OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP), which is used to access centrally stored information over a network. An LDAP server is mainly used as an address book and as an authentication backend for various services.
This setup was carried out for OpenLDAP 2.4.40 on Ubuntu 14.04, using Oracle JDK 7.
Prerequisite: a basic understanding of OpenLDAP terms and terminology is required to follow this blog.
Steps to Set Up OpenLDAP
1. Download OpenLDAP version 2.4.40 from its official website with the following command:
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.40.tgz
2. Unpack the downloaded file:
tar zxf openldap-2.4.40.tgz
3. Configure OpenLDAP
- Navigate to the directory the tarball unpacked into (cd openldap-2.4.40) and run ./configure in a terminal. Most probably you will get the error "configure: error: BDB/HDB: BerkeleyDB not available".
- To fix this we need to install Berkeley DB. Install its development package with the following command:
sudo apt-get install libdb-dev
4. After Berkeley DB has been installed successfully, re-run ./configure:
./configure
- Then build the software with the following commands:
make depend
make
5. Now install the software with the following command:
6. Create a directory for your base DN; it will hold the BDB files and indices for your domain:
sudo mkdir /usr/local/var/openldap-data/your-domain.com
7. OpenLDAP with a BDB backend requires a DB_CONFIG file for configuration and tuning of the database. An example file exists at /usr/local/etc/openldap/DB_CONFIG.example. Copy it to your base directory and rename it DB_CONFIG as follows:
sudo cp /usr/local/etc/openldap/DB_CONFIG.example /usr/local/var/openldap-data/your-domain.com/
sudo mv /usr/local/var/openldap-data/your-domain.com/DB_CONFIG.example /usr/local/var/openldap-data/your-domain.com/DB_CONFIG
NOTE: You can also change the settings in DB_CONFIG for optimum performance and tuning of the database. In our setup we kept the default configuration.
8. Execute "sudo nano /usr/local/etc/openldap/slapd.conf" and edit slapd.conf to specify the connection information of your LDAP directory as follows:
# Specify your LDAP connection information here
suffix "dc=your-domain,dc=com"
rootdn "cn=Manager,dc=your-domain,dc=com"
rootpw secret
Then change the following line to specify the base directory of your LDAP directory, where the BDB files containing the database and associated indices live. In our setup the base directory is /usr/local/var/openldap-data/your-domain.com:
directory /usr/local/var/openldap-data/your-domain.com
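The rootpw line above stores the directory manager's password in cleartext in slapd.conf, and anyone who can read that file can bind as the rootdn. slapd also accepts a hashed value there, which is what slappasswd produces. The script below is an added example, not code from the original post or from the OpenLDAP project: it builds the database block for a domain name, shows what a {SSHA} value (base64 of sha1(password || salt) followed by the salt) is made of, and verifies a password against it the same way slapd does on a simple bind. It assumes openssl is installed; the function names and the "demo" argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): slapd.conf database block for a
# domain with the rootpw as a salted SHA-1 ({SSHA}) hash instead of cleartext.
# Assumes openssl is available. slappasswd -h '{SSHA}' -s <password> produces
# the same kind of value; this script only shows what that value consists of.

# DN from a DNS-style domain: your-domain.com -> dc=your-domain,dc=com
dn_from_domain() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# {SSHA} hash of password $1 with salt $2 (short ASCII string; random if omitted)
ssha_hash() {
    pw=$1
    salt=${2:-$(openssl rand -hex 4)}
    b64=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } | openssl base64 | tr -d '\n')
    printf '{SSHA}%s' "$b64"
}

# Check password $2 against stored value $1 the way slapd does on a simple bind:
# take the salt out of the stored value, recompute the hash, compare. 0 = match.
ssha_verify() {
    stored=$1
    pw=$2
    case $stored in
        '{SSHA}'*) ;;
        *) return 1 ;;
    esac
    b64=$(printf '%s' "$stored" | cut -c7-)          # drop the {SSHA} prefix
    # decoded layout is 20 digest bytes followed by the salt
    salt=$(printf '%s\n' "$b64" | openssl base64 -d | tail -c +21)
    [ "$(ssha_hash "$pw" "$salt")" = "$stored" ]
}

# Print the database section of slapd.conf (step 8) for domain $1 with rootpw hash $2
slapd_db_block() {
    base=$(dn_from_domain "$1")
    printf 'suffix "%s"\n' "$base"
    printf 'rootdn "cn=Manager,%s"\n' "$base"
    printf 'rootpw %s\n' "$2"
    printf 'directory /usr/local/var/openldap-data/%s\n' "$1"
}

# Usage: sh slapd-dbblock.sh demo   (prints the block for your-domain.com)
if [ "${1:-}" = "demo" ]; then
    hash=$(ssha_hash secret)
    slapd_db_block your-domain.com "$hash"
fi
```

Paste the printed block into slapd.conf in place of the four lines above; because a fresh random salt is used on every run, the rootpw value differs each time even for the same password, which is exactly why the stored salt has to be carried inside the hash.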
9. Start LDAP
- Go to the /usr/local/libexec directory and execute:
sudo ./slapd
10. Check whether slapd is running with the following command:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
This command should return your base DN as follows:
dn:
namingContexts: dc=your-domain,dc=com
11. Open slapd.conf by executing "sudo nano /usr/local/etc/openldap/slapd.conf" and add the following lines to include the required schemas:
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
12. Then restart slapd as follows:
- To stop LDAP, use the following command:
sudo kill -INT `cat /usr/local/var/run/slapd.pid`
- Then to start LDAP again, go to the /usr/local/libexec directory and execute the same command as in step 9.
13. Now you can create entries in LDAP from Apache Directory Studio.
- Open Apache Directory Studio and click New Connection. Enter Hostname = <your-host-name>, Port = 389 and click Next.
- Enter the Bind DN or user and the Bind password as configured in your slapd.conf file.
- In our example they are cn=Manager,dc=your-domain,dc=com and secret respectively.
- Click Finish.
Add slapd as a System Service
- If LDAP was installed with the distribution's package utilities, an init script for slapd is created automatically at installation time. But if you installed slapd from the downloaded tarball, you have to add slapd as a system service manually.
- To add slapd as a system service manually, do as follows:
1. First create slapd service file as follows:
sudo touch /etc/init.d/slapd
cd /etc/init.d
sudo nano slapd
2. Download the slapd service file attached at the end of this post. Copy its contents and paste them into your service file.
3. Open the slapd service file and check that the following paths are set correctly for your LDAP installation:
- SLAPD=/usr/local/libexec/slapd
- SLAPD_CONF=/usr/local/etc/openldap/slapd.conf
4. Now make the service file executable:
sudo chmod +x /etc/init.d/slapd
5. Configure the service in the init run levels as follows:
sudo ln -s /etc/init.d/slapd /etc/rc3.d/S90slapd
sudo ln -s /etc/init.d/slapd /etc/rc4.d/S90slapd
sudo ln -s /etc/init.d/slapd /etc/rc5.d/S90slapd
sudo ln -s /etc/init.d/slapd /etc/rc0.d/K10slapd
sudo ln -s /etc/init.d/slapd /etc/rc6.d/K10slapd
6. To enable the system startup links, run the following command:
sudo update-rc.d slapd defaults
7. Restart slapd as follows:
sudo service slapd restart
8. LDAP is now set up as a system service, so use the following commands to start, stop and restart the LDAP server:
sudo service slapd start
sudo service slapd stop
sudo service slapd restart
Enable Separate Logging for OpenLDAP
1. Execute "sudo nano /etc/rsyslog.d/50-default.conf" and edit the following line as shown, so that OpenLDAP messages (slapd logs to the local4 syslog facility) are kept out of the general syslog:
*.*;auth,authpriv,local4.none -/var/log/syslog
Then add the following line to write the OpenLDAP logs to a separate file:
local4.* -/var/log/openldap/openldap
2. Create a configuration file to manage OpenLDAP log rotation by executing "sudo touch /etc/logrotate.d/openldap" and add the following configuration to it. You can change this configuration as per your requirements:
/var/log/openldap/openldap
{
# Add extension of date with name of log file
dateext
# Specify format of date appended with name of the log file
dateformat -%Y-%m-%d.log
# Keep 365 days worth of backlogs
rotate 365
# Rotate log files daily
daily
# If the log file is missing, go on to the next one without issuing an error message.
missingok
# Postpone compression of the previous log file until next rotation of logs. This only works when used in combination with
# compress
delaycompress
# Compress old log files
compress
# Lines between postrotate and endscript are executed after the log file is rotated. The following line gracefully
# reloads the rsyslog service after log rotation.
postrotate
invoke-rc.d rsyslog reload > /dev/null
endscript
}
3. Open /etc/logrotate.conf and uncomment the following line to enable compression of all log files generated by the rsyslog service:
4. Then restart the rsyslog and slapd services with the following commands respectively:
sudo service rsyslog restart
sudo service slapd restart
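A separate slapd log file is mostly useful if something reads it. With slapd's default loglevel (stats) every BIND request is followed by a RESULT line, and err=49 in that line is invalidCredentials, so repeated err=49 results for one client address and DN are failed password attempts against the directory. The script below is an added example, not part of the original post: an awk filter that ties each connection to its client address, matches bind responses to bind requests, and prints the client/DN pairs with the most failures. The log lines in SAMPLE_LOG are constructed to look like rsyslog output for the file configured above, and the function name and "demo" argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): count failed simple binds per
# client address and bind DN in the separate slapd log configured above.
# SAMPLE_LOG is constructed to resemble rsyslog output, not captured data.

SAMPLE_LOG=$(cat <<'EOF'
Jun  1 10:00:01 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Jun  1 10:00:01 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="cn=Manager,dc=your-domain,dc=com" method=128
Jun  1 10:00:01 ldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jun  1 10:00:02 ldap1 slapd[1234]: conn=1000 op=1 BIND dn="cn=Manager,dc=your-domain,dc=com" method=128
Jun  1 10:00:02 ldap1 slapd[1234]: conn=1000 op=1 RESULT tag=97 err=49 text=
Jun  1 10:00:05 ldap1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=10.0.0.7:40001 (IP=0.0.0.0:389)
Jun  1 10:00:05 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="cn=Manager,dc=your-domain,dc=com" method=128
Jun  1 10:00:05 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Jun  1 10:00:06 ldap1 slapd[1234]: conn=1001 op=1 SRCH base="dc=your-domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Jun  1 10:00:06 ldap1 slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
EOF
)

# Read slapd log lines on stdin; print "count<TAB>client-ip<TAB>bind-dn" for every
# client/DN pair with at least $1 (default 1) failed simple binds, highest first.
failed_binds() {
    awk -v min="${1:-1}" '
    # value of the first whitespace-separated field that starts with "name="
    function field(name,   i) {
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1) return substr($i, length(name) + 2)
        return ""
    }
    # ACCEPT lines tie a connection id to the client address (port stripped)
    / ACCEPT from IP=/ {
        ip = field("IP"); sub(/:[0-9]+$/, "", ip)
        client[field("conn")] = ip
    }
    # BIND lines carry the DN; remember it per conn/op so the RESULT can be matched
    / BIND dn=/ {
        if (match($0, /dn="[^"]*"/))
            binddn[field("conn") "/" field("op")] = substr($0, RSTART + 4, RLENGTH - 5)
    }
    # tag=97 is a bind response; err=49 is invalidCredentials
    / RESULT tag=97 / && field("err") == "49" {
        key = client[field("conn")] "\t" binddn[field("conn") "/" field("op")]
        fails[key]++
    }
    END {
        for (key in fails)
            if (fails[key] >= min) printf "%d\t%s\n", fails[key], key
    }' | sort -rn
}

# Usage: sh failed-binds.sh demo [min]   (runs over the constructed sample)
# For the live file: failed_binds 5 < /var/log/openldap/openldap
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_binds "${2:-1}"
fi
```

On the sample the only failing pair is 10.0.0.5 binding as the rootdn, reported with a count of 2; the successful bind and the search from 10.0.0.7 are ignored. Because the script keys on the connection id, it still attributes failures correctly when several clients are interleaved in the same file, and the min argument is what you would raise when turning this into a periodic alert.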
Congratulations! You have now successfully configured OpenLDAP on Ubuntu.
Download the slapd service file from the link below:
slapd