003. OpenLDAP Post Install

Introduction

Here I will try to document all my customizations for a new OpenLDAP server.

Prerequisite

Post Installation

Configure access to cn=config by your root user

  • In phpLDAPadmin, log in as cn=config
  • Go to cn=config -> olcDatabase={0}config
  • Add your LDAP root DN to the olcAccess value
{0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.base="cn=root,dc=humus234,dc=com" manage by * none

Configure access to the monitor database so we can monitor the OpenLDAP server

  • In phpLDAPadmin, log in as cn=config or with your DN
  • Go to cn=config -> olcDatabase={1}monitor
  • Change the root DN in the olcAccess value to your LDAP root DN
{0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read  by dn.base="cn=root,dc=humus234,dc=com" read  by * none

Now you can log in to your LDAP domain using your root DN and click on the monitor entry to see the monitor DB data of your OpenLDAP server.

Configure the log level of the OpenLDAP server

  • In phpLDAPadmin, log in as cn=config
  • Go to cn=config
  • Click on “Add new attribute”
  • Choose olcLogLevel and enter stats for basic stats logging
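The three cn=config changes above (root DN access to {0}config, read access to {1}monitor, olcLogLevel stats) done with ldapmodify over ldapi instead of phpLDAPadmin, as an added example that is not code from the original post. It assumes the root DN used on this page and the openldap-clients tools on the server, and it ends by checking that an anonymous search of cn=config returns nothing.

```shell
#!/bin/sh
# Added example (not from the original post): the three cn=config changes
# above via ldapmodify over ldapi, then a check that anonymous clients still
# get nothing from cn=config. ROOT_DN is the root DN used on this page.
ROOT_DN="cn=root,dc=humus234,dc=com"
LOCAL_ROOT='dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"'
# "replace" overwrites the whole olcAccess list, so the local-root (ldapi +
# SASL EXTERNAL) rule stays first: it is the way back in if the root DN rule
# is ever mistyped.
config_acl_ldif() {
  cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by $LOCAL_ROOT manage by dn.base="$ROOT_DN" manage by * none

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by $LOCAL_ROOT read by dn.base="$ROOT_DN" read by * none

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
}
# Every generated rule must end with an explicit "by * none" so a reviewer
# can see at a glance that nobody else is granted anything.
acl_denies_others() {
  config_acl_ldif | grep '^olcAccess:' | grep -vq 'by \* none$' && return 1
  return 0
}
apply_and_verify() {
  config_acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:/// -Q || return 1
  # An anonymous search must return no entries under cn=config.
  if ldapsearch -x -LLL -H ldapi:/// -b cn=config dn 2>/dev/null | grep -q '^dn:'; then
    echo "anonymous can still read cn=config" >&2
    return 1
  fi
  echo "ACLs applied; anonymous access to cn=config is denied"
}
acl_denies_others || { echo "generated ACL lacks 'by * none'" >&2; exit 1; }
case "${1:-}" in
  apply) apply_and_verify ;;
  *) config_acl_ldif ;;        # dry run: print the LDIF for review
esac
```

Run it without arguments to print the LDIF for review, and with apply (as root, so the ldapi EXTERNAL bind works) to change the running server.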

Change database directory

You can change your database directory to a newly mounted disk to get better performance.

  • In phpLDAPadmin
  • Go to cn=config -> olcDatabase={2}hdb
  • Change olcDbDirectory to your new mounted folder

Change database cache size

You can change the number of entries in the in-memory entry cache maintained by your DB.

  • In phpLDAPadmin
  • Go to cn=config -> olcDatabase={2}hdb
  • Change olcDbCacheSize to your needs

Change database cache size for indexes

You can change the size, in index slots, of the in-memory index (IDL) cache maintained by your DB.

  • In phpLDAPadmin
  • Go to cn=config -> olcDatabase={2}hdb
  • Change olcDbIDLcacheSize to your needs

Specify indices

You can specify the indices to maintain for a given attribute.

  • In phpLDAPadmin
  • Go to cn=config -> olcDatabase={2}hdb
  • Add the following values to olcDbIndex
olcDbIndex: default pres,eq
olcDbIndex: uid
olcDbIndex: cn,sn pres,eq,sub
olcDbIndex: objectClass eq

Change database configuration setting

You can change specific database configuration settings to get more performance. Ideally you should set the DB cache size to be as large as your database's working set, the log buffer size should be large enough for most transactions without overflowing, and the log directory should be on a separate physical disk from the main database files.

  • In phpLDAPadmin
  • Go to cn=config -> olcDatabase={2}hdb
  • Add the following values to olcDbConfig:
{0}set_cachesize 0 10485760 0
{1}set_lg_bsize 2097152
{2}set_lg_dir /var/db/disk2/bdb-log
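The olcDatabase={2}hdb tuning above (entry cache, IDL cache, indexes and olcDbConfig) as one ldapmodify, an added example that is not part of the original post. It uses the page's values, assumes the openldap-clients tools on the server and an existing log directory, and leaves olcDbDirectory alone because moving the database files is done with slapd stopped.

```shell
#!/bin/sh
# Added example (not from the original post): olcDatabase={2}hdb tuning from
# the steps above in one ldapmodify, read back afterwards. olcDbDirectory is
# left out: moving the database files is done with slapd stopped.
DB_DN='olcDatabase={2}hdb,cn=config'
ENTRY_CACHE=${ENTRY_CACHE:-1000}
IDL_CACHE=${IDL_CACHE:-3000}
LOG_DIR=${LOG_DIR:-/var/db/disk2/bdb-log}
hdb_tuning_ldif() {
  cat <<EOF
dn: $DB_DN
changetype: modify
replace: olcDbCacheSize
olcDbCacheSize: $ENTRY_CACHE
-
replace: olcDbIDLcacheSize
olcDbIDLcacheSize: $IDL_CACHE
-
replace: olcDbIndex
olcDbIndex: default pres,eq
olcDbIndex: uid
olcDbIndex: cn,sn pres,eq,sub
olcDbIndex: objectClass eq
-
replace: olcDbConfig
olcDbConfig: {0}set_cachesize 0 10485760 0
olcDbConfig: {1}set_lg_bsize 2097152
olcDbConfig: {2}set_lg_dir $LOG_DIR
EOF
}
# Checks before applying: the IDL cache must not be smaller than the entry
# cache (the post's backend uses three times it), and the objectClass eq
# index, which slapd relies on for most searches, must survive the replace.
tuning_is_sane() {
  [ "$IDL_CACHE" -ge "$ENTRY_CACHE" ] || return 1
  hdb_tuning_ldif | grep -q '^olcDbIndex: objectClass eq$'
}
apply_and_show() {
  [ -d "$LOG_DIR" ] || { echo "create $LOG_DIR on its own disk first" >&2; return 1; }
  hdb_tuning_ldif | ldapmodify -Y EXTERNAL -H ldapi:/// -Q || return 1
  ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -Q -b "$DB_DN" \
    olcDbCacheSize olcDbIDLcacheSize olcDbIndex olcDbConfig
}
tuning_is_sane || { echo "refusing: check the cache sizes and indexes" >&2; exit 1; }
case "${1:-}" in
  apply) apply_and_show ;;
  *) hdb_tuning_ldif ;;        # dry run: print the LDIF for review
esac
```

Override ENTRY_CACHE, IDL_CACHE and LOG_DIR in the environment to fit your own working set; run with apply as root to change the live server.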

Please visit http://www.openldap.org for more information about OpenLDAP project.

002. phpLDAPadmin Installation

Introduction

phpLDAPadmin is a web-based LDAP client. It provides an easy management interface for LDAP servers.

You can use phpLDAPadmin to manage different LDAP servers, but in this guide I will assume phpLDAPadmin is used to manage an OpenLDAP server.

Tested On

OS: CentOS 6.3 x86_64
OpenLDAP version: slapd 2.4.23
phpLDAPadmin version: 1.2.2
Hardware: Virtual Machine (VirtualBox 4.2.4)

Prerequisite

  • Check that you have access to your OpenLDAP server schema using an anonymous bind
ldapsearch -xLLLh localhost -b '' -s base subschemaSubentry

Procedure

  • Install EPEL repository
rpm -ihv http://mirror.switch.ch/ftp/mirror/epel/6/i386/epel-release-6-7.noarch.rpm
  • Install phpLDAPadmin
yum install phpldapadmin -y
  • Configure phpLDAPadmin to use the Distinguished Name (DN) as the login attribute (comment out the configuration line for the uid login attribute)
vi /etc/phpldapadmin/config.php
...
// $servers->setValue('login','attr','uid');
...
  • Start Apache and configure it to start at boot
service httpd start
chkconfig httpd on
  • Browse to the phpLDAPadmin application at http://phpldapadmin-server-ip/phpldapadmin, log in with your admin DN (e.g. cn=root,dc=humus234,dc=com) and password, and start managing your OpenLDAP server using phpLDAPadmin

Managing OpenLDAP configuration through phpLDAPadmin

If you want to manage your OpenLDAP dynamic configuration (slapd.d directory) using phpLDAPadmin you need to do the following:

  • Generate a new password hash for cn=config
slappasswd -h {MD5}
  • Create the following LDIF file, which adds a root password to the cn=config database. Copy the password hash generated in the previous step into the olcRootPW attribute.
vi /tmp/add_admin.ldif
dn: cn=config
changetype: modify

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {MD5}vJ5A/BrpqbnekVueDrcXiQ==
  • As the root user, add the new LDIF file to the OpenLDAP configuration
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/add_admin.ldif
  • Check the OpenLDAP configuration for the new cn=config olcRootPW attribute
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | less
  • Configure the LDAP base DNs in the phpLDAPadmin configuration file. If you don't do this, phpLDAPadmin will not recognize the cn=config domain
vi /etc/phpldapadmin/config.php
/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
   auto-detect it for you. */
// $servers->setValue('server','base',array(''));
$servers->setValue('server','base',array('cn=config','dc=humus234,dc=com'));
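The cn=config root password steps above (slappasswd, add_admin.ldif, ldapadd, ldapsearch) done from the shell, as an added example that is not code from the original post. It refuses anything that is not a {SCHEME}hash before it goes into olcRootPW, uses replace instead of add so re-running it updates the value instead of failing, and finishes with an ldapwhoami bind as cn=config to prove the password works. It assumes slappasswd and the openldap-clients tools on the server; the sample hash is the one printed in the post and is used only for the dry run.

```shell
#!/bin/sh
# Added example (not from the original post): set the cn=config root password
# from the shell. Refuses plaintext, uses replace so re-running updates the
# value, and proves the result with a bind as cn=config. Assumes slappasswd
# and the openldap-clients tools; SCHEME is the post's choice of {MD5}.
SCHEME='{MD5}'
EXAMPLE_HASH='{MD5}vJ5A/BrpqbnekVueDrcXiQ=='   # the hash printed in the post; dry run only

# olcRootPW should hold an RFC 2307 style "{SCHEME}value"; anything else is
# stored, and compared, as a plaintext password.
is_hashed_password() {
  printf '%s' "$1" | grep -Eq '^[{][A-Z0-9-]+[}][^[:space:]]+$'
}

# One modify record for olcDatabase={0}config (the empty "dn: cn=config"
# record in the post's file is a no-op and is dropped here).
config_rootpw_ldif() {
  is_hashed_password "$1" || { echo "refusing: not a {SCHEME}hash value" >&2; return 1; }
  printf 'dn: olcDatabase={0}config,cn=config\nchangetype: modify\n'
  printf 'replace: olcRootPW\nolcRootPW: %s\n' "$1"
}

apply_and_check() {
  hash=$(slappasswd -h "$SCHEME") || return 1     # prompts twice for the new password
  config_rootpw_ldif "$hash" | ldapmodify -Y EXTERNAL -H ldapi:/// -Q || return 1
  ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -Q -b 'olcDatabase={0}config,cn=config' olcRootPW
  # The check that matters: a simple bind as cn=config with the password just set.
  ldapwhoami -x -H ldapi:/// -D cn=config -W
}

case "${1:-}" in
  apply) apply_and_check ;;
  *) config_rootpw_ldif "${1:-$EXAMPLE_HASH}" ;;   # dry run: print the LDIF
esac
```

Run without arguments (or with a hash of your own) to print the LDIF; run with apply as root to set the password on the live server.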

Browse to the phpLDAPadmin application at http://phpldapadmin-server-ip/phpldapadmin, log in with the cn=config DN and password, and start configuring your OpenLDAP server using phpLDAPadmin.

Please visit http://phpldapadmin.sourceforge.net for more information about phpLDAPadmin project.

001. OpenLDAP Server Installation

Introduction

OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol. You can use it when you need data to be centrally managed, stored and accessible via a standards-based method. Some common use cases are: user and group management and authentication, address books, telephony information stores and more.

Tested On

OS: CentOS 6.3 x86_64
OpenLDAP version: slapd 2.4.23
Hardware: Virtual Machine (VirtualBox 4.2.4)

Procedure

  • Install OpenLDAP server and client
yum install openldap-servers openldap-clients -y
  • Remove the default configured backend
rm -f /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
  • Start the slapd service and configure it to start on reboot
service slapd start
chkconfig slapd on
  • Create a new backend configuration file (change olcSuffix, olcRootDN and olcRootPW to your needs)
vi /tmp/backend.ldif
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=humus234,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=root,dc=humus234,dc=com
olcRootPW: secret
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 10
olcDbConfig: set_cachesize 0 10485760 0
olcDbConfig: set_lg_bsize 2097152
olcDbIDLcacheSize: 3000
olcDbIndex: objectClass eq
  • Add the new backend configuration file to OpenLDAP
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/backend.ldif
  • Create an LDIF file with the first entries for your new backend (change the dn and userPassword to match your backend configuration)
vi /tmp/first_entries.ldif
# Create top-level object in domain
dn: dc=humus234,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Humus234 Organization
dc: Humus234
description: LDAP Humus234

# Admin user.
dn: cn=root,dc=humus234,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: root
description: LDAP administrator
userPassword: secret
  • Add the new entries file to OpenLDAP
ldapadd -x -D cn=root,dc=humus234,dc=com -W -f /tmp/first_entries.ldif

Useful Commands

  • Search for your entries in the OpenLDAP backend
ldapsearch -xLLL -b "dc=humus234,dc=com"
  • Check the OpenLDAP configuration
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

OpenLDAP installation completed. You can now install phpLDAPadmin as a web client interface to manage your OpenLDAP server.

Here is a link for phpLDAPadmin installation.

Please visit http://www.openldap.org/ for more information about OpenLDAP project.