Tuesday, March 3, 2015

Openldap 2.4 on Centos 7 using mdb

A bit confusing to set up especially for people used to the older slapd.conf. This is not used, do not try to set it, it will be ignored.

My setup uses the new back-end mdb.

The very basics is to install the server and client libraries (yum install openldap openldap-clients)

Configuration is stored under /etc/openldap/slapd.d/. You can view the contents but do not edit the files directly.

Remove the default configuration rm -rf /etc/openldap/slapd.d/*

Create a file for the initial configuration, let's say main.ldif:

#global configuration
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
structuralObjectClass: olcGlobal
entryUUID: 0ca4a796-53e8-1034-90ac-5fa43e938d62
creatorsName: cn=config
createTimestamp: 20150228225117Z
entryCSN: 20150228225117.358858Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150228225117Z

# Load the mdb backend
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_mdb

# Load external definitions
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# You may want to add more, make sure to satisfy any dependencies though
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/openldap.ldif

# front end db
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to * by * read
olcSizelimit: size.soft=10000 size.hard=1000000
olcTimelimit: time.soft=300 time.hard=3600

# configuration db, we define a separate RootDN and passwd, use this one to change the config
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=Manager,cn=config
# generate a password by running slappasswd
olcMonitoring: FALSE
olcAccess: to * by * none
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcAccess: to dn.subtree="cn=monitor"
  by dn.exact="cn=Manager,cn=config" read
  by dn.exact="cn=Manager,dc=example,dc=com" read
  by * none
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcMonitoring: TRUE
olcDbMaxSize: 42949672960
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=example,dc=com
# generate a password by running slappasswd
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq

# Tuning, not sure what these do maybe test them
#olcDbConfig: set_cachesize 0 2097152 0
#olcDbConfig: set_lk_max_objects 1500
#olcDbConfig: set_lk_max_locks 1500
#olcDbConfig: set_lk_max_lockers 1500
#olcLastMod: TRUE
#olcMonitoring: TRUE
#olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword
   by self write
   by anonymous auth
   by dn.base="cn=Manager,dc=example,dc=com" write
   by * none
olcAccess: to attrs=shadowLastChange
   by self write
   by * read
olcAccess: to *
   by dn.exact="cn=Manager,dc=example,dc=com" write
   by * read
Now add it to the configuration:

cat main.ldif | slapadd -v -F /etc/openldap/slapd.d -n 0

Start the server:

systemctl start slapd

Add a root object:

ldapadd -h localhost -D "cn=Manager,dc=example,dc=com" -w YOURPASSWORDHERE <<EOF
dn: dc=example,dc=com
objectClass: dcobject
o: Your organization's name

You should now install phpldapadmin or a client of your liking to add more data. A note for phpldapadmin, if you want to connect as the manager you should edit the configuration (/usr/share/phpldapadmin/config/config.php) and make sure


is set. The default seems to be 'uid' which does not work with our manager definition.

To add to the configuration, for instance to define a custom object, attributes and so on you should use an LDAP client,  with the base dn cn=config and the user/pass combination specified for the config database, in our example user name is  cn=Manager,cn=config.

Useful links (somewhat contradicted info though):
  1. http://www.server-world.info/en/note?os=CentOS_7&p=openldap 
  2. http://www.nies.ch/doc/openldap-replication.en.php 
  3. Fixes for the OpenLDAP example config and deployment tips
  4. Admin Guide (clearly not uptodate, still useful though)
Post a Comment