Zarafa LDAP cn config How To
From Zarafa wiki
Latest revision as of 14:06, 17 April 2012
Article information

| Applies to: | |
|---|---|
| Zarafa Version(s) | 6.40.x |
| OS version(s) | Ubuntu 10.04.1 |
Installing and configuring LDAP with cn=config
Important note: From ZCP 7.0.6 and up we included a pre-made ldif file. It is located in /usr/share/doc/zarafa/ and its name is zarafa.ldif. You can import it like this:
ldapadd -H ldapi:/// -Y EXTERNAL < zarafa.ldif
Introduction
OpenLDAP has two configuration methods:
- Through a separate config file, slapd.conf (the 'old' method). The advantage of this approach is that it's relatively 'easy' to configure and maintain. The disadvantage is that for each change, the OpenLDAP process has to be restarted.
- By means of a dynamic config backend, referred to as 'cn=config'. The advantage of this approach is that each change is instantly reflected into the directory, without any process having to be restarted. The disadvantage is that this approach is slightly more complicated, especially for novice users.
This article describes how to set up Zarafa with the LDAP plugin using the second method, cn=config.
The Zarafa Administrator Manual still refers to the first method. To switch back to it, see the final section of this article, "Falling Back To slapd.conf".
Note: Zarafa sometimes changes the schema files, especially when new features are introduced. When switching to OpenLDAP with dynamic config backend it is strongly recommended that you acquire knowledge on how to apply schema changes to the directory using this backend, before proceeding.
Note: Please make sure that you are logged in to the server as the root user while following this how-to. You can do this with the command "sudo su" (without quotes).
This how-to is based on Ubuntu Lucid Lynx; the exact version it was tested on is 10.04.1. Every Linux distribution seems to ship its own initial cn=config configuration, so this how-to may not work on another distribution. Even Ubuntu 10.04 changed its initial cn=config configuration over time; as stated, the exact version tested is 10.04.1.
Install SLAPD
First, install the LDAP server daemon (slapd) on the server.
# aptitude install slapd ldap-utils
Minimum Configuration
Set up the initial cn=config database.
The example configuration below uses the following values, which may not reflect your installation:
- The examples use the password 1234, which hashes to {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW.
- Use slappasswd to generate an administrative password hash for your installation.
- The root distinguished name (dn) is dc=example,dc=com.
- The administrative user is cn=admin,dc=example,dc=com.
Create a temporary file somewhere:
# vi db.ldif
Fill the file with the information below:
###########################################################
# DATABASE SETUP
###########################################################

# Load modules for database type
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

# Create directory database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq

###########################################################
# DEFAULTS MODIFICATION
###########################################################

# Some of the defaults need to be modified in order to allow
# remote access to the LDAP config. Otherwise only root
# will have administrative access.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
Be aware: from now on this user has all privileges on your LDAP-server!
Apply the configuration, which also creates the administrative user for cn=config, with the following command:
# ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif
Validate the configuration:
Use ldapsearch to view the tree, entering the administrative password (the olcRootPW set in db.ldif):
# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W
The first command shows the current configuration of the hdb backend database, which in this case holds the dc=example,dc=com suffix; the second, without a filter, dumps the whole cn=config tree.
Minimum Directory Information Tree
Now set up a minimal LDAP DIT (Directory Information Tree). Open another temporary file:
# vi base.ldif
Insert the following. Once again the dn has to be changed to reflect your environment.
# Tree root
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: example.com
dc: example
description: Tree root

# LDAP admin
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}LDeTJEEBhqypKL2FpQuFc2j4Na1TLTRW
description: LDAP administrator
Apply the file:
# ldapadd -x -D cn=admin,dc=example,dc=com -W -f base.ldif
Validate the LDAP DIT by querying it, this time as an anonymous user; because no bind is performed, the userPassword of cn=admin,dc=example,dc=com should not be shown. If it does appear in the output, the {1}hdb database has no olcAccess rule protecting it (slapd's default when no access directives exist is read access for everyone), so add one before exposing the server:
# ldapsearch -xLLL -b dc=example,dc=com
Note about admin users
We have now created two admin users:
- cn=admin,cn=config -> This user has admin rights on the cn=config tree.
- cn=admin,dc=example,dc=com -> This user has admin rights on the dc=example,dc=com tree.
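The steps above, from choosing the suffix to the anonymous validation search, as one added shell example that is not part of the wiki article. The domain-to-suffix helper, the hashed-password check and the password-disclosure check are this example's own assumptions; the paths, DN layout and hash value follow the article (the hash is the article's sample for the password 1234, not a real credential), and the wrapper functions assume the OpenLDAP client tools are installed and slapd is reachable over ldapi:///.

```shell
#!/bin/sh
# Added example, not from the Zarafa wiki: derive suffix and admin DN from a
# DNS domain, refuse a cleartext root password, render the minimal DIT
# (base.ldif) of the article, and check the anonymous dump for userPassword.
# Assumptions: Debian/Ubuntu layout as in the article, cn=admin under the
# suffix, slappasswd-style hashes ({SSHA}... etc.).

# example.com -> dc=example,dc=com
dc_suffix() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        printf "\n"
    }'
}

# Accept only a value slappasswd would produce, so that a cleartext string
# never lands in olcRootPW or userPassword.
is_hashed_pw() {
    case "$1" in
        \{SSHA\}*|\{SHA\}*|\{CRYPT\}*|\{SMD5\}*|\{MD5\}*) return 0 ;;
        *) return 1 ;;
    esac
}

# Render base.ldif for the domain: tree root plus the directory admin entry.
render_base_ldif() {
    domain=$1; hash=$2
    is_hashed_pw "$hash" || { echo "render_base_ldif: password is not hashed" >&2; return 1; }
    suffix=$(dc_suffix "$domain")
    first=${domain%%.*}
    cat <<EOF
# Tree root
dn: $suffix
objectClass: dcObject
objectClass: organization
o: $domain
dc: $first
description: Tree root

# LDAP admin
dn: cn=admin,$suffix
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: $hash
description: LDAP administrator
EOF
}

# Read an ldapsearch dump on stdin; true if it discloses a userPassword value.
# Run it over the anonymous search: with no olcAccess rule on the database,
# slapd's default grants read access to everyone, passwords included.
dump_discloses_password() {
    grep -qi '^userPassword:'
}

# Apply cn=config changes as root over the local socket, as the article does.
apply_config_ldif() {
    ldapadd -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Apply DIT data as the directory admin, then read the tree back anonymously
# and warn if the password hash is readable without a bind.
apply_and_show_dit() {
    domain=$1; ldif=$2
    suffix=$(dc_suffix "$domain")
    ldapadd -x -D "cn=admin,$suffix" -W -f "$ldif" || return 1
    dump=$(ldapsearch -xLLL -b "$suffix")
    printf '%s\n' "$dump"
    if printf '%s\n' "$dump" | dump_discloses_password; then
        echo "WARNING: anonymous bind can read userPassword; add an olcAccess rule to olcDatabase={1}hdb" >&2
        return 2
    fi
}

# Typical run (the hash below is the article's sample, not a real secret):
#   hash=$(slappasswd)                       # prompts twice, prints {SSHA}...
#   render_base_ldif example.com "$hash" > base.ldif
#   apply_and_show_dit example.com base.ldif
```

dc_suffix and render_base_ldif are pure text functions and can be run on any machine; the two apply functions only make sense on the LDAP server itself.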
Create Schema
Now add a few schemas (only core.schema is provided by default):
# ldapadd -x -D "cn=admin,cn=config" -W -f /etc/ldap/schema/cosine.ldif
# ldapadd -x -D "cn=admin,cn=config" -W -f /etc/ldap/schema/inetorgperson.ldif
# ldapadd -x -D "cn=admin,cn=config" -W -f /etc/ldap/schema/nis.ldif
Convert Zarafa Schema
If you also want to use the default Zarafa schema, it has to be converted first: to add schemas to a cn=config OpenLDAP, the .schema files must be converted to LDIF.
Create a file called schema_convert.conf and add the schema files you need to it, e.g.:
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/zarafa.schema
Note: The OpenLDAP configuration is usually located under /etc; depending on the distribution it is:
Red Hat Enterprise Linux: /etc/openldap
SUSE: /etc/openldap
Debian & Ubuntu: /etc/ldap
Create a directory /tmp/ldif_output
# mkdir /tmp/ldif_output
Run slaptest to convert the schemas:
# slaptest -f schema_convert.conf -F /tmp/ldif_output
Edit /tmp/ldif_output/cn=config/cn=schema/cn={xx}zarafa.ldif ({xx} is the index slaptest assigned, e.g. {12}) and change the lines at the top of the file: remove the {xx} part and add ,cn=schema,cn=config to the dn, so that they look like this:
dn: cn=zarafa,cn=schema,cn=config
...
cn: zarafa
Then remove the following lines at the bottom of that file (they are operational attributes that slaptest wrote; the server generates them itself and will not accept them from a client):
structuralObjectClass: olcSchemaConfig
entryUUID: 506bb32c-c232-102e-81c9-e11e06f59dd0
creatorsName: cn=config
createTimestamp: 20100312145015Z
entryCSN: 20100312145015.702589Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100312145015Z
Finally, using the ldapadd utility, add the new schema to the directory (use the index from your own output in place of {12}):
# ldapadd -x -D "cn=admin,cn=config" -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}zarafa.ldif
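The manual edits above (strip the {xx} index, append ,cn=schema,cn=config to the dn, drop the operational attributes at the bottom) as an added shell example that is not part of the wiki article. The sample input is constructed here to look like slaptest output; its OID and attribute name are placeholders, not the real Zarafa schema, and the function names and the /tmp/zarafa.ldif output path are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the Zarafa wiki: turn a slaptest-generated schema
# file (cn={xx}zarafa.ldif) into an LDIF that ldapadd accepts under
# cn=schema,cn=config, performing the edits the article describes by hand.

# Filter: stdin is the slaptest output, stdout the cleaned LDIF.
#  - "dn: cn={12}zarafa"  -> "dn: cn=zarafa,cn=schema,cn=config"
#  - "cn: {12}zarafa"     -> "cn: zarafa"
#  - operational attributes slaptest wrote (entryUUID, entryCSN, ...) are
#    dropped: the server generates them itself and will not accept them
#  - "# ..." comment lines (AUTO-GENERATED banner, CRC32) are dropped too
fixup_schema_ldif() {
    awk '
        /^dn: cn=[{][0-9]+[}]/ {
            sub(/^dn: cn=[{][0-9]+[}]/, "dn: cn=")
            print $0 ",cn=schema,cn=config"
            next
        }
        /^cn: [{][0-9]+[}]/ {
            sub(/[{][0-9]+[}]/, "")
            print
            next
        }
        /^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): / { next }
        /^#/ { next }
        { print }
    '
}

# Locate the converted file regardless of the {xx} index slaptest assigned.
# Usage: find_schema_ldif zarafa [/tmp/ldif_output]
find_schema_ldif() {
    name=$1
    outdir=${2:-/tmp/ldif_output}
    set -- "$outdir/cn=config/cn=schema/cn={"*"}$name.ldif"
    [ -f "$1" ] && printf '%s\n' "$1"
}

# Constructed stand-in for /tmp/ldif_output/cn=config/cn=schema/cn={12}zarafa.ldif.
# The OID 1.3.6.1.4.1.99999.1 and attribute name are placeholders only.
sample_slaptest_output() {
    cat <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: cn={12}zarafa
objectClass: olcSchemaConfig
cn: {12}zarafa
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1 NAME 'exampleAttr' DESC 'placeholder, not a Zarafa attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20100312145015Z
entryCSN: 20100312145015.702589Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100312145015Z
EOF
}

# Real run, as in the article:
#   f=$(find_schema_ldif zarafa) && fixup_schema_ldif < "$f" > /tmp/zarafa.ldif
#   ldapadd -x -D "cn=admin,cn=config" -W -f /tmp/zarafa.ldif
# Dry run on the constructed sample:
#   sample_slaptest_output | fixup_schema_ldif
```

Writing the cleaned LDIF to a separate file rather than editing in place leaves the slaptest output untouched, so the conversion can be re-run if a later Zarafa release changes the schema.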
Extra Notes
SELinux
If SELinux is enabled (typically on Red Hat or CentOS), either disable it or adjust its policy so that slapd can write to the cn=config subdirectories.
Starting over
If anything went wrong during installation and you want to start from scratch, just purge the OpenLDAP installation:
apt-get purge slapd
The purge does not remove the ldap database, so you may want to remove the database:
rm -rf /var/lib/ldap/*
Finally reinstall openldap:
apt-get install slapd
Falling Back To slapd.conf
It is possible to fall back to the old config method with a slapd.conf config file.
First stop slapd (if it is running):
/etc/init.d/slapd stop
Change the file /etc/default/slapd to reflect the fact that you now want to use a slapd.conf file:
SLAPD_CONF="/etc/ldap/slapd.conf"
Get a slapd.conf file or create one from the example below.
Make sure it's readable to the user slapd runs under. In Ubuntu, this user is 'openldap':
chown openldap:openldap /etc/ldap/slapd.conf
chmod 640 /etc/ldap/slapd.conf
And start your slapd again:
/etc/init.d/slapd start
NOTE: Tested under Ubuntu 10.4 and 10.10
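A check for the ownership and mode step above, as an added shell example that is not part of the wiki article: it refuses a slapd.conf that is world-readable or not owned by the slapd user, since slapd.conf can hold rootpw and other secrets. The function names and the default user openldap are this example's assumptions; the article sets 640 and openldap:openldap on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the Zarafa wiki): verify that slapd.conf is private
# to the user slapd runs under before starting the daemon. Default user
# 'openldap' is the Ubuntu one the article names; pass another for other
# distributions.

# slapd_conf_is_private FILE [OWNER]  -> 0 if FILE is not world-readable and
# owned by OWNER, 1 otherwise (with a hint on stderr about what to fix).
slapd_conf_is_private() {
    f=$1
    owner=${2:-openldap}
    if [ ! -f "$f" ]; then
        echo "$f: no such file" >&2
        return 1
    fi
    # -perm -004 matches when the 'other' read bit is set; -prune keeps find
    # from descending in case a directory is passed by mistake.
    if [ -n "$(find "$f" -prune -perm -004 -print 2>/dev/null)" ]; then
        echo "$f is world-readable; run: chmod 640 $f" >&2
        return 1
    fi
    if [ -z "$(find "$f" -prune -user "$owner" -print 2>/dev/null)" ]; then
        echo "$f is not owned by $owner; run: chown $owner:$owner $f" >&2
        return 1
    fi
    return 0
}

# Wrap the article's restart: do not start slapd on a file that fails the check.
# Usage: start_slapd_with_conf [/etc/ldap/slapd.conf] [openldap]
start_slapd_with_conf() {
    conf=${1:-/etc/ldap/slapd.conf}
    slapd_conf_is_private "$conf" "${2:-openldap}" || return 1
    /etc/init.d/slapd start
}
```

Run slapd_conf_is_private on its own first; it prints the exact chmod or chown command that is missing, which is all the fallback procedure requires.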
Example slapd.conf
If you can't recycle a slapd.conf file from a previous installation, you'll need to set up a fresh slapd.conf file in /etc/ldap/ .
It's beyond the scope of this article to provide you with information on how to do that.
For your reference however, here's the default slapd.conf from Ubuntu 8.04.3.
DISCLAIMER: The contents of this file is provided 'as is' and comes with NO GUARANTEES whatsoever.
Please refer to the slapd.conf manual pages on how to tune this file to your specific needs.
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel none
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend hdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database hdb
# The base of your directory in database #1
suffix "dc=nodomain"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn "cn=admin,dc=nodomain"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=nodomain" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=nodomain" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=nodomain" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be hdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
