OpenLDAP

From philcrump.co.uk

Configuring slapd on Ubuntu Server

Installation

apt-get install slapd ldap-utils

Now run the package's configuration dialogue to set the base DN (derived from the DNS domain name you enter: batc.tv gives dc=batc,dc=tv, the suffix used throughout this page), the organisation name and the password for cn=admin:

dpkg-reconfigure slapd

Set up groups

groups.ldif

dn: ou=People,dc=batc,dc=tv
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=batc,dc=tv
objectClass: organizationalUnit
ou: Groups

# groupOfNames requires at least one member (see Troubleshooting below);
# the placeholder DN does not have to exist.
dn: cn=cloud-users,ou=Groups,dc=batc,dc=tv
objectClass: groupOfNames
cn: cloud-users
member: uid=people_placeholder,ou=People,dc=batc,dc=tv

dn: cn=streamer-users,ou=Groups,dc=batc,dc=tv
objectClass: groupOfNames
cn: streamer-users
member: uid=people_placeholder,ou=People,dc=batc,dc=tv

Add as admin

ldapadd -x -D cn=admin,dc=batc,dc=tv -W -f groups.ldif

New User

user.ldif

dn: uid=joe,ou=People,dc=batc,dc=tv
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: joe
sn: Bloggs
givenName: Joe
cn: Joe Bloggs
displayName: Joe Bloggs
# cleartext for the demo only; prefer a hashed value, e.g. from slappasswd -h '{SSHA}'
userPassword: joeldap

Add as admin

ldapadd -x -D cn=admin,dc=batc,dc=tv -W -f user.ldif
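The user.ldif above stores the password in the clear, and ldapadd with -x -W sends the admin password in the clear too unless the connection uses -ZZ (StartTLS) or an ldaps:// URL. The following is an added example, not code from the original page: it builds the same inetOrgPerson/shadowAccount entry but with a salted-SHA1 userPassword in the {SSHA} format that slapd verifies on simple bind (slappasswd -h '{SSHA}' produces the same format). The names ssha_hash, ssha_verify, user_ldif and SAFE_UID are this example's own; the conservative uid character check is an assumption made here to avoid having to escape the RDN.

```python
"""Build a user LDIF with an {SSHA} userPassword instead of cleartext.

Added example, not from the original page. Layout mirrors user.ldif above.
"""
import base64
import hashlib
import hmac
import os
import re

# Assumption of this example: restrict uid to characters that need no
# RFC 4514 escaping, so the value can be dropped straight into the DN.
SAFE_UID = re.compile(r"^[A-Za-z0-9._-]+$")


def ssha_hash(password, salt=None):
    """Return an OpenLDAP-compatible {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # random per-password salt, as slappasswd does
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value (what slapd does on bind)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_ldif(uid, given_name, surname, password, base_dn="dc=batc,dc=tv"):
    """Return LDIF text for an inetOrgPerson/shadowAccount entry under ou=People."""
    if not SAFE_UID.match(uid):
        raise ValueError("uid would need DN escaping: %r" % uid)
    lines = [
        "dn: uid=%s,ou=People,%s" % (uid, base_dn),
        "objectClass: inetOrgPerson",
        "objectClass: shadowAccount",
        "uid: %s" % uid,
        "sn: %s" % surname,
        "givenName: %s" % given_name,
        "cn: %s %s" % (given_name, surname),
        "displayName: %s %s" % (given_name, surname),
        "userPassword: %s" % ssha_hash(password),
        "",  # entries end with a truly empty line, never a whitespace-only one
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Demo values are the page's own joe / Joe Bloggs / joeldap.
    print(user_ldif("joe", "Joe", "Bloggs", "joeldap"), end="")
```

Redirect the output to user.ldif and feed it to the ldapadd command above. Values containing non-ASCII characters or leading spaces must be base64-encoded with a double colon in LDIF, which this example does not do.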

Test Password Auth

ldapwhoami -vvv -x -w "joeldap" -D "uid=joe,ou=People,dc=batc,dc=tv"

A successful bind ends with dn:uid=joe,ou=People,dc=batc,dc=tv; a wrong password gives ldap_bind: Invalid credentials (49). Note that -w puts the password on the command line, where it appears in shell history and in ps output; -W prompts for it instead.

Delete Entry

ldapdelete -x -W -D "cn=admin,dc=batc,dc=tv" "uid=adam,ou=People,dc=batc,dc=tv"

The -x is needed here as in the other commands: without it the ldap-utils tools attempt a SASL bind rather than a simple bind with the admin DN.

Add User to Group

addtogroup.ldif

dn: cn=streamer-users,ou=Groups,dc=batc,dc=tv
changetype: modify
add: member
member: uid=joe,ou=People,dc=batc,dc=tv

Modify as admin

ldapmodify -x -W -D "cn=admin,dc=batc,dc=tv" -f addtogroup.ldif

Troubleshooting

Malformed LDIF File

ldapadd: attributeDescription "dn": (possible missing newline after line 9, entry "ou=People,dc=batc,dc=tv"?)
ldapadd: attributeDescription "dn": (possible missing newline after line 10, entry "ou=People,dc=batc,dc=tv"?)
ldapadd: attributeDescription "dn": (possible missing newline after line 11, entry "ou=People,dc=batc,dc=tv"?)

This can mean that the ldif file is malformed. In my case, copying and pasting from this page had inserted space characters on the blank lines. Removing these solved the issue.
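The reason a space on a "blank" line breaks the file is LDIF line folding: a physical line that begins with a space continues the logical line before it, so the entry separator disappears and the next dn: line is parsed as an attribute of the previous entry, which is exactly what the message above is complaining about. The following is an added example, not code from the original page: a small linter that applies the folding rule and reports the problem before ldapadd sees the file. The sample text is constructed here from the page's groups.ldif with a single space on the fourth line; unfold, lint_ldif and clean_ldif are this example's own names.

```python
"""Lint LDIF for whitespace-only separator lines and other paste damage.

Added example, not from the original page.
"""

# Constructed sample: line 4 is " " (one space), not an empty line.
BROKEN_LDIF = (
    "dn: ou=People,dc=batc,dc=tv\n"
    "objectClass: organizationalUnit\n"
    "ou: People\n"
    " \n"
    "dn: ou=Groups,dc=batc,dc=tv\n"
    "objectClass: organizationalUnit\n"
    "ou: Groups\n"
)


def unfold(text):
    """Apply LDIF folding (RFC 2849): a line starting with one space continues
    the previous line. Returns (first_physical_line_no, logical_line) pairs."""
    logical = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and logical:
            first, prev = logical[-1]
            logical[-1] = (first, prev + raw[1:])
        else:
            logical.append((n, raw))
    return logical


def lint_ldif(text):
    """Return (physical_line_no, message) tuples for things ldapadd would reject."""
    problems = []
    in_entry = False
    for n, line in unfold(text):
        if line == "":
            in_entry = False  # a genuinely empty line ends the entry
            continue
        if line.startswith("#"):
            continue
        if ":" not in line:
            problems.append((n, "no ':' between attribute and value"))
            continue
        attr = line.partition(":")[0].strip().lower()
        if attr == "version" and not in_entry:
            continue  # optional "version: 1" header
        if attr == "dn":
            if in_entry:
                problems.append((n, "'dn' inside an entry: missing empty line before it "
                                    "(a whitespace-only line folds into the line above)"))
            in_entry = True
        elif not in_entry:
            problems.append((n, "attribute before any 'dn:' line"))
            in_entry = True
    return problems


def clean_ldif(text):
    """Replace whitespace-only lines with empty ones; other lines are left alone."""
    fixed = ["" if l.strip() == "" else l for l in text.splitlines()]
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for line_no, msg in lint_ldif(BROKEN_LDIF):
        print("line %d: %s" % (line_no, msg))
    assert lint_ldif(clean_ldif(BROKEN_LDIF)) == []
```

Run it over a pasted file before ldapadd; it reports the dn: line that follows the damaged separator, and clean_ldif produces a version ldapadd will accept. Deliberate folded continuation lines (a value split over two lines with a leading space on the second) are left intact, since they are valid LDIF.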

Cannot create empty group

ldap_add: Object class violation (65)
	additional info: object class 'groupOfNames' requires attribute 'member'

According to the RFC spec, a groupOfNames must contain at least one member. I worked around this by adding a 'blank' user to the group definition.

member: uid=people_placeholder,ou=People,dc=batc,dc=tv

This could be a security hole - will investigate removal after group population.
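Two points a practitioner would want on the placeholder. First, the DN does not have to exist, so nothing can bind as it; the exposure is that anyone with write access under ou=People who later creates an entry with exactly that DN inherits membership of every group still carrying it, and applications that resolve members will see a dangling DN. Second, slapd enforces MUST attributes on modify as well as on add, so the placeholder can only be deleted after at least one real member has been added, otherwise the same object class violation (65) comes back. The following is an added example, not from the original page: removing the placeholder value from streamer-users once joe (or any other real member) is present.

```ldif
# removeplaceholder.ldif (added example): delete one member value, keep the rest
dn: cn=streamer-users,ou=Groups,dc=batc,dc=tv
changetype: modify
delete: member
member: uid=people_placeholder,ou=People,dc=batc,dc=tv
```

Apply it the same way as addtogroup.ldif: ldapmodify -x -W -D "cn=admin,dc=batc,dc=tv" -f removeplaceholder.ldif. Naming the value after delete: member removes only that value; delete: member with no value would strip every member and fail the schema check.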