Updated 2005-08-02 by DanielDickinson (added new content; left old content at bottom of page).
Updated 2006-04-30 by DonovanBaarda (tweaked new content; removed old content).
Setting up an LDAP server with OpenLDAP
Install the OpenLDAP package slapd
Install the package with:
# apt-get install slapd
answering the prompts as follows:
- For the DNS domain name, enter your domain name. This will be translated to an LDAP DN (for example, 'example.com' would become 'dc=example, dc=com'). This becomes what is known as your BaseDN, the root of your database.
- For your organization you can enter any string; this becomes associated with the 'ou' field of your BaseDN record.
- Next enter your LDAP administrator password twice. This sets the password for 'cn=admin, BaseDN' and gives 'cn=admin, BaseDN' write access to everything in your LDAP tree.
- Accept the default of 'No' to the question 'Allow LDAPv2 protocol'.
For querying the LDAP server, utilities like ldapsearch are available. See the ["LDAPTools"] topic for more details.
For better performance, do more indexing than the default.
Modify /etc/ldap/slapd.conf to contain the following:
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index default sub
index uidNumber eq
index gidNumber eq
index mail,givenName eq,subinitial
index dc eq
After any new indexes have been defined or other major database changes have been made (e.g. slapadd was used), it is best to recreate the indexes. Note that you should stop slapd before recreating the indexes and fix the ownership of the database files afterward, since slapindex run as root leaves them owned by root:
# /etc/init.d/slapd stop
# slapindex
# chown -R openldap:openldap /var/lib/ldap
# /etc/init.d/slapd start
Configuring 'chsh' and 'chfn' to work with LDAP
Edit '/etc/ldap/slapd.conf' to allow access for users to update their loginShell and gecos entries by adding the following before the 'access to *' entry:
access to attrs=loginShell,gecos
    by dn="cn=admin,dc=example,dc=com" write
    by self write
    by * read
For SAMBA LDAP support
For Samba LDAP, slapd needs the Samba schema. The Debian package seems to have a samba.schema file which is old and out of date, and a samba.schema.gz file which is actually the correct one. Do the following (as root):
# cd /usr/share/doc/samba-doc/examples/LDAP
# gunzip samba.schema.gz
# cp samba.schema /etc/ldap/schema/
Now add the following line to /etc/ldap/slapd.conf after the other includes:
include /etc/ldap/schema/samba.schema
And restart slapd:
# /etc/init.d/slapd restart
Access controls for subtree-specific LDAP Admins
If you choose to use LDAP for many functions, such as having a single server for DNS, authentication, and replacement of the flat-file network databases, you may wish to have LDAP administrative users for each subtree in addition to the global admin (dn="cn=admin, dc=example, dc=com"). The following example is useful when using a separate authentication tree which includes Samba.
# The manager dn has full write access to the auth subtree
# Everyone else has read access to not otherwise protected fields and entries
access to dn.sub="ou=auth,dc=example,dc=com"
    by dn="cn=Manager,ou=auth,dc=example,dc=com" write
    by * read
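As an added check that is not part of the wiki page: a small Python model of slapd's first-match ACL evaluation, run over the chsh/chfn rule and the subtree-admin rule above, placed ahead of a constructed 'access to *' rule that stands in for the default one. It shows why the page says to add rules before 'access to *' (a rule placed after it is never reached) and that, with the attrs=loginShell,gecos directive first, the ou=auth manager gets only read on those two attributes. Only the selectors the page uses are modelled, and the user DNs are constructed.

```python
import re

def parse_acl(text):
    # 'access to <what> by <who> <level> ...' -> [(what, [(who, level), ...])]
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    acls = []
    for stmt in re.findall(r"access to\s+(.*?)(?=\s*access to|\Z)", text, re.S):
        what, *bys = re.split(r"\s+by\s+", stmt.strip())
        acls.append((what, [tuple(b.split()) for b in bys]))
    return acls

def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):  # attribute selector: any entry, only these attrs
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    base = re.fullmatch(r'dn\.sub="(.*)"', what).group(1).lower()  # subtree incl. base
    return target_dn.lower() == base or target_dn.lower().endswith("," + base)

def who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if requester_dn is None:  # anonymous matches neither 'self' nor a dn= clause
        return False
    if who == "self":
        return requester_dn.lower() == target_dn.lower()
    return requester_dn.lower() == re.fullmatch(r'dn="(.*)"', who).group(1).lower()

def access(acls, requester_dn, target_dn, attr=None):
    """First directive whose <what> matches decides; inside it the first <who> wins."""
    for what, bys in acls:
        if what_matches(what, target_dn, attr):
            for who, level in bys:
                if who_matches(who, requester_dn, target_dn):
                    return level
            return "none"  # directive matched but no <who> did: implicit 'by * none'
    return "none"          # a non-empty ACL list ends with implicit 'access to * by * none'
# Constructed slapd.conf fragment: the page's two rules ahead of 'access to *'
PAGE_ACLS = """access to attrs=loginShell,gecos
    by dn="cn=admin,dc=example,dc=com" write
    by self write
    by * read
access to dn.sub="ou=auth,dc=example,dc=com"
    by dn="cn=Manager,ou=auth,dc=example,dc=com" write
    by * read
access to *
    by dn="cn=admin,dc=example,dc=com" write
    by * read
"""
ACLS = parse_acl(PAGE_ACLS)
MANAGER = "cn=Manager,ou=auth,dc=example,dc=com"
ALICE, BOB = "uid=alice,ou=auth,dc=example,dc=com", "uid=bob,ou=auth,dc=example,dc=com"
```

Reordering ACLS so that 'access to *' comes first turns the self-write on loginShell into plain read, which is the misconfiguration the page's "before the 'access to *' entry" instruction avoids.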