
Thread: HowTo: OpenLDAP and Karmic


  1. #1

    HowTo: OpenLDAP and Karmic

    In Ubuntu 9.10 Karmic Koala the installation of OpenLDAP got a bit complicated. Upon installation you are not asked for your password anymore, and you have to set up the database yourself. And this is only possible using the OpenLDAP server's root account. Yes, you read correctly: only a very minimal cn=config is provided by default.

    There is an official statement about this [1] (in short: this is part of a future strategy to bring OpenLDAP to a broader spectrum - keyword: Kerberos), but unfortunately there is neither (November 4th, 2009) an official nor an unofficial HowTo on how to set up the whole thing. So here is my take:

    First, install OpenLDAP:
    Code:
    apt-get -y install slapd ldap-utils
    A dpkg-reconfigure slapd is useless btw.

    Now add a few schemata (only core.schema is provided by default):

    Code:
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
    After that, we set up the initial cn=config database. Open a temporary file in your favourite text editor:

    Code:
    vi /root/db.ldif
    and insert the following listing:

    Code:
    ###########################################################
    # DATABASE SETUP
    ###########################################################
    
    # Load modules for database type
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_hdb
    
    # Create directory database
    dn: olcDatabase={1}hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=home,dc=com
    olcRootDN: cn=admin,dc=home,dc=com
    olcRootPW: 1234
    olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=home,dc=com" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=admin,dc=home,dc=com" write by * read
    olcLastMod: TRUE
    olcDbCheckpoint: 512 30
    olcDbConfig: {0}set_cachesize 0 2097152 0
    olcDbConfig: {1}set_lk_max_objects 1500
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    olcDbIndex: uid pres,eq
    olcDbIndex: cn,sn,mail pres,eq,approx,sub
    olcDbIndex: objectClass eq
    
    
    ###########################################################
    # DEFAULTS MODIFICATION
    ###########################################################
    # Some of the defaults need to be modified in order to allow
    # remote access to the LDAP config. Otherwise only root
    # will have administrative access.
    
    dn: cn=config
    changetype: modify
    delete: olcAuthzRegexp
    
    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    delete: olcAccess
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {CRYPT}7hzU8RaZxaGi2
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    delete: olcAccess
    Apply this configuration with the following command:

    Code:
    ldapadd -Y EXTERNAL -H ldapi:/// -f /root/db.ldif
    This creates an administrative LDAP user cn=admin,dc=home,dc=com with the password 1234. Be aware: from now on this user has all privileges on your LDAP server!

    Now set up a minimal LDAP DIT. Open another temporary file:

    Code:
    vi /tmp/base.ldif
    and insert the following:

    Code:
    # Tree root
    dn: dc=home,dc=com
    objectClass: dcObject
    objectclass: organization
    o: home.com
    dc: home
    description: Tree root
    
    # LDAP admin
    dn: cn=admin,dc=home,dc=com
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    userPassword: 1234
    description: LDAP administrator
    ...and apply it:

    Code:
    ldapadd -x -D cn=admin,dc=home,dc=com -W -f /tmp/base.ldif
    When asked for a password, enter 1234. From now on you should be on the level of a fresh OpenLDAP installation in Jaunty. The rest is up to you.

    By the way, with the following commands you can read your cn=config:

    Code:
    ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
    ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
    and your LDAP DIT (this time as anonymous user - hence no password is shown for your cn=admin,dc=home,dc=com):

    Code:
    ldapsearch -xLLL -b dc=home,dc=com
    Good luck!
    Robert



    [1] https://lists.ubuntu.com/archives/ub...st/003182.html
    Last edited by apalacheno; November 22nd, 2009 at 10:42 AM.
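The three olcAccess lines in the db.ldif above are the security-relevant part of the post, and reading them by eye is error-prone: slapd takes the first "to" clause whose target matches, then the first "by" clause inside it that matches the requester, and grants exactly that level. The Python below is an added example (not code from the original post) that models this evaluation for the posted rules. It assumes constructed entries uid=alice and uid=bob under dc=home,dc=com, treats `by dn=` as an exact-DN match, and models the fact that the database's olcRootDN (cn=admin,dc=home,dc=com) bypasses ACLs entirely, so the explicit `by dn="cn=admin,..." write` clauses are only consulted if the rootdn is ever changed.

```python
"""Minimal model of slapd.access evaluation for the {1}hdb ACLs in the post.

Order of evaluation: first matching 'to' clause wins; inside it the first
matching 'by' clause sets the granted level; the request succeeds when the
granted level is at least the level the operation needs.  (Added example,
not OpenLDAP's own code; 'by dn=' is modelled as an exact DN match.)
"""
from dataclasses import dataclass
from typing import Optional

# Access levels in slapd.access(5) order; a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Operation -> minimum access level it requires.
NEEDS = {"bind": "auth", "compare": "compare", "search": "search",
         "read": "read", "modify": "write"}

ADMIN = "cn=admin,dc=home,dc=com"   # olcRootDN of the {1}hdb database

# The posted olcAccess rules, in {0},{1},{2} order, as (target, [(who, level)]).
ACLS = [
    # {0} to attrs=userPassword,shadowLastChange by ... write by anonymous auth
    #     by self write by * none
    ({"attrs": {"userpassword", "shadowlastchange"}},
     [("dn=" + ADMIN, "write"), ("anonymous", "auth"),
      ("self", "write"), ("*", "none")]),
    # {1} to dn.base="" by * read            (the root DSE)
    ({"dn.base": ""}, [("*", "read")]),
    # {2} to * by dn="cn=admin,..." write by * read
    ({}, [("dn=" + ADMIN, "write"), ("*", "read")]),
]


@dataclass
class Request:
    binddn: Optional[str]   # None means an anonymous (unauthenticated) session
    entry: str              # DN of the entry being accessed
    attr: Optional[str]     # attribute type, or None for entry-level access
    op: str                 # one of the keys of NEEDS


def _target_matches(target, req):
    if "dn.base" in target:
        return req.entry.lower() == target["dn.base"].lower()
    if "attrs" in target:
        return req.attr is not None and req.attr.lower() in target["attrs"]
    return True                       # 'to *'


def _who_matches(who, req):
    if who == "*":
        return True
    if who == "anonymous":
        return req.binddn is None
    if who == "self":
        return req.binddn is not None and req.binddn.lower() == req.entry.lower()
    if who.startswith("dn="):
        return req.binddn is not None and req.binddn.lower() == who[3:].lower()
    raise ValueError("unsupported <who> clause: " + who)


def granted_level(req, acls=ACLS, rootdn=ADMIN):
    """Return the access level slapd would grant for this request."""
    # The rootdn of a database is never subject to that database's ACLs.
    if req.binddn is not None and req.binddn.lower() == rootdn.lower():
        return "manage"
    for target, by_clauses in acls:
        if not _target_matches(target, req):
            continue
        for who, level in by_clauses:
            if _who_matches(who, req):
                return level
        return "none"                 # matching 'to' but no matching 'by': denied
    return "read"                     # slapd's default when no rule matches


def allowed(req, acls=ACLS, rootdn=ADMIN):
    """True when the granted level covers what the operation needs."""
    return LEVELS.index(granted_level(req, acls, rootdn)) >= LEVELS.index(NEEDS[req.op])


if __name__ == "__main__":
    alice = "uid=alice,dc=home,dc=com"          # constructed sample entry
    bob = "uid=bob,dc=home,dc=com"              # constructed sample entry
    for req in (Request(None, alice, "userPassword", "read"),
                Request(None, alice, "userPassword", "bind"),
                Request(alice, alice, "userPassword", "modify"),
                Request(bob, alice, "userPassword", "read"),
                Request(bob, alice, "cn", "read"),
                Request(bob, alice, "cn", "modify")):
        print(req, "->", granted_level(req), "allowed" if allowed(req) else "denied")
```

Two things the model makes visible: `by anonymous auth` is enough for a simple bind to succeed but not for reading or even comparing userPassword, and `by * read` on rule {2} means every other attribute of every entry is world-readable, which is what the anonymous ldapsearch at the end of the post relies on.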

  2. #2

    Re: HowTo: OpenLDAP and Karmic

    Thank you for a great howto.

    There is already a discussion in this forum about this issue.
    It contains links to the bugs opened in launchpad:

    http://ubuntuforums.org/showthread.php?p=8154148

  3. #3

    Re: HowTo: OpenLDAP and Karmic

    I just figured out that you can configure OpenLDAP in Karmic to use the old slapd.conf file by doing the following:

    Modify /etc/default/slapd

    Set the SLAPD_CONF parameter to where your slapd.conf file is located: eg: SLAPD_CONF=/etc/ldap/slapd.conf

  4. #4

    Re: HowTo: OpenLDAP and Karmic

    Hello,
    is there a way to have OpenLDAP (slapd) and phpldapadmin working, installed from repository, on Ubuntu 9.10 as it was working before (7.10, 8.xx)? I'm going mad on this and I could not fix it in any way... Already googled but with no luck.
    Thank you.

  5. #5

    Re: HowTo: OpenLDAP and Karmic

    Is slapd standalone (without phpldapadmin) working already? I'm not using phpldapadmin, but at least the LDAP server should be in a functional state before using any admin tools.

  6. #6

    Re: HowTo: OpenLDAP and Karmic

    Yes, slapd is installing fine but it is not possible to configure it via dpkg-reconfigure and I'm not so good with LDAP itself: I'm using it, through phpldapadmin, to share an email address book. Thanks a lot for your help.

  7. #7

    Re: HowTo: OpenLDAP and Karmic

    dpkg-reconfigure is useless in karmic. Instead follow the described steps in the first post and it should work for you.

    Unfortunately there is no way to avoid manually creating the LDAP database. The good news, however, is that it's just a matter of ten minutes to get it working.

  8. #8

    Re: HowTo: OpenLDAP and Karmic

    Hint: My original HowTo is valid for Lucid as well, you just need to adjust the following section in /root/db.ldif:

    Instead of
    Quote (originally posted by apalacheno):
    Code:
    ###########################################################
    # DEFAULTS MODIFICATION
    ###########################################################
    # Some of the defaults need to be modified in order to allow
    # remote access to the LDAP config. Otherwise only root
    # will have administrative access.
    
    dn: cn=config
    changetype: modify
    delete: olcAuthzRegexp
    
    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    delete: olcAccess
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {CRYPT}7hzU8RaZxaGi2
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    delete: olcAccess
    You need this (effectively adding the olcRootDN):

    Code:
    ###########################################################
    # DEFAULTS MODIFICATION
    ###########################################################
    # Some of the defaults need to be modified in order to allow
    # remote access to the LDAP config. Otherwise only root
    # will have administrative access.
    
    dn: cn=config
    changetype: modify
    delete: olcAuthzRegexp
    
    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    delete: olcAccess
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootDN
    olcRootDN: cn=admin,cn=config
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {CRYPT}7hzU8RaZxaGi2
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    delete: olcAccess
    Cheers,
    Robert

  9. #9

    Re: HowTo: OpenLDAP and Karmic

    Hi, thanks for the tutorial,

    I have made a script for Ubuntu 10.04 and it is the following:

    Code:
    #!/bin/sh
    passwd=xxxxxx
    dc1=host
    dc2=com
    # Hash the admin password with slappasswd (default scheme {SSHA})
    hash_pw=`slappasswd -s "$passwd"`
    tmpdir=/tmp
    #--------------------------------------------------------------#
    # Load the additional schemata (only core is present by default)
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
    #--------------------------------------------------------------#
    # database.ldif
    #--------------------------------------------------------------#
    # Unquoted EOF: $dc1, $dc2 and $hash_pw are expanded into the file
    cat <<EOF > "$tmpdir/database.ldif"
    # Load dynamic backend modules
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_hdb
    
    # Create directory database
    dn: olcDatabase={1}hdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=$dc1,dc=$dc2
    olcRootDN: cn=admin,dc=$dc1,dc=$dc2
    olcRootPW: $hash_pw
    olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=$dc1,dc=$dc2" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=admin,dc=$dc1,dc=$dc2" write by * read
    olcLastMod: TRUE
    olcDbCheckpoint: 512 30
    olcDbConfig: {0}set_cachesize 0 2097152 0
    olcDbConfig: {1}set_lk_max_objects 1500
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    olcDbIndex: uid pres,eq
    olcDbIndex: cn,sn,mail pres,eq,approx,sub
    olcDbIndex: objectClass eq
    ################################
    #        Modifications
    ################################
    
    dn: cn=config
    changetype: modify
    delete: olcAuthzRegexp
    
    dn: olcDatabase={-1}frontend,cn=config
    changetype: modify
    delete: olcAccess
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootDN
    olcRootDN: cn=admin,cn=config
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: $hash_pw
    
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    delete: olcAccess
    EOF
    # Apply as local root over the ldapi socket (SASL EXTERNAL)
    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f "$tmpdir/database.ldif"
    ####################################
    #         Mini DIT
    ####################################
    cat <<EOF > "$tmpdir/dit.ldif"
    # Tree root
    
    dn: dc=$dc1,dc=$dc2
    objectClass: dcObject
    objectclass: organization
    o: $dc1.$dc2
    dc: $dc1
    description: Tree root
    
    # LDAP admin
    dn: cn=admin,dc=$dc1,dc=$dc2
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    userPassword: $hash_pw
    description: LDAP administrator
    EOF
    
    # -W prompts for the bind password: enter the value of $passwd
    sudo ldapadd -x -D "cn=admin,dc=$dc1,dc=$dc2" -W -f "$tmpdir/dit.ldif"
    Now all is fine until:

    Code:
    adding new entry "olcDatabase={1}hdb,cn=config"
    
    modifying entry "cn=config"
    ldap_modify: Undefined attribute type (17)
        additional info: olcAuthRegexp: attribute type undefined
    
    Enter LDAP Password: 
    adding new entry "dc=host,dc=com"
    
    adding new entry "cn=admin,dc=host,dc=com"
    The password is OK

    UPDATE: Fixed, I removed the olcAuthRegexp line.
    Now it works just fine.
    Last edited by init-0; August 11th, 2010 at 01:25 PM.

  10. #10

    Re: HowTo: OpenLDAP and Karmic

    I'm trying to revive LDAP with ubuntu 10.04 in one of the labs at my school but our domain consists of dc=cs,dc=school,dc=edu, why does it complain about name attributes? Does it only like a 2 part domain?
