apt-get install slapd
If you have configured debconf (dpkg-reconfigure debconf) to ask
questions with a priority higher than medium, you should be asked
the following questions:
- DNS domain name (will be split into the base DN, e.g.
dc=example,dc=com)
- Organization (will be the o attribute of the base record)
- Administrator password (for cn=admin below the base DN)
- Allow LDAPv2 (answer NO)
The main configuration file for the server process is
/etc/ldap/slapd.conf where we should modify the index, so let's add
(cited from debian wiki):
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index memberUid pres,sub,eq
index default sub
index uid eq
index uniqueMember eq
index gidNumber eq
index mail,givenName eq,subinitial
index dc eq
If you look at this you can see that the index set is tailored to
storing Unix user information in LDAP, which is what we want. One
omission: uidNumber is not indexed, yet nss_ldap searches on it for
every lookup by numeric uid (getpwuid), so add an eq index for it as
well. Note that "index default sub" only sets the type for later index
lines that omit one; it does not index attributes that are not listed.
After changing the index directives, rebuild the index while slapd is
stopped (slapindex run as root leaves root-owned database files, hence
the chown afterwards):
/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start
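Before rebuilding, it is worth checking that every attribute nss_ldap filters on actually has an equality index. The script below is an added example, not part of the original page or the Debian wiki: it parses slapd.conf index directives (from $SLAPD_CONF if set, otherwise from a constructed copy of the list above) and reports the lookup attributes that lack an eq index. The set of attributes it checks (objectClass, uid, uidNumber, gidNumber, memberUid, uniqueMember) is the one nss_ldap uses in its passwd and group filters; the output for the list above is "uidNumber".

```shell
#!/bin/sh
# Added example: report nss_ldap lookup attributes without an "eq" index.
# Reads $SLAPD_CONF if set, otherwise the constructed fragment below,
# which copies the index directives from the text.

SLAPD_INDEX_CONF='index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index memberUid pres,sub,eq
index default sub
index uid eq
index uniqueMember eq
index gidNumber eq
index mail,givenName eq,subinitial
index dc eq'

# Attributes that appear in equality filters for passwd/group lookups
# (getpwnam, getpwuid, getgrnam, getgrgid, initgroups).
NSS_EQ_ATTRS="objectClass uid uidNumber gidNumber memberUid uniqueMember"

index_lines() {
  if [ -n "${SLAPD_CONF:-}" ]; then
    cat "$SLAPD_CONF"
  else
    printf '%s\n' "$SLAPD_INDEX_CONF"
  fi
}

# Print the index types configured for attribute $1. LDAP attribute names
# are case-insensitive. "index default" only supplies the type for later
# index lines that omit one; it indexes nothing by itself.
index_types_for() {
  index_lines | awk -v want="$1" '
    tolower($1) != "index" { next }
    tolower($2) == "default" { dflt = $3; next }
    {
      n = split($2, attrs, ",")
      types = ($3 == "") ? dflt : $3
      for (i = 1; i <= n; i++)
        if (tolower(attrs[i]) == tolower(want)) print types
    }'
}

# Print, space-separated, the lookup attributes that have no eq index.
missing_eq_indexes() {
  missing=""
  for a in $NSS_EQ_ATTRS; do
    index_types_for "$a" | grep -qiw eq || missing="$missing $a"
  done
  printf '%s\n' "${missing# }"
}

missing=$(missing_eq_indexes)
if [ -n "$missing" ]; then
  echo "no eq index for: $missing (lookups on these attributes scan the whole database)"
else
  echo "all nss lookup attributes have an eq index"
fi
```

Run it against the live config with SLAPD_CONF=/etc/ldap/slapd.conf; an unindexed attribute does not break lookups, it just turns every getpwuid into a full database scan, which on a busy box is a cheap way to stall logins.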
I like to edit my ldap tree with the tool ldapvi
apt-get install ldapvi
Now we can edit the tree by binding as cn=admin with the password we
gave during installation:
ldapvi -d -h ldap://localhost -D cn=admin,dc=example,dc=com
Now let's add our first user entry. First we have to add an
organizational unit to hold all the users we will add in future; we
can simply call it people. I'd also like to add an ou for all the
groups we are going to add, and I'll call it groups.
add ou=groups,dc=example,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit
add ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit
add cn=users,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 100
add cn=Michael Hammer,ou=people,dc=example,dc=com
givenName: Michael
sn: Hammer
cn: Michael Hammer
uid: huhu
uidNumber: 1234567
gidNumber: 1234567
homeDirectory: /home/mueli
loginShell: /bin/zsh
maildrop: michael@derhammer.net
mailbox: /var/vmail/derhammer.net/michael
associatedDomain: derhammer.net
associatedDomain: michael-hammer.at
objectClass: domainRelatedObject
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: posixAccount
objectClass: top
mail: bugs@michael-hammer.at
mail: mail@michael-hammer.at
mail: michael@derhammer.net
mail: postmaster@derhammer.net
mail: postmaster@michael-hammer.at
mail: root@derhammer.net
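Two things in the entry above are easy to get wrong and only show up later as odd getent output or a rejected add: the user's gidNumber (1234567) matches no posixGroup we created, and a posixAccount is only usable if all of its MUST attributes are present. The script below is an added example (not part of the original page) that checks an LDIF stream for exactly these problems before it is fed to ldapadd or ldapvi: MUST attributes of posixAccount and posixGroup, a uidNumber of 0 (such an entry is root on every client that resolves users via nss_ldap), duplicate uidNumbers, and gidNumbers without a matching group. The sample LDIF is constructed from the group and user entries above, minus the mail attributes, which depend on a schema slapd does not ship by default.

```shell
#!/bin/sh
# Added example: sanity-check posixAccount/posixGroup entries in LDIF.
# Plain "attr: value" lines only; base64 ("attr::") values are not decoded.

# Constructed sample: the group and user entries from the text, without
# the mailUser attributes.
LDIF_SAMPLE='dn: cn=users,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 100

dn: cn=Michael Hammer,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: Michael Hammer
sn: Hammer
uid: huhu
uidNumber: 1234567
gidNumber: 1234567
homeDirectory: /home/mueli
loginShell: /bin/zsh'

# Read LDIF on stdin, print one line per problem found (nothing if clean).
posix_ldif_check() {
  awk '
    function flush(   i, k, n, must) {
      if (dn == "") return
      if ("posixaccount" in oc) {
        n = split("cn uid uidnumber gidnumber homedirectory", must, " ")
        for (i = 1; i <= n; i++)
          if (!(must[i] in at)) printf "%s: missing %s\n", dn, must[i]
        if (("uidnumber" in at) && at["uidnumber"] + 0 == 0)
          printf "%s: uidNumber 0 is root-equivalent\n", dn
        if ("uidnumber" in at) {
          if (at["uidnumber"] in seen_uid)
            printf "%s: duplicate uidNumber %s (also %s)\n", dn, at["uidnumber"], seen_uid[at["uidnumber"]]
          else
            seen_uid[at["uidnumber"]] = dn
        }
        if ("gidnumber" in at) user_gid[dn] = at["gidnumber"]
      }
      if ("posixgroup" in oc) {
        if ("gidnumber" in at) groups[at["gidnumber"]] = 1
        else printf "%s: missing gidnumber\n", dn
      }
      dn = ""
      for (k in at) delete at[k]
      for (k in oc) delete oc[k]
    }
    /^dn: / { flush(); dn = substr($0, 5); next }
    /^$/    { flush(); next }
    /^[^ ]+: / {
      name = tolower(substr($0, 1, index($0, ":") - 1))
      val  = substr($0, index($0, ":") + 2)
      if (name == "objectclass") oc[tolower(val)] = 1
      else at[name] = val
    }
    END {
      flush()
      for (d in user_gid)
        if (!(user_gid[d] in groups))
          printf "%s: gidNumber %s has no posixGroup\n", d, user_gid[d]
    }'
}

# Run the check over the constructed sample.
check_sample() {
  printf '%s\n' "$LDIF_SAMPLE" | posix_ldif_check
}

check_sample
```

For the sample it reports the dangling gidNumber 1234567; change the user's gidNumber to 100 (the users group) and the output is empty. To check a live tree, pipe the output of ldapsearch -x -LLL over the people and groups subtrees into posix_ldif_check.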
Two caveats about that entry: its gidNumber (1234567) matches no
posixGroup we created, so getent will list the user but the primary
group will not resolve; and maildrop, mailbox and the mailUser object
class are not in the schemas slapd ships by default, so the schema that
defines them must be included in slapd.conf or the add is rejected.
Now we should be able to use this content for the naming service.
apt-get install libnss-ldap
(Hint: We do not want libpam-ldap, because we authenticate against Kerberos and not against LDAP; LDAP only supplies the account data.)
Now we have to configure libnss-ldap (/etc/libnss-ldap.conf) to find
the content inside the LDAP server. A few options have already been
set through debconf, but here is the whole config file. No binddn or
bindpw is given, so NSS lookups bind anonymously; slapd's ACLs must
allow anonymous clients to read the people and groups subtrees (the
default Debian ACL does, while exposing userPassword only for
authentication). The pam_* lines are ignored by nss_ldap; they are only
read by pam_ldap, which we are not installing.
base dc=example,dc=com
uri ldap://localhost
ldap_version 3
scope one
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=people,dc=example,dc=com
nss_base_shadow ou=people,dc=example,dc=com
nss_base_group ou=groups,dc=example,dc=com
suffix "dc=example,dc=com"
The last step is to configure the name service switch to use
libnss-ldap, which is done through /etc/nsswitch.conf. With files
listed first, local entries in /etc/passwd take precedence over LDAP:
passwd: files ldap
group: files ldap
shadow: files ldap
Now we can test the configuration. Restart nscd first so it does not
hand out stale cached entries; the LDAP user should then appear at the
end of the passwd list, after the local accounts:
/etc/init.d/nscd restart
getent passwd