Thursday, December 23, 2010

Debian OpenLDAP

OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP).

Install OpenLDAP Server

  1. Ensure the host name is a FQDN (the slapd package derives the default directory suffix, dc=dev,dc=local here, from the domain part of the host name at installation time, so a bare host name gives you the wrong suffix):
    ldap1:~# hostname 
    ldap1.dev.local
    
    If it is not, set it before installing slapd:
    echo "ldap1.dev.local" > /etc/hostname
    hostname -F /etc/hostname
    
  2. Install the necessary packages (during the package configuration phase set the admin password and accept all other defaults):
    apt-get -y install rsyslog slapd ldap-utils
    
  3. Set up system-wide defaults for LDAP clients (file /etc/ldap/ldap.conf); BASE is the default search base and URI the server the client tools connect to:
    BASE    dc=dev,dc=local
    URI     ldap://ldap1.dev.local
    
  4. Disable IPv6 support for slapd (file /etc/default/slapd):
    # Additional options to pass to slapd
    SLAPD_OPTIONS="-4"
    
    Restart slapd:
    /etc/init.d/slapd restart
    netstat -tunlp | grep slapd
    
    Output:
    tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1557/slapd
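
The host name check from step 1 and the suffix it determines, as an added shell example that is not part of the original post. It assumes the Debian behaviour described above (default suffix = domain part of the FQDN as dc= components); the function names and the check_host wrapper are this example's own. With no argument it checks the machine it runs on, otherwise the name given:

```shell
#!/bin/sh
# Added example: check that a host name is a FQDN and show the directory suffix
# Debian's slapd package would derive from it (assumption: suffix = domain part
# of the FQDN as dc= components, e.g. ldap1.dev.local -> dc=dev,dc=local).

# is_fqdn NAME: succeed only for host.domain.tld style names with valid labels
is_fqdn() {
    case "$1" in
        ''|.*|*.|*..*) return 1 ;;        # empty, leading/trailing dot, empty label
        *[!A-Za-z0-9.-]*) return 1 ;;     # characters outside a-z 0-9 . -
        *.*) return 0 ;;                  # at least two labels: qualified
        *) return 1 ;;                    # single label such as "ldap1"
    esac
}

# base_dn_from_host NAME: print the suffix slapd would get from NAME's domain
base_dn_from_host() {
    is_fqdn "$1" || return 1
    domain="${1#*.}"                      # drop the host label: dev.local
    printf '%s\n' "$domain" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        printf "\n"
    }'
}

# check_host NAME: human-readable verdict; exit status 0 only for a usable FQDN
check_host() {
    if base="$(base_dn_from_host "$1")"; then
        echo "OK: $1 is a FQDN; slapd would install with suffix $base"
        return 0
    fi
    echo "NOT a FQDN: '$1'. Fix it before installing slapd, e.g.:" >&2
    echo "  echo \"ldap1.dev.local\" > /etc/hostname && hostname -F /etc/hostname" >&2
    return 1
}

# Report on the name given as first argument, or on this machine's host name
# (hostname may be absent in minimal containers, hence the fallback).
check_host "${1:-$(hostname 2>/dev/null || echo unknown)}"
```

Run it before step 2; if it reports the wrong suffix, fix /etc/hostname first, because changing the suffix after slapd is installed means reconfiguring the package (dpkg-reconfigure slapd) and reloading the data.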
    

Logging

  1. Create a file that enables LDAP logging (file log-stats.ldif):
    # Enable LDAP logging
    dn: cn=config
    changetype: modify
    replace: olcLogLevel
    olcLogLevel: stats
    
  2. ... and one that disables it again (file log-none.ldif):
    # Disable LDAP logging
    dn: cn=config
    changetype: modify
    replace: olcLogLevel
    olcLogLevel: none
    
  3. And here is the command that applies one of them (changes take effect immediately, no need to restart slapd). It authenticates with SASL EXTERNAL over the local ldapi:/// socket, which Debian's default cn=config ACL maps to the system root user, so run it as root:
    ldapmodify -QY EXTERNAL -H ldapi:/// -f log-stats.ldif
    
    The stats level records every connection, operation and result, including bind DNs (never passwords), and slapd sends it to syslog (facility LOCAL4 by default), so a syslog daemon such as the rsyslog installed above must be running for it to land in /var/log/syslog. Note that none is not the same as 0: it still logs the messages slapd emits regardless of level.
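
A small detection pass over stats output, as an added example that is not part of the original post: it correlates the ACCEPT, BIND and RESULT lines of each connection to count invalidCredentials (err=49) bind failures per client address and bind DN, which is the first thing to look at when someone is guessing the admin password. The log lines embedded in the script are constructed in the stats format for this example, not captured from a real server; the field layout assumed (conn=, IP=addr:port, dn="...", tag=97 err=49) is slapd's, and addresses are assumed to be IPv4, matching the -4 option set above:

```shell
#!/bin/sh
# Added example: count failed simple binds per client and bind DN from slapd
# "stats" log lines as delivered by syslog. The sample below is constructed
# for this example (not captured from a real server); the field layout is the
# one slapd uses at loglevel stats. IPv4 only (the server above runs with -4).
SAMPLE_LOG='Dec 23 10:00:01 ldap1 slapd[1557]: conn=1000 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Dec 23 10:00:01 ldap1 slapd[1557]: conn=1000 op=0 BIND dn="cn=admin,dc=dev,dc=local" method=128
Dec 23 10:00:01 ldap1 slapd[1557]: conn=1000 op=0 RESULT tag=97 err=49 text=
Dec 23 10:00:02 ldap1 slapd[1557]: conn=1000 fd=12 closed
Dec 23 10:00:03 ldap1 slapd[1557]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51240 (IP=0.0.0.0:389)
Dec 23 10:00:03 ldap1 slapd[1557]: conn=1001 op=0 BIND dn="cn=admin,dc=dev,dc=local" method=128
Dec 23 10:00:03 ldap1 slapd[1557]: conn=1001 op=0 RESULT tag=97 err=49 text=
Dec 23 10:00:04 ldap1 slapd[1557]: conn=1002 fd=13 ACCEPT from IP=10.0.0.9:40001 (IP=0.0.0.0:389)
Dec 23 10:00:04 ldap1 slapd[1557]: conn=1002 op=0 BIND dn="cn=admin,dc=dev,dc=local" method=128
Dec 23 10:00:04 ldap1 slapd[1557]: conn=1002 op=0 BIND dn="cn=admin,dc=dev,dc=local" mech=SIMPLE ssf=0
Dec 23 10:00:04 ldap1 slapd[1557]: conn=1002 op=0 RESULT tag=97 err=0 text=
Dec 23 10:00:04 ldap1 slapd[1557]: conn=1002 op=1 SRCH base="dc=dev,dc=local" scope=2 deref=0 filter="(ou=people)"
Dec 23 10:00:04 ldap1 slapd[1557]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 23 10:00:05 ldap1 slapd[1557]: conn=1003 fd=14 ACCEPT from IP=10.0.0.5:51250 (IP=0.0.0.0:389)
Dec 23 10:00:05 ldap1 slapd[1557]: conn=1003 op=0 BIND dn="uid=bob,ou=people,dc=dev,dc=local" method=128
Dec 23 10:00:05 ldap1 slapd[1557]: conn=1003 op=0 RESULT tag=97 err=49 text='

# failed_binds: read log lines on stdin, print "<count> <ip> <dn>" (tab separated),
# most failures first. tag=97 is a BindResponse, err=49 is invalidCredentials.
failed_binds() {
    awk '
        function conn_id(    i) {            # the conn=N token identifies the TCP session
            for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) return substr($i, 6)
            return ""
        }
        /ACCEPT from IP=/ {                  # remember the client address per connection
            c = conn_id()
            for (i = 1; i <= NF; i++) if ($i ~ /^IP=/) { split(substr($i, 4), a, ":"); ip[c] = a[1]; break }
        }
        / BIND dn=/ {                        # remember the DN tried on this connection
            c = conn_id()
            if (match($0, /dn="[^"]*"/)) dn[c] = substr($0, RSTART + 4, RLENGTH - 5)
        }
        / RESULT tag=97 err=49/ {            # bind rejected: attribute it to ip and dn
            c = conn_id()
            fails[ip[c] "\t" dn[c]]++
        }
        END { for (k in fails) print fails[k] "\t" k }
    ' | sort -rn
}

# failed_binds_by_ip MIN: total failures per client address, only clients with
# at least MIN failures (a crude brute-force indicator to alert on)
failed_binds_by_ip() {
    failed_binds | awk -F'\t' -v min="$1" '
        { n[$2] += $1 }
        END { for (ip in n) if (n[ip] >= min) print n[ip] "\t" ip }
    ' | sort -rn
}

# Demo on the constructed sample; in production feed it the real log, e.g.
#   grep 'slapd\[' /var/log/syslog | failed_binds
printf '%s\n' "$SAMPLE_LOG" | failed_binds
printf '%s\n' "$SAMPLE_LOG" | failed_binds_by_ip 3
```

An anonymous bind shows up with an empty DN column; bind DNs are tracked per connection rather than per line because the RESULT line that carries the error code does not repeat the DN. The same correlation extends to err=50 (insufficientAccess) if you want to spot clients probing for data they are not allowed to read.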
    

What to index

  1. Create indexes that match the attributes and match types actually used in search filters; an index on an attribute nobody searches for only slows down writes. Debian's default configuration already indexes objectClass, so that one is not repeated. We are going to add equality indexes on uid, cn, ou, dc, uniqueMember, uidNumber and gidNumber (the attributes typically filtered on for POSIX account and group lookups). So here is our index file (file db-index.ldif):
    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    add: olcDbIndex
    olcDbIndex: uid eq
    -
    add: olcDbIndex
    olcDbIndex: cn eq
    -
    add: olcDbIndex
    olcDbIndex: ou eq
    -
    add: olcDbIndex
    olcDbIndex: dc eq
    -
    add: olcDbIndex
    olcDbIndex: uniqueMember eq
    -
    add: olcDbIndex
    olcDbIndex: uidNumber eq
    -
    add: olcDbIndex
    olcDbIndex: gidNumber eq
    
    Apply changes:
    ldapmodify -QY EXTERNAL -H ldapi:/// -f db-index.ldif
    

Reindex database

  1. Here is a simple script to reindex the database (file /usr/local/sbin/slap-reindex). slapindex must run with slapd stopped, and as the openldap user so that the index files it writes under /var/lib/ldap keep the right ownership. You do not need to run it often: it is needed after changing the index configuration of a populated database or after loading data with slapadd, not as a routine job:
    #!/bin/sh
    # slapindex must not run against a database slapd has open
    /etc/init.d/slapd stop > /dev/null
    # run as openldap so new index files are owned correctly; -s names a shell
    # explicitly because the Debian openldap account may have a non-login shell
    su -s /bin/sh openldap -c "slapindex"
    /etc/init.d/slapd start > /dev/null
    

Simple tree structure

  1. Here is our simple structure:
    dev.local
    |--people
    `--groups
    
  2. It corresponds to the following (file init-tree.ldif):
    dn: ou=people,dc=dev,dc=local
    ou: people
    objectClass: organizationalUnit
    
    dn: ou=groups,dc=dev,dc=local
    ou: groups
    objectClass: organizationalUnit
    
  3. Add it to LDAP (-x is a simple bind, -D the bind DN, -W prompts for the admin password, -c continues past entries that already exist). A simple bind over plain ldap:// sends that password in the clear, so from anywhere but the server itself use ldapi:///, ldaps:// or STARTTLS instead:
    ldapadd -cxWD cn=admin,dc=dev,dc=local -f init-tree.ldif
    
  4. Test that we can find it (an anonymous simple bind, which Debian's default ACL allows to read the tree, using the BASE from /etc/ldap/ldap.conf):
    ldapsearch -x ou=people
    
    Here is the search result:
    # extended LDIF
    #
    # LDAPv3
    # base  (default) with scope subtree
    # filter: ou=people
    # requesting: ALL
    #
    
    # people, dev.local
    dn: ou=people,dc=dev,dc=local
    ou: people
    objectClass: organizationalUnit
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    
