Initial LDAP Setup for Debian 3.1 (Sarge)
Updated 2005-08-02 DanielDickinson
If you haven't already, read ["LDAPOverview"] first.
i. Install the OpenLDAP package [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=slapd slapd]
Do 'apt-get install slapd' answering the prompts as follows:
- For the DNS domain name, enter your domain name.
This will be translated from 'part1.part2.part3' to an LDAP base of 'dc=part1,dc=part2,dc=part3'.
For example, 'theend.ofthe.world' would become 'dc=theend,dc=ofthe,dc=world'.
- This becomes what is known as your ["BaseDN"].
For your organization you can enter any string; this becomes associated with the 'ou' field of your ["BaseDN"] record.
Next enter your LDAP administrator password twice. This will set the password for 'cn=admin,[["BaseDN"]]' and give 'cn=admin,[["BaseDN"]]' write access to everything in your LDAP tree.
Accept the default of No to the question about allowing the ["LDAPv2"] protocol.
ii. To get 'chsh' and 'chfn' to work for updating LDAP
Edit '/etc/ldap/slapd.conf' to allow access for users to update their loginShell and gecos entries by adding the following before the 'access to *' entry:
access to attrs=loginShell
        by dn="cn=admin,[["BaseDN"]]" write
        by self write
        by * read
access to attrs=gecos
        by dn="cn=admin,[["BaseDN"]]" write
        by self write
        by * read
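As an added example (not from this page or the Debian slapd package), a small Python checker for the ordering rule above: slapd evaluates 'access' directives first-match, so a per-attribute rule placed after 'access to *' is never consulted and chsh/chfn writes fail. The base DN 'dc=example,dc=org' and the two configuration texts are constructed for the example.

```python
import re

def domain_to_base_dn(domain):
    """The slapd debconf mapping: 'theend.ofthe.world' -> 'dc=theend,dc=ofthe,dc=world'."""
    return ",".join("dc=" + label for label in domain.split("."))

def parse_access_rules(conf_text):
    """Return [(target, [(who, level), ...]), ...] in file order."""
    # slapd.conf continues a directive on lines that start with whitespace: join them first.
    joined = re.sub(r"\n[ \t]+", " ", conf_text)
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments
        if not line.startswith("access to "):
            continue
        target, *clauses = line[len("access to "):].split(" by ")
        rules.append((target.strip(), [tuple(c.strip().rsplit(None, 1)) for c in clauses]))
    return rules

def check_self_service_acls(conf_text, attrs=("loginShell", "gecos")):
    """slapd applies 'access' directives first-match, so a per-attribute rule that
    follows 'access to *' is never consulted.  Report, per attribute, whether a
    rule granting 'by self write' exists AND precedes the catch-all."""
    rules = parse_access_rules(conf_text)
    catchall = next((i for i, (t, _) in enumerate(rules) if t == "*"), len(rules))
    result = {}
    for attr in attrs:
        hits = [i for i, (t, c) in enumerate(rules) if t == "attrs=" + attr and ("self", "write") in c]
        result[attr] = bool(hits) and hits[0] < catchall
    return result

# Constructed sample, not taken from a real server: the page's two rules placed
# before the catch-all, as the text instructs.
GOOD_CONF = """\
access to attrs=loginShell
        by dn="cn=admin,dc=example,dc=org" write
        by self write
        by * read
access to attrs=gecos
        by dn="cn=admin,dc=example,dc=org" write
        by self write
        by * read
access to *
        by dn="cn=admin,dc=example,dc=org" write
        by * read
"""
# The same rules appended after 'access to *': loads fine, but chsh/chfn writes fail.
_stanzas = GOOD_CONF.split("access to ")[1:]
BAD_CONF = "".join("access to " + s for s in (_stanzas[2], _stanzas[0], _stanzas[1]))
```

Run check_self_service_acls() against your own /etc/ldap/slapd.conf text after editing; both attributes should report True.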
iii. For better performance do more indexing than the default.
Modify /etc/ldap/slapd.conf to contain the following:
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index default sub
index uidNumber eq
index gidNumber eq
index mail,givenName eq,subinitial
index dc eq
iv. Update the LDAP indices
Make sure the indexes are updated by doing (as root):
# /etc/init.d/slapd stop
# slapindex
# /etc/init.d/slapd start
Important Note on [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=nscd nscd]
I highly recommend you do not install [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=nscd nscd] until after you have all your LDAP-based functionality working. This is because nscd (Name Service Caching Daemon) caches reads from the directory, which means that a change you make in the tree will not immediately be seen by your client.
See also: ["LDAP"], ?"LDAPAuthentication", ["LDAPMigrationTools"]
Previous: ?"LDAPOverview" |
Top: ["LDAP"] |
Next: ["LDAPMigrationTools"] |
Old: Configuring LDAP Authentication for Debian
OpenLDAPSetup
1. Install the ["OpenLDAP"] package [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=slapd slapd]
Do 'apt-get install slapd', answering prompts as required and generally picking defaults except where they are obviously examples.
2. Edit the LDAP configuration file
To make using LDAP utilities like 'ldapsearch' a little less painful, edit /etc/ldap/ldap.conf (installed by the 'libldap2' package on the stable (a.k.a. 'woody') distribution) to set:
BASE dc=<your>,dc=<domain>
URI ldap://localhost
3. To get 'chsh' and 'chfn' to work for updating LDAP, edit /etc/ldap/slapd.conf to allow access for users to update their loginShell and gecos entries by adding the following before the access to * entry:
access to attrs=loginShell
        by dn="cn=admin,dc=<your>,dc=<domain>" write
        by self write
        by * read
access to attrs=gecos
        by dn="cn=admin,dc=<your>,dc=<domain>" write
        by self write
        by * read
4. Tune your LDAP server performance
To improve LDAP performance, edit /etc/ldap/slapd.conf to set more indexes than the stable (a.k.a. 'woody') default of just objectClass (taken from the Mandrake documentation):
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenName eq,subinitial
5. Update the LDAP indexes
Make sure the indexes are updated by doing (as root):
# /etc/init.d/slapd stop
# slapindex
# /etc/init.d/slapd start
- ["LDAPAuthentication"]