Configuring the Server

If you have been using LDAP for years, you will be aware of its immense power and flexibility. On the other hand, if you are just trying LDAP for the first time, it will seem like the most broken component you could imagine. LDAP has specific configuration requirements, is vastly lacking in graphical tools, and has a large number of acronyms to remember. On the bright side, all the hard work you put in will be worth it because, when it works, LDAP will hugely improve your networking experience.

The first step in configuring your LDAP server is to install the client and server applications. Start up Synaptic and install the slapd and ldap-utils packages. You'll be asked to enter an administrator password for slapd.

Now, use sudo to edit /etc/ldap/slapd.conf in the text editor of your choice. This is the primary configuration file for slapd, the OpenLDAP server daemon. Scroll down until you see the lines database, suffix, and rootdn.

This is the most basic configuration for your LDAP system. What is the name of your server? The dc stands for domain component, which is the name of your domain as stored in DNSfor example, example.com. For our examples, we used hudzilla.org. LDAP considers each part of a domain name (separated by a period) to be a domain component, so the domain hudzilla.org is made up of a domain component hudzilla and a domain component org.

Change the suffix line to match your domain components, separated by commas. For example:

suffix "dc=hudzilla,dc=org"

The next line defines the root DN, which is another LDAP acronym meaning distinguished name. A DN is a complete descriptor of a person in your directory: her name and the domain in which she resides. For example rootdn "cn=root,dc=hudzilla,dc=org"

CN is yet another LDAP acronym, this time meaning common name. A common name is just thatthe name a person is usually called. Some people have several common names. Andrew Hudson is a common name, but that same user might also have the common name Andy Hudson. In our rootdn line, we define a complete user: common name root at domain hudzilla.org. These lines are essentially read backward. LDAP goes to org first, searches org for hudzilla, and then searches hudzilla for root.

The rootdn is important because it is more than just another person in your directory. The root LDAP user is like the root user in Linux. It is the person who has complete control over the system and can make whatever changes he wants to.

Now comes a slightly more complex part: We need to give the LDAP root user a password. The easiest way to do this is to open a new terminal window alongside your existing one. Switch to root in the new terminal and type siappasswd. This tool generates password hashes for OpenLDAP using the SHA1 hash algorithm. Enter a password when it prompts you. When you have entered and confirmed your password, you should see output like this:

{SSHA}qMVxFT2K1UUmrA89Gd7z6EK3gRLDIo2W

That is the password hash generated from your password. Yours will differ from the one shown here, but what is important is that it has {ssha} at the beginning to denote it uses SHA1. You now need to switch back to the other terminal (the one editing slapd.conf) and add this line below the rootdn line:

rootpw <your password hash>

You should replace <your password hash> with the full output from slappasswd, like this:

rootpw {SSHA}qMVxFT2K1UUmrA89Gd7z6EK3gRLDIo2W

That sets the LDAP root password to the one you just generated with slappaswd. That is the last change you need to make in the slapd.conf file, so save your changes and close your editor.

Back in the terminal, run the slaptest command. This checks your slapd.conf file for errors and ensures you edited it correctly. Presuming there are no errors, run /etc/init.d/slapd to start OpenLDAP.

Ubuntu automatically starts OpenLDAP each time you boot up, but that command starts it right now.

The final configuration step is to tell Ubuntu which DN it should use if none is specified. You do so by going to System Settings and selecting Authentication. In the dialog box that appears, check Enable LDAP Support in both the User Information tab and Authentication tab. Next, click the Configure LDAP button, enter your DCs (for example, dc=hudzilla,dc=org) for the LDAP Search Base DN, and enter 127.0.0.1 for the LDAP Server. Click OK, and then click Ok again.

Checking Enable LDAP Support does not actually change the way in which your users log in. Behind the scenes, this forces Ubuntu to set up the ldap.conf file in /etc/ldap so that LDAP searches that do not specify a base search start point are directed to your DC.

Was this article helpful?

0 0

Post a comment