Getting OpenLDAP Running
Since getting OpenLDAP running was a bit of a struggle, I thought I would take the time to document the process I went through so that things go more smoothly should I need to do this again. This post draws heavily on the existing documents listed here:
- OpenLDAP 2.4 Administrator’s Guide
- Gentoo Linux Centralized Authentication Using OpenLDAP
- Ubuntu Linux OpenLDAP Server
Prerequisites
cyrus-sasl 2.1.27-r2
Use Flags:
(authdaemond berkdb kerberos openldap pam ssl urandom -gdbm -java -ldapdb -libressl -mysql -postgres -sample -selinux -sqlite -srp -static-libs ABI_MIPS="-n32 -n64 -o32" ABI_RISCV="-lp64 -lp64d" ABI_S390="-32 -64" ABI_X86="64 -32 -x32" ELIBC="-FreeBSD")
Install the software:
sudo emerge -v cyrus-sasl
sudo systemctl enable saslauthd
sudo systemctl start saslauthd
The status of the saslauthd service should look something like this:
● saslauthd.service - SASL Authentication Daemon
Loaded: loaded (/lib/systemd/system/saslauthd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2019-11-19 17:05:49 CST; 1 day 10h ago
Process: 1095380 ExecStart=/usr/sbin/saslauthd $SASLAUTHD_OPTS (code=exited, status=0/SUCCESS)
Main PID: 1095381 (saslauthd)
Tasks: 5
Memory: 3.7M
CPU: 64ms
openldap 2.4.46
Use Flags:
(crypt gnutls ipv6 kerberos kinit perl samba sasl ssl syslog tcpd -berkdb -cxx -debug -experimental -iodbc -libressl -minimal -odbc -overlays -pbkdf2 -selinux -sha2 -slp -smbkrb5passwd -static-libs -test ABI_MIPS="-n32 -n64 -o32" ABI_RISCV="-lp64 -lp64d" ABI_S390="-32 -64" ABI_X86="64 -32 -x32")
Install the software:
sudo emerge -v openldap
Gather facts:
In the example files that follow, you'll need to replace <MY-DOMAIN> and <COM> with the appropriate domain components of your domain name. For example, if your domain is genfic.org, replace <MY-DOMAIN> with genfic and <COM> with org. You will also need to replace <ROOTDN-PASSWORD> with the output from slappasswd. For example, the following:
slappasswd
New password:
Re-enter new password:
{SSHA}pY3qXBdn54YVuCo7ZlBqylcyn3TeGoSb
indicates that <ROOTDN-PASSWORD> should be replaced with {SSHA}pY3qXBdn54YVuCo7ZlBqylcyn3TeGoSb.
Using the facts from above modify slapd.ldif to suit your needs:
/etc/openldap/slapd.ldif
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
#
# Define global ACLs to disable default read access.
#
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
#
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap/openldap
olcModuleload: back_mdb.so
#olcModuleload: back_bdb.la
#olcModuleload: back_hdb.la
#olcModuleload: back_ldap.la
#olcModuleload: back_passwd.la
#olcModuleload: back_shell.la
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#######################################################################
# LMDB database definitions
#######################################################################
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=<MY-DOMAIN>,dc=<COM>
olcRootDN: cn=Manager,dc=<MY-DOMAIN>,dc=<COM>
olcRootPW: <ROOTDN-PASSWORD>
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /var/lib/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq
In addition to entering the appropriate replacements for <MY-DOMAIN>, <COM> and <ROOTDN-PASSWORD>, I made a few more modifications to the default slapd.ldif file provided by the openldap install.
These changes may not be appropriate for your setup; if you are unsure, it is best to stay with the default settings provided by openldap until you are.
#
olcArgsFile: /var/lib/run/slapd.args
olcPidFile: /var/lib/run/slapd.pid
#
was altered to use the better paths for Gentoo:
#
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid
#
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib64/openldap/openldap
#olcModuleload: back_bdb.la
was altered to load the MDB back end:
#
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap/openldap
olcModuleload: back_mdb.so
#olcModuleload: back_bdb.la
cn: schema
include: file:///etc/openldap/schema/core.ldif
was altered to load additional schema:
cn: schema
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
As before and in all example files that follow, be sure to change <MY-DOMAIN> and <COM> to match your own settings.
/etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=<MY-DOMAIN>,dc=<COM>
URI ldap://ldap.<MY-DOMAIN>.<COM> ldap://ldap.<MY-DOMAIN>.<COM>:666 ldapi:///
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
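The substitution described above is easy to get half done, and slapadd will happily load a file that still contains a literal <ROOTDN-PASSWORD> or a cleartext password. As an added example (not from the post), this Python fills in the placeholders and checks the rendered database entry before it goes anywhere near slapadd; the template is a constructed copy of the olcDatabase=mdb entry from the post, and the function names are my own.

```python
import re

# Added example, not from the post: fill in the <MY-DOMAIN>, <COM> and
# <ROOTDN-PASSWORD> placeholders and sanity-check the result before it is
# handed to slapadd. MDB_TEMPLATE is constructed from the post's mdb entry.

PLACEHOLDER = re.compile(r"<[A-Z][A-Z-]*>")
# Schemes slapd recognises as already hashed; any other olcRootPW value is
# stored, and served to whoever can read the config, in cleartext.
HASHED_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")

MDB_TEMPLATE = """\
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=<MY-DOMAIN>,dc=<COM>
olcRootDN: cn=Manager,dc=<MY-DOMAIN>,dc=<COM>
olcRootPW: <ROOTDN-PASSWORD>
olcDbDirectory: /var/lib/openldap-data
"""

def render(template: str, values: dict) -> str:
    """Replace each <KEY> in the template with values[KEY]."""
    for key, val in values.items():
        template = template.replace(f"<{key}>", val)
    return template

def check_slapd_ldif(text: str) -> list:
    """Return the problems found in a rendered slapd.ldif (empty is good)."""
    problems = []
    leftover = sorted(set(PLACEHOLDER.findall(text)))
    if leftover:
        problems.append("unreplaced placeholders: " + ", ".join(leftover))
    attrs = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            name, _, val = line.partition(":")
            attrs.setdefault(name.strip(), val.strip())  # first value wins
    rootpw = attrs.get("olcRootPW", "")
    if rootpw and not PLACEHOLDER.search(rootpw) \
            and not rootpw.startswith(HASHED_SCHEMES):
        problems.append("olcRootPW is not a hashed value (use slappasswd)")
    suffix, rootdn = attrs.get("olcSuffix", ""), attrs.get("olcRootDN", "")
    if suffix and rootdn and not rootdn.lower().endswith(suffix.lower()):
        problems.append("olcRootDN is not under olcSuffix")
    return problems
```

To use it on the real file, read /etc/openldap/slapd.ldif into a string, pass it through render() with your three values, and only write it back when check_slapd_ldif() returns an empty list.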
Create Initial Database
Run the following command to create the initial database from your customized slapd.ldif file.
su root -c 'slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif'
Ideally, the output will look something like the following:
Password:
_#################### 100.00% eta none elapsed none fast!
Closing DB...
IMPORTANT: When the database is created by following the steps in this post, it belongs to the root user. For the slapd service to work, the account the service runs as needs to be given access to the database. On Gentoo, that account is ldap and the command to grant access is:
sudo chown -R ldap /etc/openldap/slapd.d
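The chown above fixes ownership, but the slapd.ldif comments also ask that the config not be world readable and that the data directory be mode 700. As an added example (not from the post), this Python walks both directories and reports anything not owned by the service account or open to group/world; the paths and the ldap account name are the Gentoo ones used in this post, and the function names are my own.

```python
import os
import pwd
import stat

# Added example, not from the post: after slapadd and chown, confirm that
# the config tree and the LMDB data directory belong to the slapd service
# account and are closed to group and world, as the slapd.ldif comments
# ask (mode 700 data directory, config not world readable).
# SERVICE_ACCOUNT and SLAPD_DIRS follow the Gentoo layout from the post.

SERVICE_ACCOUNT = "ldap"
SLAPD_DIRS = ("/etc/openldap/slapd.d", "/var/lib/openldap-data")

def _paths_under(top: str):
    """Yield the directory itself followed by everything beneath it."""
    yield top
    for root, dirs, files in os.walk(top):
        for name in dirs + files:
            yield os.path.join(root, name)

def check_private_tree(top: str, expected_uid: int) -> list:
    """Return findings for entries not owned by expected_uid or open to others."""
    findings = []
    for path in _paths_under(top):
        st = os.lstat(path)
        if st.st_uid != expected_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            findings.append(f"{path}: mode {mode:04o} is group/world accessible")
    return findings

def check_slapd_dirs(account: str = SERVICE_ACCOUNT) -> list:
    """Run the check over both slapd directories for the named account."""
    uid = pwd.getpwnam(account).pw_uid
    findings = []
    for top in SLAPD_DIRS:
        if os.path.isdir(top):
            findings.extend(check_private_tree(top, uid))
        else:
            findings.append(f"{top}: missing")
    return findings

if __name__ == "__main__":
    for finding in check_slapd_dirs() or ["all slapd directories look private"]:
        print(finding)
```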
Start the slapd Service
sudo systemctl enable slapd
sudo systemctl start slapd
Should all go well the status of the slapd service should look something like this:
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/slapd.service.d
└─00gentoo.conf
Active: active (running) since Thu 2019-11-21 07:19:13 CST; 10s ago
Process: 3504483 ExecStartPre=/usr/sbin/slaptest -Q -u $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
Process: 3504484 ExecStart=/usr/lib64/openldap/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/>
Main PID: 3504485 (slapd)
Tasks: 2
Memory: 3.3M
CPU: 28ms
CGroup: /system.slice/slapd.service
Testing Basic Functionality
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
The output returned should look like the following, albeit reflecting the values used to replace <MY-DOMAIN> and <COM> throughout this post on the namingContexts: line.
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: dc=genfic,dc=org
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Conclusion
This post has come to an end. There is still much more to be done to get OpenLDAP further configured and useful, but that will have to wait for another time. Please note that while this post gets the slapd service up and running, it also leaves no account with access to change the configuration of the database, which is something you will eventually need to do, so granting that access should be among your first next steps with OpenLDAP.