OpenLDAP is a free implementation of the Lightweight Directory Access Protocol (LDAP). These are some notes about its installation.
Under Debian, you need to install the following packages:
sudo apt-get install slapd ldap-utils
Modify /etc/ldap/slapd.conf so that it contains a configuration similar to this:
suffix "dc=example,dc=com"
rootdn "dc=example,dc=com"
rootpw password
index objectClass eq
You can change dc=example,dc=com as you wish, for example to match your domain name. The Debian installer should already have done it for you.
In this example, the directory layout is defined in an LDIF file, which is then passed as an argument to the ldapadd command.
Create a file named directory.ldif like this one:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Society, Inc.

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people
Then add the directory layout with:
ldapadd -D 'dc=example,dc=com' -f directory.ldif -W -x
The password asked for is the one set as rootpw in your slapd.conf. Now you can check that the entries have been added:
ldapsearch -b 'dc=example,dc=com' 'objectclass=*' -x
If everything went well, you should see something like this:
search: 2
result: 0 Success
Create a file named contact.ldif like this one:
dn: cn=John Doe,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: John Doe
gn: John
sn: Doe
mail: john.doe@example.com
physicalDeliveryOfficeName: Society, Inc.
postalAddress: 5, rue de Vaugirard
l: Paris
ou: people
st: Ile de France
postalCode: 75000
telephoneNumber: 555-555-5551
facsimileTelephoneNumber: 555-555-5552
mobile: 555-555-5553
homePhone: 555-555-5554
Then add your contacts with:
ldapadd -D 'dc=example,dc=com' -f contact.ldif -W -x
Check that all went well:
ldapsearch -b 'ou=people,dc=example,dc=com' '(objectclass=*)' -x
If you are using Debian woody, you will need to recompile OpenLDAP with TLS support. To make SSL/TLS work, you will need to create a certificate authority and certificates:
/usr/lib/ssl/misc/CA.sh -newca
Check that the Common Name of your certificate matches your LDAP server's domain name or hostname. This command has created a CA certificate, which you will find in the demoCA/ directory.
Now we generate a certificate request and private key for the server, and sign the request with the CA:
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
/usr/lib/ssl/misc/CA.sh -sign
Then move the certificates and the key into place:
cp demoCA/cacert.pem /etc/ssl/certs/ldap.cert
mv newcert.pem /etc/ssl/certs/ldap.csr
mv newreq.pem /etc/ssl/certs/ldap.key
chmod 600 /etc/ssl/certs/ldap.key
Then add to your /etc/ldap/slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCertificateFile /etc/ssl/certs/ldap.csr
TLSCertificateKeyFile /etc/ssl/certs/ldap.key
TLSCACertificateFile /etc/ssl/certs/ldap.cert
TLSVerifyClient allow
And this to /etc/ldap/ldap.conf:
TLS_CACERT /etc/ssl/certs/ldap.cert
TLS_REQCERT allow
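A review check over the slapd.conf and ldap.conf lines above, added here as an example and not part of the original notes: it parses the "Directive value" lines both files use and flags the settings a reviewer would question (a cleartext rootpw, a TLS_REQCERT value under which the client proceeds with a bad or missing server certificate, and a cipher string that does not exclude the SSLv2/SSLv3 cipher sets), first on the page's own values and then on a hardened variant. The parse_conf and audit helpers, the hardened values and the {SSHA} placeholder (standing in for real slappasswd output) are assumptions of this example.

```python
import re

# Constructed sample: the page's slapd.conf rootpw/TLS lines plus its two ldap.conf lines
PAGE_CONF = """\
rootpw password
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
TLSCertificateFile /etc/ssl/certs/ldap.csr
TLSCertificateKeyFile /etc/ssl/certs/ldap.key
TLSCACertificateFile /etc/ssl/certs/ldap.cert
TLSVerifyClient allow
TLS_CACERT /etc/ssl/certs/ldap.cert
TLS_REQCERT allow
"""

# The same directives with values a hardened setup would use (assumed; the rootpw
# hash is a placeholder standing in for real slappasswd output)
HARDENED_CONF = """\
rootpw {SSHA}PLACEHOLDER-OUTPUT-OF-slappasswd
TLSCipherSuite HIGH:!aNULL:!SSLv2:!SSLv3
TLSCertificateFile /etc/ssl/certs/ldap.csr
TLSCertificateKeyFile /etc/ssl/certs/ldap.key
TLSCACertificateFile /etc/ssl/certs/ldap.cert
TLSVerifyClient allow
TLS_CACERT /etc/ssl/certs/ldap.cert
TLS_REQCERT demand
"""

def parse_conf(text):
    """Both files use 'Directive value' lines and '#' comments; directive
    names are case-insensitive, so keys are lowercased."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return conf

def audit(conf):
    """Return the review findings for the parsed directives."""
    findings = []
    pw = conf.get("rootpw", "")
    if pw and not pw.startswith("{"):           # {SSHA}... and similar are hashed values
        findings.append("rootpw is stored in cleartext; use a slappasswd hash")
    if conf.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append("TLS_REQCERT lets the client proceed with an unverifiable "
                        "server certificate; set it to demand")
    for proto in ("SSLv2", "SSLv3"):  # cipher-list syntax: '!' or '-' drops a set, '+' only reorders it
        if re.search(rf"(?<![!-]){proto}\b", conf.get("tlsciphersuite", "")):
            findings.append(f"TLSCipherSuite keeps {proto} ciphers; use !{proto}")
    return findings
```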
Then modify the /etc/init.d/slapd script so that the slapd command in it becomes:
start-stop-daemon --start --quiet [..] --exec /usr/sbin/slapd -- -h "ldap://0.0.0.0 ldaps://0.0.0.0" [..]
In the newer version of the script shipped with Debian sarge you will not find that command to replace. As the newer script is more generic, it is enough to put the line:
SLAPD_SERVICES="ldap:/// ldaps:///"
or alternatively:
SLAPD_SERVICES="ldap://yourhost:389/ ldaps://yourhost:636/"
somewhere at the beginning of the script.
Then restart your OpenLDAP server:
sudo /etc/init.d/slapd restart
We are now going to configure Thunderbird 0.6 to access our LDAP directory.
You can verify that the connection works simply by writing a new mail and typing, in the To: field, the beginning of the name of one of your contacts.
You should then get a list of matching people taken from the LDAP directory.