Configure OpenLDAP: Difference between revisions
Revision as of 18:00, 5 May 2022
Lightweight Directory Access Protocol (LDAP) is often employed as an authentication mechanism, providing a common username and password across many different applications. This tutorial shows how to install and configure the OpenLDAP package on Alpine Linux.
Installing Packages
There is an Alpine package for OpenLDAP. However, simply adding the openldap apk is not enough to get you up and running. You'll also need to install a backend database and some LDAP command-line tools.
Here's how:
apk add openldap openldap-back-mdb openldap-clients
But, before you start up the slapd service and go, there's a bit of configuration to do.
Customizing Configuration for OpenLDAP 2.3+
The Alpine OpenLDAP package can use either a configuration directory (slapd.d) or a configuration file (slapd.conf). Since OpenLDAP version 2.3, the preferred method is to use the slapd.d configuration directory. Any official OpenLDAP documentation, including their quickstart guide, will use this configuration method.
First, create the slapd.d directory with the proper ownership and permissions.
install -m 755 -o ldap -g ldap -d /etc/openldap/slapd.d
Next, edit the slapd startup configuration to use the directory instead of the file.
- Open up /etc/conf.d/slapd in your favorite editor
- Comment out cfgfile="/etc/openldap/slapd.conf"
- Uncomment cfgdir="/etc/openldap/slapd.d"
Finally, get rid of the included slapd.conf file.
rm /etc/openldap/slapd.conf
Open up /etc/openldap/slapd.ldif in your favorite editor. Search for the file names ending with .la and change the extension to .so
Customizing Configuration for Your Domain
Your LDAP domain can be the same as your DNS domain or it can be completely different. Whatever you choose, be sure to use the LDAP naming convention of dc=domain,dc=tld rather than the dot-separated DNS style of domain.tld
- Edit slapd.ldif again.
- Find the olcSuffix: keyword and change the value to match your domain.
- Find olcRootDN: and change the value to match your domain.
Import the Configuration
Before starting the slapd service, import the configuration into the backend database.
Use the slapadd command like this:
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif
There should be no errors, only a "Closing DB..." message.
Change ownership on the files or the slapd service will refuse to start.
chown -R ldap:ldap /etc/openldap/slapd.d/*
Configuring the slapd Service
The pid directory is missing. We'll need to create it or the service won't start.
install -m 755 -o ldap -g ldap -d /var/lib/openldap/run
Testing
The OpenLDAP quickstart guide uses the ldapsearch utility to test the configuration.
ldapsearch -x -b "" -s base '(objectclass=*)' namingContexts
You should see your domain.
You can also test with slapcat
slapcat -n 0
This will dump the entire config database in LDIF format. You can also pipe to grep and specify your domain name to verify everything looks correct. When using grep, remember LDAP uses the format dc=domain,dc=com and not the more familiar domain.com.
Later, when you begin populating your LDAP database, you can use slapcat -n 1 to see your information. (Zero is the config database. Numbers above zero are user-defined databases.)
Finally, you can run netstat -tln and look for LDAP port 389 in the output.
Scripted Installation
If you want to automate the process, use the following script. Be sure to adjust the DOMAIN value to fit your needs.
export DOMAIN="dc=contoso,dc=com"

echo "Installing packages..."
apk add openldap openldap-back-mdb openldap-clients

echo "Configuring for v2.3+ style slapd.d config directory..."
install -m 755 -o ldap -g ldap -d /etc/openldap/slapd.d
sed -i~ \
    -e 's/^cfgfile=/#cfgfile=/' \
    -e 's/^#cfgdir=.*/cfgdir=\"\/etc\/openldap\/slapd.d\"/' \
    /etc/conf.d/slapd
rm /etc/openldap/slapd.conf

echo "Customizing for domain: ${DOMAIN}..."
sed -i~ \
    -e 's/\.la$/.so/' \
    -e "s/dc=my-domain,dc=com/${DOMAIN}/" \
    /etc/openldap/slapd.ldif

echo "Importing configuration..."
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif
chown -R ldap:ldap /etc/openldap/slapd.d/*

echo "Configuring slapd service..."
install -m 755 -o ldap -g ldap -d /var/lib/openldap/run
service slapd start
rc-update add slapd

# To test, use ldapsearch:
# ldapsearch -x -b "" -s base '(objectclass=*)' namingContexts
#
# To wipe installation and redo:
# service slapd stop
# rm /etc/openldap/slapd.d/*
# rm /var/lib/openldap/openldap-data/*
Next Steps
Before you can use LDAP for authentication, you'll need to populate the database with user information. You may also want to enable secure communications with STARTTLS or LDAPS and change the default rootdn (Manager) password. Refer to the OpenLDAP project documentation to learn how to do this.
At a minimum, you'll need to create an organization within your LDAP directory. This is covered as step 11 in the OpenLDAP quickstart document (https://openldap.org/doc/admin26/quickstart.html).
Here is an example using the contoso.com domain as the organization:
cat <<EOF >org.ldif
dn: dc=contoso,dc=com
objectclass: dcObject
objectclass: organization
o: Fictional Company
dc: contoso

dn: cn=Manager,dc=contoso,dc=com
objectclass: organizationalRole
cn: Manager
EOF
You will probably want to add the schema for inetOrgPerson before creating user accounts. But, since inetOrgPerson depends on the cosine schema, you'll need to import that first.
Here are the two commands to add the schema:
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/schema/cosine.ldif
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/schema/inetorgperson.ldif
Now that this is done, you're ready to connect to the LDAP server with the administration tool of your choice and begin populating users, groups, etc. LDAPAdmin (http://ldapadmin.org/) is an oldie, but a goodie for Windows users.
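As an added example (not code from the Alpine wiki or the OpenLDAP project), the following POSIX shell script ties the two points above together: it converts a DNS name into the dc=domain,dc=tld form the configuration section insists on, assembles the organization, Manager, an ou=People container and one inetOrgPerson entry as LDIF, and loads them with ldapadd. The helper names, the ou=People container and the user jdoe are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki page: build the LDIF for the
# organization, its Manager role, an ou=People container and one
# inetOrgPerson user, then feed it to ldapadd. Assumes slapd is running
# locally and the cosine and inetorgperson schemas were imported.
set -eu

# Turn a DNS name into the dc=...,dc=... form LDAP expects:
# contoso.com -> dc=contoso,dc=com. Characters such as ',' or '=' are
# rejected so a bad value cannot alter the DN it is spliced into.
dns_to_dn() {
  case "$1" in
    ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# Top-level entries: the dcObject/organization and the Manager role.
# LDIF entries are separated by a blank line.
org_ldif() {  # $1 = DNS domain, $2 = organization name
  base=$(dns_to_dn "$1") || return 1
  printf 'dn: %s\nobjectClass: dcObject\nobjectClass: organization\no: %s\ndc: %s\n\n' \
    "$base" "$2" "${1%%.*}"
  printf 'dn: cn=Manager,%s\nobjectClass: organizationalRole\ncn: Manager\n' "$base"
}

# An ou=People container plus one inetOrgPerson. No userPassword here:
# set it afterwards with ldappasswd so the hash never sits in a file.
user_ldif() {  # $1 = DNS domain, $2 = uid, $3 = given name, $4 = surname
  base=$(dns_to_dn "$1") || return 1
  printf 'dn: ou=People,%s\nobjectClass: organizationalUnit\nou: People\n\n' "$base"
  printf 'dn: uid=%s,ou=People,%s\nobjectClass: inetOrgPerson\nuid: %s\ncn: %s %s\ngivenName: %s\nsn: %s\nmail: %s@%s\n' \
    "$2" "$base" "$2" "$3" "$4" "$3" "$4" "$2" "$1"
}

# Apply as the Manager; -W prompts for the password instead of taking it
# on the command line. Usage: sh populate.sh apply
if [ "${1:-}" = apply ]; then
  { org_ldif contoso.com "Fictional Company"; echo; user_ldif contoso.com jdoe Jane Doe; } |
    ldapadd -x -D "cn=Manager,$(dns_to_dn contoso.com)" -W
fi
```

Without the apply argument the script only defines the functions, so you can source it and inspect the LDIF with `org_ldif contoso.com "Fictional Company"` before touching the directory.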