Getting started with OpenLDAP on FreeBSD10.0

OpenLDAP is one of the more interesting, sometimes challenging services to get up and running on FreeBSD. It implements a light-weight directory protocol that can be used for authentication and authorization by programs that support LDAP. Let’s look at the installation and configuration below.

Note: We assume a fictional top level domain of acme.com. Replace it with your own domain.

Installation

First step is to edit the /etc/hosts file and append a line similar to the following:

127.0.1.1 admin.acme.com admin

We’re now good to install the OpenLDAP server and client for FreeBSD via the pkg command.

pkg install openldap-server
pkg install openldap-client

The package openldap-server would give us the server components (affectionately called slapd) and configuration files. openldap-client gives us the client accessories: basically tools that let us add, modify, delete stuff and query/search for stuff inside the LDAP directory.

Configuration

Before we start, let’s get ourselves a nice strong password that we can use to do administrative tasks. We use the slappasswd command for this:

slappasswd -h '{SHA}'
New password: 
Re-enter new password: 
{SHA}Y2fEjdGT1W6nsLqtJbGUVeUp9e4=

We have specified that we want a SHA-1 summed password. We got back a base64 encoded version of our password. Keep the password for use later.

Let’s now edit the server configuration file /usr/local/etc/openldap/slapd.conf and and make it look similar to the following:

# Make sure the lines below are present
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/collective.schema
include /usr/local/etc/openldap/schema/openldap.schema
#... make sure the lines below are un-commented
moduleload      back_mdb
moduleload      back_ldap
#... make sure the lines below are modified accordingly
suffix		"dc=acme,dc=com"
rootdn		"cn=admin,dc=acme,dc=com"
#... replace rootpw value with the one we created
database mdb
maxsize 1073741824
rootpw {SHA}Y2fEjdGT1W6nsLqtJbGUVeUp9e4=

directory /var/db/openldap-data
index objectClass eq

Edit the file /etc/rc.conf and append the following lines

slapd_enable="YES"
slapd_flags='-h "ldapi://%252fvar%252frun%252fopenldap%252fldapi/ ldap://0.0.0.0/"'
slapd_sockets="/var/run/openldap/ldapi"

This enables start of ldap service at boot and makes the service listen to all addresses. We are almost done, let’s start the LDAP service

service slapd start

Verifying the installation & configuration

Let’s test if it all works. We shall run the following command from within the FreeBSD machine:

ldapsearch -x -W -D cn=admin,dc=acme,dc=com
Enter LDAP Password:

We could also run the command from outside the system like so.

ldapsearch -x -H ldap://sub.domain.com

Where sub.domain.com is the fully qualified domain name (fqdn) of the FreeBSD system. You can also use the IP address in place of the fqdn. You should get results similar to the following if your setup is successful:

# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Adding data to the directory

Create a file (addstuff.ldif) containing the following contents.

dn: dc=acme,dc=com
objectclass: dcObject
objectclass: organization
o: labs
dc: acme

dn: cn=admin,dc=acme,dc=com
objectclass: organizationalRole
cn: admin

Explaining LDAP is out of the scope of this post. So that’s for some other time. Now let’s add the data to LDAP using the ldapadd command.

ldapadd -x -W -D cn=admin,dc=acme,dc=com -f addstuff.ldif
Enter LDAP password:

The same thing can be done from outside the machine via the following command.

ldapadd -x -W -H ldap://sub.domain.com -D cn=admin,dc=acme,dc=com -f addstuff.ldif
Enter LDAP password:

We can add more data from here if we want to: addppl.ldif . After doing this,  let’s check if it has worked from within the FreeBSD system:

ldapsearch -x -LLL -b dc=acme,dc=com

and from outside the system like this:

ldapsearch -x -H ldap://sub.domain.com -b dc=acme,dc=com

If this worked, we should be able to see a bunch of names, cn, sn, userPasswords, etc. in the output. We have successfully installed OpenLDAP on FreeBSD.

Hope you liked this post. Try it out and send your feedback/questions via. the blog’s comments section.