Configure OpenLDAP
References
- OpenLDAP Software 2.6 Administrator's Guide: A Quick-Start Guide: https://openldap.org/doc/admin26/quickstart.html
- ldap - Did I import inetOrgPerson schema correctly for OpenLDAP on Alpine Linux? - Stack Overflow: https://stackoverflow.com/questions/72132704/did-i-import-inetorgperson-schema-correctly-for-openldap-on-alpine-linux/
Latest revision as of 21:26, 26 July 2023
Lightweight Directory Access Protocol (LDAP) is often employed as an authentication mechanism, providing a common username and password across many different applications. This tutorial shows how to install and configure the OpenLDAP package on Alpine Linux.
Installing Packages
There is an Alpine package for OpenLDAP. However, simply adding the openldap apk is not enough to get you up and running. You'll also need to install a backend database and some LDAP command-line tools.
Here's how:
# apk add openldap openldap-back-mdb openldap-clients
But, before you start up the slapd service and go, there's a bit of configuration to do.
Customizing Configuration for OpenLDAP 2.3+
The Alpine OpenLDAP package can use either a configuration directory (slapd.d) or a configuration file (slapd.conf). Since OpenLDAP version 2.3, the preferred method is to use the slapd.d configuration directory. Any official OpenLDAP documentation, including their quickstart guide, will use this configuration method.
First, create the slapd.d directory with the proper ownership and permissions.
# install -m 755 -o ldap -g ldap -d /etc/openldap/slapd.d
Next, edit the slapd startup configuration to use the directory instead of the file.
- Open up /etc/conf.d/slapd in your favorite editor
- Comment out cfgfile="/etc/openldap/slapd.conf"
- Uncomment cfgdir="/etc/openldap/slapd.d"
Finally, get rid of the included slapd.conf file.
# rm /etc/openldap/slapd.conf
Updating Shared Libraries File Names
Open up /etc/openldap/slapd.ldif in your favorite editor. Search for the file names ending with .la and change the extension to .so.
Customizing Configuration for Your Domain
Your LDAP domain can be the same as your DNS domain or it can be completely different. Whatever you choose, be sure to use the LDAP naming convention of dc=domain,dc=tld rather than the dot separated DNS style of domain.tld.
- Edit slapd.ldif again.
- Find the olcSuffix: keyword.
- Change the value to match your domain.
- Find olcRootDN:
- Change the value to match your domain.
Later, this document will assume the domain is dc=home or dc=contoso,dc=com, reflecting a domain of home or contoso.com respectively.
Adding Schema for Linux User Accounts
The basic OpenLDAP configuration does not include anything other than core schema definitions. To be useful for Linux systems, the inetOrgPerson schema and NIS schema are often included. The schema files are provided with the OpenLDAP package. All that needs to be done is to include them in the slapd.ldif configuration along with the cosine.ldif dependency.
- Edit slapd.ldif again.
- Find the line include: file:///etc/openldap/schema/core.ldif
- Append similar lines referencing cosine.ldif, inetorgperson.ldif, and nis.ldif.
It should look like this when you're done:
Contents of /etc/openldap/slapd.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/nis.ldif
Importing the Configuration
Verify slapd.ldif one last time and use the slapadd command to import it into the backend database.
# slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif
There should be no errors, only a "Closing DB..." message.
Next, change ownership on the resulting files in /etc/openldap/slapd.d.
If you skip this step, the slapd service will refuse to start.
# chown -R ldap:ldap /etc/openldap/slapd.d/*
Configuring the slapd Service
The pid directory is missing. We'll need to create it or the service won't start, so this needs to be done first.
# install -m 755 -o ldap -g ldap -d /var/lib/openldap/run
Next, you can start the service and enable it at boot.
# rc-service slapd start
# rc-update add slapd
Testing
The OpenLDAP quickstart guide uses the ldapsearch utility to test the configuration.
$ ldapsearch -x -b "" -s base '(objectclass=*)' namingContexts
You should see your domain.
You can also test with slapcat:
$ slapcat -n 0
This will dump the entire config database in LDIF format. You can also pipe to grep and specify your domain name to verify everything looks correct. When using grep, remember LDAP uses the format dc=domain,dc=com and not the more familiar domain.com.
Later, when you begin populating your LDAP database, you can use slapcat -n 1 to see your information. (Zero is the config database. Numbers above zero are user-defined databases.)
Finally, you can run netstat -tln and look for LDAP port 389 in the output.
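The domain section above warns that LDAP wants dc=domain,dc=tld rather than domain.tld, and the tests above rely on eyeballing grep output. Here is a small POSIX shell check, added here and not part of the wiki page, that converts a DNS name to a DN and verifies an edited slapd.ldif (read from stdin) has the matching olcSuffix, an olcRootDN under it, and the four schema includes from the guide; the sample_ldif content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Alpine wiki page: check that the edited
# slapd.ldif really carries your domain before running slapadd.

# Convert DNS style "contoso.com" to the LDAP form "dc=contoso,dc=com".
dns_to_dn() {
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# Read slapd.ldif on stdin and return 0 only if olcSuffix equals the DN,
# olcRootDN sits directly under it, and the four schema includes from the
# guide are present. Each problem is reported on stderr.
check_config() {
    dn="$1"
    ldif=$(cat)
    rc=0
    printf '%s\n' "$ldif" | grep -qx "olcSuffix: $dn" \
        || { echo "olcSuffix is not $dn" >&2; rc=1; }
    printf '%s\n' "$ldif" | grep -q "^olcRootDN: cn=[^,]*,$dn\$" \
        || { echo "olcRootDN is not directly under $dn" >&2; rc=1; }
    for s in core cosine inetorgperson nis; do
        printf '%s\n' "$ldif" | grep -q "^include: file:///etc/openldap/schema/$s.ldif\$" \
            || { echo "missing schema include: $s.ldif" >&2; rc=1; }
    done
    return $rc
}

# Constructed stand-in for the relevant lines of an edited slapd.ldif.
sample_ldif() {
    cat <<'EOF'
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/nis.ldif
olcSuffix: dc=contoso,dc=com
olcRootDN: cn=Manager,dc=contoso,dc=com
EOF
}

# Usage: sh check.sh contoso.com /etc/openldap/slapd.ldif
if [ $# -eq 2 ]; then
    check_config "$(dns_to_dn "$1")" <"$2" && echo "slapd.ldif looks right for $1"
fi
```

Run it against the real file before slapadd; a non-zero exit means the domain edit or a schema include did not take.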
Scripted Installation
If you want to automate the steps above, use the following script. Be sure to adjust the DOMAIN value to fit your needs.
export DOMAIN="dc=home"

echo "Installing packages..."
apk add openldap openldap-back-mdb openldap-clients

echo "Configuring for v2.3+ style slapd.d config directory..."
install -m 755 -o ldap -g ldap -d /etc/openldap/slapd.d
# Switch the service from slapd.conf to the slapd.d directory.
sed -i~ \
    -e 's/^cfgfile=/#cfgfile=/' \
    -e 's/^#cfgdir=.*/cfgdir=\"\/etc\/openldap\/slapd.d\"/' \
    /etc/conf.d/slapd
rm /etc/openldap/slapd.conf

echo "Customizing for domain: ${DOMAIN}..."
# Fix the module file extensions and replace the placeholder suffix/rootDN.
sed -i~ \
    -e 's/\.la$/.so/' \
    -e "s/dc=my-domain,dc=com/${DOMAIN}/" /etc/openldap/slapd.ldif

echo "Adding schema for Linux user accounts..."
cp /etc/openldap/slapd.ldif /etc/openldap/slapd.ldif~1
# After the core.ldif include, add cosine, inetorgperson and nis in that order.
awk '{ print } /^include:/ { sub("core", "cosine", $0); print $0; sub("cosine", "inetorgperson"); print $0; sub("inetorgperson", "nis"); print }' /etc/openldap/slapd.ldif~1 >/etc/openldap/slapd.ldif

echo "Importing configuration..."
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif
chown -R ldap:ldap /etc/openldap/slapd.d/*

echo "Configuring slapd service..."
install -m 755 -o ldap -g ldap -d /var/lib/openldap/run
service slapd start
rc-update add slapd
Creating an Organizational Structure
Now that the installation is done, you can start using your LDAP database. At a minimum, you'll need to create an organization within your LDAP directory. This is covered as step 11 in the OpenLDAP quickstart document.
Here is an example using the contoso.com domain as the organization and home/dc=home as the base DN (update the baseDN if yours differs):
cat <<EOF >org.ldif
dn: dc=contoso,dc=com
objectclass: dcObject
objectclass: organization
o: Fictional Company
dc: contoso

dn: cn=Manager,dc=contoso,dc=com
objectclass: organizationalRole
cn: Manager
EOF
ldapadd -x -D "cn=Manager,dc=home" -w secret -f org.ldif
You may also want to create organizational units (OUs) to help keep your directory tidy.
Here's an LDIF to create People and Groups as OUs:
# Organizational unit for users
dn: ou=People,dc=home
changetype: add
objectClass: organizationalUnit
ou: People

# Organizational unit for groups.
dn: ou=Groups,dc=home
changetype: add
objectClass: organizationalUnit
ou: Groups
Import the OUs with an ldapadd command similar to the one used to create the organization.
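The snippets above build the organization under dc=contoso,dc=com, bind as cn=Manager,dc=home and create OUs under dc=home, leaving it to the reader to keep those in step. As an added example that is not part of the wiki page, this POSIX shell generates the organization, Manager and both OU entries from one base DN so that the entries and the bind DN cannot disagree; the DN and organization name are assumptions passed in by the caller.

```shell
#!/bin/sh
# Added example, not part of the Alpine wiki page: derive the base entries
# from a single DN so olcSuffix, the entry DNs and the ldapadd bind DN agree.

# First attribute value of a DN: "dc=contoso,dc=com" -> "contoso".
first_rdn_value() {
    printf '%s\n' "$1" | sed 's/^[^=]*=//; s/,.*$//'
}

# Emit LDIF for the organization, Manager role and People/Groups OUs
# under base DN $1, with organization name $2.
base_ldif() {
    base="$1"; org="$2"; dc=$(first_rdn_value "$base")
    cat <<EOF
dn: $base
objectClass: dcObject
objectClass: organization
o: $org
dc: $dc

dn: cn=Manager,$base
objectClass: organizationalRole
cn: Manager

dn: ou=People,$base
objectClass: organizationalUnit
ou: People

dn: ou=Groups,$base
objectClass: organizationalUnit
ou: Groups
EOF
}

# Number of entries in LDIF read from stdin (one "dn:" line per entry).
count_entries() {
    grep -c '^dn: '
}

# Usage: base_ldif dc=contoso,dc=com "Fictional Company" >base.ldif
#        ldapadd -x -D "cn=Manager,dc=contoso,dc=com" -W -f base.ldif
# -W prompts for the rootpw instead of leaving it in shell history as -w does.
```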
Now that this is done, you're ready to connect to the LDAP server with the administration tool of your choice and begin populating users, groups, etc. LDAPAdmin (http://ldapadmin.org/, TLS cert invalid) is an oldie, but a goodie for Windows users.
Next Steps
The configuration presented here does not include provisions for TLS (encrypted) communication. It should not be used on an untrusted network. Refer to the official OpenLDAP docs for instructions on setting up encrypted LDAP connections.