Configure LDAP Server on SmartOS using OpenLDAP
I assume that you already have a SmartOS local zone running on your machine. Refer to my previous post if not. The global zone of SmartOS is immutable, so you will not be able to install anything on it. This is by design.
Install Package
SmartOS uses NetBSD's package manager, pkgsrc; the command is pkgin. The following command installs the OpenLDAP server package in your local zone.
pkgin install openldap-server
Configure LDAP Server
The default directory for the configuration files is /opt/local/etc/openldap/. Here you'll find slapd.conf. The SmartOS package has not adopted the newer way of configuring the LDAP server (loading LDIF files into the cn=config database), so you'll need to edit slapd.conf to configure the OpenLDAP server.
Load additional modules
core.schema is included in slapd.conf by default. You'll need to include more schema files in order to make additional objectClasses available. I used the following:
include /opt/local/etc/openldap/schema/core.schema
include /opt/local/etc/openldap/schema/cosine.schema
include /opt/local/etc/openldap/schema/nis.schema
include /opt/local/etc/openldap/schema/inetorgperson.schema
Configure rootdn Authentication and Domain
Here I changed only three settings: "suffix", "rootdn" and "rootpw".
rootpw is generated with the "slappasswd" command.
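As an added example (not part of the original post and not OpenLDAP's code), the following Python reproduces what slappasswd does for the {SSHA} scheme and verifies a password against such a hash the way slapd does on a bind; the function names are my own. The userPassword value in the user LDIF further down is produced the same way.

```python
"""Build and verify OpenLDAP {SSHA} password hashes (what slappasswd emits
for rootpw and userPassword).  Added example, not code from the original
post or from OpenLDAP; function names are my own.
Format: "{SSHA}" + base64( SHA1(password || salt) || salt ).  slappasswd uses
a 4-byte salt by default, which is why the hashes on this page decode to
24 bytes (20-byte digest + 4-byte salt)."""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 digest size in bytes


def ssha_hash(password, salt=None):
    """Return a {SSHA} string; a fresh random 4-byte salt is used unless given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_decode(stored):
    """Split a {SSHA} value into (digest, salt)."""
    if not stored.upper().startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, stored):
    """Check a password the way slapd does on a simple bind: rehash with the
    stored salt and compare the digests in constant time."""
    digest, salt = ssha_decode(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ssha_hash("correct horse")          # like: slappasswd -s 'correct horse'
    print(stored)
    print(ssha_verify("correct horse", stored))  # True
    print(ssha_verify("wrong", stored))          # False
```

To cross-check against the real tool, paste the output of `slappasswd -h '{SSHA}' -s 'correct horse'` into ssha_verify. Note that {SSHA} is a single SHA-1 pass over password and salt, so it is cheap to attack offline if the database directory or an LDIF dump leaks; that is the reason the config comment insists on mode 700 for /var/openldap/openldap-data.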
Sample configuration
#######################################################################
# MDB database definitions
#######################################################################
database mdb
maxsize 1073741824
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw {SSHA}DK11geBKDtK9NxeRZQpd43te63LwWDuydh
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/openldap/openldap-data
# Indices to maintain
index objectClass eq
Start LDAP server
Run the following commands to load the new configuration and restart the LDAP server.
svcadm refresh pkgsrc/openldap-server
svcadm restart pkgsrc/openldap-server
Check LDAP server Daemon
Run the following command to check the status of the LDAP server daemon:
svcs -xv pkgsrc/openldap-server
You should see the following:
Create Basic Group Schema
Here is a sample LDIF file for creating the base DN and the People and Groups organizational units in the LDAP server. The name of the file is basedn.ldif. I created the file under /opt/local/etc/openldap/schema where I kept all my schema files.
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
Run the following command to load these entries into LDAP (entries in the file must be separated by a blank line):
ldapadd -x -D 'cn=Manager,dc=example,dc=com' -W -f /opt/local/etc/openldap/schema/basedn.ldif
Create a Sample User Account
Here is a sample LDIF file for adding a new user and its primary group to the LDAP server:
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
cn: Test
sn: User
userPassword: {SSHA}eE38x262GWtfWrmpCs1fwHWQIeYE240A
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/testuser

dn: cn=testuser,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: testuser
description: LDAP Test Group
gidNumber: 2000
memberUid: testuser
In order for the listed objectClasses to work, cosine.schema, nis.schema and inetorgperson.schema must be included in slapd.conf as mentioned earlier.
The user password is also generated with the slappasswd command.
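Before running ldapadd it is worth checking an LDIF file offline for the mistakes slapd rejects: entries not separated by a blank line, an RDN value (the uid= or cn= part of the dn) that does not appear among the entry's attributes, and MUST attributes of the declared objectClasses that are missing. The following Python checker is an added example, not part of the original post or of OpenLDAP; the MUST table covers only the objectClasses used on this page, and the sample LDIF strings are constructed for the demonstration (the "bad" one reproduces a user entry without uid and a group whose cn does not match its dn).

```python
"""Offline LDIF checker for the mistakes slapd rejects at ldapadd time.
Added example, not from the original post or OpenLDAP.  The MUST table
covers only the objectClasses used on this page (core, cosine, nis and
inetorgperson schemas); the sample LDIF below is constructed."""
import base64
import re

# Required (MUST) attributes per objectClass, lower-cased.
MUST = {
    "dcobject": {"dc"},
    "organization": {"o"},
    "organizationalunit": {"ou"},
    "person": {"cn", "sn"},
    "inetorgperson": {"cn", "sn"},  # inherits person's MUST list
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "posixgroup": {"cn", "gidnumber"},
}


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})].  Entries are blank-line separated;
    '#' comments, folded lines (leading space) and 'attr:: base64' are handled."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text):
        lines = []
        for raw in block.splitlines():
            if not raw.strip() or raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:  # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        if not lines:
            continue
        dn, attrs = None, {}
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed line {line!r}")
            if value.startswith(":"):  # attr:: base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                if dn is not None:
                    raise ValueError(f"dn {value!r} follows dn {dn!r} "
                                     "without a blank line between entries")
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is None:
            raise ValueError(f"entry without dn: {lines[0]!r}")
        entries.append((dn, attrs))
    return entries


def check_ldif(text):
    """Return a list of problems (an empty list means slapd should accept the file)."""
    try:
        entries = parse_ldif(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for dn, attrs in entries:
        # The naming attribute of the RDN must appear as a value in the entry.
        rattr, _, rvalue = dn.split(",", 1)[0].partition("=")
        if rvalue.lower() not in [v.lower() for v in attrs.get(rattr.lower(), [])]:
            problems.append(f"{dn}: naming attribute '{rattr}' value '{rvalue}' "
                            "is not present in entry")
        for oc in attrs.get("objectclass", []):
            for req in sorted(MUST.get(oc.lower(), ())):
                if req not in attrs:
                    problems.append(f"{dn}: objectClass {oc} requires attribute '{req}'")
    return problems


# Constructed sample mirroring the user/group LDIF in this post.
GOOD_LDIF = """\
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
cn: Test
sn: User
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/testuser

dn: cn=testuser,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: testuser
gidNumber: 2000
memberUid: testuser
"""

# Constructed faulty version: no uid attribute on the user, and the group's
# cn does not match the cn= in its dn.
BAD_LDIF = GOOD_LDIF.replace("uid: testuser\n", "").replace("cn: testuser", "cn: LDAP Test Group")

if __name__ == "__main__":
    for label, text in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        print(label, check_ldif(text) or "ok")
```

Run it against basedn.ldif and ldaptestuser.ldif (read the file and pass its contents to check_ldif) before the ldapadd commands; an empty result means the three classes of error above are absent, while anything else would have come back from slapd as a naming violation or an objectClass violation.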
Add the New User
Run the following command to add the entries from the new LDIF file:
ldapadd -x -W -D 'cn=Manager,dc=example,dc=com' -f /opt/local/etc/openldap/schema/ldaptestuser.ldif
You should now have a basic (NON-SECURE) LDAP server running with a simple user account.