Thursday, December 23, 2010

Debian OpenLDAP

OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP).

Install OpenLDAP Server

  1. Ensure the host name is an FQDN:
    ldap1:~# hostname
    If it is not, set it (replace the <FQDN> placeholder with the server's fully qualified name):
    echo "<FQDN>" > /etc/hostname
    hostname -F /etc/hostname
  2. Install the necessary packages (during the package configuration phase set the admin password and accept all default options):
    apt-get -y install rsyslog slapd ldap-utils
  3. Set up system-wide defaults for LDAP clients (file /etc/ldap/ldap.conf):
    BASE    dc=dev,dc=local
    URI     ldap://
  4. Disable IPv6 support for slapd (file /etc/default/slapd); the -4 flag makes slapd listen on IPv4 only:
    # Additional options to pass to slapd
    SLAPD_OPTIONS="-4"
    Restart slapd:
    /etc/init.d/slapd restart
    netstat -tunlp | grep slapd
    tcp        0      0   *               LISTEN      1557/slapd

Logging

  1. Create a file that enables LDAP logging (file log-stats.ldif):
    # Enable LDAP logging
    dn: cn=config
    changetype: modify
    replace: olcLogLevel
    olcLogLevel: stats
  2. Create a file that disables LDAP logging (file log-none.ldif):
    # Disable LDAP logging
    dn: cn=config
    changetype: modify
    replace: olcLogLevel
    olcLogLevel: none
  3. Here is the command to apply either file over the local ldapi socket (changes are applied immediately, no need to restart slapd):
    ldapmodify -QY EXTERNAL -H ldapi:/// -f log-stats.ldif

What to index

  1. Create indexes to match the actual filter terms used in search queries. We are going to add equality indexes for the following attributes: uid, cn, ou, dc, uniqueMember, uidNumber and gidNumber. Note that in LDIF consecutive modifications of one record must be separated by a line containing only "-", otherwise ldapmodify rejects the file. So here is our index file (file db-index.ldif):
    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    add: olcDbIndex
    olcDbIndex: uid eq
    -
    add: olcDbIndex
    olcDbIndex: cn eq
    -
    add: olcDbIndex
    olcDbIndex: ou eq
    -
    add: olcDbIndex
    olcDbIndex: dc eq
    -
    add: olcDbIndex
    olcDbIndex: uniqueMember eq
    -
    add: olcDbIndex
    olcDbIndex: uidNumber eq
    -
    add: olcDbIndex
    olcDbIndex: gidNumber eq
    Apply changes:
    ldapmodify -QY EXTERNAL -H ldapi:/// -f db-index.ldif
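The logging and index files above are both "changetype: modify" records for cn=config, and the two mistakes that make ldapmodify reject such a hand-written file are a missing "-" between modifications and two entries not separated by a blank line. The following added example (not code from the original post) generates the db-index.ldif shown above from a list of attributes and parses such files back, raising on those two defects; the function names and the sample strings are constructed for this example.

```python
import re

def build_modify_ldif(dn, mods):
    """Render one 'changetype: modify' record; mods is [(op, attr, [values])]."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for i, (op, attr, values) in enumerate(mods):
        if i:
            lines.append("-")  # required separator between modifications
        lines.append(f"{op}: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"

def parse_modify_ldif(text):
    """Parse modify records into [(dn, mods)]; reject the usual hand-edit defects."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):  # blank line ends a record
        lines = [l for l in block.splitlines() if not l.startswith("#")]
        if not lines or not lines[0].startswith("dn: "):
            raise ValueError("record must start with a dn: line")
        dn = lines[0][4:]
        if len(lines) < 2 or lines[1] != "changetype: modify":
            raise ValueError(f"{dn}: not a changetype: modify record")
        mods, current = [], None
        for line in lines[2:]:
            if line == "-":
                current = None  # separator closes the current modification
                continue
            attr, _, value = line.partition(": ")
            if attr == "dn":
                raise ValueError(f"{dn}: second dn: line, blank line missing")
            if attr in ("add", "replace", "delete"):
                if current is not None:
                    raise ValueError(f"{dn}: '{line}' needs a '-' before it")
                current = (attr, value, [])
                mods.append(current)
            elif current is not None and attr == current[1]:
                current[2].append(value)  # another value of the same attribute
            else:
                raise ValueError(f"{dn}: unexpected line {line!r}")
        records.append((dn, mods))
    return records

# The page's index list, rendered with the separators ldapmodify expects.
INDEXES = ["uid", "cn", "ou", "dc", "uniqueMember", "uidNumber", "gidNumber"]
DB_INDEX_LDIF = build_modify_ldif("olcDatabase={1}hdb,cn=config",
                                  [("add", "olcDbIndex", [f"{a} eq"]) for a in INDEXES])
```

Writing DB_INDEX_LDIF to db-index.ldif gives a file that ldapmodify -QY EXTERNAL -H ldapi:/// -f db-index.ldif applies in one run.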

Reindex database

  1. Here is a simple script to reindex the database (file /usr/local/sbin/slap-reindex). You do not need to run it often; how often depends on how big your database is and how many changes occur, so consider running it monthly:
    #!/bin/sh
    # slapindex must run while slapd is stopped, and as the openldap user so
    # the rebuilt index files keep the ownership slapd expects.
    /etc/init.d/slapd stop > /dev/null
    su openldap -c "slapindex"
    /etc/init.d/slapd start > /dev/null

Simple tree structure

  1. Our simple structure is two organizational units directly under the base dc=dev,dc=local: ou=people for user accounts and ou=groups for groups.
  2. It corresponds to the following LDIF (file init-tree.ldif; the two entries must be separated by a blank line):
    dn: ou=people,dc=dev,dc=local
    ou: people
    objectClass: organizationalUnit

    dn: ou=groups,dc=dev,dc=local
    ou: groups
    objectClass: organizationalUnit
  3. Add it to ldap:
    ldapadd -cxWD cn=admin,dc=dev,dc=local -f init-tree.ldif
  4. Test if we can find it:
    ldapsearch -x ou=people
    Here is the search result:
    # extended LDIF
    # LDAPv3
    # base  (default) with scope subtree
    # filter: ou=people
    # requesting: ALL
    # people, dev.local
    dn: ou=people,dc=dev,dc=local
    ou: people
    objectClass: organizationalUnit
    # search result
    search: 2
    result: 0 Success
    # numResponses: 2
    # numEntries: 1