Initial LDAP Setup for Debian 3.1 (Sarge)

If, read ["LDAPOverview"], you have not, do it now, you must.

Important Note On nscd

I highly recommend you do not install [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=nscd nscd] until after you have all your LDAP-based functionality working. This is because nscd (Name Service Caching Daemon) caches reads from the directory which means that a change you make in the tree will not be immediately seen by your client. That makes debugging very difficult and confusing. Trust me. On the other hand it does help system speed once you're done.

Install the OpenLDAP package slapd

Do 'apt-get install slapd' answering the prompts as follows:

  1. For the DNS domain name, enter your domain name.

    1. This will be translated from 'part1.part2.part3 to an LDAP base of 'dc=part1,dc=part2,dc=part3'.

    2. For example, 'theend.ofthe.world' would become 'dc=theend,dc=ofthe,dc=world'.

    3. This becomes what is known as your ["BaseDN"].

  2. For your organzation you can enter any string; this becomes associated the 'ou' field of your ["BaseDN"] record.

  3. Next enter your LDAP administrator password twice. This will set the password for 'cn=admin,[["BaseDN"]] and give 'cn=admin,[["BaseDN"]]' write access to everything in your LDAP tree.

  4. Accept the default of No to the question Allow LDAPv2 protocol

Edit the LDAP configuration file

To make using LDAP utilities like 'ldapsearch' a little less painful, edit /etc/ldap/ldap.conf (installed by the 'libldap2' package on the stable (a.k.a. 'woody') distribution) to set:

 BASE dc=<your>,dc=<domain>
 URI ldap://localhost

Configuring 'chsh' and 'chfn' to work with LDAP

Edit '/etc/ldap/slapd.conf' to allow access for users to update their loginShell and gecos entries by adding the following before the 'access to *' entry:

Skeleton

 access to attrs=loginShell,gecos
       by dn="cn=admin,[["BaseDN"]]" write
       by self write
       by * read

Example

 access to attrs=loginShell,gecos
       by dn="cn=admin,dc=example,dc=com" write
       by self write
       by * read

For better performance do more indexing than the default.

Modify /etc/ldap/slapd.conf to contain the following:

 index           objectClass            eq
 index          cn                      pres,sub,eq
 index          sn                      pres,sub,eq
 index          uid                     pres,sub,eq
 index          displayName             pres,sub,eq
 index          default                 sub
 index          uidNumber               eq
 index          gidNumber               eq
 index          mail,givenName          eq,subinitial
 index          dc                      eq

Update the LDAP indices

Make sure the indexes are updated by doing (as root):

  # /etc/init.d/slapd stop
  # slapindex
  # chown -R openldap:openldap /var/lib/ldap
  # /etc/init.d/slapd start

For SAMBA LDAP support

For Samba LDAP, slapd needs the Samba schema. The debian package seems to have a samba.schema file which is old and out of date, and a samba.schema.gz file which is actually the correct one. Do the following (as root):

# cd /usr/share/doc/samba-doc/examples/LDAP 
# gunzip samba.schema.gz 
# cp samba.schema /etc/ldap/schema/

Now add the following line to /etc/ldap/slapd.conf after the other includes:

include /etc/ldap/schema/samba.schema

And restart slapd:

# /etc/init.d/slapd restart

Access controls for subtree-specific LDAP Admins

If you choose to use ["LDAP"] for many functions, such having a single server for DNS, Authentication, and networking flat file database replacement, you may wish to have LDAP administrative users for each subtree in addition to the global admin (dn="cn=admin,[["BaseDN"]]"). The following example is useful when using a separate authentication tree which includes Samba.

Skeleton

 # The manager dn has full write access to the auth subtree
 # Everyone else has read access to not otherwise protected fields and entries
 access to dn.sub="ou=auth,[["BaseDN"]]"
         by dn="cn=Manager,ou=auth,[["BaseDN"]]" write
         by * read

Example

 # The manager dn has full write access to the auth subtree
 # Everyone else has read access to not otherwise protected fields and entries
 access to dn.sub="ou=auth,dc=example,dc=com"
         by dn="cn=Manager,ou=auth,dc=example,dc=com" write
         by * read

Previous: ?"LDAPOverview"

Top: ["LDAP"]

Next: ["LDAPMigrationTools"]

Updated 2005-08-02 by DanielDickinson (added new content; left old content at bottom of page). Updated 2006-04-30 by DonovanBaarda (tweaked new content; removed old content).