP port; a Unix domain socket can be used instead:

$ vi /etc/default/slapd
SLAPD_SERVICES="ldapi:///"

Install command line tools and ldapvi:

$ aptitude install ldap-tools ldapvi

Configure:

$ dpkg-reconfigure slapd

Move Database to /srv

By default the database is stored in /var/lib/ldap, but /srv/ldap is preferred.

Backup current data:

$ slapcat > backup.ldif

Create the database directory:

$ mkdir -p /srv/ldap/example-com
$ chown -R openldap:openldap /srv/ldap

Edit the configuration:

$ ldapvi -h ldapi:/// -Y EXTERNAL -b cn=config
dn: olcDatabase={1}hdb,cn=config
olcDbDirectory: /srv/ldap/example-com

Stop the server, import the backup, and start it again:

$ /etc/init.d/slapd stop
$ slapadd -l backup.ldif
$ chown openldap:openldap /srv/ldap/example-com/*
$ /etc/init.d/slapd start

Clean up the old database directory:

$ rm /var/lib/ldap/*
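Two checks worth running after the steps above, as an added example that is not part of the original page: one confirms that SLAPD_SERVICES still only names ldapi:// sockets (no TCP listener), the other that the dump taken after the move to /srv/ldap has the same number of entries as the slapcat backup. The file names used in the demo are constructed; the functions assume the SLAPD_SERVICES="..." syntax of /etc/default/slapd and one "dn:" line per LDIF entry.

```shell
#!/bin/sh
# Added example, not part of the original page. Post-setup checks for the
# ldapi-only configuration and the database move described above.

# Return 0 if every URL in a SLAPD_SERVICES value is an ldapi:// socket URL.
slapd_ldapi_only() {
    for url in $1; do
        case "$url" in
            ldapi:*) ;;        # unix socket: stays local
            *) return 1 ;;     # ldap:// or ldaps:// would open a TCP listener
        esac
    done
    return 0
}

# Print the (last) SLAPD_SERVICES value found in a /etc/default/slapd style file.
slapd_services_from_file() {
    sed -n 's/^[[:space:]]*SLAPD_SERVICES="\([^"]*\)".*$/\1/p' "$1" | tail -n 1
}

# Number of entries (dn: lines) in an LDIF dump such as the slapcat backup.
ldif_entry_count() {
    grep -c '^dn:' "$1"
}

# Return 0 if the dump taken after the move has as many entries as the backup.
migration_complete() {
    [ "$(ldif_entry_count "$1")" -eq "$(ldif_entry_count "$2")" ]
}

# Demo with constructed data so the script runs offline; in real use pass
# /etc/default/slapd and the two slapcat dumps instead.
demo() {
    dir=$(mktemp -d)
    printf 'SLAPD_SERVICES="ldapi:///"\n' > "$dir/slapd.default"
    printf 'dn: dc=example,dc=com\nobjectClass: domain\n\ndn: cn=admin,dc=example,dc=com\n' \
        > "$dir/backup.ldif"
    cp "$dir/backup.ldif" "$dir/after.ldif"
    slapd_ldapi_only "$(slapd_services_from_file "$dir/slapd.default")" \
        && echo "slapd: local socket only"
    migration_complete "$dir/backup.ldif" "$dir/after.ldif" \
        && echo "migration: entry count matches"
    rm -rf "$dir"
}

demo
```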

Operation

Set Indices

Example:

$ ldapvi -h ldapi:/// -Y EXTERNAL -b cn=config
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: uid pres,eq

Access Rules for root

Allow root to edit the database:

$ ldapvi -h ldapi:/// -Y EXTERNAL -b cn=config
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write ...
olcAccess: {2}to * by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write ...

Edit the Database

$ ldapvi -h ldapi:/// -Y EXTERNAL --discover
$ ldapvi -h ldapi:/// -Y EXTERNAL -b dc=example,dc=com