Tuesday, March 3, 2015

Openldap 2.4 on Centos 7 using mdb

It is a bit confusing to set up, especially for people used to the older slapd.conf. That file is no longer used: do not try to set it, it will be ignored.

My setup uses the new back-end mdb.

The very basics are to install the server and client packages (yum install openldap openldap-clients).

Configuration is stored under /etc/openldap/slapd.d/. You can view the contents but do not edit the files directly.

Remove the default configuration:

rm -rf /etc/openldap/slapd.d/*

Create a file for the initial configuration, let's say main.ldif:

#global configuration
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
structuralObjectClass: olcGlobal
entryUUID: 0ca4a796-53e8-1034-90ac-5fa43e938d62
creatorsName: cn=config
createTimestamp: 20150228225117Z
entryCSN: 20150228225117.358858Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150228225117Z


# Load the mdb backend
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_mdb


# Load external definitions
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema


# You may want to add more, make sure to satisfy any dependencies though
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/openldap.ldif


# front end db
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to * by * read
olcSizelimit: size.soft=10000 size.hard=1000000
olcTimelimit: time.soft=300 time.hard=3600


# configuration db, we define a separate RootDN and passwd, use this one to change the config
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=Manager,cn=config
# generate a password by running slappasswd
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXX
olcMonitoring: FALSE
olcAccess: to * by * none

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcAccess: to dn.subtree="cn=monitor"
  by dn.exact="cn=Manager,cn=config" read
  by dn.exact="cn=Manager,dc=example,dc=com" read
  by * none

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcMonitoring: TRUE
olcDbMaxSize: 42949672960
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=example,dc=com
# generate a password by running slappasswd
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXX
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
# Tuning, untested. The olcDbConfig set_* lines below are BDB/HDB settings that mdb does not use.
#olcDbConfig: set_cachesize 0 2097152 0
#olcDbConfig: set_lk_max_objects 1500
#olcDbConfig: set_lk_max_locks 1500
#olcDbConfig: set_lk_max_lockers 1500
#olcLastMod: TRUE
#olcMonitoring: TRUE
#olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword
   by self write
   by anonymous auth
   by dn.base="cn=Manager,dc=example,dc=com" write
   by * none
olcAccess: to attrs=shadowLastChange
   by self write
   by * read
olcAccess: to *
   by dn.exact="cn=Manager,dc=example,dc=com" write
   by * read

Now add it to the configuration:

cat main.ldif | slapadd -v -F /etc/openldap/slapd.d -n 0

Start the server:

systemctl start slapd

Add a root object:

ldapadd -h localhost -D "cn=Manager,dc=example,dc=com" -w YOURPASSWORDHERE <<EOF
dn: dc=example,dc=com
objectClass: top
objectClass: organization
objectClass: dcObject
# dcObject requires the dc attribute, and its value must match the RDN
dc: example
o: Your organization's name
EOF
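As an added example that is not part of the original post: a small POSIX shell lint, built on awk, that catches the paste errors discussed in the comments (a second dn: line inside one record, which slapadd reports as "str2entry: entry -1 has multiple DNs", an un-indented ACL continuation line, and an attribute stranded after a stray blank line) before the file is fed to slapadd. The sample LDIF inside it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: lint a cn=config LDIF for the
# blog-markup paste errors before running slapadd on it.
# Reads LDIF on stdin, prints one diagnostic per problem, exits 1 if any.
lint_ldif() {
  awk '
    BEGIN               { bad = 0 }
    /^#/                { next }               # comment lines never end a record
    /^[ \t]*$/          { have_dn = 0; next }  # a blank line ends the record
    /^include:/         { next }               # slapd.ldif directive, not an attribute
    /^dn:/ {
      # two dn: lines without a blank line between them -> "multiple DNs"
      if (have_dn) { printf "line %d: dn inside an open record (missing blank line): %s\n", NR, $0; bad = 1 }
      have_dn = 1; next
    }
    /^ /                { next }               # leading space = LDIF continuation line
    /^by[ \t]/ {
      # "by ..." at column 0 is read as an attribute named "by", not as part of olcAccess
      printf "line %d: ACL continuation line is not indented: %s\n", NR, $0; bad = 1; next
    }
    {
      # any other attribute line must belong to a record that already has a dn
      if (!have_dn) { printf "line %d: attribute outside an entry (stray blank line above?): %s\n", NR, $0; bad = 1 }
    }
    END { exit bad }
  '
}

# Constructed sample that follows the LDIF rules: blank line between entries,
# olcAccess continuation lines indented with a space.
good_ldif() {
  printf '%s\n' \
    'dn: cn=config' 'objectClass: olcGlobal' 'cn: config' '' \
    'dn: olcDatabase=mdb,cn=config' 'objectClass: olcMdbConfig' \
    'olcAccess: to attrs=userPassword' '  by self write' '  by * none'
}

# Constructed sample with the three paste errors: no blank line before the
# second dn, an un-indented "by" line, and a blank line inside an entry.
bad_ldif() {
  printf '%s\n' \
    'dn: olcDatabase=config,cn=config' 'olcAccess: to * by * none' \
    'dn: olcDatabase=monitor,cn=config' 'olcAccess: to dn.subtree="cn=monitor"' \
    'by * none' '' '# the blank line above ended the record' 'olcDbIndex: uid pres,eq'
}

# Stand-alone run: lint both samples (the second one is expected to fail).
good_ldif | lint_ldif && echo "good sample: clean"
bad_ldif | lint_ldif || echo "bad sample: problems reported above"
```

Run it as `lint_ldif < main.ldif` before slapadd; once the directory is populated, slaptest -F /etc/openldap/slapd.d checks the resulting configuration.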

You should now install phpldapadmin or a client of your liking to add more data. A note for phpldapadmin: if you want to connect as the manager, edit the configuration (/usr/share/phpldapadmin/config/config.php) and make sure

$servers->setValue('login','attr','dn');

is set. The default seems to be 'uid' which does not work with our manager definition.

To add to the configuration, for instance to define a custom object class or attributes, use an LDAP client with the base DN cn=config and the user/password combination specified for the config database; in our example the user name is cn=Manager,cn=config.

Useful links (with somewhat contradictory information, though):
  1. http://www.server-world.info/en/note?os=CentOS_7&p=openldap
  2. http://www.nies.ch/doc/openldap-replication.en.php
  3. Fixes for the OpenLDAP example config and deployment tips
  4. Admin Guide (clearly not up to date, still useful though)

6 comments:

Unknown said...

Hello,
Can you help me with why I got this error when I try to import it?

[root@localhost ~]# cat main.ldif | slapadd -v -F /etc/openldap/slapd.d -n 0
5cbb8639 str2entry: entry -1 has multiple DNs "cn=config" and "cn=module,cn=config"
slapadd: could not parse entry (line=1)

Anonymous said...

I'm having the problem. I came here because I wanted to use the MDB Backend.

Panos said...

Hey all, sorry, this is a kind of old article; you should really check the OpenLdap docs for newer versions. For the issue you have, it sounds like you are not running rm -rf /etc/openldap/slapd.d/* each time you cat the ldif.

Anonymous said...

Actually, I just used this article to guide me on a setup. I got the same error and found that there are some cut-and-paste formatting errors. There must be a blank line between dn's in the ldif. Also, I think there were some hidden characters.

This loads for me, without error. Also, slapd sometimes won't start under systemd, throwing a bind error on the ldapi socket. It'll run just fine from the command line, but systemd screws it up. I've fixed that by cleaning everything out of /tmp and rebooting. There's a stray socket file lying around someplace. Haven't looked in detail for it.


# https://blog.roeften.com/2015/03/openldap-24-on-centos-7-using-mdb.html
# slapadd -v -F /etc/openldap/slapd.d -n 0 -l slapd.ldif

#global configuration
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
# You *need* olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCACertificateFile: /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem
structuralObjectClass: olcGlobal

# Load the mdb backend
# back_mdb is built-in
# slapd -VVV will show built-in modules.
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib64/openldap
#olcModuleload: back_mdb

# Load external definitions
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

# You may want to add more, make sure to satisfy any dependencies though
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/openldap.ldif

# front end db
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to * by * read
olcSizelimit: size.soft=10000 size.hard=1000000
olcTimelimit: time.soft=300 time.hard=3600

# configuration db, we define a separate RootDN and passwd, use this one to change the config
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=Manager,cn=config
# generate a password by running slappasswd
olcRootPW: {SSHA}ZWijrBYJXnotarealpasswdIlfoZgIzI
olcMonitoring: FALSE
olcAccess: to * by * none

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcAccess: to dn.subtree="cn=monitor"
  by dn.exact="cn=Manager,cn=config" read
  by dn.exact="cn=Manager,dc=mydomain" read
  by * none

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcMonitoring: TRUE
# In bytes. Needs to be enough room on disk to back this.
olcDbMaxSize: 5368709120
olcSuffix: dc=mydomain
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=mydomain
# generate a password by running slappasswd
olcRootPW: {SSHA}uQk4notarealpasswd4KQtY2xkqq7
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
# Tuning, not sure what these do maybe test them
#olcDbConfig: set_cachesize 0 2097152 0
#olcDbConfig: set_lk_max_objects 1500
#olcDbConfig: set_lk_max_locks 1500
#olcDbConfig: set_lk_max_lockers 1500
#olcLastMod: TRUE
#olcMonitoring: TRUE
#olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=mydomain" write
  by * none
olcAccess: to attrs=shadowLastChange
  by self write
  by * read
olcAccess: to *
  by dn.exact="cn=Manager,dc=mydomain" write
  by * read

Panos said...

You are right, there are some formatting errors due to the blog markup + me being lazy.

Ashlee said...

This is a great post