This is a one-stop LDAP (Lightweight Directory Access Protocol) installation, configuration and testing page. This page is intended to get you started on LDAP quickly and easily.
1. Install the LDAP software

In other words, install the software provided by the OpenLDAP project. On FreeBSD systems, simply go to /usr/ports/net/ and install the OpenLDAP client and server ports. For example:

/usr/ports/net/openldap24-server> sudo make install clean
/usr/ports/net/openldap24-client> sudo make install clean

The OpenLDAP server port provides two major components: the OpenLDAP server "slapd" and the LDIF tools (slapadd, slapcat, slappasswd and friends) for use with slapd.

2. Configure LDAP

For security reasons we should use TLS with OpenLDAP; without it, bind passwords and everything you search for cross the network in cleartext. However, we have found that not all applications support TLS. If you need to use such an application with LDAP, run it on the same server that hosts LDAP so that its cleartext binds never leave the host (see the note on ssf and ldapi:// in 2.a).

If you don't need TLS support, simply skip section 2.a below.

2.a With TLS Support

Edit /usr/local/etc/openldap/slapd.conf:

security ssf=128
TLSCertificateFile /path/to/your/cert.crt
TLSCertificateKeyFile /path/to/your/cert.key
TLSCACertificateFile /path/to/your/cacert.crt

"security ssf=128" makes slapd reject every operation on a connection whose security strength factor is below 128, that is, anything that has not negotiated TLS with at least a 128-bit cipher; such clients get "confidentiality required" (resultCode 13) instead of a cleartext bind. Note that this also rejects a non-TLS application on the same host that connects over ldap://localhost/, because a plain TCP connection has an SSF of 0. For that case give the application an ldapi:// socket and raise localSSF in slapd.conf to 128, rather than lowering the global ssf.

Generate certificates

[!] Make sure the certificates are in a folder that slapd can read (slapd runs as the ldap user on FreeBSD), and that the private key is readable by that user only.
% openssl genrsa -out cert.key 2048
Generating RSA private key, 2048 bit long modulus
....................++++++
...++++++
e is 65537 (0x10001)

[!] Use at least 2048 bits. 1024-bit RSA keys are below current minimums and current TLS stacks are starting to refuse them.

% openssl req -new -key cert.key -out cert.csr

[!] When creating cert.csr please make sure that the value of "Common Name" is the fully qualified domain name of the server which will host LDAP, for example server.example.com. Clients compare it with the host name in their ldap:// URI, and the TLS handshake fails if they differ. Newer clients look at the subjectAltName extension rather than the CN, so put the same name there too if your openssl configuration allows it.
% openssl x509 -req -in cert.csr -days 365 -signkey cert.key -out cacert.crt
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
Getting Private key

(The subject shown here is OpenSSL's default from pressing Enter at every prompt; yours should end in /CN=server.example.com.)

Finally, you should end up with the following three files:

cert.key    the private key (readable by the slapd user only)
cert.csr    the signing request (no longer needed once the certificate is issued)
cacert.crt  the self-signed certificate

Because the certificate is self-signed, it is both the server certificate and its own CA certificate: point TLSCertificateFile and TLSCACertificateFile in slapd.conf at the same file (or copy cacert.crt to cert.crt), and hand the same file to clients as their CA certificate.
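Once slapd is running (step 3) and ldap.conf is in place (step 4), the quickest check of this certificate is ldapsearch -x -ZZ as in step 5. The script below is an added example, not code from this page or from OpenLDAP: it performs the same exchange by hand with a minimal BER encoder, so you can see what -ZZ and -x do on the wire (a StartTLS ExtendedRequest, certificate and host-name verification against cacert.crt, then a simple BindRequest). The host name, port, CA file path and Manager DN/password in it are placeholders taken from this page's example configuration.

```python
"""Hand-rolled LDAPv3 probe: StartTLS, certificate verification, simple bind (added example)."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511 section 4.14

def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(tag, value):
    """Non-negative INTEGER/ENUMERATED; gets a leading zero byte when the top bit is set."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def bind_request(msg_id, dn=b"", password=b""):
    """BindRequest [APPLICATION 0] { version 3, name, simple [0] }; empty dn/password = anonymous."""
    op = tlv(0x60, ber_int(0x02, 3) + tlv(0x04, dn) + tlv(0x80, password))
    return tlv(0x30, ber_int(0x02, msg_id) + op)

def starttls_request(msg_id):
    """ExtendedRequest [APPLICATION 23] { requestName [0] OID }, wrapped in an LDAPMessage."""
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def read_tlv(buf, pos=0):
    """Return (tag, content, position after the element) for the element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_result(msg):
    """Decode a BindResponse (0x61) or ExtendedResponse (0x78) into
    (messageID, application tag, resultCode, diagnosticMessage)."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body)
    app_tag, op, _ = read_tlv(body, pos)
    _, code, pos = read_tlv(op)           # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)  # matchedDN, unused here
    _, diag, _ = read_tlv(op, pos)        # diagnosticMessage
    return (int.from_bytes(mid, "big"), app_tag,
            int.from_bytes(code, "big"), diag.decode("utf-8", "replace"))

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data

def recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = recv_exact(sock, 2)
    if head[1] & 0x80:
        head += recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + recv_exact(sock, length)

def probe(host, port=389, cafile=None, dn=b"", password=b""):
    """StartTLS (when cafile is given, verifying certificate and host name), then simple bind.
    Returns the bind resultCode: 0 success, 49 invalidCredentials, 13 confidentialityRequired."""
    sock = socket.create_connection((host, port), timeout=10)
    try:
        if cafile:
            sock.sendall(starttls_request(1))
            _, app, code, diag = parse_result(recv_message(sock))
            if app != 0x78 or code != 0:
                raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
            ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(bind_request(2, dn, password))
        _, app, code, _ = parse_result(recv_message(sock))
        if app != 0x61:
            raise RuntimeError("expected a BindResponse")
        return code
    finally:
        sock.close()

if __name__ == "__main__":
    # Placeholder values from this page's configuration; adjust to your setup.
    print(probe("server.example.com", 389, "/path/to/your/cacert.crt",
                b"cn=Manager,dc=example,dc=com", b"secret"))
```

Run it with a deliberately wrong password first: a 49 shows the bind reached slapd over TLS; a 13 (confidentialityRequired) means "security ssf=128" is in force and TLS was not negotiated; an ssl.SSLCertVerificationError means the certificate's name does not match the host name you connected to, or cacert.crt is not the certificate slapd is serving.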
3. Starting slapd

On FreeBSD systems, edit /etc/rc.conf:

slapd_enable="YES"

Then start slapd:

/usr/local/etc/rc.d/slapd start

Confirm that slapd is running:

% sockstat -4 -p 389
ldap slapd 3261 7 tcp4 *:389 *:*

If you didn't get any output from above, then try to run slapd directly with debug options:

/usr/local/libexec/slapd -d -1

The debugging output should help you isolate the cause of the failure. Sometimes slapd runs when executed directly but not from the rc startup script; a common reason is that the rc script runs it as the ldap user, which cannot read certificate or key files you created as root. The further testing below will help reveal such failures.

4. Further Configuration

Now that slapd is up and running, we will perform further configuration and then restart it.

Edit /usr/local/etc/openldap/ldap.conf to set up the client connection parameters:

BASE dc=example,dc=com
URI ldap://server.example.com/
TLS_CACERT /path/to/your/cacert.crt

--- or, without TLS support: ---

BASE dc=example,dc=com
URI ldap://server.example.com/

[!] "ssl start_tls" is a pam_ldap/nss_ldap directive, not an OpenLDAP one; OpenLDAP's own tools ignore it, so request TLS with the -Z/-ZZ command-line options shown in step 5. TLS_CACERT must point at the CA certificate (for the self-signed setup above, cacert.crt); without it the client cannot verify the server and -ZZ fails. Do not "fix" that with "TLS_REQCERT never", which disables verification entirely.

Generate the connection authorization information (the rootdn password hash):
% slappasswd -s secret
{SSHA}3t7MIHB3VSkuqBZtBs37qXzXnejQan8x

[!] -s puts the password on the command line, where it is visible in the process list and saved in your shell history; run slappasswd without -s and it prompts for the password instead. The hash is salted, so your output will differ from the one shown even for the same password.
Edit /usr/local/etc/openldap/slapd.conf
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}3t7MIHB3VSkuqBZtBs37qXzXnejQan8x
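To show what the {SSHA} value above is made of, and why the unsalted {SHA} form (which appears in the Redmine record at the end of this page) is weaker, here is an added Python example that is not part of this page or of OpenLDAP. It reproduces slappasswd's default construction, base64(SHA-1(password + salt) + salt) with a 4-byte salt, and verifies a password against either scheme the way slapd does at bind time. The salt value in the usage line is an arbitrary constant chosen for the example.

```python
"""Generate and verify OpenLDAP {SSHA} and {SHA} userPassword values (added example)."""
import base64
import hashlib
import hmac
import os

def make_ssha(password, salt=None):
    """Same construction slappasswd uses by default: {SSHA} + base64(sha1(pw + salt) + salt).
    The salt is 4 random bytes, so two runs for the same password give different values."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def make_sha(password):
    """Unsalted {SHA}: identical passwords give identical hashes, so one cracked
    value unlocks every account that shares it. Prefer make_ssha."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def verify(stored, password):
    """Check a cleartext password against a stored {SSHA} or {SHA} value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]   # SHA-1 is 20 bytes; the rest is the salt
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[5:])
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
    else:
        raise ValueError("unsupported password scheme in " + stored)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

if __name__ == "__main__":
    # Example salt is an arbitrary constant; in practice let make_ssha pick a random one.
    h = make_ssha("secret", salt=b"\x01\x02\x03\x04")
    print(h, verify(h, "secret"), verify(h, "Secret"))
```

verify() accepts the scheme prefix case-sensitively, which matches what slappasswd emits; slapd itself also understands {CRYPT}, {MD5} and others, but for new deployments {SSHA} (or {ARGON2}/{PBKDF2} where your build has the modules) is the one to use.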
Restart the slapd server
/usr/local/etc/rc.d/slapd restart

5. Sample Entries for Testing

Create a file called example.ldif with the following entries. Entries are separated by one blank line, and there must be no trailing spaces on any line (ldapadd is strict about both).

dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager

With TLS support run:

ldapadd -x -ZZ -D "cn=Manager,dc=example,dc=com" -W -f example.ldif

Without TLS support run:

ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif

-x selects a simple bind; without it the tools attempt a SASL bind and fail unless SASL is set up. -ZZ issues StartTLS and aborts if it cannot be negotiated; a single -Z would carry on in cleartext if StartTLS failed, which defeats the purpose.

You will be prompted for a password. Provide the password you used to generate the hash "{SSHA}3t7MIHB3VSkuqBZtBs37qXzXnejQan8x" for rootpw in step 4 above. Make sure the -D "cn=Manager,dc=example,dc=com" corresponds to the rootdn entry in your slapd.conf: rootdn "cn=Manager,dc=example,dc=com"

You should see:

adding new entry "dc=example,dc=com"
adding new entry "cn=Manager,dc=example,dc=com"

With TLS support run:

ldapsearch -x -ZZ -b 'dc=example,dc=com' '(objectclass=*)'

Without TLS support run:

ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'

The command above shows all entries in your LDAP tree. It binds anonymously, so it also shows what an unauthenticated client can read; tighten this with "access to" rules in slapd.conf before you load real data, because the default grants everyone read access.

6. More Testing with phpldapadmin

Installing phpLDAPadmin is a great way to experiment with LDAP. On FreeBSD, just run:

/usr/ports/net/phpldapadmin> sudo make install clean

We just create a symbolic link from the web hosting folder to phpldapadmin for our needs:

sudo ln -s ../../../phpldapadmin/ phpldapadmin

Make sure the PHP extensions it needs are installed, for example ldap and gettext. Edit config.php to suit your needs:

$ldapservers->SetValue($i,'server','host','server.example.com');

If using TLS, then also enable:

$ldapservers->SetValue($i,'server','tls',true);

[!] phpLDAPadmin logs in with the directory's own credentials and is a full administration interface to it; keep it off the public Internet, or at least behind HTTPS and web-server authentication.

Bonus Section: Redmine LDAP Authentication

If you are having fun so far, then continue to integrate Redmine authentication with LDAP :)

Create a record with the following objectClasses:
dn: cn=John Doe,ou=people,dc=dictm,dc=dk
cn: John Doe
objectclass: person
objectclass: top
objectclass: uidObject
sn: Doe
uid: john
userpassword: {SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=

[!] This record uses the author's own suffix (dc=dictm,dc=dk) and an ou=people container. Replace the suffix with yours (dc=example,dc=com in the examples above) and create the organizationalUnit ou=people before adding it. The userpassword value is an unsalted {SHA} hash; generate yours with slappasswd, which produces a salted {SSHA} value. Then confirm the password works before touching Redmine: ldapwhoami -x -D "cn=John Doe,ou=people,dc=dictm,dc=dk" -W (with your suffix).
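Both LDIF files on this page (example.ldif in step 5 and the Redmine record above) have to be typed exactly: one blank line between entries, a dn: line first, no trailing spaces, and base64 for any value that starts with a space, ':' or '<' or contains non-ASCII. The following added Python example, not from this page or from OpenLDAP, builds LDIF from Python data under those rules (RFC 2849) and lints a hand-written file for the mistakes ldapadd rejects most often. The entries inside it are the ones from this page.

```python
"""Build and lint LDIF for ldapadd (added example)."""
import base64
import re

# attribute description: name, optional ;options, then the colon
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*:")

def needs_base64(value):
    """RFC 2849: a value must be written as 'attr:: base64' when it starts with a space,
    ':' or '<', ends with a space, or contains NUL, CR, LF or non-ASCII characters."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) > 126 or c in "\x00\r\n" for c in value)

def ldif_entry(dn, attrs):
    """Render one entry; attrs is a list of (name, value) pairs, order preserved."""
    lines = []
    for name, value in [("dn", dn)] + list(attrs):
        if needs_base64(value):
            encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
            lines.append(f"{name}:: {encoded}")
        else:
            lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"

def ldif_file(entries):
    """Join entries with exactly one blank line between them."""
    return "\n".join(ldif_entry(dn, attrs) for dn, attrs in entries)

def lint_ldif(text):
    """Return [(line_number, message)] for the formatting errors ldapadd refuses."""
    problems = []
    at_entry_start = True  # true at file start and after each blank line
    for n, line in enumerate(text.split("\n"), 1):
        if line != line.rstrip():
            problems.append((n, "trailing whitespace"))
        if not line.strip():
            at_entry_start = True
            continue
        if line.startswith("#") or (n == 1 and line.startswith("version:")):
            continue
        if line.startswith("dn:") and not at_entry_start:
            problems.append((n, "new entry must be preceded by a blank line"))
        elif at_entry_start and not line.startswith("dn:"):
            problems.append((n, "entry must start with a dn: line"))
        if not line.startswith(" ") and not ATTR_RE.match(line):  # leading space = continuation
            problems.append((n, "not 'attribute: value'"))
        at_entry_start = False
    return problems

# The two entries from step 5 of this page, as Python data.
EXAMPLE_ENTRIES = [
    ("dc=example,dc=com", [("objectclass", "dcObject"), ("objectclass", "organization"),
                           ("o", "Example Company"), ("dc", "example")]),
    ("cn=Manager,dc=example,dc=com", [("objectclass", "organizationalRole"), ("cn", "Manager")]),
]

# The Redmine record from this page; the userpassword value is the one the page shows.
REDMINE_ENTRY = ("cn=John Doe,ou=people,dc=dictm,dc=dk", [
    ("cn", "John Doe"), ("objectclass", "person"), ("objectclass", "top"),
    ("objectclass", "uidObject"), ("sn", "Doe"), ("uid", "john"),
    ("userpassword", "{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg="),
])

if __name__ == "__main__":
    text = ldif_file(EXAMPLE_ENTRIES + [REDMINE_ENTRY])
    print(text)
    print("problems:", lint_ldif(text))
```

Feed an existing file through lint_ldif() before ldapadd; the line numbers it reports are the ones ldapadd's own "ldif_parse" errors refer to, and a trailing space on a dn: line is by far the most common cause of a confusing "invalid DN" message.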
On the Redmine admin side (this setup used LDAP without TLS), follow the steps below:
Bigger and greater LDAP things await us on the horizon, like centralized authentication for all kinds of applications and experiments with very large data sets (millions of phone book entries).

