The C Shore
Daniel Dickinson's Website - Experimental

Debian OpenLDAP Setup

Initial LDAP Setup for Debian 3.1 (Sarge)

If you haven't read LDAPOverview, you probably should do so now.

Important note on nscd

I highly recommend you do not install nscd until after you have all your LDAP-based functionality working. This is because nscd (Name Service Caching Daemon) caches reads from the directory. This means that a change you make in the tree will not be immediately seen by your client. That makes debugging very difficult and confusing. (Trust me). On the other hand it does help speed things up once you're done.

i. Install the OpenLDAP package slapd

Run 'apt-get install slapd' and answer the prompts as follows:

  1. For the DNS domain name, enter your domain name.
    1. This will be translated from 'part1.part2.part3' to an LDAP base of 'dc=part1,dc=part2,dc=part3'
    2. For example, 'theend.ofthe.world' would become 'dc=theend,dc=ofthe,dc=world'
    3. This becomes what is known as your BaseDN
  2. For your organization you can enter any string; this becomes associated with the 'ou' field of your BaseDN record
  3. Next enter your LDAP administrator password twice. This will set the password for 'cn=admin,[BaseDN]' and give 'cn=admin,[BaseDN]' write access to everything in your LDAP tree
  4. Accept the default of No to the question "Allow LDAPv2 protocol"

ii. Configuring 'chsh' and 'chfn' to work with LDAP

Edit '/etc/ldap/slapd.conf' to allow users to update their own loginShell and gecos attributes by adding the following before the 'access to *' entry:

Remember the first access control that matches, reading from the top down, is the entry that will be used. See OpenLDAP Access Control Lists for more details.

Skeleton

 access to attrs=loginShell
        by dn="cn=admin,[BaseDN]" write
        by self write
        by * read

 access to attrs=gecos
        by dn="cn=admin,[BaseDN]" write
        by self write
        by * read

Example

 access to attrs=loginShell
        by dn="cn=admin,dc=example,dc=com" write
        by self write
        by * read

 access to attrs=gecos
        by dn="cn=admin,dc=example,dc=com" write
        by self write
        by * read

iii. For better performance, do more indexing than the default

Modify /etc/ldap/slapd.conf to contain the following index directives:

 index   objectClass       eq
 index   cn                pres,sub,eq
 index   sn                pres,sub,eq
 index   uid               pres,sub,eq
 index   displayName       pres,sub,eq
 index   default           sub
 index   uidNumber         eq
 index   gidNumber         eq
 index   mail,givenName    eq,subinitial
 index   dc                eq

iv. Update the LDAP indices

Make sure the indexes are rebuilt by running (as root):

  # /etc/init.d/slapd stop
  # slapindex
  # /etc/init.d/slapd start

Access controls for subtree-specific LDAP Admins

If you choose to use LDAP for many functions, such as having a single server for DNS, authentication, and replacement of the networking flat-file databases, you may wish to have an LDAP administrative user for each subtree in addition to the global admin (dn="cn=admin,[BaseDN]"). The following example is useful when using a separate authentication tree that includes Samba.

Remember the first access control that matches, reading from the top down, is the entry that will be used. See OpenLDAP Access Control Lists for more details.

Skeleton

 # The manager dn has full write access to the auth subtree
 # Everyone else has read access to not otherwise protected fields and entries
 access to dn.sub="ou=auth,[BaseDN]"
         by dn="cn=Manager,ou=auth,[BaseDN]" write
         by * read

Example

 # The manager dn has full write access to the auth subtree
 # Everyone else has read access to not otherwise protected fields and entries
 access to dn.sub="ou=auth,dc=example,dc=com"
         by dn="cn=Manager,ou=auth,dc=example,dc=com" write
         by * read
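To make the "first matching access control wins" rule concrete for both the chsh/chfn clauses and the subtree-admin clause above, here is an added example; it is not from this page and not OpenLDAP's code. It is a small Python model of how slapd picks an access directive, covering only the syntax used on this page ('access to attrs=', 'access to dn.sub=', 'access to *', 'by dn=', 'by self', 'by *', and the read/write levels). It also derives a BaseDN from a domain name the way section i describes. All DNs in it are constructed from 'example.com', and it assumes (as Debian's installer sets it) that 'cn=admin,[BaseDN]' is the database rootdn, which slapd exempts from ACLs. Two things the ordering rule implies fall out of it: because the loginShell clause sits above the 'ou=auth' subtree clause, 'cn=Manager' only gets read on the loginShell attribute of entries in its own subtree, and moving 'access to *' to the top silences every clause below it. For authoritative answers on a real server, use slapacl(8).

```python
# Added example, not part of the original page or of OpenLDAP: a toy model of
# slapd's "first matching access directive wins" evaluation for the subset of
# slapd.conf ACL syntax used on this page. Real slapd supports far more targets,
# subjects and levels; use slapacl(8) against a real server for authoritative answers.
import re

LEVELS = {"none": 0, "read": 1, "write": 2}


def domain_to_basedn(domain):
    """Debian installer rule: 'part1.part2.part3' -> 'dc=part1,dc=part2,dc=part3'."""
    return ",".join("dc=" + part for part in domain.lower().split("."))


def norm_dn(dn):
    """Normalise a DN for comparison: lowercase, no spaces around commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def parse_acl(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into a list of
    (what_kind, what_value, [(who, level), ...]) in file order; '#' comments are ignored."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            what = line[len("access to "):].strip()
            if what == "*":
                clauses.append(("*", None, []))
            elif what.startswith("attrs="):
                clauses.append(("attrs", {a.strip().lower() for a in what[6:].split(",")}, []))
            elif what.startswith("dn.sub="):
                clauses.append(("dn.sub", norm_dn(what[7:].strip('"')), []))
            else:
                raise ValueError("unsupported target: " + what)
        else:
            m = re.match(r'by\s+(dn="[^"]*"|self|\*)\s+(none|read|write)$', line)
            if not m or not clauses:
                raise ValueError("unsupported line: " + line)
            who = m.group(1)
            if who.startswith("dn="):
                who = "dn=" + norm_dn(who[4:-1])   # strip dn="..." and normalise
            clauses[-1][2].append((who, m.group(2)))
    return clauses


def access_level(clauses, requester_dn, entry_dn, attr, rootdn=None):
    """Level granted to requester_dn on attr of entry_dn. The first directive whose
    target matches decides; within it the first matching 'by' decides, and if no
    'by' matches the implicit 'by * none' applies (later directives are not tried)."""
    req, ent = norm_dn(requester_dn), norm_dn(entry_dn)
    if rootdn and req == norm_dn(rootdn):
        return "write"  # slapd never applies ACLs to the database rootdn
    for kind, value, subjects in clauses:
        if kind == "attrs" and attr.lower() not in value:
            continue
        if kind == "dn.sub" and not (ent == value or ent.endswith("," + value)):
            continue
        for who, level in subjects:
            if who == "*" or (who == "self" and req == ent) or who == "dn=" + req:
                return level
        return "none"
    return "none"


def can(clauses, requester_dn, entry_dn, level, attr, rootdn=None):
    return LEVELS[access_level(clauses, requester_dn, entry_dn, attr, rootdn)] >= LEVELS[level]


# Constructed test tree; the page's [BaseDN] placeholder becomes dc=example,dc=com.
BASE = domain_to_basedn("example.com")
ADMIN = "cn=admin," + BASE             # assumption: Debian's slapd rootdn is cn=admin,[BaseDN]
MANAGER = "cn=Manager,ou=auth," + BASE
ALICE = "uid=alice,ou=people," + BASE
BOB = "uid=bob,ou=people," + BASE
HOST = "uid=host1$,ou=auth," + BASE    # e.g. a Samba machine account in the auth subtree

# The page's clauses, placed before the default 'access to *' as instructed.
GOOD_CONF = f'''
access to attrs=loginShell
       by dn="{ADMIN}" write
       by self write
       by * read

access to attrs=gecos
       by dn="{ADMIN}" write
       by self write
       by * read

# The manager dn has full write access to the auth subtree
access to dn.sub="ou=auth,{BASE}"
        by dn="{MANAGER}" write
        by * read

access to *
       by dn="{ADMIN}" write
       by * read
'''
GOOD_ACL = parse_acl(GOOD_CONF)
BAD_ACL = [GOOD_ACL[-1]] + GOOD_ACL[:-1]   # same directives, 'access to *' moved to the top


def evaluate(acl):
    """Answer a set of representative requests against one parsed ACL."""
    def q(who, entry, level, attr):
        return can(acl, who, entry, level, attr, rootdn=ADMIN)
    return {
        "alice_writes_own_shell":      q(ALICE, ALICE, "write", "loginShell"),
        "bob_writes_alice_shell":      q(BOB, ALICE, "write", "loginShell"),
        "bob_reads_alice_shell":       q(BOB, ALICE, "read", "loginShell"),
        "alice_writes_own_mail":       q(ALICE, ALICE, "write", "mail"),        # no self write for other attrs
        "manager_writes_auth_entry":   q(MANAGER, HOST, "write", "description"),
        "manager_writes_people_entry": q(MANAGER, ALICE, "write", "description"),
        "manager_writes_auth_shell":   q(MANAGER, HOST, "write", "loginShell"), # attrs clause above wins
        "admin_writes_auth_entry":     q(ADMIN, HOST, "write", "description"),  # rootdn bypass
    }


if __name__ == "__main__":
    for name, acl in (("page order", GOOD_ACL), ("'access to *' first", BAD_ACL)):
        print(name)
        for k, v in evaluate(acl).items():
            print(f"  {k:30s} {v}")
```

Run it as a script to see the two tables side by side; with the page's ordering, alice can change her own loginShell and bob cannot touch it, while with 'access to *' on top nobody but the rootdn can write anything. If the subtree manager is meant to set loginShell on accounts under ou=auth, the dn.sub clause has to come before the attribute clauses, or the attribute clauses need a 'by dn="cn=Manager,..." write' line of their own.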
