This blog posting is a part of a series of blog postings:

The OpenLDAP packages in Ubuntu have seen quite a bit of changes over the past few years. The packaging has changed the configuration file format to the new config backend and there’s no directory initialization in the package scripts anymore. This means that when the slapd package is installed, it doesn’t ask for basic directory information anymore, but one needs to do full configuration himself.

I documented the setup that I made on Ubuntu 10.04 alpha 2 to get OpenLDAP working in different configurations.

The goal of this setup is to have OpenLDAP running so that users can authenticate to it using pam-ldap and nss-ldap can get user and group information.

The following documents were used when testing this:

Server setup

On the server the following packages are needed:

sudo apt-get install slapd ldap-utils

After installing the packages the following files are present under /etc/ldap/slapd.d:

/etc/ldap/slapd.d/
/etc/ldap/slapd.d/cn=config
/etc/ldap/slapd.d/cn=config/cn=schema
/etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
/etc/ldap/slapd.d/cn=config/cn=schema.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
/etc/ldap/slapd.d/cn=config.ldif

The schemas need to be loaded in the server as by default there are none:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif

To create the actual database that stores the entries in the directory, one needs to create an ldif file. In this example we use dc=edu,dc=example,dc=org as the directory suffix and place the database under /var/lib/ldap/.

create_database.ldif:

# Load hdb backend module
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb

# Create the hdb database and place the files under /var/lib/ldap
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=edu,dc=example,dc=org
olcRootDN: uid=admin,ou=People,dc=edu,dc=example,dc=org
olcRootPW: example
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq

ldapadd is used to modify the cn=config entries:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f create_database.ldif

Next the new database needs to be populated with ou=People and ou=Groups to hold hold the user and group information.

init_database.ldif

dn: dc=edu,dc=example,dc=org
objectClass: dcObject
objectclass: organization
o: edu.example.org
dc: edu
description: LDAP root

dn: ou=People,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=edu,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups

Use ldapadd to apply init_database.ldif:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f init_database.ldif

Finally modify the ACL to limit access to the database. Here we allow anonymous access to read the directory:

acls.ldif:

dn: olcDatabase={1}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="uid=admin,ou=People,dc=edu,dc=example,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.subtree="" by * read
olcAccess: {2}to * by dn="uid=admin,ou=People,dc=edu,dc=example,dc=org" write by * read

Modify the database:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acls.ldif

The following commands can be useful while configuring and debugging:

# Show the current configuration:
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

# Show the current data in the directory as anonymous user:
ldapsearch -x -h localhost -b dc=edu,dc=example,dc=org

# Dump the database with metadata:
sudo slapcat

Once the server responds to queries, it’s time to configure the client.

Client setup

The client setup uses the new nss-ldapd and pam-ldapd modules that provide local daemon functionality:

sudo apt-get install libnss-ldapd libpam-ldapd

During installation select ldap for the following nss services:

  • group
  • passwd

This configured /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf automatically to work correctly.

To add some test users we can use ldapscripts package. The installation can be done either on the ldap server or on a remote server as the scripts connect to the server specified in the configuration file. After installing the ldapscripts package one needs to configure it.

/etc/ldapscripts/ldapscripts.conf:

SERVER="ldap://localhost"
BINDDN="uid=admin,ou=People,dc=edu,dc=example,dc=org"
BINDPWD="example"
SUFFIX="dc=edu,dc=example,dc=org" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=People"         # Users ou (just under $SUFFIX)

Adding users with ldapadduser may take time if machine random number entropy
pool is low. To use pseudo-random number generation (with weaker passwords),
you may also change:

PASSWORDGEN="cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"

Creating groups and users and changing passwords can be done with simple commands:

sudo ldapaddgroup testgroup
sudo ldapadduser testuser testgroup
sudo ldapsetpasswd testuser

To test that everything works correctly, let’s try getent and logins:

getent passwd
getent group

ssh testuser@localhost

And everything seems to work as planned. Great! The setup is still lacking encryption and other features that need to be added next. The next steps are to get tls working and get kerberos+samba+autofs to use the ldap installation.

Veli-Matti Lintu