You're ready to go to work and get your OpenLDAP server up and running. What's the best way to install it on Debian?
Just fire up Aptitude and install these packages:
# aptitude install slapd ldap-utils gq db4.3-doc db4.2-util
You will be asked to create an LDAP admin password. Debian then creates the LDAP admin user and takes your existing domain name as the suffix, or naming context.
Then, run this simple search to make sure the server is running and responding to requests:
# ldapsearch -xb '' -s base '(objectclass=*)' namingContexts
[...]
dn:
namingContexts: dc=alrac,dc=net
[...]
Run this command to show the admin user:
$ ldapsearch -xb 'dc=alrac,dc=net'
[...]
# admin, alrac.net
dn: cn=admin,dc=alrac,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
[...]
Very good! This shows success. Now, you are ready to move on to the next steps.
Debian creates a bare-bones configuration, creates an openldap system user (which you can see in /etc/passwd), installs startup files so that slapd starts at boot, and gives all the files the correct ownership and permissions. It also creates the OpenLDAP admin user, which is not a system user like openldap, but an entry in the OpenLDAP directory itself.
You've probably seen OpenLDAP How-tos that create a rootdn and rootpw in slapd.conf. The rootdn is the database superuser, just like our admin user, and rootpw is the rootdn's password. This is necessary for the initial creation of your directory, and you may prefer to configure your database superuser this way. The rootdn automatically has unrestricted access to everything and bypasses all access controls, which is exactly why our admin user, which is subject to them, needs access controls written for it.
Some admins don't want the rootpw in slapd.conf for security reasons. Some admins don't want the superuser in the directory, like our admin user, for security reasons. If you do keep it in slapd.conf, never store it in cleartext: generate a salted hash with slappasswd and paste the {SSHA} string into the rootpw line instead. Then make triple sure that file is protected. Make it readable only by the owner and group owner, and turn on write access only when you need to make changes. Anyone who can read rootpw, or who can write slapd.conf and set a rootdn of their own, owns the whole directory.
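To make the two points above concrete, here is an added example (not from the original page, and not OpenLDAP's own code) that builds the same {SSHA} hash format slappasswd produces for rootpw, verifies a password against it the way slapd does, and checks whether a slapd.conf mode is acceptable. The {SSHA} layout is base64(sha1(password + salt) + salt) with a 4-byte salt; the function names, the sample password and the fixed test salt are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
import stat
from typing import Optional

# Fixed salt so the example is reproducible; slappasswd draws a random one.
EXAMPLE_SALT = b"\x01\x02\x03\x04"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-compatible {SSHA} hash for use on a rootpw line.

    Format: "{SSHA}" + base64( sha1(password || salt) || salt ).
    """
    if salt is None:
        salt = os.urandom(4)          # 4 random bytes, as slappasswd does
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    """Verify a password against a stored {SSHA} value (what slapd does on bind)."""
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is always 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def rootpw_line(password: str, salt: Optional[bytes] = None) -> str:
    """The slapd.conf line to paste in place of a cleartext rootpw."""
    return "rootpw\t" + make_ssha(password, salt)


# Modes that satisfy "readable only by owner and group owner, no write
# unless you are editing": no bits for others, no group write.
ALLOWED_MODES = {0o400, 0o440, 0o600, 0o640}


def slapd_conf_mode_ok(st_mode: int) -> bool:
    """True when the permission bits of slapd.conf are tight enough."""
    return stat.S_IMODE(st_mode) in ALLOWED_MODES


def slapd_conf_file_ok(path: str) -> bool:
    """Check a real file on disk, e.g. slapd_conf_file_ok('/etc/ldap/slapd.conf')."""
    return slapd_conf_mode_ok(os.stat(path).st_mode)


if __name__ == "__main__":
    line = rootpw_line("secret", EXAMPLE_SALT)   # "secret" is a made-up password
    print(line)
    print("verifies:", check_ssha(line.split("\t", 1)[1], "secret"))
    for mode in (0o640, 0o644, 0o660):
        print(oct(mode), "ok" if slapd_conf_mode_ok(mode) else "too open")
```

The hash protects you only against someone reading the file; it does nothing against someone who can write it, so the mode check matters as much as the hash.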
OpenLDAP depends on the Sleepycat Berkeley DB for its backend database. Aptitude should pull in the version you need. The db4.2-util package includes essential commands for managing the BDB.
The db4.3-doc package contains the complete Sleepycat BDB manual. It's targeted at programmers, but it contains a lot of helpful information for server administrators, too. (There is no db4.2-doc package, but the package version mismatch doesn't matter.)
Get the version of db4.*-util that matches your Berkeley DB version. If you don't know which package name to look for, dpkg shows you what is installed on your system:
$ dpkg -l | grep db4
ii libdb4.2 4.2.52+dfsg-2 Berkeley v4.2 Database Libraries [runtime]
ii libdb4.3 4.3.29-8 Berkeley v4.3 Database Libraries [runtime]
ii libdb4.4 4.4.20-8 Berkeley v4.4 Database Libraries [runtime]
You'll probably have multiple versions because a lot of applications use Berkeley DB for their backends. Find the correct version that goes with slapd with apt-cache:
$ apt-cache depends slapd | grep db4
Depends: libdb4.2
You can see your suffix, which is the base name of your directory, in /etc/ldap/slapd.conf:
# The base of your directory in database #1
suffix          "dc=alrac,dc=net"
This is what the ldapsearch options mean:
-x
Use simple authentication instead of SASL. With no -D and -w given, as above, this is an anonymous bind. A simple bind with a password sends that password in the clear unless the connection is protected by TLS.
-b
Start the search here (the search base).
-s
Define the scope of the search. Your choices are base, one, or sub. base means search only the base object itself, one searches the immediate children of the base entry and does not include the entry itself, and sub searches the whole subtree, including the base entry. The default is sub.
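The three scopes are easier to see against a tiny directory than to describe. The following is an added example, not part of the original page and not OpenLDAP code: it applies the base/one/sub rules to a constructed list of DNs, including the empty DN that the root-DSE search earlier in this recipe targets with -b '' -s base. It splits DNs on plain commas, so escaped commas inside an RDN value are not handled; that simplification and the sample entries are assumptions.

```python
from typing import List

# Constructed sample directory, in the order a server might return entries.
# "" is the root DSE, which is what `ldapsearch -xb '' -s base` reads.
SAMPLE_DNS = [
    "",
    "dc=alrac,dc=net",
    "cn=admin,dc=alrac,dc=net",
    "ou=people,dc=alrac,dc=net",
    "uid=carla,ou=people,dc=alrac,dc=net",
]


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalized RDNs, most specific first.

    Assumption: no escaped commas in attribute values.
    """
    if dn.strip() == "":
        return []                      # the empty DN names the root DSE
    return [rdn.strip().lower() for rdn in dn.split(",")]


def depth_below(base: str, entry_dn: str):
    """How many levels entry_dn sits below base, or None if it is not under base."""
    b = dn_components(base)
    e = dn_components(entry_dn)
    if len(e) < len(b):
        return None
    # An entry is under the base when its trailing RDNs equal the base's RDNs.
    if b and e[len(e) - len(b):] != b:
        return None
    return len(e) - len(b)


def in_scope(base: str, scope: str, entry_dn: str) -> bool:
    """Implement the -s base / one / sub rules from the option list above."""
    depth = depth_below(base, entry_dn)
    if depth is None:
        return False
    if scope == "base":
        return depth == 0              # only the base object itself
    if scope == "one":
        return depth == 1              # immediate children, not the base
    if scope == "sub":
        return True                    # base and everything beneath it
    raise ValueError("scope must be base, one or sub")


def search(entries: List[str], base: str, scope: str = "sub") -> List[str]:
    """Return the DNs from entries that a search with this base and scope would match."""
    return [dn for dn in entries if in_scope(base, scope, dn)]


if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        print(f"-b 'dc=alrac,dc=net' -s {scope}:")
        for dn in search(SAMPLE_DNS, "dc=alrac,dc=net", scope):
            print("   dn:", dn)
    print("-b '' -s base:", search(SAMPLE_DNS, "", "base"))
```

With an empty base and sub scope this toy returns every entry; a real server only answers the root DSE for -b '' when the scope is base, which is why the recipe's first check uses -s base.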
You may install from sources if you really really want to. Please visit OpenLDAP.org (http://www.openldap.org/) for instructions.
OpenLDAP.org: http://www.openldap.org/
LDAP Directories Explained: An Introduction and Analysis, by Brian Arkills (Addison-Wesley)