Configure OpenLDAP
Overview
Note that after the configuration below, LDAP will not start until the SSL credentials are in place; those are created later in the configuration process. This step only needs to be done once per Tolven installation.
Initial openLDAP Setup for Windows
slapd.conf Entries
Edit the slapd.conf file in the openLDAP directory. The slapd.conf file varies over time with different versions and configurations. Below are the directives known and used by Tolven. Copy or replace the equivalent lines in the slapd.conf file of your openldap installation.
These schema includes must be present (core is usually there by default; if not, add it too):
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
The next four lines enable TLS for encrypting connections, using self-signed test certificates. These lines will prevent the LDAP server from starting until the credentials they name are put in place later in this configuration process. The cipher string below is the one Tolven documents; SSLv2 is long obsolete and has been removed from current OpenSSL builds, so on a current system prefer a string that does not name it, such as HIGH:!aNULL:!MD5, and check what your build actually accepts with openssl ciphers -v '<string>'.
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile ./tolvendev-ldap-cacerts.pem
TLSCertificateFile ./tolvendev-ldap-cert.pem
TLSCertificateKeyFile ./tolvendev-ldap-key.pem
Cleartext passwords, especially for the rootdn, should be avoided; see slappasswd(8) and slapd.conf(5) for details, and use strong authentication where possible. The {SSHA} value shown below is the hash of the default password ("secret") and is printed in this document, so it is not a secret: generate your own hash with slappasswd and use that in place of it.
suffix dc=tolven,dc=com
rootdn cn=Manager,dc=tolven,dc=com
rootpw {SSHA}KHCgqfsybbtXVI4yPkAFKlE2gQPXNemf
The following is an LDAP directive for the database directory, which must exist prior to running slapd and should only be accessible by the slapd and slap tools.
directory ./tolvendata
Index on the following attributes to improve performance:
index objectClass eq
index sn eq
index uid eq
LDAP Database
Please note that the LDAP database is very important: the user entries it contains hold the encryption keys for the data those users create in the application database, and those keys are the only way to decrypt that data. Back up the LDAP database accordingly. Create a new directory to hold the Tolven LDAP data:
c:\openLDAP> md tolvendata
Add the root elements to this new LDAP database using the slapadd command. Ensure that the required entries exist in slapd.conf as described in the slapd.conf Entries section above.
c:\openLDAP> slapadd -f slapd.conf -l tolveninitial.ldif
NB: The file tolveninitial.ldif can be empty, but on at least one version of OpenLDAP this command reports no error and yet never completes without the -l option (without -l, slapadd reads LDIF from standard input and appears to hang).
Test LDAP in non-SSL Mode
Temporarily comment out the four TLS lines added above by placing a '#' at the start of each line in slapd.conf. Then execute the following command to start LDAP in non-secure mode:
c:\openLDAP> slapd -h ldap://
Now use a client such as JXplorer to connect to LDAP on port 389 and confirm that it is running correctly; 'netstat -a' will also show the listener. If you have trouble accessing LDAP, stop it and temporarily start it again with debugging on:
c:\openLDAP> slapd -d 256 -h ldap://
Now stop LDAP and uncomment the TLS lines, so that when you return with the SSL credentials later on you are ready to restart LDAP in secure mode.
openLDAP Setup for Linux
slapd.conf Entries
Edit the slapd.conf file in the openLDAP directory. The slapd.conf file varies over time with different versions and configurations. Below are the directives known and used by Tolven. Copy or replace the equivalent lines in the slapd.conf file of your openldap installation.
These schema includes must be present (core is usually there by default; if not, add it too). On Linux the full path to the schema files may be required, so the entries below assume that OpenLDAP is installed in /etc/openldap:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
The next four lines enable TLS for encrypting connections, using self-signed test certificates. These lines will prevent the LDAP server from starting until the credentials they name are put in place later in this configuration process. As in the Windows section, the cipher string is the one Tolven documents; SSLv2 has been removed from current OpenSSL builds, so on a current system prefer a string that does not name it, such as HIGH:!aNULL:!MD5, and verify it with openssl ciphers -v '<string>'.
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/tolvendev-ldap-cacerts.pem
TLSCertificateFile /etc/openldap/tolvendev-ldap-cert.pem
TLSCertificateKeyFile /etc/openldap/tolvendev-ldap-key.pem
Cleartext passwords, especially for the rootdn, should be avoided; see slappasswd(8) and slapd.conf(5) for details, and use strong authentication where possible. The {SSHA} value shown below is the hash of the default password ("secret") and is printed in this document, so it is not a secret: generate your own hash with slappasswd and use that in place of it.
suffix dc=tolven,dc=com
rootdn cn=Manager,dc=tolven,dc=com
rootpw {SSHA}KHCgqfsybbtXVI4yPkAFKlE2gQPXNemf
The following directive names the database directory, which must exist before slapd is run and should be accessible only to slapd and the slap tools (mode 700 recommended on Linux):
directory /etc/openldap/tolvendata
Index on the following attributes to improve performance:
index objectClass eq
index sn eq
index uid eq
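The Windows and Linux slapd.conf entries above are easy to get subtly wrong (a missing schema include, a TLS file directive dropped, the documented example rootpw hash left in place, a data directory that is world readable). The following script, added here as an example and not part of Tolven or OpenLDAP, checks a slapd.conf for exactly those points before slapd is started. The file path passed on the command line and the "HIGH:!aNULL:!MD5" suggestion are assumptions; the matching rules follow the directives on this page.

```shell
#!/bin/sh
# Added example (not Tolven's or OpenLDAP's own tooling): lint a slapd.conf for
# the directives this page relies on, before starting slapd.
# Usage: sh check_slapd_conf.sh /etc/openldap/slapd.conf   (path is an assumption)

# Print the first uncommented value of a directive, or nothing if it is absent.
# A commented line has '#' or '#directive' as its first field, so it never matches.
conf_get() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Check one slapd.conf. Prints one line per finding and returns the number of
# findings, so a return value of 0 means the file passed every check below.
check_slapd_conf() {
    f=$1
    n=0

    # The three schema files Tolven needs; matches both the Windows form
    # (./schema/x.schema) and the Linux form (/etc/openldap/schema/x.schema).
    for s in core cosine inetorgperson; do
        grep -Eq "^[[:space:]]*include[[:space:]]+[^[:space:]]*/schema/$s\.schema" "$f" ||
            { echo "missing include for $s.schema"; n=$((n + 1)); }
    done

    # All three TLS credential directives must be present for secure mode.
    for d in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
        [ -n "$(conf_get "$f" "$d")" ] ||
            { echo "$d not set: slapd will serve plaintext only"; n=$((n + 1)); }
    done

    # SSLv2/SSLv3 are obsolete; a cipher string that still names them is a red flag.
    case "$(conf_get "$f" TLSCipherSuite)" in
        *SSLv2*|*SSLv3*)
            echo "TLSCipherSuite names SSLv2/SSLv3; use e.g. HIGH:!aNULL:!MD5"
            n=$((n + 1)) ;;
    esac

    # rootpw must be a salted hash and must not be the documented sample value.
    rp=$(conf_get "$f" rootpw)
    case $rp in
        "") ;;                              # no rootpw: rootdn binds via its own entry
        "{SSHA}KHCgqfsybbtXVI4yPkAFKlE2gQPXNemf")
            echo "rootpw is the example hash from the documentation; run slappasswd"
            n=$((n + 1)) ;;
        "{SSHA}"*|"{CRYPT}"*) ;;            # salted hash: acceptable
        *)  echo "rootpw is cleartext or an unsalted hash; run slappasswd -h {SSHA}"
            n=$((n + 1)) ;;
    esac

    # The BDB directory must already exist and should carry no group/other bits
    # (characters 5-10 of the ls mode string are the group and other permissions).
    dir=$(conf_get "$f" directory)
    if [ -z "$dir" ]; then
        echo "no directory directive"; n=$((n + 1))
    elif [ ! -d "$dir" ]; then
        echo "directory $dir does not exist; create it before running slapadd"; n=$((n + 1))
    else
        case "$(ls -ld "$dir" | cut -c5-10)" in
            ------) ;;
            *) echo "directory $dir is group/world accessible; chmod 700 it"; n=$((n + 1)) ;;
        esac
    fi
    return $n
}

# Run directly with a path argument; the functions can also be sourced.
if [ $# -gt 0 ]; then
    check_slapd_conf "$1"
fi
```

Run it against the conf as written on this page and it reports the SSLv2 cipher keyword and the example rootpw hash (plus the data directory if its permissions are open); a conf with a freshly generated {SSHA} hash, a modern cipher string and a mode 700 data directory returns 0.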
LDAP Database
Please note that the LDAP database is very important: the user entries it contains hold the encryption keys for the data those users create in the application database, and those keys are the only way to decrypt that data. Back up the LDAP database accordingly. Create a new directory to hold the Tolven LDAP data:
/etc/openldap> mkdir tolvendata
Add the root elements to this new LDAP database using the slapadd command. NB: The file tolveninitial.ldif can be empty, but on at least one version of OpenLDAP this command reports no error and yet never completes without the -l option (without -l, slapadd reads LDIF from standard input and appears to hang).
/etc/openldap> slapadd -f slapd.conf -l tolveninitial.ldif
Change the ownership of the openldap directory to the user that slapd runs as, e.g. on Fedora:
chown -R ldap:ldap /etc/openldap
Test LDAP in non-SSL Mode
Temporarily comment out the four TLS lines added above by placing a '#' at the start of each line in slapd.conf. Then execute the following command to start LDAP in non-secure mode:
/etc/openldap> slapd -h ldap://
Now use a client such as JXplorer, or the command below, to access LDAP and confirm that it is running correctly. Because TLS is commented out, this simple bind sends the Manager password in cleartext, so do it only from the server itself, ideally with slapd listening on the loopback address only (the -h URL given to slapd accepts a host, e.g. ldap://127.0.0.1/).
ldapsearch -x -W -D cn=Manager,dc=tolven,dc=com -b "dc=tolven,dc=com" -LLL "(uid=*)" dn
If you have trouble accessing LDAP, stop it and temporarily start it again with debugging on:
/etc/openldap> slapd -d 256 -h ldap://
Now stop LDAP and uncomment the TLS lines, so that when you return with the SSL credentials later on you are ready to restart LDAP in secure mode.
If openLDAP shuts down abruptly
The Berkeley DB (BDB) software underlying OpenLDAP can become corrupted if OpenLDAP is shut down abnormally, such as when power fails. A convenient way to repair the database harmlessly is BDB's db_recover command, run against the directory named by the directory directive:
db_recover -c -h tolvendata
You can include this command in the batch file or script that starts OpenLDAP, so that the repair is attempted automatically, when needed, every time OpenLDAP is started. Run it only while slapd is stopped: BDB requires that no other process has the environment open during recovery, and recovering a database that a running slapd still holds open can damage it rather than repair it.
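A start-up wrapper of the kind described above, added here as an example (it is not a script shipped by Tolven or OpenLDAP): it refuses to start unless the data directory exists with no group/other permissions, runs db_recover, and only then starts slapd, so a failed recovery never leads to slapd opening a damaged environment. The default paths, the SLAPD_* environment variables and the listener URLs are assumptions taken from the Linux section of this page.

```shell
#!/bin/sh
# Added example (not a script from Tolven or OpenLDAP): run BDB recovery on the
# slapd data directory, then start slapd, so an unclean shutdown (power loss,
# kill -9) is repaired automatically on every start.
# Defaults are assumptions matching the Linux section of this page.
CONF=${SLAPD_CONF:-/etc/openldap/slapd.conf}
DBDIR=${SLAPD_DBDIR:-/etc/openldap/tolvendata}
URLS=${SLAPD_URLS:-"ldap://127.0.0.1/ ldaps:///"}

# Return 0 if the data directory exists and carries no group/other permission
# bits, 1 if it is too open, 2 if it is missing. Only slapd and the slap tools
# should be able to read it (it holds the users' encryption keys).
dbdir_perms_ok() {
    [ -d "$1" ] || return 2
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Run recovery, then start slapd. Returns slapd's exit status, or 1 without
# touching slapd if the directory is unsafe or recovery fails. This must run
# while no slapd has the environment open; it is meant for the start script.
recover_and_start() {
    dir=$1; conf=$2; urls=$3
    if ! dbdir_perms_ok "$dir"; then
        echo "refusing to start: $dir is missing or not mode 700" >&2
        return 1
    fi
    # db_recover -c: catastrophic recovery (replays all logs); -h: environment home.
    if ! db_recover -c -h "$dir"; then
        echo "db_recover failed on $dir; not starting slapd" >&2
        return 1
    fi
    # slapd daemonizes itself; its exit status reports whether start-up succeeded.
    slapd -f "$conf" -h "$urls"
}

# Invoke as: sh start-slapd.sh start   (with SLAPD_* overrides as needed).
if [ "${1:-}" = "start" ]; then
    recover_and_start "$DBDIR" "$CONF" "$URLS"
fi
```

Because db_recover is only safe when nothing else has the environment open, the wrapper belongs in the start sequence (before slapd is launched), not in a cron job that might fire while slapd is running.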

