Differences between revisions 31 and 32
Revision 31 as of 2005-08-02 05:30:33
Size: 4320
Editor: anonymous
Comment:
Revision 32 as of 2005-08-02 05:31:44
Size: 4319
Editor: anonymous
Comment:
Deletions are marked like this. Additions are marked like this.
Line 52: Line 52:
== Important Note on [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=nscd =nscd] == == Important Note on [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=nscd nscd] ==

Initial LDAP Setup for Debian 3.1 (Sarge)

Updated 2005-08-02 DanielDickinson

i. Install the OpenLDAP package [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=slapd slapd]

Do 'apt-get install slapd' answering the prompts as follows:

  1. For the DNS domain name, enter your domain name.
    1. This will be translated from 'part1.part2.part3 to an LDAP base of 'dc=part1,dc=part2,dc=part3'.

    2. For example, 'theend.ofthe.world' would become 'dc=theend,dc=ofthe,dc=world'.

    3. This becomes what is known as your ["BaseDN"].
  2. For your organzation you can enter any string; this becomes associated the 'ou' field of your ["BaseDN"] record.

  3. Next enter your LDAP administrator password twice. This will set the password for 'cn=admin,[["BaseDN"]] and give 'cn=admin,[["BaseDN"]]' write access to everything in your LDAP tree.

  4. Accept the default of No to the question Allow ["LDAPv2" protocol]

ii. To get 'chsh' and 'chfn' to work for updating LDAP

Edit '/etc/ldap/slapd.conf' to allow access for users to update their loginShell and gecos entries by adding the following before the 'access to *' entry:

 access to attrs=loginShell
       by dn="cn=admin,[["BaseDN"]]" write
       by self write
       by * read

  access to attrs=gecos
       by dn="cn=admin,[["BaseDN"]]" write
       by self write
       by * read

iii. For better performance do more indexing than the default.

Modify /etc/slapd.conf to contain the following:

 index           objectClass            eq
 index          cn                      pres,sub,eq
 index          sn                      pres,sub,eq
 index          uid                     pres,sub,eq
 index          displayName             pres,sub,eq
 index          default                 sub
 index          uidNumber               eq
 index          gidNumber               eq
 index          mail,givenName          eq,subinitial
 index          dc                      eq

iv. Update the LDAP indices

Make sure the indexes are updated by doing (as root):

  # /etc/init.d/slapd stop
  # slapindex
  # /etc/init.d/slapd start

Important Note on [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=nscd nscd]

I highly recommend you do not install [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=nscd nscd] until after you have all your LDAP-based functionality working. This is because nscd (Name Service Caching Daemon) caches reads from the directory which means that a chance you make in the tree will not immediately seen by your client.


  • See also: ["LDAP"], ?"LDAPAuthentication", ["LDAPMigrationTools"]


. . .


Old: Configuring LDAP Authentication for Debian

OpenLDAPSetup

1. Install the ["OpenLDAP"] package [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=slapd slapd]

Do 'apt-get install slapd', answering prompts as required and generaly picking defaults except where they are obviously examples.

2. Edit the LDAP configuration file

To make using LDAP utilities like 'ldapsearch' a little less painful, edit /etc/ldap/ldap.conf (installed by the 'libldap2' package on the stable (a.k.a. 'woody') distribution) to set:

 BASE dc=<your>,dc=<domain>
 URI ldap://localhost

3. To get 'chsh' and 'chfn' to work for updating LDAP, edit /etc/ldap/slapd.conf to allow access for users to update their loginShell and gecos entries by adding the following before the access to * entry:

  access to attrs=loginShell
       by dn="cn=admin,dc=<your>,dc=<domain>" write
       by self write
       by * read

  access to attrs=gecos
       by dn="cn=admin,dc=<your>,dc=<domain>" write
       by self write
       by * read

3. Tune your LDAP server performance

To improve LDAP performance, edit /etc/ldap/slapd.conf to set more indexes than the stable (a.k.a. 'woody') default of just objectClass (taken from the Mandrake documentation):

  index objectClass,uid,uidNumber,gidNumber eq
  index cn,mail,surname,givenName           eq,subinitial

4. Update the LDAP indexes

Make sure the indexes are updated by doing (as root):

  # /etc/init.d/slapd stop
  # slapindex
  # /etc/init.d/slapd start


  • ["LDAPAuthentication"]