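====== Install and Configure OpenLDAP ======

Here is the slapd.conf afternet uses for reference:

# load syncrepl provider support, replacing slurpd
#moduleload syncprov

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/inetorganon.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses
#schemacheck on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
# 1 trace function calls
# 2 debug packet handling
# 4 heavy trace debugging
# 8 connection management
# 16 print out packets sent and received
# 32 search filter processing
# 64 configuration file processing
# 128 access control list processing
# 256 stats log connections/operations/results
# 512 stats log entries sent
# 1024 print communication with shell backends
# 2048 entry parsing
#loglevel 392
#loglevel 2043
#loglevel 0
#loglevel 64
#loglevel any
# NOTE(review): 14 = 2 + 4 + 8 (packet handling, heavy trace, connection
# management) is a debugging level and is very verbose on a busy server;
# 256 (stats) is the level normally kept on in production.
loglevel 14
#loglevel 184

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb

#######################################################################
# SSL:

# Uncomment the following lines to enable SSL and use the default
# snakeoil certificates.
# (The three lines below are already enabled here with afternet's own
# certificates; keep the private key file readable only by the
# account slapd runs as.)
TLSCACertificateFile /etc/ssl/certs/afternet.pem
TLSCertificateFile /etc/ssl/certs/ssl-ldap1bare.pem
TLSCertificateKeyFile /etc/ssl/private/ssl-ldap1.key

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#cachesize 1000000
#dbcachesize 10000000

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# syncrepl provider for this database (replication consumers bind as
# cn=replicator, see the ACLs below)
modulepath /usr/lib/ldap
moduleload syncprov
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# The base of your directory in database #1
suffix "dc=afternet,dc=org"
checkpoint 512 30

rootdn "cn=admin,dc=afternet,dc=org"
# rootpw accepts a hashed value (e.g. the {SSHA} output of slappasswd(8));
# store the hash rather than a cleartext password, and keep this file
# readable only by root and the slapd user.
rootpw *********

# Where the database files are physically stored for database #1
directory "/var/lib/ldap"

# Indexing options for database #1
index objectClass,uid,userPassword,mail eq

# Save the time that the entry gets modified, for database #1
lastmod on

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
# ("by anonymous auth" lets unauthenticated clients use the attribute
# for a simple bind without reading it; "by * none" hides it from
# everyone else)
access to attrs=userPassword
    by dn="cn=admin,dc=afternet,dc=org" write
    by dn="uid=rubin,ou=Users,dc=afternet,dc=org" write
    by dn="cn=replicator,dc=afternet,dc=org" read
    by anonymous auth
    by self write
    by * none

# mail is hidden from anonymous and from other users; sympa (the list
# manager) and the replicator may read it
access to attrs=mail
    by dn="cn=admin,dc=afternet,dc=org" write
    by dn="cn=sympa,dc=afternet,dc=org" read
    by dn="uid=rubin,ou=Users,dc=afternet,dc=org" write
    by dn="cn=replicator,dc=afternet,dc=org" read
    by anonymous none
    by self write
    by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base=""
    by * read

# The admin dn has full write access, everyone else
# can read everything.
# NOTE(review): "by * read" includes anonymous clients, so every
# attribute not covered by the ACLs above is readable without a bind,
# and with "sizelimit unlimited" below an anonymous client can list the
# whole tree. This relies on plain ldap being bound to localhost and the
# ldaps port being firewalled to trusted hosts, as described below;
# "by users read" would restrict reads to authenticated binds instead.
access to *
    by dn="cn=admin,dc=afternet,dc=org" write
    by dn="uid=rubin,ou=Users,dc=afternet,dc=org" write
    by dn="cn=replicator,dc=afternet,dc=org" read
    by * read

# The server does not request client certificates
TLSVerifyClient never
# No cap on the number of entries returned per search (see the ACL
# note above)
sizelimit unlimited

In /etc/default/slapd, variables are defined for ubuntu's init scripts to run slapd with arguments. Mainly you need to tell it to listen on all interfaces for ldaps. We use something like this to make ldap available to localhost, and ldaps available everywhere. We then use IPTABLES to restrict the ldaps port to our trusted other hosts:

# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"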