Initial LDAP Setup for Debian 3.1 (Sarge)
If, read ["LDAPOverview"], you have not, do it now, you must.
Important Note On nscd
I highly recommend you do not install [http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&keywords=nscd nscd] until after you have all your LDAP-based functionality working. This is because nscd (Name Service Caching Daemon) caches reads from the directory which means that a change you make in the tree will not be immediately seen by your client. That makes debugging very difficult and confusing. Trust me. On the other hand it does help system speed once you're done.
Install the OpenLDAP package slapd
Do 'apt-get install slapd' answering the prompts as follows:
- For the DNS domain name, enter your domain name.
This will be translated from 'part1.part2.part3 to an LDAP base of 'dc=part1,dc=part2,dc=part3'.
For example, 'theend.ofthe.world' would become 'dc=theend,dc=ofthe,dc=world'.
- This becomes what is known as your ["BaseDN"].
For your organzation you can enter any string; this becomes associated the 'ou' field of your ["BaseDN"] record.
Next enter your LDAP administrator password twice. This will set the password for 'cn=admin,[["BaseDN"]] and give 'cn=admin,[["BaseDN"]]' write access to everything in your LDAP tree.
Accept the default of No to the question Allow LDAPv2 protocol
Edit the LDAP configuration file
To make using LDAP utilities like 'ldapsearch' a little less painful, edit /etc/ldap/ldap.conf (installed by the 'libldap2' package on the stable (a.k.a. 'woody') distribution) to set:
BASE dc=<your>,dc=<domain> URI ldap://localhost
Configuring 'chsh' and 'chfn' to work with LDAP
Edit '/etc/ldap/slapd.conf' to allow access for users to update their loginShell and gecos entries by adding the following before the 'access to *' entry:
access to attrs=loginShell,gecos by dn="cn=admin,[["BaseDN"]]" write by self write by * read
access to attrs=loginShell,gecos by dn="cn=admin,dc=example,dc=com" write by self write by * read
For better performance do more indexing than the default.
Modify /etc/ldap/slapd.conf to contain the following:
index objectClass eq index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index default sub index uidNumber eq index gidNumber eq index mail,givenName eq,subinitial index dc eq
Update the LDAP indices
Make sure the indexes are updated by doing (as root):
# /etc/init.d/slapd stop # slapindex # chown -R openldap:openldap /var/lib/ldap # /etc/init.d/slapd start
For SAMBA LDAP support
For Samba LDAP, slapd needs the Samba schema. The debian package seems to have a samba.schema file which is old and out of date, and a samba.schema.gz file which is actually the correct one. Do the following (as root):
# cd /usr/share/doc/samba-doc/examples/LDAP # gunzip samba.schema.gz # cp samba.schema /etc/ldap/schema/
Now add the following line to /etc/ldap/slapd.conf after the other includes:
And restart slapd:
# /etc/init.d/slapd restart
Access controls for subtree-specific LDAP Admins
If you choose to use ["LDAP"] for many functions, such having a single server for DNS, Authentication, and networking flat file database replacement, you may wish to have LDAP administrative users for each subtree in addition to the global admin (dn="cn=admin,[["BaseDN"]]"). The following example is useful when using a separate authentication tree which includes Samba.
# The manager dn has full write access to the auth subtree # Everyone else has read access to not otherwise protected fields and entries access to dn.sub="ou=auth,[["BaseDN"]]" by dn="cn=Manager,ou=auth,[["BaseDN"]]" write by * read
# The manager dn has full write access to the auth subtree # Everyone else has read access to not otherwise protected fields and entries access to dn.sub="ou=auth,dc=example,dc=com" by dn="cn=Manager,ou=auth,dc=example,dc=com" write by * read