slapd
is OpenLDAP's implementation of a directory server.
We use it as the directory backend for:
- The qmail-ldap email server
- The Dovecot IMAP server
- OwnCloud/Nextcloud
- Roundcube Webmail
- The eJabberd XMPP server
- Apache Basic Auth access
- Pure-FTPd
We have one main directory server where all edits are done; there are
not many. On each machine that needs directory services a consumer slapd
instance runs and replicates from the main server.
For directory setup and maintenance we:
- install the phpLDAPadmin web client on the main server,
- install ldapvi (apt-get install ldapvi) on each client machine, and
- use the JXplorer LDAP browser on the desktop.
Installation
apt-get install slapd ldapvi
During installation you are asked for the administrator password: have a good one handy and remember it, KeePass is your friend.
The basedn is derived from the domain part of the machine's FQDN. On a typical Debian setup this fails and you end up with a
dc=nodomain
basedn. Fix this with:
dpkg-reconfigure slapd
Discard the previous configuration when asked and specify the domain manually.
Afterwards you can delete the backups of the old configuration, which are kept in
/var/backups/slapd-*
directories.
The file /etc/ldap/ldap.conf contains the default settings for most of the client software.
We use these settings:
BASE dc=magma-soft,dc=at
URI ldapi:///
Setup Overview
- Bootstrap the main server
- Install slapd on the consumer server
- Set up TLS and disable insecure access
- Enable remote configuration
- Set up access control
- Configure syncrepl schema consumer
- Configure syncrepl directory consumer
- Wash, rinse, repeat from step 2 for the next consumer
Enable remote configuration
By default Debian only lets the local root user access the cn=config
database of slapd, from the command line via the ldapi:/// socket with SASL EXTERNAL authentication.
To reach it remotely as well, add the admin user created during
installation to the access control rules. This must be done from the
command line as root; we use ldapvi for it:
ldapvi -Y EXTERNAL -b cn=config
This opens the complete cn=config LDAP tree as an LDIF file in your
default editor.
Find the entry olcDatabase={0}config,cn=config, the database that holds
the configuration itself, and add the following line after its default
olcAccess value (the {1} index places it behind Debian's {0} rule for local root):
olcAccess: {1}to * by dn.exact=cn=admin,dc=magma-soft,dc=at manage by * break
Save and exit.
Set up access control on consumer server
For a start we just do not want the directory content to be publicly readable.
The default Debian rules already protect sensitive attributes such as
userPassword
(anonymous clients may only use it to authenticate).
Look up the last olcAccess
value in the respective database configuration, e.g. olcDatabase={1}mdb,cn=config,
and change it from ...to * by * read
to ...to * by self read
so that a bound user can read only their own entry.
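The two cn=config edits above (the remote-configuration rule and the consumer rule), as an added example that is not part of the original page: the same changes written as LDIF and applied with ldapmodify over the local ldapi:/// socket, i.e. the same SASL EXTERNAL root access that ldapvi uses, plus a check with ldapsearch. It assumes Debian's stock layout, olcDatabase={1}mdb for the directory with the last rule {2}to * by * read; if the check shows something else, adjust the values first. The extra dn.base rule is an addition that covers the ToDo at the end of the page: clients must be able to read the base entry, otherwise they cannot even connect.

```shell
#!/bin/sh
# Added example: apply the cn=config ACL changes with ldapmodify instead of
# editing interactively with ldapvi.  Assumes Debian defaults (olcDatabase={1}mdb,
# last rule "{2}to * by * read"); check first with: show_acls
set -eu

ADMIN_DN='cn=admin,dc=magma-soft,dc=at'   # admin DN created by debconf during install
BASE_DN='dc=magma-soft,dc=at'

# Main server: let the directory admin manage cn=config remotely (over ldaps,
# once TLS is set up).  {1} keeps Debian's {0} rule (local root via SASL
# EXTERNAL) in front of it.
config_acl_ldif() {
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to * by dn.exact="$ADMIN_DN" manage by * break
EOF
}

# Consumer: stop anonymous reads of the whole tree.  The delete names the exact
# current value, so ldapmodify fails (and changes nothing) if the ACL differs
# from the Debian default instead of silently removing the wrong rule.
# The dn.base rule is an addition beyond the page: clients still need to read
# the base entry itself, otherwise they cannot even connect (the page's ToDo).
consumer_acl_ldif() {
    cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}to * by * read
-
add: olcAccess
olcAccess: {2}to dn.base="$BASE_DN" attrs=entry,objectClass by * read
olcAccess: {3}to * by self read
EOF
}

# Show the current ACLs of all databases; run it before and after applying.
show_acls() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config \
        '(olcDatabase=*)' olcDatabase olcAccess
}

case "${1:-}" in
    config)   config_acl_ldif   | ldapmodify -Q -Y EXTERNAL -H ldapi:/// ;;
    consumer) consumer_acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:/// ;;
    show)     show_acls ;;
esac
```

Saved as a script and run as root, `show` prints the current rules, `config` applies the remote-configuration rule on the main server and `consumer` applies the consumer rule; run `show` again afterwards to confirm the order of the {n} indices, because slapd evaluates the first matching to-clause and a catch-all rule that ends up in front of the dn.base rule would lock anonymous clients out again.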
Add the required schemas
Since the complete tree is replicated, every additional schema loaded on the provider must also be loaded on the consumer; otherwise entries that use unknown object classes or attributes are rejected and replication stops.
The qmail-ldap source tree contains the following schema files, which are used at MagmaSoft:
qmail_schema.ldif
phpqladmin_schema.ldif
pureftpd_schema.ldif
Configure syncrepl directory consumer
On the provider slapd add a replication account for the consumer as a simpleSecurityObject
(this object class is auxiliary, so pair it with a structural class such as organizationalRole):
cn=$(hostname),ou=syncrepl,dc=magma-soft,dc=at
userPassword=$(password)
On the consumer, in the olcDatabase entry whose olcSuffix
attribute is dc=magma-soft,dc=at, configure the following.
Add an olcDbIndex
with the value entryUUID eq
to the database configuration.
Add an olcSyncrepl
attribute:
rid=0
provider=ldaps://ldap.magma-soft.at
bindmethod=simple
binddn="cn=$(hostname),ou=syncrepl,dc=magma-soft,dc=at"
credentials=$(password)
searchbase="dc=magma-soft,dc=at"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncdata=accesslog
If the consumer cannot validate the provider's certificate (for example a self-signed
or private-CA certificate whose CA is not installed on the consumer), replication fails at
the TLS handshake. Appending tls_reqcert=never
to the end of the olcSyncrepl
value makes it connect, but it switches certificate verification off: anyone who can
redirect the consumer's traffic can then impersonate the provider, collect the replication
credentials and feed the consumer a forged directory. Install the CA certificate on the
consumer instead and point tls_cacert= at it, keeping tls_reqcert=demand.
Then add ldaps://ldap.magma-soft.at
as olcUpdateRef
attribute so that write attempts against the consumer are
referred to the master.
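The consumer procedure above, as an added example that is not part of the original page: a script that generates the provider-side replication account and the consumer-side cn=config changes as LDIF and applies them with ldapadd/ldapmodify. It assumes the provider already runs syncprov with the accesslog overlay (the page's delta-syncrepl settings require it) and grants the replication DN read access to the tree and to cn=accesslog, that the consumer database is olcDatabase={1}mdb, and that the provider's CA certificate is in Debian's CA bundle /etc/ssl/certs/ca-certificates.crt; the hostname consumer1 and the passwords in the usage are constructed placeholders.

```shell
#!/bin/sh
# Added example: delta-syncrepl consumer setup from the page, written as LDIF.
# Assumptions: provider runs syncprov + accesslog and lets the replication DN
# read the tree and cn=accesslog; consumer database is olcDatabase={1}mdb;
# provider CA certificate is in the Debian CA bundle (CA_BUNDLE below).
set -eu

ADMIN_DN='cn=admin,dc=magma-soft,dc=at'
BASE_DN='dc=magma-soft,dc=at'
PROVIDER='ldaps://ldap.magma-soft.at'
CA_BUNDLE='/etc/ssl/certs/ca-certificates.crt'

# Provider side: one replication account per consumer, named after the host.
# simpleSecurityObject is auxiliary, so organizationalRole supplies the
# structural class.  $2 is the {SSHA} hash from: slappasswd -s "$password"
provider_ldif() {   # args: consumer hostname, password hash
    cat <<EOF
dn: ou=syncrepl,$BASE_DN
objectClass: organizationalUnit
ou: syncrepl

dn: cn=$1,ou=syncrepl,$BASE_DN
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: $1
userPassword: $2
EOF
}

# Consumer side: index entryUUID, add olcSyncrepl and refer writes to the
# provider.  The olcSyncrepl value is folded over LDIF continuation lines:
# the first leading space is the fold marker that LDIF strips, the second
# one is the separator between syncrepl keywords.  tls_cacert plus
# tls_reqcert=demand keeps certificate verification on (the page's
# tls_reqcert=never would turn it off).
consumer_ldif() {   # args: consumer hostname, replication password (cleartext)
    cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncrepl
olcSyncrepl: rid=0
  provider=$PROVIDER
  bindmethod=simple
  binddn="cn=$1,ou=syncrepl,$BASE_DN"
  credentials=$2
  searchbase="$BASE_DN"
  logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  schemachecking=on
  type=refreshAndPersist
  retry="60 +"
  syncdata=accesslog
  tls_cacert=$CA_BUNDLE
  tls_reqcert=demand
-
add: olcUpdateRef
olcUpdateRef: $PROVIDER
EOF
}

# provider: run on the main server, binds as the directory admin (prompts for
#           its password); -c continues past "already exists" for ou=syncrepl.
# consumer: run as root on the consumer, writes cn=config over ldapi:///.
case "${1:-}" in
    provider) provider_ldif "$2" "$(slappasswd -s "$3")" \
                  | ldapadd -c -x -D "$ADMIN_DN" -W -H ldapi:/// ;;
    consumer) consumer_ldif "$2" "$3" | ldapmodify -Q -Y EXTERNAL -H ldapi:/// ;;
esac
```

Usage: `sh syncrepl.sh provider consumer1 'replication-password'` on the main server, then `sh syncrepl.sh consumer consumer1 'replication-password'` on consumer1. Note that the credentials keyword stores the replication password in cleartext under /etc/ldap/slapd.d on the consumer, so keep that directory readable by root and openldap only (Debian's default) and use a separate password per consumer, so that a compromised consumer can be revoked on the provider without touching the others.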
ToDo
- Give everyone read access to the base DN; otherwise clients can't even connect.