OpenLDAP Server

LDAP is an acronym for Lightweight Directory Access Protocol; it is a simplified version of the X.500 protocol. The directory set up in this section will be used for authentication. LDAP can nevertheless be used in numerous ways: authentication, a shared directory (for mail clients), an address book, etc.

To describe LDAP quickly, all information is stored in a tree structure. With OpenLDAP you are free to lay out the directory tree (the Directory Information Tree, or DIT) yourself. We will begin with a basic tree containing two nodes below the root:

  • "People" node where your users will be stored

  • "Groups" node where your groups will be stored

Before beginning, you should determine what the root of your LDAP directory will be. By default, your tree will be determined by your Fully Qualified Domain Name (FQDN). If your domain is example.com (which we will use in this example), your root node will be dc=example,dc=com.

Installation

First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

sudo apt-get install slapd ldap-utils

The installation process will prompt you for the LDAP directory admin password and confirmation.

After installing slapd, the directory can be configured using dpkg-reconfigure:

sudo dpkg-reconfigure slapd

You will then be taken through a menu-based configuration dialog allowing you to configure various slapd options. For the most part the defaults work well, but if your root node differs from the server's FQDN be sure to enter the correct name.

Populating LDAP

The directory has been created during installation and reconfiguration, and now it is time to populate it. It will be populated with a "classical" schema that is compatible with address book applications and with Unix POSIX accounts. POSIX accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc.

[Note]

For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details.

LDAP directories can be populated with LDIF (LDAP Directory Interchange Format) files. Copy the following example LDIF file, naming it example.com.ldif, somewhere on your system:

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: password
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: [email protected]
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress: 
initials: JD

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000

In this example the directory structure, a user, and a group have been set up. In other examples you might see objectClass: top added to every entry, but that is the default behaviour so you do not have to add it explicitly.
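Two checks worth running on an LDIF file like the one above before handing it to slapadd, as an added example that is not part of the original guide: every posixAccount's gidNumber should name an existing posixGroup, and userPassword should be stored hashed rather than in the clear as the example does. The helper also builds the {SSHA} form that slappasswd produces, so the cleartext value can be replaced; the embedded LDIF is a constructed, trimmed copy of the page's example.

```python
import base64
import hashlib
# Constructed input: a trimmed copy of the page's example.com.ldif (unrelated attributes omitted).
EXAMPLE_LDIF = """\
dn: uid=john,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: john
uidNumber: 1000
gidNumber: 10000
userPassword: password

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000
"""

def parse_ldif(text):
    """Entries as dicts attr -> [values]; handles the plain 'attr: value' lines used on the page only."""
    entries, entry = [], {}
    for line in text.splitlines() + [""]:          # the extra "" flushes the final entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")       # no '::' base64 values or folded lines here
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entries

def check_entries(entries):
    """Flag accounts whose gidNumber matches no posixGroup, and userPassword values kept in the clear."""
    group_gids = {e["gidNumber"][0] for e in entries if "posixGroup" in e.get("objectClass", [])}
    problems = []
    for e in entries:
        dn, classes = e["dn"][0], e.get("objectClass", [])
        if "posixAccount" in classes and e["gidNumber"][0] not in group_gids:
            problems.append(f"{dn}: gidNumber {e['gidNumber'][0]} matches no posixGroup")
        if any(not pw.startswith("{") for pw in e.get("userPassword", [])):
            problems.append(f"{dn}: userPassword is stored in cleartext")   # hashed values start with {SCHEME}
    return problems

def ssha(password, salt):
    """{SSHA} value = base64(SHA1(password + salt) + salt), the format slappasswd -h {SSHA} emits."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password, value):
    raw = base64.b64decode(value[len("{SSHA}"):])   # first 20 decoded bytes are the digest, the rest is salt
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]
```

Run against the page's LDIF, check_entries reports only the cleartext password; substituting the value returned by ssha() for it makes the report empty.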

Now, to add your entries to the LDAP directory:

  • Stop slapd:

    sudo /etc/init.d/slapd stop

  • Add the content:

    sudo slapadd -l example.com.ldif

  • Start the LDAP daemon:

    sudo /etc/init.d/slapd start

We can check that the content has been correctly added with the tools from the ldap-utils package. In order to execute a search of the LDAP directory:

ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn

dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
sn: Doe
givenName: John

Just a quick explanation:

  • -x: use simple authentication rather than SASL, which is the default.

  • -LLL: disable printing LDIF schema information.

Setting up ACL

Authentication requires access to the password field, which should not be accessible otherwise. Another issue is that when a password is changed using passwd, shadowLastChange needs to be accessible by authenticated users. The following excerpt from /etc/ldap/slapd.conf shows the default ACL setting that permits the admin user and authenticated users access to userPassword and shadowLastChange:

access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
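To see what that rule actually grants to whom, here is a small model of slapd's evaluation of it, added as an example and not taken from OpenLDAP itself: the first "by" clause whose selector matches the requester decides, and access is granted only if the level it names is at least the level the operation needs. The dictionary is a constructed encoding of the four clauses above, dn="..." is modelled as an exact match, and a simple bind is checked as an anonymous request needing "auth" access to userPassword, which is why the "by anonymous auth" line is there.

```python
# Access levels in increasing order; a clause granting one level also grants every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Constructed representation of the page's rule: the 'by' clauses in the order written in slapd.conf.
# dn="..." is modelled as an exact DN match.
PASSWORD_ACL = {
    "attrs": {"userPassword", "shadowLastChange"},
    "by": [
        ("dn=cn=admin,dc=example,dc=com", "write"),
        ("anonymous", "auth"),
        ("self", "write"),
        ("*", "none"),
    ],
}

def who_matches(who, requester_dn, target_dn):
    """Does a 'by <who>' selector match the requester? requester_dn is None for anonymous connections."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":                      # requester is the very entry being accessed
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester_dn is not None and requester_dn.lower() == who[3:].lower()
    raise ValueError(f"unsupported selector {who!r}")

def access_allowed(acl, attr, requester_dn, target_dn, wanted):
    """First matching 'by' clause decides; access is granted iff its level is at least the level wanted."""
    if attr not in acl["attrs"]:
        return None                        # rule does not apply; slapd would go on to the next 'access to'
    for who, level in acl["by"]:
        if who_matches(who, requester_dn, target_dn):
            return LEVELS.index(level) >= LEVELS.index(wanted)
    return False                           # no clause matched: slapd denies

JOHN = "uid=john,ou=people,dc=example,dc=com"
JANE = "uid=jane,ou=people,dc=example,dc=com"   # constructed second user, not in the page's LDIF
ADMIN = "cn=admin,dc=example,dc=com"

def demo():
    """The cases the section cares about; a bind is checked as an anonymous request needing 'auth'."""
    return {
        "anonymous bind as john": access_allowed(PASSWORD_ACL, "userPassword", None, JOHN, "auth"),
        "anonymous reads john's password": access_allowed(PASSWORD_ACL, "userPassword", None, JOHN, "read"),
        "john updates his shadowLastChange": access_allowed(PASSWORD_ACL, "shadowLastChange", JOHN, JOHN, "write"),
        "admin resets john's password": access_allowed(PASSWORD_ACL, "userPassword", ADMIN, JOHN, "write"),
        "jane reads john's password": access_allowed(PASSWORD_ACL, "userPassword", JANE, JOHN, "read"),
    }
```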

LDAP replication

An LDAP service often quickly becomes a highly critical service in an information system: multiple systems depend on LDAP for authentication, authorization, mail, etc. It is a good idea to set up a redundant system.

Replication is achieved using the Syncrepl engine. Syncrepl allows the directory to be synced using either a push-based or a pull-based system. In a push-based configuration a "primary" server pushes directory updates to "secondary" servers, while a pull-based approach lets the replica servers sync on a time-based interval.

The following is an example of a push configuration. First you need to set up the slapd provider by uncommenting the following line in /etc/ldap/slapd.conf:

rootdn          "cn=admin,dc=example,dc=com"

Below the rootdn line add:

moduleload  syncprov.la
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

Now restart slapd:

sudo /etc/init.d/slapd restart

On a separate OpenLDAP server, configure the slapd consumer by again uncommenting the rootdn line in /etc/ldap/slapd.conf:

rootdn          "cn=admin,dc=example,dc=com"

Then add the following below the rootdn entry:

syncrepl rid=123
         provider=ldap://ldap01.example.com:389
         type=refreshAndPersist
         searchbase="dc=example,dc=com"
         filter="(objectClass=*)"
         scope=sub
         schemachecking=off
         bindmethod=simple
         binddn="uid=john,ou=people,dc=example,dc=com"
         credentials=password

[Note]

This example uses the john user we created above to authenticate the sync process. Be sure to use an account with sufficient privileges. Also, replace ldap://ldap01.example.com:389 with the appropriate host name.

Now restart the consumer slapd daemon:

sudo /etc/init.d/slapd restart

If all goes well you should be able to execute the ldapsearch example from above on the server with the replicated directory.

ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn

The slapd daemon sends its log output to /var/log/syslog by default, so if all does not go well, check there for errors and other troubleshooting information.

Resources