slapd is OpenLDAPs implementation of a directory server.

We use it as directory complement for

  • The ?qmail-ldap Email server
  • The Dovecot IMAP server
  • ?OwnCloud/Nextcloud
  • Roundcube Webmail
  • The eJabberd XMPP server
  • Apache Basic Auth access
  • Pure-FTPd

We have one main directory server where all edits are done - there are not much. On each machine which needs directory services runs a ?consumer slapd instance which replicates from the main server.

For directory setup and maintenance we:

  • install the ?phpLDAPadmin web client on the main server
  • apt-get install ldapvi on each client machine
  • and use the JXplorer LDAP Browser on the desktop.

Installation

apt-get install slapd

During installation you are asked for the administrator password – have a good one handy and remember it, KeePass is your friend.

The ?basedn is set to the machines FQDNs domain part. This fails on typical Debian setups, resulting in a dc=nodomain basedn. Fix this with:

dpkg-reconfigure slapd

, discard the previous configuration and specify the domain manually.

You can wipe/remove the backups which are hold in /var/backups/slapd-* directories.

Setup Overview

  1. Bootstrap the main server
    • Set up TLS and disable insecure access
    • Create user directory and administrative accounts
    • Set up access control
    • Enable remote configuration
    • Set up the ?syncrepl provider role
    • Install additional schemas
  2. Install slapd on consumer server
    • Set up TLS and disable insecure access
    • Enable remote configuration
    • Set up access control
    • Configure syncrepl schema consumer
    • Configure syncrepl directory consumer
  3. Wash, rinse, repeat from step 2

Enable remote configuration

Default Debian access allows the root user to access the cn=config base of slapd from the commandline.

In order to access from remote, via add the admin user, created during installation the the access control rules. This must be done from the commandline as root, we use ldapvi for it.

ldapvi -Y EXTERNAL -b cn=config

This opens the complete cn=config LDAP tree as LDIF file in your default editor.

Find the line containing config,cn=config, it is the olcDatabaseConfig for the configuration. Add the following line after the default olcAccess entry:

olcAccess: {1}to * by dn.exact=cn=admin,dc=magma-soft,dc=at manage by * break

Save and exit.

Set up access control on consumer server

For a starter, we just don't want the directory content to be publically available.

The default Debian access is already protecting things like the userPassword attribute.

Look up the last olcAccess entry in the respective database configuration, e.g. {1}mdb,cn=config and change from ...to * by * read to ...to * by self read.

Add the required schemas

Since we will replicate the complete tree, all additional schemas must be present, else the replication will not work.

The qmail-ldap source tree contains the following schema files which are used at MagmaSoft:

  • qmail_schema.ldif
  • phpqladmin_schema.ldif
  • pureftpd_schema.ldif

Configure syncrepl directory consumer

On the provider slapd add a simpleSecurityObject:

cn=$(hostname),ou=syncrepl,dc=magma-soft,dc=at
userPassword=$(password)

On the olcDatabase configuration with the basedn, dc=magma-soft,dc=at , in attribute olcSuffix configure the following.

Add and olcDbIndex with value entryUUID eq to the database configuration.

Add an olcSyncrepl attribute.

rid=0
provider=ldaps://ldap.magma-soft.at
bindmethod=simple
binddn="cn=$(hostname),ou=syncrepl,dc=magma-soft,dc=at"
credentials=$(password)
searchbase="dc=magma-soft,dc=at"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncdata=accesslog

If the consumer does not have a valid TLS certificate, append tls_reqcert=never to the end of the olcSyncrepl attribute.

Then add ldaps://ldap.magma-soft.at as olcUpdateRef attribute to redirect updaters to the master.

Client default configuration

The file /etc/ldap/ldap.conf contains default settings for most of the client software.

We use these settings:

BASE    dc=magma-soft,dc=at
URI     ldapi:///

ToDo

  • Give access to base dn for everyone. Else one can't even connect.