OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP).
Install OpenLDAP Server
- Ensure the host name is a FQDN:
ldap1:~# hostname
ldap1.dev.local
If it is not, issue the following:
echo "ldap1.dev.local" > /etc/hostname
hostname -F /etc/hostname
- Install the necessary packages (during the package configuration phase set the admin password and accept the other defaults):
apt-get -y install rsyslog slapd ldap-utils
- Set up system-wide defaults for LDAP clients (file /etc/ldap/ldap.conf):
BASE dc=dev,dc=local
URI ldap://ldap1.dev.local
- Disable IPv6 support for slapd so it listens on IPv4 only (file /etc/default/slapd):
# Additional options to pass to slapd
SLAPD_OPTIONS="-4"
Restart slapd:
/etc/init.d/slapd restart
netstat -tunlp | grep slapd
Output:
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1557/slapd
Logging
- Create a file that enables LDAP logging at the stats level, which records each connection, bind, search and result (file log-stats.ldif):
# Enable LDAP logging
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
-
... and one that disables LDAP logging (file log-none.ldif):
# Disable LDAP logging
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: none
-
And here is the command to apply either file (changes take effect immediately, no need to restart slapd). -Y EXTERNAL over the ldapi:/// socket authenticates as the local root user through the SASL EXTERNAL mechanism, which the Debian configuration maps to the cn=config administrator, so run it as root:
ldapmodify -QY EXTERNAL -H ldapi:/// -f log-stats.ldif
What to index
- Create indexes to match the attributes actually used in search filters: a filter on an unindexed attribute makes slapd walk the whole database. We are going to add equality (eq) indexes for uid, cn, ou, dc, uniqueMember, uidNumber and gidNumber. So here is our index file (file db-index.ldif):
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq
-
add: olcDbIndex
olcDbIndex: cn eq
-
add: olcDbIndex
olcDbIndex: ou eq
-
add: olcDbIndex
olcDbIndex: dc eq
-
add: olcDbIndex
olcDbIndex: uniqueMember eq
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
Apply changes:
ldapmodify -QY EXTERNAL -H ldapi:/// -f db-index.ldif
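As an added example (not part of the original post), the following POSIX shell script ties the Logging and What to index sections together: it reads the SRCH lines that slapd writes at olcLogLevel stats, tallies which attributes clients actually filter on and how (equality, substring or presence), compares that with the olcDbIndex list, and prints an LDIF in the same form as db-index.ldif for whatever is missing. The log lines and the index list are constructed for the example; on a real server you would feed it lines grepped from /var/log/syslog and the olcDbIndex values read from cn=config.

```shell
#!/bin/sh
# Added example, not code from the original post. Tally the attributes used in
# search filters logged by slapd at olcLogLevel "stats", classify each use as an
# equality, substring or presence match, and list those with no matching
# olcDbIndex. SAMPLE_LOG is constructed for this example; real lines arrive in
# /var/log/syslog via rsyslog in the same format, e.g. grep ' slapd\[' /var/log/syslog.

SAMPLE_LOG='Jan 10 12:00:01 ldap1 slapd[1557]: conn=1000 op=0 BIND dn="cn=admin,dc=dev,dc=local" mech=SIMPLE ssf=0
Jan 10 12:00:01 ldap1 slapd[1557]: conn=1000 op=0 RESULT tag=97 err=0 text=
Jan 10 12:00:01 ldap1 slapd[1557]: conn=1000 op=1 SRCH base="ou=people,dc=dev,dc=local" scope=2 deref=0 filter="(uid=jdoe)"
Jan 10 12:00:01 ldap1 slapd[1557]: conn=1000 op=1 SRCH attr=uid cn mail
Jan 10 12:00:01 ldap1 slapd[1557]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 10 12:00:02 ldap1 slapd[1557]: conn=1001 op=1 SRCH base="dc=dev,dc=local" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=jdoe))"
Jan 10 12:00:03 ldap1 slapd[1557]: conn=1002 op=1 SRCH base="ou=groups,dc=dev,dc=local" scope=1 deref=0 filter="(memberUid=jdoe)"
Jan 10 12:00:04 ldap1 slapd[1557]: conn=1003 op=1 SRCH base="dc=dev,dc=local" scope=2 deref=0 filter="(mail=*@dev.local)"
Jan 10 12:00:05 ldap1 slapd[1557]: conn=1004 op=1 SRCH base="dc=dev,dc=local" scope=2 deref=0 filter="(uidNumber=1001)"'

# Indexes configured on the server, in olcDbIndex syntax: the list from
# db-index.ldif plus "objectClass eq", which the Debian package sets by default.
# On a live server read it with:
#   ldapsearch -QLLLY EXTERNAL -H ldapi:/// -b 'olcDatabase={1}hdb,cn=config' olcDbIndex
INDEXED='objectClass eq
uid eq
cn eq
ou eq
dc eq
uniqueMember eq
uidNumber eq
gidNumber eq'

# filter_attrs: one "<count> <attribute> <matchtype>" line per distinct use,
# highest count first. Match types use the olcDbIndex names eq, sub and pres.
filter_attrs() {
    printf '%s\n' "$SAMPLE_LOG" \
    | sed -n 's/.* SRCH .*filter="\(.*\)"$/\1/p' \
    | tr '()&|!' '\n\n\n\n\n' \
    | awk -F= '
        /^[A-Za-z][A-Za-z0-9;.-]*[<>~]?=/ {
            # "uidNumber>=1000" and "cn~=x" still count as attribute uses
            attr = $1; sub(/[<>~]$/, "", attr)
            val = substr($0, index($0, "=") + 1)
            type = (val == "*") ? "pres" : (index(val, "*") ? "sub" : "eq")
            print attr, type
        }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2, $3 }'
}

# unindexed_attrs: the subset of filter_attrs with no matching index entry.
# A value like "cn eq,sub" is expanded to "cn eq" and "cn sub" before comparing.
unindexed_attrs() {
    have=$(printf '%s\n' "$INDEXED" \
        | awk '{ n = split($2, t, ","); for (i = 1; i <= n; i++) print $1, t[i] }')
    filter_attrs | while read -r count attr type; do
        printf '%s\n' "$have" | grep -qxF -- "$attr $type" || echo "$count $attr $type"
    done
}

# index_ldif: emit an LDIF in the same multi-change form as db-index.ldif that
# adds the missing indexes (assumes the {1}hdb database as on this page).
# Review it, then apply with: index_ldif | ldapmodify -QY EXTERNAL -H ldapi:/// -f -
index_ldif() {
    printf 'dn: olcDatabase={1}hdb,cn=config\nchangetype: modify\n'
    unindexed_attrs | awk 'NR > 1 { print "-" }
                           { print "add: olcDbIndex"; print "olcDbIndex: " $2 " " $3 }'
}

index_ldif
```

With the constructed log the script reports that memberUid needs an eq index and mail a sub index (the mail filter is a substring match, so an eq index would not help it). If an attribute already has an index of another type, modify its existing olcDbIndex value to the combined form (for example mail eq,sub) instead of adding a second value for the same attribute, and reindex afterwards.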
Reindex database
- Here is a simple script to reindex the database (file /usr/local/sbin/slap-reindex). You do not need to run it often; how often depends on the size of your database and how many changes it receives, so consider running it monthly. slapindex must be run while slapd is stopped, and it must run as the openldap user so the rebuilt index files keep the ownership slapd expects:
#!/bin/sh
# Rebuild all indexes. slapd is stopped first so nothing writes to the
# database while slapindex runs. Run this script as root.
set -e
/etc/init.d/slapd stop > /dev/null
# -s /bin/sh in case the openldap account has a disabled login shell
su openldap -s /bin/sh -c "slapindex"
/etc/init.d/slapd start > /dev/null
Simple tree structure
- Here is our simple structure:
dev.local
|--people
`--groups
It corresponds to the following (file init-tree.ldif); note the blank line between the two entries, which LDIF requires:
dn: ou=people,dc=dev,dc=local
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=dev,dc=local
ou: groups
objectClass: organizationalUnit
Add it to LDAP. Note that -x -W is a simple bind with the admin password; over ldap:// it crosses the network in cleartext unless TLS has been set up, so when working on the server itself bind over the ldapi:/// Unix socket rather than the ldap://ldap1.dev.local URI set in /etc/ldap/ldap.conf:
ldapadd -cxWD cn=admin,dc=dev,dc=local -H ldapi:/// -f init-tree.ldif
- Test that it can be found. The search below is anonymous (-x with no -D); Debian's default ACLs let anonymous clients read every entry except the password attributes, which is what this shows:
ldapsearch -x ou=people
Here is search result:
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: ou=people
# requesting: ALL
#
# people, dev.local
dn: ou=people,dc=dev,dc=local
ou: people
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1