Basic OpenLDAP Installation & Configuration - Acidx's Blog
LDAP stands for Lightweight Directory Access Protocol and is based on the X.500 standard, which defines the structure of directory services. The primary use of directory services is storing user and object data in a central system and making this data available to other applications (often for authentication or as an address book). In contrast to relational database management systems (RDBMS), directory services are specifically optimized for read access.

The directory is built as a tree structure. The whole tree is referred to as the DIT (Directory Information Tree). At the very top of this tree is the (invisible) RootDSE, which is the Directory Service Entry point. Then follows a BaseDN (Base Distinguished Name) that looks like a domain name and can consist of multiple components (e.g. dc=example,dc=com). But in contrast to domain names (e.g. example.com), an LDAP DN has to be spelled in attribute/value pairs (attribute1=value1,…,attributeN=valueN). Beneath the BaseDN any desired structure of OUs (Organizational Units) can be created to represent the company structure. At the very bottom are the actual resources (persons, user/service accounts or any other objects) with their properties.
The OpenLDAP daemon (server) is not configured through a classic config file; the configuration is stored in the
directory itself. Changes to the configuration, the tree structure or objects are described in LDIF files (LDAP
Data Interchange Format) and then added to the directory.
2. OpenLDAP Installation
Become root, update the software repository and upgrade your system:
sudo -i
apt-get update
apt-get upgrade
Install the OpenLDAP daemon (slapd) and the LDAP configuration tools (ldap-utils). During installation you’ll
have to define a password for the LDAP Administrator account. Then check if slapd is running:
Basic OpenLDAP Installation & Configuration | Acidx's Blog http://acidx.net/wordpress/2014/04/basic-openldap-installation-co...
The configuration can be found in /etc/ldap. Here’s a short explanation of the existing files/folders:
The actual database, that is automatically built from this configuration, is stored in /var/lib/ldap.
Now that slapd is running, you can set up your own directory. This can be done by hand (writing and importing
LDIF files) or, on Ubuntu, with the Debian package manager (dpkg). I like it simple, so I'm going to choose the
second option. This however should only be used for a first-time setup.
dpkg-reconfigure slapd
5. A First Test
This query should return two DNs: your directory (dc=example,dc=com) and your admin account
(cn=admin,dc=example,dc=com).
If you don’t want to type the user DN and the search base for every query, you can put these into ~/.ldaprc:
BASE dc=example,dc=com
BINDDN cn=admin,dc=example,dc=com
ldapsearch -x -W -LLL
6. Directory Modification
There are three ways to make changes and add entries to the directory:
Using the ldap-utils is probably the best way, especially for script and batch operations (see chapter 12 & 13 for
a quick overview). To get started, I’m going to use a graphical interface.
Create a new connection in the connection window (bottom left corner) using the following parameters:
Optionally create a second connection for the cn=config tree (only works after step 9):
To connect to and make changes in cn=config (which contains the LDAP configuration), an admin user and
password have to be created. This can be done with an LDIF file (/etc/ldap/own_ldifs/configroot.ldif):
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}juW1dDVtEV+KTwp5a6nTUO3GBs16mdAg
The password can be generated with slappasswd. Then import the LDIF as follows:
Go into the schema directory and add your custom schema (in this case the postfix-book.schema):
cd /etc/ldap/schema
wget http://www.postfix-buch.com/download/postfix-book.schema.gz
gunzip postfix-book.schema.gz
To load a schema with ldapadd, it has to be in LDIF format, so it must be converted first. The conversion can
be done with slapcat. You’ll need a config file and an output directory:
cd /etc/ldap/schema
mkdir ldif_output
touch schema_convert.conf
The schema_convert.conf file contains the schema to be converted (and any dependencies):
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/postfix-book.schema
cp /etc/ldap/schema/ldif_output/cn\=config/cn\=schema/cn\=\{4\}postfix-book.ldif /etc/ldap/schema/postfix-book.ldif
dn: cn=postfix-book,cn=schema,cn=config
cn: postfix-book
Remove the metadata starting from structuralObjectClass
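The manual cleanup just described (set the dn to cn=postfix-book,cn=schema,cn=config, set cn to postfix-book, drop the metadata from structuralObjectClass onward) as an added Python example; it is not part of the original article. The input below is a constructed stand-in for the file slapcat writes, with placeholder OIDs and operational values.

```python
from typing import List

# Constructed stand-in for the cn={4}postfix-book.ldif that slapcat writes: indexed dn
# and cn, folded schema lines, then slapd's own metadata. OIDs/values are placeholders.
SLAPCAT_OUTPUT = """\
dn: cn={4}postfix-book,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}postfix-book
olcAttributeTypes: {0}( 1.3.6.1.4.1.PLACEHOLDER.1 NAME 'mailHomeDirectory' DESC 'Maild
 ir home' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALU
 E )
olcObjectClasses: {0}( 1.3.6.1.4.1.PLACEHOLDER.2 NAME 'PostfixBookMailAccount' SUP to
 p AUXILIARY MAY ( mailHomeDirectory ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20140401000000Z
modifyTimestamp: 20140401000000Z
"""

# Operational attributes slapd maintains itself; ldapadd rejects an LDIF that sets them.
OPERATIONAL = {"structuralObjectClass", "entryUUID", "creatorsName", "createTimestamp",
               "entryCSN", "modifiersName", "modifyTimestamp"}

def unfold(ldif: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) back onto their attribute line."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def clean_schema_ldif(ldif: str, schema_name: str) -> str:
    """Rewrite dn and cn to the unindexed schema name and drop the operational metadata."""
    out: List[str] = []
    for line in unfold(ldif):
        attr = line.partition(":")[0]
        if attr == "dn":
            out.append(f"dn: cn={schema_name},cn=schema,cn=config")
        elif attr == "cn":
            out.append(f"cn: {schema_name}")
        elif attr not in OPERATIONAL:  # keep objectClass and the schema definitions
            out.append(line)
    return "\n".join(out) + "\n"
```

The result is what ldapadd expects for a new schema entry; the {0} indices on olcAttributeTypes and olcObjectClasses are legitimate and stay.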
11. Security
To control directory access (who may access which parts of the directory?), ACLs can be created in the
cn=config tree (see steps 8 and 9 on how to connect to it). ACLs are saved under olcDatabase={1}hdb in
the olcAccess attribute (there can be more than one of those). The following screenshot shows an "allow
everything" ACL, which will allow anyone write access to the whole directory:
{1}to dn.subtree="dc=example,dc=com"
  by self read
  by dn.base="cn=admin,dc=example,dc=com" write
  by dn.children="ou=services,dc=example,dc=com" read
  by * none
dn: ou=people,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: people
Create a userimport.ldif with the following content to add a single user (the value for userPassword can be
generated with slappasswd):
# Some User
dn: uniqueIdentifier=some.user,ou=people,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: PostfixBookMailAccount
objectClass: extensibleObject
cn: Some User
givenName: User
mail: some.user@example.com
mailEnabled: TRUE
mailGidNumber: 5000
mailHomeDirectory: /srv/vmail/some.user@example.com
mailQuota: 10240
mailStorageDirectory: maildir:/srv/vmail/some.user@example.com/Maildir
mailUidNumber: 5000
sn: Some
uniqueIdentifier: some.user
userPassword: {SSHA}Ifz0oceGr1wwBP1BtBduPLTVbo6A2Qkd
Create a pwreset.ldif with the following content to reset the password of a user account (the value for
userPassword can be generated with slappasswd):
dn: uniqueIdentifier=alice,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}Rs60p+2QKxAFRnA6vtWV71SI6Jz57CDF
I am trying to setup Postfix to work with OpenLDAP. So first I would like LDAP to work correctly. I followed your
article here (without the web interface part) and I am stuck when trying to add a user.
It lists:
dn: dc=myDomain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: myDomain.com
dc: myDomain
dn: cn=admin,dc=myDomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: superHash=
Successfully imported!
dn: uniqueIdentifier=frank,ou=people,dc=myDomain,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: PostfixBookMailAccount
objectClass: extensibleObject
cn: Frank Moses
givenName: Frank Moses
mail: frank@myDomain.com
mailEnabled: TRUE
mailGidNumber: 5000
mailHomeDirectory: /my/mailbox/frank@myDomain.com
mailQuota: 10240
mailStorageDirectory: maildir:/my/mailbox/frank@myDomain.com
mailUidNumber: 5000
sn: Some
uniqueIdentifier: frank
userPassword: {MD5}mysuperpasswordhash==
I don’t know why it doesn’t work, but I think that I am making a mistake with the OU or a CN somewhere…
I just noticed that I did not mention to create the OU “people”. Is it possible that you don’t have this? I created
it within the graphical editor.
Hi,
Well that’s what I thought, but I can’t find the exact content of the ldif file to add the people OU. As I want to
do this all by hand (to make scripts later on) I avoid using an interface.
Do you have any idea? (I am searching already, but if you have the correct answer it is much better.)
Thank you
dn: ou=people,dc=myDomain,dc=com
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: people
Hi,
Yes, I had created such an OU file, but when I tried to import it with:
ldapadd -x -W -D cn=admin,cn=config -f /etc/ldap/LDIF/peopleOuAdd.ldif
I stumbled upon this error that seems to be linked to my permissions (as cn=admin,cn=config):
Do you have any idea about what I am doing wrong ? Because this OU is new, it does not depend on another
particular tree, I don’t get why I have this error.
Thanks
Hi,
There might be something wrong with your ACL (olcAccess in config tree).
Regarding your previous message, which user should be able to query information on "ou=people,dc=acs-tmp,dc=com"?
Because admin has (for sure) all rights. Example of query for user f.moses:
ldapsearch -W -D "cn=admin,dc=myDomain,dc=com" -b "ou=people,dc=myDomain,dc=com" -P 3 -LLL "(&(mail=f.moses@myDomain.com)(mailEnabled=TRUE))"
But for security reasons, I see that in your postfix conf file (ldap_virtual_recipients.cf) you use a user
"uid=postfix,ou=services,dc=myDomain,dc=com" to do the queries.
Did you create that user? Because I saw that in your ACL you authorize "ou=services,dc=example,dc=com" to
read.
I applied the ACLs, but if I want to run a read/write test I then have no idea about the
"uid=postfix,ou=services,dc=myDomain,dc=com" user's credentials…
In fact I found out that you created an OU "services" and some users "postfix", "dovecot" etc…
Do you have the exact structure of the OU and users?
Here are two screenshots showing the structure of my OUs and users:
http://acidx.net/wordpress/wp-content/uploads/2014/06/mailserver_ldap_config_01.png
http://acidx.net/wordpress/wp-content/uploads/2014/06/mailserver_ldap_config_02.png
I created those extra users in the service OU (postfix, dovecot, …) so that I don’t have to use the admin
credentials in any config files of Postfix and Dovecot. Also, those users only get read access, which allows them
to perform lookup queries but doesn’t allow them to change anything.
With the admin user you should be able to add OUs and users since the admin has write access. You should
try the "allow everything" ACL ("{0}to * by * write") to see if it works at all. If it does work with this, there is
definitely something wrong with your current ACL.
Great!
dn: ou=services,dc=myDomain,dc=com
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: services
dn: uid=postfix,ou=services,dc=myDomain,dc=com
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: postfix
userPassword: HASH==
And then an ACL ldif file (to allow write only to admin, read only to “services” and nothing for others) with:
With previous LDIF files everything is fine, just like in your example.
Maybe you can add it to your topic for people trying to do it by hand… 😉
MFG,
[GvD]
Thanks for the feedback! I’ll try to add that information to the article some time.
By the way: please be aware that this example doesn't use TLS encryption. This means that LDAP queries
(including passwords) and replies are transferred in cleartext.
Hi,
You are welcome! Yes, I know, I will add it soon and send you the steps to follow to secure the services' LDAP
exchanges (if you want to add them).
Best regards,
[GvD]
Hi,
I have a little change regarding the ACL LDIF file I gave previously. In fact, using the one I sent will cause the
LDAP server trouble (non-admins lose all rights).
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="dc=myDomain,dc=com" attrs=userPassword
  by self write
  by dn.base="cn=admin,dc=myDomain,dc=com" write
  by dn.children="ou=services,dc=myDomain,dc=com" read
  by anonymous auth
  by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=myDomain,dc=com" write
  by * none
olcAccess: {2}to dn.subtree="dc=myDomain,dc=com"
  by self read
  by dn.base="cn=admin,dc=myDomain,dc=com" write
  by dn.children="ou=services,dc=myDomain,dc=com" read
  by * none
olcAccess: {3}to dn.base="" by * none
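An added example, written for this page and not taken from the article or its commenters, that models how slapd evaluates the olcAccess rules shown in the Security section and in the corrected ACL above: the first <to> clause matching the target entry and attribute is used, within it the first matching <by> clause decides, and anything unmatched is denied. It only models the dn.base/dn.children/dn.subtree/dn= styles and the self/anonymous/users/* identities that appear on this page, compares DNs case-insensitively, and does not special-case the rootdn.

```python
# Minimal model of how slapd evaluates olcAccess: the first <to> clause matching the
# target is used and its first matching <by> clause decides; anything else is denied.
# Added example, not OpenLDAP code: DNs compared case-insensitively, rootdn not modelled.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_rule(text):
    """'{n}to [dn.<style>=<dn>] [attrs=a,b] by <who> <level> ...' -> (dn_spec, attrs, bys)."""
    toks = text.replace('"', "").split()
    first_by = toks.index("by")
    what = [t for t in toks[1:first_by] if not t.startswith("attrs=")] or ["*"]
    attrs = [set(t[6:].split(",")) for t in toks[1:first_by] if t.startswith("attrs=")]
    bys = [(toks[i + 1], toks[i + 2]) for i in range(first_by, len(toks), 3)]
    return what[0], attrs[0] if attrs else None, bys

def dn_matches(spec, target):
    """spec is '*' or '<style>=<dn>' with style dn.base, dn.children or dn.subtree."""
    if spec == "*":
        return True
    style, _, base = spec.lower().partition("=")
    target = target.lower()
    exact, below = target == base, target.endswith("," + base)
    return {"dn.base": exact, "dn.children": below, "dn.subtree": exact or below}[style]

def who_matches(who, requester, target):
    """<by> identity: *, anonymous, users, self, dn=<exact dn> or a dn.<style>=<dn> spec."""
    if who in ("*", "anonymous", "users"):
        return who == "*" or (requester == "") == (who == "anonymous")
    if who == "self":
        return requester != "" and requester.lower() == target.lower()
    if who.startswith("dn="):
        return requester.lower() == who[3:].lower()
    return requester != "" and dn_matches(who, requester)

def access(rules, requester, target, attr, wanted):
    """True if the first <to> matching (target, attr) grants requester at least `wanted`."""
    for what, attrs, bys in rules:
        if dn_matches(what, target) and (not attrs or attr in attrs):
            for who, level in bys:
                if who_matches(who, requester, target):
                    return LEVELS.index(level) >= LEVELS.index(wanted)
            return False  # <to> matched but no <by> did: implicit "by * none"
    return False  # no <to> matched at all: denied
# The corrected ACL from the comment above, in its myDomain form.
RULES = [parse_rule(r) for r in (
    '{0}to dn.subtree="dc=myDomain,dc=com" attrs=userPassword by self write by dn.base='
    '"cn=admin,dc=myDomain,dc=com" write by dn.children="ou=services,dc=myDomain,dc=com" read by anonymous auth by * none',
    '{1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=myDomain,dc=com" write by * none',
    '{2}to dn.subtree="dc=myDomain,dc=com" by self read by dn.base="cn=admin,dc=myDomain,dc=com" write '
    'by dn.children="ou=services,dc=myDomain,dc=com" read by * none',
    '{3}to dn.base="" by * none',
)]
```

Running access(RULES, "", "uniqueIdentifier=frank,ou=people,dc=myDomain,dc=com", "userPassword", "auth") returns True while the same call with "read" returns False, which is the intended anonymous-bind behaviour; the same evaluator also shows that rule {0} gives the accounts under ou=services read access to userPassword hashes, not only to the mail attributes.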
Hi,
I get an error when I try to add a user with your suggested code in userimport.ldif.
The error message is “warning according to the schema attribute uniqueidentifier is not allowed”
Thanks
Hi, I’m not sure about this but it might be due to a broken schema/database. uniqueIdentifier should be
available through the extensibleObject auxiliary class.
Hi, I'm following this tutorial as part of your email tutorial. I've installed an LDAP server before, but without SASL.
When I tried to add the configroot.ldif file after changing the password I get this…
ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info:
SASL(-4): no mechanism available:
I am ssh'd in from another machine on my LAN. I tried using just ldap:/// and not ldapi:/// since that is how I ran
dpkg-reconfigure.
Any ideas?
Hello dividschmivid,
admittedly I don’t entirely understand that whole ldap/ldapi/sasl part, but I think the problem might be that
ldapadd -Y EXTERNAL -H ldapi:/// -f configroot.ldif
is not executed as root. I have changed the corresponding part in section 9. There is now a sudo in front of
that command.
Hi thank you very much for this tutorial! It helped a lot. I just wanted to ask if you might know how to activate
ldaps and deactivate ldap unencrypted. I have searched some tutorials and tried them, but did not get very far.
Maybe you could also point me in a direction where I could find something.
Thanks in advance,
Mohammed Ajil
Hi, sorry, I can't help with the configuration of ldaps. Haven't implemented that yet.