
Thread: HowTo: OpenLDAP and Karmic

  1. #1
    Join Date
    Nov 2006
    Beans
    83

    Arrow HowTo: OpenLDAP and Karmic

    In Ubuntu 9.10 Karmic Koala the installation of OpenLDAP got a bit complicated. Upon installation you are not asked for your password anymore, and you have to set up the database yourself. And this is only possible using the OpenLDAP server's root account. Yes, you read correctly: only a very minimal cn=config is provided by default.

    There is an official statement about this [1] (in short: this is part of a future strategy to bring OpenLDAP to a broader spectrum - keyword: Kerberos), but unfortunately there is neither (November 4th, 2009) an official nor an unofficial HowTo on how to set up the whole thing. So here is my take:

    First, install OpenLDAP:
    Code:
    apt-get -y install slapd ldap-utils
    A dpkg-reconfigure slapd is useless btw.

    Now add a few schemata (only core.schema is provided by default):

    Code:
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
    After that, we set up the initial cn=config database. Open a temporary file in your favourite text editor:

    Code:
    vi /root/db.ldif
    and insert the following listing:

    Code:
    ###########################################################
    # DATABASE SETUP
    ###########################################################
    
    # Load modules for database type
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_hdb
    
    # Create directory database
    dn: olcDatabase={1}hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=home,dc=com
    olcRootDN: cn=admin,dc=home,dc=com
    olcRootPW: 1234
    olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=home,d
     c=com" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=admin,dc=home,dc=com" write by * read
    olcLastMod: TRUE
    olcDbCheckpoint: 512 30
    olcDbConfig: {0}set_cachesize 0 2097152 0
    olcDbConfig: {1}set_lk_max_objects 1500
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    olcDbIndex: uid pres,eq
    olcDbIndex: cn,sn,mail pres,eq,approx,sub
    olcDbIndex: objectClass eq
    
    
    ###########################################################
    # DEFAULTS MODIFICATION
    ###########################################################
    # Some of the defaults need to be modified in order to allow
    # remote access to the LDAP config. Otherwise only root
    # will have administrative access.
    
    dn: cn=config
    changetype: modify
    delete: olcAuthzRegexp
    
    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    delete: olcAccess
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {CRYPT}7hzU8RaZxaGi2
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    delete: olcAccess
    Apply this configuration with the following command:

    Code:
    ldapadd -Y EXTERNAL -H ldapi:/// -f /root/db.ldif
    This creates an administrative LDAP user cn=admin,dc=home,dc=com with the password 1234. Be aware: from now on this user has all privileges on your LDAP-server!

    Now set up a minimal LDAP DIT. Open another temporary file:

    Code:
    vi /tmp/base.ldif
    and insert the following:

    Code:
    # Tree root
    dn: dc=home,dc=com
    objectClass: dcObject
    objectclass: organization
    o: home.com
    dc: home
    description: Tree root
    
    # LDAP admin
    dn: cn=admin,dc=home,dc=com
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    userPassword: 1234
    description: LDAP administrator
    ...and apply it:

    Code:
    ldapadd -x -D cn=admin,dc=home,dc=com -W -f /tmp/base.ldif
    When asked for a password, enter 1234. From now on you should be on the level of a fresh OpenLDAP installation in Jaunty. The rest is your part.

    By the way, with the following commands you can read your cn=config:

    Code:
    ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
    ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
    and your LDAP DIT (this time as anonymous user - hence no password is shown for your cn=admin,dc=home,dc=com):

    Code:
    ldapsearch -xLLL -b dc=home,dc=com
    Good luck!
    Robert



    [1] https://lists.ubuntu.com/archives/ub...st/003182.html
    Last edited by apalacheno; November 22nd, 2009 at 10:42 AM.
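    The listing in the first post stores the directory root password in cn=config as cleartext (olcRootPW: 1234). slapd also accepts hashed values there, in the same {SSHA} format that slappasswd prints. The following is an added example, not code from the post or from the OpenLDAP project: it renders the {1}hdb record from the listing with the post's suffix, root DN and three olcAccess rules, but with an {SSHA}-hashed olcRootPW, and folds long attribute lines the way the post's olcAccess line is folded (continuation lines start with one space). The function names and the fixed salt used in the usage call are my own; the DNs and paths are the post's.

```python
"""Render the {1}hdb cn=config record from the first post with a hashed
olcRootPW, plus the LDIF line folding/unfolding the post's listing relies on.
Added example: function names are assumptions, DNs/paths are the post's."""
import base64
import hashlib
import os
from typing import List, Optional

LDIF_WIDTH = 78  # conventional maximum LDIF line length before folding


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} scheme: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def fold_ldif_line(line: str, width: int = LDIF_WIDTH) -> List[str]:
    """Fold one logical LDIF line: each continuation line starts with a space."""
    if len(line) <= width:
        return [line]
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def unfold_ldif(text: str) -> List[str]:
    """Reverse folding: join lines that begin with a space onto the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def build_hdb_database_ldif(suffix: str, root_dn: str, root_password: str,
                            salt: Optional[bytes] = None) -> str:
    """The {1}hdb record from the post, with olcRootPW hashed instead of cleartext."""
    attrs = [
        "dn: olcDatabase={1}hdb,cn=config",
        "objectClass: olcDatabaseConfig",
        "objectClass: olcHdbConfig",
        "olcDatabase: {1}hdb",
        "olcDbDirectory: /var/lib/ldap",
        "olcSuffix: %s" % suffix,
        "olcRootDN: %s" % root_dn,
        "olcRootPW: %s" % ssha_hash(root_password, salt),
        # Same three ACLs as the post: password attributes, the root DSE, the rest.
        "olcAccess: {0}to attrs=userPassword,shadowLastChange "
        'by dn="%s" write by anonymous auth by self write by * none' % root_dn,
        'olcAccess: {1}to dn.base="" by * read',
        'olcAccess: {2}to * by dn="%s" write by * read' % root_dn,
        "olcDbIndex: objectClass eq",
    ]
    lines: List[str] = []
    for attr in attrs:
        lines.extend(fold_ldif_line(attr))
    return "\n".join(lines) + "\n"


def stored_root_pw(ldif_text: str) -> str:
    """Read the olcRootPW value back out of (possibly folded) LDIF text."""
    for line in unfold_ldif(ldif_text):
        if line.startswith("olcRootPW: "):
            return line[len("olcRootPW: "):]
    return ""


if __name__ == "__main__":
    # Constructed usage with the post's DNs; a fixed salt only to make output repeatable.
    print(build_hdb_database_ldif("dc=home,dc=com", "cn=admin,dc=home,dc=com",
                                  "1234", salt=b"salt"))
```

    The rendered record can be dropped into /root/db.ldif in place of the "Create directory database" block and loaded with the same ldapadd -Y EXTERNAL -H ldapi:/// command; the same hashing applies to the userPassword of cn=admin in /tmp/base.ldif, so that a read of cn=config or of the DIT does not reveal the cleartext.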

  2. #2
    Join Date
    Oct 2006
    Location
    Montreal
    Beans
    228
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Re: HowTo: OpenLDAP and Karmic

    Thank you for a great howto.

    There is already a discussion in this forum about this issue.
    It contains links to the bugs opened in launchpad:

    http://ubuntuforums.org/showthread.php?p=8154148

  3. #3
    Join Date
    Jun 2009
    Beans
    1

    Re: HowTo: OpenLDAP and Karmic

    I just figured out that you can configure OpenLDAP in Karmic to use the old slapd.conf file by doing the following:

    Modify /etc/default/slapd

    Set the SLAPD_CONF parameter to where your slapd.conf file is located: eg: SLAPD_CONF=/etc/ldap/slapd.conf

  4. #4
    Join Date
    Dec 2008
    Location
    Milano
    Beans
    7
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: HowTo: OpenLDAP and Karmic

    Hello,
    is there a way to have OpenLDAP (slapd) and phpldapadmin working, installed from repository, on Ubuntu 9.10 as it was working before (7.10, 8.xx)? I'm going mad on this and I could not fix it in any way... Already googled but with no luck.
    Thank you.

  5. #5
    Join Date
    Nov 2006
    Beans
    83

    Re: HowTo: OpenLDAP and Karmic

    Is slapd standalone (without phpldapadmin) working already? I'm not using phpldapadmin, but at least the LDAP server should be in a functional state before using any admin tools.

  6. #6
    Join Date
    Dec 2008
    Location
    Milano
    Beans
    7
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: HowTo: OpenLDAP and Karmic

    Yes, slapd is installing fine but it is not possible to configure it via dpkg-reconfigure and I'm not so good with LDAP itself: I'm using it, through phpldapadmin, to share an email address book. Thanks a lot for your help.

  7. #7
    Join Date
    Nov 2006
    Beans
    83

    Re: HowTo: OpenLDAP and Karmic

    dpkg-reconfigure is useless in karmic. Instead follow the described steps in the first post and it should work for you.

    Unfortunately there is no way to avoid manually creating the LDAP database. The good news, however, is that it's just a matter of ten minutes to get it working.

  8. #8
    Join Date
    Dec 2008
    Location
    Milano
    Beans
    7
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: HowTo: OpenLDAP and Karmic

    Ok, I'm going to try this on a new server as soon as it is ready and I'll let you know if it will work... Thank you very much for your help, it is really invaluable.

    P.S.: Just a little complaint about this whole matter. I think Ubuntu is also intended to be used to spread the Linux open OS to the masses and this kind of attitude from the developers will not help. Not everyone has to be a coder/developer and the users should be advised when similar changes have to be introduced in critical services as LDAP is.
    Last edited by Yanlux; November 12th, 2009 at 05:02 PM.

  9. #9
    Join Date
    Nov 2006
    Beans
    83

    Re: HowTo: OpenLDAP and Karmic

    Good luck!

  10. #10
    Join Date
    Dec 2008
    Location
    Milano
    Beans
    7
    Distro
    Ubuntu Studio 9.10 Karmic Koala

    Re: HowTo: OpenLDAP and Karmic

    Thanks a lot for the guide, now I managed to have OpenLDAP and PHPLDAPADMIN working.
    Bye!
