
Installing OpenLDAP

Introduction:

This describes how to build a shared address book with OpenLDAP, using the schemas needed by Mozilla Thunderbird (and possibly other Mozilla products).

Installing OpenLDAP on FreeBSD:

  • portinstall net/openldap23-server

Make sure you select the BDB backend and, if you need replication, the slurpd daemon.

Choose a password for your rootdn and make sure it is stored hashed, not in clear text:

  • beekini ldap # slappasswd -s mysuperdup3g7pass
    {SSHA}Saf3jUFsxS0yxf7JaK1vDEkEkmknbE7Y

The {SSHA} string on the second line is the output; that is the value to put in slapd.conf. If you leave out -s, slappasswd prompts for the password instead of taking it on the command line, where it would stay in the shell history.

Configure your slapd.conf to reflect your environment. An example slapd.conf is included in the directory.

Then you have to tweak some schema files; the diffs are included:

  • core.schema.diff
  • cosine.schema.diff
  • nis.schema.diff

Then you have to ldapadd the initial LDIF:

  • ldapadd -x -D "cn=Manager,dc=ion,dc=lu" -W -f init.ldif

This has to be tailored to the client; add any sub address books here as well.

For the web-interface you need:

  • portinstall lang/php5 php5-ldap php5-xml

phpldapadmin:

  • portinstall phpldapadmin php5-session

php5-session is required for phpldapadmin.

ldap.conf:

  • The ldap.conf configuration file sets the system-wide defaults applied when running LDAP clients.

To enable SSL:

  • mkdir /usr/local/etc/openldap/certs
  • chmod 700 /usr/local/etc/openldap/certs
  • chown ldap:ldap /usr/local/etc/openldap/certs
  • cd /usr/local/etc/openldap/certs

Generate the server key and certificate, then a CA key (the second openssl rsa call strips the passphrase again) and a CA certificate:

  • openssl req -new -x509 -nodes -keyout openldap-server.key -out openldap-server.crt
  • openssl genrsa -des3 -out openldap-ca-server.key 1024
  • openssl rsa -in openldap-ca-server.key -out openldap-ca-server.key
  • openssl req -new -x509 -days 3650 -key openldap-ca-server.key -out openldap-ca-server.crt

Restrict the keys and certificates to the ldap user:

  • chmod 600 *.crt *.key
  • chown ldap:ldap *.crt *.key

slapd.conf:

  • TLSCACertificateFile /usr/local/etc/openldap/certs/openldap-ca-server.crt
  • TLSCertificateFile /usr/local/etc/openldap/certs/openldap-server.crt
  • TLSCertificateKeyFile /usr/local/etc/openldap/certs/openldap-server.key

ldap.conf on clients:

TLS_REQCERT allow accepts the server certificate even when it cannot be verified:

TLS_REQCERT allow

With the CA certificate installed on the client, TLS_REQCERT demand requires a valid server certificate:

TLS_CACERT /usr/local/etc/openldap/certs/openldap-server.pem
TLS_REQCERT demand
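As an added check (example code written for this page, not from the wiki or from OpenLDAP; the two sample configs are constructed from the client settings above), this Python script parses a client ldap.conf and flags a TLS_REQCERT weaker than demand or a missing CA certificate. It assumes that a repeated key takes its last value.

```python
# TLS_REQCERT levels from weakest to strictest, per ldap.conf(5);
# "hard" is a synonym for "demand".
REQCERT_LEVELS = ["never", "allow", "try", "demand"]
REQCERT_ALIASES = {"hard": "demand"}

# Constructed sample configs, built from the two client variants above.
WEAK_CONF = """\
HOST myserver.com
PORT 636
TLS_REQCERT allow    # accepts an unverifiable server certificate
"""
STRICT_CONF = """\
HOST myserver.com
PORT 636
TLS_CACERT /usr/local/etc/openldap/certs/openldap-server.pem
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """Return {KEY: value}: keys are case-insensitive (upper-cased here),
    '#' starts a comment, and a repeated key is taken from its last
    occurrence (an assumption made by this checker)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit_tls(text):
    """Return findings; an empty list means the client demands a valid
    server certificate and has a CA certificate to check it against."""
    cfg = parse_ldap_conf(text)
    findings = []
    # ldap.conf(5): TLS_REQCERT defaults to "demand" when unset.
    level = cfg.get("TLS_REQCERT", "demand").lower()
    level = REQCERT_ALIASES.get(level, level)
    if level not in REQCERT_LEVELS:
        findings.append("TLS_REQCERT %s: unknown level" % level)
    elif REQCERT_LEVELS.index(level) < REQCERT_LEVELS.index("demand"):
        findings.append("TLS_REQCERT %s: server certificate not enforced" % level)
    if not (cfg.keys() & {"TLS_CACERT", "TLS_CACERTDIR"}):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: nothing to verify against")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("strict", STRICT_CONF)):
        print(name, audit_tls(conf) or ["ok"])
```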


rc.conf:

  • slapd_enable="YES"
  • slapd_flags='-h "ldap://0.0.0.0/ ldaps://0.0.0.0/"'
  • slapd_sockets="/var/run/openldap/ldapi"

slapd_flags:

If you need a Unix socket, add the following URI to slapd_flags to create the socket under /var/run/openldap/:

  • ldapi://%2fvar%2frun%2fopenldap%2fldapi/

ldap.conf:

  • HOST myserver.com
  • PORT 636

Replication server:

To have a replicated OpenLDAP environment, some changes need to be made, and slurpd has to run on the master server to push changes to its slaves.

On the master add:

replica uri=ldap://malium.ion.lu:389
        binddn="cn=Replicator,dc=ion,dc=lu"
        bindmethod=simple
        credentials=secret

replogfile /var/db/openldap-slurp/replica/slurpd.replog

On the slave:

updatedn "cn=Replicator,dc=ion,dc=lu"
updateref "ldap://malium.ion.lu:389"

Note that master and slave need exactly the same schemas, etc.

Stop the LDAP master server, export the data with slapcat and import it on the slave with slapadd:

  • ldapadd -x -D "cn=Replicator,dc=ion,dc=lu" -W -f init.ldif
  • ldapadd -x -D "cn=Replicator,dc=ion,dc=lu" -W -f import.ldif

Start slapd and slurpd on the master.

ldap-contacts (last edited 2010-04-11 19:32:21 by SteveClement)