There is an official statement about this [1] (in short: this is part of a future strategy to bring OpenLDAP to a broader spectrum - keyword: Kerberos), but unfortunately there is (as of November 4th, 2009) neither an official nor an unofficial HowTo on how to set up the whole thing. So here is my take:
First, install OpenLDAP:
Code:
sudo apt-get -y install slapd ldap-utils
Now load a few more schemata (the .ldif files are shipped in /etc/ldap/schema, but only core is loaded by default; cosine and inetorgperson are needed for the inetOrgPerson objectClass, nis for posixAccount/posixGroup):
Code:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
Now put the database definition into a temporary file (adjust suffix, rootdn, password and paths to your own setup):
Code:
sudo gedit /home/afzal/rootdb.ldif
Code:
###########################################################
# DATABASE SETUP
###########################################################
# Load modules for database type
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=afzal,dc=com
olcRootDN: cn=admin,dc=afzal,dc=com
# Cleartext for the example only; for anything but a test box put a
# hash generated with slappasswd here instead
olcRootPW: secret
# Passwords: admin may write them, anonymous may only bind against them
# (auth), users may change their own, nobody else may read them
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=afzal,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=afzal,dc=com" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq

###########################################################
# DEFAULTS MODIFICATION
###########################################################
# Some of the defaults need to be modified in order to allow
# remote access to the LDAP config. Otherwise only root
# will have administrative access.
# Caveat: the records below delete the olcAccess rules of both the
# frontend and the config database, so only slapd's built-in default
# policy remains (slapd.access(5): anyone may read, only the rootdn may
# update). After loading this file, run an anonymous ldapsearch with
# -b cn=config and make sure it does not return the config entries from
# the network; if it does, add an olcAccess rule back that restricts it.
dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

# Password for the rootdn of the config database (cn=config). The value
# below is a crypt(3) hash, not a cleartext password; slappasswd -h {CRYPT}
# produces one where crypt support is compiled in.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {CRYPT}7hzU8RaZxaGi2

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
Code:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /home/afzal/rootdb.ldif
Now set up a minimal LDAP DIT. Open another temporary file:
Code:
sudo gedit /home/afzal/base.ldif
Code:
# Tree root
# The dc value has to match the RDN of the entry (dc=afzal), otherwise
# slapd rejects the add because the naming attribute is missing
dn: dc=afzal,dc=com
objectClass: dcObject
objectClass: organization
o: escenic
dc: afzal
description: Afzal's ldap system

# LDAP admin (same DN as the olcRootDN of the hdb database; cleartext
# password for the example only, use a slappasswd hash otherwise)
dn: cn=admin,dc=afzal,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: secret
description: LDAP administrator

# Leftover slapd.conf index directives; harmless here, LDIF treats them as comments
#index objectClass,uid,member eq
#index cn,mail,sn,givenname eq,subinitial
Code:
sudo ldapadd -x -D cn=admin,dc=afzal,dc=com -W -f /home/afzal/base.ldif
Now have a look at your LDAP DIT (this time as an anonymous user, so the userPassword of cn=admin,dc=afzal,dc=com is not shown: the first olcAccess rule only lets anonymous users bind against it, not read it):
Code:
sudo ldapsearch -xLLL -b dc=afzal,dc=com
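Both rootdb.ldif (olcRootPW: secret) and base.ldif (userPassword: secret) keep the admin password in cleartext, while slapd accepts hashed values in both places (slappasswd -h {SSHA} prints one). The following is an added example, not code from the original post: it builds and verifies the {SSHA} format slappasswd uses and rewrites cleartext olcRootPW/userPassword values in an LDIF text, leaving values that already carry a scheme (such as the {CRYPT} value in rootdb.ldif) untouched. The embedded SAMPLE_LDIF is constructed for the example and only modelled on the two files above; the function names are the example's own.

```python
import base64
import hashlib
import os
import re
from typing import List, Optional, Tuple

# Attributes that carry a password in rootdb.ldif and base.ldif.
PASSWORD_ATTRS = ("olcRootPW", "userPassword")

# "attr: value" lines only; base64 ("attr::") and URL ("attr:<") forms are skipped.
_PW_LINE = re.compile(r"^(?:%s):(?![:<]) *(?P<value>\S.*)$" % "|".join(PASSWORD_ATTRS))
# A value that already names a scheme, e.g. {SSHA}..., {CRYPT}...
_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value the way slappasswd does: base64(SHA1(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd also defaults to a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value (any salt length)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the salt follows it
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def unfold_ldif(ldif: str) -> str:
    """Join LDIF continuation lines (those starting with one space) to the previous line."""
    lines: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return "\n".join(lines)


def password_values(ldif: str) -> List[Tuple[str, str]]:
    """Return (attribute, value) for every password line in the (unfolded) LDIF."""
    found = []
    for line in unfold_ldif(ldif).splitlines():
        m = _PW_LINE.match(line)
        if m:
            found.append((line.split(":", 1)[0], m.group("value")))
    return found


def hash_cleartext_passwords(ldif: str) -> Tuple[str, int]:
    """Replace cleartext olcRootPW/userPassword values with {SSHA} values.

    Values that already carry a {SCHEME} prefix (like the {CRYPT} value in
    rootdb.ldif) are left alone. Continuation lines are unfolded first, so the
    output has one attribute per line, which slapd accepts as well.
    """
    out, replaced = [], 0
    for line in unfold_ldif(ldif).splitlines():
        m = _PW_LINE.match(line)
        if m and not _SCHEME.match(m.group("value")):
            attr = line.split(":", 1)[0]
            line = "%s: %s" % (attr, ssha_hash(m.group("value")))
            replaced += 1
        out.append(line)
    return "\n".join(out) + "\n", replaced


# Constructed sample modelled on the two files in this post (not their verbatim text).
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=afzal,dc=com
olcRootPW: secret
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=afzal,d
 c=com" write by anonymous auth by self write by * none

dn: olcDatabase={0}config,cn=config
olcRootPW: {CRYPT}7hzU8RaZxaGi2

dn: cn=admin,dc=afzal,dc=com
userPassword: secret
"""

if __name__ == "__main__":
    text, count = hash_cleartext_passwords(SAMPLE_LDIF)
    print(text, end="")
    print("# replaced %d cleartext value(s)" % count)
```

Run it against rootdb.ldif or base.ldif before loading them with ldapadd; the rewritten file can be fed to ldapadd unchanged, and the cn=admin bind still works with the original cleartext password because slapd hashes what the client sends and compares it with the stored {SSHA} value.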
