Installing OpenLDAP 2.4 on Debian Squeeze

Home / Installing OpenLDAP 2.4 on Debian Squeeze

Installing OpenLDAP 2.4 on Debian Squeeze

December 9, 2015 | Article | No Comments

OpenLDAP is one of software that implement Lightweight Directory Access Protocol (LDAP).

In this article we will do installation of OpenLDAP on Debian. Technically say, we will install OpenLDAP 2.4 which is provided by Debian repository. The benefits of LDAP, and OpenLDAP specifically, is we can achieve Single Sign On to other services such as FTP, SSH, etc. The LDAP will act as back-end which authenticates user.

OpenLDAP consists of some packages, but basically we can be categorized them as three categories: main application (daemon), supporting application, and packages for extending LDAP functionalities (as well as libraries for other applications).

In this article we will use Debian 6.0.7 (Squeeze) for amd64 with following packages:

  1. slapd
  2. ldap-utils
  3. db4.8-util

The method we use here should be applicable to x86 (32 bit) Debian as well.

Things to Know

In previous version of OpenLDAP, all server configuration used to be stored on a single file, /etc/ldap/slapd.conf. The configuration is in plain text and quite readable format.

Starting from version 2.4, the configuration now stored inside the LDAP tree, rather than on slapd.conf.

If you need to migrate from the old format to new format, you can check this article.

The main advantage of this approach is ability to update configuration while the server is still running. This is good for enterprise grade applications but also has drawback. The drawback is that we have to use the poorly readable LDIF syntax, just to be able to create a new database, define the database admin, configure ACLs, etc.

In this article, we will only do fresh installation of OpenLDAP 2.4 on Debian Squeeze look things that change on this version. In this version, understanding about LDIF Is required and encouraged. We will see why in the later section.

Obtain the Materials

All the packages can be downloaded and installed from repositories. Use following command to install them:

apt-get install slapd ldap-utils db4.8-util

These are the minimum packages we need: slapd (as a daemon), ldap-utils (as utilities), and db4.8-util (as back-end database).

LDAP is a protocol and it is not focusing on actual storage processing. The back-end for that can be berkeley DB, MySQL, PostGreSQL, etc. In this case we use db4.8 or Berkeley DB.

On Installation

When installing OpenLDAP we will be prompted by several questions. You can adjust the answer with your conditions. We can skip that and configure them later by invoking:

dpkg-reconfigure slapd

In general, on installation progress will ask you about these information:

  1. Administrator password for this LDAP package. This is not password for the system, but the password used for manage or administrate LDAP.
  2. Server host, can DNS domain name (fully qualified domain name) or IP Address
  3. Organization name.
  4. Database backed to use.
  5. LDAP version (v2 or v3)
  6. Distinguish name (dn) of the machine.
  7. DN used as administrator.

When creating a base distinguish name (base DN), the easiest way is using FQDN (URL) as a base DN. For example: from we can create a base DN as following: dc=xathrya,dc=id

Another we should prepare is the distinguish name used for administration. For example: cn=master,dc=xathrya,dc=id

At this point, we have successfully install OpenLDAP on our Debian machine.

Listing LDAP configuration

As stated, OpenLDAP 2.4 use different configuration location and format. To see the running configuration, use one of this command:

slapcat -b cn=config

# or

ldapsearch -LLQY EXTERNAL -H ldapi:/// -b cn=config

Adjust LDAP Configuration

To modify a configuration using a .ldif file, use following command:

ldapmodify -Y EXTERNAL -H ldapi:// -f <ldif file>.ldif

A configuration can be written on LDIF file. This snippet can be read as an example:

# Increase log level
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

# Add indexes
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq

add: oldDbIndex
olcDbIndex: cn eq

add: olcDbIndex
olcDbIndex: ou eq

add: olcDbIndex
olcDbIndex: dc eq

That example will modify log level and add new indexes on attributes.

Database Definition

In this new format, database definition is performed through LDIF file.

Create a directory on filesystem to store all files related to this database. This directory should be separated from main / root of ldap directory

mkdir /var/lib/ldap-database
chown openldap.openldap /var/lib/ldap-database

Next, load create an LDIF file, let call it as new-db.ldif. Adjust it with your setting:

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=xathrya,dc=id
olcDbDirectory: /var/lib/ldap-database
olcRootDN: cn=Manager,dc=xathrya,dc=id
olcRootPW: secret
olcDbIndex: cn,sn,uid pres,eq,approx,sub
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Admin,dc=xathrya,dc=id" write
  by * none
olcAccess: to *
  by self write
  by dn.base="cn=Admin,dc=xathrya,dc=id" write
  by * read

Then load it with following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f new-db.ldif

In a LDAP tree, we do not have ordered elements. This is why we have this optional {n} syntax which allows database ordering.

, ,

About Author

about author


A man who is obsessed to low level technology.

Leave a Reply

Your email address will not be published. Required fields are marked *

Social Share Buttons and Icons powered by Ultimatelysocial