LDAP Server

LDAP itself should be considered a database. It stores entries and serves them fast; it does not manage the data for you and does not enforce dependencies between entries (a gidNumber pointing at a deleted group, a memberUid of a removed user), so consistency is the administrator's job.

Strategy

LDAP should contain only the data that is really needed. Administration accounts and groups like wheel must stay local, so that a host remains manageable when the directory is down and so that a compromised directory does not hand out root on every client.

Basic Configuration

Create the password for the LDAP administrator (and for any users loaded from LDIF) and put the resulting hash, never the cleartext, into slapd.conf as rootpw:

slappasswd -h {SSHA} -s MySecretPassword

With -s the cleartext ends up in the process list and the shell history; leave -s out and slappasswd prompts for it instead.

Generate the CA and server certificates in /usr/local/etc/openldap/cert; the server key must be readable by the ldap user slapd runs as and by nobody else.

Configure the server - create /usr/local/etc/openldap/slapd.conf with the TLS files, the hashed rootpw and ACLs that keep userPassword unreadable.

Add to /etc/rc.conf

slapd_enable="YES"

Configure the client - create /jails/ldap/usr/local/etc/openldap/ldap.conf with the server URI and the CA certificate the client verifies it against.
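The steps above leave both files unspecified. The script below is an added example (not from the original page) that writes a minimal hardened slapd.conf and the matching client ldap.conf, checks the result for the settings that matter, and only then runs slaptest. The suffix dc=example,dc=org, the admin DN cn=ldapadmin,dc=example,dc=org, the file names ca.crt/server.crt/server.key in the cert directory and the FreeBSD port's ldap user and group are assumptions; the check function also works on a hand-written slapd.conf.

```sh
#!/bin/sh
# Added example, not part of the original page: writes the slapd.conf and
# ldap.conf the steps above leave unspecified, and checks the result.
# Assumptions (hypothetical): suffix dc=example,dc=org, admin DN
# cn=ldapadmin,dc=example,dc=org, cert files ca.crt/server.crt/server.key
# in $PREFIX/cert, and the FreeBSD port's ldap user and group.
set -eu

PREFIX="${PREFIX:-/usr/local/etc/openldap}"

# $1 = destination file, $2 = hashed root password as printed by slappasswd
write_slapd_conf() {
    cat > "$1" <<EOF
include         $PREFIX/schema/core.schema
include         $PREFIX/schema/cosine.schema
include         $PREFIX/schema/inetorgperson.schema
include         $PREFIX/schema/nis.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# TLS material from the cert directory; clients are not asked for certs
TLSCACertificateFile    $PREFIX/cert/ca.crt
TLSCertificateFile      $PREFIX/cert/server.crt
TLSCertificateKeyFile   $PREFIX/cert/server.key
TLSVerifyClient         never

# Simple binds and updates only on a connection with ssf >= 128 (TLS);
# no anonymous binds at all
security        simple_bind=128 update_ssf=128
disallow        bind_anon

database        mdb
suffix          "dc=example,dc=org"
rootdn          "cn=ldapadmin,dc=example,dc=org"
rootpw          $2
directory       /var/db/openldap-data
index           objectClass,uid,memberUid eq

# Password hashes: the owner may change them, anyone may authenticate
# against them, nobody may read them (the rootdn bypasses ACLs anyway)
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by * none
EOF
}

# $1 = destination file for the client side
write_ldap_conf() {
    cat > "$1" <<EOF
BASE    dc=example,dc=org
URI     ldap://ldap.example.org
# Trust only our own CA and abort when the server certificate does not verify
TLS_CACERT      $PREFIX/cert/ca.crt
TLS_REQCERT     demand
EOF
}

# Static checks on a slapd.conf; returns 1 and explains on stderr when a
# hardening setting is missing. Works on hand-edited files as well.
check_slapd_conf() {
    rc=0
    grep -Eq '^rootpw[[:space:]]+[{](SSHA|SHA|SMD5|MD5|CRYPT)[}]' "$1" \
        || { echo "$1: rootpw missing or not a {SCHEME} hash" >&2; rc=1; }
    grep -q '^TLSCertificateKeyFile' "$1" \
        || { echo "$1: no TLS key configured" >&2; rc=1; }
    grep -Eq '^security[[:space:]].*simple_bind=[1-9]' "$1" \
        || { echo "$1: simple binds allowed over cleartext" >&2; rc=1; }
    grep -q '^access to attrs=userPassword' "$1" \
        || { echo "$1: no ACL protecting userPassword" >&2; rc=1; }
    return $rc
}

# The whole procedure; only runs as `sh this.sh install` on the server.
install_all() {
    mkdir -p "$PREFIX/cert"
    # slappasswd prompts; do not use -s, it would expose the password in ps
    hash=$(slappasswd -h '{SSHA}')
    write_slapd_conf "$PREFIX/slapd.conf" "$hash"
    chown root:ldap "$PREFIX/slapd.conf"; chmod 0640 "$PREFIX/slapd.conf"
    write_ldap_conf "$PREFIX/ldap.conf"
    check_slapd_conf "$PREFIX/slapd.conf"
    slaptest -u -f "$PREFIX/slapd.conf"    # parse check before enabling slapd
}

if [ "${1-}" = install ]; then install_all; fi
```

The security line is what makes the hashed rootpw and the ACLs worth anything: without it a simple bind sends the password in the clear and any client that forgets -Z leaks it. TLS_REQCERT demand on the client side is the default, but spelling it out prevents someone from later "fixing" a certificate error by setting it to never.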

Enable replication - on the provider, add the syncprov overlay to the database section of slapd.conf:

overlay syncprov
syncprov-checkpoint 10 10
syncprov-sessionlog 100

Replica

On the consumer, add a syncrepl directive to the same database section; the replica ID has to be given as rid=:

syncrepl rid=1
    provider=ldap[s]://<hostname>[:port]
    searchbase=<base DN>
    scope=sub
    type=refreshOnly
    interval=dd:hh:mm:ss
    bindmethod=simple
    credentials=<passwd>
    binddn=<dn>

credentials is the cleartext password of binddn, so slapd.conf must not be world-readable, binddn should be a dedicated read-only account rather than the rootdn, and the provider URL should be ldaps:// or carry starttls=critical. Point write attempts on the replica back to the provider:

updateref ldap://...
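A consumer that binds successfully but never receives changes looks healthy in the logs. The quick check is to compare the contextCSN of provider and consumer, the same cookie syncrepl uses internally. The script below is an added example, not code from the page; the suffix dc=example,dc=org and the bind DN are assumptions, and the two LDIF samples are constructed to have the shape ldapsearch returns, not captured from a real server.

```sh
#!/bin/sh
# Added example, not from the original page: verify that a consumer has
# caught up with its provider by comparing contextCSN, the cookie syncrepl
# itself uses. Suffix dc=example,dc=org and the bind DN are assumptions.
set -eu

# Extract every contextCSN value from LDIF on stdin, sorted one per line.
# A multi-master provider carries one CSN per serverID, so all are compared.
context_csns() {
    grep '^contextCSN:' | sed 's/^contextCSN:[[:space:]]*//' | sort
}

# $1 = provider LDIF, $2 = consumer LDIF. Returns 0 when identical, 1 otherwise.
check_sync() {
    p=$(printf '%s\n' "$1" | context_csns)
    c=$(printf '%s\n' "$2" | context_csns)
    if [ -z "$p" ]; then
        echo "provider returned no contextCSN: wrong base, or syncprov not loaded" >&2
        return 1
    fi
    if [ "$p" = "$c" ]; then
        echo "in sync at $p"
        return 0
    fi
    echo "consumer behind: provider=[$p] consumer=[$c]" >&2
    return 1
}

# Live query of one server. Read the consumer through its own URI, never
# through the updateref, or you end up comparing the provider with itself.
fetch_csn() {
    ldapsearch -LLL -ZZ -x -H "$1" -D "cn=ldapadmin,dc=example,dc=org" -W \
        -b dc=example,dc=org -s base contextCSN
}

# Constructed sample output (not captured from a real server) in the shape
# fetch_csn returns; the consumer sample is one day behind.
PROVIDER_LDIF='dn: dc=example,dc=org
contextCSN: 20240102030405.123456Z#000000#000#000000'
CONSUMER_BEHIND='dn: dc=example,dc=org
contextCSN: 20240101000000.000000Z#000000#000#000000'

# Usage: sh this.sh ldap://provider ldap://consumer
if [ $# -eq 2 ]; then
    check_sync "$(fetch_csn "$1")" "$(fetch_csn "$2")"
fi
```

With type=refreshOnly the consumer is expected to lag by up to one interval, so run the check twice an interval apart before concluding that replication is broken; a CSN that never moves while the provider's does usually means the binddn cannot read the entries it is supposed to replicate.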

Server data

Feed an empty server (slapd must be stopped; run slapadd as the ldap user, or chown the database files to it afterwards, otherwise slapd cannot open them):

slapadd -l file.ldif

Dump the server's database (the dump contains every password hash, so keep it mode 0600):

slapcat -l file.ldif

Input Data

Check that the server answers (-Z requests StartTLS; -ZZ makes the search fail if TLS could not be negotiated, which is what you want when testing a new setup):

ldapsearch -Z [-d 255]

Add data to the DB:

ldapadd -Z -D "cn=ldapadmin,dc=example,dc=org" -W -f /root/example.ldif

Dump DB:

ldapsearch -Z -D "cn=ldapadmin,dc=example,dc=org" -W

Other tools:

ldapvi -D "cn=ldapadmin,dc=example,dc=org" -h ldap.server.com

Set a user's password as admin (-S prompts for the new password, -W for the admin's bind password):

ldappasswd -D "cn=ldapadmin,dc=example,dc=org" -S -W "cn=Jon Doe,ou=people,dc=example,dc=org"
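The /root/example.ldif used above is not shown on the page. Below is an added example (not the page's own file) with a starter LDIF for the empty directory, plus a pre-flight check to run before ldapadd that refuses the file while any userPassword is still cleartext. The suffix, user and group values are hypothetical and the hash is a placeholder for real slappasswd output; the check also handles the base64 form (userPassword::) that slapcat and ldapsearch write.

```sh
#!/bin/sh
# Added example, not from the original page: a starter LDIF for the empty
# directory and a pre-flight check, run before ldapadd, that every
# userPassword in the file is a {SCHEME} hash rather than cleartext.
# Suffix, user and group values are hypothetical; the hash shown is a
# placeholder for real slappasswd output.
set -eu

# $1 = destination file
write_example_ldif() {
    cat > "$1" <<'EOF'
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example
o: Example Org

dn: ou=people,dc=example,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=org
objectClass: organizationalUnit
ou: groups

dn: cn=Jon Doe,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Jon Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/sh
userPassword: {SSHA}REPLACE_WITH_OUTPUT_OF_slappasswd

dn: cn=users,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: users
gidNumber: 10001
memberUid: jdoe
EOF
}

# A value counts as hashed when it starts with a {SCHEME} prefix such as {SSHA}.
is_hashed() {
    case "$1" in '{'[A-Z]*'}'*) return 0 ;; *) return 1 ;; esac
}

# Print the DN of every entry with a cleartext userPassword; return 1 if any.
# LDIF writes values as base64 ("userPassword::") when they start with a
# space or contain non-ASCII, and slapcat/ldapsearch do so for every
# userPassword, so those are decoded (base64(1)) before the check.
ldif_cleartext_passwords() {
    bad=0; dn=''
    while IFS= read -r line; do
        case "$line" in
            'dn: '*)            dn=${line#"dn: "} ;;
            'userPassword:: '*) v=$(printf '%s' "${line#"userPassword:: "}" | base64 -d)
                                is_hashed "$v" || { echo "$dn"; bad=1; } ;;
            'userPassword: '*)  is_hashed "${line#"userPassword: "}" || { echo "$dn"; bad=1; } ;;
        esac
    done < "$1"
    return $bad
}

# Usage on the server: sh this.sh /root/example.ldif
# Loads the file only when it contains no cleartext passwords.
if [ $# -eq 1 ]; then
    ldif_cleartext_passwords "$1" && ldapadd -ZZ -x -D "cn=ldapadmin,dc=example,dc=org" -W -f "$1"
fi
```

slapd would happily store a cleartext userPassword and still authenticate against it, which is why the check sits in front of ldapadd rather than relying on the server to complain.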

Server Replication

Package message

Message from openldap-client-2.4.46:

************************************************************

The OpenLDAP client package has been successfully installed.

Edit
  /usr/local/etc/openldap/ldap.conf
to change the system-wide client defaults.

Try `man ldap.conf' and visit the OpenLDAP FAQ-O-Matic at
  http://www.OpenLDAP.org/faq/index.cgi?file=3
for more information.

************************************************************
Message from openldap-server-2.4.46_4:

************************************************************

The OpenLDAP server package has been successfully installed.

In order to run the LDAP server, you need to edit
  /usr/local/etc/openldap/slapd.conf
to suit your needs and add the following lines to /etc/rc.conf:
  slapd_enable="YES"
  slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"'
  slapd_sockets="/var/run/openldap/ldapi"

Then start the server with
  /usr/local/etc/rc.d/slapd start
or reboot.

Try `man slapd' and the online manual at
  http://www.OpenLDAP.org/doc/
for more information.

slapd runs under a non-privileged user id (by default `ldap'),
see /usr/local/etc/rc.d/slapd for more information.

************************************************************