Ubuntu 10.10 SBS (Small Business Server) Setup: Part 3 – OpenLDAP

This is part of a guide to setting up an Ubuntu server for a small/medium business. The server will provide DHCP, DNS, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

OpenLDAP is a directory service. Think of it as a database for storing all your users, their passwords and groups. In time you can use it to store much more, but initially we’re going to use it as a centralised authorisation system. Clients will check usernames and permissions against those stored in the directory on the server. Though it is also possible to store passwords in LDAP and use it for authorisation, we’ll be using Kerberos for this purpose.

The first step is to install OpenLDAP along with some utilities for administering. We’re also going to load some basic schema (directory layouts) for storing user credentials in:

sudo apt-get install slapd ldap-utils
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

OpenLDAP uses a separate directory to hold the cn=config Directory Information Tree (DIT). The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of schema definitions, indices, Access Control Lists, etc without stopping the service. In older versions and configurations, a text based configuration was used, much like that for Dnsmasq above. However, in large scale deployments OpenLDAP can become an absolutely critical service. Restarting it to load a new configuration is simply not an option.

The backend cn=config directory has only a minimal configuration and will need additional configuration options in order to populate the frontend directory. The frontend will be populated with a “classical” scheme that will be compatible with address book applications and with Unix Posix accounts. Posix accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc.

To create the backend, we write an LDIF file (backend.danbishop.org.ldif) to be imported by OpenLDAP:

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=danbishop,dc=org
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=danbishop,dc=org
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=danbishop,dc=org" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=danbishop,dc=org" write by * read

Note the line “olcRootPW: PASSWORD”. Substitute PASSWORD with a (secure!) password of your choice!

Now it’s time to add the LDIF file to your directory:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.danbishop.org.ldif

That’s the boring configuration bit taken care of… now it’s time to create the directories for storing your users and groups. This is done by creating a similar file to the one above frontend.danbishop.org.ldif like so:

# Create top-level object in domain 
dn: dc=danbishop,dc=org
objectClass: top
objectClass: dcObject
objectclass: organization
o: danbishop Organization
dc: danbishop
description: LDAP danbishop

dn: ou=people,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: groups

And we add the LDIF in the following way, entering your root LDAP password when prompted (PASSWORD):

sudo ldapadd -x -D cn=admin,dc=danbishop,dc=org -W -f frontend.danbishop.org.ldif

Access Control

Restricting access to sensitive data such as user passwords in the directory is important. The following section describes the configuration of LDAP’s Access Control Lists (ACLs).

Authentication requires access to password field, which will not be accessible by default. Also during password change, shadowLastChange needs to be accessible too. We change these settings using an LDIF again (acls.ldif):

dn: olcDatabase={1}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="uid=admin,dc=danbishop,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.subtree="" by * read
olcAccess: {2}to * by dn="uid=admin,dc=danbishop,dc=org" write by * read

We apply these changes with the following command:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acls.ldif